Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019

© 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved.
Establishing AWS as a trusted partner
Chris Pennisi
FSI Compliance Specialist
AWS
G R C 3 2 5

What does it mean to become a trusted partner?
• Becoming a trusted partner is not a feeling; it is a “calculation”
• If it is a calculation, then what do customers look for?
• But, before we go into that, it is important to recognize that customers are
looking for transparency and consistency at all stages of interaction

The five stages of assessing AWS
How do we work with you?
Do you have what I need to run critical workloads?
Can we be secure on AWS?
How can we be sure that others do not access our data?
Can you help us build?

Understanding the shared responsibility model

Can I choose where I place my data? And control it?
21 Regions
66 Availability Zones
158 Edge Locations

Region & number of AZs Announced Regions
Bahrain, Cape Town, Jakarta, and Milan
What about resilience?
AWS Availability Zone (AZ)AWS Region
A Region is a physical location in
the world where we have multiple
AZs
AZs consist of one or more discrete
data centers, each with redundant
power, networking, and connectivity,
and housed in separate facilities
Transit
Transit AZ
AZ
AZ
AZ
Data center Data center
Data center

What services does AWS provide?

What happens if AWS does not have the service that we
need?
48 82
160 280
516
722
1017
1430
1,957
2009 2011 2012 2013 2014 2015 2016 2017 2018
#Servicesandfeaturesreleased
AWS has been continually expanding its services to
support virtually any cloud workload, and it now has
more than 165 services across a range of functional areas
AWS service development is customer-driven

What is the AWS view of security?
• Security is job zero!
• “Keep humans away from the data.” —Steve Schmidt, AWS CISO
Security enhancements from
1M+ customer experiences
AWS industry-leading
security teams: 24/7,
365 days a year
Security infrastructure
built to satisfy the military,
global banks, and other high-
sensitivity organizations
Over 50 global
compliance certifications
and accreditations

Do you comply with global standards & regulations?
Certifications & attestations Laws, regulations, and privacy Alignments & frameworks
Cloud Computing Compliance Controls Catalogue (C5) 🇩🇪 ✓ CISPE 🇪🇺 ✓ CIS (Center for Internet Security) 🌐 ✓
Cyber Essentials Plus 🇬🇧 ✓ EU Model Clauses 🇪🇺 ✓ CJIS (US FBI) 🇺🇸 ✓
DoD SRG 🇺🇸 ✓ FERPA 🇺🇸 ✓ CSA (Cloud Security Alliance) 🌐 ✓
FedRAMP 🇺🇸 ✓ GLBA 🇺🇸 ✓ Esquema Nacional de Seguridad 🇪🇸 ✓
FIPS 🇺🇸 ✓ HIPAA 🇺🇸 ✓ EU-US Privacy Shield 🇪🇺 ✓
IRAP 🇦🇺 ✓ HITECH 🌐 ✓ FISC 🇯🇵 ✓
ISO 9001 🌐 ✓ IRS 1075 🇺🇸 ✓ FISMA 🇺🇸 ✓
ISO 27001 🌐 ✓ ITAR 🇺🇸 ✓ G-Cloud 🇬🇧 ✓
ISO 27017 🌐 ✓ My Number Act 🇯🇵 ✓ GxP (US FDA CFR 21 Part 11) 🇺🇸 ✓
ISO 27018 🌐 ✓ Data Protection Act – 1988 🇬🇧 ✓ ICREA 🌐 ✓
MLPS Level 3 🇨🇳 ✓ VPAT/Section 508 🇺🇸 ✓ IT Grundschutz 🇩🇪 ✓
MTCS 🇸🇬 ✓ Data Protection Directive 🇪🇺 ✓ MITA 3.0 (US Medicaid) 🇺🇸 ✓
PCI DSS Level 1 💳 ✓ Privacy Act [Australia] 🇦🇺 ✓ MPAA 🇺🇸 ✓
SEC Rule 17-a-4(f) 🇺🇸 ✓ Privacy Act [New Zealand] 🇳🇿 ✓ NIST 🇺🇸 ✓
SOC 1, SOC 2, SOC 3 🌐 ✓ PDPA - 2010 [Malaysia] 🇲🇾 ✓ Uptime Institute Tiers 🌐 ✓
PDPA - 2012 [Singapore] 🇸🇬 ✓ Cloud Security Principles 🇬🇧 ✓
🌐 = industry or global standard PIPEDA [Canada] 🇨🇦 ✓
Agencia Española de Protección de Datos 🇪🇸 ✓

