Implementing FISMA Moderate Applications on AWS

Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).

  • Speaker notes (acronyms used in the deck):
    • FERPA: Family Educational Rights and Privacy Act of 1974
    • HIPAA: Health Information Portability and Accountability Act 1996
    • GLB: Gramm-Leach-Bliley Act – protects the financial information of consumers
    • HSA: Homeland Security Act 2002 – created the Department of Homeland Security and many data-related requirements
    • CUI: Controlled but Unclassified Information
    • NASD Rule 3110: National Association of Securities Dealers (NASD) members must control customer account information
    • PCI: Payment Card Industry Data Security Standard – requirements for enhancing payment account data security
  • Implementing FISMA Moderate Applications on AWS

    1. Implementing FISMA Moderate Applications. Nathan Beach, Principal Solution Architect, AWS Worldwide Public Sector
    2. Session Topics
       • Resources Available Online
       • Hi! We’re Here to Help You
       • Things to Consider
       • FISMA Primer
       • Where to Begin
       • We’re In This Together
       • Putting the Solution Together
       • Public Sector Security Ecosystem
    3. Resources Available Online
       • GSA: FedRAMP Home Page – http://www.gsa.gov/portal/category/102371
       • NIST: Computer Security Division – Resource Center – http://csrc.nist.gov/publications/PubsSPs.html
       • AWS Security and Compliance Center – http://aws.amazon.com/security/ (new: AWS Risk and Compliance Whitepaper, July 2012)
       • AWS Architecture Center – http://aws.amazon.com/architecture/
       • AWS U.S. Federal Government – http://aws.amazon.com/federal/
       • Find AWS Partner Solution Providers – https://aws.amazon.com/solution-providers
    4. Hi! We’re Here to Help You
       • Getting Started: Account Representatives, Partner Representatives, Solution Architects, Security and Compliance Team
       • Up and Running: Technical Account Managers, Premium Support Services
       • But most of all…
    5. Our Public Sector Security Ecosystem – https://aws.amazon.com/solution-providers/
    6. Things to Consider
       • You understand the applicable federal regulations and data protection policies (FISMA, FERPA, HIPAA, CUI, PCI, ...)
       • Your solution is suitable for accreditation
       • Your government sponsor is a full partner in the process: the Business Owner and the Information Assurance Team
    7. Applicable CUI Information Domains (CUI categories): Agriculture, Copyright, Critical Infrastructure, Export Control (ITAR), Financial, Immigration, Intelligence, Law Enforcement, Legal, Nuclear, Patent, Privacy, Proprietary (IP), Statistical, Tax, Transportation
    8. Solution Suitability for Accreditation
       • Designed and implemented with FISMA accreditation as a primary goal
       • Ability to configure or customize the relevant control areas: Access Controls; Identification and Authorization; Audit Points and Audit Integrity; System and System Communication Protection; etc.
    9. FISMA Primer – 18 Controls
       • AC – Access Control
       • AT – Awareness and Training
       • AU – Audit and Accountability
       • CA – Security Assessment and Authorization
       • CM – Configuration Management
       • CP – Contingency Planning
       • IA – Identification and Authentication
       • IR – Incident Response
       • MA – Maintenance
       • MP – Media Protection
       • PE – Physical and Environmental Protection
       • PL – Planning
       • PS – Personnel Security
       • RA – Risk Assessment
       • SA – System and Services Acquisition
       • SC – System and Communications Protection
       • SI – System and Information Integrity
       • PM – Program Management
    10. FISMA Primer (cont.)
       • Customer Configured – Definition: the workload operator seeking accreditation is required to proactively use and configure capabilities implemented and maintained by AWS to be in compliance with the control.
       • Customer Provided – Definition: the workload operator seeking accreditation is required to implement, maintain, proactively use and configure capabilities independently of AWS to be in compliance with the control.
    11. FISMA Primer (cont.)
       • Hybrid Controls – Definition: shared implementation responsibility between AWS and the workload operator seeking accreditation.
    12. We’re In This Together: Shared Software Responsibility
       • Customer control and customer responsibility: Firewalls/IDS/AV, Application, Data, Guest Operating System
       • AWS control and AWS responsibility: Hypervisor, Hardware, Physical Infrastructure
    13. Examples of “Customer Responsibilities”
       • Apply your Information Management Program – one that integrates Information Assurance
       • Standardize machine images – create gold-copy images for production deployment and for launching new instances
       • Build and test in a sandbox environment – work out the bugs, figure out how to break it, architect to be resilient
       • Do the same stuff you do in-house – quarterly patch management, IDS/IPS, logging, tripwire, etc.
       • Conduct a risk assessment – to determine the level of security controls you require
       • Role-based access controls – restrict access to system components based on need to know
    14. Examples of “Customer Responsibilities” (cont.)
       • Use encryption – for data in transit, for data at rest, for the file system
       • Key management – rotate the keys used to access your resources (AWS does not hold these… you do)
       • Set up monitoring/alerting – collect metrics and enable alerting for when events occur
       • Vulnerability scans – allowed via a permission process (otherwise we’ll kill/block the source of the scans)
       • Prepare for failure – create backups, store data in more than one location, test backups, have a contingency system ready
    15. Putting the Solution Together
       • Physical Security: datacenters in nondescript facilities; physical access strictly controlled; must pass two-factor authentication at least twice for floor access; physical access logged and audited
       • HW, SW, Network: systematic change management; phased updates deployment; safe storage decommission; automated monitoring and self-audit; advanced network protection
       • Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM; FISMA Moderate compliant controls; HIPAA and ITAR compliant architecture
       • [Diagram footer] Amazon Physical Infrastructure (GSS): Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial Fiber/Network Capacity, Infrastructure Control Systems and Services
       • Footnotes: ¹ In-scope service feature operated under common service control process. ² Amazon GSA IaaS BPA partner Apptis provides FIPS 140-2 validated encryption when accessing from agency machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.
    16. Putting the Solution Together: Amazon VPC Architecture with Direct Connect
       • [Diagram] Infrastructure Building Blocks on top of the Amazon Physical Infrastructure (GSS): Compute Services – Amazon EC2, HPC Clusters¹, Auto Scaling¹, VM Import¹; Network Services – Amazon VPC, Elastic Load Balancers¹, Amazon Route 53¹, Direct Connect¹; Storage Services – Amazon S3, Amazon EBS
    17. Putting the Solution Together: Users and Groups within Accounts
       • Unique security credentials: access keys, login/password, MFA device
       • Policies control access to AWS APIs
       • Deep integration into S3: policies on objects and buckets
       • AWS Management Console now supports user log on
       • Not for operating systems or applications – use LDAP, Active Directory, ADFS, etc.
       • [Diagram] Adds the Cross Service Features layer: Identity and Access Management¹ (IAM with Multi-Factor Authentication) above the Infrastructure Building Blocks
    18. AWS Multi-Factor Authentication
       • Helps prevent anyone with unauthorized knowledge of your credentials from impersonating you
       • Additional protection for account information and critical APIs
       • Physical and virtual MFA devices supported via RFC 6238
       • Works with the account (root) identity and IAM users
       • Integrated into the AWS Management Console, key pages on the AWS Portal, MFA-protected API access (new feature), and S3 secure delete
       • A recommended opt-in security feature!
    19. Putting the Solution Together: AWS Network Layer – Configuration Touch Points
       • [Diagram] Customer Workload / Business/Mission Services sit above the AWS Network Layer – Configuration Touch Points; the interface to access AWS services is Libraries and SDKs¹ (Java, .Net, Ruby, PHP), Web Interface² (Management Console) and Command Line Tools¹, all passing through Identity and Access Management¹ (IAM with Multi-Factor Authentication) onto the Infrastructure Building Blocks (Compute, Network and Storage Services) and the Amazon Physical Infrastructure (GSS)
    20. Amazon VPC Architecture
       • [Diagram] Customer’s isolated AWS resources in public and private subnets, with NAT and a router; the Internet on one side; a VPN Gateway providing a secure VPN connection over AWS Direct Connect to the Customer’s Network
    21. Putting the Solution Together: AWS Virtualization and Storage Layers – Configuration Touch Points
       • [Diagram] Adds Customer Operating Systems above the AWS Virtualization Layer – Configuration Touch Points, and Customer Storage above the AWS Storage Layer – Configuration Touch Points, to the stack shown on slide 19
    22. Putting the Solution Together: Customer Application
       • [Diagram] Adds the Customer Application layer on top of the Customer Operating Systems in the stack shown on slide 21
    23. Reference architecture: AWS Virtual Private Cloud across Availability Zone #1 and Availability Zone #2
       • Company Network with a Company VPN Gateway connects to the AWS VPC Gateway over Direct Connect; a virtual firewall and IDS appliance sits at the edge
       • Security Group A (HTTP/HTTPS) – DMZ, 10.254.1.0/24 and 10.254.2.0/24 – Policy B; DNS (port 53) for Company.com; Elastic Load Balancer
       • Security Group B – Web tier, 10.30.1.x – Policy C – Auto Scaling Group A
       • Security Group C – Business tier, 10.20.1.x – Policy D – Auto Scaling Group B; LDAP DC
       • Security Group D – Data services, 10.10.1.x – YourDBSvr in each Availability Zone, with backups
       • S3 buckets for logs and backups; AWS Management Console protected by MFA; IAM security policy and IAM add-ons
    24. AWS Public Sector Security Ecosystem
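Slide 23 lays out a tiered VPC in which only the DMZ security group accepts HTTP/HTTPS from the Internet and each inner tier should be reachable only from the tier in front of it. As an added example, not part of the deck and not an AWS tool, the following audit flags rules that break that model. The security group ids, names and rules are constructed for the example in the shape of the IpPermissions entries returned by EC2 DescribeSecurityGroups; which group counts as the DMZ is an assumption set in INTERNET_FACING.

```python
from ipaddress import ip_network

# Constructed sample (not from a real account), shaped like DescribeSecurityGroups output.
SAMPLE_GROUPS = {
    "sg-dmz": {
        "GroupName": "Security Group A (DMZ)",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-web": {
        "GroupName": "Security Group B (web tier)",
        "IpPermissions": [
            # Correct: web tier only reachable from the DMZ group.
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-dmz"}]},
            # Defect planted for the example: SSH open to the world on an inner tier.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-data": {
        "GroupName": "Security Group D (data services)",
        "IpPermissions": [
            # Defect planted for the example: database port allowed from a broad
            # CIDR instead of from the business-tier security group.
            {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-biz"}]},
        ],
    },
}

INTERNET_FACING = {"sg-dmz"}   # assumption: only the DMZ group may accept traffic from anywhere
INTERNET_OK_PORTS = {80, 443}  # the DMZ policy on slide 23: HTTP/HTTPS only


def _world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0."""
    return ip_network(cidr).prefixlen == 0


def audit_security_groups(groups: dict) -> list:
    """Return one finding string per ingress rule that breaks the tiered model."""
    findings = []
    for gid, group in groups.items():
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            ports = "all ports" if proto == "-1" else f"port {lo}-{hi}"
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if _world_open(cidr):
                    if gid not in INTERNET_FACING:
                        findings.append(f"{gid}: {proto} {ports} open to {cidr} on a non-DMZ group")
                    elif proto == "-1" or lo != hi or lo not in INTERNET_OK_PORTS:
                        findings.append(f"{gid}: {proto} {ports} open to {cidr} beyond HTTP/HTTPS")
                elif gid not in INTERNET_FACING:
                    findings.append(f"{gid}: {proto} {ports} allows CIDR {cidr}; internal tiers "
                                    "should reference the upstream security group instead")
            # Rules that reference another security group (UserIdGroupPairs) are the
            # intended pattern for inner tiers and are not flagged here.
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Running it on the sample prints two findings, the SSH rule on the web tier and the CIDR-based database rule, and nothing for the DMZ. Feeding the same function the output of a real DescribeSecurityGroups call is a cheap way to keep the slide's design intent enforced as an ongoing check rather than a one-time diagram.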
