GDPR
TOP 10 AWS CLOUD
SECURITY & COMPLIANCE
BEST PRACTICES
Meet Our Speakers
• Faisal Jawaid
Dir of Product Management
Security & Compliance
• Ahmed Khan
AWS Partner Manager – Strategic Sales
What will we learn today?
• Overview of GDPR
• How to inventory GDPR PII in your AWS & other databases?
• Article 5 Six Principles of GDPR Data Accountability
• Article 32 Security of Processing
• Article 25 Data Privacy by Design and by Default
• Article 28 Third Party Compliance
• Article 44 International Transfers
• TOP 10 AWS BEST PRACTICES for GDPR – Technical Controls
• Cloudnosys Security & Compliance Platform
• Q & A
Overview of GDPR
1. One law for privacy across 28 countries - EU 679/2017 (GDPR)
2. GDPR applies from 25 May 2018
3. Accountability: detailed data rights and restrictions (see the Articles for details) apply to data processors and controllers both!
4. The new GDPR framework is complex yet detailed
5. Data scope: beyond DOB, NI#, biometrics and geolocation, it also covers user inference data (identifiers)
6. Breach notification – 72 hours
7. The regulation establishes a single point of enforcement: a business organization will only have to deal with one data protection authority.
8. Privacy by design – demonstrate testable controls and information governance.
9. Must have specified, explicit and legitimate purposes to collect and process data (Article 5)
10. The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
What is personal data of a Natural Person?
Essentially any information relating to an individual who could be identified based on one or more identifiers. GDPR covers online identifiers and combinations of online and unique identifiers.
● Article 4 (1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
● Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
First Inventory your PII data on AWS – How?
● Leverage the AWS Macie service to identify PII and classify your datasets in S3.
● For other databases, like Mongo, MS SQL, Oracle, RDS etc., use Dataguise, Datasunrise, Imperva and also free open source DB scanning tools on GitHub.
Obvious examples of personal data include:
• Full name
• Home address
• Email address (work email addresses are classed as personal data)
• Telephone number
• NI number (National Identity)
• Date of birth
• Driver’s license number
• Vehicle license plate
• Credit card number
• Geo locations
• IP Addresses
• Cookies
• RFID
• Race, ethnic origin, gender (Article 7-9 Consent)
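As an added example (not from the deck and not Cloudnosys code), here is the core of the kind of PII inventory pass the "free open source DB scanning tools" perform: regex detectors for several of the categories listed above run over constructed sample records, with card-number candidates validated by the Luhn checksum so that a lookalike digit run is not reported. The records, field names and patterns are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample records standing in for rows exported from a database or
# objects pulled from an S3 bucket; none of this is real customer data.
SAMPLE_RECORDS = [
    {"id": 1, "note": "Contact j.doe@example.com from 203.0.113.7, card 4111 1111 1111 1111"},
    {"id": 2, "note": "Order shipped; tracking 9876543210"},
    {"id": 3, "note": "Born 1984-07-12, phone +44 20 7946 0958"},
    {"id": 4, "note": "Invalid card 4111 1111 1111 1112 typed by user"},
]

# Detectors for some of the personal-data categories the deck lists. The regexes
# only produce candidates; the card detector additionally requires a valid Luhn checksum.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){8,12}\b"),
}


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the set of PII categories found in one free-text field."""
    found = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "card":
                digits = re.sub(r"\D", "", m.group(0))
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # digit run that is not a plausible card number
            found.add(label)
    return found


def inventory(records):
    """Map record id -> sorted PII categories, plus a tally of categories across the dataset."""
    per_record = {r["id"]: sorted(classify_text(r["note"])) for r in records}
    tally = Counter(c for cats in per_record.values() for c in cats)
    return per_record, tally
```

Running `inventory(SAMPLE_RECORDS)` tags record 1 with card, email and ipv4, record 3 with dob and phone, and leaves records 2 and 4 untagged (the second card fails the checksum).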
Article 5 – Six principles of data accountability
The purpose of GDPR is to improve the way personal data is stored and used. It is founded on six principles of data accountability (Article 5), specifically that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Kept in a form which permits identification of Data Subjects for no longer than is necessary
6. Processed in a way that ensures appropriate security of the personal data
The Data Controller is responsible for, and must be able to demonstrate, compliance with these principles.
Personal data must also be secured against accidental loss, damage or destruction (Article 5).
Article 32 – Security of Processing
“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
What does this mean?
Implement a risk assessment process – update the risk register – perform a Privacy Impact Assessment (PIA), Article 35 – covering the risk of data loss, breach etc.
Article 25 – Data Privacy by Design and by Default
Article 25 of the GDPR codifies both the concepts of privacy by design and privacy by default. Under this Article a data controller is required to implement appropriate technical and organisational measures both at the time of determination of the means for processing and at the time of the processing itself in order to ensure data protection principles such as data minimisation are met. Any such privacy by design measures may include, for example, pseudonymisation or other privacy-enhancing technologies.
What does this mean?
- The user does not have to ask you to secure their data (by default)
- You must implement encryption, configuration management, and IAM controls for the cloud
- (Technical) AWS Security & Compliance Controls
Article 28 – Third Party Compliance
What does it mean for cloud providers?
Legal:
● Standard Contractual Clauses for Controller to Processor - Transfers of Personal Data (sample legal doc @ iapp.org)
● AWS is providing a GDPR BAA agreement now, please review.
Technical:
● Request CIS GDPR-specific AWS Cloud scan results every month/quarter, based on volume, from your third parties that are on AWS. Have that in your contract!
Article 44 – International Transfers
Article 44 of the GDPR prohibits the transfer of personal data beyond the EU/EEA, unless the recipient country can prove it provides adequate data protection. Descriptions of acceptable proof are detailed in Articles 45 – 49.
● Whitelisted Jurisdictions: The European Commission can make a finding that a non-EU/EEA jurisdiction enforces data protection laws that are essentially equivalent to the GDPR. Currently, the following jurisdictions enjoy an Adequacy Decision: Andorra, Argentina, Canada (some provinces), Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
● Privacy Shield Framework: The Framework, approved on July 16, 2016, allows U.S. organizations to self-certify to the U.S. Department of Commerce and then publicly commit to comply with the Framework’s data protection requirements. The public commitment is enforceable under U.S. law.
Summary: A quick checklist for your Cloud
Legal Responsibility and Obligations
Review the AWS BAA for GDPR. AWS is also working on improving its infrastructure services to be more GDPR compliant by May 2018. Review the Privacy Shield Framework – self-certify.
Organizational Responsibilities
Assign a Data Protection Officer who will govern and benchmark the program.
Technical Responsibility and Obligations
Inventory data, and implement strong controls to maintain data privacy. Pay attention to DLP, encryption, and CIS/PCI/HIPAA-equivalent controls around AWS configuration monitoring, as well as audit trail management. Implement cloud compliance automation to manage these controls and continually monitor in near real time.
CIS Controls
• The Center for Internet Security is a non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.
• CIS AWS Benchmarks – 44 AWS Controls
• CIS - OS hardening & AWS Configurations
• https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
© 2018 - Cloudnosys | Security, Compliance, Cost.
1. Unauthorized API calls
2. Management Console sign-in without MFA
3. Usage of “root” account
4. IAM policy changes
5. CloudTrail configuration changes
6. AWS Management Console authentication failures
7. Disabling or deletion of customer created CMKs
8. S3 bucket policy changes
9. AWS Config configuration changes
10. Security group changes
11. Changes to Network Access Control Lists (NACL)
12. Changes to network gateways
13. Route table changes
14. VPC changes
15. Ensure security contact information is registered
16. Ensure appropriate subscribers to each SNS topic
Cost of Breach – Security & Compliance
© 2017 - Cloudnosys | Security, Compliance, Cost.
$6.53M – average cost of a data breach
56% – increase in theft of hard intellectual property
70% – of consumers indicated they’d avoid businesses following a security breach
95% of all Cloud Breaches will be due to misconfigurations*
Sources: https://www.csid.com/resources/stats/data/breaches/
http://www.pwc.com/gx/en/issues/cyber-Security/information-security-security-survey.html
* By Gartner – Viveca Woods, “Top Predictions for IT Organizations for 2016”
AWS Misconfigurations = GDPR Breach!
AWS Service @ Fault | Breach Details
S3 – Public, IAM | 4 million exposed. SQL database dumps, code, access logs, customer billing addresses and phone numbers by BroadSoft. (TPRM)
IAM, SG, MFA | Administrative consoles of AWS were not password protected, for Aviva and Gemalto, leading hackers to mine Bitcoin on their EC2 instances.
S3 – Public, IAM | Viacom AWS misconfiguration exposes entire IT infrastructure, including passwords, access and secret keys for their corporate AWS account.
S3, MFA, IAM | Dow Jones AWS misconfigurations left sensitive customer financial data exposed.
S3 – Public, IAM | Accenture AWS misconfiguration exposes 40,000 plaintext passwords. Verizon AWS exposed via third party (TPRM).
Missing Link in AWS GDPR Cloud Security
● Cannot humanly scan thousands of configurations
● Need automation & new tooling
● Implement a Third Party Risk Management program for the cloud that includes contract language for the 44 CIS Controls.
AWS Shared Security Model
GDPR Top 10 AWS Best Practices for
Security and Compliance
• Faisal Jawaid
Dir of Product Management
Security & Compliance
#1 Use IAM and not the “Root Account”
An API key is a credential passed by a computer program calling an application programming interface (API) to identify the calling program, its developer, or its user to the web site.
• The “Root” account has access to everything! It is not restricted.
• For administrative tasks, create users with admin rights using IAM.
• Update the billing and contact information that would be required to recover the account.
1 in 3 customers have root API access keys enabled!
#2 Review permissions, use strong passwords
AWS Identity and Access Management (IAM) enables you
to securely control access to AWS services and resources
for your users. Using IAM, you can create and manage AWS
users and groups, and use permissions to allow and deny
their access to AWS resources.
• Review IAM policies on Users, Groups and Roles.
Does your user really need access to all of these services?
• Do your Third Party Applications need all of these
permissions?
• How many people have unrestricted access?
• Use the IAM policy generator and policy simulator for assistance.
#3 Enable Multi Factor Authentication
MFA is an extra layer of security that requires not only a password and username but also something that only that user has on them.
• MFA is available to all IAM users, including the root account.
• MFA options are token based and text message (SMS) based.
• Token based options include hardware devices and virtual software options, such as Google Authenticator, etc.
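The checks behind #1, #2 and #3 can be run offline against the IAM credential report. The following is an added example, not code from the deck or from Cloudnosys: the CSV uses the real column names of `aws iam get-credential-report`, but the rows, the account id and the fixed clock are constructed, and the 90-day rotation limit is the CIS benchmark's value.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (only the columns used below; DictReader ignores any others).
# Account id, user names and timestamps are placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2017-11-02T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2018-03-20T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2017-06-01T00:00:00+00:00,false,N/A
"""

NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible
MAX_KEY_AGE = timedelta(days=90)                   # CIS AWS Foundations: rotate access keys every 90 days


def key_age(last_rotated):
    """Age of an access key from its last_rotated column; None when the report has no date."""
    if last_rotated in ("N/A", "no_information", ""):
        return None
    return NOW - datetime.fromisoformat(last_rotated)


def audit_credential_report(report_csv):
    """Return (user, finding) tuples for root key usage, stale keys and passwords without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # #1: programmatic access should come from IAM identities, never root
                findings.append((user, f"root access key {n} is active"))
            age = key_age(row[f"access_key_{n}_last_rotated"])
            if age is not None and age > MAX_KEY_AGE:
                findings.append((user, f"access key {n} not rotated for {age.days} days"))
        # #3: a console password must be paired with MFA. Root's password_enabled column is
        # reported as "not_supported", so root's MFA state is checked separately.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))
    return findings
```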
#4 Don’t leave the front door open
A Security Group acts as a virtual firewall for your instance
to control inbound and outbound traffic. Each instance in
a subnet in your VPC could be assigned to a different set
of security groups.
• Open VPCs affect:
Amazon Elastic Load Balancing
Amazon RDS
Amazon ElastiCache
Amazon RedShift
• Monitor Security Groups regularly
• AWS WAF is a web application firewall that helps protect your web
applications from common web exploits that could affect application
availability, compromise security, or consume excessive resources.
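An added example of the "monitor Security Groups regularly" step (my code, not the deck's or Cloudnosys's): it walks security groups in the shape returned by `aws ec2 describe-security-groups` and reports every admin or data-service port reachable from 0.0.0.0/0 or ::/0. The group data is constructed, and the port-to-service table is my own assumption covering the services listed above.

```python
# Constructed describe-security-groups output; group ids and CIDRs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

# Ports whose world-wide exposure the slide warns about: remote administration plus the
# managed data services (RDS engines, Redshift, ElastiCache). Assumed mapping.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL/RDS", 3306: "MySQL/RDS", 5432: "PostgreSQL/RDS",
    5439: "Redshift", 6379: "Redis/ElastiCache", 11211: "Memcached/ElastiCache",
}
WORLD = {"0.0.0.0/0", "::/0"}


def rule_sources(rule):
    """All IPv4 and IPv6 CIDRs a single ingress rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def exposed_ports(rule):
    """Sensitive ports covered by one rule; IpProtocol "-1" means all traffic, so all of them."""
    if rule["IpProtocol"] == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def find_open_doors(groups):
    """Return (GroupId, port, service, cidr) for every sensitive port open to the whole internet."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            world_sources = [c for c in rule_sources(rule) if c in WORLD]
            if not world_sources:
                continue
            for port in exposed_ports(rule):
                for cidr in world_sources:
                    findings.append((g["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return findings
```

The public HTTPS rule on `sg-0aaa` is not reported, the world-open SSH and Redshift rules are, and the allow-all rule on `sg-0ccc` produces one finding per sensitive port.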
#5 Build a secure Amazon Machine Image (AMI)
An Amazon Machine Image (AMI) provides the information
required to launch an instance, which is a virtual server in the
Amazon Elastic Compute Cloud (EC2).
These instances are entirely customer managed, so their security falls onto the customer.
• Disable password-only access to hosts. Use SSH keys.
• Disable remote “root” account logins. Do we want to allow root access?
• Ensure only required applications and services are enabled.
30% of customers OS-harden their AMIs.
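As an added example for the two SSH hardening bullets (not from the deck), here is a check that can be run against an AMI's `sshd_config` during image build. It applies sshd's own parsing rules (the first occurrence of a keyword wins, and the global section ends at the first `Match` line) and also flags challenge-response authentication, which can let passwords through via PAM even when `PasswordAuthentication` is off. The sample config is constructed, and the defaults assumed for unset directives are those of OpenSSH 7.x.

```python
# Constructed sshd_config as it might be baked into a base AMI; values chosen to exercise the checks.
SAMPLE_SSHD_CONFIG = """
# Base AMI SSH settings
Port 22
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes    # ignored by sshd: the first occurrence above wins
Match User backup
    PasswordAuthentication yes
"""

# Assumed OpenSSH 7.x defaults for directives the file does not set.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_global_sshd(text):
    """Effective global directives (lower-cased keys and values) using sshd's precedence rules."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                             # everything after the first Match is conditional
        if key not in seen:                   # first occurrence wins
            seen.add(key)
            effective[key] = value
    return effective


def audit_sshd(text):
    """Findings for the hardening items in best practice #5."""
    cfg = parse_global_sshd(text)
    findings = []
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("remote root login permitted (PermitRootLogin %s)" % cfg["permitrootlogin"])
    if cfg["passwordauthentication"] == "yes":
        findings.append("password authentication enabled")
    if cfg["challengeresponseauthentication"] == "yes":
        findings.append("challenge-response auth enabled; passwords may still be accepted via PAM")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    return findings
```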
#6 Encrypt your Data at Rest and in Transit.
Cryptographic best practices discourage extensive reuse of encryption keys.
Both SSL 2.0 and 3.0 have been deprecated by the IETF (in 2011 and 2015, respectively).
• TLS 1.3 is the latest version of TLS; what version are you on?
• Use the Key Management Service to encrypt your data on AWS.
• Enable automatic key rotation for an existing Customer Master Key (CMK).
#7 Monitor Unauthorized Access
AWS CloudTrail is a service that enables governance,
compliance, operational auditing, and risk auditing of your AWS
account.
The CloudWatch Alarms feature allows you to watch
CloudWatch metrics and to receive notifications.
• CloudTrail is designed to record API activity.
• CloudWatch can send notifications based on
configuration.
• Simple Notification Service can be used in conjunction to
receive alerts.
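The CloudTrail-to-CloudWatch-alarm pipeline described here is what the numbered CIS monitoring controls listed earlier in the deck are built on. As an added example (not from the deck or Cloudnosys), the following evaluates five of those controls, numbered as in that list, over constructed CloudTrail records delivered as JSON lines; the CloudWatch metric-filter equivalent of the first is quoted in a comment. Account ids and user names are placeholders.

```python
import json

# Constructed CloudTrail records, one JSON object per line as delivered to CloudWatch Logs.
SAMPLE_EVENTS = """\
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"}}
{"eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"Client.UnauthorizedOperation"}
{"eventName":"ListBuckets","eventType":"AwsApiCall","userIdentity":{"type":"Root"}}
{"eventName":"StopLogging","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"deploy-bot"}}
{"eventName":"PutBucketPolicy","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/ops"}}
{"eventName":"GetObject","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"alice"}}
"""

CLOUDTRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
S3_POLICY_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
                     "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
                     "DeleteBucketLifecycle", "DeleteBucketReplication"}


def unauthorized_api_call(e):
    # CloudWatch filter: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(e):
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(e):
    # Root activity performed on the account's behalf by a service is excluded, as in the CIS filter.
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


DETECTIONS = [
    ("1 unauthorized API call", unauthorized_api_call),
    ("2 console sign-in without MFA", console_login_without_mfa),
    ("3 root account usage", root_account_usage),
    ("5 CloudTrail configuration change", lambda e: e.get("eventName") in CLOUDTRAIL_CHANGES),
    ("8 S3 bucket policy change", lambda e: e.get("eventName") in S3_POLICY_CHANGES),
]


def actor(e):
    """Best available identity string for the alert."""
    ident = e.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def run_detections(jsonl):
    """Return (control, eventName, actor) for every record that trips one of the controls."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, predicate in DETECTIONS:
            if predicate(event):
                alerts.append((name, event["eventName"], actor(event)))
    return alerts
```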
#8 Use the Security Token Service for Vendors
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
• Can be used in place of privileged IAM user access keys
• Temporary credentials
• Allows third parties such as Cloudnosys to access your AWS accounts more securely (TPRM!)
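Giving a vendor STS access means a cross-account role whose trust policy decides who may assume it. As an added example (mine, not the deck's or Cloudnosys's), a weak trust policy is shown beside a hardened one that pins the principal to the vendor's account and requires an `sts:ExternalId` condition (the standard defence against the confused-deputy problem), together with a reviewer that flags the two weaknesses. Account ids and the external id are placeholders.

```python
import json

# Constructed trust policies for a role a scanning vendor would assume. Placeholder account ids.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999988887777:root"},   # the vendor's account only
        "Action": "sts:AssumeRole",
        # The vendor must present this value on AssumeRole; it stops a third party who can
        # persuade the vendor to assume roles from pointing the vendor at your role.
        "Condition": {"StringEquals": {"sts:ExternalId": "vendor-supplied-unguessable-id"}},
    }],
})


def _as_list(v):
    """IAM allows a scalar or a list in most positions; normalise to a list."""
    return v if isinstance(v, list) else [v]


def review_trust_policy(policy_json):
    """Return (statement index, finding) for each Allow statement that grants AssumeRole unsafely."""
    findings = []
    policy = json.loads(policy_json)
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append((i, "principal is '*': any AWS account can assume this role"))
        conditions = st.get("Condition", {})
        has_external_id = any(k.lower() == "sts:externalid"
                              for op in conditions.values() for k in op)
        if not has_external_id:
            findings.append((i, "no sts:ExternalId condition: exposed to the confused-deputy problem"))
    return findings
```

Pair the trust policy with a permission policy scoped to what the vendor actually needs; the reviewer here only covers who may assume the role.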
#9 Secure your S3 buckets
Amazon S3 is object storage built to store and retrieve any amount of data
from anywhere – web sites and mobile apps, corporate applications, and
data from IoT sensors or devices.
• Check your bucket Access Control Lists regularly.
• Watch for all grantees, including Authenticated Users.
• Leaked API keys are usually what is used to open S3 buckets.
• Amazon Macie is available to protect data stored in Amazon S3: it recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.
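The ACL review in the first two bullets, as an added example that is not part of the deck: it inspects bucket ACL grants in the shape returned by `aws s3api get-bucket-acl`, treating the `AuthenticatedUsers` group as public (it means any AWS account, not "your users"), and also flags bucket policy statements that allow `Principal: "*"` without a condition. Bucket names, grants and policies are constructed.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed get-bucket-acl grants and get-bucket-policy documents for three placeholder buckets.
SAMPLE_BUCKETS = {
    "corp-backups": {
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ],
        "Policy": None,
    },
    "www-assets": {
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
        "Policy": json.dumps({"Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www-assets/*"}]}),
    },
    "billing-exports": {
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
        "Policy": json.dumps({"Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/Finance"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::billing-exports/*"}]}),
    },
}


def acl_findings(grants):
    """Grants to the two predefined groups: AllUsers is anonymous, AuthenticatedUsers is any AWS account."""
    out = []
    for g in grants:
        uri = g["Grantee"].get("URI")
        if uri == ALL_USERS:
            out.append("ACL grants %s to everyone (AllUsers)" % g["Permission"])
        elif uri == AUTHENTICATED_USERS:
            out.append("ACL grants %s to any AWS account (AuthenticatedUsers)" % g["Permission"])
    return out


def policy_findings(policy_json):
    """Allow statements with a wildcard principal and no Condition make the bucket public."""
    if not policy_json:
        return []
    out = []
    statements = json.loads(policy_json)["Statement"]
    for st in (statements if isinstance(statements, list) else [statements]):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            out.append("bucket policy allows %s to Principal '*' without conditions" % ", ".join(actions))
    return out


def audit_buckets(buckets):
    """Map bucket name -> list of public-exposure findings (empty list when none)."""
    return {name: acl_findings(b["Grants"]) + policy_findings(b["Policy"]) for name, b in buckets.items()}
```

A world-readable `www-assets` may be intentional for a static site; the point of the check is that every such exposure is known and reviewed rather than discovered by someone else.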
#10 Conduct a Vulnerability Assessment
The main objective of a vulnerability assessment is to find as many vulnerabilities as possible that an attacker could use to cause damage to an organization.
• Vulnerability assessments can be run against your assets
in the cloud.
• There are many tools, services and a combination of both
available.
• Customers can fine tune their existing security controls,
after the assessment.
What Next?
• Knowing the Top 10, the CIS 44, or 150 controls is not enough
• Writing SOPs and policies is not enough
• Automation is the new “cloud norm” which drives enforcement and accountability.
Introducing…
CLOUDNOSYS
AWS SECURITY & COMPLIANCE
PLATFORM
Cloudnosys Security and Compliance Platform
CloudEye continuously secures your cloud services and automates compliance. Over 150 Cloudnosys best practice rules track and monitor your AWS services for security and compliance violations. Dashboards and reports keep you fully informed of any risks. – Agentless!
• Continuous Security & Compliance Scanning
• Alert on Vulnerabilities
• Audit Reports on Security and Compliance
• Fast Remediation
• Supports GDPR, PCI-DSS, HIPAA, AWS CIS Benchmark and FISMA mandates
We mapped the regulatory controls and associated testing for you
CloudEye continuously scans your cloud services and automates compliance.
1- Helps you fully demonstrate compliance to your auditors
2- Reduces effort from months to a few minutes
3- Be up and running in 5 minutes
AWS Control Workbooks for Compliance
Your compliance reports ready in minutes
Security and Compliance dashboards show alerts, violations and how to remediate them quickly to mitigate risks. This is generated on the fly after scanning all Cloud Services and Availability Zones.
Dashboards: Compliance and Security
Reporting: Compliance and Security
Security and Compliance reports show alerts, violations and how to remediate them quickly to avoid cyber attacks. This is generated on the fly after scanning all Cloud Services.
How It Works
An AWS native cloud solution that automates key cloud security processes and enables consistent
enforcement of security policies, best practices and compliance requirements across an
organization’s AWS cloud infrastructure.
Sample Cost Savings Report
Cost savings reports are calculated in seconds after the user sets schedules to turn off some machines.
Summary: What we learned today?
• Cloud Security for GDPR is a shared responsibility.
• Automation is key to maintaining the best GDPR compliance posture
• Third Party Risk Management – AWS CIS 44 rule enforcement
• Make DevOps accountable for security through automation – CI/CD
• Measure your progress through KPIs via automation
• Learn and enforce the AWS CIS-44 controls for starters
• Create a baseline by benchmarking AWS through the Cloudnosys Platform
Q & A - ANY QUESTIONS?
Type in your questions in chat box now…
Try Cloudnosys
For 14 Days Free
Start monitoring,
optimizing and securing
your AWS.
No Limits evaluation.
info@Cloudnosys.com

GDPR - Top 10 AWS Security and Compliance Best Practices

  • 1.
    GDPR TOP 10 AWSCLOUD SECURITY & COMPLIANCE BEST PRACTICES
  • 2.
    • Faisal Jawaid Dirof Product Management Security & Compliance • Ahmed Khan AWS Partner Manager – Strategic Sales Meet Our Speakers
  • 3.
    What we willlearn today? • Overview of GDPR • How to inventory GDPR PII in your AWS & other databases? • Article 5 Six Principals of GDPR Data Accountability • Article 32 Security of Processing • Article 25 Data Privacy by Design and by Default • Article 28 Third Party Compliance • Article 44 International Transfers • TOP 10 AWS BEST PRACTICES for GDPR – Technical Controls • Cloudnosys Security & Compliance Platform • Q & A
  • 4.
    GDPR Overview of GDPR 1.One Law for privacy across 28 countries - EU 679/2017 (GDPR) 2. GDPR will implement from 25 May 2018 3. Accountability detailed data rights and restrictions on (See Articles for details) – Data processors and Controllers both! 4. New GDPR framework is complex yet detailed 5. Data Scope: Beyond DOB, NI#, Biometric, Geo Locations, -- User Inferencing data (Identifiers) 6. Breach Notification – 72 Hours 7. The regulation establishes for enforcement: Business Organization will only have to deal with one single data protection authority. 8. Privacy by Design – Demonstrate testable controls, Information Governance. 9. Must have specified, explicit and legitimate purposes to collect and process data (Article 5) 10. The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
  • 5.
    Essentially any informationrelating to an individual who could be identified based on one or more identifiers. GDPR online identifiers and combination of online and unique identifiers ●Article 4 (1), “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” ●Recital – 30 Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. What is personal data of a Natural Person?
  • 6.
    ●Leverage AWS Macie Serviceto identify PII and classify your datasets in S3 ●For other databases, like Mongo, MS SQL, Oracle, RDS etc. Use Dataguise, Datasunrise, Imperva and also free open source DB Scanning tools on GitHub. Obvious examples of personal data include: • Full name • Home address • Email address (work email addresses are classed as personal data) • Telephone number • NI number (National Identity) • Date of birth • Driver’s license number • Vehicle license plate • Credit card number • Geo locations • IP Addresses • Cookies • RFID • Race, Ethnic, Origin, Gender (Article 7-9 Consent) First Inventory your PII data on AWS – How?
  • 7.
    The purpose ofGDPR is to improve the way personal data is stored and used. It is founded on six principles of data accountability (Article 5), specifically that personal data shall be: 1. Processed lawfully, fairly and in a transparent manner 2. Collected for specified, explicit and legitimate purposes 3. Adequate, relevant and limited to what is necessary 4. Accurate and, where necessary, kept up to date 5. Kept in a form which permits identification of Data Subjects for no longer than is necessary 6. Processed in a way that ensures appropriate security of the personal data The Data Controller is responsible for, and must be able to demonstrate, compliance with these principles. Also secure against, accidental loss, damage or destruction – Article -5 Article – 5 Six principles of data accountability
  • 8.
    “the controller andthe processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” What does this mean? Implement a Risk Assessment process – Update Risk Register – Privacy Impact Assessment (PIA) Article 35 – (Risk of Data Loss, Breach etc.) Article 32 – Security of Processing
  • 9.
    Article 25 ofthe GDPR codifies both the concepts of privacy by design and privacy by default. Under this Article a data controller is required to implement appropriate technical and organisational measures both at the time of determination of the means for processing and at the time of the processing itself in order to ensure data protection principles such as data minimisation are met. Any such privacy by design measures may include, for example, pseudonymisation or other privacy-enhancing technologies. What this means? - User does not have to inform you to secure their data (by Default) - You must implement Encryption, Config Mngt, and IAM controls for the cloud - (Technical) –AWS Security & Compliance Controls Article – 25 Data Privacy by Design and by Default
  • 10.
    What does itmean for cloud providers? Legal: ● Standard Contractual Clauses for Controller to Processor - Transfers of Personal Data (sample legal doc @ iapp.org) ● AWS is providing a GDPR BAA agreement now, please review. Technical: ● Request CIS GDPR specific AWS Cloud scan results every month/quarter based on volume from your third parties that are on AWS. Have that on your contract! Article 28 – Third Party Compliance
  • 11.
    Article 44 ofthe GDPR prohibits the transfer of personal data beyond EU/EEA, unless the recipient country can prove it provides adequate data protection. Descriptions of acceptable proof are detailed in Articles 45 – 49 ● Whitelisted Jurisdictions: The European Commission can make a finding that a non- EU/EEA jurisdiction enforces data protection laws that are essentially equivalent to the GDPR. Currently, the following jurisdictions enjoy an Adequacy Decision: Andorra, Argentina, Canada (some provinces), Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. ● Privacy Shield Framework: The Framework, approved on July 16, 2016, allows U.S. organizations to self-certify to the U.S. Department of Commerce and then publically commit to comply with the Framework’s data protection requirements. The public commitment is enforceable under U.S. law. Article – 44 International Transfers
  • 12.
    Summary : Aquick checklist for your Cloud Legal Responsibility and Obligations Review AWS BAA for GDPR. Also AWS is working on improving Infrastructure services to be more GDPR compliant by May 2018. Review Privacy Shield Framework –Self certify Organizational Responsibilities Assign a Data Protection officer which will govern and benchmark the program. Technical Responsibility and Obligations Inventory data, and implement strong controls to maintain data privacy. Pay attention to DLP, Encryption, and CIS/PCI/HIPAA equivalent controls around AWS configuration monitoring. Audit trail management. Implement cloud compliance automation to manage these controls and continually monitor in near real time.
  • 13.
    • The Centerfor Internet Security is a non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. • CIS AWS Benchmarks 44 AWS Controls • CIS - OS hardening & AWS Configurations • https://d0.awsstatic.com/whitepapers/compliance/A WS_CIS_Foundations_Benchmark.pdf – CIS Controls © 2018 - Cloudnosys | Security, Compliance, Cost. 1. Unauthorized API calls 2. Management Console sign-in without MFA 3. Usage of “root” account 4. IAM policy changes 5. CloudTrail configuration changes 6. AWS Management Console authentication failures 7. Disabling or deletion of customer created CMKs 8. S3 bucket policy changes 9. AWS Config configuration changes 10. Security group changes 11. Changes to Network Access Control Lists (NACL) 12. Changes to network gateways 13. Route table changes 14. VPC changes 15. Ensure security contact information is registered 16. Ensure appropriate subscribers to each SNS topic
  • 14.
    Cost of Breach– Security & Compliance © 2017 - Cloudnosys | Security, Compliance, Cost. Average cost of a data breach $6.53M 56% 70% Increase in theft of hard intellectual property Of consumers indicated they’d avoid businesses following a security breach 95% of all Cloud Breaches will be due to misconfigurations* https://www.csid.com/resources/stats/data/breaches/ http://www.pwc.com/gx/en/issues/cyber- Security/information-security-security-survey.html https://www.csid.com/resources/stats/data/breaches/ **By Gartner – Viveca Woods “Top Predictions for IT Organizations for 2016”
  • 15.
    © 2017 -Cloudnosys | Security, Compliance, Cost. Company AWS Service @ Fault Breach Details S3 – Public, IAM 4 Million exposed. SQL database dumps, code, access logs, customer billings address and phone numbers by BroadSoft. (TPRM) IAM, SG, MFA Administrative consoles of AWS were not password protected, for Aviva and Gemalto, leading hackers to mine Bit Coin on their EC2 instances. S3 - Public, IAM Viacom AWS Misconfiguration exposes Entire IT Infrastructure, including passwords, access and secret keys for their corporate AWS account. S3, MFA, IAM Dow Jones AWS misconfigurations left sensitive customer financial data exposed. S3 – Public, IAM Accenture AWS misconfiguration exposes 40,000 plaintext passwords. Verizon AWS exposed via Third Party (TPRM) © 2018 - Cloudnosys | Security, Compliance, Cost. AWS Misconfigurations = GDPR Breach!
  • 16.
    ● Cannot humanlyscan thousands of Configurations ● Need Automation & New tooling ● Implement a Third Party Risk Management program for the cloud that includes contract language for 44 CIS Controls. Missing Link in AWS GDPR Cloud Security © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 17.
    AWS Shared SecurityModel YOU © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 18.
    GDPR Top 10AWS Best Practices for Security and Compliance • Faisal Jawaid Dir of Product Management Security & Compliance © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 19.
    #1 Use IAMand not the “Root Account” An API key are credentials passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site. • The “Root” account has access to everything! Not restricted. • For Administrative Tasks, create users with Admin rights using IAM • Update billing and contact information that would be required to recover the account. 1 in 3 customers have root API access keys enabled! © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 20.
    #2 Review permissions,use strong passwords AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. • Review IAM policies on Users, Groups and Roles. Does your user really need access to all of these services? • Do your Third Party Applications need all of these permissions? • How many people have unrestricted access? • Use the IAM policy generator and policy simulator for assistance. © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 21.
    #3 Enable MultiFactor Authentication MFA is an extra layer of security that requires not only a password and username but also something that only, and only, that user has on them. • MFA is available to all IAM users, including the root account. • MFA options are Token Based and Text Message – SMS based. • Token based options include hardware Devices, and virtual software options, such as Google Authenticator, etc. © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 22.
    #4 Don’t leavethe front door open A Security Group acts as a virtual firewall for your instance to control inbound and outbound traffic. Each instance in a subnet in your VPC could be assigned to a different set of security groups. • Open VPC’s affects: Amazon Elastic Load Balancing Amazon RDS Amazon ElastiCache Amazon RedShift • Monitor Security Groups regularly • AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. © 2018 - Cloudnosys | Security, Compliance, Cost.
  • 23.
    #5 Build a secure Amazon Machine Image (AMI)
    An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the Amazon Elastic Compute Cloud (EC2). These instances are entirely customer managed, so their security falls on the customer.
    • Disable password-only access to hosts. Use SSH keys.
    • Disable remote “root” account logins. Do we want to allow root access?
    • Ensure only required applications and services are enabled.
    30% of customers OS-harden their AMIs.
  • 24.
    #6 Encrypt your data at rest and in transit
    Cryptographic best practices discourage extensive reuse of encryption keys. Both SSL 2.0 and 3.0 have been deprecated by the IETF (in 2011 and 2015, respectively).
    • TLS 1.3 is the latest version of TLS. What version are you on?
    • Use the Key Management Service (KMS) to encrypt your data on AWS.
    • Enable automatic key rotation for an existing Customer Master Key (CMK).
  • 25.
    #7 Monitor unauthorized access
    AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. The CloudWatch Alarms feature allows you to watch CloudWatch metrics and to receive notifications.
    • CloudTrail is designed to record API activity.
    • CloudWatch can send notifications based on configuration.
    • Simple Notification Service (SNS) can be used in conjunction to receive alerts.
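The CloudWatch alarms in #7 are fed by metric filters over CloudTrail records; the logic below is the same three conditions the CIS AWS Foundations Benchmark filters use for unauthorized API calls, console sign-in without MFA and root account usage, applied to records in Python so the matching can be seen. This is an added example, not code from the deck or from Cloudnosys, run over constructed records with placeholder ARNs.

```python
import json

# Constructed CloudTrail-style records, one JSON object per line, using the
# field names CloudTrail uses; ARNs and the account id are placeholders.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
])


def classify(rec: dict):
    """Return the alarm a record should raise, or None if it is benign."""
    ident = rec.get("userIdentity", {})
    err = rec.get("errorCode", "")
    if err == "AccessDenied" or err.endswith("UnauthorizedOperation"):
        return "UnauthorizedAPICalls"
    if rec.get("eventName") == "ConsoleLogin" and \
            rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "ConsoleSigninWithoutMFA"
    # Calls a service makes on root's behalf carry invokedBy; those are skipped.
    if ident.get("type") == "Root" and "invokedBy" not in ident \
            and rec.get("eventType") != "AwsServiceEvent":
        return "RootAccountUsage"
    return None


def scan(log_text: str) -> list:
    """Run classify() over newline-delimited records; returns (alarm, arn, eventName)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        alarm = classify(rec)
        if alarm:
            hits.append((alarm, rec.get("userIdentity", {}).get("arn"), rec.get("eventName")))
    return hits
```

In production these three conditions would be CloudWatch Logs metric filters on the CloudTrail log group, with an alarm and SNS subscription per metric, rather than a script.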
  • 26.
    #8 Use the Security Token Service for vendors
    The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
    • Can be used in place of privileged IAM user access keys.
    • Temporary credentials.
    • Allows third parties such as Cloudnosys to access your AWS accounts more securely (TPRM!).
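Both the permission review in #2 and the vendor access in #8 come down to reading policy documents. This added example (not the deck's or Cloudnosys's code) lints constructed policies: it finds statements that allow every action on every resource, and it flags a cross-account `sts:AssumeRole` trust that lacks the `sts:ExternalId` condition a third party should present, showing the weak trust policy beside the corrected one. Account ids and the ExternalId value are placeholders.

```python
# Constructed policy documents; the account ids are placeholders.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}]}
# Weak trust policy: any principal in the vendor account can assume the role.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole"}]}
# Corrected: the vendor must also present the agreed ExternalId.
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}


def _as_list(value) -> list:
    """IAM accepts a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict):
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow":
            yield i, st


def find_admin_statements(policy: dict) -> list:
    """#2: indexes of statements that allow every action on every resource."""
    return [i for i, st in _allow_statements(policy)
            if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", []))]


def find_unguarded_vendor_trust(trust_policy: dict, own_account: str) -> list:
    """#8: indexes of AssumeRole grants to another account with no sts:ExternalId condition."""
    bad = []
    for i, st in _allow_statements(trust_policy):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not any(own_account not in str(p) for p in aws):
            continue  # only principals from this account
        conditions = st.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            bad.append(i)
    return bad
```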
  • 27.
    #9 Secure your S3 buckets
    Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices.
    • Check your bucket access control lists regularly.
    • Watch for all grantees, including Authenticated Users.
    • Found (leaked) API keys are usually what is used to open S3 buckets.
    • Amazon Macie is available to protect data stored in Amazon S3; it recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides dashboards and alerts that give visibility into how this data is being accessed or moved.
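The grantee check in #9 is worth automating because the `AuthenticatedUsers` group is easy to mistake for "my users" when it actually means any AWS account. This added example, not from the deck or Cloudnosys, inspects constructed `get-bucket-acl`-shaped responses and reports every grant to either of the two global groups, rating write and ACL-changing grants higher; bucket names and the owner id are placeholders.

```python
# Pre-defined S3 groups whose presence in an ACL makes a bucket reachable
# beyond the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# Grants that let a grantee change data or the ACL itself are the worst case.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "READ_ACP", "FULL_CONTROL"}

OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID"}  # placeholder id
# Constructed ACLs shaped like get-bucket-acl responses, one per bucket.
SAMPLE_ACLS = {
    "app-logs": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"}]},
    "public-site": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"}]},
    "private": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
}


def audit_bucket_acls(acls: dict) -> list:
    """Return (bucket, who, permission, severity) for every grant to a public group."""
    findings = []
    for bucket, acl in acls.items():
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
                continue
            perm = grant.get("Permission")
            severity = "critical" if perm in WRITE_LIKE else "high"
            findings.append((bucket, PUBLIC_GROUPS[grantee["URI"]], perm, severity))
    return findings
```

Bucket policies and S3 Block Public Access settings can also expose or protect a bucket, so an ACL review is one of several checks, not the whole picture.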
  • 28.
    #10 Conduct a vulnerability assessment
    The main objective of a vulnerability assessment is to find as many vulnerabilities as possible that an attacker could use to cause damage to an organization.
    • Vulnerability assessments can be run against your assets in the cloud.
    • There are many tools, services and combinations of both available.
    • Customers can fine-tune their existing security controls after the assessment.
  • 29.
    What Next?
    • Knowing the Top 10, CIS-44, or 150 controls is not enough.
    • Writing SOPs and policies is not enough.
    • Automation is the new “cloud norm”, which drives enforcement and accountability.
  • 30.
  • 31.
    Cloudnosys Security and Compliance Platform
    CloudEye: continuously secure your cloud services and automate compliance. Over 150 Cloudnosys best-practice rules track and monitor your AWS services for security and compliance violations. Dashboards and reports keep you fully informed of any risks. – Agentless!
    • Continuous security & compliance scanning
    • Alerts on vulnerabilities
    • Audit reports on security and compliance
    • Fast remediation
    • Supports GDPR, PCI-DSS, HIPAA, AWS CIS Benchmark and FISMA mandates
  • 32.
    We mapped the regulatory controls and associated testing for you
    CloudEye: continuously scan your cloud services and automate compliance.
    1. Helps you fully demonstrate compliance to your auditors
    2. Reduces effort from months to a few minutes
    3. Be up and running in 5 minutes
    AWS Control Workbooks for Compliance
    1. Unauthorized API calls
    2. Management Console sign-in without MFA
    3. Usage of “root” account
    4. IAM policy changes
    5. CloudTrail configuration changes
    6. AWS Management Console authentication failures
    7. Disabling or deletion of customer created CMKs
    8. S3 bucket policy changes
    9. AWS Config configuration changes
    10. Security group changes
    11. Changes to Network Access Control Lists (NACL)
    12. Changes to network gateways
    13. Route table changes
    14. VPC changes
    15. Ensure security contact information is registered
    16. Ensure appropriate subscribers to each SNS topic
    Your compliance reports ready in minutes
  • 33.
    Dashboards: Compliance and Security
    The Security and Compliance dashboard shows alerts, violations and how to remediate them quickly to mitigate risks. It is generated on the fly after scanning all cloud services and availability zones.
  • 34.
    Reporting: Compliance and Security
    Security and Compliance reports show alerts, violations and how to remediate them quickly to avoid cyber attacks. They are generated on the fly after scanning all cloud services.
  • 37.
    How It Works
    An AWS-native cloud solution that automates key cloud security processes and enables consistent enforcement of security policies, best practices and compliance requirements across an organization’s AWS cloud infrastructure.
  • 39.
  • 40.
    Sample Cost Savings Report
    Cost savings reports are calculated in seconds after the user sets schedules to turn off some machines.
  • 41.
    Summary: What we learned today
    • Cloud security for GDPR is a shared responsibility.
    • Automation is key to maintaining the best GDPR compliance posture.
    • Third-party risk management – AWS CIS 44 rule enforcement.
    • Make DevOps accountable for security through automation – CI/CD.
    • Measure your progress through KPIs via automation.
    • Learn and enforce the AWS CIS-44 controls for starters.
    • Create a baseline by benchmarking AWS through the Cloudnosys Platform.
  • 42.
    Q & A - ANY QUESTIONS?
    Type your questions in the chat box now…
    Try Cloudnosys for 14 days free. Start monitoring, optimizing and securing your AWS. No-limits evaluation.
    info@Cloudnosys.com

Editor's Notes

  • #5 I edited introduction text as well