COMPLIANCE IN THE CLOUD


COMPLIANCE IN THE CLOUD
3:45-4:30 PM
Scott Edwards, President, Summit 7
Dave Harris, Society for International Affairs

COMPLIANCE IN THE CLOUD
Scott Edwards
scott.edwards@summit7systems.com
256-541-9638
Society for International Affairs

WHAT DOES IT TAKE TO GET A COMPLIANT PLATFORM?
A compliant platform sits at the intersection of four inputs:
- Corporate technology policies
- Corporate security policies
- Functional, technical and compliance requirements
- Chosen platform capabilities

DFARS 252.204-7012
87% of all DoD contracts awarded in 2017 carried the clause.

3 major components:
1. Provide adequate security on all covered contractor information systems
   - FedRAMP Moderate (for any cloud service provider used)
   - NIST SP 800-171, with mapping to the relevant NIST SP 800-53 security controls
2. Rapidly report cyber incidents to DoD at http://dibnet.dod.mil
   - within 72 hours of discovery
   - a DoD-approved medium assurance certificate is required to submit the report
3. Contract flowdown requirements (the clause must be flowed down to subcontractors)

Key dates:
- December 31, 2017
- December 31, 2018 (FAR changes)

CUI / CDI
CUI, CDI and CTI may be provided by the Government or developed in the performance of a contract.
24 categories / 83 subcategories are listed in the CUI Registry at https://www.archives.gov/cui

2 categories that almost all companies have:
- Controlled Technical Information (DoD 5230.24, Distribution Statements on Technical Documents): engineering drawings and data, technical reports, specifications, data sets, analyses, etc.
- Procurement and Acquisition Information: ANY information related to acquisition actions, e.g. cost and pricing information, contract information, indirect costs and direct labor rates

CUI Basic
- Protect CUI Basic at the Moderate level with the controls in NIST SP 800-171.

CUI Specified (ITAR / HIPAA / etc.)
- May only be upgraded to CUI Specified by a designating agency.
- May require additional controls beyond NIST SP 800-171 and FISMA Moderate.

WHAT DOES ADEQUATE SECURITY MEAN?
Type 1: system operated on behalf of the Government
- Must comply with DFARS 252.239-7010 (Cloud Computing Services)
- Calls out the DISA Cloud Computing Security Requirements Guide (SRG) v1r3
- Specifies that the NIST SP 800-53 r4 control set must be used
- If leveraging a cloud service provider, the CSP must be FedRAMP Moderate and SRG Impact Level 4

Type 2: system operated by a contractor, but not on behalf of the Government
- Specifies that the NIST SP 800-171 control set must be used
- If leveraging a cloud service provider, the CSP must meet the FedRAMP Moderate baseline (or security requirements equivalent to it)

NIST SP 800-171 DFARS/FAR TIMELINE (2015 to 2018)

DoD track (DFARS 252.204-7012):
- 2015: DoD agencies begin a 2-year effort of implementing and requiring NIST SP 800-171; new contracts and modifications add DFARS 7012 to DoD contracts.
- December 31, 2017: DFARS 7012 requires full compliance with NIST SP 800-171. Must have an SSP (System Security Plan) and POA&M (Plan of Action and Milestones)!

Federal track (FAR):
- 2016: FAR 52.204-21 modified and 15 NIST controls added; 32 CFR 2002 issued, and federal agencies begin a 2-year effort of implementing and requiring NIST SP 800-171.
- 2018 (anticipated): release of a new FAR clause requiring full NIST SP 800-171 compliance; new contracts and modifications will add NIST SP 800-171 to federal contracts.
- Anticipated: full NIST SP 800-171 compliance in all federal contracts.

Copyright 2017 Summit 7 Systems, Inc. All rights reserved.

NIST SP 800-171 COMPLIANCE
Chapter 3 defines 14 security requirement families (grouped on the slide into policy controls and technical controls):
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

INDUSTRY'S LARGEST COMPLIANCE PORTFOLIO
Microsoft is meeting customer security needs with the industry's largest compliance portfolio, spanning worldwide, government, industry and national certifications:

Worldwide: ISO 27001, ISO 27018, Cloud Controls Matrix (CSA CCM), SOC 1 Type 2, SOC 2 Type 2, Shared Assessments
US Government: FedRAMP JAB P-ATO, FIPS 140-2, FISMA, NIST 800-171, DISA Level 2, DISA Level 4, DISA Level 5, CJIS, IRS 1075, Section 508 VPAT
Industry: PCI DSS Level 1 *, HIPAA / HITECH, 21 CFR Part 11, FERPA, Content Delivery and Security Association *
National / regional: European Union Model Clauses, ENISA IAF, EU-U.S. Privacy Shield, Spain ENS, United Kingdom G-Cloud, Singapore MTCS Level 3, Australian Signals Directorate, New Zealand GCIO, Japan Financial Services, China MLPS *, TRUCS *, GB 18030 *

HOW DO YOU APPROACH COMPLIANCE?
Shared responsibility to protect (the standard Microsoft shared-responsibility layout):

Legend: CSP = CSP manages; You = you manage; Shared = you or CSP manages (depends on provider and configuration)

Layer                                  | SaaS   | PaaS   | IaaS | On-Prem
Data governance and rights management  | You    | You    | You  | You
Client end-points                      | You    | You    | You  | You
Account and access management          | You    | You    | You  | You
Identity and directory infrastructure  | Shared | Shared | You  | You
Application                            | CSP    | Shared | You  | You
Network controls                       | CSP    | Shared | You  | You
Operating system                       | CSP    | CSP    | You  | You
Physical hosts                         | CSP    | CSP    | CSP  | You
Physical network                       | CSP    | CSP    | CSP  | You
Physical datacenter security           | CSP    | CSP    | CSP  | You

Whichever model you choose, the platform is evaluated on: privacy and control, compliance, transparency, reliability / availability.

