Move Better, Faster, and More Securely: Cloud-Enabled Security Solutions

Pawan Agnihotri – AWS Principal Security Solutions Architect

Upload: amazon-web-services

Post on 05-Apr-2017


Page 1: AWS at 2017 FS-ISAC APAC Summit: Move Better, Faster and More Securely: Cloud-Enabled Security Solutions

Move Better, Faster, and More Securely

Cloud-Enabled Security Solutions

Pawan Agnihotri – AWS Principal Security Solutions Architect

Page 2

Takeaways from today’s session

I. Revolution: Why the Cloud? The Inspirations and Motivations

II. Myth Busting: Common Security Misconceptions

III. Protection: Benefits of Cloud-Enabled Security for the Enterprise

IV. Transformation: Common Best Practices When Migrating to the Cloud

Page 3

Revolution

“There has never been a time of greater promise, or one of greater potential peril. Today’s decision-makers, however, are too often trapped in traditional, linear thinking, or too absorbed by the multiple crises demanding their attention, to think strategically about the forces of disruption and innovation shaping our future.”

- Klaus Schwab, Founder & Executive Chairman, World Economic Forum

Page 4

1784: Steam Power, Mechanical Production
1870: Electricity, Mass Production
1969: Electronics, Automated Production
Today: Cloud, IoT, Digital

“We stand on the brink of a technological revolution that will fundamentally alter the way we live, work, and relate to one another. In its scale, scope, and complexity, the transformation will be unlike anything humankind has experienced before.”

- Klaus Schwab, Founder & Executive Chairman, World Economic Forum

The First Industrial Revolution used water and steam power to mechanize production. The Second used electric power to create mass production. The Third used electronics and information technology to automate production. Now a Fourth Industrial Revolution is building on the Third, the digital revolution that has been occurring since the middle of the last century. It is characterized by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres.

Page 5

Inspirations and Motivations for Migration

FinTech
Challenger Banks
Market Agility
Improved Margins
Risk Reduction
Onerous Regulations
Greater Transparency
Improved Responsiveness
Responsiveness
Resiliency
The Digital Agenda
Cost Reduction
Increased Productivity

Page 6

Move Fast OR Stay Secure

Page 7

Move Fast AND Stay Secure

Page 8

Myth Busting

“Cyber security is better in the cloud than it is in private managed data centers.”

- Steve Randich, EVP and CIO of FINRA

Page 9

Physical vs API

Physical: Some API-enabled services; Disparate APIs; No true control plane; Physical concealments; Often co-habited

API: Fully API-enabled; API homogeneity; A “source of truth” control plane; Nowhere to hide; Nobody can “climb into” your account

Page 10

State of the Art Facilities

Page 11

Documented and Verified Controls

Page 12

We’ve helped our FSI customers successfully address regulatory requirements from these agencies, and many others around the world.

APAC Regulatory Landscape

Page 13

Tested by Millions and Standardized for all

Capital One

Page 14

Protection

“We worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our data centers.”

- Rob Alexander, CIO of Capital One

Page 15

Deploy Faster Wherever You Like

16 Regions – 42 Availability Zones – 68 Edge Locations

Region and number of Availability Zones:

AWS GovCloud (2)
US West: Oregon (3), Northern California (3)
US East: N. Virginia (5), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (2), London (2)
Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
China: Beijing (2)

New regions coming soon: Paris, Ningxia

Page 16

Local Versus Global View

Page 17

Security Innovation: AWS Innovates Constantly

> 90% driven by customer needs

[Chart: number of AWS releases per year, 2007 to 2016, with two series: AWS and AWS Security]

Page 18

Pace of Innovation: Security versus All

[Chart: releases per year, 2008 to 2013, y-axis 0 to 250; series: Security Features; All Significant Services & Features; 2 per. Mov. Avg. (security features); 2 per. Mov. Avg. (all significant services & features)]

Page 19

Multi-Dimensional Protection at Many Layers

Secure DMZs; Honeypot; Perimeter IDS/IPS; DLP; Message Security (anti-virus, anti-malware); Perimeter Firewall; DHS Einstein; Web Proxy Control Filtering; Enterprise Message Security

