cloud controls final2
DESCRIPTION
6fusion and Network Box webinar on cloud security related to regulatory requirements, such as HIPAA, CSA CCM, FedRAMP, and PCI.
TRANSCRIPT
Do you know your cloud controls? A close look at regulatory requirements for cloud security
Steven Wolford, Director, Information Security, 6fusion, [email protected]
Chad Walter, Director, Channel Development, Network Box USA, [email protected]
Today’s Agenda
• Introduction
• What is cloud?
• Who controls cloud?
• Cloud types
• Standards impacting security
  • CSA CCM
  • FedRAMP
  • PCI
  • HIPAA
• How it all fits together
• Q&A
Who We Are
This is the second in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
6fusion
6fusion breaks down traditional IT boundaries by delivering universal metering and access to global IT infrastructure. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.
Network Box USA
Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.
What is “Cloud”
[Figure: cloud reference architecture diagram (the actor and component model of the NIST Cloud Computing Reference Architecture). The actors and components recoverable from the slide are listed below.]
• Cloud Consumer
• Cloud Provider
  • Service Orchestration: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
  • Cloud Service Management: Business Support; Provisioning / Configuration; Portability / Interoperability
  • Security
  • Privacy
• Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
• Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage
• Cloud Carrier
Who Controls “Cloud”
[Figure: which party, Cloud Consumer or Cloud Provider, controls each of the Application, Middleware, Operating System and Physical layers under SaaS, PaaS and IaaS. The split the diagram shows is the standard one:]
• IaaS: the Cloud Consumer controls the Application, Middleware and Operating System layers; the Cloud Provider controls the Physical layer
• PaaS: the Cloud Consumer controls the Application layer; the Cloud Provider controls the Middleware, Operating System and Physical layers
• SaaS: the Cloud Provider controls all four layers
Public Cloud
• Cloud service accessible from the Internet
• Enterprise consumers accessing workloads from enterprise networks
• Public consumers accessing workloads from the Internet
Private Cloud
[Figure: a private cloud serving a single enterprise network.]
Community Cloud
• Community is defined as groups of consumers with similar interests, control sets, performance characteristics or other such commonality
[Figure: Group A, Group B and Group C sharing a private cloud, alongside a public cloud provider.]
Hybrid Cloud
[Figure: a hybrid cloud composed of on-site private clouds, outsourced private clouds, on-site community clouds, outsourced community clouds and public clouds.]
Know the Rules
• Regulation
  • FedRAMP
  • PCI DSS v2.0
  • HIPAA / HITECH
• Standard
  • SSAE 16 SOC 2
  • ISO/IEC 27001:2005
• Framework
  • CSA CCM
  • COBIT 4.1
CSA CCM / CAIQ
“As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.”
The CAIQ “provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of ‘yes or no’ control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements.”
CCM – Control Areas
[Chart: CCM control areas with the number of controls in each, contrasting Consumer and Provider responsibility.]
• Compliance (6 controls)
• Human Resources (3 controls)
• Operations Management (4 controls)
• Data Governance (8 controls)
• Information Security (34 controls)
• Risk Management (5 controls)
• Facility Security (8 controls)
• Legal (2 controls)
• Release Management (5 controls)
• Resiliency (8 controls)
• Security Architecture (15 controls)
FedRAMP
Federal Risk and Authorization Management Program: “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
FedRAMP – Control Areas
[Chart: FedRAMP control families with the number of controls in each, contrasting Consumer and Provider responsibility.]
• Access Control (17 controls)
• Awareness and Training (4 controls)
• Audit and Accountability (12 controls)
• Assessment and Authorization (6 controls)
• Configuration Management (9 controls)
• Contingency Planning (9 controls)
• Identification and Authorization (8 controls)
• Incident Response (8 controls)
• Maintenance (6 controls)
• Media Protection (6 controls)
• Physical and Environmental (18 controls)
• Planning (5 controls)
• Personnel Security (8 controls)
• Risk Assessment (4 controls)
• Systems Acquisition (12 controls)
• Systems Communication (24 controls)
• System and Information Integrity (12 controls)
Payment Card Industry
“Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data.”
PCI – Control Areas
[Chart: PCI DSS control areas, contrasting Consumer and Provider responsibility.]
• Firewall
• Track and monitor Access
• UUID
• Encrypt Transmission
• Default Passwords
• Test
• Restrict Access
• Anti-virus
• Stored Cardholder Data
• Secure Systems / Applications
• Physical access
• Personnel Security
HIPAA
• HIPAA: Health Insurance Portability and Accountability Act
• HITECH: American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health
• Meaningful Use: Meaningful Use Guidelines for EHR (2010)
The goal of HIPAA was to protect patients’ confidentiality while enabling healthcare organizations to pursue initiatives that furthered innovation and patient care. However, enforcement was very limited.
HITECH contains specific incentives designed to accelerate the adoption of EHR systems. It broadens the scope of protections listed under HIPAA and increases penalties for non-compliance.
CMS’ Meaningful Use program provides incentive payouts for efficient EHR use. The program provides further incentives to encourage HIPAA / HITECH compliance.
A Brief History of Healthcare Security Regulation
• A regulation is born: Passed in 1996 to simplify the administrative processes surrounding the increasing amounts of ePHI. The Security Rule was enacted 2/20/03 and provided administrative, technical and physical safeguards.
• HIPAA gets some teeth: HITECH extended the Security Rule to include:
  • Civil penalties
  • BAs (business associates) must comply
  • Breach notifications are mandatory
• And gains some incentives: Meaningful Use includes 15 core measures. The program is funded with $27bn over 4 years to cover attestations.
HIPAA – Control Areas
[Chart: HIPAA safeguard categories with the number of controls in each, contrasting Consumer and Provider responsibility.]
• Administrative Safeguards (30 controls)
• Organizational Safeguards (12 controls)
• Physical Safeguards (12 controls)
• Technical Safeguards (12 controls)
Shared Responsibility
Integrated Compliance
• Taking Requirements
  • FISMA/FedRAMP
  • PCI
  • HIPAA
  • ISO
  • Other requirements
• Identifying common controls
  • Access controls
  • Passwords
  • Encryption
  • Training
  • Risk Assessments
• Documentation
  • Document policy, controls, and criteria that meet minimum requirements across standards
  • Integrated Control Framework
• Execute integrated program
  • Identify data sources
  • Define & assess risk
  • Develop & implement controls
  • Audit & correct
  • Enforce, monitor & support
Questions
Thank You!
What’s next?
3rd Webinar in the Series
• Timing: Early May
• Topic: Baselining and advancing your security posture
• Details: You tell us…
What do you want to hear about in the next webinar? Email us at [email protected] with your ideas!
Resources
• FedRAMP: http://www.gsa.gov/portal/category/102371
• Cloud Security Alliance: https://cloudsecurityalliance.org/
• PCI: https://www.pcisecuritystandards.org/
• HIPAA: http://www.hhs.gov/ocr/privacy/