Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AWS re:Invent 2013
This session covers the shared responsibility model for security and compliance specific to the AWS GovCloud (US) region. This presentation highlights the enhanced security offerings of AWS GovCloud (US), such as FIPS-140 Level 2 encryption, as well as the supported compliance regimes. It also reviews how our customers can build secure applications in GovCloud using the various security features such as IAM and VPC. This presentation also offers a brief overview of FedRAMP, explains the shared responsibility model through customer use cases, and covers how customers can obtain an Authority to Operate.

Published in: Technology, Business
Transcript of "Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AWS re:Invent 2013"

1. SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
CJ Moses, GM – AWS Global Cloud Solutions
Chris Gile, Manager – AWS Federal Compliance Programs
Jennifer Gray – Federal Cloud Lead, HHS Enterprise Cloud Architect
Tom Soderstrom – CTO, Jet Propulsion Laboratory
November 13, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. AWS GovCloud (US)
• The AWS Government Community Cloud for vetted U.S. Government and U.S. commercial entities with ties to U.S. Government functions and services
• Built with U.S. government customers in mind and appropriate for:
  – U.S. Government agencies – US Federal, state and local entities
  – U.S. Government contractors, systems integrators, and FFRDCs
  – U.S. companies with IT regulatory requirements
• Designed to allow U.S. government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
  – Appropriate for Controlled Unclassified Information (CUI) or Unclassified data and workloads

3. AWS GovCloud (US)
• Data stays in CONUS
  – Region located in the Pacific Northwest
• Only approved AWS U.S. Persons have access to restricted areas, networks, and systems for administration
• AWS-managed account provisioning; each potential customer is vetted to ensure they are a U.S. entity and not prohibited or restricted from exporting or from providing services by the U.S. government
• Data, Network and Machine Isolation
  – Mandatory virtual private cloud (Amazon VPC) segregation for all customers, which offers an additional layer of isolation and protection
  – Separate, isolated credentials database (AWS IAM)
  – FIPS 140-2 hardware for endpoints and VPN

4. FedRAMP Overview
• FedRAMP Overview
• AWS FedRAMP Program
• Shared Responsibility Model & Achieving Compliance with AWS

5. FedRAMP Overview
• OMB mandated FedRAMP compliance for government agencies using CSPs
• Government-wide program standardizing CSP security assessments
• Four approaches for CSPs to demonstrate compliance supporting agency needs
• All FedRAMP package types in the FedRAMP repository can be leveraged by USG agencies

6. AWS’ FedRAMP Program
• Agency ATOs (2) granted by HHS May ’13 covering:
  – US East/West and GovCloud (US) Regions
  – EC2, S3, EBS, VPC, and IAM services (more on the way!)
  – Reviewed by HHS, CDC, NIH, & FDA
  – FedRAMP-accredited 3PAO assessed AWS against all 297 Moderate FedRAMP controls
• Subsequent federal agency ATOs granted based on AWS FedRAMP packages
  – Our Agency ATOs can be leveraged by any customer

7. AWS’ FedRAMP Program
• Request the AWS FedRAMP package via the FedRAMP PMO or directly from AWS
• So how do you achieve compliance using the AWS FedRAMP package?

8. Security is a Shared Responsibility (diagram)
• Managed by Customer – Compliance in the Cloud: Optimized Network/OS/App Controls; Service-specific Controls
• Managed by AWS – Compliance of the Cloud: Cross-service Controls; Cloud Service Provider Controls

9. Security is a Shared Responsibility (diagram)
Managed by Customer: Customer Data; Users and Roles; Account Management; Applications; Firewalls; Network Configuration; Guest Operating System
• Customers implement their own set of controls (shared controls)
• Customers document their implementation of controls in the SSP
• Customers conduct a 3PAO assessment
• Multiple customers with Low/Mod ATOs
• Customers tell us High ATOs are possible
Managed by AWS (AWS Global Infrastructure): Virtualization Layer; Compute Infrastructure; Storage Infrastructure; Network Infrastructure; Facilities; Physical Security
• Payment Card Industry (PCI) Data Security Standard Level 1
• NIST 800-53 Controls & multiple ATOs; FedRAMP
• DoD Compliant Controls and multiple DIACAP ATOs
• SSAE 16 Types 1 & 2 (SAS 70)
• ISO 27001/2 Certification
• HIPAA and ITAR Compliant

