Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automating Compliance Certification with Automated Mathematical Proof (SEC330) - AWS reInvent 2018.pdf

1,083 views

Published on

At AWS, we have begun using automated mathematical proof search methods to automate compliance certification. Our approach uses automated mathematical proof tools to find arguments that express, in a repeatable precise way, what controls are used, and why and how they are correctly implemented. In this chalk talk, learn how auditors can independently validate design and operating effectiveness using open-source and community-validated tools. This validation approach provides evidence of the operating effectiveness of a control at all times, for all operations. This approach can reduce costs and takes the time spent achieving compliance certification from months to seconds. This approach can also remove ambiguity from what it means to be compliant with a particular control.

  • Be the first to comment

  • Be the first to like this

Automating Compliance Certification with Automated Mathematical Proof (SEC330) - AWS reInvent 2018.pdf

  1. 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automating Compliance Certification With Automated Mathematical Proof Chad Woolf Vice President, AWS Security S E C 3 3 0 Byron Cook Director, AWS Automated Reasoning Tom McAndrew CEO Coalfire
  2. 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The auditor’s challenge Complexity Evidence reliance Efficiency Increasing assurance
  3. 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Today: Assuring characteristics of a system Narrowed to describing the “control environment” Narrative based Automated controls – preventative and detective Population sampling Manual controls, written policies, culture
  4. 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Intro to automated reasoning • Mathematic proofs • Proving a system condition
  5. 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automated reasoning Applied to security controls • Method of generation – system versus manual – Mathematically-based proof • Completeness of coverage and scope –Evaluation of all behaviors of system enables more accurate inference of compliance than assessments of snippets of code. • Frequency of generation – Handle greater evaluation frequency that is closer to real-time. • Source of evidence – Objectivity of the evidence. • Type of evidence – reliability of evidence increases depending upon the type of evidence.
  6. 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. New assurance methods Semantics-based reasoning about different aspects of AWS services, such as AWS Identity and Access Management (IAM) policies, can infer new insight about the compliance of those services using Zelkova, Tiros, and the Checker Framework.
  7. 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  8. 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Case studies Encryption of data at rest Use Checker Framework during build process to generate proof that services integrated with KMS use 256-bit length keys to meet the audit objective: “Is this AWS service using strong encryption at all times?”
  9. 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Case studies Data privacy compliance Use Zelkova as a method to reason about policies that govern access to resources and generate evidence
  10. 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Case studies Network access compliance Use Tiros as a method of generating evidence by evaluation of all possible network connections
  11. 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  12. 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. More Information about Provable Security https://aws.amazon.com/security/provable-security/
  13. 13. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  14. 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

×