Why the Cloud can be
Compliant and Secure

       Presented by:
         Jeff Reich
      Chief Risk Officer
    Layered Technologies
Agenda

        ● Abstract Review

        ● Layered Technologies Overview

        ● Speaker Overview

        ● What is a secure cloud?

        ● Table Stakes

        ● Compliance vs Security

        ● Components of Security

Layered Technologies                      Complying To The Higher Standard
Abstract

             This session addresses misconceptions about security in the
             cloud and examines critical differences between compliance
             and security, including how compliance does not always
             ensure secure environments. To establish a secure cloud,
             one must make risk-based decisions that embrace
             compliance but also address practicalities and technical
             capabilities. While achieving compliance is considered
             “table stakes,” cloud security is an investment and must be
             continuous. The audience will learn about key security
             components, such as social engineering, patching, system
             interfaces and more. The presentation will also address the
             importance of grouping similar organizations in the cloud
             because they share common security control needs.



About Layered Tech

            Leadership position in compliant hosting
                     ●  First to offer full PCI support in market (since 2005)
                     ●  Compliance cloud solution with built-in security and controls
                     ●  Comprehensive consulting and audit services (and partners)

            Market-leading cloud/virtualization
                     ●  One of first virtual private data center offers
                     ●  Robust community cloud platform with built-in security and controls

            Tiered managed services for client choice
                     ●  Monitoring up to full management
                     ●  “LT Anywhere” extension

            High-touch and process-driven client support
                     ●  Managed service team specialization
                     ●  Unified system support for problem diagnostics
                     ●  Disciplined change and log management

            Global reach
                     ●  3 primary and 9 secondary data centers

        Only service provider to offer Compliance Guaranteed: our compliance clients
        are guaranteed to pass 100 percent of every IT audit or assessment sanctioned
        by the relevant industry or regulatory entity.

Jeff Reich


            ●  Over 30 years in Cyber Security, Risk Management,
               Physical Security and other areas

            ●  Leadership roles in technology and financial services
               organizations

            ●  Founding member of Cloud Security Alliance

            ●  CRISC, CISSP, CHS-III certifications,…

            ●  ISSA Distinguished Fellow



What is a Secure Cloud?


            ● First, let’s agree on what a cloud is…

            ● 5-4-3

                     ●  5 Essential Characteristics

                     ●  4 Deployment Models

                     ●  3 Service Models


Let’s Agree on the Cloud

            According to NIST:
                       Cloud computing is a model for enabling ubiquitous,
                       convenient, on-demand network access to a shared
                       pool of configurable computing resources (e.g.,
                       networks, servers, storage, applications, and
                       services) that can be rapidly provisioned and
                       released with minimal management effort or service
                       provider interaction. This cloud model is composed
                       of five essential characteristics, three service
                       models, and four deployment models.
                       Source: The NIST Definition of Cloud Computing, Peter Mell and Tim Grance,
                               NIST Special Publication 800-145

5 Essential Characteristics


            ● On-demand self-service

            ● Broad network access

            ● Resource pooling

            ● Rapid elasticity

            ● Measured Service

4 Deployment Models


            ● Private cloud

            ● Community cloud

            ● Public cloud

            ● Hybrid cloud
3 Service Models


            ● Cloud Software as a Service (SaaS)

            ● Cloud Platform as a Service (PaaS)

            ● Cloud Infrastructure as a Service (IaaS)

Table Stakes

          ●  Your compliance needs may include, but are not limited to:
                   ●  PCI-DSS

                   ●  HIPAA

                   ●  FISMA

                   ●  SOX

                   ●  GLB

                   ●  FedRAMP

                   ●  Industry Standards

                   ●  Corporate Policies

                   ●  and many, many more



Compliance vs Security

            [Diagram: two overlapping sets, Compliant Practices and Secure Practices;
             their intersection is labelled Your Best Practices]

Managing Costs Around Controls

            [Chart: vertical axis $, horizontal axis Level of Controls; two curves,
             Potential Losses and Cost of Controls, are plotted against the level of
             controls. The region where they cross is labelled Good Business Sense;
             the far right of the chart, beyond it, is labelled Tree of FUD]

Risk Management in the Cloud

            ●  First mistake of many cloud prospects
                       ●  How am I managing risks now?
                       ●  Risk picture may not improve

            ●  What are the most valuable information or process assets
               for your organization?
                       ●  Disclosure: Confidentiality
                       ●  Modification: Integrity
                       ●  Denial of Access: Availability




Components of Security


            ●  Trust

            ●  Verification

            ●  Policies, Standards, Guidelines and Procedures

            ●  Situational Awareness

            ●  Training

            ●  Testing

            ●  Lather, rinse, repeat,…




Components of Cloud Security


            ●  Trust

            ●  Verification

            ●  Policies, Standards, Guidelines and Procedures

            ●  Situational Awareness

            ●  Training

            ●  Testing

            ●  Lather, rinse, repeat,…




Components of Cloud Security


            Your provider should offer:
            ●  Policies

            ●  Validation

            ●  Transparency

            ●  Demonstration of compliance

            ●  Compliance support



            For more information, see www.cloudsecurityalliance.org


Finding a Cloud Environment


                                Private      Hybrid   Community     Public
       Greater Control
                         IaaS
                         PaaS
                         SaaS
                                                         Greater Exposure

            [Grid: deployment models across the top, service models down the side;
             control is greatest toward the Private/IaaS corner and exposure greatest
             toward the Public/SaaS corner]

Contact Me


            ● Jeff Reich
            ● 972-379-8567
            ● jeff.reich@layeredtech.com
            ● Twitter: @jnreich
            ● Skype: jnreich
            ● www.layeredtech.com