Bryan Langston - Director of Architecture
Bryan leads the global architecture practice at Mirantis. He and
his team consult with companies of all sizes across all industries
to design world-class open cloud solutions.
Jason James - Director of Security
Jason has worked in information security for over 20 years. His professional background ranges from the military to the commercial sector as a Global CISO. He has focused on the GRC areas for most of his career, helping companies become and
Navigating a Cloud Security Program
1. Align with a framework
2. Understand the objective of an
3. Understand the burden of proof for
4. Distinguish policy from process from
5. RACI: Who does what?
The right tool is the one that works for you
3rd party / proprietary
Which one should I use?
File Integrity Monitoring
What is it? The activity associated with monitoring changes in an operating system or application software from a known baseline.
● Cloud Control Matrix (CCM) control spec for AIS-04:
○ Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business functions to prevent improper disclosure, alteration, or destruction.
● Solutions: auditd+rules, Wazuh, CloudPassage…
● Examples of resources to monitor: Linux password db, search paths, sudo config, SSHD config, Linux filesystem deletes...
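The "known baseline" idea above, as an added example (not code from the webinar or from any of the tools it names): record a hash, mode and owner for each watched file, persist that as the baseline, and later diff the live state against it to surface modified, deleted and newly created files. The watch list paths are assumptions modelled on the resources the slide lists.

```python
import hashlib
import json
from pathlib import Path

# Assumed watch list, modelled on the slide's examples (password db,
# sudo config, SSHD config). Adjust to the baseline you actually own.
DEFAULT_WATCHLIST = ["/etc/passwd", "/etc/shadow", "/etc/sudoers",
                     "/etc/ssh/sshd_config"]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths) -> dict:
    """Snapshot hash, permission bits and owner; a missing path is recorded as None."""
    snapshot = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            snapshot[str(p)] = {"sha256": sha256_of(p),
                                "mode": oct(st.st_mode & 0o7777),
                                "uid": st.st_uid}
        else:
            snapshot[str(p)] = None  # tracked but absent (e.g. later created)
    return snapshot


def save_baseline(snapshot: dict, out: Path) -> None:
    out.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every tracked path as modified, deleted, created or unchanged."""
    findings = {"modified": [], "deleted": [], "created": [], "unchanged": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None and new is None:
            continue  # absent both times: nothing to report
        if old is None:
            findings["created"].append(path)
        elif new is None:
            findings["deleted"].append(path)
        elif old != new:  # any of hash, mode or owner differs
            findings["modified"].append(path)
        else:
            findings["unchanged"].append(path)
    return findings
```

Run `compare(load_baseline(Path("baseline.json")), build_baseline(DEFAULT_WATCHLIST))` from a scheduled job and forward anything outside `unchanged` to your ticketing or SIEM pipeline; the baseline file itself must live where the monitored host cannot rewrite it.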
What is it? A defined configuration state
● CCM control spec for Governance and Risk Management (GRM-01):
○ Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
○ Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use.
○ Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business
● Solutions: Custom scripts/automation, CIS benchmarks, OpenSCAP + OVAL, XCCDF
Elevated Privilege Management
What is it? Authentication and tracking use of root permissions.
● CCM control spec for Infrastructure & Virtualization Security Audit Logging / Intrusion Detection (IVS-01):
○ Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security
● Solutions: 3rd party tools, Beyond Trust, monitoring agents,
What is it? Tracking the 7 W’s of audit and compliance: who, what, where, when, on what, from where, and where to.
● CCM control spec for Data Security & Information Lifecycle Management Classification (DSI-01):
○ Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization
● Solutions: Cloud Audit Data Framework (CADF)
● The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps “humanize” security language
● Interpret controls to your use case
● Implement tools you can defend
● Document your process
● Maintain evidence of process performance
Download the slides from bit.ly/mirantis-compliance-webinar
Watch the webinar recording at