Compliance in the Cloud

Presentation on theme: "Compliance in the Cloud"— Presentation transcript:

1 Compliance in the Cloud
Jake Gibson MBA, CISSP, CISM, CISA

2 Security and Compliance in the Cloud
Why is this scary? What are the concerns? Bad experiences? Good experiences? Can we avoid it?

3 TRUST
How do we build trust?
Be aware of the pros/cons
Validate (tours, compliance reports, TPRM)
Clear roles and responsibilities
SLA reviews
Ongoing process: TPRM is routine

4 Cloud Refresher Private Cloud vs Public Cloud
What are the primary differences? What are the use cases surrounding each? What security & compliance factors should you take into account when evaluating the right cloud for your business?

5 Cloud Refresher
On Premise
Bare Metal
Dedicated Infrastructure
Shared Infrastructure
PaaS/IaaS
Biggest differences are Roles & Responsibilities

6 Resolving Ambiguity
Deployment models (columns): On Prem, PaaS, SaaS, IaaS
Control layers (rows): Policies/Awareness Training; Client and End Point Controls; Application Security; Operating System Security; Host/Storage Infrastructure; Network Controls; Physical Security
Legend: each layer is owned by either the Cloud Provider or the Cloud Customer, depending on the deployment model

7 A bit about regulated industries
HIPAA, PCI-DSS, SOX, GDPR, NERC, FISMA
How does this impact your cloud service provider decisions?

8 Diving into Cloud Controls
Physical: Visitor Validation/Entry; Multi-Factor Authentication; Video Surveillance; Natural Disaster Protection; Power/Environmental
Example: Proximity Cards / Cloning

9 Diving into Cloud Controls
Network: Firewall; IDS/IPS; MDR; DDoS Protection; Segmentation
Example: Target, lack of proper network segmentation

10 Diving into Cloud Controls
Hypervisor: Isolation; Logical Access; Patch Management; Host-Level Controls
Example: Meltdown and Spectre

11 Diving into Cloud Controls
Logical: Identity and Access Management; Multi-Factor Authentication; SIEM
Example: Failure to disable/review access permissions

12 Diving into Cloud Controls
Administrative: Background Checks; Security Awareness Training; Technical Training; ITSM (ITIL) Processes
Example: Misconfigurations and Phishing

13 But it all depends
Deployment models (columns): On Prem, PaaS, SaaS, IaaS
Control layers (rows): Policies/Awareness Training; Client and End Point Controls; Application Security; Operating System Security; Host/Storage Infrastructure; Network Controls; Physical Security
Legend: each layer is owned by either the Cloud Provider or the Cloud Customer, depending on the deployment model

14 Questions to Ask a Potential Cloud Provider
What regulations are you compliant with?
Are you compliant or certified/audited? Example: Client bounce
Do you allow clients to tour your facility?
Can I see where my data is?
What is your breach notification policy?
Have you ever had a breach?
Do you offer a point of contact for security & compliance questions?
How do you assist clients when they are going through an audit?

15 Key Roles & Responsibilities to Identify with a Cloud Provider
Who does what?
What am I still on the hook for?
Where does the line get drawn?
Does it change for different services? (IaaS, PaaS, SaaS, etc.)
Always get it in writing (SLA, MSA, etc.)

16 The Importance of Routine Reviews
Things change. Regular reviews are essential.
Does your provider allow it?
Many regulations are calling for this.
Increasingly stringent requirements around TPRM
Frequency is key.
3rd party audit assessments are a great place to start.

17 Colocation | Private Cloud | Enterprise Cloud | Managed Services
Information Security Management System (ISMS)
  LightEdge’s overall security program
  Includes policies, procedures, and baseline security controls
  Internationally recognized
  Industry independent
  Maps to NIST well
  Certificate provided to clients
Service Management System (SMS)
  LightEdge’s ITIL program
  Includes policies & procedures: Change Management, Configuration Management, Incident Response, Capacity Management, Document & Record Management, and more
  Internationally recognized
  Industry independent
  Certificate provided to clients
SSAE 18 SOC 1, 2, & 3
  Articulates information about LightEdge’s control environment
  Financial (SOC 1); Security, Availability, Integrity, Confidentiality, Privacy
  Detailed 3rd party attestation of controls and compliance
  Widely accepted across many industries
  Reports provided to clients
PCI DSS 3.2
  Audit of payment card industry information security requirements
  Includes LightEdge information security controls
  Some controls remain the client’s responsibility
  Required by businesses accepting or processing credit cards
  Report provided to clients
HIPAA AT 101 Attestation Report
  Independent audit of: HIPAA Security Rule; HITECH Breach Notification Requirements
  Includes LightEdge information security controls
  Some controls remain the client’s responsibility
  Required by healthcare industry
  Report provided to clients

18 Building Blocks to Successful IT Security
TRUST, COMPLIANCE, VALIDATION, ASSISTANCE

19 How we Build Trust
1. The most secure data centers around
Multiple locations with high-speed interconnectivity
Comprehensive information security management system
24x7x365 video surveillance with archival footage
Physical separation options available
Multi-factor biometric authentication

20 How we Maintain Compliance
2. Data centers that comply with top industry standards & global regulations
Rigorous regulatory compliance programs
Internationally recognized security controls
Third-party audited facilities
Validation through annual audit reports

21 How we Achieve Validation
3. We live by the motto “Trust, but verify.”
Third party audit reports provided to clients
Thorough physical tours for clients to witness safeguards firsthand

22 How we Offer Assistance
4. Direct access to the CSO/CCO
Trusted advisor willing to spend time with clients to talk through: Gap Analysis; Auditor questions; Facility tours; Compliance control mapping; Security best practices
