Cloud controls final2
6fusion and Network Box webinar on cloud security related to regulatory requirements, such as HIPAA, CSA CCM, FedRAMP, and PCI.

Presentation Transcript

  • 1. Do you know your cloud controls? A close look at regulatory requirements for cloud security
    Steven Wolford, Director, Information Security, 6fusion, swolford@6fusion.com
    Chad Walter, Director, Channel Development, Network Box USA, cwalter@networkboxusa.com
  • 2. Today's Agenda
    •  Introduction
    •  What is cloud?
    •  Who controls cloud?
    •  Cloud types
    •  Standards impacting security: CSA CCM, FedRAMP, PCI, HIPAA
    •  How it all fits together
    •  Q&A
  • 3. Who We Are
    6fusion: 6fusion breaks down traditional IT boundaries by delivering universal metering and access to global IT infrastructure. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.
    Network Box USA: Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.
    This is the second in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
  • 4. What is "Cloud"
    [Diagram: cloud reference architecture with five actors. Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Provider, made up of Service Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility), Cloud Service Management (Business Support; Provisioning / Configuration; Portability / Interoperability), Security and Privacy; and Cloud Carrier.]
  • 5. Who Controls "Cloud"
    [Diagram: the stack is, from top to bottom, the Application Layer, Middleware Layer, Operating System Layer and Physical Layer, with the Cloud Consumer above it and the Cloud Provider below it. The consumer's span of control grows from SaaS to PaaS to IaaS: under SaaS the provider controls every layer; under PaaS the consumer controls the application layer and the provider the layers beneath; under IaaS the consumer controls the application, middleware and operating system layers and the provider controls the physical layer.]
  • 6. Public Cloud
    [Diagram: a cloud service accessible from the Internet. Public consumers access workloads from the Internet; enterprise consumers access workloads from enterprise networks.]
  • 7. Private Cloud
    [Diagram: a private cloud inside the enterprise network.]
  • 8. Community Cloud
    Community is defined as groups of consumers with similar interests, control sets, performance characteristics or other such commonality.
    [Diagram: Group A, Group B and Group C sharing a cloud hosted either by a public cloud provider or as a private cloud.]
  • 9. Hybrid Cloud
    [Diagram: a composition of on-site private clouds, outsourced private clouds, on-site and outsourced community clouds, and public clouds.]
  • 10. Know the Rules
    •  Regulation: FedRAMP; PCI DSS v2.0; HIPAA / HITECH
    •  Standard: SSAE 16 SOC 2; ISO/IEC 27001:2005
    •  Framework: CSA CCM; COBIT 4.1
  • 11. CSA CCM / CAIQ
    "As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry."
    The CAIQ "provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of 'yes or no' control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements."
  • 12. CCM – Control Areas
    [Diagram: each area placed on a Provider / Consumer responsibility axis.]
    •  Compliance (6 controls)
    •  Data Governance (8 controls)
    •  Facility Security (8 controls)
    •  Human Resources (3 controls)
    •  Information Security (34 controls)
    •  Legal (2 controls)
    •  Operations Management (4 controls)
    •  Risk Management (5 controls)
    •  Release Management (5 controls)
    •  Resiliency (8 controls)
    •  Security Architecture (15 controls)
  • 13. FedRAMP
    Federal Risk and Authorization Management Program: "a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services."
  • 14. FedRAMP – Control Areas
    [Diagram: each area placed on a Provider / Consumer responsibility axis.]
    •  Access Control (17 controls)
    •  Awareness and Training (4 controls)
    •  Audit and Accountability (12 controls)
    •  Assessment and Authorization (6 controls)
    •  Configuration Management (9 controls)
    •  Contingency Planning (9 controls)
    •  Identification and Authentication (8 controls)
    •  Incident Response (8 controls)
    •  Maintenance (6 controls)
    •  Media Protection (6 controls)
    •  Physical and Environmental Protection (18 controls)
    •  Planning (5 controls)
    •  Personnel Security (8 controls)
    •  Risk Assessment (4 controls)
    •  System and Services Acquisition (12 controls)
    •  System and Communications Protection (24 controls)
    •  System and Information Integrity (12 controls)
  • 15. Payment Card Industry
    "Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data."
  • 16. PCI – Control Areas
    [Diagram: each area placed on a Provider / Consumer responsibility axis.]
    The areas follow the twelve PCI DSS requirements:
    •  Firewall
    •  Default passwords
    •  Stored cardholder data
    •  Encrypt transmission
    •  Anti-virus
    •  Secure systems / applications
    •  Restrict access
    •  Unique user IDs
    •  Physical access
    •  Track and monitor access
    •  Test
    •  Personnel security
  • 17. HIPAA – A Brief History of Healthcare Security Regulation
    HIPAA (Health Insurance Portability and Accountability Act). A regulation is born: passed in 1996 to simplify the administrative processes surrounding the increasing amounts of ePHI. The goal of HIPAA was to protect patients' confidentiality while enabling healthcare organizations to pursue initiatives that furthered innovation and patient care. The Security Rule was enacted 2/20/03 and provided administrative, technical and physical safeguards. However, enforcement was very limited.
    HITECH (American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health). HIPAA gets some teeth: HITECH contains specific incentives designed to accelerate the adoption of EHR systems. It broadens the scope of protections listed under HIPAA and increases penalties for non-compliance. HITECH extended the Security Rule to include:
    •  Civil penalties
    •  Business Associates (BAs) must comply
    •  Breach notifications are mandatory
    Meaningful Use (Meaningful Use Guidelines for EHR, 2010). And gains some incentives: CMS' Meaningful Use program provides incentive payouts for efficient EHR use. The program provides further incentives to encourage HIPAA / HITECH compliance. Meaningful Use includes 15 core measures. The program is funded with $27bn over 4 years to cover attestations.
  • 18. HIPAA – Control Areas
    [Diagram: each area placed on a Provider / Consumer responsibility axis.]
    •  Administrative Safeguards (30 controls)
    •  Physical Safeguards (12 controls)
    •  Technical Safeguards (12 controls)
    •  Organizational Safeguards (12 controls)
  • 19. Shared Responsibility
  • 20. Integrated Compliance
    Taking requirements:
    •  FISMA/FedRAMP
    •  PCI
    •  HIPAA
    •  ISO
    •  Other requirements
    Identifying common controls:
    •  Access controls
    •  Passwords
    •  Encryption
    •  Training
    •  Risk assessments
    Documentation:
    •  Document policy, controls, and criteria that meet minimum requirements across standards
    •  Integrated Control Framework
    Execute integrated program:
    •  Identify data sources
    •  Define & assess risk
    •  Develop & implement controls
    •  Audit & correct
    •  Enforce, monitor & support
  • 21. Questions
  • 22. Thank You!
    Resources:
    •  FedRAMP: http://www.gsa.gov/portal/category/102371
    •  Cloud Security Alliance: https://cloudsecurityalliance.org/
    •  PCI: https://www.pcisecuritystandards.org/
    •  HIPAA: http://www.hhs.gov/ocr/privacy/
    What's next? 3rd webinar in the series:
    •  Timing: early May
    •  Topic: Baselining and advancing your security posture
    •  Details: You tell us…
    What do you want to hear about in the next webinar? Email us at marketing@6fusion.com with your ideas!