How does AWS support businesses' regulatory compliance requirements?

AWS works with certifying organizations and independent auditors to provide customers with information regarding the policies, processes and controls it has established and performs.

What help does AWS provide its customers in today's complex regulatory environment, with its ever-increasing number of regulations? Just as operating an IT environment is shared between AWS and its customers, so is satisfying regulatory compliance requirements. AWS manages the controls associated with the physical infrastructure, hardware and virtualization layer of the AWS environment, controls that the customer previously managed itself in its on-premises data center. The customer remains responsible for the controls above that layer: the configuration of its operating systems and applications, identity and access management, protection of its data, and the logging and evidence needed to demonstrate those controls to its own auditors.

AWS works with certifying organizations and independent auditors to provide customers with information regarding the policies, processes and controls established and performed by AWS. For example, customers can process, maintain and store protected health information in the AWS environment as part of meeting their obligations under the Health Insurance Portability and Accountability Act (HIPAA); HIPAA compliance itself remains the responsibility of the covered entity or business associate, not the cloud provider. AWS provides a whitepaper, Creating HIPAA-Compliant Medical Data Applications with AWS, that outlines how customers can use AWS to help satisfy their HIPAA regulatory compliance requirements.

For industry standards such as the PCI Data Security Standard (PCI DSS), AWS complies with the set of controls important to companies (its customers) that handle payment card data; the customer is still responsible for the PCI DSS controls that apply to its own applications and cardholder data environment. With respect to Federal Information Security Management Act (FISMA) requirements, AWS implements a wide range of the specific controls required of U.S. government agencies. In addition to standards for health, payment card and government information, AWS supports a number of other regulatory and industry compliance standards, listed below, and informs its customers about the nature of the controls and security processes it has in place to help them meet those standards' requirements.

FedRAMP (Federal Risk and Authorization Management Program) -- Requires cloud service providers to undergo an independent security assessment against a standardized baseline of NIST SP 800-53 controls before they are authorized to host federal government data.

FIPS 140-2 (Federal Information Processing Standard Publication 140-2) -- Specifies the security requirements for cryptographic modules that protect sensitive information. Validation is granted to a specific cryptographic module (a particular library, appliance or hardware security module), not to a service as a whole, so a customer should confirm which components of a service are actually validated.

FISMA (Federal Information Security Management Act) -- Requires that all federal agencies document and implement controls for IT systems that support their operations and assets.

DIACAP (Department of Defense [DoD] Information Assurance Certification and Accreditation Process) -- A process for implementing information assurance controls and providing certification and accreditation for all DoD information systems. It has since been superseded by the DoD Risk Management Framework (RMF), which is likewise built on NIST SP 800-53.

HIPAA (Health Insurance Portability and Accountability Act) -- Requires covered entities (healthcare providers, health plans and clearinghouses) and their business associates to meet specific baseline administrative, physical and technical safeguards when handling electronic protected health information.

SOX (Sarbanes-Oxley Act) -- Requires publicly traded corporations to maintain internal controls over financial reporting and to have them independently audited, so that reported information gives a true representation of the corporation's financial position.

ISO 27001 (International Organization for Standardization 27001) -- An information security management system standard that is intended to bring information security under explicit management control.

ITAR (International Traffic in Arms Regulations) -- A regulation that requires companies subject to ITAR export controls to prevent unintended exports by restricting access to protected data to U.S. persons and restricting the physical location of that data to the U.S.

PCI DSS Level 1 (Payment Card Industry Data Security Standard Level 1) -- PCI DSS is a set of worldwide security standards for merchants and service providers that store, transmit or process cardholder data. Level 1 is not a separate standard but the highest compliance tier, which requires an annual on-site assessment by a Qualified Security Assessor (QSA).

SOC 1 (Service Organization Controls 1) -- An attestation report, issued under the AICPA's SSAE standards as the successor to SAS 70, on the controls at a service organization that are relevant to its customers' financial reporting.

SOC 2 -- Allows an independent auditor to provide an opinion on a service organization's controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy. The detailed report is normally shared with customers under a non-disclosure agreement.

SOC 3 -- A general-use, publicly distributable summary of the SOC 2 opinion that assures users about the controls at a service organization without disclosing the detailed control descriptions and test results.

CSA (Cloud Security Alliance) -- Provides a standard way, through its Consensus Assessments Initiative Questionnaire (CAIQ), to reference and document the security controls that exist in AWS' IaaS offerings so that customers can compare them against their own requirements.

MPAA (Motion Picture Association of America) -- Publishes a set of best practices for securely storing, processing and delivering protected media and content. It is guidance rather than a certification; studios and their vendors assess their own alignment with it.

In addition to supporting the standards above, AWS has created the AWS GovCloud (US) Region, which is designed to let U.S. government agencies and customers move sensitive workloads into the cloud by addressing their specific regulatory compliance requirements. The region is operated to meet ITAR restrictions (access limited to U.S. persons, data kept within the U.S.) and FedRAMP requirements.

Bill Claybrook is a marketing research analyst who has more than 35 years of experience in the computer industry, the last dozen years in Linux, open source and cloud computing. Bill was research director for Linux and open source at The Aberdeen Group in Boston and a competitive analyst and Linux product marketing manager at Novell. He is currently president of New River Marketing Research and Directions on Red Hat. He holds a doctorate in computer science.
