Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Similar documents
Getting started with AWS security

Title: Planning AWS Platform Security Assessment?

Getting started with AWS security

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Security & Compliance in the AWS Cloud. Amazon Web Services

Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

Cloud and Storage. Transforming IT with AWS and Zadara. Doug Cliche, Storage Solutions Architect June 5, 2018

Security Aspekts on Services for Serverless Architectures. Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

BERLIN. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Getting Started with AWS Security

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Securing Microservices Containerized Security in AWS

VMware Cloud on AWS Adoption in the Enterprise

Amazon GuardDuty. Amazon Guard Duty User Guide

Additional Security Services on AWS

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Amazon Web Services. Foundational Services for Research Computing. April Mike Kuentz, WWPS Solutions Architect

Expected Learning Outcomes Introduction To AWS

Cloud Transformation and Significance of Security

Advanced Techniques for DDoS Mitigation and Web Application Defense

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

Private Cloud Public Cloud Edge. Consistent Infrastructure & Consistent Operations

Introduction to Amazon Cloud & EC2 Overview

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Introduction to Amazon Cloud & EC2 Overview

Who done it: Gaining visibility and accountability in the cloud

CogniFit Technical Security Details

Cloud security 2.0: Joko nyt pilveen voi luottaa?

AWS Well Architected Framework

25 Best Practice Tips for architecting Amazon VPC. 25 Best Practice Tips for architecting Amazon VPC. Harish Ganesan- CTO- 8KMiles

Designing Fault-Tolerant Applications

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

AWS Security Overview. Bill Shinn Principal Security Solutions Architect

AWS Direct Connect Deep Dive

Amazon Web Services and Feb 28 outage. Overview presented by Divya


Hackproof Your Cloud Responding to 2016 Threats

Understanding Perimeter Security

Architecting for Greater Security in AWS

AWS Networking Fundamentals

Standardized Architecture for NIST High-Impact Controls on the AWS Cloud Featuring Trend Micro Deep Security

Engage with ESRI in the AWS Cloud. Teresa Carlson, VP of Global Public Sector

Creating your Virtual Data Centre

Network Security & Access Control in AWS

2013 AWS Worldwide Public Sector Summit Washington, D.C.

AWS Solution Architect Associate

Enroll Now to Take online Course Contact: Demo video By Chandra sir

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

8/3/17. Encryption and Decryption centralized Single point of contact First line of defense. Bishop

VMware Cloud on AWS The Next Generation Hybrid Cloud Architecture

Srinath Vaddepally.

TECHNICAL WORKBOOK. PCI Compliance in the AWS Cloud A NITIAN. Report Date: October 17, Jordan Wiseman, QSA

Protecting Your Data in AWS. 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

25 Best Practice Tips for architecting Amazon VPC

Security, compliance and GDPR and Google Cloud

What s New at AWS? looking at just a few new things for Enterprise. Philipp Behre, Enterprise Solutions Architect, Amazon Web Services

Oracle WebLogic Server 12c on AWS. December 2018

Building a More Secure Cloud Architecture

MarkLogic Cloud Service Pricing & Billing Effective: October 1, 2018

Standardized Architecture for PCI DSS on the AWS Cloud

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

McAfee Cloud Workload Security Product Guide

Training on Amazon AWS Cloud Computing. Course Content

Scaling on AWS. From 1 to 10 Million Users. Matthias Jung, Solutions Architect

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Cloud Security Strategy - Adapt to Changes with Security Automation -

Mid-Atlantic CIO Forum

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

AWS Data Security Security Update

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Amazon Web Services 101 April 17 th, 2014 Joel Williams Solutions Architect. Amazon.com, Inc. and its affiliates. All rights reserved.

HPE Digital Learner AWS Certified SysOps Administrator (Intermediate) Content Pack

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

Awareness Technologies Systems Security. PHONE: (888)

OptiSol FinTech Platforms

Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

Certificate of Registration

Joakim Stolpe AWS Nordics

Mapping traditional security technologies to AWS Dave Walker Specialised Solutions Architect Security and Compliance Amazon Web Services UK Ltd

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

AWS Landing Zone. AWS User Guide. November 2018

Launching a Highly-regulated Startup in the Cloud

PwC China and Hong Kong Cloud Security Enablement Services

AWS 101. Patrick Pierson, IonChannel

Architecting Microsoft Azure Solutions (proposed exam 535)

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Azure Everywhere. Brandon Murray, Cami Williams, David Haver, Kevin Carter, Russ Henderson

AWS Solutions Architect Associate (SAA-C01) Sample Exam Questions

Better, Faster, Stronger web apps with Amazon Web Services. Senior Technology Evangelist, Amazon Web Services

Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies

Introducing Amazon Elastic File System (EFS)

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

AWS Security Hub. User Guide

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

McAfee Public Cloud Server Security Suite

Vom Server bis zum WorkSpace: Windows Anwendungen auf AWS

Cloud Security Best Practices

Deep Freeze Cloud. Architecture and Security Overview

Securing Your Amazon Web Services Virtual Networks

Transcription:

Security: A Driving Force Behind Moving to the Cloud Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved

Why is security traditionally so hard? Lack of Visibility Lack of Resiliency Defense in Depth Low degree of Automation

Four Security Benefits of the Cloud Increased visibility Increased availability and resiliency True Defense-in-Depth Ability to automate governance and Security Operations

