User Group Security Best Practices

Transcription

1 User Group 2015 Security Best Practices

2 Presenters Steve Kelley, COO 31 years experience building and managing operations and service delivery organizations in industrial robotics, medical devices, software development and IT services consulting businesses. Steve has extensive experience in networking, quality assurance, software development, disaster recovery services, and project management. He has worked with FDA GMP/GCP, FDA 21 CFR 820, SOX/SSAE16, FISMA, and HIPAA regulatory environments. Steve and Rob have worked together for over 20 years in several successful entrepreneurial ventures. Glen Balestrieri, Director of Managed Services With 26 years of management experience in Information Technology and Direct Sales allows, Glen is directly responsible for regulatory compliance, information systems security, systems engineering, systems maintenance and customer service. Glen holds a degree from American International College, with concentrations in networking, Linux, and Microsoft systems.

3 Security Best Practices Session Directives To discuss the security, speed and usability of the PopMedNet Private Cloud hosted at Lincoln Peak Partners. Session length is minutes including introductions, overview, presentation and Q&A. Q&A session will start 15 minutes before session ending

4 Presentation Overview In this presentation we will discuss: Securing the cloud. The Infrastructure behind the curtain Encryption systems in play, both at rest and in transit Compliance and what that means to PopMedNet Redundancy Application Data Flow and its Security

5 PMN Infrastructure and Security

6 Code Security Assessment

7 July 2, 2015 In June of 2015, Pivot Point Security conducted a static code review of Lincoln Peak Partner s PopMedNet applications as part of their software assurance process to provide assurance that the source code follows secure coding practices. Our code review methodology follows the testing approach recommended by the OWASP Application Security Verification Standard (ASVS). Findings are mapped to both the OWASP Top 10 and the Common Weakness Enumeration (CWE) project. We determined that the applications are secured in a manner consistent with secure coding practices and on par with similar applications that we have tested. While we did not identify any critical vulnerabilities during our testing, we did identify two areas of concern. After reviewing the issues with Lincoln Peak Partners, they indicated that these issues are actually mitigated by outside controls. Pivot Point Security has been architected to provide maximum levels of independent and objective information security expertise to our varied client base. The team responsible for conducting security assessments of this nature is led by a Certified Information Security Auditor/IRCA ISO Auditor and includes personnel appropriately qualified to render this opinion (e.g., Certified Information System Security Professionals, Microsoft Certified System Engineers, Certified Ethical Hackers, etc.) John Verry, CLA/CISA/CRISC Principal Enterprise Security Consultant

8

9 Security Overview Examples Redundant Firewalls Intrusion Detection Systems 24/7 Live Monitoring and Response Endpoint Security Antivirus and Malware Encryption in Use, at Rest and in Transit Vulnerability Scans Manual and Automatic Weekly Log File Auditing Third Party Pen Testing

10

11 Application Redundancy Lincoln Peak Partners FISMA Compliant Private Cloud Block Diagram MDPHnet / PopMedNet Users SSL Remote VPN Access INTERNET Admins SSL Remote VPN AccessLincoln Peak 10Mbps Commit (Burstable GB Segment) SSL/TLS SSL/TLS 1Mbps Commit (Burstable GB Segment) Dulles Vault DC Lincoln Peak Primary Phoenix DC Disaster Recovery Site Cold or Warm available SSL VPN Site to Site Tunnel Asynchronous Replication on Carpathia Backbone with RPO=15 minutes Lincoln Peak Partners partners with Carpathia Hosting to provide high reliability, secure managed services solution. Lincoln Peak is certified FISMA compliant and in process on SAS-70/SSAE-16. Carpathia Hosting is FISMA, SAS-70/SSAE-16, and SysTrust certified.

12 Backup with Redundancy Backup Policies Lincoln Peak Standard Operation Policy Backup and retention outlines the follow in the flow chart. Redundant backups assure your data remains intact during crisis situations. Lincoln Peak recognizes the need to customize policies for each individual customer. We can provide the flexibility you need to feel secure. All database backup are encrypted at rest and all data is encrypted in transit. This is an automated and monitored process.

13 Response Internet https/tls Ask a question Overview of Data Flow Investigators End User Web Browser https/tls Internet Ask a question Firewall VLAN 1 Response PMN Single Sign On Option PopMedNet Portal https/tls Ask a question https/tls Data Provider Data Mart Administrators Web Browser Administrators Firewall Firewall PMN Web Service https/tls 1.2 https/tls 1.2 VLAN 2 PMN Database Carpathia Hosting Firewall Firewall Response Internet DataMart Desktop Client Model Adaptors

14 User Group 2015 Security Best Practices