Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Balancing cloud innovation and security
Meng-Chow Kang, PhD, CISSP
Head, Security Assurance, APJC
Amazon Web Services
G R C 3 1 7

“Innovate or die.”
Peter Drucker

“It is not the strongest of the species that
survives, nor the most intelligent, but the
most responsive to change.”
Charles Darwin

Agenda
Situation, approaches, and challenges
An accreditation framework toward secure cloud adoption
Shared responsibility model

Cloud first, cloud by default, and cloud native

Why public cloud?
“A move to cloud computing—away from on-premises owned
and operated infrastructure—can generate a faster pace of
delivery, continuous improvement cycles, and broad access to
services.”
Australian Government Digital Transformation (DTA)
Secure Cloud Strategy, 2017
“When we start with the assumption that all our services should
run in the public cloud with no more locally managed servers . . .
we get the resilience and backups of some of the most cyber-
aware and heavily invested companies in the world . . .”
UK National Health Service (NHS) Policy Paper, 2018
“Public ICT facilities and services can be tested and deployed
quicker, and maintained more cost effectively, than if
government agencies own and run unique computing facilities
themselves.”
Philippine Cloud-First Policy, 2017
“Using public cloud services means agencies can better manage
their risks, reducing the impact of any single event.”
New Zealand Cloud-First Policy
“The use of cloud technology could lead to advantages such as
a reduction in operating and maintenance costs, and the
ability to run systems around the clock without having to
provide for expensive dedicated backups and standbys.”
Prime Minister Lee Hsien Loong, Singapore

Cloud first, cloud by default, and cloud native
Cited benefits
• Cost saving/better way to manage
cost
• Agility, speed, continuous
improvement
• Elasticity, scalability
• Improve resiliency
• Technology capability
• Operational efficiency
• Security

Legacy
systems
Budget
Skill/expertise Security
Top concerns in cloud adoption

Cloud security accreditations

A snapshot of current accreditation schemes
Security Requirements Auditing Process Authorization Maintenance
US/FedRAMP NIST 800-53, 199 3rd Party Auditor/NIST SP 800-
37
JAB Provisional ATO, Agency
ATO
Continuous monitoring,
ongoing assessment
AU/IRAP & IRAP Protected Information Security Manual 3rd Party Auditor (IRAP
accredited)
ACSC Annual assessment
China/MLPS GB/T 28448/Cybersecurity Law GB/T 28449/36627 Gov’t
Auditors (MPS accredited)
MPS Review Panel Annual assessment
Germany/C5 BSI IT-Grundschutz Catalogues 3rd Party Auditor N/A Annual assessment
India/CSP Empanelment RFP (ISO 27001/17/18, 20000-1,
TIA)
Gov’t Auditor (STQC) Meity Annual assessment
Korea/KISA Cloud
Assurance Program
KISA-defined standards; Cloud
Computing Act
KISA Auditor Authorizing Committee Continuous monitoring,
annual assessment
Korea/K-ISMS Korean ISMS standard KISA Auditor K-ISMS Committee Annual surveillance audit, 3-
year re-cert
SG/MTCS L3/GovTech
Authorization
MTCSS (SS 584) / ISO 27001
/GovTech Reqmt
3rd Party Auditor (IMDA
accredited)/GovTech
IMDA/ESG/GovTech Annual surveillance audit; 3-
year re-cert
Japan METI/MIC CSP
Certification Registration
New control criteria based on
existing common standards in
development
3rd Party Auditor (METI/MIC
accredited)
METI/MIC to-be-determined
agency
Annual surveillance audit, 3-
year re-cert

Challenges
Develop &
maintain
Types of
workloads,
how to decide
Skill/expertise
Authorization
policy
Time to
authorization
Addition of
new services

A journey to authorization

“Innovation almost always is not successful the first
time out. You try something and it doesn’t work and
it takes confidence to say we haven’t failed yet. . . .
Ultimately you become commercially successful.”
Clayton Christensen
Professor, Harvard Business School

Design criteria
Efficient to operate and maintain
Timeliness
Resources (skills/expertise)
Cost
Effective
Addressing the dynamic nature of cloud
technology
Maximize reuse (inherit, leverage)
Existing certification and attestation
schemes
International and industry-recognized
standards
Practical—no perfect security
“We must continually strike the right
balance between security and usability.”
Prime Minister Lee Hsien Loong, Singapore,
GovTech Conference, 2018

