Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Designing a Secure and Compliant Cloud Infrastructure
• Design Cloud Infrastructure for Security
• Determine Organizational Compliance Needs
Responsible Parties in Cloud Environments
• On-premises environment: infrastructure and security services are managed by you.
• Cloud environment: infrastructure and security services are split between those managed by you and those managed by the CSP.
Corporate Security Policies
The security policy might include the following:
• Goals or mission statement for cloud services: One or two sentences that clearly
state the goals for using cloud services.
• Data classification: This is a complex but essential component of a security policy.
Data can be classified a number of ways, but some common classifications are:
• Sensitive corporate data (corporate secrets).
• Data that is protected by law such as personally identifiable information (PII), sensitive
personal information (SPI), and HIPAA-related information.
• Operational data that is used in performance of day-to-day operations.
• Scope: This defines who and what the policy applies to.
• Responsibilities: This section lists, by role and current role-holder name, who is
responsible for key activities.
• Policy statements: These are the specific, discrete statements that make up the
policy.
Questions to Ask When Developing Security Policies
• What services, apps, and data should be put in the cloud? Why?
• What services, apps, and data should not be put in the cloud? Why?
• Is there already a corporate data classification policy that can be leveraged?
• Are there any other applicable policies that can be leveraged?
• How are industry peers handling their policies and making their choices?
• What do standards bodies such as ISO, NIST, or the CSA recommend for security and
data handling policies related to your industry?
• Who should have authority to approve agreements with CSPs, and what type of
approval is required for changes to CSP contracts?
• Where can services and data be physically located?
• What are our options for moving services, apps, and data from one provider to
another, to a private cloud, or back to on-premises?
• Can the CSPs protect corporate sensitive data to the standards defined by the
corporate policy?
• Who can make changes to configuration settings for infrastructure, services, and
apps?
Goals of Securing Cloud Solution Components
Goal and description:
• Abuse and unallowed use of cloud resources: Prevent malicious users, either internal or external, from using your cloud resources for illicit, illegal, or unauthorized activities.
• Breaches and exploitation of shared resources: Protect against weaknesses in cloud technologies that may not have been designed to offer strong isolation in multi-tenant environments.
• Breaches and exploitation of cloud apps: This includes credential theft or gaining access to integrated services and APIs.
• Access to resources by malicious insiders: Cloud solutions must be protected from bad actors within your organization and the CSP.
• Data theft, loss, and leakage: Data theft, loss, or leakage risk is common for both cloud and on-premises deployments.
• Account, service, and traffic hijacking: Exploitation of service or app vulnerabilities can lead to accounts being compromised.
• Unknown risk profile: Since cloud environments are controlled by CSPs, visibility may be reduced, making it difficult to calculate a risk profile and activate proper remediation techniques.
Need for a Holistic Security Approach
Security issue and prevention measure:
• Abuse and unallowed use of cloud resources: Consult with your CSP on how they mitigate these threats.
• Breaches and exploitation of shared resources: Talk with your CSP and ask how each client is isolated from the others in the CSP’s multi-tenant shared infrastructure.
• Breaches and exploitation of cloud apps: Analyze and implement highly secure models for cloud service interfaces, such as strong authentication methods combined with encryption of transmitted data.
• Attacks from malicious insiders: Perform an assessment of your CSP’s hiring practices and policies.
• Data theft, loss, and leakage: Encrypt data in transit between the CSP network and end users.
• Account hijacking: Prohibit the sharing of account credentials among users and across services, both by policy and by design.
• Unknown risk profile: Seek to reduce unknowns by working with your CSP.
Encryption and Decryption
Apply Security to Achieve Defense-In-Depth
• To achieve true defense-in-depth, you must consider all components in use and any
points of vulnerability.
• Implement strong, policy-based management.
• Monitor network activity and review security logs of the system, app, or service and
those of any network security devices in the path of connectivity to it.
• You should also perform, or have a third party perform, occasional vulnerability
scanning and penetration testing.
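The log-review step above, combined with the earlier measure of prohibiting credential sharing by policy and by design, can be turned into a detection rule: one account succeeding from more than a policy-defined number of distinct source addresses inside a short window is flagged for review. The Python below is an added example, not part of the CompTIA slides; the log format, the sample lines, and the thresholds WINDOW and MAX_SOURCES are constructed assumptions.

```python
"""Flag accounts whose successful logins come from too many distinct sources.

Added example, not from the CompTIA slides. The line format
  <ISO timestamp>Z user=<name> src=<ip> result=<success|failure>
is constructed for illustration; real CSP audit logs differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T08:00:10Z user=svc-reports src=10.0.1.15 result=success
2024-05-01T08:02:45Z user=svc-reports src=10.0.1.15 result=success
2024-05-01T08:05:02Z user=alice src=198.51.100.7 result=success
2024-05-01T08:06:30Z user=svc-reports src=203.0.113.40 result=success
2024-05-01T08:07:11Z user=svc-reports src=192.0.2.99 result=success
2024-05-01T08:09:58Z user=bob src=198.51.100.8 result=failure
2024-05-01T09:30:00Z user=alice src=198.51.100.9 result=success
"""

WINDOW = timedelta(minutes=10)  # assumed: look at logins within 10 minutes of each other
MAX_SOURCES = 2                 # assumed policy: more than 2 distinct sources is suspicious


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a parsed 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    rec = dict(pair.split("=", 1) for pair in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_shared_accounts(log_text: str) -> dict[str, set[str]]:
    """Return {user: sources} for every user exceeding MAX_SOURCES inside one WINDOW.

    Only successful logins count: failures from many sources are a different
    signal (password spraying or guessing), not credential sharing.
    """
    events = defaultdict(list)  # user -> [(timestamp, source)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "success":
            events[rec["user"]].append((rec["ts"], rec["src"]))

    flagged: dict[str, set[str]] = {}
    for user, items in events.items():
        items.sort()  # chronological; tuples sort on the timestamp first
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            sources = {src for _, src in items[start:end + 1]}
            if len(sources) > MAX_SOURCES:
                flagged.setdefault(user, set()).update(sources)
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(SAMPLE_LOG).items():
        print(f"REVIEW: {user} seen from {sorted(sources)} within {WINDOW}")
```

In the sample, svc-reports is flagged (three sources in seven minutes) while alice's two logins fall in separate windows and bob's failure is ignored.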
Guidelines for Planning a Secure Cloud Infrastructure
• Consider all components in use and any points of vulnerability.
• Encrypt data while it is in transit using network encryption such as IPSec, SSL/TLS, PKI, or
other technologies.
• Encrypt data that is being backed up.
• Encrypt data while at rest using disk encryption, file encryption, database encryption, and
other technologies.
• Consider encrypting virtual machines.
• Use high bit-strength encryption for PKI and other encryption technologies for extra
security.
• Consider data movement when planning security.
• Disable unneeded ports and services on infrastructure components.
• Create and enforce strict account management policies that include timely account
cleanup and deletion as well as account audits.
• Use host-based, VM-based, and container-based software firewalls as appropriate.
• Install antivirus and anti-malware on VMs and containers.
• Make sure patching is done rapidly after appropriate validation, following security
guidelines.
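As an added example (not from the CompTIA deck), the Python below checks a constructed cloud inventory against several of the guidelines above: TLS for data in transit, encryption at rest and for backups, unneeded open ports, stale accounts, and patch age. The inventory format, the service and account names, and the thresholds ALLOWED_PORTS, MAX_PATCH_AGE_DAYS and MAX_ACCOUNT_IDLE_DAYS are assumptions for illustration.

```python
"""Policy-as-code check of a cloud inventory against the planning guidelines.

Added example, not part of the CompTIA slides. Inventory format and
thresholds are assumed; each check maps to one guideline in the list.
"""
from datetime import date

# Constructed sample inventory (not from any real environment).
INVENTORY = {
    "as_of": "2024-05-01",
    "services": [
        {"name": "web-frontend", "tls_min_version": "1.2",
         "open_ports": [443], "patched_on": "2024-04-20"},
        {"name": "legacy-ftp", "tls_min_version": None,
         "open_ports": [21, 22, 3389], "patched_on": "2023-11-02"},
    ],
    "datastores": [
        {"name": "orders-db", "encrypted_at_rest": True, "backups_encrypted": True},
        {"name": "reports-blob", "encrypted_at_rest": False, "backups_encrypted": False},
    ],
    "accounts": [
        {"user": "alice", "last_login": "2024-04-28", "enabled": True},
        {"user": "contractor-bob", "last_login": "2023-12-15", "enabled": True},
    ],
}

# Assumed policy thresholds for this example organization.
ALLOWED_PORTS = {22, 443}     # ports the policy permits to be exposed
MAX_PATCH_AGE_DAYS = 30       # "patching is done rapidly after validation"
MAX_ACCOUNT_IDLE_DAYS = 90    # "timely account cleanup and deletion"


def _days_between(later: str, earlier: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def check_inventory(inv: dict) -> list[str]:
    """Return one finding per guideline violation; an empty list means compliant."""
    findings = []
    as_of = inv["as_of"]

    for svc in inv["services"]:
        # Guideline: encrypt data in transit; require TLS 1.2 or newer.
        tls = svc["tls_min_version"]
        if tls is None or float(tls) < 1.2:
            findings.append(f"{svc['name']}: data in transit not protected by TLS 1.2+")
        # Guideline: disable unneeded ports and services.
        extra = sorted(set(svc["open_ports"]) - ALLOWED_PORTS)
        if extra:
            findings.append(f"{svc['name']}: unneeded open ports {extra}")
        # Guideline: patch rapidly after validation.
        if _days_between(as_of, svc["patched_on"]) > MAX_PATCH_AGE_DAYS:
            findings.append(f"{svc['name']}: last patched over {MAX_PATCH_AGE_DAYS} days ago")

    for ds in inv["datastores"]:
        # Guideline: encrypt data at rest and data that is being backed up.
        if not ds["encrypted_at_rest"]:
            findings.append(f"{ds['name']}: not encrypted at rest")
        if not ds["backups_encrypted"]:
            findings.append(f"{ds['name']}: backups not encrypted")

    for acct in inv["accounts"]:
        # Guideline: account audits and timely cleanup; flag enabled-but-idle accounts.
        if acct["enabled"] and _days_between(as_of, acct["last_login"]) > MAX_ACCOUNT_IDLE_DAYS:
            findings.append(f"{acct['user']}: enabled but idle over {MAX_ACCOUNT_IDLE_DAYS} days")

    return findings


if __name__ == "__main__":
    for finding in check_inventory(INVENTORY):
        print("FINDING:", finding)
```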
Activity: Planning a Secure Cloud Infrastructure for Deployment
• The Executive Steering Committee has stated that the cloud services need to be
secure, and they asked you what security features you will use to implement security.
• They also want to know if there are any potential security issues with having an app
in the cloud and keeping the database on-premises.
• In order to plan for a secure cloud infrastructure, you need to know the security
options available in your cloud platforms.
• This informs you of what options you have and if there are areas where security is
lacking and needs additional effort.
• You will review the security features of both cloud platforms.
Need for a Compliant Cloud Design
Compliance requirements:
• HIPAA (Health Insurance Portability and Accountability Act).
• Education: FERPA (Federal Education Rights and Privacy Act).
• Email and cloud content: SCA (Stored Communications Act).
• Consumer credit history: FCRA (Fair Credit Reporting Act).
• Children's data and images: COPPA (Children’s Online Privacy Protection Act).
• Internal financial records of public companies: SOX (Sarbanes-Oxley).
• Protection of public data held by federal agencies: FISMA (Federal Information
Security Management Act).
• Payment card data: PCI DSS (Payment Card Industry Data Security Standard).
Governance
Control Objectives for Information and Related Technology (COBIT) includes:
• A framework for implementation and linking governance to business requirements.
• Process descriptions for planning, building, running, and monitoring IT processes.
• Control objectives, which are requirements that are considered necessary for
management of IT services.
• Maturity models that allow for processes to develop, evolve, and be refined.
• Guidelines for management to help assign responsibilities, measure performance,
and define objectives.
Compliance Responsibility
Who is ultimately responsible for meeting regulatory compliance for your cloud: the CSP, or you?
Cloud Compliance and Governance Issues
Compliance-related issues that must be governed in most regulated industries include:
• CSP compliance with data handling requirements set out by specific regulations
such as PCI DSS or HIPAA.
• Location, recoverability, and retention of data stored in the cloud. You must be able
to locate regulated data, often including the physical device(s) it is stored on.
• Physical and digital security. Data centers where regulated data is stored must meet
physical security requirements.
• Support and procedures for cross-border investigations. Multinational regulated
organizations must comply with different regulations from the national entities they
serve or store data in such as the United States and European Union.
Compliance Audit Requirements
(Figure: Compliance Requirements)
Audit and Compliance Requirements
To meet audit and compliance requirements, an organization will need to follow a
process that uses steps like these:
• Identify compliance requirements such as corporate policies and standards, laws and
regulations, SLAs, etc.
• Implement policies, procedures, processes, and systems to satisfy those compliance
requirements.
• Monitor whether these policies, procedures, and processes are followed diligently.
Guidelines for Determining Organizational Compliance Needs for Deployment
• Evaluate CSPs for certifications in the areas where your organization must be
compliant.
• Remember that the onus of meeting compliance requirements is on the client.
• Make sure cloud providers offer transparency of their infrastructure to customers.
• Ask CSPs about audit results on their compliant storage practices and security ratings.
• Ask CSPs to review recent compliance certification reports or audits.
• Consider asking businesses in your field or industry that are using cloud services
about their experience maintaining compliance in the cloud.
• When considering compliance needs, ask about and research the following:
• Scope of compliance needs.
• CSP compliance certifications.
• CSP SLAs.
• Provider solvency and the well-being of their business.
• Data retention period for regulated data.
• Incident management.
Activity: Determining Organizational Compliance Needs for Deployment
• Currently Rudison does not have any apps that have any compliance requirements.
They have a new app that may store some healthcare-related data.
• You will need to research both CSPs to see what compliance options they have.
Reflective Questions
1. How have IT networks and assets you’ve worked with been designed to be
secure?
2. How have systems or data you've worked with had to meet compliance
needs?

093049ov4.pptx

  • 1. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Designing a Secure and Compliant Cloud Infrastructure 1 • Design Cloud Infrastructure for Security • Determine Organizational Compliance Needs
  • 2. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Responsible Parties in Cloud Environments 2 On-premises Environment Cloud Environment Infrastructure and Security Services Managed by You Managed by You Infrastructure and Security Services Managed by CSP
  • 3. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Corporate Security Policies 3 The security policy might include the following: • Goals or mission statement for cloud services: One or two sentences that clearly state the goals for using cloud services. • Data classification: This is a complex but essential component of a security policy. Data can be classified a number of ways, but some common classifications are: • Sensitive corporate data (corporate secrets). • Data that is protected by law such as personally identifiable information (PII), sensitive personal information (SPI), and HIPAA-related information. • Operational data that is used in performance of day-to-day operations. • Scope: This defines who and what the policy applies to. • Responsibilities: The section by role and current role-holder name who is responsible for key activities. • Policy statements: These are the specific, discrete statements that make up the policy.
  • 4. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Questions to Ask When Developing Security Policies 4 • What services, apps, and data should be put in the cloud? Why? • What services, apps, and data should not be put in the cloud? Why? • Is there already a corporate data classification policy that can be leveraged? • Are there any other applicable polices that can be leveraged? • How are industry peers handling their polices and making their choices? • What do standards bodies such as ISO, NIST, or the CSA recommend for security and data handling policies related to your industry? • Who should have authority to approve agreements with CSPs, and what type of approval change is required for CSP contracts? • Where can services and data be physically located? • What are our options for moving services, apps, and data from one provider to another, to a private cloud, or back to on-premises? • Can the CSPs protect corporate sensitive data to the standards defined by the corporate policy? • Who can make changes to configuration settings for infrastructure, services, and apps?
5. Goals of Securing Cloud Solution Components
Goal and description:
• Abuse and unallowed use of cloud resources: Prevent malicious users, either internal or external, from using your cloud resources for illicit, illegal, or unauthorized activities.
• Breaches and exploitation of shared resources: Cloud technologies may not have been designed to offer strong isolation in multi-tenant environments.
• Breaches and exploitation of cloud apps: This includes credential theft or gaining access to integrated services and APIs.
• Access to resources by malicious insiders: Cloud solutions must be protected from bad actors within your organization and the CSP.
• Data theft, loss, and leakage: Data theft, loss, or leakage risk is common for both cloud and on-premises deployments.
• Account, service, and traffic hijacking: Exploitation of service or app vulnerabilities can lead to accounts being compromised.
• Unknown risk profile: Since cloud environments are controlled by CSPs, visibility may be reduced, making it difficult to calculate a risk profile and activate proper remediation techniques.
6. Need for a Holistic Security Approach
Security issue and prevention measure:
• Abuse and unallowed use of cloud resources: Consult with your CSP on how they mitigate these threats.
• Breaches and exploitation of shared resources: Talk with your CSP and ask how each client is isolated from the others in the CSP's multi-tenant shared infrastructure.
• Breaches and exploitation of cloud apps: Analyze and implement highly secure models for cloud service interfaces, such as using strong authentication methods combined with encryption of transmitted data.
• Attacks from malicious insiders: Perform an assessment of your CSP's hiring practices and policies.
• Data theft, loss, and leakage: You should encrypt data to and from the CSP network to end-users.
• Account hijacking: Prohibit the sharing of account credentials among users and across services, both by policy and by design.
• Unknown risk profile: Seek to reduce unknowns by working with your CSP.
7. Encryption and Decryption
8. Apply Security to Achieve Defense-In-Depth
• To achieve true defense-in-depth, you must consider all components in use and any points of vulnerability.
• Implement strong, policy-based management.
• Monitor network activity and review security logs of the system, app, or service and those of any network security devices in the path of connectivity to it.
• You should also perform, or have a third party perform, occasional vulnerability scanning and penetration testing.
9. Guidelines for Planning a Secure Cloud Infrastructure
• Consider all components in use and any points of vulnerability.
• Encrypt data while it is in transit using network encryption such as IPSec, SSL/TLS, PKI, or other technologies.
• Encrypt data that is being backed up.
• Encrypt data while at rest using disk encryption, file encryption, database encryption, and other technologies.
• Consider encrypting virtual machines.
• Use high bit-strength encryption for PKI and other encryption technologies for extra security.
• Consider data movement when planning security.
• Disable unneeded ports and services on infrastructure components.
• Create and enforce strict account management policies that include timely account cleanup and deletion as well as account audits.
• Use host-based, VM-based, and container-based software firewalls as appropriate.
• Install antivirus and anti-malware on VMs and containers.
• Make sure patching is done rapidly after appropriate validation, following security guidelines.
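The checklist above lends itself to a policy-as-code check that runs on a schedule rather than once at design time. The Python script below is an added example, not code from the CompTIA deck: it applies the checklist's encryption-at-rest, TLS version, open-port, patch-age, account-hygiene and host-protection items to a constructed inventory. The inventory, the per-resource-type allowed port lists and the thresholds (30-day patch window, 90-day idle-account limit) are assumptions for illustration.

```python
"""Policy-as-code check of a cloud inventory against the planning guidelines.

Added example (not from the CompTIA deck). The inventory, the allowed
port lists and the day-count thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Resource:
    name: str
    kind: str              # "vm", "container" or "db"
    encrypted_at_rest: bool
    min_tls: str           # lowest TLS version the endpoint accepts, "" if none
    open_ports: List[int]
    last_patched: date
    antimalware: bool
    host_firewall: bool


@dataclass
class Account:
    user: str
    last_login: date
    enabled: bool
    shared: bool           # credential known to be used by more than one person or service


# Assumed policy parameters (illustrative, not from the deck).
ALLOWED_PORTS: Dict[str, set] = {"vm": {22, 443}, "container": {443}, "db": {5432}}
MAX_PATCH_AGE_DAYS = 30
MAX_ACCOUNT_IDLE_DAYS = 90
MIN_TLS = (1, 2)


def _tls_version(v: str):
    return tuple(int(part) for part in v.split("."))


def check_resource(r: Resource, today: date) -> List[str]:
    """Return one finding per guideline the resource violates."""
    findings = []
    if not r.encrypted_at_rest:
        findings.append(f"{r.name}: data at rest is not encrypted")
    if r.min_tls and _tls_version(r.min_tls) < MIN_TLS:
        findings.append(f"{r.name}: accepts TLS {r.min_tls}, below 1.2")
    extra = sorted(set(r.open_ports) - ALLOWED_PORTS.get(r.kind, set()))
    if extra:
        findings.append(f"{r.name}: unneeded ports open: {extra}")
    patch_age = (today - r.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"{r.name}: last patched {patch_age} days ago")
    # Host-level agents apply to VMs and containers; a managed DB has no host to run them on.
    if r.kind in ("vm", "container"):
        if not r.antimalware:
            findings.append(f"{r.name}: no antivirus/anti-malware agent")
        if not r.host_firewall:
            findings.append(f"{r.name}: host-based firewall disabled")
    return findings


def check_account(a: Account, today: date) -> List[str]:
    """Account-management checks: stale enabled accounts and shared credentials."""
    findings = []
    idle = (today - a.last_login).days
    if a.enabled and idle > MAX_ACCOUNT_IDLE_DAYS:
        findings.append(f"{a.user}: enabled but idle for {idle} days, review or disable")
    if a.shared:
        findings.append(f"{a.user}: credential shared across users or services")
    return findings


def audit(resources, accounts, today: date) -> List[str]:
    findings = []
    for r in resources:
        findings.extend(check_resource(r, today))
    for a in accounts:
        findings.extend(check_account(a, today))
    return findings


# Constructed sample inventory.
TODAY = date(2019, 6, 1)
SAMPLE_RESOURCES = [
    Resource("web-vm-1", "vm", True, "1.2", [22, 443], date(2019, 5, 20), True, True),
    Resource("legacy-vm-2", "vm", False, "1.0", [22, 443, 3389, 8080], date(2019, 1, 15), False, True),
    Resource("orders-db", "db", True, "1.2", [5432], date(2019, 5, 25), False, False),
]
SAMPLE_ACCOUNTS = [
    Account("alice", date(2019, 5, 30), True, False),
    Account("contractor-old", date(2018, 12, 1), True, False),
    Account("svc-shared", date(2019, 5, 31), True, True),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RESOURCES, SAMPLE_ACCOUNTS, TODAY):
        print(line)
```

Run as a script it prints seven findings for the sample: five against the legacy VM (no encryption at rest, TLS 1.0, RDP and 8080 exposed, patching overdue, no anti-malware) and two against accounts (an idle contractor login and a shared service credential). In practice the inventory would be pulled from the CSP's API, and each finding maps back to the guideline it enforces, which is what makes the check auditable.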
10. Activity: Planning a Secure Cloud Infrastructure for Deployment
• The Executive Steering Committee has stated that the cloud services need to be secure, and they asked you what security features you will use to implement security.
• They also want to know if there are any potential security issues with having an app in the cloud and keeping the database on-premises.
• In order to plan for a secure cloud infrastructure, you need to know the security options available in your cloud platforms.
• This informs you of what options you have and whether there are areas where security is lacking and needs additional effort.
• You will review the security features of both cloud platforms.
11. Need for a Compliant Cloud Design
Compliance requirements:
• HIPAA (Health Insurance Portability and Accountability Act).
• Education: FERPA (Federal Education Rights and Privacy Act).
• Email and cloud content: SCA (Stored Communications Act).
• Consumer credit history: FCRA (Fair Credit Reporting Act).
• Children's data and images: COPPA (Children's Online Privacy Protection Act).
• Internal financial records of public companies: SOX (Sarbanes-Oxley).
• Protection of public data held by federal agencies: FISMA (Federal Information Security Management Act).
• Payment card data: PCI DSS (Payment Card Industry Data Security Standard).
12. Governance
Control Objectives for Information and Related Technology (COBIT) includes:
• A framework for implementation and linking governance to business requirements.
• Process descriptions for planning, building, running, and monitoring IT processes.
• Control objectives, which are requirements that are considered necessary for management of IT services.
• Maturity models that allow for processes to develop, evolve, and be refined.
• Guidelines for management to help assign responsibilities, measure performance, and define objectives.
13. Compliance Responsibility
Who is ultimately responsible for meeting regulatory compliance for your cloud? You are, or the CSP?
14. Cloud Compliance and Governance Issues
Compliance-related issues that must be governed in most regulated industries include:
• CSP compliance with data handling requirements set out by specific regulations such as PCI DSS or HIPAA.
• Location, recoverability, and retention of data stored in the cloud. You must be able to locate regulated data, often including the physical device(s) it is stored on.
• Physical and digital security. Data centers where regulated data is stored must meet physical security requirements.
• Support and procedures for cross-border investigations. Multinational regulated organizations must comply with different regulations from the national entities they serve or store data in, such as the United States and the European Union.
15. Compliance Audit Requirements
[Figure: Compliance Requirements]
16. Audit and Compliance Requirements
To meet audit and compliance requirements, an organization will need to follow a process that uses steps like these:
• Identify compliance requirements such as corporate policies and standards, laws and regulations, SLAs, etc.
• Implement policies, procedures, processes, and systems to satisfy those compliance requirements.
• Monitor whether these policies, procedures, and processes are followed diligently.
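The three steps above (identify requirements, implement controls, monitor them) are what an auditor will ask you to evidence, and the usual way to keep them honest is a traceability matrix: each requirement points at the controls that satisfy it, and each control points at the most recent monitoring result. The Python below is an added example, not from the deck. The requirement, control and evidence records are constructed, the 90-day evidence freshness window is an assumption, and the report lists requirements with no control (step 1 to 2 gap), controls with no, failing or stale evidence (step 3 gap), and the requirements those gaps leave at risk.

```python
"""Requirement -> control -> evidence traceability for an audit cycle.

Added example (not from the CompTIA deck). All records below are
constructed; the 90-day evidence freshness window is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    req_id: str
    source: str                  # regulation, corporate policy, SLA, ...
    text: str


@dataclass(frozen=True)
class Control:
    ctrl_id: str
    description: str
    satisfies: Tuple[str, ...]   # requirement ids this control implements


@dataclass(frozen=True)
class Evidence:
    ctrl_id: str
    checked_on: date
    passed: bool


MAX_EVIDENCE_AGE_DAYS = 90   # assumed: older evidence no longer counts as "monitored"


def gap_report(requirements, controls, evidence, today: date) -> Dict[str, List[str]]:
    """Requirements nobody claims to satisfy, plus controls whose monitoring is missing, failing or stale."""
    covered = {rid for c in controls for rid in c.satisfies}
    uncovered = sorted(r.req_id for r in requirements if r.req_id not in covered)

    # Keep only the newest evidence record per control.
    latest: Dict[str, Evidence] = {}
    for e in evidence:
        if e.ctrl_id not in latest or e.checked_on > latest[e.ctrl_id].checked_on:
            latest[e.ctrl_id] = e

    unmonitored, failing, stale = [], [], []
    for c in controls:
        e = latest.get(c.ctrl_id)
        if e is None:
            unmonitored.append(c.ctrl_id)
        elif not e.passed:
            failing.append(c.ctrl_id)
        elif (today - e.checked_on).days > MAX_EVIDENCE_AGE_DAYS:
            stale.append(c.ctrl_id)
    return {"uncovered_requirements": uncovered, "unmonitored_controls": unmonitored,
            "failing_controls": failing, "stale_controls": stale}


def requirements_at_risk(requirements, controls, report) -> List[str]:
    """Requirements with no control, or whose every supporting control lacks current passing evidence."""
    bad = (set(report["unmonitored_controls"]) | set(report["failing_controls"])
           | set(report["stale_controls"]))
    at_risk = set(report["uncovered_requirements"])
    for r in requirements:
        supporting = [c for c in controls if r.req_id in c.satisfies]
        if supporting and all(c.ctrl_id in bad for c in supporting):
            at_risk.add(r.req_id)
    return sorted(at_risk)


# Constructed sample records.
TODAY = date(2019, 6, 1)
REQUIREMENTS = [
    Requirement("R1", "HIPAA", "Health data is encrypted at rest"),
    Requirement("R2", "HIPAA", "Access to health data is logged and reviewed"),
    Requirement("R3", "Corporate policy", "Regulated data is stored only in approved regions"),
    Requirement("R4", "SLA", "Backups are restorable within 24 hours"),
]
CONTROLS = [
    Control("C1", "Storage-level encryption enabled on all volumes and buckets", ("R1",)),
    Control("C2", "Audit logs forwarded to the central log platform", ("R2",)),
    Control("C3", "Quarterly access review of health-data roles", ("R2",)),
    Control("C4", "Deployment policy restricts resources to approved regions", ("R3",)),
]
EVIDENCE = [
    Evidence("C1", date(2019, 5, 15), True),
    Evidence("C2", date(2019, 1, 10), True),    # older than 90 days: stale
    Evidence("C4", date(2019, 5, 28), False),   # last check failed
]

if __name__ == "__main__":
    report = gap_report(REQUIREMENTS, CONTROLS, EVIDENCE, TODAY)
    print(report)
    print("requirements at risk:", requirements_at_risk(REQUIREMENTS, CONTROLS, report))
```

For the sample, R4 has no control at all, C3 has never been evidenced, C4 failed its last check and C2's evidence is out of date, so R2, R3 and R4 come out at risk while R1 is clean. Splitting "no evidence", "failed" and "stale" matters in practice: each is a different remediation owner and a different conversation with the auditor.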
17. Guidelines for Determining Organizational Compliance Needs for Deployment
• Evaluate CSPs for certifications in the areas where your organization must be compliant.
• Remember that the onus of meeting compliance requirements is on the client.
• Make sure cloud providers offer transparency of their infrastructure to customers.
• Ask CSPs about audit results on their compliant storage practices and security ratings.
• Ask CSPs to review recent compliance certification reports or audits.
• Consider asking businesses in your field or industry that are using cloud services about their experience maintaining compliance in the cloud.
• When considering compliance needs, ask about and research the following:
  • Scope of compliance needs.
  • CSP compliance certifications.
  • CSP SLAs.
  • Provider solvency and the well-being of their business.
  • Data retention period for regulated data.
  • Incident management.
18. Activity: Determining Organizational Compliance Needs for Deployment
• Currently Rudison does not have any apps that have any compliance requirements. They have a new app that may store some healthcare-related data.
• You will need to research both CSPs to see what compliance options they have.
19. Reflective Questions
1. How have IT networks and assets you've worked with been designed to be secure?
2. How have systems or data you've worked with had to meet compliance needs?