Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AWS re:Invent 2013
DESCRIPTION
This session covers the shared responsibility model for security and compliance specific to the AWS GovCloud (US) region. This presentation highlights the enhanced security offerings of AWS GovCloud (US), such as FIPS-140 Level 2 encryption, as well as the supported compliance regimes. It also reviews how our customers can build secure applications in GovCloud using the various security features such as IAM and VPC. This presentation also offers a brief overview of FedRAMP, explains the shared responsibility model through customer use cases, and covers how customers can obtain an Authority to Operate.
TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
CJ Moses, GM – AWS Global Cloud Solutions
Chris Gile, Manager - AWS Federal Compliance Programs
Jennifer Gray - Federal Cloud Lead - HHS Enterprise Cloud Architect
Tom Soderstrom - CTO, Jet Propulsion Laboratory
November 13, 2013
AWS GovCloud (US)
• The AWS Government Community Cloud for vetted U.S. Government and U.S. commercial entities with ties to U.S. Government functions and services
• Built with U.S. government customers in mind and appropriate for:
– U.S. Government agencies – US Federal, state and local entities
– U.S. Government contractors, systems integrators, and FFRDCs
– U.S. Companies with IT regulatory requirements
• Designed to allow U.S. government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
– Appropriate for Controlled Unclassified Information (CUI) or Unclassified data and workloads
AWS GovCloud (US)
• Data stays in CONUS – Region located in the Pacific Northwest
• Only approved AWS U.S. Persons have access to restricted areas, networks, and systems for administration
• AWS managed account provisioning; each potential customer is vetted to ensure they are a U.S. entity and not prohibited or restricted from exporting or from providing services by the U.S. government
• Data, Network and Machine Isolation
– Mandatory virtual private cloud (Amazon VPC) segregation for all customers, which offers an additional layer of isolation and protection
– Separate, isolated credentials database (AWS IAM)
– FIPS 140-2 hardware for endpoints and VPN
FedRAMP Overview
• FedRAMP Overview
• AWS FedRAMP Program
• Shared Responsibility Model & Achieving Compliance with AWS
FedRAMP Overview
• OMB mandated FedRAMP compliance for government agencies using CSPs
• Government-wide program standardizing CSP security assessments
• Four approaches for CSPs to demonstrate compliance supporting agency needs
• All FedRAMP package types in FedRAMP repository can be leveraged by USG agencies
AWS’ FedRAMP Program
• Agency ATOs (2) granted by HHS May ’13 covering:
– US East/West and GovCloud (US) Regions
– EC2, S3, EBS, VPC, and IAM services (more on the way!)
– Reviewed by HHS, CDC, NIH, & FDA
– FedRAMP-accredited 3PAO assessed AWS against all 297 Moderate FedRAMP controls
• Subsequent federal agency ATOs granted based on AWS FedRAMP packages
– Our Agency ATOs can be leveraged by any customer
AWS’ FedRAMP Program
• Request AWS FedRAMP package via FedRAMP PMO or directly from AWS
• So how do you achieve compliance using the AWS FedRAMP package?
