Compliance and Security in a Cloud-First Era

Transcription

1 Compliance and Security in a Cloud-First Era

2

3

4

5

6 Regions: Dublin (EU-West) 3 x Availability Zones Launched in 2007 Frankfurt (EU-Central) 2 x Availability Zones Launched 2014 Edge Locations: Amsterdam, The Netherlands (2), Dublin, Ireland, Frankfurt, Germany (3), London, England (3), Madrid, Spain, Marseille, France, Milan, Italy, Paris, France (2), Stockholm, Sweden, and Warsaw, Poland Direct Connect POPs: Dublin, London, Frankfurt

7

8

9 Customers shared responsibility Customer applications & content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Customers are responsible for their security IN the Cloud AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Availability Zones Regions Edge Locations AWS is responsible for the security OF the Cloud

10 Customers Customer content Platform & Applications Management Operating System, Network & Firewall Configuration Client-Side Data encryption & Data Integrity Authentication Server-Side Encryption Fire System and/or Data Network Traffic Protection Encryption / Integrity / Identity Customer IAM Managed by AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Optional Opaque data: 1 s and 0 s (in transit/at rest) Availability Zones Regions Edge Locations AWS IAM Managed by

11 Customers Client-Side Data encryption & Data Integrity Authentication Customer content Network Traffic Protection Encryption / Integrity / Identity Optional Opaque data: 1 s and 0 s (in transit/at rest) Platform & Applications Management Operating System, Network Configuration Firewall Configuration Customer IAM Managed by Managed by AWS Foundation Services Compute Storage Database Networking AWS IAM AWS Global Infrastructure Availability Zones Regions Edge Locations

12 Customers Managed by Optional Opaque Data: 1 s and 0 s (in flight / at rest) AWS Foundation Services Customer content Client-Side Data Encryption & Data Integrity Authentication Server Side Encryption by the Platform Protection of Data at Rest Network Traffic Protection by the Platform Protection of Data at in Transit Platform & Applications Management Operating System, Network & Firewall Configuration Compute Storage Database Networking AWS IAM Managed by AWS Global Infrastructure Availability Zones Regions Edge Locations

13

14 Security cannot be a blocker of innovative business

15

16

17 We ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves. - Security s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013

18 Singapore MTCS

19

20

21

22

23

24

25

26

27 Customers Your own accreditation Your own certifications Your own external audits Customer scope and effort is reduced Better results through focused efforts AWS Foundation Services Compute Storage Database Networking Built on AWS consistent baseline controls AWS Global Infrastructure Availability Zones Regions Edge Locations

28 TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA

29 Defining the information domain Structure analysis Modeling the domain Based on the whitepaper IT Grundschutz compliance on Amazon Web Services. TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 30

30 Source: BSI-Standard 100-1, Information Security Management Systems (ISMS), Version 1.5, p. 10 TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 31

31 Information domain: infrastructure, organization, staff and technical objects that are used for information processing. Organization Infrastructure IT systems Applications Employees Information domain can include: entire institutions or single areas or focus on e.g. certain applications. Information domain is essentially the scope of an ISMS and the related certification. Noteworthy: IT Grundschutz is certified on the basis of ISO 27001; therefore, IT Grundschutz is fully compatible with ISO and TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 32

32 Detailed description of any part of the information domain. Generally based on a network plan. When using external providers ( outsourcing ), interfaces must be included in the documentation. Result: a list of components that are relevant for the IT Grundschutz methodology. In an AWS context, the components are located both at the customer and at AWS. TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 33

33 Security IN the cloud Responsibility of the customer As customers retain control of what security they choose to implement to protect their own: content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter Security OF the cloud Security of the cloud refers to how AWS manages the security of the cloud s underlying infrastructure. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the AWS services operate Conclusion - IT Grundschutz modules to be addressed by the customer (security in the cloud) Modules to be delivered by AWS (security of the cloud). TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 34

34 Replicating the information domain using the modules and related instructions found in the IT Grundschutz catalogues. Modules are used for structuring the recommendations of the IT- Grundschutz catalogues into: technical components or organizational measures, with respective security measures. Based on protection requirements of the components. Examples for modules that need to be addressed by the customer: M 1.11 Outsourcing M 1.12 Archiving TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 35

35 The customer does not have to implement the respective modules if a task has been completely transferred to AWS. Some modules need to be addressed by both sides. Examples for modules that need to be addressed by AWS: M 2.1 General building M 2.2 Electric cabling M 2.9 Data centers M 2.12 IT-cabling The Whitepaper IT Grundschutz compliance on Amazon Web Services contains more details on modules. TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 36

36 Contents of the whitepaper: Abstract Section 1 Customer View Description of the IT-Grundschutz catalogues to be modeled Modules to be addressed by the customer Implementing catalogue M 1.11 Outsourcing Modules to be delivered by AWS Section 2 AWS View Description of what needs to be provided by the customer Covering requirements with existing AWS certifications or measures AWS Alignment to BSI IT-Grundschutz TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA Page 37

37

38

39

40 Company: UK-based global communications platform for call centers to capture communications data Challenge: must comply with PCI DSS so their customers can process payment card data on the platform Results: PCI certified on AWS; also SOC 1 Type 2 audited, ISO certified

41 Company: France-based insurance and healthcare coverage company, responsible for secure use and storage of confidential customer information Challenge: move critical IT to AWS and comply with the Solvency II Directive (EU insurance regulation) Results: Moved to AWS, realized cloud benefits (financial, security, scalability, availability, resiliency) and remain fully compliant with Solvency II and other compliance requirements. They are moving their other environments onto AWS.

42

43

44

45

46 awscompliance