AWS Security Week: Why Your Customers Care About Compliance
•
2 likes•425 views
AWS Security Week at the San Francisco Loft: Why Your Customers Care About Compliance...and You Should Too! Presenter: Kristen Haught, AWS Security Assurance
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS Security Week: Why Your Customers Care About Compliance
Similar to AWS Security Week: Why Your Customers Care About Compliance (20)
More from Amazon Web Services
More from Amazon Web Services (20)
AWS Security Week: Why Your Customers Care About Compliance
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Why Your Customers Care About Compliance… and You Should Too! Kristen Haught AWS Security Assurance
- 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved • What and why compliance? • Compliance before the cloud • Compliance on AWS • Implement and achieve compliance • Market and communicate compliance • Q & A Agenda
- 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved What is Compliance? Why does it matter?
- 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Why should compliance be a part of your business strategy?
- 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Compliance before the cloud • Physical and environmental security • Security of compute, storage, networking, and databases • Time intensive, manually performed • Limited flexibility • Limited agility
- 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Compliance Programs Certifications & Attestations Laws, Regulations and Privacy Alignments & Frameworks Cloud Computing Compliance Controls Catalogue (C5) DE ! CISPE EU " CIS (Center for Internet Security) # Cyber Essentials Plus UK $ EU Model Clauses EU " CJIS (US FBI) US % DoD SRG US % FERPA US % CSA (Cloud Security Alliance) # FedRAMP US % GLBA US % Esquema Nacional de Seguridad ES & FIPS US % HIPAA US % EU-US Privacy Shield EU " IRAP AU ' HITECH # FISC JP ( ISO 9001 # IRS 1075 US % FISMA US % ISO 27001 # ITAR US % G-Cloud UK $ ISO 27017 # My Number Act JP ( GxP (US FDA CFR 21 Part 11) US % ISO 27018 # Data Protection Act – 1988 UK $ ICREA # MLPS Level 3 CN ) VPAT / Section 508 US % IT Grundschutz DE ! MTCS SG * Data Protection Directive EU " MITA 3.0 (US Medicaid) US % PCI DSS Level 1 + Privacy Act [Australia] AU ' MPAA US % SEC Rule 17-a-4(f) US % Privacy Act [New Zealand] NZ , NIST US % SOC 1, SOC 2, SOC 3 # PDPA - 2010 [Malaysia] MY - Uptime Institute Tiers # ENS High PDPA - 2012 [Singapore] SG * Cloud Security Principles UK $ PIPEDA [Canada] CA . # = industry or global standard Agencia Española de Protección de Datos ES & Updated table: https://aws.amazon.com/compliance/programs/
- 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved How will the cloud make my compliance efforts easier? • Security and compliance built in • Breadth of functionality • Speed of innovation • Mature ecosystem Using AWS, Pacific Life can quickly scale up additional compute capacity with less cost and IT overhead than by adding to its own data center assets, while benefitting from built-in security features in AWS products that help Pacific Life with compliance issues.
- 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Getting started with compliance in the cloud 1. Make security a priority 2. Aggregate all compliance requirements you and your customers are subject to 3. Develop and/or incorporate cloud into a controls framework to be nimble 4. Implement controls and automation to reduce risk 5. Test, audit, and monitor for security assurance 6. Communicate your compliance effectively to customers
- 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Getting started recommendations • Don’t make security and compliance an afterthought • Leverage AWS Compliance Quickstarts as a baseline (https://aws.amazon.com/quickstart/) • Select a global third-party audit to be your compliance foundation (SOC, ISO) • Select and incorporate AWS audit reports into your certification & accreditation process for security control inheritance
- 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Market and communicate “When speaking with senior executives, an important but often neglected aspect is the language barrier,” said Peter Firstbrook, VP at Gartner, during the Gartner Security and Risk Management Summit 2018.* *https://www.gartner.com/smarterwithgartner/gartner-top-5-security-and-risk-management-trends/
- 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Market and communicate • With great security and the right assessment(s), compliance becomes a translation activity. • Seek to understand the compliance and regulation your prospective customers are subject to, and speak that language. • FAQ: Do you comply with <insert 1 of 3000+ standards, laws, and regulations>? *https://www.gartner.com/smarterwithgartner/gartner-top-5-security-and-risk-management-trends/
- 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Recommendation: Translate your security to your customer’s language MEDIA DESTRUCTION CONTROL SOC SOC 2 NIST 800- 53 ISO 27001 ISO 27017 ISO 27018 PCI 3.2 HIPAA C5 Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned. 5.13 7.7 CC5.6 C1.8 MP-6 MP-6 (4) PE-1 MA-3 (3) MP-6 (1) MP-6 (2) A.11.2.7 A.8.3.2 11.2.7 8.3.2 A.10.13 9.8 9.8.1 9.8.2 3.1 164.310( d)(2)(i) 164.310( d)(2)(ii) AM-04 PI-05 https://aws.amazon.com/compliance/data-center/controls/
- 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Common Regulated Customer Questions & Objectives • “The cloud isn’t secure enough for the sensitivity of our data.” • “Our regulation does not permit the use of the cloud.” • “We prefer a private cloud.” • “We require physical separation of our data.” • “We can only consider use if your data centers are greater than a 100 miles apart.” • “You must have a tier 4 certified data center.”
- 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved General Electric Capital One BMW Johnson & Johnson Merck Nordstrom AWS Global Enterprise Customers DTTC, a centralized clearinghouse that processes 100 million securities transactions per day, is transforming trade processing and analytics using AWS. DTCC is all in on AWS, running more than 20 workloads in a regulated environment that demands resilience, secure storage, and industry-wide collaboration. Robert Palatnick, technology architect at DTCC (Watch Online) More testimonials from customers in regulated industries: https://aws.amazon.com/compliance/testimonials/
- 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Closing Recommendations: • Make security a priority • Approach compliance early with a strategy to scale • Maintain and build on a control framework • Don’t get discouraged from the initial challenges • Take advantage of AWS’ mature ecosystem and the security and compliance you inherent from AWS
- 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS