There Is No Spoon:
Compliance & Privacy in the Cloud

Michael Dahn
MSIA, CISSP

Friday, November 20, 2009

Which Cloud do you mean?

• Compliance Cloud
• Technical Cloud

Compliance Cloud

CA, MA, MN, FL, ...

Technical Cloud

• SPI Model: Software, Platform, Infrastructure
  ✓ *aaS (Something* as a Service)

What is Compliance?

Compliance vs Validation

• Compliance is a state of being: like auto insurance, you need to have it continuously
• Validation is proof of compliance, which you produce annually

Compliance vs Security

“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Myth 4 - PCI Will Make Us Secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

Compliant until you're compromised...

the “Singularity”

• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
• If someone dies wearing a seat belt, does that make seat belts useless?

Risk & Transference

• #1 question everyone has: Liability?
• “You can outsource the work, but you cannot outsource the responsibility”
• Cloud-sourcing does not transfer risk

There is No Spoon

• Can any firewall be used to segment a network?
  ✓ No! Only a properly configured firewall
• Can any Cloud be used and achieve compliance?
  ✓ Maybe... if considerations are made
• Think beyond technology, checklists, and compliance. Think Risk.

Problem List

Problems: PCI DSS

• Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
  ✓ Virtualization?
  ✓ Cloud?
  ✓ WAF (web application firewall) in the cloud?
• Requirement 11.2 - ASV (Approved Scanning Vendor) scans

Problems: Service Level Agreement

• Uptime/Availability? Yes’ish
• Security? No.
• Compliance? No.
• Assurance of data integrity? No.

Problems: Image Sprawl

12% month-over-month growth of Amazon Machine Images (AMI) in 2008

• First rule of fight club? Find your data!
• Second rule of fight club? Find your data (no really)!
• Always “ask twice” - how does it work? how does it fail?
• Now assume everything moves

Problems: Audit Logging

• Goals:
  ✓ Alert on suspicious activity? Yes
  ✓ Facilitate a forensic investigation? Maybe
• Are the logs backed up?
• Are they accessible 12-18 months later?
  ✓ What if the server is no longer there?

Problems: Forensic Issues

• During peak retail months systems are scaled up and then down
• Fraud patterns have a lead time of 12-18 months
• How do you forensically examine a ‘ghost’ server?

Problems: Third-Party Access

Who has remote admin on my server?

• People you give data to
• People you give access to data
• People who have access to your data

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

... monitor service providers' PCI DSS compliance status!

Problems: Data Destruction

• Where do the following go?
  ✓ Failed hard drive
  ✓ Deleted VM

Who owns the data? You or your cloud?

Problems: Backup?

• Who is backing up?
• How is it backed up?
• Where do the backups go?
  ✓ Offsite to a third-party? New scope/contract

Conclusion

• Cloud compliance is possible but not probable... until the services evolve
• Cloud gives you scalability, but not security... unless you bake it in

Thank You

• Questions?
• Contact Mike Dahn?
  • 22. Risk & Transference • #1 Question everyone has: Liability? • “You can outsource the work, but you cannot outsource the responsibility” • Cloud-sourcing does not transfer risk Friday, November 20, 2009
  • 23. There is No Spoon Friday, November 20, 2009
  • 24. There is No Spoon • Can any firewall be used to segment a network? Friday, November 20, 2009
  • 25. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall Friday, November 20, 2009
  • 26. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? Friday, November 20, 2009
  • 27. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓Maybe... if considerations are made Friday, November 20, 2009
  • 28. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓Maybe... if considerations are made • Think beyond technology, checklists, and compliance. Think Risk. Friday, November 20, 2009
  • 30. Problems: PCI DSS Friday, November 20, 2009
  • 31. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” Friday, November 20, 2009
  • 32. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? Friday, November 20, 2009
  • 33. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud? Friday, November 20, 2009
  • 34. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud? ✓WAF in the cloud? Friday, November 20, 2009
  • 35. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud? ✓WAF in the cloud? • Requirement 11.2 - ASV Scans Friday, November 20, 2009
  • 36. Problems: Service Level Agreement • Uptime/Availability? Yes’ish • Security? No. • Compliance? No. • Assurance of data integrity? No. Friday, November 20, 2009
  • 37. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 Friday, November 20, 2009
  • 38. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! Friday, November 20, 2009
  • 39. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! Friday, November 20, 2009
  • 40. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice” - how it works? fails? Friday, November 20, 2009
  • 41. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice” - how it works? fails? • Now assume everything moves Friday, November 20, 2009
  • 42. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 Friday, November 20, 2009
  • 43. Problems: Audit Logging Friday, November 20, 2009
  • 44. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe Friday, November 20, 2009
  • 45. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe • Are the logs backed up? Friday, November 20, 2009
  • 46. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe • Are the logs backed up? • Are they accessible 12-18 months later? ✓What if the server is no longer there? Friday, November 20, 2009
  • 47. Problems: Forensic Issues • During peak retail months systems are scaled up and then down • Fraud patterns have lead time of 12-18 mo. • How do you forensically examine a ‘ghost’ server? Friday, November 20, 2009
  • 48. Problems: Third-Party Access Who has Remote admin on my server? • People you give data to • People you give access to data • People who have access to your data Friday, November 20, 2009
  • 49. Problems: Third-Party Access Who has Remote admin on my server? • People you give data to • People you give access to data • People who have access to your data Maintain a written agreement that includes an acknowledgement that the ... monitor service providers! service providers are responsible for PCI DSS compliance status. the security of cardholder data the service providers possess. Friday, November 20, 2009
  • 50. Problems: Data Destruction • Where do the following go? ✓Failed hard drive ✓Deleted VM Who owns the data? You or your cloud? Friday, November 20, 2009
  • 51. Problems: Backup? • Who is backing up? • How is it backed up? • Where do the backups go? ✓Offsite to a third-party? New scope/ contract Friday, November 20, 2009
  • 52. Conclusion • Cloud Compliance is possible but not probable .. until the services evolve • Cloud gives you scalability, but not security .. unless you bake it in Friday, November 20, 2009
  • 53. Thank You • Questions? • Contact Mike Dahn? Friday, November 20, 2009
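The "Find your data!" point under Image Sprawl is a scoping problem: with images multiplying month over month, you cannot say which ones hold cardholder data (and so are in PCI DSS scope) unless something actually looks. The following Python is an added example, not code from Dahn's deck or from any cloud provider: a small cardholder-data discovery pass over constructed sample image contents. The image ids, file paths and file contents are constructed for illustration; the PAN pattern and Luhn mod-10 check are the standard discovery technique, and results are masked to first six/last four digits so the scan's own output does not become cardholder data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, each digit optionally followed by one space
# or dash, and not adjacent to further digits (a 20-digit run is not split).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in a blob of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class Finding:
    image_id: str
    path: str
    masked_pan: str


def scan_images(images: Dict[str, Dict[str, str]]) -> List[Finding]:
    """images maps image id -> {file path -> file contents}.
    In a real run the inner mapping would come from walking a mounted snapshot."""
    findings = []
    for image_id, files in images.items():
        for path, content in files.items():
            for digits in find_pans(content):
                findings.append(Finding(image_id, path, mask_pan(digits)))
    return findings


def images_in_scope(findings: List[Finding]) -> List[str]:
    """Distinct image ids that hold cardholder data, i.e. are in PCI DSS scope."""
    return sorted({f.image_id for f in findings})


# Constructed sample data (hypothetical image ids, paths and contents).
# The two card numbers are well-known industry test PANs that pass Luhn;
# the other digit runs (a date, an order id, a sequence, a serial) do not.
SAMPLE_IMAGES = {
    "ami-web-2008-11": {
        "/var/log/app/checkout.log": "2008-11-03 order 5512 card=4111 1111 1111 1111 ok\n",
        "/etc/hostname": "web01\n",
    },
    "ami-web-2008-12-copy": {
        "/tmp/export.csv": "id,pan\n1,4012888888881881\n2,1234567890123456\n",
    },
    "ami-db-clean": {
        "/var/log/syslog": "kernel: eth0 link up; serial 123456789012345\n",
    },
}

if __name__ == "__main__":
    found = scan_images(SAMPLE_IMAGES)
    for f in found:
        print(f"{f.image_id}: {f.path} -> {f.masked_pan}")
    print("images in scope:", images_in_scope(found))
```

The Luhn check is what keeps this usable: a bare 13-19 digit regex flags timestamps, order numbers and hardware serials on every server, and the noise buries the one forgotten export file. Run against real images, the same logic walks a mounted snapshot of each AMI (including the ones nobody remembers creating), and any image that yields a finding is in scope for the backup, logging, destruction and third-party questions the later slides raise.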