There Is No Spoon: Compliance & Privacy in the Cloud
Michael Dahn
MSIA, CISSP

Friday, November 20, 2009

Which Cloud do you mean?

• Compliance Cloud
• Technical Cloud

Compliance Cloud

CA, MA, MN, FL, ...

Technical Cloud

• SPI Model: Software, Platform, Infrastructure
  ✓ *aaS (Something as a Service)

What is Compliance?

Compliance vs Validation

• Compliance is a state of being: like auto insurance, you need to have it continuously
• Validation is proof of compliance, which you do annually

Compliance vs Security

“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Myth 4 - PCI Will Make Us Secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

Compliant until you're compromised...

the “Singularity”

• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
• If someone dies wearing a seat belt, does that make them useless?

Risk & Transference

• #1 Question everyone has: Liability?
• “You can outsource the work, but you cannot outsource the responsibility”
• Cloud-sourcing does not transfer risk

There is No Spoon

• Can any firewall be used to segment a network?
  ✓ No! Only a properly configured firewall
• Can any Cloud be used and achieve compliance?
  ✓ Maybe... if considerations are made
• Think beyond technology, checklists, and compliance. Think Risk.

Problem List

Problems: PCI DSS

• Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
  ✓ Virtualization?
  ✓ Cloud?
  ✓ WAF in the cloud?
• Requirement 11.2 - ASV Scans

Problems: Service Level Agreement

• Uptime/Availability? Yes’ish
• Security? No.
• Compliance? No.
• Assurance of data integrity? No.

Problems: Image Sprawl

12% month-over-month growth of Amazon Machine Images (AMI) in 2008

• First rule of fight club? Find your data!
• Second rule of fight club? Find your data (no really)!
• Always “ask twice”: how does it work? How does it fail?
• Now assume everything moves

Problems: Audit Logging

• Goals:
  ✓ Alert on suspicious activity? Yes
  ✓ Facilitate a forensic investigation? Maybe
• Are the logs backed up?
• Are they accessible 12-18 months later?
  ✓ What if the server is no longer there?

Problems: Forensic Issues

• During peak retail months systems are scaled up and then down
• Fraud patterns have a lead time of 12-18 months
• How do you forensically examine a ‘ghost’ server?

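The audit-logging and forensic-issues slides turn on one question: when a server has already been torn down, do the logs that would let you reconstruct what happened still exist somewhere off the host for the 12-18 months a fraud pattern can take to surface? The following Python script is an added example, not code from the deck or from Michael Dahn. It reconciles a constructed server inventory against a constructed index of off-host log archives and reports every day inside the look-back window that no archive covers, flagging terminated servers separately because their gaps can no longer be filled from the host. It assumes a 540-day look-back as the upper end of the deck's 12-18 month range; the instance ids and s3:// locations are placeholders.

```python
"""Added example: check that off-host log archives cover every server's
lifetime inside the forensic look-back window, including servers that have
since been terminated (the deck's "ghost" servers).  The inventory and archive
index below are constructed sample data, not real infrastructure."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DayRange = Tuple[date, date]  # inclusive first and last day


@dataclass(frozen=True)
class Instance:
    instance_id: str
    launched: date
    terminated: Optional[date]  # None means the server is still running


@dataclass(frozen=True)
class LogArchive:
    instance_id: str
    first_day: date
    last_day: date
    location: str  # off-host storage URI; placeholder values in the sample


def _merge(ranges: List[DayRange]) -> List[DayRange]:
    """Merge overlapping or adjacent day ranges into a sorted, disjoint list."""
    merged: List[DayRange] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(instances, archives, today, lookback_days=540):
    """Map instance_id -> list of (gap_start, gap_end) day ranges inside the
    look-back window that no archived log bundle covers.  Instances whose
    whole lifetime falls before the window are ignored.  540 days is an
    assumed reading of the deck's 12-18 month fraud lead time."""
    window_start = today - timedelta(days=lookback_days)
    by_instance: Dict[str, List[DayRange]] = {}
    for a in archives:
        by_instance.setdefault(a.instance_id, []).append((a.first_day, a.last_day))

    gaps: Dict[str, List[DayRange]] = {}
    for inst in instances:
        start = max(inst.launched, window_start)
        end = min(inst.terminated or today, today)
        if start > end:
            continue  # lived entirely before the window
        cursor = start  # first day not yet known to be covered
        inst_gaps: List[DayRange] = []
        for a_start, a_end in _merge(by_instance.get(inst.instance_id, [])):
            if a_end < cursor:
                continue  # archive ends before the uncovered region
            if a_start > cursor:
                inst_gaps.append((cursor, min(a_start - timedelta(days=1), end)))
            cursor = max(cursor, a_end + timedelta(days=1))
            if cursor > end:
                break
        if cursor <= end:
            inst_gaps.append((cursor, end))  # uncovered tail, e.g. the last days before termination
        if inst_gaps:
            gaps[inst.instance_id] = inst_gaps
    return gaps


def ghost_servers(instances, gaps):
    """Terminated servers with a coverage gap: their disks are gone, so the
    missing days cannot be recovered from the host later."""
    return sorted(i.instance_id for i in instances if i.terminated and i.instance_id in gaps)


def gap_report(instances, archives, today, lookback_days=540):
    """Human-readable, sorted summary lines for an audit or incident review."""
    gaps = coverage_gaps(instances, archives, today, lookback_days)
    return sorted(f"{iid}: {s.isoformat()}..{e.isoformat()}"
                  for iid, ranges in gaps.items() for s, e in ranges)


# Constructed sample data (not real instances or storage locations).
TODAY = date(2009, 11, 20)
SAMPLE_INSTANCES = [
    Instance("web-01", date(2009, 1, 1), None),                      # long-running
    Instance("web-peak-07", date(2008, 11, 15), date(2009, 1, 10)),  # holiday scale-up, then removed
    Instance("db-02", date(2009, 3, 1), date(2009, 4, 1)),           # short-lived, never archived
    Instance("old-01", date(2007, 1, 1), date(2008, 3, 1)),          # retired before the window
]
SAMPLE_ARCHIVES = [
    LogArchive("web-01", date(2009, 1, 1), date(2009, 6, 30), "s3://example-log-archive/web-01/h1"),
    LogArchive("web-01", date(2009, 7, 1), date(2009, 11, 20), "s3://example-log-archive/web-01/h2"),
    LogArchive("web-peak-07", date(2008, 11, 15), date(2008, 12, 31), "s3://example-log-archive/web-peak-07/2008"),
]

if __name__ == "__main__":
    for line in gap_report(SAMPLE_INSTANCES, SAMPLE_ARCHIVES, TODAY):
        print("uncovered:", line)
    print("ghost servers:", ghost_servers(SAMPLE_INSTANCES, coverage_gaps(SAMPLE_INSTANCES, SAMPLE_ARCHIVES, TODAY)))
```

Run against the sample data, the report shows that web-peak-07's last ten days before termination and all of db-02's lifetime have no archived logs, while the long-running web-01 is fully covered by two adjacent bundles. In a real environment the inventory would come from the provider's instance history and the archive index from whatever off-host store the logs are shipped to; the point of running the check regularly, rather than at audit time, is that a gap on a terminated server is only fixable while the server still exists.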
Problems: Third-Party Access

Who has remote admin on my server?

• People you give data to
• People you give access to data
• People who have access to your data

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

... monitor service providers’ PCI DSS compliance status.

Problems: Data Destruction

• Where do the following go?
  ✓ Failed hard drive
  ✓ Deleted VM
• Who owns the data? You or your cloud?

Problems: Backup?

• Who is backing up?
• How is it backed up?
• Where do the backups go?
  ✓ Offsite to a third-party? New scope/contract

Conclusion

• Cloud Compliance is possible but not probable... until the services evolve
• Cloud gives you scalability, but not security... unless you bake it in

Thank You

• Questions?
• Contact Mike Dahn?

Mais conteúdo relacionado

Semelhante a Compliance & Privacy in the Cloud

ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era Martin Thompson
 
Nils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesNils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesGovCloud Network
 
ITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraMartin Thompson
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Amazon Web Services
 
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonMartin Thompson
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsZack Smith
 
Time to Bet on the Cloud?
Time to Bet on the Cloud?Time to Bet on the Cloud?
Time to Bet on the Cloud?gojkoadzic
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
CCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCloud Congress
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentTripwire
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementNishant Kaushik
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure DevelopmentSecurity Ninja
 
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudCloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudLiquid Litigation Mangement, Inc.
 
Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)will_j
 
Mdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedMdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedmtlgirlgeeks
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010graywilliams
 
Ciso executive summit 2012
Ciso executive summit 2012Ciso executive summit 2012
Ciso executive summit 2012Bill Burns
 

Semelhante a Compliance & Privacy in the Cloud (20)

ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era
 
Nils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesNils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic Slides
 
ITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud Era
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
 
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Představení služby QualysGuard
Představení služby QualysGuardPředstavení služby QualysGuard
Představení služby QualysGuard
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless Deployments
 
Time to Bet on the Cloud?
Time to Bet on the Cloud?Time to Bet on the Cloud?
Time to Bet on the Cloud?
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Ubiquitous Computing
Ubiquitous ComputingUbiquitous Computing
Ubiquitous Computing
 
CCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny Rachitsky
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a Punishment
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity Management
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudCloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
 
Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)
 
Mdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedMdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitized
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010
 
Ciso executive summit 2012
Ciso executive summit 2012Ciso executive summit 2012
Ciso executive summit 2012
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Compliance & Privacy in the Cloud

  • 1. There Is No Spoon: Compliance & Privacy in the Cloud Michael Dahn MSIA, CISSP Friday, November 20, 2009
  • 2. Which Cloud do you mean? Compliance Cloud Technical Cloud
  • 9-10. Compliance Cloud CA, MA, MN, FL, ...
  • 11-12. Technical Cloud • SPI Model: Software, Platform, Infrastructure ✓ *aaS (Something* as a Service)
  • 13. What is Compliance?
  • 14. Compliance vs Validation • Compliance is a state of being; like auto insurance, you need to have it continuously • Validation is proof of compliance that you do annually
  • 15-16. Compliance vs Security “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
  • 17-18. Compliance vs Security “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” Myth 4 - PCI Will Make Us Secure: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data. Compliant until you're compromised...
  • 20-21. the “Singularity” • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron • If someone dies wearing a seat belt, does that make seat belts useless?
  • 22. Risk & Transference • #1 question everyone has: Liability? • “You can outsource the work, but you cannot outsource the responsibility” • Cloud-sourcing does not transfer risk
  • 23-28. There is No Spoon • Can any firewall be used to segment a network? ✓ No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓ Maybe... if considerations are made • Think beyond technology, checklists, and compliance. Think Risk.
  • 30-35. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server” ✓ Virtualization? ✓ Cloud? ✓ WAF in the cloud? • Requirement 11.2 - ASV Scans
  • 36. Problems: Service Level Agreement • Uptime/Availability? Yes’ish • Security? No. • Compliance? No. • Assurance of data integrity? No.
  • 37-42. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice” - how does it work? how does it fail? • Now assume everything moves
  • 43-46. Problems: Audit Logging • Goals: ✓ Alert on suspicious activity? Yes ✓ Facilitate a forensic investigation? Maybe • Are the logs backed up? • Are they accessible 12-18 months later? ✓ What if the server is no longer there?
  • 47. Problems: Forensic Issues • During peak retail months systems are scaled up and then down • Fraud patterns have a lead time of 12-18 months • How do you forensically examine a ‘ghost’ server?
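The audit-logging and forensic slides above ask what an investigator is left with when the server has already been scaled back down and destroyed. One answer is to ship every audit record off the instance as it is written, into a store whose lifetime is tied to a retention policy rather than to the instance, and to chain the records with hashes so that what survives can be shown to be complete and unaltered. The following is an added example written for this page, not code from the deck or from any cloud provider: `DurableLogStore`, `AuditRecord`, `ship_record`, `verify_chain`, the instance id and the sample events are all constructed, and an in-memory dict stands in for object storage or a log service outside the instance.

```python
"""Durable, tamper-evident audit logging for ephemeral cloud instances.

Added illustration (not from the slide deck). Each instance ships every
audit record off-box as it is written, chained by SHA-256, so the log
outlives the instance and can still be verified 12-18 months later.
All names and sample events below are constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=548)  # ~18 months, the fraud lead time the deck cites
GENESIS = "0" * 64               # prev_hash of the first record in a chain


@dataclass(frozen=True)
class AuditRecord:
    instance_id: str
    timestamp: str   # ISO-8601, UTC
    event: dict      # the audit event itself
    prev_hash: str   # hash of the previous record for this instance
    record_hash: str # SHA-256 over (instance_id, timestamp, event, prev_hash)


def _digest(instance_id, timestamp, event, prev_hash):
    """Canonical JSON, so the same record always hashes the same way."""
    payload = json.dumps(
        {"instance_id": instance_id, "timestamp": timestamp,
         "event": event, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class DurableLogStore:
    """Stand-in for storage outside the instance (constructed, in-memory).

    Records are keyed by instance, appended only, and kept for RETENTION
    after the instance's last record, so a terminated instance keeps its log.
    """
    records: dict = field(default_factory=dict)  # instance_id -> [AuditRecord]

    def ship_record(self, instance_id, timestamp, event):
        chain = self.records.setdefault(instance_id, [])
        prev_hash = chain[-1].record_hash if chain else GENESIS
        rec = AuditRecord(instance_id, timestamp, event, prev_hash,
                          _digest(instance_id, timestamp, event, prev_hash))
        chain.append(rec)
        return rec

    def verify_chain(self, instance_id):
        """Recompute every hash; False means a record was altered, dropped or reordered."""
        expected_prev = GENESIS
        for rec in self.records.get(instance_id, []):
            if rec.prev_hash != expected_prev:
                return False
            if _digest(rec.instance_id, rec.timestamp, rec.event, rec.prev_hash) != rec.record_hash:
                return False
            expected_prev = rec.record_hash
        return True

    def retained_until(self, instance_id):
        last = datetime.fromisoformat(self.records[instance_id][-1].timestamp)
        return last + RETENTION

    def events_for(self, instance_id, predicate=lambda e: True):
        return [r.event for r in self.records.get(instance_id, []) if predicate(r.event)]


def peak_season_demo():
    """An instance scaled up for peak season emits events, then is terminated."""
    store = DurableLogStore()
    iid = "i-0example1234"  # constructed instance id
    t0 = datetime(2009, 11, 20, 12, 0, tzinfo=timezone.utc)
    sample_events = [  # constructed audit events from the instance's lifetime
        {"type": "ssh_login", "user": "ops", "result": "success"},
        {"type": "sudo", "user": "ops", "cmd": "/usr/sbin/useradd vendor-admin"},
        {"type": "ssh_login", "user": "vendor-admin", "result": "success"},
        {"type": "file_read", "user": "vendor-admin", "path": "/var/app/cardholder.db"},
    ]
    for i, ev in enumerate(sample_events):
        store.ship_record(iid, (t0 + timedelta(minutes=i)).isoformat(), ev)
    # Instance terminated here: nothing remains on-box, only the shipped chain.
    return store, iid


def investigate(store, instance_id, months_later=15):
    """Examine the 'ghost' server: integrity, retention, who read cardholder data."""
    when = datetime(2009, 11, 20, tzinfo=timezone.utc) + timedelta(days=30 * months_later)
    readers = {e["user"] for e in store.events_for(
        instance_id, lambda e: e.get("type") == "file_read" and "cardholder" in e.get("path", ""))}
    return {
        "chain_intact": store.verify_chain(instance_id),
        "still_retained": when <= store.retained_until(instance_id),
        "cardholder_readers": sorted(readers),
    }


if __name__ == "__main__":
    store, iid = peak_season_demo()
    print(investigate(store, iid))
```

The point of the chain is that a gap is as visible as a forgery: an investigator 15 months on can show the log for a server that no longer exists is complete from its first record, and the retention clock runs from the last record rather than from the instance's deletion. Shipping records one at a time, rather than copying a log file at shutdown, is what makes this work when instances are destroyed without warning.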
  • 48-49. Problems: Third-Party Access Who has remote admin on my server? • People you give data to • People you give access to data • People who have access to your data “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” “... monitor service providers' PCI DSS compliance status.”
  • 50. Problems: Data Destruction • Where do the following go? ✓ Failed hard drive ✓ Deleted VM Who owns the data? You or your cloud?
  • 51. Problems: Backup? • Who is backing up? • How is it backed up? • Where do the backups go? ✓ Offsite to a third-party? New scope/contract
  • 52. Conclusion • Cloud Compliance is possible but not probable... until the services evolve • Cloud gives you scalability, but not security... unless you bake it in
  • 53. Thank You • Questions? • Contact Mike Dahn?