Compliance and Cloud Computing

Compliance and Cloud Computing
Balaji Palanisamy, Director, Southwest US, Coalfire Systems, Inc.
July 24, 2014

Agenda
- Introduction
- Cloud Computing Basics
- Cloud Computing Threats
- Security vs. Compliance
- Practical insights into the provider's world
- Working Models for Cloud Adoption
- Summary
- Q&A

Coalfire Systems
Coalfire offers demonstrated leadership in the key areas of IT Governance, Risk & Compliance (GRC) auditing, assessment and validation for PCI, HIPAA, ISO, FFIEC, FedRAMP, and NERC, with offices across the U.S. and U.K.
We're hiring: http://www.coalfire.com/careers/openings

Why is Cloud Computing relevant to you?
The adoption of Cloud computing is definitely on the rise, according to:
- Gartner: http://www.gartner.com/newsroom/id/2613015
- Forrester: https://www.forrester.com/benchmark+your+enterprise+cloud+adoption/fulltext/-/e-res117042
- 451 Research: https://451research.com/images/stories/marketing/press_releases/cloud_wave_5_press_release_final.pdf

Why is Cloud Computing relevant to you?
The Federal Government (http://cloud.cio.gov/document/federal-cloud-computing-strategy): "To harness the benefits of cloud computing, we have instituted a Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments."
Texas Government (http://governor.state.tx.us/news/press-release/15826/): "Gov. Rick Perry today gave the keynote address at the Richardson Chamber of Commerce's Annual Meeting, and announced the state is investing $2.45 million through the Texas Enterprise Fund (TEF) in the Virtual Computing Environment Company (VCE) for the creation of a corporate headquarters in Richardson. This investment is expected to create at least 434 local jobs and generate an estimated $35 million in capital investment."

Why is Cloud Computing relevant to you?
The adoption of Cloud Computing is definitely on the rise, and we (Information Security professionals) need to prepare ourselves to:
- gain competence and practical exposure to these environments;
- analyze risks that are unique to the world of Cloud Computing; and
- guide and influence Cloud adoption within your organizations.

Cloud Computing Basics

Cloud Computing Basics: What is Cloud Computing?
According to NIST 800-145: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud Computing Basics
[Image courtesy: cloudsecurityalliance.org]

Cloud Computing Basics: Five (5) Essential Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Cloud Computing Basics: Four (4) Deployment Models
- Private
- Public
- Community
- Hybrid

Cloud Computing Basics: Three (3) Service Models
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)

Cloud Computing Models: Service Models - Security Based on Span of Control
[Image courtesy: pcisecuritystandards.org]

Cloud Computing Models: Real World Scenarios
- Managed Services, e.g. Physical Security, Patch Management, Anti-Virus Management, Firewall Management
- Extending in-house infrastructure, e.g. Database Management, Network Monitoring, Batch Scheduling
- (X) as a Service, e.g. Identity, Storage, Encryption
- Chaining of providers, e.g. AirBnB (Travel), NetFlix (Entertainment)
- Operational Challenges: Upgrades, Migrations, Disaster Recovery

Cloud Computing Threats

Cloud Computing Threats: The Cloud Security Alliance Notorious Nine
1. Data Breaches [Image courtesy: Verizon Breach Report]
2. Data Loss, e.g. Intellectual Property, Sales Information, Mailing addresses, Postings on Social media, Health Information
3. Account Hijacking, e.g. User Names and Passwords, Phone Numbers, Personal Profiles, Security Questions for remembering passwords
4. Insecure APIs [Image courtesy: Verizon Breach Report]
5. Denial of Service [Image courtesy: cloudsecurityalliance.org]
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Security versus Compliance

Security versus Compliance
Compliance is often mistaken for a rigid set of rules, unbending and binary: a necessary evil to get around in order to do your job, like the barricade in the picture. In reality it is only a baseline. Compliance raises the minimum bar across your environment to address a baseline amount of risk; you build and add to it as time goes on. If compliance is your goal, then, as one of my customers put it, "it is a case of when we get breached, not if we get breached."

Security versus Compliance: Why is Compliance a baseline?
- Established for the small business owner
- As well as for the big banks and Wall Street firms

Practical insights into the provider's world

Practical insights into the provider's world
- Focus is on protecting all customers
- Two layers of security:
  - Security infrastructure built to protect the core and dedicated to the core
  - Security infrastructure built to protect customers and shared between customers
- Customization may be difficult, e.g. Web Application Firewalls

Practical insights into the provider's world
- Upgrades and Migration plans are time consuming
- Customer education is important
- Stability is a core operating principle

Practical insights into the provider's world
- Not all providers invest in a Security Operations Center (SOC)
- The ones that do have a SOC may not have organizational independence
- A customer's security posture depends on the mix of services consumed

Working Models for Cloud Adoption

Working Models: Payment Island
- Identify and extract IT workflows and data flows that handle sensitive data
- Move the underlying IT infrastructure to a cloud provider
- Apply enhanced security controls that could not be applied within the corporate network
- Allow only controlled interactions with other corporate applications

Working Models: Security as a Service
- Identify core security functions that require investment
- Review cloud-based offerings for ease of adoption and cost benefits
- Improve security posture by leveraging appropriate cloud services
- Services that could be delivered efficiently from the cloud include DDoS mitigation, email spam filtering, and vulnerability scanning

Working Models: Extending Organizational Controls
- Identify existing controls that apply to the CSP
- Identify points of interaction with the cloud service provider
- Ensure there is a RACI matrix between the two organizations for each control
- For controls that need to be managed in-house, extend/integrate current toolsets and processes with the cloud service provider
- May not always be simple, but has the advantage of providing an organizational view

In Summary
- Cloud adoption can be a business advantage
- Cloud adoption risks are unique to your organization, and due diligence is of utmost importance
- Consider Cloud-specific controls for comparing apples to oranges

Balaji Palanisamy
Director, Southwest Region (Dallas, TX)
(972) 763-8021
Balaji.Palanisamy@coalfire.com