aws re:invent 2016: chalk talk: applying security-by-design to drive compliance and audit assertion...
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Todd Gleason, Kristen Haught, Balaji Palanisamy, Aaron Richmond
November 2016
Chalk Talk: GPSCT308
Applying Security by Design to Drive Compliance and Audit Assertion
What to expect from the session
• Overview of AWS Assurance programs
• Overview of Security by Design (SbD)
• Demonstration of SbD and automated controls
• Q&A
AWS Assurance Programs
Certifications / Attestations
• DoD SRG
• FedRAMP
• FIPS
• IRAP
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• MLPS Level 3
• MTCS
• PCI DSS Level 1
• SEC Rule 17-a-4(f)
• SOC 1
• SOC 2
• SOC 3
• UK Cyber Essentials
• VPAT / Section 508
Laws / Regulations / Privacy
• DNB [Netherlands]
• EAR
• EU Model Clauses
• EU Data Protection Directive
• FERPA
• GLBA
• HIPAA
• HITECH
• IRS 1075
• ITAR
• My Number Act [Japan]
• Privacy Act [Australia]
• Privacy Act [New Zealand]
• PDPA - 2010 [Malaysia]
• PDPA - 2012 [Singapore]
• U.K. DPA - 1988
• EU-US Privacy Shield
• Spanish DPA Authorization
Alignments / Frameworks
• CIS
• CLIA
• CJIS
• CMS EDGE
• CMSR
• CSA
• FDA
• FedRAMP TIC
• FISC
• FISMA
• G-Cloud
• GxP (FDA CFR 21 Part 11)
• IT Grundschutz
• MITA 3.0
• MPAA
• NERC
• NIST
• PHR
• UK Cloud Security Principles
Comprehensive security and compliance
Foundational Certifications
• ISO 9001 - Global Quality Standard
• ISO 27001 - Security Management Standard
• ISO 27017 - Cloud Specific Controls
• ISO 27018 - PII Specific Controls
• SOC 1 - Audit Controls Report
• SOC 2 - Compliance Controls Report
• SOC 3 - General Controls Report
• PCI DSS Level 1 - Payment Card Standards
• NIST 800-53 - Risk Management Framework
Security by Design
Keys to Cloud Security
Cloud goes beyond the traditional elements of security and adds…
• Agility
• Automation
Visibility, Auditability, Controllability
What is Security by Design (SbD)?
Modern, systematic, security assurance approach
Formalizes AWS account design, automates security controls, and streamlines auditing
Provides security control built in throughout the AWS IT management process
Effective security is ubiquitous and automatic…
Why Is This Important?
Modern day IT environments present challenges to managing security and meeting
compliance requirements due to the volume of information that needs to be safeguarded
and the dynamic connectivity of data, applications, and users. A reliable security approach
is needed to ensure data is protected and available to authorized users and systems.
Confidentiality, Integrity, Availability
Why - Modernize Technology Governance
The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.
[Diagram: Assets, Threat, Vulnerability, Risk]
Automation is needed to enforce governance through technology enablement.
Approaching Security by Design
1. Understand your requirements
2. Build a “secure environment” that fits your requirements
3. Enforce the use of the templates
4. Perform validation activities
Impact of Security by Design
Creates a forcing function that cannot be overridden by users
Establishes reliable operation of controls
Enables continuous and real-time auditing
Result
Automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.
Nerd version - Represents the technical scripting of your governance policy
AWS Security and Compliance Resources
AWS Risk & Compliance
Introduction to AWS Security
AWS Security Overview
AWS Security Best Practices
Security at Scale whitepapers
Customer penetration testing requests
Security Partner Solutions
Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
Demo
Demo – Automating Security Operations
1. Auto-deploy PCI environment from template
2. Simulate threats
3. Notification of threats
4. Automated mitigation of threats
5. Continuous audit for compliance
AWS Services Highlighted
AWS CloudTrail
Amazon CloudWatch
AWS CloudFormation
Amazon Kinesis
Amazon EC2
ALB/ELB
AWS Service Catalog
AWS Config
Amazon SNS
AWS Lambda
Auto Scaling
AWS WAF
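One way the "continuous audit for compliance" step can be scripted with the services listed above: a custom AWS Config rule, backed by a Lambda function, that marks any EC2 security group exposing administrative ports to the whole internet as NON_COMPLIANT. This is an added example written for this page, not the demo code from the talk; the admin-port set is an assumption, the field names follow the AWS::EC2::SecurityGroup configuration item, and the sample item at the bottom is constructed.

```python
# Added example (not from the talk): a custom AWS Config rule that audits
# EC2 security groups for admin ports open to the internet. Field names follow
# the AWS::EC2::SecurityGroup configuration item; the sample below is constructed.
import json

ADMIN_PORTS = {22, 3389}            # assumption: never public in a PCI-style template
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _covers_admin_port(rule):
    """True if an ingress rule spans an admin port or allows all traffic."""
    if rule.get("ipProtocol") == "-1":          # -1 means every protocol and port
        return True
    low, high = rule.get("fromPort"), rule.get("toPort")
    if low is None or high is None:             # e.g. ICMP type/code fields
        return False
    return any(low <= p <= high for p in ADMIN_PORTS)

def evaluate_security_group(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    offending = []
    for rule in item.get("configuration", {}).get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in rule.get("ipRanges", [])}
        cidrs |= {r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])}
        if _covers_admin_port(rule) and cidrs & WORLD_CIDRS:
            offending.append("%s/%s-%s" % (rule.get("ipProtocol"), rule.get("fromPort"), rule.get("toPort")))
    if offending:
        return "NON_COMPLIANT", "Admin ports open to the world: " + ", ".join(offending)
    return "COMPLIANT", "No admin ports exposed to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    """AWS Config entry point: evaluate the item and report via PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    import boto3  # imported here so the evaluation logic stays testable offline
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note[:256],   # annotation max is 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])
    return compliance

# Constructed sample: SSH and HTTPS both open to the internet; only SSH should fail.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2016-11-30T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}
```

Wiring the same function to an Amazon SNS topic or a remediation Lambda gives the "notification" and "automated mitigation" steps of the demo; the evaluation logic does not change.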
Thank you!
Remember to complete your evaluations!