Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compliance in the Cloud

Published byAlfred Lenaerts Modified over 5 years ago

Similar presentations

Presentation on theme: "Compliance in the Cloud"— Presentation transcript:

1 Compliance in the Cloud
Jake Gibson MBA, CISSP, CISM, CISA

2 Security and Compliance in the Cloud
Why is this scary? What are the concerns? Bad experiences? Good experiences? Can we avoid it?

3 TRUST How do we build trust? Be aware of the pros/cons
Validate (tours, compliance reports, TPRM) Clear roles and responsibilities SLA Reviews Ongoing process, TPRM is routine

4 Cloud Refresher Private Cloud vs Public Cloud
What are the primary differences? What are the use cases surrounding each? What security & compliance factors should you take into account when evaluating the right cloud for your business?

5 Cloud Refresher On Premise Bare Metal Dedicated Infrastructure
Shared Infrastructure PaaS/IaaS Biggest differences are Roles & Responsibilities

6 Resolving Ambiguity Policies/Awareness Training
On Prem PaaS SaaS IaaS Policies/Awareness Training Client and End Point Controls Application Security Operating System Security Host/Storage Infrastructure Network Controls Physical Security Resolving Ambiguity Cloud Provider Cloud Customer

7 A bit about regulated industries
HIPAA PCI-DSS SOX GDPR NERC FISMA How does this impact your cloud service provider decisions?

8 Diving into Cloud Controls
Physical Visitor Validation/Entry Multi-Factor authentication Video Surveillance Natural Disaster Protection Power/Environmental Example: Proximity Cards / Cloning

9 Diving into Cloud Controls
Network Firewall IDS/IPS MDR DDoS Protection Segmentation Example: Target, lack of proper network segmentation

10 Diving into Cloud Controls
Hypervisor Isolation Logical Access Patch Management Host-Level Controls Example: Meltdown and Spectre

11 Diving into Cloud Controls
Logical Identity and Access Management Multi-Factor Authentication SIEM Example: Failure to disable/review access permissions

12 Diving into Cloud Controls
Administrative Background Checks Security Awareness Training Technical Training ITSM (ITIL) Processes Example: Misconfigurations and Phishing

13 But it all depends Policies/Awareness Training
On Prem PaaS SaaS IaaS Policies/Awareness Training Client and End Point Controls Application Security Operating System Security Host/Storage Infrastructure Network Controls Physical Security But it all depends Cloud Provider Cloud Customer

14 Questions to Ask a Potential Cloud Provider
What regulations are you compliant with? Are you compliant or certified/audited? Example: Client bounce Do you allow clients to tour your facility? Can I see where my data is? What is your breach notification policy? Have you ever had a breach? Do you offer a point of contact for security & compliance questions? How do you assist clients when they are going through an audit?

15 Key Roles & Responsibilities to Identify with a Cloud Provider
Who does what? What am I still on the hook for? Where does the line get drawn? Does it change for different services? (IaaS, PaaS, SaaS, etc.) Always get it in writing (SLA, MSA, etc.)

16 The Importance of Routine Reviews
Things change. Regular reviews are essential. Does your provider allow it? Many regulations are calling for this. Increasingly stringent requirements around TPRM Frequency is key. 3rd party audit assessments are a great place to start.

17 Colocation Private Cloud Enterprise Cloud Managed Services
Information Security Management System (ISMS) LightEdge’s overall security program Includes policies, procedures, and baseline security controls Internationally recognized Industry independent Maps to NIST well Certificate provided to clients Service Management System (SMS) LightEdge’s ITIL program Includes policies & procedures Change Management Configuration Management Incident Response Capacity Management Document & Record Management And more… Internationally recognized Industry independent Certificate provided to clients SSAE 18 SOC 1, 2, & 3 Articulates information about LightEdge’s control environment Financial (SOC 1) Security Availability Integrity Confidentiality Privacy Detailed 3rd party attestation of controls and compliance Widely accepted across many industries Reports provided to clients PCI DSS 3.2 Audit of payment card industry information security requirements Includes LightEdge information security controls Some controls remain the client’s responsibility Required by businesses accepting or processing credit cards Report provided to clients HIPAA AT 101 Attestation Report Independent audit of: HIPAA Security Rule HITECH Breach Notification Requirements Includes LightEdge information security controls Some controls remain the client’s responsibility Required by healthcare industry Report provided to clients Colocation Private Cloud Enterprise Cloud Managed Services

18 Building Blocks to Successful IT Security
TRUST COMPLIANCE VALIDATION ASSISTANCE

19 How we Build Trust 1. The most secure data centers around
Multiple locations with high-speed interconnectivity Comprehensive information security management system 24x7x365 video surveillance with archival footage Physical separation options available Multi-factor biometric authentication

20 How we Maintain Compliance
2. Data centers that comply with top industry standards & global regulations Rigorous regulatory compliance programs Internationally recognized security controls Third-party audited facilities Validation through annual audit reports

21 How we Achieve Validation
3. We live by the motto “Trust, but verify.” Third party audit reports provided to clients Thorough physical tours for clients to witness safeguards firsthand

22 How we Offer Assistance
4. Direct access to the CSO/CCO Trusted advisor willing to spend time with clients to talk through: Gap Analysis Auditor questions Facility tours Compliance control mapping Security best practices

Download ppt "Compliance in the Cloud"

Similar presentations

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Common Question Who can benefit from Cloud? Every enterprise today can benefit from Cloud.

Common Question Who can benefit from Cloud? Every enterprise today can benefit from Cloud.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
1 1 Risk Management: How to Comply with Everything July 11, 2013.

1 1 Risk Management: How to Comply with Everything July 11, 2013.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
JARED BIRD Nagios: Providing Value Throughout the Organization.

JARED BIRD Nagios: Providing Value Throughout the Organization.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
Introduction to Cloud Computing and Secure Cloud Computing

Introduction to Cloud Computing and Secure Cloud Computing
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Outsourcing Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Outsourcing Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security.

Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google