Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Transcript of Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Security Assurance and Governance in AWS
Chad Woolf, Director, AWS Risk and Compliance
November 13, 2013
Better Security in the Cloud
“…We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
- Security’s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013
Better Security in AWS
Managed by AWS – Security of the Cloud: Cross-service Controls, Service-specific Controls, Cloud Service Provider Controls
Managed by Customer – Security in the Cloud: Optimized Network/OS/App Controls
Request reports at: aws.amazon.com/compliance/#contact
Governance, Security, Compliance Enablers
• Governance in AWS
• AWS Security Best Practices
• AWS Auditing Security Checklist
• AWS Risk and Compliance
• AWS Compliance Forum
• AWS Trusted Advisor
Security at Scale: Governance in AWS
1. Financial Control
2. IT Asset Identification
3. Asset Configuration and Management
4. Logical Access Control
5. Physical Access Control
6. Data Encryption
7. Network Configuration and Management
8. Security Logging and Monitoring
9. Security Incident Response
10. Disaster Recovery
Get this whitepaper at: aws.amazon.com/compliance/
Examples
Governance Domain: 8. Security Logging and Monitoring
On-prem Challenge: Centralized logging of user actions taken against a set of IT resources
AWS Enabler: AWS CloudTrail – provides logging of API or console actions (e.g., logs when someone changes a bucket policy, stops an instance, etc.)
Control Provided: Advanced monitoring capabilities of actions taken and changes made

Governance Domain: 10. Disaster Recovery
On-prem Challenge: Producing point-in-time, usable incremental backups
AWS Enabler: EBS Snapshots – point-in-time full volume copies of Amazon EBS data into persistent storage of Amazon S3
Control Provided: Anytime incremental point-in-time backup of server data
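As an added example (not part of the deck or of any AWS tooling), a small Python filter that walks CloudTrail records and flags the governance domain 8 actions the table names, bucket policy changes and instance stops, recording who acted, from where, and whether through the console or the API. The log records, user names, addresses and instance id are constructed samples; matching console calls by a "console." user agent is an assumption.

```python
"""Flag governance-relevant actions in CloudTrail records (added example)."""
import json

# Constructed sample CloudTrail log file: CloudTrail delivers a JSON object
# with a "Records" array; the field names below follow its record schema.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-11-13T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-audit-logs"}},
    {"eventTime": "2013-11-13T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/1.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123abcd"}]}}},
    {"eventTime": "2013-11-13T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/1.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Domain 8 watchlist: (eventSource, eventName) -> what changed. Read-only
# calls such as DescribeInstances are deliberately not listed.
WATCHLIST = {
    ("s3.amazonaws.com", "PutBucketPolicy"): "bucket policy changed",
    ("s3.amazonaws.com", "DeleteBucketPolicy"): "bucket policy removed",
    ("ec2.amazonaws.com", "StopInstances"): "instance stopped",
    ("ec2.amazonaws.com", "TerminateInstances"): "instance terminated",
}

def actor(record):
    """Best available name for the principal behind a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def is_console(record):
    # Assumption: console-initiated calls carry a "console." user agent.
    return record.get("userAgent", "").startswith("console.")

def flag_records(log_text):
    """Return one finding dict per record whose action is on the watchlist."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key in WATCHLIST:
            findings.append({"time": rec.get("eventTime"), "who": actor(rec),
                             "from": rec.get("sourceIPAddress"),
                             "via": "console" if is_console(rec) else "API",
                             "what": WATCHLIST[key],
                             "params": rec.get("requestParameters")})
    return findings
```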
Scaling Security
Governance Tool: AWS Trusted Advisor
• Online service from AWS Support
– Analyzes account for various kinds of issues and possible concerns
– Soon available as an API for integration with your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
Innovative Governance Tool: AWS Trusted Advisor
Since 1/1/2013:
• 10,000+ customers
• 700,000 recommendations reviewed
• $140M in annualized savings
Learn more about Trusted Advisor at: https://aws.amazon.com/premiumsupport/trustedadvisor/
Compliance Case Studies
Case: Pegasystems
Company: Provides software for business process management, CRM, and case management
Challenge: Pega tech is used cross-functionally across the healthcare industry; all data is considered PHI
Results: Pega and their customers are HIPAA compliant on AWS
Case: NASDAQ FinQloud
Company: Provides products and services to manage the entire life cycle of a trade
Challenge: Securely storing and managing vast amounts of data with strict compliance requirements
Results: NASDAQ and FinQloud customers meet stringent SEC 17a-4 requirements for financial record retention
Case: Cognia
Company: Global communications platform for call centers to capture communications data
Challenge: Must comply with PCI DSS so their customers can process payment card data on the platform
Results: PCI certified on AWS
AWS: centralized security controls - visible, testable, automated
Resource Links
AWS Compliance site – provides AWS Compliance Forum links, descriptions of audit reports available, contact links, and relevant whitepapers: http://aws.amazon.com/compliance/
AWS Security Center – provides links to a detailed whitepaper on how we manage security at AWS and provides links to contact AWS Security: http://aws.amazon.com/security/
AWS Security Blog – posts contain security best practices for AWS services, how-to guides, compliance milestones, and customer and partner stories: http://blogs.aws.amazon.com/security/
AWS Trusted Advisor – information on the tool, the nature of the checks, and how to access it: https://aws.amazon.com/premiumsupport/trustedadvisor/
Case studies – features a wide range of companies doing amazing things on AWS: http://aws.amazon.com/solutions/case-studies/all/
Recommended Sessions
• SEC402 - Intrusion Detection in the Cloud
• SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region
• ARC308 - Architecting for End-to-End Security in the Enterprise
• SEC306 - Implementing Bullet-Proof HIPAA Solutions on AWS
• SEC206 - Taking the Fear Out of PCI DSS Compliance in the Cloud
• ENT206 - Using AWS Enterprise Support to the Fullest
• SEC201 - Overview of AWS Identity and Access Management (IAM)
“Come talk security with AWS” Event - between 4 and 6pm on Thursday in Toscana 3605.
Please give us your feedback on this presentation
As a thank you, we will select prize winners daily for completed surveys!
SEC203