Building a Security & Compliance Strategy with the Cloud
AGENDA
• Introductions
• Definition and Overview
• Current Threat Landscape
• Current Compliance Landscape
• Shared Responsibility
• Five Steps
• Final Thoughts
• Questions
SAJEEV PRELIS
National Director | Risk Management & Security
MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC
Over 20 years of IT Risk, Compliance, and Data Security experience. 12 years with Accretive Solutions.

JEFF SCHILLING
Chief Security Officer | ARMOR
Former Chief of Operations of the DOD’s Global NetOps Center for JTF-GNO (Cyber Command). Former Global SOC Director for U.S. Army Cyber Command. Former Director of Global Incident Response, SecureWorks.

Industries: banking, healthcare, retail, manufacturing, entertainment, oil & gas, telecom, and service providers.
ACCRETIVE SOLUTIONS OVERVIEW
Accretive Solutions is a national professional services firm providing Consulting, Staffing and Outsourcing solutions to a variety of organizations from start-ups to the Fortune 500.
Practice areas:
• Accounting & Finance
• Governance & Compliance
• Information Technology
• Business Transformation
700+ consulting professionals | 10 markets nationwide | 900+ clients
ARMOR OVERVIEW
• Born in the cloud in 2009
• 1,200 clients in 42 countries
• 24x7x365 Security Operations Center
• Data centers in Dallas, Phoenix, London, Amsterdam, and Singapore
• ISO 27001 certified
• SOC II annual audit
• AWS Security Competency and Microsoft Azure Gold Partner
• PCI, HITRUST, GDPR compliance
WHAT IS THE CLOUD

CLOUD DEFINITION
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. – NIST Definition

Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)

Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid
SECURITY vs. COMPLIANCE
Security (Program): A collection of controls designed to mitigate risk and protect data.
Compliance: Reporting on how your security program meets a minimum specific set of requirements.
We can’t stress this enough: Security ≠ Compliance
COMPLIANCE-DRIVEN vs. RISK-DRIVEN SECURITY

Company A (compliance-driven)
• Goal: Bare minimum to meet the compliance standard
• Objective: Maintain the bare minimum to pass compliance audits/assessments
• Culture: Viewed as additional work to prepare for an audit/assessment. “Check the box” for compliance
• Talent: High IT resource turnover; hard to attract and retain security experience
• Assessment cost and time: Increases due to lack of compliance in routine areas; can result in frequent extensions and extra reporting to key stakeholders (clients, banks, boards)
• Risk: High - more potential for incidents/breaches, fines, fraud, poor market reputation, or loss of business

Company B (risk-driven)
• Goal: Strong security practices using compliance requirements as a foundation
• Objective: Keep the company’s data secure
• Culture: Built into standard operating procedures. Compliance becomes a natural byproduct of strong security practices
• Talent: Low turnover; easy to attract and retain security experience
• Assessment cost and time: Typically decreases relative to other companies of equal size and industry; makes it easier to achieve multiple compliance standards and increases market reputation / confidence
• Risk: Low - less potential for incidents/breaches, good market reputation, increased business opportunities
CURRENT THREAT LANDSCAPE

2017 GLOBAL CYBERSECURITY CHALLENGES
• 40% increase in hacks 2015-2016 (source: https://www.bloomberg.com/news/articles/2017-01-19/databreaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked)
• 99 days dwell time. “Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks.” – Per Mandiant M-Trends 2017 report
• 3.2M record breaches YTD; 910BN record breaches in the last 10 years
• $4M average cost of a data breach (per Ponemon Institute, Cost of Breaches: http://www-03.ibm.com/security/databreach/)
• $355 average healthcare loss: healthcare companies lose an average of $355 per stolen record
• $129 average transportation loss: transportation companies may lose $129 per record
CURRENT CYBER SECURITY OUTLOOK
2016 trends:
• Internet of Things (IoT)
• Cloud Services
• Ransomware
• Known Vulnerabilities
• Spear Phishing
Data security is being discussed in every board room. Companies cannot pass on the responsibility for protecting their data – do your due diligence.
DID YOU KNOW…?
• 170 DAYS: average time to detect a malicious or criminal attack
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week
• $12.7 MILLION: average annualized cost of a cyber crime attack in the US, a 96% increase from 2010
Source (May 12, 2016): https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/
PHISHING EMAIL EXAMPLE

