AWS: Overview of Security Processes
Bill Murray, Manager – AWS Security Programs
AWS Security Model Overview

Certifications & Accreditations
 • Sarbanes-Oxley (SOX) compliance
 • ISO 27001 Certification
 • PCI DSS Level 1 Certification
 • HIPAA compliant architecture
 • SAS 70 (SOC 1) Type II Audit
 • FISMA Low & Moderate ATOs
 • DIACAP MAC III-Sensitive; pursuing DIACAP MAC II-Sensitive

Shared Responsibility Model (Customer/SI Partner/ISV controls)
 • Guest OS-level security, including patching and maintenance
 • Application-level security, including password and role-based access
 • Host-based firewalls, including Intrusion Detection/Prevention Systems
 • Separation of Access

Physical Security
 • Multi-level, multi-factor controlled access environment
 • Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
 • Multi-factor, controlled, need-based access to administrative hosts
 • All access logged, monitored, reviewed
 • AWS Administrators DO NOT have logical access inside a customer's VMs, including applications and data

VM Security
 • Multi-factor access to Amazon Account
 • Instance Isolation
    • Customer-controlled firewall at the hypervisor level
    • Neighboring instances prevented access
    • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
 • Support for SSL endpoint encryption for API calls

Network Security
 • Instance firewalls can be configured in security groups; traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
 • Virtual Private Cloud (VPC) provides IPSec VPN access from an existing enterprise data center to a set of logically isolated AWS resources
Shared Responsibility Model
AWS is responsible for:
 • Facilities
 • Physical Security
 • Physical Infrastructure
 • Network Infrastructure
 • Virtualization Infrastructure

The customer is responsible for:
 • Operating System
 • Application
 • Security Groups
 • Network ACLs
 • Network Configuration
 • Account Management
AWS Security Resources
http://aws.amazon.com/security/
 • Security Whitepaper (latest version May 2011)
 • Risk and Compliance Whitepaper (latest version January 2012)
Regularly updated; feedback is welcome.
AWS Certifications
 • Sarbanes-Oxley (SOX)
 • ISO 27001 Certification
 • Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
 • SAS 70 (SOC 1) Type II Audit
 • FISMA A&As (Assessments and Authorizations)
    • Multiple NIST Low Approvals to Operate (ATO)
    • NIST Moderate, GSA-issued ATO
    • FedRAMP
 • DIACAP MAC III Sensitive ATO
Customers have deployed various compliant applications, such as HIPAA (healthcare) workloads.
SOC 1 Type II – Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling
ISO 27001

AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.
Physical Security

Amazon has been building large-scale data centers for many years.
Important attributes:
 • Non-descript facilities
 • Robust perimeter controls
 • Strictly controlled physical access
 • 2 or more levels of two-factor auth
 • Controlled, need-based access for AWS employees (least privilege)
 • All access is logged and reviewed
AWS Regions (map): GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo). AWS Edge Locations are also marked on the map.
AWS Regions and Availability Zones (diagram)
Customer Decides Where Applications and Data Reside
Amazon EC2 Security
Host operating system
 • Individual SSH keyed logins via bastion host for AWS admins
 • All accesses logged and audited
Guest operating system
 • Customer controlled at root level
 • AWS admins cannot log in
 • Customer-generated keypairs
Firewall
 • Mandatory inbound instance firewall, default deny mode
 • Outbound instance firewall available in VPC
 • VPC subnet ACLs
Signed API calls
 • Require X.509 certificate or customer’s secret AWS key
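The "signed API calls" bullet is the whole control: a request is accepted only if it carries an HMAC computed with the caller's secret key, so the secret proves possession without ever being transmitted. The block below is an added example, not AWS code or code from this talk. It implements the Query API signing scheme in use when the talk was given (Signature Version 2: HMAC-SHA256 over a canonical string of method, host, path and sorted parameters; current AWS APIs use Signature Version 4 instead), together with the verification a receiving service performs. The credentials are AWS's published placeholder values, the `Version` string and the 15-minute replay window are assumptions, and the request is constructed sample data.

```python
"""AWS Query API request signing (Signature Version 2) and server-side verification.

Added example, not AWS's own code. Shows that a signed API call proves possession of
the secret key without the secret leaving the client, and what the server checks.
"""
import base64
import calendar
import hashlib
import hmac
import time
import urllib.parse

# AWS's published placeholder credentials; constructed sample data, not a real key pair.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOST = "ec2.amazonaws.com"
MAX_SKEW_SECONDS = 900  # assumed replay window (AWS documents a 15-minute tolerance)


def _encode(value: str) -> str:
    # RFC 3986 encoding as Signature V2 requires: only A-Z a-z 0-9 - _ . ~ stay literal.
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query(params: dict) -> str:
    """Parameters sorted by byte order of the name, each name and value encoded, joined by '&'."""
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def sign_request(params: dict, secret: str, method="GET", host=HOST, path="/") -> dict:
    """Client side: add Signature = Base64(HMAC-SHA256(secret, StringToSign)).
    The secret key itself is never put on the wire."""
    digest = hmac.new(secret.encode(), string_to_sign(method, host, path, params).encode(),
                      hashlib.sha256).digest()
    signed = dict(params)
    signed["Signature"] = base64.b64encode(digest).decode()
    return signed


def build_request(action: str, extra: dict, timestamp: str = None,
                  access_key=ACCESS_KEY, secret=SECRET_KEY) -> dict:
    """Assemble a Query API call with the fields the V2 scheme requires, then sign it."""
    params = {
        "Action": action,
        "AWSAccessKeyId": access_key,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "Version": "2012-06-01",  # assumed EC2 API version string for the example
    }
    params.update(extra)
    return sign_request(params, secret)


def parse_timestamp(value: str) -> int:
    """ISO-8601 UTC timestamp -> Unix seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def verify_request(received: dict, secrets: dict, now: int = None,
                   method="GET", host=HOST, path="/") -> bool:
    """Server side: look up the secret for the presented access key, recompute the HMAC
    over everything except the Signature field, and compare in constant time.
    Any altered parameter, a wrong secret, or a stale Timestamp fails."""
    received = dict(received)
    presented = received.pop("Signature", None)
    key_id = received.get("AWSAccessKeyId")
    if presented is None or key_id not in secrets:
        return False
    if received.get("SignatureMethod") != "HmacSHA256" or received.get("SignatureVersion") != "2":
        return False
    try:
        ts = parse_timestamp(received["Timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(received, secrets[key_id], method, host, path)["Signature"]
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    call = build_request("DescribeInstances", {"InstanceId.1": "i-1234abcd"})
    print(canonical_query(call))
    print("valid:", verify_request(call, {ACCESS_KEY: SECRET_KEY}))
```

The verifier recomputes the signature from the parameters it actually received, which is what ties the signature to the request: changing a single parameter value in transit, or replaying an old request outside the timestamp window, is rejected even though the signature itself was genuine.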
Network Security Considerations
DDoS (Distributed Denial of Service):
 • Standard mitigation techniques in effect

MITM (Man in the Middle):
 • All endpoints protected by SSL
 • Fresh EC2 host keys generated at boot (so a first SSH connection to a new instance cannot rely on a previously cached key; check the fingerprint the server presents against the one the instance writes to its console output at first boot)

IP Spoofing:
 • Prohibited at host OS level

Unauthorized Port Scanning:
 • Violation of AWS TOS
 • Detected, stopped, and blocked
 • Ineffective anyway, since inbound ports are blocked by default and only the ports the customer explicitly opens in a security group are reachable

Packet Sniffing:
 • Promiscuous mode is ineffective
 • Protection at hypervisor level
Amazon Virtual Private Cloud (VPC)
 • Create a logically isolated environment in Amazon's highly scalable infrastructure
 • Specify your private IP address range and divide it into one or more public or private subnets
 • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
 • Protect your instances with stateful filters for inbound and outbound traffic using Security Groups
 • Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
 • Bridge your VPC and your onsite IT infrastructure with an industry-standard encrypted VPN connection and/or AWS Direct Connect
 • Use a wizard to easily create your VPC in 4 different topologies
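The stateless/stateful distinction in the two VPC filtering layers is where configurations most often go wrong: a security group remembers the connection it admitted and lets the reply out, while a network ACL judges the reply packet on its own, so the outbound return traffic to the client's ephemeral port needs its own rule, and NACL rules are evaluated in number order with the first match deciding. The block below is an added example, not AWS code, and models those two evaluation semantics on constructed rule sets and a constructed HTTPS request/reply pair so the difference can be exercised offline; the addresses, rule numbers and the 1024-65535 ephemeral range are assumptions for the example.

```python
"""Stateless network ACL vs stateful security group, as a small rule evaluator.

Added example, not AWS code. Models the semantics the slide lists so that the
forgotten-ephemeral-port and rule-ordering mistakes can be seen on sample traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # assumed client-side source port range replies go back to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated in ascending number; first match wins
    action: str        # "allow" or "deny" (security groups only have "allow")
    proto: str         # "tcp", "udp", "icmp" or "all"
    port_range: tuple  # (low, high) destination port range
    cidr: str          # remote address block the rule applies to
    direction: str     # "inbound" or "outbound"


def _matches(rule: Rule, pkt: Packet, remote_ip: str) -> bool:
    return (rule.proto in ("all", pkt.proto)
            and rule.port_range[0] <= pkt.dport <= rule.port_range[1]
            and ip_address(remote_ip) in ip_network(rule.cidr))


def _remote(pkt: Packet, direction: str) -> str:
    return pkt.src if direction == "inbound" else pkt.dst


class NetworkAcl:
    """Stateless subnet filter: every packet, in each direction, is judged on the rules
    alone. Nothing matches -> the implicit final deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules:
            if rule.direction == direction and _matches(rule, pkt, _remote(pkt, direction)):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful instance filter: allow-only rules, any match admits the packet, and the
    flow is remembered so its return traffic is admitted regardless of the rules."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()

    def allows(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True  # reply to a connection already admitted
        for rule in self.rules:
            if rule.direction == direction and _matches(rule, pkt, _remote(pkt, direction)):
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False


def https_session(filt, client="203.0.113.10", server="10.0.1.5") -> bool:
    """Client opens TCP/443 to the instance; the session works only if the request
    gets in AND the reply to the client's ephemeral port gets out."""
    request = Packet(client, server, "tcp", 51515, 443)
    reply = Packet(server, client, "tcp", 443, 51515)
    return filt.allows(request, "inbound") and filt.allows(reply, "outbound")


# Constructed rule sets for a web tier.
ANY = "0.0.0.0/0"
BAD_CLIENT_NET = "198.51.100.0/24"


def web_security_group() -> SecurityGroup:
    return SecurityGroup([Rule(0, "allow", "tcp", (443, 443), ANY, "inbound")])


def naive_nacl() -> NetworkAcl:
    # Mirrors the security group rule in both directions but forgets that replies
    # leave on the client's ephemeral port, not on 443.
    return NetworkAcl([Rule(100, "allow", "tcp", (443, 443), ANY, "inbound"),
                       Rule(100, "allow", "tcp", (443, 443), ANY, "outbound")])


def fixed_nacl() -> NetworkAcl:
    return NetworkAcl(naive_nacl().rules
                      + [Rule(110, "allow", "tcp", EPHEMERAL, ANY, "outbound")])


def blocklist_nacl(deny_number: int) -> NetworkAcl:
    # A deny for BAD_CLIENT_NET only takes effect if numbered before the broad allow.
    return NetworkAcl(fixed_nacl().rules
                      + [Rule(deny_number, "deny", "all", (0, 65535), BAD_CLIENT_NET, "inbound")])
```

Running `https_session` against each rule set shows the two failure modes the slide's wording implies: the naive NACL admits the request and then silently drops the reply, and a deny rule numbered after the `0.0.0.0/0` allow never fires because the allow matched first.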
Amazon VPC Architecture (diagram): the customer's isolated AWS resources (subnets, a NAT instance and a router) sit inside the Amazon Web Services Cloud and are reached from the Customer's Network either through a VPN Gateway over a secure VPN connection across the Internet, or through AWS Direct Connect (dedicated path/bandwidth).
Amazon VPC - Dedicated Instances
 • New option to ensure physical hosts are not shared with other customers
 • $10/hr flat fee per Region + small hourly charge
 • Can identify specific instances as dedicated
 • Optionally configure the entire VPC as dedicated
AWS Deployment Models
Isolation properties compared in the original table (the per-model check marks did not survive extraction): Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Government-Only Physical Network and Facility Isolation; ITAR Compliant (US Persons Only).

Sample workloads:
 • Commercial Cloud: public-facing apps, web sites, dev/test, etc.
 • Virtual Private Cloud (VPC): data center extension, TIC environment, email, FISMA Low and Moderate
 • AWS GovCloud (US): US Persons compliant and government-specific apps
Thanks!

        Remember to visit
https://aws.amazon.com/security

[AWS Summit 2012] Solution Session #4 AWS: Overview of Security Processes