The AWS Shared Security Responsibility Model in Practice

Gavin Fitzpatrick, Security Assurance TPM, Amazon Web Services
23/03/16
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
AWS Global Footprint

Regions: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), EU Central (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), China (Beijing), São Paulo

Region: an independent collection of AWS resources in a defined geography; a solid foundation for meeting location-dependent privacy and compliance requirements.

Availability Zone: designed as independent failure zones; physically separated within a typical metropolitan region.

Edge Location: collections of servers in geographically dispersed data centers that deliver content to end users with lower latency.

At the time of this deck (March 2016): 12 Regions, 33 Availability Zones, 54 Edge locations, over 1 million active customers. Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
Data Locality
• Customer chooses where to place data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn't move unless you choose to move it
Data Locality in practice
• Block-level storage: Instance Storage (Elastic Compute Cloud, EC2), Elastic Block Store (EBS)
• Object-level storage: Simple Storage Service (S3)
• Database storage: Relational Database Service (RDS), NoSQL (DynamoDB), Columnar (Redshift), Caching (ElastiCache)
Shared Responsibility: who manages which parts?
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
Interacting with AWS (common protocols)
• Management: SSH, RDP
• Database: MySQL, MS SQL, Oracle
• File Transfer: FTP, etc.
Interacting with AWS: the Application Programming Interface (API)
• API endpoints per service, API endpoints per region
• Service interaction: AWS Management Console, AWS SDKs (Java, Python, PHP, .NET, Ruby, Go), AWS Unified CLI
Service interaction examples (AWS CLI):
    aws ec2 describe-instances
    aws ec2 start-instances --instance-ids <value>
    aws ec2 stop-instances --instance-ids <value>
    aws s3 ls
    aws s3 mb s3://mybucket --region eu-west-1
    aws s3 cp object.file s3://mybucket/object.file
    aws s3 sync s3://mybucket ./localfolder/
AWS Shared Responsibility Model: Deep Dive
Will one model work for all services? Three service categories: Infrastructure Services, Container Services, Abstract Services.
AWS Shared Responsibility Model: for Infrastructure Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached via API calls)
Managed by customers:
• Customer content (opaque data to AWS: 1's and 0's in transit and at rest; protecting it is optional and the customer's choice)
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Customer IAM and AWS IAM
• Management protocols into the instances
Infrastructure Service Example: EC2
AWS responsibilities:
• Foundation Services: Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
Customer responsibilities:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
AWS Shared Responsibility Model: for Container Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached via API calls)
• Operating System, Network Configuration
• Platform & Applications Management
Managed by customers:
• Customer content (opaque data to AWS: 1's and 0's in transit and at rest; protecting it is optional and the customer's choice)
• Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption / Integrity / Identity)
• Customer IAM and AWS IAM
• Management protocols into the service
Container Service Example: RDS
AWS responsibilities:
• Foundation Services: Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
Customer responsibilities:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
AWS Shared Responsibility Model: for Abstract Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached via API calls)
• Operating System, Network & Firewall Configuration
• Platform & Applications Management
• Data Protection by the Platform: protection of data at rest
• Network Traffic Protection by the Platform: protection of data in transit
Managed by customers:
• Customer content (opaque data: 1's and 0's in flight and at rest)
• Client-Side Data Encryption & Data Integrity Authentication (optional)
• AWS IAM
Abstract Service Example: S3
AWS responsibilities:
• Foundation Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest: SSE; Transit)
• High Availability / Scaling
Customer responsibilities:
• Customer Data
• Data Protection (Rest: CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Summary of Customer Responsibility in the Cloud
• Infrastructure Services: Data, Applications, Operating System, Networking/Firewall, Customer IAM, AWS IAM
• Container Services: Data, Firewall, Customer IAM, AWS IAM
• Abstract Services: Data, AWS IAM
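AWS IAM is the one item the customer owns in every row of that summary, so it is worth being precise about what a policy actually grants. The following is an added illustration written for this page, not AWS code or anything from the deck: a deliberately reduced model of identity-policy evaluation (Effect, Action, Resource and the IpAddress condition on aws:SourceIp only; no resource policies, permission boundaries, SCPs or other condition operators) applied to a constructed least-privilege policy for an S3 prefix. The bucket name, prefix and CIDR are invented. The ordering rule it demonstrates is the real one: an explicit Deny beats any Allow, and a request that matches no Allow is implicitly denied.

```python
"""Simplified model of how AWS IAM evaluates an identity policy.

Added illustration, not AWS code. Real IAM also evaluates resource policies,
permission boundaries, SCPs, session policies and dozens of condition
operators; only Effect/Action/Resource plus the IpAddress operator on
aws:SourceIp are modelled here.
"""
import fnmatch
import ipaddress
import json

# Constructed least-privilege policy for an application role (bucket name and
# CIDR are invented): read/write one prefix of one bucket, only from the
# corporate range, and never delete anything anywhere.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppPrefixFromCorpNet",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-bucket/app-data/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    },
    {
      "Sid": "DenyDeleteEverywhere",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    """Resource ARNs match case-sensitively with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the IpAddress operator is modelled (assumption of this example).

    A condition whose key is absent from the request context evaluates false,
    so a statement guarded by aws:SourceIp never matches a request without it.
    """
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, cidrs in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            addr = ipaddress.ip_address(value)
            if not any(addr in ipaddress.ip_network(c, strict=False)
                       for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(_as_list(stmt["Action"]), action):
            continue
        if not _resource_matches(_as_list(stmt["Resource"]), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # nothing can override an explicit deny
        decision = "Allow"          # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/app-data/report.csv"
    inside = {"aws:SourceIp": "203.0.113.10"}
    outside = {"aws:SourceIp": "198.51.100.7"}
    for args in [("s3:GetObject", obj, inside), ("s3:GetObject", obj, outside),
                 ("s3:DeleteObject", obj, inside),
                 ("s3:PutObject", "arn:aws:s3:::example-app-bucket/other/x", inside)]:
        print(args[0], "->", evaluate(EXAMPLE_POLICY, *args))
```

The point a practitioner should take from running it: the GetObject call from 203.0.113.10 is allowed, the same call from 198.51.100.7 or with no source address in the context falls through to ImplicitDeny, and DeleteObject is ExplicitDeny no matter where it comes from or what other Allow statements are added later.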
Shared Responsibility: what about security OF the cloud?
Security Shared Responsibility Model: AWS is responsible for the security OF the cloud
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Auditing: comparison of on-prem vs on AWS

on-prem:
• Start with bare concrete
• Functionally optional: you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation

on AWS:
• Start on a base of accredited services
• Functionally necessary: high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
What this means
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1,800+ security controls so you don't have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
AWS Assurance Programs
Built on AWS consistent baseline controls (Foundation Services: Compute, Storage, Database, Networking; Global Infrastructure: Regions, Availability Zones, Edge Locations), customers layer their own external audits, accreditation and certifications:
• Meet your own security objectives
• Customer scope and effort is reduced
• Better results through focused efforts
Navigating Shared Responsibility
Achieving accreditation or certification on AWS is possible, but how can we help?
Industry Best Practices for Securing AWS Resources: CIS Amazon Web Services Foundations
An architecture-agnostic set of security configuration best practices that provides step-by-step implementation and assessment procedures.
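Two earlier slides put "Network & Firewall" on the customer's side of the line and list SSH and RDP as the management protocols used to reach instances; the CIS benchmark turns that into a concrete assessment: no security group may allow ingress from 0.0.0.0/0 (or ::/0) to port 22 or 3389. The script below is an added example written for this page, not AWS or CIS tooling, that implements that check over data shaped like the JSON `aws ec2 describe-security-groups` returns. The sample groups, their ids, names and CIDRs are constructed; the output file name in the usage comment is likewise an assumption.

```python
"""Flag security groups that expose management ports (SSH, RDP) to the world.

Added example, not AWS or CIS tooling. Implements the CIS AWS Foundations
style check (no ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389) over data
shaped like the JSON that `aws ec2 describe-security-groups` returns.
The sample below is constructed: group ids, names and CIDRs are invented.
"""
import ipaddress
import json
import sys

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0a1b2c3d4e5f60001",
      "GroupName": "bastion-open",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0a1b2c3d4e5f60002",
      "GroupName": "bastion-corp",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0a1b2c3d4e5f60003",
      "GroupName": "windows-all-traffic",
      "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
      ]
    }
  ]
}
""")


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(perm, port):
    """IpProtocol -1 means every protocol and port; otherwise the rule must be
    TCP with a FromPort..ToPort range that includes the port."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_world_open_management_ports(describe_output):
    """Return (group id, group name, service, port, offending CIDRs) tuples."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if is_world_open(s)]
            if not world:
                continue
            for port, service in MANAGEMENT_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], sg["GroupName"],
                                     service, port, world))
    return findings


if __name__ == "__main__":
    # Pipe real output in (aws ec2 describe-security-groups | python3 sg_check.py,
    # file name assumed) or run with no stdin to evaluate the constructed sample.
    data = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_world_open_management_ports(data)
    for gid, name, service, port, cidrs in findings:
        print(f"FAIL {gid} ({name}): {service}/{port} open to {', '.join(cidrs)}")
    if not findings:
        print("PASS: no management port open to the world")
```

On the sample this produces three findings: bastion-open (SSH from 0.0.0.0/0) and windows-all-traffic twice, because an all-protocol rule with an IPv6 source of ::/0 exposes both 22 and 3389 even though its IPv4 source is a private range. bastion-corp, the corrected form of the first group with the same port restricted to one corporate /24, passes. Checking the IPv6 ranges and the "-1" protocol is what separates a usable check from one that only looks for the literal string 0.0.0.0/0.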
Industry Best Practices for Securing AWS Resources: Benchmarks for AWS Marketplace
OS images hardened according to the trusted secure configuration baselines prescribed by CIS.
AWS Enterprise Accelerator: Compliance Architectures
• Sample Architecture
• Security Controls Matrix
• CloudFormation Templates (5 templates)
• User Guide: http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
Compliance Resources: https://aws.amazon.com/compliance/resources/
Education: AWS Security & Compliance
• AWS Security Fundamentals: 3-hour eLearning course; target audience: Security Auditors/Analysts; free
• AWS Security Operations: 3-day instructor-led training; target audience: Security Engineers/Architects; 12 modules + labs
• Self-paced labs available on http://qwiklabs.com
• Course descriptions: https://aws.amazon.com/training/course-descriptions/
Helpful Resources
• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
• Compliance Center Website: https://aws.amazon.com/compliance
• Security Center: https://aws.amazon.com/security
• Security Blog: https://blogs.aws.amazon.com/security/
• AWS Audit Training: awsaudittraining@amazon.com
Contact: awscompliance@amazon.com