Log in to Skyline
Controls for ‘Health and Social Care Cloud Security – Good Practice Guide’
Ref | Security Principle | NHS Guidance | Applies To | Controls |
|---|---|---|---|---|
1 | Data in transit protection | The Cloud Provider should:-
| AWS | Utilise strong cryptography as defined by NIST SP800-57 to encrypt communication AWS establishes and manages cryptographic keys for required cryptography employed within the system boundary. AWS produces, controls, and distributes symmetric cryptographic keys using U.S. National Institute of Standards and Technology (NIST)-approved key management technology and processes in the AWS information system. AWS is designed to protect the confidentiality and integrity of transmitted data through the comparison of a cryptographic hash of data transmitted. This is done to help ensure that the message is not corrupted or altered in transit. Data that has been corrupted or altered in transit is immediately rejected. AWS provides several methods for customers to securely handle their data. Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center. "AWS enables customers to open a secure, encrypted channel to AWS servers using HTTPS (TLS/SSL). You can connect to an AWS access point (API endpoint) via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery." Undertake annual assessment against a recognised standard such as ISO to test the security of the communication "AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment. Internal and external audits are planned and performed according to the documented audit scheduled to review the continued performance of AWS against standards-based criteria and to identify general improvement opportunities. Standards-based criteria includes but is not limited to the ISO/IEC 27001, Federal Risk and Authorization Management Program (FedRAMP), the American Institute of Certified Public Accountants (AICPA): AT 801 (formerly Statement on Standards for Attestation Engagements [SSAE] 16), and the International Standards for Assurance Engagements No.3402 (ISAE 3402) professional standards. Compliance reports from these assessments are made available to customers to enable them to evaluate AWS. The AWS Compliance reports identify the scope of AWS services and regions assessed, as well the assessor’s attestation of compliance. A vendor or supplier evaluation can be performed by leveraging these reports and certifications. Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
The Service User should:-
| ISL |
| ||
2 | Asset protection and resilience |
|
|
|
2.1 | Physical location and legal jurisdiction | The Cloud Provider must:-
| AWS | Provide cloud infrastructure (which includes all hardware, software, networks and the physical data centres that house it all) within the UK, European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield "The AWS Cloud infrastructure is built around Regions and Availability Zones (“AZs”). A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities. These Availability Zones offer you the ability to operate production applications and databases which are more highly available, fault tolerant and scalable than would be possible from a single data center. Please use this link for an up to date list of regions: https://aws.amazon.com/about-aws/global-infrastructure/ AWS customers can already transfer personal data from the EU to the US in a compliant way; The EU-US Privacy Shield aims to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US. AWS offers customers a Data Processing Addendum, including Model Clauses (Data Processing Addendum) that was approved in 2015 by the EU data protection authorities, known as the Article 29 Working Party. This Data Processing Addendum enables our customers, when using AWS to transfer personal data outside the European Economic Area (EEA), to any country, including to the US. Additionally, WS is certified under the EU-US Privacy Shield. View the certification. More information here: https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/" Provide independent validation that the data centres are actually physically located within the UK, European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield State the legal jurisdiction(s) to which your data is subject to. "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1 and 2 reports, ISO 27001 certification and PCI-DSS compliance reports. These reports and certifications are produced by independent third party auditors and attest to the design and operating effectiveness of AWS security controls. Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. The local laws that apply in the jurisdiction where the content is located are an important consideration for some customers. However, customers also need to consider whether laws in other jurisdictions may apply to them depending upon where they – or their customers – are doing business. Customers should seek advice to understand the application of relevant laws to their business and operations. Please use this link to access the AWS Customer Agreement: https://aws.amazon.com/agreement/" |
The Service User should:-
| ISL |
| ||
2.2 | Data centre security | The Cloud Provider should:-
| AWS | "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
2.3 | Data at rest protection | The Cloud Provider should:-