Visibility

AWS Services that provide Operational Visibility CloudTrail Track user activity and API usage VPC Flow Logs Track network activity in/out of VPC CloudWatch Monitor resources and applications WAF Logs Track application access/denials GuardDuty Intelligent Threat Detection Inspector Analyze OS and application security Trusted Advisor Guidance to reduce cost, increase performance, and improve security Macie Discover, classify, and protect sensitive data Artifact Self-service for AWS compliance reports

Resiliency

AWS Global Infrastructure 18 Regions 55 Availability Zones 121 Edge Locations Region & Number of Availability Zones AWS GovCloud EU Oregon (3) Ireland (3) Ohio (3) *Coming Soon Frankfurt (3) London (3) US West Paris (3) Oregon (3) Northern California (3) Asia Pacific Singapore (3) US East Sydney (3) N. Virginia (6) Tokyo (4) Ohio (3) Seoul (2) Mumbai (2) Canada Central (2) China Beijing (2) South America Ningxia (3) São Paulo (3) Announced Regions Bahrain, Hong Kong, Sweden, AWS GovCloud East

AWS Region and Availability Zone View - Regions: metropolitan area with independent cloud - Fully Isolated from other Regions (security boundary) 30 mile (appx) radius clustered data center architecture - Customer chooses Region - Data Stays within Region - Regions comprised of multiple Availability Zones AZ = 1 or more data centers - AZ s connected through redundant low-latency links - Physically separated; Separate Low Risk Flood Plains - Discrete UPS & Onsite backup - Redundant connections to multiple tier-1 ISP s - Built for Continuous Availability Availability Zone Physical Datacenter Fiber

Achieving High Availability in AWS FW LB Web Web auto scaling group WEB WEB DMZ Subnet DMZ Subnet APP App App auto scaling group App Subnet App Subnet DB security group DB primary synchronous replication DB secondary security group Customer data center Customer Datacenter Database Subnet Availability Zone A Database Subnet Availability Zone B AWS Virtual Private Cloud (VPC) AWS Region

Defense in Depth

Reality of Many On-Prem Network Defenses Hard Outer Shell (Perimeter) WAF Firewall IDS/IPS DLP Soft and Gooey Middle (Datacenter) VLANs ACLs

Defense-in-Depth in AWS at the Perimeter VPN Gateway Secure DevOps Comms AWS Direct Connect Private Fiber Comms VPC w/ ACLs Stateless Firewall DMZ Subnet Web App Subnet App DB Subnet DB primary Internet Gateway Path to Public Internet (Not present by default) AWS Shield DDoS Protection AWS WAF Web Application Firewall Amazon GuardDuty Signature & Behavioral-based Intrusion Detection System using Machine Learning

Defense-in-Depth in AWS between Workloads DMZ Subnet DMZ Subnet VPCs w/ ACLs Stateless Firewall Web DMZ Security Group App Subnet Internet Gateway Path to Public Internet VPCs w/ ACLs Stateless Firewall Web DMZ Security Group App Subnet App Security Group App DB Subnet DB primary Database Security Group VPN Gateway Secure Communications over Internet Default No Communications Between VPCs VPN Peering Private network connection between VPCs App Security Group App DB Subnet DB primary Database Security Group

Defense-in-Depth in AWS inside the Workload DMZ Subnet Web Web DMZ Security Group Web Security Group Statefull Firewall between Each application tier Amazon GuardDuty Signature & Behavioral-based Intrusion Detection System using Machine Learning 3 rd Party EPS OS Anti-virus, Firewall, Host Intrusion Protection System App Subnet App App App Security Group App Security Group Does NOT allow peer-topeer communications by default Amazon CloudWatch Event Management and Alerting DB Subnet Amazon Inspector Security & Compliance assessment DB primary DB secondary Database Security Group AWS CloudTrail API Logging

Automation

Amazon GuardDuty IDS Reconnaissance Instance recon: Port probe / accepted comm Port scan (intra-vpc) Brute force attack (IP) Drop point (IP) Tor communications Account recon Tor API call (failed) Instance compromise C&C activity Malicious domain request EC2 on threat list Drop point IP Malicious comms (ASIS) Bitcoin mining Outbound DDoS Spambot activity Outbound SSH brute force Unusual network port Unusual traffic volume/direction Unusual DNS requests Account compromise Malicious API call (bad IP) Tor API call (accepted) CloudTrail disabled Password policy change Instance launch unusual Region activity unusual Suspicious console login Unusual ISP caller Mutating API calls (create, update, delete) High volume of describe calls Unusual IAM user added Detections in gray are signature based, state-less findings Detections in blue are behavioral, state-full findings / anomaly detections

Automate with integrated services Automated threat remediation GuardDuty CloudWatch Events Lambda Web Application Firewall Amazon GuardDuty Amazon CloudWatch CloudWatch Event AWS Lambda Lambda Function AWS WAF WAF Rule

AWS security solutions Identity Detective control Infrastructure security Data protection Incident response AWS Identity & Access Management (IAM) AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (WAF) Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM Amazon Macie Certificate Manager Side Encryption AWS Config Rules AWS Lambda

Workloads appropriate for AWS Web applications and websites Backup, recovery and archiving Disaster recovery Security Operations Development and test Data center migration and hybrid Mission critical applications Enterprise IT Big data High-performance computing Mobile IoT

Improving security with the cloud Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters. -Tom Soderstrom, CTO, NASA JPL For more details, see Re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/sec205e-640px.mp4)

Summary The cloud is not only secure, but through shared responsibility, well-architected solutions, and best practices, it can be more secure than the traditional on-prem datacenter!

Thank you! Questions? 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback