Strategic Compliance & Securing the Cloud
Annalea Sharack-Ilg, CISSP, AMBCI, Technical Director of Information Security

Complexity and Challenges
Complexity and Challenges: Compliance
- Regulatory entities are only now catching up. Until recently we had to read between the lines of existing controls that did not address the cloud:
  - PCI DSS Virtualization Guidelines
  - NIST 800-125, Guide to Security for Full Virtualization
  - NIST 800-144, Guidelines on Security and Privacy in Public Cloud Computing
- Complexity of the management functions that must be secured in a multi-tenant community, public or hybrid cloud, with their dependencies and interconnections.
- Preserving the cloud's flexibility (self-service, resource pooling and elasticity) while maintaining compliance.
- Meeting regulatory compliance is very expensive and the timelines are challenging.
- Hand-off of responsibilities: contractual ownership vs. custodianship.
- Security maintenance, support and expertise.
- Cost: security tools are less expensive when delivered through a provider.
- Risk transfer.
Due Diligence & Liability: questions to answer prior to service provider engagement
- Are existing policies, procedures, processes and controls strong enough to secure our sensitive information?
- What drives us to be in compliance?
- Are we in compliance, and what is our level of risk?
- What internal controls need to be re-evaluated and addressed?
- What roles and responsibilities am I willing to transfer?
- What are my deliverable expectations from a provider?
- Are data ownership and custodianship defined?
Cloud Security: who manages each layer under each service model (the provider manages every layer from the Facility up to the model's hand-off point; you manage the layers above it, and under SaaS the provider manages all of them)

Layer            Colocation         Infrastructure (IaaS)   Platform (PaaS)     Software (SaaS)
Applications     You manage         You manage              You manage          Provider manages
Data             You manage         You manage              You manage          Provider manages
Runtime          You manage         You manage              Provider manages    Provider manages
Middleware       You manage         You manage              Provider manages    Provider manages
O/S              You manage         You manage              Provider manages    Provider manages
Virtualization   You manage         Provider manages        Provider manages    Provider manages
Servers          You manage         Provider manages        Provider manages    Provider manages
Storage          You manage         Provider manages        Provider manages    Provider manages
Networking       You manage         Provider manages        Provider manages    Provider manages
Facility         Provider manages   Provider manages        Provider manages    Provider manages
Domains to Consider
- Security Governance
- Disaster Recovery
- Contractual Ownership
- Compliance as a Service
- Secure Connectivity
- Network Perimeter Security Solutions + DDoS Mitigation
- Managed Services
- Information Services
- Colocation
- Cloud Platforms
- Data Management
- Alerting & Reporting
- Policies & Standards
- Hybrid Connectivity
- Monitoring
- Controlled Operations
- Vulnerability Management
- Physical & Environmental
- Asset Management
- Infrastructure Protection
- Storage & Segmentation
- Hypervisor Control
- Identity Management
- Application & End-point
- Presentation & Mobility
- Lifecycle
Common Missteps
- Failing to isolate sensitive network assets
- Not having a security / compliance process in place
- Not following policy and procedure when they are in place
- Access control negligence
- Ignoring warnings from anti-intrusion software
- Failing to identify a threat
- Involving third-party vendors that do not follow your process

Cloud Segmentation
Security Assurance
- Application policies: Applications; Availability, Confidentiality
- Machine policies: Authorization, Auditability, Integrity; VMs with network resource pools
- Infrastructure policies: service provider requirements

Questions for the service provider:
- Will my resources be up and running?
- Can my data be altered by unauthorized access?
- Is environment access restricted to business need only?
- How is access control ensured?
- How are the controls monitored and verified?
- How am I segmented from other customers?
Best Practices
- Restrict access to business need
- Logically segment, or dedicate the entire environment
- Encrypt data at rest and in transit
- Monitor, audit and report
- Vulnerability management
- Security maintenance
- Integrity controls
- Contractual roles and responsibilities
- Understand the provider's cloud definition
- Transfer of risk: analysis and validation
Compliance is challenging, but achievable with the right strategy and the right resources. Communicate internally between business units, information technology and security departments, and with the provider, to understand process, requirements and security controls. Learn your compliance requirements, plan with an experienced provider, and communicate expectations to associates, vendors and partners.

anna.sharack@viawest.com
www.linkedin.com/in/annaleailg/

ViaWest, Inc. Confidential. All Rights Reserved.