Security is your number one priority and it is ours too. With customers around the world across all industries, it is our top priority to ensure the underlying cloud infrastructure is secure and compliant. This presentation will address our shared security responsibility model and specific compliance requirements such as FedRAMP and the DISA/DoD Cloud Security Model, and detail the specific AWS compliance programs that support our customers in these compliance environments.
AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs
Chris Gile, Senior Manager
AWS Risk and [email protected]
Shared Security Responsibility
• AWS & Customers both have security/compliance obligations
• Logical assessment & accreditation boundaries
Cross-service Controls
Service-specific Controls
Managed by AWS
Managed by Customer
Compliance of the Cloud
Compliance in the Cloud
Cloud Service Provider Controls
Optimized Network/OS/App Controls
AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
– All AWS US Regions (US East/West, & GovCloud (US))
– EC2, S3, EBS, VPC, IAM
– New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests; agencies can still request the AWS FedRAMP package from the FedRAMP PMO
– AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, as well as the FedRAMP package
cloud.cio.gov/fedramp/amazon
Building Solutions on AWS
• Partners & Agencies can leverage FedRAMP compliant AWS
• AWS’s FedRAMP package covers AWS infrastructure and underlying management of services
• Partner’s FedRAMP package includes inherited controls; shared controls document the partner’s application/service built on AWS
• To support partners we can provide:
– Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
– SSP Template: Pre-populated with inherited control language, guidance on completing shared controls
– ATO Letters as stand-alone documents
– Support: Security Solutions Architects, Security Assurance Architects, Professional Services
AWS Documentation Support
• AWS Package is specific to the AWS Infrastructure
• Partner’s Package is specific to the Partner’s Application or managed services
• Inherited v. Shared Controls
AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA-managed Cloud Security Model (CSM)
• 70 additional control enhancements overlaid on FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs
Certifications & Compliance
• AWS Environment
– SOC 1/2/3
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
– FedRAMP (up to Moderate)
– AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA/FedRAMP (US Federal Government)
– DIACAP – up to MAC II Sensitive
– International Traffic in Arms Regulations (ITAR)
Customer Resources
• Whitepapers
– Risk & Compliance Whitepaper
– Overview of Security Processes
– “Security at Scale” series
  • Governance in AWS
  • Logging in AWS
• Template
– FedRAMP SSP Template
• Workbooks
– FISMA-High
– CJIS
Other Compliance Programs
• FISMA-High
– Workbook available for partners under NDA
– 84 additional control enhancements; 21 inherited, 54 shared, 9 customer
• CJIS Workbook
– Available under NDA
– 121 security requirements; 10 inherited, 87 shared, and 24 customer-responsible requirements
• Both are partner-based approaches to build a portfolio of authorizations
AWS Compliance & Security Centers
• Answers to many security and compliance questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
Additional AWS Security & Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam
Questions?
Thank You
Chris Gile