Security as an Enabler – Cloud Security
•
0 likes•1,451 views
How cloud security is the same, different (then your current security) and can improve your security posture.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Security as an Enabler – Cloud Security
Similar to Security as an Enabler – Cloud Security (20)
More from Tom Laszewski
More from Tom Laszewski (20)
Recently uploaded
Recently uploaded (20)
Security as an Enabler – Cloud Security
- 1. Cloud Security Security as an Enabler – Improving security in the cloud Tom Laszewski Global Lead Partner Solution Architects Amazon Web Services
- 2. Old world • ISP supplies “clean pipes” or managed DDoS service • CDN with value add DDoS and WAF services • Pure-play Internet DDoS and WAF protection • Expensive on-premise devices for WAF or DDoS mitigation • Sticky platforms that last for years • Customer gets unfiltered Internet pipes • Leverages Cloud provider expertise in infrastructure and connectivity • Ability to build scale and resilience everywhere • Offload functionality to the cloud provider API that the cloud provider manages and operates rather than customer • Flexible, disposable platforms Cloud
- 3. Gain access to a world-class security team Where would some of the world’s top security people like to work? At scale on huge challenges with huge rewards Cloud providers have world-class security and compliance teams watching your back! Every customer benefits from the tough scrutiny of other cloud customers
- 4. The cloud takes care of compliance
- 5. The Good News Is That You Can Get All of This in the Cloud Private network Private compute Private storage Private key management Governance
- 6. How is it the same • You apply security patches; perform backups; install anti-virus, IDS/IPS, and security incident and event monitoring tools • You can set up subnets in order to separate environments that should remain isolated from one another • You can set up a traditional three-tier architecture in the AWS cloud, complete with a DMZ.
- 7. How is it the same • You can create user accounts and provide their own unique credentials. • You can use network monitoring and security management tools • You can set up a hardware VPN from your office or data center • Data encrypted automatically on the cloud side or you can encrypt it on the client side before you upload it
- 8. How is it different • Manage your resources remotely instead of locally. • Software-based security mechanisms instead of hardware-based solutions • Instead of racking and stacking, your IT support folks will be launching and configuring
- 9. How is it different • To create a reusable, hardened baseline image of your virtual server, you create an machine images • Protect your cloud account credentials • Security becomes a shared endeavor between you and the cloud provider
- 10. You can improve your security with the cloud
- 11. Security Advantages of Cloud • Instant visibility into your inventory • Free security tools • Independent regions provide data privacy compliance • Significant DDoS protection
- 12. Security Advantages of Cloud • Security economies of scale • No more duplicate data centers for disaster recovery • Continuous hardware replacement and upgrade • Part (or all) of your compliance work done
- 13. Security is Job Zero – “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” -Tom Soderstrom, CTO, NASA JPL – Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
- 14. Thank you Tom Laszewski tomlasz@amazon.com Amazon Web Services
Editor's Notes
- Top three things to cover/focus/mantras of session: How does AWS make security easier and is better … dispelling myths Like what you have today How does it impact ‘managing human resources better’/save cost
- the good news is that you can get all of this in the cloud with AWS
- Most of the security tools and techniques that you’re already familiar with can be used in the cloud. If you use Amazon EC2 instances, you keep your guest OS and applications updated with the latest security patches; perform backups of your data; and install anti-virus, intrusion detection, and security incident and event monitoring (SIEM) tools. You can set up subnets in order to separate environments that should remain isolated from one another—for example to separate your dev/test environment from your production environment—and then configure network ACLs to control how traffic is routed between them. You can set up a traditional three-tier architecture in the AWS cloud, complete with a DMZ. You can allow your front-end web servers, proxy servers, or even load balancers to take the brunt of the unvetted traffic, protecting your backend apps and databases from unauthorized access.
- If you have multiple users—like developers, testers, or administrators—you can create user accounts for each of them and provide them with their own unique credentials for accessing your AWS resources. You can even require them to use multi-factor authentication. You can use network monitoring and security management tools to collect and analyze logs and network traffic information for your resources. You can set up a hardware VPN from your office or data center to your cloud resources to add an additional layer of transmission protection. If you would like to encrypt your data or objects when they’re stored in the cloud, you can have it encrypted automatically on the cloud side or you can encrypt it on the client side before you upload it.
- You and your administrators/developers manage your resources remotely instead of locally. You use software-based security mechanisms instead of hardware-based solutions. Instead of racking and stacking, your IT support folks will be launching and configuring.
- To create a reusable, hardened baseline image of your virtual server (EC2 instance), you create an Amazon Machine Image (AMI), which is a template that includes your OS, libraries, applications, configurations, etc. You can then save that baseline image and have it automatically loaded on every new instance you launch. You must protect your AWS Account credentials carefully since they control access to all of the cloud resources and data under your account. We recommend creating IAM user accounts (each with their own unique credentials) under the AWS Account and then using the IAM credentials instead of the AWS Account credentials. Security becomes a shared endeavor between you and AWS. To read more about this division of labor, see our Sharing the Security Responsibilities page. For your security compliance requirements, you can request a copy of the applicable certification report (ISO, PCI, FedRAMP, etc.) for the underlying AWS infrastructure.
- Instant visibility into your inventory The first step in securing your assets is knowing what they are. With AWS, you never have to guess what your IT inventory is again. With tools like AWS Config and resource tagging, you can always see exactly what cloud assets you’re using at any moment. You can easily label each asset for tracking purposes. Free security tools Many of our security features and services are free, like individual firewalls (security groups) for your EC2 instances, security logging with CloudTrail, private subnets with VPC, user access control with IAM, and automatic encryption of your archived data in Glacier. For a more comprehensive list, see our AWS Security Features page. Independent regions provide data privacy compliance With our data centers located in so many geographical regions across the world, you can choose the area that meets your data privacy requirements. AWS never moves your data out of the region you put it in. Significant DDoS protection Our size and scale can help you be DDoS resilient. The AWS infrastructure is equipped to handle extremely large amounts of traffic; and when you use AWS services like ELB, Auto Scaling, CloudWatch, and CloudFront, you can architect a highly available system that can help you weather DDoS attacks.
- Security economies of scale The smallest AWS customers reap the same security benefits as the largest when they’re in our cloud. AWS has a large, dedicated security team and a variety of systems and tools that continuously monitor and protect the underlying cloud infrastructure. No more duplicate data centers for disaster recovery When you use AWS features like Auto Scaling and Elastic Load Balancing, you can ensure that your production systems remain online and traffic is always routed to healthy instances. You can continuously replicate your data and have it ready to bring online if your primary nodes fail, only paying for the nodes when you actually use them. Continuous hardware replacement and upgrade We’re always improving our infrastructure. We replace end-of-life hardware with the latest processors that not only improve performance and speed, but also include the latest secure platform technology, like the Intel AES-NI encryption instruction set, which significantly speeds up the execution of the AES algorithm. Part of your compliance work done Because AWS has already received several certifications for its infrastructure, part of your compliance work has already been done. You only have to certify the applications and architectures you create on AWS. For a list of the certifications that AWS has received, see our AWS Compliance webpage.