Compliance & Security in Azure. April 21, 2018

Similar documents
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Morgan Independent Software Vendor Lead

Accelerate GDPR compliance with the Microsoft Cloud Ole Tom Seierstad National Security Officer Microsoft Norway

Microsoft 365 Das modern Büro der Zukunft

COMPLIANCE IN THE CLOUD

Closing Keynote: Addressing Data Privacy and GDPR on Microsoft Data Platform Technologies. Ronit Reger, Senior Program Manager at Microsoft

By 2020, a corporate no-cloud policy will be as rare as a no-internet policy is today. 1

Our Mission. Empower every person and every organization on the planet to achieve more.

U susret GDPR regulativi Dočekajmo spremni Maj 2018

Kimberly Nelson Executive Director Government Solutions US SLG. March 2017

Avanade Zerouno : Cloud Experience. Version 1.0 May 16, 2017 Author(s): Ivan Loreti

What is Dell EMC Cloud for Microsoft Azure Stack?

Today s top THREAT ACTORS pose unique challenges

Accelerate GDPR compliance with the Microsoft Cloud Agustín Corredera

Klaus Schwab, Founder & Executive Chairman

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Accelerate GDPR compliance with the Microsoft Cloud

QBS Talks. June GDPR a Microsoft perspective Ole Kjeldsen, CTO Microsoft DK

Introduction to AWS GoldBase

Microsoft Azure. The cloud platform for digital transformation

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Matt Holden-Milner Richard Willmott

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Microsoft + SUSE This partnership gets stronger every day

HITRUST CSF: One Framework

Building Trust in the Era of Cloud Computing

PROFESSIONAL SERVICES (Solution Brief)

10 Considerations for a Cloud Procurement. March 2017

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Security & Compliance in the AWS Cloud. Amazon Web Services

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Dublin* Amsterdam. London

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Your vision. Your cloud.

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

Hyper scale Infrastructure is the enabler

Enterprise Mobility + Security

MIS Week 9 Host Hardening

Microsoft Azure Security, Privacy, & Compliance

Four Deadly Traps of Using Frameworks NIST Examples

Introductie Intercept

Information Security Risk Strategies. By

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

How to Establish Security & Privacy Due Diligence in the Cloud

SAC PA Security Frameworks - FISMA and NIST

Cloud Security. Copyright Ramesh Nagappan. All rights reserved.

PostgreSQL & The Cloud

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Accelerating the HCLS Industry Through Cloud Computing

Effective Strategies for Managing Cybersecurity Risks

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Exploring Emerging Cyber Attest Requirements

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

Module 6: Network and Information Security and Privacy. Session 3: Information Security Methodology. Presenter: Freddy Tan

Die intelligente Cloud als Kernelement der IT Transformation. Dr. Bernd Kiupel Business Group Lead Cloud & Enterprise, Microsoft Schweiz

Agenda. I. Related Policies to Cloud Computing. Cloud Security Certification Scheme in KOREA. Guidelines for Information Security of Cloud Computing

Building a Resilient Security Posture for Effective Breach Prevention

University of Pittsburgh Security Assessment Questionnaire (v1.7)

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Cloud Customer Architecture for Securing Workloads on Cloud Services

DFARS , NIST , CDI

Building a Security & Compliance Strategy with the Cloud

AXCIENT FUSION: TECHNICAL WHITE PAPER

Compliance with NIST

HITRUST Common Security Framework - Are you prepared?

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Tips for Passing an Audit or Assessment

CloudTrust Protocol Orientation and Status

Your Trusted Partner in Europe European Business Reliance Centre

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Microsoft Azure: Using the Public Cloud to solve the Big Questions

Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

Azure: The Cloud On Your Terms. Herns Hermida Cloud and Enterprise Business Lead Microsoft Philippines

BHConsulting. Your trusted cybersecurity partner

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

NIST Special Publication

Your vision, your results, your cloud

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SYSTEM SECURITY PLAN (SSP) [Official Company Name]

Cloud Computing, SaaS and Outsourcing

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

What is Blockchain? Cryptographically Authentic Shared Distributed Ledger. Cryptographically Authentic Each transaction recorded in the database is

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Peer Collaboration The Next Best Practice for Third Party Risk Management

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Transcription:

Compliance & Security in Azure April 21, 2018

Presenter Bio Jeff Gainer, CISSP Senior Information Security & Risk Management Consultant Senior Security Architect Have conducted multiple Third-Party risk assessments of cloud platforms including Office 365 and Azure 1

Session Agenda Compliance How Microsoft goes about their process Shared responsibility model for cloud computing How you go about the process Security Controls What are security controls Use of Azure Security Blueprints to help Security architecture walkthrough 2

01 Compliance

Compliance Before We Get Started Compliance in this context means conforming to a set of requirements that have been determined by a governing body Quick Survey to the Group.By a Show of Hands WHO HAS A COMPLIANCE REQUIREMENT TO INCLUDE IN YOUR TECHNOLOGY DEPLOYMENT, SUCH AS HIPAA/HITECH, PCI-DSS, FFIEC, GLBA, ETC? WHO HAS BEEN TOLD YOU CAN T MOVE THAT SAME TECHNOLOGY TO THE CLOUD BECAUSE OF IT? 4

