security assurance and governance in aws (sec203) | aws re:invent 2013

Post on 15-Jan-2015


DESCRIPTION

With the rapid increase in the complexity of managing security for distributed IT and cloud computing, security and compliance managers can innovate in how they ensure that a high level of security is practiced in managing AWS resources. In this session, Chad Woolf, Director of Compliance for AWS, will discuss which AWS service features can be leveraged to achieve a high level of security assurance over AWS resources, giving you more control over the security of your data and preparing you for a wide range of audits. Attendees will also learn first-hand what some AWS customers have accomplished by leveraging AWS features to meet specific industry compliance requirements.

TRANSCRIPT

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Security Assurance and Governance in AWS

Chad Woolf, Director, AWS Risk and Compliance

November 13, 2013

Better Security in the Cloud

“…We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”

- Security’s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013

Better Security in AWS

Security of the Cloud (managed by AWS): Cross-service Controls and Service-specific Controls, i.e., the Cloud Service Provider Controls

Security in the Cloud (managed by Customer): Network/OS/App Controls, Optimized

Request reports at: aws.amazon.com/compliance/#contact

Governance, Security, Compliance Enablers

Governance in AWS:

• AWS Security Best Practices

• AWS Auditing Security Checklist

• AWS Risk and Compliance

• AWS Compliance Forum

• AWS Trusted Advisor

Security at Scale: Governance in AWS

1. Financial Control

2. IT Asset Identification

3. Asset Configuration and Management

4. Logical Access Control

5. Physical Access Control

6. Data Encryption

7. Network Configuration and Management

8. Security Logging and Monitoring

9. Security Incident Response

10. Disaster Recovery

Get this whitepaper at: aws.amazon.com/compliance/

Examples

Governance Domain: 8. Security Logging and Monitoring

On-prem Challenge: Centralized logging of user actions taken against a set of IT resources

AWS Enabler: AWS CloudTrail - provides logging of API or console actions (e.g., logs when someone changes a bucket policy, stops an instance, etc.)

Control Provided: Advanced monitoring capabilities of actions taken and changes made

Governance Domain: 10. Disaster Recovery

On-prem Challenge: Producing point-in-time, usable incremental backups

AWS Enabler: EBS Snapshots - point-in-time full volume copies of Amazon EBS data into persistent storage of Amazon S3

Control Provided: Anytime incremental point-in-time backup of server data
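The table above says CloudTrail records API and console actions such as a bucket policy change or an instance stop; the monitoring value comes from reading those records and flagging the ones that matter. The script below is an added example written for this page, not AWS code or anything from the talk. It parses a CloudTrail log batch in the documented JSON layout (a top-level "Records" list, each record carrying eventTime, eventSource, eventName, userIdentity, sourceIPAddress and requestParameters) and flags a small watchlist of high-impact, real API names. The watchlist itself and the four records are constructed for the example; the log is not captured from any real account.

```python
"""Flag high-impact changes in a CloudTrail log batch (added example, not AWS code)."""
import json
from collections import Counter

# Constructed sample in CloudTrail's JSON layout: a "Records" list of events.
# Every value below is invented for this example.
SAMPLE_LOG = json.dumps({
    "Records": [
        {"eventTime": "2013-11-13T17:01:22Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutBucketPolicy",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "sourceIPAddress": "203.0.113.10",
         "requestParameters": {"bucketName": "example-audit-logs"}},
        {"eventTime": "2013-11-13T17:04:05Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "StopInstances",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "sourceIPAddress": "198.51.100.7",
         "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
        {"eventTime": "2013-11-13T17:05:40Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances",  # read-only, should not be flagged
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "sourceIPAddress": "198.51.100.7",
         "requestParameters": None},
        {"eventTime": "2013-11-13T17:09:13Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "DeleteTrail",
         "userIdentity": {"type": "Root"},  # root identity carries no userName
         "sourceIPAddress": "192.0.2.44",
         "requestParameters": {"name": "management-trail"}},
    ]
})

# Assumed watchlist: real API names, chosen here as the changes an auditor
# most wants to see (the two from the slide plus a few that affect the
# audit trail itself). Extend to taste.
WATCHED_EVENTS = {
    "PutBucketPolicy": "bucket policy changed",
    "DeleteBucketPolicy": "bucket policy removed",
    "StopInstances": "instance stopped",
    "TerminateInstances": "instance terminated",
    "DeleteTrail": "audit trail deleted",
    "StopLogging": "audit logging stopped",
}


def actor_of(record):
    """Return the IAM user name, or the identity type when no user name is present."""
    identity = record.get("userIdentity") or {}
    return identity.get("userName") or identity.get("type", "unknown")


def resource_of(record):
    """Pull the affected resource out of requestParameters for the services we watch."""
    params = record.get("requestParameters") or {}
    if "bucketName" in params:
        return params["bucketName"]
    items = (params.get("instancesSet") or {}).get("items") or []
    if items:
        return ",".join(item.get("instanceId", "?") for item in items)
    if "name" in params:
        return params["name"]
    return "-"


def flag_events(log_text):
    """Parse a CloudTrail batch and return one finding per watched event, in log order."""
    records = json.loads(log_text).get("Records", [])
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": actor_of(rec),
            "ip": rec.get("sourceIPAddress"),
            "event": name,
            "resource": resource_of(rec),
            "reason": WATCHED_EVENTS[name],
        })
    return findings


def summarize_by_actor(findings):
    """Count flagged changes per actor; a review queue for the governance owner."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    found = flag_events(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['actor']:<8} {f['ip']:<15} {f['event']:<18} "
              f"{f['resource']:<24} {f['reason']}")
    print("per actor:", dict(summarize_by_actor(found)))
```

Run against a real batch, the same loop reads the gzipped JSON files CloudTrail delivers to the S3 bucket; the point of the example is that the record layout is uniform across services, so one parser covers bucket-policy edits, instance stops and changes to the trail itself.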


Scaling Security

AWS Compliance Forum

Join the AWS Compliance Forum by emailing us at: awscompliance@amazon.com

Governance Tool: AWS Trusted Advisor

• Online service from AWS Support

– Analyzes account for various kinds of issues and possible concerns

– Soon available as an API for integration with your tools or 3rd party solutions

• Four categories:

– Cost savings

– Security

– Fault tolerance

– Performance

Innovative Governance Tool: AWS Trusted Advisor

Since 1/1/2013:

• 10,000 + customers

• 700,000 recommendations reviewed

• $140M in annualized savings

Learn more about Trusted Advisor at: https://aws.amazon.com/premiumsupport/trustedadvisor/

Compliance Case Studies

Case: Pegasystems

Company: Provides software for business process management, CRM, and case management

Challenge: Pega tech is used cross-functionally across the healthcare industry; all data is considered PHI

Results: Pega and their customers are HIPAA compliant on AWS

Case: NASDAQ FinQloud

Company: Provides products and services to manage the entire life cycle of a trade

Challenge: Securely storing and managing vast amounts of data with strict compliance requirements

Results: NASDAQ and FinQloud customers meet stringent SEC 17a-4 requirements for financial record retention

Case: Cognia

Company: Global communications platform for call centers to capture communications data

Challenge: Must comply with PCI DSS so their customers can process payment card data on the platform

Results: PCI certified on AWS

AWS: centralized security controls - visible, testable, automated

Resource Links

AWS Compliance site - provides AWS Compliance Forum links, descriptions of audit reports available, contact links, and relevant whitepapers
http://aws.amazon.com/compliance/

AWS Security Center – provides links to a detailed whitepaper on how we manage security at AWS and provides links to contact AWS Security
http://aws.amazon.com/security/

AWS Security Blog – posts contain security best practices for AWS services, how-to guides, compliance milestones, and customer and partner stories
http://blogs.aws.amazon.com/security/

AWS Trusted Advisor - information on the tool, the nature of the checks, and how to access it
https://aws.amazon.com/premiumsupport/trustedadvisor/

Case studies – features of a wide range of companies doing amazing things on AWS
http://aws.amazon.com/solutions/case-studies/all/

Recommended Sessions

• SEC402 - Intrusion Detection in the Cloud

• SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region

• ARC308 - Architecting for End-to-End Security in the Enterprise

• SEC306 - Implementing Bullet-Proof HIPAA Solutions on AWS

• SEC206 - Taking the Fear Out of PCI DSS Compliance in the Cloud

• ENT206 - Using AWS Enterprise Support to the Fullest

• SEC201 - Overview of AWS Identity and Access Management (IAM)

“Come talk security with AWS” Event - between 4 and 6pm on Thursday in Toscana 3605.

Please give us your feedback on this presentation.

As a thank you, we will select prize winners daily for completed surveys!

SEC203
