2. Problem Statement
Increasing complexity (mobility, system connectivity)
causes increasing difficulty in managing risk and security
and demonstrating compliance.
3. Current State – Technology Governance
Policies
Procedures and
Guidelines
Standards
4. Issues – Technology Governance
The majority of technology governance processes rely
predominantly on administrative and operational security
controls with LIMITED technology enforcement.
Assets
Threat
Vulnerability
Risk
AWS has an opportunity to innovate and
advance Technology Governance Services.
5. The AWS Platform
Account Support: Support; Managed Services; Professional Services; Partner Ecosystem; Training & Certification; Solution Architects; Account Management; Security & Pricing Reports; Technical Acct. Management
Marketplace: Business Applications; DevOps Tools; Business Intelligence; Security; Networking; Database & Storage; SaaS Subscriptions; Operating Systems
Mobile: Build, Test, Monitor Apps; Push Notifications; Build, Deploy, Manage APIs; Device Testing; Identity
Enterprise Applications: Document Sharing; Email & Calendaring; Hosted Desktops; Application Streaming; Backup
Game Development: 3D Game Engine; Multi-player Backends
Mgmt. Tools: Monitoring; Auditing; Service Catalog; Server Management; Configuration Tracking; Optimization; Resource Templates; Automation
Analytics: Query Large Data Sets; Elasticsearch; Business Analytics; Hadoop/Spark; Real-time Data Streaming; Orchestration Workflows; Managed Search; Managed ETL
Artificial Intelligence: Voice & Text Chatbots; Machine Learning; Text-to-Speech; Image Analysis
IoT: Rules Engine; Local Compute and Sync; Device Shadows; Device Gateway; Registry
Hybrid: Devices & Edge Systems; Data Integration; Integrated Networking; Resource Management; VMware on AWS; Identity Federation
Migration: Application Discovery; Application Migration; Database Migration; Server Migration; Data Migration
Infrastructure: Regions; Availability Zones; Points of Presence
Compute: Containers; Event-driven Computing; Virtual Machines; Simple Servers; Auto Scaling; Batch; Web Applications
Storage: Object Storage; Archive; Block Storage; Managed File Storage; Exabyte-scale Data Transport
Database: MariaDB; Data Warehousing; NoSQL; Aurora; MySQL; Oracle; SQL Server; PostgreSQL
Application Services: Transcoding; Step Functions; Messaging
Security: Certificate Management; Web App. Firewall; Identity & Access; Key Storage & Management; DDoS Protection; Application Analysis; Active Directory
Dev Tools: Private Git Repositories; Continuous Delivery; Build, Test, and Debug; Deployment
Networking: Isolated Resources; Dedicated Connections; Load Balancing; Scalable DNS; Global CDN
6. Flexibility and Complexity
What is the regulatory
requirement?
What's in-scope or out-
of-scope?
How to verify the
standards are met?
7. Security by Design
Security by Design (SbD) is a security
assurance approach that formalizes AWS
account design, automates security controls,
and streamlines auditing.
Instead of relying on auditing security
retroactively, SbD provides security control
built in throughout the AWS IT management
process.
Identity & Access Management; CloudTrail; CloudWatch; Config Rules; Trusted Advisor; CloudHSM; Key Management Service; Directory Service
8. Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code
  • Modular
  • Versioned
  • Constrained
Developing new risk mitigation capabilities, which go beyond global security frameworks,
by treating risks, eliminating manual processes, and optimizing evidence and audit ratification
processes through rigid automation.
AWS Config Rules Examples:
https://github.com/awslabs/aws-config-rules
10. SbD - Modernize Tech Governance (MTG)
Why?
Complexity is growing, making the old way to
govern technology obsolete
You need automation that AWS offers to manage
security
11. Goal - Modernize Tech Governance (MTG)
Adopting “Prevent” controls, making
“Detect” controls more powerful and
comprehensive
12. SbD - Modernizing Technology Governance (MTG)
1. Decide what to do (Strategy)
   1.1 Identify Stakeholders
   1.2 Identify Your Workloads Moving to AWS
2. Analyze and Document (outside of AWS)
   2.1 Rationalize Security Requirements
   2.2 Define Data Protections and Controls
   2.3 Document Security Architecture
3. Automate, Deploy & Monitor
   3.1 Build/deploy Security Architecture
   3.2 Automate Security Operations
   3.3 Continuous Monitor
   3.4 Testing and Game Days
4. Certify
   4.1 Audit and Certification
13. Industry Standards and Benchmarking
CIS Amazon Web Services Foundations
Benchmark v1.0.0
Description
This document provides prescriptive guidance
for configuring security options for a subset of
Amazon Web Services with an emphasis on
foundational, testable, and architecture agnostic
settings.
17. (NOT) BEING A BANK
• Fintech a new area of business – and hype
• Unknown requirements from the regulators
• Security and compliance
• Compliance and security
• Regulations have to catch up
18. • The use of a public cloud
• Fulfilment of national and EU regulations
• Data protection and location (soon GDPR)
• Data encryption and encryption key control
COMPLIANCE CONSIDERATIONS
19. • The use of multiple AWS accounts
• The use of public and private subnets
• Minimizing the surface of attack
• Deployment of tight security groups
• 2-factor all the things!
SECURITY CONSIDERATIONS
22. • AWS Config to ensure continuous compliance
• Default rules and custom rules
• Default rules: AWS best practices
• Custom rules: AWS Lambda and AWS SDKs
CONTINUOUS COMPLIANCE
23. • Cover your security policy with AWS Config rules
• Create AWS Lambda functions that make sense for
your environment.
CONTINUOUS COMPLIANCE
24. • AWS Config saves a lot of time on manual
compliance checks
• You need to implement your own rules into
AWS Lambda
• Implementing your own rules is easy!
• Implement more rules and maybe look more
into AWS Organizations
BENEFITS AND NEXT STEPS
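The slides above say that custom AWS Config rules are AWS Lambda functions written with the AWS SDKs, and slide 19 calls for tight security groups and a minimal attack surface. The following is an added example (not from the slides, AWS, or the awslabs repository linked earlier) of one such custom rule: a Lambda handler that evaluates AWS::EC2::SecurityGroup configuration items and reports NON_COMPLIANT to Config when an ingress rule exposes a port to 0.0.0.0/0 or ::/0 that is not on an allow-list. The event fields (invokingEvent, ruleParameters, resultToken) and the PutEvaluations call are the real Config custom-rule interface; the rule parameter name "allowedPorts", the sample event and the security group id are constructed for this example. The check is kept as pure functions so it can be run and tested offline; only lambda_handler needs boto3 and AWS credentials.

```python
"""Custom AWS Config rule backed by Lambda (added example, not from the slides).

Evaluates AWS::EC2::SecurityGroup configuration items and reports
NON_COMPLIANT when an ingress rule exposes a port to 0.0.0.0/0 or ::/0
that is not on the allow-list.  The check itself is pure Python so it
runs offline; only lambda_handler talks to the Config API.
"""
import json

# Ports that may be reachable from anywhere unless the (hypothetical)
# rule parameter "allowedPorts" (e.g. "80,443") overrides the default.
DEFAULT_ALLOWED_PORTS = frozenset({80, 443})
WORLD_CIDRS = frozenset({"0.0.0.0/0", "::/0"})


def _cidrs(permission):
    """Yield every CIDR in one ipPermissions entry.  Config has recorded
    ranges both as plain strings (ipRanges) and as dicts (ipv4Ranges /
    ipv6Ranges), so both layouts are accepted (assumption: no other form)."""
    for key in ("ipRanges", "ipv4Ranges"):
        for entry in permission.get(key) or []:
            yield entry if isinstance(entry, str) else entry.get("cidrIp")
    for entry in permission.get("ipv6Ranges") or []:
        yield entry if isinstance(entry, str) else entry.get("cidrIpv6")


def world_open_ports(configuration, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Describe each ingress rule that is reachable from the whole internet
    and is not fully covered by allowed_ports."""
    findings = []
    for perm in configuration.get("ipPermissions") or []:
        if not any(cidr in WORLD_CIDRS for cidr in _cidrs(perm)):
            continue
        proto = perm.get("ipProtocol")
        if proto == "-1":                      # "all traffic" rule
            findings.append("all/all")
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:           # e.g. ICMP type/code rules
            findings.append(f"{proto}/unspecified")
            continue
        if not set(range(lo, hi + 1)) <= set(allowed_ports):
            findings.append(f"{proto}/{lo}-{hi}")
    return findings


def evaluate(configuration_item, rule_parameters):
    """Map one configuration item to (ComplianceType, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule covers security groups only"
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    allowed = DEFAULT_ALLOWED_PORTS
    raw = rule_parameters.get("allowedPorts", "")
    if raw.strip():
        allowed = frozenset(int(p) for p in raw.split(",") if p.strip())
    findings = world_open_ports(configuration_item.get("configuration") or {}, allowed)
    if findings:
        return "NON_COMPLIANT", "world-reachable: " + ", ".join(findings)
    return "COMPLIANT", "no unexpected world-reachable ports"


def build_evaluation(event):
    """Parse the Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized and scheduled notifications carry no full item; a
        # production rule would fetch it via GetResourceConfigHistory.
        raise ValueError("only ConfigurationItemChangeNotification is handled here")
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate(ci, params)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],              # Config caps annotations at 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the result to Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the pure logic stays importable offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event: SSH (22) and HTTPS (443) both open to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",           # constructed id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
            ]},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Run it locally and the sample group comes back NON_COMPLIANT with the annotation "world-reachable: tcp/22-22" (443 is on the default allow-list). Deployed as a Config custom rule triggered on configuration changes for AWS::EC2::SecurityGroup, the same function turns the "tight security groups" policy from slide 19 into a detective control that runs on every change rather than at audit time.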
25. Continuous Monitor – Splunk
Data sources: AWS CloudTrail; AWS Config; AWS CloudWatch; EMR; Kinesis; VPC; ELB; S3; Lambda; IoT; Other Services
Add-on for AWS / Splunk App for AWS: Explore, Analyze, Dashboard, Alert
Use Cases for AWS:
Security Intelligence (CloudTrail, CloudWatch, VPC)
Operational Intelligence (CloudWatch, ELB, etc.)
DevOps Intelligence (CloudWatch, Lambda)
Big Data Insights (Kinesis, EMR, IoT, S3)
28. Closing the Loop
SbD - Modernizing Technology Governance
Result: Reliable technical implementation and enforcement
of operational and administrative controls
29. AWS Global Regulatory Compliance Resources
Terms & Conditions to Support Regulatory Requirements
Industry Regulatory, Security, & Governance Expertise On Staff
Regional Compliance Guides
• Using AWS in the Context of Australian Privacy Considerations
• Using AWS in the Context of Malaysian Privacy Considerations
• Using AWS in the Context of New Zealand Privacy Considerations
• Using AWS in the Context of Singapore Privacy Considerations
• AWS European Union Data Protection
• AWS US FFIEC Audit Guide
• IT Grundschutz Compliance on AWS
• OCIE Cybersecurity Workbook for AWS
• AWS CIS Foundation Benchmarks
• FISC Guidelines on AWS
AWS Enterprise Support
• 24/7 Access
• Enterprise-grade Response Times
• Designated Technical Account Managers
• Support Concierge
• AWS Trusted Advisor – Full Checks Suite
• Infrastructure Event Management
• Enterprise Architectural Support
• Operations Support
• AWS Support API
• 3rd Party Software Support
Active Regulatory Engagement Worldwide
• Regional Informational Roundtables for Regulatory Agencies
• Regional Compliance Guides
• Policy Initiatives
• Former Regulators
• Former Top 5 Investment Bank Compliance Officers
• Financial Services Information Security Professionals
• Financial Services Governance & Audit Professionals
• EU Model Clauses
• Data Sovereignty/Residency
• Regional Regulatory Supervision
• Reversibility
awscompliance@amazon.com
30. AWS Resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
AWS Compliance Whitepaper:
• https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
SbD website and whitepaper – to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/
AWS Security Best Practices:
• https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf