Practical Federal Compliance Strategies and Examples
Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).

  1. Practical Federal Compliance Strategies and Examples
     Chad Woolf, AWS Compliance Officer
  2. Researcher Perspective
     “In 2011, we got real proof that the providers are at least doing their part [toward addressing security]. The leading cloud providers earned key certifications (ISO 27001, 20001, PCI-DSS, and FISMA), and nearly all provided strong transparency to their operational practices. We also saw the leading clouds land local data centers in Europe and Asia while validating the proper handling of in-country data. And for the most part we saw enterprise customers awaken responsibilities for securing their use of clouds. There’s much progress to be made, but the excuses for not leaving the starting gate are no more.”
     Master 10 Trends For Your Cloud Journey, Forrester Research, Inc., May 10, 2012
  3. Today’s Topics
     • Discuss compliance in general and how it relates to business objectives
     • Discuss three methods of using compliance mechanisms to respond to business objectives
     • Address the different ways and methods to be compliant on AWS
     • Use cases: FISMA, ITAR
  4. Compliance and Security
     • Being compliant is related to, but not always the same thing as, being secure (and vice versa): a system can pass every control test and still be exploitable, and a well-hardened system can still fail an audit because the evidence was never collected
     • Security focus: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (44 U.S.C. §3542)
     • Compliance focus: demonstrating adherence to policies, procedures, published standards, or other mandates (security-related or otherwise)
  5. Compliance Simplified (diagram)
     Business Objective → Activities that drive the objective → Tracking of those activities
  6. Key Concept: Shared Responsibility
     • Moving IT infrastructure to AWS services creates a model of shared responsibility between the customer and AWS
     • Moving to AWS can relieve burden: AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities
     • The customer assumes responsibility for the guest OS (including updates and patches), the application software, and the configuration of the AWS-provided security group firewall
     • Understanding this split thoroughly streamlines compliance efforts: each control is either inherited from AWS or owned by the customer, so the agency’s security plan only has to document and test the customer side
  7. We’re In This Together: Shared Responsibility (diagram)
     Customer control & customer responsibility: Data, Application, Software, Firewalls/IDS/AV, Guest Operating System
     AWS control & AWS responsibility: Hypervisor, Hardware, Physical Infrastructure
  8. In Practice: Compliance with Security Standards
  9. Info Security Compliance Strategy
     Achieving information security compliance can be done:
     • In a detailed way (looking at individual controls)
     • In a general way (looking at an entire control environment, including subjective factors)
     When working with service providers, you also have options:
     • Require the service provider to publish specific controls, with pass/fail audits
     • Require service providers to adhere to a broad standard, and rely on a process or security certification
  10. Examples of detailed vs. general validation
     • General validation: ISO 27001 (certifies the management system as a whole, not the test result of each control)
     • Detailed validation: SSAE 16 / SOC 1 (formerly SAS 70; the report lists each control and the auditor’s test of it)
     • FISMA can be either (discussed next)
  11. Use Case: FISMA
     • Federal Information Security Management Act
     • Requires each federal agency to develop, document, and implement an agency-wide information security program for the data and information systems that support the agency, including those provided or managed by another agency, contractor, or other source
     • NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security
  12. Use Case: FISMA (diagram)
     Business Objective: properly manage information assets; comply with information security legislation
     Activities that drive the objective: secure your environment in conformity with the law, including that part of the environment managed by service providers
     Tracking of those activities: validate that you and your service providers are performing the required activities
  13. FISMA – Which Strategy to Use?
     Security compliance strategy options:
     • In a detailed way (looking at individual controls)
     • In a general way (looking at an entire control environment, including subjective factors)
     Agency/entity strategy differences are centered around:
     • internal security requirements
     • historical practices
     • varied levels of focus on security elements and requirements
     • comfort with how reasonable assurance is obtained
  14. FISMA – GSA BPA
     • AWS and reseller URS-Apptis were awarded an IaaS blanket purchase agreement (BPA) by the GSA
     • Agencies buying through the GSA can now use AWS with low accreditation effort
       • The ATO covers anything procured through the BPA
       • The complexity of agency systems may still require a deep dive into the documentation
  15. Leveraging GSA BPA vs. Sponsoring an ATO
     Options, ordered from greatest leverage / least effort to least leverage / greatest effort:
     • Review the ATO docs
     • Review pending actions (POA&M)
     • Review assessment report (SAR)
     • Review System Security Plan (SSP)
     • Review test cases
     • Integrate agency/AWS SSPs
     • Pursue an independent (unleveraged) agency ATO
  16. Example: CDC BioSense
     The Centers for Disease Control and Prevention’s (CDC) BioSense Program is designed to establish an integrated system of nationwide biosurveillance for early detection and prompt assessment of potential bioterrorism-related illness.
