
Kourosh Amin-Tehrani, AWS Certified Professional, [email protected]

Pete Mauro, President, [email protected]

www.encore-c.com

Encore Consulting Services, Inc


About

Mr. Amin-Tehrani has over two decades of Network/Information Systems Design and Implementation experience. He has successfully developed architectures and implemented innovative cloud computing solutions. He is an experienced solutions architect for cloud initiatives and production environments for various markets like healthcare and government.

You can expect a personalized service that is tailored to your organization's needs.


System Driven Approach

• Business and technical requirements drive strategy and architecture.

• Capturing requirements is essential.

• Leverage known best practices in the industry.

• Define key principles/policies/critical success factors for IT.

• Security from the beginning (upfront).

• Agile is key (multiple phases / MVPs).


Approach

• Assist in designing, building, operating/monitoring, and auditing a cloud security architecture and secure platform.

• Assist in qualifying an outside AWS security / Big Data firm to execute the above.

• Coach in detailed design and implementation, as well as helping with decision making around work products, scope changes, etc.

• Assist in FISMA Moderate certification of the environment by an outside firm, chosen by Security.

• Assist in any subsequent software assessment(s) to round out our toolset, e.g. Cloud Access Security Broker (CASB) software for on-going validation and monitoring, or if/as determined.

• Assurance and testing strategy and methods.

• Other duties as necessary, AKA, all of the things we don't yet know we need.

• Build the framework for operating, monitoring and auditing, as well as setting up the training to make it possible for either outside firms or internal folks to perform the work.


V Lifecycle Approach (with an Agile / DevOps Framework)


Security Compliance on AWS

· Amazon API Gateway
· Amazon Aurora [MySQL, PostgreSQL]
· AWS Batch
· Amazon CloudFront [including Lambda@Edge]
· AWS CloudHSM
· Amazon CloudWatch Logs
· Amazon Cognito
· Amazon Connect
· AWS Database Migration Service
· AWS Direct Connect
· AWS Directory Services excluding Simple AD and AD Connector
· Amazon DynamoDB
· Amazon EC2 Container Service (ECS)
· Amazon EC2 Systems Manager
· Amazon ElastiCache
· Amazon Elastic Block Store (Amazon EBS)
· Amazon Elastic Compute Cloud (Amazon EC2)
· Elastic Load Balancing
· Amazon Elastic MapReduce (Amazon EMR)
· Amazon Glacier
· Amazon Inspector
· AWS Key Management Service
· Amazon Kinesis Streams
· AWS Lambda
· Amazon Redshift
· Amazon Relational Database Service
· Amazon Route 53
· AWS Shield [Standard and Advanced]
· Amazon Simple Notification Service (SNS)
· Amazon Simple Queue Service (SQS)
· Amazon Simple Storage Service (S3)
· AWS Snowball
· AWS Snowball Edge
· AWS Snowmobile
· AWS Storage Gateway
· Amazon Virtual Private Cloud (VPC)
· AWS Web Application Firewall (WAF)
· Amazon WorkDocs
· Amazon WorkSpaces


FedRAMP vs. FISMA


Evaluating Alternative Architecture

- Assess current state
- Meet stakeholders to involve them in the project scope
- Evaluate current security controls
- Propose future-state architecture


AWS Secure Cloud Architecture

AWS Security Levels of Separation:

1. AWS Account

2. AWS VPC

3. AWS Subnets

Centralized vs Decentralized vs Security Needs vs Developer Needs

Note: AWS Architecture always changes
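As an added example that is not part of the original deck, the check below walks a constructed inventory organised by the three separation levels above (account, VPC, subnet) and reports where the boundaries are not respected; the inventory shape, the tag names and the three rules (one environment per account, non-overlapping VPC CIDRs, private data-tier subnets) are assumptions for illustration.

```python
# Added example, not from the original deck: a policy check that mirrors the
# three AWS separation levels named above (account -> VPC -> subnet).
# The inventory format, tags and rules below are assumptions for illustration.
import ipaddress

# Constructed sample inventory (not real accounts or AWS output).
INVENTORY = {
    "111111111111": {"envs": ["prod"], "vpcs": {
        "vpc-prod": {"cidr": "10.10.0.0/16", "subnets": [
            {"id": "subnet-web", "cidr": "10.10.1.0/24", "tier": "web", "igw_route": True},
            {"id": "subnet-db", "cidr": "10.10.2.0/24", "tier": "data", "igw_route": False},
        ]}}},
    "222222222222": {"envs": ["dev", "test"], "vpcs": {
        "vpc-dev": {"cidr": "10.10.0.0/16", "subnets": [
            {"id": "subnet-dev-db", "cidr": "10.10.2.0/24", "tier": "data", "igw_route": True},
        ]}}},
}


def check_separation(inventory):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    seen_vpcs = []  # (vpc_id, ip_network) pairs checked so far
    for account, acct in inventory.items():
        # Level 1: one environment per account, so prod and non-prod never
        # share an IAM boundary.
        if len(acct["envs"]) > 1:
            findings.append(f"mixed-env-account:{account}")
        for vpc_id, vpc in acct["vpcs"].items():
            net = ipaddress.ip_network(vpc["cidr"])
            # Level 2: VPC CIDRs must not overlap, or peering and routing
            # between them becomes ambiguous.
            for other_id, other in seen_vpcs:
                if net.overlaps(other):
                    findings.append(f"vpc-overlap:{vpc_id}:{other_id}")
            seen_vpcs.append((vpc_id, net))
            for sn in vpc["subnets"]:
                # Level 3: data-tier subnets stay private (no IGW route),
                # and every subnet lies inside its VPC's CIDR.
                if sn["tier"] == "data" and sn["igw_route"]:
                    findings.append(f"data-subnet-public:{sn['id']}")
                if not ipaddress.ip_network(sn["cidr"]).subnet_of(net):
                    findings.append(f"subnet-outside-vpc:{sn['id']}")
    return findings


if __name__ == "__main__":
    for finding in check_separation(INVENTORY):
        print(finding)
```

The same function can be pointed at a real export once the inventory is built from describe-style API output in the assumed shape.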


DevOps


DevSecOps


Cloud Governance