There are four common challenges that CISOs and their security teams struggle with, even in the most secure and mature organizational datacenters – visibility, resilience, defense-in-depth, and automation. Learn how these challenges become benefits of using the AWS Cloud and why Cybersecurity is becoming a driving force behind commercial cloud adoption. This is an executive level presentation that covers key technical concepts and capabilities to meet business security and compliance objectives. Intended audience includes CIOs, CISOs, Technical Managers, senior architects and engineers new to AWS, and Technically-savvy Business Managers.

1. ©2017, Amazon Web Services, Inc. or its affiliates. All rights reserved
Security:
A Driving Force Behind Moving to the Cloud
Michael South
Americas Regional Leader,
Public Sector Security & Compliance

2. Why is security traditionally so hard?
Lack of
Visibility
Low degree
of Automation
Lack of
Resiliency
Defense-in-Depth
Challenges

3. Four Security Benefits of the Cloud
• Increased visibility
• Increased availability and resiliency
• True Defense-in-Depth
• Ability to automate for governance and Security
Operations

4. Customer
AWS
AWS is responsible for
security of the cloud
Customer is responsible for
security in the cloud
Customer data
Platform, applications, identity, & access management
Operating system, network, & firewall configuration
Client-side data encryption &
data integrity authentication
Server-side encryption
(file system &/or data)
Network traffic protection
(encryption/integrity/identity)
Compute Storage Database Networking
Edge
locations
Regions
Availability Zones
AWS Global
Infrastructure
Share your security responsibility with AWS

5. Visibility

6. Means of obtaining Visibility
Use of resource tags
CLI Describe
Console
Business
Intelligence
Tools
API Queries

7. AWS Services that provide Operational Visibility
Track user activity
and API usage
Monitor resources
and applications
Analyze OS and
application security
Self-service for AWS’
compliance reports
Track network
activity in/out of VPC
Intelligent Threat
Detection
Discover, classify, and
protect sensitive data
Guidance to reduce
cost, increase
performance, and
improve security
Track application
access/denials
Flow logs

8. Inherit global security and compliance controls
Certifications / Attestations Laws / Regulations / Privacy Alignments / Frameworks
C5 ! Agentina Data Privacy CIS (Center for Internet Security) 🌐
Cyber Essentials Plus # CISPE $ CJIS (US FBI) %
DoD SRG % EU Model Clauses $ CSA (Cloud Security Alliance) 🌐
FedRAMP % FERPA % ENS High &
FIPS % GDPR $ EU-US Privacy Shield $
IRAP ' GLBA % FFIEC %
ISO 9001 🌐 HIPAA % FISC (
ISO 27001 🌐 HITECH 🌐 FISMA %
ISO 27017 🌐 IRS 1075 % G-Cloud #
ISO 27018 🌐 ITAR % GxP (US FDA CFR 21 Part 11) %
K-ISMS ) My Number Act ( ICREA 🌐
MTCS * UK DPA - 1988 # IT Grundschutz !
PCI DSS Level 1 🌐 VPAT/Section 508 % MITA 3.0 (US Medicaid) %
SEC Rule 17-a-4(f) % Data Protection Directive $ MPAA %
SOC 1, SOC 2, SOC 3 🌐 Privacy Act [Australia] ' NIST %
Privacy Act [New Zealand] + PHR %
PDPA—2010 [Malaysia] , Uptime Institute Tiers 🌐
PDPA—2012 [Singapore] * Cloud Security Principles #
PIPEDA [Canada] -
🌐 = industry or global standard Spanish DPA Authorization &
Spanish DPA Authorization &

9. Resiliency

10. AWS Global Infrastructure Region &
Number of Availability Zones (AZ)
US Middle East
Oregon (3) Bahrain (3)
Northern California (3)
N. Virginia (6) Asia Pacific
Ohio (3) Singapore (3)
Sydney (3)
Canada Tokyo (4)
Central (2) Seoul (2)
Mumbai (2)
South America Hong Kong (3)
São Paulo (3)
China
Europe Beijing (2)
Ireland (3) Ningxia (3)
Frankfurt (3)
London (3)
Paris (3)
Stockholm (3)
Announced Regions
Jakarta, Milan, Cape Town
22Regions
69Availability
Zones
199Edge
Locations

11. Region Announced Regions
Bahrain, Jakarta, Milan, Sweden
Scale globally with resilience in every region
The largest global foot print consistently built with a multi-AZ and multi-datacenter design
AWS Availability Zone (AZ)AWS Region
A Region is a physical location
in the world where we have
multiple Availability Zones.
Availability Zones consist of one
or more discrete data centers,
each with redundant power,
networking, and connectivity,
housed in separate facilities.
Transit
Transit AZ
AZ
AZ
AZ
Datacenter Datacenter
Datacenter

