automating compliance defense in the cloud - september 2016 webinar series


Uploaded by amazon-web-services; posted 15-Apr-2017


TRANSCRIPT

Page 1: Automating Compliance Defense in the Cloud - September 2016 Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Getting Started with Automating Compliance Defense in the Cloud

Page 2

What you are going to take away

AWS Shared Responsibility

Know the cloud governance steps

How to use cloud services to create a persistent state of compliance

Best practices for a strong compliance defense

Page 3

Poll Question

To understand the makeup of today's audience, please select the option that best describes your role.

Page 4

https://aws.amazon.com/solutions/#industry
https://aws.amazon.com/financial-services

Regulated, audited, and sensitive data will be a better fit for storage and processing in the cloud.

Page 5

AWS Shared Responsibility

You get to define your controls IN the cloud:
  Customer content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption
  Server-side Data Encryption
  Network Traffic Protection

AWS takes care of security OF the cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

aws.amazon.com/compliance/shared-responsibility-model

Page 6

Tao of Cloud Compliance

1. Partner the cloud tech SMEs and the security/compliance SMEs
2. Integrate industry standards, independent benchmarking, regulatory requirements
3. Design and Package: Create a master design that meets internal and external requirements
4. Constrain: Enforce deployment to that design
5. Deploy: Mechanize a scalable governance and auditing program

Page 7

Step 1: Partner the cloud tech SMEs and the security/ compliance SMEs

Page 8

Customer Governance Model: Permanent Supervision

Inputs to the model:
  AWS Best Practices
  Industry Standards
  AWS Architecture for Standards
  Internal & Regulatory Requirements
  Service Documentation
  AWS Workbooks
  AWS Technology Resources

(Shared responsibility model diagram, as on Page 5)

Page 9

Poll Question

Within your organization, how closely does your compliance department work with your information technology team?

Page 10

Step 2: Integrate industry standards, independent benchmarking, regulatory requirements

Page 11

Industry Standards and Benchmarking

CIS Amazon Web Services Foundations Benchmark v1.0.0

Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.

Page 12

FFIEC Assessment Guide for AWS

Page 13

Poll Question

Has your organization leveraged CIS benchmarks to implement industry-standard best practices?

Page 14

Step 3: Create a master design that meets internal and external requirements

Page 15

Create a golden environment

Using baseline requirements to create a gold OS image

Configure use of AWS services, for example:

Amazon S3:
  Force SSE
  Turn on logging
  Specify retention
  Set Amazon Glacier archiving
  Prevent external access
  Specify overriding permissions
  Set event notifications

Amazon EBS:
  Define volume type
  Volume size limits
  IOPS performance (input/output)
  Data location – regions
  Snapshot (backup) ID
  Encryption requirements

Amazon Redshift:
  Cluster type (single or multi)
  Encryption (KMS or HSM)
  VPC location
  External access (yes/no)
  Security groups applied
  Create SNS topic
  Enforce Amazon CloudWatch alarms

Page 16

Poll Question

What are your greatest challenges preventing the automation of controls throughout your organization?

Page 17

Step 4: Enforce deployment to that design

Page 18

Enforce AWS Service Catalog

Allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.

Control which IT services and versions are available
Control the configuration of the available services
Control permission access by individual, group, department, or cost center

Provisioning Team creates and manages Service Catalog

Products built from CloudFormation Templates

An AWS Service Catalog product is a deployable AWS CloudFormation template.
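As an added example (not from the webinar or AWS), the kind of CloudFormation template that a provisioning team could publish as a Service Catalog product to enforce the Page 15 golden-environment requirements for Amazon S3: forced SSE, logging, retention with Glacier archiving, no external access, overriding permissions, and event notifications. It assumes the KMS key, access-log bucket, and SNS topic already exist and are passed in as parameters (the topic policy must already allow S3 to publish to it); the 90-day and 7-year retention periods are constructed values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KmsKeyArn:     { Type: String }  # customer KMS key for SSE-KMS (assumed to exist)
  LogBucketName: { Type: String }  # existing access-log bucket (assumed to exist)
  AlertTopicArn: { Type: String }  # existing SNS topic S3 may publish to (assumed)
Resources:
  GoldenBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:                 # Force SSE with the customer KMS key
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref KmsKeyArn
      LoggingConfiguration:             # Turn on server access logging
        DestinationBucketName: !Ref LogBucketName
        LogFilePrefix: golden-bucket/
      LifecycleConfiguration:           # Retention: Glacier at 90 days, expire at 7 years (constructed)
        Rules:
          - Id: archive-then-expire
            Status: Enabled
            Transitions:
              - { StorageClass: GLACIER, TransitionInDays: 90 }
            ExpirationInDays: 2555
      PublicAccessBlockConfiguration:   # Prevent external access via any public ACL or policy
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      NotificationConfiguration:        # Event notification for every object creation
        TopicConfigurations:
          - { Event: 's3:ObjectCreated:*', Topic: !Ref AlertTopicArn }
  DenyUnencryptedUploads:               # Overriding permissions: no upload may bypass SSE-KMS
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref GoldenBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyPutWithoutKms
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Sub '${GoldenBucket.Arn}/*'
            Condition:
              StringNotEquals:          # a request with no SSE header is denied as well
                s3:x-amz-server-side-encryption: aws:kms
```

Because the deny statement also rejects uploads that omit the encryption header, clients must request SSE-KMS explicitly rather than rely on the bucket default; that is the point of an overriding permission in the golden design.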

Page 19

Step 5: Mechanize a scalable governance and auditing program

Page 20

Governance & Auditing Program

Page 21

Best Practices for a Strong Compliance Defense

1. How is the entity using the cloud?

2. Is the entity leveraging credible, third-party assessments?

3. Has the entity benchmarked their use of the cloud against CIS or another independent body?

4. How do they monitor use of the cloud?

5. How has application, logical access, resiliency, governance changed?

Page 22

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Jodi Scrofani, Financial Services Compliance Strategist at AWS

Thank You!