Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Designing a Secure and Compliant Cloud Infrastructure
• Design Cloud Infrastructure for Security
• Determine Organizational Compliance Needs
Responsible Parties in Cloud Environments
• On-premises environment: infrastructure and security services are all managed by you.
• Cloud environment: responsibility is shared. Part of the infrastructure and security services is managed by the CSP, and part is still managed by you.
Corporate Security Policies
The security policy might include the following:
• Goals or mission statement for cloud services: One or two sentences that clearly
state the goals for using cloud services.
• Data classification: This is a complex but essential component of a security policy.
Data can be classified a number of ways, but some common classifications are:
• Sensitive corporate data (corporate secrets).
• Data that is protected by law, such as personally identifiable information (PII), sensitive
personal information (SPI), and protected health information (PHI) under HIPAA.
• Operational data that is used in performance of day-to-day operations.
• Scope: This defines who and what the policy applies to.
• Responsibilities: Who is responsible for key activities, listed by role and by the name of
the current role-holder.
• Policy statements: These are the specific, discrete statements that make up the
policy.
Questions to Ask When Developing Security Policies
• What services, apps, and data should be put in the cloud? Why?
• What services, apps, and data should not be put in the cloud? Why?
• Is there already a corporate data classification policy that can be leveraged?
• Are there any other applicable policies that can be leveraged?
• How are industry peers handling their policies and making their choices?
• What do standards bodies such as ISO, NIST, or the CSA recommend for security and
data handling policies related to your industry?
• Who should have authority to approve agreements with CSPs, and what type of
approval is required to change a CSP contract?
• Where can services and data be physically located?
• What are our options for moving services, apps, and data from one provider to
another, to a private cloud, or back to on-premises?
• Can the CSPs protect corporate sensitive data to the standards defined by the
corporate policy?
• Who can make changes to configuration settings for infrastructure, services, and
apps?
Goals of Securing Cloud Solution Components
• Abuse and unallowed use of cloud resources: Prevent malicious users, either internal or
external, from using your cloud resources for illicit, illegal, or unauthorized activities.
• Breaches and exploitation of shared resources: Protect against cloud technologies that
were not designed to offer strong isolation in multi-tenant environments.
• Breaches and exploitation of cloud apps: Prevent credential theft and unauthorized
access to integrated services and APIs.
• Access to resources by malicious insiders: Protect cloud solutions from bad actors
within your organization and within the CSP.
• Data theft, loss, and leakage: Address a risk that is common to both cloud and
on-premises deployments.
• Account, service, and traffic hijacking: Prevent exploitation of service or app
vulnerabilities that can lead to account compromise.
• Unknown risk profile: Because cloud environments are controlled by CSPs, visibility may
be reduced, making it difficult to calculate a risk profile and apply proper remediation.
Need for a Holistic Security Approach
• Abuse and unallowed use of cloud resources: Consult with your CSP on how they
mitigate these threats.
• Breaches and exploitation of shared resources: Ask your CSP how each client is isolated
from the others in the CSP's multi-tenant shared infrastructure.
• Breaches and exploitation of cloud apps: Analyze and implement highly secure models
for cloud service interfaces, such as strong authentication methods combined with
encryption of transmitted data.
• Attacks from malicious insiders: Assess your CSP's hiring practices and policies.
• Data theft, loss, and leakage: Encrypt data in transit between end users and the CSP
network.
• Account hijacking: Prohibit the sharing of account credentials among users and across
services, both by policy and by design.
• Unknown risk profile: Reduce unknowns by working with your CSP.
Encryption and Decryption
Apply Security to Achieve Defense-In-Depth
• To achieve true defense-in-depth, you must consider all components in use and any
points of vulnerability.
• Implement strong, policy-based management.
• Monitor network activity and review security logs of the system, app, or service and
those of any network security devices in the path of connectivity to it.
• You should also perform, or have a third party perform, periodic vulnerability
scanning and penetration testing.
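Two of the points above can be turned into a concrete control: the holistic-approach list says credential sharing must be prevented by design, and the defense-in-depth bullets say to review security logs. The script below is an added example (not part of the CompTIA deck) that does the review part: it flags any credential used from more than a set number of distinct (source IP, user agent) origins inside a sliding time window, which is what a shared or stolen key looks like in an audit log. The events are constructed, and the field names (ts, key_id, principal, src_ip, user_agent) are assumptions standing in for the equivalent fields in your CSP's audit log (CloudTrail, Azure Activity Log, and so on).

```python
"""Flag credentials used from too many distinct origins in a short window.

Added example, not part of the CompTIA deck. EVENTS is constructed sample
data; the field names (ts, key_id, principal, src_ip, user_agent) are
assumptions standing in for the equivalent fields in your CSP's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # sliding window examined per credential
MAX_DISTINCT_SOURCES = 2         # more than this many (ip, agent) pairs in WINDOW is suspicious

# Constructed audit events (UTC). AKIA-ALICE is used from three different
# IPs and clients within 12 minutes, which is what a shared or stolen key
# looks like. AKIA-DEPLOY and AKIA-BOB are legitimate: a single origin, or
# origins far apart in time (a laptop moving between networks).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "key_id": "AKIA-ALICE", "principal": "alice",
     "src_ip": "203.0.113.10", "user_agent": "aws-cli/2.15"},
    {"ts": "2024-05-01T09:05:00", "key_id": "AKIA-ALICE", "principal": "alice",
     "src_ip": "203.0.113.10", "user_agent": "aws-cli/2.15"},
    {"ts": "2024-05-01T09:07:00", "key_id": "AKIA-ALICE", "principal": "alice",
     "src_ip": "198.51.100.7", "user_agent": "python-requests/2.31"},
    {"ts": "2024-05-01T09:12:00", "key_id": "AKIA-ALICE", "principal": "alice",
     "src_ip": "192.0.2.44", "user_agent": "aws-cli/1.29"},
    {"ts": "2024-05-01T09:00:00", "key_id": "AKIA-DEPLOY", "principal": "ci-deploy",
     "src_ip": "203.0.113.50", "user_agent": "terraform/1.7"},
    {"ts": "2024-05-01T13:00:00", "key_id": "AKIA-DEPLOY", "principal": "ci-deploy",
     "src_ip": "203.0.113.50", "user_agent": "terraform/1.7"},
    {"ts": "2024-05-01T09:30:00", "key_id": "AKIA-BOB", "principal": "bob",
     "src_ip": "203.0.113.11", "user_agent": "aws-cli/2.15"},
    {"ts": "2024-05-01T14:30:00", "key_id": "AKIA-BOB", "principal": "bob",
     "src_ip": "198.51.100.9", "user_agent": "aws-cli/2.15"},
]


def parse_events(events):
    """Return a copy of the events sorted by time, with ts as datetime."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["ts"])


def find_shared_credentials(events, window=WINDOW, max_sources=MAX_DISTINCT_SOURCES):
    """Return {key_id: {(src_ip, user_agent), ...}} for every credential that
    was used from more than max_sources distinct origins within any window."""
    by_key = defaultdict(list)
    for e in parse_events(events):
        by_key[e["key_id"]].append(e)

    findings = {}
    for key_id, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            origins = {(x["src_ip"], x["user_agent"]) for x in evs[start:end + 1]}
            if len(origins) > max_sources:
                findings.setdefault(key_id, set()).update(origins)
    return findings


def report(findings):
    """Human-readable lines, one header per flagged credential plus its origins."""
    lines = []
    for key_id, origins in sorted(findings.items()):
        lines.append(f"{key_id}: {len(origins)} distinct origins in one window")
        for ip, ua in sorted(origins):
            lines.append(f"    {ip}  {ua}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_shared_credentials(EVENTS))))
```

Tune WINDOW and MAX_DISTINCT_SOURCES per credential type: a CI deploy key should never appear from more than one origin, while a human user's key legitimately moves between office, home and VPN addresses over a day. The "by design" half of the control is to issue one credential per principal and per service so that a single key seen from several clients is unambiguous.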
Guidelines for Planning a Secure Cloud Infrastructure
• Consider all components in use and any points of vulnerability.
• Encrypt data while it is in transit using network encryption such as IPsec or TLS (SSL is
obsolete); a PKI is not itself an encryption protocol but issues the certificates these
protocols use for authentication.
• Encrypt data that is being backed up.
• Encrypt data while at rest using disk encryption, file encryption, database encryption, and
other technologies.
• Consider encrypting virtual machines.
• Use adequate key lengths (for example RSA 2048 bits or more, or AES-128 or stronger)
for PKI and other encryption technologies.
• Consider data movement when planning security.
• Disable unneeded ports and services on infrastructure components.
• Create and enforce strict account management policies that include timely account
cleanup and deletion as well as account audits.
• Use host-based, VM-based, and container-based software firewalls as appropriate.
• Install antivirus and anti-malware on VMs and containers (for containers this usually
means image scanning plus a runtime agent on the host rather than an agent inside
each container).
• Make sure patching is done rapidly after appropriate validation, following security
guidelines.
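Most of the guidelines above can be checked mechanically against an inventory pulled from the CSP's API or a CSPM export rather than left as a policy document. The following is an added example (not from the CompTIA deck) that encodes five of them as checks: encryption at rest on volumes, encryption of backups, no ingress from 0.0.0.0/0 except on allowed ports, TLS 1.2 or newer with an adequate certificate key length on listeners, and enabled accounts idle for more than 90 days. The inventory, its field names and the thresholds are constructed assumptions; the structure is what you would assemble from your provider's describe/list calls.

```python
"""Check a cloud inventory against the planning guidelines in this module.

Added example, not part of the CompTIA deck. INVENTORY is constructed and
every field name is an assumption; in practice you would build the same
structure from your CSP's API or a CSPM export.
"""
from datetime import date

ALLOWED_PUBLIC_PORTS = {443}   # the only port that may be reachable from 0.0.0.0/0
MAX_IDLE_DAYS = 90             # "timely account cleanup": flag enabled accounts idle longer
MIN_TLS = (1, 2)               # TLS 1.2 or newer on every listener
MIN_RSA_BITS = 2048            # adequate key length for PKI certificates
TODAY = date(2024, 5, 1)       # fixed so the example is deterministic

INVENTORY = {
    "volumes": [
        {"id": "vol-db-1", "encrypted": True},
        {"id": "vol-web-1", "encrypted": False},
    ],
    "backups": [
        {"id": "snap-db-2024-04-30", "encrypted": True},
        {"id": "snap-web-2024-04-30", "encrypted": False},
    ],
    "firewall_rules": [
        {"id": "sg-web", "cidr": "0.0.0.0/0", "port": 443},
        {"id": "sg-web", "cidr": "0.0.0.0/0", "port": 22},
        {"id": "sg-db", "cidr": "10.0.0.0/8", "port": 5432},
    ],
    "listeners": [
        {"id": "lb-web", "tls_policy": "TLS1.2", "cert_key_bits": 2048},
        {"id": "lb-legacy", "tls_policy": "TLS1.0", "cert_key_bits": 1024},
    ],
    "accounts": [
        {"name": "alice", "last_login": "2024-04-28", "enabled": True},
        {"name": "contractor-2023", "last_login": "2023-11-02", "enabled": True},
        {"name": "svc-old", "last_login": None, "enabled": True},
        {"name": "bob-left", "last_login": "2023-01-10", "enabled": False},
    ],
}


def check_encryption_at_rest(inv):
    return [("encryption_at_rest", v["id"], "volume not encrypted")
            for v in inv["volumes"] if not v["encrypted"]]


def check_backup_encryption(inv):
    return [("backup_encryption", b["id"], "backup not encrypted")
            for b in inv["backups"] if not b["encrypted"]]


def check_open_ingress(inv, allowed=ALLOWED_PUBLIC_PORTS):
    # Only rules open to the whole internet on a port outside the allow-list are findings.
    return [("open_ingress", f"{r['id']}:{r['port']}", "port open to the internet")
            for r in inv["firewall_rules"]
            if r["cidr"] == "0.0.0.0/0" and r["port"] not in allowed]


def tls_version(policy):
    """'TLS1.2' -> (1, 2), so versions compare as tuples."""
    return tuple(int(p) for p in policy.upper().replace("TLS", "", 1).split("."))


def check_listeners(inv, min_tls=MIN_TLS, min_bits=MIN_RSA_BITS):
    findings = []
    for ln in inv["listeners"]:
        if tls_version(ln["tls_policy"]) < min_tls:
            findings.append(("weak_tls", ln["id"], f"{ln['tls_policy']} below minimum"))
        if ln["cert_key_bits"] < min_bits:
            findings.append(("weak_key", ln["id"], f"{ln['cert_key_bits']}-bit certificate key"))
    return findings


def check_stale_accounts(inv, today=TODAY, max_idle=MAX_IDLE_DAYS):
    findings = []
    for a in inv["accounts"]:
        if not a["enabled"]:
            continue  # already cleaned up; nothing to flag
        if a["last_login"] is None:
            findings.append(("stale_account", a["name"], "enabled but never logged in"))
            continue
        idle = (today - date.fromisoformat(a["last_login"])).days
        if idle > max_idle:
            findings.append(("stale_account", a["name"], f"idle for {idle} days"))
    return findings


def evaluate(inv):
    """Run every check; each finding is a (check, resource, detail) tuple."""
    return (check_encryption_at_rest(inv) + check_backup_encryption(inv)
            + check_open_ingress(inv) + check_listeners(inv)
            + check_stale_accounts(inv))


if __name__ == "__main__":
    for check, resource, detail in evaluate(INVENTORY):
        print(f"[{check}] {resource}: {detail}")
```

Run on the constructed inventory this reports seven findings: the unencrypted web volume and its snapshot, SSH open to the internet on sg-web, the legacy listener for both TLS 1.0 and a 1024-bit key, and two stale accounts. The value of encoding the guidelines this way is that the same checks run on every deployment and in CI, rather than once at design time.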
Activity: Planning a Secure Cloud
Infrastructure for Deployment
• The Executive Steering Committee has stated that the cloud services need to be
secure, and they asked you what security features you will use to implement security.
• They also want to know if there are any potential security issues with having an app
in the cloud and keeping the database on-premises.
• In order to plan for a secure cloud infrastructure, you need to know the security
options available in your cloud platforms.
• This tells you what options you have and whether there are areas where security is
lacking and needs additional effort.
• You will review the security features of both cloud platforms.
Need for a Compliant Cloud Design
Compliance requirements:
• Healthcare data: HIPAA (Health Insurance Portability and Accountability Act).
• Education records: FERPA (Family Educational Rights and Privacy Act).
• Email and cloud content: SCA (Stored Communications Act).
• Consumer credit history: FCRA (Fair Credit Reporting Act).
• Children's data and images: COPPA (Children's Online Privacy Protection Act).
• Internal financial records of public companies: SOX (Sarbanes-Oxley Act).
• Information and information systems of federal agencies: FISMA (Federal Information
Security Management Act).
• Payment card data: PCI DSS (Payment Card Industry Data Security Standard).
Governance
Control Objectives for Information and Related Technology (COBIT) includes:
• A framework for implementation and linking governance to business requirements.
• Process descriptions for planning, building, running, and monitoring IT processes.
• Control objectives, which are requirements that are considered necessary for
management of IT services.
• Maturity models that allow for processes to develop, evolve, and be refined.
• Guidelines for management to help assign responsibilities, measure performance,
and define objectives.
Compliance Responsibility
Who is ultimately responsible for meeting regulatory compliance for your cloud: the CSP,
or you?
Cloud Compliance and Governance Issues
Compliance-related issues that must be governed in most regulated industries include:
• CSP compliance with data handling requirements set out by specific regulations
such as PCI DSS or HIPAA.
• Location, recoverability, and retention of data stored in the cloud. You must be able
to locate regulated data, often including the physical device(s) it is stored on.
• Physical and digital security. Data centers where regulated data is stored must meet
physical security requirements.
• Support and procedures for cross-border investigations. Multinational regulated
organizations must comply with the differing regulations of each national entity they
serve or store data in, such as the United States and the European Union.
Compliance Audit Requirements
Audit and Compliance Requirements
To meet audit and compliance requirements, an organization will need to follow a
process that uses steps like these:
• Identify compliance requirements such as corporate policies and standards, laws and
regulations, SLAs, etc.
• Implement policies, procedures, processes, and systems to satisfy those compliance
requirements.
• Monitor whether these policies, procedures, and processes are followed diligently.
Guidelines for Determining Organizational
Compliance Needs for Deployment
• Evaluate CSPs for certifications in the areas where your organization must be
compliant.
• Remember that the onus of meeting compliance requirements is on the client.
• Make sure cloud providers offer transparency of their infrastructure to customers.
• Ask CSPs about audit results on their compliant storage practices and security ratings.
• Ask CSPs for recent compliance certification reports or audits that you can review.
• Consider asking businesses in your field or industry that are using cloud services
about their experience maintaining compliance in the cloud.
• When considering compliance needs, ask about and research the following:
• Scope of compliance needs.
• CSP compliance certifications.
• CSP SLAs.
• Provider solvency and the well-being of their business.
• Data retention period for regulated data.
• Incident management.
Activity: Determining Organizational
Compliance Needs for Deployment
• Currently Rudison has no apps with compliance requirements, but a new app may store
some healthcare-related data.
• You will need to research both CSPs to see what compliance options they have.
Reflective Questions
1. How have IT networks and assets you've worked with been designed to be
secure?
2. How have systems or data you've worked with had to meet compliance
needs?

Mais conteúdo relacionado

Semelhante a 093049ov4.pptx

Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaAchSulav
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaAchSulav
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
ISACA Cloud Computing Risks
ISACA Cloud Computing RisksISACA Cloud Computing Risks
ISACA Cloud Computing RisksMarc Vael
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
093049ov16.pptx
093049ov16.pptx093049ov16.pptx
093049ov16.pptxNguyenNM
 
Hybrid Cloud - Key Benefits & Must Have Requirements
Hybrid Cloud - Key Benefits & Must Have RequirementsHybrid Cloud - Key Benefits & Must Have Requirements
Hybrid Cloud - Key Benefits & Must Have RequirementsJamcracker Inc
 
Final Presentation
Final PresentationFinal Presentation
Final Presentationchris odle
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentParshant Tyagi
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 securityCisco
 
Cloud Audit and Compliance
Cloud Audit and ComplianceCloud Audit and Compliance
Cloud Audit and ComplianceQuadrisk
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesKresimir Popovic
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 

Semelhante a 093049ov4.pptx (20)

Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
ISACA Cloud Computing Risks
ISACA Cloud Computing RisksISACA Cloud Computing Risks
ISACA Cloud Computing Risks
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
093049ov16.pptx
093049ov16.pptx093049ov16.pptx
093049ov16.pptx
 
Hybrid Cloud - Key Benefits & Must Have Requirements
Hybrid Cloud - Key Benefits & Must Have RequirementsHybrid Cloud - Key Benefits & Must Have Requirements
Hybrid Cloud - Key Benefits & Must Have Requirements
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviroment
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 security
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud Audit and Compliance
Cloud Audit and ComplianceCloud Audit and Compliance
Cloud Audit and Compliance
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
 

Mais de NguyenNM

SRWE_Module_12.pptx
SRWE_Module_12.pptxSRWE_Module_12.pptx
SRWE_Module_12.pptxNguyenNM
 
SRWE_Module_14.pptx
SRWE_Module_14.pptxSRWE_Module_14.pptx
SRWE_Module_14.pptxNguyenNM
 
readme_vap902.pdf
readme_vap902.pdfreadme_vap902.pdf
readme_vap902.pdfNguyenNM
 
chuong 1 tts.ppt
chuong 1 tts.pptchuong 1 tts.ppt
chuong 1 tts.pptNguyenNM
 
093049ov10.pptx
093049ov10.pptx093049ov10.pptx
093049ov10.pptxNguyenNM
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptxNguyenNM
 

Mais de NguyenNM (6)

SRWE_Module_12.pptx
SRWE_Module_12.pptxSRWE_Module_12.pptx
SRWE_Module_12.pptx
 
SRWE_Module_14.pptx
SRWE_Module_14.pptxSRWE_Module_14.pptx
SRWE_Module_14.pptx
 
readme_vap902.pdf
readme_vap902.pdfreadme_vap902.pdf
readme_vap902.pdf
 
chuong 1 tts.ppt
chuong 1 tts.pptchuong 1 tts.ppt
chuong 1 tts.ppt
 
093049ov10.pptx
093049ov10.pptx093049ov10.pptx
093049ov10.pptx
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptx
 

Último

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Último (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

093049ov4.pptx

  • 1. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Designing a Secure and Compliant Cloud Infrastructure 1 • Design Cloud Infrastructure for Security • Determine Organizational Compliance Needs
  • 2. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Responsible Parties in Cloud Environments 2 On-premises Environment Cloud Environment Infrastructure and Security Services Managed by You Managed by You Infrastructure and Security Services Managed by CSP
  • 3. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Corporate Security Policies 3 The security policy might include the following: • Goals or mission statement for cloud services: One or two sentences that clearly state the goals for using cloud services. • Data classification: This is a complex but essential component of a security policy. Data can be classified a number of ways, but some common classifications are: • Sensitive corporate data (corporate secrets). • Data that is protected by law such as personally identifiable information (PII), sensitive personal information (SPI), and HIPAA-related information. • Operational data that is used in performance of day-to-day operations. • Scope: This defines who and what the policy applies to. • Responsibilities: The section by role and current role-holder name who is responsible for key activities. • Policy statements: These are the specific, discrete statements that make up the policy.
  • 4. Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Questions to Ask When Developing Security Policies 4 • What services, apps, and data should be put in the cloud? Why? • What services, apps, and data should not be put in the cloud? Why? • Is there already a corporate data classification policy that can be leveraged? • Are there any other applicable polices that can be leveraged? • How are industry peers handling their polices and making their choices? • What do standards bodies such as ISO, NIST, or the CSA recommend for security and data handling policies related to your industry? • Who should have authority to approve agreements with CSPs, and what type of approval change is required for CSP contracts? • Where can services and data be physically located? • What are our options for moving services, apps, and data from one provider to another, to a private cloud, or back to on-premises? • Can the CSPs protect corporate sensitive data to the standards defined by the corporate policy? • Who can make changes to configuration settings for infrastructure, services, and apps?
• 5. Goals of Securing Cloud Solution Components
  Each goal is listed with a description of the risk it addresses:
  • Abuse and unallowed use of cloud resources: Prevent malicious users, either internal or external, from using your cloud resources for illicit, illegal, or unauthorized activities.
  • Breaches and exploitation of shared resources: Some cloud technologies may not have been designed to offer strong isolation in multi-tenant environments.
  • Breaches and exploitation of cloud apps: This includes credential theft or gaining access to integrated services and APIs.
  • Access to resources by malicious insiders: Cloud solutions must be protected from bad actors within your organization and within the CSP.
  • Data theft, loss, and leakage: The risk of data theft, loss, or leakage is common to both cloud and on-premises deployments.
  • Account, service, and traffic hijacking: Exploitation of service or app vulnerabilities can lead to accounts being compromised.
  • Unknown risk profile: Since cloud environments are controlled by CSPs, visibility may be reduced, making it difficult to calculate a risk profile and activate proper remediation techniques.
• 6. Need for a Holistic Security Approach
  Each security issue is listed with its prevention measure:
  • Abuse and unallowed use of cloud resources: Consult with your CSP on how they mitigate these threats.
  • Breaches and exploitation of shared resources: Talk with your CSP and ask how each client is isolated from the others in the CSP's multi-tenant shared infrastructure.
  • Breaches and exploitation of cloud apps: Analyze and implement highly secure models for cloud service interfaces, such as strong authentication methods combined with encryption of transmitted data.
  • Attacks from malicious insiders: Perform an assessment of your CSP's hiring practices and policies.
  • Data theft, loss, and leakage: Encrypt data in transit between the CSP network and end users.
  • Account hijacking: Prohibit the sharing of account credentials among users and across services, both by policy and by design.
  • Unknown risk profile: Seek to reduce unknowns by working with your CSP.
• 7. Encryption and Decryption
• 8. Apply Security to Achieve Defense-In-Depth
  • To achieve true defense-in-depth, you must consider all components in use and any points of vulnerability.
  • Implement strong, policy-based management.
  • Monitor network activity and review the security logs of the system, app, or service, and those of any network security devices in the path of connectivity to it.
  • You should also perform, or have a third party perform, occasional vulnerability scanning and penetration testing.
• 9. Guidelines for Planning a Secure Cloud Infrastructure
  • Consider all components in use and any points of vulnerability.
  • Encrypt data while it is in transit using network encryption such as IPsec, SSL/TLS, PKI, or other technologies.
  • Encrypt data that is being backed up.
  • Encrypt data while at rest using disk encryption, file encryption, database encryption, and other technologies.
  • Consider encrypting virtual machines.
  • Use high bit-strength encryption for PKI and other encryption technologies for extra security.
  • Consider data movement when planning security.
  • Disable unneeded ports and services on infrastructure components.
  • Create and enforce strict account management policies that include timely account cleanup and deletion as well as account audits.
  • Use host-based, VM-based, and container-based software firewalls as appropriate.
  • Install antivirus and anti-malware on VMs and containers.
  • Make sure patching is done rapidly after appropriate validation, following security guidelines.
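As an added example (not part of the CompTIA deck), the following script turns four of the guidelines above (encryption at rest, unneeded open ports, stale-account cleanup, and timely patching) into an automated check over a constructed VM inventory; the inventory records, the allowed-port baseline, and the 90-day and 30-day thresholds are all assumed sample values.

```python
from datetime import date

# Constructed sample inventory (assumption, not a real environment): one record per VM.
INVENTORY = [
    {"name": "web-01", "disk_encrypted": True, "open_ports": [443],
     "last_patch": date(2019, 6, 1), "accounts": {"alice": date(2019, 6, 10)}},
    {"name": "db-01", "disk_encrypted": False, "open_ports": [3306, 23],
     "last_patch": date(2019, 1, 15),
     "accounts": {"bob": date(2018, 11, 2), "svc-backup": date(2019, 6, 9)}},
]
ALLOWED_PORTS = {22, 443, 3306}   # assumed baseline of services that are actually needed
STALE_ACCOUNT_DAYS = 90           # assumed account-cleanup threshold from policy
MAX_PATCH_AGE_DAYS = 30           # assumed patching deadline from policy
AUDIT_DATE = date(2019, 6, 15)    # constructed "today" so results are reproducible


def audit_host(host, today):
    """Return a list of (guideline, detail) findings for one host; empty means compliant."""
    findings = []
    if not host["disk_encrypted"]:
        findings.append(("encrypt-at-rest", "disk is not encrypted"))
    for port in host["open_ports"]:
        if port not in ALLOWED_PORTS:
            findings.append(("disable-unneeded-ports",
                             f"port {port} is open but not in the baseline"))
    if (today - host["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append(("patch-rapidly", f"last patched {host['last_patch']}"))
    for user, last_login in host["accounts"].items():
        if (today - last_login).days > STALE_ACCOUNT_DAYS:
            findings.append(("account-cleanup",
                             f"account {user} inactive since {last_login}"))
    return findings


def audit_inventory(inventory, today):
    """Map each host name to its findings, for an account/configuration audit report."""
    return {host["name"]: audit_host(host, today) for host in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for guideline, detail in findings:
            print(f"  [{guideline}] {detail}")
```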
• 10. Activity: Planning a Secure Cloud Infrastructure for Deployment
  • The Executive Steering Committee has stated that the cloud services need to be secure, and they asked you what security features you will use to implement security.
  • They also want to know if there are any potential security issues with having an app in the cloud and keeping the database on-premises.
  • In order to plan for a secure cloud infrastructure, you need to know the security options available in your cloud platforms.
  • This informs you of what options you have and whether there are areas where security is lacking and needs additional effort.
  • You will review the security features of both cloud platforms.
• 11. Need for a Compliant Cloud Design
  Compliance requirements:
  • Healthcare: HIPAA (Health Insurance Portability and Accountability Act).
  • Education: FERPA (Federal Education Rights and Privacy Act).
  • Email and cloud content: SCA (Stored Communications Act).
  • Consumer credit history: FCRA (Fair Credit Reporting Act).
  • Children's data and images: COPPA (Children's Online Privacy Protection Act).
  • Internal financial records of public companies: SOX (Sarbanes-Oxley).
  • Protection of public data held by federal agencies: FISMA (Federal Information Security Management Act).
  • Payment card data: PCI DSS (Payment Card Industry Data Security Standard).
• 12. Governance
  Control Objectives for Information and Related Technology (COBIT) includes:
  • A framework for implementation and for linking governance to business requirements.
  • Process descriptions for planning, building, running, and monitoring IT processes.
  • Control objectives, which are requirements that are considered necessary for management of IT services.
  • Maturity models that allow processes to develop, evolve, and be refined.
  • Guidelines for management to help assign responsibilities, measure performance, and define objectives.
• 13. Compliance Responsibility
  Who is ultimately responsible for meeting regulatory compliance for your cloud? You, or the CSP?
• 14. Cloud Compliance and Governance Issues
  Compliance-related issues that must be governed in most regulated industries include:
  • CSP compliance with data handling requirements set out by specific regulations such as PCI DSS or HIPAA.
  • Location, recoverability, and retention of data stored in the cloud. You must be able to locate regulated data, often down to the physical device(s) it is stored on.
  • Physical and digital security. Data centers where regulated data is stored must meet physical security requirements.
  • Support and procedures for cross-border investigations. Multinational regulated organizations must comply with the different regulations of the national entities they serve or store data in, such as the United States and the European Union.
• 15. Compliance Audit Requirements
• 16. Audit and Compliance Requirements
  To meet audit and compliance requirements, an organization will need to follow a process that uses steps like these:
  • Identify compliance requirements such as corporate policies and standards, laws and regulations, SLAs, etc.
  • Implement policies, procedures, processes, and systems to satisfy those compliance requirements.
  • Monitor whether these policies, procedures, and processes are followed diligently.
• 17. Guidelines for Determining Organizational Compliance Needs for Deployment
  • Evaluate CSPs for certifications in the areas where your organization must be compliant.
  • Remember that the onus of meeting compliance requirements is on the client.
  • Make sure cloud providers offer transparency of their infrastructure to customers.
  • Ask CSPs about audit results on their compliant storage practices and security ratings.
  • Ask CSPs to review recent compliance certification reports or audits.
  • Consider asking businesses in your field or industry that are using cloud services about their experience maintaining compliance in the cloud.
  • When considering compliance needs, ask about and research the following:
    • Scope of compliance needs.
    • CSP compliance certifications.
    • CSP SLAs.
    • Provider solvency and the well-being of their business.
    • Data retention period for regulated data.
    • Incident management.
• 18. Activity: Determining Organizational Compliance Needs for Deployment
  • Currently Rudison does not have any apps that have compliance requirements. They have a new app that may store some healthcare-related data.
  • You will need to research both CSPs to see what compliance options they have.
• 19. Reflective Questions
  1. How have IT networks and assets you've worked with been designed to be secure?
  2. How have systems or data you've worked with had to meet compliance needs?