1. Cloud Security
Security as an Enabler – Improving security in the cloud
Tom Laszewski
Global Lead Partner Solution Architects
Amazon Web Services
2. Old world
• ISP supplies “clean pipes” or managed DDoS service
• CDN with value-add DDoS and WAF services
• Pure-play Internet DDoS and WAF protection
• Expensive on-premise devices for WAF or DDoS mitigation
• Sticky platforms that last for years
• Customer gets unfiltered Internet pipes
Cloud
• Leverages cloud provider expertise in infrastructure and connectivity
• Ability to build scale and resilience everywhere
• Offload functionality to the cloud provider API that the cloud provider manages and operates rather than the customer
• Flexible, disposable platforms
3. Gain access to a world-class security team
Where would some of the world’s top security people like to work? At scale on huge challenges with huge rewards
Cloud providers have world-class security and compliance teams watching your back!
Every customer benefits from the tough scrutiny of other cloud customers
5. The Good News Is That You Can Get All of This in the Cloud
Private network
Private compute
Private storage
Private key management
Governance
6. How is it the same
• You apply security patches; perform backups; install anti-virus, IDS/IPS, and security incident and event monitoring tools
• You can set up subnets in order to separate environments that should remain isolated from one another
• You can set up a traditional three-tier architecture in the AWS cloud, complete with a DMZ.
7. How is it the same
• You can create user accounts and provide their own unique credentials.
• You can use network monitoring and security management tools
• You can set up a hardware VPN from your office or data center
• Data encrypted automatically on the cloud side, or you can encrypt it on the client side before you upload it
8. How is it different
• Manage your resources remotely instead of locally.
• Software-based security mechanisms instead of hardware-based solutions
• Instead of racking and stacking, your IT support folks will be launching and configuring
9. How is it different
• To create a reusable, hardened baseline image of your virtual server, you create a machine image
• Protect your cloud account credentials
• Security becomes a shared endeavor between you and the cloud provider
11. Security Advantages of Cloud
• Instant visibility into your inventory
• Free security tools
• Independent regions provide data privacy compliance
• Significant DDoS protection
12. Security Advantages of Cloud
• Security economies of scale
• No more duplicate data centers for disaster recovery
• Continuous hardware replacement and upgrade
• Part (or all) of your compliance work done
13. Security is Job Zero
– “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL
– Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
Top three things to cover / focus on / mantras of the session:
How AWS makes security easier and better … dispelling myths
Like what you have today
How it helps you manage human resources better and save cost
The good news is that you can get all of this in the cloud with AWS
Most of the security tools and techniques that you’re already familiar with can be used in the cloud.
If you use Amazon EC2 instances, you keep your guest OS and applications updated with the latest security patches; perform backups of your data; and install anti-virus, intrusion detection, and security incident and event monitoring (SIEM) tools.
You can set up subnets in order to separate environments that should remain isolated from one another—for example to separate your dev/test environment from your production environment—and then configure network ACLs to control how traffic is routed between them.
You can set up a traditional three-tier architecture in the AWS cloud, complete with a DMZ. You can allow your front-end web servers, proxy servers, or even load balancers to take the brunt of the unvetted traffic, protecting your backend apps and databases from unauthorized access.
If you have multiple users—like developers, testers, or administrators—you can create user accounts for each of them and provide them with their own unique credentials for accessing your AWS resources. You can even require them to use multi-factor authentication.
You can use network monitoring and security management tools to collect and analyze logs and network traffic information for your resources.
You can set up a hardware VPN from your office or data center to your cloud resources to add an additional layer of transmission protection.
If you would like to encrypt your data or objects when they’re stored in the cloud, you can have it encrypted automatically on the cloud side or you can encrypt it on the client side before you upload it.
You and your administrators/developers manage your resources remotely instead of locally.
You use software-based security mechanisms instead of hardware-based solutions.
Instead of racking and stacking, your IT support folks will be launching and configuring.
To create a reusable, hardened baseline image of your virtual server (EC2 instance), you create an Amazon Machine Image (AMI), which is a template that includes your OS, libraries, applications, configurations, etc. You can then save that baseline image and have it automatically loaded on every new instance you launch.
You must protect your AWS Account credentials carefully since they control access to all of the cloud resources and data under your account. We recommend creating IAM user accounts (each with their own unique credentials) under the AWS Account and then using the IAM credentials instead of the AWS Account credentials.
Security becomes a shared endeavor between you and AWS. To read more about this division of labor, see our Sharing the Security Responsibilities page.
For your security compliance requirements, you can request a copy of the applicable certification report (ISO, PCI, FedRAMP, etc.) for the underlying AWS infrastructure.
Instant visibility into your inventory
The first step in securing your assets is knowing what they are. With AWS, you never have to guess what your IT inventory is again. With tools like AWS Config and resource tagging, you can always see exactly what cloud assets you’re using at any moment. You can easily label each asset for tracking purposes.
Free security tools
Many of our security features and services are free, like individual firewalls (security groups) for your EC2 instances, security logging with CloudTrail, private subnets with VPC, user access control with IAM, and automatic encryption of your archived data in Glacier. For a more comprehensive list, see our AWS Security Features page.
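As an added example (not from the slides or from AWS's own tooling), a small audit that reads CloudTrail records and flags the two things the notes above call out: use of the AWS account (root) credentials instead of IAM user credentials, and console logins without multi-factor authentication. The records are constructed samples; the field names follow the CloudTrail record format, and the rule names and severities are this example's own.

```python
import json
from typing import Dict, List

# Constructed sample CloudTrail records (not real events). Field names follow the
# CloudTrail record format: userIdentity, eventName, eventTime, sourceIPAddress, etc.
SAMPLE_EVENTS = [
    {"eventTime": "2014-03-01T10:00:00Z", "eventName": "CreateBucket",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2014-03-01T10:05:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "sessionContext":
                      {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2014-03-01T10:07:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.5",
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-03-01T10:09:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # newline-delimited JSON form

def used_mfa(event: Dict) -> bool:
    """True if the record shows MFA, via the login summary or the session attributes."""
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def audit_events(events: List[Dict]) -> List[Dict]:
    """Flag use of the AWS account (root) credentials and console logins without MFA."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type")
        base = {"actor": actor, "event": ev.get("eventName"),
                "time": ev.get("eventTime"), "ip": ev.get("sourceIPAddress")}
        if ident.get("type") == "Root":
            findings.append({"severity": "high", "rule": "root-credential-use", **base})
        elif ev.get("eventName") == "ConsoleLogin" and not used_mfa(ev):
            findings.append({"severity": "medium", "rule": "console-login-without-mfa", **base})
    return findings

def audit_log_lines(lines: List[str]) -> List[Dict]:
    """Parse newline-delimited JSON CloudTrail records and audit them."""
    return audit_events([json.loads(line) for line in lines if line.strip()])
```

Run against a real trail, each finding is a record to review: root use should be rare and expected, and a console login without MFA is a user who has not yet been made to enable it.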
Independent regions provide data privacy compliance
With our data centers located in so many geographical regions across the world, you can choose the area that meets your data privacy requirements. AWS never moves your data out of the region you put it in.
Significant DDoS protection
Our size and scale can help you be DDoS resilient. The AWS infrastructure is equipped to handle extremely large amounts of traffic; and when you use AWS services like ELB, Auto Scaling, CloudWatch, and CloudFront, you can architect a highly available system that can help you weather DDoS attacks.
Security economies of scale
The smallest AWS customers reap the same security benefits as the largest when they’re in our cloud. AWS has a large, dedicated security team and a variety of systems and tools that continuously monitor and protect the underlying cloud infrastructure.
No more duplicate data centers for disaster recovery
When you use AWS features like Auto Scaling and Elastic Load Balancing, you can ensure that your production systems remain online and traffic is always routed to healthy instances. You can continuously replicate your data and have it ready to bring online if your primary nodes fail, only paying for the nodes when you actually use them.
Continuous hardware replacement and upgrade
We’re always improving our infrastructure. We replace end-of-life hardware with the latest processors that not only improve performance and speed, but also include the latest secure platform technology, like the Intel AES-NI encryption instruction set, which significantly speeds up the execution of the AES algorithm.
Part of your compliance work done
Because AWS has already received several certifications for its infrastructure, part of your compliance work has already been done. You only have to certify the applications and architectures you create on AWS. For a list of the certifications that AWS has received, see our AWS Compliance webpage.