Why the Cloud can be Compliant and Secure

Why the Cloud can beCompliant and Secure Presented by: Jeff Reich Chief Risk Officer Layered Technologies

Agenda ● Abstract Review ● Layered Technologies Overview ● Speaker Overview ● What is a secure cloud? ● Table Stakes ● Compliance vs Security ● Components of Security 2Layered Technologies Complying To The Higher Standard

Abstract This session addresses misconceptions about security in the cloud and examines critical differences between compliance and security, including how compliance does not always ensure secure environments. To establish a secure cloud, one must make risk-based decisions that embrace compliance but also address practicalities and technical capabilities. While achieving compliance is considered “table stakes,” cloud security is an investment and must be continuous. The audience will learn about key security components, such as social engineering, patching, system interfaces and more. The presentation will also address the importance of grouping similar organizations in the cloud because they share common security control needs.Complying To The Higher Standard .3

About Layered Tech •  First to offer full PCI support in market (since 2005) Leadership •  Compliance cloud solu7on with built-‐in security posi7on in and controls compliant hos7ng •  Comprehensive consul7ng and audit services (and partners) Market-‐leading •  One of first virtual private data center offers cloud/virtualiza7on •  Robust community cloud plaOorm with built-‐in security and controls Tiered managed •  Monitoring up to full management services for client •  “LT Anywhere” extension choice High-‐touch and •  Managed service team specializa7on process-‐driven client •  Unified system support for problem diagnos7cs support •  Disciplined change and log management Global reach •  3 primary and 9 secondary data centers Only service provider to offer Compliance Guaranteed: our compliance clients are guaranteed to pass 100 percent of every IT audit or assessment sanc7oned by the relevant industry or regulatory en7ty. 4

Jeff Reich ●  Over 30 years in Cyber Security, Risk Management, Physical Security and other areas ●  Leadership roles in technology and financial services organizations ●  Founding member of Cloud Security Alliance ●  CRISC, CISSP, CHS-III certifications,… ●  ISSA Distinguished FellowComplying To The Higher Standard .5

What is a Secure Cloud? ● First, let’s agree on what a cloud is… ● 5-4-3 ●  5 Essential Characteristics ●  4 Deployment Models ●  3 Service ModelsComplying To The Higher Standard .6

Let’s Agree on the Cloud According to NIST: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Source: The NIST Definition of Cloud Computing Authors: Peter Mell and Tim Grance Special Publication 800-145 7Layered Technologies Complying To The Higher Standard

5 Essential Characteristics ● On-demand self-service ● Broad network access ● Resource pooling ● Rapid elasticity ● Measured Service 8Layered Technologies Complying To The Higher Standard

4 Deployment Models ● Private cloud ● Community cloud ● Public cloud ● Hybrid cloud 9Layered Technologies Complying To The Higher Standard

3 Service Models ● Cloud Software as a Service (SaaS) ● Cloud Platform as a Service (PaaS) ● Cloud Infrastructure as a Service (IaaS) 10Layered Technologies Complying To The Higher Standard

Table Stakes ●  Your compliance needs may include, but are not limited to: ●  PCI-DSS ●  HIPAA ●  FISMA ●  SOX ●  GLB ●  FedRAMP ●  Industry Standards ●  Corporate Policies ●  and many, many moreComplying To The Higher Standard . 11

Compliance vs Security Your Compliant Secure Best Practices Practices PracticesComplying To The Higher Standard . 12

Managing Costs Around Controls Potential Cost of Losses Controls $ Good Business Sense Tree of FUD Level of ControlsComplying To The Higher Standard . 13

Risk Management in the Cloud ●  First mistake of many cloud prospects ●  How am I managing risks now? ●  Risk picture may not improve ●  What are the most valuable information or process assets for your organization? ●  Disclosure Confidentiality ●  Modification Integrity ●  Denial of Access Availability 14Layered Technologies Complying To The Higher Standard

Components of Security ●  Trust ●  Verification ●  Policies, Standards, Guidelines and Procedures ●  Situational Awareness ●  Training ●  Testing ●  Lather, rinse, repeat,…Complying To The Higher Standard . 15

Components of Cloud Security ●  Trust ●  Verification ●  Policies, Standards, Guidelines and Procedures ●  Situational Awareness ●  Training ●  Testing ●  Lather, rinse, repeat,…Complying To The Higher Standard . 16

Components of Cloud Security Your provider should offer: ●  Policies ●  Validation ●  Transparency ●  Demonstration of compliance ●  Compliance support For more information, see www.cloudsecurityalliance.orgComplying To The Higher Standard . 17

Finding a Cloud Environment Private Hybrid Community Public Greater Control Iaas PaaS SaaS Greater Exposure 18Layered Technologies Complying To The Higher Standard

Contact Me ● Jeff Reich ● 972-379-8567 ● jeff.reich@layeredtech.com ● Twitter: @jnreich ● Skype: jnreich ● www.layeredtech.com 19Layered Technologies Complying To The Higher Standard

Why the Cloud can be Compliant and Secure

by InnoTech

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Why the Cloud can be Compliant and Secure Presentation Transcript