AWS FSI Symposium 2017 NYC – Shared Responsibility & AWS Compliance

1. © 2017 | Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Shared Responsibility Model and AWS Compliance
Compliance with Confidence
John McDonald, Global Financial Services Security & Compliance Architect for AWS
June 22, 2017
2. AWS Global Infrastructure
16 Regions – 42 Availability Zones – 68 Edge Locations
Region & number of Availability Zones:
• US East: N. Virginia (5), Ohio (3)
• US West: Oregon (3), Northern California (3)
• AWS GovCloud (2)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (2), London (2)
• Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
• China: Beijing (2)
New regions coming soon: Paris, Ningxia, Stockholm
3. AWS Shared Responsibility Model – Overview
Customer: responsibility for security “in” the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Networking traffic protection (encryption / integrity / identity)
AWS: responsibility for security “of” the cloud
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
5. Our Programmatic Approach
We help customers rapidly develop effective compliance programs.
• Customer-focused: we have designed our compliance processes to be as user-friendly as possible and ensure our own controls meet the highest bar.
• Comprehensive: we provide a broad toolkit to support governance, risk, and controls that harnesses automation to meet audit demands.
• Configurable: we work with you to develop a compliance program that can adapt to changing regulations and operations.
• Complementary: we view regulatory compliance as an obligation we collectively address and not a revenue opportunity.
6. Core Compliance Principles at Work
We work behind the scenes to facilitate and de-complex compliance.
What we provide:
• Rigorous auditing of AWS services
• Transparency into AWS controls
• Global regulatory engagement
• FinServ-specific contracts
• Compliance dashboards & monitoring
How customers benefit:
• Certifications and audit reports
• Catalogue of AWS services
• Centralized control over services
7. Our Compliance Framework
Support ranging from low-touch to strategic guidance.
Framework pillars: Terms & Conditions; Transparency; Compliance/Security Tools & Services; Security & Continuity Support; Industry Expertise; Shaping the Regulatory Landscape.
• Guidance and programs to help our customers quickly set up sustainable compliance programs
• Tools and support to help our customers manage audit demands
• Mechanisms to advocate for—and share best practices with—our customers
8. Terms & Conditions
Contractual terms that meet the needs of financial services institutions.
Our approach is designed to make contracting as straightforward as possible:
• Cloud services terms for outsourcing and third-party management
• Terms to address global and regional compliance objectives
• No contract lock-in
Contractual components: Regulatory Audit Rights; AWS Audit Commitments; EU Model Clauses; Data Protection Agreements; Customer Compliance Briefings.
Resources to help customers with documentation.
9. Transparency
Use AWS Artifact for easy access to compliance documentation.
What is it?
A globally available, no-cost portal that provides on-demand access to AWS’ most recent external security and compliance certifications.
How does it work?
Customers can review reports, align AWS controls to their own control frameworks, and use the reports to verify that AWS controls are operating effectively.
Global Certifications and Attestations provide:
• Documentation of controls relevant to specific AWS services
• Information regarding AWS policies, processes, and controls
• Validation that AWS controls are operating effectively
Customer Compliance Briefings
To provide additional insight into our controls, we also conduct deep dive sessions directly with customers.
10. Security & Continuity Support
Reduce infrastructure risk and increase confidence in your applications.
Security & Governance:
• Architecture Review increases reliability of existing and new applications
• AWS Trusted Advisor provides security and fault tolerance recommendations
• Technical Account Manager enables enterprise-grade response times
• Operations Support provides root-cause analysis and reporting
• Infrastructure Event Management provides real-time support for migrations and planned events
Foundational objectives: increased availability; enhanced data protection; rigorous access and identity management.
11. Deep Industry Expertise
AWS Global Financial Services
Our Financial Services team provides access to a range of resources.
• Best Practices: enablers to help customers address regulatory frameworks and maintain a compliance-ready environment.
• Training & Certification: industry-tailored technical and compliance training to accelerate cloud adoption.
• Professional Services: specialists with industry and technology experience that customers engage to define and implement a roadmap to compliance.
• AWS Partner Competency: global program comprising financial services technology and consulting companies that can help customers comply with different financial services industry regulations.
• Market Segment Expertise: resources include former regulators and compliance officers, security experts, and technology specialists with industry experience.
• Conferences & Affiliations: relationships with leading industry security and compliance groups like FS-ISAC.
12. Regulatory Engagement
We engage with regulators, both to guide and to communicate policy.
Ongoing engagement with regulators:
• Educate regulators to help examiners audit AWS environments
• Facilitate dialogue between the industry and its regulators
Influence policy and enforcement:
• Shape the regulatory landscape to reflect changes in technology
• Provide customers with the space and feedback channels they need to innovate
Assess and communicate policy:
• Country-by-country impact assessments to map how financial institutions need to operate
• Region- and country-specific compliance guides to document key policy changes and responses
• Regulatory policy evaluations to assess the potential impact of regulations
14. Evolving the Practice of Security Architecture
Security architecture can now be part of the “maker” team.
Evolved Security Architecture Practice:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
Tooling: AWS CodeCommit, AWS CodePipeline, Jenkins
15. AWS Cloud Adoption Framework
AWS has a prescriptive approach to adoption of cloud services.
The AWS Cloud Adoption Framework (AWS CAF) organizes guidance into six areas of focus, which span your entire organization.
• We describe each of these areas of focus as Perspectives.
• Perspectives each encompass distinct responsibilities owned by functionally related stakeholders.
Three Perspectives address Business Stakeholders:
• Business
• People
• Governance
Three Perspectives address Technology Stakeholders:
• Platform
• Security
• Operations
16. Governance in the Cloud
Customer risk appetite and desired control environment:
• Customers decide on the appropriate controls and processes to manage and monitor the effectiveness of their customized controls.
• Based on the customers’ controls, companies can identify and document controls operated by AWS.
17. Compliance / Security Tools & Services
Automating administrative tasks to support comprehensive governance.
• AWS Key Management Service (KMS): managed service to create and control encryption keys
• AWS Identity & Access Mgmt. (IAM): securely control access to AWS services and resources for your users
• Amazon Inspector: automated application security assessment service
• AWS Service Catalog & CloudFormation: AWS tools to manage approved services and golden environments across all accounts, lines of business, and user bases
• AWS Cloud Hardware Security Module (HSM): hardware-based key storage for regulatory compliance
• AWS Direct Connect: dedicated network connection between your network and one of the AWS Direct Connect locations
• AWS EC2 Systems Manager: fleet management for vulnerability scanning and patching
• AWS Shield: managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS
• Amazon Virtual Private Cloud (VPC): logically isolated section of the AWS cloud where you launch AWS resources in a virtual network that you define
• AWS Organizations: policy-based management for multiple AWS accounts
• AWS WAF: tool designed to filter malicious web traffic
• AWS Config & Config Rules: AWS resource inventory, configuration history, and configuration change notifications & preventive rules
18. Security by Design Automates Security Operations
Automate deployments, provisioning, and configurations.
• CloudFormation: Template → Stacks → Instances, Apps, Resources (design, package, deploy)
• Service Catalog: Products and Portfolios (constrain)
• Identity & Access Management: set permissions
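As an added example (not code from the presentation or from AWS), the preventive-control idea behind slides 14 and 18, a security architecture artifact committed to a repository and checked automatically before deployment, can be shown as a pipeline gate that reads a CloudFormation template and fails when it violates a control. The two controls (no ingress from anywhere on the admin port, every S3 bucket declares encryption), the control names SG-1 and S3-1, the admin port and the sample template are assumptions; a CodePipeline or Jenkins stage would run the script and stop the deploy stage on any finding.

```python
"""Preventive policy gate for CloudFormation templates.

Added example (not from the presentation): a pipeline step, of the kind a
CodePipeline or Jenkins stage could run, that reads a template committed to a
repository and rejects it before deployment when it violates two constructed
controls. The control names, the admin port and the sample template are
assumptions.
"""
import json

ADMIN_PORT = 22          # assumption: SSH is the admin port control SG-1 guards
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_covers_port(rule, port):
    """True if a security group ingress rule's port range includes `port`.

    CloudFormation allows FromPort/ToPort to be omitted or -1 (all traffic),
    which is the edge case that a naive equality check would miss."""
    from_port = rule.get("FromPort", -1)
    to_port = rule.get("ToPort", -1)
    if from_port == -1 or to_port == -1:
        return True
    return int(from_port) <= port <= int(to_port)


def check_security_groups(resources):
    """Control SG-1 (constructed): no ingress from anywhere on the admin port."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            open_to_world = (rule.get("CidrIp") == ANY_IPV4
                             or rule.get("CidrIpv6") == ANY_IPV6)
            if open_to_world and _rule_covers_port(rule, ADMIN_PORT):
                findings.append((name, "SG-1",
                                 f"ingress from anywhere on port {ADMIN_PORT}"))
    return findings


def check_bucket_encryption(resources):
    """Control S3-1 (constructed): every S3 bucket declares server-side encryption."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        if "BucketEncryption" not in res.get("Properties", {}):
            findings.append((name, "S3-1", "no BucketEncryption configured"))
    return findings


def evaluate_template(template_json):
    """Run all controls over a JSON template; returns (resource, control, reason) tuples.

    An empty list means the template may proceed to the deploy stage."""
    resources = json.loads(template_json).get("Resources", {})
    return check_security_groups(resources) + check_bucket_encryption(resources)


# Constructed sample template: one bucket compliant, one not; one security group
# open to the world on the admin port (the 443 rule is allowed by SG-1).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AuditLogs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        },
        "Scratch": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "BastionSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "bastion",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
})

if __name__ == "__main__":
    # A pipeline stage would exit non-zero when this list is not empty.
    for resource, control, reason in evaluate_template(SAMPLE_TEMPLATE):
        print(f"FAIL {control} {resource}: {reason}")
```

Because the findings carry the control identifier, the same output can be committed next to the template as the evidence the slide calls a "living audit/compliance artifact": the repository then holds both the design and the proof that it was checked.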
19. Three Lines of Defense using AWS Services
• Line 1 (Operations): AWS CloudTrail, Amazon CloudWatch, Amazon Inspector, Amazon SNS
• Line 2 (Supervisory): Config Rules, AWS Config, AWS CloudTrail, AWS Artifact, AWS KMS, AWS IAM, Amazon VPC, AWS Shield, AWS WAF, AWS CloudFormation, AWS Service Catalog, AWS Organizations
• Line 3 (Audit): Config Rules, AWS Trusted Advisor, Amazon SNS
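The detective side of the same loop, as an added example (not code from the presentation or from AWS): the evaluation logic of a Lambda-backed custom AWS Config rule of the kind slides 17 and 19 place in the supervisory and audit lines. It takes the configuration item AWS Config delivers on a change, decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and builds the notification a reviewer would receive through Amazon SNS. The controls (encrypted EBS volumes, required instance tags), the rule name and the sample configuration items are constructed; the put_evaluations and SNS publish calls a deployed rule would make are omitted so the module runs offline.

```python
"""Custom AWS Config rule evaluation, in the shape a Lambda-backed rule uses.

Added example (not from the presentation). It evaluates the configuration item
that AWS Config delivers on a change and produces the evaluation the rule would
report back, plus the notification a supervisory line would receive. The AWS
API calls (put_evaluations, SNS publish) are left out so the module runs
offline; the sample configuration items below are constructed.
"""
import json

REQUIRED_TAGS = ("Owner", "DataClassification")   # assumption: tags control TAG-1 demands


def evaluate_volume(cfg):
    """Control EBS-1 (constructed): volumes must be encrypted at rest."""
    if cfg.get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


def evaluate_instance_tags(tags):
    """Control TAG-1 (constructed): instances must carry ownership and classification tags."""
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
    return "COMPLIANT", "required tags present"


def evaluate_compliance(item):
    """Dispatch on resourceType; anything the rule does not cover is NOT_APPLICABLE,
    so unrelated resources never show up as failures in the audit line."""
    rtype = item.get("resourceType")
    if rtype == "AWS::EC2::Volume":
        return evaluate_volume(item.get("configuration", {}))
    if rtype == "AWS::EC2::Instance":
        return evaluate_instance_tags(item.get("tags", {}))
    return "NOT_APPLICABLE", f"rule does not cover {rtype}"


def lambda_handler(event, context=None):
    """Entry point for the rule. Returns the single evaluation it would report.

    A deployed version passes this dict to config.put_evaluations together with
    event["resultToken"]; that call is omitted here."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def build_notification(evaluation, rule_name):
    """Message the supervisory line receives (e.g. via SNS) for non-compliant results;
    compliant and not-applicable results produce no message."""
    if evaluation["ComplianceType"] != "NON_COMPLIANT":
        return None
    return {
        "Subject": f"[{rule_name}] NON_COMPLIANT {evaluation['ComplianceResourceId']}",
        "Message": json.dumps(evaluation, indent=2),
    }


def make_event(item):
    """Wrap a configuration item the way Config delivers it (constructed helper)."""
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "constructed-token"}


# Constructed sample configuration items: an unencrypted volume and an instance
# that is missing one of the two required tags.
SAMPLE_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
    "configurationItemCaptureTime": "2017-06-22T12:00:00.000Z",
    "configuration": {"encrypted": False, "size": 100}, "tags": {},
}
SAMPLE_INSTANCE = {
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example",
    "configurationItemCaptureTime": "2017-06-22T12:00:01.000Z",
    "configuration": {}, "tags": {"Owner": "payments-team"},
}

if __name__ == "__main__":
    for item in (SAMPLE_VOLUME, SAMPLE_INSTANCE):
        ev = lambda_handler(make_event(item))
        print(ev["ComplianceType"], ev["ComplianceResourceId"], ev["Annotation"])
        note = build_notification(ev, "fsi-baseline")
        if note:
            print(note["Subject"])
```

The split between the three lines is visible in the code: the handler is the operations-side detection, the evaluation it returns is what AWS Config records for the supervisory view, and the notification is what an audit reviewer subscribed to the SNS topic sees; the OrderingTimestamp lets Config keep that history in order.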
20. Financial Services Competency Partners
Specialized firms who have experience in migrating FSI to the cloud: Systems Integrators & Consultants; Financial Services Providers.
21. AWS Marketplace Security Partnerships
A comprehensive set of offerings across multiple areas of concern: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Mgmt; Data Protection.
22. Getting Started
Where to learn more about AWS’ security & compliance resources:
• Contact our Financial Services Security & Compliance Leaders
• View client testimonials at our Security & Compliance for Financial Services homepage: https://aws.amazon.com/financial-services/security-compliance/
• Consult the AWS Security & Compliance Quick Reference Guide: https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
• Explore the AWS Artifact portal: https://aws.amazon.com/artifact/
• View our webinar on automating compliance in the cloud: https://aws.amazon.com/financial-services/security-compliance/
• Learn more about our security & compliance accelerators: https://aws.amazon.com/quickstart/
awscompliance@amazon.com
23. Thank you
John McDonald, Global Financial Services Security & Compliance Architect for AWS
johnemcd@amazon.com