Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013

With the rapid increase of complexity in managing security for distributed IT and cloud computing, security, and compliance managers can innovate in how to ensure a high level of security is practiced to manage AWS resources. In this session, Chad Woolf, Director of Compliance for AWS will discuss which AWS service features can be leveraged to achieve a high level of security assurance over AWS resources, giving you more control of the security of your data and preparing you for a wide range of audits. Attendees will also learn first-hand what some AWS customers have accomplished by leveraging AWS features to meet specific industry compliance requirements.

  1. Security Assurance and Governance in AWS
     Chad Woolf, Director, AWS Risk and Compliance
     November 13, 2013
     © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Better Security in the Cloud
     “…We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
     - Security’s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013
  3. Better Security in AWS
     Security in the Cloud (managed by customer):
       • Optimized Network/OS/App Controls
       • Service-specific Controls
     Security of the Cloud (managed by AWS):
       • Cross-service Controls
       • Cloud Service Provider Controls
     Request reports at: aws.amazon.com/compliance/#contact
  4. Governance, Security, Compliance Enablers
     • Governance in AWS
     • AWS Security Best Practices
     • AWS Auditing Security Checklist
     • AWS Risk and Compliance
     • AWS Compliance Forum
     • AWS Trusted Advisor
  5. Security at Scale: Governance in AWS
     1. Financial Control
     2. IT Asset Identification
     3. Asset Configuration and Management
     4. Logical Access Control
     5. Physical Access Control
     6. Data Encryption
     7. Network Configuration and Management
     8. Security Logging and Monitoring
     9. Security Incident Response
     10. Disaster Recovery
     Get this whitepaper at: aws.amazon.com/compliance/
  6. Examples (Governance Domain / On-prem Challenge / AWS Enabler / Control Provided)
     8. Security Logging and Monitoring
        On-prem challenge: Centralized logging of user actions taken against a set of IT resources
        AWS enabler: AWS CloudTrail, which provides logging of API or console actions (e.g., logs when someone changes a bucket policy, stops an instance, etc.)
        Control provided: Advanced monitoring capabilities of actions taken and changes made
     10. Disaster Recovery
        On-prem challenge: Producing point-in-time, usable incremental backups
        AWS enabler: EBS Snapshots, point-in-time full volume copies of Amazon EBS data into persistent storage of Amazon S3
        Control provided: Anytime incremental point-in-time backup of server data
  9. Scaling Security
  10. AWS Compliance Forum
      Join the AWS Compliance Forum by emailing us at: awscompliance@amazon.com
  11. Governance Tool: AWS Trusted Advisor
      • Online service from AWS Support
        – Analyzes account for various kinds of issues and possible concerns
        – Soon available as an API for integration with your tools or 3rd party solutions
      • Four categories:
        – Cost savings
        – Security
        – Fault tolerance
        – Performance
  12. Innovative Governance Tool: AWS Trusted Advisor
      Since 1/1/2013:
      • 10,000+ customers
      • 700,000 recommendations reviewed
      • $140M in annualized savings
      Learn more about Trusted Advisor at: https://aws.amazon.com/premiumsupport/trustedadvisor/
  13. Compliance Case Studies
  14. Case: Pegasystems
      Company: Provides software for business process management, CRM, and case management
      Challenge: Pega tech is used cross-functionally across the healthcare industry; all data is considered PHI
      Results: Pega and their customers are HIPAA compliant on AWS
  15. Case: NASDAQ FinQloud
      Company: Provides products and services to manage the entire life cycle of a trade
      Challenge: Securely storing and managing vast amounts of data with strict compliance requirements
      Results: NASDAQ and FinQloud customers meet stringent SEC 17a-4 requirements for financial record retention
  16. Case: Cognia
      Company: Global communications platform for call centers to capture communications data
      Challenge: Must comply with PCI DSS so their customers can process payment card data on the platform
      Results: PCI certified on AWS
  17. AWS: centralized security controls - visible, testable, automated
  18. Resource Links
      • AWS Compliance site - provides AWS Compliance Forum links, descriptions of audit reports available, contact links, and relevant whitepapers: http://aws.amazon.com/compliance/
      • AWS Security Center - provides links to a detailed whitepaper on how we manage security at AWS and provides links to contact AWS Security: http://aws.amazon.com/security/
      • AWS Security Blog - posts contain security best practices for AWS services, how-to guides, compliance milestones, and customer and partner stories: http://blogs.aws.amazon.com/security/
      • AWS Trusted Advisor - information on the tool, the nature of the checks, and how to access it: https://aws.amazon.com/premiumsupport/trustedadvisor/
      • Case studies - features of a wide range of companies doing amazing things on AWS: http://aws.amazon.com/solutions/casestudies/all/
  19. Recommended Sessions
      • SEC402 - Intrusion Detection in the Cloud
      • SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
      • ARC308 - Architecting for End-to-End Security in the Enterprise
      • SEC306 - Implementing Bullet-Proof HIPAA Solutions on AWS
      • SEC206 - Taking the Fear Out of PCI DSS Compliance in the Cloud
      • ENT206 - Using AWS Enterprise Support to the Fullest
      • SEC201 - Overview of AWS Identity and Access Management (IAM)
      “Come talk security with AWS” Event - between 4 and 6pm on Thursday in Toscana 3605.
  20. Please give us your feedback on this presentation: SEC203
      As a thank you, we will select prize winners daily for completed surveys!
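Slide 6 names AWS CloudTrail as the enabler for the Security Logging and Monitoring domain and gives a bucket policy change and an instance stop as the kinds of API or console actions it records. As an added example that is not part of the presentation, the Python below reads CloudTrail's JSON record format (a log file is an object holding a Records array), separates read-only calls from changes, raises an alert for a small watchlist of control-relevant actions, and counts changes per user, which is the "monitoring of actions taken and changes made" the slide describes. The watchlist, the sample records, the IP addresses and the IAM user names alice and bob are constructed for this example; the event names PutBucketPolicy, DeleteBucketPolicy, StopInstances, TerminateInstances, DescribeInstances and CreateSnapshot are real CloudTrail event names.

```python
import json
from collections import Counter

# Actions worth an alert, keyed by CloudTrail eventName. The two examples on
# slide 6 (a bucket policy change, an instance stop) plus two closely related
# event names; this watchlist is an assumption of this example, not an AWS list.
WATCHLIST = {
    "PutBucketPolicy": "S3 bucket policy changed",
    "DeleteBucketPolicy": "S3 bucket policy removed",
    "StopInstances": "EC2 instance stopped",
    "TerminateInstances": "EC2 instance terminated",
}

# CloudTrail read-only calls follow these naming prefixes; everything else
# is treated as a change that should at least be recorded.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_records(log_text):
    """Parse one CloudTrail log file: a JSON object holding a "Records" array."""
    return json.loads(log_text).get("Records", [])


def actor(record):
    """Best available identity string for who made the call."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def affected_resource(record):
    """Pull the bucket name or instance ids out of requestParameters, if present."""
    params = record.get("requestParameters") or {}
    if "bucketName" in params:
        return params["bucketName"]
    items = (params.get("instancesSet") or {}).get("items", [])
    return ",".join(i.get("instanceId", "?") for i in items) or "-"


def classify(record):
    """Return (level, note): 'alert' for watchlisted actions, 'change' for any
    other mutating call, 'read' for read-only calls."""
    name = record.get("eventName", "")
    if name in WATCHLIST:
        return "alert", WATCHLIST[name]
    if name.startswith(READ_ONLY_PREFIXES):
        return "read", "read-only call"
    return "change", "other mutating call"


def triage(records):
    """Drop read-only calls, keep one finding per change, and count changes per user."""
    findings = []
    changes_per_user = Counter()
    for r in records:
        level, note = classify(r)
        if level == "read":
            continue
        who = actor(r)
        changes_per_user[who] += 1
        findings.append({
            "time": r.get("eventTime"), "level": level, "user": who,
            "source_ip": r.get("sourceIPAddress"), "event": r.get("eventName"),
            "resource": affected_resource(r), "note": note,
        })
    return findings, changes_per_user


# Constructed sample log (not real AWS output); field names follow the
# CloudTrail record format, all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-11-13T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-audit-logs"}},
    {"eventTime": "2013-11-13T10:17:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2013-11-13T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None},
    {"eventTime": "2013-11-13T10:22:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
]})


if __name__ == "__main__":
    findings, per_user = triage(load_records(SAMPLE_LOG))
    for f in findings:
        print(f"{f['time']} [{f['level']:6}] {f['user']}@{f['source_ip']} "
              f"{f['event']} on {f['resource']}: {f['note']}")
    print("changes per user:", dict(per_user))
```

The read-only prefix rule is deliberately coarse: it keeps the finding list small while making sure every mutating call, not only the watchlisted ones, leaves an entry that an auditor can trace back to a user, a source address and a resource.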