AWS Compliance, Governance and Security

AWS Compliance, Governance and Security

AWS compliance and security have become reasons for companies to move to the cloud versus avoid it (e.g., AWS is secure enough for the CIA). Accordingly, AWS has continued to add new and improve existing services to help customers maintain security, governance and compliance of their cloud resources on its platform. When customers leverage AWS, compliance responsibilities are shared. AWS is responsible for ensuring compliance of its infrastructure. Customers are responsible for ensuring compliance of anything placed on top of it.

To help customers improve compliance, governance and security, AWS introduced three new services at re:Invent 2014 this week. Since first class compliance and security starts with encryption, AWS Key Management Service (KMS) was introduced. KMS is a managed service to create and control the encryption keys used to protect and secure data. KMS uses hardware security modules to secure the keys. KMS is also integrated into AWS CloudTrail to provide visibility into encryption key management and rotation. AWS Key Managed Services is currently available.

Because good governance also requires visibility into an organization’s cloud resources and configurations, AWS Config was announced to the market. AWS Config is a fully managed service that provides companies with visibility into their AWS resources, as well as their AWS configurations. AWS Config also enables customers to audit and troubleshoot any changes that have been made to their AWS environment, including configurations, via CloudTrail. AWS Config is currently available to customers as a preview.

Standardized product delivery is also part of good governance. Thus, AWS Service Catalog was introduced. The AWS Service Catalog enables users to discover and provision applications and/or resources in AWS through a personalized web portal. Users can easily browse and launch approved products from the service catalog created. Companies can also control what users have access to what AWS applications and resources to ensure compliance with the organization’s business practices. The AWS Service Catalog will be available to customers in early 2015.

Below are the other independent, third-party controls, policies and processes available on/used by AWS. They include:

1 – Cloud Security Alliance (CSA)
Questionnaire to document and reference what security controls exist within AWS.

2 – Federal Information Processing Standard (FIPS) 140-2
U.S. government security standard for cryptographic modules protecting sensitive data.

3 – Federal Risk and Authorization Management Program (FedRAMP)
Security requirements for cloud services provided to U.S. federal agencies.

4 – Federal Information Security Management Act (FISMA)
Framework to protect U.S. government assets, information and operations against man-made or natural threats.

5 – Health Insurance Portability and Accountability Act (HIPAA)
Requirements to maintain, process and store protected health information.

6 – International Organization for Standardization (ISO) 27001
Requirements for managing company and customer information based on real or perceived risks and threats.

7 – International Traffic in Arms Regulations (ITAR)
Restricted access of protected data to U.S. persons and restricted physical location of that data to the U.S.

8 – Motion Picture Association of America (MPAA)
Best practices for securely delivering, processing and storing protected content and media.

9 – Payment Card Industry (PCI) Data Security Standard (DSS) Level 1
Requirements for processing, storing and transmitting credit card information in the cloud.

10 – Service Organization Controls (SOC) 1
Service organization’s controls over financial reporting.

11 – Service Organization Controls (SOC) 2
Service organization’s controls over availability, confidentiality, processing, privacy and security.

12 – Service Organization Controls (SOC) 3
Report on if organization achieved the trusted services criteria (does not include auditor’s controls/tests like SOC 2).

All contents copyright © 2014, Josh Lowry. All rights reserved.


One Response to AWS Compliance, Governance and Security

  1. Mark Kousons says:

    Can you write a more in-depth post on this subject?


Leave Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: