
Demystifying Cloud Security Compliance

Mirantis webinar about cloud security compliance. Watch the recording at


Demystifying Cloud Security Compliance

  1. Demystifying Cloud Security Compliance. WEBINAR | August 28, 2019. Copyright © 2019 Mirantis, Inc. All rights reserved.
  2. Presenters
     Bryan Langston - Director of Architecture. Bryan leads the global architecture practice at Mirantis. He and his team consult with companies of all sizes across all industries to design world-class open cloud solutions.
     Jason James - Director of Security. Jason has worked in the information security realm for over 20 years. His professional background has ranged from the military to the commercial realm as a Global CISO. He has focused on the GRC areas for most of his career, helping companies become and stay compliant.
  3. A little housekeeping
     ● Please submit questions in the Questions panel.
     ● We’ll provide a link where you can download the slides at the end of the webinar.
  4. Agenda
     ● Navigating a Cloud Security Program
     ● Tools Selection
     ● File Integrity Monitoring
     ● Security Baseline
     ● Elevated Privilege Management
     ● Event Auditing
  5. Audience Poll
  6. Navigating a Cloud Security Program
     1. Align with a framework
     2. Understand the objective of an auditor
     3. Understand the burden of proof for each control
     4. Distinguish policy from process from technology
     5. RACI: Who does what?
  7. Tools Selection
     Which one should I use? Open source vs. 3rd party / proprietary vs. home grown. The right tool is the one that works for you.
  8. File Integrity Monitoring
     What is it? The activity associated with monitoring changes in an operating system or application software from a known baseline.
     ● Cloud Controls Matrix (CCM) control spec for AIS-04:
       ○ Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business functions to prevent improper disclosure, alteration, or destruction.
     ● Solutions: auditd + rules, Wazuh, CloudPassage…
     ● Examples of resources to monitor: Linux password db, search paths, sudo config, SSHD config, Linux filesystem deletes...
  9. Security Baselines
     What is it? A defined configuration state.
     ● CCM control spec for Governance and Risk Management (GRM-01):
       ○ Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
       ○ Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use.
       ○ Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
     ● Solutions: Custom scripts/automation, CIS benchmarks, OpenSCAP + OVAL, XCCDF
  10. Elevated Privilege Management
     What is it? Authentication and tracking use of root permissions.
     ● CCM control spec for Infrastructure & Virtualization Security Audit Logging / Intrusion Detection (IVS-01):
       ○ Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
     ● Solutions: 3rd party tools, BeyondTrust, monitoring agents, log monitoring
  11. Event Auditing
     What is it? Tracking the 7 W’s of audit and compliance: who, what, where, when, on what, from where, and where to.
     ● CCM control spec for Data Security & Information Lifecycle Management Classification (DSI-01):
       ○ Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
     ● Solutions: Cloud Audit Data Framework (CADF)
  12. Summary
     ● The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps “humanize” security language
     ● Interpret controls to your use case
     ● Implement tools you can defend
     ● Document your process
     ● Maintain evidence of process performance
  13. Thank You! Q&A
     Download the slides from
     Watch the webinar recording at
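Slides 8 and 11 above pair auditd watch rules on files like the sudo and SSHD configs with the who/what/when/on-what questions of event auditing. The following is an added example, not from the webinar or from Mirantis, that correlates each auditd SYSCALL record with its PATH records so a reviewer can answer those questions per touched file; the rule keys `sudo_config` and `sshd_config` and every value in the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit.log format (not from the webinar).
# Assumed watch rules: -w /etc/sudoers -p rwa -k sudo_config
#                      -w /etc/ssh/sshd_config -p wa -k sshd_config
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1567000000.101:310): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2201 auid=1000 uid=0 euid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="sudo_config"
type=PATH msg=audit(1567000000.101:310): item=0 name="/etc/sudoers" inode=131 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1567000000.250:311): arch=c000003e syscall=87 success=yes exit=0 ppid=2200 pid=2210 auid=1000 uid=0 euid=0 tty=pts0 comm="rm" exe="/usr/bin/rm" key="sshd_config"
type=PATH msg=audit(1567000000.250:311): item=0 name="/etc/ssh/" inode=12 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1567000000.250:311): item=1 name="/etc/ssh/sshd_config" inode=140 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1567000000.300:312): arch=c000003e syscall=257 success=no exit=-13 ppid=3000 pid=3001 auid=1001 uid=1001 euid=1001 tty=pts1 comm="cat" exe="/usr/bin/cat" key="sudo_config"
type=PATH msg=audit(1567000000.300:312): item=0 name="/etc/sudoers" inode=131 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group records by audit serial: one SYSCALL record plus its PATH records."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record (blank or truncated line)
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields)  # PARENT is the directory, not the watched file
    return events

def summarize(text):
    """One row per touched file: who (auid), what (exe), when, from where (tty), on what, outcome."""
    rows = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["syscall"]
        for p in ev["paths"]:
            rows.append({"serial": serial, "when": ev["time"],
                         "who": sc.get("auid"), "as_uid": sc.get("euid"),
                         "from": sc.get("tty"), "what": sc.get("exe"), "on": p.get("name"),
                         "action": "delete" if p.get("nametype") == "DELETE" else "access",
                         "success": sc.get("success") == "yes", "key": sc.get("key")})
    return rows
```

The rows that matter for the evidence trail are the DELETE of sshd_config and the failed (`success=no`) read of the sudoers file by a non-root login uid; the `auid` field is what ties a root-level action back to the person who logged in, which is the accountability IVS-01 asks for.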