cloud security, risk and compliance on aws


Upload: karim-hopper

Post on 07-Jan-2017


TRANSCRIPT

Page 1: Cloud Security, Risk and Compliance on AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Karim Hopper, Solution Architecture APAC

27 May 2015

Governance, Risk and Compliance Considerations for the Cloud

Hong Kong

Page 2: Cloud Security, Risk and Compliance on AWS

Demonstrating Compliance

Page 3: Cloud Security, Risk and Compliance on AWS

AWS Assurance Programs

Consistent, regular and exhaustive 3rd party evaluations

Page 4: Cloud Security, Risk and Compliance on AWS

Customers control how they manage their own risks

AWS Managed and Audited Controls (AWS): SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001

AWS Provided, Customer Configured and Managed Controls: Virtual Private Cloud, Key Management, Logging, other AWS features and services

Customer Provided and Managed Controls (Customers): Classification, Security Policy, Encryption, Governance, ITDaM, ITSM, Monitoring, Operations, Malware, Risk Management

Customer Risk Appetite and Desired Control Environment: Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance

Page 5: Cloud Security, Risk and Compliance on AWS

Compliance Programs

Reports and letters of attestation are available for a number of certifications

SOC 1 (Type 2) Controls safeguarding customer data; auditor validated over a 6 month period. Evaluates control design, and evidence of controls working (Formerly SAS 70)

SOC 2 (Type 2) Provides additional transparency into AWS security and availability, including BCP

ISO 27001 Widely adopted global security standard for ISMS. Evaluates management of information security risks that affect confidentiality, integrity and availability of company and customer information

PCI DSS Level 3.0 Customers can run PCI compliant technology infrastructure for storing, processing and transmitting credit card information to the cloud

Page 6: Cloud Security, Risk and Compliance on AWS

Security Shared Responsibility Model

AWS

AWS is responsible for the security OF the cloud

AWS Foundation Services: Hypervisor, Compute, Storage, Network

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 7: Cloud Security, Risk and Compliance on AWS

Security Shared Responsibility Model

Customers

Customer applications and content

Platform, Applications, Identity and Access Management

Operating System, Network and Firewall Configuration

Client-side data encryption; Server-side data encryption; Network Traffic Protection

The customer is responsible for configuring security IN the cloud

AWS

AWS Foundation Services: Hypervisor, Compute, Storage, Network

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the cloud

Page 8: Cloud Security, Risk and Compliance on AWS

Data Locality

Customer chooses where to place data

AWS regions are geographically isolated by design

Data is not replicated to other AWS regions and doesn’t move unless you choose to move it

Page 9: Cloud Security, Risk and Compliance on AWS

AWS Employee Access

Staff vetting and enforcement of the principle of least privilege

• No logical access to customer instances

• Control-plane access limited and monitored: bastion hosts, least-privileged model, zoned data center access

• Access based on strict business needs

• Separate privileged account management systems

Page 10: Cloud Security, Risk and Compliance on AWS

For more on compliance… http://aws.amazon.com/compliance

• Whitepapers

• Work books

• Reference Architectures

• Security and privacy resources

Page 11: Cloud Security, Risk and Compliance on AWS

Security is our #1 priority

Page 12: Cloud Security, Risk and Compliance on AWS

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”

Tom Soderstrom, CTO, NASA JPL

Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.

Source: IDC 2013 U.S. Cloud Security Survey

doc #242836, September 2013

Page 13: Cloud Security, Risk and Compliance on AWS

AWS Security in Context

VISIBILITY

AUDITABILITY

CONTROL

AGILITY

Customers get more…

Through our…

Page 14: Cloud Security, Risk and Compliance on AWS

Visibility

Page 15: Cloud Security, Risk and Compliance on AWS

Visibility

Customers can see their entire infrastructure at the click of a mouse. Using AWS CloudTrail, customers can continuously record activities happening on the AWS platform.

Page 16: Cloud Security, Risk and Compliance on AWS

Use cases enabled by AWS CloudTrail

Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns

Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes

Troubleshoot Operational Issues: identify the most recent actions made to resources in your AWS account

Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards
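The first two use cases above (security analysis and tracking resource changes) amount to reading CloudTrail log files and running detections over them. The following is an added example, not code from the slides or from AWS: it parses a constructed CloudTrail log file (field names follow the CloudTrail record format, but every account id, ARN, IP address and user name is a placeholder) and flags a security group opened to the world, a console login without MFA, an IAM permission change and an attempt to stop logging, while tallying write activity per user. The watched event lists and the read-only prefix heuristic are assumptions a team would tune for its own account.

```python
import json
from collections import Counter, defaultdict

# Constructed sample CloudTrail log file (not real account data). Field names
# follow the CloudTrail record format; ids, ARNs, IPs and users are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventTime": "2015-05-27T01:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.03", "eventTime": "2015-05-27T01:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.03", "eventTime": "2015-05-27T01:10:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob", "policyName": "inline-admin"}},
    {"eventVersion": "1.03", "eventTime": "2015-05-27T01:12:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventVersion": "1.03", "eventTime": "2015-05-27T01:20:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "audit-trail"}},
]})

# Assumed watch lists: IAM calls that change who may do what, and CloudTrail
# calls that reduce the audit trail itself. Tune these for your own account.
IAM_PRIVILEGE_EVENTS = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
                        "PutRolePolicy", "CreateAccessKey", "AddUserToGroup"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Heuristic: API names with these prefixes only read state, so they are not "writes".
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def world_open_ingress(record):
    """Return (fromPort, toPort) pairs that an ingress call opened to 0.0.0.0/0."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    opened = []
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                opened.append((perm.get("fromPort"), perm.get("toPort")))
    return opened


def classify(record):
    """Map one CloudTrail record to a finding string, or None when it is benign."""
    name = record["eventName"]
    user = record.get("userIdentity", {}).get("userName", "unknown")
    if name == "AuthorizeSecurityGroupIngress":
        ports = world_open_ingress(record)
        if ports:
            group = record["requestParameters"]["groupId"]
            return f"{user} opened {group} to 0.0.0.0/0 on ports {ports}"
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        return f"{user} console login without MFA from {record['sourceIPAddress']}"
    if record["eventSource"] == "iam.amazonaws.com" and name in IAM_PRIVILEGE_EVENTS:
        return f"{user} changed IAM permissions via {name}"
    if record["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        return f"{user} altered CloudTrail logging via {name}"
    return None


def analyze(log_text):
    """Run the detections over one CloudTrail log file and tally write calls per user."""
    records = json.loads(log_text)["Records"]
    findings = []
    writes_by_user = defaultdict(Counter)
    for rec in records:
        finding = classify(rec)
        if finding:
            findings.append(finding)
        if not rec["eventName"].startswith(READ_ONLY_PREFIXES):
            user = rec.get("userIdentity", {}).get("userName", "unknown")
            writes_by_user[user][f"{rec['eventSource']}:{rec['eventName']}"] += 1
    return {"findings": findings,
            "writes_by_user": {u: dict(c) for u, c in writes_by_user.items()}}


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

In practice the input is the gzipped JSON that CloudTrail delivers to S3; `analyze` takes the decoded text so the same code can be fed from a file, an SQS notification handler or a log-management pipeline. The StopLogging detection is the one to treat as highest priority, because every other detection depends on the trail continuing to run.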

Page 17: Cloud Security, Risk and Compliance on AWS

Visibility

AWS Trusted Advisor: recommends security best practices (identifies potential security issues)

Page 18: Cloud Security, Risk and Compliance on AWS

Auditability

Page 19: Cloud Security, Risk and Compliance on AWS

Auditability

The AWS Config Service lets customers audit the historical configuration of resources and send notifications when those resources change

Use Cases

• Security Analysis: Am I safe?

• Audit Compliance: Where is the evidence?

• Change Management: What will this change affect?

• Troubleshooting: What has changed?

Page 20: Cloud Security, Risk and Compliance on AWS

Auditability

AWS Config Service: review the historical configuration of resources and send notifications when those resources change
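The Config slides describe two operations: keeping the configuration history of each resource and notifying on change, which is what answers "What has changed?" in an audit. The following is an added example, not code from the slides or from AWS: it takes a constructed list of configuration items (the `resourceType`, `resourceId`, `configurationItemCaptureTime` and `configurationItemStatus` fields follow Config's naming, but the `configuration` bodies are simplified placeholders, not real Config output), orders them per resource, diffs consecutive snapshots property by property and renders the notification lines a change pipeline would emit. The flattening into dotted paths is an assumption of this example, chosen so that nested and list-valued properties diff cleanly.

```python
import json
from collections import defaultdict

# Constructed sample configuration items in the spirit of AWS Config's
# configuration history (not real Config output; "configuration" bodies are
# simplified). Timestamps and resource ids are placeholders.
SAMPLE_ITEMS = json.dumps([
    {"configurationItemCaptureTime": "2015-05-27T00:00:00Z",
     "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd",
     "configurationItemStatus": "ResourceDiscovered",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
    {"configurationItemCaptureTime": "2015-05-27T01:00:00Z",
     "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd",
     "configurationItemStatus": "OK",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    {"configurationItemCaptureTime": "2015-05-27T00:00:00Z",
     "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0abc1234",
     "configurationItemStatus": "ResourceDiscovered",
     "configuration": {"encrypted": True, "size": 100}},
    {"configurationItemCaptureTime": "2015-05-27T02:00:00Z",
     "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0abc1234",
     "configurationItemStatus": "ResourceDeleted",
     "configuration": None},
])


def flatten(obj, prefix=""):
    """Flatten nested JSON into {dotted.path: value} so any two snapshots diff cleanly."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_items(before, after):
    """Return the properties that differ between two configuration items of one resource."""
    old = flatten(before.get("configuration") or {})
    new = flatten(after.get("configuration") or {})
    changes = {}
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes[key] = {"previous": old.get(key), "updated": new.get(key)}
    return changes


def configuration_history(items_text):
    """Group items by resource, order them by capture time and diff consecutive snapshots."""
    by_resource = defaultdict(list)
    for item in json.loads(items_text):
        by_resource[(item["resourceType"], item["resourceId"])].append(item)
    history = {}
    for key, items in by_resource.items():
        items.sort(key=lambda i: i["configurationItemCaptureTime"])
        events = []
        for prev, cur in zip(items, items[1:]):
            events.append({"at": cur["configurationItemCaptureTime"],
                           "status": cur["configurationItemStatus"],
                           "changes": diff_items(prev, cur)})
        history[key] = events
    return history


def notify(history):
    """Render one notification line per changed property (or per deletion)."""
    lines = []
    for (rtype, rid), events in sorted(history.items()):
        for event in events:
            if event["status"] == "ResourceDeleted":
                lines.append(f"{event['at']} {rtype} {rid} deleted")
                continue
            for path, change in event["changes"].items():
                lines.append(f"{event['at']} {rtype} {rid} {path}: "
                             f"{change['previous']!r} -> {change['updated']!r}")
    return lines


if __name__ == "__main__":
    for line in notify(configuration_history(SAMPLE_ITEMS)):
        print(line)
```

The diff output for the security group shows a new `ipPermissions.1.*` entry opening port 22 to `0.0.0.0/0`, which is the kind of line an auditor wants alongside the CloudTrail record of who made the call; the volume's history ends in a single deletion notice rather than a list of properties going to null.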

Page 21: Cloud Security, Risk and Compliance on AWS

Control

Page 22: Cloud Security, Risk and Compliance on AWS

Control

AWS offers several flexible encryption options

Each option is described by three layers (Encryption Method, Key Storage, Key Management / KMI), ranging from AWS Managed to Customer Managed:

A. AWS manages the method, storage and KMI (AWS Key Management Service)

B. AWS provides key storage; the customer manages the encryption method and the management layer of the KMI (AWS CloudHSM)

C. Customer controls everything, e.g. KMI / keys stored on-premise and client-side encryption used

Page 23: Cloud Security, Risk and Compliance on AWS

Control

AWS Key Management Service

• A managed service that makes it easy for you to create, control, and use your encryption keys

• Integrated with AWS SDKs and AWS services including storage, compute and database / data warehouse

• CloudTrail support

AWS CloudHSM

• Dedicated SafeNet Luna-based solution (FIPS 140-2 compliant)

Page 24: Cloud Security, Risk and Compliance on AWS

Control

Data Destruction

• Storage media destroyed before being permitted outside our datacenters

• Media destruction consistent with US Dept. of Defense Directive 5220.22

Page 25: Cloud Security, Risk and Compliance on AWS

Control – Customers choose what they need

Defense in depth

• Application log file capture

• Isolated, private networking environments

• Fine grained access controls

• Segregation of duties

• Multi-factor authentication, identity federation

• Single tenant / dedicated servers

• Direct connections

• HSM-based key storage

• Multiple tiers of firewalls

Services: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect

AWS delivers more control and granularity

Page 26: Cloud Security, Risk and Compliance on AWS

Agility

Page 27: Cloud Security, Risk and Compliance on AWS

29 New Security Features year to date

RDS Encryption using KMS

Oracle TDE with CloudHSM

S3 Endpoints in VPC

IAM Managed Policies

Glacier Vault Access Policies

Page 28: Cloud Security, Risk and Compliance on AWS

AWS Security Organization

CEO Amazon.com

Chief Info. Security Officer (CISO)

• Operations

• Engineering

• Application Security

• Compliance

Amazon’s Culture

• Everyone’s an owner

• Decentralize – security engineers are embedded in service teams

• Executive accountability

• Metrics driven – measuring constantly

• Five Why’s to establish the cause of error

• Test Constantly

• Understand normal and then identify anomalies

Page 29: Cloud Security, Risk and Compliance on AWS

Thank you

aws.amazon.com/compliance

aws.amazon.com/security

http://www.linkedin.com/in/karimhopper