Modernizing Technology Governance
•Download as PPTX, PDF•
3 likes•422 views
Presentation from Todd Gleason of AWS at the Alert Logic Cloud Security Summit: Dallas on October 25, 2016.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Modernizing Technology Governance
Similar to Modernizing Technology Governance (20)
More from Alert Logic
More from Alert Logic (20)
Recently uploaded
Recently uploaded (20)
Modernizing Technology Governance
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Todd Gleason, Executive Cloud Strategist, AWS October, 25 2016 Modernizing Technology Governance Reducing Security Surface Area Through AWS Shared Responsibility and Applying Security-by-Design
- 2. Over A Million Active Customers and Every Imaginable Use Case 1500+ Government Agencies 3600+ Education Institutions 190 Countries 11,200+ Nonprofits Security is Job Zero
- 3. Customer - Financial Services "The financial services industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers." CIO Capital One
- 4. Customer - PCI-DSS Using AWS, Vodafone created TopUp, a secure, PCI- compliant solution that makes it easy for its customers to buy credit for mobile phone SIM cards.
- 5. Customer - Healthcare Oscar Insurance built a technology and data-driven health insurance company from the ground up in just three months on AWS while meeting HIPAA compliance requirements.
- 6. The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014 The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
- 7. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Assurance Programs
- 8. Certifications / Attestations Laws / Regulations / Privacy Alignments / Frameworks DoD SRG DNB [Netherlands] CIS FedRAMP EAR CLIA FIPS EU Model Clauses CJIS IRAP EU Data Protection Directive CMS EDGE ISO 9001 FERPA CMSR ISO 27001 GLBA CSA ISO 27017 HIPAA FDA ISO 27018 HITECH FedRAMP TIC MLPS Level 3 IRS 1075 FISC MTCS ITAR FISMA PCI DSS Level 1 My Number Act [Japan] G-Cloud SEC Rule 17-a-4(f) Privacy Act [Australia] GxP (FDA CFR 21 Part 11) SOC 1 Privacy Act [New Zealand] IT Grundschutz SOC 2 PDPA - 2010 [Malaysia] MITA 3.0 SOC 3 PDPA - 2012 [Singapore] MPAA UK Cyber Essentials U.K. DPA - 1988 NERC VPAT / Section 508 NIST EU-US Privacy Shield PHR Spanish DPA Authorization UK Cloud Security Principles Comprehensive Security and Compliance
- 9. Foundational Certifications ISO 9001 Global Quality Standard ISO 27001 Security Management Standard ISO 27017 Cloud Specific Controls ISO 27018 PII Specific Controls SOC 1 Audit Controls Report SOC 2 Compliance Controls Report SOC 3 General Controls Report PCI DSS Level 1 Payment Card Standards NIST 800-53 Risk Management Framework
- 10. Financial Services Compliance Enablers Federal Financial Institutions Examination Council (FFIEC) published a guide for financial services institutions, examiners, and advisors on the use and security architecture of AWS. U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) published an overview of the OCIE Cybersecurity Initiative on cybersecurity preparedness in the securities industry. Outlines customer compliance responsibilities in relation to AWS. U.S. Securities and Exchange Commission's (SEC) 17a- 4(f) & CFTC 1.31(b)-(c) Compliance Assessment Report for Amazon Glacier with Vault Lock
- 11. AWS Privacy and Data Security Now that the Safe Harbor compliance scheme has been ruled invalid, can customers still use AWS and comply with EU law? Yes – the EU data protection authorities’ approval of the AWS Data Protection Agreement and Model Clauses enable transfer of data outside Europe – including to the US
- 12. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Global Infrastructure
- 13. AWS Global Infrastructure 14 Regions 38 Availability Zones 63 Edge Locations You decide where you want to put content and controls
- 14. Requirements From Every Industry Nothing better for the entire community than a tough set of customers… Everyone’s Systems and Applications Financial Health Care Government Global Infrastructure Requirements Requirements Requirements
