Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AWS re:Invent 2013
This session covers the shared responsibility model for security and compliance specific to the AWS GovCloud (US) region. This presentation highlights the enhanced security offerings of AWS GovCloud (US), such as FIPS-140 Level 2 encryption, as well as the supported compliance regimes. It also reviews how our customers can build secure applications in GovCloud using the various security features such as IAM and VPC. This presentation also offers a brief overview of FedRAMP, explains the shared responsibility model through customer use cases, and covers how customers can obtain an Authority to Operate.

Presentation Transcript

  • SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
    CJ Moses, GM – AWS Global Cloud Solutions
    Chris Gile, Manager – AWS Federal Compliance Programs
    Jennifer Gray, Federal Cloud Lead – HHS Enterprise Cloud Architect
    Tom Soderstrom, CTO – Jet Propulsion Laboratory
    November 13, 2013
    © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • AWS GovCloud (US)
    • The AWS Government Community Cloud for vetted U.S. Government and U.S. commercial entities with ties to U.S. Government functions and services
    • Built with U.S. government customers in mind and appropriate for:
      – U.S. Government agencies: US Federal, state and local entities
      – U.S. Government contractors, systems integrators, and FFRDCs
      – U.S. Companies with IT regulatory requirements
    • Designed to allow U.S. government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
      – Appropriate for Controlled Unclassified Information (CUI) or Unclassified data and workloads
  • AWS GovCloud (US)
    • Data stays in CONUS – Region located in the Pacific Northwest
    • Only approved AWS U.S. Persons have access to restricted areas, networks, and systems for administration
    • AWS managed account provisioning; each potential customer is vetted to ensure they are a U.S. entity and not prohibited or restricted from exporting or from providing services by the U.S. government
    • Data, Network and Machine Isolation
      – Mandatory virtual private cloud (Amazon VPC) segregation for all customers, which offers an additional layer of isolation and protection
      – Separate, isolated credentials database (AWS IAM)
      – FIPS 140-2 hardware for endpoints and VPN
  • FedRAMP Overview (agenda)
    • FedRAMP Overview
    • AWS FedRAMP Program
    • Shared Responsibility Model & Achieving Compliance with AWS
  • FedRAMP Overview
    • OMB mandated FedRAMP compliance for government agencies using CSPs
    • Government-wide program standardizing CSP security assessments
    • Four approaches for CSPs to demonstrate compliance supporting agency needs
    • All FedRAMP package types in the FedRAMP repository can be leveraged by USG agencies
  • AWS’ FedRAMP Program
    • Agency ATOs (2) granted by HHS May ’13 covering:
      – US East/West and GovCloud (US) Regions
      – EC2, S3, EBS, VPC, and IAM services (more on the way!)
      – Reviewed by HHS, CDC, NIH, & FDA
      – FedRAMP-accredited 3PAO assessed AWS against all 297 Moderate FedRAMP controls
    • Subsequent federal agency ATOs granted based on AWS FedRAMP packages
      – Our Agency ATOs can be leveraged by any customer
  • AWS’ FedRAMP Program
    • Request the AWS FedRAMP package via the FedRAMP PMO or directly from AWS
    • So how do you achieve compliance using the AWS FedRAMP package?
  • Security is a Shared Responsibility (layer diagram)
    • Managed by Customer – Compliance in the Cloud:
      – Optimized Network/OS/App Controls
      – Service-specific Controls
    • Managed by AWS – Compliance of the Cloud:
      – Cross-service Controls
      – Cloud Service Provider Controls
  • Security is a Shared Responsibility (stack diagram)
    • Managed by Customer: Customer Data; Users and Roles; Account Management; Applications; Firewalls; Network Configuration; Guest Operating System
      – Customers implement their own set of controls (shared controls)
      – Customers document their implementation of controls in the SSP
      – Customers conduct a 3PAO assessment
      – Multiple customers with Low/Mod ATOs
      – Customers tell us High ATOs possible
    • Managed by AWS: Virtualization Layer; Compute Infrastructure; Storage Infrastructure; Network Infrastructure; Facilities; Physical Security; AWS Global Infrastructure
      – Payment Card Industry (PCI) Data Security Standard Level 1
      – NIST 800-53 Controls & multiple ATOs; FedRAMP
      – DoD Compliant Controls and multiple DIACAP ATOs
      – SSAE 16 Types 1 & 2 (SAS 70)
      – ISO 27001/2 Certification
      – HIPAA and ITAR Compliant
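The "Managed by Customer" column of the slide is where an agency's own SSP controls live. The following script is an added example (not code from the presentation or from AWS) that turns three of those column entries into checks run over a constructed inventory snapshot: Firewalls (security group rules that expose SSH or RDP to any source address), Network Configuration (instances not placed in a VPC, which GovCloud makes mandatory), and Users and Roles (principals whose policy allows every action on every resource). The inventory schema, the function names, the resource ids and the sample ARN are all assumptions; a real audit would fill the same structure from the EC2 and IAM APIs, but nothing here calls AWS.

```python
"""Checks for the customer-managed half of the shared responsibility model.

Added example, not code from the presentation or from AWS. The inventory
layout (security_groups / instances / principals) is an assumption chosen
for illustration; populate it from the real EC2 and IAM APIs in practice.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose to arbitrary source addresses


@dataclass(frozen=True)
class Finding:
    control_area: str  # name taken from the "Managed by Customer" column of the slide
    resource: str
    detail: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_firewalls(security_groups: list[dict]) -> list[Finding]:
    """Firewalls: flag ingress rules that open an admin port to the whole internet."""
    findings = []
    for sg in security_groups:
        for rule in sg["ingress"]:
            if not _is_world_open(rule["cidr"]):
                continue
            exposed = {p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]}
            if exposed:
                findings.append(Finding("Firewalls", sg["id"],
                                        f"ports {sorted(exposed)} open to {rule['cidr']}"))
    return findings


def check_network_configuration(instances: list[dict]) -> list[Finding]:
    """Network Configuration: every instance must live inside a VPC."""
    return [Finding("Network Configuration", inst["id"], "instance is not attached to a VPC")
            for inst in instances if not inst.get("vpc_id")]


def check_users_and_roles(principals: list[dict]) -> list[Finding]:
    """Users and Roles: flag principals granted Action * on Resource * (no least privilege)."""
    findings = []
    for principal in principals:
        for stmt in principal["policy"]:
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                findings.append(Finding("Users and Roles", principal["name"],
                                        "policy allows Action * on Resource *"))
                break  # one finding per principal is enough
    return findings


def run_customer_checks(inventory: dict) -> list[Finding]:
    """Run every customer-side check and return the combined findings."""
    return (check_firewalls(inventory["security_groups"])
            + check_network_configuration(inventory["instances"])
            + check_users_and_roles(inventory["principals"]))


# Constructed sample inventory: each control area gets one compliant and one
# non-compliant item so the output shows exactly what each check catches.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-mgmt", "ingress": [{"from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "instances": [
        {"id": "i-app", "vpc_id": "vpc-1"},
        {"id": "i-legacy", "vpc_id": None},
    ],
    "principals": [
        {"name": "deploy-role", "policy": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                                            "Resource": "arn:aws-us-gov:s3:::example-bucket/*"}]},
        {"name": "admin-user", "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
}

if __name__ == "__main__":
    for finding in run_customer_checks(SAMPLE_INVENTORY):
        print(f"[{finding.control_area}] {finding.resource}: {finding.detail}")
```

Each finding is tagged with the slide's own control-area name so the output maps directly onto the SSP section where the customer documents that control; the AWS-managed layers (virtualization, physical infrastructure) are deliberately absent, because those controls are inherited from the AWS FedRAMP package rather than assessed by the customer.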
  • Useful Links & Resources
    • AWS FedRAMP Package for AWS GovCloud (US) Region
    • AWS FedRAMP SSP Template
    • http://aws.amazon.com/compliance
    • http://aws.amazon.com/compliance/#whitepapers
    • http://aws.amazon.com/compliance/fedramp-faqs
    • http://aws.amazon.com/security
    • http://aws.amazon.com/documentation
    • awscompliance@amazon.com
  • HHS Use Case: Agency FedRAMP ATO Experience – Jennifer Gray, Office of the Chief Information Officer, U.S. Department of Health and Human Services
  • Key Drivers
    • HHS Cloud Strategy
    • FedRAMP Policy Memo (OMB Policy Memo, December 8, 2011)
    • Existing HHS Cloud Systems using the AWS environment
    • HHS FedRAMP Standard Operating Procedures
  • Build Effective Team
    • OCIO Senior Leadership
    • HHS OIS Security Cloud Security Team
    • Operational Divisions (FDA, NIH, CDC, OS)
    • FedRAMP Program Management Office
    • Amazon Web Services (AWS) Risk & Compliance Team
    • 3PAO (Veris Group)
    (Diagram: FDA, NIH, CDC, the FedRAMP PMO and AWS (CSP) arranged around the HHS OIS Cloud Security Team)
  • HHS FedRAMP Security Authorization Process
    • Agency-wide FedRAMP Standard Operating Procedures
    • Released through the HHS CISO
    • Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
  • HHS FedRAMP AWS Authorization Process (process diagram)
  • AWS Achieves HHS FedRAMP ATO
    • FedRAMP Complete – May 20, 2013
    • Worked with the HHS FedRAMP Team to ensure the standard process aligns with FedRAMP PMO expectations
    • Consistent with FedRAMP CONOPs
    • Includes details about initial documentation as well as periodic updates
  • Key Lessons Learned
    • Senior Management Sponsorship
    • Merge the FedRAMP process into existing security assessment and authorization processes
    • Ensure all security artifacts are provided at least one week prior to reviews
    • Develop a full project schedule with all key stakeholders in advance
    • Develop an FAQ post ATO
    • Collect resource metrics for future planning
  • SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region – Tom Soderstrom, Jet Propulsion Laboratory, November 13, 2013
  • Agenda
    1. JPL’s Journey
    2. JPL’s Results
    3. JPL’s Future
  • 1. JPL’s Journey
  • Why Cloud Computing? Increased demand for IT. Cloud computing promised:
    • Additional, powerful options for IT
    • Increased compute and storage capability
    • Faster speed to market
    • Lower unit IT costs
    • One size does not have to fit all
    • Computing as secure as we have today
    • Needed ITAR-certified cloud computing
  • (Photo slide: Flickr image by WSDOT)
  • 2. JPL’s Results
  • JPL used Cloud Computing for Outreach… and beyond Microsoft
  • JPL used cloud computing for mission critical operations
  • … but ITAR approval took a while, producing separate ATOs for FISMA Moderate and ITAR
  • AWS GovCloud ATO (US Persons Only)
    • Accountable (CIO)
    • Letter of intent and compliance by JPL IT CTO
    • Concurrence by JPL IT Security and Infrastructure
    • Concurrence by NASA OCIO
    • Concurrence by Caltech Audit
    • Concurrence by NASA Office of Inspector General
    • Concurrence by JPL and NASA Export Control Office
    • Concurrence by Caltech/JPL Legal
    • Concurrence by additional key stakeholders
    • Adheres to JPL’s standard Policies and Procedures
  • Full 360 degree view
    • Quarterly reviews
    • Enables usage
    • Continuous awareness
  • AWS GovCloud Use Cases So Far
    • Radar Processing (large scale)
    • Virtual Workshops
    • Big Data analytics of JPL sensitive data
    • Storage and processing of Mars Exploration Rovers data
    • Rapid prototyping when some data is sensitive
    • User: “If it can handle ITAR, I don’t have to separate the data, so I’ll get started now”
    • Cyber Security: “I can use my normal tools”
    • JPL wants Glacier next
  • Amazon Glacier Total Cost Comparison – DR Use Case (chart: storage and retrieval costs over 10 years; series: Glacier, S3, SDSC, JPL Private Cloud and Denver total costs; x-axis: storage years 1 to 10; y-axis: $)
  • 3. JPL’s Future
  • MoonTours App shows the new cloud-enabled architecture: Devices + Data + Processing + Clouds
  • Please give us your feedback on this presentation SEC204 As a thank you, we will select prize winners daily for completed surveys!