
Page 1: Security and Compliance in the Cloud
Source: ipma-wa.com/sites/default/files//page/2016/04/IPMA Amazon.pdf

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Curtis Bray, Manager, Solutions Architecture, AWS Worldwide Public Sector

May 17, 2016

Security and Compliance in the Cloud, IPMA 2016

Page 2: Agenda

• Cloud computing overview
• Security by Design
  • Golden environments
  • User security models
• Using AWS services to meet compliance goals
• HIPAA and CJIS on AWS

Page 3: Many Forms of Compliance

Page 4: AWS Global Infrastructure

As of May 2016:
• 12 Regions
• 32 Availability Zones
• 54 Edge Locations

Page 5: With AWS, Security Is a Shared Responsibility

Customers concentrate on systems and apps while AWS manages infrastructure.

AWS is responsible for security of the cloud:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

The customer is responsible for security in the cloud:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Proper service configuration
• AuthN and account management
• Authorization policies

Together, the two halves give more secure and compliant systems than any single entity could normally achieve on its own.

Security expertise is a scarce resource; AWS oversees the big picture, letting your security team focus on a subset of overall security needs.

Page 6: Security by Design (SbD)

Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensuring security: instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.

Services shown: CloudTrail, CloudHSM, IAM, KMS, Config

Page 7: Impact of Security by Design

SbD: scripting your governance policy.
Result: reliable technical implementation of administrative controls.

Page 8: SbD, modernizing tech governance

Phase 1 – Understand your requirements
• Identify regulatory requirements
• Document desired security controls and responsibilities

Phase 2 – Build a secure environment
• Create templates
• Build golden image(s)

Phase 3 – Enforce the use of templates
• Enable Service Catalog
• Enforce security controls

Phase 4 – Validation
• Continuously monitor
• Audit and certify

Page 9: SbD, rationalize security requirements

AWS has partnered with the Center for Internet Security (CIS) to create consensus-based, best-practice security configuration guides (CIS Benchmarks) that align to multiple security frameworks globally.

https://www.cisecurity.org/

The benchmarks are:
• Recommended technical control rules and values for hardening operating systems, middleware and software applications, and network devices.
• Distributed free of charge by CIS in PDF format.
• Used by thousands of enterprises as the basis for security configuration policies, and the de facto standard for IT configuration best practices.

Page 10: SbD, automate security operations

Automate deployments, provisioning, and configurations of the AWS customer environments.

Diagram: AWS CloudFormation (Design: a template deploys a stack of instances, apps and resources) feeds AWS Service Catalog (Package: products and portfolios; Constrain; Deploy), with IAM used to set permissions on who may launch what.

Page 11: Golden code: security translation to AWS

What you do in any IT environment:
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest

AWS JSON translation (CloudFormation templates):
• Gold image, NTP, and NAT
• Network ACLs, subnets, firewall rules

Page 12: Create a golden environment

• Create a gold OS image
• Configure use of AWS services, for example:

Amazon S3
• Force SSE
• Turn on logging
• Specify retention
• Set Amazon Glacier archiving
• Prevent external access
• Specify overriding permissions
• Set event notifications

Amazon EBS
• Define volume type
• Volume size limits
• IOPS performance (input/output)
• Data location – regions
• Snapshot (backup) ID
• Encryption requirements

Amazon Redshift
• Cluster type (single or multi)
• Encryption (KMS or HSM)
• VPC location
• External access (yes/no)
• Security groups applied
• Create SNS topic
• Enforce Amazon CloudWatch alarms
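The two slides above describe the "golden code" idea (firewall rules, subnets, encryption and logging requirements expressed as an AWS JSON template) and the controls a golden S3 bucket or EBS volume should carry. The following is an added example written for this page, not code from the deck or from AWS: it builds such a CloudFormation template as a Python dict (so the controls can be commented and json.dumps produces the JSON CloudFormation consumes) and then lints the template against the golden rules before anything is deployed, with a deliberately weakened copy to show the check catching regressions. The bucket, corporate CIDR, retention period and parameter names are assumptions made for illustration.

```python
"""Golden environment as code, checked against its own controls before deployment.

Added example, not code from the IPMA deck or from AWS. It builds a CloudFormation
template as a Python dict (the slides' "AWS JSON translation") and lints it against
the golden-environment rules the slides list: force SSE on S3, turn on logging,
archive to Glacier, prevent external access, encrypt EBS, and keep firewall
(security group) rules closed to the internet. Bucket, CIDR, retention period and
parameter names are assumptions made for illustration.
"""
import json

CORP_CIDR = "10.0.0.0/8"    # assumed corporate address range, not from the deck
ARCHIVE_AFTER_DAYS = 90     # assumed retention period before Glacier archiving
OPEN_TO_WORLD = ("0.0.0.0/0", "::/0")


def golden_template(corp_cidr=CORP_CIDR, archive_days=ARCHIVE_AFTER_DAYS):
    """Return a CloudFormation template (as a dict) that encodes the golden controls."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Golden environment (added example)",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"},
                       "LogBucketName": {"Type": "String"}},  # assumed existing log bucket
        "Resources": {
            "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
                # Force SSE: every object is encrypted at rest by default
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                # Turn on logging; archive to Glacier after the retention period
                "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucketName"}},
                "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "Transitions": [
                    {"StorageClass": "GLACIER", "TransitionInDays": archive_days}]}]},
                # Prevent external access
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
            "DataBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
                "Bucket": {"Ref": "DataBucket"},
                # Encryption in transit: refuse any request that does not arrive over TLS
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                    "Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
                    "Action": "s3:*",
                    "Resource": [{"Fn::GetAtt": ["DataBucket", "Arn"]},
                                 {"Fn::Sub": "${DataBucket.Arn}/*"}],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
            "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
                "Size": 100, "VolumeType": "gp3", "Encrypted": True,  # encryption requirement
                "AvailabilityZone": {"Fn::Select": [0, {"Fn::GetAZs": ""}]}}},
            "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
                "GroupDescription": "SSH from the corporate range only",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                          "CidrIp": corp_cidr}]}},
        },
    }


def check_golden(template):
    """Return the golden-environment violations found in a template (empty = compliant)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: SSE not forced")
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in ("BlockPublicAcls", "BlockPublicPolicy",
                                                    "IgnorePublicAcls", "RestrictPublicBuckets")):
                findings.append(f"{name}: external access not blocked")
            if "LoggingConfiguration" not in props:
                findings.append(f"{name}: access logging off")
            rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
            if not any(t.get("StorageClass") == "GLACIER"
                       for r in rules for t in r.get("Transitions", [])):
                findings.append(f"{name}: no Glacier archiving rule")
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append(f"{name}: EBS volume not encrypted")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in OPEN_TO_WORLD or rule.get("CidrIpv6") in OPEN_TO_WORLD:
                    findings.append(f"{name}: port {rule.get('FromPort')}-{rule.get('ToPort')}"
                                    " open to the internet")
    return findings


def weakened_template():
    """The same template after the edits a careless change would make, for contrast."""
    t = golden_template()
    res = t["Resources"]
    del res["DataBucket"]["Properties"]["BucketEncryption"]                          # SSE dropped
    res["DataVolume"]["Properties"]["Encrypted"] = False                               # plaintext
    res["AdminSg"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "0.0.0.0/0"    # SSH open
    return t


if __name__ == "__main__":
    print(json.dumps(golden_template(), indent=2))       # the JSON handed to CloudFormation
    print("golden:  ", check_golden(golden_template()))   # []
    print("weakened:", check_golden(weakened_template()))
```

Running check_golden in a pipeline before stack creation is the "enforce security controls" step of Phase 2 applied at design time; the same rules later need a runtime check (AWS Config) to catch drift made outside the template.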

Page 13: AWS Identity and Access Management (IAM)

• Allows fine-grained access control to AWS
• Implement a role-based access model
• Use multi-factor authentication devices
• Supports federation for SSO with your existing directory
  • Active Directory
  • Any SAML-compliant identity provider

Page 14: Demo: IAM permissions

Who has access to a particular resource?

Network resource:
          Read  Write  List
  Bob      ✓     ✓      ✓
  Doug     ✓     ✓      ✓
  Jim      ✓     ✓
  Sara     ✓

Server resources:
          Read  Write  List
  Bob      ✓     ✓      ✓
  Larry    ✓
  Sam      ✓     ✓

AWS permissions

Demo: IAM overview
• Users, groups, and roles
• User settings
• Default IAM policies
• Custom IAM policies
• Account settings
• Roles versus users
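The demo table answers "who has access to a particular resource?" by hand. The following is an added example, not code from the deck or from AWS, that computes such a table from identity-based policies using the core IAM decision rule (an explicit Deny wins; otherwise an Allow is required; otherwise the request is implicitly denied), including group membership and IAM-style wildcards. The users, groups and policies are constructed sample data that reuse the demo's names; the real IAM engine additionally evaluates conditions, resource-based policies, permission boundaries and SCPs, which this evaluator leaves out.

```python
"""Who has access to a particular resource? A minimal IAM policy evaluator.

Added example, not code from the IPMA deck or from AWS. It applies the IAM decision
rule (explicit Deny > Allow > implicit deny) to identity-based policies attached to
users and to the groups they belong to, and renders the read/write/list table the demo
slide shows. Users, groups and policies are constructed sample data; conditions,
resource policies, permission boundaries and SCPs are deliberately left out.
"""
import re


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are compared as written
    return (any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))


def is_allowed(principal, action, resource, users, groups):
    """Decide one request for one user: explicit Deny > Allow > implicit deny."""
    user = users[principal]
    docs = list(user.get("policies", []))
    for g in user.get("groups", []):
        docs.extend(groups[g])            # group policies apply to every member
    stmts = [s for d in docs for s in d["Statement"] if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in stmts):
        return False
    return any(s["Effect"] == "Allow" for s in stmts)


# The IAM action behind each column of the slide's table, and whether it is
# evaluated against an object inside the bucket (True) or the bucket itself (False)
OPERATIONS = {"Read": ("s3:GetObject", True), "Write": ("s3:PutObject", True),
              "List": ("s3:ListBucket", False)}


def access_matrix(bucket_arn, users, groups):
    """Return {user: {"Read": bool, "Write": bool, "List": bool}} for one bucket."""
    matrix = {}
    for u in users:
        matrix[u] = {}
        for op, (action, on_object) in OPERATIONS.items():
            target = bucket_arn + "/example-object" if on_object else bucket_arn
            matrix[u][op] = is_allowed(u, action, target, users, groups)
    return matrix


# Constructed sample data: the demo's user names, not the demo's actual policies
GROUPS = {
    "admins": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    "analysts": [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                 "Resource": ["arn:aws:s3:::records", "arn:aws:s3:::records/*"]}]}],
}
USERS = {
    "Bob": {"groups": ["admins"]},
    "Doug": {"groups": ["admins"]},
    "Jim": {"groups": ["analysts"]},
    "Sara": {"policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                                          "Resource": "arn:aws:s3:::records"}]}]},
    # Larry is an admin, but an explicit Deny on writes to this bucket overrides s3:*
    "Larry": {"groups": ["admins"],
              "policies": [{"Statement": [{"Effect": "Deny", "Action": "s3:Put*",
                                           "Resource": "arn:aws:s3:::records/*"}]}]},
}


def render(matrix):
    """Format the matrix like the slide: one row per user, a tick per granted operation."""
    lines = [f"{'':8}" + "".join(f"{op:>6}" for op in OPERATIONS)]
    for user, perms in matrix.items():
        lines.append(f"{user:8}" + "".join(f"{'✓' if perms[op] else '·':>6}" for op in OPERATIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(access_matrix("arn:aws:s3:::records", USERS, GROUPS)))
```

The Larry row is the point of the exercise: group membership grants s3:* on everything, yet a single Deny statement on the bucket removes write access there and nowhere else, which is how least privilege is carved out of a broad role without touching the group policy.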

Page 15: AWS Service Catalog

• Allows administrators to create and manage approved portfolios of resources (products) that end users can access via a personalized portal.
• An AWS Service Catalog product is a deployable AWS CloudFormation template.

The provisioning team creates and manages the Service Catalog; products are built from CloudFormation templates.

Page 16: Grant permissions to use AWS Service Catalog

• Workload owners can deploy templates and nothing more.

Diagram: a workload owner with limited IAM permissions launches a product whose Main.json CloudFormation template (plus additional CloudFormation templates) is deployed under an IAM role that AWS Service Catalog constraints specify for template deployment only.

Page 17: Demo: AWS Service Catalog

Demo will include CloudFormation template enforcement:
• Portfolios
• Products
• Permissions (IAM)
• Create/deploy
• User launch
• Constraints
• Tags

Page 18: Closing the loop: AWS Config

• AWS Config continuously records resource configurations and monitors your environment for changes to resources and security policies.
• AWS Config Rules: an automatic, account-wide check of whether your security design is actually deployed in existing environments.
• Accurate, complete audit trail of configuration changes.

Page 19: AWS Config Rules

How AWS Config Rules can be used to audit any environment. Diagram: Config rule → Config results.

Page 20: Demo: AWS Config Rules

Demo will include:
• Account configuration
• Rule creation
• Public rule repository
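The three Config slides above describe rules that check whether the security design is actually present in a running environment; the public rule repository is where such rules are shared. The following is an added example, not code from the deck, from AWS, or from the awslabs/aws-config-rules repository, showing the shape of a Lambda-backed custom rule that enforces one of the golden-environment and BAA requirements, encryption at rest, on EBS volumes. AWS Config invokes the handler with the changed resource's configuration item, the handler decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and reports the verdict through PutEvaluations. The sample events are constructed, and the config_client parameter is an assumption added so the decision logic runs offline without boto3 or an AWS account; only change-triggered evaluations are handled.

```python
"""A custom AWS Config rule: flag EBS volumes that are not encrypted at rest.

Added example, not code from the IPMA deck, from AWS, or from the public
awslabs/aws-config-rules repository. Lambda-backed custom rule shape: AWS Config
invokes lambda_handler with a configuration item, the rule decides
COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports it with PutEvaluations.
The sample events are constructed; config_client is an assumption added so the
logic runs offline. Only change-triggered evaluations are handled.
"""
import json

DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(configuration_item):
    """Decide compliance of one configuration item; returns (compliance_type, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "Volume no longer exists"
    if configuration_item.get("configuration", {}).get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "Volume is not encrypted; data at rest is stored in the clear"


def lambda_handler(event, context, config_client=None):
    """Entry point AWS Config invokes; returns the evaluation it reported."""
    invoking = json.loads(event["invokingEvent"])      # Config passes the CI as a JSON string
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:                           # real deployment: boto3 Config client
        import boto3                                    # imported lazily so the module loads offline
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(volume_id, encrypted):
    """Constructed sample of the event AWS Config sends for a volume change (fields abbreviated)."""
    ci = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2016-05-17T12:00:00.000Z",
        "configuration": {"volumeId": volume_id, "size": 100, "encrypted": encrypted},
    }
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": "constructed-result-token"}


class RecordingConfigClient:
    """Stand-in for boto3's Config client: records what would be sent to PutEvaluations."""

    def __init__(self):
        self.sent = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.sent.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    for volume_id, encrypted in (("vol-0a1b2c3d", True), ("vol-0deadbeef", False)):
        verdict = lambda_handler(sample_event(volume_id, encrypted), None, client)
        print(volume_id, verdict["ComplianceType"], "-", verdict["Annotation"])
```

Keeping the decision in evaluate_compliance, separate from the event parsing and the PutEvaluations call, is what makes the rule testable with constructed configuration items; the same function can be run over a Config snapshot export to audit an account before the rule is deployed.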

Page 21: AWS HIPAA Program

• Strong presence in healthcare and life sciences from our roots
• Business Associates and the January 2013 Omnibus Final Rule
• Started signing Business Associate Agreements (BAAs) in Q2 2013
• Program is based on the Shared Security Responsibility Model

The AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP authorizations.

Page 22: AWS HIPAA Eligible Services

• Customers may use all services within a "HIPAA Account".
• Customers may process, store, or transmit ePHI using only Eligible Services.

Eligible Services (as of May 2016): Amazon EC2, Elastic Load Balancing, Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS for MySQL, Amazon RDS for Oracle, Amazon EMR

Page 23: AWS BAA configuration requirements

• Customers must encrypt ePHI in transit and at rest.
• Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.
• Customers must record and retain activity related to use of and access to ePHI.

Page 24: AWS GovCloud (US) is…

An isolated region of the AWS Cloud, intended for customers with strict regulatory and compliance needs and sensitive data/workloads.

Launched in August 2011 to meet the needs of US Government customers and companies subject to ITAR regulation.

Page 25: AWS GovCloud (US) features

• Dedicated GovCloud Management Console
• Separate AWS IAM and authentication
• Located in the Pacific Northwest (Oregon)
• Data, network, and machine isolation from other regions

Page 26: AWS GovCloud (US) features (continued)

• "Community cloud" with vetted account holders who are US persons
• Multiple regulatory and compliance features
• Managed by US persons on US soil

Page 27: AWS GovCloud (US) compliance differentiation

Addresses regulatory and compliance requirements:
• FIPS 140-2 validated cryptographic endpoints for services
• VPC mandatory for all customers/accounts

Certifications and accreditations: same as other Regions, plus…
• FedRAMP Agency ATO (Moderate level)
• ITAR, CJIS and HIPAA compliant
• DoD Cloud Computing Security Requirements Guide (SRG) Impact Levels 2 and 4

Page 28: Additional Resources

Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/

SbD website and whitepaper
• https://aws.amazon.com/compliance/security-by-design/

CIS Benchmarks
• http://tinyurl.com/cisaws100

AWS Config Rules repository
• https://github.com/awslabs/aws-config-rules

Page 29: Q & A

Page 30: Remember to complete your evaluations!

Page 31: Please visit AWS at booth 17 in the Vendor Pavilion