PUBLIC SECTOR SUMMIT
Washington DC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accreditation of Commercial Software – Myths and Methods
Toby Zellers
Controlled Region Partner Manager
AWS WWPS ISV Enablement
Tim Sandage
Sr. Security Partner Strategist
AWS WWPS ISV Enablement
Session ID 308967
Government Accreditation
Agenda
Short History of Government Accreditation
Customer Requirements
Security & Accreditation Myths
Resources
A secure system is one that does what it is supposed to
- Gene Spafford
Ancient History
The Rainbow Series
(1980s and 1990s)
More Recent History
Security is always excessive until it's not enough
- Robbie Sinclair
Compliance Mandates: Government Agencies
Government - FISMA
o Risk Management Framework
DoD – formerly DITSCAP/DIACAP
o Now - Risk Management Framework
US Intelligence
o ICD-503
Compliance Mandates: Technology Firms and ISVs
Federal Risk and Authorization Management Program (FedRAMP) – High, Moderate, Low
DISA Cloud Computing and Security Requirements Guide (SRG) – IL2, IL4, IL5, IL6
More Public Sector Compliance Frameworks:
o Criminal Justice Information Services Division (CJIS)
o Defense Federal Acquisition Regulations Supplement (DFARS)
o Internal Revenue Service Publication 1075 (IRS Pub 1075)
o Payment Card Industry Data Security Standard (PCI-DSS)
o Health Insurance Portability and Accountability Act (HIPAA)
o Health Information Trust Alliance (HITRUST)
In God we trust. All others, we virus scan
Cyber Security Myths
o Passwords make us secure…
o We virus check and vulnerability scan, so we are safe…
o We can wait until the end of the development cycle to meet with the accreditor…
o You can trust any reputable source… “especially Open Source”
o All AWS Services in every region are accredited…
o My data is backed up, so we are good…
o When in doubt, penetration test…
Cyber Security
o Penetration testing is just one tool
o Promote best practices for security
o Consider AWS Well-Architected
o Involve the security team
o Available vs accredited vs approved
o Backup is practice, restore is show
FedRAMP Myths
ATO (Authorization to Operate) and Sponsors:
o I can, and should, attain a FedRAMP/DoD ATO before I have secured customers that require it.
o The sponsoring agency accepts the risk of the system/cloud service for the entire government.
o A Joint Authorization Board (JAB) ATO means any federal or DoD agency/organization can use my workload/system immediately.
o FedRAMP applies to state and local government, education, or nonprofit.
FedRAMP Myths
Amazon Linux:
o We can use Amazon Linux for any federal workload.
Pen testing
External Services and Data:
o I cannot connect my AWS FedRAMP-authorized boundary to non-authorized FedRAMP external service providers.
o I can use AWS services in AWS US East/West or AWS GovCloud (US).
FedRAMP Myths
FIPS Encryption:
o I can get a FedRAMP ATO without my encryption being FIPS 140-2 Validated.
o FIPS 140-2 compliant cryptography satisfies FedRAMP and DoD encryption controls.
Showstoppers:
o FedRAMP has some frequent criteria that are considered to be showstoppers if they are not met.
FedRAMP
o ATO and the Sponsor process
o FIPS 140-2 Validated encryption vs. FIPS Compliant encryption
o Amazon Linux
o External Services and AWS Services
o FedRAMP Showstoppers
https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf
https://aws.amazon.com/compliance/services-in-scope/
AWS GovCloud (US) Myths
AWS GovCloud (US) Overview
o Deploy in AWS GovCloud (US) = Automatic FedRAMP, ITAR, DOD SRG, DFARS, and CJIS Accreditation
o IRS 1075 workloads can “ONLY” be authorized in AWS GovCloud (US).
o To get FedRAMP, you need to be in AWS GovCloud (US).
AWS GovCloud (US)
o Automatic FedRAMP, ITAR, DOD SRG, DFARS, and CJIS Accreditation
o IRS 1075 workloads
o To get FedRAMP, you need to be in AWS GovCloud (US)
DISA Myths
DoD Provisional Authority (PA) and Sponsors:
o DoD Defense Security/Cybersecurity Authorization Working Group (DSAWG) is the same as the FedRAMP JAB.
o Achieving a DISA IL4/IL5 PA is a long process.
o DISA will give me IL2 reciprocity once I achieve my FedRAMP Moderate ATO.
DISA Myths
DoD citizenship requirements:
o DoD requires the same personnel requirements as FedRAMP
DoD Showstoppers:
o DoD has some frequent criteria that are considered to be showstoppers if they are not met
DISA
o DoD and FedRAMP Moderate reciprocity
o DoD personnel requirements
o DoD showstoppers
DoD SRG
DISA: Path to DoD Impact Level Provisional Authorization
CSP has FedRAMP JAB P-ATO
o CSP has achieved a FedRAMP JAB P-ATO which can be leveraged for reciprocity.
o Easiest route to get DoD PA as the CSP is engaged in continuous monitoring through FedRAMP and has satisfied the FedRAMP baseline controls.
CSP has FedRAMP Non-DoD Agency P-ATO
o CSP has achieved a FedRAMP P-ATO with a non-DoD agency.
o A 3PAO is required to review the agency FedRAMP Baseline and ensure the security controls have been satisfied for reciprocity.
o Slightly more difficult due to the DoD not validating the FedRAMP baseline and the responsibility of continuous monitoring must be negotiated between the DoD and the FedRAMP agency Sponsor.
DoD assessed PA
o The 3PAO will work with a DoD authorized assessment organization to perform the assessment of the CSP hand-in-hand.
o The FedRAMP Baseline and the DoD Impact Level overlays are required to be assessed.
o Most difficult route to take by a CSP as the FedRAMP baseline has not been previously assessed or authorized. Also, it requires the DoD sponsor to take responsibility for all continuous monitoring duties.
US Intelligence Community Myths
o C2S is a cloud... C2S is a Region…
o The government has firewalls between their classified networks and the Internet
o All IC Agencies use the same Linux baseline
o My product needs an ICD-503 ATO (just like a FedRAMP ATO)
o Our product is used in production at Agency XYZ in the C2S Top Secret Region, so we are approved everywhere, right?
AWS & IC Marketplace Myths
o Rules for AWS Marketplace for AWS GovCloud (US) and IC Marketplace are the same
o I need FedRAMP to be in
  o IC Marketplace
  o AWS GovCloud (US) Marketplace
o My company has a DoD Facility Clearance, so we will automatically be approved to Publish in the IC Marketplace
o ICD-503 Accreditation is a pre-requisite for IC Marketplace
C2S and IC Marketplace
o C2S is a contract available to the IC
o Title 50 of US Code defines the US IC
o Each government agency has their own approval authority
o Like FedRAMP and DoD SRG, ICD-503 is based on NIST SP800-53 controls
o Ping icmp@amazon.com for details on IC Marketplace
Other DoD Security Myths
o A classified application shared by NCIS in collaboration with agency XYZ (part of the Intel community) needs to be compliant under: CJIS + ICD-503 + DoD SRG?
o Our Agency can’t use AWS GovCloud (US) because we have users who are deployed OCONUS
CIS Benchmarks and Hardened Amazon Machine Images
Benchmarks:
o Anyone can use CIS Benchmarks for consulting or their organization’s commercially-available tools.
o The easiest way to harden a virtual machine image is to configure it myself, or there is no easy way to secure an OS in the cloud.
Secure Architectures:
o Security baselines are set by AWS in a customer account.
CIS Benchmarks and Hardened Amazon Machine Images
o In order to use the CIS Benchmarks commercially, you must be a CIS SecureSuite Member
o CIS Hardened Images are preconfigured to the security recommendations of the CIS Benchmarks
o The CIS AWS Foundations Benchmark helps you address security and compliance considerations by building foundational security into your account and monitoring critical resources
The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards
- Gene Spafford
Best URLs Ever!
AWS Government
https://aws.amazon.com/government-education/government
Compliance
https://aws.amazon.com/compliance
AWS GovCloud (US)
https://aws.amazon.com/govcloud-us
AWS Marketplace
https://aws.amazon.com/marketplace
AWS Whitepapers
Introduction to AWS Security & Security Processes
AWS Security Best Practices
AWS Well-Architected Framework: Security Pillar
Cloud Adoption Framework: Security Perspective
Overviews of AWS Security (6)
Securing Data at Rest with Encryption
Security at Scale
- Governance in AWS
- Logging in AWS
https://aws.amazon.com/security/security-resources/
NIST Cyber Security Framework
Mapping of NIST CSF to AWS Services and Features
Describes whether a concern is addressed by AWS or the Customer
https://aws.amazon.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
Handy Email Aliases
AWS GovCloud Business Development
govcloud-bd@amazon.com
AWS GovCloud Marketplace
govcloudmp@amazon.com
IC Marketplace
icmp@amazon.com
ATO on AWS
ATOonAWS@amazon.com
Worldwide Public Sector Emerging Partner Team
aws-wwps-emerging-pdr@amazon.com
re:Inforce
https://reinforce.awsevents.com/
Related breakout sessions
295436 – Authority to Operate on AWS: Compliance as Code
Ted Steffan and Tim Sandage/AWS
299937 – Security & Identity: the Continuous Mitigation & Diagnostic Journey on AWS
Darren House/AWS and John Nemoto/CGI Federal
Related breakout sessions
316557 – Achieve Compliance with Security by Default and by Design
Andrew Plato/Anitian and Ignacio Martinez/Smartsheet
317684 – Hyperscale Security Data for Continuous Risk Monitoring
Stephen Horvath and Amit Patel/Telos
302828 – Accelerate ATO & Simplify Compliance Through Automation
Josh Hammer/AWS and Scott Horton/Palo Alto Networks
Related breakout sessions
295507 – AWS Secret Region – Lessons Learned or DevSecOps
Tyler Hayley/Joint Special Operations Command
302830 – Beyond Security Automation: How to Move Past Developing Ad-hoc Tools and Make Tools that Develop Automatically
Brad Dispensa/AWS
316600 – Container Security and Avoiding the 2am Call
Len Henry and Ramesh Jetty/AWS
Thank you!
Toby Zellers & Tim Sandage
zellerst@amazon.com
sandaget@amazon.com
There is no such thing as perfect security, only varying levels of insecurity
- Salman Rushdie
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Accreditation of Commercial Software, Myths and Methods

  • 1. PUBLIC SECTOR SUMMIT, Washington DC
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Accreditation of Commercial Software – Myths and Methods. Toby Zellers, Controlled Region Partner Manager, AWS WWPS ISV Enablement; Tim Sandage, Sr. Security Partner Strategist, AWS WWPS ISV Enablement. Session ID 308967
  • 3. Government Accreditation. Toby Zellers, Controlled Region Partner Manager, AWS WWPS ISV Enablement; Tim Sandage, Sr. Security Partner Strategist, AWS WWPS ISV Enablement. Session ID 308967
  • 4. Agenda: Short History of Government Accreditation; Customer Requirements; Security & Accreditation Myths; Resources
  • 5. "A secure system is one that does what it is supposed to" - Gene Spafford
  • 6. Ancient History: The Rainbow Series (1980s and 1990s)
  • 7. More Recent History
  • 8. "Security is always excessive until it's not enough" - Robbie Sinclair
  • 9. Compliance Mandates: Government Agencies (Flashlight Image © Robertsrob | Dreamstime.com)
    o Government - FISMA: Risk Management Framework
    o DoD – formerly DITSCAP/DIACAP; now Risk Management Framework
    o US Intelligence: ICD-503
  • 10. Compliance Mandates: Technology Firms and ISVs. More Public Sector Compliance Frameworks (Flashlight Image © Robertsrob | Dreamstime.com):
    o Criminal Justice Information Services Division (CJIS)
    o Defense Federal Acquisition Regulations Supplement (DFARS)
    o Internal Revenue Service Publication 1075 (IRS Pub 1075)
    o Payment Card Industry Data Security Standard (PCI-DSS)
    o Health Insurance Portability and Accountability Act (HIPAA)
    o Health Information Trust Alliance (HITRUST)
    o Federal Risk and Authorization Management Program (FedRAMP) – High, Moderate, Low
    o DISA Cloud Computing and Security Requirements Guide (SRG) – IL2, IL4, IL5, IL6
  • 11. In God we trust. All others, we virus scan
  • 12. Cyber Security Myths
    o Passwords make us secure…
    o We virus check and run vulnerability scans, so we are safe…
    o We can wait until the end of the development cycle to meet with the accreditor…
    o You can trust any reputable source… "especially Open Source"
    o All AWS Services in every region are accredited…
    o My data is backed up, we are good…
    o When in doubt, penetration test…
  • 13. Cyber Security
    o Penetration testing is just one tool
    o Promote best practices for security
    o Consider AWS Well-Architected
    o Involve the security team
    o Available vs accredited vs approved
    o Backup is practice, restore is show
  • 14. FedRAMP Myths. ATO (Authorization to Operate) and Sponsors:
    o I can, and should, attain a FedRAMP/DoD ATO before I have secured customers that require it.
    o The sponsoring agency accepts the risk of the system/cloud service for the entire government.
    o A Joint Authorization Board (JAB) ATO means any federal or DoD agency/organization can use my workload/system immediately.
    o FedRAMP applies to state and local government, education, or nonprofit.
  • 15. FedRAMP Myths. Amazon Linux:
    o We can use Amazon Linux for any federal workload.
    Pen testing
    External Services and Data:
    o I cannot connect my AWS FedRAMP-authorized boundary to non-authorized FedRAMP external service providers.
    o I can use AWS services in AWS US East/West or AWS GovCloud (US).
  • 16. FedRAMP Myths. FIPS Encryption:
    o I can get a FedRAMP ATO without my encryption being FIPS 140-2 Validated.
    o FIPS 140-2 compliant cryptography satisfies FedRAMP and DoD encryption controls.
    Showstoppers:
    o FedRAMP has some frequent criteria that are considered to be showstoppers if they are not met.
  • 17. FedRAMP
    o ATO and the Sponsor process
    o FIPS 140-2 Validated encryption vs. FIPS Compliant encryption
    o Amazon Linux
    o External Services and AWS Services
    o FedRAMP Showstoppers
    https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf
    https://aws.amazon.com/compliance/services-in-scope/
  • 18. AWS GovCloud (US) Myths. AWS GovCloud (US) Overview:
    o Deploy in AWS GovCloud (US) = Automatic FedRAMP, ITAR, DOD SRG, DFARS, and CJIS Accreditation
    o IRS 1075 workloads can "ONLY" be authorized in AWS GovCloud (US).
    o To get FedRAMP, you need to be in AWS GovCloud (US).
  • 19. AWS GovCloud (US)
    o Automatic FedRAMP, ITAR, DOD SRG, DFARS, and CJIS Accreditation
    o IRS 1075 workloads
    o To get FedRAMP, you need to be in AWS GovCloud (US)
  • 20. DISA Myths. DoD Provisional Authority (PA) and Sponsors:
    o DoD Defense Security/Cybersecurity Authorization Working Group (DSAWG) is the same as the FedRAMP JAB.
    o Achieving a DISA IL4/IL5 PA is a long process.
    o DISA will give me IL2 reciprocity once I achieve my FedRAMP Moderate ATO.
  • 21. DISA Myths. DoD citizenship requirements:
    o DoD requires the same personnel requirements as FedRAMP
    DoD Showstoppers:
    o DoD has some frequent criteria that are considered to be showstoppers if they are not met
  • 22. DISA
    o DoD and FedRAMP Moderate reciprocity
    o DoD personnel requirements
    o DoD showstoppers
    DoD SRG
  • 23. DISA: Path to DoD Impact Level Provisional Authorization
    CSP has FedRAMP JAB P-ATO:
    o CSP has achieved a FedRAMP JAB P-ATO which can be leveraged for reciprocity.
    o Easiest route to get DoD PA as the CSP is engaged in continuous monitoring through FedRAMP and has satisfied the FedRAMP baseline controls.
    CSP has FedRAMP Non-DoD Agency P-ATO:
    o CSP has achieved a FedRAMP P-ATO with a non-DoD agency.
    o A 3PAO is required to review the agency FedRAMP Baseline and ensure the security controls have been satisfied for reciprocity.
    o Slightly more difficult due to the DoD not validating the FedRAMP baseline, and the responsibility for continuous monitoring must be negotiated between the DoD and the FedRAMP agency Sponsor.
    DoD assessed PA:
    o The 3PAO will work hand-in-hand with a DoD authorized assessment organization to perform the assessment of the CSP.
    o The FedRAMP Baseline and the DoD Impact Level overlays are required to be assessed.
    o Most difficult route to take by a CSP as the FedRAMP baseline has not been previously assessed or authorized. Also, it requires the DoD sponsor to take responsibility for all continuous monitoring duties.
  • 24. US Intelligence Community Myths
    o C2S is a cloud... C2S is a Region…
    o The government has firewalls between their classified networks and the Internet
    o All IC Agencies use the same Linux baseline
    o My product needs an ICD-503 ATO (just like a FedRAMP ATO)
    o Our product is used in production at Agency XYZ in the C2S Top Secret Region, so we are approved everywhere, right?
  • 25. AWS & IC Marketplace Myths
    o Rules for AWS Marketplace for AWS GovCloud (US) and IC Marketplace are the same
    o I need FedRAMP to be in:
      o IC Marketplace
      o AWS GovCloud (US) Marketplace
    o My company has a DoD Facility Clearance, so we will automatically be approved to publish in the IC Marketplace
    o ICD-503 Accreditation is a pre-requisite for IC Marketplace
  • 26. C2S and IC Marketplace
    o C2S is a contract available to the IC
    o Title 50 of US Code defines the US IC
    o Each government agency has its own approval authority
    o Like FedRAMP and DoD SRG, ICD-503 is based on NIST SP 800-53 controls
    o Ping icmp@amazon.com for details on IC Marketplace
  • 27. Other DoD Security Myths
    o A classified application shared by NCIS in collaboration with agency XYZ (part of the Intel community) needs to be compliant under: CJIS + ICD-503 + DoD SRG?
    o Our Agency can't use AWS GovCloud (US) because we have users who are deployed OCONUS
  • 28. CIS Benchmarks and Hardened Amazon Machine Images. Benchmarks:
    o Anyone can use CIS Benchmarks for consulting or their organization's commercially-available tools.
    o The easiest way to harden a virtual machine image is to configure it myself, or there is no easy way to secure an OS in the cloud.
    Secure Architectures:
    o Security baselines are set by AWS in a customer account.
  • 29. CIS Benchmarks and Hardened Amazon Machine Images
    o In order to use the CIS Benchmarks commercially, you must be a CIS SecureSuite Member
    o CIS Hardened Images are preconfigured to the security recommendations of the CIS Benchmarks
    o The CIS AWS Foundations Benchmark helps you address security and compliance considerations by building foundational security into your account and monitoring critical resources
  • 30. "The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards" - Gene Spafford
  • 31. Best URLs Ever!
    AWS Government: https://aws.amazon.com/government-education/government
    Compliance: https://aws.amazon.com/compliance
    AWS GovCloud (US): https://aws.amazon.com/govcloud-us
    AWS Marketplace: https://aws.amazon.com/marketplace
  • 32. AWS Whitepapers
    Introduction to AWS Security & Security Processes
    AWS Security Best Practices
    AWS Well-Architected Framework: Security Pillar
    Cloud Adoption Framework: Security Perspective
    Overviews of AWS Security (6)
    Securing Data at Rest with Encryption
    Security at Scale - Governance in AWS - Logging in AWS
    https://aws.amazon.com/security/security-resources/
  • 33. NIST Cyber Security Framework: Mapping of NIST CSF to AWS Services and Features. Describes whether a concern is addressed by AWS or the Customer.
    https://aws.amazon.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
  • 34. Handy Email Aliases
    AWS GovCloud Business Development: govcloud-bd@amazon.com
    AWS GovCloud Marketplace: govcloudmp@amazon.com
    IC Marketplace: icmp@amazon.com
    ATO on AWS: ATOonAWS@amazon.com
    Worldwide Public Sector Emerging Partner Team: aws-wwps-emerging-pdr@amazon.com
  • 35. re:Inforce: https://reinforce.awsevents.com/
  • 36. Related breakout sessions
    295436 – Authority to Operate on AWS: Compliance as Code. Ted Steffan and Tim Sandage/AWS
    299937 – Security & Identity: the Continuous Mitigation & Diagnostic Journey on AWS. Darren House/AWS and John Nemoto/CGI Federal
  • 37. Related breakout sessions
    316557 – Achieve Compliance with Security by Default and by Design. Andrew Plato/Anitian and Ignacio Martinez/Smartsheet
    317684 – Hyperscale Security Data for Continuous Risk Monitoring. Stephen Horvath and Amit Patel/Telos
    302828 – Accelerate ATO & Simplify Compliance Through Automation. Josh Hammer/AWS and Scott Horton/Palo Alto Networks
  • 38. Related breakout sessions
    295507 – AWS Secret Region – Lessons Learned or DevSecOps. Tyler Hayley/Joint Special Operations Command
    302830 – Beyond Security Automation: How to Move Past Developing Ad-hoc Tools and Make Tools that Develop Automatically. Brad Dispensa/AWS
    316600 – Container Security and Avoiding the 2am Call. Len Henry and Ramesh Jetty/AWS
  • 39. Thank you! Toby Zellers & Tim Sandage, zellerst@amazon.com, sandaget@amazon.com. "There is no such thing as perfect security, only varying levels of insecurity" - Salman Rushdie
  • 40.
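Slide 29 says the CIS AWS Foundations Benchmark works by "building foundational security into your account and monitoring critical resources", and slide 13 adds "Security baselines are set by AWS in a customer account" to the myth list. The example below makes that concrete: it is an added illustration, not code from the deck, from AWS or from CIS, and it is not a CIS-approved assessment tool. Each function evaluates one account-level recommendation of the kind the benchmark contains, over data in the same shape the boto3 IAM, CloudTrail and EC2 APIs return; the inline account data is constructed so the checks run offline, and the thresholds (14-character minimum length, 24-password reuse history, a multi-region trail with log-file validation, no 0.0.0.0/0 or ::/0 ingress to TCP/22) are my reading of the benchmark's recommendations, so confirm them against the benchmark version your assessor uses. Control numbers are deliberately omitted.

```python
"""Offline checks in the style of the CIS AWS Foundations Benchmark.

Added example, not from the slide deck, AWS or CIS.  The sample account data
below is CONSTRUCTED in the shape returned by boto3's
iam.get_account_summary()['SummaryMap'], iam.get_account_password_policy()
['PasswordPolicy'], cloudtrail.describe_trails()['trailList'] and
ec2.describe_security_groups()['SecurityGroups'], so a real run would simply
pass those responses to the same functions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    detail: str


def check_root_mfa(account_summary: Dict[str, int]) -> Finding:
    """Root account must have MFA enabled (SummaryMap['AccountMFAEnabled'] == 1)."""
    enabled = account_summary.get("AccountMFAEnabled", 0) == 1
    return Finding("root-mfa", enabled,
                   "root MFA enabled" if enabled else "root MFA NOT enabled")


def check_password_policy(policy: Dict) -> Finding:
    """IAM password policy: >=14 chars, all four character classes, 24-password reuse history."""
    problems: List[str] = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        problems.append("minimum length < 14")
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if not policy.get(key, False):
            problems.append(f"{key} is false")
    if policy.get("PasswordReusePrevention", 0) < 24:
        problems.append("reuse prevention < 24")
    return Finding("password-policy", not problems,
                   "; ".join(problems) or "policy meets baseline")


def check_cloudtrail(trails: List[Dict]) -> Finding:
    """At least one trail must cover all regions and have log-file validation on."""
    ok = [t["Name"] for t in trails
          if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    return Finding("cloudtrail", bool(ok),
                   f"compliant trails: {ok}" if ok
                   else "no multi-region trail with log-file validation")


def check_ssh_ingress(security_groups: List[Dict]) -> Finding:
    """No security group may allow TCP/22 ingress from 0.0.0.0/0 or ::/0."""
    offenders: List[str] = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            # Protocol "-1" (all traffic) carries no port fields; treat it as 0..65535.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= 22 <= hi:
                continue
            open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if open_v4 or open_v6:
                offenders.append(sg["GroupId"])
                break
    return Finding("ssh-ingress", not offenders,
                   f"SSH open to the Internet in: {offenders}" if offenders
                   else "no world-open SSH ingress")


def evaluate(account_summary: Dict, password_policy: Dict,
             trails: List[Dict], security_groups: List[Dict]) -> List[Finding]:
    """Run every check and return the findings in a fixed order."""
    return [check_root_mfa(account_summary),
            check_password_policy(password_policy),
            check_cloudtrail(trails),
            check_ssh_ingress(security_groups)]


def failing_checks(findings: List[Finding]) -> List[str]:
    return [f.check for f in findings if not f.passed]


# Constructed sample account: everything compliant except one legacy security group.
SAMPLE_ACCOUNT_SUMMARY = {"AccountMFAEnabled": 1, "Users": 7}
SAMPLE_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": True, "PasswordReusePrevention": 24,
}
SAMPLE_TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True,
                  "LogFileValidationEnabled": True}]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACCOUNT_SUMMARY, SAMPLE_PASSWORD_POLICY,
                      SAMPLE_TRAILS, SAMPLE_SECURITY_GROUPS):
        print(f"{'PASS' if f.passed else 'FAIL'}  {f.check}: {f.detail}")
```

The point the slides make is that AWS does not set these baselines for you: the account summary, password policy, trail configuration and security-group rules above are all customer-owned settings, which is why the benchmark (and the CIS-hardened images for the OS layer) exist as something you apply and then keep monitoring, not something the region grants.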