| AWS | "AWS establishes and manages cryptographic keys for required cryptography employed within the AWS infrastructure. AWS produces, controls and distributes symmetric cryptographic keys using NIST approved key management technology and processes in the AWS information system. Customers retain control and ownership of their data, thus it is their responsibility to choose to encrypt the data. Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys. AWS offers customers the ability to add an additional layer of security to data at rest in the cloud, providing scalable and efficient encryption features. This includes:
AWS KMS and AWS CloudHSM use FIPS 140-2 validated hardware security modules to protect the security of your keys. In addition, AWS provides APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment. " "AWS cryptographic processes are reviewed by independent third party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
The Service User should:-
| ISL |
| ||
2.4 | Data sanitisation | The Cloud Provider should:-
| AWS | "AWS classifies all media entering AWS facilities as Critical and treats it accordingly, as high impact, throughout its life-cycle. To destroy data on storage devices as part of the decommissioning process in accordance with the AWS security standard, the following equipment use procedures are followed: -Every AWS datacenter facility contains one approved degaussing device and one approved disk destruction device; -Equipment containing storage media is checked to ensure that any data or software has been removed or securely overwritten prior to disposal or reuse; -The functionality of all media sanitization equipment is checked for operational readiness at regular intervals; -All Solid State Drives (SSDs) are wiped prior to crushing; -All hard drives and magnetic tapes are degaussed after being removed from a device and placed in a secure bin. -Degaussing and destruction device functionality is tested on a periodic basis to verify that the intended sanitization is being achieved. Portable storage devices (e.g. external hard drives, floppy disks, storage tapes, compact discs, digital video discs, USB flash/thumb drives, and diskettes except for those that are part of an approved device, such as a flash card that is part of a networking router) are not permitted for use within the system boundary. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. AWS tracks, documents, and verifies media sanitization and disposal actions. All media removal and disposal is performed by designated AWS personnel. Content is destroyed on storage devices as part of the decommissioning process in accordance with AWS security standards. AWS hosts are securely wiped or overwritten prior to provisioning for reuse. AWS media is securely wiped or degaussed and physically destroyed prior to leaving AWS Secure Zones. To validate AWS’ secure wipe processes and procedures, third party auditors review the guidance within the AWS Media Protection policy, observe degaussing equipment and secure shred bins located within AWS facilities, observe historical tickets which tracked the destruction of a hard drive within a data center and the process of a device being wiped and removed from the environment. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
2.5 | Equipment Disposal | The Cloud Provider should:-
| AWS | "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" "All media removal and disposal is performed by designated AWS personnel. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
2.6 | Physical resilience and availability
| The Cloud Provider should:-
| AWS | Note (2) is N/A due to our our Silver Service Classification. "AWS continuously monitors service usage to project infrastructure needs to support availability commitments and requirements. AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently (e.g., weekly). In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements. AWS does commit to high levels of availability in its service level agreements (SLAs). AWS provides availability SLAs of 100% for Amazon Route 53, 99.9% for Amazon CloudFront and Amazon S3, 99.95% for Amazon RDS, 99.99% for Amazon EC2, Amazon EBS, Amazon ECS, and Amazon Fargate for Amazon ECS, and up to 99% for S3 Standard-IA. In addition, we provide a Service Health Dashboard that shows the current operational status of each of our services in real-time, so that our uptime and performance are fully transparent. Highly resilient systems, and therefore service availability, is a function of the system design. Through the use of Availability Zones and data replication, AWS customers can achieve extremely high recovery time and recovery point objectives, as well as service availability of 99.999% and more. If availability and performance are important design considerations for an application, customers should deploy the application across multiple Availability Zones in the same region for fault tolerance and low latency. Some AWS services, such as Amazon S3, are built to leverage all Availability Zones within the region and have a durability objective of 99.999999999%. These services can be used for highly durable storage across Availability Zones and persistent volume (Amazon EBS) snapshots. AWS offers service level agreements for certain AWS services. These may be updated from time to time. The service level agreements we currently offer are located at https://aws.amazon.com/compute/sla/, http://aws.amazon.com/s3-sla/, http://aws.amazon.com/cloudfront/sla, http://aws.amazon.com/route53/sla and http://aws.amazon.com/rds/sla. " "AWS operates our data centers in alignment with the Tier III+ guidelines, but we have chosen not to have a certified