2. Of the changes catalyzed by cloud, security is the most exciting.
3. Over A Million Active Customers Running Every Imaginable Use Case
• 1500+ Government Agencies
• 3600+ Education Institutions
• 190 Countries
• 11,200+ Nonprofits
4. Rate of Customers Requesting Compliance Reports and Certifications
Chart: Percentage of customers requesting compliance reports/certs, by revenue tier (Top 10, Top 25, Top 50, Top 100, Top 500, Top 5000). Legend: No Compliance Report Requested / Compliance Report Requested. Series values as extracted, per tier: 50%, 40%, 36%, 12%, 17%, 5% and 50%, 60%, 64%, 88%, 83%, 95%.
5. Customers
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”
CTO, Space Agency
6. Industry Analysts
“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013
7. Legacy Datacenters
• Big Perimeter
• End-to-End Ownership
• Build it all yourself
• Server-centric approach
• Self-managed Services
• Static Architecture
• De-centralized Administration
The security paradigm shifted
AWS
• Micro-Perimeters
• Own just enough
• Focus on your core value
• Service-Centric
• Platform Services
• Continuously Evolving
• Central Control Plane (API)
8. Security & compliance requirements from every industry
Nothing better for the entire community than a tough set of customers…
Diagram layers: Financial Requirements, Health Care Requirements, Government Requirements; Security Infrastructure Requirements; Everyone’s Systems and Applications
9. Security & compliance is a shared responsibility
Customers are responsible for their security IN the Cloud:
• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
10. Let AWS take care of the heavy lifting for you
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
+ Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & account management
• Authorization policies
= Customers get to choose the right level of security for their business.
As an AWS customer you can focus on your business and not be distracted by the muck.
14. Physical Security of Data Centers
Amazon has been building large-scale data centers for many years
Important attributes:
‒ Non-descript facilities
‒ Robust perimeter controls
‒ Strictly controlled physical access
‒ 2 or more levels of two-factor auth
Controlled, need-based access
All access is logged and reviewed
Separation of Duties
‒ Employees with physical access don’t have logical privileges
15. Network Security
Distributed Denial of Service (DDoS):
• Standard mitigation techniques in effect for AWS API endpoints
Man in the Middle (MITM):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Inbound ports blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
AWS reduces common attack vectors at the infrastructure level.
17. Your Role in Securing AWS is Well-Defined
Customer: Security in the Cloud
• Customer Data
• Applications, Identity & Access Mgmt
• OS, Network, Firewall
• Client-side Encryption, Server-side Encryption, Network Traffic Protection
AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)
18. … but the security technology has lagged
Customer layers: Customer Data; Applications, Identity & Access Mgmt; OS, Network, Firewall; Client-side Encryption, Server-side Encryption, Network Traffic Protection
Legacy technologies:
• Network Appliances
• Host-based Agents
• IP-based scanners
• Log Analytics
• DLP & Encryption
• Manual Audits
These technologies don’t embrace cloud values…
19. Host-centric Security Strategies fail in AWS
Protecting the host while ignoring the services is a bad decision.
Your most critical data often lives in S3, Glacier, RDS, Redshift, and other key services.
20. Security by Design – SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config, Amazon Inspector
Provides control insights throughout the IT management process
21. Amazon Virtual Private Cloud (VPC)
• Specify your private IP address range into one or more public or private subnets
• Protect your instances with stateful filters for inbound and outbound traffic using Security Groups
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPsec VPN connection
Create a logically isolated environment in Amazon’s highly scalable infrastructure
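The difference between the stateful Security Group filter and the stateless Network ACL described above is easiest to see on the return half of a connection. The following is an added illustration, not AWS code: a deliberately simplified model (TCP only, no protocol field, no rule numbers on the security group) in which a client on a constructed address connects to a web server inside the VPC. The security group allows the reply because it tracks the flow it admitted; a naive NACL that merely mirrors the inbound rule drops the reply, because replies go to the client's ephemeral port, and the corrected NACL adds an outbound rule for that range.

```python
"""Stateful Security Group vs. stateless Network ACL, as a small simulation.

Added illustration, not AWS code: a simplified model (TCP only, no rule
numbers on the security group, no protocol field) of how the two filters
treat the return half of a connection.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arriving at the instance, "out" = leaving it

    def reverse(self) -> "Packet":
        """The matching packet travelling the other way (the reply)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port,
                      "out" if self.direction == "in" else "in")

    @property
    def remote_ip(self) -> str:
        return self.src_ip if self.direction == "in" else self.dst_ip


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str              # the remote side of the packet
    port_from: int         # destination port range of the packet
    port_to: int
    action: str = "allow"  # NACLs also have "deny"; security group rules are allow-only

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= p.dst_port <= self.port_to)


class SecurityGroup:
    """Stateful: a packet allowed by a rule opens a flow, and the reverse
    packets of that flow are allowed without any rule in the other direction."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()

    def allows(self, p: Packet) -> bool:
        if p in self.flows or p.reverse() in self.flows:
            return True
        if any(r.matches(p) for r in self.rules):
            self.flows.add(p)
            return True
        return False


class NetworkACL:
    """Stateless: numbered rules evaluated lowest number first, first match
    wins, implicit deny at the end. Each direction needs its own rules."""

    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def allows(self, p: Packet) -> bool:
        for _, rule in self.rules:
            if rule.matches(p):
                return rule.action == "allow"
        return False


def evaluate_scenario() -> dict:
    """Constructed scenario: a client on 203.0.113.5 connects from ephemeral
    port 50000 to a web server at 10.0.1.10:443 inside the VPC."""
    request = Packet("203.0.113.5", 50000, "10.0.1.10", 443, "in")
    response = request.reverse()
    unsolicited = Packet("10.0.1.10", 40000, "198.51.100.7", 80, "out")

    # This security group has only an inbound rule and no outbound rule.
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])
    # Naive NACL: mirrors the inbound rule outbound, forgetting the ephemeral range.
    naive_nacl = NetworkACL([(100, Rule("in", "0.0.0.0/0", 443, 443)),
                             (100, Rule("out", "0.0.0.0/0", 443, 443))])
    # Corrected NACL: replies go back to the client's ephemeral port.
    fixed_nacl = NetworkACL([(100, Rule("in", "0.0.0.0/0", 443, 443)),
                             (100, Rule("out", "0.0.0.0/0", 1024, 65535))])
    return {
        "sg_request": sg.allows(request),
        "sg_response": sg.allows(response),            # allowed by connection state
        "sg_unsolicited_out": sg.allows(unsolicited),  # no rule and no flow: denied
        "naive_nacl_request": naive_nacl.allows(request),
        "naive_nacl_response": naive_nacl.allows(response),  # dropped: dst port 50000
        "fixed_nacl_request": fixed_nacl.allows(request),
        "fixed_nacl_response": fixed_nacl.allows(response),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_scenario().items():
        print(f"{name:22s} {'ALLOW' if verdict else 'DENY'}")
```

The model keeps state per exact packet rather than per five-tuple with timeouts, which is enough to show the point: with a stateless filter, every direction, including the ephemeral port range used by replies, must be written down explicitly.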
24. AWS Key Management Service (KMS)
• Centralized control of YOUR encryption keys
• Designed for Scalability and Throughput
• Is a multi-tenant service
• Integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift
• Integrated with CloudTrail – logs key usage
• Easily implement and audit key creation, rotation, and usage policies
25. CloudHSM
Hardware Security Modules: real hardware in the cloud.
• Secure, Reliable & Durable Key Storage: available in multiple
AZs and Regions, or replicate to on premise HSMs
• Tamper-resistant and Tamper Evident
• Customer controlled hardware security module within your VPC
• Only the customer has access to the keys; not even the Amazon administrators who manage and maintain the appliance can access them.
• Common Criteria EAL4+, NIST FIPS 140-2 Level 2.
27. Key governance questions
• What do I have?
• How is it performing?
• Who is controlling it?
• What is it costing me?
• Is it secure and compliant?
• Are changes occurring with the right processes and
protections?
28. The AWS cloud allows for advanced governance
Manual auditing in a simple world → Governance in a complex world
• Thick procedure manuals → Software-enforced processes
• Periodic surveys → Alarming/triggering
• Few truly automated controls → Ubiquitous, software-driven, predictable controls
• Sample testing, hoping → Full population monitoring, test of 1
29. AWS and governance
AWS capabilities and services provide key building blocks for systems that answer these questions
Better answers than ever before in traditional infrastructure
Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud
31. AWS Config Relationships
Resources are related to each other
• Permissions applied to a server or instance
• Amazon EBS volume attached to an
Amazon EC2 instance
• Network interfaces
• An instance is contained in subnet or VPC
32. AWS Config Rules
• Flexible rules evaluated continuously and retroactively
• Dashboard and reports for common goals
• Customizable remediation
• API automation
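To make the "flexible rules evaluated continuously" and "customizable remediation" points concrete, here is an added example (not AWS code and not the AWS Config rule engine) that runs rule functions over a constructed inventory of configuration items. The items use a simplified subset of the fields AWS Config records for a security group (ipPermissions) and an EBS volume (encrypted); the resource ids are placeholders and the rule names are this example's own. Each rule returns a compliance type and an annotation, in the spirit of the evaluations a custom rule reports back to Config.

```python
"""Evaluating configuration items against custom rules.

Added example, not AWS code. The configuration items below are constructed
and use a simplified subset of the fields AWS Config records for a security
group (ipPermissions) and an EBS volume (encrypted). Rule functions return
a compliance type and an annotation; evaluate() runs every applicable rule
over every item, and remediation_plan() turns the failures into actions.
"""

ADMIN_PORTS = (22, 3389)   # SSH and RDP
ANYWHERE = "0.0.0.0/0"

# Constructed sample inventory (resource ids are placeholders).
CONFIG_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d4e5f67890",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": ANYWHERE}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0fedcba9876543210",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaaaaaaaaaaaaaaa",
     # ipProtocol "-1" means all protocols and all ports; there is no port range.
     "configuration": {"ipPermissions": [
         {"ipProtocol": "-1", "ipRanges": [{"cidrIp": ANYWHERE}]}]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0fedcba9876543210",
     "configuration": {"encrypted": True}},
]


def admin_ports_restricted(config):
    """NON_COMPLIANT if any ingress permission exposes SSH/RDP (or all ports) to 0.0.0.0/0."""
    for perm in config.get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        all_ports = perm.get("ipProtocol") == "-1" or lo is None
        covers_admin = all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)
        open_to_world = any(r.get("cidrIp") == ANYWHERE for r in perm.get("ipRanges", []))
        if covers_admin and open_to_world:
            span = "all ports" if all_ports else f"tcp {lo}-{hi}"
            return "NON_COMPLIANT", f"{span} open to {ANYWHERE}"
    return "COMPLIANT", "no administrative port reachable from the internet"


def volume_encrypted(config):
    if config.get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


# Rule names are hypothetical; each resource type maps to the rules that apply to it.
RULES = {
    "AWS::EC2::SecurityGroup": [("admin-ports-restricted", admin_ports_restricted)],
    "AWS::EC2::Volume": [("ebs-volume-encrypted", volume_encrypted)],
}


def evaluate(items):
    """Run every applicable rule over every configuration item."""
    results = []
    for item in items:
        for rule_name, check in RULES.get(item["resourceType"], []):
            compliance, annotation = check(item.get("configuration", {}))
            results.append({"rule": rule_name, "resourceType": item["resourceType"],
                            "resourceId": item["resourceId"],
                            "compliance": compliance, "annotation": annotation})
    return results


def non_compliant_ids(items):
    return [r["resourceId"] for r in evaluate(items) if r["compliance"] == "NON_COMPLIANT"]


# Hypothetical remediation actions, one per rule, keyed by rule name.
REMEDIATION = {
    "admin-ports-restricted": lambda r: f"revoke world-open ingress on {r['resourceId']} ({r['annotation']})",
    "ebs-volume-encrypted": lambda r: f"snapshot {r['resourceId']}, copy it with encryption, swap the volume",
}


def remediation_plan(items):
    return [REMEDIATION[r["rule"]](r) for r in evaluate(items) if r["compliance"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for r in evaluate(CONFIG_ITEMS):
        print(f"{r['compliance']:14s} {r['resourceId']:22s} {r['annotation']}")
    for action in remediation_plan(CONFIG_ITEMS):
        print("remediate:", action)
```

Because the checks are plain functions over recorded configuration, the same code can be re-run over every change Config records (continuous evaluation) and over the existing inventory (retroactive evaluation); the "-1" protocol case is the edge that a naive port-range check misses.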
33. AWS Config Rules benefits
• Continuous monitoring for unexpected changes
• Shared compliance across your organization
• Simplified management of configuration changes
36. Why?
Securing infrastructure is often expensive and hard to do
effectively.
• Inspector is automated, repeatable, and designed to
reduce cost.
• Use AWS security knowledge to strengthen customer
servers, services, and infrastructure.
• Delivers actionable findings that are clearly explained and that help with their resolution.
37. Features
• Configuration Scanning and Activity Monitoring Engine
• Selectable built-in rules
• Security findings – guidance and management
• Automatable via APIs
38. Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
43. PCI Overview
AWS is a Level 1 service provider (the highest level)
Compliant with the newly released DSS version 3.1, published in April 2015.
https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
44. PCI Package Use Case
• Customer wants to process, store or transmit credit card information using AWS
• Customer wants to learn more about AWS PCI Compliance
• Customer is being audited by their QSA (Qualified Security Assessor)
• Customer is preparing for an audit and/or monitoring their environment for PCI compliance
PCI Package: What we Provide
AWS provides customers and customers’ auditors with:
• Attestation of Compliance (AoC)
• PCI Responsibility Summary
AWS PCI Responsibility Summary provides:
• Description of the in-scope services
• Customer implementation considerations
• Overview of shared responsibility
45. Additional resources for Customers
aws.amazon.com/compliance
AWS Certifications and FAQs: SOC 1 FAQs, ISO 27001 FAQs, PCI DSS Level 1 FAQs, FedRAMP FAQs, ISO 9001 FAQs, DoD CSM FAQs
46. Conclusions
Security is critical
We’re creating tools to make it easier
We’re creating ways to help you build a world-class team
You can move fast and stay safe
Security is a Path and not a Destiny. We understand that security and governance are often the top issues identified when we talk to our customers. Based on our experience of working with millions of customers running every imaginable use case, which includes requirements for stringent security and compliance controls, we really advise and highly recommend that our customers invest in a security review early in the process. Get your security folks to talk to our security folks and understand security and compliance. Security is really not on or off. It’s a spectrum of options that you can choose from that is right for your application.
Now that we’ve seen how compliance reports can equate to significantly increased revenue growth rates, the next question is, what is the opportunity for growth in this area? The answer – a lot! In fact, a significant percentage of AWS customers have yet to request a compliance report or certification – if you extrapolate the growth trending noted in that Top 10 customer tier, just imagine how much revenue growth potential there is if more of your customers better understand AWS compliance and therefore feel comfortable moving additional workloads onto AWS?! So let’s get started -
We have to remove the name of NASA/JPL but can speak to it in the class.
People wanted cloud just to meet the bar – be as good as what they were accustomed to in their own datacenter.
AWS is not comfortable just meeting the bar, but focuses on raising it.
And the analysts agree.
Forrester Research identified in their Security’s Cloud Revolution is Upon Us report that we will see organizations adopting the cloud as a route to simplified and improved security and compliance controls.
DC → Cloud
• Few, big perimeters → many tiny perimeters
• Own it all → own just enough
• Build everything yourself → build your core competency
• Servers → no servers (Lambda)
• Self-operated services → platform services
• Static → continuously evolving
Security is NOT the same as in the legacy DC
When big institutions submit stringent security requirements to us, and review the audit findings of our compliance auditors, we frequently build their requirements and incorporate their feedback into the platform. EVERYBODY benefits from them. We don’t build “one off” solutions for anyone, so everybody benefits from the improvements made for any customer. In many cases, this results in a better security profile than what each individual firm could accomplish on their own.
In the past year we have released more than 165 security-related features or service enhancements (nearly 40% of overall feature releases) .
There are never enough great security professionals in your organization, but the cloud can help.
The Shared Responsibility model hugely reduces the total “security surface area” that customer security experts need to take care of for themselves. They rely on us for all the low level infrastructure security. With that narrower focus, customer security teams have a “reduced security surface area,” and can devote more of their attention to OS and application level security.
Their experts can focus and achieve better results in the areas that are more closely related to the differentiated value for their business or mission, as opposed to the generic “undifferentiated heavy lifting” that applies to low-level security and compliance work as well as infrastructure management itself.
Talking points
AWS is relentless in ensuring that security is a top priority and works hard to ensure that it is providing a secure environment for our customers to operate in.
At the same time there is a level of security that the customer must take responsibility for when operating in a cloud environment.
This leads to the shared responsibility model for security.
AWS looks after the security OF the cloud, and you look after your security IN the cloud.
Talking points
AWS side of the responsibility
Leverage our culture of having a secure environment and constant improvement
Perform regular audits
Ensure that access and end points are protected
Leverage security recommendations from customers and make them available to all customers.
Customers
Use AWS resources to configure security
Customers have the ability to implement their own controls
Leverage our partner network to find security solutions that meet their operating needs
When you take the security piece that Amazon owns and offers to every customer, and add it to the security that customers can implement you get a complete and compliant solution that meets the needs of the customers.
This approach allows customers to focus on the level of security that is appropriate for their business. It also allows customers to focus more on how their applications function, how they are secured, and continuing to extend the areas that differentiate them as a business because they are relieved of a significant part of the overall security process.
How does AWS illustrate the Security controls that we operate on behalf of our customers?
//Additional information regarding technology-specific security features can be found in Appendix A at the end of this slide deck.
It’s no secret that AWS innovates! Nearly 40% of overall releases are security capabilities. As in features that help customers help themselves to secure and evaluate themselves.
Some security-centric services and features are:
AWS Cloud Trail - AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Provides insights on how cloud resources are being used and by whom.
AWS Config - AWS Config provides you with a detailed inventory of your AWS resources and their current configuration, and continuously records configuration changes.
AWS Key Management Services - AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
Amazon S3 Server Side Encryption with Customer-provided Keys (SSE-C). - Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) Server-side encryption is about protecting data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key.
SSO to AWS Management Console and Support Center
Sharing AWS CloudTrail Log Files Between Accounts
Amazon WorkSpaces added support for multi-factor authentication (MFA)
Others such as granular domain permissions in Amazon CloudSearch, tracking console sign-in events in AWS CloudTrail, and enhanced password management and credential reports in AWS IAM.
Cloud HSM - The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
Physical Security
Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the AWS platform and infrastructure. AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by AWS employees is logged and audited routinely.
DDOS - AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Man in the Middle (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. You can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. We encourage you to use SSL for all of your interactions with AWS.
IP Spoofing. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Much like Beowulf clusters and HPC environments, hosts are becoming less relevant and more like request routers and job processors, and less the center of your data universe.
Remember: the cloud is about loosely coupled services and creating elasticity in your infrastructure, while leveraging services to retain the resiliency and security of your data and workflows.
By focus-locking your security strategy on the host, you will expose your critical services, data, and control plane to emerging attacks.
We are doing the same with security in AWS. We’re designing security and compliance not simply into OS and application controls, as has been done in the last few decades; we’re designing it into everything about the IT environment: the permissions, the logging, the use of approved machine images, the trust relationships, the changes made, enforcing encryption, and more. We’re converting manual, administrative controls to technically enforced controls with the assurance that, if designed properly, the controls are operating 100% of the time. We call this “Secure by Design” or SbD. AWS is a modern platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT, and makes your AWS environment much simpler to audit. It creates an environment where there are no control findings at the audit (similar to having no quality findings at the end of a manufacturing process). It’s a systematic approach to security assurance, and gives you insight into how things are operating and into how to respond to emerging threats.
I recently had a discussion with a company CISO about managing his on-premise environment. I asked, "how long would it take to inventory your assets?" He said, "if I started today, it would be 100 years after you are dead." Manually tracking assets is an example of a control that is so ineffective that you can't rely on it for providing any assurance at all.
So, in general, looking at what you have is simple in AWS. But how are they related to each other?
AWS CloudTrail. Provides logging of API or console actions (e.g., logs when someone changes a bucket policy, stops an instance, etc.)
Splunk Dashboard for CloudTrail, showing the log activity with some summarized info
Control provided:
Advanced monitoring capabilities of actions taken and changes made across the entire AWS environment
Records AWS API calls for your account and delivers log files to you.
Logs delivered (as JSON data) to your S3 bucket
Region-by-Region API log isolation
Optionally log multiple AWS accounts to your bucket (i.e., cross-account)
Currently covers API access to: EC2, EBS, EMR, Kinesis, AutoScaling, ELB, Redshift, RDS, VPC, SWF, CloudFormation, CloudFront, CloudTrail, CloudWatch, Direct Connect, Elastic Beanstalk, IAM, OpsWorks, STS, SQS
No cost beyond storage of logs
Currently supports 20 services throughout our 8 standard regions (GovCloud coverage is separate).
We are regularly adding support for additional services in order to provide a complete auditing solution.
AWS KMS provides customers with centralized control of their encryption keys and is integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift to make it simple to encrypt data with encryption keys that customers manage. It’s also integrated with AWS CloudTrail to provide logs of all key usage. It provides a simple view into all of the key usage in a customer’s organization and lets customers easily implement key creation, rotation, usage policies, and enables login from the AWS Management Console or by using the API.
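Both the CloudTrail notes above (JSON log files delivered to S3, recording who changed a bucket policy or stopped an instance) and the KMS point that every key usage is logged through CloudTrail come down to reading those records. The following is an added example, not AWS code or an AWS-provided tool: it parses a constructed log file in the shape CloudTrail delivers (a JSON object whose "Records" list holds one object per API call), flags a small set of high-impact calls, failed console sign-ins and any use of root credentials, and summarises KMS operations per key. The field names used (eventSource, eventName, userIdentity, sourceIPAddress, responseElements, resources) are standard record fields; the account id and key ARN are placeholders, the principals and addresses are constructed, and the list of high-risk calls is this example's own choice.

```python
"""Triage of CloudTrail records and a KMS key-usage summary.

Added example, not AWS code. SAMPLE_LOG is a constructed log file in the
shape CloudTrail delivers to S3; the account id and key ARN are placeholders.
"""
import json
from collections import Counter, defaultdict

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"  # placeholder


def rec(time, source, name, identity, ip, **extra):
    """Build one constructed record with the standard CloudTrail field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "sourceIPAddress": ip, "awsRegion": "us-east-1", **extra}


ALICE = {"type": "IAMUser", "userName": "alice"}
APP_ROLE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0123456789abcdef0"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
KMS_KEY = [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]

SAMPLE_LOG = json.dumps({"Records": [
    rec("2015-10-01T12:00:01Z", "s3.amazonaws.com", "PutBucketPolicy", ALICE, "203.0.113.5",
        requestParameters={"bucketName": "example-bucket"}),
    rec("2015-10-01T12:00:07Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, "203.0.113.5"),
    rec("2015-10-01T12:01:30Z", "ec2.amazonaws.com", "StopInstances", ALICE, "203.0.113.5"),
    rec("2015-10-01T12:02:00Z", "kms.amazonaws.com", "GenerateDataKey", APP_ROLE, "10.0.1.10", resources=KMS_KEY),
    rec("2015-10-01T12:02:05Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, "10.0.1.10", resources=KMS_KEY),
    rec("2015-10-01T12:02:09Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, "10.0.1.10", resources=KMS_KEY),
    rec("2015-10-01T12:05:00Z", "signin.amazonaws.com", "ConsoleLogin", {"type": "IAMUser", "userName": "bob"},
        "198.51.100.23", responseElements={"ConsoleLogin": "Failure"}),
    rec("2015-10-01T12:06:00Z", "cloudtrail.amazonaws.com", "StopLogging", ROOT, "198.51.100.23",
        requestParameters={"name": "main-trail"}),
]})

# This example's own choice of calls worth an immediate look.
HIGH_RISK = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit logging switched off",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("s3.amazonaws.com", "PutBucketPolicy"): "bucket policy changed",
    ("s3.amazonaws.com", "DeleteBucketPolicy"): "bucket policy removed",
    ("ec2.amazonaws.com", "StopInstances"): "instance stopped",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential created",
}


def parse_log(text):
    return json.loads(text)["Records"]


def principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def triage(records):
    """Return one finding per matched condition, in record order."""
    findings = []

    def add(r, severity, reason):
        findings.append({"time": r["eventTime"], "severity": severity, "reason": reason,
                         "event": r["eventName"], "principal": principal(r),
                         "source_ip": r.get("sourceIPAddress")})

    for r in records:
        reason = HIGH_RISK.get((r["eventSource"], r["eventName"]))
        if reason:
            add(r, "high", reason)
        if r["eventName"] == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            add(r, "medium", "failed console sign-in")
        if r.get("userIdentity", {}).get("type") == "Root":
            add(r, "high", "root credentials used")
    return findings


def key_usage(records):
    """Count KMS operations per key ARN, using the resources list of each record."""
    usage = defaultdict(Counter)
    for r in records:
        if r["eventSource"] != "kms.amazonaws.com":
            continue
        for res in r.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[res["ARN"]][r["eventName"]] += 1
    return {arn: dict(c) for arn, c in usage.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for f in triage(records):
        print(f"{f['time']} {f['severity']:6s} {f['event']:16s} {f['principal']} ({f['source_ip']}): {f['reason']}")
    for arn, counts in key_usage(records).items():
        print(arn, counts)
```

The same record loop is what a log pipeline feeding a dashboard would run per delivered file; the key-usage summary is the kind of view the KMS paragraph refers to, showing which principal and which source address drove each key operation.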
Hardware Security Modules (HSM) provide a solution where you can centrally and securely store and manage keys utilized by your applications.
Cloud HSM allows you to implement the same HSM solution that you may already have in an on-premise data center. This solution allows you to have the same security for your cloud applications as you have for your on-premise applications. The CloudHSM solution possesses all the same attributes as an HSM that would be implemented in an on-premise data center, without the need to buy the physical infrastructure.
Bullets:
EAL4 – Evaluation Assurance Level. International standard stating that the solution has been methodically designed, tested, and reviewed.
NIST FIPS 140-2 – Is a national standards classification stating that the solution meets a certain cryptographic state.
And why does it make more sense than using a traditional on-premise environment? The need for automation and consistent control performance will demand a move into an environment that is automated, transparent, and auditable with 100% control coverage.
The reasons are becoming more obvious to auditors:
Physical procedure manuals do not provide enforceable control. I think we all realize this. When was the last time you pulled a SOP manual for anything other than to feel the thud factor? In my 12 years of auditing and consulting with E&Y, there were very few times someone even knew where the procedure manual was, let alone knew the content. In the new world this won’t work: instead, we are scripting processes – you can’t do your job outside of the prescribed coded process.
Surveys do not provide authoritative governance. We all know this. They are subjective, and are subject to human error on many levels. Why we ever relied on surveys to do any sort of real control monitoring seems rather ridiculous to me. Now, we’re automating environments and alarming on instances of control failure vs. asking people if controls have failed.
Automated controls need to be pervasive. Automation of controls will be the only real way to reduce IT risk in today’s complex IT environment.
Sample testing of controls will no longer be a valid audit strategy. Testing a sample of "25" is rapidly becoming statistically invalid and seems archaic considering today’s complex IT environment. The scale of the systems will require control automation, allowing auditors to do a very effective "test of 1."
Today we’re going to explore the topic of advanced governance and show you how it can be done in AWS.
Inspector is a combination of service / host-based client that aims to provide an overall assessment of the security posture of a distributed system, usually running on top of AWS. Security posture here includes overall AWS services configuration (EC2 security groups, VPCs, S3 buckets, IAM users/roles, ...), host configuration, software running on these hosts, as well as host to host interactions.
Its primary intended benefit is to allow service teams, as well as external customers, to easily assess the security posture of their software and systems on their own as they progress through development, as well as on a regular basis during production for auditing purposes.
The secondary benefit is to help Application Security Engineers and Penetration Testers to focus on the most complex problems by offloading the checking of low-hanging fruit to an automated system. The automatic generation of a threat model / DFD will also help the engineers get up to speed and understand the targeted systems faster and better, by relying on real observed information rather than information gathered from engineers’ recollection of how their systems work.
A third benefit is to provide the foundations to allow easy monitoring of various elements on a host or AWS account for forensics, troubleshooting or active auditing purposes. The user simply needs to focus on implementing the actions to take rather than on performing the actual monitoring.
Shared responsibility model, Shift in separated model, AWS and Customer responsibilities.
WHAT’S IN IT FOR THE CUSTOMER
I want to convince you that everyone should run this and reduce their overheads in addressing security manually.
Running internet-facing and internal-facing services is hard. There are always changes, new patches, new issues to address. Wouldn’t it be great if there was a service to do the lifting for you?
There is a lot of information to understand when trying to secure your services; it is an expert area, and security engineers are not common. Many companies don’t have them on their teams and need to bring in external help. Wouldn’t it be helpful if someone could distill it for you?
When you spend money on security (or bring in external help), a service like Inspector allows you to focus on the new or unique feature areas of your product over the infrastructural areas
Agent Based – focused on the instances rather than AWS Configuration -> See AWS Config & Config Rules for more in that area.
Test your infrastructure and applications for potential security issues.
Provides guidance based on any findings identified.
Choice of policy packages for assessing infrastructure and applications.
Audits are slow, riddled with spreadsheets and paperwork, and disrupt the innovation cycle or completely stop it during the audit period.
Expert Audits - The best way to validate CSP security is to get accredited experts to do it for you. This is using a very sharp tool for a very specific job.
CSP auditors understand cloud in general, they understand where AWS plays in the cloud landscape, they understand risk, and they understand the customer use cases in depth. They interpret the traditional standards for you, applying them to AWS in a way that makes sense. They can do a much better job than most audit functions at companies with limited experience in doing this specifically.
The multiple certifications and reports offered by AWS give you the ability to triangulate on risk and controls if there isn’t a single report that meets your exact needs. One report or certification is a good data point, but with multiple (overlapping but subtly different controls, different audit types and periods, different points in time), you can get the visibility you need.
As of today, AWS infrastructure has been audited to meet controls for workloads requiring:
• HIPAA
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
• SOC 2 Security & Availability
• SOC 3
• PCI DSS Level 1
• ISO 27001
• ISO 9001
• FedRAMP(SM)
• DIACAP
• ITAR
• FIPS 140-2
• CSA
• MPAA
• AUS IRAP
• Singapore M
But we can’t stop there…
AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements, such as ITAR, which governs how organizations manage and store defense-related data.
Previously, government agencies with data subject to compliance regulations such as the International Traffic in Arms Regulations (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons.
Because AWS only allows US Persons to physically and logically access the AWS GovCloud network, government agencies can now manage more heavily regulated data in AWS while remaining compliant with US Persons only access requirements.
AWS does not manage physical and logical access controls beyond the AWS network. It is the responsibility of customers to manage end user access controls to their content in the AWS GovCloud Region.
What is ITAR?
ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data.
The primary issue that impacts AWS is the requirement that all ITAR controlled data must be stored in an environment physically and logically accessible to US Persons only. A US Person is defined as a US citizen or permanent resident.
In this Region, AWS complies with US Persons only physical and logical access requirements for the AWS network, and therefore enables others to use the AWS GovCloud Region to process and store ITAR data.
Unlike ISO 27001, there is no formal ITAR certification. However, AWS has conducted a third-party review of the AWS GovCloud ITAR compliance program. This third party has published a favorable letter of attestation regarding AWS’ compliance with the stated ITAR objectives. This letter is provided to customers who enter into an AWS GovCloud Enterprise Agreement.
AWS FISMA compliant?
Yes, AWS is able to meet Federal FISMA Low and Moderate certifications. AWS has attained Authority to Operate (ATO) under FISMA Low at several agencies (Department of Education, Recovery and Transparency Board) and can make those control mappings available as part of the Certification & Accreditation process. Additionally, AWS was granted the ATO at the FISMA Moderate level by the GSA. AWS will continue pursuing certifications that make it easier for enterprises, businesses and government agencies to use and benefit from our services.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels.
Why is FedRAMP important?
The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. And the Office of Management and Budgets (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo , OMB). One of the major benefits of FedRAMP is that it allows for federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.
Overview:
PCI is the Payment Card Industry Data Security Standard. It is a set of security requirements designed to ensure that all companies which process, store or transmit credit card information maintain a consistent level of data security related to card holder data. This standard is administered and managed by the PCI Security Standards Council, an independent body created by the major payment card brands (Visa, MasterCard, and American Express).
We have been successfully validated as a Level 1 service provider, meaning that our customers may host their applications on our PCI-compliant technology.
Use Cases (Why):
We often find customers requesting our PCI Compliance package to share with their auditors, most commonly their chosen QSA (Qualified Security Assessor).
Selling Points:
Our PCI Compliance Package provides AWS customers, and their auditors where appropriate, with two documents: the Attestation of Compliance, referred to as the AoC, and the PCI Responsibility Summary. The AWS PCI Responsibility Summary provides customers with a description of the in-scope services and customer implementation considerations, and gives our customers an overview of the shared responsibility between them and AWS for meeting the PCI requirements.
Individual compliance certifications can be covered later in the presentation with current information available at aws.amazon.com/compliance