Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014

AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
AWS Security Assurance:
DoD Community
Chris Gile
Bill Murray
awsbill@amazon.com
cgile@amazon.com

Security in the Cloud
Bill Murray
Sr. Manager
AWS Security Programs

Different Customer Viewpoints on Security
Public Affairs
keep out of the news
Leader
protect shareholder
value
CI{S}O
preserve the
confidentiality, integrity
and availability of data

Security Is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE &
PROCEDURES
NETWORK
SECURITY
PHYSICAL
SECURITY
PLATFORM
SECURITY

SECURITY IS SHARED

WHAT NEEDS
TO BE DONE
TO KEEP THE
SYSTEM SAFE

WHAT
WE DO
FOR YOU
WHAT YOU DO
YOURSELF

EVERY CUSTOMER HAS ACCESS
TO THE SAME SECURITY
CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR
ENTERPRISE

“Based on our experience, I believe that we
can be even more secure in the AWS cloud
than in our own data centers”
Tom Soderstrom – CTO
NASA JPL

AWS SECURITY OFFERS MORE
VISIBILITY
AUDITABILITY
CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT
RIGHT NOW?

TRUSTED ADVISOR

MORE AUDITABILITY

AWS CLOUDTRAIL

You are making
API calls...
On a growing set of
services around the
world…
CloudTrail is
continuously
recording API
calls…
And delivering
log files to you

Security Analysis
Use log files as an input into log management and analysis solutions to perform security
analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances,
Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.

LOGS
OBTAINED, RETAINED,
ANALYZED

MORE CONTROL

Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security

AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS
CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM
Amazon VPC
AWS Direct
Connect
AWS Storage
Gateway

LEAST PRIVILEGE PRINCIPLE
AT AWS

CONFINE ROLES ONLY TO THE MATERIAL
REQUIRED TO DO SPECIFIC WORK

SEPARATE NETWORKS FOR CORPORATE WORK VS.
ACCESSING CUSTOMER DATA

MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT
SENSITIVE INFORMATION LIKE DATA CENTER
LOCATIONS

MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER
TO ACCESS DATA CENTERS

SIMPLE SECURITY CONTROLS
ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT,
AND EASIEST TO ENFORCE

AWS IAM
IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT
WITH YOUR AWS ACCOUNT

MFA DELETE PROTECTION

YOUR DATA STAYS
WHERE YOU PUT IT

USE MULTIPLE AZs
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS

DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own mean

AWS CloudHSM
Managed and monitored by AWS, but you
control the keys
Increase performance for applications that
use HSMs for key storage or encryption
Comply with stringent regulatory and
contractual requirements for key protection
EC2 Instance
AWS CloudHSM
AWS CloudHSM

ENCRYPT YOUR DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS

MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL

IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers]
provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey
Doc #242836, September 2013

AWS.AMAZON.COM/
SECURITY

RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS Security Whitepapers

AWS Security Assurance:
DoD Community
Chris Gile

Increasing
Security and
Operating
Requirements
DoD Cloud Security Model
(Administered via DISA)
15 FedRAMP
Compliant CSP1
10 – IaaS, 3- PaaS, 2- SaaS
FedRAMP Authority to Operate
CSM ATO
Levels 1-2
(Public)
CSM ATO
Levels 3-5
(NIPR)
CSM ATO
Level 6
(SIPR)
1
2
3
4
5
6
Providers are a mix of IaaS,
PaaS, SaaS
(Initial Focus on IaaS)
3 Provisional
Authorizations
granted1
0 Provisional
Authorization
granted2
100’s of Cloud Service
Providers (CSP)
System-
Specific
ATO
John Doe
DoD DAA
The DoD
provisionally
authorized
commercial CSP
offering is eligible to
be included in the
Enterprise Cloud
Service Catalog
1 Source: http://www.gsa.gov/portal/content/131931
2 Provisional ATO granted as of 2/15/2014
Cloud Services Provider
DoD Cloud Security Model (CSM) - ATO Process

Shared Security Responsibility
• AWS & Customers both have
security/compliance obligations
• Logical assessment &
accreditation boundaries
• How are our ATOs consumed?
– Agencies & Partners
Cross-service Controls
Service-specific Controls
Managed by
AWS
Managed by
Customer
Compliance of
the Cloud
Compliance in
the Cloud
Cloud Service Provider Controls
Optimized Network/OS/App
Controls

Availability
Zone C
Sample US Region
- Multiple Isolated locations within a Region
- Availability Zone = 1 or more “data center”
- Independent Failure Zone
- Physically separated
- On separate Low Risk Flood Plains
- Discrete UPS
- Onsite backup generation facilities
- Fed from different segments of utility provider
- Redundantly connected to multiple tier-1 ISP’s
- No “Disaster Recovery Datacenter”
- Built for Continuous Availability
- Customer decides Availability Zone for Compute
~ DoD Data Center
Availability
Zone B
Availability
Zone A
AWS Availability Zone (AZ) View

AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
– All AWS US Regions (US East/West, & GovCloud (US))
– EC2, S3, EBS, VPC, IAM
– New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls (298)
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests from all customers, though agencies can still request AWS
FedRAMP package from FedRAMP PMO if desired
– AWS provides customers a FedRAMP SSP Template, inherited/shared control matrix, as well as FedRAMP package
• AWS Security Assurance supports the lifecycle of customer engagements with supporting personnel and
resources
cloud.cio.gov/fedramp/amazon

AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA managed Cloud Security Model (CSM)
• 68 additional control enhancements overlaid on
FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs

Building Solutions on AWS
• Partners & Agencies can leverage FedRAMP compliant AWS
• AWS’ FedRAMP package covers AWS infrastructure and
underlying management of services
• Partner’s FedRAMP package includes inherited controls; shared
controls documents partner’s application/service built on AWS
• To support partners we can provide:
– Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199,
etc.
– SSP Template: Pre-populated with inherited control language, guidance
on completing shared controls
– ATO Letters as stand alone documents
– Support: Security Solutions Architects, Security Assurance Architects,
Professional Services

AWS Documentation Support
• AWS Package is specific to the
AWS Infrastructure
• Partner’s Package is specific to
the Partner’s Application or
managed services
• Inherited vs. Shared Controls

Certifications & Compliance
• AWS Environment
– SOC 1/2/3
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
– FedRAMP (up to Moderate)
– AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA/FedRAMP (US Federal Government)
– DIACAP – up to MAC II Sensitive
– International Traffic in Arms Regulations (ITAR)

Customer Resources
• Whitepapers
– Risk & Compliance Whitepaper
– Overview of Security Processes
– “Security at Scale” series
• Governance in AWS
• Logging in AWS
• Template
– FedRAMP SSP Template
• Workbooks
– FISMA-High
– CJIS

Other Compliance Programs
• FISMA-High Handbook
– Workbook available for partners under NDA
– 84 additional control enhancements [21
inherited, 54 shared, 9 customer]
• CJIS Handbook
– Available under NDA
– 121 security requirements; 10 inherited, 87
shared, and 24 customer-responsible
requirements
• Both are partner-based approaches
to build a portfolio of authorizations

AWS Compliance & Security Centers
• Answers to many security and compliance
questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance

Additional AWS Security &
Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam
awscompliance@amazon.com

Thank You
Chris Gile
Bill Murray
awsbill@amazon.com
cgile@amazon.com

Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014

Similar to Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014

Editor's Notes