Compliance in the Clouds (ISACA CACS 2017)

Transcript of Compliance in the Clouds (ISACA CACS 2017)

Page 1: Compliance in the Clouds (ISACA CACS 2017)

Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.

Andrew Plato

President / CEO of Anitian

Page 2: Compliance in the Clouds (ISACA CACS 2017)
Page 3: Compliance in the Clouds (ISACA CACS 2017)

Meet the Speaker – Andrew Plato

• President / CEO of Anitian

• Principal at TrueBit CyberPartners

• 20+ years of experience in security

• Authored thousands of articles, documents, reports, etc.

• “Discovered” SQL injection in 1995

• Helped develop first in-line IPS engine (BlackICE)

Page 4: Compliance in the Clouds (ISACA CACS 2017)

What we do: We build great security

• Managed Security (MSSP): Virtual SOC, Managed Detection and Response

• Professional Services: Pentesting, compliance, risk assessments

• Virtual CISO: On-demand security

Why we do it: We believe security is essential to growth, innovation, and prosperity

Page 5: Compliance in the Clouds (ISACA CACS 2017)

OVERVIEW

Intent

• Describe some of the issues that influence cloud compliance

• Dispel a few myths of compliance in the cloud

• Provide a strategy for meeting cloud compliance objectives

Page 6: Compliance in the Clouds (ISACA CACS 2017)

WHAT IS YOUR INTENTION?

Do you want to build secure and compliant environments, or do you want to be merely compliant?

MERELY COMPLIANT

• Ignore this presentation

• Hire the cheapest checkbox auditor you can find

• Good luck

SECURE AND COMPLIANT

• Sit tight, you are in the right place

Page 7: Compliance in the Clouds (ISACA CACS 2017)

ASSUMPTIONS

• This is a giant topic

• This presentation has a bias toward AWS and PCI compliance

• Topics apply to other hosting providers and SaaS services

Page 8: Compliance in the Clouds (ISACA CACS 2017)

ROAD TO THE CLOUD

Page 9: Compliance in the Clouds (ISACA CACS 2017)

Page 10: Compliance in the Clouds (ISACA CACS 2017)

Page 11: Compliance in the Clouds (ISACA CACS 2017)

REMEMBER THESE?

Page 12: Compliance in the Clouds (ISACA CACS 2017)

FORMER CIO

Page 13: Compliance in the Clouds (ISACA CACS 2017)

Page 14: Compliance in the Clouds (ISACA CACS 2017)

Page 15: Compliance in the Clouds (ISACA CACS 2017)

NOT A CHECKBOX

Page 16: Compliance in the Clouds (ISACA CACS 2017)

IT IS A JOURNEY

WITH A DESTINATION

Page 17: Compliance in the Clouds (ISACA CACS 2017)

CLOUD IS GOOD FOR BUSINESS

Page 18: Compliance in the Clouds (ISACA CACS 2017)

COMPLIANCE IS GOOD FOR BUSINESS

Page 19: Compliance in the Clouds (ISACA CACS 2017)

COMPLIANT CLOUDS ARE GOOD FOR BUSINESS

Page 20: Compliance in the Clouds (ISACA CACS 2017)

OF COURSE

IT IS NEVER THAT EASY

Page 21: Compliance in the Clouds (ISACA CACS 2017)

WHO DO YOU WANT TO BE TODAY?

Page 22: Compliance in the Clouds (ISACA CACS 2017)

CLOUD COMPLIANCE

MYTHS

Page 23: Compliance in the Clouds (ISACA CACS 2017)

THE CLOUD IS EASY TO HACK

Page 24: Compliance in the Clouds (ISACA CACS 2017)

THIS IS NOT THE PROBLEM

Page 25: Compliance in the Clouds (ISACA CACS 2017)

PRE-HARDENED IMAGES

Page 26: Compliance in the Clouds (ISACA CACS 2017)

LOTS OF TECH

Page 27: Compliance in the Clouds (ISACA CACS 2017)

THIS GUY IS THE PROBLEM

Page 28: Compliance in the Clouds (ISACA CACS 2017)

I GOT NOTHING

Page 29: Compliance in the Clouds (ISACA CACS 2017)

WE CANNOT CONTROL THE DATA

Page 30: Compliance in the Clouds (ISACA CACS 2017)

Page 31: Compliance in the Clouds (ISACA CACS 2017)

EXACTLY WHERE YOU PUT IT

Page 32: Compliance in the Clouds (ISACA CACS 2017)

COMPLIANCE IS EASIER IN THE CLOUD THAN ON-PREMISE

Page 33: Compliance in the Clouds (ISACA CACS 2017)
Page 34: Compliance in the Clouds (ISACA CACS 2017)

On Premise Compliance Program

Cloud Compliance Program

Page 35: Compliance in the Clouds (ISACA CACS 2017)

CONSIDER PENETRATION TESTING

On-Premise

• Hire a pentester

• Conduct test

• Patch systems

• Retest

• Pass

AWS

• Hire a pentester

• Find out they know nothing about the cloud

• Hire another pentester

• Wait two weeks for approval from AWS

• Conduct test

• Find problems with third party image

• Pound fist on table

• Rearchitect entire cloud

• Retest

• Pass

Page 36: Compliance in the Clouds (ISACA CACS 2017)

HOSTING WITH A COMPLIANT PROVIDER MAKES US COMPLIANT

Page 37: Compliance in the Clouds (ISACA CACS 2017)

WHAT’S MISSING?

Page 38: Compliance in the Clouds (ISACA CACS 2017)

[Diagram: four stacked layers, each labelled Security / Compliance and each marked YOU MANAGE]

OH YEAH, SECURITY AND COMPLIANCE!

Page 39: Compliance in the Clouds (ISACA CACS 2017)

SECURITY AND COMPLIANCE

YOUR RESPONSIBILITY

Page 40: Compliance in the Clouds (ISACA CACS 2017)

CLOUD COMPLIANCE IS SHARED

Page 41: Compliance in the Clouds (ISACA CACS 2017)

ROAD TO CLOUD COMPLIANCE

Page 42: Compliance in the Clouds (ISACA CACS 2017)

1. WHAT EXACTLY ARE YOU MAKING COMPLIANT

I find your lack of scope … disturbing.

Page 43: Compliance in the Clouds (ISACA CACS 2017)

2. INVENTORY

• Applications

• APIs

• Data

• Systems

• Access (remote)

• Third party components

• Security controls

… everything

Page 44: Compliance in the Clouds (ISACA CACS 2017)

3A. SEGMENT AND ISOLATE

• Put the compliant systems in their own virtual private cloud (VPC)

• Precisely control ALL access between all other VPCs and the Internet

• Please do not peer your systems, route them
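One way to check that a CDE VPC really is isolated is to audit its security group rules against an explicit allow-list. The script below is an added example (not from the talk or from Anitian): it reads a constructed sample shaped like boto3's ec2.describe_security_groups() output (no AWS call is made) and flags three things a QSA will ask about: all-protocol rules, sources outside the allow-list that are not a published edge port, and rules that trust a security group in another VPC, which only works when the VPCs are peered. The VPC id, CIDRs and port policy are assumptions for illustration.

```python
# Added example (not from the talk or from Anitian): audit the ingress rules of
# every security group in a CDE VPC against an explicit allow-list.  The input
# is a constructed sample in the shape returned by boto3's
# ec2.describe_security_groups(); no AWS call is made.  The VPC id, CIDRs and
# port policy below are assumptions for illustration.
import ipaddress

CDE_VPC_ID = "vpc-cde"                                    # assumed id of the CDE VPC
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/16"),  # the CDE VPC itself
                   ipaddress.ip_network("10.20.5.0/24")]  # bastion / jump subnet
PUBLIC_PORTS = {443}   # assumed: the only service the Internet may reach at the CDE edge
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: describe_security_groups()["SecurityGroups"], trimmed.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "cde-web", "VpcId": "vpc-cde",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "cde-db", "VpcId": "vpc-cde",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1"}, {"GroupId": "sg-0c3"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "corp-shared", "VpcId": "vpc-corp",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _within(cidr, nets):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(n) for n in nets)


def audit_cde_groups(groups, cde_vpc_id=CDE_VPC_ID):
    """Return (group_id, kind, detail) findings for every rule that opens the CDE
    VPC wider than the allow-list permits."""
    vpc_of = {g["GroupId"]: g["VpcId"] for g in groups}
    findings = []
    for g in groups:
        if g["VpcId"] != cde_vpc_id:
            continue                                  # only CDE groups are audited
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "-1":
                findings.append((g["GroupId"], "all-protocol",
                                 "rule allows every protocol and port"))
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                if _within(cidr, ALLOWED_SOURCES):
                    continue
                # A public source is tolerated only on the published edge ports.
                if not _within(cidr, RFC1918) and proto == "tcp" \
                        and set(range(lo, hi + 1)) <= PUBLIC_PORTS:
                    continue
                findings.append((g["GroupId"], "source-not-allowed",
                                 f"{proto} {lo}-{hi} from {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                ref = pair["GroupId"]
                if vpc_of.get(ref) != cde_vpc_id:     # reachable only via peering
                    findings.append((g["GroupId"], "cross-vpc-sg-reference",
                                     f"trusts {ref} in {vpc_of.get(ref, 'unknown VPC')}"))
    return findings


if __name__ == "__main__":
    for f in audit_cde_groups(SAMPLE_GROUPS):
        print(*f, sep="  ")
```

On the sample, cde-web passes (HTTPS from anywhere is the published edge, SSH only from the bastion subnet) and cde-db produces all three finding kinds. The cross-VPC reference is the one that matters for the "route, do not peer" point: a security group in the corporate VPC silently becomes part of the CDE trust boundary.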

Page 45: Compliance in the Clouds (ISACA CACS 2017)

3B. SEGMENTATION and ISOLATION

Scoping decision flow (from the slide):

Does it process, store, or transmit CHD?
  YES → It is in the CDE
  NO  → next question

Does it connect (in any way) to a CDE system?
  YES → It is in-scope for PCI
  NO  → next question

Can it affect the security of the CDE at all?
  YES → It is in-scope for PCI
  NO  → Out of Scope
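The flow above is easy to apply to one system and easy to get wrong across a whole inventory, because "connects in any way" is a graph question. The script below is an added example (not from the talk or from Anitian) that runs the three questions in order over a small constructed inventory, treats every link as bidirectional, and also reports names that appear in a link but were never inventoried, since an unknown neighbour of a CDE system is exactly the lack of scope the previous slide warns about. The topology and the attribute names are assumptions for illustration.

```python
# Added example (not from the talk or from Anitian): the scoping decision flow
# from the slide above, run over a small constructed inventory.  Every link is
# treated as bidirectional ("connects in any way"), and names that appear in a
# link but not in the inventory are reported separately.  The topology is
# invented for illustration.
from collections import namedtuple

# handles_chd: processes, stores or transmits CHD
# links:       systems it has any network connectivity to
# secures:     systems it provides a security service to (auth, logging, patching, DNS...)
System = namedtuple("System", "name handles_chd links secures")

INVENTORY = [                                            # constructed sample
    System("web-lb",          True,  {"web-app"},                 set()),  # transmits CHD
    System("web-app",         True,  {"web-lb", "db"},            set()),
    System("db",              True,  {"web-app", "legacy-batch"}, set()),
    System("bastion",         False, {"web-app", "db"},           set()),
    System("ad-dc",           False, {"corp-fileserver"},         {"web-app", "db", "bastion"}),
    System("siem",            False, set(),                       {"web-app", "db"}),
    System("corp-fileserver", False, {"ad-dc"},                   set()),
    System("marketing-wiki",  False, set(),                       set()),
]

CDE, CONNECTED, SECURITY, OUT = ("CDE", "in-scope (connected to CDE)",
                                 "in-scope (affects CDE security)", "out of scope")


def _neighbours(inventory):
    """Undirected adjacency: a link in either direction counts as a connection."""
    adj = {s.name: set(s.links) for s in inventory}
    for s in inventory:
        for other in s.links:
            adj.setdefault(other, set()).add(s.name)
    return adj


def classify(inventory):
    """Apply the three questions of the flow in order; the first YES wins."""
    adj = _neighbours(inventory)
    cde = {s.name for s in inventory if s.handles_chd}
    scope = {}
    for s in inventory:
        if s.name in cde:
            scope[s.name] = CDE
        elif adj[s.name] & cde:
            scope[s.name] = CONNECTED
        elif s.secures & cde:
            scope[s.name] = SECURITY
        else:
            scope[s.name] = OUT
    return scope


def missing_from_inventory(inventory):
    """Names referenced by links or secures but never inventoried themselves."""
    known = {s.name for s in inventory}
    referenced = set().union(*(s.links | s.secures for s in inventory))
    return referenced - known


if __name__ == "__main__":
    for name, verdict in classify(INVENTORY).items():
        print(f"{name:18} {verdict}")
    print("not in inventory:", sorted(missing_from_inventory(INVENTORY)))
```

Note that the domain controller and the SIEM land in scope without any direct network path to the CDE: the third question is what pulls them in, and it is the one most often skipped when scoping is done from a network diagram alone.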

Page 46: Compliance in the Clouds (ISACA CACS 2017)

4. GET THE COMPLIANCE PACKAGE

• Any (truly) compliant cloud service can provide attestation.

• AWS and Azure have packages you can request:

AWS: https://aws.amazon.com/compliance/contact/

Microsoft: https://www.microsoft.com/en-us/trustcenter/Compliance

• If your host cannot provide attestation, they are not compliant

• You will be on the hook to make them compliant…which may be impossible

Page 47: Compliance in the Clouds (ISACA CACS 2017)

Make sure it is a formal attestation of compliance…like this from the PCI Security Standards Council

Page 48: Compliance in the Clouds (ISACA CACS 2017)

Not this….

Page 49: Compliance in the Clouds (ISACA CACS 2017)

5. REVIEW THE RESPONSIBILITY MATRIX

• Service providers must provide a responsibility matrix

• What are they responsible for?

• What are you responsible for?

Page 50: Compliance in the Clouds (ISACA CACS 2017)

6. WHAT SERVICES ARE COVERED?

Example – AWS services covered under PCI-DSS (as listed on the slide):

• Auto Scaling

• AWS CloudFormation

• Amazon CloudFront

• AWS CloudHSM

• AWS CloudTrail

• AWS Config

• AWS Direct Connect

• Amazon DynamoDB

• AWS Elastic Beanstalk

• Amazon Elastic Block Store (EBS)

• Amazon Elastic Compute Cloud (EC2)

• Amazon EC2 Container Service (ECS)

• Elastic Load Balancing (ELB)

• Amazon Elastic MapReduce (EMR)

• Amazon Glacier

• AWS Key Management Service (KMS)

• AWS Identity and Access Management (IAM)

• Amazon Redshift

• Amazon Relational Database Service (RDS)

• Amazon Route 53

• Amazon SimpleDB

• Amazon Simple Storage Service (S3)

• Amazon Simple Queue Service (SQS)

• Amazon Simple Workflow Service (SWF)

• Amazon Virtual Private Cloud (VPC)

• AWS WAF - Web Application Firewall

Page 51: Compliance in the Clouds (ISACA CACS 2017)

7. BUILD A ROADMAP

• Identify the items you must make compliant

• Figure out the cloud-version of the controls you need

• NGFW & intrusion detection

• Endpoint security

• Integrity monitoring

• Configuration management

• Encryption

• Rewrite policies to reference the cloud

• Engage cloud experienced vendors for services, like pentesting

Page 52: Compliance in the Clouds (ISACA CACS 2017)

7B. ROADMAP

Page 53: Compliance in the Clouds (ISACA CACS 2017)

8. CONSULT BEST PRACTICE GUIDES

• Every provider offers best practice guides for compliance

• Reference architectures

• Configurations

• Design strategies

• For example, Anitian wrote a definitive guide for PCI compliance at AWS in collaboration with the AWS compliance team

Page 54: Compliance in the Clouds (ISACA CACS 2017)

9. TRANSLATE THE STANDARDS INTO CLOUD

• Most compliance standards were written in an era before cloud.

• Consider this example from PCI DSS 11.4: "Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date."

• You have to translate this into cloud technologies and designs
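One translation of "monitor all traffic at the perimeter of the CDE" into a VPC: the perimeter is a set of subnets, and VPC Flow Logs record every accepted and rejected flow crossing it. The script below is an added example (not from the talk or from Anitian) that runs three detections over constructed default-format flow log records: an accepted inbound flow that no policy line permits (a control that has drifted), a single source collecting rejects on many CDE ports (a probe), and a CDE host talking out to the Internet on an unexpected port. The CDE range, ingress policy, egress ports and probe threshold are assumptions for illustration.

```python
# Added example (not from the talk or from Anitian): three perimeter detections
# over constructed default-format (v2) VPC flow log records, as one way to meet
# the "monitor and alert" half of PCI DSS 11.4 in a VPC.  CDE range, policy,
# egress ports and threshold are assumptions for illustration.
import ipaddress
from collections import defaultdict, namedtuple

CDE_NET = ipaddress.ip_network("10.10.0.0/16")                   # assumed CDE subnets
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed perimeter policy: (dst port, IP protocol) -> sources allowed to reach it.
INGRESS_POLICY = {
    (443, 6): [ipaddress.ip_network("0.0.0.0/0")],               # public HTTPS
    (22, 6):  [ipaddress.ip_network("10.20.5.0/24")],            # bastion subnet only
}
EGRESS_PORTS_OK = {80, 443}   # assumed: CDE hosts only reach the Internet for updates/APIs
PROBE_THRESHOLD = 4           # distinct rejected ports from one source before calling it a scan

Flow = namedtuple("Flow", "src dst srcport dstport proto action")

# Constructed records: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """
2 123456789012 eni-0aa 203.0.113.7 10.10.1.20 51234 443 6 12 3400 1490000000 1490000060 ACCEPT OK
2 123456789012 eni-0aa 10.20.5.4 10.10.1.20 40001 22 6 30 5200 1490000000 1490000060 ACCEPT OK
2 123456789012 eni-0aa 198.51.100.9 10.10.1.20 40002 22 6 1 60 1490000001 1490000061 ACCEPT OK
2 123456789012 eni-0aa 198.51.100.9 10.10.1.20 40003 23 6 1 60 1490000002 1490000062 REJECT OK
2 123456789012 eni-0aa 198.51.100.9 10.10.1.20 40004 3389 6 1 60 1490000003 1490000063 REJECT OK
2 123456789012 eni-0aa 198.51.100.9 10.10.1.20 40005 3306 6 1 60 1490000004 1490000064 REJECT OK
2 123456789012 eni-0aa 198.51.100.9 10.10.1.20 40006 8080 6 1 60 1490000005 1490000065 REJECT OK
2 123456789012 eni-0bb 10.10.1.20 10.10.2.30 33000 3306 6 40 9000 1490000010 1490000070 ACCEPT OK
2 123456789012 eni-0bb 10.10.2.30 203.0.113.200 45000 4444 6 200 900000 1490000020 1490000080 ACCEPT OK
2 123456789012 eni-0bb - - - - - - - 1490000020 1490000080 - NODATA
""".strip().splitlines()


def parse_flow_log(line):
    """Parse one default-format record; None for NODATA/SKIPDATA rows."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK" or f[3] == "-":
        return None
    return Flow(ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]),
                int(f[5]), int(f[6]), int(f[7]), f[12])


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def detect(lines):
    """Return (rule, source, detail) alerts for traffic crossing the CDE boundary."""
    alerts, rejected = [], defaultdict(set)
    for line in lines:
        fl = parse_flow_log(line)
        if fl is None:
            continue
        to_cde, from_cde = fl.dst in CDE_NET, fl.src in CDE_NET
        if to_cde and not from_cde:                         # inbound across the boundary
            if fl.action == "REJECT":
                rejected[fl.src].add(fl.dstport)
            elif not _in_any(fl.src, INGRESS_POLICY.get((fl.dstport, fl.proto), [])):
                # Accepted, yet no policy line allows it: a control has drifted.
                alerts.append(("unauthorised-ingress", str(fl.src),
                               f"ACCEPT to {fl.dst}:{fl.dstport}"))
        elif from_cde and fl.action == "ACCEPT" and not _in_any(fl.dst, RFC1918):
            # Flow logs do not record who opened the session.  A well-known source
            # port talking to an ephemeral port is taken as the reply half of an
            # inbound connection and not judged as egress.
            if fl.srcport < 1024 <= fl.dstport:
                continue
            if fl.dstport not in EGRESS_PORTS_OK:
                alerts.append(("unexpected-egress", str(fl.src),
                               f"to {fl.dst}:{fl.dstport}"))
    for src, ports in rejected.items():
        if len(ports) >= PROBE_THRESHOLD:
            alerts.append(("port-probe", str(src),
                           f"{len(ports)} rejected ports: {sorted(ports)}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(*a, sep="  ")
```

Flow logs only see addresses, ports and the accept/reject verdict, so this covers the "monitor the perimeter and alert" part of 11.4, not the signature-based "intrusion-detection engines" part; in practice that still means a network or host IDS inside the VPC, with something like the above feeding the same SIEM.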

Page 55: Compliance in the Clouds (ISACA CACS 2017)

10. DIAGRAM YOUR CLOUD ENVIRONMENT & DATA FLOWS

Page 56: Compliance in the Clouds (ISACA CACS 2017)

11. TAG IT

• PLEASE tag your resources in a logical manner

• Tagging greatly helps with…everything

• AWS best practices: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-resource-tags/

• Azure: https://azure.microsoft.com/en-us/documentation/articles/resource-group-using-tags
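Tagging only helps if the tags are actually there and spelled consistently, so the tag schema needs a check behind it. The script below is an added example (not from the talk or from Anitian) that validates resources against a required schema, including a PCIScope tag that records the scoping decision from the page 45 flow. The input is a constructed sample in the shape of the Resource Groups Tagging API get_resources() output (no AWS call is made); the schema and values are assumptions for illustration. The case-sensitivity check matters because AWS treats "owner" and "Owner" as two different tag keys.

```python
# Added example (not from the talk or from Anitian): validate resource tags
# against a required schema.  The input is a constructed sample in the shape of
# resourcegroupstaggingapi get_resources()["ResourceTagMappingList"]; no AWS
# call is made.  The schema is an assumption for illustration.
REQUIRED_TAGS = {                     # key -> allowed values (None = any non-empty value)
    "Name": None,
    "Owner": None,
    "Environment": {"prod", "stage", "dev"},
    "PCIScope": {"cde", "connected", "security-impacting", "out-of-scope"},
}

SAMPLE_RESOURCES = [                  # constructed sample
    {"ResourceARN": "arn:aws:ec2:us-west-2:123456789012:instance/i-0aaa",
     "Tags": [{"Key": "Name", "Value": "cde-web-1"}, {"Key": "Owner", "Value": "payments"},
              {"Key": "Environment", "Value": "prod"}, {"Key": "PCIScope", "Value": "cde"}]},
    {"ResourceARN": "arn:aws:ec2:us-west-2:123456789012:volume/vol-0bbb",
     "Tags": [{"Key": "Name", "Value": "cde-db-data"}, {"Key": "owner", "Value": "payments"},
              {"Key": "environment", "Value": "Production"}, {"Key": "PCIScope", "Value": "CDE"}]},
    {"ResourceARN": "arn:aws:s3:::legacy-exports", "Tags": []},
    {"ResourceARN": "arn:aws:rds:us-west-2:123456789012:db:cde-db",
     "Tags": [{"Key": "Name", "Value": "cde-db"}, {"Key": "Owner", "Value": ""},
              {"Key": "Environment", "Value": "prod"}, {"Key": "PCIScope", "Value": "connected"}]},
]


def check_tags(resource, schema=REQUIRED_TAGS):
    """Return a list of problems for one resource; an empty list means it passes."""
    tags = {t["Key"]: t["Value"] for t in resource["Tags"]}
    by_lower = {k.lower(): k for k in tags}
    problems = []
    for key, allowed in schema.items():
        if key not in tags:
            # AWS tag keys are case-sensitive, so "owner" does not satisfy "Owner".
            if key.lower() in by_lower:
                problems.append(f"{key}: present as '{by_lower[key.lower()]}' (keys are case-sensitive)")
            else:
                problems.append(f"{key}: missing")
            continue
        value = tags[key]
        if not value:
            problems.append(f"{key}: empty value")
        elif allowed is not None and value not in allowed:
            problems.append(f"{key}: '{value}' not in {sorted(allowed)}")
    return problems


def tag_report(resources, schema=REQUIRED_TAGS):
    """Map ARN -> problems for every resource that fails the schema."""
    report = {}
    for r in resources:
        problems = check_tags(r, schema)
        if problems:
            report[r["ResourceARN"]] = problems
    return report


if __name__ == "__main__":
    for arn, problems in tag_report(SAMPLE_RESOURCES).items():
        print(arn)
        for p in problems:
            print("   ", p)
```

Run this on a schedule and the untagged S3 bucket in the sample is the kind of thing that surfaces: a resource nobody claimed, with no recorded scope, sitting in the account being audited.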

Page 57: Compliance in the Clouds (ISACA CACS 2017)

12. MOVE TOWARD DISPOSABLE INFRASTRUCTURE

A new approach to cloud with huge security and compliance benefits:

1. Fully automate the build of your environment

a. System and storage instantiation

b. Configuration, hardening, patching

c. Code deployment

2. On a regular basis, recreate the whole environment

3. Migrate from old to new (automatically)

4. Destroy the original

• Disposable IT forces formality and structure

• It also has huge security benefits

Page 58: Compliance in the Clouds (ISACA CACS 2017)

CONCLUSION

Page 59: Compliance in the Clouds (ISACA CACS 2017)

YOU STILL NEED ALL THE STANDARD CONTROLS

• Cloud does not change the fact that you still need controls…

• Firewall / NGFW (IDS/IPS)

• SIEM

• File Integrity Monitoring

• Endpoint Anti-virus

• Vulnerability Management

• Patch management

• Encryption

• Key Management

• Whether it is you running it, or somebody else, they still must be present

Page 60: Compliance in the Clouds (ISACA CACS 2017)

FINAL THOUGHTS

• Where is your data?

• What exactly are you making compliant?

• This is not easy, but you do not need to make it difficult

• Resistance is futile, the cloud is now

Page 61: Compliance in the Clouds (ISACA CACS 2017)

EMAIL: [email protected]

TWITTER: @andrewplato

@AnitianSecurity

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN