Security assurance - AWS Cloud Adoption Framework: Security Perspective

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Security assurance

Continuously monitor, evaluate, manage, and improve the effectiveness of your security programs.

Your organization and the customers you serve need trust and confidence that you have implemented adequate security and data protection measures to meet your legal, regulatory, and compliance obligations. In the cloud, compliance responsibilities are shared with your Cloud Services Provider (CSP). Security assurance implies that commitments made to, or from, your organization have sufficient evidence that the required level of trustworthiness has been achieved. Commitments take many forms, including data confidentiality, availability of a service, and accuracy of processing. They include promises made to customers, suppliers, AWS partners, and employees. The most successful security assurance programs can provide that assurance on a continuous basis, and indeed deliver automated responses when failures are known or predicted.

All organizations require security assurance. Some may also have legal, regulatory, or contractual compliance requirements that are best met from evidence produced by the assurance activities. While compliance is a critical milestone, it isn't an end state. Your teams must integrate security and privacy assurance throughout the entire capability development lifecycle.

Start

Start by reviewing all the regulatory requirements that your organization must comply with. These can include global, local, industry, or sector-specific security and privacy regulations. Document, communicate, and track your requirements from a business risk management perspective. As you perform this exercise, determine if each of the regulatory requirements has been updated to enable the use of cloud services. Requirements that haven't been updated to reflect the differences between traditional on-premises environments and the cloud can hinder adoption. If you identify regulatory requirements that aren't cloud friendly, engage with an industry association or directly with the regulator to identify the problem. Then, you can propose changes to evolve and update the requirements.

Next, identify the controls you must implement. AWS assurance programs provide templates and control mappings to help customers establish the compliance of their environments running on AWS. Review these and document your controls into a comprehensive framework. Once you've established security and privacy controls to meet your requirements, develop enterprise-wide policies and standards to set expectations. Then, review to determine if the controls are implemented and operating effectively. You can use self-assessments, self-attestation, internal audits, or independent assessments by third parties to verify requirements and identify gaps or risks.

Traditional security assurance approaches involve gathering samples of evidence, sample testing performed by auditors, and evaluating the narrative of how systems work. This process is often manual, periodic, and time intensive, and it can lack technical depth, so reports are frequently out of date before they are published. The underlying challenge is that systems are constantly changing, and it could take months or even years to manually assess controls for every scenario in order to verify control statements. Once your organization reaches this threshold of complexity, you must transition to the Advance level of security assurance.

Advance

Compare and evaluate your traditional on-premises environments and security approaches with those enabled by the cloud. Many customers quickly determine that regulated and audited data is better suited for the cloud. Review your organization's security and compliance program to determine the number of compliance programs for which you use independent auditors. Auditors can validate the presence and operation of controls and provide you with associated reports, such as a SOC 2 Type II report. Review the audit reports, compliance certifications, or attestations that your cloud vendor has obtained. This will help you understand the controls they have in place, how those controls have been validated, and whether they are operating effectively. Compare your on-premises processes with AWS; note that AWS regularly achieves third-party validation for thousands of global compliance requirements.

The scale of AWS allows us to embed security capabilities and invest more than most large companies could afford themselves. We provide an environment that gives customers comprehensive visibility and control over their cloud environment and data that simplifies compliance identification, tracking, and reporting. Investigate how AWS can help your organization, security teams, regulators, and auditors get the technical depth and understanding to move regulated workloads to the cloud.

If you are using a non-AWS Cloud Service Provider (CSP), determine if the CSP undergoes security assessments by independent third parties, including the physical and environmental security of its hardware and data centers. Make sure that they've obtained certifications and accreditations from recognized accreditation bodies. To confirm controls are implemented and effective, review the CSP certification and accreditation documentation. This will give you assurance that the environmental security, security practices, and CSP cloud environment support your needs. By operating in an accredited cloud environment, you can reduce the scope and cost of audits you must perform. You can use the CSP's certifications and inherit security controls to simplify and streamline your compliance.

As your company matures and advances its security assurance capabilities, there will most likely be changes in your environment, and you'll need a higher frequency of assurance activities. These provide you with an ability to detect drift and reduce the chance that you'll miss deviations. Use tools and automation capabilities to continuously monitor and evaluate your environment to verify the operating effectiveness of your controls and demonstrate compliance with regulations and open standards.

Operating in an AWS environment allows customers to take advantage of embedded, automated tools such as AWS Audit Manager, AWS Security Hub, AWS Config, and AWS CloudTrail for validating compliance. Use these tools to reduce the effort needed to perform audits, and make these tasks routine, ongoing, and automated. Evolve the role of compliance in your company from a necessary administrative burden to a function that manages your risk and improves your security posture.

Apply cloud-specific verification techniques to your audits. Contemporary control frameworks and their language are focused on on-premises environments, so your security IT auditing techniques must be updated for the cloud. Prepare for auditing security in the cloud by identifying the differences between auditing in the cloud and on-premises. Provide your team and your auditors with education and tools to audit for security in the cloud using a risk-based approach. ISACA has launched the Certificate in Cloud Auditing Knowledge (CCAK), a vendor-neutral technical training and credentialing program for cloud auditing. The AWS Cloud Audit Academy program enables organizations to establish common audit knowledge between customers and external IT auditors. You'll be able to apply security auditing best practices and use AWS services to assess industry-recognized frameworks, standards, and statutory regulations. This will help reduce time-to-market for regulated workloads.

Excel

As you reach the excel stage, your organization will be the most mature. You now build security and privacy compliance into all business processes. You also monitor legislative and regulatory developments to proactively understand and address new regulatory requirements. And, you partner with regulatory entities and associations to proactively shape positive, enabling regulations. You demand that regulators and auditors become familiar with the advanced tools and security that you're using. You contribute to and use existing security compliance frameworks and controls instead of building frameworks for a particular sector or industry. Your environment is based upon infrastructure, policy, and compliance as code, with immutable infrastructure, detailed logging, and anomaly detection.

Your organization will move away from traditional assurance methods; they will be less effective as your complexity grows. You're implementing new assurance models, and embedding application security reviews and comprehensive verification and validation (V&V) review, analysis, and testing. These reviews check that the requirements are correctly defined, and validate that the security requirements have been met. You use emerging technologies, such as automated reasoning and provable security to perform assurance activities.

Automated reasoning infers the future behavior of computer systems, considering all possible actions, requests, and configurations, and provides the highest levels of security assurance. For example, the AWS Automated Reasoning Group (ARG) is developing mathematical proofs of certain aspects of a system. A mathematical proof might be used to show that there is no instance of a weak cryptographic key being used anywhere in the entire system. By contrast, the objective of contemporary audits is only to achieve "reasonable assurance": auditors can't evaluate all the code or all of the instances where keys are being used. Automated reasoning provides much greater assurance, because the mathematical proof can examine the entire system. This sets a much higher bar than today's most advanced control measures, such as automated controls, preventive controls, or detective controls.

You also use AWS services that have integrated ARG capabilities such as AWS Zelkova. This service provides insight into access control permissions and uses automated reasoning to analyze policies and the future consequences of those policies. This includes AWS Identity and Access Management (IAM), Amazon Simple Storage Service (Amazon S3), and other resource policies. These policies dictate who can (or can't) do what with which resources. AWS Zelkova is used by Amazon Macie, Amazon GuardDuty, Amazon S3, and AWS IoT Device Defender to automatically reason about the questions you ask of your policies, which increases confidence in your security configurations. Another example is AWS Tiros, which maps connections between network mechanisms, including open internet connectivity. It checks all network pathways and data permission levels in milliseconds. Amazon Inspector uses VPC Reachability Analyzer to determine network reachability. AWS offers tools and services that provide higher levels of assurance about the security of your infrastructure and data than traditional approaches or on-premises tools.
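As an added example (not part of the whitepaper and not AWS's implementation), the following Python shows the compliance-as-code pattern the Advance and Excel sections describe: a check in the shape of an AWS Config custom-rule evaluation that asks the kind of question the text attributes to Zelkova, namely whether a bucket policy lets anyone outside a known scope read the bucket. It answers that question with a plain syntactic check, not automated reasoning; the set of scoping condition keys, the sample configuration item, and the location of the policy text under supplementaryConfiguration are assumptions made for this example.

```python
import json
# Constructed, non-exhaustive set of condition keys that pin a "*" principal to
# a known account, organization or network path.
SCOPING_KEYS = {"aws:sourceaccount", "aws:principalaccount", "aws:principalorgid",
                "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce"}

def _principals(stmt):
    """Normalise the Principal element to a list of strings ('*' means anyone)."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def _is_scoped(stmt):
    """True if an equality/like condition restricts who the wildcard can be."""
    for operator, kv in stmt.get("Condition", {}).items():
        if operator.startswith(("StringEquals", "StringLike", "ArnEquals", "ArnLike")):
            if any(k.lower() in SCOPING_KEYS for k in kv):
                return True
    return False

def public_statements(policy):
    """Sids of Allow statements anyone can use. Deny statements are ignored: that is
    the gap a full policy reasoner closes and this syntactic check does not."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and "*" in _principals(s) and not _is_scoped(s)]

def evaluate(config_item):
    """Build the PutEvaluations record for one S3 bucket configuration item (policyText path assumed)."""
    policy = json.loads(config_item["supplementaryConfiguration"]["BucketPolicy"]["policyText"])
    bad = public_statements(policy)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if bad else "COMPLIANT",
        "Annotation": ("Public Allow statements: " + ", ".join(bad))[:256] if bad else "No unscoped wildcard Allow",
    }

# Constructed configuration item: one wildcard scoped to a VPC endpoint, one truly public.
SAMPLE_CI = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-assurance-bucket",
    "supplementaryConfiguration": {"BucketPolicy": {"policyText": json.dumps({
        "Version": "2012-10-17", "Statement": [
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-assurance-bucket/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assurance-bucket/*"}]})}}}
```

Running evaluate(SAMPLE_CI) flags only the PublicRead statement, because the VpcOnly statement's wildcard is narrowed by its condition; a real rule would pass this record to PutEvaluations on every configuration change, which is how drift is detected continuously rather than at audit time.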