Cyber Security: Scenarios and Strategies
Jusef Khamlichi, Information & Cyber Security Advisor, P4I
Source: Global Risks 2017, World Economic Forum
World Economic Forum:
• cyber attacks represent a very likely threat with a high impact
Clusit report:
• an overall economic damage of around 500 billion US dollars
• From 2014 to 2018: +78% serious attacks
• In the 2018-2019 two-year period the number of serious attacks grew 10 times compared with the previous two-year period
Attack techniques
• ExPetr/NotPetya: the most serious attack ever, 10 billion US$
• Phishing: +104%
• Account cracking: +88%
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Governance on AWS
Carmela Gambardella
AWS Solutions Architect – Public Sector
Giuseppe Russo
AWS Security Assurance Manager
November 2019
A Definition
Security governance is meant to support business objectives by defining policies & controls to manage risk
(diagram: Framework → Policies → Business Outcomes; Manage Risks)
Strengthen your security posture
• Over 50 global compliance certifications & accreditations
• Benefit from AWS industry leading security teams 24/7, 365 days a year
• World-class network performance and capabilities
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
“Based on our experience, I believe that we can be even more
secure in the AWS Cloud than in our own data center.”
Tom Soderstrom – CTO NASA JPL
The shared responsibility model
Customers: responsible for security “IN” the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)
AWS: responsible for security “OF” the cloud
• Software
• Hardware / AWS global infrastructure
Global
• CSA: Cloud Security Alliance Controls
• ISO 9001: Global Quality Standard
• ISO 27001: Security Management Controls
• ISO 27017: Cloud Specific Controls
• ISO 27018: Personal Data Protection
• PCI DSS Level 1: Payment Card Standards
• SOC 1: Audit Controls Report
• SOC 2: Security, Availability, & Confidentiality Report
• SOC 3: General Controls Report
United States
• CJIS: Criminal Justice Information Services
• DoD SRG: DoD Data Processing
• FedRAMP: Government Data Standards
• FERPA: Educational Privacy Act
• FIPS: Government Security Standards
• FISMA: Federal Information Security Management
• GxP: Quality Guidelines and Regulations
• FFIEC: Financial Institutions Regulation
• HIPAA: Protected Health Information
• ITAR: International Arms Regulations
• MPAA: Protected Media Content
• NIST: National Institute of Standards and Technology
• SEC Rule 17a-4(f): Financial Data Standards
• VPAT/Section 508: Accessibility Standards
Asia Pacific
• FISC [Japan]: Financial Industry Information Systems
• IRAP [Australia]: Australian Security Standards
• K-ISMS [Korea]: Korean Information Security
• MTCS Tier 3 [Singapore]: Multi-Tier Cloud Security Standard
• My Number Act [Japan]: Personal Information Protection
Europe
• C5 [Germany]: Operational Security Attestation
• Cyber Essentials Plus [UK]: Cyber Threat Protection
• G-Cloud [UK]: UK Government Standards
• IT-Grundschutz [Germany]: Baseline Protection Methodology
Complying with virtually every regulatory agency
What about GDPR compliance?
All AWS services can be used in compliance with
the General Data Protection Regulation (GDPR)
«Navigating GDPR Compliance on AWS» whitepaper:
• Explains the role that AWS plays in your GDPR compliance process
• Shows how AWS can help your organization accelerate the process of aligning your compliance
programs to the GDPR by using AWS Cloud Services
https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
Identity, directory, and access
• IAM: manage user access and encryption keys
• Single Sign-On: cloud single sign-on for AWS accounts and business apps
• Directory Service: host and manage Microsoft Active Directory
• Organizations: manage settings for multiple accounts
• Resource Access Manager: share resources across multiple accounts
• Secrets Manager: rotate, manage, and retrieve secrets
• Cognito: identity management for your apps
Detective controls and management
• Security Hub: centrally view and manage security alerts and automate compliance checks
• GuardDuty: continuous threat detection & monitoring
• Service Catalog: create and use standardized products
• Launch Templates: standardize deployments across resources
• Config: track resource inventory and changes
• CloudTrail: track user activity and API usage
• CloudWatch: monitor resources and applications
• Inspector: analyze application security
• Artifact: self-service for AWS’ compliance reports
Data protection
• Key Management Service: manage creation and control of encryption keys
• Certificate Manager: provision, manage, and deploy SSL/TLS certificates
• ACM Private CA: private certificate authority
• CloudHSM: hardware-based key storage
• Macie: discover, classify, and protect data
• Server-side Encryption: flexible data encryption options
• Encrypted Boot & EBS volumes
Networking and infrastructure
• Virtual Private Cloud: isolated cloud resources
• VPC Flow Logs
• Elastic Load Balancing: secure network and application load balancing
• Web Application Firewall: filter malicious web traffic
• Shield: DDoS protection
• Firewall Manager: manage WAF rules across accounts
• PrivateLink: securely access services hosted on AWS
Best security building blocks in the cloud
Security as Code
DevOps: AWS Code Tools and Services
• Source: AWS CodeCommit
• Build: AWS CodeBuild
• Test: AWS CodeBuild + third party
• Deploy: AWS CodeDeploy
• Monitor: Amazon CloudWatch, AWS CloudTrail
• Pipeline and project management across all stages: AWS CodePipeline, AWS CodeStar
AWS DevOps Portfolio - Security as Code
• Software development and continuous delivery toolchain: AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline
• Infrastructure as Code: AWS CloudFormation, AWS OpsWorks
• Security as Code: AWS Config
• Monitoring and Logging: Amazon CloudWatch, AWS CloudTrail, AWS X-Ray
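"Security as Code" in a pipeline like the one above means the security policy is itself a test that runs in the build stage and fails the deployment when infrastructure code violates it. The following is an added example, not code from the deck or from AWS: a gate that a CodeBuild step could run over a CloudFormation template, rejecting any security group (inline rule or standalone AWS::EC2::SecurityGroupIngress resource) that exposes an administrative port to 0.0.0.0/0 or ::/0. The template, the logical ids, the port list and the exit-code convention are constructed assumptions; the check handles the JSON form of a template with the standard library only.

```python
"""Security-as-Code gate for a CI step (e.g. AWS CodeBuild): fail the build
when a CloudFormation template opens administrative ports to the world.

Added example for this page, not AWS code. It handles the JSON form of
CloudFormation templates with the standard library only; SAMPLE_TEMPLATE,
ADMIN_PORTS and the logical ids are constructed for illustration.
"""
import json
import sys

# Ports whose exposure to the whole Internet should stop a deployment (assumption).
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def port_bounds(rule):
    """(from_port, to_port) for an ingress rule; IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol", "")) == "-1":
        return 0, 65535
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return lo, hi


def world_cidr(rule):
    """Return the world-open CIDR the rule uses, or None if it is scoped."""
    for key in ("CidrIp", "CidrIpv6"):
        if rule.get(key) in WORLD_CIDRS:
            return rule[key]
    return None


def ingress_rules(resources):
    """Yield (logical_id, rule) for inline SecurityGroupIngress entries and
    standalone AWS::EC2::SecurityGroupIngress resources alike."""
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def find_open_admin_ports(template, admin_ports=ADMIN_PORTS):
    """Return findings as (logical_id, port, service, cidr) tuples."""
    findings = []
    for logical_id, rule in ingress_rules(template.get("Resources", {})):
        cidr = world_cidr(rule)
        if cidr is None:
            continue
        lo, hi = port_bounds(rule)
        for port, name in sorted(admin_ports.items()):
            if lo <= port <= hi:
                findings.append((logical_id, port, name, cidr))
    return findings


# Constructed template: one acceptable group (HTTPS public, SSH internal), one
# bastion open to the world, and a standalone rule allowing everything from ::/0.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "BastionSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "bastion",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DbIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": "sg-0123456789abcdef0", "IpProtocol": "-1", "CidrIpv6": "::/0"},
        },
    },
}


def main(argv):
    """Check the template at argv[1] (or the sample); a non-zero exit fails the build."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = find_open_admin_ports(template)
    for logical_id, port, name, cidr in findings:
        print(f"FAIL {logical_id}: {name} (port {port}) reachable from {cidr}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py template.json` in the build stage; the non-zero exit code is what makes CodeBuild mark the build as failed. The gate deliberately reports every admin port covered by an "all protocols" rule, so a single `IpProtocol: -1` from `::/0` produces one finding per port. YAML templates and intrinsic functions such as `Ref` in the CIDR fields are out of scope here; a production pipeline would normally run a dedicated template linter for that and keep a rule like this one as a hard policy check on top.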
Threat Detection: Log Data Inputs
• Amazon CloudWatch Logs: monitor apps using log data, store & access log files
• AWS CloudTrail: track user activity and API usage
• VPC Flow Logs: IP traffic to/from network interfaces in a VPC
• DNS Logs: log of DNS queries in a VPC when using the VPC DNS resolver
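Of the inputs listed, VPC Flow Logs are the one a detection engineer most often parses by hand, so here is an added example (not from the deck or from AWS) of two detections run over flow-log records in the default format: a source whose rejected flows touch many distinct ports on one target (a port-scan indicator), and an accepted connection to an administrative port from an address outside the organisation's own ranges. The log lines are constructed (TEST-NET addresses, a fake account and ENI id), and INTERNAL_NETS is an assumption standing in for the real VPC and corporate CIDRs.

```python
"""Detection logic over VPC Flow Log records (default format, version 2).

Added example for this page, not AWS code. Field order follows the default
VPC Flow Log format: version account-id interface-id srcaddr dstaddr srcport
dstport protocol packets bytes start end action log-status. SAMPLE_LOG is
constructed; INTERNAL_NETS is an assumption for the organisation's own ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_flow_logs(text):
    """Parse default-format lines; skip NODATA/SKIPDATA windows and malformed lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue  # NODATA/SKIPDATA windows carry '-' fields and no traffic
        records.append(FlowRecord(f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]),
                                  int(f[8]), int(f[9]), int(f[10]), int(f[11]), f[12]))
    return records


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def detect_port_scans(records, min_ports=5):
    """(src, dst) pairs whose REJECTed flows hit at least min_ports distinct ports.
    Flow logs aggregate per capture window, so distinct ports are counted, not packets."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.src, r.dst)].add(r.dst_port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_external_admin_access(records, admin_ports=ADMIN_PORTS):
    """ACCEPTed flows to administrative ports from sources outside INTERNAL_NETS."""
    return [r for r in records
            if r.action == "ACCEPT" and r.dst_port in admin_ports and not is_internal(r.src)]


def run_detections(text):
    records = parse_flow_logs(text)
    return {"port_scans": detect_port_scans(records),
            "external_admin_access": detect_external_admin_access(records)}


# Constructed sample: a scanner at 203.0.113.7 probing five ports (rejected) and
# then reaching HTTPS, an external SSH login from 198.51.100.9, two internal flows,
# and one NODATA window that must be ignored.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51234 22 6 1 44 1577836800 1577836860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51235 23 6 1 44 1577836800 1577836860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51236 80 6 1 44 1577836800 1577836860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51237 3389 6 1 44 1577836800 1577836860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51238 8080 6 1 44 1577836800 1577836860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 51239 443 6 12 3000 1577836800 1577836860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.15 40000 22 6 20 4249 1577836800 1577836860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.33 10.0.1.15 50000 22 6 20 4249 1577836800 1577836860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.33 10.0.1.15 50001 443 6 5 900 1577836800 1577836860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1577836800 1577836860 - NODATA
"""

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

The same logic maps directly onto a CloudWatch Logs Insights query or a scheduled Lambda reading the flow-log group; the point of writing it out is to see the two decisions that matter: windows with no traffic are skipped on `log-status`, and a scan is counted on distinct rejected ports because the capture window already collapses repeated attempts against one port into a single record.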
Threat Detection: Machine Learning
• Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• Amazon Macie: machine learning-powered security service to discover, classify & protect sensitive data
Threat Detection: Introducing AWS Security Hub
• Comprehensive view of your security state within AWS.
• Aggregates security findings and alerts generated by other AWS security services.
• Analyze security trends and identify the highest priority security issues.
Security findings providers (Amazon Inspector, Amazon GuardDuty, Amazon Macie, AWS Security Partners) → AWS Security Hub → Findings, Insights
Threat Remediation: Automation
• AWS Lambda: run code for virtually any kind of application or backend service with zero administration
• AWS Systems Manager: automate patching and proactively mitigate threats at the instance level
Taking Action with Security Hub
Finding sources (Amazon GuardDuty, Amazon Inspector, Amazon Macie, Partner Solutions) → AWS Security Hub → Amazon CloudWatch Events → target options: Partner Solutions, AWS Services
“Taking Action”
• AWS security services forwarding findings into AWS Security Hub: Amazon GuardDuty, Amazon Inspector, Amazon Macie
• Partners forwarding findings into AWS Security Hub: partner integrations
• AWS Security Hub → Amazon CloudWatch Events
Scenario
Finding sources (Amazon GuardDuty, Amazon Inspector, Amazon Macie, Partner Solutions) → AWS Security Hub → Amazon CloudWatch Events → target option: AWS Lambda → Amazon Simple Notification Service → findings delivered to the Operations Team and the Security Team
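The scenario above leaves the routing decision to the Lambda function: CloudWatch Events delivers a "Security Hub Findings - Imported" event whose `detail.findings` array carries findings in AWS Security Finding Format (ASFF), and the function decides which SNS topic, and therefore which team, receives each one. The following is an added example of that function, not code from the deck or from AWS. It routes by ASFF severity (CRITICAL/HIGH to the security team, MEDIUM/LOW to operations), drops archived or already-resolved findings so a re-import does not page anyone twice, and falls back to the normalized 0-100 score when a product supplies no label. The topic ARN environment variables (SEC_TEAM_TOPIC_ARN, OPS_TEAM_TOPIC_ARN) and SAMPLE_EVENT are constructed assumptions; the SNS call is injected so the routing logic runs offline.

```python
"""Route AWS Security Hub findings delivered via CloudWatch Events to the
security team or the operations team through Amazon SNS.

Added example for this page, not AWS code. Topic ARNs come from two
hypothetical environment variables (SEC_TEAM_TOPIC_ARN, OPS_TEAM_TOPIC_ARN);
SAMPLE_EVENT is a constructed event in the shape CloudWatch Events delivers
for the "Security Hub Findings - Imported" detail type, with ASFF findings.
"""
import os

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_label(finding):
    """Prefer Severity.Label; otherwise derive it from Severity.Normalized (0-100)
    using the ASFF bands: 0 informational, 1-39 low, 40-69 medium, 70-89 high, 90+ critical."""
    sev = finding.get("Severity", {})
    label = sev.get("Label")
    if label in SEVERITY_ORDER:
        return label
    n = sev.get("Normalized", 0)
    if n >= 90:
        return "CRITICAL"
    if n >= 70:
        return "HIGH"
    if n >= 40:
        return "MEDIUM"
    if n >= 1:
        return "LOW"
    return "INFORMATIONAL"


def is_actionable(finding):
    """Drop archived or already-handled findings so re-imports do not re-page anyone."""
    if finding.get("RecordState", "ACTIVE") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    return True


def route(finding):
    """Return 'sec', 'ops' or None for the team that should receive the finding."""
    if not is_actionable(finding):
        return None
    label = severity_label(finding)
    if label in ("CRITICAL", "HIGH"):
        return "sec"
    if label in ("MEDIUM", "LOW"):
        return "ops"
    return None


def summarize(finding):
    """Human-readable message body; the first line doubles as the SNS subject."""
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", []))
    return (f"[{severity_label(finding)}] {finding.get('Title', 'untitled')}\n"
            f"Account: {finding.get('AwsAccountId', '?')}  Resources: {resources}\n"
            f"Finding id: {finding.get('Id', '?')}")


def dispatch(event, publish, topics):
    """Route every finding in the event. publish(topic_arn, subject, message) is
    injected so the logic can run without AWS credentials; returns (team, id) pairs."""
    sent = []
    for finding in event.get("detail", {}).get("findings", []):
        team = route(finding)
        if team is None:
            continue
        message = summarize(finding)
        publish(topics[team], message.splitlines()[0][:100], message)  # SNS subject limit is 100 chars
        sent.append((team, finding.get("Id")))
    return sent


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so tests stay offline
    sns = boto3.client("sns")
    topics = {"sec": os.environ["SEC_TEAM_TOPIC_ARN"], "ops": os.environ["OPS_TEAM_TOPIC_ARN"]}

    def publish(topic_arn, subject, message):
        sns.publish(TopicArn=topic_arn, Subject=subject, Message=message)

    return {"dispatched": dispatch(event, publish, topics)}


# Constructed event: a HIGH finding with a label, a MEDIUM one with only a
# normalized score, and a CRITICAL one that is archived and must be dropped.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "region": "eu-west-1",
    "detail": {"findings": [
        {"SchemaVersion": "2018-10-08", "Id": "finding-1", "AwsAccountId": "123456789012",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty",
         "Title": "Instance communicating with a known command-and-control host (constructed)",
         "Severity": {"Label": "HIGH", "Normalized": 80},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}],
         "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
        {"SchemaVersion": "2018-10-08", "Id": "finding-2", "AwsAccountId": "123456789012",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector",
         "Title": "Instance is missing a security patch (constructed)",
         "Severity": {"Normalized": 50},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0fedcba9876543210"}],
         "RecordState": "ACTIVE"},
        {"SchemaVersion": "2018-10-08", "Id": "finding-3", "AwsAccountId": "123456789012",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/macie",
         "Title": "Bucket contains personal data (constructed)",
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
         "RecordState": "ARCHIVED"},
    ]},
}
```

Wire it up with a CloudWatch Events rule matching `source: aws.securityhub` and detail type "Security Hub Findings - Imported", and give the function's role `sns:Publish` on exactly the two topics and nothing else. Keeping `dispatch` free of boto3 is what lets the routing rules be unit-tested in the same pipeline that deploys the function.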
AWS Foundational and Layered Security Services
(diagram: services grouped under Identify, Protect, Detect, Respond, Automate, Investigate and Recover)
Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, AWS KMS, AWS IAM, AWS Single Sign-On, Snapshot, Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, AWS Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks
Web Resources
AWS Cloud Security
https://aws.amazon.com/security/
AWS Security Fundamentals
https://aws.amazon.com/training/course-descriptions/security-fundamentals/
GDPR Center
https://aws.amazon.com/it/compliance/gdpr-center/
AWS for Public Sector
https://aws.amazon.com/it/government-education/italy-digital-future/