• Like
Federal Compliance Deep Dive: FISMA, FedRAMP, and Beyond - AWS Symposium 2014 - Washington D.C.
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Federal Compliance Deep Dive: FISMA, FedRAMP, and Beyond - AWS Symposium 2014 - Washington D.C.

  • 738 views
Published

Security is your number one priority and it is ours too. With customers around the world across all industries, it is our top priority to ensure the underlying cloud infrastructure is secure and …

Security is your number one priority and it is ours too. With customers around the world across all industries, it is our top priority to ensure the underlying cloud infrastructure is secure and compliant. This presentation will address our shared security/responsibility model, specific compliance requirements such as FedRAMP, DISA/DoD Cloud Security Models, and detail the specific AWS compliance programs that supports our customers in these compliance environments.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
738
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
57
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs Chris Gile Senior Manager AWS Risk and Compliance cgile@amazon.com
  • 2. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Shared Security Responsibility • AWS & Customers both have security/compliance obligations • Logical assessment & accreditation boundaries Cross-service Controls Service-specific Controls Managed by AWS Managed by Customer Compliance of the Cloud Compliance in the Cloud Cloud Service Provider Controls Optimized Network/OS/App Controls
  • 3. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS FedRAMP Program • AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering: – All AWS US Regions (US East/West, & GovCloud (US)) – EC2, S3, EBS, VPC, IAM – New: Amazon Redshift (US East/West only) • Assessed against all FedRAMP-Moderate controls • Agency ATO packages have reciprocity with federal agencies • AWS will directly field FedRAMP package requests; agencies can still request AWS FedRAMP package from FedRAMP PMO – AWS provides customers a FedRAMP SSP Template, inherited/shared control matrix, as well as FedRAMP package cloud.cio.gov/fedramp/amazon
  • 4. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Building Solutions on AWS • Partners & Agencies can leverage FedRAMP compliant AWS • AWS’s FedRAMP package covers AWS infrastructure and underlying management of services • Partner’s FedRAMP package includes inherited controls; shared controls documents partner’s application/service built on AWS • To support partners we can provide: – Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc. – SSP Template: Pre-populated with inherited control language, guidance on completing shared controls – ATO Letters as stand-alone documents – Support: Security Solutions Architects, Security Assurance Architects, Professional Services
  • 5. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Documentation Support • AWS Package is specific to the AWS Infrastructure • Partner’s Package is specific to the Partner’s Application or managed services • Inherited v. Shared Controls
  • 6. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS DoD CSM Program • 2/6/14 Provisional Authorization for Levels 1-2 • DISA-managed Cloud Security Model (CSM) • 70 additional control enhancements overlaid on FedRAMP Moderate • Partners have achieved MAC II Sensitive DIACAP ATOs
  • 7. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Certifications & Compliance • AWS Environment – SOC 1/2/3 – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider – FedRAMP (up to Moderate) – AWS GovCloud (US) – ITAR compliant region • Customers have deployed various compliant applications – Sarbanes-Oxley (SOX) – HIPAA (healthcare) – FISMA/FedRAMP (US Federal Government) – DIACAP – up to MAC II Sensitive – International Traffic in Arms Regulations (ITAR)
  • 8. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Customer Resources • Whitepapers – Risk & Compliance Whitepaper – Overview of Security Processes – “Security at Scale” series • Governance in AWS • Logging in AWS • Template – FedRAMP SSP Template • Workbooks – FISMA-High – CJIS
  • 9. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Other Compliance Programs • FISMA-High – Workbook available for partners under NDA – 84 additional control enhancements; 21 inherited, 54 shared, 9 customer • CJIS Workbook – Available under NDA – 121 security requirements; 10 inherited, 87 shared, and 24 customer-responsible requirements • Both are partner-based approaches to build a portfolio of authorizations
  • 10. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Compliance & Security Centers • Answers to many security and compliance questions • Security whitepaper • Risk and Compliance whitepaper • Overview of Security Processes whitepaper • “Security at Scale” whitepaper series • Security bulletins • Customer penetration testing requests • Security best practices • Request more information by contacting us aws.amazon.com/security aws.amazon.com/compliance
  • 11. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Additional AWS Security & Compliance References • https://aws.amazon.com/security • https://aws.amazon.com/compliance • https://aws.amazon.com/compliance/#whitepapers • https://aws.amazon.com/compliance/fedramp-faqs • https://aws.amazon.com/govcloud-us • https://aws.amazon.com/documentation • https://aws.amazon.com/iam awscompliance@amazon.com
  • 12. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Questions?
  • 13. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Thank You Chris Gile cgile@amazon.com