Best Practices in Secure Cloud Migration
Secureworld Web Conference - October 30th, 2018
Patrick Hannah, VP of Engineering, CloudHesive
AWS Shared Responsibility Model
Who is using AWS (US and Abroad)?
• Federal Government
• Government-Sponsored Enterprise
• State
• Local
• Higher Education
• K-12
• Non-Profit
• Private Sector
GovCloud
• Additional Assurance Programs Above and Beyond other AWS Regions
– ITAR
– FedRAMP ATO (High for GovCloud, Medium for us-east/west)
– DoD SRG (2,4,5 for GovCloud, 2 for us-east/west)
• General
– Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules)
– Separate Namespace
– Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account)
– 46 of the 127 AWS Services Available (EC2 Classic not Available)
– US Citizen only Access
• Physical Location
– Northwestern US
– Eastern US (forthcoming)
Cloud Adoption Framework
• Perspectives
– Business
• Value Realization
– People
• Roles & Readiness
– Governance
• Prioritization & Control
– Platform
• Applications & Infrastructure
– Security
• Risk & Compliance
– Operations
• Manage & Scale
Security
• Directive
– Account Ownership and contact information
– Change and asset management
– Least privilege access
• Preventive
– Identity and access
– Infrastructure protection
– Data protection
• Detective
– Logging and monitoring
– Asset inventory
– Change detection
• Responsive
– Vulnerabilities
– Privilege escalation
– DDoS attack
Well Architected Framework
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
Security
• Design Principles
– Implement a strong identity foundation
– Enable traceability
– Apply security at all layers
– Automate security best practices
– Protect data in transit and at rest
– Prepare for security events
• Best Practices
– Identity and Access Management
– Detective Controls
– Infrastructure Protection
– Data Protection
– Incident Response
Sample Implementation
• “NIST Quickstart”
• Based on Cybersecurity Framework, SP 800-53, SP 800-37
• Corresponding Guide + Controls Matrix
• CIS and PCI Variants Available
• Good starting point
How does the Vormetric platform integrate with AWS?
• Securely Generate Key Material and Import into KMS
– Use KMS with VTE and VAE agents for tiered data protection/separation of duties
• Protect Managed Services via Application Encryption or Tokenization
– Use in place of agent VTE on data persistence tier
• Enterprise Certificate Authority
– Use PKCS#11 Extensions with nShield
How have other customers leveraged the Vormetric platform to protect workloads on AWS?
• Protect On Premises with Public Cloud based Appliances
– Virtual appliances provide FIPS 140-2 Level 1 protection of workloads in the cloud and on premises
– Separates keys from data protected by keys, and optionally ring-fences via Tokenization
– Provides future path for total public cloud migration
– Enforces separation of duties
• Protect Public Cloud with On Premises based Appliances
– Physical appliances provide FIPS 140-2 Level 3 protection of workloads in the cloud and on premises
– Also separates keys from data protected by keys, and optionally ring-fences via Tokenization
– Provides future path for hybrid cloud
– Enforces separation of duties
• Protect On Premises and Public Cloud with On Premises based Appliances
– Physical appliances provide FIPS 140-2 Level 3 protection of workloads in the cloud and on premises
– Also separates keys from data protected by keys, and optionally ring-fences via Tokenization
– Enforces separation of duties
• Protect On Premises and Public Cloud with Public Cloud based Appliances
– Virtual appliances provide FIPS 140-2 Level 1 protection of workloads in the cloud and on premises
– Separates keys from data protected by keys, and optionally ring-fences via Tokenization
– Enforces separation of duties
Poll – Your encryption usage on AWS
• I…
– Leverage KMS
– Leverage first generation CloudHSM
– Leverage second generation CloudHSM
– Leverage the Vormetric Platform
– Leverage the nShield Platform
– Leverage a home grown solution
Supporting Services
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall)
• VPC: Flow Logs (NetFlow)
• VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services)
• EC2: Patch Manager (OS and above patching + auditing)
• EC2: Parameter Store (Secure Storage of Service Accounts)
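The stateful/stateless distinction in the VPC bullet above is the detail that most often breaks a migrated workload once NACLs are added. The following Python is an added example, not code from the presentation or from AWS; the Flow, SecurityGroup and NetworkAcl classes and their rule tuples are a simplified model assumed for illustration.

```python
# Added example, not from the slides: why a Security Group is a "stateful
# firewall" and a NACL a "stateless firewall". Rule tuples are an assumed
# simplification of the real rule formats.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

EPHEMERAL = (1024, 65535)  # ports a client OS typically uses for its side

@dataclass
class Flow:
    direction: str  # "in" or "out", relative to the instance
    proto: str
    port: int       # destination port of this packet
    src_port: int   # source port of this packet

@dataclass
class SecurityGroup:
    """Allow-only rules plus connection tracking: once a flow is allowed,
    its reply in the opposite direction passes without any rule."""
    inbound: List[Tuple[str, int, int]] = field(default_factory=list)
    outbound: List[Tuple[str, int, int]] = field(default_factory=list)
    tracked: Set[Tuple[str, str, int]] = field(default_factory=set)

    def allows(self, f: Flow) -> bool:
        reverse = "out" if f.direction == "in" else "in"
        if (reverse, f.proto, f.src_port) in self.tracked:
            return True  # reply to a tracked connection
        rules = self.inbound if f.direction == "in" else self.outbound
        if any(p == f.proto and lo <= f.port <= hi for p, lo, hi in rules):
            self.tracked.add((f.direction, f.proto, f.port))
            return True
        return False

@dataclass
class NetworkAcl:
    """Numbered allow/deny rules, lowest number wins, no connection state:
    the reply direction needs its own rule (usually on ephemeral ports)."""
    inbound: List[Tuple[int, str, int, int, str]] = field(default_factory=list)
    outbound: List[Tuple[int, str, int, int, str]] = field(default_factory=list)

    def allows(self, f: Flow) -> bool:
        rules = self.inbound if f.direction == "in" else self.outbound
        for _, p, lo, hi, action in sorted(rules, key=lambda r: r[0]):
            if p == f.proto and lo <= f.port <= hi:
                return action == "allow"
        return False  # the implicit final "*" deny rule

def https_session(fw) -> Tuple[bool, bool]:
    """Client hits the instance on 443/tcp from ephemeral port 51515;
    returns (request allowed, reply allowed)."""
    req, rep = Flow("in", "tcp", 443, 51515), Flow("out", "tcp", 51515, 443)
    return fw.allows(req), fw.allows(rep)

def sg_https_only() -> SecurityGroup:
    # No outbound rule at all: the reply is allowed purely by state.
    return SecurityGroup(inbound=[("tcp", 443, 443)])

def nacl_https(reply_rule: bool) -> NetworkAcl:
    # Without the outbound ephemeral rule the replies are silently dropped.
    out = [(100, "tcp", EPHEMERAL[0], EPHEMERAL[1], "allow")] if reply_rule else []
    return NetworkAcl(inbound=[(100, "tcp", 443, 443, "allow")], outbound=out)
```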
Supporting Services
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• CodeCommit/ECS: Secure Application and Artifact Repository
• CodeDeploy/Run Command: “Hands off” OS and configuration management + application deployment
• CloudWatch Logs: OS and above log management
• CloudWatch Events + Lambda: Event triggered code
• CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
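To show how the CloudTrail, CloudWatch Events and Lambda bullets combine into the Detective controls from the Security slide, here is an added Python example (not from the presentation or from AWS) that triages a batch of CloudTrail records; the records are constructed samples and the WATCHLIST grouping is an assumption.

```python
# Added example, not from the slides: a CloudWatch Events + Lambda style handler
# that triages CloudTrail records against the deck's Detective/Responsive items.
# The records are constructed samples; the field names (eventName, userIdentity,
# sourceIPAddress, errorCode) are the real CloudTrail record fields.
import json
from typing import Dict, List, Optional

# Event names worth escalating, grouped by the deck's categories (assumed).
WATCHLIST = {
    "change detection": {"AuthorizeSecurityGroupIngress", "DeleteTrail", "StopLogging"},
    "privilege escalation": {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"},
}

SAMPLE_RECORDS = json.dumps({"Records": [  # constructed, not a real account
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ops-reader"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
]})

def classify(rec: Dict) -> Optional[str]:
    """Map a record to a deck category, or None when it is routine."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "account ownership"  # any root use is reviewed, whatever the call
    for category, names in WATCHLIST.items():
        if rec.get("eventName") in names:
            return category
    return None

def triage(cloudtrail_json: str) -> List[Dict]:
    """Return one finding per interesting record, in trail order."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        category = classify(rec)
        if category is None:
            continue
        identity = rec["userIdentity"]
        findings.append({
            "category": category,
            "event": rec["eventName"],
            "actor": identity.get("userName", identity["type"]),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied call is still a finding: CloudTrail logs the attempt.
            "succeeded": "errorCode" not in rec,
        })
    return findings

def actors_needing_review(findings: List[Dict]) -> List[str]:
    """Distinct actors behind any watchlisted change or escalation."""
    hot = {"privilege escalation", "change detection"}
    return sorted({f["actor"] for f in findings if f["category"] in hot})
```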
Supporting Services
• Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage
• OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material
Supporting Services
• Workspaces: Secure Bastion
• WAF: Layer 7 WAF
• Shield + AutoScaling + ELB + CloudFront: DoS/DDoS Protection
• Tags: Built-in asset + inventory marking and tracking on configuration items
• Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
Enforcement
• AWS
– GuardDuty
– Inspector
– Macie
– Trusted Advisor
– Config Rules
– Various “Widgets”
• Third Party
– CIS CAT
– CloudCheckr
– AlertLogic
– Tenable
Recommended Reading
• AWS Well Architected Framework
– https://aws.amazon.com/architecture/well-architected/
• AWS Cloud Adoption Framework
– https://aws.amazon.com/professional-services/CAF/
• AWS Cloud Transformation Maturity Model
– https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf
• Shared Responsibility Model
– https://aws.amazon.com/compliance/shared-responsibility-model/
• Operational Checklists for AWS
– https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf
• Introduction to Auditing the Use of AWS
– https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
Further Learning
• Getting Started: https://aws.amazon.com/getting-started
• General Reference: http://docs.aws.amazon.com/general/latest/gr
• Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/
• FAQs: https://aws.amazon.com/faqs
• Documentation: https://aws.amazon.com/documentation/
• Architecture: https://aws.amazon.com/architecture
• Whitepapers: https://aws.amazon.com/whitepapers
• Security: https://aws.amazon.com/security
• Blog: https://aws.amazon.com/blogs
• Service Specific Pages: https://aws.amazon.com/service
• AWS Answers: https://aws.amazon.com/answers/
• AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/
• SlideShare: http://www.slideshare.net/AmazonWebServices
• Github: https://github.com/aws and https://github.com/awslabs


Editor's Notes

  • #3 Echoing Eric’s slide: “You’re Responsible for Data Security”
  • #4 Public Cloud is used by Public Sector and Private Sector. While Public Sector use is driven by mission, usually aligned to a defined security standard, private sector varies – borrowing from (or strongly encouraged) public sector standards or the industry (CSA, ISC, etc) or building from the ground up (whether necessary or not)
  • #5 https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ https://aws.amazon.com/compliance/services-in-scope/ See also C2S and Secret Region: https://aws.amazon.com/federal/us-intelligence-community/
  • #10 https://aws.amazon.com/quickstart/architecture/accelerator-nist/
    NIST – Cybersecurity Framework, SP 800-53, SP 800-37
    CIS – Benchmarks
    CSA – CCM + CAIQ
    – Basic AWS Identity and Access Management (IAM) configuration with custom (IAM) policies, with associated groups, roles, and instance profiles.
    – Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability.
    – Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data.
    – Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
    – Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application.
    – A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities.
    – Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database.
    – Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
  • #12 GDPR, Monitoring, Key Management, BYoE/BYoK
  • #14 In the next few slides I will detail some of the supporting services. A number of the AWS-published matrices detail the alignment of these services to specific controls; rather than read through a matrix, I thought it would help to explain what these services are and how they can help.