AWS Security Blog

Learn About re:Invent 2015 Compliance Sessions

As I mentioned previously, the breakout sessions for the Security & Compliance track at re:Invent 2015 have been announced. And in my most recent re:Invent post, I focused on the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.

Today, I want to highlight the AWS Compliance Summit at re:Invent as well as the compliance sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent this year, you can add these sessions to your schedule now.

GEN117 – AWS Compliance Summit

Want to learn more about Compliance in the cloud? Attend the AWS Compliance Summit, where key verticals such as Financial Services, Government and Public Sector, and Healthcare and Life Sciences will be discussed, along with customer use cases and prescriptive guidance from AWS subject matter experts.

SEC312 – Reliable Design and Deployment of Security and Compliance

No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. In this session, AWS Director of Risk and Compliance Chad Woolf and AWS Senior Risk and Compliance Strategist Tim Sandage will focus on “Secure by Design” principles and show how you can configure the AWS environment to provide reliable operation of security controls, such as:

  • Organizational governance
  • Asset inventory and control
  • Logical access controls
  • Operating system configuration
  • Database security
  • Applications security configurations

This session will focus on using AWS security features to architect securing and auditing the architecture capabilities of AWS cloud services such as AWS IAM, Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how you can use AWS technology to create a secure and auditable environment.

SEC320 – AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance

You’ve made the move to AWS and are now reaping the benefits of decreased costs and increased business agility. How can you reap those same benefits for your cloud security and compliance operations? Because building cloud-native applications requires different skill sets, architectures, integrations, and processes, implementing effective, scalable, and robust security for the cloud requires rethinking everything from your security tools to your team culture.

In this session, CEO Tim Prendergast will show you how to start down the path toward security and compliance automation. You also will hear how DevSecOps leaders such as Shannon Lietz at Intuit and Brett Lambo at Capital One are using AWS, DevOps, and automation to transform their security operations.

SEC304 – Architecting for HIPAA Compliance on AWS

This session wil bring together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. AWS Principal Solutions Architect Bill Shinn and Emdeon CISO Haddon Bennett will discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You’ll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility.

This session will help security and compliance experts see what’s technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We will map the Security Rule’s Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers.

SEC310 – Splitting the Check on Compliance and Security: Keeping Developers and Auditors Happy in the Cloud

Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. In this session, Netflix Director of Engineering of Cloud Security Jason Chan will walk through how Netflix moved its PCI and SOX environments to the cloud and  were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers. Topics covered will include shared responsibility, using compartmentalization and microservices for scope control, immutable infrastructure, and continuous security testing.

SEC204 – AWS GovCloud (US) Not Just For Govies: Meeting Requirements for US-Only Access

For some organizations, all the technical security features in the world can’t address an underlying need to restrict physical access of resources to citizens within the United States. GovCloud (US) was established to meet the needs of the US federal government, but it is available for any organization facing the challenge of restricting access in this way. Learn about the features available in GovCloud (US), how to onboard your workloads, and the options for using GovCloud (US) as one of multiple regions. Also, hear from government and commercial customers about their experience using GovCloud (US). This session’s presenters will be AWS General Manager of Government Cloud Solutions CJ Moses, AWS GovCloud Senior Business Development Manager Keith Brooks, Planet Labs Director of Engineering Troy Toman, and CSC Vice President Enterprise Services Solutions Jon Check.

SEC313 – Security and Compliance at Petabyte Scale: Lessons from the National Cancer Institute’s Cancer Genomics Cloud Pilot

Delivering petabyte-scale computational resources to a large community of users while meeting stringent security and compliance requirements presents a host of technical challenges. Seven Bridges Genomics met and overcame them when building the Cancer Genomics Cloud Pilot (CGC) for the National Cancer Institute. The CGC helps users to solve massive computational problems involving multidimensional data, which include:

  • Running diverse analyses in a reproducible manner.
  • Collaborating with other researchers.
  • Keeping personal data secure to comply with NIH regulations on controlled data sets.

AWS Technical Business Development Manager Angel Pizarro and Seven Bridges Genomics CTO Igor Bogicevic will highlight the lessons learned along the way, as well as best practices for constructing secure and compliant platform services using S3, Amazon Glacier, IAM, VPC, and Amazon Route 53.

SEC325 – Satisfy PCI Obligations While Continuing to Innovate

As an online payments provider, Stripe has always had a close relationship with PCI DSS. And as a partner to hundreds of thousands of online businesses, we take the security of our users’ personal information very seriously. But as a fast-growing startup company where fast innovation is a key advantage, Stripe also can’t let PCI control its operations. In this session, Stripe Software Engineer Evan Broder will discuss strategies Stripe has used that both make Stripe more secure and satisfy PCI (and other) obligations, all without slowing innovation. Though useful for PCI and other compliance obligations, these strategies can just as easily be applied to security needs across your organization.

I will post about the other sessions in the Security & Compliance track before re:Invent 2015 begins on October 6. Future posts will discuss sessions about:

  • Auditing
  • DDoS
  • Incident response
  • Key management
  • Overall security
  • Security architecture

– Craig