Security & Compliance


Transcript of Security & Compliance

Page 1: Security & Compliance

© 2016 Amazon Web Services, Inc. and its affiliates. All rights reserved.

Istanbul

November 8, 2016

Security and Compliance

Toros Gökkurt

Solutions Architect, Amazon Web Services

[email protected]

@torosgokkurt

Page 2: Security & Compliance


Overview

AWS audits and attestations

Shared responsibility model

Security control framework of the AWS cloud

AWS security services and features

Security and auditing best practices in the AWS cloud

Page 3: Security & Compliance


AWS Security: Top Priority

Customer: Data, Integrity

AWS: Infrastructure, Platforms, Controls

Page 4: Security & Compliance


AWS Security: Benefits

Build an environment for the most security-sensitive organizations.

Benefit ALL customers.

Validate design & operational effectiveness through AWS third-party audits.

Page 5: Security & Compliance


AWS Shared Responsibility Model

AWS: responsible for security ‘of’ the cloud

Customer: responsible for security ‘in’ the cloud

Customer responsibility (security ‘in’ the cloud):

Customer Data

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption & Data Integrity Authentication | Server-side Encryption (File System and/or Data) | Network Traffic Protection (Encryption / Integrity / Identity)

AWS responsibility (security ‘of’ the cloud):

Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 6: Security & Compliance


Security of the Cloud

Page 7: Security & Compliance


Securing Your AWS Infrastructure

Responsible for security ‘of’ the cloud (AWS):

• Physical & Environmental Security

• IT Operations

• Access Controls

• Security Policy & Governance

• Change Management

Responsible for security ‘in’ the cloud (customer):

• AWS Security Services

• Asset Management

• Data Security

• Network Security

• Access Controls

Page 8: Security & Compliance


Physical & Environmental Security: Physical Security

Building

Perimeter and entry

Security staff and surveillance

Two-factor authentication

Escort

Page 9: Security & Compliance


Physical & Environmental Security: Environmental Security

Fire detection and suppression

Power

Climate and temperature

Monitoring equipment

Storage device decommissioning

Page 10: Security & Compliance


IT Operations Controls

Audit Logging: prevent unauthorized access from going undetected

Capacity Management: prevent system outages

Vulnerability Management: detect unauthorized access

Incident Management: recover and reconstitute from incidents quickly and effectively

Page 11: Security & Compliance


IT Operations Controls

Backup & Recovery: prevent loss of critical data

Business Continuity and Disaster Recovery: respond to & recover from major disruptions

Secure Communication: prevent sensitive information from being disclosed to unauthorized parties

Data Management: detect suspicious activities & unauthorized tampering of the system

Page 12: Security & Compliance


Access Controls

Segregation, Account Review & Audit, Background Checks, Credentials Policy

Restrict access to information resources and prevent unauthorized disclosure

Page 13: Security & Compliance


Security Policy & Governance Controls

Security Policy: guide operations & information security in the organization

Risk Assessment: mitigate risks & reduce exposure to vulnerabilities

Training & Awareness: enhance awareness of AWS policies & procedures

Page 14: Security & Compliance


Security Policy & Governance Controls

Communication: prevent unauthorized modification or disclosure of information

Compliance: prevent inadvertent violation of laws & regulations

HR Security: prevent potential security breaches resulting from human resources

Third Party Management: prevent potential compromise of information due to misuse

Page 15: Security & Compliance


Change Management Controls

Document the change

Communicate the change to the business

Test changes in non-production environments

Review changes for both technical rigor and business impact

Attain approval for the change by authorized team members

Page 16: Security & Compliance


Audits & Attestations

Maintain alignment with thousands of global requirements and best practices.

Validate a ubiquitous security control environment.

Enable customers to assess their organization’s compliance with industry and government requirements.

Page 17: Security & Compliance


Security in the Cloud

Page 18: Security & Compliance


Securing Your AWS Infrastructure

Responsible for security ‘of’ the cloud (AWS):

• Physical & Environmental Security

• IT Operations

• Access Controls

• Security Policy & Governance

• Change Management

Responsible for security ‘in’ the cloud (customer):

• AWS Security Services

• Asset Management

• Data Security

• Network Security

• Access Controls

Page 19: Security & Compliance


AWS Security Services

AWS CloudHSM

AWS Config

Page 20: Security & Compliance


AWS Security Services

AWS IAM

AWS KMS

AWS CloudTrail

Page 21: Security & Compliance


Logging in AWS

AWS CloudTrail

• Control access to log files

• Obtain alerts on log file creation & misconfiguration

• Storage of log files

• Generate customized reporting of log data
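The alerting and reporting half of this slide, as an added example that is not part of the deck: a scan over CloudTrail records in the shape of a delivered log file ({"Records": [...]}) that flags API calls tampering with the trail itself (the "misconfiguration" alert), root-account activity, and console logins without MFA. Field names follow the CloudTrail record format; the records, account ID, user names and addresses below are constructed.

```python
"""Scan CloudTrail records for events a security team alerts on: calls that
tamper with the trail itself, root-account activity, and console logins
without MFA. Added example, not from the deck; the records are constructed
in the shape of a delivered log file, with an invented account ID, user
names and IP addresses."""
import json

# CloudTrail API calls that stop, delete or reconfigure the trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log file (four records).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-11-08T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-central-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2016-11-08T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-08T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2016-11-08T09:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def _actor(record):
    """Best available name for who made the call (root has no userName)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def scan_records(log_text):
    """Return one (rule, actor, eventName, sourceIPAddress) tuple per match."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        hits = []
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in TRAIL_TAMPERING):
            hits.append("trail-tampering")
        if rec.get("userIdentity", {}).get("type") == "Root":
            hits.append("root-activity")
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            hits.append("console-login-without-mfa")
        findings.extend((rule, _actor(rec), rec["eventName"], rec.get("sourceIPAddress"))
                        for rule in hits)
    return findings


if __name__ == "__main__":
    for rule, actor, event, ip in scan_records(SAMPLE_LOG):
        print(f"{rule:26} {actor:40} {event:14} {ip}")
```

In a real deployment the same checks run on each log file CloudTrail delivers to the S3 bucket (or on the CloudWatch Logs stream); the point of the trail-tampering rule is that an attacker who disables the trail generates exactly one more record before the logging stops, so that record must be alerted on immediately.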

Page 22: Security & Compliance


Asset Management

Asset Identification

Asset Inventory

Secure Management

Change Management

Audit Assets

Amazon CloudWatch

AWS Config

Page 23: Security & Compliance


Data Security

Understand where data resides

Identify key management policies

Ensure appropriate controls

Review:

* Connection methods

* Internal policies and procedures for key management

* Encryption methods

Page 24: Security & Compliance


Network Security

Best practices:

Always use security groups

Augment security groups with Network ACLs

Use trusted connections

Design network security in layers
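The layering the slide recommends, as an added example that is not part of the deck: a small evaluator that runs a new inbound connection through a network ACL and then a security group, using the real semantics of each (NACL rules are numbered, the lowest matching number wins, there is an implicit final deny, and the NACL is stateless; security-group rules are allow-only, any match permits, and the group is stateful). All CIDRs, rule numbers and addresses are constructed. The last case shows the caveat practitioners hit most often: a NACL that allows inbound 443 but has no outbound rule for the client's ephemeral port drops the reply that the security group alone would have allowed.

```python
"""Evaluate a new inbound TCP connection against a network ACL and a security
group, in layers. Added example (not from the deck); rules and addresses are
constructed, the evaluation semantics are those of VPC NACLs and security groups."""
import ipaddress

# Network ACL rules: (rule number, action, CIDR, (port_from, port_to)).
NACL_INBOUND = [
    (100, "deny", "203.0.113.0/24", (0, 65535)),   # block a known-bad range before any allow
    (110, "allow", "0.0.0.0/0", (443, 443)),       # public HTTPS
    (120, "allow", "10.0.0.0/16", (22, 22)),       # SSH only from inside the VPC
    (130, "allow", "0.0.0.0/0", (80, 80)),         # legacy rule; the SG is what closes port 80
]
# Return traffic to the client's ephemeral port needs its own rule: NACLs are stateless.
NACL_OUTBOUND = [
    (100, "allow", "0.0.0.0/0", (1024, 65535)),
]
# Security group rules: (CIDR, (port_from, port_to)); allow-only and stateful.
SG_INBOUND = [
    ("0.0.0.0/0", (443, 443)),
    ("10.0.0.0/16", (22, 22)),
]


def _matches(cidr, ports, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            and ports[0] <= port <= ports[1])


def nacl_decision(rules, ip, port):
    """Lowest rule number that matches wins; no match hits the implicit '*' deny."""
    for _number, action, cidr, ports in sorted(rules):
        if _matches(cidr, ports, ip, port):
            return action
    return "deny"


def sg_allows(rules, ip, port):
    """Security groups have no deny rules: any matching rule permits the packet."""
    return any(_matches(cidr, ports, ip, port) for cidr, ports in rules)


def evaluate_inbound(src_ip, dst_port, client_port=40000,
                     nacl_in=NACL_INBOUND, nacl_out=NACL_OUTBOUND, sg=SG_INBOUND):
    """Return (decision, layer) for a connection from src_ip:client_port to dst_port."""
    if nacl_decision(nacl_in, src_ip, dst_port) == "deny":
        return "deny", "nacl-inbound"
    if not sg_allows(sg, src_ip, dst_port):
        return "deny", "security-group"
    # The security group tracks the connection, so its reply passes automatically;
    # the NACL re-evaluates the SYN-ACK going back to src_ip:client_port.
    if nacl_decision(nacl_out, src_ip, client_port) == "deny":
        return "deny", "nacl-outbound-ephemeral"
    return "allow", "all-layers"


if __name__ == "__main__":
    for ip, port in [("203.0.113.5", 443), ("198.51.100.9", 443),
                     ("198.51.100.9", 80), ("10.0.4.2", 22)]:
        print(ip, port, evaluate_inbound(ip, port))
    # Forgetting the outbound ephemeral rule silently breaks what the SG allowed.
    print("no outbound rule:", evaluate_inbound("198.51.100.9", 443, nacl_out=[]))
```

The NACL earns its place as the outer layer for the things a security group cannot express: a deny for a specific source range, applied subnet-wide regardless of which instances or groups are inside.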

Page 25: Security & Compliance


Access Controls

Create individual IAM users

Use groups to assign permissions to IAM users

Grant least privilege

Configure a strong password policy for your users

Enable MFA for privileged users

Use roles for applications that run on Amazon EC2 instances

Page 26: Security & Compliance


Access Controls

Delegate by using roles instead of by sharing credentials

Rotate credentials regularly

Remove unnecessary credentials

Use policy conditions for extra security

Monitor activity in your AWS account
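The credential hygiene items on these two slides (MFA for privileged users, rotate credentials regularly, remove unnecessary credentials, monitor the account) are checkable from the IAM credential report. As an added example that is not part of the deck, the audit below runs over a constructed CSV whose column names follow the real report (a subset of its columns), with an invented account ID and user names, and reports users with a console password but no MFA, access keys older than 90 days, keys that have never been used, and any access key on the root account.

```python
"""Audit an IAM credential report against the access-control practices on
these slides. Added example, not from the deck; the CSV is a constructed
subset of the real report's columns, with an invented account ID and users."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)
# Fixed reference time (the talk's date) so the output is reproducible.
NOW = datetime(2016, 11, 8, tzinfo=timezone.utc)

# Constructed sample. "N/A" and "not_supported" are the report's own placeholders.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2015-01-10T08:00:00+00:00,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,true,true,2016-10-20T12:00:00+00:00,2016-11-07T18:30:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2016-03-01T00:00:00+00:00,2016-11-08T06:00:00+00:00
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,false,false,true,2016-09-15T00:00:00+00:00,N/A
"""


def _timestamp(value):
    """The report writes N/A / no_information / not_supported where no date exists."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW):
    """Return (user, finding) pairs in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a password; for IAM users only console users need MFA.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "password-without-mfa"))
        if row["access_key_1_active"] != "true":
            continue
        if is_root:
            findings.append((user, "root-access-key"))
        rotated = _timestamp(row["access_key_1_last_rotated"])
        if rotated is not None and now - rotated > MAX_KEY_AGE:
            findings.append((user, "access-key-older-than-90-days"))
        if _timestamp(row["access_key_1_last_used_date"]) is None:
            findings.append((user, "access-key-never-used"))
    return findings


if __name__ == "__main__":
    for user, problem in audit(CREDENTIAL_REPORT):
        print(f"{user:14} {problem}")
```

The real report also carries the second access key and the signing certificates (same column pattern with access_key_2_* and cert_*); the same loop applies to them. A key that is active but has never been used is the case the "remove unnecessary credentials" item is aimed at: it cannot break anything when deleted and is pure exposure while it exists.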

Demonstration: AWS Security

Page 27: Security & Compliance


AWS Global Compliance

AWS Customers

Certifications / Attestations

Laws, Regulations, and Privacy

Alignments / Frameworks

Global, United States, Europe, Asia Pacific

Page 28: Security & Compliance


Break