© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hugh Barrett, VP Technical Solution, CISSP, CSSLP
Telos Corporation
Performing A Security Assessment of The Cloud Using Tools, Best Practices and The Risk Management Framework: A Case Study
Agenda
Setting the Stage
Risk Management Framework, A Brief Overview
Air-Gap Region
Assessment “of” The Cloud
Common Control Providers: Assessment “packages of” The Cloud
Assessment of your Workloads
Xacta 360, The Automated Tool of Choice
The Risk Management Framework
Risk Management Framework
Step 1: Categorize Systems - Gathering information about the system or application
Step 2: Select Security Controls - Tailor your controls; apply overlays; apply inheritance
Step 3: Implement Controls - How does my system or application implement each applicable security control?
Step 4: Assess Security Controls - Independent validation that your system has implemented all controls
Step 5: Authorize Systems - Your risk exec and authorizing officials review and grant Authorization To Operate (ATO)
Step 6: Monitor Security Controls - Continuously monitor the system’s health as it pertains to the acceptable risk and mission/business
Confidentiality, Integrity and Availability
Confidentiality = Low, Moderate or High
• How sensitive is the data that is processed by the system?
• What is the impact to the mission/business if the data is compromised or stolen?
Integrity = Low, Moderate or High
• How accurate must your data be, and what is the impact to the mission/business if it is altered incorrectly?
Availability = Low, Moderate or High
• What is the impact to the mission/business if the data is not available when needed?
NIST 800-53 Base Control Set
Control Id: AC-1
Control Validators:
AC-1.a.1.a
AC-1.a.1.b
AC-1.a.1.c
AC-1.a.2.a
AC-1.a.2.b
AC-1.a.2.c
AC-1.b.1.a
AC-1.b.1.b
AC-1.b.2.a
AC-1.b.2.b
NIST 800-53 EXT More Granular Control Set
AC-1
  AC-1.a.1
    AC-1.a.1.a
    AC-1.a.1.b
    AC-1.a.1.c
  AC-1.a.2
    AC-1.a.2.a
    AC-1.a.2.b
    AC-1.a.2.c
  AC-1.b.1
    AC-1.b.1.a
    AC-1.b.1.b
  AC-1.b.2
    AC-1.b.2.a
    AC-1.b.2.b
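An added example (not from the deck, and not Xacta code) of why the granular EXT set matters: assessor results are recorded per validator and rolled up through the AC-1.a.1 / AC-1.b.2 level to the AC-1 control, so a single failed validator surfaces as a failed control for the step 5 risk review. The rollup rule (a node passes only when every validator beneath it passes) and the sample results are assumptions; the ID parsing also yields the intermediate AC-1.a and AC-1.b levels that the slide does not list.

```python
"""Roll per-validator assessment results up the NIST 800-53 EXT hierarchy.

Added example, not part of the deck or of Xacta. Validator IDs are the ones
on the "More Granular Control Set" slide; the rollup rule (a node passes only
if every validator beneath it passes) and the sample results are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional

PASS, FAIL, NOT_ASSESSED = "pass", "fail", "not assessed"

# Leaf validators copied from the deck's AC-1 breakdown.
AC1_VALIDATORS: List[str] = [
    "AC-1.a.1.a", "AC-1.a.1.b", "AC-1.a.1.c",
    "AC-1.a.2.a", "AC-1.a.2.b", "AC-1.a.2.c",
    "AC-1.b.1.a", "AC-1.b.1.b",
    "AC-1.b.2.a", "AC-1.b.2.b",
]

# Constructed assessor results: everything passes except one failed
# validator and one the assessor has not reached yet.
SAMPLE_RESULTS: Dict[str, str] = {v: PASS for v in AC1_VALIDATORS}
SAMPLE_RESULTS["AC-1.b.2.a"] = FAIL
SAMPLE_RESULTS["AC-1.a.2.c"] = NOT_ASSESSED


def parent(node: str) -> Optional[str]:
    """AC-1.a.1.a -> AC-1.a.1 -> AC-1.a -> AC-1 -> None (AC-1 is the control)."""
    return node.rsplit(".", 1)[0] if "." in node else None


def ancestors(node: str) -> List[str]:
    """All enclosing nodes, nearest first."""
    out, p = [], parent(node)
    while p is not None:
        out.append(p)
        p = parent(p)
    return out


def rollup(results: Dict[str, str]) -> Dict[str, str]:
    """Status for every validator and every node above it.

    Worst status wins: any FAIL below a node fails it; otherwise any
    NOT_ASSESSED leaves it incomplete; otherwise it passes.
    """
    for vid, status in results.items():
        if status not in (PASS, FAIL, NOT_ASSESSED):
            raise ValueError(f"{vid}: unknown status {status!r}")
    statuses_under: Dict[str, List[str]] = defaultdict(list)
    for vid, status in results.items():
        for node in ancestors(vid):
            statuses_under[node].append(status)
    rolled = dict(results)
    for node, statuses in statuses_under.items():
        if FAIL in statuses:
            rolled[node] = FAIL
        elif NOT_ASSESSED in statuses:
            rolled[node] = NOT_ASSESSED
        else:
            rolled[node] = PASS
    return rolled


def failing_validators(results: Dict[str, str], node: str) -> List[str]:
    """Leaf validators under `node` that failed: what leadership must accept
    or remediate when the control is reported as failed (RMF steps 5 and 6)."""
    return sorted(v for v, s in results.items()
                  if s == FAIL and v.startswith(node + "."))


def main() -> None:
    rolled = rollup(SAMPLE_RESULTS)
    for node in sorted(rolled, key=lambda n: (n.count("."), n)):
        print(f"{node:<12} {rolled[node]}")
    print("AC-1 fails because of:", failing_validators(SAMPLE_RESULTS, "AC-1"))


if __name__ == "__main__":
    main()
```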
Information Type / Control Association
Security Controls (x = the control applies at that impact level)
Columns: Confidentiality L M H | Integrity L M H | Availability L M H
AC-1.a.1 - Access Control Policy and Procedures x x x x x x x x x
AC-2 (1) - Automated System Account Management x x x x x
AT-2 (2) - Insider Threat x x x x x
AT-3.c - Role-Based Security Training x x x x x x
AU-1.a.1 - Audit and Accountability Policy and Procedures x x x x x x x x x
CA-7.c - Continuous Monitoring x x x x
CM-3.b - Configuration Change Control x x x x x x
CP-2 (6) - Alternate Processing / Storage Site x x x x
IA-2 (1) - Network Access To Privileged Accounts x x x x x x x
IR-9.f - Information Spillage Response x x
Information Type Categorization
Data Type                   Confidentiality  Integrity  Availability
Business Example
Financial Data              M                H          L
Employee Salary             M                L          M
Trade Secrets               H                H          L
Suppliers                   M                L          M
Mission Example
Targeting Data              H                H          H
Counter Intelligence        H                M          M
Mapping Data                M                H          L
Personal Identifying Info   H                H          L
The Use Of Overlays
Overlays are used to alter organization-defined control sets
• Alter controls based on specific business requirements
• Add more rigor to the assessment
• Require more stringent organizational values
Examples of overlays
• Privacy
• Financial
• Defense
• Intelligence
Common Control Providers
Usually associated with enterprise systems or services
• Authentication services
• Corporate policies
• Physical security
Why have Common Control Providers?
• Reduces the amount of work associated with your assessment
• Huge time saver
• With the use of the AWS shared responsibility model, it gets your systems to the cloud faster
Applicable Controls
Isolated Region
Isolated Regions: Air-gap Cloud 1, Air-gap Cloud 2
Air-Gapped
Network is physically isolated from unsecured networks
Reason
• Complete control over who has access
• Complete control over what workloads are deployed
• Ability to enforce a process for vetting workloads before deployment
In addition
• Ability to take advantage of all that the AWS cloud has to offer
Assessment of the Air-gap Region
We needed automation, so we decided to use Xacta® 360 and Xacta® Continuum
• Define a process
• Enforce the process
• Collaborate with the AWS compliance team
• Apply the Risk Management Framework
• Support multiple standards
Assessment of The Air-gap Region
Steps performed to assess the air-gap region and services:
1. Detailed documentation of the region
2. Categorization of the data that will be processed and stored
3. Select the controls and overlays
4. A detailed description of how the air-gap region meets each control
5. Each implementation must be independently validated by your assessors
6. Leadership has to assess the risk associated with each failed control
Using Inheritance To Expedite the Assessment
Air-gap infrastructure (Regions, Edge Locations, Availability Zones): the infrastructure is assessed separately and produces its own Security Package and the required RMF documentation.
Services (Compute, Storage, Database, Networking): each service is assessed separately, inherits controls from the infrastructure Security Package, and produces its own Security Package and the required RMF documentation.
Security Assessment of Your Air-Gap Region: the security assessment “of” the Cloud covered 856 controls, of which 737 were inherited controls and 119 were the remaining controls.
AWS Infrastructure Common Control Providers
Security “packages” “of” the Cloud, each providing controls:
• Infrastructure Security Package
• EC2 Security Package
• IAM Security Package
• EBS Security Package
• RDS Security Package
• Workspaces Security Package
• S3 Security Package
Customer Workloads Inherit Controls From the “Packages of The Cloud”
The customer remains responsible for security “in” the Cloud
Implementing the AWS Shared Responsibility Model
AWS: responsible for security “of” the Cloud
Customer: responsible for security “in” the Cloud; the customer implements their own controls
Shared Controls: provided through assessment packages
Common Controls: PE, MP, MA
Leverage the AWS Shared Responsibility Model for faster cloud compliance and deployment. While AWS manages security of the cloud, security in the cloud is the responsibility of the AWS customer. Xacta inherits the AWS security controls while enabling you to implement and manage security compliance for your own content, platform, applications, systems, and networks.
Assessing Your Workload
Steps performed to assess your workload:
1. Documentation of the system
2. Categorization of the data that will be processed and stored
3. Select the controls and overlays
4. Utilize the AWS shared responsibility model (Control Providers)
5. Detailed description of how the system meets each control
6. Each implementation must be independently validated by your assessors
7. Assess the risk associated with each failed control
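As an added worked example of steps 2 to 4 above (not from the deck and not Xacta code): categorize the business information types from the categorization slide with the FIPS 199 high-water mark, select the controls whose impact thresholds are met, add an overlay, then subtract the controls the common control providers supply so that only the residual set remains for the workload owner. The control thresholds (other than AC-1.a.1 and AU-1.a.1, which the association slide marks at every level), the overlay contents and the provider packages are constructed sample data.

```python
"""RMF steps 2-4 for a workload: categorize, select, overlay, inherit.

Added example, not part of the deck or of Xacta 360. Information types come
from the deck's business example; the control thresholds (except AC-1.a.1 and
AU-1.a.1), the overlay and the provider packages are constructed samples.
"""
from typing import Dict, Iterable, Mapping, Set, Tuple

LEVELS = {"L": 1, "M": 2, "H": 3}   # FIPS 199 impact levels
OBJECTIVES = ("C", "I", "A")        # confidentiality, integrity, availability

# (C, I, A) ratings copied from the "Information Type Categorization" slide.
BUSINESS_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Financial Data": ("M", "H", "L"),
    "Employee Salary": ("M", "L", "M"),
    "Trade Secrets": ("H", "H", "L"),
    "Suppliers": ("M", "L", "M"),
}

# Constructed catalog: lowest level per objective at which the control applies;
# an objective that is absent never triggers the control. AC-1.a.1 and
# AU-1.a.1 apply at every level, as on the association slide; the rest are
# sample thresholds, not NIST baseline assignments.
CONTROL_CATALOG: Dict[str, Dict[str, str]] = {
    "AC-1.a.1": {"C": "L", "I": "L", "A": "L"},
    "AU-1.a.1": {"C": "L", "I": "L", "A": "L"},
    "AC-2 (1)": {"C": "M", "I": "M"},
    "AT-2 (2)": {"C": "H"},
    "CA-7.c": {"C": "M", "I": "M", "A": "M"},
    "CM-3.b": {"I": "M"},
    "CP-2 (6)": {"A": "H"},
    "IA-2 (1)": {"C": "L", "I": "L", "A": "L"},
    "IR-9.f": {"C": "H"},
    "PE-3": {"C": "L", "I": "L", "A": "L"},
    "MP-2": {"C": "L", "I": "L", "A": "L"},
    "MA-2": {"C": "L", "I": "L", "A": "L"},
}

# Constructed overlay adding rigor for financial data (the deck names a
# Financial overlay but not its contents).
FINANCIAL_OVERLAY: Set[str] = {"AU-6 (1)", "SI-7"}

# Constructed provider packages; the deck lists PE, MP and MA as common
# controls provided through the AWS assessment packages.
PROVIDER_PACKAGES: Dict[str, Set[str]] = {
    "AWS Infrastructure Security Package": {"PE-3", "MP-2", "MA-2"},
    "IAM Security Package": {"IA-2 (1)", "AC-2 (1)"},
}


def high_water_mark(info_types: Mapping[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """FIPS 199 high-water mark: per objective, the highest rating of any type."""
    marks = {obj: "L" for obj in OBJECTIVES}
    for name, ratings in info_types.items():
        for obj, rating in zip(OBJECTIVES, ratings):
            if rating not in LEVELS:
                raise ValueError(f"{name}: bad impact level {rating!r}")
            if LEVELS[rating] > LEVELS[marks[obj]]:
                marks[obj] = rating
    return marks


def overall_impact(marks: Mapping[str, str]) -> str:
    """System impact level: the highest of the three objectives."""
    return max(marks.values(), key=LEVELS.__getitem__)


def select_controls(marks: Mapping[str, str],
                    catalog: Mapping[str, Mapping[str, str]]) -> Set[str]:
    """A control is selected if any objective meets its threshold."""
    return {c for c, thresholds in catalog.items()
            if any(LEVELS[marks[o]] >= LEVELS[t] for o, t in thresholds.items())}


def apply_inheritance(selected: Set[str],
                      packages: Mapping[str, Set[str]]) -> Tuple[Dict[str, str], Set[str]]:
    """Split the selected set into inherited (control -> provider) and residual."""
    inherited: Dict[str, str] = {}
    for provider, controls in packages.items():
        for control in sorted(controls & selected):
            inherited.setdefault(control, provider)   # first package wins
    return inherited, selected - set(inherited)


def assess_workload(info_types, catalog, overlays: Iterable[Set[str]], packages) -> dict:
    """Run the steps in order and report counts in the deck's 856/737/119 style."""
    marks = high_water_mark(info_types)
    tailored = select_controls(marks, catalog) | set().union(*overlays)
    inherited, residual = apply_inheritance(tailored, packages)
    return {
        "categorization": marks,
        "overall_impact": overall_impact(marks),
        "total_controls": len(tailored),
        "inherited_controls": len(inherited),
        "residual_controls": sorted(residual),
        "inherited_from": inherited,
    }


if __name__ == "__main__":
    report = assess_workload(BUSINESS_INFO_TYPES, CONTROL_CATALOG,
                             [FINANCIAL_OVERLAY], PROVIDER_PACKAGES)
    for key, value in report.items():
        print(f"{key}: {value}")
```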
Assessing Your Workload
My Workload: a consumer-facing service built on the Compute, Storage, Database and Networking services, with shared controls at each layer
The workload will inherit some number of controls from the infrastructure
Services in use: EC2, S3, WorkSpaces, IAM, CloudTrail, RDS, CloudFormation
Security Baseline:
• Access Control
• Audit Control
• Media Protection
• Config Management
• Physical Control
Continuous Monitoring of Your Workload
• Identify critical controls
• Set up a schedule for reviewing controls
• Periodic vulnerability scans
• Monitor configuration changes
Tools Used
Xacta 360
Out-of-the-box implementation of the AWS shared responsibility model
• Provider Projects
• Data Categorization: C-I-A, Low, Moderate, High
• Support for International Standards/Regulations: ISO, NIST, CSF
• Risk Management: Risk Calculations
• Automated Validation
Categorize your Information System
Select Control Set
Control Inheritance
Implementation
Assess Security Controls
Useful RMF Documents
SP 800-37 - RMF Framework
SP 800-39 - Managing Information Security Risk
SP 800-30 - Guide For Conducting Risk Management
SP 800-53 - Controls
SP 800-137 - Continuous Monitoring
SP 800-60 - Data Categorization
SP 800-171 - Industrial Security
Thank You!
Now Open for Questions
Stop by our Booth #xxx for more information
Risk Management and Xacta 360

API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Performing a Security Assessment of the Cloud using the Risk Management Framework_A Case Study__AWSPSSummit_Singapore

• 1. Performing A Security Assessment of The Cloud Using Tools, Best Practices and The Risk Management Framework: A Case Study
  Hugh Barrett, VP Technical Solution, CISSP, CSSLP, Telos Corporation
  © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• 2. Agenda
  Setting the Stage
  Risk Management Framework, A Brief Overview
  Air-Gap Region
  Assessment “of” The Cloud
  Common Control Providers: Assessment “packages of” The Cloud
  Assessment of your Workloads
  Xacta 360, The Automated Tool of Choice
• 3. The Risk Management Framework
• 4. Risk Management Framework
  Step 1: Categorize Systems. Gathering information about the system or application.
  Step 2: Select Security Controls. Tailor your controls, apply overlays, apply inheritance.
  Step 3: Implement Controls. How does my system or application implement each applicable security control?
  Step 4: Assess Security Controls. Independent validation that your system has implemented all controls.
  Step 5: Authorize Systems. Your risk exec and authorizing officials review and grant Authorization To Operate (ATO).
  Step 6: Monitor Security Controls. Continuously monitor the system’s health as it pertains to the acceptable risk and mission/business.
• 5. Confidentiality, Integrity and Availability
  Confidentiality = Low, Moderate or High
  • How sensitive is the data that is processed by the system?
  • What is the impact to the mission/business if the data is compromised or stolen?
  Integrity = Low, Moderate or High
  • How accurate is your data, and how does it impact the mission/business if altered incorrectly?
  Availability = Low, Moderate or High
  • What is the impact to the mission/business if the data is not available when needed?
• 6. NIST 800-53 Base Control Set
  Control Id: AC-1
  Control Validators: AC-1.a.1.a, AC-1.a.1.b, AC-1.a.1.c, AC-1.a.2.a, AC-1.a.2.b, AC-1.a.2.c, AC-1.b.1.a, AC-1.b.1.b, AC-1.b.2.a, AC-1.b.2.b
• 7. NIST 800-53 EXT More Granular Control Set
  AC-1
    AC-1.a.1, AC-1.a.2, AC-1.b.1, AC-1.b.2
      AC-1.a.1.a, AC-1.a.1.b, AC-1.a.1.c, AC-1.a.2.a, AC-1.a.2.b, AC-1.a.2.c, AC-1.b.1.a, AC-1.b.1.b, AC-1.b.2.a, AC-1.b.2.b
• 8. Information Type / Control Association
  Columns: Confidentiality (L M H), Integrity (L M H), Availability (L M H). The marks per control are reproduced as extracted; which column each x fell in is not recoverable from the transcript.
  AC-1.a.1 - Access Control Policy and Procedures: x x x x x x x x x
  AC-2 (1) - Automated System Account Management: x x x x x
  AT-2 (2) - Insider Threat: x x x x x
  AT-3.c - Role-Based Security Training: x x x x x x
  AU-1.a.1 - Audit and Accountability Policy and Procedures: x x x x x x x x x
  CA-7.c - Continuous Monitoring: x x x x
  CM-3.b - Configuration Change Control: x x x x x x
  CP-2 (6) - Alternate Processing / Storage Site: x x x x
  IA-2 (1) - Network Access To Privileged Accounts: x x x x x x x
  IR-9.f - Information Spillage Response: x x
• 9. Information Type Categorization
  Data Type                  Confidentiality  Integrity  Availability
  Business Example
    Financial Data           M                H          L
    Employee Salary          M                L          M
    Trade Secrets            H                H          L
    Suppliers                M                L          M
  Mission Example
    Targeting Data           H                H          H
    Counter Intelligence     H                M          M
    Mapping Data             M                H          L
    Personal Identifying Info H               H          L
• 10. The Use Of Overlays
  Overlays are used to alter organizationally defined control sets:
  • Used to alter controls based on specific business requirements
  • Add more rigor to the assessment
  • Require more stringent organizational values
  Examples of overlays: Privacy, Financial, Defense, Intelligence
• 11. Common Control Providers
  Usually associated with enterprise systems or services:
  • Authentication services
  • Corporate policies
  • Physical security
  Why have Common Control Providers?
  • Reduces the amount of work associated with your assessment
  • Huge time saver
  • With the use of the AWS shared responsibility model, it gets your systems to the cloud faster
• 12. Applicable Controls
• 13. Isolated Region
• 14. Isolated Regions (diagram): Air-gap Cloud 1, Air-gap Cloud 2
• 15. Air-Gapped
  Network is physically isolated from unsecured networks. Reasons:
  • Complete control over who has access
  • Complete control over what workloads are deployed
  • Ability to enforce a process for vetting workloads before deployment
  In addition:
  • Ability to take advantage of all that the AWS cloud has to offer
• 16. Assessment of the Air-gap Region
  We needed automation, so we decided to use Xacta® 360 and Xacta® Continuum:
  • Define a process
  • Enforce the process
  • Collaborate with the AWS compliance team
  • Apply the Risk Management Framework
  • Support multiple standards
• 17. Assessment of The Air-gap Region
  Steps performed to assess the air-gap region and services:
  1. Detailed documentation of the region
  2. Categorization of the data that will be processed and stored
  3. Select the controls and overlays
  4. Produce a detailed description of how the air-gap region meets each control
  5. Each implementation must be independently validated by your assessors
  6. Leadership has to assess the risk associated with each failed control
• 18. Using Inheritance To Expedite the Assessment (diagram)
  Security assessment “of” the Cloud: the Air-gap Infrastructure (Regions, Edge Locations, Availability Zones) is assessed separately and produces a Security Package with the required RMF documentation; each service (Compute, Storage, Database, Networking) is assessed separately and produces its own Security Package with the required RMF documentation. Controls from these packages are inherited.
  Security Assessment of Your Air-Gap Region: 856 Controls in total, 737 Inherited Controls, 119 Controls remaining.
• 19. AWS Infrastructure Common Control Providers: Security “packages” “of” the Cloud (diagram)
  Infrastructure Security Package, EC2 Security Package, IAM Security Package, EBS Security Package, RDS Security Package, Workspaces Security Package, S3 Security Package; each provides controls.
  Customer: responsible for security “in” the Cloud. Customer workloads inherit controls from the “Packages of The Cloud”.
• 20. Implementing the AWS Shared Responsibility Model
  AWS: responsible for security “of” the Cloud; shared controls provided through assessment packages; common controls PE, MP, MA.
  Customer: responsible for security “in” the Cloud; the customer implements their own controls.
  Leverage the AWS Shared Responsibility Model for faster cloud compliance and deployment. While AWS manages security of the cloud, security in the cloud is the responsibility of the AWS customer. Xacta inherits the AWS security controls while enabling you to implement and manage security compliance for your own content, platform, applications, systems, and networks.
• 21. Assessing Your Workload
• 22. Assessing Your Workload
  Steps performed to assess your workload:
  1. Documentation of the system
  2. Categorization of the data that will be processed and stored
  3. Select the controls and overlays
  4. Utilize the AWS shared responsibility model (Control Providers)
  5. Detailed description of how the system meets each control
  6. Each implementation must be independently validated by your assessors
  7. Assess the risk associated with each failed control
• 23. Assessing Your Workload (diagram)
  My Workload: a Consumer Facing Service built on Compute, Storage, Database and Networking (EC2, S3, WorkSpaces, IAM, CloudTrail, RDS, CloudFormation), with shared controls at each layer.
  The workload will inherit some number of controls from the infrastructure.
  Security Baseline: Access Control, Audit Control, Media Protection, Config Management, Physical Control.
• 24. Continuous Monitoring of Your Workload
  • Identify critical controls
  • Set up a schedule for reviewing controls
  • Periodic vulnerability scans
  • Monitor configuration changes
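As an added worked example (not code from the deck or from Xacta), the categorize, select, overlay and inherit steps of slides 8 to 10 and 18 to 23 carried through in Python on the Business Example information types of slide 9. The per-objective marks in the control association and the overlay are constructed samples, since the slide's x marks cannot be read column by column from the transcript, and the high-water-mark rule is the FIPS 199 one, which the slides do not spell out.

```python
"""RMF categorize / select / overlay / inherit, worked on the deck's tables.

Added example, not from the deck or from Xacta. Information types are the
Business Example rows of slide 9. The control association is a constructed
sample in the shape of slide 8. High-water mark is the FIPS 199 rule (assumed).
"""
RANK = {"L": 0, "M": 1, "H": 2}

# Slide 9, Business Example: information type -> (C, I, A) impact levels.
BUSINESS_INFO_TYPES = {
    "Financial Data": ("M", "H", "L"),
    "Employee Salary": ("M", "L", "M"),
    "Trade Secrets": ("H", "H", "L"),
    "Suppliers": ("M", "L", "M"),
}

# Constructed sample: control id -> levels per objective at which it applies.
CONTROL_ASSOCIATION = {
    "AC-1.a.1": {"C": "LMH", "I": "LMH", "A": "LMH"},  # slide 8 shows all nine marks
    "AU-1.a.1": {"C": "LMH", "I": "LMH", "A": "LMH"},  # slide 8 shows all nine marks
    "CA-7.c":   {"C": "MH",  "I": "MH",  "A": "MH"},   # constructed marks
    "CP-2 (6)": {"C": "",    "I": "",    "A": "H"},    # constructed: availability-driven
    "IR-9.f":   {"C": "H",   "I": "",    "A": ""},     # constructed: confidentiality-driven
    "PE-3":     {"C": "LMH", "I": "LMH", "A": "LMH"},  # constructed; PE family is a slide 20 common control
}

def categorize(info_types):
    """High-water mark: each objective takes the highest level any type needs."""
    return {obj: max((levels[i] for levels in info_types.values()), key=RANK.get)
            for i, obj in enumerate("CIA")}

def select_controls(categorization, association=CONTROL_ASSOCIATION):
    """A control is selected when any objective's level is one it is marked for."""
    return {cid for cid, marks in association.items()
            if any(categorization[obj] in marks[obj] for obj in "CIA")}

def apply_overlay(selected, overlay_controls):
    """Slide 10: an overlay alters the organizational set; here it adds controls."""
    return selected | set(overlay_controls)

def partition_by_provider(selected, provider_controls):
    """Slides 18-20: controls a provider package covers are inherited; the rest
    are the customer's 'security in the cloud' to implement and have validated."""
    inherited = selected & set(provider_controls)
    return inherited, selected - inherited

if __name__ == "__main__":
    cat = categorize(BUSINESS_INFO_TYPES)                       # {'C': 'H', 'I': 'H', 'A': 'M'}
    sel = apply_overlay(select_controls(cat), {"AT-2 (2)"})     # constructed insider-threat overlay
    print(cat, *partition_by_provider(sel, {"PE-3", "AU-1.a.1"}))
```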
• 25. Tools Used
• 26. Xacta 360
  • Out-of-the-box implementation of the AWS shared responsibility model
  • Provider Projects
  • Data Categorization: C-I-A, Low, Moderate, High
  • Support for International Standards/Regulations: ISO, NIST, CSF
  • Risk Management, Risk Calculations
  • Automated Validation
• 27. Categorize your Information System
• 28. Select Control Set
• 29. Control Inheritance
• 30. Implementation
• 31. Assess Security Controls
• 32. Useful RMF Documents
  SP 800-37 - RMF Framework
  SP 800-39 - Managing Information Security Risk
  SP 800-30 - Guide For Conducting Risk Management
  SP 800-53 - Controls
  SP 800-137 - Continuous Monitoring
  SP 800-60 - Data Categorization
  SP 800-171 - Industrial Security
• 33. Thank You! Now Open for Questions
  Stop by our Booth #xxx for more information on Risk Management and Xacta 360