Building a Security & Compliance Strategy with the Cloud

Transcription

1 Building a Security & Compliance Strategy with the Cloud

2 AGENDA Introductions Definition and Overview Current Threat Landscape Current Compliance Landscape Shared Responsibility Five Steps Final Thoughts Questions 2

3 SAJEEV PRELIS National Director Risk Management & Security MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC Over 20 years of IT Risk, Compliance, and Data Security experience. 12 years with Accretive Solutions Industries: banking, healthcare, retail, manufacturing, entertainment, oil & gas, telecom, and service providers. JEFF SCHILLING Chief Security Officer ARMOR Former Chief of Operations of the DOD s Global NetOps Center for JTF-GNO (Cyber Command) Former Global SOC Director for U.S. Army Cyber Command Former Director of Global Incident Response, SecureWorks 3

4 ACCRETIVE SOLUTIONS OVERVIEW Accretive Solutions is a national professional services firm providing Consulting, Staffing and Outsourcing solutions to a variety of organizations from start-ups to the Fortune 500. Accounting & Finance Governance & Compliance Information Technology Business Transformation CONSULTING PROFESSIONALS MARKETS NATIONWIDE CLIENTS 4

5 ARMOR OVERVIEW Born in the cloud in ,200 clients in 42 countries 24x7x365 Security Operations Center Data centers in Dallas, Phoenix, London, Amsterdam, and Singapore ISO certified SOC II annual audit AWS Security Competency and Microsoft Azure Gold Partner PCI, HITRUST, GDPR compliance C E R T I F I E D FOR 5

6 6 WHAT IS THE CLOUD

7 CLOUD DEFINITION Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST Definition 7 Three Cloud Service Delivery Models: 1. Infrastructure as a Service (IaaS) 2. Platform as a Service (PaaS) 3. Software as a Service (SaaS) Four Cloud Service Deployment Models 1. Public 2. Private 3. Community 4. Hybrid

8 SECURITY vs. COMPLIANCE Security (Program) A collection of controls designed to mitigate risk and protect data. Compliance Reporting on how your security program meets a minimum specific set of requirements. We can t stress this enough: Security Compliance 8

9 COMPLIANCE-DRIVEN vs. RISK-DRIVEN SECURITY Company A Goal: Bare minimum to meet compliance standard Objective: Maintain the bare minimum to pass compliance audits/assessments Culture: Viewed as additional work to prepare for an audit/assessment. Check the Box for compliance Talent: High IT resource turnover, hard to attract and retain security experience. Assessment Cost and Time: Increases due to lack of compliance in routine areas, can result in frequent extensions and extra reporting to key stakeholders (clients, banks, boards) Risk: High - More potential for incidents/breaches, fines, fraud, poor market reputation, or loss of business Company B Goal: Strong security practices using compliance requirements as a foundation Objective: Keep the company s data secure Culture: Built into standard operating procedures. Compliance becomes a natural byproduct of strong security practices Talent: Low turnover, easy to attract and retain security experience Assessment time and cost: Typically decreases relative to other companies of equal size and industry, makes it easier to achieve multiple compliance standards and increase market reputation / confidence Risk: Low - Less potential for incidents/breaches, good market reputation, increased business opportunities 9

10 10 CURRENT THREAT LANDSCAPE

11 2017 GLOBAL CYBERSECURITY CHALLENGES 40% INCREASE IN HACKS Days Dwell Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks. Per Mandiant M-Trends 2017 report 3.2M 910BN 3.2M RECORD BREACHES YTD 910BN Record breaches in the last 10 years. $355 AVERAGE HEALTHCARE LOSS Healthcare companies lose an average of $355 per each stolen record $4M $4M AVERAGE COST OF DATA BREACH Per Ponemon Institute. Cost of Breaches: $129 AVERAGE TRANSPORTATION LOSS Transportation companies may lose $129 per record 11

12 CURRENT CYBER SECURITY OUTLOOK Cloud Services Internet of Thinks (IoT) Ransomware 2016 TRENDS Known Vulnerabilities Spear Phishing Data Security is being discussed in every board room Companies cannot pass on the responsibility for protecting their data do your due diligence 12

