AWS Regulatory Compliance: PCI DSS, FedRAMP, ISO, SOX…

Amazon Web Services (AWS) regulatory compliance is innately a part of the powerful cloud platform. DinoCloud is a Premier AWS Partner helping companies from many industries and the public sector achieve, monitor, and maintain compliance of their systems and storage architectures with the latest PCI DSS standards.

We also guide enterprises through SSAE 18, FedRAMP, SOX, SOC 1, SOC 2, ISO 27001, and other standards. Beyond our PCI cloud compliance experts, we have a world-class team of cloud engineers at the ready to keep you on the cutting edge of compliance in the cloud.

We judge the success of our security and compliance program primarily by one thing: our customers’ success. Our goal is to achieve high marks on compliance reports for systems security, data security, and processing adeptly and efficiently. AWS not only helps you achieve compliance and offer your customers secure services and transactions, it does so innately, so that you realize savings, expedite compliance tasks, and gain scalability.

We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.

John Brady

CISO, FINRA (Financial Industry Regulatory Authority)

AWS Shared Responsibility Model

As more and more businesses move to the cloud each day, data security and regulatory compliance are critical. Enterprises are often concerned about taking their IT out of onsite or shared servers and into the cloud. But they (or you) need not fear, because the top cloud platforms, including AWS, are certified compliant with standards such as ISO, PCI DSS, and SOC 2. It is critical to note, however, that AWS provides the compliant host layer and physical infrastructure, while AWS customers are responsible for being compliant in how they utilize services, deploy applications, and store data.


One of the reasons that cloud compliance is such a concern to new adopters of the technology is that the cloud is a highly dynamic environment. Application development teams can rapidly deploy new resources and infrastructure changes. What was compliant a day (or an hour) ago may no longer be. The manual approach followed in traditional IT environments, which takes a point-in-time measure of compliance, is neither useful nor relevant in the cloud.

But AWS regulatory compliance is completely built in, giving companies the power to manage security and compliance continuously. Maintaining AWS compliance requires that teams adopt the concepts of “continuous security” and “continuous compliance”. AWS infrastructure facilitates this through utilities and tools that address security and compliance programmatically and, therefore, automatically. Cloud provider APIs make a complete paradigm shift to automated security possible. For example, AWS Config enables an enterprise to use AWS APIs to access infrastructure metadata and continuously monitor and analyze whether changes introduce compliance anomalies.

In addition to security and regulatory compliance being innately supported, your risks are reduced by moving your infrastructure to a constantly evolving and maturing data center and network architecture built to meet the requirements of the most security-sensitive organizations. Your cloud compliance is expedited because of AWS’ premier security services designed by highly-experienced engineers who stay on the pulse of security trends across the globe.

AWS cloud technology and its security innovate rapidly, continually incorporating feedback and providing more and more insight into your environment. You benefit from a highly sophisticated security architecture that scales with your business, with lower upfront expenses and operational costs than if you managed your own infrastructure.

AWS Cloud Compliance Reduces Pressure on Compliance Officers

Regulations such as PCI DSS are updated regularly and become more stringent with each revision. Globally, oversight of more and more industries is becoming commonplace, bringing hefty fines and the threat of lost customer confidence if companies fail to comply or, worse, experience security breaches. Compliance officers are tasked with immense duties to monitor and account for increasingly complex business processes and IT environments. AWS relieves much of the pressure surrounding hardware, networking, and software, as these are already in compliance. This enables compliance officers to focus on improving their organizations’ controls, auditing procedures, and compliance risk remediation projects.

In addition to the Shared Responsibility Model, AWS makes compliance a more effective and efficient process through cloud compliance services, such as AWS Artifact and AWS Config, that keep you in control.

AWS Artifact

This is the hub for AWS compliance reporting. The self-service portal offers on-demand compliance reports and online agreements for a variety of regulations:

  • SOC
  • PCI
  • Certifications such as ISO.

Inside this AWS portal, you can review, accept, and manage agreements and apply them across all your AWS accounts.

AWS Config

This is the catalyst for continuous compliance, enabling automation of your organization’s compliance needs.

It is accessed from the AWS Management Console and integrates with the Amazon Simple Notification Service (SNS) so that you receive alerts if a change introduces an issue that no longer complies with your established rules.

Combine the power of AWS Config with AWS Lambda to revert or execute future changes to ensure continual compliance.
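As an added example of the AWS Config plus Lambda pattern described above (not DinoCloud's or AWS's own code): a custom-rule Lambda that evaluates a constructed change event and returns the evaluation record AWS Config records for the resource. The check itself (EBS volumes must be encrypted at rest), the sample event, and the volume id are assumptions; the event shape, the evaluation keys, and the "TESTMODE" result token follow AWS Config's custom-rule interface.

```python
"""AWS Config custom rule that flags unencrypted EBS volumes (added example,
not DinoCloud's or AWS's code; the check and sample event are constructed)."""
import json

DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")

def evaluate_item(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    # Deleted resources must not be reported as non-compliant.
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "Resource no longer exists"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only covers EBS volumes"
    if item.get("configuration", {}).get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "Volume is not encrypted at rest"

def build_evaluation(event):
    """Convert a Config change event into the record put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_item(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    # Config sends "TESTMODE" as the token when a rule is run without recording.
    if event.get("resultToken") != "TESTMODE":
        import boto3  # available inside Lambda; not needed to run the sample
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample change notification for an unencrypted 8 GiB volume.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-0example",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False, "size": 8},
    }}),
    "resultToken": "TESTMODE",
}
```

A NON_COMPLIANT evaluation is what triggers the SNS alert, and the same event can drive a second Lambda that remediates the resource.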

AWS Regulatory Compliance Examples

PCI DSS Compliance

AWS is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment per Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). 

The Payment Card Industry Data Security Standard (PCI DSS) is a standard, not a law. It requires all organizations that handle or process payment card (bank or credit card) information to follow its guidelines. It is administered by an independent association of major payment card brands including Visa, MasterCard, American Express, and JCB.

While it is not a law, failure to adhere to these rules can result in fines from the acquiring bank, penalties such as increased transaction fees, and even termination of card processing. But worse than failing to comply with PCI DSS is having lax IT and security infrastructure or business processes that result in a data breach, leaving your company with a complete loss of trust from your customers.

HIPAA / HITECH Compliance

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are US laws that apply to healthcare providers such as doctors, hospitals, and health insurance companies. Reporting breaches is mandatory, and breaches can lead to fines, loss of customer confidence, and lawsuits.

Jointly, HIPAA and HITECH protect patients’ health information (PHI) by requiring organizations to maintain IT environments, security systems, and operational processes that prevent breaches online and offline. Data encryption is a key tool to prevent online data exposure.

If you plan to include PHI on AWS services, you must accept and manage the AWS Business Associate Addendum (AWS BAA) through AWS Artifact. Healthcare applications may use any AWS service, but only services covered by the AWS BAA can be used to store, process, and transmit PHI.

FedRAMP Compliance

The Federal Risk & Authorization Management Program (FedRAMP) applies to all US government organizations. It mandates standard approaches to security assessment and continuous monitoring for cloud products and services that are authorized for use by US government entities.

AWS has undergone an independent security assessment conducted by a third-party assessment organization to ensure that its authorizations are compliant with the Federal Information Security Management Act (FISMA).

AWS GovCloud (US) and AWS US East/West have been granted authorizations. They address the FedRAMP security controls (NIST SP 800-53), use the required FedRAMP templates for the security packages posted in the secure FedRAMP Repository, are assessed by an accredited independent third-party assessment organization (3PAO), and maintain continuous monitoring.

SOX Compliance

The Sarbanes–Oxley Act (SOX) is a US law that regulates publicly traded companies. Specifically, SOX assigns direct responsibility for accounting and financial misdeeds.

This responsibility extends to contracted third parties such as a cloud provider. That is why it is vital to choose a cloud environment that is audited under the SAS 70 or SSAE 16 auditing standards.

AWS System and Organization Controls (SOC) Reports are independent examination reports that declare how AWS achieves key compliance controls and objectives to help you and your auditors understand the AWS controls established to support operations and compliance. There are five AWS SOC Reports:

  • AWS SOC 1 Report
  • AWS SOC 2 Security, Availability & Confidentiality Report
  • AWS SOC 2 Security, Availability & Confidentiality Report (Amazon DocumentDB only)
  • AWS SOC 2 Privacy Type I Report
  • AWS SOC 3 Security, Availability & Confidentiality Report.

AWS services are designed for security and compliance

Security and compliance are built into our service development lifecycle

DinoCloud is your cloud compliance partner, working with your regulatory compliance consultant and internal organizations to help your company and its customers avoid fraud in digital transactions involving the transfer of funds, and to avoid the hefty fines and other negative consequences that come with failing to comply.
