Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
2. Session Topics
Resources Available Online
Hi! We’re Here to Help You
Things to Consider
FISMA Primer
Where to Begin
We’re In This Together
Putting the Solution Together
Public Sector Security Ecosystem
3. Resources Available Online
GSA: FedRAMP Home Page
http://www.gsa.gov/portal/category/102371
NIST: Computer Security Division – Resource Center
http://csrc.nist.gov/publications/PubsSPs.html
AWS Security and Compliance Center
http://aws.amazon.com/security/
AWS Risk and Compliance Whitepaper (new edition, July 2012)
AWS Architecture Center
http://aws.amazon.com/architecture/
AWS U.S. Federal Government
http://aws.amazon.com/federal/
Find AWS Partner Solution Providers
https://aws.amazon.com/solution-providers
4. Hi! We’re Here to Help You
Getting Started
Account Representatives
Partner Representatives
Solution Architects
Security and Compliance Team
Up and Running
Technical Account Managers
Premium Support Services
But most of all….
5. Our Public Sector Security Ecosystem
https://aws.amazon.com/solution-providers/
6. Things to Consider
You Understand Applicable Federal Regulations and Data Protection Policies
FISMA, FERPA, HIPAA, CUI, PCI,...
Your Solution Is Suitable for Accreditation
Your Government Sponsor is a Full Partner in the Process
Business Owner
Information Assurance Team
7. Applicable CUI Information Domains
CUI Categories:
Agriculture
Copyright
Critical Infrastructure
Export Control (ITAR)
Financial
Immigration
Intelligence
Law Enforcement
Legal
Nuclear
Patent
Privacy
Proprietary (IP)
Statistical
Tax
Transportation
8. Solution Suitability for Accreditation
Designed and Implemented with FISMA Accreditation as a primary goal.
Ability to configure or customize relevant control areas:
Access Controls
Identification and Authorization
Audit Points and Audit Integrity
System and System Communication Protection
Etc…
9. FISMA Primer – 18 Control Families (NIST SP 800-53)
AC – Access Control
AT – Awareness and Training
AU – Audit and Accountability
CA – Security Assessment and Authorization
CM – Configuration Management
CP – Contingency Planning
IA – Identification and Authentication
IR – Incident Response
MA – Maintenance
MP – Media Protection
PE – Physical and Environmental Protection
PL – Planning
PS – Personnel Security
RA – Risk Assessment
SA – System and Services Acquisition
SC – System and Communications Protection
SI – System and Information Integrity
PM – Program Management
10. FISMA Primer (cont.)
Customer Configured
Definition: The workload operator seeking accreditation is required to proactively use and configure capabilities implemented and maintained by AWS to be in compliance with the control.
Customer Provided
Definition: The workload operator seeking accreditation is required to implement, maintain, proactively use and configure capabilities independently of AWS to be in compliance with the control.
11. FISMA Primer (cont.)
Hybrid Controls
Definition: Shared implementation responsibility between AWS and the workload operator seeking accreditation.
12. We’re In This Together: Shared Responsibility
Customer Control & Customer Responsibility:
Data
Application
Software
Firewalls/IDS/AV
Guest Operating System
AWS Control & AWS Responsibility:
Hypervisor
Hardware
Physical Infrastructure
13. Examples of “Customer Responsibilities”
Apply Your Information Management Program – one that integrates Information Assurance
Standardize Machine Images – create gold copy images for production deployment/to launch new instances
Build and test in a sandbox environment – work out the bugs, figure out how to break it, architect to be resilient
Do the same stuff you do in-house – quarterly patch management, IDS/IPS, logging, tripwire, etc.
Conduct a Risk Assessment – to determine the level of security controls you require
Role Based Access Controls – restrict access to system components based upon need to know
14. Examples of “Customer Responsibilities” (cont.)
Use Encryption – for data in transit, for data at rest, for the file system
Key Management – rotate keys used to access your resources (AWS does not hold these…you do)
Setup Monitoring/Alerting – collect metrics and enable alerting for when events occur
Vulnerability Scans – allowed via a permission process (else we’ll kill/block the source of scans)
Prepare for Failure – create backups, store data in more than one location, test backups, have a contingency system ready
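Key rotation is listed above as the customer's job, and nothing in AWS enforces an interval for you. As an added example that is not part of the deck, the Python below applies a rotation rule to IAM access-key metadata. The sample records are constructed, the key ids and user names are placeholders, and two things are assumptions: the 90-day interval (set it from your risk assessment) and the record shape, which follows what boto3's iam.list_access_keys returns so the same function can be run on real output.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of IAM ListAccessKeys metadata, one dict per key.
# Assumption: in a real audit this list is built from
# iam.list_access_keys(UserName=...)['AccessKeyMetadata'] for every IAM user.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000DEPLOY", "Status": "Active",
     "CreateDate": datetime(2012, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000ALICE1", "Status": "Active",
     "CreateDate": datetime(2012, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000BOB01", "Status": "Active",
     "CreateDate": datetime(2012, 2, 20, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000BOB02", "Status": "Active",
     "CreateDate": datetime(2012, 6, 25, tzinfo=timezone.utc)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000CAROL1", "Status": "Inactive",
     "CreateDate": datetime(2011, 11, 3, tzinfo=timezone.utc)},
]

# Assumed local policy: rotate long-term keys every 90 days. AWS does not enforce this.
MAX_KEY_AGE = timedelta(days=90)

# Fixed "now" so the sample run is reproducible.
AUDIT_TIME = datetime(2012, 7, 1, tzinfo=timezone.utc)


def key_age_days(key, now):
    """Whole days since the key was created."""
    return (now - key["CreateDate"]).days


def audit_access_keys(keys, now, max_age=MAX_KEY_AGE):
    """Return findings as sorted (user, key_id, reason) tuples.

    Rules applied:
      * an Active key older than max_age must be rotated;
      * an Inactive key is a leftover from a past rotation and should be deleted;
      * a user holding two Active keys has a rotation in flight: once the newer
        key is in use everywhere, the older one must be deactivated, then deleted.
    """
    findings = []
    active_by_user = {}
    for k in keys:
        if k["Status"] == "Active":
            active_by_user.setdefault(k["UserName"], []).append(k)
            if now - k["CreateDate"] > max_age:
                findings.append((k["UserName"], k["AccessKeyId"],
                                 "rotate: active key older than %d days" % max_age.days))
        else:
            findings.append((k["UserName"], k["AccessKeyId"],
                             "delete: inactive key still present"))
    for user, user_keys in active_by_user.items():
        if len(user_keys) > 1:
            oldest = min(user_keys, key=lambda k: k["CreateDate"])
            findings.append((user, oldest["AccessKeyId"],
                             "deactivate: older of two active keys"))
    return sorted(findings)


if __name__ == "__main__":
    for user, key_id, reason in audit_access_keys(SAMPLE_KEYS, AUDIT_TIME):
        print("%-12s %-24s %s" % (user, key_id, reason))
```

Run on the sample, the audit flags deploy-bot's and bob's old keys for rotation, bob's older key for deactivation because the replacement already exists, and carol's inactive key for deletion; alice's 30-day-old key passes. Feeding the account's real key metadata into audit_access_keys gives the list you would act on in a quarterly review.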
15. Putting the Solution Together
Physical Security:
Datacenters in nondescript facilities
Physical access strictly controlled
Must pass two-factor authentication at least twice for floor access
Physical access logged and audited
HW, SW, Network:
Systematic change management
Phased updates deployment
Safe storage decommission
Automated monitoring and self-audit
Advanced network protection
Certifications:
SOC 1 Type 2 (formerly SAS-70)
ISO 27001
PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
FISMA Moderate Compliant Controls
HIPAA & ITAR Compliant Architecture
Amazon Physical Infrastructure (GSS)
(Datacenters, Network Devices, Servers, Dark Fiber, Raw Storage Devices, Security Systems, Fire Suppression, UPS/Backup Power Systems, Environmental Control Systems, Reserved Commercial Fiber/Network Capacity, Infrastructure Control Systems and Services)
1. In-Scope Service Feature operated under common service control process.
2. Amazon GSA IaaS BPA Partner Apptis provides FIPS 140-2 validated encryption when accessing from agency machines configured in agreement with United States Government Configuration Baseline (USGCB) baselines.
16. Putting the Solution Together: Amazon VPC Architecture with DirectConnect
Infrastructure Building Blocks:
Compute Services: Amazon EC2, HPC Clusters¹, Auto Scaling¹, VM Import¹
Network Services: Amazon VPC, Elastic Load Balancers¹, Amazon Route 53¹, Direct Connect¹
Storage Services: Amazon S3, Amazon EBS
Amazon Physical Infrastructure (GSS) (see slide 15 for components and footnotes)
17. Putting the Solution Together: Users and Groups within Accounts
Unique security credentials:
Access keys
Login/Password
MFA device
Policies control access to AWS APIs
Deep integration into S3: policies on objects and buckets
AWS Management Console now supports User log on
Not for Operating Systems or Applications: use LDAP, Active Directory, ADFS, etc...
Cross Service Features: Identity and Access Management¹ (IAM w/ Multi-Factor Authentication)
Layered on the Infrastructure Building Blocks and Amazon Physical Infrastructure (GSS) shown on slide 16
18. AWS Multi-Factor Authentication
• Helps prevent anyone with unauthorized knowledge of your credentials from impersonating you
• Additional protection for account information and critical APIs
• Physical and virtual MFA devices supported via RFC 6238
• Works with
Account (root) identity
IAM Users
• Integrated into
AWS Management Console
Key pages on the AWS Portal
MFA-protected API access (new feature)
S3 secure delete
A recommended opt-in security feature!
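"MFA-protected API access" above is implemented with an IAM policy condition on the aws:MultiFactorAuthPresent key. As an added example, not taken from the deck, the Python below builds such a policy for an S3 bucket and runs requests through a deliberately simplified evaluator (a model of the Deny-overrides-Allow rule and the two Bool operators, not AWS's engine) to show why the Deny must use BoolIfExists rather than Bool. The bucket ARN is a placeholder. Bucket-level MFA Delete on a versioned bucket (the "S3 secure delete" item) is a separate setting and is not modelled.

```python
import fnmatch
import json

# Assumed placeholder bucket, not one from the presentation.
BUCKET_ARN = "arn:aws:s3:::example-agency-records"


def mfa_protected_delete_policy(bucket_arn, deny_operator="BoolIfExists"):
    """IAM policy: object deletion is allowed only when the caller signed in with MFA.

    The Deny uses BoolIfExists on purpose. A request signed with long-term access
    keys and no MFA carries no aws:MultiFactorAuthPresent key at all. With plain
    Bool the condition is false for such a request, the Deny does not match, and
    the Allow wins. BoolIfExists treats the missing key as a match, so the Deny
    fires. deny_operator="Bool" exists here only to demonstrate that hole.
    """
    actions = ["s3:DeleteObject", "s3:DeleteObjectVersion"]
    resource = bucket_arn + "/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowDeleteOfObjects", "Effect": "Allow",
             "Action": actions, "Resource": resource},
            {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny",
             "Action": actions, "Resource": resource,
             "Condition": {deny_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Simplified model of the Bool and BoolIfExists operators over a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                # Missing key means the condition is not met.
                if not present or str(ctx[key]).lower() != expected:
                    return False
            elif operator == "BoolIfExists":
                # Missing key means the condition is met; present key must equal expected.
                if present and str(ctx[key]).lower() != expected:
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins over Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = mfa_protected_delete_policy(BUCKET_ARN)
    print(json.dumps(policy, indent=2))
    obj = BUCKET_ARN + "/docs/a.pdf"
    for ctx in ({"aws:MultiFactorAuthPresent": True}, {"aws:MultiFactorAuthPresent": False}, {}):
        print(ctx, "->", evaluate(policy, "s3:DeleteObject", obj, ctx))
```

The three contexts in the demo correspond to a console session with MFA, a session where MFA was explicitly not used, and an API call signed with long-term keys. Only the first is allowed; with the weak Bool variant the third is allowed as well, which is the common mistake when this control is written by hand.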
19. Putting the Solution Together
Business/Mission Services
Customer Workload
AWS Network Layer – Configuration Touch Points
Access to AWS Services: Libraries and SDKs¹ (Java, .Net, Ruby, PHP); Web Interface² (Management Console Interface¹); Command Line Tools
Cross Service Features: Identity and Access Management¹ (IAM w/ Multi-Factor Authentication)
Layered on the Infrastructure Building Blocks and Amazon Physical Infrastructure (GSS) shown on slide 16
20. Amazon VPC Architecture
(Diagram. Components shown: the Customer’s isolated AWS resources inside the Amazon Web Services Cloud, arranged in Public and Private Subnets; an Internet Router and NAT on the public side; a VPN Gateway terminating a Secure VPN Connection over AWS DirectConnect to the Customer’s Network.)
21. Putting the Solution Together
Business/Mission Services
Customer Workload
AWS Network Layer – Configuration Touch Points
Customer Operating Systems
AWS Virtualization Layer – Configuration Touch Points
Customer Storage
AWS Storage Layer – Configuration Touch Points
Access tools, IAM, Infrastructure Building Blocks and Amazon Physical Infrastructure (GSS) as shown on slides 16 and 19
24. Putting the Solution Together
Business/Mission Services
Customer Workload
AWS Network Layer – Configuration Touch Points
Customer Application
Customer Operating Systems
AWS Virtualization Layer – Configuration Touch Points
Customer Storage
AWS Storage Layer – Configuration Touch Points
Access tools, IAM, Infrastructure Building Blocks and Amazon Physical Infrastructure (GSS) as shown on slides 16 and 19
25. (Diagram: reference architecture in an AWS Virtual Private Cloud)
AWS Virtual Private Cloud spanning Availability Zone #1 and Availability Zone #2, reached from the Company Network (Company VPN Gateway) through the AWS VPC Gateway over DirectConnect, with a Virtual Firewall & IDS Appliance at the edge. Labels shown:
HTTP/HTTPS DMZ - 10.254.1.0/24, 10.254.2.0/24: Security Group A, Policy B, Elastic Load Balancer
WEB tier 10.30.1.X: Security Group B, Policy C, Auto Scaling Group A
Business tier 10.20.1.X: Security Group C, Policy D, Auto Scaling Group B
Data Svc tier 10.10.1.X: Security Group D, YourDBSvr in each Availability Zone
LDAP DC
DNS (port 53) for Company.com
S3 Bucket for Logs and S3 Bucket for Backups, each with an IAM Add-on
AWS Management Console with MFA and IAM Security Policy
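The tiered layout in the diagram only isolates the tiers if each security group admits the right sources, so the check a reviewer wants is a rule-by-rule comparison against the intended flow (Internet to DMZ, DMZ to WEB, WEB to Business, Business to Data, plus administration from the company network). As an added example that is not from the deck, the Python below models the four tiers as security groups and reports every ingress rule whose source is not permitted for its tier. Group ids, the 192.168.0.0/16 company network, the admin subnet and the two data-tier misconfigurations are constructed for the example; the rule shape (protocol, port, source CIDR or source group id) follows what a security group ingress rule contains.

```python
import ipaddress

# Assumed: the company network reached over DirectConnect / VPN.
COMPANY_NET = ipaddress.ip_network("192.168.0.0/16")

# Constructed security groups modelled on the slide's tiers. Group ids are
# placeholders. Each ingress rule is (protocol, port, source); a source is
# either a CIDR or the id of another security group, as AWS allows.
GROUPS = {
    "sg-dmz": {"tier": "dmz", "ingress": [
        ("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")]},
    "sg-web": {"tier": "web", "ingress": [
        ("tcp", 80, "sg-dmz"), ("tcp", 443, "sg-dmz"), ("tcp", 22, "192.168.10.0/24")]},
    "sg-biz": {"tier": "business", "ingress": [
        ("tcp", 8080, "sg-web"), ("tcp", 22, "192.168.10.0/24")]},
    # Constructed misconfigurations: DB port open to all of 10/8, SSH open to the world.
    "sg-data": {"tier": "data", "ingress": [
        ("tcp", 3306, "sg-biz"), ("tcp", 3306, "10.0.0.0/8"), ("tcp", 22, "0.0.0.0/0")]},
}

# Corrected data-tier group: only the business tier and the admin subnet may connect.
HARDENED_GROUPS = dict(GROUPS)
HARDENED_GROUPS["sg-data"] = {"tier": "data", "ingress": [
    ("tcp", 3306, "sg-biz"), ("tcp", 22, "192.168.10.0/24")]}

# Permitted source labels per tier: the tier one step up, plus the company network for administration.
ALLOWED_SOURCES = {
    "dmz": {"internet"},
    "web": {"sg-dmz", "company"},
    "business": {"sg-web", "company"},
    "data": {"sg-biz", "company"},
}


def classify_source(source):
    """Map a rule source to a label: a group id, 'internet', 'company', or 'cidr:<net>'."""
    if source.startswith("sg-"):
        return source
    net = ipaddress.ip_network(source)
    if net.prefixlen == 0:
        return "internet"
    if net.version == COMPANY_NET.version and net.subnet_of(COMPANY_NET):
        return "company"
    return "cidr:" + source


def find_violations(groups, allowed=ALLOWED_SOURCES):
    """Return sorted (group_id, protocol, port, source, label) for rules that admit a source the tier must not accept."""
    violations = []
    for gid, group in groups.items():
        permitted = allowed[group["tier"]]
        for proto, port, source in group["ingress"]:
            label = classify_source(source)
            if label not in permitted:
                violations.append((gid, proto, port, source, label))
    return sorted(violations)


if __name__ == "__main__":
    for v in find_violations(GROUPS):
        print("VIOLATION %s %s/%d from %s (%s)" % v)
    print("hardened:", find_violations(HARDENED_GROUPS))
```

The same function can be pointed at real groups by translating each DescribeSecurityGroups rule into (protocol, port, source) tuples; the labels in ALLOWED_SOURCES are the design decision, and any rule that does not fit them is either a finding or a reason to update the design.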
FERPA: Family Educational Rights and Privacy Act of 1974
HIPAA: Health Insurance Portability and Accountability Act of 1996
GLB: Gramm-Leach-Bliley Act – protects the financial information of consumers
HSA: Homeland Security Act of 2002 – created the Department of Homeland Security and many data-related requirements
CUI: Controlled Unclassified Information
NASD Rule 3110: National Association of Securities Dealers (NASD) members must control customer account information
PCI: Payment Card Industry Data Security Standard – requirements for enhancing payment account data security