Explore the challenges and benefits of security and compliance in the cloud, and learn how to build trust, evaluate cloud providers, and ensure regulatory compliance. Discover key controls and responsibilities, as well as the importance of routine reviews and certifications.
Compliance in the Cloud
Jake Gibson, MBA, CISSP, CISM, CISA

Security and Compliance in the Cloud
• Why is this scary?
• What are the concerns?
• Bad experiences?
• Good experiences?
• Can we avoid it?

TRUST
• How do we build trust?
• Be aware of the pros/cons
• Validate (tours, compliance reports, TPRM)
• Clear roles and responsibilities
• SLA reviews
• Ongoing process; TPRM is routine

Cloud Refresher
• Private Cloud vs Public Cloud
• What are the primary differences?
• What are the use cases surrounding each?
• What security & compliance factors should you take into account when evaluating the right cloud for your business?

Cloud Refresher
• On Premise
• Bare Metal
• Dedicated Infrastructure
• Shared Infrastructure
• PaaS/IaaS
• Biggest differences are Roles & Responsibilities
Resolving Ambiguity
(chart: which party, Cloud Provider or Cloud Customer, owns each control layer under each service model; columns: SaaS, PaaS, IaaS, On Prem; rows: Policies/Awareness Training, Client and End Point Controls, Application Security, Operating System Security, Host/Storage Infrastructure, Network Controls, Physical Security)
A bit about regulated industries
• HIPAA
• PCI-DSS
• SOX
• GDPR
• NERC
• FISMA
• How does this impact your cloud service provider decisions?

Diving into Cloud Controls: Physical
• Visitor Validation/Entry
• Multi-Factor Authentication
• Video Surveillance
• Natural Disaster Protection
• Power/Environmental
• Example: Proximity Cards / Cloning

Diving into Cloud Controls: Network
• Firewall
• IDS/IPS
• MDR
• DDoS Protection
• Segmentation
• Example: Target, lack of proper network segmentation

Diving into Cloud Controls: Hypervisor
• Isolation
• Logical Access
• Patch Management
• Host-Level Controls
• Example: Meltdown and Spectre

Diving into Cloud Controls: Logical
• Identity and Access Management
• Multi-Factor Authentication
• SIEM
• Example: Failure to disable/review access permissions

Diving into Cloud Controls: Administrative
• Background Checks
• Security Awareness Training
• Technical Training
• ITSM (ITIL) Processes
• Example: Misconfigurations and Phishing (https://www.ibm.com/security/resources/xforce/xfisi/)
But it all depends
(chart repeated: which party, Cloud Provider or Cloud Customer, owns each control layer under each service model; columns: SaaS, PaaS, IaaS, On Prem; rows: Policies/Awareness Training, Client and End Point Controls, Application Security, Operating System Security, Host/Storage Infrastructure, Network Controls, Physical Security)
Questions to Ask a Potential Cloud Provider
• What regulations are you compliant with?
• Are you compliant, or certified/audited?
• Example: Client bounce
• Do you allow clients to tour your facility?
• Can I see where my data is?
• What is your breach notification policy?
• Have you ever had a breach?
• Do you offer a point of contact for security & compliance questions?
• How do you assist clients when they are going through an audit?

Key Roles & Responsibilities to Identify with a Cloud Provider
• Who does what?
• What am I still on the hook for?
• Where does the line get drawn?
• Does it change for different services? (IaaS, PaaS, SaaS, etc.)
• Always get it in writing (SLA, MSA, etc.)

The Importance of Routine Reviews
• Things change.
• Regular reviews are essential.
• Does your provider allow it?
• Many regulations are calling for this.
• Increasingly stringent requirements around TPRM
• Frequency is key.
• 3rd party audit assessments are a great place to start.
Information Security Management System (ISMS)
• LightEdge’s overall security program
• Includes policies, procedures, and baseline security controls
• Internationally recognized
• Industry independent
• Maps to NIST 800-53 well
• Certificate provided to clients

Service Management System (SMS)
• LightEdge’s ITIL program
• Includes policies & procedures
  • Change Management
  • Configuration Management
  • Incident Response
  • Capacity Management
  • Document & Record Management
  • And more…
• Internationally recognized
• Industry independent
• Certificate provided to clients

SSAE 18 SOC 1, 2, & 3
• Articulates information about LightEdge’s control environment
  • Financial (SOC 1)
  • Security
  • Availability
  • Integrity
  • Confidentiality
  • Privacy
• Detailed 3rd party attestation of controls and compliance
• Widely accepted across many industries
• Reports provided to clients

PCI DSS 3.2
• Audit of payment card industry information security requirements
• Includes LightEdge information security controls
• Some controls remain the client’s responsibility
• Required by businesses accepting or processing credit cards
• Report provided to clients

HIPAA AT 101 Attestation Report
• Independent audit of:
  • HIPAA Security Rule
  • HITECH Breach Notification Requirements
• Includes LightEdge information security controls
• Some controls remain the client’s responsibility
• Required by healthcare industry
• Report provided to clients

Colocation • Private Cloud • Enterprise Cloud • Managed Services
Building Blocks to Successful IT Security
• VALIDATION
• ASSISTANCE
• TRUST
• COMPLIANCE

How we Build Trust
1. The most secure data centers around
• Multiple locations with high-speed interconnectivity
• Comprehensive information security management system
• 24x7x365 video surveillance with archival footage
• Physical separation options available
• Multi-factor biometric authentication

How we Maintain Compliance
2. Data centers that comply with top industry standards & global regulations
• Rigorous regulatory compliance programs
• Internationally recognized security controls
• Third-party audited facilities
• Validation through annual audit reports

How we Achieve Validation
3. We live by the motto “Trust, but verify.”
• Third party audit reports provided to clients
• Thorough physical tours for clients to witness safeguards firsthand

How we Offer Assistance
4. Direct access to the CSO/CCO
• Trusted advisor willing to spend time with clients to talk through:
  • Gap Analysis
  • Auditor questions
  • Facility tours
  • Compliance control mapping
  • Security best practices