- 15. AWS Foundational Security Applies to Every Customer AWS maintains a formal control environment • SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70) • SOC 2 Type II and SOC 3 report • ISO Certification (27001, 270017, 270018) • Certified PCI DSS Level 1 Service Provider • FedRAMP Authorization • HIPAA and MPAA capable Accredited experts audit and validate the AWS cloud AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud Auditor
- 16. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Shared Responsibility
- 17. Security is a Shared Responsibility Customer Applications & Content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud NetworkingDatabasesStorageCompute Edge Locations Availability Zones Regions AWS Global Infrastructure Foundation Services
- 18. AWS Shared Security Responsibility Infrastructure Services Platform Services Abstracted Services Security is Shared and Classified by Ownership
- 19. AWS Shared Responsibility: for Infrastructure Services Customer Data Platform & Application Management Operating system, network, and firewall configuration Data Confidentiality Encryption at-rest / in-transit, authentication Data Availability HA, DR/BC, Resource Scaling Data Integrity Access control, Version control, Backups CustomerIAMAWSIAM Managed by AWS Managed by customersAWS Endpoints NetworkingDatabasesStorageCompute Edge Locations Availability Zones Regions AWS Global Infrastructure Foundation Services
- 20. AWS • Foundation Services (Network, Compute, Storage) • AWS Global Infrastructure • AWS Endpoints Infrastructure Services – Example Amazon EC2 Customer • Customer Data • Customer Application • Operating System • Network & Firewall (VPC) • Customer IAM • AWS IAM (Users, Groups, Roles, Policies) • High-Availability / Scaling • Instance Management • Data Protection (In-transit, At-rest, Backup)
- 21. AWS Shared Responsibility: for Platform Services Customer Data Client-side data encryption & data integrity authentication Network traffic protection encryption / integrity / identity Customer IAM AWSIAM Managed by customers Managed by AWS Platform & Application Management Firewall Configuration Operating system & Network Configuration AWS Endpoints NetworkingDatabasesStorageCompute Edge Locations Availability Zones Regions AWS Global Infrastructure Foundation Services
- 22. AWS • Foundation Services (Network, Compute, Storage) • AWS Global Infrastructure • AWS Endpoints • Operating System • Instance Management • Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL) Platform Services – Example RDS Customer • Customer Data • Firewall (VPC) • Customer IAM (DB Users, Table Permissions) • AWS IAM (Users, Groups, Roles, Policies) • High-Availability / Scaling • Data Protection (In-transit, At-rest, Backup)
- 23. AWS Shared Responsibility: for Abstracted Services Customer Data Client-side data encryption, data integrity and authentication AWSIAM Managed by customers Client-side data encryption provided by platform (protection of data at-rest) Network traffic encryption provided by platform (protection of data in-transit) Platform & Application Management Operating system, network, and firewall configuration Managed by AWS AWS Endpoints NetworkingDatabasesStorageCompute Edge Locations Availability Zones Regions AWS Global Infrastructure Foundation Services
- 24. AWS • Foundation Services • (Network, Compute, Storage) • AWS Global Infrastructure • AWS Endpoints • Platform / Application • Data Protection (In-transit, At-rest) • High-Availability / Scaling Platform Services – Example S3 Customer • Customer Data • Data Protection (In-transit, At-rest) • AWS IAM (Users, Groups, Roles, Policies)
- 25. Approaches to Auditing AWS services are regularly assessed against industry standards and requirements. Policy or procedure controls are the responsibility of the customer. Manage AWS services similar to traditional infrastructure services. Access to AWS services should be treated like other privileged administrator access.
- 26. Part of Your Compliance Work is Done Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups OS firewalls Operating systems Application security Service configuration Account management Authorization policies + = Customer Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck. Secure, compliant workloads
- 27. What Does This Mean For You? You benefit from an environment built for the most security sensitive organizations AWS manages and validates testing against more than 3000 security controls so you don’t have to You can define the right security controls for your workload sensitivity You always have full ownership and control of your data
- 28. Familiar Security Model Validated and driven by customers’ security experts Benefits all customers PEOPLE & PROCESS SYSTEM NETWORK PHYSICAL Closing the Loop – AWS Shared Responsibility Our pace of innovation, comprehensive security and compliance features allows you to measurably improve your security program.
- 29. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security by Design
- 30. What is Security? Practice of protecting your intellectual property from unauthorized access, use, or modification. What are the key things that come to your mind when talking about Security? • Visibility • Auditability • Controllability • Agility • Automation Cloud goes beyond the traditional elements of security and adds…
- 31. What is Security by Design (SbD)? Modern, systematic security assurance approach Formalizes AWS account design, automates security controls and streamlines auditing Provides security control built in throughout the AWS IT management process Effective Security is ubiquitous and automatic…
- 32. Why is this important? Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of information that needs to be safeguarded and the dynamic connectivity of data, applications, and users. A reliable security approach is needed to ensure data is safeguarded and available to authorized users and systems. Confidentiality Integrity Availability
- 33. Why - Modernize Technology Governance The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement. Assets ThreatVulnerability RiskAutomation is needed to dominate governance through technology enablement.
- 34. Approaching Security by Design Understand your requirements Build a “secure environment” that fits your requirements 1 Enforce the use of the templates Perform validation activities 2 3 4
- 35. Impact of Security by Design Creates a forcing function that cannot be overridden by users Establishes reliable operation of controls Enables continuous and real-time auditing Represents the technical scripting of your governance policy Result Automated environment enabling enforcement of security and compliance polices and a functionally reliable governance model.
- 36. AWS Security & Compliance Resources AWS Risk & Compliance Introduction to AWS Security AWS Security Overview AWS Security Best Practices Security at Scale Whitepapers Customer penetration testing requests Security Partner Solutions Request more information by contacting us aws.amazon.com/security aws.amazon.com/compliance
- 37. Thank you!
Editor's Notes
- Security is a Path and not a Destiny. We understand that Security and governance are often the top issues identified when we talk to our customers. Based on our experience of working with millions of customers running every imaginable use case, that includes requirements for stringent Security and Compliance controls, we really advise and highly recommend our customers to invest in security review early in the process. Get your security folks talk to our security folks and understand security and compliance. Security is really not on or off. It’s a spectrum of options that you can choose from that is right for your application.
- Capital One is using AWS to reduce its data centers from eight to three by 2018. Capital One is one of the nation’s largest banks and offers credit cards, checking and savings accounts, auto loans, rewards, and online banking services for consumers and businesses. The bank is using or experimenting with nearly every AWS service to develop, test, build, and run its most critical workloads, including its new flagship mobile-banking application. Rob Alexander, Capital One's chief information officer, says, "The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers." Capital One selected AWS for its security model and for the ability to provision infrastructure on the fly, the elasticity to handle purchasing demands at peak times, its high availability, and its pace of innovation.
- …Vodafone created a compliant, secure solution on AWS that can scale to handle thousands of daily transactions while reducing capital expenditures by 30 percent. Vodafone Italy is a leading mobile communications company. Using AWS, Vodafone created TopUp, a secure, PCI-compliant solution that makes it easy for its customers to buy credit for mobile phone SIM cards.
- Oscar Insurance built a technology and data-driven health insurance company from the ground up in just three months on AWS while meeting HIPAA compliance requirements. The company uses AWS to run its insurance platform, customer databases, and analytics solution. Using AWS, Oscar Insurance processed more than 25 million historical insurance claims in hours and launched its platform on time for open enrollment.
