I'm here at the AWS Summit conference at the Jacob Javits Center and am taking notes from a couple of sessions. My first session was on "Understanding AWS Security" by Bill Murray, who's two notches down below Bezos.
If I had to summarize Murray's argument into a single soundbite it would be:
The Air Force doesn't build airplanes. Lockheed Martin does.
You guys do business, we do security.
Also, the most intriguing slide from the talk is included here.
It shows a shredded solid state drive. Murray explained that no storage ever leaves an Amazon data center alive. It must be destroyed.
Another cool fact was that not even Murray can enter a data center at will. Even he will need to generate a ticket and get approval from his higher ups (in his case this includes Bezos) if he wants to go visit a data center.
Well, here are all the nitty gritty details from the session:
AWS NY Summit 2014
Understanding AWS Security
Bill Murray, Sr. Manager, AWS Security Programs
Security - different views
CEO - shareholder value
CIO - customer's info security
PR - keep company out of the news!!!!!
Security is a SHARED responsibility. Infrastructure + Application must BOTH be secure. AWS takes care of MOST of the security need.
AWS Logo: building blocks. This applies to security as well.
Customer Plug: “Based on our experience, I believe that we can be even more secure in AWS cloud than in our own data centers” Tom Soderstrom - CTO - NASA JPL
AWS offers more: Visibility, Auditability, Control
Along 4 dimensions of security: Network, Physical, People, Data
Can you map your network?
AWS Control Panel: lets you know what's running, where it's running, who's running it, etc.
Trusted Advisor: Cost Optimization, Security suggestions such as "do you really want to keep port 80 open", Fault Tolerance, Performance
Audited a ton of different ways: HIPAA, ISO 27001, ITAR, FIPS, FISMA, etc. Fed is very anal (sic) about protecting data.
Security Control Objectives:
1. Security Organization
2. Amazon User Access
3. Logical Security
4. Secure Data Handling
5. Physical Security and Environmental Safeguards
6. Change Management
7. Data Integrity, Availability and Redundancy
8. Incident Handling
AWS CLOUDTRAIL - logs every API call made by person or machine. Who does what, when, why? Records API calls and delivers to a log file on S3, every 15 minutes.
LOGS: Obtained, Retained, Analyzed
There are dozens of 3rd party providers that analyze amazon logs
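As an added example (not from the talk, and not AWS's own tooling), here is a small Python analyzer that reads one CloudTrail delivery file as landed on S3 and flags root-account use and destructive calls made without MFA. The record layout follows CloudTrail's JSON format; the account id, ARNs, addresses and timestamps in the sample are constructed.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail delivery file ({"Records": [...]}).
# Field names follow the CloudTrail record format; values are made up.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2014-07-10T14:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2014-07-10T14:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-07-10T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

# API calls that change or destroy state; read-only Describe*/List*/Get* calls are not flagged.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Put", "Create", "Update", "Authorize")

def mfa_authenticated(record):
    """True when the session attributes say the caller passed MFA (absent for root)."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def analyze(cloudtrail_file_text):
    """Return (findings, who_did_what) for one delivered CloudTrail file."""
    records = json.loads(cloudtrail_file_text)["Records"]
    findings = []
    who_did_what = Counter()  # (caller ARN, API name) -> number of calls
    for r in records:
        who = r["userIdentity"].get("arn", "unknown")
        who_did_what[(who, r["eventName"])] += 1
        if r["userIdentity"].get("type") == "Root":
            findings.append(f"{r['eventTime']} root account used for {r['eventName']} "
                            f"from {r['sourceIPAddress']}")
        elif r["eventName"].startswith(DESTRUCTIVE_PREFIXES) and not mfa_authenticated(r):
            findings.append(f"{r['eventTime']} {who} called {r['eventName']} without MFA "
                            f"from {r['sourceIPAddress']}")
    return findings, who_did_what

if __name__ == "__main__":
    for line in analyze(SAMPLE_CLOUDTRAIL_FILE)[0]:
        print(line)
```

The same two checks (root use, state-changing calls without MFA) are what a 15-minute batch of delivered files should be scanned for before the logs are archived to Glacier.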
Amazon Glacier - $.01 per gig per month. A service to hold on to data FOREVER.
CONTROL: various levels of security, down to the physical byte.
Everybody is on an equal footing security-wise. From a huge corporation, to a small startup, to a single college student - all have access to the same services.
Can do VPN across various AWS services, or have direct pipes NEVER going through external non-AWS internet.
LEAST PRIVILEGE PRINCIPLE. Separate networks for corp. vs. customer data. (CORP vs. PRIV). Ticketing system implements this. Only get access for specific reasons.
Even Murray can't enter a data center!!!! He needs a ticket approved by Bezos!!!!
SIMPLE SECURITY CONTROLS. e.g. no storage media leaves a data center intact!!! Whenever a drive comes out it's shredded (cf. photo of shredded solid state drive).
Granular: Bob can only access this data, from his desktop, from 9am to 5pm.
Can use hard tokens or soft tokens.
Can ensure that certain machines can't talk to others.
Amazon DynamoDB: Fine Grained Access Control. Can encrypt data at the granularity of a single data cell.
MFA DELETE PROTECTION.
Data stays WHERE you put it. 10 regions - 26 availability zones (AZ)- 51 edge locations: content delivery networks (CDN).
Cloudfront CDN (Edge locations).
USE MULTIPLE AZs. By default, data goes into 3 AZs ensuring 3 good copies at all times. AWS constantly queries the md5, looks back to the last non-corrupted state and uses that. That's where you get 11 9's of durability (lose data once in 10,000 years).
Choice: Automated - managed by AWS, Enabled - user manages w/ AWS, Client-side - totally controlled by the users meaning that AWS wouldn't even be able to see the data if they wanted to.
AWS CloudHSM (Hardware Security Modules) - he's very proud of it - This is a box that if you attempt open, if you loosen a screw, if you do anything, the data is automatically zeroed!!!!! This was created to make insider threat negligible.
ENCRYPT YOUR DATA - server side encryption: Glacier, Redshift, RDS
60% of organizations agree that CSPs provide better security than they do.
AWS Marketplace Security Solutions - entire environment that will help you do security.