You, RightScale, and the Universe of Compliance
•Download as PPTX, PDF•
0 likes•411 views
We are in a world of transition. Most of the compliance standards are slow to catch up to this change, and you hear a lot of FUD (Fear, Uncertainty and Doubt) with regards to what you "have to do" to meet them. This talk is about understanding "What" some of the most universal standards are truly asking for, and then discussing "How" can you accomplish this with your environment and RightScale.
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (9)
Similar to You, RightScale, and the Universe of Compliance
Similar to You, RightScale, and the Universe of Compliance (20)
More from RightScale
More from RightScale (20)
Recently uploaded
Recently uploaded (20)
You, RightScale, and the Universe of Compliance
- 1. You, RightScale, and the Universe of Compliance Phil Cox Director of Security and Compliance, RightScale
- 2. 2# SARBANES-OXLEY Massachusetts Privacy Law - 201 CMR 17 Talk with the Experts.
- 3. 3# We are in a world of transition Talk with the Experts.
- 4. 4# From Consumerization of IT and BYOD Talk with the Experts.
- 5. 5# To Arab Summer Talk with the Experts.
- 6. 6# The world around us is changing technically and it affects us all Talk with the Experts.
- 7. 7# Compliance standards are slow to catch up Talk with the Experts.
- 8. 8# PCI - 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Talk with the Experts.
- 9. 9# There is a lot of FUD (Fear, Uncertainty and Doubt) with regards to what you "have to do" to meet them Talk with the Experts.
- 10. 10# This is my point of view from ~15 years of experience as a Consultant/Assessor and a Practitioner … Talk with the Experts.
- 11. 11# We’ll identify what the standards and regulations really “Want” Talk with the Experts.
- 12. 12# We’ll then identify “How” can RightScale help you meet those requirements Talk with the Experts.
- 13. 13# Side Note You need to know if you are you shooting for “letter of the law” or “intent of the law” compliance Talk with the Experts.
- 14. 14# And a way we go … Talk with the Experts.
- 15. 15# Want #1: Governance – Verifiable and Repeatable Talk with the Experts.
- 16. 16# You have identified business drivers and know what you want to accomplish Talk with the Experts.
- 17. 17# You have taken the time to document what you want, so it is repeatable Talk with the Experts.
- 18. 18# You have evidence that you do what you say you do Talk with the Experts.
- 19. 19# How #1 This is your governance structure. I can chat with you, but this is on you. Talk with the Experts.
- 20. 20# Want #2 Build it right – Design and Architecture Talk with the Experts.
- 21. 21# It is entirely possible to design and architect something that is not securable! Talk with the Experts.
- 22. 22# How #2 Engage RightScale Professional Services We ARE as good as it gets! Talk with the Experts.
- 23. 23# How #2 The support portal for webinars and whitepapers Talk with the Experts.
- 24. 24# Want #3 Deploy it correctly and securely Talk with the Experts.
- 25. 25# How #3 Leverage Multi-Cloud Images, ServerTemplates, RightScripts/Chef Templates Talk with the Experts.
- 26. 26# Added advantage Meet governance requirements - Documented with version control Talk with the Experts.
- 27. 27# Want #4 Patch it appropriately Talk with the Experts.
- 28. 28# How #4 Use RightScale to configure the system to be consistent with your process and policy Talk with the Experts.
- 29. 29# Want #5 Audit/Watch what is happening Talk with the Experts.
- 30. 30# How #5 Operational Audit Entries via API or Dashboard Talk with the Experts.
- 31. 31# How #5 Configure syslog/event logs to your SIEM Talk with the Experts.
- 32. 32# Want #6 Proactive vulnerability management Talk with the Experts.
- 33. 33# How #6 Use RightScale to deploy agents (e.g., CloudPassage Halo, TrendMicro Deep Security, etc.) Talk with the Experts.
- 34. 34# How #6 Use RightScale API to get all active internal and external IP’s regardless of Cloud and feed to Vulnerability Scanner (SAINT, Nessus, etc.) Talk with the Experts.
- 35. 35# Want #7 Audit and Review Talk with the Experts.
- 36. 36# How #7 Use the Infrastructure Audit report to show Security Group settings Talk with the Experts.
- 37. 37# Infrastructure Audit report Talk with the Experts.
- 38. 38# How #7 Verify Users and Roles Talk with the Experts.
- 39. 39# Users on an Account Talk with the Experts.
- 40. 40# Want #8 Incident Response and Management Talk with the Experts.
- 41. 41# How #8 RightScale gives you a “single view” into your “IaaS world” Talk with the Experts.
- 42. 42# Want #9 Governance – Evidence Talk with the Experts.
- 43. 43# How #9 RightScale give you Events, Version Control, Self-Documenting configs Talk with the Experts.
- 44. 44# Want #10 You tell me … Anything I missed? Talk with the Experts.
- 45. 45# Questions about RightScale Security? Talk with the Experts.
- 46. 46# Our “Security Questionnaire Response” is the place to start! Talk with the Experts.
- 47. 47# Quick Case Study: CareCloud and HIPAA Talk with the Experts.
- 48. 48# HIPAA data is in datacenter currently Talk with the Experts.
- 49. 49# Customer needs will require moving HIPAA data to cloud Talk with the Experts.
- 50. 50# Q: What is the trick? A: No trick, just proper design Talk with the Experts.
- 51. 51# Punch line: Can do HIPAA in the cloud, just need to design and operate it correctly! Talk with the Experts.
- 52. 52# Questions? Talk with the Experts.
Editor's Notes
- Matt has over 12 years experience operating a variety of different datacenter and cloud environments with a heavy focus on automation, reliability and systems performance.Currently at Nextdoor.com, Matt serves as the primary architect for the Production and Development cloud environments serving thousands of Nextdoor.com private neighborhoods. Before Nextdoor, worked at Netflix in the IT Operations team as the Sr. Systems Architect for an internal cloud project based on Cloud.com and RightScale software/service solutions.
- Is VPN internal? What about SSL VPN? What about HTTPS? Can it be internal on a public multi-tenant system?
- Big problem is that many of the “checkers” are at odds as to what is the right answer.
- Pragmatically is should be the latter, but in reality it is often the former that you will be judged on. Need to keep that in mind.
- With that, here we go …
- The combination allows the complete automation of a “secure as possible” system and application
- Unpatched systems are a MAJOR source of compromise. Using RightScale to ensure that all system are under management correctly is a HUGE win.Question: What percentage of systems that are not running up to date anti-virus?Answer: Zero. There is NO acceptable excuse for out of date softwareSimilarly, there is NO acceptable excuse for a system that is open, unpatched, and unmonitored.Caveat: Mitigating controls – IT IS YOUR RISK ACCEPTANCE – If not patched, then blocked or heavily monitored (pref both)
- Trend Micro OSSEC is a good free solution used by manyMany commercial solutions exist: Splunk, QRadar, …
- With some pre-planning you could use our API to be able to pull massive forensics data on multiple cloud resources to give you huge gains in the forensics process.
- This is available to any current customer or qualified prospect