- The strength of security has been validated in the industry and by our customers. Forrester contacted 13 cloud providers, but only 4 agreed to participate. AWS participated because of its confidence in its security controls, and its belief that transparency in security is in the best interest of its customers. AWS demonstrated a broad set of security capabilities in data center security, certifications, and network security AWS excelled in customer satisfaction, security services partnerships, and a large install base AWS led in the size of its development and technical support staff
- Cloud Service Provider or the user?
- AWS has the longest-standing, most comprehensive compliance profile in the market We innovate broadly and deeply in control features to help our customers’ meet compliance needs Our security features make moving to the AWS cloud a compelling control option in managing compliance Certifications / Attestations: Certifications and Attestations are performed by a third-party independent auditor and results in a certification, audit report, or attestation of compliance. Please select a region and then select an assurance program. In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards. These include, but are not limited, to those listed in column two and three of this table. Laws, Regulations, and Privacy: Customers maintain compliance with applicable Laws and Regulations, AWS Customers organizations can / must self-certify or create a contract (e.g. HIPAA BAA). No formal certification is available to (or distributable by) a cloud service provider within these law and regulatory domains. Alignments / Frameworks: These are published security or compliance requirements specific to the customer’s industry or function. AWS supports customers seeking alignment by providing functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers). Formal “direct” certification of these programs is either 1) not available to cloud providers or 2) represents a smaller subset of requirements already demonstrable by our current formal certification/attestation programs.
- The underlying physical infrastructure and the AWS Management Environment for all US Regions and GovCloud has been audited and received compliance certifications for SOC, ISO, PCI-DSS, FedRAMP (NIST 800-53 Rev. 4 – Moderate Impact Level) and DoD SRG (Security Requirements Guide) US East/West holds a DoD Level 2 Provisional Authorization and covers: EC2, EBS, S3, VPC, IAM, and Redshift. AWS GovCloud (US) holds DoD PAs at Level 2 and 4. These PAs cover: EC2, EBS, S3, VPC, and IAM, and Redshift (at L2 only). SOC 1 (Type 2) A description of the AWS control environment and external audit of AWS defined controls and objectives SOC 2 (Type 2) External audit of AWS controls that meet the AICPA Trust Services Security Principle and Criteria ISO/IEC 27001:2013 Global security standard for Information Security Management System (ISMS) ISO/IEC 27017:2015 Security control best practices, based on ISO/IEC 27002, designed specifically for cloud services ISO/IEC 27018:2014 Security control best practices to protect personally identifiable information (PII) in public clouds acting as PII processors PCI Data Security Standard (PCI DSS) 3.1 Level 1 Information security standard required for organizations that process credit card payments NIST 800-53, Rev. 4 Security Control Baseline for Moderate Impact Levels Security and Privacy Controls for Federal Information Systems and Organizations controls and more services
- The Federal Financial Institutions Examination Council (FFIEC) published a guide for financial services institutions, examiners, and advisors on the use and security architecture of AWS. Learn about their recommended use and guidance in relation to client data. The U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) published an overview of the OCIE Cybersecurity Initiative on cybersecurity preparedness in the securities industry. It outlines customer compliance responsibilities in relation to AWS.
- AWS customers retain ownership and control of their content. They choose which location to store their data and it doesn’t move unless the customer decides to move it. Regardless of where a request for customer content comes, we are vigilant about our customers’ privacy and have implemented sophisticated technical and physical measures to prevent unauthorized access. We have a world-class team of security experts monitoring our systems 24/7 to protect customer content. We will not disclose customer content in response to requests unless required to do so to comply with a legally valid and binding order, such as a subpoena or a court order. Additionally, we would notify the customer before disclosing their content so they could seek protection from disclosure, unless prohibited by law.
- Cloud Service Provider or the user?
- List talking points from global infrastructure security slides Highly secure facilities and infrastructure Independent regions for data privacy compliance Build on constantly improving security baseline Build on compliant infrastructure Extensive network and security monitoring Foundational security applies to every customer AWS makes no secondary use of customer content. Manage your privacy objectives any way that you want. Customer chooses where to place data AWS regions are geographically isolated by design Data is not replicated to other AWS regions and doesn’t move unless you choose to move it.
