Compliance and Security in a Cloud-First Era

Posted on 25-Jul-2020


Page 1: Compliance and Security in a Cloud-First Eraaws-de-media.s3.amazonaws.com/images/AWS Summit... · cloud services for the improved security protections and compliance controls that

Compliance and Security in a Cloud-First Era

Page 6

• Regions:
– Dublin (EU-West) – 3 x Availability Zones, launched in 2007
– Frankfurt (EU-Central) – 2 x Availability Zones, launched 2014

• Edge Locations: Amsterdam, The Netherlands (2), Dublin, Ireland, Frankfurt, Germany (3), London, England (3), Madrid, Spain, Marseille, France, Milan, Italy, Paris, France (2), Stockholm, Sweden, and Warsaw, Poland

• Direct Connect POPs: Dublin, London, Frankfurt

Page 9

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer applications & content

Shared responsibility: Customers are responsible for their security IN the Cloud. AWS is responsible for the security OF the Cloud.

Page 10

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Managed by: AWS (AWS IAM) and Customers (Customer IAM)

Customers: Customer content; Platform & Applications Management; Operating System, Network & Firewall Configuration; Client-Side Data Encryption & Data Integrity Authentication; Server-Side Encryption (File System and/or Data); Network Traffic Protection (Encryption / Integrity / Identity)

Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Page 11

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Managed by: AWS (AWS IAM) and Customers (Customer IAM)

Customers: Customer content; Platform & Applications Management; Operating System, Network Configuration; Firewall Configuration; Client-Side Data Encryption & Data Integrity Authentication; Network Traffic Protection (Encryption / Integrity / Identity)

Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Page 12

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Managed by: AWS (AWS IAM) and Customers

Customers: Customer content; Platform & Applications Management; Operating System, Network & Firewall Configuration; Client-Side Data Encryption & Data Integrity Authentication

Platform: Server Side Encryption by the Platform – Protection of Data at Rest; Network Traffic Protection by the Platform – Protection of Data in Transit

Optional – Opaque Data: 1’s and 0’s (in flight / at rest)

Page 14

Security cannot be a blocker of innovative business

Page 17

“…We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”

- Security’s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013

Page 18

Singapore MTCS

Page 27

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers: Your own accreditation, Your own certifications, Your own external audits

Customer scope and effort is reduced. Better results through focused efforts. Built on AWS consistent baseline controls.

Page 28

© TÜV TRUST IT GmbH – Unternehmensgruppe TÜV AUSTRIA

Page 29

Defining the information domain

Structure analysis

Modeling the domain

Based on the whitepaper “IT Grundschutz compliance on Amazon Web Services”.

Page 30

Source: BSI-Standard 100-1, Information Security Management Systems (ISMS), Version 1.5, p. 10

Page 31

Information domain: infrastructure, organization, staff and technical objects that are used for information processing.

Organization, Infrastructure, IT systems, Applications, Employees

Information domain can include entire institutions or single areas, or focus on e.g. certain applications.

Information domain is essentially the scope of an ISMS and the related certification.

Noteworthy: IT Grundschutz is certified on the basis of ISO 27001; therefore, IT Grundschutz is fully compatible with ISO 27001 and 27002.

Page 32

Detailed description of any part of the information domain. Generally based on a network plan.

When using external providers (“outsourcing”), interfaces must be included in the documentation.

Result: a list of components that are relevant for the IT Grundschutz methodology.

In an AWS context, the components are located both at the customer and at AWS.

Page 33

Security IN the cloud – responsibility of the customer

Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.

Security OF the cloud

Security of the cloud refers to how AWS manages the security of the cloud’s underlying infrastructure. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the AWS services operate.

Conclusion – IT Grundschutz modules to be addressed by the customer (security in the cloud); modules to be delivered by AWS (security of the cloud).

Page 34

Replicating the information domain using the modules and related instructions found in the IT Grundschutz catalogues.

Modules are used for structuring the recommendations of the IT-Grundschutz catalogues into technical components or organizational measures, with respective security measures, based on the protection requirements of the components.

Examples for modules that need to be addressed by the customer:

M 1.11 Outsourcing

M 1.12 Archiving

Page 35

The customer does not have to implement the respective modules if a task has been completely transferred to AWS. Some modules need to be addressed by both sides.

Examples for modules that need to be addressed by AWS:

M 2.1 General building

M 2.2 Electric cabling

M 2.9 Data centers

M 2.12 IT-cabling

The Whitepaper “IT Grundschutz compliance on Amazon Web Services” contains more details on modules.

Page 36

Contents of the whitepaper:

Abstract

Section 1 – Customer View
    Description of the IT-Grundschutz catalogues to be modeled
    Modules to be addressed by the customer
    Implementing catalogue M 1.11 Outsourcing
    Modules to be delivered by AWS

Section 2 – AWS View
    Description of what needs to be provided by the customer
    Covering requirements with existing AWS certifications or measures
    AWS Alignment to BSI IT-Grundschutz

Page 40

Company: UK-based global communications platform for call centers to capture communications data

Challenge: must comply with PCI DSS so their customers can process payment card data on the platform

Results: PCI certified on AWS; also SOC 1 Type 2 audited, ISO 27001 certified

http://d36cz9buwru1tt.cloudfront.net/Cognia-Case-Study.pdf

Page 41

Company: France-based insurance and healthcare coverage company, responsible for secure use and storage of confidential customer information

Challenge: move critical IT to AWS and comply with the Solvency II Directive (EU insurance regulation)

Results: Moved to AWS, realized cloud benefits (financial, security, scalability, availability, resiliency) and remain fully compliant with Solvency II and other compliance requirements. They are moving their other environments onto AWS.

http://aws.amazon.com/solutions/case-studies/smatis/

Page 45

https://run.qwiklab.com/

Page 46

awscompliance