Automating Compliance Certification with Automated Mathematical Proof (SEC330) - AWS reInvent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automating Compliance Certification
With Automated Mathematical Proof
Chad Woolf
Vice President,
AWS Security
SEC330
Byron Cook
Director,
AWS Automated Reasoning
Tom McAndrew
CEO
Coalfire
The auditor’s challenge
• Complexity
• Evidence reliance
• Efficiency
• Increasing assurance
Today: Assuring characteristics of a system
Narrowed to describing the “control environment”
Narrative based
Automated controls – preventative and detective
Population sampling
Manual controls, written policies, culture
Intro to automated reasoning
• Mathematical proofs
• Proving a system condition
Automated reasoning
Applied to security controls
• Method of generation – system versus manual – Mathematically-based proof
• Completeness of coverage and scope – Evaluation of all behaviors of system enables more accurate inference of compliance than assessments of snippets of code.
• Frequency of generation – Handle greater evaluation frequency that is closer to real-time.
• Source of evidence – Objectivity of the evidence.
• Type of evidence – reliability of evidence increases depending upon the type of evidence.
New assurance methods
Semantics-based reasoning about different aspects of AWS services,
such as AWS Identity and Access Management (IAM) policies, can infer
new insight about the compliance of those services using Zelkova, Tiros,
and the Checker Framework.
Case studies
Encryption of data at rest
Use Checker Framework during build process to generate
proof that services integrated with KMS use 256-bit
length keys to meet the audit objective:
“Is this AWS service using strong encryption at all times?”
Case studies
Data privacy compliance
Use Zelkova as a method to reason about
policies that govern access to resources and
generate evidence
Case studies
Network access compliance
Use Tiros as a method of generating evidence by
evaluation of all possible network connections
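The contrast between population sampling and evaluating every possible connection can be shown on a toy model. This is an added illustration, not from the slides and not Tiros itself; the VPC range, rule names and ports are constructed sample data, and the check reasons over CIDR sets instead of testing individual source addresses.

```python
import ipaddress

# Constructed sample data: a hypothetical VPC and the inbound rules of a
# restricted database tier. None of these values come from the slides.
VPC = ipaddress.ip_network("10.0.0.0/16")
RULES = [  # (rule name, source CIDR, destination port)
    ("app-to-db", "10.0.1.0/24", 5432),
    ("admin-to-db", "10.0.0.0/7", 5432),  # typo for /16: also admits 11.0.0.0/8
]

def allowed(src, port, rules):
    """Check one concrete connection, the way a sampling-based test would."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(cidr) and port == p
               for _, cidr, p in rules)

def external_ingress(vpc, rules):
    """Decide the property for every possible source address at once.

    Two CIDR blocks are either nested or disjoint, so a rule admits a source
    outside the VPC exactly when its block is not a subnet of the VPC block.
    Returns (rule name, witness address) per violation; an empty list means
    the property holds for all 2**32 IPv4 sources.
    """
    findings = []
    for name, cidr, _port in rules:
        net = ipaddress.ip_network(cidr)
        if net.subnet_of(vpc):
            continue                      # every admitted source is inside the VPC
        if net.overlaps(vpc):             # rule block strictly contains the VPC
            outside = max(net.address_exclude(vpc))
        else:                             # rule block lies wholly outside the VPC
            outside = net
        findings.append((name, str(outside.network_address)))
    return findings

if __name__ == "__main__":
    # A spot check of a few well-known external addresses passes...
    for sample in ("203.0.113.9", "198.51.100.7"):
        print(sample, "allowed" if allowed(sample, 5432, RULES) else "denied")
    # ...while the exhaustive check returns a counterexample as evidence.
    print(external_ingress(VPC, RULES))
```

An empty result is evidence covering the whole source address space; a non-empty result gives the auditor a concrete counterexample to the control.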
More Information about Provable Security
https://aws.amazon.com/security/provable-security/