ENT305 Compliance and Cloud Security for Regulated Industries

© 2018, Amazon Web Services, Inc.
or its affiliates. All rights reserved.
A P R I L 3 , 2 0 1 8
Benjamin Andrew
Global Leader, Security & Network Infrastructure
AWS Marketplace – Amazon Web Services
S E S S I O N # E N T 3 0 5
Compliance and Cloud
Security for Regulated
Industries

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compliance and Cloud Security for
Regulated Industries
• What we hear from customers
• AWS Marketplace
• Security & compliance is a shared responsibility
• A healthcare customer’s journey to the cloud
• Establishing a Cloud Center of Excellence
• Heuristics: cloud-first and security by
design
• Secure Amazon Machine Image (AMI) Factory
• Mapping security to compliance controls
• RansomWare? No More Ransom
2
A G E N D A

What we hear from our customers
• Software entitlement
& deployment models
• Complex agreement management
• Constant renewal and replacement
• Out-of-date procurement mechanisms
• No single approved catalog
of software in place
• Compliance in hybrid and cloud
computing
• Rapidly innovate by buying and
deploying software solutions on-
demand
• Simplify and streamline purchasing,
license management, and invoicing
• Upgrade on demand
• Reduce cost while picking new
standards
• Know what AWS Services and third-
party software provide compliance
3
C H A L L E N G E S C U S T O M E R S W A N T T O

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.4
AWS Marketplace: Find, buy, deploy, and
manage software in the cloud
• Deploy software on demand
• 1,280+ ISVs
• 4,200+ product listings
• Simplified procurement and
deployment
• Billed through AWS account
• Deployed in 15 regions around the
world
• 160,000 active customers
• 481M EC2 hours deployed per month
A B O U T A W S M A R K E T P L A C E

Security & compliance is a shared responsibility
Customer
Responsible
for security
IN the cloud
AWS
Responsible
for security
OF the cloud
Customer data
Platform, applications, identity & access management
Operating system, network & firewall configuration
Client-side data
encryption & Data integrity
authentication
Server-side encryption
(file system and/or data)
Network traffic protection
(encryption/
integrity/identity)
Compute Storage Database Networking
AWS global
infrastructure
Regions
Edge locations
Availability Zones
5

Security subcategories
Network
security
Security
intelligence
Identity & access
management
Security
orchestration
Cloud workload
security
Data
security
Application
security
Easy, fast, and secure
way to search, analyze,
and visualize massive
data streams
Okta is an integrated
identity and mobility
management service
Protection of data,
digital identities, payments,
and transactions from
the edge to the core
Get hourly proactive
protection for your AWS
workloads with Trend Micro
Deep Security
Alert Logic Cloud Defender
gives you the technology
and managed security
services to assess
vulnerabilities and
streamline compliance
Imperva SecureSphere
WAF for AWS extends
all of the security and
management capabilities
of the world's most-trusted
web application firewall to
Amazon Web Services
environments
Quickly create a hybrid
architecture that
extends your existing
data center into AWS
via encrypted tunnels
With Sumo Logic, you can
collect, compress, and
securely transfer all of your
log data regardless of
volume, type, or location
OneLogin, the innovator
in Identity and Access
Management-as-
a-Service (IDaaS)
Proactive security
from a single agent
designed for AWS
Dome9 automates AWS
security groups and adds
an extra layer of protection
against hackers
Many AWS-hosted apps
choose Barracuda, an AWS
Preferred Security
Competency Partner,
due to its continuous
monitoring & policy tuning by
world-class security experts.
Other popular
solutions:
Fortinet
Other popular
solutions:
Bitium, ClearLogin,
Ping Identity
Other popular
solutions:
HyTrust, CTERA
Other popular
solutions:
Tenable, Qualys
Other popular
solutions:
McAfee, CrowdStrike
Other popular
solutions:
Fortinet
Other popular
solutions:
Check Point,
Fortinet, Alert Logic
The F5 WAF secures
applications from layer
7 DDoS attacks,
malicious bot traffic,
common application
vulnerabilities and all
OWASP top 10 threats.
Symantec Cloud Workload
Protection automates
security for public cloud
workloads, enabling
agility, risk reduction, and
cost savings, while easing
DevOps & admin burdens.
6

A healthcare customer’s journey to the cloud

2 Accounts | 20 VPCs
Production
Non-Prod
2015

29 Accounts | 62 VPCs2 Accounts | 20 VPCs
Production
Non-Prod
2016
+
2015

10
Shared Services
Security
Data Center
29 Accounts | 62 VPCs 35 Accounts | 35 VPCs2 Accounts | 20 VPCs
Production
Non-Prod
2016 2017
+
2015

