#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS

Clarke Rodgers (CISO, SCOR Velogica)'s presentation on SCOR's journey to SOC2/TYPE2 via AWS at the NYC Alert Logic Cloud Security Summit on June 14th, 2016.

Published in: Technology
1. VELOGICA’S JOURNEY TO SOC2/TYPE2 VIA AWS
   Clarke Rodgers, CISO, SCOR Velogica
2. About
   • SCOR Velogica
     - Business unit within SCOR Global Life Americas
     - Location: Charlotte, NC
     - Home to the Velogica automated life insurance underwriting Service (B2B).
     - Over 2.5 million underwriting recommendations have been issued by the Velogica Service since its inception.
   • Our Customers
     - Direct Life Insurers
     - Focused on the Velogica platform’s business agility and the security of their customers’ data.
3. Challenge
   Business Problem
   • Security questionnaires & related due diligence taking up too much time and resources during the sales cycle.
   How do we prove to our future and existing clients that we have best-in-class security?
4. Solution
   Business Solution
   • Obtain an internationally recognized and accepted third-party assurance report attesting to the security controls in place at SCOR Velogica.
   • Provide the report to clients (and prospective clients) in lieu of spreadsheet exchanges, meetings, etc.
   • Do it quickly.
5. What is SOC2/Type2?
   • Set of standards (Trust Principles) developed by the AICPA covering:
     - Security (base report)
     - Confidentiality (additive)
     - Availability (additive)
     - Processing Integrity (additive)
     - Privacy (additive)
   • Controls are reviewed and tested annually (at minimum) by a third-party auditing firm.
   • Becoming the de facto standard of third-party assurance reports for security controls.
   Learn more at www.aicpa.org
6. SOC2 by way of AWS
   For SCOR Velogica, the best path to achieving SOC2/T2 attestation was to move to AWS by:
   • Focusing on OUR expertise: the controls, development & operations that are key to our business (e.g. the Velogica web service).
   • Relying on best-of-breed trusted third parties (e.g. AWS, 2nd Watch & Alert Logic) to do what THEY do best:
     - AWS – cloud computing infrastructure, management platform & services.
     - 2nd Watch – (MCSP) professional services [design & migration] and managed cloud operations.
     - Alert Logic – (MSSP) security monitoring, log correlation and 24/7 security operations.
7. Key Decisions – SCOR Velogica AWS Migration
   1. Develop cloud expertise internally?
   2. Migrate to AWS platforms & services or perform a “lift and shift” of our existing platform?
   3. How do we communicate/educate our clients on the move?
   Pro tip: Don’t assume everyone knows that Amazon is in the datacenter business.
8. Shared Responsibility Model
9. A note about Trust
   The more you know about a provider, and the more transparent they are about their services, the more trust you can place in their offerings and their ability to execute. We:
   1. Reviewed (under NDA) available assurance reports for each key provider.
   2. Made site visits, interviewed key personnel and asked detailed questions that mattered the most to our business.
   3. Met with current customers to get their insights on the providers.
   It is YOUR responsibility to thoroughly vet your providers.
10. For your further investigation
   AWS
   • Has more certified platforms and services (for your workloads) than any other cloud provider… and the list keeps growing.
   • Internal operations are validated and published (under NDA) for customer review (see aws.amazon.com/compliance for more info).
   2nd Watch
   • Maintains SOC2/Type2 attestation.
   • Audited by AWS under partner program agreement.
   Alert Logic
   • Maintains SOC1/Type2 and SOC2/Type2 attestations.
   • Audited by AWS under partner program agreement.
11. Our Enhanced Security Posture in AWS
   If it logs, we log it.
   If it can be encrypted, we encrypt it.
12. SCOR Velogica’s Cloud Security Program
   Each member of the team excels at their individual strengths, making the entire team stronger.
   • AWS – Foundational cloud platform with resilient architecture. Security baked into every product and service. API driven. Strong security partner ecosystem.
   • Alert Logic – Security operations expertise. Threat & vulnerability management, log monitoring & correlation. Security intelligence & threat research, etc.
   • 2nd Watch – Secure cloud design and best practices. Patching, Antivirus, Web Proxy, Active Directory, Hardened builds, IAM, Infrastructure & application monitoring, etc.
   • SCOR Velogica – Overall responsibility for the program. Secure application development, Access Review, Security Awareness, Incident Response coordination, Reporting, Client interaction, etc.
   Oversight of the entire program is the customer’s (your) responsibility. If your vendors aren’t measuring up, find different ones, coach the ones you have or do it yourself.
13. So what does “All-in AWS” mean exactly?
   Three pieces of our critical infrastructure NOT in AWS:
   • Desk Phones.
   • Internet Connection.
   • Printers.

