This session delves into the partnership between TechnologyOne, Departments and Agencies within the Federal Government, and AWS: how TechnologyOne's solution architecture achieved economies of scale that enable efficient delivery of services to agencies, and how the Shared Responsibility Model guided this three-way partnership in meeting ISM security requirements.
Speaker: Iain Rouse, Group Director, Cloud R&D, TechnologyOne
Level: 200
Partnering to Deliver Cost Efficient and Reliable Corporate Services to Agencies - AWS PS Summit Canberra 2017
1. Commercial in confidence
Jenny Johnson, Marketing Director
Aaron Hauck, Enterprise Engineer, ITSA
Iain Rouse, Group Director - Cloud, CISO
August 2017
Delivering Cost-Effective and Reliable Corporate Services to Agencies
2. TechnologyOne Cloud
Rich Compliance and Strong Industry Recognition
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018
SOC 1, SOC 2, UK G-Cloud
Australian ISM, New Zealand ISM
Competencies
• Education
• Government
• Public Sector
5. Public Sector SaaS Customers
Local Government
State Government
Education
Central Government
6. TechnologyOne Cloud
Cloud Service Platform
Built using Ci Anywhere
API Driven Automation
Major software releases, delivered twice a year
One global platform
Trust Services Principles: Security, Availability, Privacy, Confidentiality, Processing Integrity
Core Service API: Network, Compute, OS, Storage, Queueing, Messaging, Licencing, Email
Software Services: Reports, Refreshes, Encryption, Backups, Insights, Releases, Monitoring, Fixes, Upgrades, Auto Scale, Self Healing
Software as a Service
International Standards: ISO 27001, ISO 27017, ISO 27018, SSAE 16, ISAE 3402, SOC 1, SOC 2, IRAP, G-Cloud, PCI DSS
8. TechnologyOne Cloud
AWS - Responsible for Security OF the Cloud
Compute, Database, Storage, Networking
International Standards
TechnologyOne - Responsible for Security IN the Cloud
Network, Data, Firewall, OS
International Standards: ISO 27001, ISO 27017, ISO 27018, SSAE 16, ISAE 3402, SOC 1, SOC 2, IRAP
Network, Software, Availability, Updates, Scalability, Durability
Agency Customer - Responsible for Configuration IN the Cloud
Reports, Refreshes, Templates, Features, Approach, Proven Fit
Consumes Software as a Service
14. Standards & Guidelines
Different standards, consistent requirements
PCI DSS 3.2, Requirement 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Information Security Manual 2016, Access Controls - Principle 3 - Detect and attribute any violations of information security policy—including cyber security incidents, breaches and intrusions—by maintaining, auditing and ensuring the availability and integrity of event logs.
15. Creating W.O.R.M. Buckets - Start With A New AWS Account
Separate Root Credentials
Auditability
Cross account access to S3 is implicitly denied by bucket ACLs
Absolute Control of IAM Policies
Create an Air Gap Between Applications and Data
Billing and Cost Management
Trust principles: Security, Privacy, Processing Integrity
16. Setting Up New Account
Ensure Contact Details Are Correct
MFA Root Credentials
Physical MFA Token
Locked in Fire Proof Safe
Cloud Trail Enabled - All Regions
Log Integrity Validation
Log File Encryption
Limit use of IAM users
Long lived access credentials – terrible idea!
Trust principles: Security, Privacy, Processing Integrity
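The "Log Integrity Validation" bullet above and the PCI DSS 10.5.5 wording on slide 14 (existing log data must not be changeable without an alert, while appending new data must not alert) both describe a chained digest over delivered log files. The following is an added illustration of that mechanism, not code from the presentation or from AWS: it models the shape of CloudTrail's digest files (a per-period list of log-file SHA-256 hashes plus the previous digest's signature) but signs with a locally held HMAC key as a stand-in for the RSA signature and AWS-held keys that the real service uses. All file names, contents and the key are constructed sample values.

```python
"""
Constructed model of hash-chained log digests in the style of CloudTrail's
log file integrity validation. NOT the real digest format: real digests are
RSA-signed with AWS-managed keys; this example uses HMAC-SHA256 with a
locally held key as a stand-in so it runs offline.
"""
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"hypothetical-verifier-key"   # stand-in for the signer's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(payload: dict) -> str:
    """Sign the canonical JSON form of a digest body (HMAC stand-in for RSA)."""
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def make_digest(log_files: dict, previous_signature: Optional[str]) -> dict:
    """Digest for one delivery period: the hash of every log file delivered in
    the period plus the previous digest's signature, which chains the digests."""
    body = {
        "logFiles": [{"name": n, "sha256": sha256_hex(c)} for n, c in sorted(log_files.items())],
        "previousDigestSignature": previous_signature,
    }
    return {"body": body, "signature": sign(body)}


def verify_chain(digests: list, log_store: dict) -> list:
    """Walk the chain oldest to newest and return a list of problems (empty
    means intact). Checks each digest's signature, each log file's hash, and
    that every digest's previousDigestSignature is the prior digest's signature."""
    problems = []
    expected_prev = None
    for i, d in enumerate(digests):
        body = d["body"]
        if not hmac.compare_digest(sign(body), d["signature"]):
            problems.append(f"digest {i}: signature invalid (digest altered)")
        if body["previousDigestSignature"] != expected_prev:
            problems.append(f"digest {i}: chain broken (previous digest missing or altered)")
        for entry in body["logFiles"]:
            content = log_store.get(entry["name"])
            if content is None:
                problems.append(f"digest {i}: {entry['name']} deleted")
            elif sha256_hex(content) != entry["sha256"]:
                problems.append(f"digest {i}: {entry['name']} modified")
        expected_prev = d["signature"]
    return problems


def demo() -> dict:
    """Run the four scenarios the requirement cares about and return the verdicts."""
    # Constructed sample log files across two delivery periods.
    period1 = {"2017-08-01/trail-0001.json.gz": b'{"eventName":"AssumeRole"}',
               "2017-08-01/trail-0002.json.gz": b'{"eventName":"PutObject"}'}
    period2 = {"2017-08-02/trail-0003.json.gz": b'{"eventName":"GetObject"}'}
    store = dict(period1)
    digests = [make_digest(period1, None)]
    intact_after_period1 = verify_chain(digests, store)

    # Appending new data: a new period and a new digest must NOT raise an alert.
    store.update(period2)
    digests.append(make_digest(period2, digests[-1]["signature"]))
    intact_after_append = verify_chain(digests, store)

    # Tampering 1: rewrite an existing log file in place -> must be reported.
    tampered_store = dict(store)
    tampered_store["2017-08-01/trail-0001.json.gz"] = b'{"eventName":"Nothing"}'
    modified = verify_chain(digests, tampered_store)

    # Tampering 2: drop the first digest to hide that period -> chain break reported.
    missing_digest = verify_chain(digests[1:], store)

    return {
        "intact_after_period1": intact_after_period1,
        "intact_after_append": intact_after_append,
        "modified": modified,
        "missing_digest": missing_digest,
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:<22} {'OK' if not verdict else verdict}")
```

The verifier's key is what makes this defensive: if the same account that writes the logs could also re-sign digests, tampering would go unnoticed, which is why the deck puts the bucket in a separate account with root credentials locked away.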
17. Read or Write vs Read and Write
Visualising Fine Grain Control
19. W.O.R.M. Bucket Optional Components
Consider the sensitivity of data
MFA Delete
Require Root credentials and MFA token to delete objects
Provides third layer of defence
Requires Root credentials to set up
Cloud Trail Data Level Event Logging
Records details of event, IAM, IP Address, time etc.
Assume Role events recorded in Cloud Trail
S3 Bucket Logging can capture other details
Trust principles: Security, Privacy, Processing Integrity
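Slides 15 to 19 describe one procedure: a dedicated account, explicit denies first, then a conscious "read or write, never read and write" allow for each principal, with cross-account access denied unless explicitly granted. The block below is an added example, not the presenter's or TechnologyOne's code: it generates such a bucket policy and runs a small model of IAM's resource-policy evaluation over it (explicit Deny beats Allow; anything not allowed is implicitly denied). The bucket name, account IDs and role ARNs are hypothetical placeholders, and the evaluator is a teaching model, not the real AWS engine (it ignores IAM identity policies, conditions and SCPs). MFA Delete and versioning from slide 19 are bucket settings, not policy statements, so they are only noted in a comment.

```python
"""
Constructed illustration of the 'explicit deny first' W.O.R.M. bucket policy
pattern. All ARNs and names are hypothetical placeholders; evaluate() is a
small model of resource-policy logic, not the real IAM evaluator.
"""
import fnmatch
import json

BUCKET = "example-worm-audit-logs"                       # hypothetical
WRITER = "arn:aws:iam::111111111111:role/LogWriter"       # hypothetical, write-only
READER = "arn:aws:iam::222222222222:role/LogAuditor"      # hypothetical, read-only


def worm_bucket_policy(bucket: str, writer_arn: str, reader_arn: str) -> dict:
    """Explicit denies first, then two conscious allows: a principal may read
    OR write, never read AND write, and nobody may delete or alter ACLs.
    (MFA Delete / versioning are separate bucket settings, not shown here.)"""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. Nobody, in any account, may remove or re-expose what is stored.
                "Sid": "DenyDestructiveActions",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                           "s3:PutObjectAcl", "s3:PutBucketAcl",
                           "s3:PutLifecycleConfiguration"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {   # 2. Writers append new objects only (new data should not alert).
                "Sid": "AllowWriteOnly",
                "Effect": "Allow",
                "Principal": {"AWS": writer_arn},
                "Action": ["s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
            {   # 3. Auditors read but never write.
                "Sid": "AllowReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": reader_arn},
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(principal, arn: str) -> bool:
    if principal == "*":
        return True
    return arn in _as_list(principal.get("AWS", []))


def evaluate(policy: dict, principal_arn: str, action: str, resource: str) -> str:
    """Model of resource-policy evaluation: 'deny' if any matching statement
    denies, 'allow' if one allows and none deny, else 'implicit-deny'."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "deny"            # an explicit deny cannot be overridden
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = worm_bucket_policy(BUCKET, WRITER, READER)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/2017/08/cloudtrail.json.gz"
    for who, act in [(WRITER, "s3:PutObject"), (WRITER, "s3:GetObject"),
                     (READER, "s3:GetObject"), (READER, "s3:DeleteObject"),
                     ("arn:aws:iam::999999999999:root", "s3:GetObject")]:
        print(f"{who.rsplit('/', 1)[-1]:>12} {act:<16} -> {evaluate(policy, who, act, obj)}")
```

The last case shows the "cross account access is implicitly denied" bullet: a principal from an unrelated account hits no Allow statement and falls through to the implicit deny, so every grant in the bucket is a visible, deliberate decision.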
20. Future Thoughts
Machine Learning
Detect and alert on anomalous access patterns
Restrict access controls based on actual access requirements
Identify and classify based on meta data
Big Data
Blockchain
All data is cryptographically signed and chained
Distributed - No one system controls the chain
Collaborative time stamping - everyone agrees on a sequence of events
Trust principles: Security, Privacy, Processing Integrity
21. Primitive AWS Services make this possible
By simply using S3, IAM, CloudTrail and CloudFormation
Information Security Manual 2016, Access Controls - Principle 3 - Detect and attribute any violations of information security policy—including cyber security incidents, breaches and intrusions—by maintaining, auditing and ensuring the availability and integrity of event logs.
23. In Closing
Patterns help simplify the complex
AWS have taken care of the heavy lifting
Challenge your thinking
Explicit deny is how you start
Everything you allow is a conscious decision
Considering 4 simple AWS services solve a complex problem, the question is what are you going to build on Monday?