Cloud controls final2

6fusion and Network Box webinar on the cloud security controls required by regulations, standards and frameworks such as HIPAA/HITECH, FedRAMP, PCI DSS and the CSA Cloud Controls Matrix (CCM).

  1. Do you know your cloud controls? A close look at regulatory requirements for cloud security
     Steven Wolford, Director, Information Security, 6fusion (swolford@6fusion.com)
     Chad Walter, Director, Channel Development, Network Box USA (cwalter@networkboxusa.com)
  2. Today's Agenda
     • Introduction
     • What is cloud?
     • Who controls cloud?
     • Cloud types
     • Standards impacting security
       • CSA CCM
       • FedRAMP
       • PCI
       • HIPAA
     • How it all fits together
     • Q&A
  3. Who We Are
     6fusion: 6fusion breaks down traditional IT boundaries by delivering universal metering and access to global IT infrastructure. Its unique metering algorithm, the Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.
     Network Box USA: Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.
     This is the second in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
  4. What is "Cloud"
     [Diagram: cloud reference architecture with five actors: Cloud Consumer, Cloud Auditor, Cloud Broker, Cloud Provider and Cloud Carrier.
      Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit.
      Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage.
      Cloud Provider: Service Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility), Cloud Service Management (Business Support; Provisioning / Configuration; Portability / Interoperability), Security, Privacy.]
  5. Who Controls "Cloud"
     [Diagram: the stack from the Cloud Consumer at the top to the Cloud Provider at the bottom, showing which party controls each layer under each service model.]

     Layer                    SaaS       PaaS       IaaS
     Application Layer        Provider   Consumer   Consumer
     Middleware Layer         Provider   Provider   Consumer
     Operating System Layer   Provider   Provider   Consumer
     Physical Layer           Provider   Provider   Provider

     The physical layer always remains with the provider; moving from SaaS to PaaS to IaaS hands progressively more of the stack, and therefore more of the control responsibility, to the consumer.
  6. Public Cloud
     A cloud service accessible from the Internet. Public consumers access workloads from the Internet; enterprise consumers access workloads from their enterprise networks.
  7. Private Cloud
     [Diagram: a Private Cloud inside the Enterprise Network.]
  8. Community Cloud
     A community is defined as groups of consumers with similar interests, control sets, performance characteristics or other such commonality.
     [Diagram: Group A, Group B and Group C sharing a cloud that is hosted either by a Public Cloud Provider or as a Private Cloud.]
  9. Hybrid Cloud
     [Diagram: a composition of On-site Private Clouds, an Outsourced Private Cloud, an On-site Community Cloud, an Outsourced Community Cloud and Public Clouds.]
  10. Know the Rules
      • Regulation
        • FedRAMP
        • PCI DSS v2.0
        • HIPAA / HITECH
      • Standard
        • SSAE 16 SOC 2
        • ISO/IEC 27001:2005
      • Framework
        • CSA CCM
        • COBIT 4.1
  11. CSA CCM / CAIQ
      On the Cloud Controls Matrix (CCM): "As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry."
      The Consensus Assessments Initiative Questionnaire (CAIQ) "provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of 'yes or no' control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements."
  12. CCM – Control Areas
      Each area is plotted on the slide on a scale from Provider responsibility to Consumer responsibility, with the number of controls in that area:
      • Compliance (6 controls)
      • Data Governance (8 controls)
      • Facility Security (8 controls)
      • Human Resources (3 controls)
      • Information Security (34 controls)
      • Legal (2 controls)
      • Operations Management (4 controls)
      • Risk Management (5 controls)
      • Release Management (5 controls)
      • Resiliency (8 controls)
      • Security Architecture (15 controls)
  13. FedRAMP
      Federal Risk and Authorization Management Program: "a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services."
  14. FedRAMP – Control Areas
      The control families, again plotted on the slide between Provider and Consumer responsibility:
      • Access Control (17 controls)
      • Awareness and Training (4 controls)
      • Audit and Accountability (12 controls)
      • Assessment and Authorization (6 controls)
      • Configuration Management (9 controls)
      • Contingency Planning (9 controls)
      • Identification and Authentication (8 controls)
      • Incident Response (8 controls)
      • Maintenance (6 controls)
      • Media Protection (6 controls)
      • Physical and Environmental (18 controls)
      • Planning (5 controls)
      • Personnel Security (8 controls)
      • Risk Assessment (4 controls)
      • Systems Acquisition (12 controls)
      • Systems Communication (24 controls)
      • System and Information Integrity (12 controls)
  15. Payment Card Industry
      "Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data."
  16. PCI – Control Areas
      The twelve PCI DSS requirements, plotted on the slide between Provider and Consumer responsibility:
      • Firewall
      • Default passwords
      • Stored cardholder data
      • Encrypt transmission
      • Anti-virus
      • Secure systems / applications
      • Restrict access
      • Unique IDs
      • Physical access
      • Track and monitor access
      • Test
      • Personnel security
  17. HIPAA: A Brief History of Healthcare Security Regulation
      HIPAA (Health Insurance Portability and Accountability Act). A regulation is born: passed in 1996 to simplify the administrative processes surrounding the increasing amounts of ePHI. The goal of HIPAA was to protect patients' confidentiality while enabling healthcare organizations to pursue initiatives that furthered innovation and patient care. The Security Rule was enacted 2/20/03 and provided administrative, technical and physical safeguards. However, enforcement was very limited.
      HITECH (Health Information Technology for Economic and Clinical Health, part of the American Recovery and Reinvestment Act). HIPAA gets some teeth: HITECH contains specific incentives designed to accelerate the adoption of EHR systems. It broadens the scope of protections listed under HIPAA and increases penalties for non-compliance. HITECH extended the Security Rule to include:
      • Civil penalties
      • Business associates (BAs) must comply
      • Breach notifications are mandatory
      Meaningful Use (Meaningful Use guidelines for EHR, 2010). And gains some incentives: CMS' Meaningful Use program provides incentive payouts for efficient EHR use. The program provides further incentives to encourage HIPAA / HITECH compliance. Meaningful Use includes 15 core measures. The program is funded with $27bn over 4 years to cover attestations.
  18. HIPAA – Control Areas
      Plotted on the slide between Provider and Consumer responsibility:
      • Administrative Safeguards (30 controls)
      • Physical Safeguards (12 controls)
      • Technical Safeguards (12 controls)
      • Organizational Safeguards (12 controls)
  19. Shared Responsibility
      [Diagram only.]
  20. Integrated Compliance
      Taking requirements:
      • FISMA/FedRAMP
      • PCI
      • HIPAA
      • ISO
      • Other requirements
      Identifying common controls:
      • Access controls
      • Passwords
      • Encryption
      • Training
      • Risk assessments
      Documentation:
      • Document policy, controls, and criteria that meet minimum requirements across standards
      • Integrated Control Framework
      Execute integrated program:
      • Identify data sources
      • Define & assess risk
      • Develop & implement controls
      • Audit & correct
      • Enforce, monitor & support
  21. Questions
  22. Thank You!
      Resources:
      • FedRAMP: http://www.gsa.gov/portal/category/102371
      • Cloud Security Alliance: https://cloudsecurityalliance.org/
      • PCI: https://www.pcisecuritystandards.org/
      • HIPAA: http://www.hhs.gov/ocr/privacy/
      What's next? 3rd webinar in the series:
      • Timing: Early May
      • Topic: Baselining and advancing your security posture
      • Details: You tell us...
      What do you want to hear about in the next webinar? Email us at marketing@6fusion.com with your ideas!
