Page 2

Disclaimer

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, EGESTALT TECHNOLOGIES INC. PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESSED OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT BE APPLICABLE IN SUCH CIRCUMSTANCES.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of egestalt Technologies, Inc., except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, via electronic, mechanical, or otherwise, without the prior written consent of authorized personnel of egestalt Technologies Inc. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

Information about and around HIPAA and HITECH continues to evolve and the information here is subject to change. This information is provided as is and without warranty. While every effort has been made to ensure that the information presented is correct, no such assurances are offered. HIPAA/HITECH rules and regulations are subject to many different interpretations and are subjective. You should not rely on this information solely for auditing or legal purposes, but simply use it as a means to raise your awareness. We are not legal subject matter experts and advise you to consult with your own legal counsel, auditors or advisors. Changes are periodically made to the information herein, which may contain inaccuracies or typographical errors. These changes may be incorporated in new editions of this document. Changes or improvements may be made to the software described in this document at any time.

2012 egestalt Technologies Inc., all rights reserved.

CONTENT OUTLINE

Background ... 3
Cloud Security ... 3
Instance Isolation ... 4
SecureGRC Application Security ... 5
Access Control ... 5
Instance Isolation ... 5
Customer data protection ... 5
Security policies and strategies ... 6
Summary ... 6

Page 3

Security elements in SecureGRC

Background

Cloud technology is the result of a powerful imagination. For businesses trying to leverage IT services, moving to the cloud is more or less inevitable because of its cost efficiencies, ease of management and the separation of responsibilities between the business and the cloud services provider. Cloud infrastructure has been a very attractive proposition to enterprises small and large, given the features that cloud infrastructure providers offer today. But cloud security is sometimes raised as a matter of concern. Therefore, when egestalt took its information security and compliance services to the cloud, it made sure that the SecureGRC services were offered only after thorough due diligence, to ensure complete privacy and security for the customers, partners and businesses using the cloud-based services. While SecureGRC was designed and built with the security architecture enmeshed in the application architecture, it was equally important to identify and host the services in a cloud infrastructure that would meet SecureGRC's intense security requirements.

SecureGRC is a service offered by egestalt Technologies for effectively managing information security through appropriate governance, risk management and compliance solutions. SecureGRC supports HIPAA/HITECH compliance and PCI DSS, and its framework provides an easy interface for adding any other regulation or standard. The service is offered from the cloud on a Software-as-a-Service model. This whitepaper details the secure components built into the product. If you are concerned about how safe it is to depend on cloud infrastructure to safeguard your security posture and compliance information, this whitepaper addresses exactly those concerns.

Cloud Security

egestalt decided to host SecureGRC services on AWS (Amazon Web Services) after diligent evaluation of the secure infrastructure deployed by AWS, as egestalt's compliance services need to be built on a strong foundation of confidentiality, integrity and availability.

Why AWS cloud infrastructure? AWS is compliant with various certifications and third-party attestations such as SOC 1/SSAE 16/ISAE 3402 (replacing the earlier SAS 70 Type II), SOC 2, PCI DSS Level 1, ISO 27001 and FISMA. The flexibility and customer control that the AWS platform provides permit the deployment, on AWS, of solutions that meet industry-specific certification requirements, such as healthcare applications that measure compliance with the HIPAA/HITECH Security and Privacy Rules or the Payment Card Industry Data Security Standard (PCI DSS), or a wide range of other compliance regulations and standards such as FISMA, COBIT and ISO 27K. With Amazon's many years of experience in designing, constructing and operating large-scale data centres throughout the world, its infrastructure

and the location are accessible within Amazon only to those who have a legitimate business need for such access. A variety of physical barriers in these data centres further ensure that only authorized access takes place. AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for its services. Amazon Web Services has successfully completed SOC 1/SSAE 16/ISAE 3402 (replacing the earlier SAS 70 Type II) and SOC 2 audits, which certify that a service organization has had an in-depth audit of its controls. Security exception monitoring mechanisms provide adequate protection for SecureGRC against Distributed Denial of Service (DDoS) attacks, man-in-the-middle (MITM) attacks, IP spoofing, unauthorized port scanning, packet sniffing, etc. Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage. AWS provides a highly scalable, reliable and inexpensive data storage infrastructure that offers dependable backup solutions.

Instance Isolation:

The AWS architecture enables its customers to use a single code base with dynamic virtual partitioning of the system. The information is virtually partitioned in the cloud; virtual partitioning isolates the data of each customer and makes the data easier to manage. To ensure the privacy and security of each client's data on our cloud services, different instances running on the same physical machine are isolated from each other by the Xen hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, so an instance's neighbours have no more access to that instance than any other host on the Internet, and they can be treated as if they were on separate physical hosts. Physical RAM is separated using similar mechanisms.

Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, ensuring that one customer's data is never unintentionally exposed to another.

Page 5

SecureGRC Application Security

Access Control:

The innovative and granular access controls (Label-Based and Role-Based Access Control) give end users control over protecting their data. The LBAC model applies labels (Access Domain and Access Level) to users to define which account/customer the user can access. The RBAC model applies roles to users, so that access to any feature or data in the system is based on the role defined in the system. All interactions and user/client identification take place over SSL/HTTPS. The password policy enforced follows de facto industry usage, with password expiry, strength and validation built in.

Instance Isolation:

The multi-tenant architecture of SecureGRC™ enables customers and partners to use a single code base with dynamic virtual partitioning of the system. The information is virtually partitioned in the cloud; virtual partitioning isolates the data of each customer and makes the data easier to manage. SecureGRC customer data is held in a database and spread across multiple tables. Database access is restricted to the Database Administrator. Virtual partitioning is implemented using role-based and label-based access control.

Customer data protection

SecureGRC cloud services cover information relating to accounts and processes, regulatory controls or standards mapped to different clients, the password policy, user management accounts, role-based module access rights, assessment templates and the associated response data and documentary attachments, data reviewed by auditors, and assessment data such as gaps identified and corrective steps undertaken.

A Keystore is installed on SecureGRC to encrypt files. A Keystore is a database of keys in which private keys have an associated certificate chain that authenticates the corresponding public key. A Keystore also contains certificates from trusted entities. Separate Keystores are used in the Quality Assurance, Development and Production environments. The Keystore file is password protected and is changed programmatically every few months, which ensures absolute security of the data.

Data sent from the customer premises to the cloud is encrypted using 3-DES symmetric encryption. The types of files that are encrypted include evidence files, security scan outputs, security scan configuration XML, policy files not supplied out of the box by SecureGRC, and customer- or partner-uploaded documents. With client- and server-side authentication, the data in transit is secure. SecureGRC tokenizes all individually identifiable data of customers. The tokenization information is segregated from the actual data so as to make it

practically impossible for anyone to make sense of the data outside of SecureGRC's programmatically implemented access control mechanism. SecureGRC customer data in the cloud is secured using state-of-the-art encryption mechanisms. Vulnerability scan data and all other security-related data in the file system are encrypted as part of secure storage. A SecureGRC customer may use a separate, customer-specific key to encrypt all of their data, for which a new Keystore is generated for 3-DES symmetric encryption. The customer Keystore is password protected and is not stored in SecureGRC. {This is a feature under development and will be available in a future release.}

In the cloud, the data is not accessible to egestalt employees or to the cloud service provider's personnel. Only the Production Operations Admin or the Database Admin has access to the SecureGRC server or database, and no one else has access to customer data. Each customer's data is completely isolated from every other customer's. The cloud provider's strong security measures, as explained above, provide a strong and secure framework. Secured continuous replication of the data ensures data persistence.

Security policies and strategies:

After the initial User ID creation and password generation, a customer who logs into SecureGRC with the assigned password is required to change the password before proceeding further with the services. When attending to reported bugs, the egestalt support team is allowed access to your data only on your written authorization, and you do not give them your User ID or password; instead, after you log in, the team analyses the data or the bug. All such activities are logged so that activity on SecureGRC can be monitored. Because access to the different modules in SecureGRC is role-based, access to the various modules is highly restricted. This ensures the integrity and confidentiality of data. Access to dashboards and reports on information security and compliance is strictly limited on a need-to-know basis.

Summary

Cloud technology is the result of a powerful imagination. Cloud infrastructure has been a very attractive proposition to enterprises small and large, given the features that cloud infrastructure providers offer today. But cloud security is a concern that holds them back from quickly adopting cloud services. Therefore, when egestalt took its information security and compliance services to the cloud, it made sure that the SecureGRC services were offered only after thorough due diligence. While SecureGRC was designed and built with the security architecture enmeshed in the application architecture, it was equally important to identify and host the services in a cloud infrastructure that would meet SecureGRC's intense security requirements.
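The Access Control and Instance Isolation sections above describe virtual partitioning of one shared database through Label-Based (Access Domain, Access Level) and Role-Based access control. The following is an added illustration of that model, not SecureGRC's own code; the role names, permission strings, level ordering and sample tenants are all constructed assumptions.

```python
from dataclasses import dataclass
# RBAC: each role grants "feature:action" permissions (constructed names).
ROLE_PERMISSIONS = {
    "auditor": {"assessments:read", "reports:read"},
    "customer_admin": {"assessments:read", "assessments:write", "users:manage"},
    "partner": {"assessments:read"},
}
# LBAC: Access Levels ordered from least to most sensitive.
LEVELS = {"internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    access_domains: frozenset  # Access Domain label: accounts this user may see
    access_level: str          # Access Level label

@dataclass(frozen=True)
class Record:
    record_id: str
    domain: str   # owning account/customer
    level: str    # sensitivity of the record
    feature: str  # module that owns it, e.g. "assessments"
    payload: str

class Denied(Exception):
    pass

def authorize(user, record, action):
    """Raise Denied unless both the user's labels and role permit the access."""
    if record.domain not in user.access_domains:          # LBAC: Access Domain
        raise Denied(f"{user.name}: {record.domain} outside domain label")
    if LEVELS[user.access_level] < LEVELS[record.level]:  # LBAC: Access Level
        raise Denied(f"{user.name}: level {user.access_level} below {record.level}")
    if f"{record.feature}:{action}" not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Denied(f"{user.name}: role {user.role} lacks {record.feature}:{action}")

class TenantStore:
    """One table shared by all tenants; partitioning comes only from authorize()."""
    def __init__(self):
        self._rows = {}
    def put(self, record):
        self._rows[record.record_id] = record
    def read(self, user, record_id):
        record = self._rows[record_id]
        authorize(user, record, "read")   # every read passes the label+role gate
        return record.payload
    def can_read(self, user, record_id):
        try:
            self.read(user, record_id)
            return True
        except Denied:
            return False
    def visible_ids(self, user):
        # What a tenant "sees" is the filtered view, never the raw table.
        return sorted(r for r in self._rows if self.can_read(user, r))

# Constructed sample tenants, users and records (not real customers).
STORE = TenantStore()
STORE.put(Record("gap-1", "acme-clinic", "confidential", "assessments", "HIPAA gap: no BAA"))
STORE.put(Record("gap-2", "bay-dental", "confidential", "assessments", "PCI gap: weak TLS"))
STORE.put(Record("rpt-1", "acme-clinic", "restricted", "reports", "Board risk report"))
ACME_AUDITOR = User("alice", "auditor", frozenset({"acme-clinic"}), "confidential")
PARTNER = User("pat", "partner", frozenset({"acme-clinic", "bay-dental"}), "restricted")
```

The auditor is stopped by the domain label on the other tenant's row and by the level label on the restricted report, while the partner, whose labels cover both tenants, is stopped on the report by the role check alone.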
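The Customer data protection section states that individually identifiable data is tokenized and that the tokenization information is kept segregated from the actual data, reachable only through the access control mechanism. The following is an added example of that segregation, not egestalt's implementation; the field names, the token format and the sample row are constructed.

```python
import secrets

class TokenVault:
    """Token <-> value map, kept in a store separate from the application data."""
    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Same value always yields the same token so rows can still be joined;
        # the token itself is random and carries no information about the value.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(12)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token, authorized):
        # The only way back to the value runs through the access-control gate.
        if not authorized:
            raise PermissionError("detokenize refused: caller not authorized")
        return self._by_token[token]

PII_FIELDS = {"patient_name", "ssn", "email"}  # constructed list of identifier fields

def store_record(vault, record):
    """Return the row as the application database holds it: identifiers replaced by tokens."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}

def fetch_record(vault, stored, authorized):
    """Resolve tokens back to values, or raise if the caller is not authorized."""
    return {k: vault.detokenize(v, authorized) if k in PII_FIELDS else v
            for k, v in stored.items()}

def fetch_or_none(vault, stored, authorized):
    try:
        return fetch_record(vault, stored, authorized)
    except PermissionError:
        return None

# Constructed sample: one assessment row that contains identifiers.
VAULT = TokenVault()
SAMPLE = {"patient_name": "Jane Doe", "ssn": "123-45-6789", "finding": "No BAA on file"}
STORED = store_record(VAULT, SAMPLE)
```

Someone who obtains the application database alone sees only the non-identifying finding and opaque tokens; the vault holding the mapping is a separate store behind its own gate.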

Page 7

egestalt Technologies Inc.
Headquarters: 3080 Olcott Street, Suite #200-B, Santa Clara, California 95054
Phone: +1 (408) 689 2586
info@egestalt.com

About egestalt Technologies Inc.: egestalt Technologies is a world-class, innovation-driven leader in cloud-computing-based business solutions for information security and IT-GRC management. egestalt is headquartered in Santa Clara, California, and has offices throughout the US, Asia-Pacific and the Middle East. To learn more about SecureGRC versions from egestalt and how we can help you protect your healthcare-related organization, visit http://www.egestalt.com, call us at +1-(408)-689-2586, or email sales@egestalt.com.

egestalt SecureGRC was given a rating of 4.5 stars (out of a maximum 5), with 5 stars for Features, Support and Value for Money, by SC Magazine in June 2012. In Feb. 2012 egestalt President Anupam Sahai was named a Channel Chief by Everything Channel's CRN. egestalt has been ranked in the Top 10 Vendors for Compliance Management and Data Access & Security by Hypatia Research, Q4 2011. egestalt was nominated Breakthrough Technology Vendor at XChange Americas, Aug. 2010, and selected by SiliconIndia among the "Top 10 Security Companies to Watch." egestalt's SecureGRC application was voted runner-up in the Managed Services Category at XChange Tech Innovators, Nov. 2010. In Sept. 2011 it was selected by Everything Channel as a 2011 CRN Emerging Technology Vendor as well as a 2011 Tech Innovator for Managed Services. For the second year in a row, egestalt Technologies (www.egestalt.com), a provider of IT security monitoring and compliance management for SMBs and enterprises, was selected by UBM Channel and CRN as a 2012 Emerging Technology Vendor.

To learn more about Aegify Security Posture Management and Aegify SecureGRC compliance management tools from egestalt and how we can help you protect your organization, visit http://www.egestalt.com, call us at +1-(408)-689-2586, or email sales@egestalt.com.