Healthcare customer - where they are
today
AWS CLOUD
VIRTUAL PRIVATE CLOUD
AWS IAM AWS KMS Amazon
CloudWatch
AWS
CloudTrail
AWS
Config
AMI Flow logs
Amazon
EC2
Elastic Load
Balancing
Amazon
RDS
Amazon
SQS
Amazon
SES
Amazon
S3
AWS Direct
Connect
VPC SUBNET
AUTO SCALING GROUP
SECURITY GROUP
Non-Prod Prod
VPC
peering
DNS SSO
Logging
Log
Analysis
SHARED SERVICES SECURITY
Corporate
data center

AWS CLOUD
VIRTUAL PRIVATE CLOUD
AWS IAM AWS KMS Amazon
CloudWatch
AWS
CloudTrail
AWS
Config
AMI Flow logs
Amazon
EC2
Elastic Load
Balancing
Amazon
RDS
Amazon
SQS
Amazon
SES
Amazon
S3
AWS Direct
Connect
VPC SUBNET
AUTO SCALING GROUP
SECURITY GROUP
Non-Prod Prod
Shared Services
Security
Data Center
Healthcare customer - where they are
today

• The cloud is not just another data
center with virtual machines
• Leverage managed services
• For every problem, ask: how do we best solve
this in the cloud using current best practices?
• Let modern tools solve old hard problems
C L O U D - F I R S T
• Secure every part all the time
• Apply the principle of Least Privilege
S E C U R I T Y B Y D E S I G N
• Build everything as Infrastructure as Code
• Do not log in to the console
and make changes
• Never log in to a server
A U T O M A T E E V E R Y T H I N G
Cloud-first & automated security by design
Establishment of Engineering Heuristics - rules you won’t break

Cloud-first & automated security by design
Establishment of Engineering Heuristics - rules you won’t break
Secure Managed Standards Documented
Infrastructure
as code

DevSecOps Secure
AMI Factory

AWS
Marketplace
AWS Service
Catalog
Approved
AppStack
BUILD VALIDATE APPROVE DISTRIBUTE
16
Secure AMI Factory:

Instance
Base AMI
Instance
Candidate
AMI
Scan
Scripts
Updates
Software
Secure AMI Factory: Build Phase
17
SSM
Automatio
n
Document

SSM
Automatio
n
Document
18
Ansible AMI
Ansible Instance
ssh keys
Execute Playbook Download Playbook
Instance
Base AMI
Gold AMI

SSM
Automatio
n
Document
19
Instance
Base AMI
Amazon
Inspector
Email
Notification
ApproveApprover
AMI ID
SSM
Parameter Store

Region
us-east-1
Region
us-west-2
Region
ca-central-1
SSMPS
CIE TEAM DEV TEAM A DEV TEAM B
COPY
SHARE
20
Secure AMI Factory: Distribution (Regions &
Accounts)

Service catalog
SSM
Parameter
Store
Product
template
Product
template
Product
template
AWS SERVICE CATALOG
Product
Product
Product
Portfolio
Portfolio
21

Mapping Security
to compliance
controls

Allgress Regulatory
Product Mapping
ToolReduce complexity and
shorten the timeframe of
achieving security compliance

• Identifies solutions in AWS
Marketplace that can
implement the
requirements of each
security control.
• FedRAMP moderate
example:
24
Allgress RPM:
Product Explorer

Allgress RPM:
Product Explorer
25
• Compliance controls are
mapped directly to the
associated AWS Marketplace
product.
• Select a product and quickly see
all the controls it fulfills.
• Generate a report of selected
products; visit the AWS
Marketplace listing page to
purchase.
D E T A I L

Ransomware?

#NoMoreRansom
Stats
28
• Can decrypt 84 ransomware families with 52
decryption tools in 29 languages
• 120 partners: (including founding members,
Barracuda and AWS)
• 40 LEA: New: Cypriot & Estonian police
• 80 non-LEA: New: KPN; Telenor; CPIC
• 1.6 million visitors from more than 180
countries
• More than 35,000 people have retrieved
their files for free, preventing criminals from
profiting from more than $12M USD
• CryptXXX, CrySIS, and Dharma are the most
detected infections.
• NoMoreRansom.org

Q&A

Thank You!
B E N J A M I N A N D R E W
benand@amazon.com
linkedin.com/in/benandrew

Please complete the session survey in
the summit mobile app.

Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session
you attended.
3. Tap Session
Evaluation to submit your
feedback.

ENT305 Compliance and Cloud Security for Regulated Industries

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ENT305 Compliance and Cloud Security for Regulated Industries

Similar to ENT305 Compliance and Cloud Security for Regulated Industries (20)

More from Amazon Web Services

More from Amazon Web Services (20)

ENT305 Compliance and Cloud Security for Regulated Industries