You, RightScale, and the Universe of Compliance

We are in a world of transition. Most compliance standards are slow to catch up with this change, and you hear a lot of FUD (Fear, Uncertainty and Doubt) about what you "have to do" to meet them. This talk is about understanding what some of the most universal standards are truly asking for, and then discussing how you can accomplish this with your environment and RightScale.

Published in: Technology

  1. You, RightScale, and the Universe of Compliance. Phil Cox, Director of Security and Compliance, RightScale
  2. SARBANES-OXLEY; Massachusetts Privacy Law - 201 CMR 17. Talk with the Experts.
  3. We are in a world of transition
  4. From Consumerization of IT and BYOD
  5. To Arab Summer
  6. The world around us is changing technically and it affects us all
  7. Compliance standards are slow to catch up
  8. PCI - 1.1.3: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
  9. There is a lot of FUD (Fear, Uncertainty and Doubt) with regards to what you "have to do" to meet them
  10. This is my point of view from ~15 years of experience as a Consultant/Assessor and a Practitioner …
  11. We’ll identify what the standards and regulations really “Want”
  12. We’ll then identify “How” RightScale can help you meet those requirements
  13. Side Note: You need to know if you are shooting for “letter of the law” or “intent of the law” compliance
  14. And away we go …
  15. Want #1: Governance – Verifiable and Repeatable
  16. You have identified business drivers and know what you want to accomplish
  17. You have taken the time to document what you want, so it is repeatable
  18. You have evidence that you do what you say you do
  19. How #1: This is your governance structure. I can chat with you, but this is on you.
  20. Want #2: Build it right – Design and Architecture
  21. It is entirely possible to design and architect something that is not securable!
  22. How #2: Engage RightScale Professional Services. We ARE as good as it gets!
  23. How #2: The support portal for webinars and whitepapers
  24. Want #3: Deploy it correctly and securely
  25. How #3: Leverage Multi-Cloud Images, ServerTemplates, RightScripts/Chef Templates
  26. Added advantage: Meet governance requirements - Documented with version control
  27. Want #4: Patch it appropriately
  28. How #4: Use RightScale to configure the system to be consistent with your process and policy
  29. Want #5: Audit/Watch what is happening
  30. How #5: Operational Audit Entries via API or Dashboard
  31. How #5: Configure syslog/event logs to your SIEM
  32. Want #6: Proactive vulnerability management
  33. How #6: Use RightScale to deploy agents (e.g., CloudPassage Halo, TrendMicro Deep Security, etc.)
  34. How #6: Use the RightScale API to get all active internal and external IPs regardless of Cloud and feed them to a Vulnerability Scanner (SAINT, Nessus, etc.)
  35. Want #7: Audit and Review
  36. How #7: Use the Infrastructure Audit report to show Security Group settings
  37. Infrastructure Audit report
  38. How #7: Verify Users and Roles
  39. Users on an Account
  40. Want #8: Incident Response and Management
  41. How #8: RightScale gives you a “single view” into your “IaaS world”
  42. Want #9: Governance – Evidence
  43. How #9: RightScale gives you Events, Version Control, Self-Documenting configs
  44. Want #10: You tell me … Anything I missed?
  45. Questions about RightScale Security?
  46. Our “Security Questionnaire Response” is the place to start!
  47. Quick Case Study: CareCloud and HIPAA
  48. HIPAA data is in the datacenter currently
  49. Customer needs will require moving HIPAA data to the cloud
  50. Q: What is the trick? A: No trick, just proper design
  51. Punch line: You can do HIPAA in the cloud, you just need to design and operate it correctly!
  52. Questions?