move away from the worry-based fiction of the cloud - aws washington d.c. symposium 2014

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014


AWS Security Assurance: DoD Community

Chris Gile

Bill [email protected]

[email protected]


Security in the Cloud

Bill MurraySr. Manager AWS Security Programs


Different Customer Viewpoints on Security

Public Affairskeep out of the news

Leaderprotect shareholder

value

CI{S}Opreserve the

confidentiality, integrity and availability of data


Security Is Our No.1 PriorityComprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY


SECURITY IS SHARED


WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE


WHAT WE DO

FOR YOU

WHAT YOU DO YOURSELF


EVERY CUSTOMER HAS ACCESS

TO THE SAME SECURITY

CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE


“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO NASA JPL


AWS SECURITY OFFERS MORE

VISIBILITY

AUDITABILITY

CONTROL


MORE VISIBILITY


CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT

RIGHT NOW?


TRUSTED ADVISOR


MORE AUDITABILITY


AWS CLOUDTRAILNOW IN

EU-W

EST


You are making API calls...

On a growing set of services around

the world…

CloudTrail is continuously recording API

calls…

And delivering log files to you


Security AnalysisUse log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS ResourcesTrack creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational IssuesQuickly identify the most recent changes made to resources in your environment.

Compliance AidEasier to demonstrate compliance with internal policies and regulatory standards.


LOGSOBTAINED, RETAINED,

ANALYZED


MORE CONTROL


Defense in Depth

Multi level security• Physical security of the data centers• Network security• System security• Data security

DATA


AWS Security Delivers More Control & GranularityCustomize the implementation based on your business needs

AWS CloudHSM

Defense in depth

Rapid scale for security

Automated checks with AWS Trusted

Advisor

Fine grained access controls

Server side encryption

Multi-factor authentication

Dedicated instances

Direct connection, Storage Gateway

HSM-based key storage

AWS IAM

Amazon VPC

AWS Direct Connect

AWS Storage Gateway


LEAST PRIVILEGE PRINCIPLE

AT AWS



CONFINE ROLES ONLY TO THE MATERIALREQUIRED TO DO SPECIFIC WORK



SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA



MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER

LOCATIONS



MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS


SIMPLE SECURITY CONTROLS

ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE


AWS IAMIDENTITY & ACCESS MANAGEMENT

BEST PRACTIC

E


CONTROL WHO CAN DO WHAT

WITH YOUR AWS ACCOUNT


MFA DELETE PROTECTIONBEST P

RACTICE


YOUR DATA STAYSWHERE YOU PUT IT


USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

BEST PRACTIC

E


DATA ENCRYPTIONCHOOSE WHAT’S RIGHT FOR YOU:

Automated – AWS manages encryption Enabled – user manages encryption using AWS

Client-side – user manages encryption using their own mean


AWS CloudHSM

Managed and monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

EC2 Instance

AWS CloudHSM

AWS CloudHSM


ENCRYPT YOUR DATA

AWS CLOUDHSM

AMAZON S3 SSE

AMAZON GLACIER

AMAZON REDSHIFT

AMAZON RDS

BEST PRACTIC

E


MORE AUDITABILITY

MORE VISIBILITY

MORE CONTROL


IDC Survey

Attitudes and Perceptions Around Security and Cloud Services

Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization

Source: IDC 2013 U.S. Cloud Security Survey

Doc #242836, September 2013


AWS.AMAZON.COM /

SECURITY


RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS Security Whitepapers


AWS Security Assurance: DoD Community

Chris Gile


Increasing Security and

Operating Requirement

s

DoD Cloud Security Model(Administered via DISA)

15 FedRAMP Compliant CSP1

10 – IaaS, 3- PaaS, 2- SaaS

FedRAMP Authority to OperateCSM ATO Levels 1-2

(Public)

CSM ATO Levels 3-5

(NIPR)

CSM ATO Level 6 (SIPR)

1

2

3

4

5

6

Providers are a mix of IaaS, PaaS, SaaS(Initial Focus on IaaS)

3 ProvisionalAuthorizations

granted1

0 Provisional

Authorization granted2

100’s of Cloud Service Providers

(CSP)

System-Specific

ATO

John DoeDoD DAA

The DoD provisionally authorized

commercial CSP offering is eligible to be included in

the Enterprise Cloud Service

Catalog

1 Source: http://www.gsa.gov/portal/content/131931

2 Provisional ATO granted as of 2/15/2014

Cloud Services ProviderDoD Cloud Security Model (CSM) - ATO Process

http://www.gsa.gov/portal/content/131931


Shared Security Responsibility

• AWS & Customers both have security/compliance obligations

• Logical assessment & accreditation boundaries

• How are our ATOs consumed?– Agencies & Partners

Cross-service Controls

Service-specific Controls

Managed by AWS

Managed by Customer

Compliance of the Cloud

Compliance in the Cloud

Cloud Service Provider Controls

Optimized Network/OS/App Controls


Availability Zone C

Sample US Region

- Multiple Isolated locations within a Region

- Availability Zone = 1 or more “data center”