Security is a Shared Responsibility
• Managed by AWS – Compliance of the Cloud: Cross-service Controls and Service-specific Controls (Cloud Service Provider Controls)
• Managed by Customer – Compliance in the Cloud: Optimized Network/OS/App Controls
Security is a Shared Responsibility
Managed by Customer:
• Customer Data
• Users and Roles
• Account Management
• Applications
• Firewalls
• Network Configuration
• Guest Operating System
• Customers implement their own set of controls (shared controls)
• Customers document their implementation of controls in SSP
• Customers conduct 3PAO assessment
• Multiple customers with Low/Mod ATOs
• Customers tell us High ATOs possible
Managed by AWS:
• Virtualization Layer
• Compute Infrastructure
• Storage Infrastructure
• Network Infrastructure
• Facilities Physical Security
• AWS Global Infrastructure
• Payment Card Industry (PCI) Data Security Standard Level 1
• NIST 800-53 Controls & multiple ATOs; FedRAMP
• DoD Compliant Controls and multiple DIACAP ATOs
• SSAE 16 Types 1 & 2 (SAS 70)
• ISO 27001/2 Certification
• HIPAA and ITAR Compliant
Useful Links & Resources
• AWS FedRAMP Package for AWS GovCloud (US) Region
• AWS FedRAMP SSP Template
• http://aws.amazon.com/compliance
• http://aws.amazon.com/compliance/#whitepapers
• http://aws.amazon.com/compliance/fedramp-faqs
• http://aws.amazon.com/security
• http://aws.amazon.com/documentation
Office of the Chief Information Officer, U.S. Department of Health and Human Services
HHS Use Case: Agency FedRAMP ATO Experience
Jennifer Gray
Key Drivers
• HHS Cloud Strategy
• FedRAMP Policy Memo (OMB Policy Memo December 8, 2011)
• Existing HHS Cloud Systems using AWS environment
• HHS FedRAMP Standard Operating Procedures
Build Effective Team
• OCIO Senior Leadership
• HHS OIS Security Cloud Security Team
• Operational Divisions (FDA, NIH, CDC, OS)
• FedRAMP Program Management Office
• Amazon Web Services (AWS) Risk & Compliance Team
• 3PAO (Veris Group)
Diagram: HHS OIS Cloud Security Team working with FDA, NIH, CDC, AWS (CSP), and the FedRAMP PMO
HHS FedRAMP Security Authorization Process
• Agency-wide FedRAMP Standard Operating Procedures
• Released through the HHS CISO
• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
HHS FedRAMP AWS Authorization Process
AWS Achieves HHS FedRAMP ATO
• FedRAMP Complete - May 20, 2013
• Worked with HHS FedRAMP Team to ensure standard process aligns with FedRAMP PMO expectations
• Consistent with FedRAMP CONOPs.
• Includes details about initial documentation as well as periodic updates
Key Lessons Learned
• Senior Management Sponsorship
• Merge FedRAMP process into existing security assessment and authorization processes
• Ensure all security artifacts are provided at least one week prior to reviews
• Develop full project schedule with all key stakeholders in advance
• Develop FAQ post ATO
• Collect resource metrics for future planning
SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
Tom Soderstrom, Jet Propulsion Laboratory
November 13, 2013
Agenda
1. JPL’s Journey
2. JPL’s Results
3. JPL’s Future
1. JPL’s Journey
Why Cloud Computing?
Increased demand for IT. Cloud computing promised:
• Additional, powerful options for IT
• Increased compute and storage capability
• Faster speed to market
• Lowering unit IT costs
• One size does not have to fit all
• Computing as secure as we have today
• Needed ITAR-certified cloud computing
2. JPL’s Results
JPL used Cloud Computing for Outreach… and beyond
Microsoft
JPL used cloud computing for mission critical operations… but ITAR approval took a while, producing separate ATOs for FISMA Moderate and ITAR
AWS GovCloud ATO (US Persons Only)
Accountable (CIO)
Letter of intent and compliance by JPL IT CTO
Concurrence by JPL IT Security and Infrastructure
Concurrence by NASA OCIO
Concurrence by Caltech Audit
Concurrence by NASA Office of Inspector General
Concurrence by JPL and NASA Export Control Office
Concurrence by Caltech/JPL Legal
Concurrence by additional key stakeholders
Adheres to JPL’s standard Policies and Procedures
Full 360 degree view; quarterly reviews; enables usage; continuous awareness
AWS GovCloud Use Cases So Far
Radar Processing (large scale)
Virtual Workshops
Big Data analytics of JPL sensitive data
Storage and processing of Mars Exploration Rovers data
Rapid prototyping when some data is sensitive
User: “If it can handle ITAR, I don’t have to separate the data, so I’ll get started now”
Cyber Security: “I can use my normal tools”
JPL wants Glacier next
Chart: Amazon Glacier Total Cost Comparison – DR Use Case Storage and Retrieval Costs Over 10 years (cost in $ versus storage years 1–10) for Glacier, S3, SDSC, JPL Private Cloud, and Denver total costs
3. JPL’s Future
Devices + Data + Processing + Clouds
MoonTours App shows new cloud-enabled architecture