AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Compliance and Audit Assertion...


Transcript of AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Compliance and Audit Assertion...

Page 1: AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Compliance and Audit Assertion (GPSCT308)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Todd Gleason, Kristen Haught, Balaji Palanisamy, Aaron Richmond

November 2016

Chalk Talk: GPSCT308

Applying Security by Design to Drive Compliance and Audit Assertion

Page 2

What to expect from the session

• Overview of AWS Assurance programs

• Overview of Security by Design (SbD)

• Demonstration of SbD and automated controls

• Q&A

Page 3

AWS Assurance Programs

Page 4

Certifications / Attestations

• DoD SRG
• FedRAMP
• FIPS
• IRAP
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• MLPS Level 3
• MTCS
• PCI DSS Level 1
• SEC Rule 17-a-4(f)
• SOC 1
• SOC 2
• SOC 3
• UK Cyber Essentials

Laws / Regulations / Privacy

• DNB [Netherlands]
• EAR
• EU Model Clauses
• EU Data Protection Directive
• FERPA
• GLBA
• HIPAA
• HITECH
• IRS 1075
• ITAR
• My Number Act [Japan]
• Privacy Act [Australia]
• Privacy Act [New Zealand]
• PDPA - 2010 [Malaysia]
• PDPA - 2012 [Singapore]
• U.K. DPA - 1988
• VPAT / Section 508
• EU-US Privacy Shield
• Spanish DPA Authorization

Alignments / Frameworks

• CIS
• CLIA
• CJIS
• CMS EDGE
• CMSR
• CSA
• FDA
• FedRAMP TIC
• FISC
• FISMA
• G-Cloud
• GxP (FDA CFR 21 Part 11)
• IT Grundschutz
• MITA 3.0
• MPAA
• NERC
• NIST
• PHR
• UK Cloud Security Principles

Comprehensive security and compliance

Page 5

Foundational Certifications

• ISO 9001: Global Quality Standard
• ISO 27001: Security Management Standard
• ISO 27017: Cloud Specific Controls
• ISO 27018: PII Specific Controls
• SOC 1: Audit Controls Report
• SOC 2: Compliance Controls Report
• SOC 3: General Controls Report
• PCI DSS Level 1: Payment Card Standards
• NIST 800-53: Risk Management Framework

Page 6

Security by Design

Page 7

Keys to Cloud Security

Cloud goes beyond the traditional elements of security and adds…

• Agility

• Automation

Visibility, Auditability, Controllability

Page 8

What is Security by Design (SbD)?

Modern, systematic, security assurance approach

Formalizes AWS account design, automates security controls, and streamlines auditing

Provides security control built in throughout the AWS IT management process

Effective security is ubiquitous and automatic…

Page 9

Why Is This Important?

Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of information that needs to be safeguarded and the dynamic connectivity of data, applications, and users. A reliable security approach is needed to ensure data is protected and available to authorized users and systems.

Confidentiality, Integrity, Availability

Page 10

Why: Modernize Technology Governance

The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.

(Diagram labels: Assets, Threat, Vulnerability, Risk)

Automation is needed to enforce governance through technology enablement.

Page 11

Approaching Security by Design

1. Understand your requirements

2. Build a “secure environment” that fits your requirements

3. Enforce the use of the templates

4. Perform validation activities

Page 12

Impact of Security by Design

Creates a forcing function that cannot be overridden by users

Establishes reliable operation of controls

Enables continuous and real-time auditing

Result

Automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.

Nerd version - Represents the technical scripting of your governance policy

Page 13

AWS Security and Compliance Resources

AWS Risk & Compliance

Introduction to AWS Security

AWS Security Overview

AWS Security Best Practices

Security at Scale whitepapers

Customer penetration testing requests

Security Partner Solutions

Request more information by contacting us

aws.amazon.com/security

aws.amazon.com/compliance

Page 14

Demo

Page 15

Demo – Automating Security Operations

1. Auto-deploy PCI environment from template

2. Simulate threats

3. Notification of threats

4. Automated mitigation of threats

5. Continuous audit for compliance
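One concrete way to implement steps 3 to 5 of the demo outline (notification, automated mitigation, continuous audit) is an AWS Config custom rule backed by Lambda, with SNS for the notification. The block below is an added illustration, not code from the session or from AWS: the public-port allow-list, the security-group sample and the field shapes of the configuration item are assumptions for this example, and the boto3 calls are deliberately left out so the decision logic runs offline.

```python
import json
# Assumption for this example: the PCI web tier may expose only 443 to the world.
ALLOWED_PUBLIC_PORTS = {443}
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """CIDRs of one permission; Config lists them as strings or {cidrIp}/{cidrIpv6} dicts."""
    out = []
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(key, []):
            out.append(r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")))
    return out

def offending_rules(sg_config):
    """Ingress rules open to the world on any port outside the allow-list."""
    bad = []
    for perm in sg_config.get("ipPermissions", []):
        if not WORLD & set(_cidrs(perm)):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None or hi is None:
            bad.append(perm)  # all protocols/ports from anywhere: always a finding
        elif not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS:
            bad.append(perm)
    return bad

def evaluate(event):
    """Config custom-rule logic: read configurationItem from the Lambda event, return
    one evaluation in the shape config.put_evaluations() expects (continuous audit)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance = "NOT_APPLICABLE" if item["resourceType"] != "AWS::EC2::SecurityGroup" else (
        "NON_COMPLIANT" if offending_rules(item["configuration"]) else "COMPLIANT")
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "OrderingTimestamp": item["configurationItemCaptureTime"]}

def remediation(item):
    """Automated mitigation: rules to revoke plus the SNS text. Pure function (no boto3);
    a real handler would pass this to ec2.revoke_security_group_ingress() and sns.publish()."""
    bad = offending_rules(item["configuration"])
    msg = "%s: revoking %d world-open ingress rule(s)" % (item["resourceId"], len(bad))
    return {"GroupId": item["resourceId"], "IpPermissions": bad, "Message": msg}

# Constructed sample event: 443 from anywhere (allowed) and 22 from anywhere (violation).
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemCaptureTime": "2016-11-30T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Because the template (step 1) is the source of truth, the same allow-list can be generated from the CloudFormation parameters so that the audit rule and the deployed stack never drift apart.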

Page 16

AWS Services Highlighted

AWS CloudTrail

Amazon CloudWatch

AWS CloudFormation

Amazon Kinesis

Amazon EC2

ALB/ELB

AWS Service Catalog

AWS Config

Amazon SNS

AWS Lambda

Auto Scaling

AWS WAF

Page 17

Thank you!

Page 18

Remember to complete your evaluations!