1. Why the Cloud can be Compliant and Secure
Presented by:
Jeff Reich
Chief Risk Officer
Layered Technologies
2. Agenda
● Abstract Review
● Layered Technologies Overview
● Speaker Overview
● What is a secure cloud?
● Table Stakes
● Compliance vs Security
● Components of Security
Complying To The Higher Standard
3. Abstract
This session addresses misconceptions about security in the
cloud and examines critical differences between compliance
and security, including how compliance does not always
ensure secure environments. To establish a secure
cloud, one must make risk-based decisions that embrace
compliance but also address practicalities and technical
capabilities. While achieving compliance is considered “table
stakes,” cloud security is an investment and must be
continuous. The audience will learn about key security
components, such as social engineering, patching, system
interfaces and more. The presentation will also address the
importance of grouping similar organizations in the cloud
because they share common security control needs.
4. About Layered Tech
Leadership position in compliant hosting:
• First to offer full PCI support in market (since 2005)
• Compliance cloud solution with built-in security and controls
• Comprehensive consulting and audit services (and partners)
Market-leading cloud/virtualization:
• One of first virtual private data center offers
• Robust community cloud platform with built-in security and controls
Tiered managed services for client choice:
• Monitoring up to full management
• “LT Anywhere” extension
High-touch and process-driven client support:
• Managed service team specialization
• Unified system support for problem diagnostics
• Disciplined change and log management
Global reach:
• 3 primary and 9 secondary data centers
Only service provider to offer Compliance Guaranteed: our compliance clients are guaranteed
to pass 100 percent of every IT audit or assessment sanctioned by the relevant industry or regulatory entity.
5. Jeff Reich
● Over 30 years in Cyber Security, Risk Management, Physical Security and other areas
● Leadership roles in technology and financial services organizations
● Founding member of Cloud Security Alliance
● CRISC, CISSP, CHS-III certifications, …
● ISSA Distinguished Fellow
6. What is a Secure Cloud?
● First, let’s agree on what a cloud is…
● 5-4-3
  ● 5 Essential Characteristics
  ● 4 Deployment Models
  ● 3 Service Models
7. Let’s Agree on the Cloud
According to NIST:
Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access to
a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released
with minimal management effort or service provider
interaction. This cloud model is composed of five
essential characteristics, three service models, and
four deployment models.
Source: The NIST Definition of Cloud Computing, Special Publication 800-145. Authors: Peter Mell and Tim Grance.
8. 5 Essential Characteristics
● On-demand self-service
● Broad network access
● Resource pooling
● Rapid elasticity
● Measured Service
9. 4 Deployment Models
● Private cloud
● Community cloud
● Public cloud
● Hybrid cloud
10. 3 Service Models
● Software as a Service (SaaS)
● Platform as a Service (PaaS)
● Infrastructure as a Service (IaaS)
11. Table Stakes
Your compliance needs may include, but are not limited to:
● PCI-DSS
● HIPAA
● FISMA
● SOX
● GLB
● FedRAMP
● Industry Standards
● Corporate Policies
● and many, many more
12. Compliance vs Security
(Diagram: three overlapping sets labelled Compliant Practices, Secure Practices and Your Best Practices.)
13. Managing Costs Around Controls
(Chart: cost in $ plotted against Level of Controls. Two curves, Potential Cost of Losses and Cost of Controls; the region where they meet is labelled Good Business Sense, and a further region is labelled Tree of FUD.)
14. Risk Management in the Cloud
● First mistake of many cloud prospects
● How am I managing risks now?
● Risk picture may not improve
● What are the most valuable information or process assets for your organization?
  ● Disclosure → Confidentiality
  ● Modification → Integrity
  ● Denial of Access → Availability
15. Components of Security
● Trust
● Verification
● Policies, Standards, Guidelines and Procedures
● Situational Awareness
● Training
● Testing
● Lather, rinse, repeat,…
16. Components of Cloud Security
● Trust
● Verification
● Policies, Standards, Guidelines and Procedures
● Situational Awareness
● Training
● Testing
● Lather, rinse, repeat,…
17. Components of Cloud Security
Your provider should offer:
● Policies
● Validation
● Transparency
● Demonstration of compliance
● Compliance support
For more information, see www.cloudsecurityalliance.org
18. Finding a Cloud Environment
(Diagram: a grid with deployment models across the top, Private, Hybrid, Community and Public, and service models down the side, IaaS, PaaS and SaaS. An arrow runs from Greater Control, at the Private/IaaS corner, to Greater Exposure, at the Public/SaaS corner.)
19. Contact Me
● Jeff Reich
● 972-379-8567
● jeff.reich@layeredtech.com
● Twitter: @jnreich
● Skype: jnreich
● www.layeredtech.com