This webinar will introduce the AWS Shared Security Model. We will examine how to use the inherent security of the AWS environment, coupled with the security tools and features AWS makes available, to create a resilient environment with the security you need.
Learning Objectives:
• Understand the security measures AWS puts in place to secure the environment where your data lives
• Understand the tools AWS offers to help you create a resilient environment with the security you need
• Consider the actions to take when moving a sensitive workload to AWS
• Understand the security benefits you can expect by deploying in the AWS Cloud
Who Should Attend:
- Prospects and customers with a security background who are interested in using AWS to manage security-sensitive workloads
2. Security is Job Zero
Familiar security model: validated and driven by customers' security experts, and benefiting all customers.
Layers of the model: People & Process, System, Network, Physical
3. Vodafone built a mobile payment app
"Amazon Web Services was the clear choice in terms of security." Stefano Harak, Online Senior Product Manager
• PCI DSS compliance was essential
• Launched in 3 months
• Reduced CapEx by 30%
• Deployed to 7 channels, including Facebook Payments
4. Agenda
• AWS Culture
• Shared Security Model
• Compliance
• Tools & Features
• Where to get help
8. Native tools improve compliance efficiency
Discover and provision cloud services
Audit and troubleshoot configuration changes in the cloud
Get consistent visibility of cloud logs
9. AWS Foundation Services
AWS and you share responsibility for security.
AWS takes care of the security OF the Cloud: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
You get to define your controls IN the Cloud: Identity, Data, Infrastructure, and your customer applications & content.
10. What this means
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1,800+ security controls so you don't have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
12. IT Grundschutz Certification Workbook
• Assessed by TÜV TRUST IT
• AWS controls meet BSI IT Grundschutz requirements
• Customers can integrate AWS infrastructure into their own ISMS and be compliant
• Report and workbook available at aws.amazon.com/compliance
13. Accreditation & Compliance: on-prem vs on AWS
On AWS
• Start on a base of accredited services
• Functionally necessary: a high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
On-prem
• Start with bare concrete
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
14. AWS Security Tools & Features
Layers: Identity, Data, Infrastructure, Customer applications & content, Oversight & Monitoring
• AWS and its partners offer over 700 security services, tools and features
• They mirror the familiar controls you deploy within your on-prem environments
15. Infrastructure: Enforce consistent security on hosts
EC2 lifecycle: AMI catalogue, running instance, your instance
Host security layers: Hardening, Audit and logging, Vulnerability management, Malware and HIPS, Whitelisting and integrity, User administration, Operating system
• You fully control EC2 instances
• Configure and harden to your own specs!
• Use host-based protection software
• Manage administrative users
• Enforce separation of duties & least privilege
• Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM, monitoring, patching
16. Create flexible, resilient, segmented environments
Your organization, segmented by function: Project Teams, Business Units, Marketing, Reporting, Digital / Websites, Dev and Test, Analytics (Redshift, EMR), Internal Enterprise Apps, Storage/Backup (Amazon S3, Amazon Glacier)
17. Data: Encrypt your sensitive information
Encrypt your Elastic Block Store volumes any way you like
• AWS native EBS encryption for free with a mouse-click
• Encrypt yourself using free utilities, plus Trend Micro, SafeNet and other partners for high-assurance key management solutions
Amazon S3 offers either server-side or client-side encryption
• Manage your own keys or let AWS do it for you
Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys
Amazon RDS supports encryption
• Encrypt your MySQL or PostgreSQL databases using keys you manage through AWS Key Management Service (KMS)
• Supports Transparent Data Encryption in SQL Server and Oracle
18. Identity: Control access and segregate duties everywhere
You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing corporate directory using SAML 2.0 and single sign-on
Example duties to separate: AWS account owner, network management, security management, server management, storage management
19. Monitoring: Get consistent visibility of logs
Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when and from where (IP address)
• Support for many AWS services and growing, including EC2, EBS, VPC, RDS, IAM and Redshift
• Easily aggregate all log information: out-of-the-box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
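Added example (not from the webinar or from AWS): a small review of the "who, what, when, from where" facts in CloudTrail records, flagging sensitive API calls made without MFA, from outside an assumed corporate range, or by the root account. The records, the corporate network and the list of sensitive calls are constructed for illustration.

```python
import ipaddress
import json
# Constructed sample CloudTrail records (not real log data); the field names
# follow CloudTrail's record format, and the IPs are documentation ranges.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-05-12T09:15:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2014-05-12T23:41:58Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-05-12T23:42:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root"}},
]})

# Assumed corporate egress range and the API calls this review treats as sensitive.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_EVENTS = {"CreateAccessKey", "PutBucketAcl", "AuthorizeSecurityGroupIngress"}

def who_what_when_where(rec):
    """Extract the four facts a CloudTrail record answers: who, what, when, where."""
    ident = rec.get("userIdentity", {})
    who = ident.get("userName") or ident.get("type", "unknown")
    return who, rec["eventName"], rec["eventTime"], rec.get("sourceIPAddress", "")

def mfa_used(rec):
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def review_trail(trail_json):
    """Return (who, what, when, where, reasons) for every record worth a second look."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        who, what, when, where = who_what_when_where(rec)
        reasons = []
        if what in SENSITIVE_EVENTS and not mfa_used(rec):
            reasons.append("sensitive call without MFA")
        try:
            if not any(ipaddress.ip_address(where) in net for net in CORPORATE_NETS):
                reasons.append("outside corporate network")
        except ValueError:  # sourceIPAddress can be a service name, e.g. ec2.amazonaws.com
            reasons.append("non-IP source")
        if rec.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root account used")
        if reasons:
            findings.append((who, what, when, where, reasons))
    return findings
```

The same function runs unchanged over a real log object fetched from the CloudTrail S3 bucket, since each file is a JSON document with a top-level "Records" array.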
21. Getting help – Trusted Advisor
Performs a series of security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• IAM use
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor auth
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer config
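Added example (not part of the webinar and not Trusted Advisor's own code): the open-ports and unrestricted-access checks listed above, implemented over security group rules shaped like the output of EC2 DescribeSecurityGroups. The sample groups, the sensitive-port list and the RED/YELLOW policy are assumptions for illustration.

```python
import ipaddress

# Constructed sample, shaped like the IpPermissions entries that EC2
# DescribeSecurityGroups returns (not real data; documentation IP ranges).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0003", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Assumed policy: admin and database ports must never be world-reachable (RED);
# anything else open to the world other than plain web ports is worth a look (YELLOW).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 1521: "Oracle"}
EXPECTED_PUBLIC = {80, 443}

def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole Internet."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def world_open_cidrs(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_unrestricted(c)]

def check_security_groups(groups):
    """Return (GroupId, what is exposed, severity) for every world-open ingress rule."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if not world_open_cidrs(perm):
                continue
            if perm["IpProtocol"] == "-1":  # all protocols, no port range at all
                findings.append((g["GroupId"], "all traffic", "RED"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            hits = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            if hits:
                findings.append((g["GroupId"], ", ".join(hits), "RED"))
            elif not (lo == hi and lo in EXPECTED_PUBLIC):
                findings.append((g["GroupId"], f"ports {lo}-{hi}", "YELLOW"))
    return findings
```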
22. Getting Help: Support
Account Team
• Your Account Manager is your advocate
• Solutions Architects have a wealth of expertise
Four tiers of support
• Free – Basic, forum-based & health check support
• Developer – Email support & best practice guidance
• Business – Phone/chat/email support, 1 hour response time
• Enterprise – 15 min response time, dedicated Technical Account Manager
24. Summary
• Security is job zero for AWS
• AWS takes care of the security OF the Cloud
• You define your controls IN the Cloud
• Compliance is more cost effective in AWS
• You can take advantage of over 700 services, tools and features from AWS and partners
• AWS and partner resources on hand to help