12. Public Subnet Public Subnet
Auto Scaling group
Achieving High Availability in AWS
Customer data center
WEB
APP
DB DB
WEB
LB
FW
Customer Datacenter
AWS Cloud
AWS Region
VPC
Availability Zone A Availability Zone B
Web Server
App Subnet App Subnet
DB Subnet DB Subnet
DB Primary DB Secondary
Web Server
Auto Scaling group
App Server App Server
OR
APP

13. Defense in Depth

14. Reality of Many On-Prem Network Defenses
Hard Outer Shell
(Perimeter)
Soft and Gooey Middle
(LAN / Datacenter)WAF
Firewall
IDS/IPS
DLP
VLANs
ACLs
EPS

15. Defense-in-Depth in AWS at the Perimeter
DDoS Protection
Web Application Firewall
VPN Gateway
Secure DevOps Comms
VPC
w/ Subnet ACLs
Stateless Firewall
Internet Gateway
Path to Public Internet
(Not present by default)
Signature & Behavioral-based
Intrusion Detection System
using Machine Learning
Private Fiber Between
AWS & Customer
Partner Solutions
Firewall, IDS/IPS, WAF
VPC
AWS Cloud
AWS Region
Public Subnet
Web Server
App Subnet
DB Subnet
DB Primary
App Server

16. Defense-in-Depth in AWS between Workloads
VPC
w/ Subnet ACLs
Stateless Firewall
VPC 1
AWS Cloud
AWS Region
Public Subnet
Web Server
App Subnet
DB Subnet
DB Primary
App Server
VPC
w/ Subnet ACLs
Stateless Firewall
VPC 2
Public Subnet
Web Server
App Subnet
DB Subnet
DB Primary
App Server
VPC Peering
(Private network connection
between VPCs)
Internet gateway w/ VPN
(Public path to Internet)
Default
No Communications
Between VPCs
Private Link
(1-way secure comms)

17. Defense-in-Depth in AWS inside the Workload
Signature & Behavioral-based
Intrusion Detection System
using Machine Learning
VPC
AWS Cloud
AWS Region
Web Security Group
App Security Group
DB Security Group
DB Server
3rd Party EPS
OS Anti-virus, Firewall,
Host Intrusion
Protection System
Security & Compliance
assessment
Event Management
and Alerting
API Logging
Operational View &
Control of ResourcesStatefull Firewall between
Each application tier
Does NOT allow peer-to-
peer communications by
default
Web
Servers
App
Servers

18. Automation

19. Remove Humans from the Data

20. Amazon GuardDuty IDS
• Reconnaissance
• Instance recon:
• Port probe / accepted comm
• Port scan (intra-VPC)
• Brute force attack (IP)
• Drop point (IP)
• Tor communications
• Account recon
• Tor API call (failed)
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Outbound DDoS
• Spambot activity
• Outbound SSH brute force
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update,
delete)
• High volume of describe calls
• Unusual IAM user added
• Detections in gray are signature based,
state-less findings
• Detections in blue are behavioral, state-
full findings / anomaly detections

21. Automate with integrated services
Automated threat remediation
Event (event-
based)
Lambda
Function
Filtering rule
Other AWS &
Partner Services

22. AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Directory Service
AWS Single Sign-On
AWS Cognito
AWS Secrets Manager
Resource Access Manager
AWS Config
AWS Security Hub
Amazon GuardDuty
Amazon
CloudWatch
AWS CloudTrail
VPC Flow Logs
AWS Shield
AWS Firewall Manager
AWS Web Application
Firewall (WAF)
AWS Firewall Manager
Amazon Virtual Private
Cloud (VPC)
Amazon EC2
Systems Manager
Amazon Inspector
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
Certificate Manager
Server Side Encryption
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions

23. Workloads appropriate for AWS
Web applications
and websites
Backup,
recovery
and archiving
Disaster
recovery
Development
and test
Big data
High-performance
computingEnterprise IT MobileMission critical
applications
Data center
migration
and hybrid
IoT
Security
Operations

24. Improving security with the cloud
For more details, see Re:Invent 2013 presentations by NASA JPL cyber
security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4)
“Based on our experience, I believe that we can be even
more secure in the AWS cloud than in our own
datacenters.”
-Tom Soderstrom, CTO, NASA JPL

25. Summary
The cloud is not only secure, but through
shared responsibility, well-architected solutions,
and best practices, it can be more secure than
the traditional on-prem datacenter!

26. Come visit our booth!!!
Booth #3
Drop your business card to enter the
raffle to win an Amazon Echo
Or, register online at:
All participants will receive our whitepaper
“A call to action to protect citizens, the
private sector, and governments”
developed in partnership with Organization
of American States
https://amzn.to/cyberspace-protection

27. ©2017, Amazon Web Services, Inc. or its affiliates. All rights reserved
Thank you!
Questions?