Post on 16-Apr-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Todd Gleason, Executive Cloud Strategist, AWS
October 25, 2016
Modernizing Technology Governance
Reducing Security Surface Area Through AWS Shared Responsibility and Applying Security-by-Design
Over A Million Active Customers and Every Imaginable Use Case
• 1500+ Government Agencies
• 3600+ Education Institutions
• 11,200+ Nonprofits
• 190 Countries
Security is Job Zero
Customer - Financial Services
"The financial services industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
CIO, Capital One
Customer - PCI-DSS
Using AWS, Vodafone created TopUp, a secure, PCI-compliant solution that makes it easy for its customers to buy credit for mobile phone SIM cards.
Customer - Healthcare
Oscar Insurance built a technology and data-driven health insurance company from the ground up in just three months on AWS while meeting HIPAA compliance requirements.
The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
AWS Assurance Programs
Certifications / Attestations:
• DoD SRG
• FedRAMP
• FIPS
• IRAP
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• MLPS Level 3
• MTCS
• PCI DSS Level 1
• SEC Rule 17-a-4(f)
• SOC 1
• SOC 2
• SOC 3
• UK Cyber Essentials
• VPAT / Section 508
Laws / Regulations / Privacy:
• DNB [Netherlands]
• EAR
• EU Model Clauses
• EU Data Protection Directive
• FERPA
• GLBA
• HIPAA
• HITECH
• IRS 1075
• ITAR
• My Number Act [Japan]
• Privacy Act [Australia]
• Privacy Act [New Zealand]
• PDPA - 2010 [Malaysia]
• PDPA - 2012 [Singapore]
• U.K. DPA - 1988
• EU-US Privacy Shield
• Spanish DPA Authorization
Alignments / Frameworks:
• CIS
• CLIA
• CJIS
• CMS EDGE
• CMSR
• CSA
• FDA
• FedRAMP TIC
• FISC
• FISMA
• G-Cloud
• GxP (FDA CFR 21 Part 11)
• IT Grundschutz
• MITA 3.0
• MPAA
• NERC
• NIST
• PHR
• UK Cloud Security Principles
Comprehensive Security and Compliance
Foundational Certifications
• ISO 9001: Global Quality Standard
• ISO 27001: Security Management Standard
• ISO 27017: Cloud Specific Controls
• ISO 27018: PII Specific Controls
• SOC 1: Audit Controls Report
• SOC 2: Compliance Controls Report
• SOC 3: General Controls Report
• PCI DSS Level 1: Payment Card Standards
• NIST 800-53: Risk Management Framework
Financial Services Compliance Enablers
Federal Financial Institutions Examination Council (FFIEC) published a guide for financial services institutions, examiners, and advisors on the use and security architecture of AWS.
U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) published an overview of the OCIE Cybersecurity Initiative on cybersecurity preparedness in the securities industry. Outlines customer compliance responsibilities in relation to AWS.
U.S. Securities and Exchange Commission's (SEC) 17a-4(f) & CFTC 1.31(b)-(c) Compliance Assessment Report for Amazon Glacier with Vault Lock
AWS Privacy and Data Security
Now that the Safe Harbor compliance scheme has been ruled invalid, can customers still use AWS and comply with EU law?
Yes – the EU data protection authorities’ approval of the AWS Data Protection Agreement and Model Clauses enables transfer of data outside Europe, including to the US.
AWS Global Infrastructure
14 Regions, 38 Availability Zones, 63 Edge Locations
You decide where you want to put content and controls
Requirements From Every Industry
Nothing better for the entire community than a tough set of customers…
Everyone’s Systems and Applications:
• Financial Requirements
• Health Care Requirements
• Government Requirements
Global Infrastructure
AWS Foundational Security Applies to Every Customer
AWS maintains a formal control environment:
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type II and SOC 3 report
• ISO Certification (27001, 27017, 27018)
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• HIPAA and MPAA capable
Accredited experts (auditors) audit and validate the AWS cloud.
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud.
AWS Shared Responsibility
Security is a Shared Responsibility
Customers are responsible for their security IN the Cloud:
• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Shared Security Responsibility
Security is Shared and Classified by Ownership:
• Infrastructure Services
• Platform Services
• Abstracted Services
AWS Shared Responsibility: for Infrastructure Services
Managed by customers:
• Customer Data
• Platform & Application Management
• Operating system, network, and firewall configuration
• Data Confidentiality: encryption at-rest / in-transit, authentication
• Data Availability: HA, DR/BC, resource scaling
• Data Integrity: access control, version control, backups
• Customer IAM
• AWS IAM
Managed by AWS:
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Services – Example Amazon EC2
AWS:
• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints
Customer:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall (VPC)
• Customer IAM
• AWS IAM (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Instance Management
• Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility: for Platform Services
Managed by customers:
• Customer Data
• Client-side data encryption & data integrity authentication
• Network traffic protection: encryption / integrity / identity
• Firewall Configuration
• Customer IAM
• AWS IAM
Managed by AWS:
• Platform & Application Management
• Operating system & Network Configuration
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Platform Services – Example RDS
AWS:
• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints
• Operating System
• Instance Management
• Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL)
Customer:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility: for Abstracted Services
Managed by customers:
• Customer Data
• Client-side data encryption, data integrity and authentication
• AWS IAM
Managed by AWS:
• Client-side data encryption provided by platform (protection of data at-rest)
• Network traffic encryption provided by platform (protection of data in-transit)
• Platform & Application Management
• Operating system, network, and firewall configuration
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Platform Services – Example S3
AWS:
• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints
• Platform / Application
• Data Protection (In-transit, At-rest)
• High-Availability / Scaling
Customer:
• Customer Data
• Data Protection (In-transit, At-rest)
• AWS IAM (Users, Groups, Roles, Policies)
Approaches to Auditing
• AWS services are regularly assessed against industry standards and requirements.
• Policy or procedure controls are the responsibility of the customer.
• Manage AWS services similar to traditional infrastructure services.
• Access to AWS services should be treated like other privileged administrator access.
Part of Your Compliance Work is Done
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• Account management
• Authorization policies
AWS + Customer = Secure, compliant workloads
Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
What Does This Mean For You?
• You benefit from an environment built for the most security sensitive organizations
• AWS manages and validates testing against more than 3000 security controls so you don’t have to
• You can define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
Familiar Security Model
Validated and driven by customers’ security experts; benefits all customers.
Layers: People & Process, System, Network, Physical
Closing the Loop – AWS Shared Responsibility
Our pace of innovation, comprehensive security and compliance features allows you to measurably improve your security program.
Security by Design
What is Security?
The practice of protecting your intellectual property from unauthorized access, use, or modification.
What are the key things that come to your mind when talking about Security?
Cloud goes beyond the traditional elements of security and adds:
• Visibility
• Auditability
• Controllability
• Agility
• Automation
What is Security by Design (SbD)?
Modern, systematic security assurance approach
Formalizes AWS account design, automates security controls and streamlines auditing
Provides security control built in throughout the AWS IT management process
Effective Security is ubiquitous and automatic…
Why is this important?
Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of information that needs to be safeguarded and the dynamic connectivity of data, applications, and users. A reliable security approach is needed to ensure data is safeguarded and available to authorized users and systems.
Confidentiality, Integrity, Availability
Why - Modernize Technology Governance
The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.
Assets, Threat, Vulnerability, Risk
Automation is needed to dominate governance through technology enablement.
Approaching Security by Design
1. Understand your requirements
2. Build a “secure environment” that fits your requirements
3. Enforce the use of the templates
4. Perform validation activities
Impact of Security by Design
• Creates a forcing function that cannot be overridden by users
• Establishes reliable operation of controls
• Enables continuous and real-time auditing
• Represents the technical scripting of your governance policy
Result: an automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.
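The four steps of Security by Design (understand requirements, build a template that fits them, enforce use of the template, validate) and the idea of governance policy as technical scripting, shown as an added Python example that is not part of the AWS deck. It encodes a handful of controls taken from the shared-responsibility slides (encryption at rest, no public data, version control, firewall configuration) as checks over a constructed template. The template layout imitates a CloudFormation Resources map in simplified form; the control names, resource names, sample values and the deployment_allowed gate are assumptions for illustration, not AWS identifiers.

```python
"""Added example, not from the AWS deck: a governance policy written as
automated checks over an infrastructure template. The template format is
a constructed, simplified imitation of a CloudFormation 'Resources' map;
the control names and the sample resources are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample template: one compliant bucket, one non-compliant bucket,
# and a security group that exposes an administrative port to the internet.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "RestrictPublicBuckets": True},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "ScratchBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Suspended"}},
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
            ]},
        },
    }
}


@dataclass(frozen=True)
class Finding:
    control: str   # governance control id (constructed names, not an AWS identifier)
    resource: str  # logical resource name in the template
    detail: str


ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}  # unrestricted IPv4 / IPv6 sources


def bucket_findings(name: str, props: dict) -> list[Finding]:
    """Confidentiality and integrity controls for a bucket: encryption at rest,
    no public exposure, and version control (the deck's 'Data Integrity' row)."""
    out = []
    if "BucketEncryption" not in props:
        out.append(Finding("DATA-AT-REST", name, "no default server-side encryption"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not (pab.get("BlockPublicAcls") and pab.get("RestrictPublicBuckets")):
        out.append(Finding("NO-PUBLIC-DATA", name, "public access is not blocked"))
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        out.append(Finding("VERSION-CONTROL", name, "object versioning is not enabled"))
    return out


def security_group_findings(name: str, props: dict) -> list[Finding]:
    """Firewall-configuration control: administrative ports must not be reachable
    from unrestricted sources. A rule with no port range (all traffic) also matches."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if cidr in ANYWHERE and any(low <= port <= high for port in ADMIN_PORTS):
            out.append(Finding("NO-OPEN-ADMIN-PORTS", name,
                               f"{cidr} may reach ports {low}-{high}"))
    return out


# Map resource type to the checks that apply to it; unknown types are skipped.
CHECKS = {
    "AWS::S3::Bucket": bucket_findings,
    "AWS::EC2::SecurityGroup": security_group_findings,
}


def validate_template(template: dict) -> list[Finding]:
    """Validation step: run every applicable control over every resource."""
    findings: list[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


def deployment_allowed(template: dict) -> bool:
    """Enforcement step: a template may be deployed only if it has no findings,
    which is the 'forcing function' a user cannot override."""
    return not validate_template(template)


if __name__ == "__main__":
    for f in validate_template(SAMPLE_TEMPLATE):
        print(f"{f.control:22} {f.resource:14} {f.detail}")
    print("deployment allowed:", deployment_allowed(SAMPLE_TEMPLATE))
```

Running the block lists four findings (three against ScratchBucket, one against AdminSg) and refuses the deployment; a template containing only LogsBucket passes the gate. Wiring validate_template into whatever pipeline creates the stack is what turns the governance policy into an enforced control rather than a written one.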
AWS Security & Compliance Resources
• AWS Risk & Compliance
• Introduction to AWS Security
• AWS Security Overview
• AWS Security Best Practices
• Security at Scale Whitepapers
• Customer penetration testing requests
• Security Partner Solutions
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
Thank you!