
PDA Presentation - MBodo



  1. Shortcuts & Roadblocks Encountered on the Path to Protecting Your Data in the Cloud
     Simplify, Unify, Optimize Life Science Compliance for Regulated Systems
     Amazon Web Services IaaS for Life Sciences
  2. Agenda
     • “One Slide” intro to Amazon Web Services
     • AWS Security, Certifications, and Compliance
     • Responsibility Models
     • Roadblock #1 – Qualify The Cloud!
     • Shortcut #1 – Qualify The Cloud!
     • Roadblock #2 – Lock down The Cloud!
     • Shortcut #2 – Lock down The Cloud!
     • Data Integrity Concerns
     • Conclusion
  3. AWS Explained in a Slide …
     • Non-Technical Explanation: Amazon EC2, AWS Storage Gateway, Amazon S3, Amazon Glacier, Amazon RDS, Amazon Redshift, Amazon DynamoDB, AWS Direct Connect, Amazon VPC, AWS IAM, AWS IoT, Amazon Kinesis
     • Technical Explanation: Technobabble Nonsense
  4. AWS Security, Certifications, and Compliance
     • Certifications / Attestations: DoD SRG, CJIS, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3
     • Laws, Regulations, and Privacy: CS Mark [Japan], DNB [Netherlands], EAR, EU Model Clauses, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], U.K. DPA - 1988, VPAT / Section 508, EU Data Protection Directive, Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia], PDPA – 2012 [Singapore]
     • Alignments / Frameworks: CLIA, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, UK Cyber Essentials
     Adapted from
  5. Shared Responsibility Model
     • Customer – Responsible for security “in” the Cloud:
       – Your Data
       – Platform, Applications, I&AM
       – Operating Systems, Network & Firewall Configuration
       – Server-side Encryption (File System and/or Data)
       – Client-side Data Encryption & Data Integrity Authentication
       – Network Traffic Protection (Encryption/Integrity/Identity)
     • AWS – Responsible for security “of” the Cloud:
       – Compute, Storage, Networking, Database
       – AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     Adapted from
  6. Roadblock #1 – Qualify the Cloud!
     • Scenario: Shared Responsibility Model not understood
     • Efforts to qualify low-level infrastructure ensue
     • Policies incongruent with the service model are pushed
     • Cycles wasted in trying to absorb AWS’s declared responsibilities
  7. Shortcut #1 – Qualify the Cloud!
     • Scenario: Shared Responsibility Model is integrated into IT
     • Policies are updated to allow distributed management
     • Controls in place to govern Cloud Assets
     • Definitions updated to allow for new CIs
     • Maintain & Manage State of Control
     Manage as independent assets – Business as usual
  8. Roadblock #2 – Lock down The Cloud!
     • Enact strict “no trust/deny all” security policy on Cloud assets
     • Cloud assets are isolated from traditional/on-prem assets
     • Islands of data pile up
     • UID poses an issue/threat
  9. Shortcut #2 – Lock down The Cloud!
     • For Private/Internal Assets
     • Protect/Preserve via VPC
     • Use Security Zones or Subnets within VPC
     • Lockdown & Audit assets per normal methods (business as usual)
     Diagram: virtual private cloud (VPC) with a PROD LIMS subnet and a DEV LIMS subnet; corporate network users reach the VPC over a VPN connection or AWS Direct Connect
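The VPC layout sketched on slide 9 (one VPC, separate PROD LIMS and DEV LIMS subnets acting as security zones, reachable only from the corporate network over VPN or Direct Connect) can be expressed as infrastructure code. The Terraform below is an added example written for this page, not material from the presentation; the region, the CIDR blocks, the corporate network range and all resource names are assumed values. The network ACL on the PROD subnet denies the DEV subnet before admitting corporate traffic, so the two zones are isolated even though they share the VPC, and the rejected traffic shows up in the audit trail when VPC Flow Logs are enabled on the VPC.

```hcl
# Added example (not from the presentation): two security zones inside one VPC.
# All addresses, names and the region are assumed values.

provider "aws" {
  region = "us-east-1" # assumed region
}

# On-prem range that arrives over the VPN / Direct Connect link (assumed).
variable "corporate_cidr" {
  type    = string
  default = "192.168.0.0/16"
}

resource "aws_vpc" "lims" {
  cidr_block           = "10.10.0.0/16" # assumed
  enable_dns_hostnames = true
  tags                 = { Name = "lims-vpc" }
}

# One subnet per environment: separate subnets are the "security zones".
resource "aws_subnet" "prod_lims" {
  vpc_id     = aws_vpc.lims.id
  cidr_block = "10.10.1.0/24" # assumed
  tags       = { Name = "prod-lims", Environment = "PROD" }
}

resource "aws_subnet" "dev_lims" {
  vpc_id     = aws_vpc.lims.id
  cidr_block = "10.10.2.0/24" # assumed
  tags       = { Name = "dev-lims", Environment = "DEV" }
}

# Subnet-level control for the PROD zone. NACL rules are evaluated in
# rule_no order, so the explicit deny of the DEV subnet (100) wins before
# the corporate allow (200). Everything not matched is denied by default.
resource "aws_network_acl" "prod_zone" {
  vpc_id = aws_vpc.lims.id
  tags   = { Name = "prod-lims-nacl" }

  ingress {
    rule_no    = 100
    action     = "deny"
    protocol   = "-1" # all protocols; from/to must be 0 for "-1"
    cidr_block = aws_subnet.dev_lims.cidr_block
    from_port  = 0
    to_port    = 0
  }

  ingress {
    rule_no    = 200
    action     = "allow"
    protocol   = "tcp"
    cidr_block = var.corporate_cidr
    from_port  = 443 # LIMS web front end (assumed port)
    to_port    = 443
  }

  # Return traffic to corporate clients uses ephemeral ports (NACLs are stateless).
  egress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = var.corporate_cidr
    from_port  = 1024
    to_port    = 65535
  }
}

resource "aws_network_acl_association" "prod_zone" {
  network_acl_id = aws_network_acl.prod_zone.id
  subnet_id      = aws_subnet.prod_lims.id
}

# Instance-level control for PROD hosts: only corporate users, only HTTPS.
resource "aws_security_group" "prod_lims" {
  name   = "prod-lims-sg"
  vpc_id = aws_vpc.lims.id

  ingress {
    description = "LIMS HTTPS from corporate network only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.corporate_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The VPN or Direct Connect attachment and the route tables that carry corporate traffic into the VPC are left out; they are environment-specific and do not change the zoning logic. A DEV security group would mirror the PROD one with its own rules, and the same pattern (deny the other zone first, then allow the corporate range) keeps the environments from becoming the "islands of data" slide 8 warns about while still isolating them from each other.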
  10. Data Integrity Concerns
     • Be nimble, like Jack … but remember
     • POCs can unexpectedly gain momentum
     • Fragmentation likely to occur
     • Integrate IAM early, review & audit often
     • Consider corporate directory integration mandatory
     • Strategies for Data at Rest
     Services: AWS IAM, AWS CloudTrail, AWS Directory Service
  11. Conclusion
     • If your house is not in good order today:
       – It will be even worse in the cloud!
     • Assess compliance gaps, perceived or real, before moving to the Cloud
     • Implement bridges to gaps; be Cloud-Aware when doing so
     • Treat AWS as an extension of your Corporate Datacenter
       – It will be infinitely easier to manage
     • Management of Cloud Assets should be the same as on-prem
       – Except when it isn’t! Plan specifically for Cloud management