AWS Cloud Governance: A Shared Responsibility Model (title slide diagram: centralized, decentralized and hybrid governance across the data, infrastructure and application layers; goals: scalable, highly available, accessible)
Governance… “Governance implies control and oversight over policies, procedures, and standards for application development, as well as the design, implementation, testing, and monitoring of deployed services.” Wayne Jansen, Timothy Grance, NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing, January 2011. URL: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
…is a Shared Responsibility. “Cloud Providers and Cloud Consumers collaboratively design, build, deploy, and operate cloud-based systems. The split of control means both parties now share the responsibilities in providing adequate protections to the cloud-based systems. Security is a shared responsibility.” Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn Leaf, NIST SP 500-292: NIST Cloud Computing Reference Architecture, September 2011.
AWS Investments Establish a Trusted Foundation
Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
Physical Security: Datacenters in nondescript facilities; Physical access strictly controlled; Must pass two-factor authentication at least twice for floor access; Physical access logged and audited
HW, SW, Network: Systematic change management; Phased updates deployment; Safe storage decommission; Automated monitoring and self-audit; Advanced network protection
Authorizations and ATOs: FISMA Moderate; ITAR Compliant Region (GovCloud); DIACAP MAC III/Sensitive
SOC 1 Type 2. Replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report. Conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. Attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going with planned periodic audits.
ISO 27001 Certification AWS achieved ISO 27001 certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). Certifies our systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification. A copy of our ISO certificate, available to AWS customers, describes the ISMS services and geographic scope.
Payment Card Industry (PCI) Data Security Standard (DSS) Certification. PCI-DSS is a standard that specifies best practices and various security controls. Certification in the standard requires organizations to:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong security measures
• Regularly test and monitor networks
• Maintain an information security policy
AWS Cloud Governance Service Enablers (cont.)
Governance Area: AWS Technologies
Access Controls:
  • Identity and Access Management Policies
  • Bucket Policies
  • EC2 Instance Roles
  • Query String Authentication
  • Access Control Lists
Identification and Authentication:
  • Identity and Access Management
  • Multi-Factor Authentication
  • Group Policies and Roles
  • Federated Identity Management API
Disaster Recovery and Continuity of Operations (Data):
  • EBS Snapshots
  • S3 Near-Line Storage
  • Glacier Near-Offline Storage
  • Storage Gateway
  • Bulk Data Import/Export
  • Managed AWS No-SQL/SQL Database Services
  • Extensive 3rd Party Solutions
Disaster Recovery and Continuity of Operations (Workload):
  • Elastic Load Balancers
  • EC2 Auto Scaling
  • Route 53 – Latency Based Routing
  • CloudFront – Content Delivery Network
  • Multi-AZ, Multi-Region Workload Deployment
Monitoring and Reporting:
  • CloudWatch
  • CloudWatch Alarms
  • Simple Notification Service
References and Further Reading
Wayne Jansen, Timothy Grance, NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing, January 2011. URL: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn Leaf, NIST SP 500-292: NIST Cloud Computing Reference Architecture, September 2011. URL: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
NIST SP 800-53 R3: Recommended Security Controls for Federal Information Systems and Organizations, August 2009. URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Amazon Web Services: Security and Accreditation Center: Certifications. URL: http://aws.amazon.com/security/#certifications