The document discusses applying the NIST 800-53 high impact controls on AWS for GDPR compliance. It describes how AWS and third-party security tools like Trend Micro can help customers automate compliance with these controls by leveraging AWS services for identity and access management, logging, networking, and security tools for intrusion prevention, firewalls, and more. An AWS CloudFormation template called the Enterprise Accelerator provides an automated reference deployment of Trend Micro with AWS to help customers meet key NIST controls and simplify GDPR compliance efforts.
13. AWS Identity & Access Management (IAM)
What is configured?
Base security, IAM and access configuration for the AWS account
Why?
• Manage user access
• Programmatically implement controls for machines, roles, groups, data access
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity
14. AWS CloudTrail
What is configured?
Define S3 bucket, versioning enabled, capture all events
Why?
• Automated audit of infrastructure and change management
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
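The CloudTrail slide names the target state in three phrases (dedicated S3 bucket, versioning enabled, capture all events) without saying how to verify it. The following is an added example, not code from the deck or from the Enterprise Accelerator template: a check that turns those phrases into explicit findings. The input dicts are constructed to mirror the shape of the boto3 `describe_trails` entry (with `IsLogging` taken from `get_trail_status`) and the `get_bucket_versioning` response, so it runs offline; trail, bucket and account values are placeholders.

```python
"""Check a CloudTrail trail and its log bucket against the configuration the
slide describes: a dedicated S3 bucket with versioning enabled and a trail
that captures all events.

Added example, not code from the slide deck. The input dicts are constructed
to mirror boto3 `describe_trails` / `get_trail_status` / `get_bucket_versioning`
output; names and the account id are placeholders.
"""

from typing import Any, Dict, List


def audit_trail(trail: Dict[str, Any], bucket_versioning: Dict[str, Any]) -> List[str]:
    """Return findings for settings that fall short of the slide's target state.

    An empty list means the trail and bucket match: logging on, all regions and
    global service events captured, log files validated, events forwarded to
    CloudWatch Logs so alarms can fire, and versioning on the bucket so delivered
    logs cannot be silently overwritten or deleted.
    """
    findings: List[str] = []
    if not trail.get("IsLogging"):
        findings.append("logging is stopped: no events are being recorded")
    if not trail.get("S3BucketName"):
        findings.append("no S3 bucket configured: events are not delivered anywhere")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: API calls in other regions are not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) are not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off: tampering with delivered logs is not detectable")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("not forwarding to CloudWatch Logs: metric-filter alarms cannot fire")
    if bucket_versioning.get("Status") != "Enabled":
        findings.append("bucket versioning not enabled: overwritten or deleted log objects are unrecoverable")
    return findings


# Constructed sample: a minimally configured trail, before the slide's settings are applied.
WEAK_TRAIL = {
    "Name": "example-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsLogging": True,
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": False,
    "LogFileValidationEnabled": False,
}
# get_bucket_versioning returns no "Status" key when versioning was never enabled.
WEAK_BUCKET_VERSIONING: Dict[str, Any] = {}

# Constructed sample: the same trail after applying the slide's configuration.
HARDENED_TRAIL = {
    "Name": "example-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsLogging": True,
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111122223333:log-group:example-cloudtrail:*",
}
HARDENED_BUCKET_VERSIONING = {"Status": "Enabled"}


if __name__ == "__main__":
    for label, trail, versioning in (
        ("before", WEAK_TRAIL, WEAK_BUCKET_VERSIONING),
        ("after", HARDENED_TRAIL, HARDENED_BUCKET_VERSIONING),
    ):
        found = audit_trail(trail, versioning)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run against the weak sample the check reports five findings; against the hardened sample it reports none. Each finding is phrased as the audit consequence (what would go unrecorded or undetectable), which is the wording an auditor mapping the Audit & Accountability family will ask for.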
16. Amazon SNS, AWS CloudWatch
What is configured?
Security alarms and notifications
Why?
• Automated exception notification and configurable alarms
• Triggering incident response
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
17. VPC, NACL, Security Groups
What is configured?
Provides networking configuration for a standard management VPC, enforces traffic with NACL
Why?
• Programmatic delivery of network infrastructure and access controls
Control Families
• Access Control
23. Management and Visibility
What is configured?
Deploys Deep Security Manager to AWS
Why?
• Visibility of EC2 resources
• Single console with integrated threat information
Applicable Controls
• Access Control
• Audit & Accountability
• Incident Response
• Risk Assessment
• System & Communications Protection
• System & Information Integrity
24. File Controls
What is configured?
Anti-Malware, Integrity Monitoring, Log Inspection, Application Control
Why?
• Discover and block malicious code
• Monitor files for changes
• Inspect existing logs for indications of unusual activity
Applicable Controls
• Audit & Accountability
• Configuration Management
• System & Information Integrity
Applicable Controls
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• System & Information Integrity
25. Network Controls
What is configured?
Intrusion detection & prevention, Firewall
Why?
• Add additional stateful controls to enhance security groups and NACLs
• Add layer 7 visibility and inspection
Applicable Controls
• Security Assessment & Authorization
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity
The speed of change in the data center with virtualization and cloud is unrelenting.
Cloud Applications & Infrastructures have multiplied at an exponential rate.
There is now a change in semantics – users are asking “What CANNOT be put in the Cloud?” instead of “What CAN we put in the Cloud?” – cloud seems to be the platform of choice and the numbers reflect this change.
IDC forecasts that cloud spend will reach $160bn globally by the end of 2018 – with around $24bn in Western Europe alone.
Happy Days – Right!
With Cloud we get:
Operational Cost Saving
24x7 Service – improving uptime / reliability of IT
Flexibility of Delivery
Scalability
Increasing Speed of Access to New Technology
Low Cost of Adoption
No need to worry – no longer our Problem?
COMPLIANCE & REGULATION
It doesn’t matter where or how you deliver the application or service – if you are in a regulated environment or handling PII data you must comply with the regulations.
There has been a lot of discussion about whether organisations that have to comply with these regulations can use the cloud and still be compliant – the simple answer is YES.
But the challenge with most mandates is INTERPRETATION – not just by the company it applies to but also by the certifying body – being able to translate what auditors ask for and map it to controls can be difficult when operating in a cloud / hybrid environment.
GDPR is coming in 2018 and will affect any organisation in Europe handling PII – get ahead of this mandate now and review it against your cloud policies to understand the shortfall.
GDPR is meant to protect the privacy and personal data of end users and is less about cybersecurity and hacking.
The shared responsibility model puts the responsibility for managing data privacy and usage squarely in the domain of the customer.
GDPR does not offer a manual for compliance, only general guidelines – these are written in legal terms rather than technological ones, making it challenging to know exactly what needs to be done in order to be compliant.
What are appropriate measures?
What is an effective manner?
And who decides what the necessary safeguards are? This is open to interpretation,
but there are some basic things you can start to look at:
Access restrictions
Encryption
Monitoring & Logging
Minimal Footprint
Prevention & Detection
NIST guidelines adopt a multi-tiered approach to risk management through control compliance
The 800-53 guidelines were created to heighten the security of the information systems used within the federal government
It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure
The controls are broken into 3 classes based on impact – low, moderate, and high – and split into 18 different families
Alarms and triggering incident response:
• Unauthorized access
• Changes to security groups
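The SNS/CloudWatch slide (16) promises automated exception notification, and the notes above name the two alarm triggers: unauthorized access and changes to security groups. The following is an added example, not code from the deck: the detection logic for those two alarms, evaluated over CloudTrail records, with the CloudWatch Logs metric-filter pattern that expresses the same test given as a comment above each rule. The log lines are constructed samples in the CloudTrail record layout (one JSON object per line, as delivered to a CloudWatch Logs group); account id, user names and IP addresses are placeholders.

```python
"""Detection rules for the two alarms the notes name, unauthorized access and
changes to security groups, evaluated over CloudTrail records.

Added example, not code from the slide deck. The records below are constructed
samples; account id, user names and addresses are placeholders.
"""

import json
from collections import Counter
from typing import Any, Dict, Iterable, List


# Metric filter equivalent on the trail's log group:
#   { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def is_unauthorized_call(record: Dict[str, Any]) -> bool:
    """True for API calls that IAM refused (EC2 reports Client.UnauthorizedOperation,
    most other services report AccessDenied)."""
    code = record.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# Metric filter equivalent on the trail's log group:
#   { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress)
#     || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)
#     || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
SECURITY_GROUP_EVENTS = frozenset({
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
})


def is_security_group_change(record: Dict[str, Any]) -> bool:
    """True for any attempt to create, delete or edit a security group, whether or
    not the call succeeded; failed attempts are still worth a look."""
    return record.get("eventName") in SECURITY_GROUP_EVENTS


RULES = {
    "UnauthorizedAPICalls": is_unauthorized_call,
    "SecurityGroupChanges": is_security_group_change,
}


def evaluate(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Apply every rule to every record; return one alert per match carrying the
    fields an incident responder needs first: who, what, from where, when."""
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        record = json.loads(line)
        for rule_name, rule in RULES.items():
            if rule(record):
                alerts.append({
                    "rule": rule_name,
                    "eventTime": record.get("eventTime", ""),
                    "eventName": record.get("eventName", ""),
                    "principal": record.get("userIdentity", {}).get("arn", "unknown"),
                    "sourceIPAddress": record.get("sourceIPAddress", ""),
                    "errorCode": record.get("errorCode", ""),
                })
    return alerts


def alarm_states(alerts: List[Dict[str, str]], threshold: int = 1) -> Dict[str, bool]:
    """Mirror the CloudWatch alarm step: a rule is in ALARM when its match count
    over the evaluation period reaches the threshold (one match is enough here)."""
    counts = Counter(alert["rule"] for alert in alerts)
    return {name: counts[name] >= threshold for name in RULES}


# Constructed sample log lines, not real CloudTrail output.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2018-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}),
    json.dumps({"eventTime": "2018-03-01T09:02:10Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
                "errorCode": "Client.UnauthorizedOperation",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}),
    json.dumps({"eventTime": "2018-03-01T09:05:41Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}),
    json.dumps({"eventTime": "2018-03-01T09:06:03Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
                "errorCode": "AccessDenied",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}),
    json.dumps({"eventTime": "2018-03-01T09:07:30Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DeleteSecurityGroup", "sourceIPAddress": "203.0.113.7",
                "errorCode": "Client.UnauthorizedOperation",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}),
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG_LINES)
    for alert in found:
        print(alert)
    print(alarm_states(found))
```

On the sample the console login produces nothing, the two refused calls and the refused DeleteSecurityGroup each raise an unauthorized-call alert, and the two security group events raise a change alert, so both rules end up in ALARM. In AWS the same wiring is a metric filter on the trail's CloudWatch Logs group feeding a metric, a CloudWatch alarm on that metric with a threshold of 1 over the evaluation period, and an SNS topic as the alarm action; that topic is the "automated exception notification" the slide refers to, and it is where the incident response trigger hangs.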
[Diagram cell text recovered from the slide notes: Amazon EC2 Instances, Availability Zones, Amazon RDS Databases, and Auto Scaling; Elastic Load Balancing load balancers, Amazon S3 Bucket Policies, Security Groups, Amazon SNS, Amazon SQS, Amazon CloudWatch; … and AWS Service Catalog constraints]