Learn how to increase the effectiveness of your security operations as you move to the Cloud. We will discuss how your current incident response, monitoring, and audit response tactics have to change in the Cloud. Drawing from experiences helping clients move to the Cloud, industry research, and the 'school of hard knocks', this talk will help provide practical advice you can apply today. This session is recommended for technical users who want to know how the day-to-day work of securing their on-premises workloads should change when moving to the Cloud.
Updating Security Operations for the Cloud - AWS Symposium 2014 - Washington D.C. - Partner Presentation - TrendMicro
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Security Features of AWS
Services in AWS GovCloud (US)
Alice Rison adeane@amazon.com
Mark Ryland markry@amazon.com
Mai-Lan Tomsen Bukovec mailan@amazon.com
CJ Moses cmoses@amazon.com
2. The AWS Mission
To enable businesses, governments, educational institutions, and developers to use web services to build scalable, sophisticated applications.
3. AWS GovCloud (US)
AWS exclusive government community cloud, restricted to vetted U.S. Government and U.S. commercial entities with government-oriented and regulated workloads.
4. Compliance Regimes
• International Traffic in Arms Regulations (ITAR):
– 3rd-party ITAR attestation letter
– US Persons only physical/logical access
– ITAR boundary defined in the AWS GovCloud (US) User Guide for all AWS services
• FedRAMP:
– FedRAMP Agency ATO with HHS
– NIST 800-53 security controls
– Boundary includes EC2, VPC, IAM, EBS, and S3
5. Shared Responsibility Model
• Security is a shared responsibility model
• AWS – responsible for physical security of data centers through the virtualization level up to the host operating system
• Customers – responsible for building secure applications
• AWS services provide you with the features you need to create a reliable, secure, scalable, highly available and cost-efficient IT system
6. AWS Identity & Access Management
• AWS GovCloud (US): the IAM you know and love, except:
– Disjoint principal database
– Disjoint resource/ARN namespace (including S3)
– No console access for root identity
– Challenges for cross-region features
• SAML Federation!
• EC2 resource permissions: status and plans
7. Amazon S3 Features
• Data confidentiality, integrity, and availability
• Data access restricted by default:
– Object: IAM policies, ACLs, Bucket Policies
– Log access to buckets and objects
• Plethora of encryption options:
– data in transit: FIPS 140-2 validated endpoints in AWS GovCloud (US) and SSL options
– data at rest: 256-bit Advanced Encryption Standard (AES-256) with S3 SSE
• Designed for 99.9% availability and up to eleven 9’s of durability
• Amazon S3 Versioning’s MFA Delete feature
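As an added example (not part of the deck), a bucket policy that enforces two of the controls listed above on an AWS GovCloud (US) bucket: it denies uploads that do not request SSE with AES-256, and denies every request that is not made over SSL. The bucket name EXAMPLE-BUCKET is a placeholder; the arn:aws-us-gov partition reflects the disjoint ARN namespace noted on the IAM slide.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-us-gov:s3:::EXAMPLE-BUCKET",
        "arn:aws-us-gov:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

The first statement also catches PutObject requests that omit the encryption header entirely, because a negated string condition matches when the key is absent. Bucket access logging and MFA Delete are separate bucket settings, not expressible in the policy itself.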
8. Amazon EMR security architecture (diagram: an EMR cluster with a master security group and a slave security group inside a Virtual Private Cloud, alongside Amazon S3, a web app server, and a VPN gateway to the corporate data center; numbered callouts as follows)
1. Store your input and output data in S3 using S3 Server Side Encryption
2. EMR reads and writes to S3 using https
3. EMR creates security groups for the master and slaves. You can configure them to only allow certain ports/IPs
4. Encrypt data stored on disk (optional)
5. Encrypt data in transit between nodes (optional)
6. Launch the cluster in a VPC
7. Connect to your own data center using VPN
9. Amazon EMR Features
• EC2 Security Groups
• Data is transferred to and from Amazon S3 using the FIPS validated endpoint
• Cluster specific access control
• Integration with VPC
• Cohesive with data at rest encryption
10. Amazon VPC Architecture (diagram labels: Customer’s network, Router, Secure VPN connection over the Internet, VPN gateway, Amazon Web Services cloud, Subnets, Customer’s isolated AWS resources, Internet, NAT)
11. Amazon VPC Features
• AWS GovCloud (US) – mandatory VPC
• Firewall/Security Groups
• Network Access Control Lists
• Subnets and Route Tables
• Virtual Private Gateways
• Internet Gateways
12. Ideal Workloads
• Web & Mobile Applications
• Big Data & High Performance Computing
• Mission Oriented Applications
• Disaster Recovery & Archive
13. Case Study (CDC BioSense 2.0): Organizational Benefits
• The US Centers for Disease Control and Prevention’s (CDC) mission is to improve public health.
• With the BioSense 2.0 program, the CDC is tasked with providing awareness of all health-related threats and supporting responses to these threats at the national, state, and local level.
• The CDC re-launched BioSense 2.0 on Amazon Web Services in AWS GovCloud (US) and other Regions using Amazon EC2, Amazon S3, Amazon EMR, and Amazon SES.
• Needing to avoid purchasing expensive hardware and software, the organization turned to AWS for its low cost, pay-per-use model, high availability, as well as security and compliance practices.
• The CDC leveraged service level security features in AWS GovCloud (US) to meet the confidentiality, availability and integrity security controls needed to obtain a FISMA Moderate Level ATO.
14. Learn More
• Security White Papers: http://aws.amazon.com/security/security-resources/
– AWS Security Overview
– AWS Security Best Practices
– Securing Data at Rest with Encryption
– Amazon VPC Connectivity Options
– Auditing Security Checklist
– Security at Scale: Logging in AWS
• AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us
15. Thank You!!
http://aws.amazon.com/govcloud-us