Modernizing Technology Governance

TRANSCRIPT

Page 1: Modernizing Technology Governance

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Todd Gleason, Executive Cloud Strategist, AWS

October, 25 2016

Modernizing Technology Governance

Reducing Security Surface Area Through AWS Shared Responsibility and Applying Security-by-Design

Page 2: Modernizing Technology Governance

Over A Million Active Customers and Every Imaginable Use Case

1500+ Government Agencies

3600+ Education Institutions

190 Countries

11,200+ Nonprofits

Security is Job Zero

Page 3: Modernizing Technology Governance

Customer - Financial Services

"The financial services industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."

CIO, Capital One

Page 4: Modernizing Technology Governance

Customer - PCI-DSS

Using AWS, Vodafone created TopUp, a secure, PCI-compliant solution that makes it easy for its customers to buy credit for mobile phone SIM cards.

Page 5: Modernizing Technology Governance

Customer - Healthcare

Oscar Insurance built a technology and data-driven health insurance company from the ground up in just three months on AWS while meeting HIPAA compliance requirements.

Page 6: Modernizing Technology Governance

The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 7: Modernizing Technology Governance

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Assurance Programs

Page 8: Modernizing Technology Governance

Certifications / Attestations: DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3, UK Cyber Essentials, VPAT / Section 508

Laws / Regulations / Privacy: DNB [Netherlands], EAR, EU Model Clauses, EU Data Protection Directive, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia], PDPA - 2012 [Singapore], U.K. DPA - 1988, EU-US Privacy Shield, Spanish DPA Authorization

Alignments / Frameworks: CIS, CLIA, CJIS, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, UK Cloud Security Principles

Comprehensive Security and Compliance

Page 9: Modernizing Technology Governance

Foundational Certifications

ISO 9001: Global Quality Standard

ISO 27001: Security Management Standard

ISO 27017: Cloud Specific Controls

ISO 27018: PII Specific Controls

SOC 1: Audit Controls Report

SOC 2: Compliance Controls Report

SOC 3: General Controls Report

PCI DSS Level 1: Payment Card Standards

NIST 800-53: Risk Management Framework

Page 10: Modernizing Technology Governance

Financial Services Compliance Enablers

Federal Financial Institutions Examination Council (FFIEC) published a guide for financial services institutions, examiners, and advisors on the use and security architecture of AWS.

U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) published an overview of the OCIE Cybersecurity Initiative on cybersecurity preparedness in the securities industry. Outlines customer compliance responsibilities in relation to AWS.

U.S. Securities and Exchange Commission's (SEC) 17a-4(f) & CFTC 1.31(b)-(c) Compliance Assessment Report for Amazon Glacier with Vault Lock

Page 11: Modernizing Technology Governance

AWS Privacy and Data Security

Now that the Safe Harbor compliance scheme has been ruled invalid, can customers still use AWS and comply with EU law?

Yes – the EU data protection authorities’ approval of the AWS Data Protection Agreement and Model Clauses enables transfer of data outside Europe, including to the US.

Page 12: Modernizing Technology Governance

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Global Infrastructure

Page 13: Modernizing Technology Governance

AWS Global Infrastructure

14 Regions, 38 Availability Zones, 63 Edge Locations

You decide where you want to put content and controls

Page 14: Modernizing Technology Governance

Requirements From Every Industry

Nothing better for the entire community than a tough set of customers…

Everyone’s Systems and Applications

Financial Requirements, Health Care Requirements, Government Requirements

Global Infrastructure

Page 15: Modernizing Technology Governance

AWS Foundational Security Applies to Every Customer

AWS maintains a formal control environment:

• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type II and SOC 3 report
• ISO Certification (27001, 27017, 27018)
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• HIPAA and MPAA capable

Accredited experts (auditors) audit and validate the AWS cloud.

AWS is responsible for the security OF the Cloud:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 16: Modernizing Technology Governance

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Shared Responsibility

Page 17: Modernizing Technology Governance

Security is a Shared Responsibility

Customers are responsible for their security IN the Cloud:

• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS is responsible for the security OF the Cloud:

• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 18: Modernizing Technology Governance

AWS Shared Security Responsibility

Infrastructure Services

Platform Services

Abstracted Services

Security is Shared and Classified by Ownership

Page 19: Modernizing Technology Governance

AWS Shared Responsibility: for Infrastructure Services

Managed by customers:

• Customer Data
• Platform & Application Management
• Operating system, network, and firewall configuration
• Data Confidentiality: encryption at-rest / in-transit, authentication
• Data Availability: HA, DR/BC, resource scaling
• Data Integrity: access control, version control, backups
• Customer IAM
• AWS IAM

Managed by AWS:

• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 20: Modernizing Technology Governance

Infrastructure Services – Example Amazon EC2

AWS:

• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints

Customer:

• Customer Data
• Customer Application
• Operating System
• Network & Firewall (VPC)
• Customer IAM
• AWS IAM (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Instance Management
• Data Protection (In-transit, At-rest, Backup)

Page 21: Modernizing Technology Governance

AWS Shared Responsibility: for Platform Services

Managed by customers:

• Customer Data
• Client-side data encryption & data integrity authentication
• Network traffic protection: encryption / integrity / identity
• Customer IAM
• AWS IAM
• Firewall Configuration

Managed by AWS:

• Platform & Application Management
• Operating system & Network Configuration
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 22: Modernizing Technology Governance

Platform Services – Example RDS

AWS:

• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints
• Operating System
• Instance Management
• Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL)

Customer:

• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Data Protection (In-transit, At-rest, Backup)

Page 23: Modernizing Technology Governance

AWS Shared Responsibility: for Abstracted Services

Managed by customers:

• Customer Data
• Client-side data encryption, data integrity and authentication
• AWS IAM

Managed by AWS:

• Client-side data encryption provided by platform (protection of data at-rest)
• Network traffic encryption provided by platform (protection of data in-transit)
• Platform & Application Management
• Operating system, network, and firewall configuration
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 24: Modernizing Technology Governance

Platform Services – Example S3

AWS:

• Foundation Services (Network, Compute, Storage)
• AWS Global Infrastructure
• AWS Endpoints
• Platform / Application
• Data Protection (In-transit, At-rest)
• High-Availability / Scaling

Customer:

• Customer Data
• Data Protection (In-transit, At-rest)
• AWS IAM (Users, Groups, Roles, Policies)

Page 25: Modernizing Technology Governance

Approaches to Auditing

AWS services are regularly assessed against industry standards and requirements.

Policy or procedure controls are the responsibility of the customer.

Manage AWS services similar to traditional infrastructure services.

Access to AWS services should be treated like other privileged administrator access.

Page 26: Modernizing Technology Governance

Part of Your Compliance Work is Done

AWS:

• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

+ Customer:

• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• Account management
• Authorization policies

= Secure, compliant workloads

Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.

Page 27: Modernizing Technology Governance

What Does This Mean For You?

You benefit from an environment built for the most security sensitive organizations

AWS manages and validates testing against more than 3000 security controls so you don’t have to

You can define the right security controls for your workload sensitivity

You always have full ownership and control of your data

Page 28: Modernizing Technology Governance

Familiar Security Model

Validated and driven by customers’ security experts

Benefits all customers

Layers: People & Process, System, Network, Physical

Closing the Loop – AWS Shared Responsibility

Our pace of innovation, comprehensive security and compliance features allows you to measurably improve your security program.

Page 29: Modernizing Technology Governance

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Security by Design

Page 30: Modernizing Technology Governance

What is Security?

Practice of protecting your intellectual property from unauthorized access, use, or modification.

What are the key things that come to your mind when talking about Security?

• Visibility
• Auditability
• Controllability
• Agility
• Automation

Cloud goes beyond the traditional elements of security and adds…

Page 31: Modernizing Technology Governance

What is Security by Design (SbD)?

Modern, systematic security assurance approach

Formalizes AWS account design, automates security controls and streamlines auditing

Provides security control built in throughout the AWS IT management process

Effective Security is ubiquitous and automatic…

Page 32: Modernizing Technology Governance

Why is this important?

Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of information that needs to be safeguarded and the dynamic connectivity of data, applications, and users. A reliable security approach is needed to ensure data is safeguarded and available to authorized users and systems.

Confidentiality Integrity Availability

Page 33: Modernizing Technology Governance

Why - Modernize Technology Governance

The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.

[Diagram: Assets, Threat, Vulnerability, Risk]

Automation is needed to dominate governance through technology enablement.

Page 34: Modernizing Technology Governance

Approaching Security by Design

1. Understand your requirements

2. Build a “secure environment” that fits your requirements

3. Enforce the use of the templates

4. Perform validation activities

Page 35: Modernizing Technology Governance

Impact of Security by Design

• Creates a forcing function that cannot be overridden by users
• Establishes reliable operation of controls
• Enables continuous and real-time auditing
• Represents the technical scripting of your governance policy

Result: An automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.
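The four-step approach on Page 34 ends with enforcing templates and performing validation activities. As an added example that is not part of this deck, the Python below validates a constructed CloudFormation-style template against three of the customer-side controls the shared responsibility slides place IN the cloud for EC2: firewall (security group) configuration, data protection at rest, and IAM authorization policies. The sample template, the allowed-public-port set and the finding messages are assumptions made for the example.

```python
"""Added example: template validation for Security-by-Design step 4.

Checks a CloudFormation-style template (constructed here, not from the
deck) for a few customer-side controls from the shared responsibility
slides: firewall (VPC security group) configuration, data protection
at rest, and IAM authorization policies.
"""
import json

# Constructed sample template with one finding per control class.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DataVol": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument":
      {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}
  }
}""")

WORLD = ("0.0.0.0/0", "::/0")          # any-source CIDRs
ALLOWED_PUBLIC_PORTS = {80, 443}       # assumption: only web ports may be world-reachable

def validate(template):
    """Return a list of (logical_id, finding) tuples; an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                # A missing port range (e.g. IpProtocol "-1") means every port.
                ports = range(int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)) + 1)
                if cidr in WORLD and any(p not in ALLOWED_PUBLIC_PORTS for p in ports):
                    findings.append((name, f"ingress from {cidr} on {rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"))
        elif rtype == "AWS::EC2::Volume" and not props.get("Encrypted", False):
            findings.append((name, "EBS volume not encrypted at rest"))
        elif rtype == "AWS::IAM::Policy":
            for stmt in props.get("PolicyDocument", {}).get("Statement", []):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if stmt.get("Effect") == "Allow" and "*" in actions and stmt.get("Resource") == "*":
                    findings.append((name, "Allow */* grants unrestricted administrator access"))
    return findings

if __name__ == "__main__":
    for logical_id, msg in validate(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {msg}")
```

Run as a gate in the pipeline that deploys the templates, a non-empty result blocks the deployment, which is the forcing function the slides describe.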

Page 36: Modernizing Technology Governance

AWS Security & Compliance Resources

• AWS Risk & Compliance
• Introduction to AWS Security
• AWS Security Overview
• AWS Security Best Practices
• Security at Scale Whitepapers
• Customer penetration testing requests
• Security Partner Solutions
• Request more information by contacting us

aws.amazon.com/security

aws.amazon.com/compliance

Page 37: Modernizing Technology Governance

Thank you!