Compliance in the Clouds (ISACA CACS 2017)
TRANSCRIPT
Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Andrew Plato
President / CEO of Anitian
Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• Principal at TrueBit CyberPartners
• 20+ years of experience in security
• Authored thousands of articles, documents, reports, etc.
• “Discovered” SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
What we do: We build great security
• Managed Security (MSSP): Virtual SOC, Managed Detection and Response
• Professional Services: Pentesting, compliance, risk assessments
• Virtual CISO: On-demand security
Why we do it: We believe security is essential to growth, innovation, and prosperity
OVERVIEW
Intent
• Describe some of the issues that influence cloud compliance
• Dispel a few myths of compliance in the cloud
• Provide a strategy for meeting cloud compliance objectives
WHAT IS YOUR INTENTION?
Do you want to build secure and compliant environments, or do you want to be merely compliant?
MERELY COMPLIANT
• Ignore this presentation
• Hire the cheapest checkbox auditor you can find
• Good luck
SECURE AND COMPLIANT
• Sit tight, you are in the right place
ASSUMPTIONS
• This is a giant topic
• This presentation has a bias toward AWS and PCI compliance
• Topics apply to other hosts, and SaaS services
ROAD TO THE CLOUD
REMEMBER THESE?
FORMER CIO
NOT A CHECKBOX
IT IS A JOURNEY
WITH A DESTINATION
CLOUD IS GOOD FOR BUSINESS
COMPLIANCE IS GOOD FOR BUSINESS
COMPLIANT CLOUDS ARE GOOD FOR BUSINESS
OF COURSE
IT IS NEVER THAT EASY
WHO DO YOU WANT TO BE TODAY?
CLOUD COMPLIANCE
MYTHS
THE CLOUD IS EASY TO HACK
THIS IS NOT THE PROBLEM
PRE-HARDENED IMAGES
LOTS OF TECH
THIS GUY IS THE PROBLEM
I GOT NOTHING
WE CANNOT CONTROL THE DATA
EXACTLY WHERE YOU PUT IT
COMPLIANCE IS EASIER IN THE CLOUD THAN ON-PREMISE
On Premise Compliance Program
Cloud Compliance Program
CONSIDER PENETRATION TESTING
On-Premise
• Hire a pentester
• Conduct test
• Patch systems
• Retest
• Pass
AWS
• Hire a pentester
• Find out they know nothing about the cloud
• Hire another pentester
• Wait two weeks for approval from AWS
• Conduct test
• Find problems with third party image
• Pound fist on table
• Rearchitect entire cloud
• Retest
• Pass
HOSTING WITH A COMPLIANT PROVIDER MAKES US COMPLIANT
WHAT’S MISSING?
(Diagram: stacked layers, each labelled “Security” and “Compliance” and each marked “YOU MANAGE”)
OH YEAH, SECURITY AND COMPLIANCE!
SECURITY AND COMPLIANCE
YOUR RESPONSIBILITY
CLOUD COMPLIANCE IS SHARED
ROAD TO CLOUD COMPLIANCE
1. WHAT EXACTLY ARE YOU MAKING COMPLIANT
I find your lack of scope … disturbing.
2. INVENTORY
• Applications
• APIs
• Data
• Systems
• Access (remote)
• Third party components
• Security controls
… everything
3A. SEGMENT AND ISOLATE
• Put the compliant systems in their own virtual private cloud (VPC)
• Precisely control ALL access between all other VPCs and the Internet
• Please do not peer your systems, route them
3B. SEGMENTATION AND ISOLATION
Scope decision flow (ask each question in turn; a NO moves on to the next question):
• Does it process, store, or transmit CHD? YES → It is in the CDE.
• Does it connect (in any way) to a CDE system? YES → It is in-scope for PCI.
• Can it affect the security of the CDE at all? YES → It is in-scope for PCI.
• NO to all three → Out of scope.
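The scope decision flow above applied to a small inventory, as an added example that is not part of the presentation. It takes a constructed list of systems (every system name, flag and connection below is hypothetical) and answers the three questions in the order the flow asks them: CHD first, then direct connectivity to a CDE system, then security impact on the CDE. It returns a verdict and the reason for each system, so the scoping list from step 1 is something you can regenerate from the inventory from step 2 rather than argue about on a whiteboard.

```python
"""Added example (not from the presentation): the 3B scoping decision flow
run over a constructed inventory. Names, flags and connections are all
hypothetical sample data."""

# Constructed inventory: name -> (handles_chd, can_affect_cde_security)
INVENTORY = {
    "web-payment":   (True,  False),  # takes card numbers from customers
    "db-cards":      (True,  False),  # stores CHD
    "app-orders":    (False, False),  # talks to db-cards over the network
    "log-collector": (False, True),   # receives CDE logs, can alter alerting
    "hr-portal":     (False, False),  # unrelated workload
    "jump-host":     (False, True),   # admin path into the CDE
}

# Constructed connectivity. Any network path counts as "connects in any way",
# so the graph is treated as undirected.
CONNECTIONS = [
    ("web-payment", "db-cards"),
    ("app-orders", "db-cards"),
    ("jump-host", "web-payment"),
    ("log-collector", "web-payment"),
    ("hr-portal", "log-collector"),  # hr-portal ships its logs to the same collector
]


def build_graph(inventory, connections):
    """Adjacency sets for every system in the inventory."""
    graph = {name: set() for name in inventory}
    for a, b in connections:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def classify(inventory, connections):
    """Return {name: (verdict, reason)} with verdict one of
    'CDE', 'in-scope' or 'out-of-scope', following the slide's question order."""
    graph = build_graph(inventory, connections)
    cde = {name for name, (handles_chd, _) in inventory.items() if handles_chd}
    verdicts = {}
    for name, (handles_chd, affects_cde_security) in inventory.items():
        if handles_chd:
            verdicts[name] = ("CDE", "processes, stores or transmits CHD")
            continue
        cde_peers = graph[name] & cde
        if cde_peers:
            verdicts[name] = ("in-scope",
                              "connects to CDE system(s): " + ", ".join(sorted(cde_peers)))
        elif affects_cde_security:
            verdicts[name] = ("in-scope", "can affect the security of the CDE")
        else:
            verdicts[name] = ("out-of-scope",
                              "no CHD, no connection to a CDE system, no security impact")
    return verdicts


def scope_summary(verdicts):
    """Group system names by verdict, sorted, for the scoping document."""
    groups = {}
    for name, (verdict, _) in verdicts.items():
        groups.setdefault(verdict, []).append(name)
    return {verdict: sorted(names) for verdict, names in groups.items()}


if __name__ == "__main__":
    result = classify(INVENTORY, CONNECTIONS)
    for name, (verdict, reason) in sorted(result.items()):
        print(f"{name:14} {verdict:13} {reason}")
    print(scope_summary(result))
```

Note that hr-portal ends up out of scope even though it touches the log collector: the flow asks about connections to a CDE system, and the collector is connected-to, not CDE. Whether that second-hop path is acceptable is exactly the kind of question the segmentation design in 3A has to answer, and the reason strings are there so you can show an assessor how each verdict was reached.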
4. GET THE COMPLIANCE PACKAGE
• Any (truly) compliant cloud service can provide attestation.
• AWS and Azure have packages you can request:
AWS: https://aws.amazon.com/compliance/contact/
Microsoft: https://www.microsoft.com/en-us/trustcenter/Compliance
• If your host cannot provide attestation, they are not compliant
• You will be on the hook to make them compliant… which may be impossible
Make sure it is a formal attestation of compliance… like this one from the PCI Security Standards Council
Not this…
5. REVIEW THE RESPONSIBILITY MATRIX
• Service providers must provide a responsibility matrix
• What are they responsible for?
• What are you responsible for?
6. WHAT SERVICES ARE COVERED?
Example – AWS services covered under PCI-DSS:
• Auto Scaling
• AWS CloudFormation
• Amazon CloudFront
• AWS CloudHSM
• AWS CloudTrail
• AWS Config
• AWS Direct Connect
• Amazon DynamoDB
• AWS Elastic Beanstalk
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon EC2 Container Service (ECS)
• Elastic Load Balancing (ELB)
• Amazon Elastic MapReduce (EMR)
• Amazon Glacier
• AWS Key Management Service (KMS)
• AWS Identity and Access Management (IAM)
• Amazon Redshift
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon SimpleDB
• Amazon Simple Storage Service (S3)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Workflow Service (SWF)
• Amazon Virtual Private Cloud (VPC)
• AWS WAF - Web Application Firewall
7. BUILD A ROADMAP
• Identify the items you must make compliant
• Figure out the cloud-version of the controls you need
• NGFW & intrusion detection
• Endpoint security
• Integrity monitoring
• Configuration management
• Encryption
• Rewrite policies to reference the cloud
• Engage cloud experienced vendors for services, like pentesting
7B. ROADMAP
8. CONSULT BEST PRACTICE GUIDES
• Every provider offers best practice guides for compliance
• Reference architectures
• Configurations
• Design strategies
• For example, Anitian wrote a definitive guide for PCI compliance at AWS in collaboration with the AWS compliance team
9. TRANSLATE THE STANDARDS INTO CLOUD
• Most compliance standards were written in an era before cloud.
• Consider this example from the PCI-DSS, Requirement 11.4:
“Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.”
• You have to translate this into cloud technologies and designs
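One way the 11.4 wording translates, as an added example that is not from the presentation or from Anitian's guide: in a VPC there is no SPAN port to hang an IDS on, but the VPC boundary is the CDE perimeter and the VPC Flow Log is the record of every flow crossing it. The script below parses flow-log lines in the default version-2 field order, keeps only accepted traffic that entered the CDE address space, and flags whatever the segmentation policy does not permit. The CDE range, the allowed-ingress rules and every log line are constructed for the example, not taken from a real account.

```python
"""Added example (not from the presentation): PCI DSS 11.4 "monitor all
traffic at the perimeter of the CDE" expressed as a check over VPC Flow Log
records. Policy values and log lines are constructed sample data."""
import ipaddress

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed policy: the CDE VPC and who may initiate traffic into it.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_INGRESS = [
    (ipaddress.ip_network("10.10.0.0/16"), None),   # intra-CDE: any port
    (ipaddress.ip_network("10.20.0.0/16"), {443}),  # app tier -> CDE web tier, HTTPS only
]

# Constructed flow-log lines (not captured from any real environment).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.20.1.15 10.10.1.5 44312 443 6 10 840 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.5 50000 22 6 5 300 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.5 50001 3389 6 1 60 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.30.4.9 10.10.2.8 51022 5432 6 20 2400 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.10.2.8 39000 5432 6 8 900 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse_flow_record(line):
    """Split one default-format line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def in_cde(addr):
    return any(addr in net for net in CDE_NETWORKS)


def ingress_allowed(src, dstport):
    """True if some allow rule covers this source network and destination port."""
    for net, ports in ALLOWED_INGRESS:
        if src in net and (ports is None or dstport in ports):
            return True
    return False


def detect_unexpected_cde_ingress(log_text):
    """Return (srcaddr, dstaddr, dstport) for accepted flows into the CDE that
    the policy does not permit. REJECT records are the security group or NACL
    doing its job and are not alerted on; NODATA/SKIPDATA records carry no
    addresses and are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        dstport = int(rec["dstport"])
        if in_cde(dst) and not ingress_allowed(src, dstport):
            alerts.append((rec["srcaddr"], rec["dstaddr"], dstport))
    return alerts


if __name__ == "__main__":
    for src, dst, port in detect_unexpected_cde_ingress(SAMPLE_LOG):
        print(f"ALERT: accepted ingress to CDE {dst}:{port} from {src}")
```

The two hits are an Internet address reaching SSH on a CDE host and a corporate subnet reaching the database port directly; both were ACCEPTed, which means the segmentation policy and the security groups disagree, and that gap, not the log line, is the finding. The "keep signatures up to date" half of 11.4 has no flow-log equivalent; it maps to whatever inspection engine you run on the instances or at the VPC edge, which is why the control still has to be designed, not just logged.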
10. DIAGRAM YOUR CLOUD ENVIRONMENT & DATA FLOWS
11. TAG IT
• PLEASE tag your resources in a logical manner
• Tagging greatly helps with…everything
• AWS best practices: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-resource-tags/
• Azure: https://azure.microsoft.com/en-us/documentation/articles/resource-group-using-tags
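What "tag in a logical manner" looks like when it is enforced, as an added example that is not from the presentation: a required-tag policy (the tag names, allowed values and resource records below are all constructed) checked against an inventory, reporting each violation. The check also catches the mistake that quietly breaks tag-based reporting in AWS, a key written in the wrong case, since tag keys there are case-sensitive. Resources that pass are grouped by their compliance-scope tag, which is how tagging feeds the scoping list from steps 1 and 2.

```python
"""Added example (not from the presentation): enforcing a tagging policy over
a constructed resource inventory. Tag names, values and resource ids are
hypothetical sample data."""

# Constructed policy: required keys and, where restricted, the allowed values.
# None means any non-empty value is acceptable.
REQUIRED_TAGS = {
    "Environment": {"prod", "staging", "dev"},
    "Owner": None,
    "ComplianceScope": {"cde", "connected", "out-of-scope"},
}

# Constructed inventory, shaped like a flattened describe-* result.
RESOURCES = [
    {"id": "i-0aaa111", "type": "ec2:instance",
     "tags": {"Environment": "prod", "Owner": "payments-team", "ComplianceScope": "cde"}},
    {"id": "vol-0bbb222", "type": "ec2:volume",
     "tags": {"environment": "prod", "Owner": "payments-team", "ComplianceScope": "cde"}},
    {"id": "sg-0ccc333", "type": "ec2:security-group",
     "tags": {"Environment": "production", "Owner": ""}},
    {"id": "bucket-logs", "type": "s3:bucket", "tags": {}},
]


def check_tags(resource, policy=REQUIRED_TAGS):
    """Return a list of findings for one resource (empty list means compliant)."""
    findings = []
    tags = resource["tags"]
    lowered = {k.lower(): k for k in tags}  # for the case-mismatch check
    for key, allowed in policy.items():
        if key not in tags:
            if key.lower() in lowered:
                findings.append(f"tag {key!r} written as {lowered[key.lower()]!r}: "
                                "tag keys are case-sensitive")
            else:
                findings.append(f"missing required tag {key!r}")
            continue
        value = tags[key]
        if not value:
            findings.append(f"tag {key!r} is empty")
        elif allowed is not None and value not in allowed:
            findings.append(f"tag {key!r}={value!r} not in {sorted(allowed)}")
    return findings


def audit(resources, policy=REQUIRED_TAGS):
    """Map resource id -> findings for every non-compliant resource."""
    report = {}
    for resource in resources:
        findings = check_tags(resource, policy)
        if findings:
            report[resource["id"]] = findings
    return report


def scope_inventory(resources, policy=REQUIRED_TAGS):
    """Group compliant resources by their ComplianceScope tag."""
    groups = {}
    for resource in resources:
        if check_tags(resource, policy):
            continue  # untagged or mistagged resources cannot be placed in scope
        groups.setdefault(resource["tags"]["ComplianceScope"], []).append(resource["id"])
    return groups


if __name__ == "__main__":
    for resource_id, findings in audit(RESOURCES).items():
        for finding in findings:
            print(f"{resource_id}: {finding}")
    print(scope_inventory(RESOURCES))
```

The useful property is the last function: a resource that fails the tag check cannot be assigned a scope, so an untagged volume attached to a CDE instance shows up as a finding instead of silently dropping out of the scoping list.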
12. MOVE TOWARD DISPOSABLE INFRASTRUCTURE
A new approach to cloud with huge security and compliance benefits:
1. Fully automate the build of your environment
a. System and storage instantiation
b. Configuration, hardening, patching
c. Code deployment
2. On a regular basis, recreate the whole environment
3. Migrate from old to new (automatically)
4. Destroy the original
• Disposable IT forces formality and structure
• It also has huge security benefits
CONCLUSION
YOU STILL NEED ALL THE STANDARD CONTROLS
• Cloud does not change the fact that you still need controls…
• Firewall / NGFW (IDS/IPS)
• SIEM
• File Integrity Monitoring
• Endpoint Anti-virus
• Vulnerability Management
• Patch management
• Encryption
• Key Management
• Whether it is you running it, or somebody else, they still must be present
FINAL THOUGHTS
• Where is your data?
• What exactly are you making compliant?
• This is not easy, but you do not need to make it difficult
• Resistance is futile, the cloud is now
EMAIL: [email protected]
TWITTER: @andrewplato
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN