
Building for the Public Sector


This deck is intended to help start-ups, ISVs, SIs and other organisations understand the security and assurance requirements for providing services to the UK public sector.


  1. Building for the Public Sector. Simone Hume, Matt Johnson, AWS Public Sector UK Team, 26th September 2017. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Introduction to AWS
  3. Retail, Devices, Media, Web Services: innovating on behalf of our customers.
  4. What Is Cloud Computing? The on-demand delivery of IT resources over public or private networks with zero up-front costs, no long-term contracts, and pay-as-you-go pricing.
  5. Traditional Infrastructure vs AWS Cloud. Traditional infrastructure: equipment, resources and administration, contracts, cost. AWS Cloud: no up-front expense, pay for what you use, improve time to market and agility, scale up and down, self-service infrastructure.
  6. AWS Pace of Innovation (new services and features released per year): 2011: 80+; 2012: 160; 2013: 280; 2014: 516; 2015: 722; 2016: 1017.
  7. AWS Service Portfolio (diagram). Infrastructure: Regions, Availability Zones, Points of Presence. Core services: Compute (VMs, auto-scaling, load balancing); Storage (object, block, archival, import/export); Databases (relational, NoSQL, caching, migration); Networking (VPC, Direct Connect, DNS, CDN). Security & Compliance: access control, identity management, key management and storage, monitoring and logs, assessment and reporting, resource and usage auditing, configuration compliance, web application firewall. Hybrid architecture: data backups, integrated app deployments, Direct Connect, identity federation, integrated resource management, integrated networking. Higher-level services: Analytics (data warehousing, Hadoop/Spark, streaming data collection and analysis, machine learning, Elasticsearch, business intelligence); App Services (queuing and notifications, workflow, search, email, transcoding, API Gateway); Mobile Services (identity, sync, push notifications, mobile analytics); Enterprise Apps (virtual desktops, sharing and collaboration, corporate email, backup); Development & Operations (one-click app deployment, DevOps resource management, application lifecycle management, containers, triggers, resource templates); IoT (rules engine, device shadows, device SDKs, registry, device gateway). Marketplace: business apps, business intelligence, databases, DevOps tools, networking, security, storage. Technical & Business Support: account management, support, professional services, training and certification, security and pricing reports, partner ecosystem, solutions architects.
  8. AWS Global Infrastructure: 16 Regions, 44 Availability Zones, 77 Edge Locations (map showing each Region with its number of Availability Zones, plus new Regions coming soon).
  9. EU (London) Region is now live! Launched on 13th December 2016. • 3rd AWS Region in Europe • 2 more Regions coming in Europe (Paris and Stockholm)
  10. Key Benefits of the AWS approach to Regions • Customer chooses where to place data • AWS Regions are geographically isolated and highly available by design • Data is not replicated to other AWS Regions and doesn't move unless the customer chooses to move it • Customers manage access to their customer content and to AWS services and resources. https://aws.amazon.com/compliance/data-privacy-faq/
  11. AWS in the Public Sector: tens of thousands of government agencies, education institutions, and nonprofit organizations around the world use AWS.
  12. Public Sector Institutions Use AWS Worldwide
  13. AWS Partners Focused on Public Sector
  14. JustGiving Supports 24 Million Users on Charity Site Using AWS. JustGiving is a major online platform that supports charitable giving; the organization is based in London. • Needed a new platform to support general operations and a new analytics service • Moved to AWS, using a wide range of services • Can scale the system faster in response to unanticipated spikes in traffic • Receives query results in seconds compared to 30 minutes under the old system • Obtains deeper insights into billions of data points, using the information to deliver better services. "Using the new AWS tools, we can extract much finer-grained data points based on millions of donations and billions of visits, and then use that information to provide a better platform for our visitors." Richard Atkinson, Chief Information Officer, JustGiving
  15. Customer Engagement Model
  16. AWS Enterprise Engagement Model: the customer is supported by an Account Manager, a Solutions Architect, Business Development, ProServe, Partners (SIs, ISVs and MSPs) and a Technical Account Manager.
  17. Your AWS Account Team. Account Manager (AM): • Your primary contact point into AWS • Pricing and contract enquiries and escalations • Office hours. Solutions Architect (SA): • Architectural design and Well-Architected workshops • Roadmap workshops and Service Team engagements • Technical queries (note: NOT 24x7 service support!) • Office hours. Business Development Manager (BD / BM / BDM): • Strategic initiatives, marketing, wider community engagement
  18. Your extended AWS Account Team. Sector Leads: • Lead the account team within specific sectors • Central Gov, Local Gov, Health, Education, NfP, NatSec. Technical Account Manager (TAM): • Primary contact for support-related questions and escalations • Infrastructure Event Management (IEM) • Operational Excellence workshops. Professional Services (ProServe / ProServ / PS): • Short-term consultancy and CAF / migration services • Resident Architects • Paid engagements (via Statements of Work)
  19. A Path to Success: Your APN Journey Starts Now (2017). © 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  20. What to Expect: • State of the AWS Partner Ecosystem • The APN Partner Journey • Building Your Business on AWS and Progressing Through APN Tiers
  21. AWS Partner Network. Growth: 10,000+ APN Partners have joined the APN in the past 12 months; 110% YoY growth in AWS Consulting Partners; 130% YoY growth in AWS Managed Service Partners; 60%+ of APN Partners are headquartered outside the U.S. Use of APN Partner solutions and services: 90%+ of the Fortune 100; AWS customers use 370M EC2 hours per month for AWS Marketplace products.
  22. Building Programs at the Speed of Cloud. Tiers: Registered, Standard, Advanced, Premier. Partner types: Consulting, Technology. Programs: MSP Program, Competency Program, Service Delivery Program, Channel Reseller Program, AWS Marketplace.
  23. The APN Partner Journey (AWS Partner Network)
  24. The Benefits of Becoming an APN Partner: Partner Resources, Business Planning, Visibility, Go-to-Market Funding
  25. APN Partner Journey: Your Journey Starts Now
  26. APN Partner Journey: Register, Training, Building Your Business
  27. Getting to Standard (Consulting Partner). Registered: Getting Started on AWS. Standard: 2 customer references, 4 accreditations, 2 Associate certifications, $1K+ in AWS spend.
  28. Getting to Standard (Technology Partner). Registered: Getting Started on AWS. Standard: product in GA on AWS, 2 customer references.
  29. Getting to Advanced (Consulting Partner). Registered: Getting Started on AWS. Standard: 2 customer references, 4 accreditations, 2 Associate certifications, $1K+ in AWS spend. Advanced: 6 customer references, 20 accreditations, 4 Associate certifications, 2 Professional certifications, $50K in AWS spend.
  30. Getting to Advanced (Technology Partner). Registered: Getting Started on AWS. Standard: product in GA on AWS, 2 customer references. Advanced: product in GA on AWS, AWS Technical Validation, 6 customer references, $50K US+ in AWS spend, or AWS Competency holder.
  31. Get Started Today. Learn about the APN at: https://aws.amazon.com/partners/ Register for the APN Portal. See AWS Partner Success: https://aws.amazon.com/partners/success/ Stay in touch with us: APN Blog & @AWS_Partners
  32. G-Cloud
  33. What is G-Cloud? • It is a UK Government framework for the procurement of commodity-based, pay-as-you-go cloud services and their associated support services. • The framework is owned by Crown Commercial Service (CCS) and hosted online through the 'Digital Marketplace'. • It is open to any UK public sector entity that is able to list tenders under OJEU.
  34. What is G-Cloud? • Customers (referred to as 'Buyers') are able to assess Supplier offerings through their Digital Marketplace entries, and award business to a selected Supplier. • It allows public sector customers to comply with procurement regulation and procure flexible cloud services in a 'compliant' manner.
  35. How do Customers use it? Customers follow a structured process designed to ensure they buy fairly. They: • Internally prepare their requirements • Search on the Digital Marketplace using keywords and filters • Compare listed services using a scoring system (MEAT, Most Economically Advantageous Tender) • Choose the service/Supplier and notify the Supplier of the award
  36. How do Customers use it? • Find out more about the process Buyers follow here: https://www.gov.uk/guidance/g-cloud-buyers-guide • To complete the purchase, Customers and Suppliers mutually agree and execute a Call-Off Contract.
  37. AWS on G-Cloud • From the Digital Marketplace • A search for AWS currently returns 1,100+ results • https://www.digitalmarketplace.service.gov.uk/g-cloud/search?q=aws
  38. Any questions so far?
  39. Security on AWS
  40. Security is Our No. 1 Priority: Designed for Security, Constantly Monitored, Highly Automated, Highly Available, Highly Accredited. https://aws.amazon.com/security/
  41. Economies of Scale Apply to Security and Compliance. Tough scrutiny, market-leading capabilities, constant improvements, and a world-class AWS security team benefit the whole client community: the stringent requirements of a few customers, applied to the AWS security infrastructure, set a higher standard for everyone's systems and applications.
  42. AWS is Architected for Government Security Requirements. Certifications and accreditations for workloads that matter: compliant solutions (certification logos shown, including MTCS). AWS CloudTrail and AWS Config: API call logging and configuration management for governance and compliance • Log, review and alarm on all user actions • Browse and query a database of the current and previous state of cloud resources
  43. AWS Shared Responsibility Model
  44. Applying the Shared Responsibility Model. Security of the cloud: • Security measures that AWS implements and operates • AWS security standards shown by certifications and attestations. Security in the cloud: • Security measures that the customer implements and operates • Certifications and attestations can be used by customers when undertaking risk assessments or using frameworks such as the NCSC Cloud Security Principles
  45. AWS Compliance. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programmes.
  46. AWS Security Tools & Features: Infrastructure Security, Inventory & Configuration, Data Encryption, Identity & Access Control, Monitoring & Logging, AWS Partner Solutions
  47. Access a deep set of cloud security tools. Networking: Amazon VPC, AWS Direct Connect, VPN connection, Security Groups, route tables, Flow Logs, AWS WAF, AWS Shield. Encryption: AWS KMS, AWS CloudHSM, AWS Certificate Manager, client-side encryption. Identity: IAM, temporary security credentials, SAML federation, AWS Directory Service, Active Directory integration, AWS Organizations. Compliance & Governance: AWS Artifact, Amazon Inspector, AWS Trusted Advisor, AWS Service Catalog, Amazon CloudWatch, AWS CloudFormation, AWS CloudTrail, AWS Config, Amazon EC2 Systems Manager.
  48. What does this mean? • You benefit from an environment built for the most security-sensitive organizations • AWS manages 1,800+ security controls so you don't have to • You get to define the right security controls for your workload sensitivity • You always have full ownership and control of your data
  49. UK OFFICIAL
  50. Government Digital Service (GDS): "It's possible for public sector organisations to safely put highly personal and sensitive data into the public cloud." "Cloud providers have a significant budget to maintain, patch and secure their cloud infrastructure. This means public cloud services can mitigate many common risks that often pose challenges for government organisations." As published on: https://www.gov.uk/guidance/public-sector-use-of-the-public-cloud
  51. Security benefits from using AWS. Some of the security benefits of AWS include: • Keep your data safe: the AWS infrastructure puts strong safeguards in place to help protect customer privacy, and all data is stored in highly secure AWS data centers. • Meet compliance requirements: AWS manages dozens of compliance programs in its infrastructure, so segments of your compliance work have already been completed. • Scale quickly: security scales with your AWS cloud usage; no matter the size of your business, the AWS infrastructure is designed to keep data safe.
  52. Public sector customers running on AWS. Find out more at: www.london.aws
  53. The G-Cloud Security approach. "Impact Levels are no longer relevant to describe the security properties and accreditation of different services." "…in the OFFICIAL tier, we will be adopting the Cloud Security Principles. Buyers should be choosing a service that meets their requirements and then deciding if a higher level of security is required or not." Taken from the GDS blog published at: https://digitalmarketplace.blog.gov.uk/2014/06/09/the-g-cloud-security-approach/
  54. What is OFFICIAL? As published in: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf
  55. National Cyber Security Centre (NCSC) Cloud Security Principles: 1. Data in transit protection 2. Asset protection & resilience 3. Separation between users 4. Governance framework 5. Operational security 6. Personnel security 7. Secure development 8. Supply chain security 9. Secure user management 10. Identity & authentication 11. External interface protection 12. Secure service administration 13. Audit information for users 14. Secure use of the service. As published on: https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles
  56. Alignment with NCSC's Cloud Security Principles. AWS has published a whitepaper providing guidance on alignment with NCSC's Cloud Security Principles: http://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Principles.pdf
  57. Key certifications / reports for UK public sector. These reports can be used (under NDA) by customers to demonstrate existing AWS security controls against the Cloud Security Principles or other assessment criteria.
  58. Key frameworks for UK public sector: NCSC Cloud Security Principles, Center for Internet Security, G-Cloud Framework. These frameworks can be used by customers to demonstrate alignment of AWS security controls against the NCSC Cloud Security Principles or other assessment criteria.
  59. Accessing AWS Compliance Reports. AWS Artifact: • On-demand access to AWS' compliance reports • Globally available • Easy identification • Quick assessments • Continuous monitoring • Enhanced transparency
  60. Guidance on use of public cloud (GDS): "Well-executed use of public cloud services will be appropriate for the vast majority of government information and services. However, each organisation needs to make their own risk-based decision for their specific systems or data." "You should understand how responsibility for security is shared between you and the cloud provider." As published on: https://www.gov.uk/guidance/public-sector-use-of-the-public-cloud
  61. NCSC guidance for choosing cloud services: 1. Know your business requirements 2. Understand your information 3. Determine relevant security principles 4. Understand how principles are implemented 5. Understand level of assurance offered 6. Identify additional mitigations 7. Consider residual risks 8. Continue to monitor & manage the risks. As published on: https://www.ncsc.gov.uk/guidance/introduction-understanding-cloud-security
  62. Connecting to PSN & N3 / HSCN
  63. Connecting AWS to Private Networks • The approach uses Direct Connect (DX) to cross-connect • The private network is extended into a Gateway VPC • The Gateway VPC peers with Application VPCs • Cross-connectivity into government private networks is delivered via DX Partners • N3 / HSCN: Redcentric • PSN-A, PSN-P: Level 3 • Available now; contact AWS for details. Practitioner caveat (not on the slide): VPC peering is not transitive and does not support edge-to-edge routing, so traffic that arrives in the Gateway VPC over Direct Connect is not forwarded across the peering into an Application VPC by routing alone. The Gateway VPC needs a proxy or NAT layer that terminates the private-network session and originates a new one towards the Application VPC, and the Application VPC route tables and security groups should admit only those gateway hosts.
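The Gateway VPC pattern on this slide, modelled as an added example (this is not AWS code or material from the deck): a small Python model of the peering rule that constrains it, showing why a Gateway VPC without a terminating proxy cannot deliver private-network traffic into a peered Application VPC, and why a VPC two peerings away is never reachable. The names gateway-vpc, app-vpc-1, app-vpc-2, data-vpc, psn-assured and proxy-a are made up; route tables, NACLs and security groups are not modelled and still have to permit the flow in a real deployment.

```python
"""Added example: model of the Gateway VPC pattern's routing constraint.

Not AWS code. It encodes one documented rule of VPC peering: peering is not
transitive, and it does not support edge-to-edge routing, so packets that
enter a VPC over Direct Connect (via a virtual private gateway) are not
forwarded across a peering connection into another VPC. A Gateway VPC that
fronts a government private network therefore needs hosts (proxies or NAT
instances) that terminate the inbound session and originate a new one to
the Application VPC. VPC, network and host names below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Vpc:
    name: str
    # Private networks reachable via a Direct Connect / VGW attached to this VPC.
    edge_networks: Set[str] = field(default_factory=set)
    # VPCs this one has a peering connection with.
    peers: Set[str] = field(default_factory=set)
    # Hosts here that terminate a flow and open a new, VPC-originated one.
    proxies: Set[str] = field(default_factory=set)


def peer(vpcs: Dict[str, Vpc], a: str, b: str) -> None:
    """Record a VPC peering connection; peering is symmetric."""
    vpcs[a].peers.add(b)
    vpcs[b].peers.add(a)


def reachable(vpcs: Dict[str, Vpc], src_network: str, dst_vpc: str) -> Tuple[bool, str]:
    """Decide whether traffic from a private network can reach dst_vpc.

    Returns (True, path) or (False, reason). Only the peering and edge rules
    are modelled; route tables, NACLs and security groups are out of scope.
    """
    gateways = [v for v in vpcs.values() if src_network in v.edge_networks]
    if not gateways:
        return False, f"{src_network} is not attached to any VPC via Direct Connect"
    gw = gateways[0]
    if gw.name == dst_vpc:
        return True, f"{src_network} -> {gw.name} over the gateway"
    if dst_vpc not in gw.peers:
        return False, (f"{gw.name} is not peered with {dst_vpc}; peering is not "
                       "transitive, so a path through a third VPC does not exist")
    if not gw.proxies:
        return False, ("edge-to-edge routing is unsupported: traffic arriving over "
                       f"Direct Connect in {gw.name} is not forwarded across the "
                       f"peering to {dst_vpc}")
    proxy = sorted(gw.proxies)[0]
    return True, f"{src_network} -> {gw.name} [{proxy} terminates the flow] -> {dst_vpc}"


def slide_topology(with_proxy: bool) -> Dict[str, Vpc]:
    """Constructed topology mirroring the slide: one Gateway VPC peered with
    two Application VPCs, plus a data VPC reachable only from app-vpc-1."""
    vpcs = {name: Vpc(name) for name in ("gateway-vpc", "app-vpc-1", "app-vpc-2", "data-vpc")}
    vpcs["gateway-vpc"].edge_networks.add("psn-assured")  # delivered via a DX partner
    peer(vpcs, "gateway-vpc", "app-vpc-1")
    peer(vpcs, "gateway-vpc", "app-vpc-2")
    peer(vpcs, "app-vpc-1", "data-vpc")
    if with_proxy:
        vpcs["gateway-vpc"].proxies.add("proxy-a")
    return vpcs


if __name__ == "__main__":
    for with_proxy in (False, True):
        vpcs = slide_topology(with_proxy)
        for dst in ("gateway-vpc", "app-vpc-1", "data-vpc"):
            ok, why = reachable(vpcs, "psn-assured", dst)
            print(f"proxy={with_proxy!s:5} {dst:12} {'OK' if ok else 'NO'}  {why}")
```

Running it prints, for each of the two topologies, which destinations are reachable from the private network and the rule that blocks the others; the only change between the failing and the working case is the presence of a terminating host in the Gateway VPC.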
  64. AWS PSN Certificates for the UK Region. (1) 12-month PSN connection compliance certificate: "This is to certify that Amazon Web Services Inc has had its compliance reviewed and has demonstrated that its infrastructure is sufficiently secure to connect to the PSN during the following period: date issued 17 February 2017, expiry date 17 February 2018. For and on behalf of the Public Services Network, Mark Smith, PSN Head of Compliance. This Public Services Network (PSN) connection compliance certificate is issued following completion of the PSN compliance verification process. It shows that your organisation has successfully achieved PSN compliance by demonstrating to the PSN team that your infrastructure is sufficiently secure that your connection to the PSN would not present an unacceptable risk to the security of the network. Your certificate is valid until the expiry date shown above. It may be withdrawn at any time in accordance with the PSN Code of Connection (CoCo) if it is found that you no longer meet the agreed standards." (2) PSN service provision compliance certificate: "This is to certify that Amazon Web Services Inc has had its compliance reviewed and has demonstrated that its SRV_0396 AWS UK Region service is sufficiently secure to be made available to PSN-connected organisations during the following period: date issued 17 February 2017, expiry date 17 February 2018. For and on behalf of the Public Services Network, Mark Smith, PSN Head of Compliance. This Public Services Network (PSN) service provision compliance certificate is issued following completion of the PSN Service Security Standards (PSSS) process. It shows that your organisation has successfully demonstrated to the PSN team that the above service is suitable for handling public sector information at OFFICIAL and does not present an unacceptable risk to the security of the PSN. Your certificate is valid until the expiry date shown above. It may be withdrawn at any time in accordance with the PSN Code of Practice (CoP) if it is found that the certified service no longer meets the agreed standard."
  65. Summary. AWS suitable for hosting public sector workloads: • OFFICIAL classified systems… • …including the "Sensitive" handling caveat • Available in all AWS EU Regions. Government network connectivity: • PSN Assured and PSN Protected networks • N3 (and HSCN when launched) • Other networks are currently being scoped • Available in the AWS London Region
  66. AWS Quick Starts
  67. AWS Quick Starts: • are built by AWS solutions architects and partners • help you deploy popular solutions on AWS • are based on AWS best practices for security and high availability. They cover a wide range of topics: • DevOps; Security & Compliance • Database & Storage; Big Data & Analytics • Microsoft & SAP. https://aws.amazon.com/quickstart/
  68. DevOps
  69. Microsoft & SAP
  70. Security & Compliance
  71. Building your own AWS Quick Start: https://aws-quickstart.github.io/ • Differences between Quick Starts and AWS Marketplace • Advice on code design and deployment • AMI configuration and regionalisation • Parameterising CloudFormation • Best practices
  72. Building your own AWS Quick Start
  73. Building your own AWS Quick Start
  74. UK OFFICIAL Quick Start
  75. UK-OFFICIAL AWS Quick Start: a sample cloud architecture supporting NCSC and CIS for UK-OFFICIAL workloads. AWS CloudFormation creates a standardised environment: • Deploys a sample, multi-tier Linux web application • Additional controls such as CloudWatch Alarms. The Security Controls Matrix demonstrates: • Alignment to the NCSC Cloud Security Principles • Alignment to the CIS Critical Security Controls
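An added example of the conventions the "Building your own AWS Quick Start" slide lists (parameterising the template, AMI regionalisation through Mappings) together with the kind of additional control the UK-OFFICIAL slide mentions (a CloudWatch alarm). It is not the UK-OFFICIAL Quick Start's template and not AWS code. The VPC, subnet and CloudTrail log group are assumed to exist already and are passed in as parameters; the AMI IDs under RegionAmi are placeholders to be replaced with a validated image; the metric filter pattern is the CIS AWS Foundations Benchmark style check for unauthorised API calls recorded by CloudTrail.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the UK-OFFICIAL Quick Start): a parameterised,
  region-aware fragment with a restricted admin security group and a
  CloudTrail-backed CloudWatch alarm as an additional control.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Existing VPC to deploy into (assumed to exist)
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Existing private subnet for the instance (assumed to exist)
  AdminCidr:
    Type: String
    Description: Only this CIDR may reach the admin port; do not default to 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/([0-9]|[12][0-9]|3[0-2])$'
    ConstraintDescription: must be an IPv4 CIDR such as 10.20.0.0/24
  InstanceType:
    Type: String
    Default: t2.micro
    AllowedValues: [t2.micro, t2.small, t2.medium]
  CloudTrailLogGroupName:
    Type: String
    Description: CloudWatch Logs group that CloudTrail already delivers to (assumed to exist)

Mappings:
  # Regionalisation: one AMI per supported Region, selected with AWS::Region.
  # IDs are placeholders; replace them with the image the team has built.
  RegionAmi:
    eu-west-1:
      Linux: ami-PLACEHOLDER1
    eu-west-2:
      Linux: ami-PLACEHOLDER2

Resources:
  AdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH restricted to AdminCidr
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr

  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [RegionAmi, !Ref 'AWS::Region', Linux]
      InstanceType: !Ref InstanceType
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref AdminSecurityGroup
      Monitoring: true

  AlertTopic:
    Type: AWS::SNS::Topic

  # CIS AWS Foundations Benchmark-style metric filter: unauthorised API calls
  # seen in CloudTrail become a metric that the alarm below watches.
  UnauthorizedApiCallsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: Security
          MetricName: UnauthorizedApiCalls
          MetricValue: '1'

  UnauthorizedApiCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: One or more unauthorised API calls in the last 5 minutes
      Namespace: Security
      MetricName: UnauthorizedApiCalls
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic

Outputs:
  InstanceId:
    Value: !Ref WebInstance
  AlertTopicArn:
    Value: !Ref AlertTopic
```

The AllowedPattern on AdminCidr is the check that stops a stack being launched with a wide-open admin port, and the Mappings block is what lets the same template be deployed in eu-west-2 (London) and eu-west-1 without editing resource definitions; a Security Controls Matrix for a template like this would cross-reference AdminSecurityGroup and UnauthorizedApiCallsAlarm against the NCSC principles they support.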
  76. UK-OFFICIAL – High Level Design
  77. UK-OFFICIAL – CloudFormation deployment
  78. How the Quick Start helps with NCSC Guidance. The UK-OFFICIAL AWS Quick Start provides supporting information for four steps of the NCSC guidance process: • Determine relevant security principles: the Security Controls Matrix (SCM) lists the Cloud Security Principles relevant to the Quick Start • Understand how the principles are implemented: cross-referencing of the CloudFormation template within the SCM • Understand the level of assurance offered: the SCM refers back to AWS compliance reports, certifications and alignments • Identify additional mitigations: optional use of additional AWS controls to further enhance security
  79. UK-OFFICIAL – Security Controls Matrix
  80. The UK-OFFICIAL AWS Quick Start ISN'T… • …a magic bullet that automatically provides assurance: the customer is still responsible for the risk assessment; remember the Shared Responsibility Model • …the only way to do it: this is one of many architectural patterns that could be used for OFFICIAL workloads on AWS, and over time there might be new capabilities, designs and functionality via this or other Quick Starts
  81. Upcoming Events • AWS Public Sector Transformation Day: 30th October, London. Register here: https://aws.amazon.com/events/transformation-day-public-sector-london/ • AWS re:Invent: 27th Nov - 1st Dec, Las Vegas. Register here: https://reinvent.awsevents.com/
  82. Thank you! Questions?
