Shortcuts & Roadblocks Encountered on the path to protecting your data in the cloud
Simplify, Unify, Optimize
Life Science Compliance for Regulated Systems
Amazon Web Services: IaaS for Life Sciences
Agenda
• “One Slide” intro to Amazon Web Services
• AWS Security, Certifications, and Compliance
• Responsibility Models
• Roadblock #1 – Qualify The Cloud!
• Shortcut #1 – Qualify The Cloud!
• Roadblock #2 – Lock down The Cloud!
• Shortcut #2 – Lock down The Cloud!
• Data Integrity Concerns
• Conclusion
AWS Explained in a Slide …
Non-Technical Explanation: Amazon EC2, AWS Storage Gateway, Amazon S3, Amazon Glacier, Amazon RDS, Amazon Redshift, Amazon DynamoDB, AWS Direct Connect, Amazon VPC, AWS IAM, AWS IoT, Amazon Kinesis
Technical Explanation: Technobabble Nonsense
Certifications / Attestations:
• DoD SRG
• FedRAMP
• FIPS
• IRAP
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• MLPS Level 3
• MTCS
• PCI DSS Level 1
• SEC Rule 17-a-4(f)
• SOC 1
• SOC 2
• SOC 3
Laws, Regulations, and Privacy:
• CS Mark [Japan]
• DNB [Netherlands]
• EAR
• EU Model Clauses
• FERPA
• GLBA
• HIPAA
• HITECH
• IRS 1075
• ITAR
• My Number Act [Japan]
• U.K. DPA - 1988
• VPAT / Section 508
• EU Data Protection Directive
• Privacy Act [Australia]
• Privacy Act [New Zealand]
• PDPA - 2010 [Malaysia]
• PDPA – 2012 [Singapore]
Alignments / Frameworks:
• CJIS
• CLIA
• CMS EDGE
• CMSR
• CSA
• FDA
• FedRAMP TIC
• FISC
• FISMA
• G-Cloud
• GxP (FDA CFR 21 Part 11)
• IT Grundschutz
• MITA 3.0
• MPAA
• NERC
• NIST
• PHR
• UK Cyber Essentials
Adapted from https://aws.amazon.com/compliance/
Responsibility Models
Customer – responsible for security “in” the Cloud:
• Your Data
• Platform, Applications, I&AM
• Operating Systems, Network & Firewall Configuration
• Server-side Encryption (File System and/or Data)
• Client-side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption/Integrity/Identity)
AWS – responsible for security “of” the Cloud:
• Compute, Storage, Networking, Database
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Adapted from https://aws.amazon.com/compliance/shared-responsibility-model/
Roadblock #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model not understood
• Efforts to qualify low-level infrastructure ensue
• Policies incongruent with the service model are pushed
• Cycles wasted trying to absorb AWS’s declared responsibilities
Shortcut #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model is integrated into IT
• Policies are updated to allow distributed management
• Controls in place to govern Cloud Assets
• Definitions updated to allow for new CIs
• Maintain & Manage State of Control
Manage as independent assets
Business as usual
Roadblock #2 – Lock down The Cloud!
• Enact strict “no trust/deny all” security policy on Cloud assets
• Cloud assets are isolated from traditional/on-prem assets
• Islands of data pile up
• UID poses an issue/threat
Shortcut #2 – Lock down The Cloud!
• For Private/Internal Assets
• Protect/Preserve via VPC
• Use Security Zones or Subnets within VPC
• Lockdown & Audit assets per normal methods (business as usual)
Diagram: a virtual private cloud containing a VPC subnet (PROD LIMS) and a VPC subnet (DEV LIMS); corporate network users reach them over a VPN connection or AWS Direct Connect
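The zoning on this slide, modelled as a small deny-by-default allow-list evaluator plus the audit step the slide asks for. This is an added example, not code from the deck or from AWS: the CIDRs, ports and rules are constructed, nothing here calls the AWS API, and the PROD/DEV separation check is one plausible audit rule, not the deck's own procedure.

```python
"""Model of the "Shortcut #2" zone layout: PROD LIMS and DEV LIMS subnets
inside a VPC, reached by corporate users over VPN / Direct Connect.
Constructed example: addresses, ports and rules are invented for illustration
and nothing here talks to AWS."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan; the deck names the zones but gives no CIDRs.
ZONES = {
    "corporate network": ipaddress.ip_network("10.0.0.0/16"),  # on-prem, via VPN / Direct Connect
    "PROD LIMS subnet": ipaddress.ip_network("10.10.1.0/24"),
    "DEV LIMS subnet": ipaddress.ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One allow entry: connections from `source` may reach `dest_zone` on `port`."""
    source: str      # CIDR permitted to initiate the connection
    dest_zone: str   # zone the rule protects (a key of ZONES)
    port: int        # TCP port opened


# Allow-list only; any flow not matched below is denied ("no trust / deny all").
RULES = [
    Rule("10.0.0.0/16", "PROD LIMS subnet", 443),  # corporate users -> PROD LIMS web tier
    Rule("10.0.0.0/16", "DEV LIMS subnet", 443),   # corporate users -> DEV LIMS web tier
    Rule("10.0.0.0/16", "DEV LIMS subnet", 22),    # admin shell access to DEV only
]


def zone_of(ip: str):
    """Name of the zone containing `ip`, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int, rules=RULES) -> bool:
    """Deny-by-default evaluation: True only if some rule explicitly permits the flow."""
    dst_zone = zone_of(dst_ip)
    if dst_zone is None:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(
        r.dest_zone == dst_zone and r.port == port and src in ipaddress.ip_network(r.source)
        for r in rules
    )


def audit(rules) -> list:
    """Periodic audit ('lock down & audit per normal methods'): flag rules that
    break the zoning, such as internet-wide ingress or DEV reaching PROD."""
    findings = []
    dev = ZONES["DEV LIMS subnet"]
    for r in rules:
        src = ipaddress.ip_network(r.source)
        if src.prefixlen == 0:
            findings.append(f"{r.dest_zone} port {r.port} open to any address ({r.source})")
        elif r.dest_zone == "PROD LIMS subnet" and src.overlaps(dev):
            findings.append(f"DEV subnet may reach PROD LIMS on port {r.port} ({r.source})")
    return findings


if __name__ == "__main__":
    for src, dst, port in [("10.0.5.20", "10.10.1.10", 443),
                           ("10.10.2.5", "10.10.1.10", 443),
                           ("203.0.113.9", "10.10.1.10", 443)]:
        print(src, "->", dst, port, "allowed" if is_allowed(src, dst, port) else "denied")
    drift = RULES + [Rule("0.0.0.0/0", "PROD LIMS subnet", 443)]
    print(audit(drift))
```

The point of the `audit` function is the "business as usual" part of the slide: the same review you would run against on-prem firewall rules applies to the VPC rule set, and it catches the two drifts that usually appear once a proof of concept grows (a convenience rule opened to the world, and a DEV-to-PROD path added to "just test something").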
Data Integrity Concerns
• Be nimble, like Jack … but remember:
• POCs can unexpectedly gain momentum
• Fragmentation likely to occur
• Integrate IAM early, review & audit often
• Consider corporate directory integration mandatory
• Strategies for Data at Rest
Services pictured: AWS IAM, AWS CloudTrail, AWS Directory Service
Conclusion
• If your house is not in good order today:
  • It will be even worse in the cloud!
• Assess compliance gaps, perceived or real, before moving to Cloud
• Implement bridges to gaps; be Cloud-Aware when doing so
• Treat AWS as an extension to your Corporate Datacenter
  • It will be infinitely easier to manage
• Management of Cloud Assets should be the same as on-prem
  • Except when it isn’t! Plan specifically for Cloud management

PDA Presentation - MBodo

Editor's Notes

  • #7: When the Shared Responsibility Model is not understood, an organization tends to gravitate towards doing only what it knows today, which means it may carry policies or procedures that are incongruent with, or impractical to apply to, a cloud vendor such as Amazon. Lower-level infrastructure, such as the supporting utilities, physical security, logical security, physical infrastructure, attached storage, and so on, is now managed by the vendor, in this case AWS. Managing the system-level topology below what lies within the customer’s realm of responsibility is no longer a directly manageable activity. Attempts to convince or coerce a cloud vendor such as AWS will likely result in wasted time and effort, and lead to frustration with cloud vendors as a whole. At this point, I would strongly recommend relying upon the contractual agreement and obligations your organization has entered into with your cloud provider, and ensuring those obligations, at minimum, meet the requirements of your organization’s quality policy.
  • #10: When managing assets that are internal to the organization, such as an enterprise LIMS system, one would want to control and lock down those assets the same way traditional assets are managed. The large difference in this scenario is that the assets are hosted outside the corporate network. Here it is the VPN connection or AWS Direct Connect that needs to be configured so that data in motion is handled the same way it is handled between different geographical locations in corporate offices. The assumption is that the company will treat off-prem assets the same as on-prem assets. At the end of the day, in each area of the VPC you would want to apply the same logical restrictions to your assets running in the cloud as you would to those running on your corporate network; that is to say, you wouldn’t want to treat them much differently. External assets would need to be evaluated on a case-by-case basis, taking into account data criticality, operational risk, regulatory risk, and so on.
  • #11: Jack be nimble, Jack be quick, Jack provisioned a datacenter with just one click. Keep a keen eye on which projects your AWS infrastructure is supporting. Keep an eye on how many versions of the same solution are floating around; this avoids the discussion of “are my data CORRECT?”. Understand your IAM strategy and integrate IAM as quickly as possible. Dispel any attribution issues as early as possible. Scenario: data are being pushed via Kinesis Firehose into an S3 bucket and a Redshift table for real-time analysis of a manufacturing environment. You’d want to be certain that the data points you’re collecting can be properly attributed to the correct origin, that is, the correct data-generating device or person.
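One way to make the attribution in note #11 checkable, as an added example that is not part of the deck and not AWS code: each data point carries an HMAC keyed per device, and the ingestion step (wherever it sits in front of the S3 bucket and the Redshift table) verifies origin, integrity and freshness before the point is loaded. The device names, keys, timestamps and values are constructed; the per-device key registry and sequence counter are assumptions about how such a pipeline would be wired, not something the deck specifies.

```python
"""Constructed example for the Kinesis Firehose -> S3 / Redshift scenario in
note #11: each manufacturing data point carries an HMAC keyed per device, so
the ingestion step can verify origin (attribution) and integrity before the
point lands in the analytics store. Not AWS code; device names, keys and
records are invented."""
import hashlib
import hmac
import json

# Constructed per-device secrets. In a real deployment these live in a key
# store / device provisioning system, never in source code.
DEVICE_KEYS = {
    "reactor-07-temp": b"constructed-key-reactor-07",
    "filler-02-weigh": b"constructed-key-filler-02",
}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so sender and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_point(device_id: str, seq: int, ts: str, value: float, key: bytes) -> dict:
    """What the device (or its edge gateway) emits: the record plus its MAC."""
    record = {"device_id": device_id, "seq": seq, "ts": ts, "value": value}
    record["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


class Verifier:
    """Ingestion-side check run before a point is written to S3 / Redshift."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # per-device high-water mark; rejects replays and duplicates

    def check(self, point: dict):
        """Return (accepted, reason). Order matters: identity, then integrity,
        then freshness, so a forged point never advances the sequence."""
        device = point.get("device_id")
        key = self.keys.get(device)
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in point.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(point.get("mac", ""))):
            return False, "bad mac"
        if point["seq"] <= self.last_seq.get(device, -1):
            return False, "replayed or out-of-order"
        self.last_seq[device] = point["seq"]
        return True, "ok"


def ingest(points, verifier: Verifier):
    """Split a batch into rows safe to load and rejections worth alerting on."""
    accepted, rejected = [], []
    for p in points:
        ok, reason = verifier.check(p)
        if ok:
            accepted.append(p)
        else:
            rejected.append((p.get("device_id"), p.get("seq"), reason))
    return accepted, rejected


def sample_batch():
    """Constructed batch: two genuine points, one tampered, one from an
    unregistered device, and one genuine point re-sent."""
    k = DEVICE_KEYS
    good1 = sign_point("reactor-07-temp", 1, "2024-03-01T08:00:00Z", 71.5, k["reactor-07-temp"])
    good2 = sign_point("filler-02-weigh", 9, "2024-03-01T08:00:01Z", 0.502, k["filler-02-weigh"])
    tampered = dict(good1, value=99.9)        # value altered in transit, MAC no longer matches
    unknown = sign_point("rogue-sensor", 2, "2024-03-01T08:00:02Z", 70.0, b"not-a-registered-key")
    replayed = dict(good1)                    # genuine bytes delivered a second time
    return [good1, good2, tampered, unknown, replayed]


if __name__ == "__main__":
    accepted, rejected = ingest(sample_batch(), Verifier(DEVICE_KEYS))
    print(len(accepted), "accepted;", rejected)
```

The rejected tuples are what you would route to CloudTrail-style audit logging or an alert rather than silently drop: a run of "bad mac" from one device is a data-integrity incident, and "unknown device" is exactly the attribution gap the note warns about surfacing late.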