Jodi Scrofani Global Financial Services Compliance Strategist for AWS takes us on a journey of Security and Compliance mechanisms, that are mandatory in the Financial Services Industry, and explains how they are addressed by customers today on the AWS Cloud. She explains the AWS Shared Security Model, gives a detailed overview of audit and certifications achieved by AWS, and shows best practices and steps that FSI customers should take to ensure compliance and security.

1. Welcome to the
AWS Financial Services Cloud Symposium

2. "We see no fundamental reason why cloud services (including public
cloud services) cannot be implemented, with appropriate
consideration, in a manner that complies with our rules.”
- UK Financial Conduct Authority, FG 16-5, July 2016
“Insurance is a highly regulated industry where security, governance
and compliance are key. Our internal compliance team conferred with
both financial services regulators in the UK and our legal team, and
they found that they could use AWS and remain compliant.”
- Adrian Hodgkison, Head of IT
Compliance with Regulation is Doable

3. AWS & Customer Regulated Workloads
*
*
*
*Also an AWS Customer

4. “It is a fallacy that Institutions
can’t use cloud services
(because regulators don’t allow
them)”
- G20 ITSG Meeting, Anonymous

5. https://aws.amazon.com/solutions/#industry
https://aws.amazon.com/financial-services
Regulated, audited, and sensitive
data will be better fit to be stored
and processed in the cloud.

6. AWS Security as a Platform for Compliance
DDOS Mitigation
Data Encryption
Inventory & Configuration
Monitoring & Logging
Identify & Access Control
Testing & Validation
Availability & Resiliency
AWS provides financial
services customers a
platform to engineer
customized security

7. Security & Compliance at AWS is the highest priority. As an AWS customer,
you will benefit from a data center and network architecture built to meet
the requirements of the most security-sensitive organizations.
An advantage of the AWS cloud is that it allows customers to Scale and
Innovate, while maintaining a secure environment.
So you can Customize Security for the platform to meet any number of
compliance regimes that apply to your business process and geography.

8. AWS Security – Shared Responsibility Model
• AWS and its customers share control over the IT environment, both parties have
responsibility for managing the IT environment.
• AWS’ part in this shared responsibility includes providing its services on a highly
secure and controlled platform and providing a wide array of security features
customers can use.
• The customers’ responsibility includes configuring their IT environments in a secure
and controlled manner for their purposes.
• While customers don’t share their use and configurations to AWS, AWS does share its
security and control environment relevant to customers.

9. Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & AccessManagement
Operating System, Network & Firewall Configuration
Customer content
AWSSharedResponsibility
You get to define
your controls IN the
cloud
AWS takes care of
security OF the
cloud
aws.amazon.com/compliance/shared-responsibility-model
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations

10. AWS Security
Protection and
Certification
Security Features in the
Customer Environment
Customer Security and
Compliance
• Advanced security
protection
• Enhanced auditability
• EU Data Privacy
• Financial Reporting
• Financial Services
• Healthcare/Life Sciences
• Local requirements
Amazon
Inspector AWS WAF AWS
Config
Rules
EU Model Clauses
Identity
Management
Access
Control
Usage
Auditing
Key
Storage
Monitoring
and Logs
AWS Investment: Security

11. Audit & Certification Compliance Overview

12. Tao of Cloud Compliance
1. Partner: the cloud tech SMEs and the security/
compliance SMEs
2. Integrate: industry standards, independent
benchmarking, regulatory requirements
3. Design and Package: Create a master design that
meets internal and external requirements
4. Constrain: enforce deployment to that design
5. Deploy: mechanize a scalable governance and auditing
program

13. Step 1: Partner the cloud tech SMEs and the
security/ compliance SMEs

14. CustomerGovernance Model: Permanent Supervision
 AWS Best Practices
 Industry Standards
 AWS Architecture for Standards
 Internal & Regulatory Requirements
 Service Documentation
 AWS Workbooks
 AWS Technology Resources
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & AccessManagement
Operating System, Network & Firewall Configuration
Customer content
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations
AWS Agreements

15. Step 2: Integrate industry standards,
independent benchmarking, regulatory
requirements

16. Industry Standards and Benchmarking
CIS Amazon Web Services Foundations
Benchmark v1.0.0
Description
This document provides prescriptive guidance for
configuring security options for a subset of
Amazon Web Services with an emphasis on
foundational, testable, and architecture agnostic
settings.

17. FFIEC Assessment Guide for AWS

18. Step 3: Create a master design that
meets internal and external
requirements

19. Create a golden environment
 Using baseline requirements to create a gold OS image
 Configure use of AWS services, for example:
Amazon S3 Amazon EBS Amazon Redshift
 Force SSE
 Turn on logging
 Specify retention
 Set Amazon Glacier archiving
 Prevent external access
 Specify overriding permissions
 Set event notifications
 Define volume type
 Volume size limits
 IOPS performance
(input/output)
 Data location – regions
 Snapshot (backup) ID
 Encryption requirements
 Cluster type (single or multi)
 Encryption (KMS or HSM)
 VPC location
 External access (yes/no)
 Security groups applied
 Create SNS topic
 Enforce Amazon CloudWatch
alarms

20. Step 4: Enforce deployment to that design

21. Enforce AWS Service Catalog
Allows administrators to create and manage catalogs of approved resources
(products) that users can access via a personalized portal.
 Control which IT services and versions are available
 Control the configuration of the available services
 Control permission access by individual, group, department, or cost center.
Provisioning Team creates and
manages Service Catalog
Products built from
CloudFormation Templates
An AWS Service Catalog product
is a deployable AWS
CloudFormation template.

22. Step 5: Mechanize a scalable governance
and auditing program

23. Governance & Auditing Program

24. Tech Automation via Cloud
Automate deployments, provisioning, and configurations of the AWS customer
environments
CloudFormation Service CatalogStack
Template
Instances AppsResources
Stack
Stack
Design Package
Products Portfolios
DeployConstrain
Identity & Access
Management
Set Permissions

25. Best Practices for a Strong Compliance Defense
1. How is the entity using the cloud?
2. Is the entity leveraging credible, third-party assessments?
3. Has the entity benchmarked their use of the cloud against
CIS or another independent body?
4. How do they monitor use of the cloud?
5. How has application, logical access, resiliency, governance
changed?

26. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jodi Scrofani, Financial Services Compliance Strategist at AWS
Thank You!