MICROSOFT SaaS PLATFORMS

                 | Office 365 Commercial | Office 365 GCC           | Office 365 GCC High      | Office 365 GCC High DoD
Customer access  | All                   | Government / Contractors | Government / Contractors | DoD Agencies
FedRAMP          | Moderate              | Moderate                 | Moderate                 | Moderate
DISA             | Level 2               | Level 2                  | Level 4                  | Level 5
ITAR capable     | No                    | No                       | Yes                      | Yes

- All platforms can be made NIST SP 800-171 compliant with proper policy and configuration.
- Some features in Office 365 Commercial are not yet available in Office 365 GCC.
- Office 365 GCC High (the ITAR-capable tier) requires a valid and approved DS-2032 Statement of Registration form (DDTC registration).

MICROSOFT IaaS / PaaS PLATFORMS

                 | Azure Commercial | Azure Government         | Azure Government DoD
Customer access  | All              | Government / Contractors | DoD Agencies
FedRAMP          | Moderate         | High                     | High
DISA             | Level 2          | Level 4                  | Level 5
ITAR capable     | No               | Yes                      | Yes

- All platforms can be made NIST SP 800-171 compliant with proper policy and configuration.
- Some features in Azure Commercial are not yet available in Azure Government.
- Azure Government requires a valid and approved DS-2032 Statement of Registration form (DDTC registration).

KEY OFFICE 365 SECURITY FEATURES
- Advanced Security Management
- Advanced Threat Protection
- Advanced Threat Analytics
- Azure Information Protection (data classification)
- Customer Lockbox
- Data Loss Prevention
- eDiscovery
- Mobile Device Management / Intune
- Office 365 Multi-Factor Authentication

LESSONS LEARNED

CUI / CDI lessons learned:
- Every Defense Industrial Base company has CUI / CDI content.
- Outside of CUI / CDI needs, ITAR content is a major driver.

Office 365 lessons learned:
- Office 365 GCC High (Level 4) environments take 6 weeks to provision.
- Custom Office 365 deployment and migration takes 4-9 months.
- Templated Office 365 deployments take 4-6 weeks.

Industry lessons learned:
- 87% of all contracts released in 2017 have the DFARS 7012 clause.
- Every DIB company we have talked to has at least 1 contract with the DFARS 7012 clause in it.
- Corporate IT and security policies are not well understood or implemented.
- Mobile devices are ubiquitous and BYOD is the standard.

COMPLIANCE IN THE CLOUD
David Harris
dharriscom@gmail.com
(253) 495-7974
Society for International Affairs


COMPLIANCE IN THE CLOUD: AGENDA
1. WHO IS AT RISK? Types of clouds, approach of cloud vendors, risk.
2. CLOUD TYPES ≠ DATA TYPES. What types of data can I place into which kind of clouds?
3. CLOUD SECURITY STANDARDS. What do I hold my cloud vendor accountable to, and what do I look for in trade compliance insight?
4. CLOUD RESIDENCY ISSUES. How do I know where an export is occurring and where it is initiated? What are the residency issues I need to be concerned with?
5. VALUE INTEGRATION. How do I leverage electronic policy and enterprise release rules when using the cloud?

WHO IS AT RISK?
Are the cloud vendors at risk? Generally, only for their own technology / technical data. Multiple AOs have been developed to address the cloud vendor and to limit or negate their risk with respect to trade control.

Most of The Cloud is made up of SaaS vendors.

SaaS (Software as a Service)
- The publisher of the content to the cloud is considered the exporter in most cases, although this can change with encryption and with release/use once decrypted.
- What is published to The Cloud is subject to trade control compliance when applicable.
- If the wrong party gets access to the information and a disclosure ensues, it is the publisher of the information who may be most at risk of an export violation.

IaaS (Infrastructure as a Service)

CLOUD TYPES ≠ DATA TYPES
What types of data can I place into which kind of clouds?
- SaaS, Software as a Service: execute applications
- PaaS, Platform as a Service: develop applications using a common platform
- IaaS, Infrastructure as a Service: provide an infrastructure for applications and platforms

CLOUD SECURITY STANDARDS
What do I hold my cloud vendor accountable to, and what do I look for in trade compliance insight?
1. The SLA (Service Level Agreement)
2. Record keeping and forensics
3. Cloud access, performance and global availability
4. Compatibility with your infrastructure
5. Federation of your existing SOA (Service-Oriented Architecture) and BPM (Business Process Management)
6. Understanding of trade control sensitivities
7. Disclosure and restriction of resource allocation to your servers and data
8. DDTC registration
9. Disaster recovery and fault planning
10. Computing and cyber security standards and certifications

CLOUD RESIDENCY ISSUES
How do I know where an export is occurring and where it is initiated? What are the residency issues I need to be concerned with?

The Right Information,
From the Right place,
To the Right place,
The Right Person,
The Right Company,
For the Right Reason,
Aligned to the Right authority,
Right Away!

VALUE INTEGRATION
How do I leverage electronic policy and enterprise release rules when using the cloud and/or microservices?
Federation throughout the extended ecosystem requires alignment of technology and business process management to succeed. The culture must adopt a new way of thinking about, and leveraging, the value of data.

My Skill Cloud

QUESTIONS AND ANSWERS
Thank you
David Harris
dharriscom@gmail.com
(253) 495-7974