Compliance in the Clouds (ISACA CACS 2017)

Post on 28-Jan-2018


Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.

Andrew Plato

President / CEO of Anitian


Meet the Speaker – Andrew Plato

• President / CEO of Anitian

• Principal at TrueBit CyberPartners

• 20+ years of experience in security

• Authored thousands of articles, documents, reports, etc.

• “Discovered” SQL injection in 1995

• Helped develop first in-line IPS engine (BlackICE)


What we do: We build great security

• Managed Security (MSSP): Virtual SOC, Managed Detection and Response

• Professional Services: Pentesting, compliance, risk assessments

• Virtual CISO: On-demand security

Why we do it: We believe security is essential to growth, innovation, and prosperity

OVERVIEW

Intent

• Describe some of the issues that influence cloud compliance

• Dispel a few myths of compliance in the cloud

• Provide a strategy for meeting cloud compliance objectives


WHAT IS YOUR INTENTION?

Do you want to build secure and compliant environments, or do you want to be merely compliant?

MERELY COMPLIANT

• Ignore this presentation

• Hire the cheapest checkbox auditor you can find

• Good luck

SECURE AND COMPLIANT

• Sit tight, you are in the right place


ASSUMPTIONS

• This is a giant topic

• This presentation has a bias toward AWS and PCI compliance

• Topics apply to other hosts, and SaaS services

ROAD TO THE CLOUD

Anitian: intelligent information security

REMEMBER THESE?


FORMER CIO


NOT A CHECKBOX


IT IS A JOURNEY

WITH A DESTINATION

CLOUD IS GOOD FOR BUSINESS

COMPLIANCE IS GOOD FOR BUSINESS

COMPLIANT CLOUDS ARE GOOD FOR BUSINESS

OF COURSE

IT IS NEVER THAT EASY

WHO DO YOU WANT TO BE TODAY?

CLOUD COMPLIANCE

MYTHS

THE CLOUD IS EASY TO HACK

THIS IS NOT THE PROBLEM

PRE-HARDENED IMAGES

LOTS OF TECH

THIS GUY IS THE PROBLEM

I GOT NOTHING

WE CANNOT CONTROL THE DATA


EXACTLY WHERE YOU PUT IT

COMPLIANCE IS EASIER IN THE CLOUD THAN ON-PREMISE

On Premise Compliance Program

Cloud Compliance Program


CONSIDER PENETRATION TESTING

On-Premise

• Hire a pentester

• Conduct test

• Patch systems

• Retest

• Pass

AWS

• Hire a pentester

• Find out they know nothing about the cloud

• Hire another pentester

• Wait two weeks for approval from AWS

• Conduct test

• Find problems with third party image

• Pound fist on table

• Rearchitect entire cloud

• Retest

• Pass

HOSTING WITH A COMPLIANT PROVIDER MAKES US COMPLIANT

WHAT’S MISSING?

[Slide diagram: four stacked layers, each labelled Security and Compliance, with YOU MANAGE alongside each layer]

OH YEAH, SECURITY AND COMPLIANCE!

SECURITY AND COMPLIANCE

YOUR RESPONSIBILITY


CLOUD COMPLIANCE IS SHARED

ROAD TO CLOUD COMPLIANCE


1. WHAT EXACTLY ARE YOU MAKING COMPLIANT?

I find your lack of scope

… disturbing.


2. INVENTORY

• Applications

• APIs

• Data

• Systems

• Access (remote)


• Third party components

• Security controls

… everything


3A. SEGMENT AND ISOLATE

• Put the compliant systems in their own virtual private cloud (VPC)

• Precisely control ALL access between all other VPCs and the Internet

• Please do not peer your systems, route them

3B. SEGMENTATION AND ISOLATION

Scoping decision flow for each system in the inventory:

• Does it process, store, or transmit CHD? YES: it is in the CDE. NO: next question.

• Does it connect (in any way) to a CDE system? YES: it is in-scope for PCI. NO: next question.

• Can it affect the security of the CDE at all? YES: it is in-scope for PCI. NO: out of scope.
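The inventory step and the scoping flow above can be run as one pass over an asset list. The following is an added example, not code from the presentation or from Anitian: it encodes the three questions as a classifier, then applies the "own VPC" rule from 3A by reporting any VPC that mixes CDE and non-CDE systems. The inventory, the connection graph and the asset names are constructed sample data, and the `affects_cde_security` flag is an assumed attribute standing in for the third question.

```python
"""PCI DSS scoping pass over a constructed asset inventory (added example).

Decision flow encoded here:
  1. Processes, stores or transmits CHD?        -> "CDE"
  2. Connects (in any way) to a CDE system?      -> "in-scope"
  3. Can affect the security of the CDE at all?  -> "in-scope"
  otherwise                                      -> "out-of-scope"
"""

# Constructed inventory (hypothetical names). "vpc" is where the asset lives,
# "handles_chd" answers question 1, "affects_cde_security" answers question 3
# (shared services such as log collectors or identity that can change the
# CDE's posture without ever touching cardholder data).
INVENTORY = {
    "web-checkout":   {"vpc": "vpc-cde",  "handles_chd": True,  "affects_cde_security": False},
    "payments-db":    {"vpc": "vpc-cde",  "handles_chd": True,  "affects_cde_security": False},
    "wiki":           {"vpc": "vpc-cde",  "handles_chd": False, "affects_cde_security": False},
    "reporting-api":  {"vpc": "vpc-corp", "handles_chd": False, "affects_cde_security": False},
    "marketing-site": {"vpc": "vpc-corp", "handles_chd": False, "affects_cde_security": False},
    "bastion":        {"vpc": "vpc-mgmt", "handles_chd": False, "affects_cde_security": False},
    "siem-collector": {"vpc": "vpc-mgmt", "handles_chd": False, "affects_cde_security": True},
}

# Constructed connectivity: (a, b) means a network path exists between a and b
# in either direction (security-group rule, route, peering, VPN, ...).
CONNECTIONS = [
    ("web-checkout", "payments-db"),
    ("reporting-api", "payments-db"),   # read-only reporting, still a path into the CDE
    ("bastion", "web-checkout"),        # admin access
    ("marketing-site", "reporting-api"),
]


def neighbours(connections):
    """Undirected adjacency map built from the connection list."""
    adj = {}
    for a, b in connections:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def classify(inventory, connections):
    """Apply the three-question flow; returns {asset: verdict}."""
    adj = neighbours(connections)
    cde = {name for name, attrs in inventory.items() if attrs["handles_chd"]}
    scope = {}
    for name, attrs in inventory.items():
        if name in cde:
            scope[name] = "CDE"
        elif adj.get(name, set()) & cde:        # directly connected to a CDE system
            scope[name] = "in-scope"
        elif attrs["affects_cde_security"]:
            scope[name] = "in-scope"
        else:
            scope[name] = "out-of-scope"
    return scope


def mixed_vpcs(inventory, scope):
    """VPCs that host CDE systems together with non-CDE systems (violates 3A).

    Returns {vpc: [non-CDE assets sharing it with CDE assets]}.
    """
    by_vpc = {}
    for name, attrs in inventory.items():
        by_vpc.setdefault(attrs["vpc"], []).append(name)
    return {
        vpc: sorted(n for n in names if scope[n] != "CDE")
        for vpc, names in by_vpc.items()
        if any(scope[n] == "CDE" for n in names)
        and any(scope[n] != "CDE" for n in names)
    }


if __name__ == "__main__":
    verdicts = classify(INVENTORY, CONNECTIONS)
    for asset, verdict in sorted(verdicts.items()):
        print(f"{asset:15} {verdict}")
    for vpc, stragglers in mixed_vpcs(INVENTORY, verdicts).items():
        print(f"{vpc}: move {', '.join(stragglers)} out of the CDE VPC")
```

In the sample data `marketing-site` stays out of scope even though it reaches `reporting-api`, because the flow only asks about direct connections to a CDE system; a stricter reading that also pulls in anything reachable through an in-scope system would be a one-line change to use transitive reachability instead of `adj.get(name) & cde`. The `wiki` host carries no CHD and has no connections, so the questions put it out of scope, yet it sits in `vpc-cde`, which is exactly the mixed-VPC situation the 3A slide tells you to avoid.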


4. GET THE COMPLIANCE PACKAGE

• Any (truly) compliant cloud service can provide attestation.

• AWS and Azure have packages you can request:

AWS: https://aws.amazon.com/compliance/contact/

Microsoft: https://www.microsoft.com/en-us/trustcenter/Compliance

• If your host cannot provide attestation, they are not compliant

• You will be on the hook to make them compliant…which may be impossible


Make sure it is a formal attestation of compliance…like this from the PCI Security Standards Council

Not this…

5. REVIEW THE RESPONSIBILITY MATRIX

• Service providers must provide a responsibility matrix:

• What are they responsible for?

• What are you responsible for?

6. WHAT SERVICES ARE COVERED?

Example – AWS services covered under PCI-DSS

• Auto Scaling

• AWS CloudFormation

• Amazon CloudFront

• AWS CloudHSM

• AWS CloudTrail

• AWS Config

• AWS Direct Connect

• Amazon DynamoDB

• AWS Elastic Beanstalk

• Amazon Elastic Block Store (EBS)

• Amazon Elastic Compute Cloud (EC2)

• Amazon EC2 Container Service (ECS)

• Elastic Load Balancing (ELB)

• Amazon Elastic MapReduce (EMR)

• Amazon Glacier

• AWS Key Management Service (KMS)

• AWS Identity and Access Management (IAM)

• Amazon Redshift

• Amazon Relational Database Service (RDS)

• Amazon Route 53

• Amazon SimpleDB

• Amazon Simple Storage Service (S3)

• Amazon Simple Queue Service (SQS)

• Amazon Simple Workflow Service (SWF)

• Amazon Virtual Private Cloud (VPC)

• AWS WAF - Web Application Firewall

7. BUILD A ROADMAP

• Identify the items you must make compliant

• Figure out the cloud-version of the controls you need

• NGFW & intrusion detection

• Endpoint security

• Integrity monitoring

• Configuration management

• Encryption

• Rewrite policies to reference the cloud

• Engage cloud experienced vendors for services, like pentesting

7B. ROADMAP

8. CONSULT BEST PRACTICE GUIDES

• Every provider offers best practice guides for compliance

• Reference architectures

• Configurations

• Design strategies

• For example, Anitian wrote a definitive guide for PCI compliance at AWS in collaboration with the AWS compliance team


9. TRANSLATE THE STANDARDS INTO CLOUD

• Most compliance standards were written in an era before cloud.

• Consider this example from the PCI-DSS, requirement 11.4:

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

• You have to translate this into cloud technologies and designs


10. DIAGRAM YOUR CLOUD ENVIRONMENT & DATA FLOWS


11. TAG IT

• PLEASE tag your resources in a logical manner

• Tagging greatly helps with…everything

• AWS best practices: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-resource-tags/

• Azure: https://azure.microsoft.com/en-us/documentation/articles/resource-group-using-tags
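A "logical" tagging scheme is only useful if it is enforced. The following is an added example, not code from the presentation or from Anitian: it audits a constructed list of resources against a required-tag policy and one cross-tag consistency rule (anything tagged as holding cardholder data must also be tagged as in the CDE). The tag keys, allowed values and resource ids are assumptions chosen to illustrate the idea, not a real AWS or Azure policy.

```python
"""Tag-policy audit over a constructed resource list (added example).

Tags are the cheapest way to carry scope and ownership information with
every resource; this check catches the missing, misspelled and
contradictory tags that make that information useless.
"""

# Assumed policy: required keys and, where not None, the allowed values.
REQUIRED_TAGS = {
    "Owner": None,                                   # any non-empty value
    "Environment": {"prod", "staging", "dev"},
    "DataClass": {"chd", "pii", "internal", "public"},
    "PCIScope": {"cde", "connected", "out-of-scope"},
}

# Constructed sample resources (ids are made up, not real AWS resources).
SAMPLE_RESOURCES = [
    {"id": "i-0a0a0a0a0a0a0a0a0", "type": "instance",
     "tags": {"Owner": "payments-team", "Environment": "prod",
              "DataClass": "chd", "PCIScope": "cde"}},
    {"id": "i-0b0b0b0b0b0b0b0b0", "type": "instance",
     "tags": {"Environment": "production",           # not an allowed value
              "DataClass": "internal", "PCIScope": "out-of-scope"}},
    {"id": "vol-0c0c0c0c0c0c0c0c0", "type": "volume",
     "tags": {"Owner": "payments-team", "Environment": "prod",
              "DataClass": "chd", "PCIScope": "out-of-scope"}},   # contradiction
]


def consistency_issues(tags):
    """Cross-tag rules: a CHD resource cannot be outside the CDE."""
    issues = []
    if tags.get("DataClass") == "chd" and tags.get("PCIScope") != "cde":
        issues.append("DataClass=chd requires PCIScope=cde")
    return issues


def check_resource(resource):
    """Return a list of policy violations for one resource (empty = clean)."""
    tags = resource.get("tags", {})
    issues = []
    for key, allowed in REQUIRED_TAGS.items():
        value = tags.get(key)
        if not value:
            issues.append(f"missing tag {key}")
        elif allowed is not None and value not in allowed:
            issues.append(f"tag {key}={value!r} not in {sorted(allowed)}")
    issues.extend(consistency_issues(tags))
    return issues


def audit(resources):
    """Map of resource id -> violations, for resources that have any."""
    findings = {}
    for resource in resources:
        issues = check_resource(resource)
        if issues:
            findings[resource["id"]] = issues
    return findings


if __name__ == "__main__":
    for rid, issues in audit(SAMPLE_RESOURCES).items():
        for issue in issues:
            print(f"{rid}: {issue}")
```

The consistency rule is the part worth copying: a free-text "PCIScope" tag drifts as fast as the environment does, but checking it against the data classification turns the tag into something an auditor can trust and something a scoping tool can consume.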


12. MOVE TOWARD DISPOSABLE INFRASTRUCTURE

A new approach to cloud with huge security and compliance benefits:

1. Fully automate the build of your environment

a. System and storage instantiation

b. Configuration, hardening, patching

c. Code deployment

2. On a regular basis, recreate the whole environment

3. Migrate from old to new (automatically)

4. Destroy the original

• Disposable IT forces formality and structure

• It also has huge security benefits

CONCLUSION


YOU STILL NEED ALL THE STANDARD CONTROLS

• Cloud does not change the fact that you still need controls…

• Firewall / NGFW (IDS/IPS)

• SIEM

• File Integrity Monitoring

• Endpoint Anti-virus

• Vulnerability Management

• Patch management

• Encryption

• Key Management

• Whether it is you running it, or somebody else, they still must be present


FINAL THOUGHTS

• Where is your data?

• What exactly are you making compliant?

• This is not easy, but you do not need to make it difficult

• Resistance is futile, the cloud is now


EMAIL: andrew.plato@anitian.com

TWITTER: @andrewplato

@AnitianSecurity

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN