aws webcast - aws compliance forum introduction

AWS INTERNAL ONLY © 2013 Amazon Web Services, Inc. and its affiliates. All rights reserved. AWS Compliance Forum Introduction, October 22, 2013 Session

Upload: amazon-web-services

Post on 07-Sep-2014


DESCRIPTION

Amazon Web Services (AWS) has developed a customer compliance forum to facilitate in-depth compliance discussions between you and AWS Compliance. The webinar focuses on the AWS shared responsibility security model and how your organization can achieve security and compliance in its use of AWS services. This initial AWS Compliance Forum webinar will provide an overview of AWS compliance programs, use cases, and the compliance verticals AWS can support, both through current certifications and attestations (e.g., PCI, SOC, FedRAMP, and ISO) and through use cases for workloads subject to Life Sciences, Financial Services, and state/federal government compliance requirements. From there we will discuss the goals of the AWS Compliance Forum and plans for future webinars and small-group compliance discussions.

TRANSCRIPT

Page 1: AWS Webcast - AWS Compliance Forum Introduction

AWS INTERNAL ONLY © 2013 Amazon Web Services, Inc. and its affiliates. All rights reserved.

AWS Compliance Forum Introduction

October 22, 2013

Session

Page 2: AWS Webcast - AWS Compliance Forum Introduction


Your cloud compliance comfort and the AWS Compliance Forum tenets

AWS Compliance Forum tenets:
• Connect you with AWS specialists
• Connect you with other AWS customers
• Provide you with industry/standard-specific compliance resources

Your cloud compliance comfort (poll results):
• Not comfortable: 23%
• Somewhat comfortable: 65%
• Very comfortable: 12%

Page 3: AWS Webcast - AWS Compliance Forum Introduction


Delivering on the AWS Compliance Forum tenets

What you shared / How we plan to meet your needs

97% of you want to connect with AWS specialists on how to architect your environment for compliance
Who:
• AWS Security Solutions Architects
• AWS Compliance Architects
• AWS Security, Risk, Compliance consultants
How:
• Case studies
• Use-case reference architectures
• Discussion groups

98% want to connect with other AWS customers navigating compliance in the cloud
Who:
• Customers in your industry
• Customers pursuing similar compliance certifications
How:
• Small discussion groups based on industry and/or certification
• ‘Anonymized’ stories about successes and challenges

99% want to learn how to interpret and implement your specific control requirements in the cloud
Who:
• AWS Compliance Architects
• AWS Security, Risk, Compliance consultants
How:
• One-on-one connection points between you and AWS
• Use-case reference architectures

Page 4: AWS Webcast - AWS Compliance Forum Introduction


Which are you most interested in?

A. Connecting with an AWS Security Solutions Architect

B. Connecting with an AWS Compliance Architect

C. Connecting with an AWS Security, Risk and Compliance professional services consultant

Page 5: AWS Webcast - AWS Compliance Forum Introduction


Sample of Industries Using AWS

http://aws.amazon.com/solutions/case-studies/all/

Page 6: AWS Webcast - AWS Compliance Forum Introduction


Dutch National Bank – A Key Milestone for the Cloud

Page 7: AWS Webcast - AWS Compliance Forum Introduction


Security is a Shared Responsibility

Managed by AWS (AWS Global Infrastructure):
• Virtualization Layer
• Compute Infrastructure
• Storage Infrastructure
• Network Infrastructure
• Facilities Physical Security

Managed by Customer:
• Customer Data
• Users and Roles
• Account Management
• Applications
• Firewalls
• Network Configuration
• Guest Operating System

Page 8: AWS Webcast - AWS Compliance Forum Introduction


Building a Robust Program – Understand your Cloud Boundary

What services are you using? For example:
• Amazon EC2
• Route 53
• Amazon VPC
• Amazon S3
• Amazon EBS
• DynamoDB

What is the Business Case / Use Case? For example:
• Big Data Analytics
• High performance Compute
• Sensitive Data Archiving & Storage
• Web Applications

Page 9: AWS Webcast - AWS Compliance Forum Introduction


Building a Robust Program – Your Control Set

Managed by AWS (Compliance of the Cloud):
• Cloud Service Provider Controls

Managed by Customer (Compliance in the Cloud):
• Cross-service Controls
• Service-specific Controls
• Optimized Network/OS/App Controls

Page 10: AWS Webcast - AWS Compliance Forum Introduction


Compliance of the Cloud – CSP Controls

Internal Controls + Industry Standards: Identify All Controls

Validate CSP Controls


Page 11: AWS Webcast - AWS Compliance Forum Introduction


Compliance in the Cloud – Cross Service Controls

IAM

Control Implementation Guidance

Multi-factor authentication must be used to secure IAM users

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html


Page 12: AWS Webcast - AWS Compliance Forum Introduction


Compliance in the Cloud – Service-specific Controls

Amazon S3

Control Implementation Guidance

Server Side Encryption (SSE) is enabled for all objects classified per [customer] data classification policy as Confidential.

http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

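The two customer-managed control statements on slides 11 and 12 (MFA for IAM users, and SSE for S3 objects classified Confidential) can be turned into repeatable checks that produce audit evidence. The following is an added example, not code from the AWS deck; it assumes the column layout of the IAM credential report and a hypothetical `classification` object tag, and runs on constructed sample data:

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout (the report that
# `aws iam get-credential-report` returns); columns after access_key_1_active
# are omitted because the check does not read them.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2013-01-01T00:00:00+00:00,not_supported,2013-10-01T00:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2013-02-01T00:00:00+00:00,true,2013-10-20T00:00:00+00:00,2013-02-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2013-03-01T00:00:00+00:00,true,2013-10-21T00:00:00+00:00,2013-03-01T00:00:00+00:00,N/A,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2013-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed S3 object inventory: "sse" mirrors the ServerSideEncryption value a
# HeadObject call reports (None when the object is stored unencrypted), and
# "classification" is a hypothetical tag standing in for the customer's policy.
S3_OBJECTS = [
    {"bucket": "example-finance", "key": "q3/ledger.csv", "classification": "Confidential", "sse": "AES256"},
    {"bucket": "example-finance", "key": "q3/notes.txt", "classification": "Confidential", "sse": None},
    {"bucket": "example-web", "key": "static/logo.png", "classification": "Public", "sse": None},
    {"bucket": "example-finance", "key": "q3/payroll.csv", "classification": "confidential", "sse": None},
]
ACCEPTED_SSE = {"AES256", "aws:kms"}  # SSE-S3 and SSE-KMS header values

def iam_users_without_mfa(report_csv):
    """Cross-service control: every identity that can sign in with a password
    must have an MFA device. Root reports password_enabled as 'not_supported'
    but always has a console password, so it is treated as password-enabled.
    Users with no console password (deploy-bot) are not flagged: MFA does not gate access keys."""
    failing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            failing.append(row["user"])
    return failing

def confidential_objects_without_sse(objects):
    """Service-specific control: objects classified Confidential must be stored
    with server-side encryption. Classification is compared case-insensitively
    so a tagging typo cannot hide an object from the check."""
    return [f"{o['bucket']}/{o['key']}" for o in objects
            if o["classification"].lower() == "confidential"
            and o.get("sse") not in ACCEPTED_SSE]

if __name__ == "__main__":
    print("IAM-MFA failing:", iam_users_without_mfa(CREDENTIAL_REPORT))
    print("S3-SSE failing:", confidential_objects_without_sse(S3_OBJECTS))
```

Both checks are detective; the preventive counterpart for the S3 control is a bucket policy that denies PutObject requests lacking the x-amz-server-side-encryption header.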

Page 13: AWS Webcast - AWS Compliance Forum Introduction


Compliance in the Cloud – Traditional, AWS Optimized

Control Implementation Guidance

1. Harden machine images

2. Use an approved OS image

[Customer] Server Secure hardening rules

Optimized by AWS: Share Private AMIs
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html


Page 14: AWS Webcast - AWS Compliance Forum Introduction


Scaling Security in Growth

Page 15: AWS Webcast - AWS Compliance Forum Introduction


Scaling Security in Scope

On-boarded Service:
• Cloud Service Provider Controls
• Cross Service Security Controls
• Service Specific Controls
• Network/OS/App Controls

New Service Assessment:
• Cloud Service Provider Controls
• Cross Service Security Controls
• Service Specific Controls
• Network/OS/App Controls
• New service specific Control
• New Network/OS/App Control

Page 16: AWS Webcast - AWS Compliance Forum Introduction


Additional Resources

• Available at aws.amazon.com/compliance
  – AWS Risk & Compliance Whitepaper
  – AWS Auditing Security Checklist for AWS

• Available at aws.amazon.com/security
  – AWS Security Whitepaper

Page 17: AWS Webcast - AWS Compliance Forum Introduction


Key Takeaways

1. Global companies are innovating on AWS with regulated data.

2. You can be more secure in the AWS cloud by:
   a. Using the secure AWS cloud infrastructure
   b. Using the automated software controls AWS services provide

3. Layered assurance provides an effective approach to cloud security

Page 18: AWS Webcast - AWS Compliance Forum Introduction


What’s next?

Compliance-requirement-specific webinars with AWS specialists

Segmenting industry-specific discussion groups with other AWS Compliance Forum customers

Compliance-requirement-specific and industry-specific control mapping workbooks

Page 19: AWS Webcast - AWS Compliance Forum Introduction


Copyright © 2013 Amazon Web Services, Inc. and its affiliates. All rights reserved.

This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc.

Commercial copying, lending, or selling is prohibited.

Questions? Email us at [email protected]