Security and Compliance in the Cloud - IPMA-WA
Source: ipma-wa.com/sites/default/files//page/2016/04/ipma...
![Page 1: Security and Compliance in the Cloud - IPMA-WAipma-wa.com/sites/default/files//page/2016/04/IPMA Amazon.pdfSecurity and Compliance in the Cloud IPMA 2016. ... RDS for MySQL Amazon](https://reader031.vdocuments.site/reader031/viewer/2022022008/5ade0c077f8b9a9d4d8e0d5b/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Curtis Bray, Manager, Solutions Architecture, AWS Worldwide Public Sector
May 17, 2016
Security and Compliance in the Cloud
IPMA 2016
Agenda
• Cloud computing overview
• Security by Design
  • Golden Environments
  • User security models
• Using AWS services to meet compliance goals
• HIPAA and CJIS on AWS
Many Forms of Compliance
AWS Global Infrastructure
12 Regions
32 Availability Zones
54 Edge Locations
With AWS, Security Is a Shared Responsibility
Customers concentrate on systems and apps while AWS manages infrastructure.
AWS manages:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customers manage:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Proper service configuration
• AuthN and account management
• Authorization policies
Together: more secure and compliant systems than any single entity could normally achieve on its own.
Security expertise is a scarce resource; AWS oversees the big picture, letting your security team focus on a subset of overall security needs.
Security by Design – SbD
Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensuring security: instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
Supporting services: CloudTrail, CloudHSM, IAM, KMS, Config
Impact of Security by Design
SbD – Scripting your governance policy
Result: Reliable technical implementation of administrative controls
SbD—modernizing tech governance
Phase 1 – Understand your Requirements
• Identify regulatory requirements
• Document desired security controls and responsibilities
Phase 2 – Build a Secure Environment
• Create Templates
• Build Golden Image(s)
Phase 3 – Enforce the use of Templates
• Enforce Security Controls
• Enable Service Catalog
Phase 4 – Validation
• Continuously monitor
• Audit and certify
SbD—rationalize security requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally.
https://www.cisecurity.org/
The benchmarks are:
• Recommended technical control rules and values for hardening operating systems, middleware and software applications, and network devices.
• Distributed free of charge by CIS in PDF format.
• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
SbD—automate security operations
Automate deployments, provisioning, and configurations of the AWS customer environments.
Diagram labels: CloudFormation – Template, Stack (Instances, Apps, Resources) – Design, Package, Deploy; AWS Service Catalog – Products, Portfolios – Constrain; IAM – Set Permissions.
Golden code: Security translation to AWS
What you do in any IT environment:
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest
AWS JSON translation:
• Gold image, NTP, and NAT
• Network ACLs, subnets, firewall rules
Create a golden environment
• Create a gold OS image
• Configure use of AWS services, for example:
Amazon S3
• Force SSE
• Turn on logging
• Specify retention
• Set Amazon Glacier archiving
• Prevent external access
• Specify overriding permissions
• Set event notifications
Amazon EBS
• Define volume type
• Volume size limits
• IOPS performance (input/output)
• Data location – regions
• Snapshot (backup) ID
• Encryption requirements
Amazon Redshift
• Cluster type (single or multi)
• Encryption (KMS or HSM)
• VPC location
• External access (yes/no)
• Security groups applied
• Create SNS topic
• Enforce Amazon CloudWatch alarms
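A pre-deployment check of the kind a golden environment implies, written here as an added Python example (not code from the slides or from AWS): it walks a CloudFormation template and reports S3 buckets and EBS volumes that miss the controls listed above. The approved volume types and the sample template are assumptions made for the example.

```python
"""Pre-deployment check of a CloudFormation template against the golden
environment rules on this slide. The sample template below is constructed."""
import json

ALLOWED_VOLUME_TYPES = {"gp2", "io1"}   # assumed approved EBS volume types

def _s3_findings(name, props):
    out = []
    if "BucketEncryption" not in props:          # "Force SSE"
        out.append(f"{name}: server-side encryption (SSE) not forced")
    if "LoggingConfiguration" not in props:      # "Turn on logging"
        out.append(f"{name}: access logging not turned on")
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    if not any(t.get("StorageClass") == "GLACIER"   # "Set Glacier archiving"
               for r in rules for t in r.get("Transitions", [])):
        out.append(f"{name}: no Glacier archiving transition")
    pab = props.get("PublicAccessBlockConfiguration", {})   # "Prevent external access"
    if not (pab.get("BlockPublicAcls") and pab.get("RestrictPublicBuckets")):
        out.append(f"{name}: external (public) access not prevented")
    return out

def _ebs_findings(name, props):
    out = []
    if props.get("Encrypted") is not True:       # "Encryption requirements"
        out.append(f"{name}: EBS volume not encrypted")
    if props.get("VolumeType") not in ALLOWED_VOLUME_TYPES:   # "Define volume type"
        out.append(f"{name}: volume type {props.get('VolumeType')!r} not approved")
    return out

CHECKS = {"AWS::S3::Bucket": _s3_findings, "AWS::EC2::Volume": _ebs_findings}

def check_golden_template(template):
    """Return findings for every checked resource; an empty list means compliant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

SAMPLE_TEMPLATE = json.loads("""{"Resources": {
 "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
   "BucketEncryption": {"ServerSideEncryptionConfiguration": [
     {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
   "LoggingConfiguration": {"DestinationBucketName": "log-bucket"},
   "LifecycleConfiguration": {"Rules": [{"Status": "Enabled",
     "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 90}]}]},
   "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
     "RestrictPublicBuckets": true}}},
 "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
 "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"AvailabilityZone": "us-west-2a",
   "Size": 800, "VolumeType": "standard", "Encrypted": false}}}}""")

if __name__ == "__main__":
    for finding in check_golden_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Running the block lists four findings for BadBucket and two for DataVolume, and none for GoodBucket.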
AWS Identity and Access Management (IAM)
• Allows fine-grained access control to AWS
• Implement a role-based access model
• Use Multi-Factor Authentication devices
• Supports federation for SSO with your existing directory
  • Active Directory
  • Any SAML-compliant identity provider
Demo: IAM permission
Who has access to a particular resource? Per-user Read/Write/List permissions on two example resources (network resource, server resources), mapped to AWS permissions:

Read Write List
Bob ✓ ✓ ✓
Doug ✓ ✓ ✓
Jim ✓ ✓
Sara ✓

Read Write List
Bob ✓ ✓ ✓
Larry ✓
Sam ✓ ✓

Demo: IAM overview
• Users, groups, and roles
• User settings
• Default IAM policies
• Custom IAM policies
• Account settings
• Roles versus users
AWS Service Catalog
• Allows administrators to create and manage approved Portfolios of resources (products) that end users can access via a personalized portal.
• An AWS Service Catalog product is a deployable AWS CloudFormation template.
Provisioning Team creates and manages Service Catalog
Products built from CloudFormation Templates
Grant permissions to use AWS Service Catalog
• Workload owners can deploy templates and nothing more
Main.json CloudFormation Template, plus additional CloudFormation Templates
AWS Service Catalog constraints specify IAM role used only for template deployment
Workload owner with limited IAM permissions
Demo: AWS Service Catalog
Demo will include:
• CloudFormation templates enforcement
• Portfolios
• Products
• Permissions (IAM)
• Create/deploy
• User launch
• Constraints
• Tags
Closing the loop: AWS Config
• AWS Config continuously monitors your environment for changes to objects and security policies
• AWS Config Rules: a sweeping check of whether your security design is deployed in existing environments
• Accurate, complete audit
AWS Config Rules
How AWS Config Rules can be used to audit any environment
Diagram labels: Config Rule, Config results
Demo: AWS Config Rules
Demo will include:
• Account configuration
• Rule creation
• Public rule repository
AWS HIPAA Program
• Strong presence in healthcare and life sciences from our roots
• Business Associates and the January 2013 Omnibus Final Rule
• Started signing Business Associate Agreements (BAA) in Q2 2013
• Program is based on Shared Security Responsibility Model
AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP Authorizations
AWS HIPAA Eligible Services
• Customers may use all services within a “HIPAA Account”
• Customers may process, store, or transmit ePHI using only Eligible Services.
Eligible Services shown: EC2, Elastic Load Balancing, S3, EBS, Amazon Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS for MySQL, Amazon RDS for Oracle, Amazon EMR
AWS BAA configuration requirements
• Customers must encrypt ePHI in transit and at rest.
• Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.
• Customers must record and retain activity related to use of and access to ePHI.
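An added Python example (not code from the slides or from the aws-config-rules repository) showing how a custom rule of the kind the AWS Config Rules slides describe would audit two of these BAA requirements: EC2 instances holding ePHI must run as Dedicated Instances, and EBS volumes holding ePHI must be encrypted. The DataClassification=ePHI tag, the resource IDs and the configuration items are constructed for the example.

```python
"""Custom AWS Config Rule evaluator in the event shape used by the
aws-config-rules repository. It audits two BAA requirements from this slide:
EC2 instances holding ePHI must be Dedicated Instances and EBS volumes holding
ePHI must be encrypted. The DataClassification=ePHI tag is an assumed convention."""
import json

EPHI_TAG = ("DataClassification", "ePHI")   # assumed tagging convention

def evaluate_compliance(ci):
    """Return (compliance_type, annotation) for one configuration item."""
    if ci.get("tags", {}).get(EPHI_TAG[0]) != EPHI_TAG[1]:
        return "NOT_APPLICABLE", "resource is not tagged as holding ePHI"
    cfg = ci.get("configuration", {})
    if ci["resourceType"] == "AWS::EC2::Instance":
        tenancy = cfg.get("placement", {}).get("tenancy")
        if tenancy == "dedicated":
            return "COMPLIANT", "ePHI instance runs on dedicated tenancy"
        return "NON_COMPLIANT", f"tenancy is {tenancy!r}; BAA requires dedicated"
    if ci["resourceType"] == "AWS::EC2::Volume":
        if cfg.get("encrypted") is True:
            return "COMPLIANT", "ePHI volume is encrypted at rest"
        return "NON_COMPLIANT", "ePHI volume is not encrypted at rest"
    return "NOT_APPLICABLE", f"rule does not cover {ci['resourceType']}"

def lambda_handler(event, context=None):
    """Config delivers the changed resource inside invokingEvent (a JSON string).
    A deployed rule would pass the result to config.put_evaluations(); it is
    returned here so the logic runs offline without boto3."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(ci)
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

def make_event(ci):
    """Wrap a configuration item the way Config's change notification does."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
            "messageType": "ConfigurationItemChangeNotification"})}

# Constructed configuration items (shape follows Config's change notifications)
SAMPLE_INSTANCE = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example01",
    "configurationItemCaptureTime": "2016-05-17T10:00:00.000Z",
    "tags": {"DataClassification": "ePHI"},
    "configuration": {"placement": {"tenancy": "default"}}}
SAMPLE_VOLUME = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example01",
    "configurationItemCaptureTime": "2016-05-17T10:00:00.000Z",
    "tags": {"DataClassification": "ePHI"},
    "configuration": {"encrypted": True}}

if __name__ == "__main__":
    for item in (SAMPLE_INSTANCE, SAMPLE_VOLUME):
        print(json.dumps(lambda_handler(make_event(item)), indent=2))
```

The sample instance is reported NON_COMPLIANT (default tenancy) and the sample volume COMPLIANT; untagged resources are NOT_APPLICABLE, so the rule only constrains what is declared to hold ePHI.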
AWS GovCloud (US) is…
An isolated region of the AWS Cloud…
… intended for customers with strict regulatory and compliance needs and sensitive data/workloads.
Launched in August 2011 to meet needs of US Government customers and companies subject to ITAR regulation.
AWS GovCloud (US) features
Dedicated GovCloud Management Console
Separate AWS IAM and authentication
Located in Pacific NW (Oregon)
Data, network, and machine isolation from other regions
AWS GovCloud (US) features
“Community Cloud” with vetted account holders who are US persons
Multiple regulatory and compliance features
Managed by US persons on US soil
AWS GovCloud (US) compliance differentiation
Addresses regulatory and compliance requirements
• FIPS 140-2 validated cryptographic endpoints for services
• VPC mandatory for all customers/accounts
Certifications and accreditations
Same as other Regions, plus…
• FedRAMP Agency ATO (Moderate level)
• ITAR, CJIS and HIPAA compliant
• DoD Security Requirements Guide (SRG) Levels 2 and 4
Additional Resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper
• https://aws.amazon.com/compliance/security-by-design/
CIS Benchmarks
• http://tinyurl.com/cisaws100
AWS Config Rules Repository
• https://github.com/awslabs/aws-config-rules
Q & A
Remember to complete your evaluations!
Please visit AWS at booth 17 in the Vendor Pavilion