Uptime Institute based tiering level so that we have more flexibility to expand and improve performance. AWS' approach to infrastructure performance acknowledges the Uptime Institute's Tiering guidelines and applies them to our global data center infrastructure design to ensure the highest level of performance and availability for our customers. AWS then improves on the guidelines provided by the Uptime Institute to scale for global operations and produce an operating outcome for availability and performance that far exceeds that which would be achieved through the Uptime Institute tiering guidelines alone. Although we do not claim alignment with Tier 4, we can ensure that our systems have a fault tolerant sequence of operations with self-correcting mitigations in place. AWS has identified critical system components required to maintain the availability of the system and recover service in the event of outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones. Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Availability Zones are connected to each other with fast, private fiber-optic networking, enabling you to easily architect applications that automatically fail-over between Availability Zones without interruption. Please see the AWS Global Infrastructure page and the risk and compliance whitepaper for more details: https://aws.amazon.com/about-aws/global-infrastructure/ https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf" "At the moment of writing, the number of Availability Zones in the EEA regions are: London (3), Ireland (3), Frankfurt (3), Paris (3). Please refer to the aws global infrastructure page for more information - available at https://aws.amazon.com/about-aws/global-infrastructure/" |
The Service User should:-
| ISL | Note we are applying applicable guidance for our Silver Service Classification.
| ||
3 | Separation between users | The Cloud Provider should:-
| AWS | "Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Customers maintain full control over who has access to their data. Services which provide virtualized operational environments to customers (i.e., EC2) ensure that customers are segregated from one another and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation. Different instances running on the same physical machine are isolated from each other via the hypervisor. In addition, the Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical random-access memory (RAM) is separated using similar mechanisms. Customer instances have no access to physical disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically erases every block of storage before making it available for use, which protects one customer’s data from being unintentionally exposed to another. Customers can further protect their data using traditional filesystem encryption mechanisms, or, in the case of Amazon Elastic Block Store (EBS) volumes, by enabling AWS-managed disk encryption. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:
| ISL |
| ||
4 | Governance framework | The Cloud Provider should:-
| AWS | "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" "AWS is responsible for ensuring that good commercial IT practices are utilized in the design, development and operation of AWS Products. AWS considers maintaining customer trust and confidence of the utmost importance and therefore defines the quality attributes of AWS Products in terms of Availability, Integrity and Confidentiality. AWS has established a quality management system which meets or exceeds the best practice guidelines established by the International Organization for Standardization (ISO). In addition, the AWS control environment is subject to various internal and external risk assessments. AWS’ Compliance and Security teams have established an information security framework and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.2, and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems). AWS maintains the security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the information security policy. AWS management leads an information security program that identifies and establishes security goals that are relevant to business requirements. Annual evaluations are performed to allocate the resources necessary for performing information security activities within AWS to meet or exceed customer and service specifications. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
5 | Operational security |
|
|
|
5.1 | Configuration & change management | The Cloud Provider should:-
| AWS | "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:-
| ISL |
| ||
5.2 | Vulnerability Management | The Cloud Provider should:-
| AWS | "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" "AWS Security performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools. External vulnerability assessments are conducted by an AWS approved third party vendor at least quarterly, and identified issues are investigated and tracked to resolution. Vulnerabilities that are identified are monitored and evaluated and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities. AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches. AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at: http://aws.amazon.com/security/vulnerability-reporting/. AWS customers are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for their Amazon EC2 and Amazon ECS instances and applications. Scans should include customer IP addresses and not AWS endpoints. AWS endpoints are tested as part of AWS compliance vulnerability scans. The AWS Security team notifies and coordinates with the appropriate Service Teams when conducting security-related activities within the system boundary. Activities include, vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third-parties to probe the defenses and device configuration settings within the system. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
