This document outlines a presentation given at the AWS Government, Education, and Nonprofits Symposium in Washington DC from June 24-26, 2014. The presentation discusses how public sector organizations can advance their security and governance capabilities using AWS. It provides examples of challenges organizations face with security logging, monitoring, and disaster recovery on-premises versus capabilities available in AWS like CloudTrail, EBS snapshots, and centralized security controls. Resources for the AWS compliance program, security best practices, and innovation tools like Trusted Advisor are also referenced.
How Public Sector Entities are Advancing Their Security and Governance Capabilities with AWS - AWS Washington D.C. 2014
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
How Public Sector is Advancing Their Security
and Governance Capabilities with AWS
Chad Woolf
Director, AWS Risk and Compliance
cwoolf@amazon.com
2. Better Security in the Cloud
“…We’ll also see organizations adopt cloud services
for the improved security protections and
compliance controls that they otherwise could not
provide as efficiently or effectively themselves.”
- Security’s Cloud Revolution Is Upon Us,
Forrester Research, Inc., August 2, 2013
3. Better Security in AWS
[Diagram labels] Cross-service Controls; Service-specific Controls; Managed by AWS; Managed by Customer; Security of the Cloud; Security in the Cloud; Cloud Service Provider Controls; Optimized Network/OS/App Controls
Request reports at: aws.amazon.com/compliance/#contact
4. Governance, Security, Compliance Enablers
Governance in AWS
AWS Security Best Practices
AWS Auditing Security Checklist
AWS Risk and Compliance
AWS Trusted Advisor
5. FedRAMP Package
• Standard package: SSP, SAR
• Most usable doc: SSP Template
Helps you figure out this ->
6. Security at Scale: Governance in AWS
1. Financial Control
2. IT Asset Identification
3. Asset Configuration and Management
4. Logical Access Control
5. Physical Access Control
6. Data Encryption
7. Network Configuration and Management
8. Security Logging and Monitoring
9. Security Incident Response
10. Disaster Recovery
Get this whitepaper at: aws.amazon.com/compliance/
7. Examples
Governance Domain | On-prem Challenge | AWS Enabler | Control Provided
8. Security Logging and Monitoring | Centralized logging of user actions taken against a set of IT resources | AWS CloudTrail: provides logging of API or console actions (e.g., logs when someone changes a bucket policy, stops an instance, etc.) | Advanced monitoring capabilities of actions taken and changes made
10. Disaster Recovery | Producing point in time, usable incremental backups | EBS Snapshots: point-in-time full volume copies of EBS data into persistent storage of S3 | Anytime incremental point-in-time backup of server data
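The CloudTrail row above describes logging of API or console actions such as a bucket policy change or an instance stop. As an added example (not from the presentation), this Python code filters a CloudTrail log file body for those two actions and reports who did what to which resource; the event names `PutBucketPolicy` and `StopInstances` and the record fields follow the CloudTrail record format, and the sample log, account ID, users and resource IDs are constructed.

```python
import json

# (eventSource, eventName) pairs for the change actions named on the slide.
WATCHED = {("s3.amazonaws.com", "PutBucketPolicy"),
           ("ec2.amazonaws.com", "StopInstances")}

def targets_of(rec):
    """Extract the affected bucket or instance IDs from requestParameters."""
    params = rec.get("requestParameters") or {}
    if "bucketName" in params:
        return [params["bucketName"]]
    items = (params.get("instancesSet") or {}).get("items", [])
    return [i["instanceId"] for i in items if "instanceId" in i]

def change_events(log_text):
    """Return one finding per watched change event in a CloudTrail log body."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) not in WATCHED:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "who": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            "targets": targets_of(rec),
            # errorCode appears only when the API call was denied or failed
            "succeeded": "errorCode" not in rec,
        })
    return findings

def _rec(t, src, name, arn, params, **extra):  # builds one constructed record
    return dict(eventTime=t, eventSource=src, eventName=name, sourceIPAddress="192.0.2.10",
                userIdentity={"type": "IAMUser", "arn": arn}, requestParameters=params, **extra)

ALICE, BOB = "arn:aws:iam::111122223333:user/alice", "arn:aws:iam::111122223333:user/bob"
# Constructed sample log (account ID, users, bucket and instance IDs are made up).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2014-06-24T14:01:00Z", "s3.amazonaws.com", "PutBucketPolicy", ALICE, {"bucketName": "example-bucket"}),
    _rec("2014-06-24T14:05:00Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, None),
    _rec("2014-06-24T14:09:00Z", "ec2.amazonaws.com", "StopInstances", BOB,
         {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}, errorCode="Client.UnauthorizedOperation"),
]})

if __name__ == "__main__":
    for e in change_events(SAMPLE_LOG):
        print(e["time"], e["who"], e["action"], e["targets"], "ok" if e["succeeded"] else "failed")
```

Denied attempts are kept in the findings with `succeeded` set to false, since a rejected change request is often as relevant to monitoring as a successful one.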
12. Scaling Security
13. Innovative Governance Tool: AWS Trusted Advisor
• Online service from AWS Support
– Analyzes account for various kinds of issues and possible concerns
– Soon available as an API for integration with your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
14. Innovative Governance Tool: AWS Trusted Advisor
Since 1/1/2013:
• 10,000+ customers
• 700,000+ recommendations reviewed
• $140M+ in annualized savings
Learn more about Trusted Advisor at:
https://aws.amazon.com/premiumsupport/trustedadvisor/
15. AWS: centralized security controls - visible, testable, automated
16. Resource Links
AWS Compliance site - provides AWS Compliance Forum links, descriptions of audit reports available, contact links, and relevant whitepapers
http://aws.amazon.com/compliance/
AWS Security Center – provides links to a detailed whitepaper on how we manage security at AWS and provides links to contact AWS Security
http://aws.amazon.com/security/
AWS Security Blog – posts contain security best practices for AWS services, how-to guides, compliance milestones, and customer and partner stories
http://blogs.aws.amazon.com/security/
Trusted Advisor - information on the tool, the nature of the checks, and how to access it
https://aws.amazon.com/premiumsupport/trustedadvisor/
Case studies – features of a wide range of companies doing amazing things on AWS
http://aws.amazon.com/solutions/case-studies/all/
17. Questions?
18. Thank You
Chad Woolf
cwoolf@amazon.com
Editor's Notes
establish a high level of control over your cloud environment, with
all the security investment AWS offers with the platform itself, and
2) with the security services, features and tools provided by AWS.
This allows you to create a secure container that has security built in; security and control that will scale with your use and growth of the AWS cloud.
AWS Trusted Advisor tool.
from AWS’s aggregated operational history of serving hundreds of thousands of AWS customers
Draws on metrics - opportunities to save money, improve system performance, or close security gaps.
Expanding - identified over 100 possible checks
Trusted Advisor is available to customers with Business and Enterprise-level support.
Advising customers to be more efficient and to spend LESS
This tool is available now, and if you have Business or Enterprise level support I recommend starting with that to get an idea of how your AWS environment is operating.
Sessions will discuss this tool in more depth
Think back at Forrester quote
“…We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Advanced security in the cloud is here; customers are creating a scalable and controlled IT environment in AWS.
The AWS platform is a highly secure platform. We can prove it, and more importantly YOU can prove it.
AWS innovative features enable centralized security control. Control that is visible, testable, and automated. That scale.
You now have great resources to understand; tools to be more secure and compliant than traditional IT
Some recommended links to bring home with you…