
Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com



Published in: Technology, Business


  1. Cloud Computing for the Enterprise. Dr. Werner Vogels, CTO, Amazon.com. April 24, 2012
  2. AWS Global Infrastructure [map: AWS Regions: GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo); AWS Edge Locations]
  3. Powering the Most Popular Internet Businesses
  4. Trusted by Enterprises
  5. And Government Agencies
  6. What Enterprises are Running on AWS: Business Applications; Web Applications; Big Data & High Performance Computing; Disaster Recovery & Archive
  7. The Scale of AWS: Amazon S3 Growth [chart: Total Number of Objects Stored in Amazon S3: 2.9 Billion (Q4 2006), 14 Billion (Q4 2007), 40 Billion (Q4 2008), 102 Billion (Q4 2009), 262 Billion (Q4 2010), 762 Billion (Q4 2011), 905 Billion (Q1 2012)]. Peak Requests: 650,000+ per second
  8. Our Price Reduction Philosophy [cycle diagram: Scale & Innovation … Drive Costs Down; Reduce Prices; Attract More Customers; Invest in Capital; Invest in Technology; Improve Efficiency]. 19 Price Reductions
  9. AWS Platform Overview [layer diagram: Deployment & Administration; App Services; Compute, Storage, Database, Networking; AWS Global Infrastructure]
  10. AWS Global Infrastructure: Secure, redundant Cloud infrastructure for global companies and global apps. Regions; Availability Zones; Edge Locations
  11. AWS Networking Services: Extend your enterprise infrastructure to the AWS Cloud. Amazon Virtual Private Cloud: VPN to Extend Your Network Topology to AWS. AWS Direct Connect: Private, Dedicated Connection to AWS. Amazon Route 53: Scalable Domain Name Service
  12. Compute Services: Scalable Linux and Windows compute services. Amazon EC2: Virtual Servers in the AWS Cloud. Auto Scaling: Rule-driven scaling service for EC2. Amazon Elastic Load Balancing: Virtual load balancers for EC2
  13. Storage Services: Scalable and Durable High Performance Cloud Storage. Amazon S3: Redundant, High-Scale Object Store. Amazon Elastic Block Store: Persistent block storage for EC2. AWS Storage Gateway: Seamless backup of enterprise data to S3
  14. Database Services: Scalable and Durable High Performance Cloud Storage. Amazon DynamoDB: High Performance NoSQL Database Service. Amazon RDS: Managed Oracle & MySQL Database Service. Amazon ElastiCache: Managed Memcached Service
  15. AWS App Services: Highly abstracted services that replace software for commonly needed application functionality. Amazon CloudFront: Global Content Delivery Service. Amazon CloudSearch: Managed Search Service that Automatically Scales. Amazon SWF: Simple Workflow Service. Amazon SNS: Simple Notification Service. Amazon SQS: Simple Queuing Service. Amazon SES: Simple Transactional Email Service
  16. Ecosystem App Services: 3rd party highly abstracted services that replace software for commonly needed application functionality… and already run on AWS. Security Services; Log Analysis Services; Developer Services; BI Services; Test Services
  17. Deployment & Administration. AWS Ecosystem: 3rd party managed services that replace software for commonly needed application functionality… and already run on AWS. AWS Management Console: Web-based management interface. Amazon Elastic MapReduce: Big Data Analytics Service. AWS IAM: Identity & Access Management. Amazon CloudWatch: Automated monitoring & alerts. AWS CloudFormation: Automated AWS resource provisioning. AWS Elastic Beanstalk: Java & PHP App deployment & management
  18. AWS Pace of Innovation… [bar chart: launches per year, 2007: 9, 2008: 24, 2009: 48, 2010: 61, 2011: 82; each bar is annotated "Including:" with launches such as Amazon EBS, AWS Mngmt Console, EC2 Availability Zones, EC2 Elastic IP Addresses, Amazon CloudFront, AWS Import/Export, Amazon SimpleDB, EC2 Elastic Load Balance, EC2 Auto Scaling, EC2 Reserved Instances, Amazon EMR, Amazon RDS, Amazon VPC, AWS Singapore Region, AWS Tokyo Region, AWS Oregon Region, Micro Instances for EC2, Cluster Instances for EC2, Amazon Linux AMI, VM Import for EC2, Amazon S3 SSE, S3 Bucket Policies, RDS Multi-AZ Support, RDS Reserved Databases, Amazon RDS for Oracle, Amazon Route 53, Amazon SNS, SMS Text Notification, Amazon SES (Beta), AWS IAM Beta, Elastic Beanstalk (Beta), AWS CloudFormation, AWS Direct Connect, AWS GovCloud (US), Amazon ElastiCache, VPC Virtual Networking, VPC Dedicated Instances, CloudFront Live Streaming, Amazon FPS, SAP RDS on EC2, SAP BO on EC2, Oracle Apps on EC2, IBM Apps on EC2, Win Srv 2003, Win Srv 2008 on EC2, Win Srv 2008 R2 on EC2, SUSE Linux on EC2, Red Hat Enterprise on EC2]
  19. …Continuing in the First Quarter of 2012 [bar chart: launches per month for January, February and March, bars labelled 6, 7 and 15; items listed: Amazon DynamoDB; Amazon DynamoDB in Europe; Amazon DynamoDB in Japan; AWS Storage Gateway; Storage Gateway in South America; Amazon Simple Workflow Service; CloudFront Live Streaming; CloudFront Lowers Content Expiration; Route 53 Latency Based Routing; PHP and Git for Elastic Beanstalk; Beanstalk Resource Permissions; RDS Increases Backup Retention; Amazon RDS Free Trial program; Amazon RDS on Amazon VPC; IAM Password Management; IAM User Access to Account Billing; AWS IAM Identity Federation; Amazon EC2 Medium Instances; 64-bit AMI on Small & Medium; ElastiCache in Oregon and Sao Paulo; Windows Free Usage Tier; Amazon S3 Lower Prices; EC2, RDS, ElastiCache Lower Prices; EC2 Linux Login from Console; New Premium Support Features; AWS CloudFormation for VPC; New AWS Direct Connect Locations; New Osaka and Milan Edge Locations]
  20. AWS Direct Connect: Private secure connection to AWS; Bypass the public Internet; High bandwidth and predictable latency [diagram: Corporate Data Center connected to the AWS Cloud by AWS Direct Connect, with the Internet path shown alongside]
  21. AWS Storage Gateway: Easily backup on-premises data to AWS. Store snapshots in Amazon S3 for backup and disaster recovery. Simple software appliance - no changes required to your on-premises architecture [diagram: Your Data Center, AWS Storage Gateway, Snapshots in S3, Amazon S3]
  22. Amazon Simple Workflow Service (Amazon SWF): Run application workflows and business processes on AWS. Manage processes across Cloud, mobile and on-premises environments. Use any programming language for workflow logic
  23. Amazon DynamoDB: Non Relational (NoSQL) Database. Fast & predictable performance. Seamless Scalability. Zero administration
  24. Amazon CloudSearch: Fully managed search service. Up and running in less than an hour. Automatically scales for data and traffic. Starting at less than $100 / month
  25. PHP & Git Deployment for AWS Beanstalk: Run and manage existing PHP applications with no changes to application code. Provides full control over the Linux infrastructure and the software [diagram: Your App (PHP) deployed with git push to Elastic Beanstalk: Apache HTTP Server, Elastic Load Balancer, yourApp.elasticbeanstalk.com]
  26. AWS Marketplace: Find, buy and run software running on AWS. More than 250 listings at launch. Sell your software or SaaS app to our hundreds of thousands of customers. aws.amazon.com/marketplace
  27. The AWS Mission: Enable businesses and developers to use web services to build scalable, sophisticated applications.
  28. The Seven Transformations of Cloud Computing
  29. A common misconception: cloud computing is only about… Saving money; Doing things faster
  30. Cloud Transforms what’s possible
  31. Transformation 1: Distributed Architectures Made Easy. High Availability
  32. Building Distributed Architectures with Traditional Infrastructure is Difficult
  33. Cloud Computing Makes This Easier. Distributed Infrastructure: AWS Regions, Availability Zones. Multi-AZ Services: S3, DynamoDB, RDS. Building Blocks: EC2 Instances, Elastic Load Balancer. Loosely Coupled Process Coordination: SWF, SNS, SQS
  34. Architecture Templates for Common Patterns (Microsoft SharePoint). aws.amazon.com/architecture
  35. … open source Simian Army coming soon
  36. Transformation 2: Embracing the security advantages of shared systems
  37. Flexibility to Choose the Right Security Model for Each Application. Every Customer Gets the Highest Level of Security [diagram: Applications (Your Apps) layered on Infrastructure (AWS Security Infrastructure): SOC 1/SSAE 16/ISAE 3402, ISO 27001, PCI DSS, HIPAA, ITAR, FISMA Moderate, FIPS 140-2]
  38. Transformation 3: From Scaling by Architecture … to Scaling By Command [cartoon: “Kit, go faster” / “Yes Michael”]
  39. Scaling by Architecture: NoSQL Database Cluster: Set up more servers; Config & Tune; Shard & Repartition; Rinse & Repeat
  40. Scaling by Command with Amazon DynamoDB: Data is automatically spread across enough hardware to deliver single digit millisecond latency.
  41. Transformation 4: A Supercomputer in the Hands of Every Developer
  42. Supercomputers Today are Privileges of the Elite: Expensive; Rationed time; Only for the “highest value” jobs
  43. Supercomputers by the Hour… for Everyone. AWS built the 42nd fastest supercomputer in the world: 1,064 Amazon EC2 CC2 instances with 17,024 cores; 240 teraflops cluster (240 trillion calculations per second); Less than $1,000 per hour
  44. Develops leading computational chemistry algorithms
  45. Instead of $20M in datacenter spend… 51,132 Cores… 3 Hours… $4,828/hour…
  46. Transformation 5: Experiment Often & Fail Quickly
  47. Traditional Infrastructure Drives up the Cost of Failure … Innovation Suffers. How many big ticket technology ideas can your budget tolerate?
  48. Experiment Often & Fail Quickly with AWS: Cost of failure falls dramatically; People are free to try out new ideas; More risk taking, more innovation
  49. Transformation 6: Big Data without Big Servers
  50. Attacking Big Data Problems Shouldn’t Be This Complicated: Storing Massive Data Volumes Into A Huge Data Warehouse; Investing In Expensive Server Clusters To Process The Data
  51. The Cloud Makes This a Lot Simpler: 1. Load Data in the Cloud (Amazon S3, Amazon DynamoDB); 2. Organize & Analyze Data (Hadoop Clusters, Amazon EMR); 3. Visualize Results
  52. Transformation 7: Mobile Ecosystem for a Mobile-First World
  53. Building Mobile Applications on Your Own is Hard
  54. What Your Mobile App Requires: Rich media experience; Multi-device access; Location context aware; Real-time presence driven; Social graph based; User generated content; Virtual goods economy; Recommendations; Integration with social networks; Advertisement; Premium support
  55. Cloud Mobile Ecosystem
  56. PBS Video for iPad (Launched Nov ‘10); PBSKids Video for iPad (Launched April ‘11)
  57. Fun With Numbers - February 2012. Total Video: Unique visitors: 30M/mo; Visits: 57M/mo; Page views: 367M/mo; Video streams: 145M/mo; Hours watched: 2.3M/mo. Mobile Video: 115k unique visitors per day; 310k daily app opens; 27% of hours watched, 40% of streams
  58. Thank You!
  59. How Enterprises are using the AWS Cloud. Dan Powers, VP, Global Sales and Business Development
  60. Trusted by Enterprises throughout the world
  61. Why?
  62. On-Premise Infrastructure is Costly & Complex: Large Capital Expenditures; Underutilized IT Assets; Patching Software; Out of Datacenter Space; Scaling down as needed; Slow IT Deployments; Contract negotiation; Scaling up quickly; Prices too high for IT products; Managing physical growth. “IT spends 80% of its time and resources keeping the lights on”
  63. Key benefits to running in the AWS Cloud: No Up-Front Capital Expense; Low Variable Pricing; Pay Only for What You Use; Self-Service Infrastructure; Easily Scale Up and Down; Improve Agility & Time to Market
  64. No Up-Front Capital Expense. On-Premise: Up-Front Costs (Physical Space, Cabling, Power, Cooling, Networking, Racks, Servers, Storage, Certification, Labor). Cloud Computing: Variable Costs; $0 to Get Started
  65. Low Cost [cycle diagram: Scale & Innovation … Drive Costs Down; Reduce Prices; Attract More Customers; Invest in Capital; Invest in Technology; Improve Efficiency]. “TCO savings inherent in a cloud provider’s environment relative to that of a traditional enterprise datacenter may be as high as 60%.” Morgan Stanley Research, Cloud Computing Takes Off
  66. Pay Only for What You Use [chart: Compute Power over Time; Actual Usage against Predicted Usage; the gaps are labelled Waste and Customer Dissatisfaction]
  67. Self-Service Infrastructure. On-Premise: Building new environments can be complex and slow (Needs Survey, Assess, Plan, Design, Engineer, Procure, Construct, Commission, Deploy; Source: PTS Data Center Solutions). Cloud Computing: New infrastructure is always a few clicks away (New Development Environment; New Test Environment; New Environment in Japan; Add 1,000 Servers; Remove 1,000 Servers)
  68. Easily Scale Up and Down. Internet Video App on Amazon EC2: From 50 to 5,000 servers in 3 days [chart: Number of EC2 Instances, 0 to 5,000, Monday through Sunday; Launch of Facebook application; Scaled to peak of 5,000 instances in 3 days]. Source: The Animoto Blog
  69. Cloud Computing is More Than Just Virtualization [table: Cloud Computing vs On-Premise Virtualization for Self-Service Infrastructure, No Up-Front Capital Expense, Low Cost, Pay Only for What You Use, Easily Scale Up and Down, Improve Agility & Time-to-Market; Cloud Computing is ticked on every row; On-Premise Virtualization is marked “?” for Self-Service Infrastructure and with an icon that did not survive extraction on the other rows]
  70. What Analysts are Saying about AWS: Infrastructure-as-a-Service Leader in 2011 (Gartner IaaS Magic Quadrant); Leader in 2011 (Forrester Hadoop Wave); Market Share Leader
  71. AWS Global Infrastructure [map: AWS Regions: GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo); AWS Edge Locations]
  72. Built for Enterprise Security. Standards Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM; FISMA Moderate Compliant Controls; HIPAA & ITAR Compliant Architecture. Physical Security: Datacenters in nondescript facilities; Physical access strictly controlled; Must pass two-factor authentication at least twice for floor access; Physical access logged and audited. HW, SW, Network: Systematic change management; Phased updates deployment; Safe storage decommission; Automated monitoring and self-audit; Advanced network protection. aws.amazon.com/security
  73. [diagram: Your Network (10.2.1.1) connected over the Internet by VPN to a Virtual Private Cloud (10.1.1.1) running Enterprise Apps On AWS]
  74. [diagram: Your Network (10.2.1.1) connected by AWS Direct Connect to Enterprise Apps On AWS (10.1.1.1); the Internet path is shown separately]
  75. What Enterprises are Running on AWS: Business Applications; Web Applications; Big Data & High Performance Computing; Disaster Recovery & Archive
  76. Business apps are more efficient in the cloud
  77. A Variety of Partner Choices..
  78. A Variety of Enterprise Products and Licensing Options.. License Mobility; Hourly Licensing; Popular Applications: Oracle Applications, Oracle Fusion Middleware, Oracle DB 11g, SAP ERP/A1, SAP Business Objects, SAP Rapid Deployment Solutions, Microsoft SharePoint Server, Microsoft Server and Tools, Microsoft Windows Server Apps, IBM DB2 and Informix, IBM WebSphere, IBM Lotus, Tivoli, etc., RedHat Enterprise Linux, JBOSS, Gluster
  79. Amazon Corporate IT Deploys Mission-Critical Corporate Intranet running SharePoint 2010 to AWS Cloud. Benefits: Infrastructure Procurement Time reduced from over four to six weeks to minutes. Server Image Build Process that had previously taken a half day is now automated. Annual Infrastructure Costs cut by 22 percent when replacing on-premise hardware with equivalent cloud resources. Eliminating Operational Overhead of server lease returns, freeing up approximately 2 weeks of engineering overhead per year by replacing servers with equivalent cloud resources.
  80. “The AWS Cloud brings business agility as Shell is able to deploy services much more quickly” - Johan Krebers, Vice President of Architecture. Enterprise case study: Using AWS since 2010; Operationalizing their cloud strategy; Shell Foundation Platform – an IT framework – is AWS approved; Core operational applications running in production on AWS; Default for new apps: AWS. Business Benefits: No minimum commitment up front and pay per use brings significant savings; Fast provisioning within minutes for many applications; Elasticity – the ability to expand and contract IT infrastructure as needed
  81. “This is a fantastic cloud use case for our company – a truly live production environment with dynamic content.” - Rob Prager, Director of IT. Use of AWS: Insurance and Financial Services company with over 15M customers. Address security challenges while handling customer data in a regulated industry. Amazon AWS services leveraged to deliver Trend Micro SecureCloud. Business Benefit: Cloud-hosted service approved by security and privacy officers. Compliant with data privacy requirements in the U.S. and Europe. E-signature application in production.
  82. Project: Started in Jan 2008, 5 FTE; Focus: IT Automation on IaaS; SAP Self-service since March 2008; Enables unlimited # systems in clouds; Weekly Feature Extensions. Usage: 276 Cloud Appliances; >600 SAP employees as direct users from >16 countries; >10,000 SAP systems provisioned; Cost Savings based on 1. Less expensive Hardware Hosting 2. IT Process Automation. AWS Footprint: 1,100 new SAP systems; 42,086 EC2 Instance Hours; 39 TB EBS Storage; 3 TB S3 Storage. Top 3 Consuming Departments – Avg. Cost Saving Rate: 77%: Customer Workshops (215 SAP Systems, $15 / SAP system, 26 hrs / SAP system, Status: Productive); Customer Trainings (111 SAP Systems, $42 / SAP system, 82 hrs / SAP system, Status: Pilot + Ramp up); Customer Demos (118 SAP Systems, $76 / SAP system, 119 hrs / SAP system, Status: Productive + Ramp up). Source: SAP
  83. Enterprises getting to value quickly in the cloud
  84. Samsung saved $34M on their Smart Hub application. Problem: Needed to reduce IT costs and were looking to create a more flexible IT environment. Solution: AWS’s low, pay-as-you-go prices and reliable services. With every request, the application authenticates devices, delivers apps and content, and pushes notifications. Business Benefits: Saved $34M in hardware and maintenance expenses, 85% less than running on-premises
  85. The Guardian easily responds to the unpredictable demand of new applications. Problem: Building new online services and they needed the ability to easily respond to large-scale unpredictable demand. Solution: The scale and reliability of the AWS Cloud. GNM uses AWS for its Apple iPhone application and Content API service. Business Benefits: Reduced server configuration from 3 weeks to 30 minutes. Able to meet availability SLAs even with significant demand peaks after the service launched.
  86. FCBarcelona Responds to its Game Day Demand Peaks with AWS, Saving Money. Use of AWS: FCBarcelona’s websites, ecommerce, and mobile applications. Use Amazon EC2, Amazon CloudFront, Amazon RDS, Amazon Route 53, and many other services. Business Benefits: Easily respond to game day peaks. Improved time-to-market
  87. “IaaS will significantly change the way IT will deliver infrastructure services to the business. We selected AWS because they are a leader in that field.” - Yves Martelle, Global Director of Infrastructure. Enterprise Case Study: Started moving Internet and Intranet workloads to AWS in early 2011; Runs 15 production applications on AWS; Used Amazon VPC to connect its datacenter to the AWS cloud. Business Benefit: Open and flexible platform allows Schneider to run Java and .NET apps on Windows and Linux virtual servers; Increased IT agility by rolling out new applications faster on AWS
  88. Enterprises are scaling elastically in the cloud
  89. Bank – Credit-Risk Simulation. “The AWS platform was a good fit for its unlimited and flexible computational power to our risk-simulation process requirements. With AWS, we now have the power to decide how fast we want to obtain simulation results, and, more importantly, we have the ability to run simulations not possible before due to the large amount of infrastructure required.” – Castillo, Director, Bankinter. Average time-to-solution down from 23 hours to 20 minutes
  91. “We see continued value in using the AWS cloud because of the flexibility and the scalability. We have a long queue of projects and we envision using AWS to help us get there.” Jeff Sternberg, Data Science Lead, Capital IQ / Standard & Poors. Big Data Case Study: Recommendation engine for investment bankers looking for new ideas; Leverages EC2, EMR, S3, VPC; EMR pulls data from S3 for processing and pushes the results into a SQL database. Business Benefit: EMR and S3 provided a low-cost and high-performance foundation for parallel applications; Increased security by using VPC to extend corporate datacenter into the AWS cloud
  92. “Unilever’s digital data program now processes genetic sequences twenty times faster—without incurring higher compute costs. In addition, its robust architecture supports ten times as many scientists, all working simultaneously.” - Pete Keeley, Unilever Research’s eScience IT Lead for Cloud. The Story: New biology and informatics program promotes access to public data studies; Underlying architecture must keep pace with expanding scientific discoveries; Simple but robust solution combines Amazon EC2, Amazon RDS, and Amazon S3 with the open-source workflow system, eHive. Business Benefit: Ten times as many scientists can process simultaneously, compared to non-cloud architecture; Genetic sequence processing is twenty times faster, without increasing compute costs; Both companies are confident that the AWS-based program helps Unilever’s scientists create market-leading innovations
  93. Enterprises are protecting their data in the cloud
  94. Haven Power. “The primary driver wasn’t cost, but rather the ability to set up the infrastructure even though we recognized the design was changing.” - Paul Armstrong, Business Systems Manager. Use of AWS: U.K.-based electric company; Needed flexible disaster recovery; AWS offered flexibility, proven services, lower cost; Smart421 able to quickly translate requirements into a solution; Running disaster recovery, testing, and development on AWS; Planning big data projects on AWS. Business Benefit: Flexible DR architecture at low cost; Avoided large up-front investment; IT and Operations are more responsive to the business; New builds that used to take days now take hours
  95. Archive Vaulting solution. “Since 2003 we used IT-Lifeline to safeguard our corporate data and provide data center, technology, and workspace recovery if adversity strikes. Because they have delivered their promise of recovery on multiple occasions, we feel confident in expanding our relationship with IT-Lifeline.” Jim Brockett, Chief Information Officer, Washington Trust Bank. Business Benefits: Complete elimination of tape from the archival process; Faster recovery speeds; Protects 246 nodes and 40TB daily
  96. Fortune 400 Customer Uses Sonian to Migrate Archiving to AWS. Business Problem: Had a legacy on-prem archive system that wasn’t keeping up with their incoming data – 10K mailboxes; Challenged to find support for Lotus Domino archiving; Needed support for early-case assessment and internal investigations. AWS Solution: Sonian’s email archiving platform to enable: Enhanced early case assessment activities; Intuitive search capabilities; Cost-effective archiving solution. Business Benefit: Reduced risk on company’s early case assessment; Enabled search across millions of archived emails to facilitate eDiscovery as well as worker productivity; 50% less cost than on-premise archiving; Reduced overhead on IT staff to support archiving
  97. Next Steps. Learn more on Enterprise Cloud Computing: aws.amazon.com/enterprise. Get started with a free trial: aws.amazon.com/free
  98. Thank You!
  99. Cloud Computing for the Enterprise | London. WiFi access: Network: WCH; Username: AMAZON; Password: P6FW3HY. #hashtag #AWSLondon
  100. AWS: Overview of Security Processes. Stephen Schmidt, Chief Information Security Officer
  101. AWS Security Model Overview. Certifications & Accreditations: Sarbanes-Oxley (SOX) compliance; ISO 27001 Certification; PCI DSS Level I Certification; HIPAA compliant architecture; SAS 70 (SOC 1) Type II Audit; FISMA Low & Moderate ATOs; DIACAP MAC III-Sensitive; Pursuing DIACAP MAC II-Sensitive. Shared Responsibility Model: Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance; Application level security, including password and role based access; Host-based firewalls, including Intrusion Detection/Prevention Systems; Separation of Access. Physical Security: Multi-level, multi-factor controlled access environment; Controlled, need-based access for AWS employees (least privilege). Management Plane Administrative Access: Multi-factor, controlled, need-based access to administrative host; All access logged, monitored, reviewed; AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data. VM Security: Multi-factor access to Amazon Account; Instance Isolation: Customer-controlled firewall at the hypervisor level, Neighboring instances prevented access, Virtualized disk management layer ensures only account owners can access storage disks (EBS); Support for SSL end point encryption for API calls. Network Security: Instance firewalls can be configured in security groups; The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block); Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
  102. Shared Responsibility Model. AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure. Customer: Operating System; Application; Security Groups; Network ACLs; Network Configuration; Account Management
  103. AWS Security Resources: http://aws.amazon.com/security/ Security Whitepaper; Risk and Compliance Whitepaper; Latest Versions May 2011, January 2012 respectively; Regularly Updated; Feedback is welcome
  104. AWS Certifications: Sarbanes-Oxley (SOX); ISO 27001 Certification; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant; SAS70 (SOC 1) Type II Audit; FISMA A&As: Multiple NIST Low Approvals to Operate (ATO), NIST Moderate, GSA issued ATO, FedRAMP; DIACAP MAC III Sensitive IATO. Customers have deployed various compliant applications such as HIPAA (healthcare)
  105. SOC 1 Type II. Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security to safeguard customer data. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This report is available to customers under NDA.
  106. SOC 1 Type II – Control Objectives: Control Objective 1: Security Organization; Control Objective 2: Amazon Employee Lifecycle; Control Objective 3: Logical Security; Control Objective 4: Secure Data Handling; Control Objective 5: Physical Security; Control Objective 6: Environmental Safeguards; Control Objective 7: Change Management; Control Objective 8: Data Integrity, Availability and Redundancy; Control Objective 9: Incident Handling
  107. ISO 27001. AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.
  108. Physical Security. Amazon has been building large-scale data centers for many years. Important attributes: Non-descript facilities; Robust perimeter controls; Strictly controlled physical access; 2 or more levels of two-factor auth. Controlled, need-based access for AWS employees (least privilege). All access is logged and reviewed
  109. [map: AWS Regions: GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo); AWS Edge Locations]
  110. AWS Regions and Availability Zones: Customer Decides Where Applications and Data Reside
  111. AWS Identity and Access Management. Enables a customer to create multiple Users and manage the permissions for each of these Users. Secure by default; new Users have no access to AWS until permissions are explicitly granted. AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials. Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
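The "secure by default" statement on slide 111 rests on how IAM evaluates a request: nothing is permitted unless some policy statement explicitly allows it, and an explicit Deny overrides any Allow. The evaluator below is an added illustration written for this page, not AWS's own code. The Effect/Action/Resource shape and the evaluation order are real IAM semantics; the policy documents, the hypothetical backup-operator User, the bucket name example-backups and the sample requests are constructed for the example.

```python
"""Minimal IAM-style policy evaluator (added illustration, not AWS code).

Evaluation order modelled here:
  1. a request starts out implicitly denied (a new User with no policies can do nothing);
  2. any matching statement with Effect "Deny" wins immediately;
  3. otherwise a matching statement with Effect "Allow" permits the request.
"""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    # IAM accepts Action and Resource as a string or a list, with '*' wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    policies: the policy documents attached to the calling IAM User.
    """
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"   # a matching Deny short-circuits everything
                if stmt["Effect"] == "Allow":
                    allowed = True           # remember it, but keep scanning for a Deny
    return "allow" if allowed else "implicit_deny"


def is_permitted(policies, action, resource):
    return evaluate(policies, action, resource) == "allow"


# Constructed sample policies for a hypothetical backup-operator User.
READ_ONLY_BACKUPS = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-backups*"},
    ]
}
BROAD_S3 = {
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}
DENY_DELETES = {
    "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-backups/2012-04/db.dump"
    print("new User, no policy:", evaluate([], "s3:GetObject", obj))
    print("read-only policy:   ", evaluate([READ_ONLY_BACKUPS], "s3:GetObject", obj))
    print("broad allow + deny: ", evaluate([BROAD_S3, DENY_DELETES], "s3:DeleteObject", obj))
```

The practical point for least privilege: attaching a broad Allow (s3:*) and then "fixing" it with a Deny works because Deny always wins, but the smaller READ_ONLY_BACKUPS policy never needed the Deny at all, since everything it does not mention stays implicitly denied.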
  112. AWS MFA Benefits: Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you; Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console; Adds an extra layer of protection to sensitive information, such as your AWS access identifiers; Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
  113. Amazon EC2 Security. Host operating system: Individual SSH keyed logins via bastion host for AWS admins; All accesses logged and audited. Guest operating system: Customer controlled at root level; AWS admins cannot log in; Customer-generated keypairs. Firewall: Mandatory inbound instance firewall, default deny mode; Outbound instance firewall available in VPC; VPC subnet ACLs. Signed API calls: Require X.509 certificate or customer’s secret AWS key
  114. Amazon EC2 Instance Isolation [diagram: Customer 1, Customer 2 … Customer n instances above a Hypervisor; Virtual Interfaces; per-customer Security Groups; Firewall; Physical Interfaces]
  115. Virtual Memory & Local Disk [diagram: Amazon EC2 Instances with Encrypted File System and Encrypted Swap File]. Proprietary Amazon disk management prevents one Instance from reading the disk contents of another. Local disk storage can also be encrypted by the customer for an added layer of security
  116. Network Security Considerations. DDoS (Distributed Denial of Service): Standard mitigation techniques in effect. MITM (Man in the Middle): All endpoints protected by SSL; Fresh EC2 host keys generated at boot. IP Spoofing: Prohibited at host OS level. Unauthorized Port Scanning: Violation of AWS TOS; Detected, stopped, and blocked; Ineffective anyway since inbound ports blocked by default. Packet Sniffing: Promiscuous mode is ineffective; Protection at hypervisor level
  117. Amazon Virtual Private Cloud (VPC). Create a logically isolated environment in Amazon’s highly scalable infrastructure. Specify your private IP address range into one or more public or private subnets. Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists. Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups. Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet. Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect. Use a wizard to easily create your VPC in 4 different topologies
  118. Amazon VPC Architecture [diagram: Customer’s isolated AWS resources (Subnets, NAT, Router) inside the Amazon Web Services Cloud; VPN Gateway; Secure VPN Connection over the Internet and AWS Direct Connect – Dedicated Path/Bandwidth, both leading to the Customer’s Network]
  119. Amazon VPC Network Security Controls
  120. Amazon VPC - Dedicated Instances: New option to ensure physical hosts are not shared with other customers; $10/hr flat fee per Region + small hourly charge; Can identify specific Instances as dedicated; Optionally configure entire VPC as dedicated
  121. AWS Deployment Models [table: columns Logical Network Isolation, Logical Server Isolation, Granular Information Access Policy, Physical Network Isolation, Physical server and Facility Isolation, Government Only (US Persons Only), ITAR Compliant, Sample Workloads. Commercial Cloud: ticks in 3 columns; Public facing apps, Web sites, Dev test etc. Virtual Private Cloud (VPC): ticks in 5 columns; Data Center extension, TIC environment, email, FISMA low and Moderate. AWS GovCloud (US): ticks in all 7 columns; US Persons Compliant and Government Specific Apps. The exact tick positions did not survive extraction]
  122. Thanks! Remember to visit https://aws.amazon.com/security
  123. Cloud Computing for the Enterprise | London. WiFi access: Network: WCH; Username: AMAZON; Password: P6FW3HY. #hashtag #AWSLondon
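Slide 113 lists signed API calls (an X.509 certificate or the customer's secret AWS key) among the EC2 controls. The block below is an added example of what a secret-key signature gives the service side; it is a simplified HMAC-SHA256 scheme written for this page, not AWS's Signature Version 2 or 4 and not AWS code. The key store (EXAMPLE-KEY-ID / example-secret), the host ec2.example.test and the timestamps are constructed for the example. The service recomputes the signature over a canonical form of the request, so a modified parameter, an unknown key id or a replayed old request fails verification.

```python
"""Simplified HMAC request signing and verification (added example).

Not AWS's Signature Version 2 or 4; the canonical form and the replay window
are illustrative. The secret never travels with the request: only the key id
and the resulting signature do.
"""
import hashlib
import hmac
from urllib.parse import quote

MAX_SKEW_SECONDS = 300  # reject requests whose Timestamp is far from the server clock

# Constructed key store; a real service would look the secret up by key id.
KEYSTORE = {"EXAMPLE-KEY-ID": "example-secret"}


def canonical_string(method, host, path, params):
    # Sorting the parameters makes the string independent of the order the client sent them.
    encoded = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}" for k, v in sorted(params.items())
    )
    return "\n".join([method.upper(), host.lower(), path, encoded])


def _signature(secret_key, method, host, path, params):
    msg = canonical_string(method, host, path, params).encode()
    return hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()


def sign_request(secret_key, access_key_id, method, host, path, params, timestamp):
    """Client side: return the query parameters with AccessKeyId, Timestamp and Signature added."""
    signed = dict(params, AccessKeyId=access_key_id, Timestamp=timestamp)
    signed["Signature"] = _signature(secret_key, method, host, path, signed)
    return signed


def verify_request(lookup_secret, method, host, path, params, now):
    """Service side: True only if the signature covers exactly this request and it is fresh."""
    params = dict(params)
    sig = params.pop("Signature", None)
    key_id = params.get("AccessKeyId")
    ts = params.get("Timestamp")
    if sig is None or key_id is None or ts is None:
        return False
    secret = lookup_secret(key_id)
    if secret is None:
        return False  # unknown key id: nothing to verify against
    try:
        if abs(now - int(ts)) > MAX_SKEW_SECONDS:
            return False  # stale or replayed request
    except ValueError:
        return False
    expected = _signature(secret, method, host, path, params)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    issued_at = 1700000000  # constructed epoch timestamp
    req = sign_request("example-secret", "EXAMPLE-KEY-ID", "GET", "ec2.example.test", "/",
                       {"Action": "DescribeInstances"}, issued_at)
    print("genuine request:", verify_request(KEYSTORE.get, "GET", "ec2.example.test", "/", req, issued_at + 10))
    tampered = dict(req, Action="TerminateInstances")
    print("tampered request:", verify_request(KEYSTORE.get, "GET", "ec2.example.test", "/", tampered, issued_at + 10))
```

Two details carry most of the value: the signature is bound to the method, host and path as well as the parameters, so the same signed query cannot be redirected to another endpoint, and the timestamp check bounds how long a captured request stays usable.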
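Slide 117 contrasts stateless Network Access Control Lists with stateful Security Groups. The simulation below is an added example written for this page (not AWS code) that runs one outbound HTTPS connection and its reply through both kinds of filter. The addresses 10.0.1.5 and 198.51.100.7, the rule sets, the rule numbers and the port ranges are constructed for the example. It shows the practical consequence of statelessness: a NACL with no inbound rule for the ephemeral port range drops the reply that the security group lets through on the strength of its connection table.

```python
"""Stateless NACL vs stateful security group, simulated on one HTTPS exchange (added example)."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # port range on which replies to outbound connections arrive


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (toward the instance) or "outbound"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _rule_matches(rule, pkt):
    proto, (lo, hi), cidr = rule
    # Inbound rules constrain the remote source; outbound rules constrain the remote destination.
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (proto == pkt.proto and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


class NetworkAcl:
    """Stateless subnet filter: every packet, replies included, must match an explicit allow."""

    def __init__(self, inbound, outbound):
        # Rules are (number, "allow"|"deny", proto, (lo, hi), cidr); lowest number that matches wins.
        self.rules = {"inbound": sorted(inbound), "outbound": sorted(outbound)}

    def allows(self, pkt):
        for _num, action, proto, ports, cidr in self.rules[pkt.direction]:
            if _rule_matches((proto, ports, cidr), pkt):
                return action == "allow"
        return False  # the implicit final deny


class SecurityGroup:
    """Stateful instance filter: allow-only rules plus a connection table for return traffic."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}  # (proto, (lo, hi), cidr)
        self.flows = set()

    def allows(self, pkt):
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True  # reply to a flow that was already permitted
        if any(_rule_matches(rule, pkt) for rule in self.rules[pkt.direction]):
            self.flows.add(flow)
            return True
        return False


def https_fetch_results(nacl):
    """Push an outbound HTTPS request and its reply through a security group and the given NACL."""
    sg = SecurityGroup(inbound=[("tcp", (22, 22), "10.0.0.0/16")],
                       outbound=[("tcp", (443, 443), "0.0.0.0/0")])
    request = Packet("outbound", "tcp", "10.0.1.5", 50000, "198.51.100.7", 443)
    reply = Packet("inbound", "tcp", "198.51.100.7", 443, "10.0.1.5", 50000)
    return {
        "request_sg": sg.allows(request), "request_nacl": nacl.allows(request),
        "reply_sg": sg.allows(reply), "reply_nacl": nacl.allows(reply),
    }


# Constructed NACLs: the first forgets that replies come back on ephemeral ports.
NACL_MISSING_RETURN = NetworkAcl(
    inbound=[(100, "allow", "tcp", (22, 22), "10.0.0.0/16")],
    outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])
NACL_WITH_RETURN = NetworkAcl(
    inbound=[(100, "allow", "tcp", (22, 22), "10.0.0.0/16"),
             (110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])

if __name__ == "__main__":
    print("NACL without ephemeral rule:", https_fetch_results(NACL_MISSING_RETURN))
    print("NACL with ephemeral rule:   ", https_fetch_results(NACL_WITH_RETURN))
```

When an instance in a VPC can open a connection but never sees the response, the asymmetry between the two filters is the first thing to check: the security group tracks the flow, the NACL does not.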
