AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the AWS Cloud

Cloud computing on AWS provides central IT organizations with the ability to control their applications, data and security. This session will detail the processes and controls that CIO organizations can put in place to maintain control while helping their customers to realize the many benefits of cloud computing.

Published in: Technology

1. AWS Government, Education, & Nonprofits Symposium
   Canberra, Australia | May 20, 2014
   Compliance and Governance on the AWS Cloud
   Mark Ryland, Chief Solutions Architect, Worldwide Public Sector Team

2. Accreditation & Compliance, Old and New
   2013 AWS WWPS Summit, Canberra – May 23
   Old world
   •  Functionally optional (you can build a secure system without it)
   •  Audits done by an in-house team
   •  Not so much about actual security; rather, check the compliance boxes
   •  Check once a year (?)
   •  Workload-specific analysis
   New world
   •  Functionally necessary (no, you cannot visit our data centers!)
   •  Audits done by third-party auditors
   •  Better security drives better compliance and vice versa
   •  Continuous monitoring, updates
   •  Based on all workload scenarios

3. Integration of Compliance and Security
   •  In the cloud, scale, speed, and security disallow 1:1 customer/vendor security assessments
   •  But of course “trust me” is not a viable solution to the challenge
   •  Solution: rigorous compliance regimes and constant surveillance by multiple teams of expert third-party auditors are generally better than 1:1 assessments

4. Expert Audits: the Validation Scalpel
   •  Expert auditors give a 360° view of the cloud
   •  Constantly engaged; the overall process never stops
   •  “Continuous monitoring” like you’ve never seen before
   (Diagram: a ring of SMEs around the cloud; SME = subject matter expert)

5. Benefits of Scale Apply to Security and Compliance
   The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.
   (Diagram layers: Everyone’s Systems and Applications; Security Infrastructure; Security Infrastructure Requirements)
   Nothing better for the community than a tough set of customers…

6. Economies of Scale: World-class Teams
   •  Where would some of the world’s best security and compliance experts like to work?
   •  They want to work at scale: huge challenges with huge rewards!
   •  So AWS has world-class security and compliance teams watching your back!

7. AWS & Customers Share Responsibility
   AWS is responsible for the security OF the Cloud:
   •  AWS Foundation Services: Compute, Storage, Database, Networking
   •  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
   Customers are responsible for their security and compliance IN the Cloud:
   •  Customer content
   •  Platform, Applications, Identity & Access Management
   •  Operating System, Network & Firewall Configuration
   •  Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection

8. Compliance: Common Foundations
   (Diagram: AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations)

9. Meet Your Own Compliance & Security Objectives
   (Diagram: your own accreditation, your own certifications and your own external audits, layered on the AWS Foundation Services and AWS Global Infrastructure)
   •  Customer scope and effort is reduced
   •  Better results through focused efforts
   •  Built on AWS consistent baseline controls

10. … Like Several Australian Gov’t Customers
    (Diagram: your iRAP assessments and Security and Risk Management Plans, layered on the AWS Foundation Services and AWS Global Infrastructure)

11. Customers Retain Full Ownership and Control
    You can choose to keep all your content (code, data, etc.) onshore in Australia
    •  AWS makes no secondary use of customer content
    •  Manage your privacy objectives any way that you want
    •  Keep data in your chosen format and move it, or delete it, at any time you choose
    •  No automatic replication of data outside of your chosen AWS Region
    •  Customers can encrypt their content any way they choose
    Read our new whitepaper on Australian Privacy Considerations

12. AWS Governance Capabilities
    Fine-grained visibility and control for accounts, resources, data
    •  Geographic data locality: control over regional replication
    •  Fine-grained access control: policies, resource-level permissions, temporary credentials
    •  In-depth logging: AWS CloudTrail
    •  Visibility into resources and usage: service Describe* APIs and AWS CloudWatch
    •  Control over deployment: AWS CloudFormation

13. AWS Cloud Governance Mapping (Governance Area: AWS Technologies)
    Roles and Responsibilities
    •  Identity and Access Management: Groups, Policies, Roles
    •  Tag-based IAM policies
    Configuration Management
    •  Private “hardened” AMIs; others restricted via IAM policies
    •  Security-reviewed CloudFormation templates
    •  Elastic Beanstalk or OpsWorks for application lifecycle management
    Financial Controls and Reporting
    •  Billing reports; linked accounts/consolidated billing
    •  Tagging of resources
    •  CloudWatch Billing Alarms
    •  Cost Explorer
    Monitoring and Reporting
    •  CloudWatch / CloudWatch Alarms
    •  Simple Notification Service (SNS)
    •  CloudTrail API logging

14. AWS Cloud Governance Mapping (cont.)
    Information Assurance: Processing
    •  Private “hardened/gold master” AMIs (OS images)
    •  VPC network isolation for all workloads
    •  Optional dedicated EC2 instances
    •  CloudHSM service
    Information Assurance: Storage
    •  S3 AES-256 server-side encryption, client-side encryption
    •  EBS volume encryption; volume wiping before termination
    •  RDS database encryption
    •  Complete destruction of all storage media on decommissioning
    Information Assurance: Transmission
    •  SSL termination for all AWS endpoints
    •  HW/SW VPN connections
    •  DirectConnect

15. AWS Cloud Governance Mapping (cont.)
    Network Security
    •  Private addressing (Virtual Private Cloud)
    •  Route tables
    •  Network ACLs
    •  Security Groups
    •  Virtual Private Gateways
    Identification and Authentication
    •  Intrinsic IAM identities
    •  Federated IAM identities (AWS as RP); support for SAML
    •  Multi-factor authentication
    •  Groups and Roles (EC2, cross-account, federation)
    •  Strong password policies
    Authorization and Access
    •  IAM policies centrally enforced across all services
    •  Resource-based IAM policies in S3, SQS, SNS
    •  CloudTrail logging of allow/deny with rich metadata

16. AWS Cloud Governance Service Enablers (cont.)
    Disaster Recovery and Continuity of Operations: Data
    •  EBS Snapshots
    •  S3 online storage
    •  Glacier offline storage
    •  Storage Gateway
    •  Bulk data via Import/Export Service
    •  Managed AWS NoSQL/SQL database services
    •  Extensive 3rd-party solutions
    Disaster Recovery and Continuity of Operations: Workloads
    •  Elastic Load Balancers, EC2 Auto Scaling, CloudWatch
    •  Route 53 – 100% SLA; health checks, latency-based routing
    •  CloudFront CDN
    •  Multi-AZ, Multi-Region workload deployment

17. AWS Governance Tool: Trusted Advisor
    •  Trusted Advisor capabilities
       –  Analyzes the account for various kinds of issues and possible concerns
       –  New checks being added regularly
       –  Available as an API for integration with your tools or 3rd-party solutions
    •  Four categories:
       –  Cost savings
       –  Security
       –  Fault tolerance
       –  Performance
    1,000,000+ recommendations; $207M+ in cost reductions

18. AWS Governance Tool: Cost Explorer
    New portal feature
    –  Configured and custom reports
    –  View multiple linked accounts together
    –  Sort/filter by service, account, tags, etc.
    –  Custom date ranges and graph types
    –  Save any result by bookmarking the URL
    –  Download CSV data from any particular view/report

19. AWS Governance Enabler: X-Account Roles
    Cross-account roles
    –  Target accounts define a “role” (a container of access policies) and give the central account permission to assume that role
    –  The central account can assume roles to access multiple accounts within the same org without credential sharing
    –  Powerful way for the IT team to provide central auditing and management
    –  CloudTrail logs, S3 logs, RDS logs, etc.; future features giving more transparency
    –  Today: API level only, but in the future …
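The cross-account role pattern on slide 19 and the CloudTrail allow/deny logging on slide 15, as an added Python example that is not part of the deck: the trust policy a target account attaches to its audit role, and a check that compares CloudTrail AssumeRole records against that policy, flagging denied attempts and successful calls from accounts the policy does not name (a sign the live trust policy has drifted from the one on file). The account ids, the role name CentralAudit and the sample records are constructed placeholders; the record field names are the standard CloudTrail ones.

```python
import re

# Constructed account ids and role name; placeholders, not real AWS accounts.
CENTRAL_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
AUDIT_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/CentralAudit"

def trust_policy(central_account):
    """Trust policy the target account attaches to its role: only principals of the central account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{central_account}:root"},
            "Action": "sts:AssumeRole"}]}

def trusted_accounts(policy):
    """Account ids named as AWS principals in the policy's Allow statements."""
    accounts = set()
    for st in policy["Statement"]:
        principals = st.get("Principal", {}).get("AWS", []) if st.get("Effect") == "Allow" else []
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            m = re.search(r"arn:aws:iam::(\d{12}):", p)
            accounts.add(m.group(1) if m else p)
    return accounts

def audit_assume_role(records, role_arn, policy):
    """Findings for AssumeRole events on role_arn: denied attempts (CloudTrail
    records allow/deny) and successes from accounts the trust policy does not name."""
    allowed = trusted_accounts(policy)
    findings = []
    for rec in records:
        if rec.get("eventName") != "AssumeRole" or \
                rec.get("requestParameters", {}).get("roleArn") != role_arn:
            continue
        caller = rec.get("userIdentity", {}).get("accountId", "?")
        if rec.get("errorCode"):
            findings.append(("denied", caller, rec["errorCode"]))
        elif caller not in allowed:
            findings.append(("untrusted-caller", caller, "succeeded"))
    return findings

SAMPLE_RECORDS = [  # constructed; real records carry many more fields
    {"eventName": "AssumeRole", "userIdentity": {"accountId": CENTRAL_ACCOUNT},
     "requestParameters": {"roleArn": AUDIT_ROLE_ARN}},
    {"eventName": "AssumeRole", "userIdentity": {"accountId": "333333333333"},
     "requestParameters": {"roleArn": AUDIT_ROLE_ARN}, "errorCode": "AccessDenied"},
    {"eventName": "AssumeRole", "userIdentity": {"accountId": "444444444444"},
     "requestParameters": {"roleArn": AUDIT_ROLE_ARN}},
]
```

Run `audit_assume_role(SAMPLE_RECORDS, AUDIT_ROLE_ARN, trust_policy(CENTRAL_ACCOUNT))` to get the two findings; the call from the central account produces none.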
20. Read our AWS security, compliance and privacy whitepapers and best practices
    •  http://blogs.aws.amazon.com/security
    •  http://aws.amazon.com/compliance
    •  http://aws.amazon.com/security
    Best practices and guidance on compliance:
    •  Australian Privacy Considerations
    •  AWS Risk and Compliance
    •  Security and governance best practices
    •  Audit and operational checklists

21. THANK YOU
    Please give us your feedback by filling out the Feedback Forms
    AWS Government, Education, & Nonprofits Symposium
    Canberra, Australia | May 20, 2014