Everything you wanted to know about compliance but were afraid to ask - GRC208 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Everything you wanted to know about
compliance but were afraid to ask
Scott Paddock
Security Solutions Architect
AWS
G R C 2 0 8

What’s on deck?
• What are these compliance things?
• How we go about compliance
• What this work means
• How to get help

“All I want is compliance with
my wishes, after reasonable
discussion.”
―Winston Churchill

Some examples
https://aws.amazon.com/compliance/programs/

Let’s dive in!
Here are some common regulated industries
• Financial: Banks/finance/brokers
• Insurance
• Healthcare
• Government/public sector
• Energy
• Education

A closer look
Financial customers may need
• PCI: Payment Card Industry Data Security Standard (PCI DSS)
• FFIEC: The Federal Financial Institutions Examination Council
• SEC (specifically, SEC Rule 17a-4(f)): A Securities and Exchange Commission
regulation
• FISC (Japan): The Center for Financial Industry Information Systems

A closer look
Healthcare customers care about
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• HITECH: Health Information Technology for Economic and Clinical Health Act
• HITRUST CSF: Health Information Trust Alliance Common Security Framework
• GxP: Good [fill-in-the-blank] Practices
Trivia: Do you know the difference
between these two symbols?

A closer look
Government/public sector customers may ask about
• FedRAMP: Federal Risk and Authorization Management Program
• CJIS: Criminal Justice Information Systems
• FIPS: Federal Information Processing Standards
• NIST: National Institute of Standards and Technology

A closer look
Any customer may ask about
• ISO: International Organization for Standardization
• SOC: Standard Occupational Classification system standards
• CSA: Canadian Standards Association
• GDPR: General Data Protection Regulation
Full list: https://aws.amazon.com/compliance/programs/

Our approach
• Elephant in the room: ALL of these involve the shared responsibility model for
our customers
• We focus on quality over quantity by pursuing security certifications with the
most benefit to our customers
• We minimize the burden of an audit on our service teams and support
functions by scaling evidence collection; we aim to invent and simplify through
automation
• Our new Regions are compliant at launch and obtain the right credentials to
demonstrate compliance
• We earn trust with our customers by proactively raising the bar of our security
control environment; we set the precedent

Compliance assets
There are >50 certifications/regulations/frameworks that we support presently;
many of these have a consumable output
These can be in the form of
Certifications, like ISO or FedRAMP
Attestations, like PCI or HIPAA
We provide these materials to our
customers via a service called AWS
Artifact

Specifically,our approach includes
• Policy: Defines expectations for all kinds of resources
• Processes: Monitor and document alignment to objectives
• Controls: Mitigate risk and enforce policy
• Verification: Internal/external checking of conformity
• Certifications: Attestation of compliance from a trusted source
And we share the output materials from
this work with our customers to help
them in their governance and oversight

But wait, there’s more!
AWS compliance page: https://aws.amazon.com/compliance/
Contains more great stuff
• The Compliance Center and Atlas.aws (What? A top-level domain of *.aws?
Yes!)
• How to leverage AWS Artifact and Amazon GuardDuty for compliance
• Virtual data center tour
• FAQs
• White papers
• Yada, yada, yada…

Outliers
Legal things, like EU’s DPA (not to worry; I’ll explain)
RFI/RFP/proposals and questionnaires

Enablement
Example
Successful addition of one standard (TISAX) saved one
customer $1.2 million and unblocked a $100 million
opportunity/industry

“Having on-premises control makes you [feel] secure and compliant. That’s false. Having
services like AWS make you more secure and more compliant.”
—Bruce Kantor, Senior Director of IT Infrastructure and Security
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and
clinical studies in a secure and compliant environment at a scale not previously
possible.”
—Richard Daly, CEO
“We determined that security in AWS is superior to our on-premises data center across
several dimensions, including patching, encryption, auditing and logging, entitlements,
and compliance.”
—John Brady, CISO

There’s so much more
• Cloud Adoption Framework
• Immersion Days
• Enterprise accelerators
• Automation of compliance efforts
• Partners!
• https://aws.amazon.com/health/healthcare-partners/
• https://aws.amazon.com/financial-services/partner-solutions/risk/

Thank you!
Scott Paddock
spaddock@amazon.com

Everything you wanted to know about compliance but were afraid to ask - GRC208 - AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Everything you wanted to know about compliance but were afraid to ask - GRC208 - AWS re:Inforce 2019

Similar to Everything you wanted to know about compliance but were afraid to ask - GRC208 - AWS re:Inforce 2019 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Everything you wanted to know about compliance but were afraid to ask - GRC208 - AWS re:Inforce 2019