- When big institutions submit stringent security requirements to us, and review the audit findings of our compliance auditors, we frequently build their requirements and incorporate their feedback into the platform. EVERYBODY benefits from them. We don’t build “one off” solutions for anyone, so everybody benefits from the improvements made for any customer. In many cases, this results in a better security profile than what each individual firm could accomplish on their own. In the past year we have released more than 165 security-related features or service enhancements (nearly 40% of overall feature releases) .
- Because AWS and its customers share control over the IT environment, both parties have responsibility for managing the IT environment. The responsibility of AWS includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use. The customer’s responsibility includes configuring their IT environments in a secure and controlled manner for their purposes. While customers don’t communicate about their use and configurations to AWS, AWS does communicate about its security and control environment relevant to customers. AWS communicates by: Obtaining industry certifications and independent third-party attestations. Publishing information about AWS security and control practices in whitepapers and website content. Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required). Additional details about the AWS Compliance assurance programs at www.aws.amazon.com/compliance. We also recommend you review the AWS Security Whitepaper, located at www.aws.amazon.com/security. Expert Auditors The best solution for validating content security policy (CSP) security is to get accredited experts to do it for you. This is using a very sharp tool for a very specific job. Auditors are constantly moving through the AWS environment. There is seldom a day when professional third-party auditors are not engaging deeply with AWS physical and logical security controls: testing, validating, finding ways to improve security, documenting all of this, and generating the rich body of evidence that backs up the auditing result. CSP auditors understand the cloud in general, they understand where AWS fits in the cloud landscape, they understand the risks, and they understand the relevant customer use cases in depth. They interpret the traditional standards for you, applying them to AWS in a way that makes sense. They can do a much better job than most audit functions at companies with limited experience in doing this specifically. Multiple certifications and reports offered by AWS provide you with the ability to triangulate on risk and controls if there isn't a report that meets your exact needs. With one report or certification, it's a great set of data, but with many (overlapping but subtly different controls, different audit types and periods, different points in time), you can get the visibility you need.
- Cloud Service Provider or the user?
- There are never enough great security professional in your organization, but the cloud can help. The Shared Responsibility model hugely reduces the total “security surface area” that customer security experts need to take care of for themselves. They rely on us for all the low level infrastructure security. With that narrower focus, customer security teams have a “reduced security surface area,” and can devote more of their attention to OS and application level security. Their experts can focus and achieve better results in the areas that are more closely related to the differentiated value for their business or mission, as opposed to the generic “undifferentiated heavy lifting” that applies to low-level security and compliance work as well as infrastructure management itself. Talking points AWS is relentless in ensuring that security is a top priority and works hard to ensure that it is providing a secure environment for our customers to operate in. At the same time there is a level of security that the customer must take responsibility for when operating in a cloud environment. This leads to the shared responsibility model for security. AWS looks after the security OF the cloud, and you look after your security IN the cloud. Talking points AWS side of the responsibility Leverage our culture of having a secure environment and constant improvement Perform regular audits Ensure that access and end points are protected Leverage security recommendations from customers and make them available to all customers. Customers Use AWS resources to configure security Customers have the ability to implement their own controls Leverage our partner network to find security solutions that meet their operating needs
- From a shared security responsibility perspective, AWS services can be classified into three categories: Infrastructure, Container, and Abstracted services. Each category comes with a slightly different security ownership model based on how you interact and access the functionality.
- With these services, you can architect and build a cloud infrastructure using technologies similar to and largely compatible with on-premises solutions. You control the operating system, and you configure and operate any identity management system that provides access to the user layer of the virtualization stack. For certain compliance requirements, you might require an additional layer of protection between the services from AWS and your operating systems and platforms, where your applications and data reside. You can impose additional controls, such as protection of data at rest, and protection of data in transit, or introduce a layer of opacity between services from AWS and your platform. The opacity layer can include data encryption, data integrity authentication, software- and data-signing, secure time-stamping, and more.
