© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Curtis Bray, Manager, Solutions Architecture, AWS Worldwide Public Sector
May 17, 2016
Security and Compliance in the Cloud, IPMA 2016
Agenda
• Cloud computing overview
• Security by Design
  • Golden Environments
  • User security models
• Using AWS services to meet compliance goals
• HIPAA and CJIS on AWS
Many Forms of Compliance
AWS Global Infrastructure
At the time of this presentation (May 2016):
• 12 Regions
• 32 Availability Zones
• 54 Edge Locations
With AWS, security is a shared responsibility: customers concentrate on systems and apps while AWS manages infrastructure.
AWS manages:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
The customer manages:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Proper service configuration
• AuthN and account management
• Authorization policies
More secure and compliant systems than any single entity could normally achieve on its own
Security expertise is a scarce resource; AWS oversees the big picture, letting your security team focus on a subset of overall security needs.
Security by Design – SbD
Security by Design (SbD) is a modern, security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
AWS services that support SbD: CloudTrail, CloudHSM, IAM, KMS, Config
Impact of Security by Design
SbD – Scripting your governance policy. Result: reliable technical implementation of administrative controls.
SbD—modernizing tech governance
Phase 1 – Understand your requirements: identify regulatory requirements; document desired security controls and responsibilities.
Phase 2 – Build a secure environment: create templates; build golden image(s).
Phase 3 – Enforce the use of templates: enable Service Catalog; enforce security controls.
Phase 4 – Validation: continuously monitor; audit and certify.
SbD—rationalize security requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that align to multiple security frameworks globally.
https://www.cisecurity.org/
The benchmarks are:
• Recommended technical control rules and values for hardening operating systems, middleware and software applications, and network devices.
• Distributed free of charge by CIS in PDF format.
• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
SbD—automate security operations
Automate deployments, provisioning, and configurations of the AWS customer environments.
(Diagram: a CloudFormation template is designed and packaged into stacks of instances, apps and resources; AWS Service Catalog groups templates into products and portfolios and constrains how they are deployed; IAM sets the permissions.)
What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest
Golden code: Security translation to AWS
(Slide shows the AWS JSON translation of these controls: gold image, NTP, and NAT; network ACLs, subnets, and firewall rules.)
Create a golden environment
• Create a gold OS image
• Configure use of AWS services, for example:
Amazon S3: force SSE; turn on logging; specify retention; set Amazon Glacier archiving; prevent external access; specify overriding permissions; set event notifications.
Amazon EBS: define volume type; volume size limits; IOPS performance (input/output); data location (regions); snapshot (backup) ID; encryption requirements.
Amazon Redshift: cluster type (single or multi); encryption (KMS or HSM); VPC location; external access (yes/no); security groups applied; create SNS topic; enforce Amazon CloudWatch alarms.
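As an added example for this section (not code from the presentation or from AWS), the following Python script is the gate between "golden code" and deployment: it loads a CloudFormation template as JSON and checks it for the controls the slides list (approved gold image, no security group ingress open to the world, encrypted EBS, encrypted and non-public Redshift, S3 access logging and Glacier archiving). The resource types and property names are CloudFormation's own; the approved AMI ID, the thresholds, the "golden" template and its drifted copy are constructed assumptions.

```python
import copy
import json
import sys

# Constructed placeholder for the approved gold OS image; not a real AMI ID.
APPROVED_AMIS = {"ami-0123456789abcdef0"}
WORLD = ("0.0.0.0/0", "::/0")

# Constructed golden template. Parameters it references (Vpc, DwPassword) are
# assumed to be declared alongside; they are omitted to keep the example short.
GOLDEN_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app tier: SSH only from the corporate range",
            "VpcId": {"Ref": "Vpc"},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
        "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": "ami-0123456789abcdef0", "InstanceType": "t2.micro",
            "SecurityGroupIds": [{"Ref": "AppSg"}]}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "VolumeType": "gp2", "AvailabilityZone": "us-west-2a",
            "Encrypted": True}},
        "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {
            "ClusterType": "multi-node", "NumberOfNodes": 2, "NodeType": "dc1.large",
            "DBName": "dw", "MasterUsername": "admin",
            "MasterUserPassword": {"Ref": "DwPassword"},
            "Encrypted": True, "PubliclyAccessible": False}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "LoggingConfiguration": {"DestinationBucketName": "example-audit-logs"},
            "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "Transitions": [
                {"StorageClass": "GLACIER", "TransitionInDays": 90}]}]}}},
    },
}


def check_template(template):
    """Return findings (one string each); an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::Instance":
            if props.get("ImageId") not in APPROVED_AMIS:   # literal AMI IDs assumed, not Refs
                findings.append(f"{name}: ImageId {props.get('ImageId')} is not an approved gold image")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in WORLD:
                    findings.append(f"{name}: ingress {rule.get('IpProtocol')} "
                                    f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}")
        elif rtype == "AWS::EC2::Volume":
            if props.get("Encrypted") is not True:   # unencrypted unless the account default overrides
                findings.append(f"{name}: EBS volume must set Encrypted: true")
        elif rtype == "AWS::Redshift::Cluster":
            if props.get("Encrypted") is not True:
                findings.append(f"{name}: Redshift cluster must set Encrypted: true")
            if props.get("PubliclyAccessible") is True:
                findings.append(f"{name}: Redshift cluster must not be PubliclyAccessible")
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append(f"{name}: S3 bucket must turn on access logging")
            rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
            if not any(t.get("StorageClass") == "GLACIER"
                       for r in rules for t in r.get("Transitions", [])):
                findings.append(f"{name}: S3 bucket must archive to Glacier via a lifecycle rule")
    return findings


def drifted_template():
    """Constructed non-compliant variant: the kind of drift the gate has to catch."""
    t = copy.deepcopy(GOLDEN_TEMPLATE)
    r = t["Resources"]
    r["AppSg"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "0.0.0.0/0"
    r["AppServer"]["Properties"]["ImageId"] = "ami-0fedcba9876543210"   # unapproved image
    r["DataVolume"]["Properties"].pop("Encrypted")
    r["Warehouse"]["Properties"]["PubliclyAccessible"] = True
    del r["LogBucket"]["Properties"]["LoggingConfiguration"]
    return t


if __name__ == "__main__":
    # Usage: python golden_gate.py template.json ; exits 1 on any finding.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else drifted_template()
    findings = check_template(template)
    print("\n".join(findings) or "template passes the golden checks")
    sys.exit(1 if findings else 0)
```

Run it in the pipeline step that sits between template commit and CloudFormation or Service Catalog deployment; a non-zero exit blocks the stack. The checks only look at literal property values, so a template that hides an AMI ID or CIDR behind a parameter needs the parameter's default resolved first.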
AWS Identity and Access Management (IAM)
• Allows fine-grained access control to AWS
• Implement a role-based access model
• Use multi-factor authentication devices
• Supports federation for SSO with your existing directory:
  • Active Directory
  • Any SAML-compliant identity provider
Demo: IAM permission
Who has access to a particular resource? The demo walks two permission matrices (columns: Read, Write, List); a check mark means the user holds that permission.
Network resource:
• Bob: Read, Write, List
• Doug: Read, Write, List
• Jim: two of the three (which two is not recoverable from the transcript)
• Sara: one of the three
Server resources:
• Bob: Read, Write, List
• Larry: one of the three
• Sam: two of the three
(Diagram: AWS permissions spanning both resource sets.)
Demo: IAM overview
• Users, groups, and roles
• User settings
• Default IAM policies
• Custom IAM policies
• Account settings
• Roles versus users
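To make "who has access to a particular resource?" answerable from policy documents rather than from a slide, here is an added example (not the presentation's code and not AWS's IAM engine) that applies IAM's decision rule to identity policies: an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. It handles the Effect/Action/Resource grammar with wildcards and ignores Condition, NotAction, resource policies and permission boundaries. The bucket ARN, the users and their policies are constructed to mirror the demo's Read/Write/List matrix; the slide does not say which two permissions Jim holds or which one Sara holds, so the assignment below (Jim Read+List, Sara List) is an assumption.

```python
import fnmatch


def _match(patterns, value, fold_case):
    """IAM-style wildcard match ('*' any run, '?' one char).
    Action names compare case-insensitively; ARNs compare exactly."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def decide(policies, action, resource):
    """IAM decision for one action on one ARN: 'Deny' (explicit), 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        statements = policy["Statement"]
        for st in statements if isinstance(statements, list) else [statements]:
            if _match(st["Action"], action, True) and _match(st["Resource"], resource, False):
                if st["Effect"] == "Deny":
                    return "Deny"          # an explicit Deny wins no matter what else allows
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed demo data: one S3 bucket stands in for the "network resource".
BUCKET = "arn:aws:s3:::network-configs"
OBJECT_DEV = "arn:aws:s3:::network-configs/dev/router1.json"
OBJECT_PROD = "arn:aws:s3:::network-configs/prod/router1.json"
OPERATIONS = {"Read": "s3:GetObject", "Write": "s3:PutObject", "List": "s3:ListBucket"}

FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}
READ_LIST = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                            "Resource": [BUCKET, BUCKET + "/*"]}]}
LIST_ONLY = {"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}}
PROD_FREEZE = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject",
                              "Resource": BUCKET + "/prod/*"}]}

# Assumed assignment (the slide does not say which permissions Jim and Sara hold).
USER_POLICIES = {
    "Bob": [FULL],
    "Doug": [FULL, PROD_FREEZE],   # full access, but a change freeze denies writes under prod/
    "Jim": [READ_LIST],
    "Sara": [LIST_ONLY],
}


def who_has_access(user_policies, operation, resource):
    """Users whose policies allow the named operation (Read/Write/List) on the resource."""
    action = OPERATIONS[operation]
    return sorted(u for u, p in user_policies.items() if decide(p, action, resource) == "Allow")


if __name__ == "__main__":
    for op, res in (("List", BUCKET), ("Read", OBJECT_DEV),
                    ("Write", OBJECT_DEV), ("Write", OBJECT_PROD)):
        print(f"{op:5} {res}: {who_has_access(USER_POLICIES, op, res)}")
```

The Doug case is the one worth remembering: his group policy grants s3:* on the whole bucket, yet he cannot write under prod/ because the narrower Deny statement is evaluated first in effect. Real answers for an account should come from the IAM policy simulator, which also applies conditions, resource policies and boundaries that this evaluator leaves out.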
AWS Service Catalog
• Allows administrators to create and manage approved Portfolios of resources (products) that end users can access via a personalized portal.
• An AWS Service Catalog product is a deployable AWS CloudFormation template.
The provisioning team creates and manages the Service Catalog:
• Products are built from CloudFormation templates (a Main.json template plus any additional CloudFormation templates it references)
• Grant permissions to use AWS Service Catalog
• AWS Service Catalog constraints specify the IAM role that is used only for template deployment
The workload owner has limited IAM permissions:
• Workload owners can deploy the approved templates and nothing more; the launch role, not the owner's own permissions, creates the resources
Demo: AWS Service Catalog. Demo will include:
• CloudFormation template enforcement
• Portfolios
• Products
• Permissions (IAM)
• Create/deploy
• User launch
• Constraints
• Tags
Closing the loop: AWS Config
• AWS Config continuously monitors your environment for configuration changes to resources and security policies
• AWS Config Rules: a sweeping check of whether your security design is actually deployed in existing environments
• Accurate, complete audit
AWS Config Rules
How AWS Config Rules can be used to audit any environment. (Diagram: a Config rule evaluates resources and reports Config results.)
Demo: AWS Config Rules. Demo will include:
• Account configuration
• Rule creation
• Public rule repository
AWS HIPAA Program
• Strong presence in healthcare and life sciences from our roots
• Business Associates and the January 2013 Omnibus Final Rule
• Started signing Business Associate Agreements (BAA) in Q2 2013
• Program is based on Shared Security Responsibility Model
AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP Authorizations
AWS HIPAA Eligible Services
• Customers may use all services within a “HIPAA Account”
• Customers may process, store, or transmit ePHI using only Eligible Services.
Eligible services at the time of this presentation (May 2016): Amazon EC2, Elastic Load Balancing, Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS for MySQL, Amazon RDS for Oracle, Amazon EMR.
AWS BAA configuration requirements
• Customers must encrypt ePHI in transit and at rest.
• Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.
• Customers must record and retain activity related to use of and access to ePHI.
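The Config Rules section above and the BAA configuration requirements just listed fit together naturally: a custom rule can check, on every configuration change, that the technical half of the BAA terms is actually in place. The Lambda handler below is an added example (not the presentation's code and not a rule from the awslabs/aws-config-rules repository): it evaluates two of the three requirements, dedicated tenancy for instances that hold ePHI and encryption for EBS volumes. The event layout (invokingEvent as a JSON string carrying configurationItem, resultToken, ruleParameters) and the configurationItem fields are those AWS Config passes to custom rules; the sample items are constructed, and the rule parameter EphiTag (default DataClass=ePHI) is this example's own convention for marking which instances are in scope.

```python
import json

APPLICABLE = ("AWS::EC2::Instance", "AWS::EC2::Volume")
# Dedicated Instances report tenancy 'dedicated'; 'host' (Dedicated Hosts) is also
# single-tenant and is accepted here as this example's choice.
SINGLE_TENANT = ("dedicated", "host")


def _in_scope(item, params):
    """Volumes are always checked; instances only when tagged as holding ePHI."""
    if item["resourceType"] == "AWS::EC2::Volume":
        return True
    key, _, value = params.get("EphiTag", "DataClass=ePHI").partition("=")
    return item.get("tags", {}).get(key) == value


def evaluate_compliance(item, params):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item["resourceType"] not in APPLICABLE:
        return "NOT_APPLICABLE", "resource type not covered by this rule"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    if not _in_scope(item, params):
        return "NOT_APPLICABLE", "instance is not tagged as ePHI"
    cfg = item.get("configuration") or {}
    if item["resourceType"] == "AWS::EC2::Instance":
        tenancy = cfg.get("placement", {}).get("tenancy")
        if tenancy in SINGLE_TENANT:
            return "COMPLIANT", f"tenancy {tenancy}"
        return "NON_COMPLIANT", f"ePHI instance has tenancy '{tenancy}'; BAA requires Dedicated Instances"
    if cfg.get("encrypted") is True:
        return "COMPLIANT", "volume encrypted"
    return "NON_COMPLIANT", "EBS volume is not encrypted; ePHI must be encrypted at rest"


def evaluate_all(items, params=None):
    """Local helper: map resourceId to ComplianceType for a batch of configuration items."""
    return {i["resourceId"]: evaluate_compliance(i, params or {})[0] for i in items}


def lambda_handler(event, context):
    """Entry point AWS Config invokes on each configuration change."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],      # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3   # imported here so evaluate_compliance() runs locally without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items in the shape AWS Config records them.
_T = "2016-05-17T12:00:00.000Z"
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ephi1", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": _T, "tags": {"DataClass": "ePHI"},
     "configuration": {"placement": {"tenancy": "default"}}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ephi2", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": _T, "tags": {"DataClass": "ePHI"},
     "configuration": {"placement": {"tenancy": "dedicated"}}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0web1", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": _T, "tags": {"Name": "web"},
     "configuration": {"placement": {"tenancy": "default"}}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0plain", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": _T, "tags": {}, "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0enc", "configurationItemStatus": "ResourceDeleted",
     "configurationItemCaptureTime": _T, "tags": {}, "configuration": {"encrypted": True}},
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item["resourceId"], *evaluate_compliance(item, {}))
```

Deploy it as a Lambda function behind a custom Config rule scoped to AWS::EC2::Instance and AWS::EC2::Volume; the function's role needs config:PutEvaluations. The third BAA requirement, recording and retaining activity around ePHI, is not something a per-resource rule can verify from a configuration item; it is covered by keeping CloudTrail and S3 access logging on, which the golden environment already enforces.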
AWS GovCloud (US) is an isolated region of the AWS Cloud intended for customers with strict regulatory and compliance needs and sensitive data/workloads. It launched in August 2011 to meet the needs of US Government customers and companies subject to ITAR regulation.
AWS GovCloud (US) features
• Dedicated GovCloud Management Console
• Separate AWS IAM and authentication
• Located in the Pacific NW (Oregon)
• Data, network, and machine isolation from other regions
• “Community Cloud” with vetted account holders who are US persons
• Multiple regulatory and compliance features
• Managed by US persons on US soil
AWS GovCloud (US) compliance differentiation
Addresses regulatory and compliance requirements:
• FIPS 140-2 validated cryptographic endpoints for services
• VPC mandatory for all customers/accounts
Certifications and accreditations: same as other Regions, plus…
• FedRAMP Agency ATO (Moderate level)
• ITAR, CJIS and HIPAA compliant
• DoD Security Requirements Guide (SRG) Levels 2 and 4
Additional Resources
• Amazon Web Services Cloud Compliance: https://aws.amazon.com/compliance/
• SbD website and whitepaper: https://aws.amazon.com/compliance/security-by-design/
• CIS Benchmarks: http://tinyurl.com/cisaws100
• AWS Config Rules Repository: https://github.com/awslabs/aws-config-rules
Q & A