Road to re:Invent - The Shared Responsibility Model

The Shared Responsibility Model governs how operations (of which security is a part) work in the cloud. In this live stream, we explore the realities of the model and how to verify that AWS is fulfilling its responsibilities.

Bad Robot Transcript

Morning, everybody. How are you doing today? A different camera today, because this one doesn't seem to want to respond. I'm going to see if we can fix that real quick. Troubleshooting on the fly is always a fun thing, and hopefully that will do it. If not, we are looking directly into the webcam, which gives us some reasonable feed.

That's fine. It's no big deal, as we are live here on LinkedIn. We have the comments set up, and I don't know why I always point to my screen, but I do, with the comments set up on LinkedIn. So if you have any questions as we're going, they're on a monitor.

Please let me know and we will take them on the fly. That's a really important part of the process. We've done three of these already. We covered just a gentle kick-off, like, hey, this is what we're going to do this year leading up to re:Invent, and we've also had one on the heat to be slammed, though.

We did an intro on YouTube, which was kind of cool, and we worked on some basic coding, talked about Lambda, and then set up a trigger from S3 where you dropped a file in and then you would see output in the logs, which was awesome. Then two days ago, on Monday,

we did one on the AWS CLI. We introduced the concept of the CLI as a mirror of the API, a great way to start easing your way into AWS, and we did some basic stuff like uploading a file using the CLI, and we also did some translation.

I also had classic floppy disks for coasters. The translation via the CLI was pretty cool. So today we are going to tackle the shared-responsibility model. And as I said in the comments already, that is way more interesting than it sounds, because everyone just goes, shared responsibility model.

Here we go. How are we going to deal with this? Let's start by actually walking through what AWS considers to be the shared-responsibility model. Then I'll give you my take on it to simplify things and to make it easier. And thanks for jumping on the livestream, everybody, I appreciate it.

If you have any questions, please, by all means, jump in. I'm totally comfortable taking them on the fly. The idea of this is casual. There's so much stuff going on leading up to re:Invent that I wanted to help you guys out. I wanted to get a better idea for myself, even, of what's going on.

I'm kind of helping bridge some of the gaps in the cloud. So I did put a link right off the bat, Sam. I just updated my website, finally went through and cleaned some stuff up, but I have a page up and that is where I'm collecting all things re:Invent.

And then you can see here, we've got a countdown timer, a click-through to the ultimate guide that I've been writing for the A Cloud Guru blog. It is the sort of ultimate guide to the show, and we can see what's going on as far as activities during the show itself. But more importantly, it is keeping track of the live streams, so you can see here.

We've got the replays from the previous ones as well as what's up next, and we're doing this one right now. But if you click on to the replay, you'll see the embed from YouTube, which is great, and then also a transcript done by a machine, so lots of mistakes in there but some interesting stuff nonetheless.

So let's go. And Andrew has already hit it: that timer is not powered by Lambda. That is good old-school JavaScript, really simple, and the whole website is in S3, and we're going to talk about that on the next stream, where we'll talk about S3 in general, I think. But Andrew has already hit it out of the park: the shared-responsibility model from AWS is ugly.

It's worse than ugly, Andrew. It is counterproductive. It's too complicated. It tries to get across a very simple concept, but it has done so with a generous helping of either engineering or marketing, I'm not quite sure which one, or maybe they're both fighting. This has generally been their way of presenting the shared-responsibility model, and this is how you're going to see it in the AWS documentation.

I'll show you their actual page on the site for shared responsibility in a minute. The two key points, and let me move myself over to the other side so you can see here, the two critical points this does get across are the concepts of security of the cloud and security in the cloud. Now, that's good.

I'm going to highlight that. That's a good thing. That's what I like about this diagram. I don't like anything else about it, and the reason being is it's only talking about security. The shared-responsibility model is more than just security, but also there are just too many things going on here, and it doesn't get across the core concept.

That is absolutely critical when we are talking about this concept: the shared-responsibility model is how everything works in the AWS Cloud. So let me shift myself over here. Let me flip over and show you how AWS presents that model. They have a page at compliance/shared-responsibility-model, and if you scroll down you're going to get the whole blurb about how security and compliance is a shared responsibility between AWS and the customer. A hundred percent correct. Operations is also a shared responsibility, and it works on this model. And I don't like... if you guys have followed me for any length of time, you know that I really have a challenge with the way that security is always put off to the side, like,

oh, here's all this stuff, and there's security as well. It's a fundamental, integrated part. There's no separation; security is just one aspect of building well. And for me, it comes down to my definition of the goal of cybersecurity: to make sure whatever you've built works as intended and only as intended.

It's just something that I think we need to hammer home time and time again. So while this model is presented in the context of security, it really applies to everything. They've got the big giant diagram here talking about security of the cloud vs. security in the cloud, and this stemmed from the very early days of AWS.

They had a huge amount of pushback from customers saying the services are not secure. Nothing could have been further from the truth at that time, let alone today. AWS has proven themselves time and time again to be world-class as far as operations organizations go, including security.

So this concept of security of the cloud: what does AWS build into its cloud offerings? What AWS does themselves for security. And security in the cloud: that's what you as a customer need to do. You need to build security in the cloud, which is a really, really important thing.

So Andrew just dropped a great link in the comments here. Definitely check that out. He's got a very simplified model of the shared-responsibility model and I love it. Let me actually pull that up for you guys, because I think it's definitely worth calling out on the stream itself. Excuse my messaging; I always hate that with LinkedIn. There we go. Of course we can't do that.

So now you see his very, very simple diagram, and I love it. Simple. The link is there. Check it out. Now let me pull that off the screen. So security of the cloud, security in the cloud: great concept, fine.

You keep scrolling down and they've got a whole bunch of details on how they actually implement this. I've got no problem with any of it, since it addresses the core issues. And then that's the end of it. I think they sort of don't put enough emphasis on this, because this model is absolutely critical to understanding everything that you do in the cloud.

So let me show you how I present the model. This is the diagram I use. I use this one time and time again; I have for years. It has changed very, very little, because I think it's core. It's a fundamental principle: shared responsibility for security, for operations, for everything.

Normally I just say this is how the cloud works, and then define, hey, security is not off on its own; security is an absolutely critical part of everything that we're doing. So we start on the left-hand side of your screen with on-premises, and the way we introduce this is by saying there are basically six areas

where you have to do something every day. Okay, something has to be... let me reset. I was jumping ahead of myself. There are six areas where something has to be done basically day to day, if not hourly, to keep things working, to keep the lights on, to keep things safe and secure. We start with physical, moving up through infrastructure, virtualization, OS, apps and data. If you think of a traditional environment, you need to make sure that the building is physically there. Is it safe? Is it secure? Is it, you know, in an earthquake zone? There are considerations around physical. For infrastructure, do you have redundant heating and cooling? Do you have redundant uplinks to the internet? Are you on a solid set of routing? Is that kind of infrastructure in place? Virtualization, obviously: can you abstract away physical resources to make their consumption more efficient, using virtual machines, virtual storage, software-defined networking?

Then you get into the stuff that a lot more people are comfortable with: operating systems. Are you patching them? Are you maintaining them? Are you configuring them correctly, hardening them? Your apps, which you're either installing off the shelf or building yourself. And then data, and data is always your responsibility across all of these different verticals.

So you've got on-premises, and most people understand it, right, which is great. And yeah, Brian, thank you. I think we all agree that, you know, the shared-responsibility model absolutely needs to be understood. The challenge is getting there, right?

The reason why I start with on-premises is because people are used to collaborating, whether they know it or not. So the way to break this down is: in your organization today, especially for larger enterprises, no one team is responsible for all this stuff.

You have a data center team that's responsible for the data center, for making sure the building is okay, for making sure there's enough rack space. You've got teams who are worried about the networking, who are worried about the virtualization. You probably have a standard, or a couple of standard, OS teams, right? So this is something that you're used to worrying about, used to delegating, and working as a team and collaborating on.

So how does that shift when we move into the cloud? In the cloud we have three primary delivery models, and traditionally I'd use the simple structure: infrastructure-as-a-service, platform-as-a-service, software-as-a-service. AWS started shifting their language a little while ago, a couple of years back, when they talk about infrastructure services, container services (this was before containers got super popular, but the services that contain something), and abstract-level services.

So hopefully they'll change that middle tier to some other name, but I think those are generally understood. Essentially, what happens is, right off the bat, when you move into the cloud with an infrastructure-level service, you delegate half of your responsibilities, your teams' responsibilities, to the cloud provider. So you never know about the leases on AWS data centers, right? You don't even know specifically where the data centers

are. You have this idea of availability zones within regions. You're not worried about redundant uplinks. You're not worried about heating and cooling. Same with the abstraction, now primarily Nitro within AWS, a fantastic set of services that they've developed and deployed. They talk about it every once in a while on Monday or Tuesday Night Live. James

Hamilton has given a few phenomenal talks at re:Invent. Peter DeSantis has given some fantastic talks at re:Invent, with AWS sort of peeling back the covers and saying this is how we manage this aspect of the shared-responsibility model. They've done some really amazing things. I think it was last year James Hamilton did like 10 minutes on how they figure out fiber multiplexing bandwidth within their cables, which is an absurd thing to think of, but at their scale made a ton of sense. So the idea is, right off the bat,

if you're just standing up an instance in EC2, half of the daily responsibilities are pushed off to somebody else. That's the deal you're making with your cloud provider. Now, it's different than traditional outsourcing. Outsourcing tends to suck. It's always sucked, because there's a service layer in between that doesn't work nearly as well.

The AWS service layer is an API. It's consistent. It may not always be accurate, but it's consistently inaccurate when it is not accurate, and that's the deal you make, right? So when you spin up an instance in EC2, you are responsible for the operating system, for the app you install, and then the data you put in it.

So if you want to then configure your OS so the password for root, for the main user, is "password", you can do it. It's a stupid thing to do. I do not recommend it. Pro tip: don't do that. But if you wanted to, you can, because it's your responsibility, right? And that's how the shared responsibility works.

You need to understand your sort of cut-off, the layer where you take over. If you move into container-level services, you're responsible for the app that you put on top of them and then the data. And then if you go all the way over to abstract services, you're responsible for the data you put in. So if you think of something like S3, you're responsible for deciding whether or not, for the data you put in, you're comfortable with the security controls in place. And that brings us to service configuration. For service configuration

you are always responsible for configuring the options, the knobs and the levers that are presented to you. So when it comes to S3, are you making the access control proper? Are you turning everything to public? Because you probably shouldn't be doing that unless you have a very specific intention of making that happen.

Right, and this comes to, you know, Augusto's point: data should always be treated as super valuable. Absolutely everything else is replaceable. Your data is the one critical thing that you need to protect. You'll notice in the shared responsibility model you are responsible for your data all the time, and you are also responsible for service configuration all of the time.

So if we take something like AWS Lambda, in fact let's flip over to the Lambda console. So when we go into Lambda, and I'm looking at a specific sample, we made this actually in the first stream, I am responsible for the data, which is this code you see on the screen.

This is the data that I put into the service. Is this data appropriate? Yes. This is just essentially reading an incoming event and making a decision based on that event. But I'm also responsible for the service configuration. So there's the option to create environment variables. Well, these are readable not just by my function but by anyone who has access to this account, so I shouldn't be putting secret information in here unless I've encrypted it, right? And there are other ways to do that in a different manner.

I'm also responsible for the role that I'm using. So am I giving this Lambda function the appropriate permissions? This is all under service configuration. Same with whether I'm placing this function into a VPC or not. Am I putting it in a virtual private cloud? I need to decide these things because they're firmly in my area of the shared-responsibility model.

They are not in AWS's. What AWS is handling for us here in Lambda, if we flip back to the model, is the application that runs Lambda. There's a whole host of containers that fire up to execute your function and then shut down, and the operating system that those containers are running on, and the OS in those containers.

That's all AWS's responsibility. Same with the Nitro layer for virtualization, the infrastructure, the physical. That's not my problem. And the beauty of this is that I get to run my code that you see here for, you know, $0.20 for every million executions, but I am responsible for that code.

That's the data I put into the service, and I'm responsible for the service configuration. So have I made the right choices with runtime? Have I made the right choices with my environment variables, with tagging, with the permissions in the roles? So that's roughly how the shared-responsibility model works.

Now, if any of you are pure security folk with your tinfoil hats on, you're probably going, well, wait a minute, I don't just blindly trust. And that is absolutely 100% true. You need to verify that all of these grayed-out areas here, the ones AWS is responsible for, that they're actually doing what they said they're going to do, because in this model there is an implicit trust, right? You trust that when you spin up an EC2 instance, you will have virtualization covered, infrastructure covered and physical covered. And I'm just checking, as Andrew made a great comment here.

I should Snyk that code? Absolutely, but if Snyk can find a problem with four nested if statements, I need to hang up my coat and hat. But yes, Snyk is a phenomenal reference service, really great. If you haven't checked them out, you absolutely should. Great way to verify open-source vulnerabilities in your downstream dependencies in a really, really smooth manner in your pipeline. snyk

.io, I think, is the website. Google it, LinkedIn too for their team. Great tool. But yeah, if this level of code requires in-depth testing then I'm in trouble. And also I put some ifs in, so I made sure I did okay. Back to the challenge at hand here: you need to make sure that AWS is holding up their end of the bargain.

If AWS is not holding up their end of the bargain, this whole thing falls down. Pro tip: they're 100% holding up their end of the bargain, because if they didn't, they wouldn't be making so much money; people would be leaving them in droves. But there is a service that we are going to dive into today, and we've got probably about 10 minutes left. I don't think we're going to take that whole time, but this is one of my all-time favorite services.

So if we go back into our account here, this is a demo account, so we'll see. We've never actually used this. We are going to pull up AWS Artifact. Most people have never heard of this service, which is a shame, because like I said, it's my absolute favorite.

So we click on Artifact. This is the extent of the service. You'll see there are agreements and reports. They've actually added agreements, which is nice. So you have the account agreements around Australia's notifiable data breach, and the business associate amendment for HIPAA in the States.

And then, my Japanese is not as slick as it should be, but this is the Japanese privacy law amendment, or agreement for being a service provider. So if you need copies of that, that's there. But Artifact is the way that you as the user verify that AWS is doing what they say

they're doing. And the reason being is that Artifact provides you with the AWS side of the report. And yeah, Andrew's comment that he knows a bunch of people who are AWS pros and they don't know about Artifact: a hundred percent, I get it. It's a ridiculous service when you think of it; it is literally a list of buttons, but it's absolutely critical. If we scroll down here to get to something more reasonable, so this is a good one: if we look at the Cloud Computing Compliance Controls Catalogue, or C5, this was developed by Germany's national security authority and it basically says any cloud provider needs to adhere to these controls.

If we click the blue "Get this artifact" button, what's going to happen is that we have to accept a non-disclosure agreement. Now, I have actually read this. I'm just scrolling through for the impact here, because I'm not going to walk you guys through it, but I am a nerd like that.

I have read this agreement before; I'm not blindly accepting it. But as soon as you accept it, what ends up happening is, you see down here, we get this nice little PDF. Let me make sure I open it in something safe. What's going to happen is Preview is going to open this up.

Perfect. Okay, so I'm going to switch over my screen for a second. This might be a little disorienting, and it should be. This is an example of what you're going to get from Artifact. If you scroll down, you're going to see that's just the non-disclosure, to make sure that I get my artifact.

If you eventually get this to work, what's going to happen? Yes, you will get Finder open. I want to see if I actually get the artifact, what you should be getting, and I got the disclosure agreement again. All right, there's a little challenge here. I will dig into that afterwards.

But the point is, what you end up getting is AWS's side of the various reports. And that's a great question I was asked: how many licks does it take to get into the artifact? I apparently don't know, because I can't seem to do it.

But if you keep scrolling down you'll see there are things like the W-9, the Government of Canada partner package (we made the list) and ISO certification. These ones are what people are more familiar with. So if you look at them, we're just going to flip. It helps if I go back to Chrome here.

So back in AWS, that's what I was talking about. Just keep scrolling down, and let's just see the ISO 27001 statements, which are great. But if you come back to the AWS compliance website and you go to compliance programs, what you're going to see here is logo soup.

Okay, logo soup. Andrew's playing on "I have to open up an Adobe PDF", which is ridiculous, but good point. So if you go through here, you'll see all the logos that they have attestations for, and you've got like SOC level one, level three, PCI DSS, all that kind of stuff. What you're going to get is a matching document in Artifact, and that will tell you what is going on with all of the various items.

So while we're talking here, I'm actually going to install Adobe's good old Acrobat, because I've got the Creative Suite, unfortunately, and that's going to let us open these documents. But basically what I'm telling you here is that for each one of these there's almost always a matching document on Artifact, and that's going to give you the details of how AWS fulfills their side of the shared-responsibility model.

Now another way to do this, or another way to check in a non-official way: if you go to the AWS whitepapers, what you're going to see under security is a number of documents, especially in the AWS Well-Architected Framework, that overview how AWS is covering off various security responsibilities.

So they've got best practices for DDoS resiliency, which explains what they're doing on the DDoS side. Then let me just see if my other PDF reader is going to open up this guy. I'll see you in a sec. So you've got these various whitepapers in here.

And there's a really good one on security that I will have to figure out the actual title of, ops resilience or something like that. There's a security overview of Lambda. There's a generic version of this, and for various security services, but this tells you, and you can see right here, the shared-responsibility model is one of the core aspects. There's that horrible diagram again, but this document walks through what AWS is doing to fulfill their side of the shared-responsibility model, and tells you how the Lambda runtime works.

It tells you where your responsibilities start, and there's an overall document that covers security for this and operations for the various services, as well as the specific ones sitting in Artifact. So good old Creative Cloud is taking forever to install Acrobat, but one of you has given us some great info in the comments here: if you're using the official Acrobat PDF opener, it will get you past the non-disclosure agreement.

You'll actually be able to open up the artifacts themselves. Maybe I'll post a screenshot or something like that. But you guys get the point when it comes to the shared-responsibility model: these areas below in the gray, AWS is responsible for. You need to make sure that you understand where that line is.

Right? If you don't know where that line is, you're in trouble operationally and from a security perspective, and that's absolutely critical. So if you are running an instance in EC2, you are responsible from the OS up, which means, like this week, Microsoft released two critical patches; you need to apply them to your Windows systems. It's not

going to happen automatically. Whereas if you were running in a PaaS-level service, or something like RDS for SQL Server that's running on Windows, AWS takes care of that patching. You don't have to worry about that, because they're patching the OS. You have to worry about the app and the data on top of it.

Right? And if you move all the way over to the data side, you need to, like me, think: Lambda is my code. Okay, am I putting it in there? You know, Andrew suggested a great one: if you're not sure about the quality of that data, you can run something like Snyk against your code.

If you're in S3, the question is, is this top-secret information, and am I comfortable with that? And then, as always, always, always, always, always, you're responsible for service configuration, and you need to understand that AWS provides a bunch of great levers and knobs and things like that for you to take advantage of. So you need to get there. And that actually brings us to a whole service area: security, identity and compliance.

All of these that you see on screen, these guys, their tools, the services or features that AWS provides, are to help you fulfill your aspect of the shared-responsibility model. That's the goal of these things. They don't automatically do security for you. They help you fulfill your responsibilities. Same with security vendors.

So I work for Trend Micro. We're an advanced technology partner of AWS, and have been forever. All the security partners you see in the APN, the Amazon Partner Network, we're all trying to help you fulfill your aspect of the shared-responsibility model. Same with these sets of services.

So if you look at, like, Secrets Manager: Secrets Manager is trying to help you manage secrets so that when you configure things like a Lambda function, you don't need to put the secret in the code, right? You don't need to put the secret in the data. You can have it in an area where you're more comfortable. Same with Inspector: it's looking at your instances to make sure your OSes are up to date, your apps are up to date and not vulnerable to something. This entire suite of services is trying to help you fulfill your area of this shared-responsibility model. But I far prefer... I do not like presenting it like this.

I like Andrew's version of this diagram if you want to go "of the cloud, in the cloud", but I think if you're talking about it with teams, if you're trying to understand it yourself, I think this is far simpler. I think it is very much straightforward, and this is what you should be

tattooing... wrapping your head around: where this line is for infrastructure (OS and up), platform or container (app and up), SaaS or abstract stuff (data and up). So data and service configuration, absolutely critical that you understand this, not just for security but for operations as well. With that, we've hit 10:30. We're going to call it on this stream. The link I dropped at the start, that's where I'm tracking all of this stuff, right, all the way up on the updated site.

So you'll see it on the "all things re:Invent" page, tracking existing streams. So I'll put this one up there, and then the next stream might be this week or next week. I'll look at my schedule. I'm trying to get a little ahead so you guys have a better idea instead of just randomly getting those LinkedIn notifications. But as far as topics go, fire them off in the comments here on LinkedIn, or if you're watching this in the replay on YouTube, in the description below, because I want to know what makes sense for you guys. What I'm thinking for the next time is a deeper dive in Amazon S3, especially around configuration

and understanding your part of the shared-responsibility model, which is why I wanted to tackle that today. I really appreciate you guys jumping on the stream, sticking with us. It's great. I love the comments. Andrew just fired off one more here on using Systems Manager for secrets. It is free, but there are challenges with that, as Secrets Manager also offers rotation, and there's something to be said for separation of duties and separation of data storage, but we'll cover that on another stream.

And yes, Augusto, I will absolutely share this slide out, just as a straight image, so that you guys can use it and maybe put it up somewhere in the cloud center so that people understand it, and email it to all your friends, all that kind of stuff, so that you drill this model home. Thank you very much for joining us. I really, really appreciate it.

We will talk to you soon and keep those comments coming. Thanks again. Morning, everybody. How you doing today at different camera today because this one doesn’t seem to want to respond. I’m going to see if we can fix that real quick Uno troubleshooting on the Fly always a fun thing and hopefully that will do it.

If not, we are looking directly into the webcam which gives us some reasonable feed. That’s fine. It’s no big deal as we are live here on LinkedIn. We have the comments set up and I don’t know why I always point to my screen but I do with the common set up on LinkedIn.

So if you have any questions as we’re going on a monitor. Please, let me know and we will take them on the fly at ATS a really important part of the process. We’ve done three of these already where we’ve covered just a gentle kick-off like hey, that’s what we’re going to do this year a leading up to reinvent and we’ve also had a one on the heat to be slammed though.

We didn’t intro on YouTube that was kind of cool and we worked on some basic coding talked about land at work. And then set up a trigger from S3 where you dropped a violin and then you would see output in in the logs, which was awesome then two days ago on Monday.

We did a to b a c a l. I we introduced the concept of the sea Eliza mirror of the API great way to start kind of easing your way into a AWS and we did some basic stuff like we upload a file using a the CLI and we also did some translation translation.

I also classic floppy floppy disks for coasters the translation by the CLI. What do they was pretty cool. So today we are going to tackle the shared-responsibility model. And as I said the comments already that is way more interesting than it sounds and because everyone just shared responsibility model.

Here we go. How are we going to deal with this? Let's start by actually walking through what AWS considers to be the shared responsibility model. Then I'll give you my take on it, to simplify things and to make stuff easier. And thanks for jumping on the livestream, everybody, appreciate it.

If you have any questions, please, by all means, jump in; I'm totally comfortable taking them on the fly. The idea of this is casual. There's so much stuff going on leading up to re:Invent that I wanted to help you guys out. I wanted to sort of get a better idea for myself, even, of what's going on.

I'm kind of helping bridge some of the gaps in the cloud. So I did put a link right off the bat, Sam. I just updated my website, finally went through and cleaned some stuff up, but I have a page up for re:Invent, and that is where I'm collecting all things re:Invent.

And then you can see here, we've got a countdown timer, a click-through to the Ultimate Guide that I've been writing for the A Cloud Guru blog, and it is the sort of Ultimate Guide to the show, so we can see what's going on as far as activities during the show itself. But more importantly, it is keeping track of the live streams, so you can see here.

We've got the replays from the previous ones as well as what's up next. We're doing this one right now, but if you click on the replay, you'll see the embed from YouTube, which is great, and then also the machine-translated, or rather transcribed, version. So lots of mistakes in there, but some interesting stuff nonetheless.

So let's go. And Andrew has already hit it on that: the timer is not powered by Lambda. That is good old-school JavaScript, really simple, and the whole website is on S3, and we're going to talk about that on the next stream, where we'll talk about S3 in general, I think. But Andrew has already hit it out of the park: the shared responsibility model from AWS is ugly.

It's worse than ugly, Andrew. It is counterproductive. It's too complicated. It tries to get across a very simple concept, but it has done so with a generous helping of either engineering or marketing, I'm not quite sure which one, or maybe they're both fighting. And this has generally been their way of presenting the shared responsibility model; this is how you're going to see it in the AWS documentation.

I'll show you the actual page on their site for shared responsibility in a minute. The two key points, and let me move myself over to the other side so you can see here, the two critical points this does get across are the concepts of security of the cloud and security in the cloud. Now, that's good.

I'm going to highlight that. That's a good thing. That's what I like about this diagram. I don't like anything else about it, and the reason is that it's only talking about security. The shared responsibility model is more than just security, but also there are just too many things going on here, and it doesn't get across the core concept.

That core concept is absolutely critical when we are talking about this, and it is this: the shared responsibility model is how everything works in the AWS cloud. So let's, I shall leave myself over here, let me flip over and show you how AWS presents that model. So they have a page at compliance/shared-responsibility-model, and if you scroll down you're going to get the whole blurb about how security and compliance is a shared responsibility between AWS and the customer. One hundred percent correct. Operations is also a shared responsibility, and it works on this model. And I don't like... if you guys have followed me for any length of time, you know that I really have a challenge with the way that security is always put off to the side, like,

"Oh, here's all this stuff, and there's security as well." It's a fundamental, integrated part. There's no separation; security is just one aspect of building well. And for me, it comes down to my definition: the goal of cybersecurity is to make sure whatever you've built works as intended and only as intended.

It's just something that I think we need to hammer home time and time again. So while this model is presented in the context of security, it really applies to everything. And they've got the big giant diagram here talking about security of the cloud vs. security in the cloud, and this stemmed from the very early days in AWS.

They had a huge amount of pushback from customers saying the services are not secure. Nothing could have been further from the truth at that time, let alone today. AWS has proven themselves time and time again to be world-class as far as operations organizations go, including security.

So this concept of security of the cloud: what does AWS build into its cloud offerings? What does AWS do themselves for security? And security in the cloud: that's what you as a customer need to do. You need to build security in the cloud, which is a really, really important thing.

So Andrew just dropped a great link in the comments here. Definitely check that out. He's got the very simplified model of the shared responsibility model, and I love it, and highlighting the... let me actually pull that up for you guys, because I think it's definitely worth calling out on the stream itself. Excuse my messaging, I always hate that with LinkedIn. There we go. Well, of course we can't do that.

So now you see his very, very simple diagram, and I love it. Simple. The link is there. Check it out. Now let's... I'll pull that off the screen to make sure. And so security of the cloud, security in the cloud: great concept, fine.

If you keep scrolling down, they've got a whole bunch of details on how they actually implement this. I've got no problem with any of it, since it addresses the core issues. And then that's the end of it. I think they sort of don't put enough emphasis on this, because this model is absolutely critical to understanding everything that you do in the cloud.

So let me show you how I present the model. This is the diagram I use. Okay, I use this one time and time again; I have for years. It has changed very, very little, because I think it's core. It's a fundamental principle: shared responsibility for security, for operations, for everything.

Normally I just say this is how the cloud works, and then define, hey, security is not off on its own; security is an absolutely critical part of everything that we're doing. So we start on the left-hand side of your screen with on-premises, and the way we introduce this is by saying there are basically six areas

where you have to do something every day. Okay, something has to be... let me reset, I was jumping ahead of myself. There are six areas where something has to be done basically day to day, if not hourly, to keep things working, to keep the lights on, to keep things safe and secure. And we start with physical, moving up to infrastructure, virtualization, OS, apps, and data.

If you think of a traditional environment, you need to make sure that the building is physically there. Is it safe? Is it secure? Is it, you know, in an earthquake zone? Like, there are considerations around physical. For infrastructure: do you have redundant heating and cooling? Do you have redundant uplinks to the internet? Are you on a solid set of routing? You know, is that kind of infrastructure in place? Virtualization, obviously: can you abstract away physical resources to make their consumption more efficient, using virtual machines, virtual storage, software-defined networking?

Then you get into the stuff that a lot more people are comfortable with: operating systems. Are you patching them? Are you maintaining them? Are you configuring them correctly? Are you hardening them? Your apps, which either you're installing off the shelf or you're building yourself. And then data, and data is always your responsibility across all of these different verticals.

So you've got on-premises, and most people understand it, right, which is great. And even in there, the way you can sort of understand... and yeah, Brian, thank you. I think we all agree that, you know, the shared responsibility model absolutely needs to be understood. The challenge is getting there. Right, so, out of the way:

the reason why I start with on-premises is because people are used to collaborating, whether they know it or not. So the way to break this down is: in your organization today, especially for larger enterprises, no one team is responsible for all this stuff.

You have a data center team that's responsible for the leases on the data center, for making sure the building is okay, for making sure there's enough rack space. You've got teams who are worried about the networking, who are worried about the virtualization. You probably have a standard, or a couple of standard, OS teams, right? So this is something that you're used to worrying about, are used to delegating, and working as a team and collaborating on.

So how does that shift when we move into the cloud? In the cloud, we have three primary delivery models, and traditionally I use the simple structures: infrastructure as a service, platform as a service, software as a service. AWS started shifting their language a little while ago, a couple of years back, where they talk about infrastructure services, container services (this was before containers got super popular; the idea is that the service contains something), and then abstracted services.

So hopefully they'll change that middle tier to some other name, but I think those are generally understood. Essentially, what happens is, right off the bat when you move into the cloud with an infrastructure-level service, you delegate half of your responsibilities, or your team's responsibilities, to the cloud provider. So you never know about the leases on AWS data centers, right? You don't even know specifically where the data centers

are. You have this idea of availability zones within regions. You're not worried about redundant uplinks. You're not worried about heating and cooling. Same with the abstraction: now that's primarily Nitro within AWS, a fantastic set of services that they've developed and deployed. They talk about it every once in a while on Monday Night Live or Tuesday Night Live. James

Hamilton has given a few phenomenal talks at re:Invent. Peter DeSantis has given some fantastic talks at re:Invent. For me, it's AWS sort of peeling back the covers and saying, "this is how we manage this aspect of the shared responsibility model," and they've done some really amazing things. I think it was last year James Hamilton did like 10 minutes on how they figure out fiber multiplexing bandwidth within their cables, which is an absurd thing to think of, but at their scale it made a ton of sense. And that's the idea, right off the bat:

if you were just standing up an instance in EC2, half of the daily responsibilities are pushed off to somebody else. That's the deal you're making with your cloud provider. Now, it's different than traditional outsourcing. Outsourcing tends to suck. It's always sucked, because there's a service layer in between that doesn't work nearly as well.

The AWS service layer is an API. It's consistent. It may not always be accurate, but it's consistently inaccurate when it is not accurate. But that's the deal you make, right? So when you spin up an instance in EC2, you are responsible for the operating system, for the app you install, and then the data you put in it.

So if you want to then configure your OS so that the password for root, for the main user, is "password", you can do it. It's a stupid thing to do. I do not recommend it. Pro tip: don't do that. But if you wanted to, you can, because it's your responsibility, right? And that's how the shared responsibility

model works. You need to understand your sort of cutoff, the layer where you take over. If you move into container-level services, you're responsible for the app that you put on top of them, and then the data. And then if you go all the way over to abstracted services, you're responsible for the data you put in. So if you think of something like S3, you're responsible for deciding whether or not, for the data you put in, you're comfortable with the security controls in place. And that brings us to service configuration, right? For service configuration,

you are always responsible for configuring the options and the knobs and the levers that are presented to you. So when it comes to S3: are you making the access control proper? Are you turning everything to public? Because you probably shouldn't be doing that, unless you have a very specific intention of making that happen.

Right, and this comes to, you know, Augusto's point: data should always be treated as if it is super valuable. Absolutely everything else is replaceable. Your data is the one critical thing that you need to protect. You'll notice in the shared responsibility model, you are responsible for your data all the time, and you are also responsible for service configuration all of the time.

So if we take something like AWS Lambda, in fact let's flip over to the Lambda console. And so when we go into Lambda, and I'm looking at a specific sample we made, actually, in the first stream: I am responsible for the data, which is this code you see on the screen.

This is the data that I put into the service. Is this data appropriate? Yes. This is just essentially reading an incoming event and making a decision based on that event. But I'm also responsible for the service configuration. So there's the option to create environment variables. Well, these are readable not just by my function but by anyone who has access to this account, so I shouldn't be putting secret information in here unless I've encrypted it, right? And there are other ways to do that in a different manner.

I'm also responsible for the role that I'm using. So am I giving this Lambda function the appropriate permissions? This is all under service configuration. Same with whether I'm placing this function into a VPC or not. Am I putting it in a virtual private cloud? I need to decide these things, because they're firmly in my area of the shared responsibility model.

They are not in AWS's. What AWS is handling for us here in Lambda, if we flip back to the model, is the application that runs Lambda. There's a whole host of containers that fire up to execute your function and then shut down, and the operating system that those containers are running on, and the OS in those containers.

That's all AWS's responsibility. Same with the Nitro layer for virtualization, the infrastructure, the physical. That's not my problem. And the beauty of this is that I get to run my code, that you see here, for, you know, $0.20 for every million executions. But I am responsible for that code.

That's the data I put into the service, and I'm responsible for the service configuration. So have I made the right choices with the runtime? Have I made the right choices with my environment variables, with tagging, with the permissions in the roles? So that's roughly how the shared responsibility model works.

Now, if any of you are pure security folk with your tinfoil hats on, you're probably going, "Well, wait a minute, I don't just blindly trust." And that is absolutely 100% true. You need to verify that all of these grayed-out areas here, the ones AWS is responsible for, are actually being handled the way they said they would. Because in this model there is an implicit trust, right? You trust that when you spin up an EC2 instance, you will have virtualization covered, infrastructure covered, and physical covered. And I'm just checking, as Andrew made a great comment here.

I should Snyk on that code? Absolutely. But if Snyk finds a problem with four nested if statements, I need to hang up my coat and hat. But yes, Snyk is a phenomenal reference service, really great. If you haven't checked them out, you absolutely should. It's a great way to verify open-source vulnerabilities in your downstream dependencies in a really, really smooth manner in your pipeline: snyk.

io, I think, is the website. Google it, or LinkedIn, for their team. Great tool. But yeah, if this level of code requires in-depth testing, then I'm in trouble. And also I put some ifs in, so I made sure I did okay. I'll get back to the challenge at hand here, which is that you need to make sure that AWS is holding up their end of the bargain.

If AWS is not holding up their end of the bargain, this whole thing falls down. Pro tip: they're 100% holding up their end of the bargain, because if they weren't, they wouldn't be making so much money; people would be leaving them in droves. But there is a service that we are going to dive into today, and we've got probably about 10 minutes left, and I don't think we're going to take that whole time, but this is one of my all-time favorite services.

So if we go back into our account here, and this is a demo account, so we'll see; we've never actually used this. We are going to pull up AWS Artifact. Most people have never heard of this service, which is a shame, because, like I said, it's my absolute favorite.

So we click on Artifact. This is the extent of the service. You'll see there are Agreements and Reports. They've actually added agreements, which is nice, and so you have the account agreements around Australia's notifiable data breach and the Business Associate Amendment for HIPAA in the States.

And then my Japanese is not as slick as it should be, but this is the Japanese Privacy Law Amendment, or agreement for being a service provider. So if you need copies of that, that's there. But Artifact is the way that you, as the user, verify that AWS is doing what they say

they're doing, and the reason is that Artifact provides you with the AWS side of the report. And yeah, addressing the comment that he knows a bunch of people who hold Pro certs and they don't know about Artifact: 100%, I get it. It's a ridiculous service when you think of it. It is literally a list of buttons, but it's absolutely critical. Because if we scroll down here to get to something more reasonable, so this is a good one: if we look at the Cloud Computing Compliance Controls Catalogue, or C5, this was developed by Germany's national security authority, and it basically says any cloud provider needs to adhere to these controls.

What if we click the blue "Get this artifact" button? What's going to happen is that we have to accept a non-disclosure agreement. Now, I have actually read this. I'm just scrolling through for the impact here. I'm not going to walk you guys through it, but I am a nerd like that.

I have read this agreement before; I'm not blindly accepting it. But as soon as you accept it, what ends up happening is you see down here we've got this nice little PDF. Let me make sure I open it in something safe. What's going to happen is Preview is going to open this up.

Perfect. Okay, so I'm going to switch over my screen for a second. This might be a little disorienting, and it should be. This is an example of what you're going to get from Artifact. If you go down and scroll, you're going to see that's just the non-disclosure to make sure that I get my artifact.

If you eventually get this to work, what's going to happen? Yes, you will get... open Finder. I want to see if I actually get the artifact, what you should be getting, and I got the disclosure agreement again. All right, there's a little challenge here. I will dig into that afterwards.

But the point is, what you end up getting is AWS's side of the various reports. And that's a great question someone asked me: "How many licks does it take to get into the artifact?" I apparently don't know, because I can't seem to do it.

But if you keep scrolling down, you'll see there are things like the W-9, the Government of Canada partner package (we made the list), and ISO certification. These ones are what people are more familiar with. So if you look at them, we're just going to flip... it helps if I go back to Chrome here.

So, back in AWS, that's what I was talking about. Just keep scrolling down, and let's just see the ISO 27001 statements, which are great. But if you come back to the AWS compliance website and you go to compliance programs, what you're going to see here is logo soup.

Okay, logo soup. Andrew is pointing out that I have to open it up in an Adobe PDF reader, which is ridiculous, but it's a good point. So if you go through here, you'll see all the logos that they have attestations for, and you've got like SOC 1, SOC 3, PCI DSS, all that kind of stuff. What you're going to get is a matching document in Artifact, and that will tell you what is going on with all of the various items.

So while we're talking here, I'm actually going to install Adobe's good old Acrobat, because I've got the Creative Suite, unfortunately, and that's going to let us open these documents. But basically what I'm telling you here is that for each one of these there's almost always a matching document in Artifact, and that's going to give you the details of how AWS fulfills their side of the shared responsibility model.

Now, another way to do this, or another way to check in a non-official way: if you go to the AWS whitepapers, what you're going to see is, under security, there are a number of documents, especially in the AWS Well-Architected Framework, that give an overview of how AWS is covering off various security responsibilities.

So they've got best practices for DDoS resiliency, which explains what they're doing on the DDoS side, and then let me just see if my other PDF reader is going to open up this guy. I'll see you in a sec. So you've got these various whitepapers in here.

And there's a really good one on security that I will have to figure out the actual... Ops resilience, and something like... there's a security overview of Lambda. There's a generic version of this, and for various security services. But this tells you, so you can see right here, the shared responsibility model is one of the core aspects. There's that horrible diagram again, but this document walks through what AWS is doing to fulfill their side of the shared responsibility model, and tells you how the Lambda runtime works.

It tells you where your responsibilities start, and there's an overall document that covers security for this, and operations, for various services, as well as the specific ones sitting in Artifact. So good old Creative Cloud is taking forever to install Acrobat, but someone has given us some great info in the comments here: if you're using the official Acrobat PDF opener, it will get you past the non-disclosure agreement.

You'll actually be able to open up the artifacts themselves. Maybe I'll post a screenshot or something like that. But you guys get the point. When it comes to the shared responsibility model, these areas below in the gray, AWS is responsible for. You need to make sure that you understand where that line is.

Right? If you don't know where that line is, you're in trouble operationally and from a security perspective, and that's absolutely critical. So if you are running an instance in EC2, you are responsible from the OS up, which means, like this week when Microsoft released two critical patches, you need to apply them to your Windows systems. It's not

going to happen automatically. Whereas if you were running in a PaaS-level service, or something like RDS for SQL Server, which is running on Windows, AWS takes care of that patching. You don't have to worry about that, because they're patching the OS. You have to worry about the app and the data on top of it.

Right? And if you move all the way over to the data side, you need to, like me with Lambda: is my code okay? Am I putting it in there? You know, Andrew suggested a great one: if you're not sure about the quality of that data, you can run something like Snyk against your code.

If you're in S3, the question is: is this top-secret information, and am I comfortable with that? And then, as always, always, always, always, always, you're responsible for service configuration, and you need to understand that AWS provides a bunch of great levers and knobs and things like that for you to take advantage of. So you need to get there. And that actually brings us to a whole service area: Security, Identity, and Compliance.

All of these that you see on screen, these tools that AWS has provided, or services or features that AWS provides, are there to help you fulfill your aspect of the shared responsibility model. That's the goal of these things. They don't automatically do security for you. They help you fulfill your responsibilities. And security vendors:

so I work for Trend Micro. We're an Advanced Technology Partner with AWS, have been forever. All the security partners you see in the APN, the Amazon Partner Network, or the AWS Partner Network, we're all trying to help you fulfill your aspect of the shared responsibility model. Same with these sets of services.

So if you look at, like, Secrets Manager: Secrets Manager is trying to help you manage secrets so that when you configure things like a Lambda function, you don't need to put the secret in the code, right? You don't need to put the secret in the data. You can have it in an area where you're more comfortable. Same with Inspector, which is looking at your instances to make sure your OSes are up to date, your apps are up to date and not vulnerable to something. This entire suite of services is trying to help you fulfill your area of this shared responsibility model. But I far prefer... I do not like presenting it like this.

I like Andrew's version of this diagram if you want to go "of the cloud, in the cloud," but I think if you're talking about it with teams, if you're trying to understand it yourself, I think this is far simpler. I think it is very much straightforward, and this is what you should be at.

Try to wrap your head around where this line is: for infrastructure, OS and up; for platform or container, app and up; for SaaS or abstracted stuff, data and up. So data and service configuration, it is absolutely critical that you understand this, not just for security but for operations as well. With that, we've hit 10:30. We're going to call it on this stream. The link I dropped at the start, that's where I'm tracking all of this stuff, on the updated site.

So you'll see it on the "all things re:Invent" page, tracking existing streams, so I'll put this one up there, and then the next stream might be this week or next week. I'll look at my schedule. I'm trying to get a little ahead so you guys have a better idea instead of just randomly getting those LinkedIn notifications. But as far as topics go, fire them off in the comments here on LinkedIn, or, if you're watching this in the replay on YouTube, in the description below, because I want to know what makes sense for you guys. What I'm thinking for the next time is a deeper dive into Amazon S3, security and configuration,

and understanding your part of the shared responsibility model, which is why I wanted to tackle that today. I really appreciate you guys jumping on the stream, sticking with us. It's great. I love the comments. Andrew just fired off one more here on using Systems Manager Parameter Store. It is free, but there are challenges with that, as Secrets Manager also offers rotation, and there's something to be said for separation of duties and separation of data storage. But we'll cover that on another stream.

And yes, Augusto, I will absolutely share this slide out, just as a straight image, so that you guys can use it and maybe put it up somewhere in the cloud ops center so that people understand it, and email it to all your friends, all that kind of stuff, so that you drill this model home. Thank you very much for joining us. Really, really appreciate it, even with the super trippy screen switching.

We will talk to you soon, and keep those comments coming. Thanks again.
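The stream's Lambda walkthrough lists the pieces of "service configuration" that stay on the customer's side of the line: environment variables (readable by anyone with access to the account, so no plaintext secrets), the execution role's permissions, and whether the function is placed in a VPC; the later Secrets Manager passage adds that a function should reference a secret store rather than carry the secret. The block below is an added example, not code from the stream or from AWS: a local, offline review of those three settings. It assumes the configuration is shaped like the Lambda GetFunctionConfiguration API response (Environment.Variables, Role, VpcConfig, Runtime) and that the role's policy document is supplied alongside it; the sample "weak" and "hardened" inputs, including the account ID 123456789012, are constructed for this example and nothing is fetched from AWS.

```python
"""Added example (not from the stream or from AWS): review the customer-side
service configuration of a Lambda function offline.

Input shape follows Lambda's GetFunctionConfiguration response; the role
policy is passed in separately. All sample data below is constructed.
"""
import re

# Variable names that usually mean a plaintext secret has been pasted in.
SECRET_NAME_HINTS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "API_KEY", "PRIVATE_KEY")
# A reference to a secret store (Secrets Manager or SSM Parameter Store) is fine;
# the function fetches the value at runtime instead of carrying it.
SECRET_REFERENCE = re.compile(r"^arn:aws:(secretsmanager|ssm):")


def find_plaintext_secrets(env_vars):
    """Return a finding for each variable whose name suggests a secret and whose
    value is not a reference into a secret store."""
    findings = []
    for name, value in env_vars.items():
        looks_secret = any(hint in name.upper() for hint in SECRET_NAME_HINTS)
        if looks_secret and not SECRET_REFERENCE.match(str(value)):
            findings.append(f"environment variable {name} looks like a plaintext secret")
    return findings


def find_wildcard_statements(policy):
    """Return a finding for each Allow statement granting a wildcard action on all resources."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = statement.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            findings.append(f"policy statement {index} allows {actions} on all resources")
    return findings


def review_function(config, role_policy):
    """Collect findings for the three customer-owned settings discussed in the stream."""
    findings = []
    findings += find_plaintext_secrets(config.get("Environment", {}).get("Variables", {}))
    findings += find_wildcard_statements(role_policy)
    vpc = config.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        # Not attaching to a VPC can be a valid choice; the point is that it is
        # the customer's decision to make, so surface it for review.
        findings.append("function is not attached to a VPC; confirm this is intended")
    return findings


# Constructed sample: a function with the secret in an env var, an all-powerful
# role, and no VPC decision recorded.
WEAK_CONFIG = {
    "FunctionName": "demo-trigger",
    "Runtime": "python3.12",
    "Role": "arn:aws:iam::123456789012:role/demo-trigger-role",
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "INFO"}},
    "VpcConfig": {},
}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same function after moving the secret to Secrets
# Manager, scoping the role, and making the VPC placement explicit.
HARDENED_CONFIG = {
    "FunctionName": "demo-trigger",
    "Runtime": "python3.12",
    "Role": "arn:aws:iam::123456789012:role/demo-trigger-role",
    "Environment": {"Variables": {
        "DB_PASSWORD_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-db",
        "LOG_LEVEL": "INFO",
    }},
    "VpcConfig": {"SubnetIds": ["subnet-0example"], "SecurityGroupIds": ["sg-0example"]},
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-db"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/demo-trigger:*"},
    ],
}

if __name__ == "__main__":
    for label, cfg, pol in (("weak", WEAK_CONFIG, WEAK_POLICY),
                            ("hardened", HARDENED_CONFIG, HARDENED_POLICY)):
        print(f"{label}: {review_function(cfg, pol) or ['no findings']}")
```

On the constructed inputs the weak configuration produces three findings (the plaintext password, the `*` on `*` statement, and the unrecorded VPC decision) and the hardened one produces none. The VPC check deliberately reports rather than judges, matching the stream's framing: the decision is yours to make, the review just makes sure it was made.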
