Post on 15-Apr-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting Started with Automating Compliance Defense in the Cloud
What you are going to take away
AWS Shared Responsibility
Know the cloud governance steps
How to use cloud services to create a persistent state of compliance
Best practices for a strong compliance defense
Poll Question
To understand the make up of today’s audience, please select the option that best describes your role.
https://aws.amazon.com/solutions/#industry
https://aws.amazon.com/financial-services
Regulated, audited, and sensitive data will be a better fit for storage and processing in the cloud.
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
AWS Shared Responsibility
You get to define your controls IN the cloud
AWS takes care of security OF the cloud
aws.amazon.com/compliance/shared-responsibility-model
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Tao of Cloud Compliance
1. Partner the cloud tech SMEs and the security/compliance SMEs
2. Integrate industry standards, independent benchmarking, regulatory requirements
3. Design and Package: Create a master design that meets internal and external requirements
4. Constrain: Enforce deployment to that design
5. Deploy: Mechanize a scalable governance and auditing program
Step 1: Partner the cloud tech SMEs and the security/compliance SMEs
Customer Governance Model: Permanent Supervision
Inputs to the model:
AWS Best Practices
Industry Standards
AWS Architecture for Standards
Internal & Regulatory Requirements
Service Documentation
AWS Workbooks
AWS Technology Resources
Poll Question
Within your organization, how closely does your compliance department work with your information technology team?
Step 2: Integrate industry standards, independent benchmarking, regulatory requirements
Industry Standards and Benchmarking
CIS Amazon Web Services Foundations Benchmark v1.0.0
Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
FFIEC Assessment Guide for AWS
Poll Question
Has your organization leveraged CIS benchmarks to implement industry-standard best practices?
Step 3: Create a master design that meets internal and external requirements
Create a golden environment
Use baseline requirements to create a gold OS image
Configure use of AWS services, for example:
Amazon S3: Force SSE; Turn on logging; Specify retention; Set Amazon Glacier archiving; Prevent external access; Specify overriding permissions; Set event notifications
Amazon EBS: Define volume type; Volume size limits; IOPS performance (input/output); Data location (regions); Snapshot (backup) ID; Encryption requirements
Amazon Redshift: Cluster type (single or multi); Encryption (KMS or HSM); VPC location; External access (yes/no); Security groups applied; Create SNS topic; Enforce Amazon CloudWatch alarms
Poll Question
What are your greatest challenges prohibiting the automation of controls throughout your organization?
Step 4: Enforce deployment to that design
Enforce AWS Service Catalog
Allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.
Control which IT services and versions are available
Control the configuration of the available services
Control permission access by individual, group, department, or cost center
Provisioning Team creates and manages Service Catalog
Products built from CloudFormation Templates
An AWS Service Catalog product is a deployable AWS CloudFormation template.
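Because a Service Catalog product is just a CloudFormation template, the S3 column of the golden design (force SSE, turn on logging, Glacier archiving, prevent external access, event notifications) can be checked mechanically before a template is published as a product. The following is an added example, not code from the AWS deck: the rule set and the sample template, including its bucket names and SNS topic ARN, are constructed for illustration, and the public-access check uses the PublicAccessBlockConfiguration property that S3 offers today.

```python
PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def _get(d, *path, default=None):
    """Walk nested dicts/lists along path; return default when any step is missing."""
    try:
        for key in path:
            d = d[key]
    except (KeyError, IndexError, TypeError):
        return default
    return default if d is None else d

def check_bucket(props: dict) -> list:
    """Findings for one AWS::S3::Bucket 'Properties' dict against the golden S3 settings."""
    findings = []
    algo = _get(props, "BucketEncryption", "ServerSideEncryptionConfiguration", 0,
                "ServerSideEncryptionByDefault", "SSEAlgorithm")
    if algo not in ("AES256", "aws:kms"):
        findings.append("SSE not forced")
    if not _get(props, "LoggingConfiguration", "DestinationBucketName"):
        findings.append("access logging off")
    rules = _get(props, "LifecycleConfiguration", "Rules", default=[])
    if not any(t.get("StorageClass") == "GLACIER" for r in rules
               if r.get("Status") == "Enabled" for t in r.get("Transitions", [])):
        findings.append("no Glacier archiving rule")
    pab = _get(props, "PublicAccessBlockConfiguration", default={})
    if not all(pab.get(k) is True for k in PUBLIC_BLOCK_KEYS):
        findings.append("public access not blocked")
    if not _get(props, "NotificationConfiguration", "TopicConfigurations"):
        findings.append("no event notifications")
    return findings

def check_template(template: dict) -> dict:
    """Map each S3 bucket logical id in a parsed template to its findings ([] = compliant)."""
    return {name: check_bucket(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::S3::Bucket"}

# Constructed sample template: one bucket built to the golden design, one ad hoc.
SAMPLE_TEMPLATE = {"Resources": {
    "GoldBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "example-log-bucket"},
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled",
            "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 90}]}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_BLOCK_KEYS, True),
        "NotificationConfiguration": {"TopicConfigurations": [{"Event": "s3:ObjectRemoved:*",
            "Topic": "arn:aws:sns:us-east-1:111122223333:example-topic"}]}}},
    "AdHocBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}
```

Running check_template over a template loaded with json or yaml gives an empty finding list for GoldBucket and five findings for AdHocBucket; wiring the same check into the pipeline that publishes Service Catalog products is the "constrain" step of the Tao.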
Step 5: Mechanize a scalable governance and auditing program
Governance & Auditing Program
Best Practices for a Strong Compliance Defense
1. How is the entity using the cloud?
2. Is the entity leveraging credible, third-party assessments?
3. Has the entity benchmarked their use of the cloud against CIS or another independent body?
4. How do they monitor use of the cloud?
5. How has application, logical access, resiliency, governance changed?
Jodi Scrofani, Financial Services Compliance Strategist at AWS
Thank You!