10. Useful Links & Resources
• AWS FedRAMP Package for AWS GovCloud (US) Region
• AWS FedRAMP SSP Template
• http://aws.amazon.com/compliance
• http://aws.amazon.com/compliance/#whitepapers
• http://aws.amazon.com/compliance/fedramp-faqs
• http://aws.amazon.com/security
• http://aws.amazon.com/documentation
• awscompliance@amazon.com

11. Office of the Chief Information Officer, U.S. Department of Health and Human Services
HHS Use Case: Agency FedRAMP ATO Experience
Jennifer Gray

12. Key Drivers
• HHS Cloud Strategy
• FedRAMP Policy Memo (OMB Policy Memo, December 8, 2011)
• Existing HHS Cloud Systems using the AWS environment
• HHS FedRAMP Standard Operating Procedures

13. Build Effective Team
• OCIO Senior Leadership
• HHS OIS Cloud Security Team
• Operational Divisions (FDA, NIH, CDC, OS)
• FedRAMP Program Management Office
• Amazon Web Services (AWS) Risk & Compliance Team
• 3PAO (Veris Group)
(diagram of stakeholders: FDA, FedRAMP PMO, NIH, HHS OIS Cloud Security Team, AWS (CSP), CDC)
14. HHS FedRAMP Security Authorization Process
• Agency-wide FedRAMP Standard Operating Procedures
• Released through the HHS CISO
• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
15. HHS FedRAMP AWS Authorization Process (process diagram)

16. AWS Achieves HHS FedRAMP ATO
• FedRAMP Complete – May 20, 2013
• Worked with the HHS FedRAMP Team to ensure the standard process aligns with FedRAMP PMO expectations
• Consistent with FedRAMP CONOPs
• Includes details about initial documentation as well as periodic updates

17. Key Lessons Learned
• Senior Management Sponsorship
• Merge the FedRAMP process into existing security assessment and authorization processes
• Ensure all security artifacts are provided at least one week prior to reviews
• Develop a full project schedule with all key stakeholders in advance
• Develop an FAQ post-ATO
• Collect resource metrics for future planning

18. SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
Tom Soderstrom, Jet Propulsion Laboratory
November 13, 2013

19. Agenda
1. JPL’s Journey
2. JPL’s Results
3. JPL’s Future

20. 1. JPL’s Journey

21. Why Cloud Computing?
Increased demand for IT. Cloud computing promised:
• Additional, powerful options for IT
• Increased compute and storage capability
• Faster speed to market
• Lower unit IT costs
• One size does not have to fit all
• Computing as secure as we have today
• Needed ITAR-certified cloud computing

22. (photo: Flickr, by WSDOT)

23. (image slide)

24. 2. JPL’s Results

25. JPL used Cloud Computing for Outreach… and beyond (Microsoft)

26. JPL used cloud computing for mission critical operations

27. … but ITAR approval took a while, producing separate ATOs for FISMA Moderate and ITAR

28. AWS GovCloud ATO (US Persons Only)
• Accountable (CIO)
• Letter of intent and compliance by JPL IT CTO
• Concurrence by JPL IT Security and Infrastructure
• Concurrence by NASA OCIO
• Concurrence by Caltech Audit
• Concurrence by NASA Office of Inspector General
• Concurrence by JPL and NASA Export Control Office
• Concurrence by Caltech/JPL Legal
• Concurrence by additional key stakeholders
• Adheres to JPL’s standard Policies and Procedures

29. Full 360 degree view
• Quarterly reviews
• Enables usage
• Continuous awareness

30. AWS GovCloud ATO (US Persons Only) – same content as slide 28

31. AWS GovCloud Use Cases So Far
• Radar Processing (large scale)
• Virtual Workshops
• Big Data analytics of JPL sensitive data
• Storage and processing of Mars Exploration Rovers data
• Rapid prototyping when some data is sensitive
• User: “If it can handle ITAR, I don’t have to separate the data, so I’ll get started now”
• Cyber Security: “I can use my normal tools”
• JPL wants Glacier next

32. Amazon Glacier Total Cost Comparison (chart)
DR Use Case: Storage and Retrieval Costs Over 10 years
Series: Glacier total costs; S3 total costs; SDSC total costs; JPL Private Cloud total costs; Denver total costs
X axis: Storage Years 1–10; Y axis: $

33. 3. JPL’s Future

34. MoonTours App shows the new cloud-enabled architecture: Devices + Data + Processing + Clouds

35. Please give us your feedback on this presentation (SEC204). As a thank you, we will select prize winners daily for completed surveys!