     • Approved: BioSense 2.0 was accredited and approved to operate at FISMA-Moderate by the CDC
     • Backed up: BioSense 2.0 system information is backed up by system administrators on a nightly basis and reviewed on a monthly basis for completeness and correctness
     • Durable: the Amazon S3 storage infrastructure keeps multiple copies of data so that it can be recovered if necessary
     • Secure: the BioSense 2.0 partitioned storage architecture uses AWS native infrastructure protections, and authentication mechanisms ensure that data is kept secure from unauthorized access
  17. Example: Consumer Financial Protection Bureau
     CFPB’s mission is to make markets for consumer financial products and services work for Americans by educating, enforcing and analyzing information. The Bureau ensures that consumers get the information they need to make the financial decisions best for themselves and their families.
     Summary:
     • Currently using the Office of Thrift Supervision data center, which has been combined with the Office of the Comptroller of the Currency within the Department of the Treasury
     • CFPB is using AWS as a shared service through the Department of the Treasury’s SharePoint environment for its website
     • They have gone through the SSP read (3 full days in June) and have had a third-party independent assessor review their internal C&A
     • They are currently in the final stages of penetration testing and analyzing the results; they will be finished within weeks and plan to issue the ATO soon after
  18. Example: DoD and DIACAP
     • An Air Force customer received a DIACAP MAC III ATO in early April for 3 years
     • The ATO was based on reviewing the SSP and mapping it to DIACAP requirements
     • AWS has multiple DoD customers who are in various stages of the DIACAP accreditation process
  19. Use case: ITAR
     • ITAR: International Traffic in Arms Regulations
     • Prohibits the unlicensed export of defense articles, defense services, and related technical data
     • A non-US person accessing the data is an “export”, even if the data never leaves the country; a foreign-national administrator or support engineer who can read it counts
     • A company managing ITAR articles and data must ensure US-person-only access, end-to-end
  20. Use case: ITAR – AWS GovCloud (US)
     • AWS GovCloud (US) provides a region in which access is restricted to US persons only
     • Allows customers to store and process ITAR-restricted data
     • Compliance efforts focus on security restrictions over GovCloud (US) resources; under the shared responsibility model the customer still owns the US-person restriction on its own side (its administrators, IAM users and anyone else it grants access to the account)
     • AWS completed a comprehensive audit of US-persons access and publishes a letter of attestation
     • Compliance is greatly simplified for an entity: no need for separate audits of AWS, which reduces compliance scope
  21. FISMA Compliance – Today
     FISMA
     • AWS has customers operating in our environment under FISMA-Low and FISMA-Moderate
     • Agencies may engage with AWS directly
     GSA IaaS BPA
     • Customers can purchase through the BPA now for the US East and US West regions
     • A 3-year ATO was issued to Apptis/AWS in April 2012
     • Compliance documentation can be requested through the GSA
  22. FISMA Compliance – Soon
     Federal Risk and Authorization Management Program (FedRAMP)
     • A standard approach to assessing and authorizing cloud computing services/products
     • FedRAMP started accepting applications in June
     • The AWS GovCloud compliance package is currently under review by FedRAMP
     • The GovCloud 3PAO (third-party assessment organization) assessment is underway
  23. FedRAMP – Opportunities, Challenges
     Strongest value propositions: leveragability, speed to ATO
     Aspects to be determined:
     • The actual FedRAMP P-ATO (provisional authorization to operate) process
     • 100% compliance vs. compensating controls
     • Agency ATOs: what is the process for agencies
     • Agency-specific controls
     • Protection of CSP information
     • Continuous monitoring: automatic data feeds (what data, how to deliver, applicability to the customer, ability to interpret)
     • TIC (Trusted Internet Connections) monitoring requirements
  24. Takeaways
     • Compliance validation strategies vary
     • A broad ATO, like the GSA blanket agreement, can simplify compliance efforts
     • FISMA Moderate: compliance is a reality today
     • ITAR: another example of AWS reducing operational compliance effort for agencies
     • FedRAMP is designed to simplify and streamline
  25. Thank You! Chad Woolf, cwoolf@amazon.com