Compliance in the Cloud Jake Gibson MBA, CISSP, CISM, CISA
Security and Compliance in the Cloud Why is this scary? What are the concerns? Bad experiences? Good experiences? Can we avoid it?
TRUST How do we build trust? Be aware of the pros/cons Validate (tours, compliance reports, TPRM) Clear roles and responsibilities SLA Reviews Ongoing process, TPRM is routine
Cloud Refresher Private Cloud vs Public Cloud What are the primary differences? What are the use cases surrounding each? What security & compliance factors should you take into account when evaluating the right cloud for your business?
Cloud Refresher On Premise Bare Metal Dedicated Infrastructure Shared Infrastructure PaaS/IaaS Biggest differences are Roles & Responsibilities
Resolving Ambiguity Policies/Awareness Training On Prem PaaS SaaS IaaS Policies/Awareness Training Client and End Point Controls Application Security Operating System Security Host/Storage Infrastructure Network Controls Physical Security Resolving Ambiguity Cloud Provider Cloud Customer
A bit about regulated industries HIPAA PCI-DSS SOX GDPR NERC FISMA How does this impact your cloud service provider decisions?
Diving into Cloud Controls Physical Visitor Validation/Entry Multi-Factor authentication Video Surveillance Natural Disaster Protection Power/Environmental Example: Proximity Cards / Cloning
Diving into Cloud Controls Network Firewall IDS/IPS MDR DDoS Protection Segmentation Example: Target, lack of proper network segmentation
Diving into Cloud Controls Hypervisor Isolation Logical Access Patch Management Host-Level Controls Example: Meltdown and Spectre
Diving into Cloud Controls Logical Identity and Access Management Multi-Factor Authentication SIEM Example: Failure to disable/review access permissions
Diving into Cloud Controls Administrative Background Checks Security Awareness Training Technical Training ITSM (ITIL) Processes Example: Misconfigurations and Phishing https://www.ibm.com/security/resources/xforce/xfisi/
But it all depends Policies/Awareness Training On Prem PaaS SaaS IaaS Policies/Awareness Training Client and End Point Controls Application Security Operating System Security Host/Storage Infrastructure Network Controls Physical Security But it all depends Cloud Provider Cloud Customer
Questions to Ask a Potential Cloud Provider What regulations are you compliant with? Are you compliant or certified/audited? Example: Client bounce Do you allow clients to tour your facility? Can I see where my data is? What is your breach notification policy? Have you ever had a breach? Do you offer a point of contact for security & compliance questions? How do you assist clients when they are going through an audit?
Key Roles & Responsibilities to Identify with a Cloud Provider Who does what? What am I still on the hook for? Where does the line get drawn? Does it change for different services? (IaaS, PaaS, SaaS, etc.) Always get it in writing (SLA, MSA, etc.)
The Importance of Routine Reviews Things change. Regular reviews are essential. Does your provider allow it? Many regulations are calling for this. Increasingly stringent requirements around TPRM Frequency is key. 3rd party audit assessments are a great place to start.
Colocation Private Cloud Enterprise Cloud Managed Services Information Security Management System (ISMS) LightEdge’s overall security program Includes policies, procedures, and baseline security controls Internationally recognized Industry independent Maps to NIST 800-53 well Certificate provided to clients Service Management System (SMS) LightEdge’s ITIL program Includes policies & procedures Change Management Configuration Management Incident Response Capacity Management Document & Record Management And more… Internationally recognized Industry independent Certificate provided to clients SSAE 18 SOC 1, 2, & 3 Articulates information about LightEdge’s control environment Financial (SOC 1) Security Availability Integrity Confidentiality Privacy Detailed 3rd party attestation of controls and compliance Widely accepted across many industries Reports provided to clients PCI DSS 3.2 Audit of payment card industry information security requirements Includes LightEdge information security controls Some controls remain the client’s responsibility Required by businesses accepting or processing credit cards Report provided to clients HIPAA AT 101 Attestation Report Independent audit of: HIPAA Security Rule HITECH Breach Notification Requirements Includes LightEdge information security controls Some controls remain the client’s responsibility Required by healthcare industry Report provided to clients Colocation Private Cloud Enterprise Cloud Managed Services
Building Blocks to Successful IT Security TRUST COMPLIANCE VALIDATION ASSISTANCE
How we Build Trust 1. The most secure data centers around Multiple locations with high-speed interconnectivity Comprehensive information security management system 24x7x365 video surveillance with archival footage Physical separation options available Multi-factor biometric authentication
How we Maintain Compliance 2. Data centers that comply with top industry standards & global regulations Rigorous regulatory compliance programs Internationally recognized security controls Third-party audited facilities Validation through annual audit reports
How we Achieve Validation 3. We live by the motto “Trust, but verify.” Third party audit reports provided to clients Thorough physical tours for clients to witness safeguards firsthand
How we Offer Assistance 4. Direct access to the CSO/CCO Trusted advisor willing to spend time with clients to talk through: Gap Analysis Auditor questions Facility tours Compliance control mapping Security best practices