Copyright © 2019 Mirantis, Inc. All rights reserved
Demystifying Cloud Security Compliance
WEBINAR | August 28, 2019
2
Bryan Langston - Director of Architecture
Bryan leads the global architecture practice at Mirantis. He and
his team consult with companies of all sizes across all industries
to design world-class open cloud solutions.
Jason James - Director of Security
Jason has worked in the information security realm for over 20
years. His professional background has ranged from Military to
the commercial realm as a Global CISO. He has focused in the
GRC areas for most of his career, helping companies become and
stay compliant.
Presenters
3
A little housekeeping
● Please submit questions in the
Questions panel.
● We’ll provide a link where you
can download the slides at the
end of the webinar.
4
● Navigating a Cloud Security Program
● Tools Selection
● File Integrity Monitoring
● Security Baseline
● Elevated Privilege Management
● Event Auditing
Agenda
5
Audience Poll
6
Navigating a Cloud Security Program
1. Align with a framework
2. Understand the objective of an auditor
3. Understand the burden of proof for each control
4. Distinguish policy from process from technology
5. RACI: Who does what?
7
Tools Selection
The right tool is the one that works for you
Open source
vs.
3rd party / proprietary
vs.
home grown
Which one should I use?
8
File Integrity Monitoring
What is it? The activity associated with monitoring changes in an operating system or application software from a known baseline.
● Cloud Controls Matrix (CCM) control spec for AIS-04:
○ Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business functions to prevent improper disclosure, alteration, or destruction.
● Solutions: auditd+rules, Wazuh, CloudPassage…
● Examples of resources to monitor: Linux password db, search paths, sudo config, SSHD config, Linux filesystem deletes...
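As an added example (not part of the Mirantis deck or any of the tools it names), a minimal baseline-and-diff check in Python over the kinds of resources listed above. The watched paths are relative and the files are constructed inside a temporary directory, so the demo runs without touching the real system; a deleted file is recorded as None so the delete itself becomes a finding.

```python
import hashlib
import os
import tempfile

# Resources named on the slide; relative paths so the demo can run inside a temp dir.
WATCHED = ["etc/passwd", "etc/sudoers", "etc/ssh/sshd_config"]

def snapshot(root, watched=WATCHED):
    """Map each watched path to its SHA-256, or None when the file is missing,
    so a later delete shows up in the diff instead of being silently skipped."""
    snap = {}
    for rel in watched:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            snap[rel] = None
            continue
        with open(path, "rb") as f:
            snap[rel] = hashlib.sha256(f.read()).hexdigest()
    return snap

def compare(baseline, current):
    """Classify each watched resource against the known-good baseline."""
    findings = {}
    for rel, before in baseline.items():
        after = current.get(rel)
        if before == after:
            continue                        # unchanged: nothing to report
        if after is None:
            findings[rel] = "deleted"
        elif before is None:
            findings[rel] = "created"
        else:
            findings[rel] = "modified"
    return findings

def demo():
    """Constructed scenario: baseline three files, then change one and delete one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        for rel in WATCHED:
            with open(os.path.join(root, rel), "w") as f:
                f.write("# constructed " + rel + "\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "etc/sudoers"), "a") as f:
            f.write("alice ALL=(ALL) NOPASSWD: ALL\n")      # sudo config change
        os.remove(os.path.join(root, "etc/ssh/sshd_config"))  # filesystem delete
        return compare(baseline, snapshot(root))
```

In production the baseline would be stored off-host and signed, since a baseline the attacker can rewrite proves nothing to an auditor.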
9
Security Baselines
What is it? A defined configuration state.
● CCM control spec for Governance and Risk Management (GRM-01):
○ Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
○ Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use.
○ Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
● Solutions: Custom scripts/automation, CIS benchmarks, OpenSCAP + OVAL, XCCDF
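As an added example of the "custom scripts" option (not from the deck, and not a transcription of any CIS benchmark), a baseline check for sshd_config in Python. The expected values and sshd defaults in BASELINE are assumptions chosen for illustration; the check reproduces two sshd behaviours that naive grep-based checks get wrong: the first occurrence of a keyword wins, and settings under a Match block are not global.

```python
# Assumed baseline: sshd keyword -> (expected value, sshd's compiled-in default when
# the keyword is unset). Illustrative hardening values, not a transcription of CIS.
BASELINE = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "maxauthtries": ("4", "6"),
    "loglevel": ("VERBOSE", "INFO"),
}

def parse_sshd_config(text):
    """Return the effective global keyword -> value map. sshd keywords are
    case-insensitive and the FIRST occurrence wins; everything after a Match
    line is conditional, so it is skipped rather than treated as global."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # whitespace-separated form only
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            continue
        effective.setdefault(key, value)     # first occurrence wins
    return effective

def check_baseline(text, baseline=BASELINE):
    """Report deviations as keyword -> (actual, expected). A keyword missing from
    the file is judged by sshd's default, which is how sshd itself behaves."""
    effective = parse_sshd_config(text)
    deviations = {}
    for key, (expected, default) in baseline.items():
        actual = effective.get(key, default)
        if actual != expected:
            deviations[key] = (actual, expected)
    return deviations

# Constructed sshd_config: PermitRootLogin appears twice (the first, weak value wins),
# PasswordAuthentication is unset (default yes), MaxAuthTries is hardened only in a Match.
SAMPLE = """\
Port 22
PermitRootLogin yes
LogLevel VERBOSE
PermitRootLogin no
Match User deploy
    MaxAuthTries 3
"""
```

Each deviation reported here is exactly the evidence GRM-01 asks for: either it is authorized through change management, or it is a finding.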
10
Elevated Privilege Management
What is it? Authentication and tracking use of root permissions.
● CCM control spec for Infrastructure & Virtualization Security Audit Logging / Intrusion Detection (IVS-01):
○ Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
● Solutions: 3rd party tools, BeyondTrust, monitoring agents, log monitoring
11
Event Auditing
What is it? Tracking the 7 W’s of audit and compliance: who, what, where, when, on what, from where, and where to.
● CCM control spec for Data Security & Information Lifecycle Management Classification (DSI-01):
○ Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
● Solutions: Cloud Audit Data Framework (CADF)
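As an added example tying the two preceding slides together (root-privilege tracking via log monitoring, and the 7 W's expressed as a CADF event), not part of the deck: Python that parses constructed sudo syslog lines into the 7 W's and emits a simplified CADF-style record. The CADF field names follow my reading of the CADF 1.0 data model, the "execute" action name is an assumption, and the source address is deliberately reported as None because a sudo line does not carry it.

```python
import re
from datetime import datetime

# Classic syslog layout emitted by sudo, "Mon DD HH:MM:SS host sudo: user : k=v ; k=v"
# (an assumption; journald output differs). Constructed samples are at the bottom.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?(?P<fields>.*)$"
)

def seven_ws(line, year=2019):
    """Map one sudo log line onto the 7 W's. The remote source address is not in
    this record, so it is reported as None (a gap to close via sshd login logs)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    kv = dict(part.strip().split("=", 1) for part in m["fields"].split(" ; "))
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "who": m["user"],
        "what": "denied sudo" if m["denied"] else "sudo",
        "where": m["host"],
        "when": when.isoformat(),
        "on_what": kv.get("COMMAND"),
        "from_where": {"tty": kv.get("TTY"), "source_address": None},
        "where_to": {"host": m["host"], "account": kv.get("USER")},
    }

def to_cadf(record, event_id):
    """Simplified CADF-style activity event (field names per my reading of CADF 1.0)."""
    return {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity", "id": event_id,
        "eventTime": record["when"],
        "action": "execute",   # assumed name; not in the CADF base action taxonomy
        "outcome": "failure" if record["what"] == "denied sudo" else "success",
        "initiator": {"typeURI": "service/security/account/user", "name": record["who"],
                      "host": {"address": record["from_where"]["source_address"]}},
        "target": {"typeURI": "service/compute/node", "name": record["where_to"]["host"],
                   "account": record["where_to"]["account"]},
        "observer": {"typeURI": "service/security/audit", "name": "sudo@" + record["where"]},
        "attachments": [{"contentType": "text/plain", "content": record["on_what"]}],
    }

# Constructed sudo log lines: one allowed, one refused by the sudoers policy.
SAMPLE_LOGS = [
    "Aug 28 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/systemctl restart sshd",
    "Aug 28 10:16:40 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo",
]
```

The None in from_where is the point: it shows an auditor exactly which of the 7 W's this log source cannot answer on its own, and therefore which correlation (sshd login to tty) the process must document.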
12
Summary
● The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps “humanize” security language
● Interpret controls to your use case
● Implement tools you can defend
● Document your process
● Maintain evidence of process performance
14
Thank You!
Q&A
Download the slides from bit.ly/mirantis-compliance-webinar
Watch the webinar recording at
https://info.mirantis.com/cloud-security-recording