Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ISO 27001 on AWS

The Scale Factory
February 23, 2023
Technology
0
270

ISO 27001 on AWS

In that session, we discussed why you might consider getting your business compliant, what that journey looks like, and how to think about applying Annex A controls to your AWS environment. We also shared some tips on how to make this whole process a bit easier.

The Scale Factory

February 23, 2023
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
Disaster Recovery on AWS
scalefactory
0
73
Navigating the SaaS Transformation Journey
scalefactory
0
11
How does compliance drive success in SaaS sales?
scalefactory
0
87
How we passed our AWS certifications and why you should too
scalefactory
0
110
re:Invent 2021 re:cap
scalefactory
0
56
re:Invent 2020 re:cap
scalefactory
0
160
Secure SaaS Networking with AWS PrivateLink
scalefactory
0
350
Modern Infrastructure as Code with Pulumi
scalefactory
0
260
Architecture for Security on AWS
scalefactory
0
4.6k

Other Decks in Technology

See All in Technology
Ubieのアプリ開発を支える自動テスト
guchey
0
160
Renovate を使った ライブラリアップデート 仕組み化の取り組み
andpad
0
230
Warningアラートを放置しない!アラート駆動でログやメトリックを自動収集する仕組みによる恩恵
mashiike
2
170
GraphQLはどんな時に使うか
saboyutaka
33
7.6k
アジャイル開発と時代の流れに伴うサーバレスアーキテクチャの変化
yoshiitaka
6
3.3k
上流工程に挑戦!「俺の考えた最強サーバレス構成」が一瞬で敗北した件
kentosuzuki
2
140
DevOpsDays Taipei 2023 行前攻略
devopstaiwan
0
370
重厚長大な企業の内製開発組織で成果を出すためのサーバーレスアーキテクチャ / ServerlessDays Tokyo 2023
mongolyy
3
800
スタートアップのためのアジャイルプラクティス -論文100本ノック- #xpjug / Agile Practice for Startup - Papers -
kyonmm
PRO
0
260
TechNight#71 - Oracle Database 23c 新機能#1 JSON関連新機能
oracle4engineer
PRO
0
120
dbt_ベストプラクティス_完全に理解した.pdf
dach
2
110
Oracle Cloud Infrastructure:2023年9月度サービス・アップデート
oracle4engineer
PRO
0
160

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
184
15k
YesSQL, Process and Tooling at Scale
rocio
159
13k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.2k
Product Roadmaps are Hard
iamctodd
42
8.7k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
20k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
Happy Clients
brianwarren
92
6.1k
Adopting Sorbet at Scale
ufuk
66
8.1k
A designer walks into a library…
pauljervisheath
199
17k
4 Signs Your Business is Dying
shpigford
172
21k

Transcript

  1. ISO 27001 ON AWS_
    ANDREW WASILCZUK | he/him/his

    View Slide

  2. $whoami
    Senior Consultant
    Information Security Manager
    Systems guy at heart

    View Slide

  3. GETTING TO
    KNOW YOU_

    View Slide

  4. ISO/IEC 27001
    Defines requirements for an ISMS
    Non-prescriptive
    Risk based approach

    View Slide

  5. WHY DO WE NEED
    ISO 27001?_

    View Slide

  6. SUPPLIER
    QUESTIONNAIRES_

    View Slide

  7. ANOTHER
    POLL_

    View Slide

  8. WITH
    COMPLIANCE_ Questionnaires are easier to answer
    …or avoided altogether
    Sales cycle is shorter
    Close bigger deals
    Reduce operational risks

    View Slide

  9. TWO
    PARTS_ ISO 27001
    Mandatory
    ISMS
    Requirements
    ISO 27002
    Optional
    Annex A
    Controls

    View Slide

  10. WHERE DO I START?_

    View Slide

  11. COMPLIANCE
    JOURNEY_
    Establish an ISMS
    Conduct a risk assessment
    Choose Annex A controls
    Establish an AWS account strategy
    Treat the risks (or have a plan)
    Collect evidence
    Schedule your audit
    1
    6
    2
    3
    4
    5
    7

    View Slide

  12. AUTOMATED
    COMPLIANCE
    PLATFORMS_
    TIP

    View Slide

  13. Policy templates
    Risk register
    Asset management
    Evidence collection
    Easier audits
    Multiple standards
    Vulnerability management
    AWS integration
    Vulnerability management
    Security awareness training
    On-boarding/off-boarding flows
    Vendor assessments
    Access review
    Endpoint monitoring

    View Slide

  14. RISK
    REDUCTION
    CYCLE_

    View Slide

  15. IMPLEMENTING
    ANNEX A CONTROLS
    ON AWS_

    View Slide

  16. THE SHARED RESPONSIBILITY MODEL_

    View Slide

  17. 8.15
    LOGGING_
    To record events, generate evidence, ensure the
    integrity of log information, prevent against
    unauthorized access, identify information security
    events that can lead to an information security
    incident and to support investigations.

    View Slide

  18. 8.15 LOGGING
    DEPENDENCIES_
    5.25 Assessment and decision on info sec events
    5.28 Collection of evidence
    5.37 Privacy & protection of PII
    8.10 Information deletion
    8.11 Data masking
    8.16 Monitoring activities
    8.17 Synchronised time sources

    View Slide

  19. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged
    users),
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in-line with the data retention requirements
    Sensitive data in logs is protected
    Log analytics & anomalous behaviour detection

    View Slide

  20. View Slide

  21. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged
    users),
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in-line with the data retention policy
    Sensitive data protection
    Log analytics & anomalous behaviour detection

    View Slide

  22. View Slide

  23. {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Action": [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail"
    ],
    "Resource": "*",
    "Effect": "Deny"
    }
    ]
    }

    View Slide

  24. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged
    users),
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in-line with the data retention policy
    Sensitive data protection
    Log analytics & anomalous behaviour detection

    View Slide

  25. View Slide

  26. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged
    users),
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in-line with the data retention policy
    Sensitive data protection
    Log analytics & anomalous behaviour detection

    View Slide

  27. AWS ACCOUNT
    STRATEGY_

    View Slide

  28. AWS
    CONTROL TOWER_
    Centralised audit logging (AWS CloudTrail)
    AWS account management
    AWS IAM Identity Center
    Ready baked controls:
    Preventative (Service Control Policies)
    Detective (AWS Config)
    Proactive (AWS CloudFormation Hooks)
    Compliance dashboard

    View Slide

  29. YOUR NEXT STEPS_
    FREE CONSULTATION
    ISO 27001
    AWS READINESS
    ASSESSMENT
    A review of your current AWS
    practice.
    FREE CONSULTATION
    ISO 27001
    AWS RISK ASSESSMENT
    REVIEW
    A review of the AWS risks you’ve
    identified, and advice on risk
    treatment.

    View Slide

  30. FINAL
    POLL_

    View Slide

  31. KEEP IN
    TOUCH_
    http:/
    /www.scalefactory.com/
    https:/
    /github.com/scalefactory
    @scalefactory
    [email protected]

    View Slide