
Frequently Asked Questions About Compliance in the AWS Cloud

Post Syndicated from Chad Woolf original https://blogs.aws.amazon.com/security/post/Tx2M9XYV2FNQ483/Frequently-Asked-Questions-About-Compliance-in-the-AWS-Cloud

Every month, AWS Compliance fields thousands of questions about how to achieve and maintain compliance in the cloud. Among other things, customers are eager to take advantage of the cost savings and security at scale that AWS offers while still maintaining robust security and regulatory compliance. Because regulations across industries and geographies can be complex, we thought it might be helpful to share answers to some of the frequently asked questions we hear about compliance in the AWS cloud, as well as to clear up potential misconceptions about how operating in the cloud might affect compliance.

Is AWS compliant with [Program X]?

Context is required to answer this question. In all cases, customers operating in the cloud remain responsible for complying with applicable laws and regulations, and it is up to you to determine whether AWS services meet applicable requirements for your business. To help you make this determination, we have enacted assurance programs across multiple industries and jurisdictions to inform and support AWS customers. We think about these assurance programs across the following three broad categories.

1. Certifications and attestations

Compliance certifications and attestations (evidence showing that something is true) are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.

Assurance programs in this category include:

2. Laws and regulations

AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Agreement) to support customer compliance. Requirements under applicable laws and regulations may not be subject to certification or attestation.

Assurance programs in this category include:

3. Alignments and frameworks

Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.

Requirements under specific alignments and frameworks may not be subject to certification or attestation; however, some alignments and frameworks are covered by other compliance programs (for instance, NIST guidelines can be mapped to applicable FedRAMP security baselines).

Assurance programs in this category include:

How does AWS separate the responsibilities that they cover from the ones I still need to maintain around my compliance program?

AWS operates on the AWS Shared Responsibility Model. While AWS manages security of the cloud, customers remain responsible for compliance and security in the cloud. You retain control of the security you choose to implement to protect your content, platform, applications, systems, and networks, and you are responsible for meeting specific compliance and regulatory requirements.

Learn more about the AWS Shared Responsibility Model by watching the following video.

What’s an example of an AWS community focused on compliance?

AWS recently released a publicly available GitHub repository for AWS Config Rules. All members of the AWS community can contribute to this repository to help make effective and useful Config Rules. You can tap into the collective ingenuity and expertise of the entire AWS community to automate your compliance checks. For more information, see Announcing the AWS Config Rules Repository: A New Community-Based Source of Custom Rules for AWS Config.

What is AWS’s formal security incident response plan?

AWS’s formally documented incident response plan addresses purpose, scope, roles, responsibilities, and management commitment. It has been developed in alignment with ISO 27001 and NIST 800-53 standards. AWS has implemented the following three-phased approach to incident management:

  1. AWS detects an incident.
  2. Specialized teams address the incident.
  3. AWS conducts a postmortem and deep root-cause analysis of the incident.

Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS incident management program is reviewed by independent external auditors during audits of AWS’s SOC, PCI DSS, ISO 27001, and FedRAMP compliance.

How often does AWS issue SOC reports and when does the next one become available?

AWS issues two SOC 1 and SOC 2 reports covering 6-month periods each year (the first report covers October 1 through March 31, and the other covers April 1 through September 30). There are many factors that play into the release date of the report, but we target early May and early November each year to release new reports. Our downloadable AWS SOC 3 Report is issued annually and is released along with the May SOC 1 and SOC 2 reports.

Please contact us with questions about using AWS products in a compliant manner, or if you’d like to learn more about compliance in the cloud, see the AWS Cloud Compliance website.

– Chad

To Serve Users

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2014/05/14/to-serve-users.html

(Spoiler alert: spoilers regarding a 1950s science fiction short story that you may
not have read appear in this blog post.)

Baker announced
today that Mozilla Corporation (or maybe Mozilla Foundation? She doesn’t
really say…) will begin implementing proprietary software by default
in Firefox at the behest of wealthy and powerful media companies.
Baker argues this serves users: that Orwellian phrasing caught
my attention most.

image from Twilight Zone Episode, To Serve Man, showing the book with the alien title on the front and its translation.

In the old science
fiction story, To Serve Man
(which was later adapted for
The Twilight Zone), aliens come to earth and freely share
various technological advances, and offer free visits to the alien world.
Eventually, the narrator, who remains skeptical, begins translating one of
their books. The title is innocuous, and even well-meaning: To Serve Man. Only
too late does the narrator realize that the book isn’t about service to
mankind, but rather — a cookbook.

It’s in the same spirit that Baker seeks to serve Firefox’s users
up on a platter to the MPAA, the RIAA, and like-minded wealthy for-profit
corporations. Baker’s only defense appears to be that other browser
vendors have done the same, and she specifically cites for-profit companies such as
Apple, Google, and Microsoft.

Theoretically speaking, though, the Mozilla Foundation is supposed to be a
non-profit charity which told the IRS
its charitable purpose was:
to keep the Internet a universal platform that is accessible by anyone
from anywhere, using any computer, and … develop open-source
Internet applications. Baker fails to explain how switching Firefox to
include proprietary software fits that mission. In fact, with a bit of
revisionist history, she says that open source was merely an
“approach” that Mozilla Foundation was using, not their

Of course, Mozilla Foundation is actually a thin non-profit shell wrapped
around a much larger entity called the Mozilla Corporation, which is a for-profit
company. I have always been dubious about this structure,
and actions like this make it obvious that “Mozilla”
is focused on being a for-profit company, competing with other for-profit
companies, rather than a charity serving the public (at least, in the way
that I mean “serving”).

Meanwhile, I greatly appreciate that various Free Software communities
maintain forks and/or alternative wrappers around many web browser
technologies, which, like Firefox, succumb easily to for-profit corporate
control. This process (such as Debian’s iceweasel fork and GNOME’s
epiphany interface to Webkit) provides a nice “canary in the
coal mine” to confirm there is enough software-freedom-respecting code
still released to make these browsers usable by those who care about
software freedom and reject the digital restrictions management that
Mozilla now embraces. OTOH, the one item that Baker is right about: given
that so few people oppose proprietary software, there soon may not be much
of a web left for those of us who stand firmly for software freedom.
Sadly, Mozilla announced today their plans to depart from curtailing that
dystopia and will instead help accelerate its onset.

Related Links:

comment on Gerv’s blog post, which criticizes this one.
condemnation of Mozilla’s support of DRM