Security and Compliance for Australia and New Zealand

Yes. At AWS, security is our highest priority. AWS has been built to be the most flexible and secure cloud computing environment available today. Our world-class core infrastructure is built to satisfy the security requirements for military, global banks, and other high-sensitivity organisations. AWS uses the same secure hardware and software to build and operate each of our regions, so all of our customers benefit from the only commercial cloud that has had its service offerings and associated supply chain vetted and accepted as secure enough for top-secret workloads. This is backed by a deep set of cloud security tools, with more than 230 security, compliance, and governance services and key features.

There are hundreds and thousands of active customers using AWS services in Australia and New Zealand each month, including those running highly secure workloads on AWS. Some examples include the Commonwealth Bank of Australia (CBA), the National Bank of Australia (NAB), Bank of New Zealand, nib insurance, the Commonwealth Scientific Industrial Research Organisation (CSIRO), Origin Energy, Trustpower, Telstra, Vodafone New Zealand, Australian Securities and Investments Commission (ASIC), New Zealand Ministry of Health, and the Australian Taxation Office (ATO).

Further to this, 97 AWS services have been assessed at PROTECTED level, the highest Australian government data classification attainable for public cloud services.

Security and compliance is a shared responsibility between AWS and the customer. AWS is responsible for the security and compliance 'of' the cloud, and implements security controls to secure the underlying infrastructure that runs the AWS services and hosts and connects customer resources.AWS customers are responsible for security of their applications 'in' the cloud and should determine, design, and implement the appropriate security controls based on the sensitivity of their data, their security and compliance needs, and the AWS services they select.

We are committed to providing access to the latest information and training materials to educate our customers on best practices of security in the cloud.

The CLOUD Act does not grant law enforcement agencies unfettered access to data stored in the cloud. The CLOUD Act’s scope is to enable U.S. law enforcement to seek evidence about U.S. crimes, namely, a crime affecting a U.S. citizen or a crime committed in the United States. AWS also provides industry leading encryption and key management services that give our customers a range of options to encrypt data, and to manage encryption/decryption keys. Content that has been encrypted is rendered useless without the applicable decryption keys. As with all services built on AWS, the customer always owns and controls the data.

AWS data centres are secure by design and our controls make that possible. Before AWS builds a data centre, we spend countless hours considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risk. To help customers to fulfill their own audit and regulatory requirements, AWs provides insight into some of our physical and environmental controls here.

AWS does not access or use customer content for any purpose without a customer’s consent. AWS never uses customer content or derives information from it for marketing or advertising. Customers maintain full control of their content and responsibility for configuring access to AWS services and resources. AWS provides an advanced set of access, encryption, and logging features to help customers do this effectively. We provide Application Programming Interfaces (APIs) for customers to configure access control permissions for any of the services they develop or deploy in an AWS environment.

AWS will not move or replicate customer content of the customers’ chosen AWS Region(s) without their consent, except in each case as necessary to comply with the law or a binding order of a governmental body. AWS customers choose the AWS Region(s) in which their content is stored and the type of storage. Customers can replicate and back up their content in more than one AWS Region.

The rapid increase in work from home arrangements has forced companies and consumers to quickly adopt new technologies, placing pressure on organisations to ensure that they are still meeting their security requirements, with less time to review technology. The introduction of new technology systems is also driving an increased focus on training and security within organisations.

Many of our customers have also shared with us that moving their workforce to home for the first time has blended consumer technologies with corporate data; for companies that didn’t already have virtual desktop infrastructure or widely rolled out corporate laptops (or corporate images on personal devices), some parts of the workforce have had to share computers with children going to school online. This increased the need to focus on more of the workforce being located outside the traditional network boundary and decide how to handle the access to data from a wider range of devices and locations.

We are committed to helping organisations understand the best and most secure ways to use cloud technology, and ensure they have the right security posture and processes in place to maintain the highest security standards.