- For AWS container services, AWS manages the underlying infrastructure and foundation services, the operating system and the application platform. For example, Amazon RDS for Oracle is a managed database service in which AWS manages all the layers of the container, up to and including the Oracle database platform. For services such as Amazon RDS, the AWS platform provides data backup and recovery tools; but it is your responsibility to configure and use tools in relation to your business continuity and disaster recovery (BC/DR) policy.
- You are responsible for managing your data (including classifying your assets), and for using IAM tools to apply ACL-type permissions to individual resources at the platform level, or permissions based on user identity or user responsibility at the IAM user/group level. For some services, such as Amazon S3, you can also use platform-provided encryption of data at rest, or platform-provided HTTPS encapsulation for your payloads for protecting your data in transit to and from the service.
- When you take the security piece that Amazon owns and offers to every customer, and add it to the security that customers can implement you get a complete and compliant solution that meets the needs of the customers. This approach allows customers to focus on the level of security that is appropriate for their business. It also allows customers to focus more on how their applications function, how they are secured, and continuing to extend the areas that differentiate them as a business because they are relieved of a significant part of the overall security process.
- First of all, no matter who you are, you get to benefit from all the controls that AWS has put in place for the largest, most security sensitive organizations in the world. You get this at no extra cost, you don’t have to do anything to get this – it’s just all part of the service. Also, performing audits is a time consuming and expensive affair. We validate our environment against over 2400+ security controls – we also get audited by third parties. If you like to see the controls and how we are managing against them, you can request a copy of our SOC 2 report available to you under NDA. SOC 2 is a widely recognized reporting standard established by the American Institute of Certified Public Accountants. You have the flexibility to define what are the right set of security controls for your workload. More sensitive workloads will demand more stringent controls, less sensitive workloads will demand less. At the same time you remain in full control and have full ownership of your data. You decide where it goes, where it is stored, where it gets processed and how it gets transmitted.
- At AWS security is a top priority. We build our security program on many of the same tenets as you do. Our data centers are designed with the highest physical security requirements in mind, and access to those data centers is restricted to a very small number of individuals. In the same way you do, we lock down our network and systems, and have well defined processes and people controls to make sure our data centers operate in an efficient and secure manner. Our security measures have been driven by security experts from across our largest, most advanced customers, including Shell, NASDAQ, and GE, and have been validated by a wide range of security experts and accreditation bodies. These organizations with very high security standards set the bar for AWS security, but the great thing about security in AWS is that everyone gets to benefit from the security controls that we have put in place. Whether you are a small startup, a mid sized enterprise, or the largest company you get to take advantage of the security controls that we have put in place to satisfy Our pace of innovation, comprehensive security and compliance features, and the agility customers gain from our platform allows you to measurably improve your security program as you migrate from traditional IT delivery models.
- Cloud Service Provider or the user?
- At AWS, we strive to make security as familiar as what you are doing today. AWS offers tools for keeping track of and monitoring your AWS cloud resources, so you have instant visibility into your inventory as well as your user and application activity. We will discuss AWS CloudTrail in later module. With AWS Config service, you can easily discover all of your AWS resources and view the configuration of each. You can receive notifications each time a configuration changes as well as dig into the configuration history to perform incident analysis. We will discuss AWS Config in later module. AWS provides various options for encrypting data at rest and in transit. We will discuss in more detail about these options and services like AWS Key Management Service (KMS) and AWS CloudHSM in later modules.
- Rather than attempting to bolt-on security retroactively, SbD automates and enforces security best-practices throughout the AWS lifecycle. By completely automating all aspects of AWS deployment by leveraging services like CloudFormation, CodeCommit and CodeDeploy, security and compliance in the cloud can be made more efficient and ubiquitous.
