As you look to go beyond your cloud and how you will manage governance for it, there are things you need to consider as you build your strategy. Come to this session to understand data protection policies, your relevant control areas, what shared responsibility means and what you need to do to put the right components together for your organisation's Cloud governance strategy.
1. 2013 AWS WWPS Summit
Canberra, Australia
Compliance, Governance & Security on the AWS Cloud
Mark Ryland
Chief Solutions Architect
2. The Capability/Transparency Trade-up
2013 AWS WWPS Summit, Canberra – May 23
What You Get
- Flexible, powerful, fully virtual environment
- High investment and capability in security
- Certifications, reports, attestations
- Reduced compliance ops burden
- A world class security team watching your back!
What You Give Up
- Low-level operational details of the physical infrastructure
- Control over low-level capabilities
- Ability to physically manage / examine networks and servers
3. Benefits of Scale Apply to Security and Compliance
The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.
[Diagram labels: Everyone’s Systems and Applications; Security Infrastructure; Requirements]
Nothing better for the community than a tough set of customers…
4. Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Not about actual security; check the box
• Check once a year
• Workload-specific security
New world
• Functionally necessary (no, you cannot visit our data centers!)
• Audits done by third party auditors
• Superior security drives broad compliance
• Continuous monitoring, checking
• Security based on all workload scenarios
5. Expert Audits: Validation Scalpels Approaching From 360º
[Diagram: several SMEs examining the system, each from a different angle]
• Experts examine the system with their particular focus
• Yet reviewed from a variety of perspectives
• What emerges is an unusually complete, comprehensive view including overlapping and non-overlapping elements
• All customers benefit from variety, volume, velocity
SME = subject matter expert
7. System vs. Platform Certifications & ATOs
System/app/workload ATOs
• Traditional way of granting ATOs: analyze entire stack from concrete through application
• Not as efficient; harder to get re-use
• However, provides the only fast way to achieve cloud value prop: greater agility and more mission for the money
• Many gov’t examples: Tradeshift in the UK; CDC BioSense 2.0 and Tradeworx in the US; Swiss Topo; etc.
Platform certifications & ATOs
• E.g., FedRAMP in the USA; still need to certify/authorize workload on top
• Make sense from a re-use and economies of scale perspective
• However, waiting for platform certification delays getting immediate value from the cloud!
• This is the best solution for the longer term, but don’t wait if you see compelling value
8. Spectrum of Approaches to Platform Certification
Positions along the spectrum (Progressive to Conservative):
• “We don’t care about platform certification. AWS provides compelling mission value. We’ll issue our own ATO.”
• “Our agency will authorize some low-risk workloads on AWS but will wait for platform certification before going big.”
• “Our agency won’t speak to AWS prior to platform certification.”
• “Our agency may move to platform certification but AWS provides compelling value. We’ll proceed forward with our own ATO for now.”
• “Our agency requires a platform certification. We’ll start working with AWS but will wait to deploy operational workloads.”
Roles quoted: Government PM, Government ISSO, Agency Security Official, Government COTR, Government ISSO
9. Governance: Extension and Integration
[Diagram labels: Your Data Centers (On-Premises Apps) and Cloud Apps, linked by Private Connections, Workload Migrations, Access Control Integration, and Work with Existing Management Tools]
10. Many Capabilities to Support Hybrid Architectures
[Diagram labels: on the Your Data Centers side: Active Directory, VMware Images, Network Configuration, Your Data, Your On-Premises Apps; on the AWS side: Users & Access Rules, VM Import/Export, Your Private VPC, Our Storage, Your Cloud Apps; connecting services: Direct Connect, VPC, IAM, Storage Gateway]
11. AWS Ecosystem Builds on Existing Management Tools
[Diagram labels: Single Pane of Glass; Workload Migration; Inventory / patch VMs; App 1 and App 2 in Your Data Center; VMs on AWS EC2]
12. AWS Cloud Governance Service Enablers
Governance Area / AWS Technologies
Roles and Responsibilities
• Identity and Access Management: Groups, Policies, Roles
Configuration Management
• Private, “hardened” AMIs
• CloudFormation Templates
• Elastic Beanstalk
• OpsWorks
Financial Controls
• Linked Accounts, Consolidated Billing
• Tagging of resources
• CloudWatch Billing Alarms
Monitoring and Reporting
• CloudWatch
• CloudWatch Alarms
• Simple Notification Service
13. AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Information Assurance: Processing
• Corporate “Gold master” AMIs (operating system images)
• VPC network isolation for all workloads
• Dedicated EC2 Instances
• CloudHSM service
Information Assurance: Storage
• S3 AES 256 bit server-side encryption, client-side encryption
• EBS Volume Encryption
• RDS database encryption features
• Complete destruction of all storage media on decommissioning
Information Assurance: Transmission
• SSL termination for all AWS endpoints
• HW/SW VPN Connections
• Direct Connect
14. AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Network Security
• Private addressing (Virtual Private Cloud)
• Network ACLs
• Security Groups
• Virtual Private Gateways
Access Controls
• Identity and Access Management Policies across all services
• S3 Bucket Policies
• EC2 Instance Roles
Identification and Authentication
• Identity and Access Management
• Federated Identity Management (AWS as relying party)
• Multi-Factor Authentication
• Group Policies and Roles
• Strong password policies
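Slides 13 and 14 list S3 server-side encryption, IAM policies and MFA as separate enablers; in practice they are combined inside one policy document. The following Python, an added example rather than anything from the talk, models the IAM evaluation order (an explicit Deny beats any Allow, and anything unmatched is an implicit deny) over a constructed policy that denies S3 PutObject unless AES256 server-side encryption is requested and denies all S3 actions without MFA. The policy, the bucket name and the request contexts are assumed sample values.

```python
import fnmatch
import json

# Constructed sample policy (not from the slides): read/write on one bucket, but
# PutObject is denied unless AES256 server-side encryption is requested, and every
# S3 action is denied when the caller did not authenticate with MFA.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-gov-bucket/*"},
  {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
  {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
]}""")

def _matches(value, patterns, fold=False):
    """IAM-style wildcard match; fold=True makes it case-insensitive (actions)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Evaluate the two operators the sample policy uses against request keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # IAM treats an absent key as "not equal", so this Deny fires.
                if actual == expected:
                    return False
            elif operator == "Bool":
                # An absent key makes Bool false, so this Deny does NOT fire for a
                # context lacking the key (the reason BoolIfExists exists in IAM).
                if actual is None or str(actual).lower() != expected.lower():
                    return False
    return True

def evaluate(policy, action, resource, context):
    """IAM-style decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(action, stmt["Action"], fold=True)
                and _matches(resource, stmt["Resource"])
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any matching Allow
        decision = "Allow"
    return decision
```

A request context that omits aws:MultiFactorAuthPresent altogether (as requests signed with long-term access keys do) is allowed by this policy, which is the gap the Bool comment describes and why MFA-enforcing policies are normally written with BoolIfExists.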
15. AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Disaster Recovery and Continuity of Operations
Data
• EBS Snapshots
• S3 Near-Line Storage
• Glacier Near-Offline Storage
• Storage Gateway
• Bulk Data Import/Export
• Managed AWS NoSQL/SQL Database Services
• Extensive 3rd Party Solutions
Workload
• Elastic Load Balancers, EC2 Auto Scaling, CloudWatch
• Route 53 – Health Checks, Latency Based Routing
• CloudFront – Content Delivery Network
• Multi-AZ, Multi-Region Workload Deployment
16. AWS Governance Tool: Trusted Advisor
• Online service from AWS Support
– Analyzes account for various kinds of issues and possible concerns
– Soon available as an API for integration with your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
17. Security is a Shared Responsibility
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies
• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
18. Shared responsibility diagram:
Amazon
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customer
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
Amazon
• Payment Card Industry (PCI) Data Security Standard Level 1
• NIST 800-53 Controls & multiple ATOs; FedRAMP
• DoD Compliant Controls and multiple DIACAP ATOs
• SSAE 16 Types 1 & 2 (SAS 70)
• ISO 27001/2 Certification
• HIPAA and ITAR Compliant
Customer
• Customers implement their own set of controls
• Multiple customers with FISMA GSS/MA Low/Moderate ATOs
• Customers and partners working on FISMA GSS/MA High ATOs
19. Dimensions of Shared Responsibility & Control
1. Operation within the Service: The functions the customer controls and configurations they choose (e.g., in EC2, RDS)
2. Security Configurability: The tools AWS gives customers to configure their security stance (e.g., access policies, security groups) vary considerably from service to service
3. Security Features Which Span Services: Some security configuration features are global (e.g., IAM), others service-specific
4. Cross-Layer Security Controls: Means by which customers integrate their existing controls into AWS (e.g., key management, Active Directory, Drupal user management) and vice versa (e.g., IAM Roles for Instances)
20. 2013 AWS WWPS Summit
Canberra, Australia
Thank you!
Mark Ryland
markry@amazon.com