2018 Data Security and Compliance Summit
November 14th – 15th | Sonesta Fort Lauderdale Beach
DON’T MISS THIS EXCLUSIVE EVENT!
REGISTER NOW!
• Learn from industry experts
• Discuss your challenges and latest hot topics
• Brainstorm with ControlCase execs and team members
• Engage with your peers through networking and round-table discussions
https://www.controlcase.com/events/
11th APAC & MEA Annual Global Conference
October 22nd – 23rd | JW Marriott Hotel, Dubai
DON’T MISS THIS EXCLUSIVE EVENT!
REGISTER NOW!
• Learn from industry experts
• Discuss your challenges and latest hot topics
• Brainstorm with ControlCase execs and team members
• Engage with your peers through networking and round-table discussions
https://www.controlcase.com/events/
CORPORATE OVERVIEW
ControlCase™
Making Compliance Effortless
• Over 500 clients across the US, CEMEA, Europe, Latin America and Asia/Pacific regions, including major retailers and Fortune 500 companies
• Headquartered in the Washington, DC metro area (Fairfax, VA)
• ControlCase office or partnership locations include the US, Canada, Colombia, India, UK, KSA, Japan, Indonesia, Vietnam, Philippines, Kuwait, Malaysia, Brazil and Dubai
• Unique offerings bring peace of mind to compliance
CREDENTIALS
• PCI DSS: Qualified Security Assessor (QSA) Company
• ASV: Authorized Security Vendor
• ISO 27001 & 27002: International Organization for Standardization
• SOC 1, SOC 2, SOC 3, & SOC for Cybersecurity: Service Organization Controls (AICPA)
• HITRUST CSF: Health Information Trust Alliance Common Security Framework (CSF)
• HIPAA: Health Insurance Portability and Accountability Act
• NIST 800-53: National Institute of Standards and Technology
• GDPR: General Data Protection Regulation
• MARS-E: Minimum Acceptable Risk Standards for Exchanges
• EI3PA: Experian Independent Third Party Assessment
• Microsoft SSPA: Supplier Security and Privacy Assurance
• Third Party Risk Assessor: Shared Assessments Program Certified product licensee for SIG and AUP
• PA-DSS: Payment Application Qualified Security Assessor (QSA)
What is a Container?
Containerization refers to an operating system feature in which the kernel allows the existence of multiple isolated user-space instances.
Popular Containerization Solutions:
1. AWS ECS
2. Docker
Docker and AWS ECS
Docker is an open platform for containerization and can be used to deploy containers for developers and sysadmins.
Amazon ECS is a highly scalable, high-performance container orchestration service to run Docker containers on the AWS cloud.
Hosting Models
1. Physical Client Hosted
2. Datacenter Managed Service
3. Cloud Service Client hosted
4. Cloud hosted Container Service Providers
Compliance from Container Context
Compliance Responsibility Matrix in case of Different Container Hosting Models

Layer              Physical Client Hosted   Datacenter Managed Service    Cloud Client Hosted Service   Cloud Container Service Providers
Hardware           Client Responsibility    MSS Provider Responsibility   MSS Provider Responsibility   MSS Provider Responsibility
OS Layer           Client Responsibility    Client Responsibility         Client Responsibility         MSS Provider Responsibility
Container Layer    Client Responsibility    Client Responsibility         Client Responsibility         Client Responsibility
Application Layer  Client Responsibility    Client Responsibility         Client Responsibility         Client Responsibility
AWS ECS and Compliance Responsibilities

Compliance Area                                                                                                     Responsibility
Scoping                                                                                                             Customer
Network                                                                                                             Shared
Configuration Management                                                                                            Customer
Data Encryption at rest                                                                                             Customer
Data Encryption in transit                                                                                          Customer
Anti-Malware                                                                                                        Customer
Application Security                                                                                                Customer
Logical Access                                                                                                      Customer
Physical Security                                                                                                   AWS
Logging and Monitoring                                                                                              Customer
Security Testing                                                                                                    Customer
Policies and Procedures, Risk Assessment, Third Party Management, Governance and Compliance, and Incident Response   Customer
Top 10 Best Practices for Compliance
Container Compliance - Best Practices
1. Make developers aware of, and able to support, the new way of developing, running, and supporting applications made possible by containers.
2. Use container-specific host OSs.
3. Group containers with the same purpose, sensitivity, and threat posture on a single host OS.
4. Harden orchestrator configurations.
5. Use container-specific vulnerability management tools.
6. Implement container-aware network and process monitoring and filtering, and malware filtering.
7. Use mandatory access control.
8. Segment workloads.
9. Upload and run only vetted, tested, validated, and digitally signed images.
10. Maintain separate environments for development, test, production, and other scenarios.
Achieving Compliance on AWS with CaaS

Compliance Area                                                                                 Responsibility   Solutions
Scoping                                                                                         Customer         CaaS
Network                                                                                         Shared
Configuration Management                                                                        Customer         CaaS
Data Encryption at rest                                                                         Customer
Data Encryption in transit                                                                      Customer
Anti-Malware                                                                                    Customer
Application Security                                                                            Customer         CaaS
Logical Access                                                                                  Customer
Physical Security                                                                               AWS
Logging and Monitoring                                                                          Customer         CaaS
Security Testing                                                                                Customer         CaaS
Policies and Procedures, Risk Assessment, Third Party Management, Governance and Compliance   Customer         CaaS
Achieving Compliance on AWS with CaaS
Scoping:
Capability to identify and document container instances running in the customer's AWS ECS environment.
Configuration Management:
Method to identify security misconfigurations in Docker images.
Application Security:
Capability to conduct penetration testing on the applications hosted on AWS ECS container platforms. Ability to scan Docker images as they are developed on the AWS platform, to vet them before they are pushed to the production repository.
Logging & Monitoring:
This component can be integrated with CloudWatch to collect, correlate and monitor logs 24x7 by the ControlCase GSOC team.
Security Testing:
Vulnerability scanning of Docker images and application containers using pre-approved AMIs.
CaaS also has the capability to support Risk Assessments, Policies & Procedures, Third-Party Management and Governance & Compliance using a mix of technology and assessor presence.
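As an added illustration of the "Configuration Management" capability above and of best practice 9 (vetting images before they run), here is a small Dockerfile checker written for this edit; it is not ControlCase's CaaS tooling, and the sample Dockerfile, rule names and checks are constructed for the example.

```python
import re

# Constructed sample Dockerfile (not from the page) carrying several weak settings.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/app.tar.gz /opt/
RUN apt-get update && apt-get install -y curl
EXPOSE 22 8080
CMD ["/opt/app/start.sh"]
"""

SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)\s*=", re.I)

def check_dockerfile(text):
    """Return (rule, detail) findings for common image misconfigurations.
    Rule names are this example's own; comments are skipped and backslash
    continuations are not joined, so keep RUN lines single-line."""
    findings, non_root_user = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            # First non-flag token is the image reference; a digest pin is fine,
            # a missing tag or ':latest' makes the build non-reproducible.
            tokens = [t for t in args.split() if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(("unpinned-base-image", image))
        elif instr == "USER":
            non_root_user = args.split(":")[0] not in ("root", "0")
        elif instr == "ADD" and re.match(r"(https?|ftp)://", args):
            findings.append(("add-from-url", args.split()[0]))
        elif instr == "ENV" and SECRET_ENV.search(args):
            findings.append(("secret-in-env", args.split("=")[0].strip()))
        elif instr == "EXPOSE" and any(p.split("/")[0] == "22" for p in args.split()):
            findings.append(("ssh-port-exposed", args))
    if not non_root_user:
        findings.append(("runs-as-root", "no non-root USER instruction"))
    return findings

if __name__ == "__main__":
    for rule, detail in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{rule}: {detail}")
```

Run it as a gate in the image build pipeline and fail the build on any finding; the checks are a starting point, not a substitute for a full image scanner.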