- Independent Failure Zone

- Physically separated

- On separate Low Risk Flood Plains

- Discrete UPS

- Onsite backup generation facilities

- Fed from different segments of utility provider

- Redundantly connected to multiple tier-1 ISP’s

- No “Disaster Recovery Datacenter”

- Built for Continuous Availability

- Customer decides Availability Zone for Compute

~ DoD Data Center

Availability Zone B

Availability Zone A

AWS Availability Zone (AZ) View


AWS FedRAMP Program• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:

– All AWS US Regions (US East/West, & GovCloud (US))

– EC2, S3, EBS, VPC, IAM

– New: Amazon Redshift (US East/West only)

• Assessed against all FedRAMP-Moderate controls (298)

• Agency ATO packages have reciprocity with federal agencies

• AWS will directly field FedRAMP package requests from all customers, though agencies can still request AWS FedRAMP package from FedRAMP PMO if desired

– AWS provides customers a FedRAMP SSP Template, inherited/shared control matrix, as well as FedRAMP package

• AWS Security Assurance supports the lifecycle of customer engagements with supporting personnel and resources

cloud.cio.gov/fedramp/amazon

http://cloud.cio.gov/fedramp/amazon




AWS DoD CSM Program• 2/6/14 Provisional Authorization for Levels 1-2 • DISA managed Cloud Security Model (CSM)• 68 additional control enhancements overlaid on

FedRAMP Moderate• Partners have achieved MAC II Sensitive DIACAP ATOs


Building Solutions on AWS• Partners & Agencies can leverage FedRAMP compliant AWS• AWS’ FedRAMP package covers AWS infrastructure and underlying

management of services• Partner’s FedRAMP package includes inherited controls; shared

controls documents partner’s application/service built on AWS• To support partners we can provide:

– Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.– SSP Template: Pre-populated with inherited control language, guidance on

completing shared controls– ATO Letters as stand alone documents– Support: Security Solutions Architects, Security Assurance Architects,

Professional Services


AWS Documentation Support

• AWS Package is specific to the AWS Infrastructure

• Partner’s Package is specific to the Partner’s Application or managed services

• Inherited vs. Shared Controls


Certifications & Compliance• AWS Environment

– SOC 1/2/3

– ISO 27001 Certification

– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

– FedRAMP (up to Moderate)

– AWS GovCloud (US) – ITAR compliant region

• Customers have deployed various compliant applications– Sarbanes-Oxley (SOX)

– HIPAA (healthcare)

– FISMA/FedRAMP (US Federal Government)

– DIACAP – up to MAC II Sensitive

– International Traffic in Arms Regulations (ITAR)


Customer Resources• Whitepapers

– Risk & Compliance Whitepaper– Overview of Security Processes– “Security at Scale” series

• Governance in AWS• Logging in AWS

• Template– FedRAMP SSP Template

• Workbooks– FISMA-High– CJIS


Other Compliance Programs

• FISMA-High Handbook– Workbook available for partners under NDA– 84 additional control enhancements [21 inherited, 54

shared, 9 customer]

• CJIS Handbook– Available under NDA– 121 security requirements; 10 inherited, 87 shared,

and 24 customer-responsible requirements

• Both are partner-based approaches to build a portfolio of authorizations


AWS Compliance & Security Centers• Answers to many security and compliance

questions• Security whitepaper• Risk and Compliance whitepaper• Overview of Security Processes whitepaper• “Security at Scale” whitepaper series

• Security bulletins• Customer penetration testing requests• Security best practices• Request more information by contacting us

aws.amazon.com/securityaws.amazon.com/compliance

http://aws.amazon.com/security/

http://aws.amazon.com/compliance


Additional AWS Security & Compliance References

• https://aws.amazon.com/security• https://aws.amazon.com/compliance• https://aws.amazon.com/compliance/#whitepapers • https://aws.amazon.com/compliance/fedramp-faqs• https://aws.amazon.com/govcloud-us • https://aws.amazon.com/documentation • https://aws.amazon.com/iam

[email protected]

https://aws.amazon.com/security

http://aws.amazon.com/compliance

http://aws.amazon.com/compliance/

http://aws.amazon.com/compliance/fedramp-faqs

http://aws.amazon.com/govcloud-us

http://aws.amazon.com/documentation

http://aws.amazon.com/iam

mailto:[email protected]



Thank YouChris Gile

Bill [email protected]

[email protected]

move away from the worry-based fiction of the cloud - aws washington d.c. symposium 2014

Travel

aws government

aws cloudtrail

aws security assurance

manager aws security

aws storage gateway

deletion of aws resources

security automated checks

security public affairs