|
| The Service User should:-
| ISL |
|
5.3 | Protective monitoring | The Cloud Provider should:-
| AWS | "AWS utilizes automated monitoring systems to provide a high level of service performance and availability. Proactive monitoring is available through a variety of online tools both for internal and external use. Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured to notify operations and management personnel when early warning thresholds are crossed on key operational metrics. An on-call schedule is used such that personnel are always available to respond to operational issues. This includes a pager system so alarms are quickly and reliably communicated to operations personnel. AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams. AWS correlates information gained from logical and physical monitoring systems to enhance security on an as-needed basis. Upon assessment and discovery of risk, Amazon disables accounts that display atypical usage matching the characteristics of bad actors. The AWS Security team extracts all log messages related to system access and provides reports to designated officials. Log analysis is performed to identify events based on defined risk management parameters. AWS logging and monitoring processes are reviewed by independent third party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP compliance." |
The Service User should:-
| ISL |
| ||
5.4 | Incident management | The Cloud Provider should:-
| AWS | "AWS' incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. The AWS SOC reports provides details on the specific control activities executed by AWS. All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment. AWS utilises a three-phased approach to manage incidents:
To ensure the effectiveness of the AWS Incident Management plan, AWS conducts incident response testing. This testing provides excellent coverage for the discovery of previously unknown defects and failure modes. In addition, it allows the Amazon Security and Service teams to test the systems for potential customer impact and further prepare staff to handle incidents such as detection and analysis, containment, eradication, and recovery, and post-incident activities. The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. The test plan includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination (when applicable), as well as varying reporting/detection avenues (i.e. customer reporting/detecting, AWS reporting/detecting). AWS Incident Management planning, testing and test results are reviewed by third party auditors. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
The Service User should:-
| ISL |
| ||
6 | Personnel security | The Cloud Provider should:-
| AWS | "Background checks are performed as part of the Company’s hiring verification processes and include education, previous employment, and, in some cases, criminal and other background checks (including screening against global sanctions watchlists) as permitted by law and regulation for employees commensurate with the employee’s position and level of access to AWS facilities. All persons working with AWS information must, at a minimum, meet the screening process for pre-employment background checks and sign a Non-Disclosure Agreement prior to being granted access to AWS information. All personnel supporting systems and devices within the system boundary must sign a non-disclosure agreement prior to being granted access. In alignment with ISO 27001 standard, all AWS employees complete periodic role based training that includes AWS Security training and requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
The Service User should:-
| ISL |
| ||
7 | Secure development | The Cloud Provider should:-
| AWS | "The AWS system development lifecycle incorporates industry best practices which include formal design reviews by the AWS Security Team, threat modeling and completion of a risk assessment. Refer to the AWS Overview of Security Processes for further details. AWS has procedures in place to manage new development of resources. Refer to ISO 27001 standard, Annex A, domain 14 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" |
8 | Supply chain security | The Cloud Provider should:-
| AWS |
|
9 | Secure user management |
|
|
|
9.1 | Authentication of [admin] users to management interfaces and support channels | The Cloud Provider should:-
