© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud Security & Compliance: A focus on Governance
Tim Rains, Regional Leader, Security & Compliance Business Acceleration, Worldwide Public Sector, Amazon Web Services
Agenda
Traditional Information Security Governance
Security & Compliance Game Changers
Governance Improved
Initially contemplating the cloud
• On-premises control equivalency: support for current controls/vendors?
• Data protection: what controls prevent unauthorized access?
• Multi-tenancy: is there any new risk from other tenants?
• Data residency: will our data move outside of a specific country/region?
• Resilience: can it meet our requirements?
• Governance: support for the framework(s), policies and controls that help us manage risk?
Traditional Information Security Governance
Traditional Governance Flow (built up over a sequence of slides; the completed flow contains these elements)
Strategy
Policy
Project Team
Governance Check
Release!
Governance
Policy Archive
Audit
Security & Compliance Game Changers
Zoom In: AWS Region / AWS Availability Zone (diagram: a sample Region made up of Availability Zones A, B and C, each Availability Zone made up of multiple datacenters)
• Independent geographic areas, isolated from other Regions (security boundary)
• Customer chooses in which Region(s) to deploy services
• Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of high-availability architecture
• AZs are independent failure zones; physically separated; on separate low risk flood plains
• Discrete Uninterruptible Power Supply (UPS); Onsite backup generation facilities
• Built for continuous availability
AWS Global Infrastructure
The AWS Cloud spans 66 Availability Zones within 21 geographic Regions around the world, with announced plans for 12 more Availability Zones and four more Regions in Bahrain, Cape Town, Jakarta, and Milan.
AWS CloudFront & Route 53 Edge Infrastructure
Amazon CloudFront uses a global network of 180 Points of Presence (169 Edge Locations and 11 Regional Edge Caches) in 69 cities across 30 countries.
Europe
Edge locations: Amsterdam, The Netherlands (2); Berlin, Germany (2); Copenhagen, Denmark; Dublin, Ireland; Frankfurt, Germany (8); Helsinki, Finland; London, England (9); Madrid, Spain (2); Manchester, England; Marseille, France; Milan, Italy; Munich, Germany (2); Oslo, Norway; Palermo, Italy; Paris, France (5); Prague, Czech Republic; Stockholm, Sweden (3); Vienna, Austria; Warsaw, Poland; Zurich, Switzerland
Regional Edge caches: Frankfurt, Germany; London, England
Things are different in the cloud
On-premises                    | On AWS
Big perimeter                  | Micro-perimeters
End-to-End ownership           | Own just enough
Build it all yourself          | Focus on your core values
Server-centric approach        | Service-centric approach
De-centralised administration  | Focus on protecting data
Focus on physical assets       | Central control plane (API)
Multiple (manual) processes    | Everything is automated
Game changer: everything is automated
The changing nature of security
Delivery pipeline (diagram): Source control (commit changes) → Build (build artifacts) → Testing & staging (deploy to test environment; run integration, security, load and other tests) → Production (deploy to production environment) → Maintain (manage runtime). The stages are labelled Continuous Integration and Continuous Delivery.
Secure development lifecycle applies equally to applications and infrastructure as code
Game changer: API-driven
• Authoritative – the interface to, and between, AWS services
• Auditable – always know what, and who, is doing what
• Secure – verified integrity, authenticated, no covert channels
• Fast – can be read and manipulated in sub-second time
• Precise – defines the state of all infrastructure and services
• Evolving – continuously improving
• Uniform – provides consistency across disparate components
• Automatable – enables some really cool capabilities
AWS CloudTrail
You are making API calls (through the AWS Management Console, SDK or CLI) on a growing set of AWS services around the world (for example VPC, Redshift). CloudTrail is continuously recording those API calls, so you can store/archive them, troubleshoot with them, and monitor & alarm on them.
AWS Config and AWS Config Rules
A continuous recording and assessment service: changing resources are recorded by AWS Config (history, snapshots, normalized configuration, notifications, API access) and evaluated by Config Rules.
Answer the questions:
How are my resources configured over time?
Is a change that just occurred to a resource compliant?
Automating Responses Based on Multiple Controls
Detect: findings and logs from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS CloudTrail, VPC Flow Logs and AWS Config
Investigate: Amazon CloudWatch Events triggers a Lambda function
Respond: the Lambda function acts through AWS APIs and notifies the team via collaboration tools (Slack etc.)
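As an added example (not from the slides or AWS's own code) of the "is this change compliant?" check that the Config Rules slide and the Lambda-based response pattern above describe: a custom Config rule evaluator in Python that inspects a security group's recorded configuration. The allow-list of public ports, the sample event and the resource id are constructed assumptions, and the put_evaluations call back to Config is omitted so the code runs offline.

```python
import json

# Constructed example policy: only these ports may be open to the world;
# any other port reachable from 0.0.0.0/0 or ::/0 is a violation.
ALLOWED_PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}

def evaluate_security_group(configuration):
    """Evaluate the 'configuration' field of a security-group configuration
    item; return (compliance_type, annotation)."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        ranges = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        ranges |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if not ranges & WORLD:
            continue  # not world-reachable, nothing to flag
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or lo is None or hi is None:
            violations.append(f"{proto}/all ports open to the world")
            continue
        exposed = set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS
        if exposed:
            violations.append(f"{proto}/{lo}-{hi} open to the world")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)
    return "COMPLIANT", "no world-open ports outside the allow-list"

def lambda_handler(event, context=None):
    """Config invokes a custom rule with the configuration item serialised as
    JSON in event['invokingEvent']; returns the record a real rule would pass
    to config.put_evaluations (call omitted so the example runs offline)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        ctype, note = "NOT_APPLICABLE", "rule evaluates security groups only"
    else:
        ctype, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed sample invocation: HTTPS is allowed, but SSH was just opened
# to the world, so the change is reported as NON_COMPLIANT.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example0",
        "configurationItemCaptureTime": "2019-06-01T12:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ]},
    }}),
    "resultToken": "constructed-token",
}
```

The returned record is the "compliance data" of the governance flow: the same evaluation that would feed a CloudWatch Events rule and a responding Lambda function.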
Governance Improved
Governance At The Speed Of Cloud (built up over a sequence of slides; the completed flow contains these elements)
Strategy
Policy
Project Team
Automated Checks
Release!
Compliance Data
Governance
Ops
Audit
Certifications, Attestations, Standards
Glacier Vault Lock & SEC Rule 17a-4(f)
SOC 1
SOC 2
SOC 3
PSN
General Data Protection Regulation
https://aws.amazon.com/compliance/gdpr-center
https://amazonmr.au1.qualtrics.com/jfe/form/SV_9RILSIJHhzBi5zn
Survey: Please Give Us Feedback!
Thank you!