Cloud Security Best Practices

Cloud environments bring advantages to businesses of all sizes (reduced cost, flexibility, lower risk, efficiency), so why go the extra mile and implement cloud security best practices? Security vulnerabilities exist, even in the cloud. The traditional security problems of an internal network reappear in cloud environments, in a familiar cycle.

In this webinar, we discuss three areas where traditional security problems must be reassessed for cloud environments: credential reuse and management interface, secure configurations, and system logging and monitoring.

1. Credential Reuse and Securing the Management Interface

In a traditional internal network, you may encounter issues like the same local administrator account being used on all deployed workstations, domain administrator permissions being granted to daily-use accounts, and service accounts with static passwords holding administrative permissions. You will encounter these same traditional security problems in cloud environments; they just look slightly different. For example, the same SSH key may be used for all IaaS server instances without the private key being properly secured, administrator permissions may be granted to daily-use accounts, and long-lived account keys may be embedded in scripted automation tasks.
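The three cloud-side anti-patterns above can be checked mechanically from an account inventory. The script below is an added example, not code from the webinar or from KirkpatrickPrice; the inventory, account names and policy names are constructed sample data, and the 90-day rotation limit is an assumed threshold.

```python
"""Audit a cloud inventory for the credential anti-patterns discussed above:
a shared SSH key on many instances, admin rights on daily-use (human) accounts,
and static automation keys that have not been rotated."""
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical ids and names), flattened the
# way an IaaS/IAM API listing would be after extraction.
INSTANCES = [
    {"id": "i-web-01", "ssh_key_fingerprint": "SHA256:aaaa"},
    {"id": "i-web-02", "ssh_key_fingerprint": "SHA256:aaaa"},
    {"id": "i-db-01", "ssh_key_fingerprint": "SHA256:aaaa"},
    {"id": "i-bastion", "ssh_key_fingerprint": "SHA256:bbbb"},
]
ACCOUNTS = [
    {"name": "alice", "human": True, "policies": ["AdministratorAccess"],
     "access_keys": []},
    {"name": "bob", "human": True, "policies": ["ReadOnly"], "access_keys": []},
    {"name": "deploy-bot", "human": False, "policies": ["AdministratorAccess"],
     "access_keys": [{"last_rotated": date(2016, 1, 10)}]},
]


def shared_ssh_keys(instances, threshold=2):
    """Fingerprints present on at least `threshold` instances -> instance ids."""
    by_key = defaultdict(list)
    for inst in instances:
        by_key[inst["ssh_key_fingerprint"]].append(inst["id"])
    return {k: ids for k, ids in by_key.items() if len(ids) >= threshold}


def admin_daily_use_accounts(accounts, admin_policy="AdministratorAccess"):
    """Human (daily-use) accounts that carry the administrator policy."""
    return [a["name"] for a in accounts
            if a["human"] and admin_policy in a["policies"]]


def stale_automation_keys(accounts, today, max_age_days=90):
    """(account, age_in_days) for non-human keys older than the rotation limit."""
    findings = []
    for a in accounts:
        if a["human"]:
            continue
        for key in a["access_keys"]:
            age = (today - key["last_rotated"]).days
            if age > max_age_days:
                findings.append((a["name"], age))
    return findings


if __name__ == "__main__":
    print("shared SSH keys:", shared_ssh_keys(INSTANCES))
    print("admin daily-use accounts:", admin_daily_use_accounts(ACCOUNTS))
    print("stale automation keys:", stale_automation_keys(ACCOUNTS, date.today()))
```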

2. Managing Secure Configurations

Secure configurations are vital in both traditional internal networks and cloud environments. Patching and hardening systems can be a disruptive process that requires a significant amount of resources, which makes neglected configurations one of the most common traditional security problems. This approach does not need to be carried over into cloud environments. To gain the advantages that cloud environments can provide, applications need to be transformed, not simply lifted over, so that they bring additional business value.

3. System Logging and Monitoring

Analysis and retention of log data can easily overburden limited IT resources. In the PCI DSS framework, for example, you must retain all logs for a year. When reassessed for cloud environments, system logging and monitoring can become less expensive and less burdensome. Object-based storage for retention is less expensive than large amounts of physical storage, and security-as-a-service providers can automate the log analysis process.

Listen to the full webinar to learn about best practices for cloud security. For more information on cloud security assessments, contact us today.

More Cloud Resources

European Union Agency for Network and Information Security (ENISA)

The NIST Definition of Cloud Computing

Cloud Security Alliance’s Treacherous Twelve

Look for KirkpatrickPrice at #1811

San Francisco, CA – KirkpatrickPrice will bring their cloud security expertise to the AWS Summit on April 4, 2018. The summit brings together the cloud computing community to connect, collaborate, and learn about AWS.

KirkpatrickPrice’s AWS cloud security experts hold the Certificate of Cloud Security Knowledge (CCSK) and Certified Cloud Security Professional (CCSP) certifications. These certifications allow the firm to adapt existing security controls to the AWS cloud environment, look for security vulnerabilities in an organization’s current AWS cloud infrastructure, provide remediation guidance, and assist in implementing AWS cloud security best practices. Partner with KirkpatrickPrice and your organization will gain access to their Online Audit Manager, which streamlines the audit process, allowing your organization to demonstrate compliance with all relevant information security frameworks while ensuring that your AWS cloud environment is secure.

KirkpatrickPrice has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. Their AWS Cloud Security Solutions can help your organization feel at ease that your hosting environment is secure and that you are able to provide the services you’ve promised to your clients. The firm also provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks.

GDPR Roles – Where Does Your Organization Start?

The most common questions we’re hearing related to GDPR have to do with roles – what role does my organization play? Are we a data controller or data processor? Joint controller? Controller-processor? Where should we start in our journey towards GDPR compliance? This can be a confusing aspect of compliance, but GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you.

What to Expect in the Webinar

In this webinar, we discuss three types of roles: data controller, joint controller, and data processor. The law defines a data controller as the natural or legal person that determines the purposes and means of the processing of personal data. A joint controller occurs when two or more controllers jointly determine the purposes and means of processing. A data processor is the natural or legal person which processes personal data on behalf of the data controller. When determining which role your organization fits, your organization should consider the following:

  • Organizational size and structure is irrelevant.
  • Processing activity is partially relevant.
  • Data source is incredibly relevant.
  • Contractual arrangements are completely relevant.

In this webinar, Mark Hinely also outlines a list of questions that should help your organization decide what its role is. Who decides…

  • To collect the personal data in the first place and the legal basis for doing so?
  • Which items of personal data to collect?
  • What methods to use to collect personal data?
  • The purpose(s) that the data are to be used for?
  • Which individuals to collect data about?
  • Whether to disclose the data, and if so, who to?
  • Whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • How long to retain the data or whether to make non-routine amendments to the data?
  • How to store personal data?
  • The detail of security surrounding the personal data?
  • The means used to transfer personal data from one organization to another?
  • The means used to delete or dispose of personal data?

Listen to the full webinar to learn about what your organization’s role is and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.

More GDPR Resources

ICO’s Data controllers and data processors: what the difference is and what the governance implications are

GDPR Readiness: What, Why and Who

Are You Ready for GDPR Compliance?

No one wants to work with an at-risk SaaS provider. If someone is looking to use your services, they want to know how secure your SaaS solution actually is. You may think you have a secure SaaS solution, but does an auditor? Does a hacker? Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

A SOC 2 audit is perfect for SaaS and other cloud service organizations that want to reassure their clients that their information is secure, available, and confidential. It’s becoming increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the SaaS providers they work with are developing secure SaaS solutions.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

Typically, a SaaS provider will choose to be evaluated against the security and availability criteria. If a client can’t be assured that you have a reliable, secure SaaS solution, why would they choose to use you? If a SaaS solution holds sensitive or valuable information, then an organization may also choose to be evaluated for confidentiality.

Understanding Secure SaaS Solutions with SOC 2 Compliance

Undergoing a SOC 2 audit demonstrates that your organization is invested in providing a secure SaaS solution. Your reputation, business continuity, competitive advantage, and branding all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

A SaaS provider depends on trust. If a client can’t trust your SaaS solution, why would they choose to use it? If your SaaS solution suffers from a data breach, the negative impact to your reputation would be a ripple effect. Once your SaaS solution has been successfully attacked and customers’ data has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, larger, educated prospects won’t want to work with you, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your organization will have a new branding tool. You can market your product as a reliable, secure SaaS solution. There are so many possible ways to incorporate your compliance into branding methodology. We always recommend that our clients leverage their compliance as marketing material and strive to help find creative ways to do so.

When you partner with an auditing firm that educates you and performs a thorough, quality-driven audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and looking for a vendor with SOC 2 compliance.

Even with all these benefits, you may be wondering what the penalties are for not pursuing SOC 2 compliance. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your SaaS solution couldn’t secure their information?
  • What future sales would you lose if your SaaS solution suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of compliance. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

HITRUST’s Continual Effort to Evolve

As more and more organizations look to the HITRUST CSF® as a way to ensure security and compliance, HITRUST continually updates the framework to incorporate evolving regulations and standards. What’s new in HITRUST CSF v9.1, HITRUST’s latest release? HITRUST CSF v9.1 includes changes based on community feedback as well as two major updates: support for GDPR and 23 NY CRR 500 requirements. The incorporation of these regulations supports HITRUST’s initiative to make the framework more comprehensive and to facilitate the application of the HITRUST CSF across multiple industries in order to internationalize the framework.

Jessie Skibbe, VP of Strategic Development and Chief Compliance Officer at KirkpatrickPrice and member of the 2018 HITRUST CSF Assessor Council, states, “HITRUST is paying attention to recent cyber threat activity and breach data, as well as working closely with regulators and industry leaders to create a comprehensive framework that will self-regulate and provide due diligence. It’s something that you can feel good about implementing. Whether a HITRUST CSF assessment is something that clients require of you or whether it’s something that you’re choosing on your own accord, you can be assured that HITRUST is committed to their users and will continue to update the framework.”

So, what’s new in HITRUST CSF v9.1 and what do organizations need to know when preparing for HITRUST CSF v9.1?

23 NY CRR 500 Overview

Effective March 1, 2017, the New York (NY) State Department of Financial Services Cybersecurity Requirements Regulation (CRR) for Financial Services Companies Part 500 (23 NY CRR 500) established cybersecurity requirements for financial services companies. The regulation requires that companies develop a cybersecurity program, based on internal and external risk, that protects sensitive customer information and the confidentiality, integrity, and availability of companies’ information technology systems. Some key elements of this cybersecurity program, as outlined in 23 NY CRR 500, include:

  • Management’s involvement and approval
  • Developing and implementing cybersecurity policies and procedures
  • Appointing a Chief Information Security Officer
  • Performing penetration testing and vulnerability assessments
  • Conducting a thorough risk assessment
  • Employing access privileges, application security, multi-factor authentication, and encryption methods
  • Training your employees
  • Developing an Incident Response Plan

When preparing for HITRUST CSF v9.1, HITRUST encourages organizations to note, “Integrating 23 NY CRR 500 into the HITRUST CSF will enable the financial industry to leverage the framework to achieve better cybersecurity resilience and protection. The requirements for Financial Services Companies not only affect financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.”

GDPR Overview

Born out of cybercrime threats, technology advances, and concerns about data misuse, the EU’s General Data Protection Regulation (GDPR) is one of the top regulatory focuses of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. GDPR will require all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” The applicability of the law follows the data, rather than a person or location. The scope is big and the sanctions are bigger; non-compliance can lead to fines of up to €20 million or 4% of annual global turnover, whichever is greater.

When preparing for HITRUST CSF v9.1 and GDPR compliance, HITRUST encourages organizations to understand the globalization efforts being made. HITRUST states, “Incorporation of GDPR is part of HITRUST’s initiative towards internationalization of the HITRUST CSF and increased support for global organizational privacy programs. The updated framework now allows organizations to easily manage and report on the controls intended to address GDPR requirements.”

Preparing for HITRUST CSF v9.1

If you aren’t wondering what’s new in HITRUST CSF v9.1 because your organization is currently being assessed under HITRUST CSF v9.0, remember that you have a six-month grace period from the release date (February 26, 2018) to submit your assessment to HITRUST. If you’re under HITRUST CSF v9.0, it’s also important to note that an assessment objective must be created to avoid being rolled over to v9.1.

If you have already submitted an assessment under previous versions, your organization will not be immediately affected by this new release of HITRUST CSF v9.1. As your organization prepares for re-certification, though, we recommend that you continue to perform risk assessments and review 23 NY CRR 500 and GDPR requirements that may impact you. Even if your organization is not subject to GDPR or 23 NY CRR 500, you can utilize the control requirements to improve your security and privacy initiatives.

More HITRUST CSF Resources

HITRUST CSF v9.1

Defining HITRUST CSF Compliance Webinar

Navigating HITRUST CSF Compliance Webinar

The HITRUST CSF Assessment Process and Beyond Webinar

Navigating HITRUST CSF Compliance Video Series

For more information on what’s new in HITRUST CSF v9.1 or how to get started with your HITRUST CSF certification process, contact us to speak to a HITRUST CSF expert.