There Is No Spoon: Compliance & Privacy in the Cloud
Michael Dahn, MSIA, CISSP
Friday, November 20, 2009
Which Cloud do you mean?

Compliance Cloud
Technical Cloud
Compliance Cloud

CA, MA, MN, FL, ...
Technical Cloud

• SPI Model: Software, Platform, Infrastructure
  ✓ *aaS (Something as a Service)
What is Compliance?
Compliance vs Validation

• Compliance is a state of being: like auto insurance, you need to have it continuously
• Validation is proof of compliance you do annually
Compliance vs Security

“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Myth 4 - PCI Will Make Us Secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

Compliant until you're compromised...
the “Singularity”

• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
• If someone dies wearing a seat belt, does that make them useless?
Risk & Transference

• #1 Question everyone has: Liability?
• “You can outsource the work, but you cannot outsource the responsibility”
• Cloud-sourcing does not transfer risk
There is No Spoon

• Can any firewall be used to segment a network?
  ✓ No! Only a properly configured firewall
• Can any Cloud be used and achieve compliance?
  ✓ Maybe... if considerations are made
• Think beyond technology, checklists, and compliance. Think Risk.
Problem List
Problems: PCI DSS

• Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
  ✓ Virtualization?
  ✓ Cloud?
  ✓ WAF in the cloud?
• Requirement 11.2 - ASV Scans
Problems: Service Level Agreement

• Uptime/Availability? Yes’ish
• Security? No.
• Compliance? No.
• Assurance of data integrity? No.
Problems: Image Sprawl

12% month-over-month growth of Amazon Machine Images (AMI) in 2008

• First rule of fight club? Find your data!
• Second rule of fight club? Find your data (no really)!
• Always “ask twice”: how does it work? How does it fail?
• Now assume everything moves
Problems: Audit Logging

• Goals:
  ✓ Alert on suspicious activity? Yes
  ✓ Facilitate a forensic investigation? Maybe
• Are the logs backed up?
• Are they accessible 12-18 months later?
  ✓ What if the server is no longer there?
Problems: Forensic Issues

• During peak retail months systems are scaled up and then down
• Fraud patterns have a lead time of 12-18 months
• How do you forensically examine a ‘ghost’ server?
Problems: Third-Party Access

Who has remote admin on my server?
• People you give data to
• People you give access to data
• People who have access to your data

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

... monitor service providers’ PCI DSS compliance status.
Problems: Data Destruction

• Where do the following go?
  ✓ Failed hard drive
  ✓ Deleted VM
  Who owns the data? You or your cloud?
Problems: Backup?

• Who is backing up?
• How is it backed up?
• Where do the backups go?
  ✓ Offsite to a third-party? New scope/contract
Conclusion

• Cloud Compliance is possible but not probable .. until the services evolve
• Cloud gives you scalability, but not security .. unless you bake it in
Thank You

• Questions?
• Contact Mike Dahn?

Más contenido relacionado

Similar a Compliance & Privacy in the Cloud

ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era Martin Thompson
 
Nils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesNils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesGovCloud Network
 
ITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraMartin Thompson
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Amazon Web Services
 
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonMartin Thompson
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsZack Smith
 
Time to Bet on the Cloud?
Time to Bet on the Cloud?Time to Bet on the Cloud?
Time to Bet on the Cloud?gojkoadzic
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
CCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCloud Congress
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentTripwire
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementNishant Kaushik
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure DevelopmentSecurity Ninja
 
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudCloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudLiquid Litigation Mangement, Inc.
 
Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)will_j
 
Mdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedMdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedmtlgirlgeeks
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010graywilliams
 
Ciso executive summit 2012
Ciso executive summit 2012Ciso executive summit 2012
Ciso executive summit 2012Bill Burns
 

Similar a Compliance & Privacy in the Cloud (20)

ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era ITAM AUS 2017 ITAM in a cloud era
ITAM AUS 2017 ITAM in a cloud era
 
Nils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesNils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic Slides
 
ITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud EraITAM US 2017 ITAM in the Cloud Era
ITAM US 2017 ITAM in the Cloud Era
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
 
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin ThompsonITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
ITAM UK 2017 ITAM in the Cloud Era_Martin Thompson
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Představení služby QualysGuard
Představení služby QualysGuardPředstavení služby QualysGuard
Představení služby QualysGuard
 
Automating Enterprise Wireless Deployments
Automating Enterprise Wireless DeploymentsAutomating Enterprise Wireless Deployments
Automating Enterprise Wireless Deployments
 
Time to Bet on the Cloud?
Time to Bet on the Cloud?Time to Bet on the Cloud?
Time to Bet on the Cloud?
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Ubiquitous Computing
Ubiquitous ComputingUbiquitous Computing
Ubiquitous Computing
 
CCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny RachitskyCCCC Neustar Lenny Rachitsky
CCCC Neustar Lenny Rachitsky
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a Punishment
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity Management
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the CloudCloud Computing: What Organizations Need to Know Before Moving to the Cloud
Cloud Computing: What Organizations Need to Know Before Moving to the Cloud
 
Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)Nanite (And An Introduction To Cloud Computing)
Nanite (And An Introduction To Cloud Computing)
 
Mdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitizedMdawson product strategy preso geek girls 12 7-12 sanitized
Mdawson product strategy preso geek girls 12 7-12 sanitized
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010
 
Ciso executive summit 2012
Ciso executive summit 2012Ciso executive summit 2012
Ciso executive summit 2012
 

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Compliance & Privacy in the Cloud

  • 1. There Is No Spoon: Compliance & Privacy in the Cloud Michael Dahn MSIA, CISSP Friday, November 20, 2009
  • 2. Which Cloud do you mean? Compliance Cloud Technical Cloud
  • 9. Compliance Cloud CA, MA, MN, FL, ...
  • 11. Technical Cloud • SPI Model: Software, Platform, Infrastructure ✓*aaS (Something* as a Service)
  • 13. What is Compliance?
  • 14. Compliance vs Validation • Compliance is a state of being; like auto insurance, you need to have it continuously • Validation is proof of compliance you do annually
  • 15. Compliance vs Security
  • 16. Compliance vs Security “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
  • 17. Compliance vs Security “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” Myth 4 - PCI Will Make Us Secure: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
  • 18. Compliance vs Security “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” Myth 4 - PCI Will Make Us Secure: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data. Compliant until you're compromised...
  • 20. the “Singularity” • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
  • 21. the “Singularity” • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron • If someone dies wearing a seat belt, does that make them useless?
  • 22. Risk & Transference • #1 Question everyone has: Liability? • “You can outsource the work, but you cannot outsource the responsibility” • Cloud-sourcing does not transfer risk
  • 23. There is No Spoon
  • 24. There is No Spoon • Can any firewall be used to segment a network?
  • 25. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall
  • 26. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance?
  • 27. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓Maybe... if considerations are made
  • 28. There is No Spoon • Can any firewall be used to segment a network? ✓No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓Maybe... if considerations are made • Think beyond technology, checklists, and compliance. Think Risk.
  • 30. Problems: PCI DSS
  • 31. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server”
  • 32. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization?
  • 33. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud?
  • 34. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud? ✓WAF in the cloud?
  • 35. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server” ✓Virtualization? ✓Cloud? ✓WAF in the cloud? • Requirement 11.2 - ASV Scans
  • 36. Problems: Service Level Agreement • Uptime/Availability? Yes’ish • Security? No. • Compliance? No. • Assurance of data integrity? No.
  • 37. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008
  • 38. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data!
  • 39. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)!
  • 40. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice” - how does it work? How does it fail?
  • 41. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice” - how does it work? How does it fail? • Now assume everything moves
  • 42. Problems: Image Sprawl 12% month-over-month growth of Amazon Machine Images (AMI) in 2008
  • 43. Problems: Audit Logging
  • 44. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe
  • 45. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe • Are the logs backed up?
  • 46. Problems: Audit Logging • Goals: ✓Alert on suspicious activity? Yes ✓Facilitate a forensic investigation? Maybe • Are the logs backed up? • Are they accessible 12-18 months later? ✓What if the server is no longer there?
  • 47. Problems: Forensic Issues • During peak retail months systems are scaled up and then down • Fraud patterns have a lead time of 12-18 mo. • How do you forensically examine a ‘ghost’ server?
  • 48. Problems: Third-Party Access Who has remote admin on my server? • People you give data to • People you give access to data • People who have access to your data
  • 49. Problems: Third-Party Access Who has remote admin on my server? • People you give data to • People you give access to data • People who have access to your data Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. ... monitor service providers’ PCI DSS compliance status.
  • 50. Problems: Data Destruction • Where do the following go? ✓Failed hard drive ✓Deleted VM Who owns the data? You or your cloud?
  • 51. Problems: Backup? • Who is backing up? • How is it backed up? • Where do the backups go? ✓Offsite to a third-party? New scope/contract
  • 52. Conclusion • Cloud Compliance is possible but not probable .. until the services evolve • Cloud gives you scalability, but not security .. unless you bake it in
  • 53. Thank You • Questions? • Contact Mike Dahn?
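Slides 44 through 47 ask whether logs from a server that was scaled down after peak season are still accessible 12-18 months later, when the fraud pattern finally surfaces. The check below is an added example, not from the deck: it assumes each instance ships one off-box log archive per day with an integrity flag, and every instance id, date and archive entry is constructed sample data.

```python
from collections import namedtuple
from datetime import date, timedelta

RETENTION_DAYS = 18 * 30  # upper bound of the 12-18 month fraud lead time on slide 47
# terminated is None while the instance still runs; one archive per instance per day,
# verified=True when the off-box copy's integrity check (hash) passed.
Instance = namedtuple("Instance", "instance_id launched terminated")
LogArchive = namedtuple("LogArchive", "instance_id day verified")

def expected_days(inst, today):
    """Days inside the retention window that still need an off-box archive."""
    start = max(inst.launched, today - timedelta(days=RETENTION_DAYS))
    end = inst.terminated or today
    if end < start:  # ended before the window opened: out of scope
        return set()
    return {start + timedelta(days=i) for i in range((end - start).days + 1)}

def retention_gaps(instances, archives, today):
    """Instance id -> ISO dates whose archive is missing or failed verification."""
    have = {(a.instance_id, a.day) for a in archives if a.verified}
    gaps = {}
    for inst in instances:
        missing = sorted(d for d in expected_days(inst, today) if (inst.instance_id, d) not in have)
        if missing:  # a 'ghost' server with gaps here cannot be examined later
            gaps[inst.instance_id] = [d.isoformat() for d in missing]
    return gaps

def daily_archives(instance_id, first, last, skip=(), corrupt=()):
    """Constructed archive inventory: one entry per day, some missing or unverified."""
    d, out = first, []
    while d <= last:
        if d not in skip:
            out.append(LogArchive(instance_id, d, d not in corrupt))
        d += timedelta(days=1)
    return out

def sample_report():
    """Constructed sample: a peak-season 'ghost' server, a long-lived one, a pre-window one."""
    today = date(2009, 11, 20)
    instances = [Instance("i-ghost01", date(2008, 11, 20), date(2008, 12, 31)),
                 Instance("i-web01", date(2007, 1, 1), None),
                 Instance("i-old01", date(2007, 3, 1), date(2007, 9, 1))]
    archives = (daily_archives("i-web01", date(2008, 1, 1), today)
                + daily_archives("i-ghost01", date(2008, 11, 20), date(2008, 12, 31),
                                 skip=(date(2008, 12, 24), date(2008, 12, 25)),
                                 corrupt=(date(2008, 12, 26),)))
    return retention_gaps(instances, archives, today)
```

The long-lived instance is clean and the pre-window one is out of scope; only the terminated peak-season server is reported, with the two days it never shipped and the one corrupt copy.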