Security and Regulation Best Practice when You Move to the Cloud.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dob Todorov
Regional Technology Officer,Public Sector and Principal
Architect Security & Compliance EMEA
Security & Compliance in the
Cloud
Tel Aviv Pop Up Loft

2. 21st Century IT Security
Cloud
Security

3. AWS Global Infrastructure

4. “Based on our experience, I believe that we
can be even more secure in the AWS cloud
than in our own data centers”
Tom Soderstrom – CTO NASA JPL

5. Cost of Security on Premises / Hosted Facility
CapEx OpEx
Technology
(Physical Security,
Infrastructure, Power,
Networking)
£££££ £££
Processes
(standards, procedures,
guidelines, assurance,
compliance)
£££ ££
People
(hire, upskill, compensate,
train, manage)
££ ££££

6. Security and Business Value
Security as a “Feature”:
• Qualitative measure: either secure or
insecure
• No added end user value
Objective Reality:
• Small or shrinking budgets
• Threat vectors and agents rising in
number and sophistication
Challenge:
How do we justify the cost of security?

7. Cost of Security in the Cloud
CapEx OpEx
Technology
(Physical Security,
Infrastructure, Power,
Networking)
- -
Processes
(standards, procedures,
guidelines, assurance,
compliance)
- -
People
(hire, upskill, compensate,
train, manage)
- -
Infrastructure secure & compliant at
no extra cost
ISO
27001

8. ISO 27018: Protection of
Personally Identifiable
Information (PII) Based on certification examination in conformity with defined
requirements in ISO/IEC17021:2011 and ISO/IEC 27006:2011,
the Information Security Management System
as defined and implemented by
headquartered in Seattle, Washington, United States of America,
certified under certification number [2013-009],
is also compliant with the requirements as stated in the standard:
EY CertifyPoint will, according to the certification agreement
dated October 23, 2014, perform surveillance audits and acknowledge the
certificate until the expiration date of this certificate or the expiration of the
related ISMS certificate with number [2013-009].
*This certificate is applicable for the assets, services and locations as described in the
scoping section on the back of this certificate, with regard to the specific requirements
for information security and protection of personally identifiable information (PII)
as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.
ISO/IEC 27018:2014
Issue date of certificate: October 1, 2015
Expiration date of certificate: November 12, 2016
Amazon Web Services, Inc.*
Certificate
Certificate number: 2015-016
Certified by EY CertifyPoint since:
October 1, 2015
© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at
Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.
Drs. R. Toppen RA
Director EY CertifyPoint
DIGITAL COPY1/3
o Customers control their content.
o Customers' content will not be used for any
unauthorized purposes.
o Physical media is destroyed prior to leaving
AWS data centers.
o AWS provides customers the means to
delete their content.
o AWS doesn’t disclose customers' content

9. ISO 27017: Cloud Service
Providers Code of Conduct
o Ongoing commitment to internationally-
recognised best practices
o Highly precise controls for Cloud services
o All AWS Regions and AWS Edge Locations
are within the scope
Based on certification examination in conformity with defined
requirements in ISO/IEC17021:2011 and ISO/IEC 27006:2011,
the Information Security Management System
as defined and implemented by
headquartered in Seattle, Washington, United States of America,
certified under certification number [2013-009],
is also compliant with the requirements as stated in the standard:
EY CertifyPoint will, according to the certification agreement
dated October 23, 2014, perform surveillance audits and acknowledge the
certificate until the expiration date of this certificate or the expiration of the
related ISMS certificate with number [2013-009].
*This certificate is applicable for the assets, services and locations as described in the
scoping section on the back of this certificate, with regard to the specific requirements
for information security and related specific cloud security controls
as stated in Statement of Applicability version 2015,02, approved on December 4, 2015.
ISO/IEC 27017:2015
Issue date of certificate: October 1, 2015
Re-issue date of certificate: December 7, 2015
Expiration date of certificate: November 12, 2016
Amazon Web Services, Inc.*
Certificate
Certificate number: 2015-015
Certified by EY CertifyPoint since:
October 1, 2015
© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at
Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.
Drs. R. Toppen RA
Director EY CertifyPoint
DIGITAL COPY1/3

10. Cloud Security Principles Compliance
o Issued 1 Apr 2014 by the UK CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available

11. “You should probably start engaging with the
idea that the Cloud can be considerably more
secure than the private cloud or your own data
centre, and start engaging with the risks that
are building in the spaces where you haven't
moved to the Cloud yet”
Dave Rogers - Head of Technology at UK
Ministry of Justice Digital

12. Cyber Essentials Plus Compliance in Dublin
Cyber Essentials Plus is a UK
Government-backed, industry-
supported certification scheme
that helps organisations
demonstrate security against
common cyber attacks.
The ‘Plus’ scheme benefits from
independent testing and validation
compared to the baseline ‘Cyber
Essentials’ scheme that is self-
attested.

13. IT Grundschutz in Germany

14. Shared Responsibility Model

15. Shared Responsibility Model
Security OF the Cloud
Security IN the Cloud

16. AWS Security Tools
AWS Trusted Advisor
AWS Config Rules
Amazon Inspector
Periodic evaluation of alignment with AWS Best
Practices. Not just Security-related.
Create rules that govern configuration of your
AWS resources. Continuous evaluation.
Security insightsinto your applications.
Runs on EC2 instances; on-demand scans
AWS Compliance AWS: Security of the cloud
Customer: Security in the cloud

19. Cloud Config Rules

21. Security by Design - SbD
• Systematic approach to
ensure security
• Formalises AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights
throughout the IT
management process
AWS
CloudTrail
AWS
CloudHSM
AWS IAM
AWS KMS
AWS
Config

22. AWS Compliance Enterprise Accelerator:
Scripting your governance policy
Set of CloudFormation Templates & Reference
Arhcitectures that accelerate compliance with PCI, EU
Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS
Result: Reliable technical implementation of administrative
controls

23. What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs

24. Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness

25. What is AWS WAF?
Application DDoS
Good users
Bad guys
Web server Database
AWS
WAF
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection

26. Why AWS WAF?
Application DDoS, Vulnerabilities, Abuse
Good users
Bad guys
Web server Database

27. Anti DDoS with WAF & Lambda

28. AWS DDoS Protection Whitepaper

29. S2N – AWS Implementation of TLS
• Small:
• ~6,000 lines of code, all audited
• ~80% less memory consumed
• Fast:
• 12% faster
• Simple:
• Avoid rarely used options/extensions

30. VPC Flow Logs

31. Certification & Education
• Security Fundamentals on AWS
• free, online course for security auditors and
analysts
• Security Operations on AWS
• 3-day class for Security engineers, architects,
analysts, and auditors
• AWS Certification
• Security is part of all AWS exams

32. Well-architected Framework

33. Rich Security Capabilities in the Cloud
Prepare
Prevent
Detect
Respond

34. o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design
o AWS Security Best Practices
o AWS Well-architected
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements
Prepare

35. o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage S2N for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify
vulnerabilities early on
Prevent

36. o Cloud Trail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch logs
o VPC Flow Logs give insight into intended and
unintended communication taking place into your VPC
o Do look at partner log management and security
monitoring solutions
Detect

37. o Be Prepared:
o Develop, acquire or hire Security Incident Response
capabilities
o Test preparedness via game days
o Automated response and containment is always
better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners
Respond

39. Be Secure & Compliant in
the Cloud!

40. Thank you!