PHISHING EMAIL EXAMPLE 2
1. Original email received: checked the separate DocuSign application – nothing there.
2. Sent a separate email: retyped the client’s email address from the CRM source.
3. Response received seconds after sending: called the client – their email account had been compromised.
BIG DATA
Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.
Data, Data Everywhere…
• Production servers
• Test servers
• Dev servers
• Decommissioned servers
• Backups
• Third parties
• Printers, phones, tablets
FUN FACT: Google is estimated to hold somewhere between 10-15 exabytes of data.
COMPLIANCE LANDSCAPE
• SOC 1 & 2 – System Organization Control
• PCI DSS – Payment Card Industry Data Security Standard
• HITRUST – Common Security Framework (CSF) for Healthcare
• SOX – Sarbanes-Oxley 404
• HIPAA – Health Insurance Portability and Accountability Act
• FFIEC – The Federal Financial Institutions Examination Council
• ISO – International Organization for Standardization
• FCPA – Foreign Corrupt Practices Act
• FISMA – Federal Information Security Management Act
• NERC CIP – Guidelines to help protect power grids
• GDPR – Replacement to Safe Harbor
• State Privacy Laws – Varies by state
SHARED RESPONSIBILITY CONSIDERATIONS

UNDERSTANDING SHARED RESPONSIBILITY
95% of cloud security failures through 2020 will be the customer’s fault.
That means the biggest threat to your cloud is “you don’t know what you don’t know.” – Top Strategic Predictions for 2016 and Beyond, Gartner 2016
FIVE STEPS FOR MAINTAINING COMPLIANCE AND IMPROVING SECURITY PRACTICES

KNOW WHAT YOU’RE SECURING
You have to know what you’re defending before you can defend it. Through a bit of self-reflection, you can do just that.
Questions to ask:
• What are we securing? (Be thorough)
• How do we purge data in a secure fashion?
• How much security do we need?
• Where do we secure it? (On-premises, cloud)
• How do we monitor security?
DETERMINE YOUR INTERNAL CAPABILITIES
Just like knowing your data, it’s critical to know your internal capabilities – and limitations.
Questions to ask:
• What is your budget capacity today and in the future?
• How do you attract and keep sought-after resources?
• How do you train staff on the latest tools and techniques?
CHOOSE YOUR SERVICE PROVIDER CAREFULLY
If you’ve elected to outsource services, it’s essential that you complete due diligence before handing over your data to a third party.
Third-party due diligence aspects to consider:
• Review the provider’s shared responsibility matrix to verify covered tasks. You’ll be responsible for anything not covered.
• Verify geographic data housing considerations.
• Where does the data reside? (Onshore vs. offshore)
• How effective is their network operations center (NOC)?
• How good are they at supporting forensic needs (e.g. adequate log details, access to logs, law enforcement support)?
MONITOR AND MAINTAIN
Maintenance is key when ensuring security and compliance in the cloud. Keeping an eye on the people and processes protecting your data will ensure consistent – and reliable – coverage.
Periodic maintenance includes:
• Review of vendor responsibility matrices
• Incorporating proper security controls into your corporate DNA
• Frequent testing of internal staff on security best practices
PLAN FOR WHEN, NOT IF
No matter how much you spend, educate, monitor and plan, you’ll never be 100% secure. However, there is a surefire way to stay ahead of threats.
Threat prevention steps:
• Identify your threat vectors
• Write / review / test your incident response, DR/BCP and communication plans
• Test, test and test again
• Never stop training your employees on the importance of security and the roles they play
FINAL THOUGHTS
• Know where you stand: not everyone is ready to go to the cloud
• Do your due diligence on your partners
• Make data security part of your culture
• Implement a monitoring program
• Plan for WHEN

QUESTIONS