Building a Security & Compliance Strategy with the Cloud - Dallas IIA

Building a Security & Compliance Strategy with the Cloud

AGENDA
• Introductions
• Definition and Overview
• Current Threat Landscape
• Current Compliance Landscape
• Shared Responsibility
• Five Steps
• Final Thoughts
• Questions

SAJEEV PRELIS
National Director | Risk Management & Security
MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC
Over 20 years of IT Risk, Compliance, and Data Security experience. 12 years with Accretive Solutions.

JEFF SCHILLING
Chief Security Officer | ARMOR
Former Chief of Operations of the DOD’s Global NetOps Center for JTF-GNO (Cyber Command)
Former Global SOC Director for U.S. Army Cyber Command
Former Director of Global Incident Response, SecureWorks

Industries: banking, healthcare, retail, manufacturing, entertainment, oil & gas, telecom, and service providers.

ACCRETIVE SOLUTIONS OVERVIEW
Accretive Solutions is a national professional services firm providing Consulting, Staffing and Outsourcing solutions to a variety of organizations from start-ups to the Fortune 500.

Practice areas: Accounting & Finance | Governance & Compliance | Information Technology | Business Transformation

700+ CONSULTING PROFESSIONALS | 10 MARKETS NATIONWIDE | 900+ CLIENTS

ARMOR OVERVIEW
• Born in the cloud in 2009
• 1,200 clients in 42 countries
• 24x7x365 Security Operations Center
• Data centers in Dallas, Phoenix, London, Amsterdam, and Singapore
• ISO 27001 certified
• SOC II annual audit
• AWS Security Competency and Microsoft Azure Gold Partner
• PCI, HITRUST, GDPR compliance

WHAT IS THE CLOUD


CLOUD DEFINITION
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. – NIST Definition

Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)

Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid

SECURITY vs. COMPLIANCE

Security (Program): A collection of controls designed to mitigate risk and protect data.

Compliance: Reporting on how your security program meets a minimum specific set of requirements.

We can’t stress this enough: Security ≠ Compliance

COMPLIANCE-DRIVEN vs. RISK-DRIVEN SECURITY

Company A (compliance-driven)
• Goal: Bare minimum to meet compliance standard
• Objective: Maintain the bare minimum to pass compliance audits/assessments
• Culture: Viewed as additional work to prepare for an audit/assessment. “Check the Box” for compliance
• Talent: High IT resource turnover, hard to attract and retain security experience
• Assessment Cost and Time: Increases due to lack of compliance in routine areas, can result in frequent extensions and extra reporting to key stakeholders (clients, banks, boards)
• Risk: High - More potential for incidents/breaches, fines, fraud, poor market reputation, or loss of business

Company B (risk-driven)
• Goal: Strong security practices using compliance requirements as a foundation
• Objective: Keep the company’s data secure
• Culture: Built into standard operating procedures. Compliance becomes a natural byproduct of strong security practices
• Talent: Low turnover, easy to attract and retain security experience
• Assessment Cost and Time: Typically decreases relative to other companies of equal size and industry, makes it easier to achieve multiple compliance standards and increase market reputation / confidence
• Risk: Low - Less potential for incidents/breaches, good market reputation, increased business opportunities

CURRENT THREAT LANDSCAPE


2017 GLOBAL CYBERSECURITY CHALLENGES

40% INCREASE IN HACKS 2015-2016
https://www.bloomberg.com/news/articles/2017-01-19/databreaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked

99 DAYS DWELL
“Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks.” Per Mandiant M-Trends 2017 report

3.2M RECORD BREACHES YTD
910BN Record breaches in the last 10 years.

$4M AVERAGE COST OF DATA BREACH

$355 AVERAGE HEALTHCARE LOSS
Healthcare companies lose an average of $355 per each stolen record

$129 AVERAGE TRANSPORTATION LOSS
Transportation companies may lose $129 per record

Per Ponemon Institute. Cost of Breaches: http://www-03.ibm.com/security/databreach/

CURRENT CYBER SECURITY OUTLOOK

2016 TRENDS
• Internet of Things (IoT)
• Cloud Services
• Ransomware
• Known Vulnerabilities
• Spear Phishing

Data Security is being discussed in every board room. Companies cannot pass on the responsibility for protecting their data – do your due diligence.

