Post on 07-Sep-2014
transcript
AWS INTERNAL ONLY. © 2013 Amazon Web Services, Inc. and its affiliates. All rights reserved.
AWS Compliance Forum Introduction
October 22, 2013
Session
Your cloud compliance comfort and the AWS Compliance Forum tenets
Forum tenets:
• Connect you with AWS specialists
• Connect you with other AWS customers
• Provide you with industry/standard-specific compliance resources
Your cloud compliance comfort (poll results):
• Not comfortable: 23%
• Somewhat comfortable: 65%
• Very comfortable: 12%
Delivering on the AWS Compliance Forum tenets
What you shared: 97% of you want to connect with AWS specialists on how to architect your environment for compliance.
How we plan to meet your needs:
• Who: AWS Security Solutions Architects; AWS Compliance Architects; AWS Security, Risk, Compliance consultants
• How: Case studies; Use-case reference architectures; Discussion groups
What you shared: 98% want to connect with other AWS customers navigating compliance in the cloud.
How we plan to meet your needs:
• Who: Customers in your industry; Customers pursuing similar compliance certifications
• How: Small discussion groups based on industry and/or certification; 'Anonymized' stories about successes and challenges
What you shared: 99% want to learn how to interpret and implement your specific control requirements in the cloud.
How we plan to meet your needs:
• Who: AWS Compliance Architects; AWS Security, Risk, Compliance consultants
• How: One-on-one connection points between you and AWS; Use-case reference architectures
Which are you most interested in?
A. Connecting with AWS Security Solutions Architect
B. Connecting with AWS Compliance Architect
C. Connecting with AWS Security, Risk and Compliance professional services consultant
Sample of Industries Using AWS
http://aws.amazon.com/solutions/case-studies/all/
Dutch National Bank – A Key Milestone for the Cloud
Security is a Shared Responsibility
Managed by AWS (AWS Global Infrastructure):
• Facilities physical security
• Network infrastructure
• Storage infrastructure
• Compute infrastructure
• Virtualization layer
Managed by the customer:
• Guest operating system
• Network configuration
• Firewalls
• Applications
• Account management
• Users and roles
• Customer data
Building a Robust Program – Understand your Cloud Boundary
What services are you using? For example: Amazon EC2, Route 53, Amazon VPC, Amazon S3, Amazon EBS, DynamoDB
What is the Business Case / Use Case? For example:
• Big Data Analytics
• High performance Compute
• Sensitive Data Archiving & Storage
• Web Applications
Building a Robust Program – Your Control Set
Compliance of the Cloud (managed by AWS):
• Cloud Service Provider Controls
Compliance in the Cloud (managed by the customer):
• Cross-service Controls
• Service-specific Controls
• Optimized Network/OS/App Controls
Compliance of the Cloud – CSP Controls
Internal Controls + Industry Standards: identify all controls, then validate the CSP (AWS) controls against them.
Compliance in the Cloud – Cross-service Controls
Example service: IAM
Control: Multi-factor authentication must be used to secure IAM users.
Implementation guidance: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
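The MFA control above is stated, not implemented, on the slide. The following is an added example (not part of the deck and not AWS code) showing how a customer can both detect violations and enforce the control: it parses the IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded) to list console users without an MFA device, and it builds the IAM policy that denies every action except MFA enrollment unless the request was MFA-authenticated. The account ID, user names and report rows are constructed sample data.

```python
"""Added example: detect IAM users that violate the "MFA must be used" control
and build the policy that enforces it.  Sample data is constructed."""
import csv
import io
import json

# Constructed sample in the column layout of the IAM credential report.
# Account ID 123456789012 and all user names are hypothetical.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2013-01-05T10:00:00+00:00,not_supported,2013-10-20T09:12:00+00:00,not_supported,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2013-02-01T10:00:00+00:00,true,2013-10-21T08:00:00+00:00,2013-08-01T10:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2013-03-01T10:00:00+00:00,true,2013-10-19T17:30:00+00:00,2013-03-01T10:00:00+00:00,N/A,false,false,false
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2013-04-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""


def parse_report(text):
    """Parse the CSV credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def console_users_without_mfa(rows):
    """Users who can sign in with a password but have no active MFA device.

    The root row reports password_enabled as 'not_supported' because the root
    password cannot be disabled, so root is always treated as a console login.
    """
    flagged = []
    for row in rows:
        can_sign_in = row["password_enabled"] in ("true", "not_supported")
        if can_sign_in and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def key_only_users(rows):
    """Users with no password but an active access key.  MFA is checked at
    console sign-in and when requesting STS session credentials, not on
    plain access-key calls, so these users need the policy below (or key
    removal) rather than an MFA device alone."""
    return [row["user"] for row in rows
            if row["password_enabled"] == "false"
            and "true" in (row["access_key_1_active"], row["access_key_2_active"])]


def mfa_enforcement_policy():
    """Policy that denies everything except MFA enrollment and session-token
    requests unless aws:MultiFactorAuthPresent is true.

    BoolIfExists (rather than Bool) matters: the key is absent on requests
    signed with a long-term access key, and BoolIfExists treats an absent key
    as a match, so such requests are denied until the user obtains MFA-backed
    temporary credentials through sts:GetSessionToken."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            },
        }],
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("console users without MFA:", console_users_without_mfa(rows))
    print("key-only users:", key_only_users(rows))
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Attach the policy to every IAM group that holds human users; service users that only ever use access keys will be locked out by it, which is why `key_only_users` is reported separately so that decision is made deliberately rather than discovered in production.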
Compliance in the Cloud – Service-specific Controls
Example service: Amazon S3
Control: Server Side Encryption (SSE) is enabled for all objects classified per [customer] data classification policy as Confidential.
Implementation guidance: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
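The S3 control above says what must be true but not how to make it hold for every upload. The following is an added example (not part of the deck and not AWS code) of the standard two-statement bucket policy that rejects any PutObject under a Confidential prefix that does not request SSE-S3, a small evaluator that shows why both statements are needed, and an audit over HEAD-object results for objects stored before the policy existed. The bucket name, prefix, object keys and metadata are constructed; mapping "Confidential" to a key prefix is an assumption about how the classification policy is applied.

```python
"""Added example: enforce SSE-S3 on a Confidential prefix with a bucket policy,
and audit objects already stored there.  Names and data are constructed."""
import json

BUCKET = "example-corp-records"         # hypothetical bucket
CONFIDENTIAL_PREFIX = "confidential/"   # hypothetical prefix for "Confidential" data
SSE_HEADER = "x-amz-server-side-encryption"   # request header S3 reads
SSE_CONDITION_KEY = "s3:" + SSE_HEADER        # matching policy condition key


def sse_bucket_policy(bucket, prefix):
    """Two Deny statements are required: 'Null' catches uploads that omit the
    header (StringNotEquals never matches an absent key), and StringNotEquals
    catches uploads that send a value other than AES256 (SSE-S3)."""
    resource = "arn:aws:s3:::%s/%s*" % (bucket, prefix)
    base = {"Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": resource}
    return {
        "Version": "2012-10-17",
        "Statement": [
            dict(base, Sid="DenyUnencryptedUploads",
                 Condition={"Null": {SSE_CONDITION_KEY: "true"}}),
            dict(base, Sid="DenyWrongEncryptionHeader",
                 Condition={"StringNotEquals": {SSE_CONDITION_KEY: "AES256"}}),
        ],
    }


def put_allowed(policy, key, headers):
    """Simulate the policy's Deny statements against one PutObject request.
    Only the two condition operators the policy uses are modelled."""
    value = headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        # "arn:aws:s3:::bucket/prefix*" -> "prefix"
        prefix = stmt["Resource"].split(":::", 1)[1].split("/", 1)[1].rstrip("*")
        if not key.startswith(prefix):
            continue
        cond = stmt["Condition"]
        if "Null" in cond and value is None:
            return False
        if "StringNotEquals" in cond and value is not None \
                and value != cond["StringNotEquals"][SSE_CONDITION_KEY]:
            return False
    return True


# Constructed HEAD-object results: S3 reports ServerSideEncryption only for
# objects stored encrypted, so a missing key means plaintext at rest.
SAMPLE_OBJECTS = {
    "confidential/2013/q3-ledger.csv": {"ServerSideEncryption": "AES256"},
    "confidential/2013/hr-export.csv": {},
    "public/logo.png": {},
}


def unencrypted_confidential_objects(objects, prefix):
    """The bucket policy only governs new uploads; objects written before it
    was attached must be found and re-copied with SSE requested."""
    return sorted(key for key, meta in objects.items()
                  if key.startswith(prefix)
                  and meta.get("ServerSideEncryption") != "AES256")


if __name__ == "__main__":
    policy = sse_bucket_policy(BUCKET, CONFIDENTIAL_PREFIX)
    print(json.dumps(policy, indent=2))
    for key, hdrs in [("confidential/a.csv", {SSE_HEADER: "AES256"}),
                      ("confidential/b.csv", {}),
                      ("public/c.png", {})]:
        print(key, "allowed" if put_allowed(policy, key, hdrs) else "denied")
    print("re-encrypt:", unencrypted_confidential_objects(SAMPLE_OBJECTS, CONFIDENTIAL_PREFIX))
```

SSE-S3 protects the data on disk with AWS-managed keys; it does not change who may call GetObject, so the IAM and bucket policies that limit read access to the Confidential prefix remain a separate control.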
Compliance in the Cloud – Traditional Controls, AWS Optimized
Control: [Customer] Server Secure hardening rules
Implementation guidance:
1. Harden machine images
2. Use an approved OS image
Optimized by AWS: Share Private AMIs
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
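Sharing a hardened AMI privately only helps if the sharing stays private and instances are in fact launched from it. The following is an added example (not part of the deck and not AWS code) of the two checks that go with this control: it flags AMI launch grants and EBS snapshot create-volume grants that are public (`{"Group": "all"}`) or extend to accounts outside a trusted list, and it lists instances whose ImageId is not an approved hardened image. The data is constructed in the shape of the `describe-image-attribute`, `describe-snapshot-attribute` and `describe-instances` responses; every image, snapshot, account and instance ID is hypothetical.

```python
"""Added example: audit hardened-AMI sharing and check that instances were
launched from approved images.  All IDs and data are constructed."""

APPROVED_IMAGES = {"ami-0a1b2c3d"}                    # hypothetical hardened AMI(s)
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}   # hypothetical member accounts

# Constructed in the shape of the LaunchPermissions list from
# `aws ec2 describe-image-attribute --attribute launchPermission` and the
# CreateVolumePermissions list from
# `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
LAUNCH_PERMISSIONS = {
    "ami-0a1b2c3d": [{"UserId": "111111111111"}, {"UserId": "222222222222"}],
    "ami-deadbeef": [{"Group": "all"}],
    "ami-0bad0bad": [{"UserId": "333333333333"}],
}
SNAPSHOT_PERMISSIONS = {
    "snap-0a1b2c3d": [{"UserId": "111111111111"}],
    "snap-0ldcopy1": [{"Group": "all"}],
}


def sharing_findings(grants_by_id, trusted):
    """Return (id, problem) pairs for anything public or shared outside the
    trusted account list.  AMI launch grants and snapshot create-volume
    grants use the same {"Group": ...} / {"UserId": ...} shape, so one
    function serves both."""
    findings = []
    for resource_id, grants in grants_by_id.items():
        for grant in grants:
            if grant.get("Group") == "all":
                findings.append((resource_id, "public"))
            elif grant.get("UserId") and grant["UserId"] not in trusted:
                findings.append((resource_id,
                                 "shared with untrusted account " + grant["UserId"]))
    return findings


# Constructed subset of `aws ec2 describe-instances` output.
INSTANCES = [
    {"InstanceId": "i-1111aaaa", "ImageId": "ami-0a1b2c3d"},
    {"InstanceId": "i-2222bbbb", "ImageId": "ami-ffffffff"},
]


def unapproved_instances(instances, approved):
    """Instances whose ImageId is not one of the approved hardened images."""
    return [inst["InstanceId"] for inst in instances
            if inst["ImageId"] not in approved]


if __name__ == "__main__":
    for resource_id, problem in sharing_findings(LAUNCH_PERMISSIONS, TRUSTED_ACCOUNTS):
        print("AMI", resource_id, problem)
    for resource_id, problem in sharing_findings(SNAPSHOT_PERMISSIONS, TRUSTED_ACCOUNTS):
        print("snapshot", resource_id, problem)
    print("not on an approved image:", unapproved_instances(INSTANCES, APPROVED_IMAGES))
```

Run both checks on a schedule in every account the image is shared into, not only the one that builds it, since an account that received the AMI can re-share or copy it.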
Scaling Security in Growth
Scaling Security in Scope
Existing control set:
• Cloud Service Provider Controls
• Cross Service Security Controls
• Service Specific Controls
• Network/OS/App Controls
New Service Assessment: when a new service is on-boarded, the existing control set is extended with a new service-specific control and a new Network/OS/App control for that service.
Additional Resources
• Available at aws.amazon.com/compliance:
– AWS Risk & Compliance Whitepaper
– AWS Auditing Security Checklist for AWS
• Available at aws.amazon.com/security:
– AWS Security Whitepaper
Key Takeaways
1. Global companies are innovating on AWS with regulated data.
2. You can be more secure in the AWS cloud by:
   a. Using the secure AWS cloud infrastructure
   b. Using the automated software controls AWS services provide
3. Layered assurance provides an effective approach to cloud security.
What's next?
• Compliance-requirement-specific webinars with AWS specialists
• Segmenting industry-specific discussion groups with other AWS Compliance Forum customers
• Compliance-requirement-specific and industry-specific control mapping workbooks
Copyright © 2013 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc.
Commercial copying, lending, or selling is prohibited.
Questions? Email us at awscompliance@amazon.com