AWS is hosting the first FSI Cloud Symposium in Hong Kong, which will take place on Thursday, March 23, 2017 at the Grand Hyatt Hotel. The event will bring together FSI customers, industry professionals and AWS experts to explore how to turn the goals of transformation, innovation and acceleration into reality using cloud, voice-to-text and IoT technologies. The packed agenda includes expert sessions on pressing issues such as security and compliance, as well as customers sharing how cloud computing is benefiting the industry.
Speaker: Iolaire Mckinnon, Senior Consultant - Security, Risk & Compliance, Professional Services, AWS
2. Who is responsible for what?
When evaluating controls in a cloud environment, it is
important for you to understand and distinguish between:
• Controls that AWS implements and operates on your behalf –
“Security OF the cloud”
• Controls that you implement and operate, related to the security
of your content and applications that make use of AWS services –
“Security IN the cloud”
3. What is the AWS Shared Security Model?
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
4. Who is responsible for what?
Customer-operated controls by service category (the more abstract the service, the more of the stack AWS operates on your behalf):
• Infrastructure Services (EC2): Customer IAM, AWS IAM, App Requirements, Operating System, Networking/Firewall, Code and Data
• Platform Services (RDS, ECS): Customer IAM, AWS IAM, Firewall, Code and Data
• Abstract Services (Lambda, DynamoDB): AWS IAM, Code and Data
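As a worked example of what the customer's half of this table means in practice, the Python below (added here; it is not code from the AWS deck) expresses two customer-side controls from the slide, IAM policy hygiene and security-group hygiene, as offline checks, and runs only the checks that fall on the customer's side for a given service category. The control labels, the admin-port list, the IAM policy and the security-group rules are all constructed assumptions for illustration.

```python
import ipaddress

# Customer-side controls per service category, as the "Who is responsible for
# what?" slide lays them out (the short labels are this example's own).
CUSTOMER_CONTROLS = {
    "infrastructure": {"customer_iam", "aws_iam", "app", "os", "firewall", "code_and_data"},  # EC2
    "platform": {"customer_iam", "aws_iam", "firewall", "code_and_data"},                      # RDS, ECS
    "abstract": {"aws_iam", "code_and_data"},                                                  # Lambda, DynamoDB
}

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overprivileged_statements(policy):
    """Flag Allow statements whose Resource is "*" and whose Action is a wildcard.

    A bare "*" action is rated critical, a service-wide "svc:*" high. NotAction
    and Condition are ignored here (assumption: simple policies only).
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" not in resources:
            continue
        if any(a in ("*", "*:*") for a in actions):
            severity = "critical"
        elif any(a.endswith(":*") for a in actions):
            severity = "high"
        else:
            continue
        findings.append({"index": index, "sid": stmt.get("Sid", ""),
                         "actions": actions, "severity": severity})
    return findings


def find_exposed_admin_ports(rules):
    """Flag ingress rules that open an admin port to 0.0.0.0/0 or ::/0.

    Rule shape (constructed to resemble an EC2 IpPermissions entry):
    {"proto": "tcp"|"udp"|"-1", "from": int, "to": int, "cidrs": [str, ...]}
    """
    findings = []
    for rule in rules:
        for cidr in rule["cidrs"]:
            # Only a prefix length of 0 covers the entire address space (v4 or v6).
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue
            if rule["proto"] == "-1":  # all traffic, every port
                ports = sorted(ADMIN_PORTS)
            else:
                ports = sorted(p for p in ADMIN_PORTS if rule["from"] <= p <= rule["to"])
            if ports:
                findings.append({"rule": rule, "cidr": cidr, "ports": ports})
    return findings


def run_checks(category, policy, rules):
    """Run only the checks that are the customer's for this service category.

    For abstract services (Lambda, DynamoDB) the firewall is AWS's to operate,
    so no security-group finding is reported even if rules are passed in.
    """
    controls = CUSTOMER_CONTROLS[category]
    report = {}
    if "aws_iam" in controls:
        report["iam"] = find_overprivileged_statements(policy)
    if "firewall" in controls:
        report["firewall"] = find_exposed_admin_ports(rules)
    return report


# Constructed sample inputs (not taken from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBucketRead", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Sid": "Ec2Admin", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "BreakGlass", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
SAMPLE_RULES = [
    {"proto": "tcp", "from": 443, "to": 443, "cidrs": ["0.0.0.0/0"]},           # public HTTPS: fine
    {"proto": "tcp", "from": 22, "to": 22, "cidrs": ["10.0.0.0/8"]},             # SSH from the VPC only
    {"proto": "tcp", "from": 3389, "to": 3389, "cidrs": ["0.0.0.0/0", "::/0"]},  # RDP open to the world
    {"proto": "-1", "from": -1, "to": -1, "cidrs": ["192.168.1.0/24"]},          # all traffic, private range
]

if __name__ == "__main__":
    for category in CUSTOMER_CONTROLS:
        print(category, run_checks(category, SAMPLE_POLICY, SAMPLE_RULES))
```

To run the same checks against a real account, feed in the JSON returned by `aws iam get-policy-version` and `aws ec2 describe-security-groups`; the EC2 output uses `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `Ipv6Ranges` rather than the flattened rule shape assumed above, so a small mapping step is needed.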
5. Who are AWS Security?
• AWS CISO Staff
• Security Operations Center (SOC)
• AWS Abuse Team
• AWS Lookout Team
• Support Security SMEs & TAMs
• AWS Security Solution Architects
• AWS Security Assurance
• AWS Professional Services SRC Practice
• AWS Service Team Security SDEs
• AWS Employees
6. Security “OF” The Cloud: Example
Storage Device Decommissioning
End-of-life storage devices follow a decommissioning process that is
designed to prevent customer data from being exposed to unauthorized
individuals.
AWS destroys data on storage devices using techniques from:
• US DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
• NIST 800-88 (“Guidelines for Media Sanitization”)
Decommissioned storage devices are degaussed (for magnetic
devices) and physically destroyed in accordance with industry-standard
practices.
Note that NIST SP 800-88 treats degaussing as a purge technique for magnetic media only; it does not sanitize flash-based media such as SSDs, which is why physical destruction remains the backstop in the process above.
10. What benefits does AWS Security provide you?
Highly Automated
• At AWS we purpose-build security tools, and we tailor them for our
unique environment, scale, and global requirements. Building
security tools from the ground up allows AWS to automate many of
the routine tasks security experts normally spend time on.
Meet Compliance Requirements
• AWS environments are continuously audited for dozens of
compliance programs, with certifications from accreditation bodies
across the globe. This means that segments of your compliance
have already been completed.
11. Security “OF” The Cloud – More information
AWS Security Whitepaper
AWS Global Security Infrastructure
Physical and Environmental Security
Business Continuity Management
Network Security
AWS Employee Access
Secure Design Principles
Change Management
AWS Account Security Features
AWS Service-Specific Security
13. Auditing – Comparison
On-premises:
• Start with bare concrete
• Audits done by an in-house team
• Accountable to your company
• Typically check once a year
• Workload-specific compliance checks
• Audit team must keep pace and invest in security innovation
• Manual (often physical) evidence checks
On AWS:
✓ Start on base of accredited services
✓ Audits done by third-party experts
✓ Accountable to everyone
✓ Continuous monitoring
✓ Compliance approach based on all workload scenarios
✓ AWS security innovation drives broad compliance
✓ Automated checks, full visibility
14. What is the AWS Compliance Program?
AWS engages with external certifying bodies and
independent auditors to provide customers with
considerable information regarding the policies, processes,
and controls established and operated by AWS.
16. Our Accreditations and Compliance Reports
Achieve your compliance objectives with AWS
Customers layer on top:
• Your own external audits
• Your own accreditation
• Your own certifications
Built on AWS consistent baseline controls (for example, MTCS Level 3):
• Customer scope and effort is reduced
• Better results through focused efforts
17. Where to find our Compliance Reports
Public reports/certificates:
• SOC 3 Report
• ISO 27001 Certification
• ISO 27017 Certificate
• ISO 27018 Certificate
• ISO 9001 Certificate
Many reports are available on demand once you’ve signed an NDA; today most of these are self-service through AWS Artifact in the AWS Management Console, which records your acceptance of the terms before releasing the document.
https://aws.amazon.com/compliance/contact/
19. Your takeaway:
Finally, let me reiterate the principle of the shared security
model:
• Controls that AWS implements and operates on your behalf
– “Security OF the cloud”
• Controls that you implement and operate, related to the security
of your content and applications that make use of AWS services
– “Security IN the cloud”