This session covers the shared responsibility model for security and compliance specific to the AWS GovCloud (US) region. This presentation highlights the enhanced security offerings of AWS GovCloud (US), such as FIPS-140 Level 2 encryption, as well as the supported compliance regimes. It also reviews how our customers can build secure applications in GovCloud using the various security features such as IAM and VPC. This presentation also offers a brief overview of FedRAMP, explains the shared responsibility model through customer use cases, and covers how customers can obtain an Authority to Operate.
2. AWS GovCloud (US)
• The AWS Government Community Cloud for vetted U.S. Government and U.S. commercial entities with ties to U.S. Government functions and services
• Built with U.S. government customers in mind and appropriate for:
– U.S. Government agencies – US Federal, state and local entities
– U.S. Government contractors, systems integrators, and FFRDCs
– U.S. Companies with IT regulatory requirements
• Designed to allow U.S. government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
– Appropriate for Controlled Unclassified Information (CUI) or Unclassified data and workloads
3. AWS GovCloud (US)
• Data stays in CONUS
– Region located in the Pacific Northwest
• Only approved AWS U.S. Persons have access to restricted areas, networks, and systems for administration
• AWS managed account provisioning; each potential customer is vetted to ensure they are a U.S. entity and not prohibited or restricted from exporting or from providing services by the U.S. government
• Data, Network and Machine Isolation
– Mandatory virtual private cloud (Amazon VPC) segregation for all customers, which offers an additional layer of isolation and protection
– Separate, isolated credentials database (AWS IAM)
– FIPS 140-2 hardware for endpoints and VPN
4. FedRAMP Overview
• FedRAMP Overview
• AWS FedRAMP Program
• Shared Responsibility Model & Achieving Compliance with AWS
5. FedRAMP Overview
• OMB mandated FedRAMP compliance for government agencies using CSPs
• Government-wide program standardizing CSP security assessments
• Four approaches for CSPs to demonstrate compliance supporting agency needs
• All FedRAMP package types in the FedRAMP repository can be leveraged by USG agencies
6. AWS’ FedRAMP Program
• Agency ATOs (2) granted by HHS May ’13 covering:
– US East/West and GovCloud (US) Regions
– EC2, S3, EBS, VPC, and IAM services (more on the way!)
– Reviewed by HHS, CDC, NIH, & FDA
– FedRAMP-accredited 3PAO assessed AWS against all 297 Moderate FedRAMP controls
• Subsequent federal agency ATOs granted based on AWS FedRAMP packages
– Our Agency ATOs can be leveraged by any customer
7. AWS’ FedRAMP Program
• Request AWS FedRAMP package via FedRAMP PMO or directly from AWS
• So how do you achieve compliance using the AWS FedRAMP package?
8. Security is a Shared Responsibility
Managed by Customer (Compliance in the Cloud): Optimized Network/OS/App Controls; Service-specific Controls
Managed by AWS (Compliance of the Cloud): Cross-service Controls; Cloud Service Provider Controls
9. Security is a Shared Responsibility
Managed by Customer
• Customers implement their own set of controls (shared controls)
• Customers document their implementation of controls in SSP
• Customers conduct 3PAO assessment
• Multiple customers with Low/Mod ATOs
• Customers tell us High ATOs possible
Layers: Customer Data; Users and Roles; Account Management; Applications; Firewalls; Network Configuration; Guest Operating System
Managed by AWS
• Payment Card Industry (PCI) Data Security Standard Level 1
• NIST 800-53 Controls & multiple ATOs; FedRAMP
• DoD Compliant Controls and multiple DIACAP ATOs
• SSAE 16 Types 1 & 2 (SAS 70)
• ISO 27001/2 Certification
• HIPAA and ITAR Compliant
Layers: Virtualization Layer; Compute Infrastructure; Storage Infrastructure; Network Infrastructure; Facilities Physical Security; AWS Global Infrastructure
11. HHS Use Case: Agency FedRAMP ATO Experience
Office of the Chief Information Officer, U.S. Department of Health and Human Services
Jennifer Gray
12. Key Drivers
• HHS Cloud Strategy
• FedRAMP Policy Memo (OMB Policy Memo, December 8, 2011)
• Existing HHS Cloud Systems using AWS environment
• HHS FedRAMP Standard Operating Procedures
13. Build Effective Team
• OCIO Senior Leadership
• HHS OIS Cloud Security Team
• Operational Divisions (FDA, NIH, CDC, OS)
• FedRAMP Program Management Office
• Amazon Web Services (AWS) Risk & Compliance Team
• 3PAO (Veris Group)
Team diagram: FDA, FedRAMP PMO, NIH, HHS OIS Cloud Security Team, AWS (CSP), CDC
14. HHS FedRAMP Security Authorization Process
• Agency-wide FedRAMP Standard Operating Procedures
• Released through the HHS CISO
• Defines how HHS will authorize cloud services to ensure they meet FedRAMP requirements
16. AWS Achieves HHS FedRAMP ATO
• FedRAMP Complete - May 20, 2013
• Worked with HHS FedRAMP Team to ensure standard process aligns with FedRAMP PMO expectations
• Consistent with FedRAMP CONOPs
• Includes details about initial documentation as well as periodic updates
17. Key Lessons Learned
• Senior Management Sponsorship
• Merge FedRAMP process into existing security assessment and authorization processes
• Ensure all security artifacts are provided at least one week prior to reviews
• Develop full project schedule with all key stakeholders in advance
• Develop FAQ post ATO
• Collect resource metrics for future planning
21. Why Cloud Computing?
Increased demand for IT. Cloud computing promised:
• Additional, powerful options for IT
• Increased compute and storage capability
• Faster speed to market
• Lowering unit IT costs
• One size does not have to fit all
• Computing as secure as we have today
• Needed ITAR-certified cloud computing
27. … but ITAR approval took a while, producing separate ATOs for FISMA Moderate and ITAR
28. AWS GovCloud ATO (US Persons Only)
Accountable (CIO)
Letter of intent and compliance by JPL IT CTO
Concurrence by JPL IT Security and Infrastructure
Concurrence by NASA OCIO
Concurrence by Caltech Audit
Concurrence by NASA Office of Inspector General
Concurrence by JPL and NASA Export Control Office
Concurrence by Caltech/JPL Legal
Concurrence by additional key stakeholders
Adheres to JPL’s standard Policies and Procedures
31. AWS GovCloud Use Cases So Far
Radar Processing (large scale)
Virtual Workshops
Big Data analytics of JPL sensitive data
Storage and processing of Mars Exploration Rovers data
Rapid prototyping when some data is sensitive
User: “If it can handle ITAR, I don’t have to separate the data, so I’ll get started now”
Cyber Security: “I can use my normal tools”
JPL wants Glacier next
32. Amazon Glacier Total Cost Comparison
DR Use Case: Storage and Retrieval Costs Over 10 Years (chart of total costs in $ against Storage Years 1 through 10, with series for Glacier, S3, SDSC, JPL Private Cloud, and Denver total costs)