Post on 20-May-2020
Berlin
Security & AWS
Stephen Schmidt
Vice President and CISO
Security is Job Zero
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
The Enterprise AWS Security Journey
Phase 1: How do I move to AWS?
(chart: experience growing over time)
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Network Security
Inventory & Configuration
Customer applications & content
AWS and you share responsibility for security
You get to define your controls IN the Cloud
AWS takes care of the security OF the Cloud
Data Encryption
Access Control
Start with the 5 why’s of security
1) Why is security such a hot topic?
Because it’s important, and it’s hard
2) Why is enterprise security traditionally so hard?
Because so much planning is needed
3) Why so much planning, which takes so long?
Because it requires so many processes
4) Why so many processes?
Because mistakes are easy to make and hard to put right
5) Why are mistakes so hard to put right?
Lack of visibility
Low degree of automation
So where does AWS come in?
AWS makes security more agile
Lets you move fast while staying safe
The Enterprise AWS Security Journey
Phase 2: How do I use AWS to improve?
(chart: experience growing over time)
From this: Design, Deploy, Operate, Improve as a one-way sequence
To this: Design, Deploy, Operate, Improve as a continuous loop
Design & Deploy
Define sensible defaults
Inherit compliance controls
Use available security features
Manage templates - not instances
Operate & Improve
Constantly reduce the role of people
Reduce Privileged accounts
Concentrate on what matters
Example: Hardened Instances
Question to answer
• How many of my instances came from the correct “approved” server image?
• How many “approved” instances?
Traditional IT
• Manual IT process to prevent
• Even more manual process to audit
AWS
• CloudTrail identifies instance launches with unapproved AMIs
• Continuously auditable
• Push notification rather than regular pull
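As an added illustration of the CloudTrail-based check above (example code written for this page, not AWS’s own tooling), the Python below scans CloudTrail RunInstances records for launches from images outside an approved AMI allowlist and answers both questions on the slide: which instances came from an unapproved image, and how many launches were approved. The records, AMI IDs, instance IDs and user names are constructed samples. The `handler` function shows the same check in the push shape an EventBridge rule for “AWS API Call via CloudTrail” would deliver it in, where the CloudTrail record sits under `detail`; the wiring around it (the rule, what you do with findings) is assumed, not shown.

```python
import json

# Approved ("golden") server images. Constructed placeholder IDs, not real AMIs.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210"}

# Constructed CloudTrail records, trimmed to the fields this check uses.
# Shape follows CloudTrail's ec2 RunInstances event: the instances actually
# launched, with their imageId, appear under responseElements.instancesSet.items.
SAMPLE_RECORDS = [
    {
        "eventTime": "2020-05-20T09:12:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "eu-central-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa111aaa111aaa1", "imageId": "ami-0123456789abcdef0"},
        ]}},
    },
    {
        "eventTime": "2020-05-20T09:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "eu-central-1",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0bbb222bbb222bbb2", "imageId": "ami-0deadbeefdeadbee0"},
            {"instanceId": "i-0bbb333bbb333bbb3", "imageId": "ami-0deadbeefdeadbee0"},
        ]}},
    },
    {   # A denied launch: CloudTrail records an errorCode and no responseElements.
        "eventTime": "2020-05-20T09:20:10Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "eu-central-1",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "errorCode": "Client.UnauthorizedOperation",
        "responseElements": None,
    },
    {   # Unrelated API call; must be ignored.
        "eventTime": "2020-05-20T09:21:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "eu-central-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]


def launched_instances(record):
    """Yield (instanceId, imageId) for every instance a RunInstances record created."""
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "RunInstances":
        return
    if record.get("errorCode") or not record.get("responseElements"):
        return  # the call failed, so nothing was launched
    for item in record["responseElements"].get("instancesSet", {}).get("items", []):
        yield item["instanceId"], item["imageId"]


def unapproved_launches(records, approved=APPROVED_AMIS):
    """One finding per instance launched from an image outside the allowlist."""
    findings = []
    for r in records:
        for instance_id, image_id in launched_instances(r):
            if image_id not in approved:
                findings.append({
                    "instanceId": instance_id,
                    "imageId": image_id,
                    "user": r.get("userIdentity", {}).get("userName", "?"),
                    "region": r.get("awsRegion"),
                    "time": r.get("eventTime"),
                })
    return findings


def launch_summary(records, approved=APPROVED_AMIS):
    """Answer 'how many approved instances?' over the log window."""
    counts = {"approved": 0, "unapproved": 0}
    for r in records:
        for _, image_id in launched_instances(r):
            counts["approved" if image_id in approved else "unapproved"] += 1
    return counts


def handler(event, context=None):
    """Push shape (hypothetical wiring): an EventBridge rule on 'AWS API Call via
    CloudTrail' delivers the CloudTrail record under event['detail']. Returns the
    findings for that one record; publishing them is left to the caller."""
    record = event.get("detail", event)
    return unapproved_launches([record])


if __name__ == "__main__":
    print(json.dumps(unapproved_launches(SAMPLE_RECORDS), indent=2))
    print(launch_summary(SAMPLE_RECORDS))
```

This is the detective half: it tells you after the launch, which is what makes it continuously auditable. Two practical caveats: CloudTrail records are per region unless the trail is multi-region, so run the batch form over every region you operate in; and a failed RunInstances still appears in the trail with an `errorCode`, which is why the code checks it before counting anything as launched.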
Example: Entitlements Reporting
Question to answer
• What accesses do your people have?
Traditional IT
• Inventory your assets and privileges
• Reconcile with user accounts
• All manual
AWS
• IAM auditing: native API calls
• GetAccountAuthorizationDetails
• ListUserPolicies
• ListGroupPolicies
• ListRolePolicies
The Enterprise AWS Security Journey
Phase 3: How do I design security for tomorrow?
(chart: experience growing over time)
The Five Why’s at Work at AWS
AWS Security Team
Operations
Application Security
Engineering
Compliance
Aligned for speed
Security Ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded
Operating Principles
Separation of duties
Different personnel across service lines
Least privilege
Technology to automate operational principles
Visibility through log analytics
Shrinking the protection boundaries
Ubiquitous encryption
Log analysis at AWS
• Internal project at AWS to analyze internal log traffic
• Collecting 90TB of logs per day (~70k EPS average)
• Correlate with permissions
• Compress 10:1 and store in S3
• Less than a minute response time for 3 billion sequential accesses
• Costing a fraction of off-the-shelf software
Log analysis data flow
Sources: EC2 instances, AWS CloudTrail, permissions data
• Write raw logs to Amazon S3
• Parse in Amazon EMR and upload to Amazon Redshift
• Analyze with standard BI tools
• Archive to Amazon Glacier
Encrypted end-to-end!
What are we looking for?
• Unused permissions
• Overuse of privileged accounts
• Usage of keys
• Anomalous logins
• Policy violations
• System abuse
• ….
• Collect data once, many use cases
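The entitlements report under “Example: Entitlements Reporting” and the unused-permissions and privileged-account items in the list above are two uses of the same data: granted permissions on one side, observed API calls on the other. As an added example (written for this page, not AWS’s internal log-analysis project), the Python below builds each IAM user’s allowed actions from a document shaped like the response of GetAccountAuthorizationDetails, then correlates them with CloudTrail records to list grants the user never exercised in the window and users holding `*` on everything. The account, users, group, policy names and events are constructed samples. It handles only `Allow` statements and ignores `Deny`, `Resource` and `Condition`, so it is an inventory, not a policy evaluator; and “unused” means “no CloudTrail evidence”, which also catches services whose calls are not logged by default (S3 data events, for one).

```python
import fnmatch
from collections import defaultdict

# Constructed sample shaped like the response of iam:GetAccountAuthorizationDetails
# (hypothetical account, users, group and policy names). Role details are omitted.
AUTH_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["ops"], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "alice-s3", "PolicyDocument": {
             "Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}}]},
        {"UserName": "bob", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "ops", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ops-ec2",
                                     "PolicyArn": "arn:aws:iam::123456789012:policy/ops-ec2"}]},
    ],
    "Policies": [
        {"PolicyName": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
        {"PolicyName": "ops-ec2", "Arn": "arn:aws:iam::123456789012:policy/ops-ec2",
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]}]}}]},
    ],
}

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole"}},  # no IAM user behind it; skipped
]


def allowed_actions(document):
    """Action patterns from the Allow statements of one policy document.
    Deny, Resource and Condition are deliberately ignored: inventory, not evaluation."""
    patterns = []
    for st in document.get("Statement", []):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        acts = st["Action"]
        patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns


def entitlements(details):
    """Map each IAM user to the union of action patterns granted via inline policies,
    attached managed policies, and the policies of every group the user is in."""
    managed = {p["Arn"]: next(v["Document"] for v in p["PolicyVersionList"] if v["IsDefaultVersion"])
               for p in details.get("Policies", [])}
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}

    def principal_patterns(entity, inline_key):
        pats = set()
        for inline in entity.get(inline_key, []):
            pats.update(allowed_actions(inline["PolicyDocument"]))
        for attached in entity.get("AttachedManagedPolicies", []):
            pats.update(allowed_actions(managed[attached["PolicyArn"]]))
        return pats

    report = {}
    for user in details.get("UserDetailList", []):
        pats = principal_patterns(user, "UserPolicyList")
        for name in user.get("GroupList", []):
            pats |= principal_patterns(groups[name], "GroupPolicyList")
        report[user["UserName"]] = pats
    return report


def used_actions(events):
    """Map IAM user name -> set of 'service:Action' strings seen in CloudTrail."""
    used = defaultdict(set)
    for e in events:
        ident = e.get("userIdentity", {})
        if ident.get("type") == "IAMUser" and "userName" in ident:
            service = e["eventSource"].split(".")[0]
            used[ident["userName"]].add(f"{service}:{e['eventName']}")
    return used


def unused_entitlements(details, events):
    """Granted action patterns with no matching call in the log window, per user.
    IAM action names are case-insensitive and '*' matches any run of characters."""
    used = used_actions(events)
    result = {}
    for user, patterns in entitlements(details).items():
        seen = [a.lower() for a in used.get(user, ())]
        result[user] = sorted(p for p in patterns
                              if not any(fnmatch.fnmatchcase(a, p.lower()) for a in seen))
    return result


def full_admins(details):
    """Users holding an unconditional Allow on every action ('*')."""
    return sorted(u for u, pats in entitlements(details).items() if "*" in pats)


if __name__ == "__main__":
    print("admins:", full_admins(AUTH_DETAILS))
    for user, unused in unused_entitlements(AUTH_DETAILS, SAMPLE_EVENTS).items():
        print(user, "never used:", unused)
```

A `*` grant never shows up as unused, because every logged call matches it; that is exactly why the privileged-account list is a separate query rather than a by-product of the unused-permission one. Extending the same correlation to roles means adding `RoleDetailList` on the permissions side and `AssumedRole` identities (keyed on the role ARN in `sessionContext`) on the log side.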
Infrastructure Security at AWS
AWS Data Center
• Bastion hosts for maintenance
• Two Factor Authentication
• Ubiquitous Encryption
• Separation to Enhance Containment
• Testing & Metrics
Ubiquitous encryption
AWS CloudTrail
IAM
EBS
RDS
Redshift
S3
Glacier
Encrypted in transit and at rest
Fully auditable
Fully managed keys
Restricted access
Ubiquitous encryption is one of our core design tenets
Good Crypto Everywhere, All The Time
TLS is everywhere in our APIs
TLS is complex
s2n: Small, Fast, Simple
Small: ~6,000 lines of code, all audited; ~80% less memory consumed
Fast: 12% faster
Simple: avoid rarely used options/extensions
Open Source: available on AWSLabs today
https://github.com/awslabs/s2n
AWS is committed to OpenSSL
Supporting OpenSSL development through the Linux Foundation’s Core Infrastructure Initiative
Benefits of Enterprise Security on AWS
Higher degree of visibility, transparency and accountability
Higher degree of trust and autonomy
Better ability to respond to business’ requirements for change
Agility in security leading to speed to market
St. James’s Place Runs 85 Percent of Its Applications on AWS
St. James’s Place is a U.K. wealth-management company managing over £52 billion of client funds.
“We were able to double our capacity during the peak tax season, and then contract it back down when it was no longer required.”
Andy Montgomery, Head of Division for IT Operations and Solution Design, St. James’s Place
• Needed flexible IT resources that could scale as customer base grows 50% every year.
• Needed high level of data security and compliance with Financial Conduct Authority (FCA) regulations
• Migrated 85 percent of its applications to AWS and expects a full migration by 2016.
For more information:
https://blogs.aws.amazon.com/security/
Thank you!