
Compliance in the Cloud Jake Gibson MBA, CISSP, CISM, CISA

Explore the challenges and benefits of security and compliance in the cloud, and learn how to build trust, evaluate cloud providers, and ensure regulatory compliance. Discover key controls and responsibilities, as well as the importance of routine reviews and certifications.



Presentation Transcript


  1. Compliance in the Cloud Jake Gibson MBA, CISSP, CISM, CISA

  2. Security and Compliance in the Cloud • Why is this scary? • What are the concerns? • Bad experiences? • Good experiences? • Can we avoid it?

  3. TRUST • How do we build trust? • Be aware of the pros/cons • Validate (tours, compliance reports, TPRM) • Clear roles and responsibilities • SLA Reviews • Ongoing process, TPRM is routine

  4. Cloud Refresher • Private Cloud vs Public Cloud • What are the primary differences? • What are the use cases surrounding each? • What security & compliance factors should you take into account when evaluating the right cloud for your business?

  5. Cloud Refresher • On Premise • Bare Metal • Dedicated Infrastructure • Shared Infrastructure • PaaS/IaaS • Biggest differences are Roles & Responsibilities

  6. Resolving Ambiguity (matrix slide)
     Columns (service models): SaaS • PaaS • IaaS • On Prem
     Rows (control layers): Policies/Awareness Training • Client and End Point Controls • Application Security • Operating System Security • Host/Storage Infrastructure • Network Controls • Physical Security
     Legend: Cloud Provider • Cloud Customer

  7. A bit about regulated industries • HIPAA • PCI-DSS • SOX • GDPR • NERC • FISMA • How does this impact your cloud service provider decisions?

  8. Diving into Cloud Controls • Physical • Visitor Validation/Entry • Multi-Factor authentication • Video Surveillance • Natural Disaster Protection • Power/Environmental • Example: Proximity Cards / Cloning

  9. Diving into Cloud Controls • Network • Firewall • IDS/IPS • MDR • DDoS Protection • Segmentation • Example: Target, lack of proper network segmentation

  10. Diving into Cloud Controls • Hypervisor • Isolation • Logical Access • Patch Management • Host-Level Controls • Example: Meltdown and Spectre

  11. Diving into Cloud Controls • Logical • Identity and Access Management • Multi-Factor Authentication • SIEM • Example: Failure to disable/review access permissions
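As an added illustration of the "Failure to disable/review access permissions" example (this is not code from the presentation or from LightEdge), the following Python script runs a routine entitlement review over a constructed account export. The record layout, the role names treated as privileged, the HR-roster flag and the 90-day inactivity threshold are all assumptions; a real review would read the identity provider's export and the HR feed instead of the inline sample.

```python
"""Periodic access review: flag accounts that should have been disabled or re-reviewed.

Added example, not part of the presentation. The Account layout, role names,
HR 'employed' flag and 90-day threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

# Role names assumed to grant privileged access (placeholder naming).
PRIVILEGED_ROLES = {"admin", "owner", "security-admin"}
STALE_DAYS = 90  # assumed review threshold for inactive accounts


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool                 # account can authenticate
    employed: bool                # still on the HR roster (assumed HR feed)
    last_login: Optional[date]    # None = never logged in
    roles: Tuple[str, ...]        # assigned roles / group memberships
    mfa: bool                     # multi-factor authentication enrolled


def review_accounts(accounts: Sequence[Account], today: date,
                    stale_days: int = STALE_DAYS) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every control failure detected.

    Findings are emitted in a fixed order per account so output is stable
    and can be diffed between review cycles.
    """
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # Joiner/mover/leaver failure: the user left but the account still works.
        if a.enabled and not a.employed:
            findings.append((a.user, "enabled-after-departure"))
        # Dormant account: never used, or unused beyond the review threshold.
        if a.enabled and (a.last_login is None
                          or (today - a.last_login).days > stale_days):
            findings.append((a.user, "stale"))
        # Privileged access without MFA (the slide's MFA control).
        if a.enabled and PRIVILEGED_ROLES & set(a.roles) and not a.mfa:
            findings.append((a.user, "privileged-without-mfa"))
        # Disabled accounts should also be stripped of entitlements,
        # otherwise re-enabling them silently restores old access.
        if not a.enabled and a.roles:
            findings.append((a.user, "disabled-but-holds-roles"))
    return findings


# Constructed sample export (not real data).
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2024, 6, 28), ("admin",), True),   # healthy
    Account("bob", True, False, date(2024, 3, 1), (), True),             # left the company
    Account("carol", True, True, None, ("owner",), False),               # never used, no MFA
    Account("dave", False, False, date(2023, 1, 1), ("admin",), False),  # disabled, still an admin
]


def run_sample_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample; used by the demo below."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user:8s} {finding}")
```

Each finding maps back to a control on the slide: "enabled-after-departure" and "stale" are the leaver and dormancy checks a periodic permission review exists to catch, "privileged-without-mfa" covers the MFA control, and "disabled-but-holds-roles" catches the common case where an account is switched off but its entitlements are never removed. Running the review on a schedule and diffing the output against the previous cycle is the operational part of the "review access permissions" control.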

  12. Diving into Cloud Controls • Administrative • Background Checks • Security Awareness Training • Technical Training • ITSM (ITIL) Processes • Example: Misconfigurations and Phishing https://www.ibm.com/security/resources/xforce/xfisi/

  13. But it all depends (matrix slide)
     Columns (service models): SaaS • PaaS • IaaS • On Prem
     Rows (control layers): Policies/Awareness Training • Client and End Point Controls • Application Security • Operating System Security • Host/Storage Infrastructure • Network Controls • Physical Security
     Legend: Cloud Provider • Cloud Customer

  14. Questions to Ask a Potential Cloud Provider • What regulations are you compliant with? • Are you compliant or certified/audited? • Example: Client bounce • Do you allow clients to tour your facility? • Can I see where my data is? • What is your breach notification policy? • Have you ever had a breach? • Do you offer a point of contact for security & compliance questions? • How do you assist clients when they are going through an audit?

  15. Key Roles & Responsibilities to Identify with a Cloud Provider • Who does what? • What am I still on the hook for? • Where does the line get drawn? • Does it change for different services? (IaaS, PaaS, SaaS, etc.) • Always get it in writing (SLA, MSA, etc.)

  16. The Importance of Routine Reviews • Things change. • Regular reviews are essential. • Does your provider allow it? • Many regulations are calling for this. • Increasingly stringent requirements around TPRM • Frequency is key. • 3rd party audit assessments are a great place to start.

  17. Information Security Management System (ISMS)
     • LightEdge’s overall security program
     • Includes policies, procedures, and baseline security controls
     • Internationally recognized
     • Industry independent
     • Maps to NIST 800-53 well
     • Certificate provided to clients

     Service Management System (SMS)
     • LightEdge’s ITIL program
     • Includes policies & procedures
       • Change Management
       • Configuration Management
       • Incident Response
       • Capacity Management
       • Document & Record Management
       • And more…
     • Internationally recognized
     • Industry independent
     • Certificate provided to clients

     SSAE 18 SOC 1, 2, & 3
     • Articulates information about LightEdge’s control environment
       • Financial (SOC 1)
       • Security
       • Availability
       • Integrity
       • Confidentiality
       • Privacy
     • Detailed 3rd party attestation of controls and compliance
     • Widely accepted across many industries
     • Reports provided to clients

     PCI DSS 3.2
     • Audit of payment card industry information security requirements
     • Includes LightEdge information security controls
     • Some controls remain the client’s responsibility
     • Required by businesses accepting or processing credit cards
     • Report provided to clients

     HIPAA AT 101 Attestation Report
     • Independent audit of:
       • HIPAA Security Rule
       • HITECH Breach Notification Requirements
     • Includes LightEdge information security controls
     • Some controls remain the client’s responsibility
     • Required by healthcare industry
     • Report provided to clients

     Colocation / Private Cloud / Enterprise Cloud / Managed Services

  18. Building Blocks to Successful IT Security VALIDATION ASSISTANCE TRUST COMPLIANCE

  19. How we Build Trust • 1. The most secure data centers around • Multiple locations with high-speed interconnectivity • Comprehensive information security management system • 24x7x365 video surveillance with archival footage • Physical separation options available • Multi-factor biometric authentication

  20. How we Maintain Compliance • 2. Data centers that comply with top industry standards & global regulations • Rigorous regulatory compliance programs • Internationally recognized security controls • Third-party audited facilities • Validation through annual audit reports

  21. How we Achieve Validation • 3. We live by the motto “Trust, but verify.” • Third party audit reports provided to clients • Thorough physical tours for clients to witness safeguards firsthand

  22. How we Offer Assistance • 4. Direct access to the CSO/CCO • Trusted advisor willing to spend time with clients to talk through: • Gap Analysis • Auditor questions • Facility tours • Compliance control mapping • Security best practices
