
Cloud Security & Compliance - Tim Rains, AWS

Presentation at Solita Public Sector Pulse 4.6.2019, Helsinki


  1. Cloud Security & Compliance: A focus on Governance. Tim Rains, Regional Leader, Security & Compliance Business Acceleration, Worldwide Public Sector, Amazon Web Services. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda: Traditional Information Security Governance; Security & Compliance Game Changers; Governance Improved.
  3. Initially contemplating the cloud
     • On-premises control equivalency: is there support for our current controls and vendors?
     • Data protection: what controls prevent unauthorized access?
     • Multi-tenancy: is there any new risk from other tenants?
     • Data residency: will our data move outside a specific country or region?
     • Resilience: can it meet our requirements?
     • Governance: is there support for the framework(s), policies and controls that help us manage risk?
  4. Traditional Information Security Governance (section title)
  5. Traditional Governance Flow, built up one element per slide over slides 5 to 13. The diagram's labels, in order of appearance: Strategy → Policy → Project Team → Governance Check → Governance Audit → Release! → Archive; the final slide adds a Governance Policy label.
  14. Security & Compliance Game Changers (section title)
  15. AWS Regions and Availability Zones (diagram: a sample Region made up of Availability Zones A, B and C, each a cluster of data centers)
     • Regions are independent geographic areas, isolated from other Regions (a security boundary)
     • The customer chooses in which Region(s) to deploy services
     • Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of high-availability architectures
     • AZs are independent failure zones: physically separated, on separate low-risk flood plains
     • Discrete Uninterruptible Power Supply (UPS) and on-site backup generation facilities
     • Built for continuous availability
  16. AWS Global Infrastructure: at the time of this presentation (June 2019) the AWS Cloud spanned 66 Availability Zones within 21 geographic Regions around the world, with announced plans for 12 more Availability Zones and four more Regions in Bahrain, Cape Town, Jakarta, and Milan.
  17. AWS CloudFront & Route 53 Edge Infrastructure: Amazon CloudFront uses a global network of 180 Points of Presence (169 Edge Locations and 11 Regional Edge Caches) in 69 cities across 30 countries. European Edge Locations: Amsterdam, The Netherlands (2); Berlin, Germany (2); Copenhagen, Denmark; Dublin, Ireland; Frankfurt, Germany (8); Helsinki, Finland; London, England (9); Madrid, Spain (2); Manchester, England; Marseille, France; Milan, Italy; Munich, Germany (2); Oslo, Norway; Palermo, Italy; Paris, France (5); Prague, Czech Republic; Stockholm, Sweden (3); Vienna, Austria; Warsaw, Poland; Zurich, Switzerland. European Regional Edge Caches: Frankfurt, Germany; London, England.
  18. Things are different in the cloud
     On-premises: big perimeter; end-to-end ownership; build it all yourself; server-centric approach; de-centralised administration; focus on physical assets; multiple (manual) processes.
     On AWS: micro-perimeters; own just enough; focus on your core values; service-centric approach; focus on protecting data; central control plane (API); everything is automated.
  19. Game changer: everything is automated
  20. The changing nature of security: one pipeline for applications and infrastructure as code. Source control (commit changes) → Build (build artifacts) → Testing & staging (deploy to test environment; run integration, security, load and other tests) → Production (deploy to production environment) → Maintain (manage runtime). The slide labels the commit, build and test stages Continuous Integration and the full path through production Continuous Delivery. A secure development lifecycle applies equally to applications and infrastructure as code.
  21. Game changer: API-driven
     • Authoritative: the interface to, and between, AWS services
     • Auditable: always know what, and who, is doing what
     • Secure: verified integrity, authenticated, no covert channels
     • Fast: can be read and manipulated in sub-second time
     • Precise: defines the state of all infrastructure and services
     • Evolving: continuously improving
     • Uniform: provides consistency across disparate components
     • Automatable: enables some really cool capabilities
  22. AWS CloudTrail: you are making API calls (from the AWS Management Console, the SDKs and the CLI) to a growing set of AWS services around the world (the slide shows VPC and Redshift as examples); CloudTrail continuously records those API calls so you can store and archive them, troubleshoot with them, and monitor and alarm on them.
  23. AWS Config and AWS Config Rules: a continuous recording and assessment service. Changing resources are recorded by AWS Config (normalized history and snapshots, notifications, API access) and evaluated by Config Rules. Together they answer two questions: How are my resources configured over time? Is a change that just occurred to a resource compliant?
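The second question on that slide, whether a change that just occurred is compliant, is what a Config rule answers. As an added example (not code from the presentation or from AWS), here is a custom Config rule written as a Python Lambda handler. It assumes the standard custom-rule invocation shape (a JSON `invokingEvent` carrying the `configurationItem`) and a security-group configuration laid out like `DescribeSecurityGroups` in camelCase; the `allowedPorts` rule parameter, the sample group IDs and the sample items are this example's own constructions.

```python
"""Custom AWS Config rule in Python (illustrative, not AWS's own code): a security group
is NON_COMPLIANT if any ingress rule is reachable from anywhere on a port outside an
allow-list. Assumptions, labelled as such: the invocation shape is that of a Config
custom-rule Lambda (invokingEvent is a JSON string carrying the configurationItem), and
the security-group configuration mirrors DescribeSecurityGroups in camelCase
(ipPermissions / ipRanges / cidrIp). The sample items below are constructed."""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def open_to_world(permission):
    """True if an ipPermissions entry accepts traffic from any IPv4 or IPv6 address."""
    v4 = any(r.get("cidrIp") == ANY_V4 for r in permission.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == ANY_V6 for r in permission.get("ipv6Ranges", []))
    return v4 or v6


def port_range(permission):
    """Ports an entry covers; protocol "-1" means every protocol and every port."""
    if permission.get("ipProtocol") == "-1":
        return 0, 65535
    return permission.get("fromPort", 0), permission.get("toPort", 65535)


def evaluate_security_group(configuration, allowed_ports=(80, 443)):
    """Return (ComplianceType, Annotation) for one security-group configuration.
    A world-open entry passes only if it is a single port on the allow-list."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        if not open_to_world(perm):
            continue
        lo, hi = port_range(perm)
        if lo == hi and lo in allowed_ports:
            continue  # e.g. 443/tcp from anywhere is expected on a public listener
        violations.append(f"{perm.get('ipProtocol')} {lo}-{hi} open to the world")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)[:256]  # Annotation limit is 256 chars
    return "COMPLIANT", "No world-reachable ports outside the allow-list"


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config invokes custom rules. Returns the evaluation
    a deployed handler would hand to
    config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]);
    the boto3 call is left out so this runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = tuple(int(p) for p in params.get("allowedPorts", "80,443").split(","))

    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule evaluates security groups only"
    elif (item.get("configurationItemStatus") or "").startswith("ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    else:
        compliance, note = evaluate_security_group(item["configuration"], allowed)

    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(config_item, rule_parameters=None):
    """Wrap a configuration item the way Config delivers it (constructed envelope)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": config_item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "constructed-token",
        "eventLeftScope": False,
    }


def _item(sg_id, permissions):
    """Constructed configuration item for one security group."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2019-06-04T08:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}


# Constructed samples: SSH from the internet (bad) and HTTPS from the internet (fine).
SAMPLE_OPEN_SSH = _item("sg-0123456789abcdef0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": ANY_V4}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
])
SAMPLE_HTTPS_ONLY = _item("sg-0fedcba9876543210", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": ANY_V4}], "ipv6Ranges": [{"cidrIpv6": ANY_V6}]},
])

if __name__ == "__main__":
    for item in (SAMPLE_OPEN_SSH, SAMPLE_HTTPS_ONLY):
        print(json.dumps(lambda_handler(make_event(item)), indent=2))
```

The rule only ever sees the configuration item Config hands it, which is the point of the slide: the evaluation runs on the recorded, normalized state at change time, not on a scan someone remembers to run. Deleted resources and other resource types are reported NOT_APPLICABLE so they drop out of the compliance view instead of lingering as stale findings.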
  24. Automating responses based on multiple controls: Detect → Investigate → Respond. Detection sources shown: Amazon GuardDuty, Amazon Inspector, AWS CloudTrail, VPC Flow Logs, AWS Config, Amazon Macie. Amazon CloudWatch Events routes their findings to a Lambda function, which investigates and responds through the AWS APIs and team collaboration tools (Slack etc.).
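As an added example for the Detect → Investigate → Respond loop above (not code from the presentation or from AWS), here is a CloudWatch Events-triggered Lambda handler in Python that runs three detections over CloudTrail records, attaches what an investigator needs first, and decides a response. The three detections, the response labels, the `EVENT_PATTERN`, the helper names and every sample record are this example's own assumptions and constructions; a deployed version would call boto3 where the comments say so.

```python
"""Detect / investigate / respond over CloudTrail records (illustrative, not AWS's code).
Assumptions, labelled as such: events arrive in the CloudWatch Events shape, where
event["detail"] is one CloudTrail record; the three detections and the response
actions are this example's own choices; every record below is constructed."""
import json

# Pattern a CloudWatch Events rule would use to route only the relevant calls here.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com", "iam.amazonaws.com",
                               "signin.amazonaws.com"]},
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def detect_trail_tampering(rec):
    """Stopping or deleting a trail blinds the audit record itself."""
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and \
            rec.get("eventName") in ("StopLogging", "DeleteTrail"):
        return {"rule": "cloudtrail-tampering", "severity": "HIGH",
                "resource": (rec.get("requestParameters") or {}).get("name"),
                "respond": "cloudtrail:StartLogging"}


def detect_root_login_without_mfa(rec):
    """Successful root console sign-in with no MFA on the account's break-glass identity."""
    if rec.get("eventName") == "ConsoleLogin" \
            and rec.get("userIdentity", {}).get("type") == "Root" \
            and rec.get("additionalEventData", {}).get("MFAUsed") == "No" \
            and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success":
        return {"rule": "root-login-no-mfa", "severity": "CRITICAL",
                "resource": rec["userIdentity"].get("accountId"), "respond": "page-on-call"}


def detect_admin_grant(rec):
    """AdministratorAccess attached to any principal is a privilege-escalation path."""
    params = rec.get("requestParameters") or {}
    if rec.get("eventSource") == "iam.amazonaws.com" \
            and rec.get("eventName") in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
            and params.get("policyArn") == ADMIN_POLICY:
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        return {"rule": "admin-policy-attached", "severity": "HIGH",
                "resource": target, "respond": "iam:DetachPolicy-after-review"}


DETECTIONS = (detect_trail_tampering, detect_root_login_without_mfa, detect_admin_grant)


def triage(rec):
    """Run every detection over one record and attach what an investigator wants first:
    who did it, from where, when, and the event ID to pull the full record later."""
    findings = []
    for detect in DETECTIONS:
        finding = detect(rec)
        if not finding:
            continue
        finding.update(eventTime=rec.get("eventTime"), eventID=rec.get("eventID"),
                       principal=rec.get("userIdentity", {}).get("arn"),
                       sourceIP=rec.get("sourceIPAddress"))
        if rec.get("errorCode"):  # the call was denied; an attempt is still worth knowing
            finding["rule"] += "-attempt"
            finding["respond"] = "notify-only"
        findings.append(finding)
    return findings


def lambda_handler(event, context=None):
    """CloudWatch Events -> Lambda entry point. A deployed version would act on
    finding["respond"] with boto3 (e.g. cloudtrail.start_logging(Name=...)) and post
    to Slack; this offline version returns the findings it would act on."""
    return triage(event["detail"])


def wrap(rec):
    """Constructed CloudWatch Events envelope around one CloudTrail record."""
    kind = "AWS Console Sign In via CloudTrail" if rec.get("eventName") == "ConsoleLogin" \
        else "AWS API Call via CloudTrail"
    return {"source": "aws.cloudtrail", "detail-type": kind, "account": "123456789012",
            "region": rec.get("awsRegion"), "detail": rec}


ATTACKER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy",
            "accountId": "123456789012", "userName": "ci-deploy"}
SAMPLE_RECORDS = [  # constructed, not captured from a real account
    {"eventVersion": "1.05", "eventTime": "2019-06-04T09:12:31Z", "awsRegion": "eu-west-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ATTACKER, "eventID": "c1",
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventVersion": "1.05", "eventTime": "2019-06-04T09:13:02Z", "awsRegion": "eu-west-1",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.10", "userIdentity": ATTACKER, "eventID": "c2",
     "requestParameters": {"userName": "ci-deploy", "policyArn": ADMIN_POLICY},
     "errorCode": "AccessDenied"},
    {"eventVersion": "1.05", "eventTime": "2019-06-04T09:20:45Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "eventID": "c3",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2019-06-04T09:21:00Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.4.12", "userIdentity": ATTACKER, "eventID": "c4"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(json.dumps(lambda_handler(wrap(rec)), indent=2))
```

Two design points worth noting. The handler keeps the detection logic separate from the response so the same rules can be replayed over archived CloudTrail logs for investigation, which is the "Store/Archive" path on the CloudTrail slide. And a denied call is still reported, just with a softer response: the audit slide's promise of knowing "what, and who, is doing what" covers attempts as much as successes.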
  25. Governance Improved (section title)
  26. Governance At The Speed Of Cloud, built up one element per slide over slides 26 to 37. The diagram's labels, in order of appearance: Strategy → Policy → Project Team → Automated Checks → Release! → Compliance Data → Governance → Ops → Audit. Compared with the traditional flow, the manual governance check and audit in front of the release are replaced by automated checks, and the compliance data those checks emit is what Governance, Ops and Audit consume.
  38. Certifications, Attestations, Standards (logo slide; text captured from it): Glacier Vault Lock & SEC Rule 17a-4(f), SOC 1, SOC 2, SOC 3, PSN.
  39. General Data Protection Regulation: https://aws.amazon.com/compliance/gdpr-center
  40. Thank you! Tim Rains, rainstim@amazon.co.uk (AWS Summit closing slide)
