Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016
TRANSCRIPT
![Page 1: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/1.jpg)
Welcome to the
AWS Financial Services Cloud Symposium
![Page 2: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/2.jpg)
"We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules." - UK Financial Conduct Authority, FG 16-5, July 2016
“Insurance is a highly regulated industry where security, governance and compliance are key. Our internal compliance team conferred with both financial services regulators in the UK and our legal team, and they found that they could use AWS and remain compliant.”
- Adrian Hodgkison, Head of IT
Compliance with Regulation is Doable
![Page 3: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/3.jpg)
AWS & Customer Regulated Workloads
*Also an AWS Customer
![Page 4: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/4.jpg)
"It is a fallacy that Institutions can't use cloud services (because regulators don't allow them)" - G20 ITSG Meeting, Anonymous
![Page 5: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/5.jpg)
https://aws.amazon.com/solutions/#industry
https://aws.amazon.com/financial-services
Regulated, audited, and sensitive data will be a better fit for storage and processing in the cloud.
![Page 6: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/6.jpg)
AWS Security as a Platform for Compliance
DDOS Mitigation
Data Encryption
Inventory & Configuration
Monitoring & Logging
Identity & Access Control
Testing & Validation
Availability & Resiliency
AWS provides financial services customers a platform to engineer customized security.
![Page 7: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/7.jpg)
Security and compliance are the highest priority at AWS. As an AWS customer, you benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.
An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment.
You can therefore customize security on the platform to meet any number of compliance regimes that apply to your business processes and geography.
![Page 8: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/8.jpg)
AWS Security – Shared Responsibility Model
• AWS and its customers share control over the IT environment; both parties have responsibility for managing it.
• AWS' part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.
• The customers' responsibility includes configuring their IT environments in a secure and controlled manner for their purposes.
• While customers don't share their use and configurations with AWS, AWS does share its security and control environment relevant to customers.
![Page 9: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/9.jpg)
AWS Shared Responsibility (aws.amazon.com/compliance/shared-responsibility-model)
You get to define your controls IN the cloud (customer responsibility):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
AWS takes care of security OF the cloud (AWS responsibility):
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
![Page 10: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/10.jpg)
AWS Security: Protection and Certification
Security Features in the Customer Environment: Amazon Inspector, AWS WAF, AWS Config Rules, EU Model Clauses, Identity Management, Access Control, Usage Auditing, Key Storage, Monitoring and Logs
Customer Security and Compliance:
• Advanced security protection
• Enhanced auditability
• EU Data Privacy
• Financial Reporting
• Financial Services
• Healthcare/Life Sciences
• Local requirements
AWS Investment: Security
![Page 11: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/11.jpg)
Audit & Certification Compliance Overview
![Page 12: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/12.jpg)
Tao of Cloud Compliance
1. Partner: the cloud tech SMEs and the security/ compliance SMEs
2. Integrate: industry standards, independent benchmarking, regulatory requirements
3. Design and Package: Create a master design that meets internal and external requirements
4. Constrain: enforce deployment to that design
5. Deploy: mechanize a scalable governance and auditing program
![Page 13: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/13.jpg)
Step 1: Partner the cloud tech SMEs and the security/ compliance SMEs
![Page 14: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/14.jpg)
Customer Governance Model: Permanent Supervision
AWS Best Practices
Industry Standards
AWS Architecture for Standards
Internal & Regulatory Requirements
Service Documentation
AWS Workbooks
AWS Technology Resources (the shared responsibility stack):
• Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Agreements
![Page 15: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/15.jpg)
Step 2: Integrate industry standards, independent benchmarking, regulatory requirements
![Page 16: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/16.jpg)
Industry Standards and Benchmarking
CIS Amazon Web Services Foundations Benchmark v1.0.0
Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
![Page 17: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/17.jpg)
FFIEC Assessment Guide for AWS
![Page 18: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/18.jpg)
Step 3: Create a master design that meets internal and external requirements
![Page 19: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/19.jpg)
Create a golden environment
Using baseline requirements to create a gold OS image
Configure use of AWS services, for example:
Amazon S3: Force SSE; Turn on logging; Specify retention; Set Amazon Glacier archiving; Prevent external access; Specify overriding permissions; Set event notifications
Amazon EBS: Define volume type; Volume size limits; IOPS (input/output) performance; Data location – regions; Snapshot (backup) ID; Encryption requirements
Amazon Redshift: Cluster type (single or multi); Encryption (KMS or HSM); VPC location; External access (yes/no); Security groups applied; Create SNS topic; Enforce Amazon CloudWatch alarms
![Page 20: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/20.jpg)
Step 4: Enforce deployment to that design
![Page 21: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/21.jpg)
Enforce: AWS Service Catalog
Allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.
• Control which IT services and versions are available
• Control the configuration of the available services
• Control permission access by individual, group, department, or cost center
Provisioning Team creates and manages the Service Catalog; products are built from CloudFormation templates.
An AWS Service Catalog product is a deployable AWS CloudFormation template.
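Steps 3 and 4 together say: write the master design down, then let only templates that match it become Service Catalog products. The following is an added example, not code from the talk or from AWS, of the gate a provisioning team could run on a CloudFormation template before publishing it. It encodes the S3, EBS and Redshift columns of the golden-environment slide as checks on the template's resource properties (the property names are the real CloudFormation ones); the thresholds in BASELINE, the resource names and the sample template are constructed for the example.

```python
"""Template gate for the golden design (added example, not AWS code).

Lints a CloudFormation template before it is published as a Service Catalog
product, so only resources matching the master design can be deployed.
The thresholds in BASELINE are constructed for this example.
"""
import json

BASELINE = {
    "min_retention_days": 365,              # hypothetical retention floor
    "allowed_volume_types": {"gp2", "io1"},  # hypothetical approved EBS types
    "max_volume_size_gib": 1024,
}
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")


def s3_findings(name, props):
    """Amazon S3 column: force SSE, logging, retention, Glacier, no external access, notifications."""
    findings = []
    sse_rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
               for r in sse_rules):
        findings.append(f"{name}: server-side encryption is not forced")
    if not props.get("LoggingConfiguration", {}).get("DestinationBucketName"):
        findings.append(f"{name}: access logging is off")
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    if not any(t.get("StorageClass") == "GLACIER" for r in rules for t in r.get("Transitions", [])):
        findings.append(f"{name}: no Amazon Glacier archiving transition")
    expirations = [r["ExpirationInDays"] for r in rules if "ExpirationInDays" in r]
    if not expirations or min(expirations) < BASELINE["min_retention_days"]:
        findings.append(f"{name}: retention unspecified or below {BASELINE['min_retention_days']} days")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_ACCESS_KEYS):
        findings.append(f"{name}: external access is not blocked")
    if not props.get("NotificationConfiguration"):
        findings.append(f"{name}: no event notifications configured")
    return findings


def ebs_findings(name, props):
    """Amazon EBS column: volume type, size limit, encryption."""
    findings = []
    if props.get("VolumeType") not in BASELINE["allowed_volume_types"]:
        findings.append(f"{name}: volume type {props.get('VolumeType')} is not in the design")
    if props.get("Size", 0) > BASELINE["max_volume_size_gib"]:
        findings.append(f"{name}: volume exceeds {BASELINE['max_volume_size_gib']} GiB")
    if props.get("Encrypted") is not True:
        findings.append(f"{name}: volume is not encrypted")
    return findings


def redshift_findings(name, props):
    """Amazon Redshift column: encryption, VPC placement, no external access, security groups."""
    findings = []
    if props.get("Encrypted") is not True:
        findings.append(f"{name}: cluster is not encrypted")
    if props.get("PubliclyAccessible") is not False:
        findings.append(f"{name}: external access is not explicitly disabled")
    if not props.get("VpcSecurityGroupIds"):
        findings.append(f"{name}: no security groups applied")
    if not props.get("ClusterSubnetGroupName"):
        findings.append(f"{name}: cluster is not placed in a VPC subnet group")
    return findings


CHECKS = {"AWS::S3::Bucket": s3_findings, "AWS::EC2::Volume": ebs_findings,
          "AWS::Redshift::Cluster": redshift_findings}


def lint_template(template):
    """Return every deviation from the golden design found in a parsed template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


def gate(template_json):
    """True when the template may be published as a Service Catalog product."""
    return not lint_template(json.loads(template_json))


# Constructed sample: one bucket and the cluster match the design; one bucket
# and the volume do not. Unrelated required properties are omitted.
SAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "GoldBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "example-log-bucket"},
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "ExpirationInDays": 2555,
            "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 90}]}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_KEYS, True),
        "NotificationConfiguration": {"TopicConfigurations": [
            {"Event": "s3:ObjectRemoved:*", "Topic": "arn:aws:sns:us-east-1:111111111111:example-topic"}]}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "LoggingConfiguration": {"DestinationBucketName": "example-log-bucket"}}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
        "AvailabilityZone": "us-east-1a", "Size": 2048, "VolumeType": "st1", "Encrypted": False}},
    "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {
        "ClusterType": "multi-node", "NumberOfNodes": 2, "NodeType": "dc2.large",
        "Encrypted": True, "KmsKeyId": "example-kms-key", "PubliclyAccessible": False,
        "VpcSecurityGroupIds": ["sg-example"], "ClusterSubnetGroupName": "example-private"}},
}}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
    print("gate passed" if gate(json.dumps(SAMPLE_TEMPLATE)) else "gate blocked")
```

Run on the sample, the gate blocks the template and lists five deviations for ScratchBucket and three for DataVolume while GoldBucket and Warehouse pass clean; wiring `gate()` into the pipeline that publishes products is what turns the written design into the "constrain" step.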
![Page 22: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/22.jpg)
Step 5: Mechanize a scalable governance and auditing program
![Page 23: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/23.jpg)
Governance & Auditing Program
![Page 24: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/24.jpg)
Tech Automation via Cloud: Automate deployments, provisioning, and configurations of the AWS customer environments
• CloudFormation (Design, Package): Template → Stack (Instances, Apps, Resources)
• Service Catalog (Constrain, Deploy): Products, Portfolios
• Identity & Access Management: Set Permissions
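Step 5 asks for a governance and auditing program that scales, and slide 10 names AWS Config Rules among the features available for it. The following added example (not the talk's or AWS's own code) is a custom Config rule handler that evaluates every recorded configuration change against the EBS and Redshift columns of the golden design and reports each resource as COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. The invocation event shape and the `put_evaluations` call are the real Config ones; the lowerCamelCase field names inside the item's `configuration`, the thresholds in BASELINE and the sample events are assumptions constructed for the example and should be checked against a real configuration item.

```python
"""Custom AWS Config rule for the golden design (added example, not AWS code).

Each configuration change Config records is evaluated against the EBS and
Redshift columns of the master design. The lowerCamelCase field names inside
"configuration" are an assumption modelled on Config's configuration items;
verify them against a real item before relying on this.
"""
import json

BASELINE = {"allowed_volume_types": {"gp2", "io1"}, "max_volume_size_gib": 1024}  # constructed


def check_volume(cfg):
    """Amazon EBS column: encryption, volume type, size limit."""
    problems = []
    if not cfg.get("encrypted"):
        problems.append("volume is not encrypted")
    if cfg.get("volumeType") not in BASELINE["allowed_volume_types"]:
        problems.append(f"volume type {cfg.get('volumeType')} is not in the design")
    if cfg.get("size", 0) > BASELINE["max_volume_size_gib"]:
        problems.append(f"volume exceeds {BASELINE['max_volume_size_gib']} GiB")
    return problems


def check_redshift(cfg):
    """Amazon Redshift column: encryption, no external access, security groups, VPC placement."""
    problems = []
    if not cfg.get("encrypted"):
        problems.append("cluster is not encrypted")
    if cfg.get("publiclyAccessible"):
        problems.append("cluster is publicly accessible")
    if not cfg.get("vpcSecurityGroups"):
        problems.append("no VPC security groups applied")
    if not cfg.get("clusterSubnetGroupName"):
        problems.append("cluster is not in a VPC subnet group")
    return problems


CHECKS = {"AWS::EC2::Volume": check_volume, "AWS::Redshift::Cluster": check_redshift}
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")


def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    check = CHECKS.get(item.get("resourceType"))
    if check is None:
        return "NOT_APPLICABLE", "resource type not covered by the design"
    problems = check(item.get("configuration") or {})
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "matches the golden design"


def build_evaluation(event):
    """Turn the Config invocation event into the evaluation record Config expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; the boto3 Config client is injected so the logic runs offline."""
    evaluation = build_evaluation(event)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


def make_event(resource_type, resource_id, configuration, status="OK"):
    """Constructed invocation event in the shape Config sends to a custom rule."""
    item = {"resourceType": resource_type, "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2016-10-01T00:00:00.000Z",
            "configuration": configuration}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "resultToken": "example-result-token"}


if __name__ == "__main__":
    samples = [
        make_event("AWS::EC2::Volume", "vol-example-1",
                   {"encrypted": False, "volumeType": "st1", "size": 2048}),
        make_event("AWS::EC2::Volume", "vol-example-2",
                   {"encrypted": True, "volumeType": "gp2", "size": 100}),
        make_event("AWS::Redshift::Cluster", "example-cluster",
                   {"encrypted": True, "publiclyAccessible": True,
                    "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-example"}],
                    "clusterSubnetGroupName": "example-private"}),
    ]
    for event in samples:
        print(lambda_handler(event, None))
```

Deployed as a Lambda function behind a Config custom rule, `lambda_handler` runs on every change Config records and the `put_evaluations` call feeds the Config compliance dashboard, so the same design written into the template gate is continuously re-checked on live resources; keeping `evaluate()` free of AWS calls is what makes the rule testable before it is deployed.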
![Page 25: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/25.jpg)
Best Practices for a Strong Compliance Defense
1. How is the entity using the cloud?
2. Is the entity leveraging credible, third-party assessments?
3. Has the entity benchmarked their use of the cloud against CIS or another independent body?
4. How do they monitor use of the cloud?
5. How has application, logical access, resiliency, governance changed?
![Page 26: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5878fc791a28ab49608b6cc9/html5/thumbnails/26.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Financial Services Compliance Strategist at AWS
Thank You!