For these customers needing a way to bridge the enterprise and public cloud without limiting scale out, Layer 7 demonstrates a simple solution for addressing the challenges of federation, integration and governance using the Layer 7 AWS Gateway.
6.
- Virtualized disk management layer ensures only account owners can access storage disks (EBS)
- Support for SSL endpoint encryption for API calls
Physical Security
- Multi-level, multi-factor controlled access environment
- Controlled, need-based access for AWS employees (least privilege)
Management Plane Administrative Access
- Multi-factor, controlled, need-based access to administrative hosts
- All access logged, monitored, reviewed
- AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data
7. AWS Certifications
- Shared Responsibility Model
- Sarbanes-Oxley (SOX)
- SAS70 Type II Audit
- PCI Data Security Standard compliance
- Working on FISMA A&A
  - NIST Low Approvals to Operate
  - Actively pursuing NIST Moderate; ATOs in progress at several agencies
  - ST&E and Moderate Controls available now for incorporation into SSP
- Actively pursuing FedRAMP
- Includes DIACAP MAC II Sensitive
- ISO 27001 Certification
- Customers have deployed various compliant applications such as HIPAA (healthcare)
8. Amazon Web Services: Durable & Available
[Diagram: Regions (US East, US West, EU West, Japan, Singapore, GovCloud (US)), each with multiple Availability Zones. Note: Conceptual drawing only; the number of Availability Zones may vary.]
Customer Decides Where the Data Resides
9. Three Services: Better Together
[Diagram: Elastic Load Balancer (latency), CloudWatch (utilization metrics) and Auto Scaling working together.]
Server icons courtesy of http://creativecommons.org/licenses/by-nd/3.0/.
10. COOP and DR
[Diagram: Load Balancer in front of EC2 instances (Auto Scale) in Availability Zone A and Availability Zone B, each with ephemeral storage and network IO; EBS Snapshots kept in Amazon S3 in US EAST and in Amazon S3 in US WEST.]
We Can Do Even Better...
14. AWS Identity and Access Management (IAM)
- Users and Groups within Accounts
- Unique security credentials
  - Access keys
  - Login/Password
  - MFA device
- Policies control access to AWS APIs
- Deep integration into S3: policies on objects and buckets
- AWS Management Console now supports User log on
- Not for Operating Systems or Applications: use LDAP, Active Directory, ADFS, etc.
15. Identity Federation
Sample use case:
- Enterprise employee signs in with his normal credentials
- Accesses S3 with an enterprise application
- Set up IIS for enterprise authentication against Active Directory
- Client application to access S3
- Read-only access to S3
16. Amazon VPC Architecture
[Diagram: Customer’s isolated AWS resources (Subnets, NAT, Router, VPN Gateway) inside the Amazon Web Services Cloud, connected to the Customer’s Network by a Secure VPN Connection over the Internet.]
17. AWS GovCloud (US) Access
AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be: U.S. Persons; not subject to export restrictions; and comply with U.S. export control laws and regulations, including the International Traffic In Arms Regulations.
19. Amazon EC2 Instance Isolation
[Diagram: Customer 1, Customer 2 … Customer n instances on Virtual Interfaces above the Hypervisor; the Firewall applies each customer’s Security Groups between the Virtual Interfaces and the Physical Interfaces.]
Launching EC2
20. Multi-tier Security Architecture
AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers.
[Diagram: Web Tier, Application Tier and Database Tier (with EBS Volume), each behind the Amazon EC2 Security Group Firewall.]
- Ports 80 and 443 only open to the Internet
- Engineering staff have ssh access to the App Tier, which acts as Bastion
- Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
- All other Internet ports blocked by default
31. Putting it all Together for Cloud Governance
[Diagram: Monitor and Report, Control, Adapt. A Virtual Appliance on Amazon EC2 sits between the Employee and the Amazon EC2 instances, integrating with LDAP, SSO, MS AD, STS, etc.]
Editor’s notes
Shared Responsibility Environment
AWS services operate under a model of shared responsibility between the customer and AWS. AWS relieves customer burden by managing physical infrastructure and those components that enable virtualization. An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management. The nature of this shared responsibility provides the flexibility and customer control that permits the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built HIPAA-compliant healthcare applications on AWS (Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper).

Control Environment
AWS is a unit within Amazon.com that is aligned organizationally around each of the web services, such as Amazon EC2 and Amazon S3. AWS leverages various aspects of Amazon’s overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls.
The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company’s tone and core values at the top. Every employee is provided with the Company’s Code of Business Conduct and Ethics, which sets guiding principles. The AWS organizational structure provides a framework for planning, executing and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the Company’s hiring verification processes are: education, previous employment, and criminal checks. The Company follows a structured on-boarding process to familiarize new employees with Amazon tools, processes, systems, policies and procedures.

Certifications and Accreditations
Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm’s opinion and results of their evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report, as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure. AWS plans to continue efforts to obtain industry certifications in order to verify its commitment to provide a secure, world-class cloud computing environment.
Point of Slide: to explain VPC's high-level architecture, walking them through the discrete elements of a VPC, and a specific data flow to exemplify 1) data-in-transit security and 2) continued AAA control by the enterprise.
AWS (“orange cloud”): What everybody knows of AWS today.
Customer’s Network (“blue square”): The customer’s internal IT infrastructure.
VPC (“blue square on top of orange cloud”): Secure container for other object types; includes Border Router for external connectivity. The isolated resources that customers have in the AWS cloud.
Cloud Router (“orange router surrounded by clouds”): Lives within a VPC; anchors an AZ; presents stateful filtering.
Cloud Subnet (“blue squares” inside VPC): connects instances to a Cloud Router.
VPN Connection: Customer Gateway and VPN Gateway anchor both sides of the VPN Connection and enable secure connectivity; implemented using industry-standard mechanisms. Please note that we currently require that whatever customer gateway device is used supports BGP. We terminate two (2) tunnels, one tunnel per VPN Gateway, on our side. Besides providing high availability, this lets us service one device while maintaining service. We can connect to one of the customer's BGP-supporting devices (preferably running JunOS or IOS).
The Hypervisor
Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes: 0-3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest OS runs in a lesser-privileged Ring 1 and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.

Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. Highly secure applications can be deployed using this expressive mechanism. Here is an example of the commands needed to establish a multi-tier security architecture; of course, customers could use the AWS Management Console to do the same:

    # Permit HTTP(S) access to Web Layer from the Entire Internet
    ec2auth Web -p 80,443 -s 0.0.0.0/0
    # Permit ssh access to App Layer from Corp Network
    ec2auth App -p 22 -s 1.2.3.4/32
    # Permit ssh access to DB Layer from Vendor Network
    ec2auth DB -p 22 -s 5.6.7.8/32
    # Permit Application and DB Layer Access to appropriate internal layers
    ec2auth App -p $APP_PORT -o Web
    ec2auth DB -p $DB_PORT -o App
    # Permit Bastion host access for Web and DB Layers from App Layer
    ec2auth Web -p 22 -o App
    ec2auth DB -p 22 -o App
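The three-tier security-group layout described above, modelled and audited in Python as an added example (not the deck's own code and not an AWS tool). Group names, ports and CIDRs are taken from the ec2auth commands; the /24 upper bound on SSH source ranges is this example's assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = ip_network("0.0.0.0/0")
APP_PORT, DB_PORT = 8000, 3306  # ports named in the speaker notes

@dataclass(frozen=True)
class Rule:
    """One ec2auth line: inbound to `group` on `port`, from a CIDR (-s) or a source group (-o)."""
    group: str
    port: int
    src_cidr: str = ""
    src_group: str = ""

# The slide's ec2auth commands, one Rule per port (1.2.3.4 = corp network, 5.6.7.8 = vendor network).
RULES = [
    Rule("Web", 80, src_cidr="0.0.0.0/0"), Rule("Web", 443, src_cidr="0.0.0.0/0"),
    Rule("App", 22, src_cidr="1.2.3.4/32"),
    Rule("DB", 22, src_cidr="5.6.7.8/32"),
    Rule("App", APP_PORT, src_group="Web"),
    Rule("DB", DB_PORT, src_group="App"),
    Rule("Web", 22, src_group="App"), Rule("DB", 22, src_group="App"),  # App tier is the bastion
]

def reachable(rules, dst_group, port, src_ip=None, src_group=None):
    """True if traffic from src_ip, or from an instance in src_group, reaches dst_group:port."""
    for r in rules:
        if r.group != dst_group or r.port != port:
            continue
        if r.src_group and r.src_group == src_group:
            return True
        if r.src_cidr and src_ip and ip_address(src_ip) in ip_network(r.src_cidr):
            return True
    return False

def audit(rules):
    """Return one finding per rule that breaks the slide's invariants (empty list = layout is OK)."""
    findings = []
    for r in rules:
        cidr = ip_network(r.src_cidr) if r.src_cidr else None
        if cidr == INTERNET and not (r.group == "Web" and r.port in (80, 443)):
            findings.append(f"{r.group}:{r.port} is open to the whole Internet")
        # /24 is this example's assumed upper bound for an SSH source range, not an AWS rule
        if r.port == 22 and cidr is not None and cidr.prefixlen < 24:
            findings.append(f"{r.group}:22 accepts SSH from the broad range {cidr}")
        if r.group == "DB" and r.port == DB_PORT and r.src_group != "App":
            findings.append(f"DB:{DB_PORT} is reachable from other than the App group")
        if r.group == "App" and r.port == APP_PORT and r.src_group != "Web":
            findings.append(f"App:{APP_PORT} is reachable from other than the Web group")
    return findings
```

Running `audit(RULES)` on the slide's layout returns no findings; appending a rule that opens the database port to 0.0.0.0/0 produces two.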
Amazon suggests that all EC2 users cryptographically control their EC2 control traffic, and SSH is the default method for doing so. Some users elect to wrap all their inbound and outbound traffic to their home corporate network within industry standard VPN tunnels. Doing so permits them to control the confidentiality and integrity of their traffic using industry-standard, tested cryptographic components that they control.
To understand why there’s all this excitement, it’s helpful to look at analogies of some major changes that have occurred in other industries over time. Here’s a picture of our CEO at the museum of a beer manufacturing facility in Belgium. This is their electric generator that they used over 100 years ago. There was no electric grid or utility industry then. If you wanted electricity, you made it yourself. That probably seemed very natural at the time – but I guarantee you that making their own electricity didn’t make their beer taste any better. Well, a couple decades later, the electric grid sprang up, and companies stopped making their own electricity; that was a fundamental shift in how they consumed one of their major inputs, and this freed them up to focus on things that likely mattered a lot more to their customers – like the beer. We think the chance exists for the company-owned data center to undergo just as fundamental a transformation over the coming years, as companies realize that they don’t necessarily have to be experts in this. People are now starting to glimpse that future, and find it pretty exciting.