DID YOU KNOW…?

170 DAYS Average time to detect a malicious or criminal attack

68% OF FUNDS LOST AS A RESULT OF A CYBER ATTACK WERE DECLARED UNRECOVERABLE

176% Increase in the number of cyber attacks, with an average of 138 successful attacks per week.

$12.7 MILLION Average annualized cost of a cyber crime attack in the US. 96% increase from 2010

May 12, 2016 https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

PHISHING EMAIL EXAMPLE


PHISHING EMAIL EXAMPLE 2
(1) Original Email Received: Checked separate DocuSign application – nothing there
(2) Sent a separate email: retyped the client email address from CRM Source.
(3) Response received seconds after sending: Called the client – their email account had been compromised.

BIG DATA
Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.

Data, Data Everywhere…
• Production Servers
• Test Servers
• Dev Servers
• Decommissioned servers
• Backups
• Third parties
• Printers, phones, tablets

FUN FACT: Google is estimated to hold somewhere between 10-15 EXABYTES of data.

COMPLIANCE LANDSCAPE
• SOC 1 & 2 – System Organization Control
• PCI DSS – Payment Card Industry Data Security Standard
• HITRUST – Common Security Framework (CSF) for Healthcare
• SOX – Sarbanes-Oxley 404
• HIPAA – Health Insurance Portability and Accountability Act
• FFIEC – The Federal Financial Institutions Examination Council
• ISO – International Organization for Standardization
• FCPA – Foreign Corrupt Practices Act
• FISMA – Federal Information Security Management Act
• NERC CIP – Guidelines to help protect power grids
• GDPR – Replacement to Safe Harbor
• State Privacy Laws – Varies by state

SHARED RESPONSIBILITY CONSIDERATIONS

UNDERSTANDING SHARED RESPONSIBILITY

95% OF CLOUD SECURITY FAILURES THROUGH 2020 WILL BE THE CUSTOMER’S FAULT.

That means the biggest threat to your cloud is “you don’t know what you don’t know.” Top Strategic Predictions for 2016 and Beyond – Gartner 2016

FIVE STEPS FOR MAINTAINING COMPLIANCE AND IMPROVING SECURITY PRACTICES


KNOW WHAT YOU’RE SECURING
You have to know what you’re defending before you can defend it. Through a bit of self-reflection, you can do just that.

Questions to ask:
• What are we securing? (Be thorough)
• How do we purge data in a secure fashion?
• How much security do we need?
• Where do we secure it? (On-premises, cloud)
• How do we monitor security?

DETERMINE YOUR INTERNAL CAPABILITIES
Just like knowing your data, it’s critical to know your internal capabilities – and limitations.

Questions to ask:
• What is your budget capacity today and in the future?
• How do you attract and keep sought-after resources?
• How do you train staff on the latest tools and techniques?

CHOOSE YOUR SERVICE PROVIDER CAREFULLY
If you’ve elected to outsource services, it’s essential that you complete due diligence before handing over your data to a third party.

Third party due diligence aspects to consider:
• Review the provider’s shared responsibility matrix to verify covered tasks. You’ll be responsible for anything not covered.
• Verify geographic data housing considerations.
• Where does the data reside? (On shore vs. Off shore)
• How effective is their network operations center (NOC)?
• How good are they at supporting forensic needs (e.g. adequate log details, access to logs, law enforcement support)?

MONITOR AND MAINTAIN
Maintenance is key when ensuring security and compliance in the cloud. Keeping an eye on the people and processes protecting your data will ensure consistent – and reliable – coverage.

Periodic maintenance includes:
• Review of vendor responsibility matrices
• Incorporating proper security controls into your corporate DNA
• Frequent testing of internal staff on security best practices

PLAN FOR WHEN, NOT IF
No matter how much you spend, educate, monitor and plan, you’ll never be 100% secure. However, there is a surefire way to stay ahead of threats.

Threat prevention steps:
• Identify your threat vectors
• Write / review / test your incident response / DR / BCP / communication plans
• Test, test and test again
• Never stop training your employees on the importance of security and the roles they play

FINAL THOUGHTS
• Know where you stand: Not everyone is ready to go to the cloud
• Do your due diligence on your partners
• Make data security part of your culture
• Implement a monitoring program
• Plan for WHEN

QUESTIONS
