AWS April Webinar Series - Security Best Practices: Compliance Beyond the Check Box
Transcript of AWS April Webinar Series - Security Best Practices: Compliance Beyond the Check Box
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
4/28/2015
Compliance Beyond the Checkbox
Bill Shinn, AWS Principal Security Solutions Architect
St. James’s Place Migrates FCA Compliant Resources
St. James’s Place is a U.K. wealth-management company managing over £52 billion of client funds.
“We were able to double our capacity during the peak tax season, and then contract it back down when it was no longer required.”
Andy Montgomery, Head of Division for IT Operations and Solution Design, St James’s Place
Needed flexible IT resources that could scale with the business as its customer base grows by 50% every year.
SJP had to ensure that any new solution would provide a high level of data security and comply with Financial Conduct Authority (FCA) regulations.
Migrated 85 percent of its applications to AWS and expects a full migration by 2016.
Orion Health – Cloud-based Health Information Exchange
Orion Health is an award-winning health-specific software company that develops modern and creative solutions for healthcare organizations across the globe.
“AWS, with its HIPAA compliance capability - and some of the work we're doing with Logicworks - was key in our decision in moving to AWS.”
Dave Bennett, EVP of Healthier Populations, Orion Health
Needed to scale Health Information Exchange for Cal INDEX to handle millions of patient records and improve population health management.
Needed a secure solution architected for HIPAA compliance.
Partnered with AWS Marketplace Healthcare Competency partner Logicworks.
AWS And You Share Responsibility for Security
AWS takes care of the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud:
Identity, Data, Infrastructure, Customer applications & content
What this means
You benefit from an environment built for the most security-sensitive organizations.
You get to define the right security controls for your workload sensitivity & compliance requirements.
You always have full ownership and control of your data.
Typical Compliance Domains
Physical Security, Data Center Operations, Data Center Personnel, Application Security, Data Security, Identity Mgmt, Risk Mgmt, Compliance Mgmt, Incident Response, Disaster Recovery, Change Mgmt, Network Security, System Security, Asset Mgmt, Monitoring
The slide groups these domains into four categories under the shared responsibility model: out of scope, reduced scope, tools to help, and what AWS lets you concentrate on.
Security Cartography – Rosetta Stone?
Many custom control frameworks are based on NIST 800-53 or ISO 27001 (“control coverage”).
CCM v3.0.1 includes a comprehensive mapping (AICPA, BITS AUP/SIG, COBIT, NIST 800-53, ISO 27001, HIPAA Security Rule, PCI DSS 3.0).
Shared Assessments SIG maps to ISO 27001.
NIST 800-53 Appendix H includes “SECURITY CONTROL MAPPINGS FOR ISO/IEC 27001 AND 15408”.
Security Cartography – NIST vs. HIPAA
NIST SP 800-66 - Appendix D: Security Rule Standards and Implementation Specifications Crosswalk

Crosswalk
Asset Management
  ISO 27001:2013: A.8 Asset management; A.8.1 Responsibility for Assets
  NIST 800-53 rev 4: Configuration Management (CM); CM-8 Information System Component Inventory
Access Control
  ISO 27001:2013: A.9 Access control; A.9.2 User access management; A.9.2.3 Management of privileged access rights
  NIST 800-53: Access Control (AC); AC-3 Access Enforcement
Logging and Monitoring
  ISO 27001:2013: A.12 Operations security; A.12.4 Logging and Monitoring
  NIST 800-53: Auditing and Accountability (AU); AU-12 Audit Generation