When the Shared Responsibility model is not understood, an organization tends to gravitate towards doing only what it already knows, and ends up with policies or procedures that are incongruent with, or impractical to apply to, a cloud vendor such as Amazon.
Lower-level infrastructure, such as the supporting utilities, physical security, logical security of the facilities, physical infrastructure, attached storage, and so on, is now managed by the vendor, in this case AWS. Managing the system topology below the customer's realm of responsibility is no longer an activity the customer can perform directly.
Attempts to convince or coerce a cloud vendor such as AWS into accommodating qualification of its side of the model will most likely waste time and effort, and lead to frustration with cloud vendors as a whole.
At this point, I would strongly recommend relying on the contractual agreement and obligations your organization has entered into with its cloud provider, and ensuring that those obligations, at minimum, meet the requirements of your organization's quality policy.
For assets that are internal to the organization, such as an enterprise LIMS (laboratory information management system), control and lock down the assets the same way traditional assets are managed. The large difference in this scenario is that the assets are hosted outside the corporate network.
It is then the VPN connection or the AWS Direct Connect link that must be configured so that data in motion is handled the same way it is handled between geographically separate corporate offices. The assumption is that the company treats off-prem assets the same as on-prem assets.
At the end of the day, in each area of the VPC, apply the same logical restrictions to assets running in the cloud as you would to assets running on the corporate network; that is to say, do not treat them much differently.
External assets need to be evaluated case by case, taking into account data criticality, operational risk, regulatory risk, and so on.
Jack be nimble, Jack be quick, Jack provisioned a datacenter with just one click. Keep a keen eye on which projects your AWS infrastructure is supporting. Keep an eye on how many versions of the same solution are floating around; this avoids the discussion of "are my data CORRECT?". Understand your IAM strategy and integrate IAM as quickly as possible. Dispel any attribution issues as early as possible. Scenario: data are being pushed via Kinesis Firehose into an S3 bucket and a Redshift table for real-time analysis of a manufacturing environment. You would want to be certain that the data points you are collecting can be properly attributed to the correct origin: the data-generating device or person.
PDA Presentation - MBodo
Shortcuts & Roadblocks Encountered on the
path to protecting your data in the cloud
Simplify, Unify, Optimize
Life Science Compliance for Regulated Systems
Amazon Web Services
IaaS for Life Sciences
• “One Slide” intro to Amazon Web Services
• AWS Security, Certifications, and Compliance
• Responsibility Models
• Roadblock #1 – Qualify The Cloud!
• Shortcut #1 – Qualify The Cloud!
• Roadblock #2 – Lock down The Cloud!
• Shortcut #2 – Lock down The Cloud!
• Data Integrity Concerns
AWS Explained in a Slide …
Certifications / Attestations: DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3
Laws, Regulations, and Privacy: CS Mark [Japan], DNB [Netherlands], EAR, EU Model Clauses, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], U.K. DPA 1998, VPAT / Section 508, EU Data Protection Directive, Privacy Act [Australia], Privacy Act [New Zealand], PDPA 2010 [Malaysia], PDPA 2012 [Singapore]
Alignments / Frameworks: CJIS, CLIA, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, UK Cyber Essentials
Adapted from https://aws.amazon.com/compliance/
Responsibility Models (diagram)
Customer: responsible for security "in" the cloud
• Platform, Applications, Identity & Access Management
• Operating Systems, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection
AWS: responsible for security "of" the cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure
Adapted from https://aws.amazon.com/compliance/shared-responsibility-model/
Roadblock #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model not understood
• Efforts to qualify low-level infrastructure ensue
• Policies incongruent with the service model are pushed
• Cycles wasted trying to absorb AWS's declared responsibilities
Shortcut #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model is integrated into IT
• Policies are updated to allow distributed management
• Controls in place to govern Cloud Assets
• Definitions updated to allow for new CIs (configuration items)
• Maintain & Manage State of Control
Manage as independent assets
Business as usual
Roadblock #2 – Lock down The Cloud!
• Enact strict "no trust/deny all" security policy on Cloud assets
• Cloud assets are isolated from traditional/on-prem assets
• Islands of data pile up
• UID poses an issue/threat
Shortcut #2 – Lock down The Cloud!
• For Private/Internal Assets
• Protect/Preserve via VPC (virtual private cloud)
• Use Security Zones or Subnets within the VPC
• Lock down & audit assets per normal methods (business as usual)
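The notes above (treat assets in the VPC like assets on the corporate network, reachable only over the VPN or Direct Connect) and this slide (security zones or subnets within the VPC, audited per normal methods) describe a check a practitioner would want to run. The following is an added example, not code from the presentation: it audits security-group ingress rules the way an on-prem firewall review would, flagging anything open to the internet or sourced from outside the corporate ranges. The corporate CIDRs, group IDs and the sample `describe-security-groups`-shaped input are constructed for the example and are assumptions, not values from the deck.

```python
"""Audit VPC security-group ingress against an on-prem-style allow-list.

Added example for this deck (not the presenter's code). The VPC is treated
like a corporate network segment: ingress is only acceptable from the
corporate ranges that arrive over the VPN / Direct Connect, or from other
security groups inside the VPC. Anything reachable from 0.0.0.0/0 or ::/0
is a finding, as is any source outside the corporate ranges.
"""
import ipaddress

# Assumption: the on-prem ranges routed into the VPC over VPN / Direct Connect.
CORPORATE_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample, shaped like the JSON returned by
# `aws ec2 describe-security-groups`. IDs are made up for the example.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0f1a2b3c4d5e60001",
        "GroupName": "lims-app",
        "VpcId": "vpc-0f1a2b3c4d5e6a0b1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0f1a2b3c4d5e60002",
        "GroupName": "lims-db",
        "VpcId": "vpc-0f1a2b3c4d5e6a0b1",
        "IpPermissions": [
            # SG-to-SG reference inside the VPC: business as usual, not a finding.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0f1a2b3c4d5e60001", "UserId": "123456789012"}]},
            # "-1" means all protocols/ports; ::/0 is the whole IPv6 internet.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def _port_label(perm):
    """Human-readable protocol/port range for a permission entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def _classify_source(cidr, corporate_cidrs):
    """Return None if the source CIDR is acceptable, else the reason it is not."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "open to the internet"
    same_family = [c for c in corporate_cidrs if c.version == net.version]
    if not any(net.subnet_of(c) for c in same_family):
        return "source outside corporate ranges"
    return None


def audit_ingress(groups, corporate_cidrs=CORPORATE_CIDRS):
    """Return findings as (group_id, port_label, source_cidr, reason) tuples.

    Only CIDR sources are judged; UserIdGroupPairs (references to other
    security groups) stay inside the VPC and are accepted as-is.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            label = _port_label(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                reason = _classify_source(cidr, corporate_cidrs)
                if reason is not None:
                    findings.append((sg["GroupId"], label, cidr, reason))
    return findings


if __name__ == "__main__":
    for group_id, label, cidr, reason in audit_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: {label} from {cidr}: {reason}")
```

On real data, feed `audit_ingress` the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`; the corporate ranges should be the exact prefixes advertised over the VPN or Direct Connect, not a guess, or the audit will either miss exposed rules or flag legitimate ones.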
Data Integrity Concerns
• Be nimble, like Jack
… but remember
• POCs can unexpectedly gain momentum
• Fragmentation is likely to occur
• Integrate IAM early; review & audit often
• Consider corporate directory integration mandatory
• Strategies for Data at Rest
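The scenario in the notes (datapoints pushed through Kinesis Firehose into S3 and Redshift, which must be attributable to the correct device or person) and this slide's attribution concern come down to the customer-side "Data Integrity Authentication" item of the responsibility model. The following is an added example, not code from the presentation: each origin signs its own records with a per-origin key, and the consumer verifies the signature against the key registered for the claimed origin before loading the datapoint, so a record that was tampered with, re-attributed to another device, or emitted by an unenrolled origin is rejected. The origin names, keys and sample batch are constructed for the example; the key registry stands in for whatever secrets store the organization actually uses.

```python
"""Origin attribution and integrity check for streamed datapoints.

Added example for this deck (not the presenter's code). Each data-generating
device or person holds its own secret key and signs every record it emits.
The consumer verifies the signature under the key registered for the claimed
origin, so a datapoint is only attributed to an origin that could have
produced it. Origins, keys and records below are constructed for the example.
"""
import hashlib
import hmac
import json

# Assumption: per-origin secrets provisioned at enrolment and held in a
# secrets store on the consumer side. Constructed values.
KEY_REGISTRY = {
    "bioreactor-07": b"constructed-key-for-bioreactor-07",
    "operator-jdoe": b"constructed-key-for-operator-jdoe",
}


def _canonical(origin, ts, payload):
    """Deterministic bytes over origin, timestamp and payload, so the
    signature binds the datapoint to the origin that claims it."""
    body = {"origin": origin, "ts": ts, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(origin, ts, payload, key):
    """Build the record a device would push into Firehose."""
    sig = hmac.new(key, _canonical(origin, ts, payload), hashlib.sha256).hexdigest()
    return {"origin": origin, "ts": ts, "payload": payload, "sig": sig}


def verify_record(record, registry=KEY_REGISTRY):
    """Return (accepted, reason). The record is attributed to `origin` only
    if it verifies under that origin's registered key."""
    origin = record.get("origin")
    key = registry.get(origin)
    if key is None:
        return False, "unknown origin"
    expected = hmac.new(key, _canonical(origin, record["ts"], record["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("sig", "")):
        return False, "signature mismatch"
    return True, "ok"


def triage_batch(records, registry=KEY_REGISTRY):
    """Split a batch into accepted and rejected (record, reason) pairs, as a
    consumer would before loading the accepted rows into Redshift."""
    accepted, rejected = [], []
    for rec in records:
        ok, reason = verify_record(rec, registry)
        (accepted if ok else rejected).append((rec, reason))
    return accepted, rejected


def sample_batch():
    """Constructed batch: one genuine record and three that must be rejected."""
    good = sign_record("bioreactor-07", "2016-05-01T10:00:00Z",
                       {"temp_c": 37.1}, KEY_REGISTRY["bioreactor-07"])
    tampered = dict(good, payload={"temp_c": 36.5})   # value altered after signing
    reattributed = dict(good, origin="operator-jdoe")  # someone else's signature, claimed as own
    unknown = sign_record("bioreactor-99", "2016-05-01T10:00:01Z",
                          {"temp_c": 37.0}, b"rogue-key")  # origin never enrolled
    return [good, tampered, reattributed, unknown]


if __name__ == "__main__":
    accepted, rejected = triage_batch(sample_batch())
    for rec, reason in accepted + rejected:
        print(f"{rec['origin']}: {reason}")
```

The timestamp is inside the signed body, so the consumer can additionally reject records whose `ts` falls outside an acceptance window to limit replay; that windowing is left out here. Per-origin keys are what make attribution meaningful: a single shared key would prove integrity but not which device or person produced the datapoint.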
• If your house is not in good order today:
• It will be even worse in the cloud!
• Assess compliance gaps, perceived or real, before moving to the Cloud
• Build bridges across those gaps; be Cloud-aware when doing so
• Treat AWS as an extension to your Corporate Datacenter
• It will be infinitely easier to manage
• Management of Cloud Assets should be the same as on-prem
• Except when it isn’t! Plan specifically for Cloud management