| AWS | "Controls in place limit access to systems and data and provide that access to systems or data is restricted and monitored per the AWS access policy. In addition, customer data is and server instances are logically isolated from other customers by default. Privileged user access controls are reviewed by an independent auditor during the AWS SOC, ISO 27001, PCI, ITAR, and FedRAMP audits. AWS provides a centralized mechanism called AWS Identity and Access Management (IAM) for creating and managing individual users within your AWS Account. A user can be any individual, system, or application that interacts with AWS resources, either programmatically or through the AWS Management Console or AWS Command Line Interface (CLI). Each user has a unique name within the AWS Account, and a unique set of security credentials not shared with other users. AWS IAM eliminates the need to share passwords or keys, and enables you to minimize the use of your AWS Account credentials. The AWS Identity and Access Management (IAM) service provides identity federation to the AWS Management Console. Multi-factor authentication is an optional feature that a customer can utilize. Refer to the AWS website for additional details - http://aws.amazon.com/mfa. AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities (federated users) are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service). AWS supports a very important and powerful use case with AWS Identity and Access Management (IAM) roles in combination with IAM users to enable cross-account API access or delegate API access within an account. This functionality gives better control and simplifies access management when managing services and resources across multiple AWS accounts. You can enable cross-account API access or delegate API access within an account or across multiple accounts without having to share long-term security credentials. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "AWS develops and maintains customer support procedures that include metrics to verify performance. When a customer contacts AWS to report that AWS services do not meet their quality objectives, their issues are immediately investigated and, where required, commercially reasonable actions are taken to resolve them. The customer support quality system includes, but is not limited to, procedures for reviewing and evaluating customer complaints, engaging necessary internal AWS resources and teams, and communicating the final disposition of the issue back to the customer. Depending on contract requirements, AWS maintains procedures for notifying customers of customer-impacting issues using the AWS Service Health Dashboard (available at http://status.aws.amazon.com/). The AWS Service Health Dashboard publishes up-to-the-minute information on service availability, where customers can subscribe to an RSS feed to be notified of interruptions to each individual service and a full status history of each individual service health. AWS Support provides support for users of Amazon Web Services. All users have access to account and billing help in the AWS Support Center within the AWS Console. In addition, customers with some support plans have access to additional features, including AWS Trusted Advisor and an API for programmatic access to support cases and Trusted Advisor. "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:-
| ISL |
| ||
9.2 | Separation and access control within management interfaces | The Cloud Provider should:-
| AWS | "In order to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic, AWS has strategically placed a limited number of access points to the cloud. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with FIPS cryptographic requirements, the SSL-terminating load balancers in AWS GovCloud (US) are FIPS 140-2-compliant. In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices. API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by customers’ Amazon Secret Access Key, which could be either the root AWS Account’s Secret Access Key or the Secret Access key of a user created with AWS Identity and Access Management (IAM). Without access to customers’ Secret Access Key, Amazon EC2 API calls cannot be made on a customer’s behalf. In addition, API calls can be encrypted with TLS/SSL to maintain confidentiality and customers can use TLS/SSL-protected API endpoints. AWS IAM policies enable customers to further control which specific APIs an AWS IAM user has permission to call to manage a specific resource. In AWS, assuming a role is a security principle that enables the user to assign policies that grant permissions to perform actions on AWS resources. Unlike with a user account, you don’t sign in to a role. Instead, you are already signed in as a user, and then you switch to the role, temporarily giving up your original user permissions and assuming the permissions of the role. When you are done using the role, you revert to your user’s permissions again. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:-
| ISL |
| ||
10 | [End User] Identity and authentication Notes
| Two factor authentication The Cloud Provider should:-
| AWS | "AWS Identity and Access Management (IAM) provides you with controls and features to provide confidence that authenticated and authorised users have access to specified services and interfaces. AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS Account. A user is an identity (within an AWS Account) with unique security credentials that can be used to access AWS Services. AWS IAM eliminates the need to share passwords or keys, and makes it easy to enable or disable a user’s access as appropriate. AWS IAM enables you to implement security best practices, such as least privileged, by granting unique credentials to every user within your AWS Account and only granting permission to access the AWS services and resources required for the users to perform their jobs. AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted. Multi-factor authentication is an optional feature that a customer can utilize. Refer to the AWS website for additional details - http://aws.amazon.com/mfa. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
TLS client certificate The Cloud Provider should:-
