Cloud-Based Innovation and Information Security - Choose Both
- 1. Summit Bahrain
- 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud-based Innovation and
Information Security: Choose Both
Mark Ryland
Director, Office of the CISO
Amazon Web Services
- 3.
Charles Darwin
- 4.
Agenda
Situation, approaches, and challenges
An accreditation framework toward secure cloud adoption
Shared responsibility model
- 5.
- 6.
Cloud first, cloud by default, and cloud native
- 7.
Why public cloud?
“A move to cloud computing—away from on-premises
owned and operated infrastructure—can generate a faster
pace of delivery, continuous improvement cycles, and broad
access to services.”
Australian Government Digital Transformation (DTA)
Secure Cloud Strategy, 2017
“When we start with the assumption that all our services
should run in the public cloud with no more locally
managed servers . . . we get the resilience and backups of
some of the most cyber-aware and heavily invested
companies in the world . . .”
UK National Health Service (NHS) Policy Paper, 2018
“Public ICT facilities and services can be tested and
deployed quicker, and maintained more cost effectively,
than if government agencies own and run unique
computing facilities themselves.”
Philippine Cloud-First Policy, 2017
“Using public cloud services means agencies can better
manage their risks, reducing the impact of any single
event.”
New Zealand Cloud-First Policy
“The use of cloud technology could lead to advantages
such as a reduction in operating and maintenance costs,
and the ability to run systems around the clock without
having to provide for expensive dedicated backups and
standbys.”
Prime Minister Lee Hsien Loong, Singapore
- 8.
Cloud benefits
Cited benefits
• Cost saving/better way to manage cost
• Agility, speed, continuous
improvement
• Elasticity, scalability
• Improve resiliency
• Technology capability
• Operational efficiency
• Security
- 9.
Top concerns in cloud adoption
• Legacy systems
• Budget
• Skill/expertise
• Security
- 10.
Cloud security accreditations
- 11.
A snapshot of current accreditation schemes

| Scheme | Security Requirements | Auditing Process | Authorization | Maintenance |
|---|---|---|---|---|
| US/FedRAMP | NIST 800-53, 199 | 3rd Party Auditor / NIST SP 800-37 | JAB Provisional ATO, Agency ATO | Continuous monitoring, ongoing assessment |
| AU/IRAP & IRAP Protected | Information Security Manual | 3rd Party Auditor (IRAP accredited) | ACSC | Annual assessment |
| China/MLPS | GB/T 28448 / Cybersecurity Law | GB/T 28449/36627; Gov’t Auditors (MPS accredited) | MPS Review Panel | Annual assessment |
| Germany/C5 | BSI IT-Grundschutz Catalogues | 3rd Party Auditor | N/A | Annual assessment |
| India/CSP Empanelment | RFP (ISO 27001/17/18, 20000-1, TIA) | Gov’t Auditor (STQC) | MeitY | Annual assessment |
| Korea/KISA Cloud Assurance Program | KISA-defined standards; Cloud Computing Act | KISA Auditor | Authorizing Committee | Continuous monitoring, annual assessment |
| Korea/K-ISMS | Korean ISMS standard | KISA Auditor | K-ISMS Committee | Annual surveillance audit, 3-year re-cert |
| SG/MTCS L3 / GovTech Authorization | MTCSS (SS 584) / ISO 27001 / GovTech Reqmt | 3rd Party Auditor (IMDA accredited) / GovTech | IMDA/ESG/GovTech | Annual surveillance audit; 3-year re-cert |
| Japan METI/MIC CSP Certification Registration | New control criteria based on existing common standards in development | 3rd Party Auditor (METI/MIC accredited) | METI/MIC to-be-determined agency | Annual surveillance audit, 3-year re-cert |
- 12.
Challenges
• Develop & maintain
• Types of data/workloads, how to decide
• Skill/expertise
• Authorization policy
• Time to authorization
• Keeping up with pace of cloud
- 13.
A journey to authorization
- 14.
“Innovation almost always is not successful the
first time out. You try something and it doesn’t
work and it takes confidence to say we haven’t
failed yet. . . . Ultimately, you become
commercially successful.”
Clayton Christensen
Author, The Innovator’s Dilemma
Professor, Harvard Business School
- 15.
- 16.
Design criteria
Efficient to operate and maintain
• Timeliness
• Resources (skills/expertise)
• Cost
Effective
• Addressing the dynamic nature of cloud technology
• Maximize reuse (inherit, leverage)
• Existing certification and attestation schemes
• International and industry-recognized standards
Practical
• Keep risk/benefit in focus
• No perfect system for security or assurance
“We must continually strike the
right balance between security and
usability.”
Prime Minister Lee Hsien Loong, Singapore,
GovTech Conference, 2018
- 17.
International accreditations

| Scheme | Security Requirements | Auditing Process | Authorization | Maintenance |
|---|---|---|---|---|
| ISO Certification | ISO/IEC 27001/17/18 | ISO Accredited Auditor | ISO-Accredited Certification Bodies | Annual surveillance audit; 3-year re-cert |
| AICPA SOC 1 & 2 | Organizational Policy; SSAE-18; Trust Service Criteria | SSAE-18 / CPA Firm’s Auditor | Auditing Firm (CPA and Partners) | Six-month cycle of continuous assessment |

ISO/IEC 27001, based on the ISO/IEC 27000 family of standards, has been in operation since 1997 (starting with BS 7799-2).
SOC 1, 2 & 3 auditor-to-auditor reporting standards have been in operation since 1992, starting with SAS 70.
- 18.
Point-in-time versus continuous assurance
- 19.
German BSI C5
Leverage existing standards
• 17 thematic sections
• Uses recognized security standards:
  • ISO/IEC 27001:2013
  • CSA Cloud Controls Matrix 3.01
  • AICPA Trust Service Principles Criteria 2014
  • ANSSI Référentiel Secure Cloud 2.0 (Draft)
  • IDW ERS FAIT 5 04.11.201 [Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing], November 2014 version
  • BSI IT-Grundschutz Catalogues, v14, 2014
  • BSI SaaS Sicherheitsprofile [BSI SaaS security profiles]
Self-disclosure
• Surrounding parameters for transparency
• Enable customer decision beyond control compliance
• Data location, place of jurisdiction, certifications and duties of investigation and disclosure toward government agencies, and system description
Verification process
• Minor addition to cloud provider’s existing assurance
• Recognizes SOC 2 Report
• “A[n] SOC 2 report proves that a cloud provider complies with the requirements of the catalogue and that the statements made on transparency are correct. This report is based on the internationally recognised attestation system of the ISAE 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site, and auditing according to the Cloud Computing Compliance Controls Catalogue (C5) can be performed with not too great additional effort.” - BSI
Ref: https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html
- 20.
Inherit global security and compliance controls
- 21.
“Cloud service providers offer robust
security features and internationally
recognized certifications that would
be a challenge for any one
organization to deliver on its own.”
Government of Canada Cloud Adoption Strategy,
2018 update
- 22.
Data classification with cloud deployment models

| Data Tier | Cloud Deployment Model | Data Examples | Legal Scope |
|---|---|---|---|
| Tier 1: Non-sensitive or public data (unclassified); low impact | Level 1: Basic Security—Cloud infrastructures in conformance with security best practices standards and guidelines | Open data, public data, non-sensitive administrative information, website hosting public information | Public and private businesses |
| Tier 2: Restricted or administrative; medium impact | Level 2: Strong Security—Level 1 plus additional security controls, e.g., strong identity authentication (MFA), mandated data encryption, and high-availability architecture requirements | Restricted matters, business or administrative data, emails, client support and CRM systems, financial records, and medical records; citizens’ identity and social security data | Public and private businesses |
| Tier 3: High impact; government highly confidential or above | Level 3: In-Depth Protection—Level 2 plus additional security controls, e.g., encrypted private network link to the CSP’s data center or network access points, virtual network separation between departments, use of dedicated instances | Government documents and applications dealing with matters of international negotiations; technical matter of military nature or requiring higher protection | National defense; foreign mission and trade of the state; national intelligence |
- 23.
Data classification with cloud deployment models
Apply FedRAMP or custom approach
• Tier 3: 3rd Party audit of additional & enhanced security controls to ensure compliance
• Continuous monitoring and configuration management; ongoing assessment
Apply C5 or MTCS approach
• Tier 1: Verification of ISO 27001/17/18 certifications and SOC 1 & 2 Reports + Self-Disclosure
• Tier 2: 3rd Party audit of additional security controls to ensure compliance
• Annual re-verification
- 24.
Shared responsibility model
AWS: Security OF the Cloud
• AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
Customer: Security IN the Cloud
• Customer responsibility for proper configuration and operation of cloud services
- 25.
Dynamic over time
AWS: Security OF the Cloud
• AWS constantly raising the bar in service capabilities and security ease of use
Customer: Security IN the Cloud
• Customers using higher level services plus security services get more and more “for free”
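The tiered controls in the data classification table (Level 2 adds MFA, mandated encryption and high availability to the Level 1 baseline; Level 3 adds an encrypted private link, network separation and dedicated instances) and the customer side of the shared responsibility model both come down to the same question: does each workload's own configuration carry the controls its tier requires? The Python below is an added example, not code from this deck or from AWS. It maps the table's tiers to control checks, runs them over a constructed resource inventory, and applies the 80/20 split from the closing slide (low/medium impact workloads move fast, high-impact workloads get focused review). The inventory layout, the record field names (`mfa_devices`, `encrypted`, `multi_az`, `tenancy`, and so on) and the check names are assumptions made for this example.

```python
"""Tier-based control check for the data classification table.

The tier-to-control mapping follows the table: Level 2 adds MFA, mandated
encryption and high availability on top of Level 1; Level 3 adds a private
link, network separation and dedicated instances on top of Level 2. The
inventory format, field names and check names are assumptions of this
example; the records at the bottom are constructed, not exported from a
real account.
"""
from __future__ import annotations

# Each control maps to the resource types it applies to and a predicate that
# is True when the control is present on a resource of that type. Resource
# types a control does not apply to are skipped for that control.
CONTROL_CHECKS = {
    # Level 2: strong identity authentication (MFA), mandated encryption, HA
    "mfa": (("iam_user",), lambda r: r.get("mfa_devices", 0) > 0),
    "encryption_at_rest": (("s3_bucket", "rds_instance"), lambda r: bool(r.get("encrypted"))),
    "high_availability": (("rds_instance",), lambda r: bool(r.get("multi_az"))),
    # Level 3: encrypted private link, virtual network separation, dedicated instances
    "private_link": (("vpc",), lambda r: bool(r.get("private_connectivity"))),
    "network_separation": (("vpc",), lambda r: bool(r.get("dedicated_to_department"))),
    "dedicated_instances": (("ec2_instance",), lambda r: r.get("tenancy") == "dedicated"),
}

# Controls each level adds on top of the level below it. Level 1 is the
# best-practice baseline and names no additional control of its own.
LEVEL_ADDS = {
    1: [],
    2: ["mfa", "encryption_at_rest", "high_availability"],
    3: ["private_link", "network_separation", "dedicated_instances"],
}


def required_controls(tier: int) -> list[str]:
    """Level N inherits every control of the levels below it."""
    if tier not in LEVEL_ADDS:
        raise ValueError(f"unknown tier: {tier}")
    return [c for level in range(1, tier + 1) for c in LEVEL_ADDS[level]]


def findings(workload: dict) -> list[tuple[str, str]]:
    """Return (resource id, missing control) pairs for one workload."""
    missing = []
    for resource in workload["resources"]:
        for control in required_controls(workload["tier"]):
            types, present = CONTROL_CHECKS[control]
            if resource["type"] in types and not present(resource):
                missing.append((resource["id"], control))
    return missing


def triage(workloads: list[dict]) -> tuple[list[str], dict[str, list[tuple[str, str]]]]:
    """80/20 split: tier 1 and tier 2 workloads with no gaps move fast; tier 3
    workloads, and anything with gaps, go to the review queue with findings."""
    fast, review = [], {}
    for w in workloads:
        gaps = findings(w)
        if w["tier"] <= 2 and not gaps:
            fast.append(w["name"])
        else:
            review[w["name"]] = gaps
    return fast, review


# Constructed inventory (not real data). Field names loosely mirror what the
# corresponding AWS describe/list calls return; that mirroring is an assumption.
WORKLOADS = [
    {"name": "public-website", "tier": 1, "resources": [
        {"id": "www-assets", "type": "s3_bucket", "encrypted": False},
    ]},
    {"name": "crm", "tier": 2, "resources": [
        {"id": "crm-db", "type": "rds_instance", "encrypted": True, "multi_az": False},
        {"id": "crm-admin", "type": "iam_user", "mfa_devices": 0},
        {"id": "crm-exports", "type": "s3_bucket", "encrypted": True},
    ]},
    {"name": "treaty-docs", "tier": 3, "resources": [
        {"id": "docs-vpc", "type": "vpc", "private_connectivity": True, "dedicated_to_department": True},
        {"id": "docs-app", "type": "ec2_instance", "tenancy": "default"},
        {"id": "docs-store", "type": "s3_bucket", "encrypted": True},
        {"id": "docs-analyst", "type": "iam_user", "mfa_devices": 1},
    ]},
]

if __name__ == "__main__":
    fast_lane, review_queue = triage(WORKLOADS)
    print("move fast:", fast_lane)
    for name, gaps in review_queue.items():
        print(f"review {name}:", gaps or "no control gaps; tier 3 review still required")
```

Note that `triage` always routes tier 3 to review even when no control is missing, so a high-impact workload still gets a human look, while the unencrypted tier 1 bucket passes because Level 1 mandates no named control; that asymmetry is the 80/20 split the closing slide describes.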
- 26.
What the shared responsibility model means to you
Establish a government-wide cloud security policy and/or internal security guidelines
• Reinforce government’s commitment to the customer side of the shared responsibility model
• Ensure adequate execution of this responsibility at every level within the cloud environment
Re-engineer IT operation and support processes
• Ensure proper accountability of security and operational responsibilities in the cloud environment
• Execute with adequate security and risk governance oversights
Far more likely to have real-world security impact than CSP issues!
“Fundamental 're-engineering' of Government to provide better and faster public services: PM Lee”, Oct. 2, 2018, The Straits Times, Singapore
Ref: https://www.straitstimes.com/singapore/government-e-services-to-be-created-faster-and-more-cost-efficiently-with-rollout-of
- 27.
Streamline accreditation to attain cloud benefits
Efficient to operate and maintain
• Timeliness
• Resources (skills/expertise)
• Cost
Effective
• Addressing the dynamic nature of cloud technology
• Maximize reuse (inherit, leverage)
• Existing certification and attestation schemes
• International and industry-recognized standards
Practical
• Keep risk/benefit in focus
• No perfect system for security or assurance
Challenges
• Develop & maintain
• Types of workloads, how to decide
• Skill/expertise
• Authorization policy
• Time to authorization
• Addition of new services
- 28.
- 29.
Government stories and case studies (a snapshot)
Ref: https://aws.amazon.com/solutions/case-studies/government-education/all-government-education-nonprofit/
- 30.
In closing …
• Gaining security assurance of CSP is an important step toward cloud adoption but not the only step that ensures security
• Security accreditation must not become a barrier to cloud benefits
• Learn from early cloud adopters in both public and commercial sectors
• Adopt international standards and industry best practices
• Use the 80/20 principle
  • Low/medium impact workloads: move fast
  • Focus resources on high-impact/critical workloads
• Both aspects of the shared responsibility model need attention and actions—internal re-engineering/changes
• Cloud security is also a journey
- 31.
What’s next
Learn more about AWS Compliance
https://aws.amazon.com/compliance/
Read the whitepapers/blogs
AWS Smart Cloud Native Policy whitepaper
https://pages.awscloud.com/public_sector_aws-smart-cloud-native-policy-whitepaper.html
Data Classification - Secure cloud adoption
https://d1.awsstatic.com/whitepapers/compliance/AWS_Data_Classification.pdf
Logical Separation – An evaluation of US DoD security requirements for sensitive workloads
https://aws.amazon.com/blogs/security/how-aws-meets-a-physical-separation-requirement-with-a-logical-separation-approach/
The Five Ways Organizations Initially Get Compromised and Tools to Protect Yourself
https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
- 32.
Mark Ryland
Director, Office of the CISO
Amazon Web Services
- 33.
- 34.
Outcomes
Realize benefits of Cloud First Policy earlier with faster cloud adoption
• Workload tiering allows for up to 90% to migrate faster with internationally certified and validated CSPs—realizing the benefits of the Cloud First Policy
Better risk management, better returns of security investment
• Learn from migration of non-sensitive, lower-impact workloads to apply on higher-impact, more critical systems to ensure overall better protection
• Increase focus on implementing user-side of Shared Responsibility Model
- 35.
Security is a shared responsibility
AWS is responsible for security of the Cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for security in the cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)