Shared Responsibility Deep Dive

Gavin Fitzpatrick, Security Assurance Technical Architect - EMEA, 22/10/2015

Transcript of Shared Responsibility Deep Dive

Page 1: Shared Responsibility Deep Dive

Shared Responsibility Deep Dive

Gavin Fitzpatrick, Security Assurance Technical Architect - EMEA

22/10/2015

Page 2: Shared Responsibility Deep Dive

Intro to AWS

Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.

Page 3: Shared Responsibility Deep Dive

Where to place data: isolated by design

• Data is not replicated to other AWS regions

Page 4: Shared Responsibility Deep Dive


Page 5: Shared Responsibility Deep Dive

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:

• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Customer content

Customers are responsible for their security and compliance IN the Cloud.

AWS is responsible for the security OF the Cloud.

Page 6: Shared Responsibility Deep Dive

Infrastructure Services

Container Services

Abstract Services

Page 7: Shared Responsibility Deep Dive

Managed by AWS:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM

Managed by customers:

• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Customer IAM
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption: File System and/or Data
• Network Traffic Protection: Encryption / Integrity / Identity
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Page 8: Shared Responsibility Deep Dive

• AWS Responsibility:
  • Foundational Services – Networking, Compute, Storage
  • AWS Global Infrastructure
  • AWS IAM
  • AWS API Endpoints

Page 9: Shared Responsibility Deep Dive

Managed by AWS:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System, Network Configuration
• Platform & Applications Management
• AWS IAM

Managed by customers:

• Customer content
• Firewall Configuration
• Customer IAM
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection: Encryption / Integrity / Identity
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Page 10: Shared Responsibility Deep Dive

• AWS Responsibility:
  • Foundational Services – Networking, Compute, Storage
  • AWS Global Infrastructure
  • AWS IAM
  • AWS API Endpoints
  • Operating System
  • Platform / Application
  • High Availability

Page 11: Shared Responsibility Deep Dive

Managed by AWS:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System, Network & Firewall Configuration
• Platform & Applications Management
• Data Protection by the Platform: Protection of Data at Rest
• Network Traffic Protection by the Platform: Protection of Data in Transit
• AWS IAM

Managed by customers:

• Customer content
• Client-Side Data Encryption & Data Integrity Authentication
• Optional – Opaque Data: 1’s and 0’s (in flight / at rest)

Page 12: Shared Responsibility Deep Dive

• AWS Responsibility:
  • Foundational Services – Networking, Compute, Storage
  • AWS Global Infrastructure
  • AWS IAM
  • AWS API Endpoints
  • Operating System
  • Platform / Application
  • Data Protection (Rest - SSE, Transit)
  • High Availability / Scaling

Page 13: Shared Responsibility Deep Dive

Infrastructure Services:

• Applications
• Operating System
• Networking/Firewall
• Data
• Customer IAM
• AWS IAM

Container Services:

• Firewall
• Data
• AWS IAM

Abstract Services:

• Data
• Customer IAM
• AWS IAM

Page 14: Shared Responsibility Deep Dive


Page 15: Shared Responsibility Deep Dive

AWS is responsible for the security OF the cloud.

AWS Foundation Services: Hypervisor, Compute, Storage, Network

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 16: Shared Responsibility Deep Dive

Auditing - Comparison: on-Prem vs on AWS

on AWS

• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance

on-Prem

• Start with bare concrete
• Functionally optional – (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation

Page 17: Shared Responsibility Deep Dive
Page 18: Shared Responsibility Deep Dive
Page 19: Shared Responsibility Deep Dive

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:

• Your own accreditation
• Your own certifications
• Your own external audits

Customer scope and effort is reduced.

Better results through focused efforts.

Built on AWS consistent baseline controls.

Page 20: Shared Responsibility Deep Dive

accreditation certification possible

Page 21: Shared Responsibility Deep Dive
Page 22: Shared Responsibility Deep Dive

• Security Control Responsibility Matrix (CRM)

Page 23: Shared Responsibility Deep Dive
Page 24: Shared Responsibility Deep Dive

• AWS CloudFormation templates

Page 25: Shared Responsibility Deep Dive

• User Guides and Scripts to assist with deployment

Page 26: Shared Responsibility Deep Dive
Page 27: Shared Responsibility Deep Dive

Helpful Resources

https://aws.amazon.com/compliance/compliance-enablers/

https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

https://aws.amazon.com/compliance

https://aws.amazon.com/security

https://blogs.aws.amazon.com/security/

[email protected]

Page 28: Shared Responsibility Deep Dive

awscompliance