This session dissects two public sector regulations (FERPA and CJIS) to demonstrate how you can use encryption when building on AWS to comply with regulatory requirements and enforce the principle of least privilege. Specifically, we cover how the AWS shared responsibility model offers an opportunity for you to keep regulated data private while taking advantage of the security, scalability, reliability, and innovation of the AWS Cloud.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scalable encryption: A key to public
sector compliance
Patrick J. Woods, DIT, CISM
Security Assurance Lead – US Public Sector
Amazon Web Services
G R C 3 4 2

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Why encrypt?
Encryption challenges using legacy technology
Background of CJIS and FERPA origins and requirements
How to leverage AWS KMS to achieve compliance and a more sophisticated
security posture

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data breaches since 2013 by the numbers1
Over 14.7 billion records have been lost or stolen
Nearly 6.3 million records every day
Statistically, over 260,000 records will be lost or stolen during this session
Of these incidents, only ~4 percent of incidents involve encrypted data
1- Breachliveindex.com

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryption security gains
Principle of least privilege
Limits exposure of regulated or sensitive data
Protection from outsiders, insiders, and third parties

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why organizations don’t encrypt
Encryption isn’t scalable across multiple disparate legacy technologies
Proper encryption demands efficient and strong key management

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
CJIS security policy
CJIS – Criminal Justice Information Services
Policies are written and voted on through the Advisory Policy Board (APB)
Policy is published annually by the FBI CJIS Division
Governance and enforcement is distributed
FBI CJIS Division
State CJIS system agencies
Local agencies
US Code of Federal Regulations, Title 28 Part 20

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
FERPA
Federal Educational Rights and Privacy Act
Oversight provided by the US Department of Education as well as state education
boards and agencies
US Code of Federal Regulations, Title 34 Part 99

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comparison
CJIS
Protected data:
• CHRI – Criminal History Record Information
• CJI – Criminal Justice Information
Applicability:
Applies to all agencies receiving protected data
from FBI CJIS
Data protection requirements:
• Hundreds of prescriptive controls
• Two paths relative to third parties
Audits:
Triennial audit cycles
FERPA
Protected data:
Education records
Applicability:
Applies to all educational agencies/
institutions receiving federal funding
Data protection requirements:
• No specific controls
• “Reasonable methods”
Audits:
Largely ad hoc

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comparison
CJIS
Access permitted for:
• Administration of criminal justice
• As authorized under state or federal law
• (IT support is an exception)
Encryption standard:
• FIPS 140-2 – In-transit
• FIPS 140-2 or FIPS 197 – At-rest
FERPA
Access permitted for:
• Parent/student review
• Legitimate educational interest
• (IT support is an exception)
Encryption standard:
No specific standard beyond
“reasonable measures”
Both CJIS and FERPA require technical controls to restrict the scope of who has access and contractual and
training requirements for those who must have access

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Third-party access – CJIS
Contractual/physical
Assumptions:
• The contractor has a legitimate operational
need to access the CJI in clear text to support
the authorized agency
• The data will be stored and transmitted in
clear text within the boundary of the CJIS-
defined “physically secure location”
Technical/logical
Assumptions:
• The contractor has no legitimate operational
need to know the CJI in clear text to support
the authorized agency
• The data will be stored and transmitted in an
encrypted state
CJIS provides two methods for data protection as it relates to the involvement of a third-party

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Third-party access – CJIS
Contractual/physical
Compliance requirements:
• Fingerprint-based background checks of all
contractor employees with “unescorted
access to unencrypted CJI” or access to the
“physically secure location”
• Annual or bi-annual security awareness
training for all contractor employees with
“unescorted access to unencrypted CJI” or
access to the “physically secure location”
• Physical security controls “sufficient to protect
CJI” with regular validation of the CJIS-defined
“physically secure location”
• Agreement/contract incorporating the CJIS
security addendum
Technical/logical
Compliance requirements:
• The data will be encrypted in-transit and at-
rest using CJIS-compliant encryption, and the
encryption keys will be managed by the
authorized agency or cleared partner
• Strong encryption becomes the primary data
protection control with any inherited physical
controls as secondary and complementary

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Third-party access – FERPA
Contractual/physical
Assumptions:
• The contractor has a “legitimate educational
interest” to access the educational data in
clear text to support the authorized
agency/institution
• The data will be stored and transmitted in
clear text
Technical/logical
Assumptions:
• The contractor has no “legitimate educational
interest” to access the educational data in
clear text to support the authorized
agency/institution
• The data will be stored and transmitted in an
encrypted state

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Third-party access – FERPA
Contractual/physical
Compliance requirements:
• “Reasonable measures” inclusive of
contractors and their personnel
• Security and awareness training
• Contract language establishing contractual
control for agency/institution
• Regular reviews of contractors to determine
compliance
Technical/logical
Compliance requirements:
• The data will be encrypted using strong
encryption, and the encryption keys will be
managed by the authorized agency or
authorized partner
• Strong encryption becomes the primary data
protection control with any inherited physical
controls as secondary and complementary

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Advantages to using scalable encryption to comply
Significantly reduces the number of personnel with access to your data
Demonstrates the adoption of best practice to protect data
Empowers you with control over your own compliance and security
Reduces compliance complexity

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Methods to encrypt on AWS
Bring your own encryption (client-side)
AWS Marketplace third-party providers
AWS native tools
With any of these methods, effective key management is essential

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Key Management Service (KMS)
Provides a secure, resilient, and scalable method to create and manage your own
encryption keys
Built on FIPS 140-2-validated hardware to meet the CJIS requirements
All access to the key is controlled by the agency or trusted partner, and all use is
tracked and auditable
Over 40 AWS services with direct AWS KMS integration
Integrate with your own applications through AWS Encryption SDK

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use case #1: Amazon DynamoDB (global scale DB)
DynamoDB integrates with AWS
KMS to support the encryption-
at-rest server-side encryption
feature

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use case #2: Manage application secrets

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
For more information on AWS KMS
https://aws.amazon.com/kms/

24. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Patrick Woods, DIT, CISM
woop@amazon.com