AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs
Chris Gile, Senior Manager
AWS Risk and Compliance
[email protected]
Shared Security Responsibility
• AWS & Customers both have security/compliance obligations
• Logical assessment & accreditation boundaries
[Diagram: shared responsibility model]
– Managed by AWS ("Compliance of the Cloud"): Cloud Service Provider Controls, split into Cross-service Controls and Service-specific Controls
– Managed by Customer ("Compliance in the Cloud"): Optimized Network/OS/App Controls
AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
– All AWS US Regions (US East/West & GovCloud (US))
– EC2, S3, EBS, VPC, IAM
– New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests; agencies can still request the AWS FedRAMP package from the FedRAMP PMO
– AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, as well as the FedRAMP package
cloud.cio.gov/fedramp/amazon
Building Solutions on AWS
• Partners & Agencies can leverage FedRAMP-compliant AWS
• AWS’s FedRAMP package covers AWS infrastructure and underlying management of services
• Partner’s FedRAMP package includes inherited controls; shared controls document the partner’s application/service built on AWS
• To support partners we can provide:
– Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
– SSP Template: pre-populated with inherited control language, guidance on completing shared controls
– ATO Letters as stand-alone documents
– Support: Security Solutions Architects, Security Assurance Architects, Professional Services
AWS Documentation Support
• AWS Package is specific to the AWS Infrastructure
• Partner’s Package is specific to the Partner’s Application or managed services
• Inherited vs. Shared Controls
AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA-managed Cloud Security Model (CSM)
• 70 additional control enhancements overlaid on FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs
Certifications & Compliance
• AWS Environment
– SOC 1/2/3
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
– FedRAMP (up to Moderate)
– AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA/FedRAMP (US Federal Government)
– DIACAP – up to MAC II Sensitive
– International Traffic in Arms Regulations (ITAR)
Customer Resources
• Whitepapers
– Risk & Compliance Whitepaper
– Overview of Security Processes
– “Security at Scale” series
  • Governance in AWS
  • Logging in AWS
• Template
– FedRAMP SSP Template
• Workbooks
– FISMA-High
– CJIS
Other Compliance Programs
• FISMA-High
– Workbook available for partners under NDA
– 84 additional control enhancements: 21 inherited, 54 shared, 9 customer
• CJIS Workbook
– Available under NDA
– 121 security requirements: 10 inherited, 87 shared, and 24 customer-responsible requirements
• Both are partner-based approaches to build a portfolio of authorizations
AWS Compliance & Security Centers
• Answers to many security and compliance questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
Additional AWS Security & Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam
Questions?
Thank You
Chris Gile