Hello, I'm Professor Wool and welcome to our Introduction to Amazon Security Management series. Today's lesson will focus on change management, auditing and compliance in an AWS hybrid environment.

So you have your Amazon estate, you have your servers up there, and maybe your teams have already been using it for development and test, but now you're considering starting to use the AWS environment for your production systems. When you do that, the questions of audit and compliance become much more significant, and this is today's topic. So let's look at a few things that you have at your disposal.

First of all, there are some offerings from Amazon that you could use and are relevant. First we have a tool called CloudWatch. This is an offering from Amazon that is basically a health monitor and alert server for your instances. Basically it lets you track the operational setting and status of each of the instances, to see if they're running out of resources and so on, if they're generating system messages and alarms. So it's a useful tool to use, mostly for an operational environment, less so for an audit capability.

A second utility you can use from Amazon is called CloudTrail. This is really an audit system for API calls. If you have an automated system that automatically modifies settings on your Amazon estate, then using CloudTrail you can see which API calls have been invoked and what they're doing. So again, this is something that is useful to use when you're subject to audit.

Now, however, this is not all that you could hope for, and you might need additional things, and that's where you can turn to third-party solutions that augment the offering from Amazon and help you along with your regulatory requirements. So why do you need that? Well, if your servers in the Amazon estate are processing any kind of sensitive data, for instance if you are processing credit cards, you're subject to PCI. If you are a publicly traded company, then you're probably subject to SOX. If you're managing medical data using those servers, you're probably subject to HIPAA, and so on and so forth. There are multiple regulations depending on which business you're in, and to be able to use your Amazon cloud for this type of data, that estate becomes part of your audit and compliance reporting, and you need the right tools and systems and solutions to help you along to meet those requirements and to provide the reporting that the auditors are going to ask you for. So you want to find solutions that work in the hybrid environment, that give you the same types of reporting that you get with your traditional firewalls; you want the same reporting on your Amazon firewalls.

What are the things that you might need from such a solution? So obviously you need the regulatory compliance reporting, but to do that the solutions also have to be able to analyze your setting properly and understand the security stance that is protecting your data, and for that we need first and foremost visibility. The third-party solution needs to be able to view the rules from all the security groups that are protecting each instance, "all" being the key factor here. If you saw the previous class, you realize that there is a many-to-many mapping between security groups and instances, and that can lead to quite a bit of complexity. Just understanding what are the rules that are protecting a given instance is a complex task, and of course it's critical to be able to demonstrate any kind of compliance, so visibility of this type is key.

Another thing that you need is the ability to search across the rules across your whole hybrid estate. Remember, you have other firewalls protecting other pieces of your environment, protecting your data centers, protecting your remote offices. You need to get a holistic view of all of these security protections to be able to meet your audit requirements, and a third-party solution should be able to search across the whole estate regardless of whether it's a traditional firewall or an AWS firewall. You want the same capabilities and the same analysis powers.

Another thing that is part of every type of regulation is tracking changes to the security policies. So you need to be able, in the Amazon environment, to track changes to the security rules. If somebody makes a change to a particular rule, then that can have an impact on your regulatory compliance, because that rule is associated with various instances that might be part of the audit, or a mistake. So you need alerting and monitoring of such changes. You also need alerting and monitoring for changes to the mapping between security groups and instances. If the mapping has changed, if all of a sudden a security group that used to be associated with certain instances now is no longer associated with those instances, then the protection has changed, and this is an event that needs to be notified and audited and tracked.

So these types of things are some of the points that you might want to look at when you're evaluating third-party solutions to augment the offering from Amazon protecting your cloud-based estate. Thank you for your attention, and I hope to see you next time in another class.
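As an added example that is not part of the lesson: the change-tracking requirement discussed above (rule changes, and changes to the security-group-to-instance mapping) applied to CloudTrail records. The EC2 event names are real API names; the log records, account id, ARNs, group and instance ids, and the requestParameters layout are constructed samples.

```python
"""Flag CloudTrail records that change security group rules or the
group-to-instance mapping. Added example; EC2 event names are real API
names, the log records and every id in them are constructed samples."""
import json

# API calls that add or remove rules inside a security group.
RULE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}
# API calls that can re-attach groups to an instance or network interface.
MAPPING_EVENTS = {"ModifyInstanceAttribute", "ModifyNetworkInterfaceAttribute"}
# Constructed sample log, trimmed to the fields inspected below.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "groupSet": {"items": [{"groupId": "sg-0ffffff0"}]}}},
    {"eventTime": "2024-01-10T09:25:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",  # resize only
                           "instanceType": {"value": "t3.large"}}},
]})

def classify(record):
    """Return 'rule', 'mapping' or None for one CloudTrail record."""
    name, params = record.get("eventName"), record.get("requestParameters") or {}
    if name in RULE_EVENTS:
        return "rule"
    # ModifyInstanceAttribute covers many attributes; only a groupSet/groups
    # parameter changes which security groups actually protect the host.
    if name in MAPPING_EVENTS and ("groupSet" in params or "groups" in params):
        return "mapping"
    return None

def audit_changes(raw_json):
    """Return (time, kind, actor, event, target) for every tracked change."""
    alerts = []
    for rec in json.loads(raw_json)["Records"]:
        kind = classify(rec)
        if kind:
            p = rec["requestParameters"]
            target = p.get("groupId") or p.get("instanceId") or p.get("networkInterfaceId")
            alerts.append((rec["eventTime"], kind, rec["userIdentity"]["arn"],
                           rec["eventName"], target))
    return alerts
```

The third record is deliberately an instance resize: it is the same API call as a group re-attachment, so the parameter check is what keeps the audit trail from drowning in unrelated changes.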