6. Every Customer Has Access to the Same Security Capabilities
• And gets to choose what’s right for their business needs
– Governments
– Financial Sector
– Pharmaceuticals
– Entertainment
– Start-ups
– Social Media
– Home Users
– Retail
8. "In our Innovation Lab on AWS, we were able to test new technologies and launch new products in record time."
• Serasa Experian, part of the Experian group, is the largest credit bureau in the world outside the United States, holding the most extensive database in Latin America on consumers, companies and economic groups.
• With 45 years in the Brazilian market, Serasa Experian takes part in most of the credit and business decisions made in the country, answering, online and in real time, 6 million queries per day requested by 500 thousand direct and indirect customers.
"AWS allows us to study new technologies and innovate at a speed previously unimaginable for a large company in the financial sector"
- Rodrigo Zenun
9. The Challenge
• Create an extension of our data centers, with at least the same security standards, that would make it possible to study emerging technologies.
• Combine flexibility, agility and information security.
• Take advantage of the elasticity offered by AWS for application and product front-ends.
10. On the Role of AWS and the Benefits Achieved
• Proofs of concept and prototypes carried out with great ease and agility;
• Feasibility of launching new products;
• Distribution of public content;
• Cost reduction and elasticity;
15. Security & Compliance Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling
16. Security & Compliance Control Objectives (cont’d)
• Control Objective 1: Security Organization
– Who we are
– Proper control & access within the organization
• Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access
17. Security & Compliance Control Objectives (cont’d)
• Control Objective 3: Logical Security
– Our staff start with no system access
– Need-based access grants
– Rigorous system separation
– System access grants regularly evaluated & automatically revoked
18. Security & Compliance Control Objectives (cont’d)
• Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Department of Defense 5220.22-M
• Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters
19. Security & Compliance Control Objectives (cont’d)
• Control Objective 6: Change Management
– Continuous operation
• Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact, & available
• Control Objective 8: Incident Handling
– Process & procedures for mitigating and managing potential issues
29. VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $2/hr flat fee per region (charged while at least one Dedicated Instance is running) plus a small per-instance hourly premium
• Tenancy can be set per instance at launch (tenancy = dedicated)
• Optionally configure the entire VPC as dedicated via its instance tenancy attribute, so every instance launched into it runs on single-tenant hardware
30. AWS Deployment Models
Isolation capabilities, building up from the commercial cloud to GovCloud:
• Logical server and application isolation
• Granular information access policy
• Logical network isolation
• Physical server isolation
• Government-only physical network and facility isolation
• ITAR compliant (US Persons only)
Sample workloads by deployment model:
• Commercial Cloud – Public-facing apps, web sites, dev, test, etc.
• Virtual Private Cloud (VPC) – Datacenter extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US) – US Persons compliant and government-specific apps
31. Premium Support: Trusted Advisor
• Security Checks
– Security Group Rules (Hosts & Ports)
– IAM Use
– S3 Policies
• Fault Tolerance Checks
– Snapshots
– Multi-AZ
– VPN Tunnel Redundancy
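The three Trusted Advisor security checks listed above are easy to reproduce against the raw API data, which is useful when you do not have Premium Support or want the check to run in your own pipeline. The following is an added example, not AWS code: the input dicts are shaped like the `SecurityGroups`, bucket-policy JSON and `SummaryMap` returned by boto3's `describe_security_groups()`, `get_bucket_policy()` and `get_account_summary()`, but every value below is constructed, the sensitive-port list is my own, and nothing here calls AWS.

```python
"""Offline re-implementation of three Trusted Advisor-style security checks.

Added example, not AWS code. Input structures mirror boto3 response shapes,
but all data is constructed; no AWS calls are made."""
import json

# Ports a practitioner would never expect open to the whole Internet (constructed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    # IpProtocol "-1" is "all traffic": every protocol on every port.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_open_security_group_rules(groups):
    """Return (group_id, cidr, port, service) for each sensitive port that a
    rule opens to 0.0.0.0/0 or ::/0 (the 'Security Group Rules' check)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    for port, service in SENSITIVE_PORTS.items():
                        if lo <= port <= hi:
                            findings.append((sg["GroupId"], cidr, port, service))
    return findings


def find_public_s3_policies(bucket_policies):
    """Return buckets whose policy has an unconditional Allow for Principal '*'
    (the 'S3 Policies' check). Conditioned grants are left for manual review."""
    public = []
    for bucket, policy_json in bucket_policies.items():
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):      # a single statement object is legal
            statements = [statements]
        for st in statements:
            principal = st.get("Principal")
            anonymous = principal == "*" or (
                isinstance(principal, dict) and principal.get("AWS") == "*")
            if st.get("Effect") == "Allow" and anonymous and "Condition" not in st:
                public.append(bucket)
                break
    return sorted(public)


def iam_in_use(summary_map):
    """The 'IAM Use' check: an account with no users, groups or roles is
    being operated entirely on root credentials."""
    return any(summary_map.get(k, 0) > 0 for k in ("Users", "Groups", "Roles"))


# Constructed sample input, shaped like describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
# Constructed bucket policies, as returned in get_bucket_policy()["Policy"].
SAMPLE_BUCKET_POLICIES = {
    "public-assets": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-assets/*"}]}),
    "customer-data": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*"}]}),
    "vpc-only": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vpc-only/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}}]}),
}
# Constructed account summary, as returned in get_account_summary()["SummaryMap"].
SAMPLE_ACCOUNT_SUMMARY = {"Users": 0, "Groups": 0, "Roles": 0, "MFADevices": 0}

if __name__ == "__main__":
    for finding in find_open_security_group_rules(SAMPLE_GROUPS):
        print("OPEN   %s %s port %d (%s)" % finding)
    print("PUBLIC buckets:", find_public_s3_policies(SAMPLE_BUCKET_POLICIES))
    print("IAM in use:", iam_in_use(SAMPLE_ACCOUNT_SUMMARY))
```

Note that an "all traffic" rule (`IpProtocol` of `-1`) has no port fields at all, so a check that only looks at `FromPort`/`ToPort` would miss the worst case; the example treats it as 0-65535. The S3 check deliberately does not flag a `Principal: "*"` grant carrying a `Condition`, since whether such a grant is safe depends on the condition, which is exactly the sort of finding a human should read rather than a script auto-close.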
32. Focus on Trend Micro
JD Sherry
Vice President, Technology and Solutions
33. Security in 2013
The Cloud Changes Nothing…
and Everything!
July 2013
JD Sherry
Vice President, Technology & Solutions
34. Discussion Outcomes
8/2/2013 Copyright 2013 Trend Micro Inc. 36
• Enterprises and the Cloud
• Best Practices for Compliance & Security in the Cloud
• Solutions and Case Studies
35. Enterprises and the Cloud …
• Security & compliance top priorities for enterprises, underscoring
concerns that are impeding cloud adoption
• Are cloud security needs that different than on-premise?
– Cloud introduces the concept of shared responsibility for securing the services
and applications running in the cloud
• Security is not the only inhibitor …
– Many organizations are reluctant to change status quo
• Fear of the unknown
• Cloud concepts & terminology intimidating
• IT job loss concerns
• Dramatic change from a process & operations perspective …
• Not sure how/where to get started …
36. Customer Security Concerns
• Data sovereignty
– Concerns over stewardship of data
• Who has access to the data? customer, provider,
government?
• Data privacy concerns: other tenants, attacks against
my data …
• Will my data leave the country?
– If I terminate a cloud server, do copies of my
data still exist in the cloud?
– US Patriot Act
• Could USA law enforcement gain access to my
systems and data?
37. Customer Security Concerns
• Multi-tenancy
– Risk of configuration errors leading to data exposure
– How can I protect my cloud servers from attack?
– Will I even know my cloud servers are being attacked?
• Compliance
– How can I use the cloud and still meet internal and
external compliance requirements?
– Who is responsible for cloud security?
38. Consumers of Cloud Services Responsibilities
• Consumers of cloud services are responsible for
– Security of the instance (OS & Applications)
– Ensuring SLAs are maintained
– Ultimately it boils down to protecting your instances from compromise
and the integrity of the applications running in the cloud …
• How do you protect AWS instances?
– Traditional network appliances are not feasible
• Limited control over the network …
– Agent-based host security controls are required
39. Cloud Security is a Shared Responsibility
• What type of host security controls are required?
  The Need                        Preferred Security Control
  Data confidentiality            Encryption
  Block malicious software        Anti-Malware
  Detect & track vulnerabilities  Vulnerability scanning services
  Control server communications   Host firewalls
  Detect suspicious activity      Intrusion Prevention
  Detect unauthorized changes     File Integrity Monitoring
  Block OS & App vulnerabilities  Patch & shield vulnerabilities
  Data monitoring & compliance    DLP
• Security principles don't change
• Implementation & Management change drastically
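Of the controls in the table, File Integrity Monitoring is the one most often hand-rolled, and it is small enough to show whole. The following is an added example, not Trend Micro or AWS code: it hashes a directory tree into a baseline, then diffs a later baseline against it to report added, removed and modified files. The directory contents in `demo()` are constructed to simulate a tampered web root; the exclusion of symlinks and the choice of SHA-256 are my own design decisions.

```python
"""Minimal File Integrity Monitoring: SHA-256 baseline and diff.

Added example, not Trend Micro or AWS code. Sample files are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its digest.
    Symlinks are skipped so a planted link cannot make the monitor hash an
    attacker-chosen target instead of the real file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baselines(old, new):
    """Return sorted lists of paths added, removed or whose content changed."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo():
    """Baseline a constructed web root, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("hello\n")
        before = build_baseline(root)

        # Constructed tampering: binary appended to, web shell dropped, README deleted.
        with open(os.path.join(root, "bin", "app"), "ab") as f:
            f.write(b"\n# backdoor\n")
        with open(os.path.join(root, "shell.php"), "w") as f:
            f.write("<?php system($_GET['c']); ?>")
        os.remove(os.path.join(root, "README"))
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is stored: an attacker with root on the instance can rewrite a baseline kept on the same disk, so in practice the digests are shipped to a management server, which is why the slide treats FIM as a centrally managed control rather than a local script.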
40. The Cloud Changes Nothing… and Everything!
Practical Guidance for Compliance & Security in the Cloud
41. Practical Considerations
Cloud Elasticity
• Automated protection of new instances critical to success
• Equally important that terminated instances are not left 'orphaned'
• Security must become part of the cloud fabric, including working within the provisioning process, with support for leading tools (e.g. AWS OpsWorks) critical
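The two failure modes named above, a new instance running without protection and an agent record outliving its terminated instance, are both caught by reconciling the provider's inventory against the security console's agent list. The following is an added example, not Trend Micro or AWS code: `instances` stands in for the instance IDs and states a `describe_instances()` call would return, `agents` for the per-instance last-heartbeat times a security management console would hold, and all values plus the 15-minute staleness threshold are constructed assumptions.

```python
"""Reconcile cloud instance inventory against security-agent registrations.

Added example, not Trend Micro or AWS code. All data below is constructed."""
from datetime import datetime, timedelta, timezone

RUNNING = {"pending", "running"}          # instances that must carry an agent
GONE = {"shutting-down", "terminated"}    # instances whose agent records are orphans


def reconcile(instances, agents, now, stale_after=timedelta(minutes=15)):
    """instances: {instance_id: state}; agents: {instance_id: last_heartbeat}.

    Returns three work lists for the provisioning automation:
      unprotected - running instances with no agent registered at all
      orphaned    - agent records whose instance is terminated or unknown
      stale       - running instances whose agent has stopped checking in
    A stopped instance is neither: its agent record is kept for restart."""
    unprotected = sorted(i for i, state in instances.items()
                         if state in RUNNING and i not in agents)
    # An agent for an instance missing from inventory is treated as terminated.
    orphaned = sorted(i for i in agents
                      if instances.get(i, "terminated") in GONE)
    stale = sorted(i for i, heartbeat in agents.items()
                   if instances.get(i) in RUNNING and now - heartbeat > stale_after)
    return {"unprotected": unprotected, "orphaned": orphaned, "stale": stale}


# Constructed sample data (not from a real account).
NOW = datetime(2013, 8, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = {
    "i-web01": "running",
    "i-web02": "running",
    "i-web03": "pending",      # just launched, agent not yet installed
    "i-db01": "running",
    "i-old01": "terminated",   # terminated, agent record never cleaned up
    "i-stop01": "stopped",
}
SAMPLE_AGENTS = {
    "i-web01": NOW - timedelta(minutes=1),
    "i-web02": NOW - timedelta(hours=2),    # agent killed or host wedged
    "i-db01": NOW - timedelta(minutes=3),
    "i-old01": NOW - timedelta(days=3),
    "i-ghost": NOW - timedelta(days=30),    # instance no longer in inventory
    "i-stop01": NOW - timedelta(days=1),
}

if __name__ == "__main__":
    for bucket, ids in reconcile(SAMPLE_INSTANCES, SAMPLE_AGENTS, NOW).items():
        print("%-12s %s" % (bucket, ", ".join(ids) or "-"))
```

Run on a schedule, the `unprotected` list drives agent installation (or a quarantine security group until it succeeds), `orphaned` drives deletion of console records so licence counts and dashboards stay honest, and `stale` is the interesting one for detection: an agent that silently stops reporting on a running host is a classic sign that someone with root has disabled it.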
42. Transformation
[Diagram: Physical → Virtual → Cloud. Cloud and Data Center Security (Deep Security): Anti-Malware, Integrity Monitoring, Encryption, Log Inspection, Firewall, Intrusion Prevention. Data Center Ops and Security. Products: Deep Security, SecureCloud.]
43. Case Study: Global Financial/Insurance Company
• Opportunities
– Rapid business expansion
– Address high cost & complexity with cloud
– First mover in their industry
• Challenges
– Compliance & data privacy
– Cloud provider role definition
– Data destruction
• Solution
– Shared responsibility model
– SecureCloud
– Dynamic encryption via automated policy
– Data persistently encrypted (addresses destruction)
– Sensitive data protected via key access
44. Case Study: Large Manufacturing Company
• Opportunities
– Data center consolidation
– Address high cost with cloud (utility pricing)
– Infrastructure elasticity
• Challenges
– Management & platform support
– Security in the cloud
– Managing multiple point solutions
• Solution
– Dynamic infrastructure with utility billing
– Deep Security
– Comprehensive cloud security
– Automated management & integration with Chef
– Broad environment support
45. Case Study: Global Transportation Company
• Opportunities
– Efficiency
– Drive down cost with cloud
– Infrastructure elasticity & reliability
• Challenges
– Management across systems
– Support for multiple clouds
– Corporate governance
• Solution
– Rapid deployment
– Deep Security
– Comprehensive cloud security
– SecureCloud
– Encryption of sensitive data
– Broad environment support