Security as an Enabler – Cloud Security

Editor's Notes

• #2: Top three things to cover/focus/mantras of session: How does AWS make security easier and is better … dispelling myths Like what you have today How does it impact ‘managing human resources better’/save cost
• #6: the good news is that you can get all of this in the cloud with AWS
• #7: Most of the security tools and techniques that you’re already familiar with can be used in the cloud. If you use Amazon EC2 instances, you keep your guest OS and applications updated with the latest security patches; perform backups of your data; and install anti-virus, intrusion detection, and security incident and event monitoring (SIEM) tools. You can set up subnets in order to separate environments that should remain isolated from one another—for example to separate your dev/test environment from your production environment—and then configure network ACLs to control how traffic is routed between them. You can set up a traditional three-tier architecture in the AWS cloud, complete with a DMZ. You can allow your front-end web servers, proxy servers, or even load balancers to take the brunt of the unvetted traffic, protecting your backend apps and databases from unauthorized access.
• #8: If you have multiple users—like developers, testers, or administrators—you can create user accounts for each of them and provide them with their own unique credentials for accessing your AWS resources. You can even require them to use multi-factor authentication. You can use network monitoring and security management tools to collect and analyze logs and network traffic information for your resources. You can set up a hardware VPN from your office or data center to your cloud resources to add an additional layer of transmission protection. If you would like to encrypt your data or objects when they’re stored in the cloud, you can have it encrypted automatically on the cloud side or you can encrypt it on the client side before you upload it.
• #9: You and your administrators/developers manage your resources remotely instead of locally. You use software-based security mechanisms instead of hardware-based solutions. Instead of racking and stacking, your IT support folks will be launching and configuring.
• #10: To create a reusable, hardened baseline image of your virtual server (EC2 instance), you create an Amazon Machine Image (AMI), which is a template that includes your OS, libraries, applications, configurations, etc. You can then save that baseline image and have it automatically loaded on every new instance you launch. You must protect your AWS Account credentials carefully since they control access to all of the cloud resources and data under your account. We recommend creating IAM user accounts (each with their own unique credentials) under the AWS Account and then using the IAM credentials instead of the AWS Account credentials. Security becomes a shared endeavor between you and AWS. To read more about this division of labor, see our Sharing the Security Responsibilities page. For your security compliance requirements, you can request a copy of the applicable certification report (ISO, PCI, FedRAMP, etc.) for the underlying AWS infrastructure.
• #12: Instant visibility into your inventory The first step in securing your assets is knowing what they are. With AWS, you never have to guess what your IT inventory is again. With tools like AWS Config and resource tagging, you can always see exactly what cloud assets you’re using at any moment. You can easily label each asset for tracking purposes. Free security tools Many of our security features and services are free, like individual firewalls (security groups) for your EC2 instances, security logging with CloudTrail, private subnets with VPC, user access control with IAM, and automatic encryption of your archived data in Glacier. For a more comprehensive list, see our AWS Security Features page. Independent regions provide data privacy compliance With our data centers located in so many geographical regions across the world, you can choose the area that meets your data privacy requirements. AWS never moves your data out of the region you put it in. Significant DDoS protection Our size and scale can help you be DDoS resilient. The AWS infrastructure is equipped to handle extremely large amounts of traffic; and when you use AWS services like ELB, Auto Scaling, CloudWatch, and CloudFront, you can architect a highly available system that can help you weather DDoS attacks.
• #13: Security economies of scale The smallest AWS customers reap the same security benefits as the largest when they’re in our cloud. AWS has a large, dedicated security team and a variety of systems and tools that continuously monitor and protect the underlying cloud infrastructure. No more duplicate data centers for disaster recovery When you use AWS features like Auto Scaling and Elastic Load Balancing, you can ensure that your production systems remain online and traffic is always routed to healthy instances. You can continuously replicate your data and have it ready to bring online if your primary nodes fail, only paying for the nodes when you actually use them. Continuous hardware replacement and upgrade We’re always improving our infrastructure. We replace end-of-life hardware with the latest processors that not only improve performance and speed, but also include the latest secure platform technology, like the Intel AES-NI encryption instruction set, which significantly speeds up the execution of the AES algorithm. Part of your compliance work done Because AWS has already received several certifications for its infrastructure, part of your compliance work has already been done. You only have to certify the applications and architectures you create on AWS. For a list of the certifications that AWS has received, see our AWS Compliance webpage.