Want to learn more about Compliance in the Cloud? Attend the AWS Compliance Summit, where key verticals such as Financial Services, Government and Public Sector, and Healthcare and Life Sciences will be discussed, along with customer use cases and prescriptive guidance from AWS subject matter experts.
5. The world's largest track and trace network for connecting the life sciences supply chain and eliminating counterfeit prescription drugs from the global marketplace.
Accomplishments in AWS Regulated Workloads
1. Network-driven regulated workloads: 195,000+ network entities generating tens of millions of messages resulting in billions of transactions
2. Serialized operations in production at massive scale for global compliance
3. Automated IQ, OQ, crowd-sourced PQ (moving to automated)
AWS Services We Use: EC2, RDS, ElastiCache, CloudWatch, CloudTrail, Trusted Advisor, SQS, SNS, S3, DynamoDB, Route 53, CloudFormation, IAM, Kinesis, CloudSearch, Redshift
Distributed Network Tenancy: Pharma Companies, Wholesale Distributors, Dispensers, Repackagers, 3PLs, CMOs/CPOs
Data Translation; Business Collaboration; B2B Relationship Platforms
8. We are committed to improving health and well-being around the world. From developing new therapies that treat and prevent disease to helping people in need, we are guided by a rich legacy and inspired by a shared vision.
AWS Services We Use: 250+ applications supported by AWS infrastructure; 1000+ EC2 instances; 617TB of S3 storage; 2TB of EBS storage across our Merck VPCs in 3 AWS regions (US, Ireland, Singapore)
Accomplishments in AWS Regulated Workloads
1. Regulated R&D application running on AWS
2. Qualified AWS infrastructure per our SDLC policies
How Did We Do It? By integrating 'Cloud' into:
• SDLC & Cloud Guidance
• Security Controls and Design
• Info Risk, Privacy & Data Mgmt
• Supplier Mgmt Considerations
10. Quality Professionals
• Independent Software Vendor
• Leader in Enterprise Quality Management Solutions
• Serving Highly Regulated Industries
• Driving Control, Compliance & Product Safety
Top 35 Pharma Companies
13 out of 15 Top Medical Device Companies
Over 700 Implementations
Over 650,000 Users
More Than 30 Countries Across the World
14. Why AWS
• AWS Focus on Life Sciences
• Proven Compliant Validated Workloads
• Better Understanding of Virtualization by the Audit Community
• Life Sciences Cooperation re: how to respond to FDA requests
• Long History of Innovation
AWS Services: EC2, S3, VPC, KMS / IAM, CloudWatch, CloudTrail, RDS, Glacier, Route 53, CloudFormation, Config, AutoScaling
Industry Factors / Business Advantages:
• Faster Time to Market
• Constant Innovation
• World-Wide Scalability
• Cost Advantages
15. Bruce Kratz
VP Research & Development
bruce.kratz@spartasystems.com
Ivan Latanision
VP Product Management & Strategy
Ivan.latanision@spartasystems.com
We Help Protect Millions of Lives Every Day
17. What to Expect from the Session
Session for executives, quality & security assurance managers, and other stakeholders.
Focus on using AWS cloud products.
Lessons learned from organizations who are already using AWS in HCLS systems.
18. How is Compliance in AWS Different? (Traditional vs AWS)
Infrastructure: Devices / Hardware vs Code
Delivery Processes: Manual vs Automated
Software Architecture: Embedded vs Distributed
Access Controls and Logging: Disparate vs Harmonized
System Updates: Larger & Infrequent vs Smaller & Continuous
Monitoring in Production: Periodic Polls of Selected Samples vs Real-Time Alarms on Full Population
19. Considerations Using AWS in HCLS Systems
Purchasing Controls
Organization and Personnel
Design Controls
Validation
Production Environment Controls
Records and Reports
Auditing
20. Purchasing Controls
Traditional P.O. Purchasing (> 2 weeks)
1. Specify Server Requirements
2. Source server & OS
3. Submit request to Purchasing
4. Submit P.O. to vendor
5. Receive server shipment
6. Install server & OS
7. Configure OS
8. Qualify server & OS
9. Pay Invoice and depreciate asset as CapEx
Purchasing in AWS (< 5 minutes)
1. Specify Server Requirements
2. Select matching EC2 Instance Type & BYO qualified OS image
3. Launch Instance with your qualified image with automatic logging
4. Pay for what you use as OpEx
PROMPT> ec2-run-instances ami-978d91fe -k my-key-pair --instance-type t2.micro
21. Organization and Personnel
Awareness Training, Training per se, Employee Qualification
Online Documentation; Self-paced Labs; Foundational Courses; Role-based Courses; Associate and Professional Certifications
Update job descriptions and training plans for cloud skills: Developers, DBAs, Network & Security Engineers, Business Analysts, Auditors, QA/RA Managers
22. Design Controls
[Diagram: HCLS Operations; HCLS System End User; Elastic Load Balancing across Availability Zone A and Availability Zone B, each with Web Server, App Server and DB Server; HCLS System Engineer]
Define User Requirements -> Define System SLA -> Define App Requirements -> Define Data Requirements
Select AZs for Availability SLA; Architect Ability to Fail Over for SLA; Architect Data + Replication; Match App to EC2 Instance Type
23. Validation
Hardware Era: Protocol-Driven Manual Activities
Virtualization Era: Procedure-Driven Manual Activities
Cloud Era: Code-Driven Automated Activities
24. Production Environment Controls
Automate deployment to production with tools like AWS CodePipeline.
Establish and monitor control parameters programmatically using Amazon CloudWatch alarms.
Record and justify deviations from automated processes.
Create end user SLAs and support channels, then feed their requests into engineering.
[Diagram: HCLS end users and HCLS engineers]
25. Records and Reports
Record types: logs in CloudTrail and CloudWatch; CloudFormation templates and custom code; application validation records; virtual infrastructure qualification records; HCLS end user account info & training records; HCLS engineer account info & training records; AWS technical support cases
Generate:
• Automated Logging vs Manual Creation
Use:
• Review
• Analyze
• Act, Present, or Submit
Retain:
• Keep originals or true copies
• Define retention schedule & locations
• Ensure protection & retrievability
Dispose:
• Record destruction authorization
26. Auditing
Review your…
AWS account credentials
IAM users
IAM groups
IAM roles
IAM providers for SAML and OpenID Connect
Mobile apps
Amazon EC2 security configurations
Resource-based policies in other services like S3
Monitor activity in your AWS account
Training records
27. In Summary
Infrastructure as Code is fundamentally transforming HCLS IT compliance
Automation and shorter change cycles require rethinking traditional SDLCs
Cloud skills are the new job skills qualifications
HCLS organizations are achieving more control with less effort than ever before
28. Upcoming Sessions This Week
ARC305 - Self-service Cloud Services: How J&J Is Managing AWS at Scale for Enterprise Workloads
ARC311 - Decoding the Genetic Blueprint of Life on a Cloud Connected Ecosystem, ThermoFisher
BDT316 - Offloading ETL to Amazon EMR, Amgen
SEC304 - Architecting for HIPAA Compliance on AWS, Emdeon
SEC310 - Splitting the Check on Compliance and Security: Keeping Developers and Auditors Happy in the Cloud
SEC312 - Reliable Design and Deployment of Security and Compliance
SEC313 - Security and Compliance at Petabyte Scale: Lessons from the National Cancer Institute's Cancer Genomics Cloud Pilot
29. Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: awsaudittraining@amazon.com
AWS Loft New York: Audit Days
Security By Design: https://aws.amazon.com/compliance/security-by-design
34. Largest direct bank; 4th largest credit card issuer in the U.S.:
• $310.5 billion in assets
• $209.7 billion in loans
• $208.8 billion in deposits
• 65+ million accounts
• 46,000+ associates
• A FORTUNE 500 Company - #124
Accomplishments in AWS Regulated Workloads
• Experimentation: e.g. mobile pilots, hackathons
• Development & Test: e.g. online banking, stream data processing
• Production: e.g. mobile banking app, core banking platform
AWS Services We Use
• Compute: EC2, ELB
• Storage: EBS, S3
• Database: RDS
• Network: VPC, DirectConnect, Route53
• Admin & Security: IAM, CloudTrail, CloudWatch, Config, CloudHSM, KMS
• Deployment & Management: CloudFormation
• Application & Mobile: SQS, SNS
How Did We Do It?
• Due diligence service-based assessment
• Governance model and standards playbook
• Security by design for workloads, including in-house and third party developed tools
36. We provide faster payment connections to financial institutions. We provide features and controls to businesses that make the payments system easier.
Accomplishments in AWS Regulated Workloads
1. Strong Authentication (MFA)
2. Identity Access Management
3. Segmentation/isolation of resources
AWS Services We Use
IAM - Users, Access Policies
EC2, ECS - Scalability, Auto recovery
S3, RDS, ElastiCache - Storage, Caching, Search
Redshift, EMR - Big Data, Data Warehouse, Reporting
VPC, Route 53 - Isolation, Firewall, Subnets
CloudFormation - Automation
How Did We Do It?
● Infrastructure as code - changes have a clear audit trail
● Iterative approach to infrastructure - evolved over time, kept up to date with leading practices.
● Defined mapping of integrated compliance requirements
● Avoid theater - evaluate the security/compliance goal and develop a process that accomplishes the goal while allowing for rapid and easy development.
41. Systems must be secure, redundant, and available
Innovative workflows: Documents associated with user profiles (S3)
Security: Security through encryption and narrow permissions scoping (IAM)
Redundancy / Business Continuity: Backups and snapshots
Combating Fraud: Data Science without a Data Science Infrastructure Team (Redshift)
48. About Intake Ecosystem
As part of its regulatory mission, FINRA requests and receives information from broker-dealers
In addition to Market Big Data, millions of documents submitted each year - documents can be up to 100's of gigabytes
Customers are uploading more and larger documents - 20% YoY submission growth
All document uploads must be auditable in case of litigation
49. Requirements
Centralize all document intake into a Unified Data Catalog leveraged by FINRA users and applications
Leverage proven cloud-based services such as storage, security and network infrastructure to deliver business functionality
FINRA must manage and control encryption in transit and at rest
Maintain focus on FINRA's key mission of analyzing data while minimizing operational overhead
50. Approach
Build a large file service which uses S3, KMS, and IAM policies to ensure compliance with FINRA policies
Firms directly submit data to AWS with temporary write-only access to a fixed location
Data is always encrypted, in transit and at its final destination
Leveraged FINRA's Data Manager which provides a Unified Data Catalog and usage tracking on top of AWS Storage
[Diagram: Large File Service]
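The "temporary write-only access to a fixed location" pattern from the Approach slide, as an added example that is not FINRA's or AWS's code: it builds the kind of scoped session policy an intake service could hand a submitting firm (PutObject only under one prefix, only over TLS, only with SSE-KMS under the service's key) and checks it with a minimal local evaluator so the allow/deny outcomes can be verified offline. The bucket name and KMS key ARN are constructed placeholders.

```python
import fnmatch

BUCKET = "example-intake-bucket"  # constructed placeholder bucket name
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def write_only_policy(firm_id, submission_id):
    """Session policy for one submission: PutObject only under a fixed
    prefix, only over TLS, only with SSE-KMS using the service's key.
    No GetObject or ListBucket, so the firm can write but never read back."""
    prefix = f"{firm_id}/{submission_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteToFixedLocation",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN,
                },
                "Bool": {"aws:SecureTransport": "true"},
            },
        }],
    }


def _conditions_hold(cond, ctx):
    """Only the two IAM condition operators the policy above uses."""
    for key, want in cond.get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    for key, want in cond.get("Bool", {}).items():
        if str(ctx.get(key, "false")).lower() != want:
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Minimal evaluator: default deny, explicit Deny wins, an Allow must
    match action and resource (IAM-style wildcards) with conditions met."""
    allowed = False
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in ress):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    pol = write_only_policy("firm-001", "sub-42")
    ctx = {"s3:x-amz-server-side-encryption": "aws:kms",
           "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN,
           "aws:SecureTransport": "true"}
    obj = f"arn:aws:s3:::{BUCKET}/firm-001/sub-42/filing.pdf"
    print("put allowed:", is_allowed(pol, "s3:PutObject", obj, ctx))  # True
    print("get allowed:", is_allowed(pol, "s3:GetObject", obj, ctx))  # False
```

The evaluator covers only the operators this policy uses; the real check is always the service's own evaluation (for example via the IAM policy simulator), and the policy is meant to be passed as a session policy on the temporary credentials handed to the firm.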
51. Lessons Learned
Refine and review architecture with your Security Team and AWS SMEs
Gigabyte uploads require security token refresh during the upload process
KMS keys are not replicated across regions, therefore a duplicate object in another region requires re-encryption - this is on AWS' roadmap!
Partner with your AWS Pro Serv and internal product teams to build your service layer
52. Future
Migrate all documents which are less than 5 years old to S3 and Glacier
Unified Data Catalog gives us new opportunities to apply data mining, machine learning and pattern-recognition across all documents
Move all existing Data Intake platforms and applications to the cloud
54. What to Expect from the Session
- AWS services and tools give financial services customers transparency into AWS services and security configurations.
- AWS services and tools offer financial services customers ease of auditability and streamline compliance requirements.
55. Risk Measures Critical to Moving to the Cloud (Direct Customer Feedback)
GLBA
National Regulations
PCI-DSS
Corporate Governance
Data Protection
Basel 3
58. The Next Big Thing in GRC
1. The right Security By Design tech - AWS
2. SbD Whitepaper
3. AWS GoldBase
4. FFIEC & OCIE Audit Guides
5. IT Auditor Days & Training Courses
AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
61. IT Auditor Days
Customer, June 3, 2015:
“I appreciated the firsthand view of the controls (access management, logging/auditing) available for governance. The training would not only be helpful for technology, but for risk/compliance and internal audit teams as well.”
Coming soon to San Francisco, London, and Berlin
New: Regulators
IT AUDITOR DAY FOR U.S. FINANCIAL SERVICES REGULATORS
Thursday, December 3, 2015
AWS Loft | 350 West Broadway | New York, NY 10005
Amazon Web Services (AWS) offers a number of tools that allow customers transparency and ease of auditability of their AWS environment. AWS also recognizes that the regulatory community is critical to the auditing process of its customers.
That is why we are offering a free invitation-only seminar to U.S. financial services regulators that includes an introduction to and auditing of AWS's services. This hands-on training will introduce AWS services and apply practical exercises to demonstrate how AWS can enable customers to implement industry best practices for security and fulfill audit objectives related to Organizational Governance, Asset Configuration, Logical Access Controls, Operating Systems, Databases and Applications Security Configurations.
By the end of the day, you will understand how customers are using AWS and the technical control features of AWS that can demonstrate a repeatable, reportable, and auditable architecture, and the evidence supplied to demonstrate it.
WORKSHOP DETAILS
WHEN: Thursday, December 3, 2015
TIME: 10:30 AM TO 5:00 PM (EST)
WHERE: AWS Loft, 350 West Broadway, New York, NY 10013
TO RSVP: Click here
WHO SHOULD ATTEND
U.S. financial services regulators who are responsible for auditing financial services organizations who are AWS customers.
This is a closed event for U.S. Financial Services Regulators Only: the Federal Reserve, the Federal Reserve of New York, the Securities Exchange Commission, the Office of the Comptroller of the Currency, the U.S. Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the National Association of Insurance Commissioners.
PREREQUISITES
We recommend, but do not require, that attendees of this course have some familiarity with general
December 3, 2015
62. Related Sessions
• SEC 312 - Reliable Design and Deployment of Security and Compliance (1:30 p.m. Wednesday/Delfino 4005)
• SEC 302 - IAM Best Practices to Live By (1:30 p.m. Wednesday - see the replay)
• SEC 324 - Security Insights into Your Application Deployments (5:30 p.m. Wednesday)
• SEC305 - How to Become a Policy Ninja in 60 Minutes or Less (11:00 p.m. Thursday)
• SEC314 - Full Configuration Visibility and Control with AWS Config (5:30 p.m. Thursday/Palazzo K)
68. City of Houston, Public Works & Engineering
Accomplishments in AWS Regulated Workloads
1. Utility billing system for 500,000 customers and $1.2 billion in annual revenue.
2. Collect and store 3.7 billion water meter reads annually.
3. Advanced analytics provide early leak detection, conserving water.
4. AWS PCI Compliance ensures that a system of this magnitude is secure.
5. Additional initiatives moved to AWS: ReBuild Houston, Electronic Plan Review.
AWS Services We Use
• Amazon EC2
• Amazon VPC
• Amazon Access Control
69. Albert "Scotty" Ellis, CISSP
Assistant Director, Center for Collaborative and
Interactive Technologies
70. GIVING LIFE TO POSSIBLE
Accomplishments in AWS Regulated Workloads
1. Better security. Better functionality. A win-win.
2. Easier planning, better cost control, more automation.
3. Faster feature development.
How Did We Do It?
An interlocking combination of the services and personnel training.
Making distinct compliance levels in our infrastructure as per our various site/application requirements.
AWS Services We Use: EC2, VPC, IAM, CloudTrail, CloudWatch, Glacier, EBS, AWS CLI, SES, SNS, RDS, Route 53
71. Albert "Scotty" Ellis, CISSP
Assistant Director, Center for Collaborative and Interactive
Technologies
Baylor College of Medicine
Email: alellis@bcm.edu
82. Records Management
Records Schedule
Privacy Act
Paperwork Reduction Act
Section 508 and Accessibility Standards
Federal Acquisition Regulation
Anti-deficiency Act
Economy Act
E-Government Act
Computer Matching Act
National Cyber Protection System
Guidance for Agency Use of Third-Party Websites and Applications
Social Media and Web-Based Interactive Technologies
Office of Management and Budget Circular A-130 Appendix 3
Federal Information Security Management Act
Federal Information Processing Standard (FIPS) 199
Federal Information Processing Standard (FIPS) 200
Federal Information Processing Standard (FIPS) 140-2
Special Publication 800-37
Special Publication 800-53 Revision 4
Special Publication 800-60 Volume 1
Special Publication 800-60 Volume 2
83. Special Publication 800-18
Special Publication 800-137
Special Publication 800-171
Special Publication 800-133
Special Publication 800-95
EINSTEIN Compliance
FedRAMP
OMB Guidance on third party websites and applications
OMB Memo M-14-04
OMB Memo M-15-01
Trusted Internet Connection 2.0 Reference Architecture
Pages in total: 4006
84. My friend, you can clearly see the intention of FIPS 140-2 Annex A was to deprecate SHA-1 on the lunar new year...
107. What to Expect from the Session
• What is the AWS/FedRAMP - TIC Overlay Pilot?
• What can I use to build my TIC overlay assessment using AWS?
• How can I audit and capture flow logs to ease satisfying more than one TIC Capability?
• How can I automate enforcing TIC Capabilities using AWS?
108. What is the Trusted Internet Connection (TIC)?
As outlined by OMB Memorandum M-08-05:
• Optimize and standardize
• Reduce & consolidate
• Enhanced monitoring and situational awareness of external network connections.
112. Use VPC flow logs and other AWS audit sources to ease satisfying more than one TIC Capability with a single configuration change
AWS CloudTrail, Amazon CloudWatch, AWS VPC, Amazon S3, AWS Elastic Load Balancing
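What "audit and capture flow logs" looks like once the logs exist, as an added example that is not from the session or from AWS: it parses VPC Flow Log records in the default version-2 field order and aggregates only the flows that cross the VPC boundary, which is the population a TIC-style review of external network connections is interested in. The VPC CIDR and the log lines are constructed sample values.

```python
import ipaddress
from typing import Optional

# Default VPC Flow Log (version 2) record fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed sample VPC range

# Constructed sample records: two egress HTTPS flows, one rejected inbound
# SSH attempt, one intra-VPC database flow, and one NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49152 443 6 20 4000 1431000000 1431000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.15 51000 22 6 3 180 1431000000 1431000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.20 33000 5432 6 50 9000 1431000000 1431000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49153 443 6 12 2400 1431000060 1431000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1431000120 1431000180 - NODATA
"""


def parse_record(line: str) -> Optional[dict]:
    """Split one record into a dict; drop malformed lines and records whose
    log_status is NODATA/SKIPDATA, since those carry no addresses."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec


def crosses_boundary(rec: dict, cidr=VPC_CIDR) -> bool:
    """True when exactly one endpoint is inside the VPC."""
    src_in = ipaddress.ip_address(rec["srcaddr"]) in cidr
    dst_in = ipaddress.ip_address(rec["dstaddr"]) in cidr
    return src_in != dst_in


def summarize_external(log_text: str, cidr=VPC_CIDR) -> dict:
    """Aggregate boundary-crossing flows as
    {(direction, external_ip, dstport, action): [flow_count, total_bytes]}."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not crosses_boundary(rec, cidr):
            continue
        egress = ipaddress.ip_address(rec["srcaddr"]) in cidr
        external = rec["dstaddr"] if egress else rec["srcaddr"]
        key = ("egress" if egress else "ingress", external, rec["dstport"], rec["action"])
        agg = summary.setdefault(key, [0, 0])
        agg[0] += 1
        agg[1] += rec["bytes"]
    return summary


if __name__ == "__main__":
    for key, (flows, nbytes) in sorted(summarize_external(SAMPLE_LOG).items()):
        print(key, "flows:", flows, "bytes:", nbytes)
```

The same loop runs unchanged over records delivered to CloudWatch Logs or S3; rejected ingress flows on management ports and egress to addresses outside an approved list are the rows a reviewer would pull into an alarm.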
113. Look for Upcoming AWS Customer Resources
AWS/TIC Overlay Use Case and Whitepaper
Gold Base
TIC Connection Scenarios using AWS
116. Success!
“AWS answered the call of the Department of Homeland Security (DHS) Trusted Internet Connections (TIC) Program Management Office (PMO) and FedRAMP PMO for CSPs to participate in their FedRAMP - TIC Overlay Pilots in order to help develop a solution towards data security and network connections between federal agency networks and cloud service providers.
AWS successfully completed the pilot and provided their assessment of addressing the controls identified in the Draft FedRAMP-TIC Overlay to DHS TIC and FedRAMP PMO to develop further guidance on TIC Ready CSP solution.”
Matthew Goodrich, FedRAMP Director, US General Services Administration
Sara Mosely, Branch Chief, US Department of Homeland Security, Trusted Internet Connection
117. Want More Info?
Email: awscompliance@amazon.com
Subject: AWS/FedRAMP -TIC Overlay Pilot
Copy of Draft FedRAMP-TIC Overlay
https://www.fedramp.gov/draft-fedramp-tic-overlay/