AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices – Application in the Cloud

The Motion Picture of America Association (MPAA) has established a set of best practices for Application and Cloud/Distributed Environment Security Guidelines. For additional information on MPAA content security best practices refer to: http://www.fightfilmtheft.org/best-practice.html. Media companies can utilize these best practices as a way to assess risk and audit the security of their content management. The table below documents AWS alignment with the MPAA Content Security Model Guidelines released March 17, 2015. For additional information, a reference to AWS third-party audited certifications and reports is provided. In alignment with the MPAA Content Security Best Practices, AWS has mapped the ISO 27002 and NIST 800-53 controls.

Table columns: Security Topic | No. | Best Practice | AWS Implementation | AWS SOC | ISO 27002 | AWS PCI | NIST 800-53 v.3.1 Rev4. Each security topic below lists its best practices by number, followed by the AWS implementation and the mapped controls.

Security Topic: Development Lifecycle

AS-1.0  Build security into the entire Systems/Software Development Lifecycle (SDLC).
AS-1.1  Test security across the entire application and infrastructure.
AS-1.2  Perform fuzz testing and defect remediation to discover security loopholes in software, operating systems or networks by massive inputting of random data to the system in an attempt to make it crash (e.g., buffer overflow, cross-site scripting, denial of service attacks, format bugs, SQL injection).
AS-1.3  Perform bug tracking and defect remediation in conjunction with extensive black box testing, beta testing, and other proven debugging methods.
AS-1.4  Provide training and user guides on additions and changes to the application.

AWS Implementation: AWS applies a systematic approach to managing changes to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved. AWS's change management procedures have been developed in alignment with the ISO 27001 standard. The AWS SOC 1 Type 2 report provides details on the specific control activities executed by AWS.

AWS SOC: SOC1 6.1, 6.3, 6.4, 6.5, 6.6
ISO 27002: 12.5, 14.1
AWS PCI: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6
NIST 800-53 v.3.1 Rev4: SA-3, SA-4, SA-8, SA-11, SA-12

Security Topic: Authentication & Access

AS-2.0  Implement secure authentication.
AS-2.1  Register user devices.
AS-2.2  Implement secure password recovery.
AS-2.3  Follow the principle of least privilege.
AS-2.4  Implement controls to prevent brute force attacks.
AS-2.5  Implement and document a process to secure key / cryptographic storage and ensure ongoing secure management.
AS-2.6  Enable an auto-expiration setting to expire all external links to content after a user-defined time.
AS-2.7  Use human verification tools such as CAPTCHA or reCAPTCHA with web applications.
AS-2.8  Provide clients with the ability to limit the number of times an asset may be downloaded or streamed by a particular user.
AS-2.9  Confirm the upload and download of all content and critical assets.
AS-2.10 Include a brief message on mobile applications to remind users to enable device passwords and to enable remote wipe and device location software.

AWS Implementation: Unique user identifiers are created as part of the onboarding workflow process in the AWS human resources management system. The device provisioning process helps ensure unique identifiers for devices. Both processes include manager approval to establish the user account or device. Initial authenticators are delivered to users in person, and to devices as part of the provisioning process. Internal users can associate SSH public keys with their account. System account authenticators are provided to the requestor as part of the account creation process after the identity of the requestor is verified. The minimum strength of authenticators is defined by AWS, including password length, complexity, age and content requirements, along with the SSH key minimum bit length. The AWS password policy and its implementation are reviewed by independent third party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS SOC: SOC1 2.1, 2.2, 2.3, 2.4, 2.5, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8
ISO 27002: 9.1, 9.2, 9.3, 9.4
AWS PCI: 7.1, 8.1, 8.2
NIST 800-53 v.3.1 Rev4: AC-2, AC-3, AC-6, AC-7, AC-8, AC-14, IA-5, IA-6, IA-8
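AS-2.6, AS-2.8 and AS-2.9 together describe a content link that expires, stops working after a set number of downloads, and leaves a confirmation record. The following is an added example of one way to implement that, not code from the page or from AWS: an HMAC-signed link checked for signature, expiry and download count. The signing key, host name, download cap and in-memory stores are placeholders; a real service would keep the counters and audit records server-side.

```python
"""Expiring, download-limited content links (AS-2.6, AS-2.8, AS-2.9)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-rotate-in-production"  # placeholder secret
MAX_DOWNLOADS = 3  # assumed per-link cap (AS-2.8)
_downloads = {}    # (asset, user, expires) -> count; stands in for a server-side store
_audit_log = []    # one record per successful download, confirming it (AS-2.9)


def _sign(asset, user, expires):
    """Bind asset, recipient and expiry together so none can be edited in the URL."""
    msg = f"{asset}|{user}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(asset, user, ttl_seconds, now=None):
    """Return a link that stops working ttl_seconds after issue (AS-2.6)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"asset": asset, "user": user, "expires": expires,
                       "sig": _sign(asset, user, expires)})
    return f"https://content.example.invalid/download?{query}"


def redeem_link(url, now=None):
    """Return (ok, reason). Signature is checked first, then expiry, then the cap."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        asset, user, expires, sig = q["asset"], q["user"], int(q["expires"]), q["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(asset, user, expires)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    key = (asset, user, expires)
    if _downloads.get(key, 0) >= MAX_DOWNLOADS:
        return False, "download limit reached"
    _downloads[key] = _downloads.get(key, 0) + 1
    _audit_log.append({"event": "download", "asset": asset, "user": user, "at": now})
    return True, "ok"
```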
Security Topic: Secure Coding and Systems

AS-3.0  Perform penetration testing / web application security testing prior to production deployment, and at least quarterly thereafter. Validate vulnerabilities were remediated with a retest.
AS-3.1  Perform vulnerability testing at least quarterly.
AS-3.2  Utilize cookies in a secure manner, if they need to be used.
AS-3.3  Validate user input and implement secure error handling.
AS-3.4  Implement secure logging procedures.
AS-3.5  Implement an SIEM (Security Information Event Management System) to aggregate and analyze the disparate logs.
AS-3.6  Encrypt all content and client data at rest.
AS-3.7  Encrypt all content and client data in transit.
AS-3.8  Implement controls for secure session management.
AS-3.9  Implement controls to prevent SQL injection.
AS-3.10 Implement controls to prevent unvalidated URL redirects and forwards.
AS-3.11 Implement controls to prevent connections from anonymity networks (e.g., Tor, Freenet, Netshade), if possible.
AS-3.12 Implement controls to prevent IP address leakage.
AS-3.13 Implement controls to prevent XSS (Cross-site scripting).
AS-3.14 Allow senders the option to include session-based forensic (invisible) watermarking for content.
AS-3.15 Implement a formal, documented content / asset lifecycle.

AWS Implementation: AWS provides customers the ability to use their own encryption mechanism for nearly all services, including S3, EBS and EC2. VPC sessions are also encrypted. Internally, boundary protection devices that employ rule sets, access control lists (ACL), and configurations enforce the flow of information between network fabrics. Several network fabrics exist at Amazon, each separated by devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as access control lists (ACL) residing on these devices. These devices control the flow of information between fabrics as mandated by these ACLs. ACLs are defined, approved by appropriate personnel, managed and deployed using the AWS ACL-manage tool. Amazon's Information Security team approves these ACLs. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date. AWS Network Management is regularly reviewed by independent third party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected. Regular internal and external vulnerability scans are performed on the host operating system, web application and databases in the AWS environment utilizing a variety of tools. Vulnerability scanning and remediation practices are regularly reviewed as a part of AWS continued compliance with PCI DSS and FedRAMP.

AWS SOC: SOC1 3.4, 3.6, 10.4
ISO 27002: 8.1, 8.2, 8.3, 10.1, 12.2, 12.6, 13.1, 13.2
AWS PCI: 1.2, 1.3, 1.4, 5.1, 5.2, 5.3, 10.6, 11.1, 11.2, 11.3
NIST 800-53 v.3.1 Rev4: AC-18, AU-5, CA-3, CA-9, SC-15, SC-18, SC-19, SC-32, SC-7, SI-10, SI-11, SI-2, SI-3, SI-4, SI-8
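The AWS implementation above leaves AS-3.6 and AS-3.7 (encryption at rest and in transit) to the customer's own mechanisms on services such as S3. As an added example, not from the page or from AWS, the block below builds the S3 bucket policy a content owner would attach to enforce both, and includes a deliberately simplified evaluator covering only the two condition operators the policy uses, so the reader can see which requests each Deny statement catches. The bucket name is a placeholder; the evaluator ignores Resource matching and is not a substitute for IAM's own logic.

```python
"""S3 bucket policy enforcing TLS-only access (AS-3.7) and server-side encryption on
upload (AS-3.6), plus a simplified check of which requests the Deny statements hit."""
import json

BUCKET = "example-studio-content"  # placeholder bucket name


def encryption_policy(bucket):
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # AS-3.7: refuse any request that did not arrive over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # AS-3.6: refuse uploads that do not ask for server-side encryption
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def policy_json(bucket):
    """The document as you would paste it into the bucket-policy editor."""
    return json.dumps(encryption_policy(bucket), indent=2)


def _condition_matches(cond, ctx):
    """Only the Bool and Null operators used above are modelled; IAM has many more."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":   # missing key never matches a Bool test
                if have is None or str(have).lower() != want:
                    return False
            elif op == "Null":  # "true" means: matches when the key is absent
                if (have is None) != (want == "true"):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def denied_by(policy, action, ctx):
    """Sids of Deny statements matching the request; an explicit Deny always wins."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a in ("s3:*", action) for a in actions):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits
```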
Security Topic: Organization & Management

CS-1.0  Compliance with the MPAA Content Best Practices Common Guidelines is required. Where stronger controls exist within the Application Security and Cloud/Distributed Environment Guidelines, the stronger policy will prevail.
CS-1.1  Perform a third party security audit at least once per year (e.g., SSAE 16 Type 2, SOC 1, ISO 27000/27001, MPAA).
CS-1.2  Document and implement security and privacy policies that are aligned with security industry frameworks for Information Security Management (e.g., ISO-27001, ISO-22307, CoBIT).
CS-1.3  Document and implement information security baselines for every component of the infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.).
CS-1.4  Document and implement personnel security procedures that align with the organization's current information security procedures.
CS-1.5  Require all employees, contractors, and third parties to sign confidentiality / non-disclosure agreements when going through the onboarding process.
CS-1.6  Document and implement procedures for conducting security due diligence when offloading functionality or services to a third party.
CS-1.7  Document and implement segregation of duties for business critical tasks.
CS-1.8  Provide clients with information regarding locations for their content and data.
CS-1.9  Develop a documented procedure for responding to requests for client data from governments or third parties.
CS-1.10 Establish policies and procedures for labeling, handling, and securing containers that contain data and other containers.
CS-1.11 Establish procedures for the secure deletion of content/data, including archived and backed-up content/data.
CS-1.12 Establish, document and implement scenarios to clients in which client content/data may be moved from one physical location to another.
CS-1.13 Establish, document and implement additional key management features, controls, policies and procedures.
CS-1.14 Train personnel regarding all policies and procedures.
CS-1.15 Establish a process to notify clients when material changes are made to security/privacy policies.
CS-1.16 Plan, prepare and measure the required system performance to ensure acceptable service levels.
CS-1.17 Develop and maintain additional requirements for incident response and immediate notification to the client in the event of any unauthorized access to systems or content.

AWS Implementation: AWS has an established information security organization managed by the AWS Security team and led by the AWS Chief Information Security Officer (CISO). AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training includes the following topics: the purpose of security and awareness training, the location of all AWS policies, and AWS incident response procedures (including instructions on how to report internal and external security incidents).

Systems within AWS are extensively instrumented to monitor key operational and security metrics. Alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key metrics. When a threshold is crossed, the AWS incident response process is initiated. The Amazon Incident Response team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operates 24x7x365 coverage to detect incidents and manage the impact to resolution.

AWS roles and responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

AWS SOC: SOC1 1.1, 1.2; SOC2 9.3, 9.4, 9.8, 10.1, 10.3, 10.4
ISO 27002: 5.1, 6.1
AWS PCI: 1.1, 1.5, 2.5, 3.1, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1, 8.4, 8.8, 9.10, 10.8, 11.6, 12.1, 12.3, 12.4
NIST 800-53 v.3.1 Rev4: AC-1, AC-18, AC-19, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SC-1, SI-1
Security Topic: Operations

CS-2.0  Secure datacenter utilities services and environmental conditions.
CS-2.1  Ensure the data center has appropriate perimeter and physical security controls.
CS-2.2  Develop, document and maintain additional requirements for business continuity planning.
CS-2.3  Develop, document and maintain additional change and configuration controls.
CS-2.4  Maintain a complete inventory of all critical assets, including ownership of the asset.
CS-2.5  Maintain an inventory of all critical supplier relationships.
CS-2.6  Develop and maintain service level agreements (SLAs) with clients, partners, and service providers.

AWS Implementation: Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in the AWS centralized physical security monitoring tool if a door is forced open or held open. In addition to electronic mechanisms, AWS data centers utilize trained security guards 24x7, who are stationed in and around the building. All alarms are investigated by a security guard, with root cause documented for all incidents. All alarms are set to auto-escalate if response does not occur within the SLA time.

Physical access points to server locations are recorded by closed circuit television cameras (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations. AWS physical security mechanisms are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

AWS SOC: SOC1 5.1, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11, 5.12, 10.4
ISO 27002: 11.1, 11.2, 11.5
AWS PCI: 1.1, 1.5, 2.5, 3.1, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1, 8.4, 8.8, 9.2, 9.4, 9.10, 10.8, 11.6, 12.1, 12.3
NIST 800-53 v.3.1 Rev4: PE-1, PE-18, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8, PE-9, PL-8, PS-1
Security Topic: Data Security

CS-3.0  Implement a process to provide all relevant logs requested for good cause to clients in a format that can be easily exported from the platform for analysis in the event of a security incident.
CS-3.1  Consider providing the capability to use system geographic location as an additional authentication factor.
CS-3.2  Provide the capability to control the physical location/geography of storage of a client's content/data, if requested.
CS-3.3  Establish procedures to ensure that non-production data is not replicated to production environments.
CS-3.4  Establish, document and implement a published procedure for exiting the service arrangement with a client, including assurance to sanitize all computing systems of client content/data once the client contract has terminated.
CS-3.5  Establish and document policies and procedures for secure disposal of equipment, categorized by asset type, used outside the organization's premises.
CS-3.6  Implement a synchronized time service protocol (e.g., NTP) to ensure all systems have a common time reference.
CS-3.7  Design and configure network and virtual environments to restrict and monitor traffic between trusted and untrusted connections.
CS-3.8  Design, develop and deploy multi-tenant applications, systems, and components such that client content and data is appropriately segmented.
CS-3.9  Use secure and encrypted communication channels when migrating physical servers, applications, and content data to/from virtual servers.
CS-3.10 Implement technical measures and apply defense-in-depth techniques (e.g., deep-packet analysis, traffic throttling, black-holing) for detection and timely response to network-based attacks associated with unusual ingress/egress traffic patterns (e.g., NAC spoofing and ARP poisoning attacks and/or DDOS attacks).
CS-3.11 Establish and document controls to secure virtualized environments.

AWS Implementation: Boundary protection devices are configured in a deny-all mode. Boundary protection devices that employ rule sets, access control lists (ACL), and configurations enforce the flow of information between network fabrics. These devices are configured in deny-all mode, requiring an approved firewall set to allow for connectivity. Refer to DS-2.0 for additional information on management of AWS network firewalls.

There is no inherent e-mail capability on AWS assets and port 25 is not utilized. A customer (e.g., studio, processing facility, etc.) can utilize a system to host e-mail capabilities; however, in that case it is the customer's responsibility to employ the appropriate levels of spam and malware protection at e-mail entry and exit points and to update spam and malware definitions when new releases are made available. Amazon assets (e.g., laptops) are configured with anti-virus software that includes e-mail filtering and malware detection.

AWS network firewall management and Amazon's anti-virus program are reviewed by independent third party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS SOC: SOC1 3.1, 3.2, 3.3, 3.5, 3.6, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 10.4
ISO 27002: 11.2, 12.1
AWS PCI: 1.1, 1.2, 1.3, 1.4, 6.4, 10.4, 12.5
NIST 800-53 v.3.1 Rev4: AC-3, AC-4, AC-5, AU-8, CA-3, CA-9, CM-6, CM-7, SC-19, SC-5, SC-7, SI-4