Locking Down the Cloud Security is Not a Myth

Similar documents
Vendor Security Questionnaire

Effective Strategies for Managing Cybersecurity Risks

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

University of Pittsburgh Security Assessment Questionnaire (v1.7)

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

SoftLayer Security and Compliance:

CipherCloud CASB+ Connector for ServiceNow

Compliance Is Security. Presented by: Jeff Hall Optiv Security

The Realities of Data Security and Compliance: Compliance Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Exploring Emerging Cyber Attest Requirements

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Data Classification, Security, and Privacy

Cybersecurity Auditing in an Unsecure World

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

McAfee Database Security

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Auditing the Cloud. Paul Engle CISA, CIA

HITRUST Common Security Framework - Are you prepared?

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Guidelines for Data Protection

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Altius IT Policy Collection Compliance and Standards Matrix

Protecting Your Cloud

Altius IT Policy Collection Compliance and Standards Matrix

Is Your Compliance Strategy Putting Your Business at Risk?

What It Takes to be a CISO in 2017

Watson Developer Cloud Security Overview

Total Security Management PCI DSS Compliance Guide

Data Security: Public Contracts and the Cloud

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

GLBA, information security and incident response a compliance perspective

PROFESSIONAL SERVICES (Solution Brief)

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

The Need For A New IT Security Architecture: Global Study On The Risk Of Outdated Technologies

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Cloud Computing, SaaS and Outsourcing

Security Terminology Related to a SOC

Security Operations & Analytics Services

The Evolution of Data Center Security, Risk and Compliance

HITRUST CSF: One Framework

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Compliance Audit Readiness. Bob Kral Tenable Network Security

Cybersecurity in Higher Ed

InfoSec Risks from the Front Lines

You Might Know Us As. Copyright 2016 TierPoint, LLC. All rights reserved.

IBM Internet Security Systems October Market Intelligence Brief

Information Security Risk Strategies. By

Run the business. Not the risks.

Why the cloud matters?

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Daxko s PCI DSS Responsibilities

Peer Collaboration The Next Best Practice for Third Party Risk Management

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

01.0 Policy Responsibilities and Oversight

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Cyber Fraud What can you do about it?

Achieving PCI Compliance: Long and Short Term Strategies

Accelerating the HCLS Industry Through Cloud Computing

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

CYBERSECURITY: E-COMMERCE, GOVERNANCE AND APPLIED CERTIFICATIONS A ROUNDTABLE DISCUSSION 15 DECEMBER 2015

Cybersecurity and Nonprofit

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Balancing Between Risk and Compliance

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

The Open Group. Cybersecurity Risk Management

VMware, SQL Server and Encrypting Private Data Townsend Security

Cyber Risks in the Boardroom Conference

Cybersecurity The Evolving Landscape

2017 Annual Meeting of Members and Board of Directors Meeting

Compliance in 5 Steps

PROTECTING BRANDS IN CYBERSPACE

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Introduction to AWS GoldBase

10 FOCUS AREAS FOR BREACH PREVENTION

Cover Slide. Third Party Risk and the Role of the Cyber Security/IT Risk Officer. Robert Satchmo Anderson

Data Security, Integrity and Accessibility in the Cloud

DeMystifying Data Breaches and Information Security Compliance

Securing Your Secured Data

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

CONTINUOUS COMPLIANCE. Your next cloud compliance audit could be your last. With LayerV s Continuous Compliance Service you re covered

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

HIPAA Compliance & Privacy What You Need to Know Now

SECURITY PRACTICES OVERVIEW

Operational Network Security

SOC Reporting / SSAE 18 Update July, 2017

Building a Security & Compliance Strategy with the Cloud

THREE COLOCATION MYTHS HEALTHCARE PROVIDERS SHOULD LEAVE BEHIND. Exploring Security, Compliance, and Performance in Healthcare IT

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

Transcription:

Locking Down the Cloud Security is Not a Myth Kurt Hagerman Director of Information Security - FireHost Session ID: SPO2-R35 Session Classification: Intermediate

Agenda Background The Secure Cloud is Not a Myth Perimeter Security Host Security Supporting Security Services Secure Administrative Access Your Security Program and Compliance Challenges and Solutions

Fighting the REAL Threats Threats over time by percent of breaches 2012 Data Breach Investigations Report Verizon/US Secret Service

The Cloud Market is Between a Rock and a Hard Place Rock = Relentless Security Threats (Partial list from the month of December 2012 alone) Verizon (3,000,000 accounts compromised) HP (100,000 customer accounts compromised) Wells Fargo, US Bank, PNC, BB&T, Citi, Bank of America (DDoS) U.S. Army (36,000 machines controlled within Command Center) Tumblr (8,600 blocks defaced including USA Today, Reuters and CNET) Pizza Hut ( thousands of customer records leaked) Security Pain Prospects Face Internal security capabilities External threats growing exponentially Limited view of external threats

The Cloud Market is Between a Rock and a Hard Place Hard Place = Demanding Compliance Requirements (Partial list) PCI DSS 2.0 (Payment Card Industry Data Security Standard) HIPAA (Health Insurance Portability and Accountability Act) HITRUST CSF (HIPAA, NIST, ISO, PCI, FTC and COBIT) ISO 27001:2005 (International Organization of Standardization) SSAE16 SOC 1 Type II, SOC 2 Type II, SOC 3 (Service Organization Control) Compliance Pain Prospects Face Zero to little internal capabilities 3rd party audit required so no dead bodies allowed Mixed internal IT environments = complex compliance scope Compliance requirements continue to evolve Compliance is the bare minimum requirement for security

The Secure Cloud is Not a Myth Build for security and compliance Follow security best practices vs. chasing compliance guidelines Deploy multiple security countermeasures using a layered approach Perimeter, Host, Supporting, Admin Access Physical Security DDoS/DoS Mitigation IP Reputation Filtering Web Application Firewalls Intrusion Detection/Prevention Isolated Security Zones Hypervisor-based Firewalls Secure Remote Access Multi-Factor Authentication Vulnerability Monitoring Logging and log review Anti-Virus Patching Encryption

Perimeter Security

Host Security

Supporting Security Services

Secure Administrative Access

Compliance Challenges for Cloud Multiple compliance framework and regulatory requirements to meet Diverse data types being handled (Credit card, health, financial, PII, etc.) Communication of compliance assistance to customers Tracking changes in compliance requirements Questions around data sovereignty Continuous requests for audit support

Compliance Requirements = Common Controls Your Compliance PCI, HIPAA, GLBA, FFIEC, etc. Data Sovereignty & Privacy Business Continuity Contracting & SLAs

Compliance Challenge Solutions Treat all data as sensitive (after all, it s all 1 s and 0 s to the systems) Develop a Common Security Framework (CSF) of controls based on industry standard frameworks; enabling efficient compliance adoption and validation reporting Provide clear responsibility matrices to customers Future proof compliance iterations via your CSF Guarantee data sovereignty Be auditor friendly - Be organized and transparent - implement a continuous audit program

Summary Security threats and compliance requirements are challenges for Cloud Use a layered approach to secure the cloud Ensure isolation between customer and management environments Implement a physically isolated secure storage area network for better security and performance Develop a Common Security Framework for your security program Continuously monitor and audit

Thanks for your participation Kurt Hagerman Director of Information Security FireHost kurt.hagerman@firehost.com 877.262.3473 x8073

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback