Security and compliance in the cloud
How smart leaders put safeguards in place

White Paper



The responsibilities and requirements of security and compliance can be so distracting they keep leaders from focusing on the organization’s opportunities and growth. Protection of the modern foundations of business — including data, digital assets, connectivity and continuity — is critical. You can’t afford to ignore the risks. But you can put the safeguards in place that will allow you to put the focus back on better customer experiences, more efficient operations and growing profits.

In this white paper, we’ll share the lessons learned by smart business leaders who take a proactive and thorough approach to protecting the digital assets of employees, customers and the business. We’ll arm you with key questions to ask your cloud solution provider (and prepare you with the right answers). With more confidence in your knowledge of the risks and responsibilities of security and compliance, you can direct more energy to the important work of building the business.

Table of contents

Public cloud SLAs should include robust engineering and redundancy

Mobile security tips

Security policies

IT groups struggle to fill staffing and skills gaps

Understanding PCI

Understanding HIPAA

Application knowledge and expertise mitigate your risk

DXC Concerto makes security and compliance easier

1. Control and protect customer and business data

In today’s world, data is the most valuable asset you control. Losing intellectual property, suffering a breach of clients’ personally identifiable information (PII), or unauthorized access to financial information or confidential employee records can disrupt the business.

Key elements of strong data management policies and processes include:

• Encryption of data at rest (physically stored data), encryption of data in transit, and firewall protection against external networks

• Active login access monitoring and management

• Strong password and two-factor authentication to validate the identity of the user

• Content monitoring to protect the perimeters of your environment

• Regular patch management for prevention of and protection against malware threats

• A system designed to back up data as well as replicate it to a geographically dispersed facility

• Classification information embedded with data for persistent protection — ensuring that it remains protected regardless of where it’s stored or with whom it’s shared

2. Stay ahead of external threats

The cybersecurity landscape is constantly changing, challenging every organization to detect threats and respond quickly when attacked. Even the most well-designed and implemented service cannot protect customer data and privacy if it is deployed to an environment that is not secure.

To protect customer, employee and corporate data, your organization must be able to:

• Detect suspicious behavior with built-in security services on-premises or in the cloud, using analytics for insights into attacks

• Investigate security incidents and quickly remediate compromised identities, emails and affected devices

• Integrate built-in cybersecurity tools with your environment to monitor and protect data, and the applications and devices your employees use

• Have a realistic and effective incident response plan to serve as a mechanism for action

Public cloud SLAs should include robust engineering and redundancy

Microsoft Azure™ does not automatically encrypt clients’ data at rest and requires additional solutions to be leveraged to accomplish this requirement. Many public cloud providers guarantee compliance at the container level, but not throughout the application layers, which can be key to a multifactor data security approach. It is often the responsibility of the organization to implement workloads and applications in a way that will achieve strong security for compliance.

3. Provide safe, secure access for a mobile workforce

Mobile devices are an integral part of today’s workplace, allowing employees to work from just about anywhere. To help your mobile workforce maintain productivity, you need to provide them with consistent access to corporate resources and data from any location and device. For IT administrators, that access means vigilance in protecting corporate assets from unauthorized access. Devices remotely connected to a network are prime entry points for attackers.

Using cloud-based backup and security services, organizations can balance access with prevention through:

• Reliable data backup as a core component of data-protection policies

• Online storage providing access to employees’ latest files from any device and giving them the ability to save their changes to a central file

• Remediation for lost or stolen mobile devices, with the ability to remotely wipe data from lost devices and sync data, settings and apps to new devices

67 percent of organizations believe the risk of cyber extortion will increase in frequency and payout.

Ponemon Institute 2018 Study on Global Megatrends in Cybersecurity


Mobile security tips

Reduce the risk of credential compromise by educating users on why they should avoid simple passwords, enforcing multifactor authentication and applying alternative authentication methods (e.g., gesture or PIN). Do not work in public Wi-Fi hotspots, where attackers could eavesdrop on your communications, capture logins and passwords, and access your personal data.

4. Promote security awareness

The saying “an ounce of prevention is worth a pound of cure” is as pertinent to security as it is to health. Clearly establish and enforce all policies and procedures. Educating your employees on safe computing practices for both the office and remote work can help you avoid some of the most common security issues. Educate employees early and often to prevent mistakes by inexperienced employees and avoid complacency in seasoned workers.

• Policies and procedures that are practical and clear, providing the appropriate level of security for each business unit

• An actively enforced policy requiring strong passwords

• Security policies that control access to sensitive data and limit corporate network access to appropriate users, locations, devices and operating systems


Security policies

Policies can be defined for any area of security. It is up to the security administrator and IT manager to classify what policies need to be defined and who should plan the policies. There could be policies for the whole company or policies for various sections within the company.

The various types of policies that could be included are:

• Password policies

• Administrative responsibilities

• User responsibilities

• Email policies

• Internet policies

• Backup and restore policies

5. Prepare for recovery in the face of the unexpected

To minimize the impact of breaches, malware, ransomware and other attacks, your team needs to be prepared to react immediately.

Your response team should be able to:

• Identify the security issue, assign a severity classification and appropriately escalate

• Contain the incident and protect data

• Eradicate any damage caused by the security incident and identify the root cause of the security issue

• Recover the system and services to full working capacity

• Analyze each security incident to ensure that appropriate mitigations are applied to protect against future recurrence

IT groups struggle to fill staffing and skills gaps

Cloud and security talent is in high demand, and the domain-specific roles of yesterday are being replaced by multi-skilled IT professionals who are proficient with a variety of platforms, languages and models. These professionals are increasingly hard to find, costly to hire and difficult to retain.

6. Understand and meet compliance requirements

Managing compliance has become such a complex task that it is difficult for an organization to navigate alone. Not only are there many levels of standards and regulations, but electronic data-handling laws continue to evolve.

3.5 million unfilled cybersecurity jobs predicted by 2021.


The three primary compliance areas your organization needs to consider include:

• Cross-industry international standards established by bodies such as the International Organization for Standardization (ISO) or the Cloud Security Alliance, which are applicable to virtually all cloud customers around the world

• Industry-specific regulations that apply to organizations in healthcare, manufacturing, education, financial services and government

• Regulations and standards that are based on regional or national needs, or on data protection laws

Understanding PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands.

As with many compliance standards managed in a public cloud, PCI compliance is achieved only if the environment is properly configured by the customer. Depending on the nature and number of transactions, an organization falls under one of four Self-Assessment Questionnaire (SAQ) levels for PCI compliance: SAQ A, B, C and D. SAQ D, the most complex of the four, encompasses over 200 requirements and covers the entirety of the PCI DSS.

7. Keep up with changing industry requirements

In light of the ever-changing regulatory landscape, achieving compliance is no longer enough. Companies must dedicate resources to ensure that all aspects of the business maintain compliance. Toward that end, one of the greatest benefits of cloud computing is the ability to quickly create compliant IT platforms and efficiently maintain them.


A cloud provider with a proven commitment to compliance regulations and standards will:

• Stay abreast of industry-specific requirements that have an impact on processes, physical security, data isolation and security measures

• Provide access to the audited reports, certifications and attestations required for each industry being served

• Protect your customers and your business, ensuring that data is being handled properly and meeting the criteria for these international standards

Understanding HIPAA

HIPAA guidelines state that a Business Associate Agreement (BAA) must be contracted between the healthcare organization and the service provider. On Microsoft Azure, a BAA is available only when the service is purchased under an Enterprise Agreement. In addition, Microsoft recommends against storing or processing ePHI (electronic protected health information) in its cloud outside of the BAA, unless you can ensure that the data is rendered useless in the event of a breach.

Application knowledge and expertise mitigate your risk

From design and development to deployment and management, DXC Concerto™ provides the expertise you need to manage a wide range of mission-critical applications. You can trust DXC Concerto to migrate your applications — such as enterprise resource planning (ERP), financials and e-commerce systems — while fully satisfying your compliance, security and uptime requirements.

DXC Concerto Cloud Advisory Services provide a clear vision:

• Cost/benefit analysis of moving workloads to the cloud

• Risk and impact assessment of current platforms

• Operational and uptime requirements

• Public, private and hybrid cloud recommendations

• Best-practices guidance

• Ability to offer help in the delivery of your requirements


DXC Concerto makes security and compliance easier

Our dedicated governance, regulatory and compliance (GRC) team takes the effort and guesswork out of maintaining a solid, compliant environment to help reduce your organizational risk. Our cloud solutions meet and often exceed stringent industry-specific security requirements. We apply security down to the application layers and further customize security standards to meet required compliance standards, including: Service Organization Control (SOC) 1, SOC 2, Sarbanes–Oxley Act (SOX), HIPAA, PCI, Criminal Justice Information Services (CJIS), International Traffic in Arms Regulations (ITAR), Federal Information Processing Standard (FIPS) 140-2, and EU-U.S. Privacy Shield.

Why DXC Concerto?

DXC Concerto, the mid-market cloud offering within DXC Technology, specializes in providing a best-in-class multi-cloud platform that helps organizations accelerate digital transformation and realize their full potential. We make cloud adoption easy with unrivaled uptime and accelerated delivery, worldwide. Our strategic partnerships include Microsoft, NetApp, Cisco and Amazon Web Services (AWS). Delivering application expertise, innovation and service excellence in every engagement, we serve as trusted advisors to clients and application partners seeking to better manage risk and reduce operational challenges.


T 844.760.1842
www.dxc.technology/dxcconcerto

About DXC Technology

DXC Technology (DXC: NYSE) is the world’s leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company’s technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2018 DXC Technology Company. All rights reserved. ECL-074. July 2018