13 DID YOU KNOW? 68% OF FUNDS LOST AS A RESULT OF A CYBER ATTACK WERE DECLARED UNRECOVERABLE 170 DAYS Average time to detect a malicious or criminal attack 176% Increase in the number of cyber attacks, with an average of 138 successful attacks per week. $12.7 MILLION Average annualized cost of a cyber crime attack in the US. 96% increase from 2010 May 12,

14 14 PHISHING EXAMPLE

15 PHISHING EXAMPLE 2 (1) Original Received: Checked separate Docusign application nothing there (2) Sent a separate retyped the client address from CRM Source. (3) Response received seconds after sending: Called the client their account had been compromised. 15

16 Big Data Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions Data, Data Every ware Production Servicers Test Servers Dev Servers Decommissioned servers Backups Third parties Printers, phones, tablets FUN FACT: Google is estimated to hold somewhere between EXABYTES of data. 16

17 17 COMPLIANCE LANDSCAPE

18 COMPLIANCE LANDSCAPE SOC 1 & 2 System Organization Control PCI DSS Payment Card Industry Data Security Standard HITRUST Common Security Framework (CSF) for Healthcare SOX Sarbanes-Oxley 404 HIPAA Health Insurance Portability and Accountability Act FFIEC The Federal Financial Institutions Examination Council ISO International Organization for Standardization FCPA Foreign Corrupt Practices Act FISMA Federal Information Security Management Act NERC CIP Guidelines to help protect power grids. GDPR Replacement to Safe Harbor State Privacy Laws Varies by state 18

19 19 SHARED RESPONSIBILITY CONSIDERATIONS

20 UNDERSTANDING SHARED RESPONSIBILITY 95% OF CLOUD SECURITY FAILURES THROUGH 2020 WILL BE THE CUSTOMERS FAULT. That means the biggest threat to your cloud is you don t know what you don t know. Top Strategic Predictions for 2016 and Beyond Gartner

21 21 FIVE STEPS FOR MAINTAINING COMPLIANCE AND IMPROVING SECURITY PRACTICES

22 KNOW WHAT YOUR SECURING You have to know what you re defending before you can defend it. Through a bit of self-reflection, you can do just that. Questions to ask: What are we securing? (Be thorough) How do we purge data in a secure fashion? How much security do we need? Where do we secure it? (On-premises, cloud) How do we monitor security 22

23 DETERMINE YOUR INTERNAL CAPABILITIES Just like knowing your data, it s critical to know your internal capabilities and limitations. Questions to ask: What is your budget capacity today and in the future? How do you attract and keep sought after resources? How do you train staff on the latest tools and techniques? 23

24 CHOOSE YOUR SERVICE PROVIDER CAREFULLY If you ve elected to outsource services, it s essential that you complete due diligence before handing over your data to a third party. Third party due diligence aspects to consider: Review the provider s shared responsibility matrix to verify covered tasks. You ll be responsible for anything not covered. Verify geographic data housing considerations. 24 Where does the data reside? (On shore vs. Off shore) How effective is their network operations center (NOC)? How good are they at supporting forensic needs (e.g. adequate log details, access to logs, law enforcement support)?

25 MONITOR AND MAINTAIN Maintenance is key when ensuring security and compliance in the cloud. Keeping an eye on the people and processes protecting your data will ensure consistent and reliable coverage. Periodic maintenance includes: Review of vendor responsibility matrices Incorporating proper security controls into your corporate DNA Frequent testing of internal staff on security best practices 25

26 PLAN FOR WHEN NOT IF No matter how much you spend, educate, monitor and plan, you ll neve be 100% secure. However, there is a surefire way to stay ahead of threats. Threat prevention steps: Identify your threat vectors Write / review / test your incident responses / DR BCP / communication plans Test, test and test again Never stop training your employees on the importance of security and the roles they play 26

27 FINAL THOUGHTS Know where you stand: Not everyone is ready to go to the cloud Do your due diligence on your partners Make data security part of your culture Implement a monitoring program Plan for WHEN 27

28 28 QUESTIONS