International accreditations
Security Requirements Auditing Process Authorization Maintenance
ISO Certification ISO/IEC 27001/17/18 ISO Accredited Auditor ISO-Accredited Certification
Bodies
Annual surveillance audit; 3-
year re-cert
AICPA SOC 1 & 2 Organizational Policy; SSAE-18;
Trust Service Criteria
SSAE-18/CPA Firm’s Auditor Auditing Firm (CPA and
Partners)
Six-month cycle of continuous
assessment
ISO/IEC 27001, based on
ISO/IEC 27000 family of
standards, in operation since
1997 (starting with BS 7799-
2)
SOC 1 & 2 in operation since
1992, starting with SAS 70
Reporting

Point-in-time versus continuous assurance

“Cloud service providers offer robust
security features and internationally
recognized certifications that would be a
challenge for any one organization to
deliver on its own.”
Government of Canada Cloud Adoption Strategy,
2018 update

Inherit global security and compliance controls

German BSI C5
Leverage
existing
standards
• 17 thematic sections
• Uses recognized
security standards
Self-
disclosure
• Surrounding
parameters for
transparency
• Enable customer
decision beyond
control compliance
Verification
process
• Minor addition to
cloud provider’s
existing assurance
• Recognizes SOC 2
Report
• ISO/IEC 27001:2013
• CSA Cloud Controls Matrix 3.01
• AICPA Trust Service Principles Criteria 2014
• ANSSI Référentiel Secure Cloud 2.0 (Draft)
• IDW ERS FAIT 5 04.11.201 [Generally accepted
accounting principles for the outsourcing of
accounting-related services including cloud
computing], November 2014 version)
• BSI IT-Grundschutz Catalogues, v14, 2014
• BSI SaaS Sicherheitsprofile [BSI SaaS security profiles]
• Data location, place of jurisdiction, certifications and
duties of investigation and disclosure toward
government agencies, and system description.
• “A[n] SOC 2 report proves that a cloud provider complies
with the requirements of the catalogue and that the
statements made on transparency are correct. This report
is based on the internationally recognised attestation
system of the ISAE 3000, which is used by public auditors.
When auditing the annual financial statements, the
auditors are already on site, and auditing according to the
Cloud Computing Compliance Controls Catalogue (C5) can
be performed with not too great additional effort.” - BSI
Ref:
https://www.bsi.bund.de/EN/Topics/Clou
dComputing/Compliance_Controls_Catalo
gue/Compliance_Controls_Catalogue_nod
e.html

Data classification
Traditional approach
• Sensitivity or strategic nature of the
data or information, which is
labeled as unclassified,
confidential, secret, or top secret
• Evaluated security level of the IT
systems, based on the security
functions and features
implemented, and the
completeness and correctness of
the implementation against a set of
security requirements and
evaluation criteria
• Security clearance of individuals
using the IT system for processing
the classified information
Challenges
• Requires the IT systems to be
relatively stable, with very few
changes over a long period of time
• A re-evaluation of the IT system will
be necessary whenever there are
changes introduced to update or
upgrade the functions or security of
the system
• Evaluation requires substantial
testing, which often takes between
12 and 24 months, depending on
the complexity of the systems
involved
• Internet/cloud-era systems are
highly connected and require
timely updates in response to
vulnerabilities, detection, and new
attacks

Data classification with cloud deployment models
Cloud Deployment Models Examples Data Examples Legal Scope
Tier 1: Non-sensitive
or public data
(unclassified); low
impact
Level 1: Basic Security—Cloud infrastructures in
conformance with security best practices standards
and guidelines
Open data, public data, non-
sensitive administrative
information, website hosting
public information
Public and private
businesses
Tier 2: Restricted or
administrative;
medium impact
Level 2: Strong Security—Level 1 plus additional
security controls, e.g., strong identity
authentication (MFA), mandated data encryption,
and high-availability architecture requirements
Restricted matters, business or
administrative data, emails, client
support and CRM systems,
financial records, and medical
records; citizens’ identity and
social security data
Public and private
businesses
Tier 3: High impact;
government highly
confidential or above
Level 3: In-Depth Protection—Level 2 plus
additional security controls, e.g., encrypted private
network link to the CSP’s data center or network
access points, virtual network separation between
departments, use of dedicated instances
Government documents and
applications dealing with matters
of international negotiations;
technical matter of military
nature or requiring higher
protection
National defense;
foreign mission and
trade of the state
national intelligence

