How to Achieve Compliance in AWS

November 10, 2016

Today’s IT environments are highly regulated – various government entities, third-party standards and internal controls all contribute to various IT compliance challenges. IT leaders are looking for solution partners that can help mitigate some of these compliance concerns, or at least not make their overall compliance considerations more difficult.

For starters, the definition of cloud compliance is driven by how a cloud infrastructure will be regulated within a particular industry. It concerns the similarities and differences between the security and regulatory controls used to evaluate on-premises systems and those used to evaluate cloud workloads. Basically, any control that an enterprise has for its on-premises systems likely has an analog in a cloud environment. There are both national and global regulatory requirements for securing personal health data (HIPAA, HITECH), general privacy (PII, SPI), credit card information (PCI), sensitive industry data such as ITAR, and many, many more.

Cloud providers like Amazon Web Services understand these considerations, and have made massive strides to address these requirements with users of their services. Moreover, Cryptzone has created integrated solutions above and beyond basic AWS offerings to assist companies with their compliance challenges.

Cloud Security, A Shared Responsibility

AWS does a great job of defining how a shared responsibility model will work:

When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

– Security measures that the cloud service provider (AWS) implements and operates – “security of the cloud”

– Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services – “security in the cloud”

While AWS manages security *OF* the cloud, security *IN* the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.

Put simply, AWS will manage compute, storage, networking and databases – the parts of the infrastructure that make up the cloud – while the user will manage the platform, applications, identity and access management, and operating systems that run on the infrastructure AWS provides.

From a compliance perspective, it is important to note how these separate responsibilities affect compliance, and what tools are available to assist in meeting whatever compliance standards an enterprise is trying to adhere to. One of those tools is AppGate, which provides a Software-Defined Perimeter (SDP) solution and a level of identity management.

AppGate’s Software-Defined Perimeter security solution dynamically assigns network permissions to each user and ensures that every endpoint attempting to reach a given resource (whether in the cloud or on-premises) is authenticated and authorized before it can access any resource on the network. All unauthorized network resources are made invisible. This not only applies the principle of least privilege to the network, it also reduces the attack surface by hiding network resources from unauthorized or unauthenticated users. Using AppGate in conjunction with a trusted Identity Provider (IdP) creates a dynamic and regulated method of user access management that is easy to set up and maintain. Plus, AppGate’s logging features complement the data already provided by AWS. AppGate provides the visibility necessary to meet most of the standard compliance requirements for network traffic, with the ability to push logs securely to any enterprise-grade security information and event management (SIEM) solution.

Cloud compliance can be a barrier to moving workloads to the cloud, but it doesn’t have to be. Working with AWS and Cryptzone, enterprises have the tools available to overcome most common compliance concerns.

You can find more information about Cryptzone here. The Forrester Research whitepaper “No More Chewy Centers: The Zero Trust Model of Information Security” can be found here. You can also read additional Cryptzone blogs by going here.

Forrester Research, No More Chewy Centers: The Zero Trust Model of Information Security


Chris Steffen

Christopher Steffen joined Cryptzone in October 2016 as the Technical Director to educate and promote information security and regulatory compliance as it relates to network access management and cloud computing solutions. Before joining the team at Cryptzone, Chris served as the Chief Evangelist – Cloud Security for Hewlett Packard Enterprise (HPE). He has also served in executive roles as the Director of Information Technology at Magpul Industries (a plastics manufacturing company) and as the Principal Technical Architect for Kroll Factual Data (a credit service provider). Steffen has presented at numerous conferences and has been interviewed by multiple online and print media sources. Steffen holds several technical certifications, including CISSP and CISA.
