Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AWS re:Invent 2013

Posted on 07-May-2015


DESCRIPTION

This session covers the shared responsibility model for security and compliance specific to the AWS GovCloud (US) region. This presentation highlights the enhanced security offerings of AWS GovCloud (US), such as FIPS-140 Level 2 encryption, as well as the supported compliance regimes. It also reviews how our customers can build secure applications in GovCloud using the various security features such as IAM and VPC. This presentation also offers a brief overview of FedRAMP, explains the shared responsibility model through customer use cases, and covers how customers can obtain an Authority to Operate.

TRANSCRIPT

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region

CJ Moses, GM - AWS Global Cloud Solutions

Chris Gile, Manager - AWS Federal Compliance Programs

Jennifer Gray - Federal Cloud Lead - HHS Enterprise Cloud Architect

Tom Soderstrom - CTO, Jet Propulsion Laboratory

November 13, 2013

AWS GovCloud (US)

• The AWS Government Community Cloud for vetted U.S. Government and U.S. commercial entities with ties to U.S. Government functions and services

• Built with U.S. government customers in mind and appropriate for:

– U.S. Government agencies – US Federal, state and local entities

– U.S. Government contractors, systems integrators, and FFRDCs

– U.S. Companies with IT regulatory requirements

• Designed to allow U.S. government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements

– Appropriate for Controlled Unclassified Information (CUI) or Unclassified data and workloads

AWS GovCloud (US)

• Data stays in CONUS

– Region located in the Pacific Northwest

• Only approved AWS U.S. Persons have access to restricted areas, networks, and systems for administration

• AWS managed account provisioning; each potential customer is vetted to ensure they are a U.S. entity and not prohibited or restricted from exporting or from providing services by the U.S. government

• Data, Network and Machine Isolation

– Mandatory virtual private cloud (Amazon VPC) segregation for all customers, which offers an additional layer of isolation and protection

– Separate, isolated credentials database (AWS IAM)

– FIPS 140-2 hardware for endpoints and VPN

FedRAMP Overview

• FedRAMP Overview

• AWS FedRAMP Program

• Shared Responsibility Model & Achieving Compliance with AWS

FedRAMP Overview

• OMB mandated FedRAMP compliance for government agencies using CSPs

• Government-wide program standardizing CSP security assessments

• Four approaches for CSPs to demonstrate compliance supporting agency needs

• All FedRAMP package types in FedRAMP repository can be leveraged by USG agencies

AWS’ FedRAMP Program

• Agency ATOs (2) granted by HHS May ’13 covering:

– US East/West and GovCloud (US) Regions

– EC2, S3, EBS, VPC, and IAM services (more on the way!)

– Reviewed by HHS, CDC, NIH, & FDA

– FedRAMP-accredited 3PAO assessed AWS against all 297 Moderate FedRAMP controls

• Subsequent federal agency ATOs granted based on AWS FedRAMP packages

– Our Agency ATOs can be leveraged by any customer

AWS’ FedRAMP Program

• Request AWS FedRAMP package via FedRAMP PMO or directly from AWS

• So how do you achieve compliance using the AWS FedRAMP package?

Security is a Shared Responsibility

• Cross-service Controls – Cloud Service Provider Controls – Compliance of the Cloud – Managed by AWS

• Service-specific Controls – Optimized Network/OS/App Controls – Compliance in the Cloud – Managed by Customer

Security is a Shared Responsibility

Managed by Customer:

– Customer Data

– Users and Roles

– Account Management

– Applications

– Firewalls

– Network Configuration

– Guest Operating System

• Customers implement their own set of controls (shared controls)

• Customers document their implementation of controls in SSP

• Customers conduct 3PAO assessment

• Multiple customers with Low/Mod ATOs

• Customers tell us High ATOs possible

Managed by AWS:

– Virtualization Layer

– Compute Infrastructure

– Storage Infrastructure

– Network Infrastructure

– Facilities Physical Security

– AWS Global Infrastructure

• Payment Card Industry (PCI) Data Security Standard Level 1

• NIST 800-53 Controls & multiple ATOs; FedRAMP

• DoD Compliant Controls and multiple DIACAP ATOs

• SSAE 16 Types 1 & 2 (SAS 70)

