compliance in the era of cloud
TRANSCRIPT
COMPLIANCE IN THE ERA OF CLOUD
SPEAKERS
● Chip Epps, Senior Director, Product Marketing (@chipepps)
● Alvaro J Hoyos, Chief Information Security Officer (@wherestherisk)
● Rob Capozzi, Senior Sales Engineer (@onelogin)
AGENDA
/ / / Introduction
/ / / Develop a Secure Access Strategy
/ / / Implement a Secure Access Strategy with OneLogin
/ / / Questions & Answers
Guidelines & Frameworks Aid in the Process
● ISO 27001
● NIST Cybersecurity Framework
Structured Approach Makes the Process Manageable
● ISO 27001: PLAN / DO / CHECK / ACT
● NIST Cybersecurity Framework: IDENTIFY / PROTECT / DETECT [...]
DEVELOP A SECURE ACCESS STRATEGY
IDENTIFY: Function Defined
● Identify assets and asset owners
● Typically done as part of your risk assessment process
● Assets can be people, data, systems
Example Assets
● Storage [Financial Data]
● Storage [Brand Assets]
● Office Productivity
● ERP [AR, AP, G/L]
● Social Media
● Virtual Data Center
● CRM
● Source Code
● Web Conferencing
● Contract Management
● Ticketing System
IDENTIFY: Assets Organized by Department
MARKETING
● Social Media
● CRM
● Storage [Brand Assets]
SALES
● Contract Management
● CRM
● Office Productivity
FINANCE
● ERP [AR, AP, G/L]
● Storage [Financial Data]
● Office Productivity
DEVOPS
● Virtual Data Center
● Source Code
● Ticketing System
PROTECT: Function Defined
● Develop and implement safeguards
● Safeguards should be commensurate with risk
Sample Safeguards
● Role based access
● Strong passwords
● Multi-factor authentication
● IP whitelisting
PROTECT: Deploy Safeguards Based on Risk
Risk axis: Lower Risk to Higher Risk
● Lower risk: + Role based access + Strong passwords
● Higher risk: + Role based access + Strong passwords + MFA + IP whitelisting
FINANCE assets placed on the axis: Storage [Financial Data], Office Productivity, ERP [AR, AP, G/L]
DETECT: Function Defined
● Develop detection mechanisms
● Mechanisms can be active or passive
Example Mechanisms
● Access reviews
● Event log reviews
● Automated alerts
DETECT: Deploy Mechanisms Based on Risk
ACCESS LEVELS (Lower Risk to Higher Risk)
● Non-Privileged User Access: + Periodic user access review
● Privileged User Access: + Periodic user access review + Assumed user review
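As an added example (not from the webinar or from OneLogin), the risk-tiered safeguards from the Protect slides expressed as a policy check, with a failing attempt turned into an automated alert for the Detect function. The asset tiers, role names and office network range are constructed assumptions; the deck itself does not rank individual assets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Safeguards required per risk tier; the higher tier is cumulative,
# as on the "Deploy Safeguards Based on Risk" slide.
TIER_SAFEGUARDS = {
    "lower": {"role_based_access", "strong_password"},
    "higher": {"role_based_access", "strong_password", "mfa", "ip_allowlist"},
}

# Constructed inventory: the Finance assets from the Identify slides,
# each with an assumed risk tier and the roles allowed to reach it.
ASSETS = {
    "Office Productivity": {"tier": "lower", "roles": {"finance"}},
    "Storage [Financial Data]": {"tier": "higher", "roles": {"finance"}},
    "ERP [AR, AP, G/L]": {"tier": "higher", "roles": {"finance"}},
}
# Constructed "IP whitelisting" range (TEST-NET-3, not a real office).
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class AccessAttempt:
    user: str
    role: str
    asset: str
    source_ip: str
    mfa_passed: bool
    password_meets_policy: bool


def evaluate(attempt: AccessAttempt) -> List[str]:
    """Return the required safeguards this attempt fails; empty means allow."""
    asset = ASSETS[attempt.asset]
    required = TIER_SAFEGUARDS[asset["tier"]]
    checks = {
        "role_based_access": attempt.role in asset["roles"],
        "strong_password": attempt.password_meets_policy,
        "mfa": attempt.mfa_passed,
        "ip_allowlist": any(ip_address(attempt.source_ip) in n for n in OFFICE_NETWORKS),
    }
    return sorted(name for name in required if not checks[name])


def alert(attempt: AccessAttempt) -> Optional[str]:
    """Detect function: one alert line per denied attempt, None when allowed."""
    failed = evaluate(attempt)
    if not failed:
        return None
    return f"ALERT user={attempt.user} asset={attempt.asset!r} failed={','.join(failed)}"
```

Only the higher tier asks for MFA and an allowlisted source address, so the same user and password that pass for Office Productivity are denied for the ERP from an outside network.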
DEMO
IMPLEMENT A SECURE ACCESS STRATEGY
IDENTIFY: Map Asset Users to Assets Discovered in Identify Function
● Connecting different OUs
● Creating role containers to enable role based access
PROTECT: Deploy Safeguards from Protect Function
● Role based access
● Strong passwords
● Multi-factor authentication
● IP whitelisting
DETECT: Deploy Mechanisms from Detect Function
● Access reviews
● Event log reviews
Q & A
GET ONELOGIN FOR FREE: HTTPS://WWW.ONELOGIN.COM/SIGNUP
THANK YOU
● Alvaro J Hoyos, Chief Information Security Officer
● Rob Capozzi, Senior Sales Engineer
● Chip Epps, Sr. Director, Product Marketing