What core frameworks and standards do you meet?
CSA
Cloud Security
Alliance controls
Annual
ISO 9001
Global quality
standard
Annual
ISO 27001
Security management controls
Annual
ISO 27017
Cloud-specific
controls
Annual
ISO 27018
Personal data
protection
annual
PCI DSS Level 1
Payment card standards
Annual
SOC 1
Audit controls report
Biannual
SOC 2
Security, availability, &
confidentiality report
Biannual
SOC 3
General controls
report
Annual

Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS Security Hub
Centrally view and manage security alerts and
automate compliance checks
AWS Control Tower
Automates the setup and governance of a secure,
compliant multi-account AWS environment
New services, now available
in preview
AWS Identity & Access
Management (IAM)
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access
Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
VPC flow logs
AWS Systems Manager
AWS Shield
AWS WAF – Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (Amazon VPC)
AWS Key Management
Service (KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-side encryption
AWS Config rules
AWS Lambda
What services can we use to be secure?

How can we encrypt our data?
AWS KMS High standardsUbiquitous
AWS encryption services are integrated into dozens of our services and
meet the strictest industry requirements

How does AWS manage information requests?
Notification EncryptionValid requests
Amazon does not disclose customer information unless we’re required
to do so to comply with a legally valid and binding order
Where we need to act publicly to protect customers, we do

How does AWS manage administrative access?
Process controlsTechnology
controls
AWS strictly controls our infrequent administrative access to services
This process has executive oversight within AWS and is validated by independent third parties
Automation

How does AWS secure the hypervisor?
Experience
AWS has over a decade of experience securing our virtualization technology
We provide a deep level of isolation within the cloud
Customization &
innovation
Isolation

How can you help us build?
Best practice document
Enablers to help customers
understand and use AWS services
to build workloads
Training & certification
Tailored technical, security,
compliance, and business training to
accelerate cloud adoption
Professional Services
Specialists with industry and technology
experience that customers engage to define
and implement a migration or compliance
program
AWS Partner Competency
Global program comprising technology and
consulting companies that can help customers
shift critical workloads to the cloud and
comply with industry regulations, where
necessary
In-house industry expertise
Resources include former regulators, compliance
officers, information security experts, governance and
audit professionals, traders, and technology specialists
with industry experience
Industry affiliations
Relationships with leading industry associations, as
well as a program of AWS-led industry events

How do we assess our workloads?
Review
process
Consistent Technology
portfolio
Security Reliability
Performance
efficiency
Cost
optimization
Operations
5 pillars
of review
Application
to your
portfolio
24 < 7
The AWS Well-Architected review

Can you help us with operational support?
Technical account
manager (TAM)
Designated technical point of contact
for all necessary AWS expertise
Support
concierge
Dedicated team of enterprise account specialists
to help with billing and account subjects
SMEs
Cloud support engineers, solutions architects,
and product teams are available for guidance
Trusted
advisor (TA)
Online resource to help you reduce cost, increase
performance, and improve security
by optimizing your AWS environment
Personal
health
dashboard
(PHD)
Delivers alerts and remediation
guidance when AWS experiences
events that may impact your
environment
Support
API
Programmatic access to AWS Support
Center features to create, manage, and
close your support cases and
operationally manage your TA check
requests and status
Infrastructure event
management (IEM)
Focused planning and support for
business-critical events
(e.g., launches or migrations)
Well-Architected
review
Detailed review of your architecture
guidance on how
to best design your systems
Architecture
support
Consultative reviews of your
application architecture and how to
align it with AWS
Operations
support
Consultative reviews of your cloud operations
and advice for optimizationTraining
Credits for online, self-paced labs
provided through an AWS training
provider
Abuse
team
Assists you when AWS resources are impacted
by things such as spam, port scanning, distributed
denial of service attacks (DDoS), or malware

The five stages of assessing AWS
Understand the shared responsibility model
Review the AWS infrastructure & service portfolio
Review the AWS security attestation & security services
Understand how we manage data security
Leverage the AWS portfolio of services & tools

Thank you!
Chris Pennisi
pennisic@amazon.com

Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019

Similar a Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019