
Understanding the ASD's Cloud Computing Security for Tenants in the Context of AWS

June 2017

© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS's current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

Contents

Introduction 1
AWS Shared Responsibility approach to Managing Cloud Security 2
What does the shared responsibility model mean for the security of customer content? 3
Understanding ASD Cloud Computing Security for Tenants in the Context of AWS 4
General Risk Mitigations 4
IaaS Risk Mitigations 27
PaaS Risk Mitigations 38
SaaS Risk Mitigations 40
Further Reading 41
Document Revisions 42

Amazon Web Services – Understanding the ASD's Cloud Computing Security for Tenants in the Context of AWS

Introduction

The Australian Signals Directorate (ASD) publishes the Cloud Computing Security for Tenants paper to provide guidance on how an organisation's cyber security team, cloud architects and business representatives can work together to perform a risk assessment and use cloud services securely. The paper highlights the responsibility that organisations (referred to as Tenants) share with cloud service providers (CSPs) for designing a solution that uses security best practices.

This document addresses each risk identified in the Cloud Computing Security for Tenants paper, and describes the AWS services and features that you can use to mitigate those risks.

Important: You should understand and acknowledge that the risks discussed in this document cover only part of your responsibilities for securing your cloud solution. For more information about the AWS Shared Responsibility Model, see AWS Shared Responsibility Approach to Managing Cloud Security below.

AWS provides you with a wide range of security functionality to protect your data in accordance with ASD's Information Security Manual (ISM) controls, agency guidelines and policies. We are continually iterating on the security tools we provide our customers, and regularly release enhancements to existing security functionality. AWS has assessed ASD's ISM controls against the following services:

- Amazon Elastic Compute Cloud (Amazon EC2) – Amazon EC2 provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers. For more information, go here.
- Amazon Simple Storage Service (Amazon S3) – Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. For more information, go here.

- Amazon Virtual Private Cloud (Amazon VPC) – Amazon VPC provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define. For more information, go here.
- Amazon Elastic Block Store (Amazon EBS) – Amazon EBS provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance. For more information, go here.

Important: AWS provides many services in addition to those listed above. If you would like to use a service not listed above, you should evaluate your workloads for suitability. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.

Our global whitepapers have recommendations for securing your data that are just as applicable to Australian government workloads on AWS. For a complete list of our security and compliance whitepapers, see the AWS Whitepapers website.

Our AWS Compliance website contains more specific discussions of security, AWS Risk and Compliance practices, certifications, and reports.

If you need answers to questions that are not covered in the above resources, you can contact your account manager directly.

AWS Shared Responsibility approach to Managing Cloud Security

When you move your IT infrastructure to AWS, you adopt a model of shared responsibility between you and AWS (as shown in Figure 1). This shared model helps relieve your operational burden because AWS operates, manages, and controls the IT components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.

As part of the shared model, you are responsible for managing the guest operating system (including updates and security patches to the guest operating system) and associated application software, as well as the configuration of the AWS-provided security group firewall and other security-related features. You will also generally connect to the AWS environment through services that you acquire from third parties (for example, internet service providers). As AWS does not provide these connections, they are part of your area of responsibility. You should consider the security of these connections and the security responsibilities of such third parties in relation to your systems.

Figure 1: The AWS Shared Responsibility Model

What does the shared responsibility model mean for the security of customer content?

When evaluating the security of a cloud solution, it is important for you to understand and distinguish between:

- Security measures that AWS implements and operates – "security of the cloud"
- Security measures that you implement and operate, related to the security of your content and applications that make use of AWS services – "security in the cloud".

While AWS manages the security of the cloud, security in the cloud is your responsibility as the customer, as you retain control of what security you choose to implement to protect your own content, platform, applications, systems and networks – no differently than you would for applications in an on-site data centre.

Understanding ASD Cloud Computing Security for Tenants in the Context of AWS

The following sections describe the AWS compliance and AWS offerings that can help you, as the Tenant, mitigate the risks identified in the Cloud Computing Security for Tenants paper.

General Risk Mitigations

1 – General

Requirement
Use a cloud service that has been assessed, certified and accredited against the ISM at the appropriate classification level, addressing mitigations in the document Cloud Computing Security for Cloud Service Providers.

AWS Response
An independent IRAP assessor examined the controls of in-scope AWS services' people, process, and technology to ensure they address the needs of the ISM. AWS has been certified for Unclassified DLM (UD) workloads by the Australian Signals Directorate (ASD) as the Certification Authority and is an inaugural member of the ASD Certified Cloud Services List (CCSL).

2 – General

Requirement
Implement security governance involving senior management directing and coordinating security-related activities including robust change management, as well as having technically skilled staff in defined security roles.

AWS Response
AWS customers are required to maintain adequate governance over the entire IT control environment regardless of how IT is deployed. This is true for both on-premises and cloud deployments. Leading practices include:

- Develop an understanding of required compliance objectives and requirements (from relevant sources)
- Establish a control environment that meets those objectives and requirements
- Understand the validation required based on the organization's risk tolerance
- Verify the operating effectiveness of the control environment

AWS provides options to apply various types of controls and verification methods.

Strong customer compliance and governance might include the following basic approach:

1. Review information available from AWS together with other information to understand as much of the entire IT environment as possible, and then document all compliance requirements.
2. Design and implement control objectives to meet the enterprise compliance requirements.
3. Identify and document controls owned by outside parties.
4. Verify that all control objectives are met and all key controls are designed and operating effectively.

Approaching compliance governance in this manner will help you gain a better understanding of your control environment, and will help you clearly delineate the verification activities that you need to perform.

You can run nearly anything on AWS that you would run on premises, including websites, applications, databases, mobile apps, email campaigns, distributed data analysis, media storage, and private networks. AWS provides services that are designed to work together so that you can build complete solutions. An often overlooked benefit of migrating workloads to AWS is the ability to achieve a

higher level of security, at scale, by utilizing the many governance-enabling features offered. For the same reasons that delivering infrastructure in the cloud has benefits over on-premises delivery, cloud-based governance offers a lower cost of entry, easier operations, and improved agility by providing more oversight, security control, and central automation.

The Governance at Scale whitepaper describes how you can achieve a high level of governance of your IT resources using AWS.

3 – General

Requirement
Implement and annually test an incident response plan covering data spills, electronic discovery, and how to obtain and analyse evidence, e.g. time-synchronised logs, hard disk images, memory snapshots and metadata.

AWS Response
AWS recognizes the importance of customers implementing and testing an incident response plan. Using AWS, you can requisition compute power, storage, and other services in minutes and have the flexibility to choose the development plan or programming model that makes the most sense for the problems you're trying to solve. You pay only for what you use, with no up-front expenses or long-term commitments, making AWS a cost-effective way to deliver applications and to conduct incident response tests and simulations in realistic environments. This presentation from the AWS re:Invent 2015 conference provides further details on incident response simulation on AWS.

The AWS platform includes a range of monitoring services that can be leveraged as part of your incident detection and response capability. In-scope services include the following:

- CloudWatch
- CloudWatch Logs
- CloudWatch Events
- CloudTrail
- Trusted Advisor
- Elastic Load Balancing logs
- Amazon S3 logs
- CloudFront logs
- VPC Flow Logs
- Simple Notification Service (SNS)
- Lambda

4 – General

Requirement
Use ASD-approved cryptographic controls to protect data in transit between the Tenant and the CSP, e.g. application layer TLS or IPsec VPN with approved algorithms, key length, and key management.

AWS Response
AWS allows customers to use their own encryption mechanisms for nearly all of the services, including S3, EBS, and EC2. IPsec tunnels to VPC are also encrypted. Customers may also use third-party encryption technologies. In addition, customers can leverage AWS Key Management Service (AWS KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). All of the AWS APIs are available via TLS-protected endpoints which provide server authentication.

AWS cryptographic processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

For Tenants using Elastic Load Balancing in their solutions, it has security features relevant to this mitigation. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:

- Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer
- Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network
- When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options
- Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual instance.

Note that if you terminate TLS on the load balancer, the hop between the load balancer and your instances is unencrypted unless you also configure an encrypted back-end connection to the instances; "end-to-end" requires both.

In HTTPS/TLS, the server's long-term private key is used during the handshake to establish a short-term session key, which is then used between the server and the browser to create the ciphered (encrypted)

message. Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements (such as PCI DSS or SOX) for allowing only specific ciphers and protocols from clients to ensure that standards are met. In these cases, Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.

To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites rather than the client's. This gives you more control over the level of security that clients use to connect to your load balancer.

For even greater communication privacy, Elastic Load Balancing allows the use of Perfect Forward Secrecy, which uses ephemeral session keys that are not stored anywhere. This prevents the decryption of captured traffic, even if the long-term private key itself is later compromised. Forward secrecy comes from the ephemeral Diffie-Hellman cipher suites (ECDHE and DHE); a cipher configuration that leaves only RSA key exchange enabled does not provide it, so check the cipher list as well as the option.

5 – General

Requirement
Use ASD-approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the Tenant and the CSP when transferring data as part of on-boarding or off-boarding.

AWS Response
Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns. Transferring data with Snowball is simple, fast, secure, and can be as little as one-fifth the cost of high-speed Internet.

Snowball encrypts all data with 256-bit AES encryption. You manage your encryption keys by using the AWS Key Management Service (AWS KMS). Your keys are never sent to or stored on the appliance. Further details on AWS KMS are available in this paper.

In addition to using a tamper-resistant enclosure, Snowball uses an industry-standard Trusted Platform Module (TPM) with a dedicated processor designed to detect any unauthorized modifications to the hardware, firmware, or software. AWS inspects every appliance for any signs of tampering and to verify that no changes were detected by the TPM.

When the data transfer job has been processed and verified, AWS performs a software erasure of the Snowball appliance that follows the National Institute of Standards and Technology (NIST) guidelines for media sanitization.

Snowball uses an E Ink shipping label designed to ensure the appliance is automatically sent to the correct AWS facility and which also helps in tracking. When you have completed your data transfer job, you can track it by using Amazon SNS, text messages, and the console.

6 – General

Requirement
Use a corporately approved and secured computer, multi-factor authentication, a strong passphrase, least access privileges and encrypted network traffic to administer (and, if appropriate, access) the cloud service.

AWS Response
All of the AWS APIs are available via TLS-protected endpoints that provide server authentication. For more information on our region endpoints, go here.

AWS requires that all API requests be signed using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you; otherwise, you can have your application calculate it and include it in your REST or Query requests by following the directions in our documentation.

Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request. The window bounds replay rather than eliminating it, which is one reason the TLS protection on the endpoints matters alongside the signature.

The most recent version of the digital signature calculation process is Signature Version 4, which calculates the signature using HMAC-SHA256.

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

To get started using IAM, go to the AWS Management Console and get started with these IAM Best Practices.

You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. You can use a password policy to do these things:

- Set a minimum password length.
- Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.
- Allow all IAM users to change their own passwords. Note: When you allow your IAM users to change their own passwords, IAM automatically allows them to view the password policy. IAM users need permission to view the account's password policy in order to create a password that complies with the policy.
- Require IAM users to change their password after a specified period of time (enable password expiration).
- Prevent IAM users from reusing previous passwords.
- Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
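The signing process described under mitigation 6, as an added example that is not code from the AWS paper or the AWS SDKs. It derives the Signature Version 4 signing key with HMAC-SHA256, signs a constructed IAM ListUsers request, and then plays the server's role: recomputing the signature, comparing it in constant time, and enforcing the 15-minute timestamp window. The access key, secret key, headers and query values are constructed sample values (the documented AWS example-key format), not live credentials, and `verify` is a hypothetical server-side check written for illustration, not AWS's implementation.

```python
"""SigV4 request signing and server-side verification (standard library only).

Added example; not code from the AWS paper or the AWS SDKs. The credentials and
request below are constructed sample values, not live keys.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW = dt.timedelta(minutes=15)   # AWS rejects requests outside this window

# Constructed sample credentials and request (a ListUsers call against IAM).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "iam"
SAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}
SAMPLE_HEADERS = {
    "Host": "iam.amazonaws.com",
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "X-Amz-Date": "20150830T123600Z",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day/region/service key; the raw secret never signs a request."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Canonical request text plus the signed-headers list it commits to."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, _sha256_hex(payload)])
    return text, signed_headers


def sign(method, path, query, headers, payload, secret, region, service):
    """Return (signature, credential scope, signed headers) for the request."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def authorization_header(access_key, signature, scope, signed_headers):
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(method, path, query, headers, payload, presented, secret, region, service, now):
    """Hypothetical server side: reject stale timestamps, then recompute and compare in constant time."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    stamp = dt.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")
    if abs(now - stamp) > MAX_SKEW:
        return False                       # replayed or badly skewed request
    expected, _, _ = sign(method, path, query, headers, payload, secret, region, service)
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign the sample request, then show what the verifier accepts and rejects."""
    args = ("GET", "/", SAMPLE_QUERY, SAMPLE_HEADERS, b"")
    sig, scope, signed = sign(*args, SECRET_KEY, REGION, SERVICE)
    fresh = dt.datetime(2015, 8, 30, 12, 40)      # 4 minutes after X-Amz-Date
    stale = dt.datetime(2015, 8, 30, 13, 0)       # 24 minutes after: outside the window
    tampered = dict(SAMPLE_QUERY, Action="DeleteUser")
    return {
        "authorization": authorization_header(ACCESS_KEY, sig, scope, signed),
        "accepted": verify(*args, sig, SECRET_KEY, REGION, SERVICE, fresh),
        "tamper_rejected": not verify("GET", "/", tampered, SAMPLE_HEADERS, b"", sig,
                                      SECRET_KEY, REGION, SERVICE, fresh),
        "stale_rejected": not verify(*args, sig, SECRET_KEY, REGION, SERVICE, stale),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the SDKs do all of this for you; the value of walking through it is seeing exactly what the signature commits to: the HTTP method, path, sorted query string, the signed headers (always including host and x-amz-date) and the SHA-256 of the body. Changing any of those, or presenting the request outside the window, fails verification, while an identical request resent inside the window is still accepted, which is the replay residue the timestamp check leaves behind.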

AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS web

