Presenters

Bryan Langston - Director of Architecture
Bryan leads the global architecture practice at Mirantis. He and his team consult with companies of all sizes across all industries to design world-class open cloud solutions.

Jason James - Director of Security
Jason has worked in the information security realm for over 20 years. His professional background has ranged from the military to the commercial realm as a Global CISO. He has focused on the GRC areas for most of his career, helping companies become and stay compliant.

A little housekeeping
● Please submit questions in the Questions panel.
● We’ll provide a link where you can download the slides at the end of the webinar.

Navigating a Cloud Security Program
1. Align with a framework
2. Understand the objective of an auditor
3. Understand the burden of proof for each control
4. Distinguish policy from process from technology
5. RACI: Who does what?

Tools Selection
The right tool is the one that works for you
Open source vs. 3rd party / proprietary vs. home grown
Which one should I use?

File Integrity Monitoring
What is it? The activity associated with monitoring changes in an operating system or application software from a known baseline.
● Cloud Controls Matrix (CCM) control spec for AIS-04:
○ Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business functions to prevent improper disclosure, alteration, or destruction.
● Solutions: auditd+rules, Wazuh, CloudPassage…
● Examples of resources to monitor: Linux password db, search paths, sudo config, SSHD config, Linux filesystem deletes...
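As an added example that is not part of the Mirantis deck, the following Python joins the SYSCALL and PATH records that auditd emits for watch rules over the resources listed above into who/what/when/on-what events an auditor can review. The rule set, the `fim-*` rule keys and the sample audit.log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical auditd rules for the slide's resources; the -k tags are constructed labels.
AUDIT_RULES = """\
-w /etc/passwd -p wa -k fim-passwd-db
-w /etc/shadow -p wa -k fim-passwd-db
-w /etc/sudoers -p wa -k fim-sudo
-w /etc/ssh/sshd_config -p wa -k fim-sshd
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -k fim-delete
"""

# Constructed audit.log samples: an sshd_config edit under sudo, a delete, and an unkeyed read.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1589212000.101:201): syscall=257 success=yes auid=1001 uid=0 comm="vim" exe="/usr/bin/vim" key="fim-sshd"
type=PATH msg=audit(1589212000.101:201): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
type=SYSCALL msg=audit(1589212005.222:202): syscall=263 success=yes auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="fim-delete"
type=PATH msg=audit(1589212005.222:202): item=0 name="/var/log/app/" nametype=PARENT
type=PATH msg=audit(1589212005.222:202): item=1 name="/var/log/app/old.log" nametype=DELETE
type=SYSCALL msg=audit(1589212010.300:203): syscall=257 success=yes auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1589212010.300:203): item=0 name="/etc/hostname" nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')  # epoch seconds and event serial

@dataclass
class FimEvent:
    timestamp: int   # epoch seconds from the audit(...) stamp: when
    key: str         # rule tag: which watched resource fired
    auid: str        # login uid, preserved across sudo/su: who
    comm: str        # program that made the change: what
    paths: list = field(default_factory=list)   # on what

def parse_fim_events(log_text):
    """Join SYSCALL and PATH records by serial; keep only fim-* keyed events."""
    events = {}  # serial -> FimEvent, in log order
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ts, serial = int(m.group(1)), int(m.group(2))
        f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if f.get("type") == "SYSCALL" and f.get("key", "").startswith("fim-"):
            events[serial] = FimEvent(ts, f["key"], f.get("auid", "?"), f.get("comm", "?"))
        elif f.get("type") == "PATH" and serial in events and f.get("nametype") != "PARENT":
            events[serial].paths.append(f["name"])  # skip PARENT entries: they name the directory
    return list(events.values())
```

The unkeyed `cat` read of /etc/hostname is dropped, which is the point of tagging rules: evidence for AIS-04 should contain only changes to the resources the control covers.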

Security Baselines
What is it? A defined configuration state.
● CCM control spec for Governance and Risk Management (GRM-01):
○ Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
○ Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use.
○ Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
● Solutions: Custom scripts/automation, CIS benchmarks, OpenSCAP + OVAL, XCCDF

Elevated Privilege Management
What is it? Authenticating and tracking the use of root permissions.
● CCM control spec for Infrastructure & Virtualization Security Audit Logging / Intrusion Detection (IVS-01):
○ Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
● Solutions: 3rd party tools, Beyond Trust, monitoring agents, log monitoring

Event Auditing
What is it? Tracking the 7 W’s of audit and compliance: who, what, where, when, on what, from where, and where to.
● CCM control spec for Data Security & Information Lifecycle Management Classification (DSI-01):
○ Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
● Solutions: Cloud Audit Data Framework (CADF)

Summary
● The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps “humanize” security language
● Interpret controls to your use case
● Implement tools you can defend
● Document your process
● Maintain evidence of process performance

Thank You!
Q&A
Download the slides from bit.ly/mirantis-compliance-webinar
Watch the webinar recording at https://info.mirantis.com/cloud-security-recording