Compliance in the Clouds (ISACA CACS 2017)
TRANSCRIPT
![Page 1: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/1.jpg)
Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Andrew Plato
President / CEO of Anitian
![Page 2: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/2.jpg)
![Page 3: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/3.jpg)
Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• Principal at TrueBit CyberPartners
• 20+ years of experience in security
• Authored thousands of articles, documents, reports, etc.
• “Discovered” SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
![Page 4: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/4.jpg)
What we do: We build great security
• Managed Security (MSSP): Virtual SOC, Managed Detection and Response
• Professional Services: Pentesting, compliance, risk assessments
• Virtual CISO: On-demand security
Why we do it: We believe security is essential to growth, innovation, and prosperity
![Page 5: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/5.jpg)
OVERVIEW
Intent
• Describe some of the issues that influence cloud compliance
• Dispel a few myths of compliance in the cloud
• Provide a strategy for meeting cloud compliance objectives
![Page 6: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/6.jpg)
WHAT IS YOUR INTENTION?
Do you want to build secure and compliant environments, or do you want to be merely compliant?
MERELY COMPLIANT
• Ignore this presentation
• Hire the cheapest checkbox auditor you can find
• Good luck
SECURE AND COMPLIANT
• Sit tight, you are in the right place
![Page 7: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/7.jpg)
ASSUMPTIONS
• This is a giant topic
• This presentation has a bias toward AWS and PCI compliance
• Topics apply to other hosts, and SaaS services
![Page 8: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/8.jpg)
ROAD TO THE CLOUD
![Page 9: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/9.jpg)
ANITIAN: intelligent information security
![Page 10: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/10.jpg)
![Page 11: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/11.jpg)
REMEMBER THESE?
![Page 12: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/12.jpg)
FORMER CIO
![Page 13: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/13.jpg)
![Page 14: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/14.jpg)
![Page 15: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/15.jpg)
NOT A CHECKBOX
![Page 16: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/16.jpg)
IT IS A JOURNEY
WITH A DESTINATION
![Page 17: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/17.jpg)
CLOUD IS GOOD FOR BUSINESS
![Page 18: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/18.jpg)
COMPLIANCE IS GOOD FOR BUSINESS
![Page 19: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/19.jpg)
COMPLIANT CLOUDS ARE GOOD FOR BUSINESS
![Page 20: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/20.jpg)
OF COURSE
IT IS NEVER THAT EASY
![Page 21: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/21.jpg)
WHO DO YOU WANT TO BE TODAY?
![Page 22: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/22.jpg)
CLOUD COMPLIANCE
MYTHS
![Page 23: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/23.jpg)
THE CLOUD IS EASY TO HACK
![Page 24: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/24.jpg)
THIS IS NOT THE PROBLEM
![Page 25: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/25.jpg)
PRE-HARDENED IMAGES
![Page 26: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/26.jpg)
LOTS OF TECH
![Page 27: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/27.jpg)
THIS GUY IS THE PROBLEM
![Page 28: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/28.jpg)
I GOT NOTHING
![Page 29: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/29.jpg)
WE CANNOT CONTROL THE DATA
![Page 30: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/30.jpg)
![Page 31: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/31.jpg)
EXACTLY WHERE YOU PUT IT
![Page 32: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/32.jpg)
COMPLIANCE IS EASIER IN THE CLOUD THAN
ON-PREMISE
![Page 33: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/33.jpg)
![Page 34: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/34.jpg)
On Premise Compliance Program
Cloud Compliance Program
![Page 35: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/35.jpg)
CONSIDER PENETRATION TESTING
On-Premise
• Hire a pentester
• Conduct test
• Patch systems
• Retest
• Pass
AWS
• Hire a pentester
• Find out they know nothing about the cloud
• Hire another pentester
• Wait two weeks for approval from AWS
• Conduct test
• Find problems with third party image
• Pound fist on table
• Rearchitect entire cloud
• Retest
• Pass
![Page 36: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/36.jpg)
HOSTING WITH A COMPLIANT PROVIDER MAKES US COMPLIANT
![Page 37: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/37.jpg)
WHAT’S MISSING?
![Page 38: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/38.jpg)
[Diagram: four stacked layers, each labelled “Security” and “Compliance”, with “YOU MANAGE” beside each layer]
OH YEAH, SECURITY AND COMPLIANCE!
![Page 39: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/39.jpg)
SECURITY AND COMPLIANCE
YOUR RESPONSIBILITY
![Page 40: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/40.jpg)
CLOUD COMPLIANCE IS SHARED
![Page 41: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/41.jpg)
ROAD TO CLOUD COMPLIANCE
![Page 42: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/42.jpg)
1. WHAT EXACTLY ARE YOU MAKING COMPLIANT
I find your lack of scope
… disturbing.
![Page 43: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/43.jpg)
2. INVENTORY
• Applications
• APIs
• Data
• Systems
• Access (remote)
• APIs
• Third party components
• Security controls
… everything
![Page 44: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/44.jpg)
3A. SEGMENT AND ISOLATE
• Put the compliant systems in their own virtual private cloud (VPC)
• Precisely control ALL access between all other VPCs and the Internet
• Please do not peer your systems, route them
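One way to turn the two rules above (control all access, route rather than peer) into a repeatable check, as an added example that is not part of the presentation or any AWS tooling: the route table and peering records below are constructed inline to loosely resemble AWS API output, and the VPC ids, CIDRs and the convention that an inspection appliance shows up as an ENI or instance route target are all assumptions of this example.

```python
"""Audit a constructed VPC model against the isolation rules from step 3A.

Added example, not from the presentation. The input shapes loosely mimic
the AWS describe-route-tables / describe-vpc-peering-connections output
but are simplified and constructed inline. The policy encoded here is one
reading of "control ALL access" and "route, do not peer":

  1. The compliant (CDE) VPC has no VPC peering connections at all.
  2. Every route out of the CDE VPC (default route or a route to another
     VPC's CIDR) goes through an inspection appliance (an ENI or instance
     target), never straight to an internet gateway or a peering link.
"""
from ipaddress import ip_network

# Constructed sample: one CDE VPC and one corporate VPC (hypothetical ids).
CDE_VPC = "vpc-cde00001"
LOCAL_CIDR = "10.10.0.0/16"

PEERINGS = [  # constructed; mimics RequesterVpcInfo / AccepterVpcInfo
    {"id": "pcx-aaaa0001", "requester": "vpc-corp0002", "accepter": "vpc-cde00001"},
]

ROUTE_TABLES = [  # constructed; each route has one destination and one target
    {
        "id": "rtb-cde-public",
        "vpc": CDE_VPC,
        "routes": [
            {"dest": LOCAL_CIDR, "target": "local"},
            {"dest": "0.0.0.0/0", "target": "igw-0123456789"},   # bad: straight to IGW
        ],
    },
    {
        "id": "rtb-cde-private",
        "vpc": CDE_VPC,
        "routes": [
            {"dest": LOCAL_CIDR, "target": "local"},
            {"dest": "0.0.0.0/0", "target": "eni-firewall01"},   # good: via firewall ENI
            {"dest": "10.20.0.0/16", "target": "pcx-aaaa0001"},  # bad: peered, not routed
        ],
    },
]

# Route targets we treat as inspection appliances (assumption of this example).
INSPECTION_PREFIXES = ("eni-", "i-")


def peering_findings(vpc_id, peerings):
    """Rule 1: report every peering connection that touches the CDE VPC."""
    return [
        f"{p['id']}: {vpc_id} is peered with "
        f"{p['requester'] if p['accepter'] == vpc_id else p['accepter']}"
        for p in peerings
        if vpc_id in (p["requester"], p["accepter"])
    ]


def route_findings(vpc_id, local_cidr, route_tables):
    """Rule 2: every non-local route leaving the CDE VPC must hit an inspection point."""
    local = ip_network(local_cidr)
    findings = []
    for rtb in route_tables:
        if rtb["vpc"] != vpc_id:
            continue
        for r in rtb["routes"]:
            # Intra-VPC traffic is not an isolation boundary; skip it.
            if r["target"] == "local" or ip_network(r["dest"]).subnet_of(local):
                continue
            if not r["target"].startswith(INSPECTION_PREFIXES):
                findings.append(
                    f"{rtb['id']}: {r['dest']} -> {r['target']} bypasses inspection"
                )
    return findings


def audit(vpc_id=CDE_VPC, local_cidr=LOCAL_CIDR,
          peerings=PEERINGS, route_tables=ROUTE_TABLES):
    """Return all findings; an empty list means the VPC passes both rules."""
    return peering_findings(vpc_id, peerings) + route_findings(vpc_id, local_cidr, route_tables)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Run against real data, the same two functions would take the output of the describe calls after mapping the fields to this shape; the point is that both rules are mechanical enough to run on every change rather than once a year before the assessor arrives.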
![Page 45: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/45.jpg)
3B. SEGMENTATION and ISOLATION
PCI scoping decision flow (reconstructed from the slide diagram):
1. Does it process, store, or transmit CHD?
   YES → It is in the CDE
   NO → go to question 2
2. Does it connect (in any way) to a CDE system?
   YES → It is in-scope for PCI
   NO → go to question 3
3. Can it affect the security of the CDE at all?
   YES → It is in-scope for PCI
   NO → Out of Scope
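The three questions on this slide applied to a whole inventory at once, as an added example that is not part of the presentation: the inventory and the connection list are constructed, the answer to question 2 is derived from the connection list instead of being typed in by hand, and the "affects CDE security" flag stands in for the reviewer's judgement on question 3 (for example a directory server that authenticates CDE administrators but never sees card data).

```python
"""Classify an inventory against the three scoping questions of slide 3B.

Added example, not from the presentation. INVENTORY and CONNECTIONS are
constructed. Question 1 (handles CHD) is answered from the inventory;
question 2 (connects to a CDE system) is derived from the connection graph;
question 3 (can affect CDE security) is a flag the reviewer sets.
"""
from collections import defaultdict

# Constructed inventory: system name -> attributes
INVENTORY = {
    "pos-app":       {"handles_chd": True,  "affects_cde_security": False},
    "pos-db":        {"handles_chd": True,  "affects_cde_security": False},
    "log-collector": {"handles_chd": False, "affects_cde_security": False},
    "ad-dc":         {"handles_chd": False, "affects_cde_security": True},
    "hr-wiki":       {"handles_chd": False, "affects_cde_security": False},
}

# Constructed connections, treated as undirected: "in any way" counts.
CONNECTIONS = [
    ("pos-app", "pos-db"),
    ("pos-app", "log-collector"),
    ("hr-wiki", "ad-dc"),
]

CDE = "in the CDE"
CONNECTED = "in-scope (connected to a CDE system)"
SECURITY_IMPACTING = "in-scope (can affect CDE security)"
OUT_OF_SCOPE = "out of scope"


def classify(inventory, connections):
    """Return {system: scope status} following the slide's decision flow."""
    adjacency = defaultdict(set)
    for a, b in connections:
        adjacency[a].add(b)
        adjacency[b].add(a)

    # Question 1: anything that processes, stores or transmits CHD is the CDE.
    cde = {name for name, attrs in inventory.items() if attrs["handles_chd"]}
    result = {name: CDE for name in cde}

    for name, attrs in inventory.items():
        if name in cde:
            continue
        if adjacency[name] & cde:                 # question 2: touches a CDE system
            result[name] = CONNECTED
        elif attrs["affects_cde_security"]:       # question 3: reviewer's judgement
            result[name] = SECURITY_IMPACTING
        else:
            result[name] = OUT_OF_SCOPE
    return result


def in_scope(inventory, connections):
    """Sorted names of every system that must be assessed."""
    status = classify(inventory, connections)
    return sorted(name for name, s in status.items() if s != OUT_OF_SCOPE)


if __name__ == "__main__":
    for name, status in classify(INVENTORY, CONNECTIONS).items():
        print(f"{name:14} {status}")
```

Note the asymmetry the flow produces: hr-wiki talks only to ad-dc, which is in scope because it can affect CDE security, but question 2 asks about a connection to a CDE system, so hr-wiki stays out of scope. Whether that is the answer you want is exactly the conversation to have with your assessor before the architecture is built.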
![Page 46: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/46.jpg)
4. GET THE COMPLIANCE PACKAGE
• Any (truly) compliant cloud service can provide attestation.
• AWS and Azure have packages you can request:
AWS: https://aws.amazon.com/compliance/contact/
Microsoft: https://www.microsoft.com/en-us/trustcenter/Compliance
• If your host cannot provide attestation, they are not compliant
• You will be on the hook to make them compliant… which may be impossible
![Page 47: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/47.jpg)
Make sure it is a formal attestation of compliance… like this from the PCI Security Standards Council
![Page 48: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/48.jpg)
Not this…
![Page 49: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/49.jpg)
5. REVIEW THE RESPONSIBILITY MATRIX
• Service providers must provide a responsibility matrix
• What they are responsible for
• What you are responsible for
![Page 50: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/50.jpg)
6. WHAT SERVICES ARE COVERED?
Example – AWS services covered under PCI-DSS
• Auto Scaling
• AWS CloudFormation
• Amazon CloudFront
• AWS CloudHSM
• AWS CloudTrail
• AWS Config
• AWS Direct Connect
• Amazon DynamoDB
• AWS Elastic Beanstalk
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon EC2 Container Service (ECS)
• Elastic Load Balancing (ELB)
• Amazon Elastic MapReduce (EMR)
• Amazon Glacier
• AWS Key Management Service (KMS)
• AWS Identity and Access Management (IAM)
• Amazon Redshift
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon SimpleDB
• Amazon Simple Storage Service (S3)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Workflow Service (SWF)
• Amazon Virtual Private Cloud (VPC)
• AWS WAF - Web Application Firewall
![Page 51: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/51.jpg)
7. BUILD A ROADMAP
• Identify the items you must make compliant
• Figure out the cloud-version of the controls you need
• NGFW & intrusion detection
• Endpoint security
• Integrity monitoring
• Configuration management
• Encryption
• Rewrite policies to reference the cloud
• Engage cloud experienced vendors for services, like pentesting
![Page 52: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/52.jpg)
7B. ROADMAP
![Page 53: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/53.jpg)
8. CONSULT BEST PRACTICE GUIDES
• Every provider offers best practice guides for compliance
• Reference architectures
• Configurations
• Design strategies
• For example, Anitian wrote a definitive guide for PCI compliance at AWS in collaboration with the AWS compliance team
![Page 54: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/54.jpg)
9. TRANSLATE THE STANDARDS INTO CLOUD
• Most compliance standards were written in an era before cloud.
• Consider this example from the PCI-DSS:
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
• You have to translate this into cloud technologies and designs
![Page 55: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/55.jpg)
10. DIAGRAM YOUR CLOUD ENVIRONMENT & DATA FLOWS
![Page 56: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/56.jpg)
11. TAG IT
• PLEASE tag your resources in a logical manner
• Tagging greatly helps with… everything
• AWS best practices: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-resource-tags/
• Azure: https://azure.microsoft.com/en-us/documentation/articles/resource-group-using-tags
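"Tag in a logical manner" only helps compliance if the tags are actually there and actually consistent, so the natural companion to a tagging convention is a check that enforces it. The following is an added example, not code from the presentation or from AWS or Azure: the resource records are constructed to mimic the `Tags` list shape of EC2 API output, and the required keys and allowed values (including a `PCIScope` tag) are an assumed policy chosen for illustration.

```python
"""Check resource tags against a tagging policy, as step 11 asks for.

Added example, not from the presentation. RESOURCES is constructed to mimic
the Tags field of describe-instances / describe-volumes output
([{"Key": ..., "Value": ...}]). REQUIRED is an assumed policy: each key must
be present with a non-empty value, and keys mapped to a set must use one of
the listed values (None means any non-empty value is fine).
"""
REQUIRED = {
    "Name": None,
    "Environment": {"prod", "staging", "dev"},
    "Owner": None,
    "PCIScope": {"cde", "connected", "out-of-scope"},
}

RESOURCES = [  # constructed sample resources with hypothetical ids
    {"id": "i-0cde000001", "Tags": [
        {"Key": "Name", "Value": "pos-app-1"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "Owner", "Value": "payments-team"},
        {"Key": "PCIScope", "Value": "cde"},
    ]},
    {"id": "i-0cde000002", "Tags": [           # wrong casing, no owner
        {"Key": "Name", "Value": "pos-db-1"},
        {"Key": "Environment", "Value": "Production"},
        {"Key": "PCIScope", "Value": "cde"},
    ]},
    {"id": "vol-0abc000003", "Tags": []},       # untagged volume
]


def tags_as_dict(tag_list):
    """Flatten the API's list-of-Key/Value records into a plain dict."""
    return {t["Key"]: t["Value"] for t in tag_list}


def check_resource(resource, policy=REQUIRED):
    """Return the list of policy violations for one resource (empty = compliant)."""
    tags = tags_as_dict(resource.get("Tags", []))
    problems = []
    for key, allowed in policy.items():
        value = tags.get(key, "").strip()
        if not value:
            problems.append(f"missing tag {key}")
        elif allowed is not None and value not in allowed:
            problems.append(f"tag {key}={value!r} not in {sorted(allowed)}")
    return problems


def check_all(resources, policy=REQUIRED):
    """Map resource id -> violations, listing only resources that fail."""
    report = {}
    for resource in resources:
        problems = check_resource(resource, policy)
        if problems:
            report[resource["id"]] = problems
    return report


if __name__ == "__main__":
    for rid, problems in check_all(RESOURCES).items():
        print(rid)
        for p in problems:
            print("   ", p)
```

The allowed-value sets are what make the report usable: a free-text `Environment` tag that reads `prod`, `Prod` and `Production` across three teams defeats the point of tagging, which is to let scope, ownership and environment be filtered mechanically when inventory, evidence gathering, or an incident calls for it.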
![Page 57: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/57.jpg)
12. MOVE TOWARD DISPOSABLE INFRASTRUCTURE
A new approach to cloud with huge security and compliance benefits:
1. Fully automate the build of your environment
a. System and storage instantiation
b. Configuration, hardening, patching
c. Code deployment
2. On a regular basis, recreate the whole environment
3. Migrate from old to new (automatically)
4. Destroy the original
• Disposable IT forces formality and structure
• It also has huge security benefits
![Page 58: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/58.jpg)
CONCLUSION
![Page 59: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/59.jpg)
YOU STILL NEED ALL THE STANDARD CONTROLS
• Cloud does not change the fact that you still need controls…
• Firewall / NGFW (IDS/IPS)
• SIEM
• File Integrity Monitoring
• Endpoint Anti-virus
• Vulnerability Management
• Patch management
• Encryption
• Key Management
• Whether it is you running it, or somebody else, they still must be present
![Page 60: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/60.jpg)
FINAL THOUGHTS
• Where is your data?
• What exactly are you making compliant
• This is not easy, but you do not need to make it difficult
• Resistance is futile, the cloud is now
![Page 61: Compliance in the Clouds (ISACA CACS 2017)](https://reader031.vdocument.in/reader031/viewer/2022030318/5a6d58847f8b9ac2418b5dc7/html5/thumbnails/61.jpg)
EMAIL: [email protected]
TWITTER: @andrewplato
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN