The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
The AWS Shared Security Responsibility Model in
Practice
Nirav Kothari
Principal Consultant, AWS Professional Services
12/15/2016

AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Seoul)

US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
São Paulo
China (Beijing)
Region
An independent collection of AWS
resources in a defined geography
A solid foundation for meeting location-
dependent privacy and compliance
requirements

US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
China (Beijing)
São Paulo
Availability Zone
Designed as independent failure zones
Physically separated within a typical
metropolitan region

Edge Location
collections of servers in geographically
dispersed data centers
deliver content to end users with lower latency

16 Regions
42 Availability Zones
63 Edge locations
Over 1 million active customers
Every day, AWS adds enough new server
capacity to support Amazon.com when it was a
$7 billion global enterprise.

Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by
design
Data is not replicated to other AWS regions
and doesn’t move unless you choose to move it

Data Locality in practice
Block level storage
Instance Storage (Elastic Cloud Compute - EC2)
Elastic Block Storage (EBS)
Object level storage
Simple Storage Service (S3)
Database storage
Relational Database Service (RDS)
NoSQL (DynamoDB)
Columnar (Redshift)
Caching (Elasticache)

Shared Responsibility
Who manages which parts?

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

AWS Shared Responsibility Model – Deep Dive
Will one model work for all services?
Infrastructure
Services
Container
Services
Abstract
Services

Network Traffic Protection
Encryption / Integrity / Identity
AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Server-Side Encryption
Fire System and/or Data
APIEndpoints

Infrastructure Service
Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles,
Policies)
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Operating System, Network Configuration
Customer content
Customers
for Container Services Managed by
Managed by
Client-Side Data encryption
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints

Container Service
Example – RDS
• Foundational Services –
Networking, Compute, Storage
• Platform / Application
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles,
Policies)
• High Availability
• Data Protection (Transit, Rest,
Backup)
• Scaling
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Customer content
Customers
for Abstract Services
Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
APIEndpoints
AWSIAM

• Foundational Services
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
Abstract Service
Example – S3

Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services

Shared Responsibility
What about security OF the cloud?

Security Shared Responsibility Model
AWS is responsible
for the security OF
the cloud
AWS Global
Availability Zones
Edge Locations

Auditing - Comparison
on-prem vs on AWS
Start with bare concrete
Functionally optional – you can build a secure
system without it
Audits done by an in-house team
Accountable to yourself
Typically check once a year
Workload-specific compliance checks
Must keep pace and invest in security innovation
on-prem
Start on base of accredited services
Functionally necessary – high watermark of
requirements
Audits done by third party experts
Accountable to everyone
Continuous monitoring
Compliance approach based on all workload
scenarios
Security innovation drives broad compliance
on AWS

What this means
You benefit from an environment built for the most security
sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload
sensitivity
You always have full ownership and control of your data

AWS Global
Availability Zones
Edge Locations
Meet your own security objectives
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS
consistent baseline
controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications

Navigating Shared Responsibility
Achieving accreditation or certification on
AWS is possible but how can we help?

AWS Enterprise Accelerator:
Compliance Architectures
Sample Architecture –
Security Controls Matrix
Cloudformation Templates
5 x templates
User Guide
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

Compliance Resources
https://aws.amazon.com/compliance/resources/

Education — AWS Security & Compliance
AWS Security Fundamentals
3 hour eLearning course
Target audience – Security Auditors/Analysts
It’s Free 
AWS Security Operations
3 day Instructor Lead Training
Target audience – Security Engineer/Architects
12 Modules + Labs
Self paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/

Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: awsaudittraining@amazon.com

The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS

Similar a The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS (20)

Más de Alert Logic

Más de Alert Logic (20)

Último

Último (20)

The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS