ASD CERTIFICATION REPORT

Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3)

Certification Decision

ASD certifies Amazon Web Services EC2, VPC, EBS and S3 for use up to, and including, UNCLASSIFIED (DLM) as per the Australian Government security classification scheme. This certification is valid for 24 months, expiring on 20th April 2017. Certification is based on an independent IRAP assessment and corroborating ASD certification activities.

Australian Government agencies must ensure any systems deployed on Amazon Web Services are independently certified and the system wholly accredited as per the Australian Government Information Security Manual. ASD also recommends agencies deploy to the Amazon Asia Pacific (Sydney) Region.

Purpose

The information provided in this report is for customers of Amazon Web Services, including Australian Government agencies, and is intended to inform an accreditation decision by the customer. Customers of these services should understand that cyber incidents may still occur; however, ASD can confirm that AWS have taken reasonable steps to implement Australian Government recommended information security controls.

The purpose of the Information Security Registered Assessors Program (IRAP) assessment and ASD certification is to assess and highlight the security posture of the cloud service. Full compliance with all security controls is not essential for certification. Certification is based on the assessed security of the cloud service, untreated risks, as well as the security posture of the company and operations staff. Both the IRAP assessment and ASD certification are based on a snapshot-in-time view of the security applied to the cloud service against the agreed scope of the service.

Customers of this cloud service need to perform accreditation based on the proposed use of the service and the risk appetite of the customer. This certification aims to inform the accreditation authority of information security risks; however, customers must also consider financial, privacy, data ownership, data sovereignty and legal risks posed by the use of this cloud service.

Page 1 of 6

Background

Mr. Nathan Joy (IRAP 1037) conducted an IRAP assessment of the AWS EC2, VPC, EBS and S3 cloud services between January and October 2014. ASD conducted certification activities for these services between November 2014 and March 2015. ASD has assessed the security of these services to be suitable for data at UNCLASSIFIED (DLM) as per the Australian Government security classification scheme.

This ASD Certification expires on 20th April 2017, or sooner should re-certification be triggered. ASD reserves the right to conduct ad-hoc certification activities inside this certification period. Reasons for re-certification inside this certification period could include, but are not limited to:

- Changes in information security policies, including associated risk assessments
- Detection of new or emerging threats to the cloud services
- The discovery that controls are not operating effectively or as expected
- The occurrence of a major cyber security incident, directly or indirectly
- System architectural changes
- Significant changes to the company profile, including company partners
- Changes to the cloud service

Definitions

AWS defines the cloud services contained in this certification as follows:

1. Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud, where you can obtain and configure capacity.
2. Amazon Virtual Private Cloud (VPC) enables you to provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
3. Amazon Elastic Block Store (EBS) offers persistent storage for Amazon EC2 instances.
4. Amazon Simple Storage Service (S3) provides secure, durable, highly scalable object storage.
Assessment Scope

The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (Reference: The NIST Definition of Cloud Computing, Special Publication 800-145.) ASD does recognise differing payment models for cloud services outside the NIST definition.

IRAP Assessments and ASD Certifications are conducted passively, in partnership with the cloud provider, to fact-find and provide transparency into the security functionality and controls of the cloud service. These activities do not include penetration testing, active vulnerability assessments, deep-dive code review or any other active activities.

Out of Scope

This certification does not include client-side connections to these services. The customer should ensure components outside the scope are separately assessed, certified and accredited independent of this certification.

Amazon CloudWatch, Amazon CloudTrail and Amazon Config, as well as other Amazon services, are not included in this certification. Agencies should consider logging services and identity management as part of their cloud procurement and conduct rigorous risk assessments, including understanding the risks of poor logging, before procuring these services.

The IRAP Assessor did not find the following communications systems and devices in the AWS cloud platform and hence deemed them out of scope of the assessment:

- Radio Frequency and Infrared Devices
- Fax Machine and Multifunction Devices
- Telephones and Telephone Systems
- Mobile Devices

Shared Security Responsibility in the Cloud

Security in the cloud is reliant on both the provider and the customer. Amazon Web Services details the division of this security responsibility in the graphic below (aws.amazon.com/security/sharing-the-security-responsibility/):

[Graphic: AWS Shared Responsibility Model; not reproduced in this transcription]

Physical Security

At the time of this certification AWS operates in 11 regions. ASD recommends Australian Government Agencies deploy to the Asia Pacific (Sydney) Region, and not transfer data between regions. Physical certification for the relevant Sydney Data Centre was sighted by the IRAP Assessor and ASD Certification Authority.

IRAP Assessment Findings

Application Whitelisting

AWS have mitigated the risk of not implementing application whitelisting on AWS Linux hypervisor hosts as per the ASD guidance "The Top 4 in a Linux Environment". Compensating security controls, including compliance with ISM control 1460 and use of a tightly controlled software deployment mechanism, are designed to protect AWS Linux hypervisor hosts from running unauthorised software. In addition, agencies have the responsibility to implement application whitelisting for their virtual machines running in the AWS cloud, as per the Shared Responsibility Model. (Reference: ISM Controls 0843, 0845, 0846, 0848, 0849, 0851, 0955, 1392, 1391, 0957, 1353, 1354, 1460)

Secure Sockets Layer

Amazon was found to support the use of SSL, while ASD recommends only TLS. Agencies should include this non-compliance in associated risk assessments and accreditation. (Reference: ISM Controls 0482, 1447, 1139)

IT Security Framework and Change Management

AWS have senior executive personnel with related security management roles and responsibilities, and a defined and effective IT security team. AWS have developed and maintain an effective information security framework and documentation suite. Most documentation can be found at amazon.com or is available under a non-disclosure agreement. This documentation is developed within AWS and is not outsourced. AWS applies a systematic approach to change management, reviewing, testing, approving and communicating changes to services which could impact customers.
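The Secure Sockets Layer finding above records that the service endpoints still accept SSL where ASD recommends TLS only. Whether an agency's own clients ever negotiate SSL is on the customer side of the shared responsibility model, and is the part an agency can control directly. The Python example below is added here and is not from the ASD report or from AWS: it builds a client SSLContext that refuses every SSL version (the choice of TLS 1.2 as the floor is this example's, stricter than the SSL-versus-TLS distinction the finding draws), classifies a negotiated protocol name using the report's distinction, and can report what a given endpoint actually negotiates. The hostname used when run from the command line is a placeholder.

```python
import socket
import ssl
from typing import Optional

# Protocol names in the form returned by ssl.SSLSocket.version(). SSL 2.0 and
# 3.0 are the protocols the IRAP finding concerns; ASD recommends TLS only.
DEPRECATED_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})


def tls_only_context() -> ssl.SSLContext:
    """Client-side SSLContext that cannot negotiate any SSL version.

    create_default_context() already turns on certificate and hostname
    verification. Pinning the minimum version to TLS 1.2 (this example's
    choice) makes the handshake fail rather than fall back if a server
    offers only SSL or an older TLS version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_refuses_ssl(ctx: ssl.SSLContext) -> bool:
    """Sanity check usable in a deployment test: the floor must be TLS 1.2+."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def protocol_acceptable(version: Optional[str]) -> bool:
    """Apply the report's distinction: any TLS version passes, SSL does not."""
    if version is None:
        return False
    return version not in DEPRECATED_PROTOCOLS and version.startswith("TLSv")


def negotiated_protocol(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and return the protocol actually
    negotiated, e.g. 'TLSv1.2'. Needs network access, so the offline checks
    do not call it; a server that only speaks SSL makes wrap_socket raise."""
    ctx = tls_only_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    version = negotiated_protocol(host)
    print(f"{host}: negotiated {version}, acceptable={protocol_acceptable(version)}")
```

Run as a script with an endpoint hostname to record, for the agency's risk assessment, which protocol that endpoint negotiates with a TLS-only client; the same context object can be passed to any library that accepts an `ssl.SSLContext`.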
Incident Response

AWS has a significant Incident Response Plan, which is tested regularly, updated annually and as lessons are learnt. The IRAP Assessment highlighted that in the event of a significant incident, AWS could require the involvement of external parties. Agencies should consider this in their risk assessment and accreditation process.

AWS Access Management

All AWS user accounts are reviewed at least quarterly, and all group owners review and remove users who no longer require group membership, based on job functions and roles. Appropriate approvals for requests to establish accounts are documented and retained.

Passphrase

AWS should implement passphrase length controls as described in the ISM. (Reference: ISM Control 0421)

Secure Administration and Network Security

While AWS complies with those controls relating to Secure Administration and Network Security, agencies must ensure any systems being deployed on to the Amazon cloud platform are also ISM compliant. (Reference: ISM Controls relating to Secure Administration and Network Security)

Product Security

The IRAP Assessment found AWS did not comply with Product Selection ISM requirements. AWS do ensure all components meet the strict Amazon functional security requirements and specifications prior to and during deployment. (Reference: ISM Controls 0279, 0280, 0282, 0289, 0293, 0294, 1168)

Maintenance

The IRAP Assessor validated that AWS schedules, performs, documents and reviews records of maintenance and repairs on AWS components. AWS only provides access to data centres and associated information for vendors, contractors and visitors with a legitimate business requirement. All visitors are escorted throughout the visit.

Cabling

Australian Data Centres hosting AWS do not comply with ISM cabling requirements. Cabling colours match the AWS Internal Cabling Procedures and do not align to the requirements in the ISM. Instead of the entire system consisting of one cabling colour for the security domain, AWS has implemented differing colours to highlight critical cabling over non-critical. Agencies should consider this a low risk for inclusion in agency risk assessment documentation, with a better security outcome achieved by Amazon's processes given the operating environment.

Media Labelling

AWS did not comply with ISM controls relating to Labelling Media. AWS considers all customer data as sensitive and hence all media is treated as sensitive. ASD considers this a strong security outcome. (Reference: ISM Controls 0332, 0333, 0334)

Customer Responsibilities

Customers connecting to this cloud service must conduct an assessment, certification and accreditation of customer-side systems connecting to the service.
Customers must ensure they are aware of the scope of this assessment as described in the Cloud Service Scope, and aware of their responsibilities under the AWS Shared Responsibility Model (graphic above). In addition, agencies should ensure they implement those ISM controls which pertain to the agency, which may include, but are not limited to:

Risk Assessment

Australian Government agencies deploying ICT systems in the AWS platform must conduct due diligence and accreditation, including a risk assessment. Agencies should read the Amazon Compliance and Security Whitepaper in conjunction with other security documentation to inform this risk assessment and understand their role in the Shared Responsibility Model. Agencies must also consider their security posture against ASD's Cloud Computing Security for Tenants. (Reference: ISM Controls 1210, 0872)

Configuration and Support

Agencies are responsible for configuration of their AWS services. EC2 requires considerable configuration, including the patching of the guest operating system on each instance as well as any software installed. Through S3, agencies will need to configure each storage bucket and its backup options. Agency IT staff should become familiar with these configuration options and make recommendations to agency staff procuring AWS, in line with agency IT policies and your organisation's needs. In addition, AWS offer differing support models based on the agency's per-month purchase. There is considerable AWS training available online, including configuration demonstrations. Some security warnings will be displayed during configuration and these should be reviewed carefully.

Cryptography

AWS provides customers with the ability to use encryption for AWS cloud services. Agencies must ensure that data is adequately encrypted. (Reference: ISM Cryptography Chapter)

Data Transfer and Content Filtering

While AWS has implemented data transfer controls that detect and mitigate unauthorised or malicious activity transiting a security boundary, agencies must note that these controls relate to the protection of AWS underlying infrastructure. Agencies must ensure they adequately protect deployed information systems. (Reference: ISM Data Transfer and Content Filtering Chapters)

Access Control

Agencies should comply with the Access Control requirements of the ISM. (Reference: ISM Access Control Chapter)

Working Off-Site

Agencies should consider the security implications before they permit staff and/or contractors to access government information on the AWS platform from outside Agency premises. (Reference: ISM Working Off-Site Chapter)

Incident Response Plan

Agencies must develop an Incident Response Plan as per the ISM. The IRP should detail how to monitor, handle and respond to an incident regarding agency data in the cloud.
In addition, the IRP should consider how to conduct incident forensics in partnership with the cloud service provider. Agencies should develop a policy to enable reporting of incidents and vulnerabilities to AWS (via the AWS Vulnerability Reporting website).

Business Continuity Plan and Data Ownership

Agencies must consider the ability to maintain the integrity, availability and confidentiality of agency data in the event the agency is required to move the data to a different cloud provider, or in-source data, in the future.

Other Compliance Certifications

Details of other compliance certifications held by Amazon Web Services can be found at aws.amazon.com/compliance/
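The Configuration and Support, Cryptography and Data Transfer items under Customer Responsibilities leave the protection of data written to S3, both at rest and in transit, with the agency. The Python example below is added here and is not from the ASD report or from AWS. It builds an S3 bucket policy whose two Deny statements refuse any request not made over TLS and any PutObject that carries no server-side-encryption header (the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are standard IAM condition keys), and pairs it with a deliberately simplified evaluator, covering only Deny statements with the Bool and Null operators rather than full IAM evaluation logic, so the effect of the policy can be checked against constructed request contexts before it is deployed. The bucket name, object key and request contexts are constructed for the example.

```python
import json

# Constructed bucket name; an agency would substitute its own.
EXAMPLE_BUCKET = "example-agency-records"


def build_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two Deny statements: no plaintext transport, and
    no object uploads that omit the server-side-encryption header."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                # Null/true holds when the header is absent from the request.
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style match for the only wildcard form used above: a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the two IAM condition operators the policy uses.

    Bool: context value must equal the expected 'true'/'false' string; as in
    IAM, a missing key means the condition is not met.
    Null: 'true' holds when the key is absent, 'false' when it is present.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                if not present or ctx[key].lower() != expected.lower():
                    return False
            elif operator == "Null":
                if present == (expected.lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def denied_by(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Return the Sids of Deny statements matching a request. Simplified:
    explicit Deny only, no Allow or Principal handling, so it answers
    'would this policy block the request?' and nothing more."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_bucket_policy(EXAMPLE_BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{EXAMPLE_BUCKET}/report.pdf"
    # Constructed request contexts, shaped as S3 presents them to policy evaluation.
    cases = [
        ("PutObject over TLS with SSE header", "s3:PutObject", obj,
         {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}),
        ("PutObject over TLS without SSE header", "s3:PutObject", obj,
         {"aws:SecureTransport": "true"}),
        ("GetObject over plain HTTP", "s3:GetObject", obj,
         {"aws:SecureTransport": "false"}),
    ]
    for label, action, res, ctx in cases:
        print(f"{label}: denied by {denied_by(policy, action, res, ctx) or 'nothing'}")
```

The policy document printed by the script is what would be attached to the bucket; the evaluator exists so that the intended refusals (and, just as importantly, the requests that must still succeed) can be asserted in a test before the policy is applied. Bucket default encryption and versioning, which the Configuration and Support paragraph also points at, are separate bucket settings and are not modelled here.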