The document discusses Security by Design (SbD), an approach to formalize AWS account design, automate security controls, and streamline auditing to manage compliance in the cloud. SbD aims to build security into every layer from the start instead of relying on retroactive auditing. The presentation outlines how SbD can be used to modernize technology governance through automating deployments, security operations, and continuous compliance monitoring.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Global Financial Services Compliance Strategist, AWS
Jack Koons, Industry Director, Global Security Solutions, Unisys
August 11, 2016
Compliance in the Cloud Using
Security by Design

2. Problem Statement
Increasing complexity (mobility, system connectivity)
causes increasing difficulty in managing risk and security
and demonstrating compliance.

3. Current State‒Technology Governance
Policies
Procedures and
Guidelines
Standards

4. Issues–Technology Governance
The majority of technology governance processes relies
predominantly on administrative and operational security
controls with LIMITED technology enforcement.
Assets
ThreatVulnerability
Risk
AWS has an opportunity to innovate and
advance technology governance services.

5. Flexibility and Complexity
What is the regulatory
requirement?
What's in scope or out
of scope?
How to verify the
standards are met?

6. Security by Design
Security by Design (SbD) is a security
assurance approach that formalizes AWS
account design, automates security controls,
and streamlines auditing.
Instead of relying on auditing security
retroactively, SbD provides built-in security
control throughout the AWS IT management
process.
AWS Identity &
Access Management
AWS CloudTrail
Amazon
CloudWatch
AWS Config rules
AWS Trusted
Advisor
AWS CloudHSMAWS KMS
AWS Directory
Service

7. Security by Design‒Design Principles
• Build security in every layer
• Design for failures
• Implement auto healing
• Think parallel
• Plan for breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as code
− Modular
− Versioned
− Constrained
Developing new risk mitigation capabilities, which go beyond global security
frameworks, by treating risks, eliminating manual processes, and optimizing
evidence and audit ratifications processes through rigid automation

8. SbD‒Eco-system
Security by Design (SbD)
AWS CloudFormation
AWS Config rules
Amazon Inspector

9. SbD‒Modernize Tech Governance (MTG)
Why?
Complexity is growing, making the old way to
govern technology obsolete
You need automation AWS offers to manage
security

10. Goal‒Modernize Tech Governance (MTG)
Adopting “prevent” controls, making
“detect” controls more powerful and
comprehensive

11. SbD‒Modernizing Technology Governance (MTG)
1.2 Identify Workloads Moving to AWS
2.1 Rationalize
Security Requirements
2.2 Define Data
Protections and Controls
2.3 Document
Security Architecture
3.1 Build/deploy
Security Architecture
1. Decide what
to do (Strategy)
2. Analyze and
Document
(outside of AWS)
1.1 Identify Stakeholders
3. Automate,
Deploy & Monitor
3.2 Automate
Security Operations
4. Certify
3.3 Continuous
Monitor
4.1 Audit and Certification
3.4 Testing and
Game Days

12. SbD–Rationalize Security Requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security
configuration guides which align to multiple security frameworks globally.
https://www.cisecurity.org/
The Benchmarks are:
• Recommended technical control
rules/values for hardening operating
systems, middleware, and software
applications, and network devices
• Distributed free of charge by CIS in .pdf
format
• Used by thousands of enterprises as the
basis for security configuration policies and
the de facto standard for IT configuration
best practices

13. SbD–AWS CIS Benchmark Scope
Foundational Benchmark
CloudTrail
Config & Config
rules
KMS
IAM CloudWatch
Amazon S3
Amazon SNS
Three-tier Web Architecture
Amazon
EC2
Elastic Load
Balancing
Amazon
VPC
AWS Direct
Connect
Amazon
Elastic Block
Store
CloudHSM Amazon Glacier Amazon
Route 53
VPN
Gateway
Amazon
CloudFront

14. Define Data Protections and Controls

15. Document Security Architecture
https://getcompliant.allgress.com

16. Unisys Stealth(cloud) for Amazon Web
Services (AWS)
Advanced Security for Advanced Threats
Jack Koons, Industry Director, Global Security Solutions
Contact: Jack.Koons@Unisys.Com

17. Why Unisys Stealth(cloud) for AWS?
Enhanced Security
Micro-segment your AWS
deployment using cryptography
Ease of use
Intuitive interface to
define and modify
access control
Enhanced Control
Access control based on roles,
rather than IP addresses and
ports

18. With Unisys Stealth(cloud) for AWS, you can…
App servers
Web servers
Databases
Recruitment app
PCI app
…do all this, without losing access to common AWS services.
Route 53
S3 storage

19. A large US state government
uses Stealth to securely
segment state agencies in the
same datacenter
A US government agency
uses Stealth for secure
telecommuting
Large science company is
implementing Stealth to protect
its process control
environment and safeguard its
IP
A healthcare organization is
using Stealth to verify secure
transmission of data between
multiple hospitals
Industry leader in graphical
processors secures remote
access to virtual desktops,
and segments the internal
network with COI to secure
to sensitive data
Brazil service provider to
public sector social services
uses Stealth to securely
transmit copies of disk images
between multiple sites
PCI DSS compliance for
point-of-sale environment;
conventional approach of
buying new switches and
firewalls was too expensive
Unisys uses Stealth to secure
and protect our high-value
application and database
servers, for secure remote
telecommuting and
regional isolation
Stealth Clients with “Zero Tolerance” for
Breaches

20. Unisys Security Portfolio: Addressing the
Needs of Your Evolving Security Landscape
PHYSICAL
SECURITY
LOGICAL
SECURITY

21. © 2016 Unisys Corporation. All rights reserved.
Thank You!
To know more, visit us at www.unisys.com/stealth
Jack Koons, Industry Director, Global Security Solutions
Contact: Jack.Koons@Unisys.Com

22. SbD–Automate Security Operations
Automate deployments, provisioning, and configurations of
the AWS customer environments
CloudFormation AWS Service
Catalog
Stack
Template
Instances AppsResources
Stack
Stack
Design Package
Products Portfolios
DeployConstrain
IAM
Set Permissions

23. CloudTrail
Amazon
EMR
Amazon
Kinesis
Amazon
VPC
ELB S3 AWS
Lambda
ConfigCloudWatch
AWS IoT
Other
Services
Add-on for AWS
Splunk App for AWS
Explore Analyze Dashboard Alert
Use Cases for AWS:
Security Intelligence (CloudTrail, CloudWatch,
Amazon VPC)
Operational Intelligence (CloudWatch, ELB, etc.)
DevOps Intelligence (CloudWatch, Lambda)
Big Data Insights (Amazon Kinesis, EMR, AWS IoT, S3)
Continuous Monitor–Splunk

24. CloudTrail
Resource Activity
Splunk App for AWS–Visualize & Monitor
CloudTrail User
Activity

25. SbD‒Modernizing Technology Governance (MTG)
Automate
Governance
Automate
Deployments
Automate Security
Operations
Continuous
Compliance

26. Closing the Loop
SbD‒Modernizing Technology Governance
Result: Reliable technical implementation and enforcement
of operational and administrative controls

27. AWS Resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper–to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/

28. Remember to complete
your evaluations!