Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016

Jodi Scrofani, Global Financial Services Compliance Strategist for AWS, walks through the security and compliance mechanisms that are mandatory in the financial services industry and explains how customers address them today on the AWS cloud. She explains the AWS Shared Responsibility Model, gives a detailed overview of the audits and certifications AWS has achieved, and shows the best practices and steps FSI customers should take to ensure compliance and security.

Published in: Business

  1. Welcome to the AWS Financial Services Cloud Symposium
  2. Compliance with Regulation is Doable
     "We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules." - UK Financial Conduct Authority, FG 16-5, July 2016
     "Insurance is a highly regulated industry where security, governance and compliance are key. Our internal compliance team conferred with both financial services regulators in the UK and our legal team, and they found that they could use AWS and remain compliant." - Adrian Hodgkison, Head of IT
  3. AWS & Customer Regulated Workloads (customer logos; * also an AWS customer)
  4. "It is a fallacy that Institutions can't use cloud services (because regulators don't allow them)" - G20 ITSG Meeting, Anonymous
  5. Regulated, audited, and sensitive data will be a better fit to be stored and processed in the cloud. https://aws.amazon.com/solutions/#industry https://aws.amazon.com/financial-services
  6. AWS Security as a Platform for Compliance. AWS provides financial services customers a platform on which to engineer customized security:
     • DDoS Mitigation
     • Data Encryption
     • Inventory & Configuration
     • Monitoring & Logging
     • Identity & Access Control
     • Testing & Validation
     • Availability & Resiliency
  7. Security and compliance is the highest priority at AWS. As an AWS customer, you benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment, so you can customize security on the platform to meet any number of compliance regimes that apply to your business processes and geography.
  8. AWS Security: Shared Responsibility Model
     • AWS and its customers share control over the IT environment; both parties have responsibility for managing it.
     • AWS' part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.
     • The customer's responsibility includes configuring their IT environment in a secure and controlled manner for their purposes.
     • While customers don't share their usage and configurations with AWS, AWS does share its security and control environment relevant to customers.
  9. AWS Shared Responsibility Model (aws.amazon.com/compliance/shared-responsibility-model)
     Customer: you get to define your controls IN the cloud
     • Customer content
     • Platform, applications, identity & access management
     • Operating system, network & firewall configuration
     • Client-side data encryption, server-side data encryption, network traffic protection
     AWS: takes care of security OF the cloud
     • AWS Foundation Services: compute, storage, database, networking
     • AWS Global Infrastructure: regions, availability zones, edge locations
  10. AWS Investment: Security. Three layers: AWS security protection and certification; security features in the customer environment; customer security and compliance.
     • Compliance scope: advanced security protection, enhanced auditability, EU data privacy, financial reporting, financial services, healthcare/life sciences, local requirements
     • Features and mechanisms: Amazon Inspector, AWS WAF, AWS Config Rules, EU Model Clauses, identity management, access control, usage auditing, key storage, monitoring and logs
  11. Audit & Certification Compliance Overview
  12. Tao of Cloud Compliance
     1. Partner: the cloud tech SMEs and the security/compliance SMEs
     2. Integrate: industry standards, independent benchmarking, regulatory requirements
     3. Design and Package: create a master design that meets internal and external requirements
     4. Constrain: enforce deployment to that design
     5. Deploy: mechanize a scalable governance and auditing program
  13. Step 1: Partner the cloud tech SMEs and the security/compliance SMEs
  14. Customer Governance Model: Permanent Supervision. Inputs, overlaid on the shared responsibility diagram (customer controls IN the cloud, AWS foundation services and global infrastructure OF the cloud):
     • AWS Best Practices
     • Industry Standards
     • AWS Architecture for Standards
     • Internal & Regulatory Requirements
     • Service Documentation
     • AWS Workbooks
     • AWS Technology Resources
     • AWS Agreements
  15. Step 2: Integrate industry standards, independent benchmarking, regulatory requirements
  16. Industry Standards and Benchmarking: CIS Amazon Web Services Foundations Benchmark v1.0.0. Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
  17. FFIEC Assessment Guide for AWS
  18. Step 3: Create a master design that meets internal and external requirements
  19. Create a golden environment
     • Use baseline requirements to create a gold OS image
     • Configure use of AWS services, for example:
     Amazon S3
     • Force SSE
     • Turn on logging
     • Specify retention
     • Set Amazon Glacier archiving
     • Prevent external access
     • Specify overriding permissions
     • Set event notifications
     Amazon EBS
     • Define volume type
     • Volume size limits
     • IOPS performance (input/output)
     • Data location (regions)
     • Snapshot (backup) ID
     • Encryption requirements
     Amazon Redshift
     • Cluster type (single or multi)
     • Encryption (KMS or HSM)
     • VPC location
     • External access (yes/no)
     • Security groups applied
     • Create SNS topic
     • Enforce Amazon CloudWatch alarms
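The S3 items "Force SSE" and "Prevent external access" in the golden environment are normally enforced with a bucket policy rather than left to each uploader. The block below is an added example, not code from the presentation or from AWS: it builds the standard three-statement policy (StringNotEquals plus Null on s3:x-amz-server-side-encryption, Bool on aws:SecureTransport) and includes a small evaluator so the policy can be exercised offline. The bucket name, the request contexts, and the evaluator's simplified IAM semantics (a negated operator on a key that is missing from the request does not match; only Null tests presence) are assumptions for illustration.

```python
"""Golden S3 bucket policy: force server-side encryption on uploads and refuse
plain-HTTP access, with an offline evaluator to exercise it.

Added example, not from the presentation. The policy pattern is the standard
one; the bucket name and the evaluator's simplified IAM semantics are
assumptions for illustration."""
import fnmatch

SSE_HEADER = "s3:x-amz-server-side-encryption"


def golden_bucket_policy(bucket, allowed_sse=("AES256", "aws:kms")):
    """Return a bucket policy dict (serialise with json.dumps for put-bucket-policy)."""
    arn = f"arn:aws:s3:::{bucket}"
    objects = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # SSE header present but not an approved algorithm
                "Sid": "DenyWrongSseHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_HEADER: list(allowed_sse)}},
            },
            {   # SSE header absent entirely: the case the first statement does not cover
                "Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {SSE_HEADER: "true"}},
            },
            {   # Any operation on the bucket or its objects over plain HTTP
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Simplified IAM condition semantics (assumption): a negated operator on
    a key missing from the request does not match; only Null tests presence."""
    present = key in context
    wanted = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        return (not present) == (wanted[0].lower() == "true")
    if not present:
        return False
    actual = str(context[key])
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    if operator == "Bool":
        return actual.lower() == wanted[0].lower()
    raise ValueError(f"unsupported condition operator {operator}")


def denied_by(policy, action, resource, context):
    """Sids of Deny statements matching a request; an empty list means not denied."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            hits.append(st["Sid"])
    return hits


if __name__ == "__main__":
    policy = golden_bucket_policy("fsi-golden-bucket")   # constructed bucket name
    key = "arn:aws:s3:::fsi-golden-bucket/report.csv"
    tls = {"aws:SecureTransport": "true"}
    print(denied_by(policy, "s3:PutObject", key, {**tls, SSE_HEADER: "aws:kms"}))
    print(denied_by(policy, "s3:PutObject", key, tls))                 # header absent
    print(denied_by(policy, "s3:PutObject", key, {**tls, SSE_HEADER: "none"}))
    print(denied_by(policy, "s3:GetObject", key, {"aws:SecureTransport": "false"}))
```

The second statement is the one teams most often omit: a request with no encryption header at all is exactly what an uninstructed client sends, and the Null condition is what guarantees it is refused regardless of how the negated operator treats a missing key.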
  20. Step 4: Enforce deployment to that design
  21. Enforce: AWS Service Catalog allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.
     • Control which IT services and versions are available
     • Control the configuration of the available services
     • Control permission access by individual, group, department, or cost center
     A provisioning team creates and manages Service Catalog products built from CloudFormation templates; an AWS Service Catalog product is a deployable AWS CloudFormation template.
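Because a Service Catalog product is just a CloudFormation template, the golden design can be checked mechanically before a template is published as a product. The block below is an added example, not code from the presentation or from AWS: it lints a template (parsed into a dict) for the S3, EBS and Redshift requirements listed on the golden environment slide. The CloudFormation resource and property names are real; the size and IOPS limits, the approved volume types, and both sample templates are constructed for illustration.

```python
"""Lint a CloudFormation template against the golden design before it is
registered as a Service Catalog product. Added example: property names are
real CloudFormation properties; limits and templates are constructed."""

MAX_VOLUME_GIB = 500                     # assumed internal size limit
MAX_IOPS = 10000                         # assumed internal IOPS ceiling
ALLOWED_VOLUME_TYPES = {"gp2", "io1"}    # assumed approved volume types
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")


def _lint_bucket(name, p):
    out = []
    sse = p.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in sse):
        out.append(f"{name}: default SSE not forced")
    if "LoggingConfiguration" not in p:
        out.append(f"{name}: access logging off")
    pab = p.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_ACCESS_KEYS):
        out.append(f"{name}: external access not blocked")
    transitions = [t for rule in p.get("LifecycleConfiguration", {}).get("Rules", [])
                   for t in rule.get("Transitions", [])]
    if not any(t.get("StorageClass") == "GLACIER" for t in transitions):
        out.append(f"{name}: no Glacier archiving rule")
    if "NotificationConfiguration" not in p:
        out.append(f"{name}: no event notifications")
    return out


def _lint_volume(name, p):
    out = []
    if p.get("Encrypted") is not True:
        out.append(f"{name}: EBS volume not encrypted")
    if p.get("VolumeType") not in ALLOWED_VOLUME_TYPES:
        out.append(f"{name}: volume type {p.get('VolumeType')!r} not approved")
    if int(p.get("Size", 0)) > MAX_VOLUME_GIB:
        out.append(f"{name}: size exceeds {MAX_VOLUME_GIB} GiB")
    if p.get("VolumeType") == "io1" and int(p.get("Iops", 0)) > MAX_IOPS:
        out.append(f"{name}: IOPS exceeds {MAX_IOPS}")
    return out


def _lint_redshift(name, p):
    out = []
    if p.get("Encrypted") is not True:
        out.append(f"{name}: Redshift cluster not encrypted")
    if p.get("PubliclyAccessible") is not False:
        out.append(f"{name}: cluster is publicly accessible")
    if not p.get("ClusterSubnetGroupName"):
        out.append(f"{name}: cluster not placed in a VPC subnet group")
    if not p.get("VpcSecurityGroupIds"):
        out.append(f"{name}: no VPC security groups applied")
    return out


LINTERS = {"AWS::S3::Bucket": _lint_bucket,
           "AWS::EC2::Volume": _lint_volume,
           "AWS::Redshift::Cluster": _lint_redshift}


def lint_template(template):
    """Return a list of findings; an empty list means the template may be published."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        linter = LINTERS.get(res.get("Type"))
        if linter:
            findings.extend(linter(name, res.get("Properties", {})))
    return findings


# Constructed, abbreviated templates: one that follows the design, one that drifts.
GOLDEN_TEMPLATE = {"Resources": {
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "fsi-audit-logs"},
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_KEYS, True),
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "Transitions": [
            {"StorageClass": "GLACIER", "TransitionInDays": 365}]}]},
        "NotificationConfiguration": {"TopicConfigurations": [{"Event": "s3:ObjectRemoved:*",
            "Topic": "arn:aws:sns:ca-central-1:123456789012:fsi-alerts"}]}}},
    "Scratch": {"Type": "AWS::EC2::Volume", "Properties": {
        "Encrypted": True, "VolumeType": "gp2", "Size": 100, "AvailabilityZone": "ca-central-1a"}},
    "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {
        "Encrypted": True, "PubliclyAccessible": False, "ClusterType": "multi-node",
        "NumberOfNodes": 2, "NodeType": "dc1.large", "ClusterSubnetGroupName": "fsi-private",
        "VpcSecurityGroupIds": ["sg-0123"]}}}}

DRIFTED_TEMPLATE = {"Resources": {
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Scratch": {"Type": "AWS::EC2::Volume", "Properties": {
        "VolumeType": "st1", "Size": 2000, "AvailabilityZone": "ca-central-1a"}},
    "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {
        "PubliclyAccessible": True, "ClusterType": "single-node", "NodeType": "dc1.large"}}}}

if __name__ == "__main__":
    for label, template in (("golden", GOLDEN_TEMPLATE), ("drifted", DRIFTED_TEMPLATE)):
        print(label, lint_template(template) or "OK")
```

Run this in the pipeline that publishes products so a template with any finding never reaches the catalog; users then cannot provision a bucket without SSE or a public Redshift cluster, because the only templates they can launch have already passed the design check.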
  22. Step 5: Mechanize a scalable governance and auditing program
  23. Governance & Auditing Program
  24. Tech Automation via Cloud: automate deployments, provisioning, and configuration of AWS customer environments.
     • AWS CloudFormation (Design, Package): a template defines a stack of instances, apps and resources
     • AWS Service Catalog (Constrain, Deploy): products grouped into portfolios
     • Identity & Access Management: set permissions
  25. Best Practices for a Strong Compliance Defense
     1. How is the entity using the cloud?
     2. Is the entity leveraging credible, third-party assessments?
     3. Has the entity benchmarked its use of the cloud against CIS or another independent body?
     4. How does it monitor use of the cloud?
     5. How have application, logical access, resiliency, and governance changed?
  26. Jodi Scrofani, Financial Services Compliance Strategist at AWS. Thank You! © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