- AWS provides a comprehensive set of tools and services to enable organizations to operate securely in the cloud, but making effective use of these technologies requires a calculated and formalized approach to incorporate secure design practices within every component in your AWS environment and the AWS environment itself.
- Instructor Notes: Intro and Overview Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. These workshop are designed to innovate and advance Technology Governance by providing a mechanism to effectively dominate governance through technology enablement. AWS customers will be empowered to drive security, compliance and audit assertions across their executives; board of directors and regulators through AWS technology innovations and partner ecosystem by ensuing Governance Automation in the cloud. Assimilate and leverage Shared Responsibly Model Understand and manage AWS Security Services Implement and design using AWS services through Security by Design strategies Manage, secure and audit the use of AWS services using real-time risk management processes Leverage the shared compliance across multiple security frameworks (e.g. PCI, HIPPA, NIST, ISO, SOC, etc.) Identify AWS services and tools to help automate, monitor, and manage security operations on AWS
- Phase 1 – Understand your requirements. Outline your policies, and then document the controls you inherit from AWS, document the controls you own and operate in your AWS environment, and decide on what security rules you want to enforce in your AWS IT environment. Phase 2 – Build a “secure environment” that fits your requirements and implementation. Define the configuration you require in the form of AWS configuration values, such as encryption requirements (forcing server side encryption for S3 objects), permissions to resources (which roles apply to certain environments), which compute images are authorized (based on hardened images of servers you have authorized), and what kind of logging needs to be enabled (such as enforcing the use of CloudTrail on all resources for which it is available). Since AWS provides a mature set of configuration options (with new services being regularly released), we provide some templates for you to leverage for your own environment. These security templates (in the form of AWS CloudFormation Templates) provide a more comprehensive rule set that can be systematically enforced. We have developed templates that provide security rules that conform to multiple security frameworks and leading practices. These pre-packaged industry template solutions are provided to customers as a suite of templates or as stand alone templates based on specific security domains (e.g. access control, security services, network security, etc.) Phase 3 – Enforce the use of the templates. Enable Service Catalog, and enforce the use of your template in the catalog. This is the step, which enforces the use of your “secure environment” in new environments that are being created, and prevents anyone from creating an environment that doesn’t adhere to your “secure environment” standard rules or constraints. This effectively operationalizes the remaining customer account security configurations of controls in preparation for audit readiness. Phase 4 – Perform validation activities. Deploying AWS through Service Catalog and the “secure environment” templates creates an audit- ready environment. The rules you defined in your template can be used as an audit guide. AWS Config allows you to capture the current state of any environment, which can then be compared with your “secure environment” standard rules. This provides audit evidence gathering capabilities through secure “read access” permissions, along with unique scripts, which enable audit automation for evidence collection. Customers will be able to convert traditional manual administrative controls to technically enforced controls with the assurance that, if designed and scoped properly, the controls are operating 100% at any point in time - versus traditional audit sampling methods or point-in-time reviews.
- Answers to many security and compliance questions can be found in the listed
- The standard business model is changing rapidly Companies used to be built for the long haul But now, success is powered by rapid-paced innovation and the ability to get disruptive products to market first You’re used to balancing resources between keeping things running and the development of new initiatives. But merely keeping the lights on doesn't differentiate you from your competitors. Meanwhile, you’re faced with a massive increase in cyber threats, globalization demands introducing new scale and complexity pressures a failure to engage IT in key technology investments Sources: Here's what your tech budget is being spent on, ZDNet, 11 November 2014 Where Do Firms Go When They Die?, The Atlantic, 12 April 2015 3. Gartner
- However, there is an opportunity to break free of your existing constraints. What if you could focus your attention and resources on differentiating your company in the marketplace? What if you could innovate at startup-like speed? And finally, what if you could dramatically reduce the risks inherent in your present infrastructure? If this is the working definition of success, let’s talk about how we’re going to achieve it.