1. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Designing a Secure and Compliant Cloud Infrastructure
• Design Cloud Infrastructure for Security
• Determine Organizational Compliance Needs
Responsible Parties in Cloud Environments
On-premises environment: infrastructure and security services are managed by you.
Cloud environment: infrastructure and security services are split between those managed by you and those managed by the CSP.
Corporate Security Policies
The security policy might include the following:
• Goals or mission statement for cloud services: One or two sentences that clearly
state the goals for using cloud services.
• Data classification: This is a complex but essential component of a security policy.
Data can be classified a number of ways, but some common classifications are:
  • Sensitive corporate data (corporate secrets).
  • Data that is protected by law such as personally identifiable information (PII), sensitive
  personal information (SPI), and HIPAA-related information.
  • Operational data that is used in performance of day-to-day operations.
• Scope: This defines who and what the policy applies to.
• Responsibilities: This section lists, by role and current role-holder name, who is responsible
for key activities.
• Policy statements: These are the specific, discrete statements that make up the
policy.
Questions to Ask When Developing Security Policies
• What services, apps, and data should be put in the cloud? Why?
• What services, apps, and data should not be put in the cloud? Why?
• Is there already a corporate data classification policy that can be leveraged?
• Are there any other applicable policies that can be leveraged?
• How are industry peers handling their policies and making their choices?
• What do standards bodies such as ISO, NIST, or the CSA recommend for security and
data handling policies related to your industry?
• Who should have authority to approve agreements with CSPs, and what type of
approval is required for changes to CSP contracts?
• Where can services and data be physically located?
• What are our options for moving services, apps, and data from one provider to
another, to a private cloud, or back to on-premises?
• Can the CSPs protect corporate sensitive data to the standards defined by the
corporate policy?
• Who can make changes to configuration settings for infrastructure, services, and
apps?
Goals of Securing Cloud Solution Components
Goal and description:
• Abuse and unallowed use of cloud resources: Prevent malicious users, either internal or
external, from using your cloud resources for illicit, illegal, or unauthorized activities.
• Breaches and exploitation of shared resources: Cloud technologies may not have been
designed to offer strong isolation in multi-tenant environments.
• Breaches and exploitation of cloud apps: This includes credential theft or gaining access to
integrated services and APIs.
• Access to resources by malicious insiders: Cloud solutions must be protected from bad actors
within your organization and the CSP.
• Data theft, loss, and leakage: Data theft, loss, or leakage risk is common for both cloud and
on-premises deployments.
• Account, service, and traffic hijacking: Exploitation of service or app vulnerabilities can lead
to accounts being compromised.
• Unknown risk profile: Since cloud environments are controlled by CSPs, visibility may be
reduced, making it difficult to calculate a risk profile and activate proper remediation
techniques.
Need for a Holistic Security Approach
Security issue and prevention measure:
• Abuse and unallowed use of cloud resources: Consult with your CSP on how they mitigate
these threats.
• Breaches and exploitation of shared resources: Talk with your CSP and ask how each client is
isolated from the others in the CSP’s multi-tenant shared infrastructure.
• Breaches and exploitation of cloud apps: Analyze and implement highly secure models for
cloud service interfaces, such as strong authentication methods combined with encryption of
transmitted data.
• Attacks from malicious insiders: Perform an assessment of your CSP’s hiring practices and
policies.
• Data theft, loss, and leakage: Encrypt data to and from the CSP network to end users.
• Account hijacking: Prohibit the sharing of account credentials among users and across
services, both by policy and by design.
• Unknown risk profile: Seek to reduce unknowns by working with your CSP.
Encryption and Decryption
Apply Security to Achieve Defense-In-Depth
• To achieve true defense-in-depth, you must consider all components in use and any
points of vulnerability.
• Implement strong, policy-based management.
• Monitor network activity and review security logs of the system, app, or service and
those of any network security devices in the path of connectivity to it.
• You should also perform, or have a third party perform, occasional vulnerability
scanning and penetration testing.
Guidelines for Planning a Secure Cloud Infrastructure
• Consider all components in use and any points of vulnerability.
• Encrypt data while it is in transit using network encryption such as IPSec, SSL/TLS, PKI, or
other technologies.
• Encrypt data that is being backed up.
• Encrypt data while at rest using disk encryption, file encryption, database encryption, and
other technologies.
• Consider encrypting virtual machines.
• Use high bit-strength encryption for PKI and other encryption technologies for extra
security.
• Consider data movement when planning security.
• Disable unneeded ports and services on infrastructure components.
• Create and enforce strict account management policies that include timely account
cleanup and deletion as well as account audits.
• Use host-based, VM-based, and container-based software firewalls as appropriate.
• Install antivirus and anti-malware on VMs and containers.
• Make sure patching is done rapidly after appropriate validation, following security
guidelines.
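As an added example (not part of the CompTIA deck), a small Python policy check that applies several of the guidelines above to a constructed resource inventory: encryption at rest and in transit, unneeded open ports, patch age, anti-malware presence, and timely cleanup of idle accounts. The inventory field names, the allowed-port baseline and the 30-day/90-day thresholds are hypothetical and do not correspond to any CSP's API.

```python
from datetime import date, timedelta

# Constructed inventory for illustration only; the field names are hypothetical
# and do not correspond to any CSP's API.
INVENTORY = {
    "storage": [
        {"name": "patient-records", "encrypted_at_rest": True, "tls_only": True},
        {"name": "backups-2019", "encrypted_at_rest": False, "tls_only": True},
    ],
    "vms": [
        {"name": "web-01", "open_ports": [22, 443], "last_patched": "2019-05-15", "antimalware": True},
        {"name": "db-01", "open_ports": [22, 3306, 1433], "last_patched": "2019-02-01", "antimalware": False},
    ],
    "accounts": [
        {"user": "alice", "last_login": "2019-05-20", "enabled": True},
        {"user": "contractor", "last_login": "2018-11-02", "enabled": True},
    ],
}
# Hypothetical policy baseline: only admin SSH and HTTPS may be exposed,
# patches must land within 30 days, unused accounts are cleaned up after 90.
ALLOWED_PORTS = {22, 443}
MAX_PATCH_AGE = timedelta(days=30)
MAX_IDLE_ACCOUNT = timedelta(days=90)

def audit(inventory, today_iso):
    """Return (kind, name, finding) tuples for every guideline violation as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    for s in inventory["storage"]:
        if not s["encrypted_at_rest"]:
            findings.append(("storage", s["name"], "not encrypted at rest"))
        if not s["tls_only"]:
            findings.append(("storage", s["name"], "accepts unencrypted transport"))
    for vm in inventory["vms"]:
        extra = sorted(set(vm["open_ports"]) - ALLOWED_PORTS)   # ports outside the baseline
        if extra:
            findings.append(("vm", vm["name"], f"unneeded ports open: {extra}"))
        if today - date.fromisoformat(vm["last_patched"]) > MAX_PATCH_AGE:
            findings.append(("vm", vm["name"], "patching overdue"))
        if not vm["antimalware"]:
            findings.append(("vm", vm["name"], "no anti-malware installed"))
    for acct in inventory["accounts"]:
        idle = today - date.fromisoformat(acct["last_login"])
        if acct["enabled"] and idle > MAX_IDLE_ACCOUNT:
            findings.append(("account", acct["user"], "idle account still enabled"))
    return findings

if __name__ == "__main__":
    for kind, name, msg in audit(INVENTORY, "2019-06-01"):
        print(f"{kind:8} {name:16} {msg}")
```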
Activity: Planning a Secure Cloud
Infrastructure for Deployment
• The Executive Steering Committee has stated that the cloud services need to be
secure, and they asked you what security features you will use to implement security.
• They also want to know if there are any potential security issues with having an app
in the cloud and keeping the database on-premises.
• In order to plan for a secure cloud infrastructure, you need to know the security
options available in your cloud platforms.
• This informs you of what options you have and if there are areas where security is
lacking and needs additional effort.
• You will review the security features of both cloud platforms.
Need for a Compliant Cloud Design
Compliance requirements:
• HIPAA (Health Insurance Portability and Accountability Act).
• Education: FERPA (Federal Education Rights and Privacy Act).
• Email and cloud content: SCA (Stored Communications Act).
• Consumer credit history: FCRA (Fair Credit Reporting Act).
• Children's data and images: COPPA (Children’s Online Privacy Protection Act).
• Internal financial records of public companies: SOX (Sarbanes-Oxley).
• Protection of public data held by federal agencies: FISMA (Federal Information
Security Management Act).
• Payment card data: PCI DSS (Payment Card Industry Data Security Standard).
Governance
Control Objectives for Information and Related Technology (COBIT) includes:
• A framework for implementation and linking governance to business requirements.
• Process descriptions for planning, building, running, and monitoring IT processes.
• Control objectives, which are requirements that are considered necessary for
management of IT services.
• Maturity models that allow for processes to develop, evolve, and be refined.
• Guidelines for management to help assign responsibilities, measure performance,
and define objectives.
Compliance Responsibility
Who is ultimately responsible for meeting regulatory compliance for your cloud: the CSP, or you?
You are.
Cloud Compliance and Governance Issues
Compliance-related issues that must be governed in most regulated industries include:
• CSP compliance with data handling requirements set out by specific regulations
such as PCI DSS or HIPAA.
• Location, recoverability, and retention of data stored in the cloud. You must be able
to locate regulated data, often including the physical device(s) it is stored on.
• Physical and digital security. Data centers where regulated data is stored must meet
physical security requirements.
• Support and procedures for cross-border investigations. Multinational regulated
organizations must comply with different regulations from the national entities they
serve or store data in such as the United States and European Union.
Compliance Audit Requirements
Audit and Compliance Requirements
To meet audit and compliance requirements, an organization will need to follow a
process that uses steps like these:
• Identify compliance requirements such as corporate policies and standards, laws and
regulations, SLAs, etc.
• Implement policies, procedures, processes, and systems to satisfy those compliance
requirements.
• Monitor whether these policies, procedures, and processes are followed diligently.
Guidelines for Determining Organizational
Compliance Needs for Deployment
• Evaluate CSPs for certifications in the areas where your organization must be
compliant.
• Remember that the onus of meeting compliance requirements is on the client.
• Make sure cloud providers offer transparency of their infrastructure to customers.
• Ask CSPs about audit results on their compliant storage practices and security ratings.
• Ask CSPs to review recent compliance certification reports or audits.
• Consider asking businesses in your field or industry that are using cloud services
about their experience maintaining compliance in the cloud.
• When considering compliance needs, ask about and research the following:
  • Scope of compliance needs.
  • CSP compliance certifications.
  • CSP SLAs.
  • Provider solvency and the well-being of their business.
  • Data retention period for regulated data.
  • Incident management.
Activity: Determining Organizational
Compliance Needs for Deployment
• Currently Rudison does not have any apps that have any compliance requirements.
They have a new app that may store some healthcare-related data.
• You will need to research both CSPs to see what compliance options they have.
Reflective Questions
1. How have IT networks and assets you’ve worked with been designed to be
secure?
2. How have systems or data you've worked with had to meet compliance
needs?