Compliance How Microsoft goes about the process Azure compliance offerings are grouped into four segments: Globally Applicable US Government Industry Region/Country CSA STAR (3) ISO 20000-1:2011 ISO 22301:2012 ISO 27001:2013 ISO 27017:2015 ISO 27018:2014 ISO 9001:2015 SOC 1 Type 2 SOC 2 Type 2 SOC 3 WCAG 2.0 (ISO 40500:2012) Compliance Reports Trust Documents CJIS DFARS DoD DISA SRG Level 2 / 4 / 5 DoE 10 CFR Part 810 EAR FedRAMP Moderate / High FIPS 140-2 IRS 1075 ITAR NIST Cyber Framework (CSF) NIST SP 800-171 Section 508 VPATs 23 NYCRR 500 CDSA FERPA FFIEC GLBA GxP (21 CFR Part 11) HIPAA and the HITECH Act HITRUST MARS-E PCI DSS Level 1 Shared Assessments Sarbanes Oxley (SOX) 8 Other International Regs Argentina Australia Canada China (3) EN 301 549 EU / UK (6) Germany (2) India Japan (2) Netherlands New Zealand Singapore Spain (2) Includes SOC & ISO Reports, FedRAMP and Various Assessment Reports Includes FAQs, White Papers, Pen Test Results, and Compliance Guides for the list of services approved to use for each Compliance requirement 5

Compliance Shared responsibility model Cloud computing requires that the cloud service provider (CSP) and customer be responsible for the security and operation of certain layers of the cloud offering based on the cloud model. On-Prem: Customer is both accountable and responsible for all aspects of security and operations. IaaS: The CSP manages buildings, servers, networking hardware, and hypervisor layers. The customer is responsible for securing and managing the operating system, network configuration, applications, identity, clients, and data. PaaS: The CSP owns the IaaS layers and is additionally responsible to manage and secure the network controls along with some application and identity controls. The customer is still responsible for securing and managing applications, identity, clients, and data. SaaS: The CSP provides the application to the customer. The customer continues to be accountable to ensure that data is classified correctly, along with managing their users and end-point devices. Azure is responsible for security of the cloud, while the customer is responsible for security in the cloud. 6

Compliance How you go about the process Performing a compliance due diligence review for Azure 1. Determine which regulation influencers are in scope for the technology deployment. 2. Acquire the Microsoft Azure Compliance Offerings document from the Microsoft Service Trust Portal. 3. Identify the in scope regulations in the document and identify the available Azure artifacts to be used for the assurance review. 4. Confirm that the services in your planned Azure architecture are in scope of the Azure Compliance Offering. If not included, then may need to rearchitect with in scope services or determine the risk of non-compliance for your organization. 5. Perform the compliance assurance due diligence review using the Azure Compliance Offering artifacts to identify any compliance gaps in the Azure platform. 7

02 Security Controls

Security Controls to Support Compliance Security controls are safeguards used to prevent, detect, and respond to security risks to physical property, information, systems, or other assets. A set of techniques that address many of the various compliance requirements Available as a framework or catalog of controls: ISO 27002:2013 Code of Practice for Information Security Controls NIST SP800-53r5 Security and Privacy Controls for Federal Systems & Organizations CIS - 20 Critical Security Controls Access Control Awareness and Training Audit and Accountability Assessment and Authorization Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environment Protection Personnel Security Risk Assessment System and Services Acquisition System and Communication Protection System and Information Integrity 9

Security Controls Using Azure Services Azure offers Compliance Blueprints for some of the more popular regulations that describe the shared responsibility model and use of Azure Security Services to address them: US Department of Defense (DoD) FedRAMP FFIEC Cybersecurity Standard Healthcare (HIPAA and HITRUST) NIST Cybersecurity Framework (CSF) PCI Data Security Standard (PCI-DSS) UK National Cyber Security Centre (NCSC) It s All About Protecting Data and Controlling Access with Proactive Monitoring 10

Security Controls Using Azure Services Access w/ WAF Control Audit and Accountability Configuration Management APPLICATION Contingency Planning Identification and Authentication Incident Response Media Protection TDE Physical STORAGE and Environment Protection System and Communication Protection System and Information Integrity NetSecGroup NetSecGroup SSE NetSecGroup HTTPS App Gateway Security Controls Addressed: Access Control Audit & Accountability Configuration Management Contingency Planning Identification & Authentication Incident Response System & Communication Protection System & Information Integrity VNet 11

Summary Azure realizes that to gain and retain customers, they need to be regulation ready. There is a comprehensive approach in addressing the compliance need. Compliance and security is a shared responsibility between Azure and the customer. Not all Azure services may be compliant to every regulation yet. Many security controls expected to address regulations can be achieved within the platform. Key Resources for use in compliance and security efforts include: Service Trust Portal (STP) Regulation Specific Shared Responsibility Matrices Azure Compliance Blueprints 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback