Compliance and Security in a Cloud-First Era
Regions:
- Dublin (EU-West): 3 x Availability Zones, launched in 2007
- Frankfurt (EU-Central): 2 x Availability Zones, launched in 2014
Edge Locations: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
Direct Connect POPs: Dublin, London, Frankfurt
Shared responsibility model

Customers are responsible for their security IN the Cloud:
- Customer applications & content
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
- Client-side Data Encryption
- Server-side Data Encryption
- Network Traffic Protection

AWS is responsible for the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
The same model in more detail (to AWS, customer content is opaque data, 1s and 0s, whether in transit or at rest):

Managed by the customer:
- Customer content
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data); optionally performed by the platform to protect data at rest
- Network traffic protection (encryption / integrity / identity); optionally performed by the platform to protect data in transit
- Platform & applications management
- Operating system, network & firewall configuration
- Customer IAM

Managed by AWS:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS IAM
- AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
Security cannot be a blocker of innovative business
"We'll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves." - "Security's Cloud Revolution Is Upon Us", Forrester Research, Inc., August 2, 2013
Singapore MTCS
Customers:
- Your own accreditation
- Your own certifications
- Your own external audits
- Customer scope and effort are reduced; better results through focused efforts

Built on AWS consistent baseline controls:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA
Steps of the IT-Grundschutz methodology covered here:
- Defining the information domain
- Structure analysis
- Modeling the domain
Based on the whitepaper "IT Grundschutz compliance on Amazon Web Services".
Source: BSI-Standard 100-1, Information Security Management Systems (ISMS), Version 1.5, p. 10
Information domain: the infrastructure, organization, staff and technical objects that are used for information processing.
- Organization
- Infrastructure
- IT systems
- Applications
- Employees
An information domain can include entire institutions or single areas, or focus on, e.g., certain applications. The information domain is essentially the scope of an ISMS and of the related certification.
Noteworthy: the BSI issues ISO 27001 certificates on the basis of IT-Grundschutz; IT-Grundschutz is therefore fully compatible with ISO 27001 and ISO 27002.
Structure analysis: a detailed description of every part of the information domain, generally based on a network plan. When external providers are used (outsourcing), the interfaces to them must be included in the documentation. Result: a list of components that are relevant for the IT-Grundschutz methodology. In an AWS context, these components are located both at the customer and at AWS.
Security IN the cloud: responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
Security OF the cloud: how AWS manages the security of the cloud's underlying infrastructure. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the AWS services operate.
Conclusion: IT-Grundschutz modules to be addressed by the customer cover security in the cloud; modules to be delivered by AWS cover security of the cloud.
Modeling the domain: replicating the information domain using the modules and related instructions found in the IT-Grundschutz catalogues. Modules structure the recommendations of the IT-Grundschutz catalogues into technical components or organizational measures, each with its respective security measures, selected according to the protection requirements of the components. Examples of modules that need to be addressed by the customer: M 1.11 Outsourcing, M 1.12 Archiving.
The customer does not have to implement a module if the corresponding task has been completely transferred to AWS. Some modules need to be addressed by both sides. Examples of modules that need to be addressed by AWS: M 2.1 General building, M 2.2 Electric cabling, M 2.9 Data centers, M 2.12 IT cabling. The whitepaper "IT Grundschutz compliance on Amazon Web Services" contains more details on the modules.
Contents of the whitepaper:
Abstract
Section 1, Customer View:
- Description of the IT-Grundschutz catalogues to be modeled
- Modules to be addressed by the customer
- Implementing catalogue M 1.11 Outsourcing
- Modules to be delivered by AWS
Section 2, AWS View:
- Description of what needs to be provided by the customer
- Covering requirements with existing AWS certifications or measures
- AWS alignment to BSI IT-Grundschutz
Company: UK-based global communications platform for call centers to capture communications data.
Challenge: must comply with PCI DSS so that their customers can process payment card data on the platform.
Results: PCI certified on AWS; also SOC 1 Type 2 audited and ISO 27001 certified.
http://d36cz9buwru1tt.cloudfront.net/cognia-case-study.pdf
Company: France-based insurance and healthcare coverage company, responsible for the secure use and storage of confidential customer information.
Challenge: move critical IT to AWS and comply with the Solvency II Directive (EU insurance regulation).
Results: moved to AWS, realized cloud benefits (financial, security, scalability, availability, resiliency) and remain fully compliant with Solvency II and other compliance requirements. They are moving their other environments onto AWS.
http://aws.amazon.com/solutions/case-studies/smatis/
https://run.qwiklab.com/
awscompliance