Inline Patching; Enterprise Wireless Security; NAC; VoIP Protection; Enterprise Remote Access; DLP; Enclave/Datacenter Firewall

Endpoint Security Enforcement; Content Security (anti-virus, anti-malware); Host IDS/IPS; Desktop Firewall; FDCC Compliance; Patch Management; DLP

WAF; Dynamic App Testing; Database Monitoring/Scanning; Database Secure Gateway (Shield); Static App Testing; Code Review

Identity & Access Management; Enterprise Right Management; Data Classification; Data Integrity Monitoring; Data/Drive Encryption; DAR/DIM Protection; Data Wiping Cleansing; PKI

Operations: SIEM; Digital Forensics; Security SLA/SLO Reporting; Escalation Management; Situational Awareness; Security Dashboard; Focused Ops; Continuous Monitoring & Assessment; Incident Reporting, Detection, Response (CIRT); SOC/NOC Monitoring (24x7)

Policy Management: Continuous C&A; Security Awareness Training; Vulnerability Assessment; Penetration Testing; Security Architecture & Design; Threat Modeling; Cyber Threat Intelligence; Security Policies & Compliance; IT Security & Governance; Enterprise IDS/IPS; DLP; Risk Management

Mission Critical Assets

Page 20

Reaction Time (Inequality thereof…) – Get Ahead

Deter

Monitor

Detect

Diagnose

Secure

Before: Attackers (minutes) > Defenders (days)

AFTER: Constant, real-time protection

Page 21

What is Amazon Web Services?

Administration & Security: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Resource & Usage Auditing

Platform Services:
Analytics: Data Pipelines; Data Warehouse; Hadoop; Real-time Streaming Data
Developer Tools & Operations: Application Lifecycle Management; Containers; Deployment; DevOps; Event-driven Computing; Resource Templates
Mobile Services: Identity; Mobile Analytics; Push Notifications; Sync
App Services: App Streaming; Email; Queuing & Notifications; Search; Transcoding; Workflow
Machine Learning

Core Services: CDN; Compute (VMs, Auto-scaling, and Load Balancing); Databases (Relational, NoSQL, and Caching); Networking (VPC, DX, and DNS); Storage (Object, Block, EFS, and Archival)

Infrastructure: Availability Zones; Points of Presence; Regions

Enterprise Applications: Business Email; Sharing & Collaboration; Virtual Desktop

Technical & Business Support: Account Management; Partner Ecosystem; Professional Services; Security & Pricing Reports; Solutions Architects; Support; Training & Certification

Page 22

Transformation

“There’s so much security built into these cloud computing platforms today. For us, it’s our No. 1 priority — it’s not even close, relative to anything else.”

- Rob Alexander, CIO of Capital One

Page 23

Cloud Security – Design Patterns

Page 24

01 Access rights just-in-time

Temporary Credentials + Integrated Identity and Access Management

Page 25

02 Consolidated Logging

Durable, Highly Available Storage + API Logs + Performance, Network, Apps Logs + Durable and Cheap Archive Storage + Streaming Data

Page 26

03 Ubiquitous Encryption

Key Storage on HSM, Managed KMI, or DIY + Archive, Object Storage, Block Storage, Out-of-band data transfer, Database, Data Warehouse, Log Trails

Page 27

04 Non-Persistent & Elastic

Auto-Scaling Compute Instances

Page 28

05 Network Architecture Agility

Logically Isolated Section of the Cloud + Virtual Firewall + Leased Line

Page 29

06 Network Architecture Resiliency

Virtual Firewall, DNS, Web App Firewall, CDN, Auto-scaling, Load Balancer

Page 30

07 Monitor and React Swiftly

Event-Driven, Server-Less Code Execution + Alarms Based on Performance, Network, Apps

Page 31

08 Standardized Environments & Security as Code

Continuous Configuration Automation + Software Development Kits (SDKs)

Page 32

09 Validate Change at Scale

Inventory, Configuration History and Change + Baseline Rules for Inventory and Configuration