Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016

Uploaded by: amazon-web-services

Posted on 15-Apr-2017

TRANSCRIPT

Page 1: Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October 2016

Welcome to the AWS Financial Services Cloud Symposium

Page 2

"We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules." - UK Financial Conduct Authority, FG 16-5, July 2016

"Insurance is a highly regulated industry where security, governance and compliance are key. Our internal compliance team conferred with both financial services regulators in the UK and our legal team, and they found that they could use AWS and remain compliant." - Adrian Hodgkison, Head of IT

Compliance with Regulation is Doable

Page 3

AWS & Customer Regulated Workloads

(Panel of customer logos, not reproduced in the transcript; * marks organizations that are also AWS customers.)

Page 4

"It is a fallacy that Institutions can't use cloud services (because regulators don't allow them)" - G20 ITSG Meeting, Anonymous

Page 5

https://aws.amazon.com/solutions/#industry

https://aws.amazon.com/financial-services

Regulated, audited, and sensitive data will be a better fit for storage and processing in the cloud.

Page 6

AWS Security as a Platform for Compliance

• DDoS Mitigation

• Data Encryption

• Inventory & Configuration

• Monitoring & Logging

• Identity & Access Control

• Testing & Validation

• Availability & Resiliency

AWS provides financial services customers a platform to engineer customized security.

Page 7

Security and compliance at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment.

You can therefore customize security on the platform to meet any number of compliance regimes that apply to your business processes and geography.

Page 8

AWS Security – Shared Responsibility Model

• AWS and its customers share control over the IT environment; both parties have responsibility for managing it.

• AWS' part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.

• The customers' responsibility includes configuring their IT environments in a secure and controlled manner for their purposes.

• While customers don't share their usage and configurations with AWS, AWS does share its security and control environment relevant to customers.

Page 9

AWS Shared Responsibility

Customer: you get to define your controls IN the cloud

• Customer content

• Platform, Applications, Identity & Access Management

• Operating System, Network & Firewall Configuration

• Client-side Data Encryption

• Server-side Data Encryption

• Network Traffic Protection

AWS: AWS takes care of security OF the cloud

• AWS Foundation Services: Compute, Storage, Database, Networking

• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

aws.amazon.com/compliance/shared-responsibility-model

Page 10

AWS Investment: Security

AWS Security Protection and Certification

Security Features in the Customer Environment

• Identity Management

• Access Control

• Usage Auditing

• Key Storage

• Monitoring and Logs

Customer Security and Compliance

• Advanced security protection

• Enhanced auditability

• EU Data Privacy

• Financial Reporting

• Financial Services

• Healthcare/Life Sciences

• Local requirements

Services and mechanisms named on the slide: Amazon Inspector, AWS WAF, AWS Config Rules, EU Model Clauses

Page 11

Audit & Certification Compliance Overview

Page 12

Tao of Cloud Compliance

1. Partner: the cloud tech SMEs and the security/compliance SMEs

2. Integrate: industry standards, independent benchmarking, regulatory requirements

3. Design and Package: Create a master design that meets internal and external requirements

4. Constrain: enforce deployment to that design

5. Deploy: mechanize a scalable governance and auditing program

Page 13

Step 1: Partner the cloud tech SMEs and the security/compliance SMEs

Page 14

Customer Governance Model: Permanent Supervision

• AWS Best Practices

• Industry Standards

• Internal & Regulatory Requirements

• AWS Architecture for Standards

AWS Technology Resources:

• Service Documentation

• AWS Workbooks

• AWS Agreements

(The slide also repeats the shared responsibility diagram from Page 9: customer content, platform/applications/identity & access management, operating system/network/firewall configuration, client-side and server-side data encryption and network traffic protection on the customer side; AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) on the AWS side.)

Page 15

Step 2: Integrate industry standards, independent benchmarking, regulatory requirements

Page 16

Industry Standards and Benchmarking

CIS Amazon Web Services Foundations Benchmark v1.0.0

Description: This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.

Page 17

FFIEC Assessment Guide for AWS

Page 18

Step 3: Create a master design that meets internal and external requirements

Page 19

Create a golden environment

Using baseline requirements to create a gold OS image

Configure use of AWS services, for example:

Amazon S3:

• Force SSE

• Turn on logging

• Specify retention

• Set Amazon Glacier archiving

• Prevent external access

• Specify overriding permissions

• Set event notifications

Amazon EBS:

• Define volume type

• Volume size limits

• IOPS performance (input/output)

• Data location – regions

• Snapshot (backup) ID

• Encryption requirements

Amazon Redshift:

• Cluster type (single or multi)

• Encryption (KMS or HSM)

• VPC location

• External access (yes/no)

• Security groups applied

• Create SNS topic

• Enforce Amazon CloudWatch alarms

Page 20

Step 4: Enforce deployment to that design

Page 21

Enforce AWS Service Catalog

Allows administrators to create and manage catalogs of approved resources (products) that users can access via a personalized portal.

• Control which IT services and versions are available

• Control the configuration of the available services

• Control permission access by individual, group, department, or cost center.

Provisioning Team creates and manages Service Catalog

Products built from CloudFormation Templates

An AWS Service Catalog product is a deployable AWS CloudFormation template.
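The golden design on Page 19 only constrains anything if a check runs before a template becomes a Service Catalog product (Page 21: a product is a deployable CloudFormation template). The following Python check is an added example, not code from the talk or from AWS: it walks the S3, EBS and Redshift resources of a template and reports every departure from the Page 19 baseline (forced SSE, logging, Glacier archiving, no external access; volume type, size limit, region and encryption; cluster encryption, VPC placement, external access, security groups). The property names are CloudFormation's own; the numeric thresholds, the allowed regions and the sample template are assumptions constructed for the example.

```python
"""Golden-baseline check for a CloudFormation template (added example).

Evaluates S3, EBS and Redshift resources against the Page 19 baseline
before the template is published as a Service Catalog product. The
thresholds and the sample template are constructed for this example.
"""

# Assumed baseline values: the slide names the control, not the number.
ALLOWED_VOLUME_TYPES = {"gp2", "gp3", "io1", "io2"}
MAX_VOLUME_GIB = 500
ALLOWED_REGIONS = {"ca-central-1"}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                            "IgnorePublicAcls", "RestrictPublicBuckets")


def s3_findings(name, props):
    """Force SSE, turn on logging, archive to Glacier, prevent external access."""
    findings = []
    sse_rules = props.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in r for r in sse_rules):
        findings.append(f"{name}: server-side encryption is not forced")
    if "LoggingConfiguration" not in props:
        findings.append(f"{name}: access logging is not turned on")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS):
        findings.append(f"{name}: external access is not blocked")
    transitions = [t for rule in props.get("LifecycleConfiguration", {}).get("Rules", [])
                   if rule.get("Status") == "Enabled"
                   for t in rule.get("Transitions", [])]
    if not any(t.get("StorageClass") in ("GLACIER", "DEEP_ARCHIVE") for t in transitions):
        findings.append(f"{name}: no Amazon Glacier archiving rule")
    return findings


def ebs_findings(name, props):
    """Volume type, size limit, data location (region) and encryption."""
    findings = []
    if props.get("Encrypted") is not True:
        findings.append(f"{name}: volume is not encrypted")
    if props.get("VolumeType") not in ALLOWED_VOLUME_TYPES:
        findings.append(f"{name}: volume type {props.get('VolumeType')!r} not in baseline")
    if int(props.get("Size", 0)) > MAX_VOLUME_GIB:
        findings.append(f"{name}: size {props.get('Size')} GiB exceeds limit of {MAX_VOLUME_GIB}")
    az = props.get("AvailabilityZone")
    if not isinstance(az, str):
        # Intrinsic function (Ref / Fn::GetAZs): the region cannot be read from the template.
        findings.append(f"{name}: availability zone is not a literal; region not verifiable")
    elif az[:-1] not in ALLOWED_REGIONS:  # 'ca-central-1a' -> 'ca-central-1'
        findings.append(f"{name}: data location {az[:-1]} not in allowed regions")
    return findings


def redshift_findings(name, props):
    """Encryption, VPC placement, no external access, security groups applied."""
    findings = []
    if props.get("Encrypted") is not True:
        findings.append(f"{name}: cluster is not encrypted")
    if props.get("PubliclyAccessible") is True:
        findings.append(f"{name}: cluster allows external access")
    if "ClusterSubnetGroupName" not in props:
        findings.append(f"{name}: cluster is not placed in a VPC subnet group")
    if not props.get("VpcSecurityGroupIds"):
        findings.append(f"{name}: no VPC security groups applied")
    return findings


CHECKS = {
    "AWS::S3::Bucket": s3_findings,
    "AWS::EC2::Volume": ebs_findings,
    "AWS::Redshift::Cluster": redshift_findings,
}


def evaluate_template(template):
    """Return every baseline violation; an empty list means the template may be published."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


# Constructed sample template: only the properties the checks inspect are included.
SAMPLE_TEMPLATE = {
    "Resources": {
        "RecordsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "LoggingConfiguration": {"DestinationBucketName": "example-audit-logs"},
            "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, True),
            "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "Transitions": [
                {"StorageClass": "GLACIER", "TransitionInDays": 365}]}]},
        }},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-east-1a", "Size": 1000, "VolumeType": "gp2"}},
        "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {
            "ClusterType": "multi-node", "Encrypted": True, "PubliclyAccessible": True,
            "ClusterSubnetGroupName": "example-subnet-group",
            "VpcSecurityGroupIds": ["sg-0123456789example"]}},
    }
}

if __name__ == "__main__":
    for finding in evaluate_template(SAMPLE_TEMPLATE):
        print("NON_COMPLIANT", finding)
```

Run against the constructed template, the bucket passes, the unencrypted 1000 GiB volume in us-east-1 produces three findings, and the Redshift cluster one (it is publicly accessible). Wiring `evaluate_template` into the step that creates a Service Catalog product version turns the Page 19 design into a gate; the same property checks, applied to deployed resources rather than templates, are what AWS Config Rules (Page 10) evaluate continuously.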

Page 22

Step 5: Mechanize a scalable governance and auditing program

Page 23

Governance & Auditing Program

Page 24

Tech Automation via Cloud

Automate deployments, provisioning, and configurations of the AWS customer environments

• AWS CloudFormation: Template → Stack (Instances, Apps, Resources)

• AWS Service Catalog: Products, Portfolios

• Identity & Access Management: Set Permissions

Stage labels on the slide: Design, Package, Constrain, Deploy

Page 25

Best Practices for a Strong Compliance Defense

1. How is the entity using the cloud?

2. Is the entity leveraging credible, third-party assessments?

3. Has the entity benchmarked their use of the cloud against CIS or another independent body?

4. How do they monitor use of the cloud?

5. How has application, logical access, resiliency, governance changed?

Page 26

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Jodi Scrofani, Financial Services Compliance Strategist at AWS

Thank You!