• ISO 27001/2 Certification

• HIPAA and ITAR Compliant

Useful Links & Resources

• AWS FedRAMP Package for AWS GovCloud (US) Region

• AWS FedRAMP SSP Template

• http://aws.amazon.com/compliance

• http://aws.amazon.com/compliance/#whitepapers

• http://aws.amazon.com/compliance/fedramp-faqs

• http://aws.amazon.com/security

• http://aws.amazon.com/documentation

awscompliance@amazon.com

Office of the Chief Information Officer, U.S. Department of Health and Human Services

HHS Use Case: Agency FedRAMP ATO Experience

Jennifer Gray

Key Drivers

• HHS Cloud Strategy

• FedRAMP Policy Memo (OMB Policy Memo, December 8, 2011)

• Existing HHS Cloud Systems using AWS environment

• HHS FedRAMP Standard Operating Procedures

Build Effective Team

• OCIO Senior Leadership

• HHS OIS Cloud Security Team

• Operational Divisions (FDA, NIH, CDC, OS)

• FedRAMP Program Management Office

• Amazon Web Services (AWS) Risk & Compliance Team

• 3PAO (Veris Group)

[Diagram: HHS OIS Cloud Security Team at the center, working with FDA, NIH, CDC, AWS (CSP), and the FedRAMP PMO]

HHS FedRAMP Security Authorization Process

• Agency-wide FedRAMP Standard Operating Procedures

• Released through the HHS CISO

• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements

HHS FedRAMP AWS Authorization Process


AWS Achieves HHS FedRAMP ATO

• FedRAMP Complete - May 20, 2013

• Worked with HHS FedRAMP Team to ensure standard process aligns with FedRAMP PMO expectations

• Consistent with FedRAMP CONOPs

• Includes details about initial documentation as well as periodic updates

Key Lessons Learned

• Senior Management Sponsorship

• Merge FedRAMP process into existing security assessment and authorization processes

• Ensure all security artifacts are provided at least one week prior to reviews

• Develop full project schedule with all key stakeholders in advance

• Develop FAQ post ATO

• Collect resource metrics for future planning


SEC204 - Building Secure Applications and Navigating FedRAMP in the AWS GovCloud (US) Region

Tom Soderstrom, Jet Propulsion Laboratory

November 13, 2013

Agenda

1. JPL’s Journey

2. JPL’s Results

3. JPL’s Future

1. JPL’s Journey

Why Cloud Computing?

Increased demand for IT. Cloud computing promised:

• Additional, powerful options for IT

• Increased compute and storage capability

• Faster speed to market

• Lowering unit IT costs

• One size does not have to fit all

• Computing as secure as we have today

• Needed ITAR-certified cloud computing

2. JPL’s Results

JPL used Cloud Computing for Outreach… and beyond

Microsoft

JPL used cloud computing for mission critical operations … but ITAR approval took a while, producing separate ATOs for FISMA Moderate and ITAR

AWS GovCloud ATO (US Persons Only)

• Accountable (CIO)

• Letter of intent and compliance by JPL IT CTO

• Concurrence by JPL IT Security and Infrastructure

• Concurrence by NASA OCIO

• Concurrence by Caltech Audit

• Concurrence by NASA Office of Inspector General

• Concurrence by JPL and NASA Export Control Office

• Concurrence by Caltech/JPL Legal

• Concurrence by additional key stakeholders

• Adheres to JPL’s standard Policies and Procedures

• Full 360 degree view

• Quarterly reviews

• Enables usage

• Continuous awareness


AWS GovCloud Use Cases So Far

• Radar Processing (large scale)

• Virtual Workshops

• Big Data analytics of JPL sensitive data

• Storage and processing of Mars Exploration Rovers data

• Rapid prototyping when some data is sensitive

• User: “If it can handle ITAR, I don’t have to separate the data, so I’ll get started now”

• Cyber Security: “I can use my normal tools”

• JPL wants Glacier next

[Chart: Amazon Glacier Total Cost Comparison - DR Use Case Storage and Retrieval Costs Over 10 Years; cost ($) against storage years (1-10) for Glacier, S3, SDSC, JPL Private Cloud, and Denver total costs]

3. JPL’s Future: Devices + Data + Processing + Clouds

MoonTours App shows new cloud-enabled architecture

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

SEC204