Cloud Deployment Models Examples Data Examples Legal Scope
Tier 1: Non-sensitive
or public data
(unclassified); low
impact
Level 1: Basic Security—Cloud infrastructures in
conformance with security best practices standards
and guidelines
Open data, public data, non-
sensitive administrative
information, website hosting
public information
Public and private
businesses
Tier 2: Restricted or
administrative;
medium impact
Level 2: Strong Security—Level 1 plus additional
security controls, e.g., strong identity
authentication (MFA), mandated data encryption,
and high-availability architecture requirements
Restricted matters, business or
administrative data, emails, client
support and CRM systems,
financial records, and medical
records; citizens’ identity and
social security data
Public and private
businesses
Tier 3: High impact;
government highly
confidential or above
Level 3: In-Depth Protection—Level 2 plus
additional security controls, e.g., encrypted private
network link to the CSP’s data center or network
access points, virtual network separation between
departments, use of dedicated instances
Government documents and
applications dealing with matters
of international negotiations;
technical matter of military
nature or requiring higher
protection
National defense;
foreign mission and
trade of the state
national intelligence
Data classification with cloud deployment models
Apply FedRAMP or custom approach
Tier-3: 3rd Party audit of additional &
enhanced security controls to ensure
compliance
Continuous monitoring and configuration
management; ongoing assessment.
Apply C5 or MTCS approach
Tier-1: Verification of ISO 27001/17/18
certifications and SOC 1 & 2 Reports +
Self-Disclosure
Tier-2: 3rd Party audit of additional
security controls to ensure compliance
Annual re-verification

Balancing speed (for innovation) and security
Efficient to operate and maintain
Timeliness
Resources (skills/expertise)
Cost
Effective
Addressing the dynamic nature of cloud
technology
Maximize reuse (inherit,
leverage)
Existing certification and attestation
schemes
International and industry- recognized
standards
Practical—no perfect security
Develop &
maintain
Types of
workloads,
how to decide
Skill/expertise
Authorization
policy
Time to
authorization
Addition of
new services

Security is a shared responsibility
DatabaseStorageCompute Networking
Edge locationsRegions
Avail. Zones
AWS Global
Infrastructure
Customers are responsible
for security in the cloud
AWS is responsible for
security of the Cloud
Customer data
Platform, applications,
Identity & access management
Operating system, network &
Firewall configuration
Client-side data
encryption & data
integrity authen
Server-side encryption
(file system and/or
data)
Network traffic
protection (encryption
/integrity/identity)

What the shared responsibility model means to you
Establish a government-wide cloud
security policy and/or internal security
guidelines
• Reinforce government’s commitment to the
customer side of the shared responsibility
model
• Ensure adequate execution of this
responsibility at every level within the cloud
environment
Re-engineer IT operation and support
processes
• Ensure proper accountability of security and
operational responsibilities in the cloud
environment
• Execute with adequate security and risk
governance oversights
“Fundamental 're-engineering' of Government to provide better and faster public
services: PM Lee”, Oct. 2, 2018, The Straits Times, Singapore
Ref: https://www.straitstimes.com/singapore/government-e-services-to-be-
created-faster-and-more-cost-efficiently-with-rollout-of

Outcomes
Realize benefits of Cloud First Policy
earlier with faster cloud adoption
Workload tiering allows for up to 90% to migrate
faster with internationally certified and validated
CSPs—realizing the benefits of the Cloud First
Policy
Better risk management, better returns
of security investment
Learn from migration of non-sensitive, lower-
impact workloads to apply on higher-impact,
more critical systems to ensure overall better
protection
Increase focus on implementing user-
side of Shared Responsibility Model.

Government stories and case studies (a snapshot)
Ref: https://aws.amazon.com/solutions/case-studies/government-education/all-government-education-
nonprofit/

In closing …
• Gaining security assurance of CSP is
an important step toward cloud
adoption but not the only step that
ensures security
• Security accreditation must not
become a showstopper
• Learn from early cloud adopters in
both public and commercial sectors
• Adopt international standards and
industry best practices
• Use the 80/20 principle
• Allow low-medium impact workloads to move
fast
• Focus resources on high-impact critical
workloads
• Both aspects of the shared
responsibility model need attention
and actions—internal re-
engineering/changes
• Cloud security is also a journey

What’s next
Learn more about AWS Compliance
https://aws.amazon.com/compliance/
Read the whitepapers/blogs
AWS Smart Cloud Native Policy whitepaper
https://pages.awscloud.com/public_sector_aws-smart-cloud-native-policy-whitepaper.html
Data Classification - Secure cloud adoption
https://d1.awsstatic.com/whitepapers/compliance/AWS_Data_Classification.pdf
Logical Separation – An evaluation of US DoD security requirements for sensitive workloads
https://aws.amazon.com/blogs/security/how-aws-meets-a-physical-separation-requirement-
with-a-logical-separation-approach/
The Five Ways Organizations Initially Get Compromised and Tools to Protect Yourself
https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-
compromised-and-tools-to-protect-yourself/

Thank you!
Meng-Chow Kang
mengchow@amazon.com

Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019

Similar to Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Balancing cloud innovation and security - GRC317 - AWS re:Inforce 2019