Do you know your cloud controls? A close look at regulatory requirements for cloud security

Steven Wolford, Director, Information Security, 6fusion ([email protected])
Chad Walter, Director, Channel Development, Network Box USA ([email protected])
Today’s Agenda
• Introduction
• What is cloud?
• Who controls cloud?
• Cloud types
• Standards impacting security
  • CSA CCM
  • FedRAMP
  • PCI
  • HIPAA
• How it all fits together
• Q&A
Who We Are

6fusion
6fusion breaks down traditional IT boundaries by delivering universal metering and access to global IT infrastructure. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.

Network Box USA
Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.

This is the second in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
What is “Cloud”
(Diagram: the cloud actors and the functions each performs.)
• Cloud Consumer
• Cloud Provider
  • Service Orchestration: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
  • Cloud Service Management: Business Support; Provisioning / Configuration; Portability / Interoperability
  • Security
  • Privacy
• Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
• Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage
• Cloud Carrier
Who Controls “Cloud”
(Diagram: the stack is split into the Application Layer, Middleware Layer, Operating System Layer and Physical Layer, and the span of control of the Cloud Consumer versus the Cloud Provider is marked for each of SaaS, PaaS and IaaS. The provider always controls the physical layer; in IaaS the consumer controls the operating system, middleware and application layers, in PaaS only the application layer, and in SaaS the provider controls the whole stack.)
Public Cloud
Cloud service accessible from the Internet.
(Diagram: enterprise consumers accessing workloads from enterprise networks, and public consumers accessing workloads from the Internet.)

Private Cloud
(Diagram: a private cloud reachable only from the enterprise network.)

Community Cloud
Community is defined as groups of consumers with similar interests, control sets, performance characteristics or other such commonality.
(Diagram: a public cloud provider hosting a private cloud shared by Group A, Group B and Group C.)

Hybrid Cloud
(Diagram: combinations of on-site private cloud, on-site community cloud, outsourced private cloud, outsourced community cloud and public cloud.)
Know the Rules
• Regulation
  • FedRAMP
  • PCI DSS v2.0
  • HIPAA / HITECH
• Standard
  • SSAE 16 SOC 2
  • ISO/IEC 27001:2005
• Framework
  • CSA CCM
  • COBIT 4.1
CSA CCM / CAIQ
“As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.”

The CAIQ “provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of ‘yes or no’ control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements.”
CCM – Control Areas
(Chart: each control area plotted by Consumer versus Provider responsibility.)
• Compliance (6 controls)
• Human Resources (3 controls)
• Operations Management (4 controls)
• Data Governance (8 controls)
• Information Security (34 controls)
• Risk Management (5 controls)
• Facility Security (8 controls)
• Legal (2 controls)
• Release Management (5 controls)
• Resiliency (8 controls)
• Security Architecture (15 controls)
FedRAMP
Federal Risk and Authorization Management Program: “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
FedRAMP – Control Areas
(Chart: each control area plotted by Consumer versus Provider responsibility.)
• Access Control (17 controls)
• Awareness and Training (4 controls)
• Audit and Accountability (12 controls)
• Assessment and Authorization (6 controls)
• Configuration Management (9 controls)
• Contingency Planning (9 controls)
• Identification and Authorization (8 controls)
• Incident Response (8 controls)
• Maintenance (6 controls)
• Media Protection (6 controls)
• Physical and Environmental (18 controls)
• Planning (5 controls)
• Personnel Security (8 controls)
• Risk Assessment (4 controls)
• Systems Acquisition (12 controls)
• Systems Communication (24 controls)
• System and Information Integrity (12 controls)
Payment Card Industry
“Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data.”

PCI – Control Areas
(Chart: each control area plotted by Consumer versus Provider responsibility.)
• Firewall
• Default Passwords
• Stored Cardholder Data
• Encrypt Transmission
• Anti-virus
• Secure Systems / Applications
• Restrict Access
• UUID
• Physical access
• Track and monitor Access
• Test
• Personnel Security
HIPAA
A Brief History of Healthcare Security Regulation

HIPAA: Health Insurance Portability and Accountability Act
• A regulation is born: Passed in 1996 to simplify the administrative processes surrounding the increasing amounts of ePHI. The Security Rule was enacted 2/20/03 and provided administrative, technical and physical safeguards.
• The goal of HIPAA was to protect patients’ confidentiality while enabling healthcare organizations to pursue initiatives that furthered innovation and patient care. However, enforcement was very limited.

HITECH: American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health
• HIPAA gets some teeth: HITECH extended the Security Rule to include civil penalties; BAs must comply; breach notifications are mandatory.
• HITECH contains specific incentives designed to accelerate the adoption of EHR systems. It broadens the scope of protections listed under HIPAA and increases penalties for non-compliance.

Meaningful Use: Meaningful Use Guidelines for EHR (2010)
• And gains some incentives: Meaningful Use includes 15 core measures. The program is funded with $27bn over 4 years to cover attestations.
• CMS’ Meaningful Use program provides incentive payouts for efficient EHR use. The program provides further incentives to encourage HIPAA / HITECH compliance.
HIPAA – Control Areas
(Chart: each control area plotted by Consumer versus Provider responsibility.)
• Administrative Safeguards (30 controls)
• Organizational Safeguards (12 controls)
• Physical Safeguards (12 controls)
• Technical Safeguards (12 controls)
Shared Responsibility

Integrated Compliance
Taking Requirements
• FISMA/FedRAMP
• PCI
• HIPAA
• ISO
• Other requirements
Identifying common controls
• Access controls
• Passwords
• Encryption
• Training
• Risk Assessments
Documentation
• Document policy, controls, and criteria that meet minimum requirements across standards
• Integrated Control Framework
Execute integrated program
• Identify data sources
• Define & assess risk
• Develop & implement controls
• Audit & correct
• Enforce, monitor & support
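The integrated-compliance steps above can be carried out mechanically: each framework's requirements are tagged with the common control area they map to, the integrated control records the strictest criterion seen across frameworks, and the audit step reports which integrated controls the implementation misses and which source frameworks that gap would affect. The script below is an added example written for this page, not the webinar's or the presenters' material. The framework names are real, but every control id, threshold and implementation value is a constructed sample rather than any framework's actual requirement text.

```python
"""Build an integrated control framework and audit an implementation against it.

Added example (not from the webinar or its presenters). Framework names are
real; every control id, threshold and implementation value below is a
CONSTRUCTED sample, not the frameworks' actual requirement text.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    framework: str            # source regulation / standard
    control_id: str           # that framework's own control id (constructed here)
    common_control: str       # common control area it maps to (from the slides)
    criterion: str            # measurable criterion within that area
    value: Optional[float]    # numeric threshold, or None for a yes/no control
    stricter: str = "max"     # "max": larger is stricter; "min": smaller is stricter


def _meets(stricter: str, required: Optional[float], actual) -> bool:
    """True if an implemented value satisfies one threshold."""
    if required is None:                     # yes/no control: present or not
        return bool(actual)
    if actual is None:
        return False
    return actual >= required if stricter == "max" else actual <= required


@dataclass
class IntegratedControl:
    common_control: str
    criterion: str
    stricter: str
    value: Optional[float] = None                 # strictest threshold seen so far
    sources: dict = field(default_factory=dict)   # framework -> [(control_id, value)]

    def add(self, req: Requirement) -> None:
        self.sources.setdefault(req.framework, []).append((req.control_id, req.value))
        if req.value is None:
            return
        if self.value is None:
            self.value = req.value
        else:
            pick = max if self.stricter == "max" else min
            self.value = pick(self.value, req.value)

    def failing_frameworks(self, actual) -> list:
        """Frameworks whose own threshold the implemented value does not meet."""
        return sorted(fw for fw, items in self.sources.items()
                      if any(not _meets(self.stricter, v, actual) for _, v in items))


@dataclass(frozen=True)
class Finding:
    common_control: str
    criterion: str
    required: Optional[float]
    actual: object
    failing_frameworks: tuple


def build_integrated_framework(reqs) -> dict:
    """Map (common_control, criterion) -> IntegratedControl with the strictest threshold."""
    integrated = {}
    for r in reqs:
        key = (r.common_control, r.criterion)
        ic = integrated.get(key)
        if ic is None:
            ic = integrated[key] = IntegratedControl(r.common_control, r.criterion, r.stricter)
        elif ic.stricter != r.stricter:
            raise ValueError(f"requirements for {key} disagree on which direction is stricter")
        ic.add(r)
    return integrated


def audit(integrated: dict, implemented: dict) -> list:
    """Audit step: every integrated control the implementation does not meet."""
    findings = []
    for key in sorted(integrated):
        ic = integrated[key]
        actual = implemented.get(key)
        if not _meets(ic.stricter, ic.value, actual):
            findings.append(Finding(key[0], key[1], ic.value, actual,
                                    tuple(ic.failing_frameworks(actual))))
    return findings


# Constructed sample requirements: ids and numbers are illustrative only.
SAMPLE_REQUIREMENTS = [
    Requirement("FedRAMP", "FR-PW-1 (constructed)", "Passwords", "min_length", 12, "max"),
    Requirement("PCI DSS", "PCI-PW-1 (constructed)", "Passwords", "min_length", 7, "max"),
    Requirement("FedRAMP", "FR-AC-1 (constructed)", "Access controls", "review_interval_days", 90, "min"),
    Requirement("PCI DSS", "PCI-AC-1 (constructed)", "Access controls", "review_interval_days", 180, "min"),
    Requirement("HIPAA", "HI-AC-1 (constructed)", "Access controls", "review_interval_days", 365, "min"),
    Requirement("PCI DSS", "PCI-EN-1 (constructed)", "Encryption", "encrypt_in_transit", None),
    Requirement("HIPAA", "HI-EN-1 (constructed)", "Encryption", "encrypt_in_transit", None),
    Requirement("FedRAMP", "FR-EN-1 (constructed)", "Encryption", "encrypt_in_transit", None),
    Requirement("FedRAMP", "FR-TR-1 (constructed)", "Training", "interval_days", 365, "min"),
    Requirement("HIPAA", "HI-TR-1 (constructed)", "Training", "interval_days", 365, "min"),
    Requirement("FedRAMP", "FR-RA-1 (constructed)", "Risk Assessments", "interval_days", 365, "min"),
    Requirement("HIPAA", "HI-RA-1 (constructed)", "Risk Assessments", "interval_days", 365, "min"),
    Requirement("PCI DSS", "PCI-RA-1 (constructed)", "Risk Assessments", "interval_days", 365, "min"),
]

# Constructed sample of what the organization actually implements.
SAMPLE_IMPLEMENTATION = {
    ("Passwords", "min_length"): 8,        # meets the PCI sample, not the FedRAMP sample
    ("Access controls", "review_interval_days"): 90,
    ("Encryption", "encrypt_in_transit"): True,
    ("Training", "interval_days"): 365,
    # Risk assessments: nothing implemented, so every source framework is missed
}

if __name__ == "__main__":
    fw = build_integrated_framework(SAMPLE_REQUIREMENTS)
    for (area, crit), ic in sorted(fw.items()):
        print(f"{area:17} {crit:22} strictest={ic.value!s:5} sources={sorted(ic.sources)}")
    for f in audit(fw, SAMPLE_IMPLEMENTATION):
        print(f"GAP {f.common_control}/{f.criterion}: required {f.required}, "
              f"actual {f.actual}, fails {list(f.failing_frameworks)}")
```

The integrated threshold is the strictest one, so meeting it satisfies every mapped framework at once; the per-framework list in each finding shows that an implementation can still satisfy some sources (here the PCI DSS sample) while failing others, which is what decides how urgent the correction is.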
Questions

Thank You!

What’s next?
3rd Webinar in the Series
• Timing: Early May
• Topic: Baselining and advancing your security posture
• Details: You tell us…
What do you want to hear about in the next webinar? Email us at [email protected] with your ideas!

Resources
• FedRAMP: http://www.gsa.gov/portal/category/102371
• Cloud Security Alliance: https://cloudsecurityalliance.org/
• PCI: https://www.pcisecuritystandards.org/
• HIPAA: http://www.hhs.gov/ocr/privacy/