AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving Security with the AWS Cloud

AWS Government, Education, & Nonprofits Symposium, Canberra, Australia | May 20, 2014
Security as an enabler – improving security with the AWS cloud
Stephen Quigg, Principal Security Solutions Architect, Asia Pacific, Amazon Web Services

Upload: amazon-web-services

Post on 15-Jan-2015


Category: Technology



DESCRIPTION

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides, such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

TRANSCRIPT

Page 1: AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving Security with the AWS Cloud

AWS Government, Education, & Nonprofits Symposium

Canberra, Australia | May 20, 2014

Security as an enabler – improving security with the AWS cloud
Stephen Quigg, Principal Security Solutions Architect, Asia Pacific, Amazon Web Services

Page 2

AWS Regions: US-WEST (N. California), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), US-WEST (Oregon), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), GOV CLOUD, ASIA PAC (Sydney)

AWS has Regions across the globe – including Sydney

Page 3

You can stay onshore in Australia with AWS

AWS Sydney Region: multiple availability zones

Page 4

You can improve your security with the AWS cloud

Page 5

You can deploy a consistent security model every time

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers control their level of security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

Page 6

You can build everything to be resilient and fault tolerant

AWS operates scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active resilient solutions

All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every AWS facility managed to the same global standards

AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure

Page 7

Everything can have fine-grained network security

[Diagram: a VPC spanning Availability Zone A and Availability Zone B]

You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity

AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists

Page 8

Create multi-tier architectures every time

[Diagram: VPC A - 10.0.0.0/16 in Availability Zone A with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, containing load balancing, EC2 Web, EC2 App, EC2, Log and Jump host instances]

Page 9

Firewall every single compute instance

[Diagram: VPC A - 10.0.0.0/16 in Availability Zone A with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, containing load balancing, EC2 Web, EC2 App, EC2, Log and Jump instances, each with its own security group]

Security group rules:
• “Web servers will accept Port 80 from load balancers”
• “App servers will accept Port 8080 from web servers”
• “Allow SSH access only from Jump Hosts”

Page 10

Enable network access control on every subnet

[Diagram: the same VPC A - 10.0.0.0/16 layout in Availability Zone A, with a network access control list on each subnet]

Network ACL rule:
• “Deny all traffic between the web server subnet and the database server subnet”
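As an added example (not from the deck), the rules quoted on slides 9 and 10 modelled in Python: stateful security groups keyed by source tier, a stateless network ACL that has to deny both directions, and an `allowed()` check for a candidate connection. The tier names, the tier-to-subnet mapping and the db tier's MySQL rule are assumptions, not from the slides.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the slides' VPC A (10.0.0.0/16); the tier names and the
# tier-to-subnet mapping are assumptions, the deck only shows the CIDRs.
SUBNETS = {
    "lb": "10.0.1.0/24", "web": "10.0.2.0/24", "db": "10.0.3.0/24",
    "app": "10.0.4.0/24", "jump": "10.0.5.0/24",
}

# Security groups (stateful, per instance). Each inbound rule names the source
# *tier*, mirroring a security group that references another security group.
SECURITY_GROUPS = {
    "web": {("lb", 80), ("jump", 22)},     # port 80 from load balancers, SSH from jump hosts
    "app": {("web", 8080), ("jump", 22)},  # port 8080 from web servers, SSH from jump hosts
    "db": {("app", 3306), ("jump", 22)},   # assumption: the app tier speaks MySQL to the db tier
    "lb": set(), "jump": set(),            # inbound rules for these tiers are not modelled
}

# Network ACLs (stateless, per subnet). With no connection tracking, "deny all
# traffic between web and db" must block both directions or replies leak through.
NACL_DENY = {("web", "db"), ("db", "web")}


def tier_of(ip):
    """Return the tier whose subnet contains ip, or None if it is outside VPC A."""
    addr = ip_address(ip)
    return next((t for t, c in SUBNETS.items() if addr in ip_network(c)), None)


def allowed(src_ip, dst_ip, dst_port, security_groups=SECURITY_GROUPS):
    """True if a new TCP connection src_ip -> dst_ip:dst_port can be established."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return False  # traffic entering from outside VPC A is not part of this model
    # NACL stage: the SYN crosses src -> dst and the SYN/ACK crosses dst -> src
    if (src, dst) in NACL_DENY or (dst, src) in NACL_DENY:
        return False
    # Security group stage: stateful, so only the target's inbound rule is consulted
    return (src, dst_port) in security_groups.get(dst, set())


if __name__ == "__main__":
    # Constructed misconfiguration: a web -> db rule slips into the db security group;
    # the subnet NACL still blocks the flow, which is the defence-in-depth point.
    leaky = {tier: set(rules) for tier, rules in SECURITY_GROUPS.items()}
    leaky["db"].add(("web", 3306))
    print(allowed("10.0.1.10", "10.0.2.10", 80))           # True
    print(allowed("10.0.2.10", "10.0.3.10", 3306, leaky))  # False
```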

Page 11

Control every Internet connection

[Diagram: VPC A - 10.0.0.0/16 in Availability Zone A with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, containing load balancing, EC2 Web, EC2 App and EC2 instances, attached to an Internet Gateway]

Control Internet routing
• Create Public subnets and Private subnets
• Implement DMZ architectures as per normal best practices
• Allocate static Elastic IP addresses or use AWS-managed public IP addresses

Page 12

Connect in private to your existing datacentres

[Diagram: VPC A - 10.0.0.0/16 in Availability Zone A with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, containing load balancing, EC2 Web, EC2 App and EC2 instances, connected to your premises]

Use Internet VPNs or use AWS Direct Connect

Page 13

You can route to the Internet using your gateway

[Diagram: the same VPC A - 10.0.0.0/16 layout, with Internet traffic routed back through your premises]

Use Internet VPNs or use AWS Direct Connect

Page 14

Create flexible multi-VPC hybrid environments

[Diagram: your organisation (Project Teams, Marketing, Business Units) connected to multiple VPCs: Reporting, Digital / Websites, Dev and Test, Analytics (Redshift, EMR), Internal Enterprise Apps, and Storage/Backup (Amazon S3, Amazon Glacier)]

Page 15

Every website can absorb attacks and scale out

[Diagram: distributed attackers and customers reach Route53 and CloudFront in front of the Sydney region; inside your VPC, WAF instances, ELBs and App instances in Auto Scaling groups, with Amazon S3 alongside]

Page 16

You can encrypt your sensitive information everywhere

Encrypt your Elastic Block Store volumes any way you like
• Many free utilities, plus Trend, SafeNet and other partners offer high-assurance solutions

Amazon S3 offers either server or client-side encryption
• Manage your own keys or let AWS do it for you

Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys

RDS supports transparent data encryption (TDE)
• Easily encrypt sensitive database tables

Page 17

Store your encryption keys securely in CloudHSM

Tamper-resistant customer controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premise HSMs

Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL

Page 18

Use your own HSMs if you want

[Diagram: your HSM on your premises kept in SYNC with CloudHSM appliances behind NAT in your VPC; applications on EC2 use them for volume, object and database encryption (EBS, S3, Amazon S3, Amazon Glacier) and for signing / DRM / apps]

Page 19

You can enforce consistent host security

[Diagram: launch an instance from the AMI catalogue, configure the running instance, and your instance then carries hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, and the operating system on EC2]

You control the configuration of your servers
Harden operating system and platforms to your own spec
Use host-based protection software
• Apply ASD Top 35 mitigation strategies!
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM

Page 20

Control access and segregate duties everywhere

[Diagram: a Region containing VPC A - 10.0.0.0/16 with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 across two Availability Zones, a Router, an Internet Gateway to the Internet, and a Customer Gateway]

You get to control who can do what in your AWS environment and from where
Fine-grained control of your entire cloud environment with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0

Segregated duties shown on the slide: AWS account owner, Network management, Security management, Server management, Storage management, Build and run

Page 21

Get consistent visibility of logs that you can monitor

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made

Who did what and when and from what IP address
• Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and RedShift
• Easily aggregate all log information
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
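As an added example (not from the deck), a Python reduction of a constructed CloudTrail file to the slide's four questions (who, what, when, from what IP address), flagging watched API calls made from outside an assumed admin network. The sample records, the admin address range and the watched event set are assumptions for this example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed CloudTrail log file (real files are a JSON object with a "Records" array);
# the account id and addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-05-20T01:02:03Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-05-20T01:05:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/1.3.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-05-20T01:06:30Z", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.22", "userAgent": "aws-cli/1.3.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/deploy-session"}},
]})

# Assumptions: the range admins are expected to work from, and the calls worth a look.
ADMIN_NETWORK = ip_network("203.0.113.0/24")
WATCHED = {"AuthorizeSecurityGroupIngress", "CreateUser", "StopLogging", "DeleteTrail"}


def actor(identity):
    """Name the principal: IAM user name, or role/session for assumed roles."""
    if identity.get("type") == "AssumedRole":
        return identity.get("arn", "").split("assumed-role/")[-1]
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def summarise(raw_log):
    """Reduce each record to when / who / what / from where / how (console, CLI, SDK)."""
    return [(r["eventTime"], actor(r["userIdentity"]), r["eventName"],
             r["sourceIPAddress"], r["userAgent"])
            for r in json.loads(raw_log)["Records"]]


def findings(raw_log):
    """Watched calls whose source address lies outside the admin network."""
    out = []
    for when, who, what, where, how in summarise(raw_log):
        if what not in WATCHED:
            continue
        try:
            offsite = ip_address(where) not in ADMIN_NETWORK
        except ValueError:  # AWS services acting on your behalf put a DNS name here, not an IP
            offsite = False
        if offsite:
            out.append(f"{when} {who} called {what} from {where} via {how}")
    return out
```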

Page 22

You get to do all of this in DEVELOPMENT, TESTING, PRE-PRODUCTION and LIVE

Page 23

Let's hear from an AWS customer who has done it

Page 24

Bruce Haefele, Chief Architect, Health Direct Australia

Delivering health services on AWS

Page 25

Who we are and what we do

Page 26

We isolate environments into VPCs

[Diagram: Sydney region with separate VPCs for Dev, Int, Test, Staging, Prod., Tools, Admin and Corp., an HSM Appliance, and a VPN to an External Datacenter Provider]

Page 27

We isolate components within each VPC

[Diagram: Availability Zone A with components separated by classification (Public, Unclassified, Sensitive / Health): Web, WAF, API. Gate., ESB, EC2 Web, EC2 API, Port., App., IAM, Vuln., PII, Log, SIEM, Mon., Sec. Man., Enc. Man., De-id, Auth., Sec. Data]

Page 28

Services we use in the AWS cloud: Dynamo DB, RDS, Elastic Network Interface, EBS, Elastic Load Balancer, Glacier, VPC, Storage Gateway, EC2, Cloud Formation, AWS IAM, Autoscaling, Elastic IPs, Route 53, Cloudwatch, S3, Cloudfront, VPC VPN

Page 29

Things you should think about
• Start small and experiment
• Rethink your approach to your infrastructure
• Data classification
• What AWS services you can use and what you have to build
• Defense in depth
• Where and how to encrypt
• What to log, backup strategies, archive and retrieval
• How to federate and integrate – levels of trust
• Privileged access
• Compliance
• Vendor licensing models
• Financial management

Page 30

Further info and how to get AWS support

Read AWS security whitepapers, tips and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, best practices, audit guides and operational checklists to help you before you go live
• Workshop solutions with an AWS solutions architect, including me!
• Get free trials of security from AWS Partners on the AWS marketplace

Sign up for AWS premium support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment

Page 31

THANK YOU. Please give us your feedback by filling out the Feedback Forms

AWS Government, Education, & Nonprofits Symposium
Canberra, Australia | May 20, 2014