| AWS | N/A - TLS client certificate not used | ||
TLS client certificate The Service User should:-
| ISL | N/A - TLS client certificate not used | ||
11 | External interface protection | The Cloud Provider should:-
| AWS | "Boundary protection devices that employ rule sets, access control lists (ACL), and configurations enforce the flow of information between network fabrics. Several network fabrics exist at Amazon, each separated by devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorisations, which exist as access control lists (ACL) which reside on these devices. These devices control the flow of information between fabrics as mandated by these ACLs. ACLs are defined, approved by appropriate personnel, managed and deployed using AWS ACL-manage tool. Amazon’s Information Security team approves these ACLs. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule-sets and access control lists are up-to-date. AWS Network Management is regularly reviewed by independent third-party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, and ISO 27001. Regular internal and external vulnerability scans are performed on the host operating system, web application and databases in the AWS environment utilizing a variety of tools. Vulnerability scanning and remediation practices are regularly reviewed as a part of AWS continued compliance with PCI DSS and FedRAMP. AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:-
| ISL |
| ||
12 | Secure service administration | The Cloud Provider should:-
| AWS | "Amazon personnel with a business need to access the management plane are required to first use multi-factor authentication, distinct from their normal corporate Amazon credentials, to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked. AWS developers and administrators on the Amazon Corporate network who need to access AWS cloud components must explicitly request access through the AWS access management system. All requests are reviewed and approved by the appropriate owner or manager. AWS employs automated mechanisms to facilitate the monitoring and control of remote access methods. Auditing occurs on the systems and devices, which are then aggregated and stored in a proprietary tool for review and incident investigation. The AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
13 | Audit information for users | The Cloud Provider should:-
| AWS | "AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to record continuously the security-related events in accordance with requirements. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events. AWS deploys monitoring devices throughout the environment to collect critical information on unauthorised intrusion attempts, usage abuse, and network and application bandwidth usage. AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams. Processes are implemented to protect audit information and audit tools from unauthorised access, modification, and deletion. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available to authorised users for inspection or analysis on demand, and in response to security-related or business-impacting events. System activities, including administrator access and approvals, are logged, retained for a defined period of time and protected from unauthorised modifications.
AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. AWS SOC reports provides additional details on the specific control activities executed by AWS to prevent unauthorised access to AWS resources. Please refer to the AWS Security & Compliance Whitepapers (available at https://aws.amazon.com/compliance/resources/), and the following AWS Audit Reports, for additional details: PCI 3.2, ISO 27001, ISO 27017, ISO 27018, SOC 2 COMMON CRITERIA, SOC 1 & 2 CONTROLS, HIPAA, NIST 800-53, C5" "Auditing for most layers and controls above the physical controls remains the responsibility of the customer. The definition of AWS-defined logical and physical controls is documented in the SOC 1 Type II report, and the report is available for review by audit and compliance teams. AWS ISO 27001 and other certifications are also available for auditors to review. Customers retain control of their own guest operating systems, software and applications and are responsible for developing logical monitoring of the conditions of these systems. In alignment with ISO 27001 standards, AWS information systems utilize internal system clocks synchronized via NTP (Network Time Protocol). AWS CloudTrail provides a simple solution to log user activity that helps alleviate the burden of running a complex logging system. Refer to aws.amazon.com/cloudtrail for additional details. AWS Cloudwatch provides monitoring for AWS cloud resources and the applications customers run on AWS. Refer to aws.amazon.com/cloudwatch for additional details. AWS also publishes our most up-to-the-minute information on service availability on the Service Health Dashboard. Refer to status.aws.amazon.com." "Customers can validate the security controls in place within the AWS environment through AWS certifications and reports, including the AWS Service Organization Control (SOC) 1, 2 and 3 reports, ISO 27001, 27017 and 27018 certifications and PCI DSS compliance reports.
Report are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports - https://aws.amazon.com/artifact/" |
The Service User should:-
| ISL |
| ||
14 | Secure use of the service | The Service User should:-
| ISL |
|
Skyline is designed and developed by Informatica