AWS Security Certifications
Amazon Web Services (AWS) is an established cloud provider with a variety of cloud services and hundreds of thousands of cloud customers. Alongside specific administrative and technical configuration or services, such as the Dash HIPAA compliance automation platform, organizations can use AWS for compliant workloads.
As one of the first movers in public cloud, Amazon has many established Compliance Programs that cover a wide range of national and global cybersecurity and administrative frameworks. Amazon Web Services holds a number of security certifications from third-party, independent auditors (such as SOC reports and ISO standards), as well as alignments to further frameworks (such as HIPAA and GDPR) that have no formal certification.
AWS Client Security
AWS customers are able to take advantage of the established security standards that Amazon has already put into place. Since the cloud provider takes care of many of the physical safeguards required by HIPAA and other frameworks, organizations do not need to worry about physical server security or data center employee access when they enter into certain arrangements with Amazon. This allows teams to focus on product development and to build and scale services easily.
At the same time, most major cloud providers, including AWS, follow a shared responsibility model for security and compliance in the cloud. This means that both AWS and its customers are responsible for specific security safeguards when building applications and managing compliant workloads in the cloud.
Certifications and Attestations
AWS has the following compliance certifications and attestations, each assessed by a third-party, independent auditor and resulting in a certification, audit report, or attestation of compliance:
Organizations are able to utilize the full suite of Amazon Web Services infrastructure to build applications and manage data in a manner that is compliant with the above frameworks. AWS customers remain responsible for specific framework controls, such as organizational policies and technical implementation.
Laws and Regulations
For certain laws and regulations, AWS offers security features, enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) for supporting customer compliance.
The following laws and regulations have no formal certification available for cloud service providers within their legal and regulatory domains, but compliance can be supported by entering into certain agreements and implementing specific Amazon security features:
- Argentina Data Privacy
- IRS 1075
- My Number Act [Japan]
- U.K. DPA – 1988
- VPAT / Section 508
- Privacy Act [Australia]
- Privacy Act [New Zealand]
- PDPA – 2010 [Malaysia]
- PDPA – 2012 [Singapore]
- PHIPA [Ontario, Canada]
- PIPEDA [Canada]
- Spanish DPA Authorization
For these laws and regulations, organizations must read Amazon's guidelines and utilize the services and protections dictated by AWS agreements and regulatory requirements.
For example, HIPAA has no official certification, but AWS provides a Business Associate Agreement (BAA) that clarifies security responsibilities and lists HIPAA-eligible services. It is the cloud customer's responsibility to follow this BAA and manage their own responsibilities in order to remain compliant with HIPAA.
Building an Internal Security Program
Built-in security programs from Amazon Web Services give organizations a strong starting point for building around compliance and regulatory frameworks. Ultimately, it is up to the organization to build and maintain a Security Plan that maps to the applicable security frameworks, employee workflows, and technologies of the organization.
Organizations should write administrative policies that define standard operating procedures and proper controls for their security frameworks. More importantly, administrative policies should be understandable and actually followed by the security team and staff. Dash allows organizations to build customized administrative policies based on security best practices and the team's own structure.
Technical controls need to be implemented to match specific security frameworks and regulations. For regulations such as HIPAA/HITECH, this means organizations must configure AWS services or appropriate solutions for requirements including audit logging, disaster recovery, and vulnerability scanning. By establishing sound DevOps practices or utilizing the Dash platform, customers can automate technical compliance controls and continually monitor their cloud environment.