Clarke Rodgers (CISO, SCOR Velogica)'s presentation on SCOR's journey to SOC2/TYPE2 via AWS at the NYC Alert Logic Cloud Security Summit on June 14th, 2016.
2. About
• SCOR Velogica
- Business unit within SCOR Global Life Americas
- Location: Charlotte, NC
- Home to the Velogica automated life insurance underwriting service (B2B).
- Over 2.5 million underwriting recommendations have been issued by the Velogica Service since its inception.
• Our Customers
- Direct life insurers
- Focused on the Velogica platform's business agility and the security of their customers' data.
3. Challenge
Business Problem
- Security questionnaires and related due diligence were taking up too much time and resources during the sales cycle. How do we prove to our future and existing clients that we have best-in-class security?
4. Solution
Business Solution
- Obtain an internationally recognized and accepted third-party assurance report attesting to the security controls in place at SCOR Velogica.
- Provide the report to clients (and prospective clients) in lieu of spreadsheet exchanges, meetings, etc.
- Do it quickly.
5. What is SOC2/Type2?
• A set of standards (Trust Principles) developed by the AICPA covering:
- Security (base report)
- Confidentiality (additive)
- Availability (additive)
- Processing Integrity (additive)
- Privacy (additive)
• Controls are reviewed and tested annually (at minimum) by a third-party auditing firm.
• Becoming the de facto standard for third-party assurance reports on security controls.
Learn more at www.aicpa.org
6. SOC2 by way of AWS
For SCOR Velogica, the best path to achieving SOC2/T2 attestation was to move to AWS by:
- Focusing on OUR expertise: the controls, development and operations that are key to our business (e.g. the Velogica web service).
- Relying on best-of-breed trusted third parties (e.g. AWS, 2nd Watch and Alert Logic) to do what THEY do best:
  - AWS: cloud computing infrastructure, management platform and services.
  - 2nd Watch (MCSP): professional services [design and migration] and managed cloud operations.
  - Alert Logic (MSSP): security monitoring, log correlation and 24/7 security operations.
7. Key Decisions: SCOR Velogica AWS Migration
1. Develop cloud expertise internally?
2. Migrate to AWS platforms and services, or perform a "lift and shift" of our existing platform?
3. How do we communicate/educate our clients on the move?
Pro tip: Don't assume everyone knows that Amazon is in the datacenter business. :)
9. A note about Trust
The more you know about a provider, and the more transparent they are about their services, the more trust you can place in their offerings and their ability to execute.
We:
1. Reviewed (under NDA) the available assurance reports for each key provider.
2. Made site visits, interviewed key personnel and asked detailed questions about what mattered most to our business.
3. Met with current customers to get their insights on the providers.
It is YOUR responsibility to thoroughly vet your providers.
10. For your further investigation
AWS
- Has more certified platforms and services (for your workloads) than any other cloud provider... and the list keeps growing.
- Internal operations are validated and published (under NDA) for customer review (see aws.amazon.com/compliance for more info).
2nd Watch
- Maintains SOC2/Type2 attestation.
- Audited by AWS under partner program agreement.
Alert Logic
- Maintains SOC1/Type2 and SOC2/Type2 attestations.
- Audited by AWS under partner program agreement.
11. Our Enhanced Security Posture in AWS
If it logs, we log it.
If it can be encrypted, we encrypt it.
12. SCOR Velogica's Cloud Security Program
Each member of the team excels at their individual strengths, making the entire team stronger.
- AWS: Foundational cloud platform with resilient architecture. Security baked into every product and service. API driven. Strong security partner ecosystem.
- Alert Logic: Security operations expertise. Threat and vulnerability management, log monitoring and correlation. Security intelligence and threat research, etc.
- 2nd Watch: Secure cloud design and best practices. Patching, antivirus, web proxy, Active Directory, hardened builds, IAM, infrastructure and application monitoring, etc.
- SCOR Velogica: Overall responsibility for the program. Secure application development, access review, security awareness, incident response coordination, reporting, client interaction, etc.
Oversight of the entire program is the customer's (your) responsibility. If your vendors aren't measuring up, find different ones, coach the ones you have, or do it yourself.
13. So what does "All-in AWS" mean exactly?
Three pieces of our critical infrastructure NOT in AWS:
• Desk phones.
• Internet connection.
• Printers.
- Secure MFA access to AWS Workspaces from anywhere on any supported device.
- Customer-facing Velogica Web Service: in AWS.
- All application development: in AWS.
- All customer billing and operations: in AWS.
- All core infrastructure (e.g. Active Directory, network file shares, etc.): in AWS.
- Business Continuity: in AWS.
- Disaster Recovery: in AWS.
All new technology product and service purchases are either AWS friendly or other third-party SaaS offerings (e.g. Office 365). If not, we don't buy it!
14. Non-SOC2-related benefits of our move to AWS
- Failure is cheap.
- Granular control over our costs.
- Real-time detailed inventory of everything we have.
- Built-in metrics of what is being used and what isn't.
We are at the cusp of the cloud computing revolution. It is really just starting, and we've positioned ourselves to take full advantage of all the innovations yet to come. Exciting times!
15. Next steps for SCOR Velogica
- Maintain SOC2/Type2.
- Exploit the AWS platform to our business advantage:
  - Continue the automation of our entire software development lifecycle.
  - Build an automated, event-driven security program to address human errors/misconfiguration.
  - Duplicate the application environment when needed to support international expansion of the Velogica platform.
- Continue maturing our DevOps/DevSecOps culture within the development and infrastructure/ops teams.
- Training and certification path for everyone who wants it.
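What the "automated, event-driven security program" and the "if it can be encrypted, we encrypt it" rule look like in code, as an added example (not SCOR Velogica's, 2nd Watch's or Alert Logic's own code): a Lambda-style handler that evaluates CloudTrail records delivered by EventBridge and flags two classic human errors, an admin port opened to the world and storage created without encryption. Field names follow CloudTrail's documented request parameters; the sample events, group id and remediation action names are constructed for the example.

```python
"""Event-driven misconfiguration checks over CloudTrail-style events (added example)."""

WIDE_OPEN = {"0.0.0.0/0", "::/0"}   # "from anywhere" CIDRs
ADMIN_PORTS = {22, 3389}            # SSH and RDP

def evaluate(event: dict) -> list:
    """Return a list of findings for one CloudTrail record; an empty list means compliant."""
    findings = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "AuthorizeSecurityGroupIngress":
        # Human error 1: an admin port reachable from the whole internet.
        for perm in params.get("ipPermissions", {}).get("items", []):
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)   # no ports => all traffic
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            for rng in ranges:
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr in WIDE_OPEN and any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append(f"{params.get('groupId')}: {cidr} allowed on {lo}-{hi}")
    elif name == "CreateVolume" and not params.get("encrypted", False):
        # Human error 2: "if it can be encrypted, we encrypt it" - an unencrypted EBS volume.
        findings.append(f"volume {params.get('size')}GiB in {params.get('availabilityZone')} "
                        "created unencrypted")
    elif name == "DeleteBucketEncryption":
        findings.append(f"default encryption removed from bucket {params.get('bucketName')}")
    return findings

def handler(event: dict, context=None) -> dict:
    """Lambda entry point. EventBridge wraps the CloudTrail record under 'detail';
    the returned action is what a remediation step (constructed name) would consume."""
    findings = evaluate(event.get("detail", event))
    return {"action": "revert-and-alert" if findings else "none", "findings": findings}

# Constructed sample records (the group id and sizes are made up for the example).
OPEN_SSH = {"eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
PLAIN_VOLUME = {"eventName": "CreateVolume",
                "requestParameters": {"size": 100, "availabilityZone": "us-east-1a",
                                      "encrypted": False}}
SAFE_VOLUME = {"eventName": "CreateVolume",
               "requestParameters": {"size": 8, "availabilityZone": "us-east-1a",
                                     "encrypted": True}}

if __name__ == "__main__":
    for record in (OPEN_SSH, PLAIN_VOLUME, SAFE_VOLUME):
        print(handler({"detail": record}))
```

Every finding is also a log line worth keeping: the same records feed the "if it logs, we log it" side of the program, so a correlation platform can alert on the same events the handler reverts.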
16. Final Thoughts: What business are you in?
At SCOR Velogica, we provide the leading automated life insurance underwriting platform in the industry. We are experts in automated life insurance underwriting.
We are not:
- In the datacenter management business.
- In the enterprise infrastructure/cloud management business.
- In the security monitoring/threat analytics and log review business.
There are others who will operate in the above spaces with an expertise that will be hard to match, because that is their focus.
17. Resources
• AWS Compliance - https://aws.amazon.com/compliance/
• AWS Security - https://aws.amazon.com/security/
• AWS Contact for SOC1, SOC2 & PCI Compliance packages - https://aws.amazon.com/compliance/contact/
• PCI FAQs, including which AWS services are in scope - https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
• Introduction to AWS Security - https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf
• Cloud Security Whitepaper - https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
• Cloud Security Best Practices - https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
• AWS Well-Architected Framework - https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
• AWS Cloud Adoption Framework Documents:
  o https://d0.awsstatic.com/whitepapers/Maturity_Perspective_v1.0.pdf
  o https://d0.awsstatic.com/whitepapers/Process_Perspective_v1.0.pdf
  o https://d0.awsstatic.com/whitepapers/Operations_Perspective_v1.0.pdf
  o https://d0.awsstatic.com/whitepapers/AWS_CAF_People_Perspective.pdf
  o https://d0.awsstatic.com/whitepapers/Platform_Perspective.pdf
  o https://d0.awsstatic.com/whitepapers/Business_Perspective_v1.0.pdf
  o https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
• AWS Blogs to Read Every Day - https://aws.amazon.com/blogs/aws/ ; https://blogs.aws.amazon.com/security/
• AWS Case Studies - https://aws.amazon.com/solutions/case-studies/enterprise-it/?hp=tile
• AWS Global Infrastructure - https://aws.amazon.com/about-aws/global-infrastructure/?hp=tile
• Example of what can be done in AWS that can't be matched on premise (from a security perspective) - https://securosis.com/blog/event-driven-security-on-aws-a-practical-example
• Must-attend events: https://aws.amazon.com/summits/ ; https://reinvent.awsevents.com/
• Training Resources (other than official AWS courses): https://cloudacademy.com/
• Books - Consumption Economics by J.T. Wood & The Phoenix Project by Gene Kim and Kevin Behr