Performing a Security Assessment of the Cloud using the Risk Management Framework_A Case Study__AWSPSSummit_Singapore
Amazon Web Services
1. Performing A Security Assessment of The Cloud Using Tools, Best Practices and The Risk Management Framework: A Case Study
Hugh Barrett, VP Technical Solution, CISSP, CSSLP, Telos Corporation
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
2. Agenda
• Setting the Stage
• Risk Management Framework, A Brief Overview
• Air-Gap Region Assessment “of” The Cloud
• Common Control Providers: Assessment “packages of” The Cloud
• Assessment of your Workloads
• Xacta 360, The Automated Tool of Choice
3. The Risk Management Framework
4. Risk Management Framework
Step 1: Categorize Systems - Gathering information about the system or application
Step 2: Select Security Controls - Tailor your controls, apply overlays, apply inheritance
Step 3: Implement Controls - How does my system or application implement each applicable security control?
Step 4: Assess Security Controls - Independent validation that your system has implemented all controls
Step 5: Authorize Systems - Your risk exec and authorizing officials review and grant Authorization To Operate (ATO)
Step 6: Monitor Security Controls - Continuously monitor the system’s health as it pertains to the acceptable risk and mission/business
5. Confidentiality, Integrity and Availability
Confidentiality = Low, Moderate or High
• How sensitive is the data that is processed by the system?
• What is the impact to the mission/business if the data is compromised or stolen?
Integrity = Low, Moderate or High
• How accurate is your data, and what is the impact to the mission/business if it is altered incorrectly?
Availability = Low, Moderate or High
• What is the impact to the mission/business if the data is not available when needed?
6. NIST 800-53 Base Control Set
Control Id: AC-1
Control Validators: AC-1.a.1.a, AC-1.a.1.b, AC-1.a.1.c, AC-1.a.2.a, AC-1.a.2.b, AC-1.a.2.c, AC-1.b.1.a, AC-1.b.1.b, AC-1.b.2.a, AC-1.b.2.b
7. NIST 800-53 EXT More Granular Control Set
AC-1
  AC-1.a.1: AC-1.a.1.a, AC-1.a.1.b, AC-1.a.1.c
  AC-1.a.2: AC-1.a.2.a, AC-1.a.2.b, AC-1.a.2.c
  AC-1.b.1: AC-1.b.1.a, AC-1.b.1.b
  AC-1.b.2: AC-1.b.2.a, AC-1.b.2.b
8. Information Type / Control Association
Each security control is marked against the Confidentiality, Integrity and Availability impact levels (L, M, H) at which it applies. The slide is a nine-column grid (C/I/A x L/M/H); the extraction preserves only how many of the nine cells are marked per control, not which ones:
• AC-1.a.1 - Access Control Policy and Procedures: all 9 cells (every level of C, I and A)
• AC-2 (1) - Automated System Account Management: 5 cells
• AT-2 (2) - Insider Threat: 5 cells
• AT-3.c - Role-Based Security Training: 6 cells
• AU-1.a.1 - Audit and Accountability Policy and Procedures: all 9 cells
• CA-7.c - Continuous Monitoring: 4 cells
• CM-3.b - Configuration Change Control: 6 cells
• CP-2 (6) - Alternate Processing / Storage Site: 4 cells
• IA-2 (1) - Network Access To Privileged Accounts: 7 cells
• IR-9.f - Information Spillage Response: 2 cells
9. Information Type Categorization
Data Type                 | Confidentiality | Integrity | Availability
Business Example
Financial Data            | M | H | L
Employee Salary           | M | L | M
Trade Secrets             | H | H | L
Suppliers                 | M | L | M
Mission Example
Targeting Data            | H | H | H
Counter Intelligence      | H | M | M
Mapping Data              | M | H | L
Personal identifying Info | H | H | L
10. The Use Of Overlays
Overlays are used to alter organizationally defined control sets:
• Used to alter controls based on specific business requirements
• Add more rigor to the assessment
• Require more stringent organizational values
Examples of overlays:
• Privacy
• Financial
• Defense
• Intelligence
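The categorize / select / tailor sequence of RMF steps 1 and 2 above, as an added worked example in Python (not code from the deck, from Telos or from Xacta). It takes the business data types of slide 9, categorizes the system by the FIPS 199 high-water mark (the highest impact level per objective across all data types, an assumption of this example since the deck names no rule), selects the controls whose minimum impact level is reached, then applies an overlay. The per-level applicability in `BASELINE`, the overlay and the placeholder id `OV-PRIV-1` are constructed sample data; the control ids themselves are the NIST SP 800-53 identifiers the deck names on slide 8.

```python
# Added worked example; not code from the deck or from Telos/Xacta.
# RMF steps 1-2 on the deck's sample data types: categorize by the FIPS 199
# high-water mark (max impact per objective across data types), select the
# controls that apply at that categorization, then apply an overlay.
# BASELINE and PRIVACY_OVERLAY are constructed sample data.
from dataclasses import dataclass

LEVELS = {"L": 1, "M": 2, "H": 3}  # Low < Moderate < High
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Business example rows from slide 9: data type -> (C, I, A)
DATA_TYPES = {
    "Financial Data": ("M", "H", "L"),
    "Employee Salary": ("M", "L", "M"),
    "Trade Secrets": ("H", "H", "L"),
    "Suppliers": ("M", "L", "M"),
}


@dataclass
class Control:
    cid: str
    name: str
    # objective -> lowest impact level at which the control applies;
    # an objective that is absent never triggers selection.
    min_level: dict


# Constructed in the shape of slide 8 (the deck's own per-level marks are not
# reproduced here); control ids are NIST SP 800-53 identifiers the deck names.
BASELINE = [
    Control("AC-1.a.1", "Access Control Policy and Procedures",
            {"confidentiality": "L", "integrity": "L", "availability": "L"}),
    Control("AC-2 (1)", "Automated System Account Management",
            {"confidentiality": "M", "integrity": "M"}),
    Control("CP-2 (6)", "Alternate Processing / Storage Site",
            {"availability": "H"}),
    Control("IA-2 (1)", "Network Access To Privileged Accounts",
            {"confidentiality": "L", "integrity": "L", "availability": "M"}),
    Control("IR-9.f", "Information Spillage Response",
            {"confidentiality": "H"}),
]

# Constructed overlay: "OV-PRIV-1" is a placeholder id, not an 800-53 control.
PRIVACY_OVERLAY = {
    "add": {"OV-PRIV-1": "Privacy overlay control (placeholder)"},
    "force": ["CP-2 (6)"],  # overlay demands this even below its baseline level
}


def categorize(data_types):
    """Step 1: high-water mark per objective across all data types."""
    result = {}
    for i, objective in enumerate(OBJECTIVES):
        levels = [cia[i] for cia in data_types.values()]
        result[objective] = max(levels, key=LEVELS.__getitem__)
    return result


def select_controls(baseline, categorization):
    """Step 2: a control is selected when the system's level on any objective
    reaches the control's minimum level for that objective."""
    selected = []
    for ctl in baseline:
        for objective, min_level in ctl.min_level.items():
            if LEVELS[categorization[objective]] >= LEVELS[min_level]:
                selected.append(ctl.cid)
                break
    return sorted(selected)


def apply_overlay(selected, overlay):
    """Tailoring: overlays add controls and force others in (slide 10)."""
    tailored = set(selected) | set(overlay["add"]) | set(overlay["force"])
    return sorted(tailored)


if __name__ == "__main__":
    cat = categorize(DATA_TYPES)
    base = select_controls(BASELINE, cat)
    print("categorization:", cat)
    print("baseline selection:", base)
    print("with privacy overlay:", apply_overlay(base, PRIVACY_OVERLAY))
```

Note that the business data types alone already drive the system to High on confidentiality and integrity because of the single "Trade Secrets" row; that is the point of the high-water mark, and why the deck stresses categorizing every information type a system will process before selecting controls.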
11. Common Control Providers
Usually associated with enterprise systems or services:
• Authentication services
• Corporate policies
• Physical security
Why have Common Control Providers?
• Reduces the amount of work associated with your assessment
• Huge time saver
• With the use of the AWS shared responsibility model, it gets your systems to the cloud faster
12. Applicable Controls
13. Isolated Region
14. Isolated Regions
(Diagram: Air-gap Cloud 1 and Air-gap Cloud 2, each isolated)
15. Air-Gapped
An air-gapped network is physically isolated from unsecured networks.
Reasons:
• Complete control over who has access
• Complete control over what workloads are deployed
• Ability to enforce a process for vetting workloads before deployment
In addition:
• Ability to take advantage of all that the AWS cloud has to offer
16. Assessment of the Air-gap Region
We needed automation, so we decided to use Xacta® 360 and Xacta® Continuum:
• Define a process
• Enforce the process
• Collaborate with the AWS compliance team
• Apply the Risk Management Framework
• Supports multiple standards
17. Assessment of The Air-gap Region
Steps performed to assess the air-gap region and services:
1. Detailed documentation of the region
2. Categorization of the data that will be processed and stored
3. Select the controls and overlays
4. Needed a detailed description of how the air-gap region met each control
5. Each implementation must be independently validated by your assessors
6. Leadership has to assess the risk associated with each failed control
18. Using Inheritance To Expedite the Assessment
Security assessment “of” the Cloud:
• Air-gap Infrastructure (Regions, Edge Locations, Availability Zones): infrastructure assessed separately, producing a Security Package with the required RMF documentation
• Services (Compute, Storage, Database, Networking): each service assessed separately, producing a Security Package with the required RMF documentation
• The Security Packages supply inherited controls to the Security Assessment of Your Air-Gap Region
Security Assessment of Your Air-Gap Region: 856 Controls in total; 737 Inherited Controls; 119 Controls remaining
19. AWS Infrastructure Common Control Providers
Security “packages” “of” the Cloud, each providing controls:
• Infrastructure Security Package
• EC2 Security Package
• IAM Security Package
• EBS Security Package
• RDS Security Package
• Workspaces Security Package
• S3 Security Package
Customer, responsible for security “in” the Cloud: Customer Workloads Inherit Controls From the “Packages of The Cloud”
20. Implementing the AWS Shared Responsibility Model
AWS, responsible for security “of” the Cloud: Shared Controls Provided Through Assessment Packages; Common Controls: PE (Physical and Environmental Protection), MP (Media Protection), MA (Maintenance)
Customer, responsible for security “in” the Cloud: Customer Implements Their Own Controls
Leverage the AWS Shared Responsibility Model for faster cloud compliance and deployment. While AWS manages security of the cloud, security in the cloud is the responsibility of the AWS customer. Xacta inherits the AWS security controls while enabling you to implement and manage security compliance for your own content, platform, applications, systems, and networks.
21. Assessing Your Workload
22. Assessing Your Workload
Steps performed to assess your workload:
1. Documentation of the system
2. Categorization of the data that will be processed and stored
3. Select the controls and overlays
4. Utilize the AWS shared responsibility model (Control Providers)
5. Detailed description of how the system meets each control
6. Each implementation must be independently validated by your assessors
7. Assess the risk associated with each failed control
23. Assessing Your Workload
My Workload (Consumer Facing Service: Compute, Storage, Database, Networking) will inherit some number of controls from the infrastructure (shared controls).
AWS services in the picture: EC2, S3, WorkSpaces, IAM, CloudTrail, RDS, CloudFormation
Security Baseline: Access Control, Audit Control, Media Protection, Config Management, Physical Control
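The inheritance step that slides 18 through 23 describe (step 4 of the workload assessment), as an added worked example in Python; it is not code from the deck, from Telos or from Xacta. It splits a workload's selected controls into those fully inherited from a provider "package of the cloud", those shared (the provider implements part and the customer the rest), and those the customer implements alone, counting only packages for services the workload actually uses. The package names come from slide 19; which control sits in which package, and the selected set, are constructed sample assignments (the control ids are real NIST SP 800-53 identifiers, the assignments are not AWS's actual package contents). The deck's own figures (856 selected, 737 inherited, 119 remaining) are only the shape the summary reproduces.

```python
# Added worked example; not code from the deck or from Telos/Xacta.
# Resolves a workload's selected controls against common control provider
# "packages of the cloud" (slides 18-19): fully inherited, shared (provider
# and customer each implement part), or the customer's alone (slide 20).
# Package contents and the selected set are constructed sample data; the
# control ids are NIST SP 800-53 identifiers, but which package covers which
# control here is illustrative, not AWS's actual packages.

# package name -> controls it provides outright / shares with the customer
PACKAGES = {
    "Infrastructure": {"provided": {"PE-3", "PE-6", "MP-2", "MA-2"}, "shared": set()},
    "EC2": {"provided": set(), "shared": {"CM-2", "SC-7"}},
    "IAM": {"provided": set(), "shared": {"AC-2", "IA-2"}},
    "S3": {"provided": set(), "shared": {"SC-13"}},
    "RDS": {"provided": set(), "shared": {"CM-6"}},
}

# Constructed selected control set for a workload (RMF step 2 output).
SELECTED = ["AC-2", "AC-17", "AU-2", "CM-2", "CM-6", "IA-2",
            "MA-2", "MP-2", "PE-3", "PE-6", "SC-7", "SC-13"]


def resolve_inheritance(selected, packages, services_in_use):
    """Split `selected` into inherited / shared / customer buckets, using only
    the packages for services the workload actually consumes. A control listed
    by several packages records every provider, so the assessor can cite each."""
    inherited, shared, customer = {}, {}, []
    for cid in selected:
        providers = [p for p in services_in_use
                     if p in packages and cid in packages[p]["provided"]]
        sharers = [p for p in services_in_use
                   if p in packages and cid in packages[p]["shared"]]
        if providers:
            inherited[cid] = sorted(providers)
        elif sharers:
            shared[cid] = sorted(sharers)
        else:
            customer.append(cid)
    return {"inherited": inherited, "shared": shared, "customer": sorted(customer)}


def summarize(result, selected):
    """Counts in the shape of slide 18 (total / inherited / remaining) with an
    invariant check that every selected control landed in exactly one bucket."""
    n_inh = len(result["inherited"])
    n_sh = len(result["shared"])
    n_cust = len(result["customer"])
    assert n_inh + n_sh + n_cust == len(set(selected)), "control lost or counted twice"
    return {"total": len(set(selected)), "inherited": n_inh, "shared": n_sh,
            "customer_only": n_cust, "customer_workload": n_sh + n_cust}


if __name__ == "__main__":
    res = resolve_inheritance(SELECTED, PACKAGES, {"Infrastructure", "EC2", "IAM", "S3"})
    print(res)
    print(summarize(res, SELECTED))
```

The `services_in_use` argument is the check a practitioner wants: a package only lends its controls when the workload really runs on that service, so dropping a service from the architecture moves its shared controls back onto the customer's side of the line, and the summary's invariant catches a control that was silently dropped from every bucket.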
24. Continuous Monitoring of Your Workload
• Identify Critical Controls
• Set up a schedule for reviewing controls
• Periodic vulnerability scans
• Monitor configuration changes
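The continuous monitoring activities listed above, as an added worked example in Python (not code from the deck, from Telos or from Xacta). It diffs two configuration snapshots, maps each changed setting to the controls it evidences, flags which of the team's critical controls need re-assessment, and lists scheduled control reviews that have come due. The setting names, the setting-to-control mapping, the critical-control list and both snapshots are constructed; the control ids are NIST SP 800-53 identifiers.

```python
# Added worked example; not code from the deck or from Telos/Xacta.
# Continuous monitoring (slide 24): diff two configuration snapshots, map each
# changed setting to the controls it evidences, flag critical controls that
# need re-assessment, and list scheduled control reviews that are due.
# Setting names, the setting-to-control map and the snapshots are constructed.
from datetime import date, timedelta

# Constructed mapping: setting -> 800-53 controls whose evidence it supports.
SETTING_TO_CONTROLS = {
    "cloudtrail.enabled": ["AU-2", "AU-12"],
    "cloudtrail.log_validation": ["AU-9"],
    "s3.block_public_access": ["AC-3", "AC-22"],
    "ebs.encryption_by_default": ["SC-28"],
    "iam.mfa_required": ["IA-2 (1)"],
}
# Constructed list of the "critical controls" the team chose to watch closely.
CRITICAL_CONTROLS = {"AU-2", "AC-3", "IA-2 (1)", "SC-28"}

BASELINE_SNAPSHOT = {
    "cloudtrail.enabled": True,
    "cloudtrail.log_validation": True,
    "s3.block_public_access": True,
    "ebs.encryption_by_default": True,
    "iam.mfa_required": True,
}
CURRENT_SNAPSHOT = {
    "cloudtrail.enabled": True,
    "cloudtrail.log_validation": False,   # drifted
    "s3.block_public_access": False,      # drifted
    "ebs.encryption_by_default": True,
    "iam.mfa_required": True,
    "guardduty.enabled": True,            # new, not mapped to a control
}


def diff_config(baseline, current):
    """Return sorted (setting, old, new) tuples; None marks absent on one side."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes


def assess_drift(changes, mapping=SETTING_TO_CONTROLS, critical=CRITICAL_CONTROLS):
    """Map changes to controls; split into critical / other / unmapped settings.
    Unmapped settings are reported so the mapping itself can be kept complete."""
    critical_hit, other_hit, unmapped = {}, {}, []
    for setting, _old, _new in changes:
        controls = mapping.get(setting)
        if not controls:
            unmapped.append(setting)
            continue
        for cid in controls:
            bucket = critical_hit if cid in critical else other_hit
            bucket.setdefault(cid, []).append(setting)
    return {"critical": critical_hit, "other": other_hit, "unmapped": unmapped}


def reviews_due(schedule, today):
    """schedule: control -> (last_reviewed ISO date, interval_days). Returns the
    controls whose next review date is on or before `today` (ISO), earliest first."""
    today_d = date.fromisoformat(today)
    due = []
    for cid, (last, interval) in schedule.items():
        next_review = date.fromisoformat(last) + timedelta(days=interval)
        if next_review <= today_d:
            due.append((next_review, cid))
    return [cid for _, cid in sorted(due)]


if __name__ == "__main__":
    changes = diff_config(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    print(assess_drift(changes))
    schedule = {"AC-3": ("2018-01-01", 90), "AU-2": ("2018-03-01", 180)}
    print(reviews_due(schedule, "2018-04-15"))
```

In the constructed run the public-access change touches a critical control (AC-3) and so should trigger a re-assessment of that control, while the log-validation change only affects a non-critical one and goes into the normal review cycle; the new, unmapped GuardDuty setting is surfaced so that the evidence mapping can be extended rather than silently ignored.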
25. Tools Used
26. Xacta 360
• Out-of-the-box implementation of the AWS shared responsibility model (Provider Projects)
• C-I-A Low, Moderate, High Data Categorization
• Support for International Standards/Regulations (ISO, NIST, CSF)
• Risk Management, Risk Calculations
• Automated Validation
27. Categorize your Information System
28. Select Control Set
29. Control Inheritance
30. Implementation
31. Assess Security Controls
32. Useful RMF Documents
• SP 800-37 - RMF Framework
• SP 800-39 - Managing Information Security Risk
• SP 800-30 - Guide For Conducting Risk Management
• SP 800-53 - Controls
• SP 800-137 - Continuous Monitoring
• SP 800-60 - Data Categorization
• SP 800-171 - Industrial Security
33. Thank You! Now Open for Questions
Stop by our Booth #xxx for more information on Risk Management and Xacta 360