This document discusses governance, risk, and compliance considerations for using AWS cloud services. It outlines AWS assurance programs that provide regular third-party security evaluations. It also describes the shared responsibility model where AWS is responsible for security of the cloud and customers are responsible for security in the cloud. The document provides examples of how AWS services like CloudTrail, Config, and Key Management Service provide visibility, auditability, and control to help customers meet their security and compliance needs.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Karim Hopper, Solution Architecture APAC
27 May 2015
Governance, Risk and Compliance
Considerations for the Cloud
Hong Kong

2. Demonstrating Compliance

3. AWS Assurance Programs
Consistent, regular and exhaustive 3rd party evaluations

4. Customers control how they manage their own risks
AWS Managed and Audited Controls
SOC 1
AWS
SOC 2 PCI-DSS NIST 800-53 ISO 270001
Virtual Private
Cloud
Key
Management
Logging
AWS Provided, Customer Configured and Managed Controls
Other AWS features and services
Classification
Security Policy
Customer Provided and Managed Controls
Encryption
Governance
ITDaM
ITSM
Monitoring
Operations
Malware
Risk
Management
Customers
Customer Risk Appetite and Desired Control Environment
Business Risks Sourcing Risks
Technology
Risks
Security Risks Compliance

5. Compliance Programs
Reports and letters of attestation are available for a number of certifications
SOC 1 (Type 2) Controls safeguarding customer data; auditor validated over a 6 month period.
Evaluates control design, and evidence of controls working (Formerly SAS 70)
SOC 2 (Type 2) Provides additional transparency into AWS security and availability, including BCP
ISO 27001 Widely adopted global security standard for ISMS. Evaluates management of
information security risks that affect confidentiality, integrity and availability of
company and customer information
PCI DSS Level 3.0 Customers can run PCI compliant technology infrastructure for storing,
processing and transmitting credit card information to the cloud

6. Security Shared Responsibility Model
AWS is responsible
for the security OF
the cloud
AWS Foundation Services
AWS Global
Infrastructure
Regions
AWS
Availability Zones Edge Locations
Hypervisor Compute Storage Network

7. Customer applications and content
Security Shared Responsibility Model
AWS Foundation Services
Hypervisor Compute Storage Network
AWS Global
Infrastructure
Regions
AWS is responsible
for the security OF
the cloud
Platform, Applications, Identity and Access Management
Operating System, Network and Firewall Configuration
Client-side data
encryption
Server-side data
encryption
Network Traffic
Protection
The customer is
responsible for
configuring security
IN the cloud
CustomersAWS
Availability Zones Edge Locations

8. Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t
move unless you choose to move it

9. AWS Employee Access
Staff vetting and enforcement of the principle of least privilege
• No logical access to customer instances
• Control-plane access limited and monitored
Bastion hosts, least privileged model, zoned data center access
• Access based on strict business needs
• Separate privileged account management systems

10. For more on compliance…
http://aws.amazon.com/compliance
•Whitepapers
•Work books
•Reference Architectures
•Security and privacy resources

11. Security is our #1 priority

12. “Based on our experience, I believe that we can be even more
secure in the AWS cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
Nearly 60% of organizations agreed that CSPs [cloud service
providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey
doc #242836, September 2013

13. AWS Security in Context
VISIBILITY
AUDITABILITY
CONTROL
AGILITY
Customer get more…
Through our…

14. Visibility

15. Visibility
Customers can see their entire infrastructure at a click of a mouse
Using AWS CloudTrail customers can continuously record activities happening on the AWS platform

16. Use cases enabled by AWS CloudTrail
Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to
detect user behavior patterns
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon
VPC security groups and Amazon EBS volumes
Troubleshoot Operational Issues
Identify the most recent actions made to resources in your AWS account
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards

17. Visibility
AWS Trusted Advisor
Recommends security best practices (identifies potential security issues)

18. Auditability

19. Auditability
The AWS Config Service lets customers audit the historical configuration of resources and
send notifications when those resources change
Use Cases
Security Analysis Am I safe?
Audit Compliance Where is the evidence?
Change Management What will this change affect?
Troubleshooting What has changed?

20. Auditability
AWS Config Service
Review the historical configuration of resources and send notifications when those resources change

21. Control

22. Control
AWS offers several flexible encryption options
KMI
Encryption Method
Key Storage
Key Management
KMI
Encryption Method
Key Storage
Key Management
KMI
Encryption Method
Key Storage
Key Management
Customer
Managed
AWS
Managed
AWS manages the method,
storage and KMI
AWS Key Management Service
AWS provides key storage
Customer manages encryption
method & management layer of
KMI
AWS CloudHSM
Customer controls everything
E.g. KMI / keys stored on-
premise and client side
encryption used
A B C

23. Control
AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use your
encryption keys
• Integrated with AWS SDKs and AWS services including storage, compute and
database / data warehouse
• CloudTrail support
AWS CloudHSM
• Dedicated Safenet Luna-based solution (FIPS 2 compliant)

24. Control
Data Destruction
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22

25. Control – Customers choose what they need
AWS
CloudHSM
Defense in depth
Application log file capture
Isolated, private networking environments
Fine grained access controls
Segregation of duties
Multi-factor authentication, identity federation
Single tenant / dedicated servers
Direct connections
HSM-based key storage
Multiple tiers of firewalls
AWS IAM
Amazon VPC
AWS Direct
Connect
AWS delivers more control and granularity

26. Agility

27. New Security
Features year to date
RDS Encryption using KMS
Oracle TDE with
CloudHSM
S3 Endpoints in VPC
IAM Managed Policies
Glacier Vault Access
Policies
…

28. Chief Info.
Security
Officer
(CISO)
Operations
Engineering
Application Security
Compliance
CEO
Amazon.com
AWS Security Organization
Amazon’s Culture
•Everyone’s an owner
•Decentralize – security engineers are
embedded in service teams
•Executive accountability
•Metrics driven – measuring constantly
•Five Why’s to establish the cause of error
•Test Constantly
•Understand normal and then identify
anomalies

29. Thank you
aws.amazon.com/compliance
aws.amazon.com/security
http://www.linkedin.com/in/karimhopper