AWS customers inherit the latest security controls operated by AWS, strengthening their own compliance and certification programs, while also receiving access to tools they can use to reduce time to run their own specific security assurance requirements. These measures include:

• Control. Customers have ownership and control over their content through simple, powerful tools that enable them to determine where their content will be stored, secure their content in transit and at rest, and manage user access to their AWS services and resources.
• Strong encryption. AWS has industry leading encryption services that give customers a range of options to encrypt data in-transit and at rest, and to manage encryption and decryption keys – because encrypted content is rendered useless without the applicable decryption keys.
• Compliance programs. AWS supports more security standards and compliance certifications than any other offering, including IRAP, PCI-DSS, HIPAA/HITECH, GDPR, FIPS 140-2, and NIST 800-171, helping satisfy compliance requirements for virtually every regulatory agency around the globe, including in Australia and New Zealand. 
• Contractual protections. AWS never accesses or uses customer content for any purpose except as agreed by customers.
• Information request safeguards. AWS will not disclose customer content unless required to do so to comply with the law or a binding order of a government body. When AWS receives a request for data, we have tools to challenge it and a long track record of doing so. AWS will give customers reasonable notice of any government requests to disclose their content to allow them to seek a protective order or other appropriate remedy, unless AWS is legally prohibited from doing so. AWS informs customers about the types and volume of information requests we receive.
  

AWS is an enabler and driver of economic growth, but we aren’t just helping organisations to innovate and grow, we are helping them build skills and capability to keep up with change and help ensure they maintain the highest levels of security in the cloud.

Recent research commissioned by AWS and conducted by AlphaBeta also reveals cybersecurity will be one of the top five in demand skills across Asia-Pacific by 2025. The new AWS Security and Privacy Knowledge Hub for Australia and New Zealand is part of our ongoing commitment to invest in education and initiatives that support our customers, partners, and industry to improve their skills so they can unlock the full potential of the cloud. The new AWS Security and Privacy Knowledge Hub for Australia and New Zealand is all about building knowledge, capability, and security skills through local information, expert advice, and practical resources.

AWS is committed to addressing the skills gap in Australia and New Zealand and continues to provide individuals and organisations the latest in education and training for individuals to develop and enhance their security skills and address critical cybersecurity needs in their organisations. AWS Training and Certification offers over 40 courses, self-paced labs, an AWS Certified Security – Specialty certification, and other resources to raise everyone’s security competence in IT and security departments. These training offerings are designed for a broad range of learners, such as DevOps engineers, cloud architects, solutions architects, developers, compliance personnel, auditors, IT business analysts, or existing security engineers looking to improve their knowledge.

Given that customers maintain control of their content when using AWS, customers retain the responsibility to monitor their own environment for privacy breaches and to notify regulators and affected individuals as required under applicable law. Only the customer is able to manage this responsibility.

Customers can also choose to leverage AWS Identity Services, enabling them to securely manage identities, resources, and permissions at scale. For applications running on AWS, customers can use fine-grained access controls to grant employees, applications, and devices the access they need to AWS services and resources within easily deployed governance guardrails. AWS Identity Services provide flexible options for where and how customers manage employee, partner, and customer identities – authentication is performed outside of AWS and customers are responsible for monitoring the use of their identity providers.

Additionally, recent amendments to both the Australian and New Zealand Privacy Acts introduced notifiable privacy breach schemes. These schemes aim to give affected individuals the opportunity to take steps to protect their personal information following a privacy breach.

AWS offers both Australian Notifiable Data Breaches (ANDB) and New Zealand Notifiable Data Breach (NZNDB) addenda to customers who are subject to these Privacy Acts and are using AWS to store and process personal information covered by these privacy breach schemes. These addenda address customers’ need for notification if a security event affects their data. These addenda are offered as two types, either account-only (i.e., applying to a specific AWS account) or AWS Organization (i.e., applying to the management and all member accounts in an AWS Organization).

These addenda are available online as click-through agreements in AWS Artifact, which is a customer-facing audit and compliance portal that can be accessed from the AWS Management Console. In AWS Artifact, customers can review and activate the relevant addendum for those AWS accounts used to store and process personal information covered by these privacy breach schemes.