   • Secure MFA access to AWS Workspaces from anywhere on any supported device.
   • Customer-facing Velogica Web Service – in AWS.
   • All application development – in AWS.
   • All customer billing & operations – in AWS.
   • All core infrastructure (e.g. Active Directory, network file shares, etc.) – in AWS.
   • Business Continuity – in AWS.
   • Disaster Recovery – in AWS.
   All new technology product and service purchases are either AWS-friendly or other third-party SaaS offerings (e.g. Office 365). If not, we don’t buy it!
14. Non-SOC2-related benefits of our move to AWS
   • Failure is cheap.
   • Granular control over our costs.
   • Real-time detailed inventory of everything we have.
   • Built-in metrics of what is being used and what isn’t.
   We are at the cusp of the cloud computing revolution. It is really just starting and we’ve positioned ourselves to take full advantage of all the innovations yet to come. Exciting times!
15. Next steps for SCOR Velogica
   • Maintain SOC2/Type 2.
   • Exploit the AWS platform to our business advantage:
     - Continue the automation of our entire software development lifecycle.
     - Build an automated, event-driven security program to address human errors/misconfiguration.
     - Duplicate the application environment when needed to support international expansion of the Velogica platform.
     - Continue maturing our DevOps/DevSecOps culture within the development & infrastructure/ops teams.
     - Training & Certification path for everyone who wants it.
16. Final Thoughts: What business are you in?
   At SCOR Velogica, we provide the leading automated life insurance underwriting platform in the industry. We are experts in automated life insurance underwriting. We are not:
   • In the datacenter management business.
   • In the enterprise infrastructure/cloud management business.
   • In the security monitoring/threat analytics and log review business.
   There are others who will operate in the above spaces with an expertise that will be hard to match, because that is their focus.
17. Resources
   • AWS Compliance - https://aws.amazon.com/compliance/
   • AWS Security - https://aws.amazon.com/security/
   • AWS Contact for SOC1, SOC2 & PCI Compliance packages - https://aws.amazon.com/compliance/contact/
   • PCI FAQs, including which AWS services are in scope - https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
   • Introduction to AWS Security - https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf
   • Cloud Security Whitepaper - https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
   • Cloud Security Best Practices - https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
   • AWS Well-Architected Framework - https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
   • AWS Cloud Adoption Framework Documents:
     o https://d0.awsstatic.com/whitepapers/Maturity_Perspective_v1.0.pdf
     o https://d0.awsstatic.com/whitepapers/Process_Perspective_v1.0.pdf
     o https://d0.awsstatic.com/whitepapers/Operations_Perspective_v1.0.pdf
     o https://d0.awsstatic.com/whitepapers/AWS_CAF_People_Perspective.pdf
     o https://d0.awsstatic.com/whitepapers/Platform_Perspective.pdf
     o https://d0.awsstatic.com/whitepapers/Business_Perspective_v1.0.pdf
     o https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
   • AWS Blogs to Read Every Day - https://aws.amazon.com/blogs/aws/ ; https://blogs.aws.amazon.com/security/
   • AWS Case Studies - https://aws.amazon.com/solutions/case-studies/enterprise-it/?hp=tile
   • AWS Global Infrastructure - https://aws.amazon.com/about-aws/global-infrastructure/?hp=tile
   • Example of what can be done in AWS that can’t be matched on premise (from a security perspective) - https://securosis.com/blog/event-driven-security-on-aws-a-practical-example
   • Must-attend events: https://aws.amazon.com/summits/ ; https://reinvent.awsevents.com/
   • Training Resources (other than official AWS courses): https://cloudacademy.com/
   • Books – Consumption Economics by J.T. Wood & The Phoenix Project by Gene Kim and Kevin Behr
18. Connect
   https://www.linkedin.com/in/clarkerodgers
   crodgers@scorvelogica.com
   https://www.twitter.com/clarkerodgers
19. Thank you.
