For security-conscious businesses, SOC 2 compliance is a minimum requirement when considering a cloud-based SaaS or PaaS solution. In this session, AWS and Deloitte deliver a joint workshop designed to help customers who are considering or undergoing SOC 2 compliance be successful, from initiation to delivery. The workshop is interactive, with practical activities derived from real-life challenges that occur throughout the audit life cycle, including planning, scoping, control development, and audit execution. Customers walk away with confidence to execute their own SOC audit to validate the security and compliance of their own cloud applications.
Kristen
Speaker Notes: Introduce why we decided to do this Chalk Talk
We want to share what we’ve learned with you.
Owner: TBD
MISTY
Concept 1 | Control responsibility is shared
Speaker Notes:
To comprehend this key concept we will discuss deployment scenarios and then walkthrough the control assessment methodology performed to complete the control coverage.
DEV
Concept 4 | Translate / Map your security process and controls to SOC 2
Concept 5 | Update your security processes and controls based on your new environment
CC 5.2: …For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
AWSCA-2.1: User access to the internal Amazon network is not provisioned unless an active record is created in the HR System by Human Resources. Access is automatically provisioned with least privilege per job function. First time passwords are set to a unique value and changed immediately after first use.
AWSCA-2.3: IT access privileges are reviewed on a quarterly basis by appropriate personnel.
AWSCA-2.4: User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
Concept 4 | Translate / Map your security process and controls to SOC 2
Concept 5 | Update your security processes and controls based on your new environment
CC 5.2: …For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
AWSCA-2.1: User access to the internal Amazon network is not provisioned unless an active record is created in the HR System by Human Resources. Access is automatically provisioned with least privilege per job function. First time passwords are set to a unique value and changed immediately after first use.
AWSCA-2.3: IT access privileges are reviewed on a quarterly basis by appropriate personnel.
AWSCA-2.4: User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
Misty
Concept 4 | Translate / Map your security process and controls to SOC 2
Concept 5 | Update your security processes and controls based on your new environment
CC 5.2: …For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
AWSCA-2.1: User access to the internal Amazon network is not provisioned unless an active record is created in the HR System by Human Resources. Access is automatically provisioned with least privilege per job function. First time passwords are set to a unique value and changed immediately after first use.
AWSCA-2.3: IT access privileges are reviewed on a quarterly basis by appropriate personnel.
AWSCA-2.4: User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
Concept 4 | Translate / Map your security process and controls to SOC 2
Concept 5 | Update your security processes and controls based on your new environment
AWSCA-1.6: KMS-Specific - Roles and responsibilities for KMS cryptographic custodians are formally documented and agreed to by those individuals when they assume the role or when responsibilities change.
AWSCA-4.1: EC2-Specific – Upon initial communication with an AWS-provided Linux AMI, AWS enables secure communication by SSH configuration on the instance, by generating a unique host-key and delivering the key's fingerprint to the user over a trusted channel.
AWSCA-4.2: EC2-Specific – Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication by configuring Windows Terminal Services on the instance by generating a unique self-signed server certificate and delivering the certificate's thumbprint to the user over a trusted channel.
AWSCA-4.3: VPC-Specific - Amazon enables secure VPN communication to a VPN Gateway by providing a shared secret key that is used to establish IPSec Associations.
AWSCA-4.4: S3-Specific - S3 generates and stores a one-way salted HMAC of the customer encryption key. This salted HMAC value is not logged.
AWSCA-4.6: KMS-Specific - AWS Services that integrate with AWS KMS for key management use a 256-bit data key locally to protect customer content.
AWSCA-4.7: KMS-Specific - The key provided by KMS to integrated services is a 256-bit key and is encrypted with a 256-bit AES master key unique to the customer’s AWS account.
AWSCA-4.9: KMS-Specific - KMS endpoints can only be accessed by customers using TLS with cipher suites that support forward secrecy.
AWSCA-4.10: KMS-Specific - Keys used in AWS KMS are only used for a single purpose as defined by the key usage parameter for each key.
AWSCA-4.11: KMS-Specific - Customer master keys created by KMS are rotated on a defined frequency if enabled by the customer.
AWSCA-5.13: All AWS production media is securely decommissioned and physically destroyed prior to leaving AWS Secure Zones.
AWSCA-7.1: S3-Specific – S3 compares user provided checksums to validate the integrity of data in transit. If the customer provided MD5 checksum does not match the MD5 checksum calculated by S3 on the data received, the REST PUT will fail, preventing data that was corrupted on the wire from being written into S3.
Dev
Speaking Notes: If you walk away with one thing from this session; it would be the conceptual process for supporting the achievement of a SOC (Service Organization Controls) attestation.
Concept 1 | Control responsibility is shared
Concept 2 | Identify the processes and controls needed to secure your scoped environment
--look to your controls framework (or if you don’t work w/ your product team to identify the controls in place)
Concept 3 | Validate service provider SOC2 report(s) to ensure inherited and shared control coverage
Concept 4 | Translate / Map your security process and controls to SOC 2
Concept 5 | Updated your security processes and controls based on your new environment
Identified Shared Responsibility
Identified What Needs to be done to Securre
Do all responsibility owners do those things?
Fill in gaps
Map