
Compliance in the Cloud Using Security by Design



Up-front design of your AWS account can be done in a way that creates a reliably secure and controlled environment no matter how the AWS resources are used. This session focuses on "Secure by Design" principles and shows how an AWS environment can be configured to provide a reliable operational security control capability that meets compliance needs across multiple industry verticals (e.g. HIPAA, FISMA, PCI). This includes operational reporting through AWS services (e.g. Config/Config Rules, CloudTrail, Inspector) as well as integration with partner solutions such as Splunk and Allgress for real-time governance, risk, and compliance reporting. Key takeaways from this session: AWS security best practices and automation capabilities for securing your environment; automation accelerators for configuration, compliance, and audit reporting using CloudFormation, Config/Config Rules, CloudTrail, Inspector, and related services; and ISV integration for real-time notification and reporting on security, compliance, and auditing in the cloud.

Published in: Software

  1. Compliance in the Cloud Using Security by Design: Modernization of Technology Governance in the Cloud. Tim Sandage, Sr. Security Partner Strategist. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Problem Statement: Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and in demonstrating compliance.
  3. Current State – Technology Governance: Policies; Procedures and Guidelines; Standards.
  4. Issues – Technology Governance: The majority of technology governance processes rely predominantly on administrative and operational security controls with LIMITED technology enforcement. (Diagram: Assets, Threat, Vulnerability, Risk.) AWS has an opportunity to innovate and advance Technology Governance Services.
  5. Flexibility and Complexity: What is the regulatory requirement? What's in-scope or out-of-scope? How to verify the standards are met?
  6. Security by Design: Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process. Services shown: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service.
  7. Security by Design - Design Principles:
     • Build security in every layer
     • Design for failures
     • Implement auto-healing
     • Think parallel
     • Plan for breach
     • Don't fear constraints
     • Leverage different storage options
     • Design for cost
     • Treat Infrastructure as Code: modular, versioned, constrained
     Developing new risk mitigation capabilities that go beyond global security frameworks by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation.
  8. SbD - Eco-system: Security by Design (SbD) built on AWS CloudFormation, AWS Config Rules, and Amazon Inspector.
  9. SbD - Modernize Tech Governance (MTG) – Why? Complexity is growing, making the old way of governing technology obsolete. You need the automation AWS offers to manage security.
  10. Goal - Modernize Tech Governance (MTG): Adopting “Prevent” controls, and making “Detect” controls more powerful and comprehensive.
  11. SbD - Modernizing Technology Governance (MTG):
      1. Decide what to do (Strategy): 1.1 Identify Stakeholders; 1.2 Identify Your Workloads Moving to AWS
      2. Analyze and Document (outside of AWS): 2.1 Rationalize Security Requirements; 2.2 Define Data Protections and Controls; 2.3 Document Security Architecture
      3. Automate, Deploy & Monitor: 3.1 Build/deploy Security Architecture; 3.2 Automate Security Operations; 3.3 Continuous Monitor; 3.4 Testing and Game Days
      4. Certify: 4.1 Audit and Certification
  12. SbD – Rationalize Security Requirements: AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that align to multiple security frameworks globally. The Benchmarks are:
      • Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
      • Distributed free of charge by CIS in PDF format;
      • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
  13. SbD – AWS CIS Benchmark Scope. Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS. Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon Elastic Block Store, CloudHSM, Glacier, Route 53, VPN Gateway, CloudFront.
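Slides 6, 12 and 13 describe the core SbD move: take a benchmark's "recommended technical control rules/values" and turn them into an automated, continuously evaluated control instead of a retroactive audit finding. The following is an added example written for this page, not code from the deck, AWS or CIS. It shows a custom AWS Config rule that checks a CloudTrail trail against three CIS-Foundations-style hardening expectations (multi-region, global service events recorded, log file validation on). It assumes the standard Config custom-rule Lambda event shape (an `invokingEvent` JSON string carrying a `configurationItem`) and the trail configuration field names as exposed by the CloudTrail API (`isMultiRegionTrail`, `includeGlobalServiceEvents`, `logFileValidationEnabled`); the sample configuration items are constructed.

```python
"""Custom AWS Config rule encoding CIS-style CloudTrail hardening checks.

Added example for this page (not AWS's or CIS's own code). Assumes the AWS Config
custom-rule Lambda event shape and the CloudTrail trail configuration field names
listed in the lead-in. The sample items at the bottom are constructed, not real data.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_trail(configuration):
    """Return (compliance_type, annotation) for one CloudTrail trail configuration.

    Every failed expectation is listed in the annotation, so an auditor reading the
    Config console sees exactly which benchmark value is off, not just a red mark.
    """
    failures = []
    if not configuration.get("isMultiRegionTrail", False):
        failures.append("trail is not multi-region")
    if not configuration.get("includeGlobalServiceEvents", False):
        failures.append("global service events are not recorded")
    if not configuration.get("logFileValidationEnabled", False):
        failures.append("log file validation is disabled")
    if failures:
        return NON_COMPLIANT, "; ".join(failures)
    return COMPLIANT, "trail meets the CloudTrail hardening checks"


def evaluate_configuration_item(item):
    """Build one AWS Config Evaluation dict from a configuration item.

    Non-trail or deleted resources are reported NOT_APPLICABLE rather than silently
    skipped, so the rule's evaluation count stays honest for reporting.
    """
    is_trail = item.get("resourceType") == "AWS::CloudTrail::Trail"
    deleted = item.get("configurationItemStatus") == "ResourceDeleted"
    if not is_trail or deleted:
        compliance, annotation = NOT_APPLICABLE, "not an active CloudTrail trail"
    else:
        compliance, annotation = evaluate_trail(item.get("configuration") or {})
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps the annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point for a change-triggered AWS Config custom rule.

    Parses the invoking event, evaluates the changed item and reports the result
    back to Config with PutEvaluations using the result token Config provided.
    """
    import boto3  # imported here so the evaluation logic above stays testable offline

    invoking_event = json.loads(event["invokingEvent"])
    evaluation = evaluate_configuration_item(invoking_event["configurationItem"])
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample configuration items: one hardened trail and one weak legacy trail.
SAMPLE_TRAILS = [
    {
        "resourceType": "AWS::CloudTrail::Trail",
        "resourceId": "org-trail",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2016-06-01T00:00:00.000Z",
        "configuration": {
            "isMultiRegionTrail": True,
            "includeGlobalServiceEvents": True,
            "logFileValidationEnabled": True,
        },
    },
    {
        "resourceType": "AWS::CloudTrail::Trail",
        "resourceId": "legacy-trail",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2016-06-01T00:00:00.000Z",
        "configuration": {"isMultiRegionTrail": False, "includeGlobalServiceEvents": True},
    },
]

if __name__ == "__main__":
    for sample in SAMPLE_TRAILS:
        result = evaluate_configuration_item(sample)
        print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
```

Run stand-alone it prints the two constructed verdicts; deployed behind a Config rule, the same `evaluate_trail` logic produces the continuous "Detect" control that slide 10 calls for, and a CloudFormation template that declares the rule and the Lambda function turns the control itself into versioned infrastructure as code.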
  14. Define Data Protections and Controls
  15. Document Security Architecture
  16. SbD – Automate Security Operations: Automate deployments, provisioning, and configurations of the AWS customer environments. (Diagram: CloudFormation – Template, Stack, Instances, Apps, Resources, Design; Service Catalog – Products, Portfolios, Package, Deploy, Constrain; Identity & Access Management – Set Permissions.)
  17. Continuous Monitor – Splunk: AWS CloudTrail, EMR, Kinesis, VPC, ELB, S3, Lambda, AWS Config, AWS CloudWatch, IoT and other services feed the Add-on for AWS and the Splunk App for AWS (Explore, Analyze, Dashboard, Alert). Use Cases for AWS: Security Intelligence (CloudTrail, CloudWatch, VPC); Operational Intelligence (CloudWatch, ELB etc.); DevOps Intelligence (CloudWatch, Lambda); Big Data Insights (Kinesis, EMR, IoT, S3).
  18. Splunk App for AWS – Visualize & Monitor: AWS CloudTrail Resource Activity; AWS CloudTrail User Activity.
  19. SbD - Modernizing Technology Governance (MTG): Automate Governance – Automate Deployments, Automate Security Operations, Continuous Compliance.
  20. Closing the loop - SbD - Modernizing Technology Governance. Result: Reliable technical implementation and enforcement of operational and administrative controls.
  21. AWS Resources:
      • Amazon Web Services Cloud Compliance
      • SbD website and whitepaper – to wrap your head around this