TRANSCRIPT
Compliance and Security in a Cloud-First Era
• Regions:
– Dublin (EU-West) – 3 x Availability Zones, launched in 2007
– Frankfurt (EU-Central) – 2 x Availability Zones, launched in 2014
• Edge Locations: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; and Warsaw, Poland
• Direct Connect POPs: Dublin, London, Frankfurt
[Slide: AWS shared responsibility model]
AWS is responsible for the security OF the Cloud:
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
– AWS Foundation Services: Compute, Storage, Database, Networking
Customers are responsible for their security IN the Cloud:
– Customer applications & content (optional: opaque data, 1's and 0's, in transit / at rest)
– Platform & Applications Management; Identity & Access Management (managed by AWS IAM and by Customer IAM)
– Operating System, Network & Firewall Configuration
– Client-Side Data Encryption & Data Integrity Authentication
– Server-Side Encryption (File System and/or Data): protection of data at rest
– Network Traffic Protection (Encryption / Integrity / Identity): protection of data in transit

[The same slide is shown three more times, each highlighting one layer of the customer's responsibility: first the encryption and traffic-protection layers alongside AWS IAM and Customer IAM; then Firewall Configuration, separated out from Operating System and Network Configuration; and finally the case of platform services, where Server-Side Encryption (protection of data at rest) and Network Traffic Protection (protection of data in transit) are provided by the platform, with access managed through AWS IAM.]
Security cannot be a blocker of innovative business
“…We’ll also see organizations adopt
cloud services for the improved
security protections and compliance
controls that they otherwise could not
provide as efficiently or effectively
themselves.”
- Security’s Cloud Revolution Is Upon Us,
Forrester Research, Inc., August 2, 2013
Singapore MTCS
[Slide: customer certifications built on AWS baseline controls]
– Built on AWS consistent baseline controls: AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) and AWS Foundation Services (Compute, Storage, Database, Networking)
– Customers add their own accreditation, their own certifications and their own external audits
– Customer scope and effort is reduced; better results through focused efforts
© TÜV TRUST IT GmbH –
Unternehmensgruppe TÜV AUSTRIA
Defining the information domain
Structure analysis
Modeling the domain
Based on the whitepaper “IT Grundschutz compliance on Amazon Web Services”.
Source: BSI-Standard 100-1, Information Security Management Systems (ISMS), Version 1.5, p. 10
Information domain: the infrastructure, organization, staff and technical objects that are used for information processing.
Components of the information domain: organization, infrastructure, IT systems, applications, employees.
An information domain can include entire institutions or single areas, or focus on, e.g., certain applications.
The information domain is essentially the scope of an ISMS and of the related certification.
Noteworthy: the BSI issues ISO 27001 certificates on the basis of IT-Grundschutz; IT-Grundschutz is therefore fully compatible with ISO 27001 and ISO 27002.
Structure analysis: a detailed description of every part of the information domain, generally based on a network plan.
When external providers are used (“outsourcing”), the interfaces to them must be included in the documentation.
Result: a list of components that are relevant for the IT-Grundschutz methodology.
In an AWS context, the components are located both at the customer and at AWS.
Security IN the cloud: responsibility of the customer
Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
Security OF the cloud: responsibility of AWS
Security of the cloud refers to how AWS manages the security of the cloud's underlying infrastructure. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the AWS services operate.
Conclusion for IT-Grundschutz: there are modules to be addressed by the customer (security in the cloud) and modules to be delivered by AWS (security of the cloud).
Modeling the domain: the information domain is replicated using the modules and the related instructions found in the IT-Grundschutz catalogues.
Modules structure the recommendations of the IT-Grundschutz catalogues into technical components or organizational measures, each with its respective security measures, selected according to the protection requirements of the components.
Examples of modules that need to be addressed by the customer:
M 1.11 Outsourcing
M 1.12 Archiving
The customer does not have to implement a module itself if the corresponding task has been completely transferred to AWS; some modules, however, need to be addressed by both sides.
Examples of modules that need to be delivered by AWS:
M 2.1 General building
M 2.2 Electric cabling
M 2.9 Data centers
M 2.12 IT-cabling
The whitepaper “IT Grundschutz compliance on Amazon Web Services” contains more details on the modules.
Contents of the whitepaper:
Abstract
Section 1 – Customer View
– Description of the IT-Grundschutz catalogues to be modeled
– Modules to be addressed by the customer
– Implementing catalogue M 1.11 Outsourcing
– Modules to be delivered by AWS
Section 2 – AWS View
– Description of what needs to be provided by the customer
– Covering requirements with existing AWS certifications or measures
– AWS alignment to BSI IT-Grundschutz
Company: UK-based global communications platform that captures communications data for call centers.
Challenge: must comply with PCI DSS so that its customers can process payment card data on the platform.
Results: PCI DSS certified on AWS; also SOC 1 Type 2 audited and ISO 27001 certified.
http://d36cz9buwru1tt.cloudfront.net/Cognia-Case-Study.pdf
Company: France-based insurance and healthcare coverage company, responsible for the secure use and storage of confidential customer information.
Challenge: move critical IT to AWS and comply with the Solvency II Directive (EU insurance regulation).
Results: moved to AWS, realized the cloud benefits (financial, security, scalability, availability, resiliency) and remains fully compliant with Solvency II and its other compliance requirements. The company is moving its other environments onto AWS.
http://aws.amazon.com/solutions/case-studies/smatis/
https://run.qwiklab.com/
awscompliance