
What To Expect In 2017: Security And Government Regulations



The government's relationship with cloud security is surprisingly hands off. Current regulations already extend their umbrellas over our data in flight and at rest, regardless of whose IaaS/SaaS you're using. For us traditional enterprise administrators, the regulations are established and we follow them because we're all perfect and deserve raises. But "the cloud" has introduced developers and application admins releasing services to the general public with great haste, sometimes without the checks and balances needed for compliance. The results are mixed. The increasingly popular scan-all-the-things method of finding vulnerable systems is weeding out quite a few unprotected cloud-connected data sets. Even the smallest vendor needs to validate its compliance requirements and implement them at the same pace it's implementing publicly available applications.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) completed enforcement of its security policies on protected health information (PHI) in 2006. HIPAA includes policies ranging from access control and auditing to intrusion prevention and alerting, data validation, authentication practices, and risk analysis and remediation plans (and a host of other things we admins don't care as much about). We know we're getting compliance wrong because, as of January 31st, 2017, the Office for Civil Rights had received over 148,292 complaints of violations since 2003 (complaint != violation). 2017 will see more and more companies deploying cloud services that gray the area between basic PII and PHI. Think Strava recording your epic bike ride or your Garmin tracking your last run... all store data relevant to you and how it relates to your physical condition. What's more interesting to investigate is what rights you have to your last bike ride's information. Can it be sold with only basic de-identification? The boundaries between PHI and PII are blurring because of our desire to connect ourselves, so expect a lot of angry people when an insurance provider is found denying a claim based on "acquired" Fitbit data.

SOX

Thanks, Enron (and Tyco/WorldCom), for getting the Sarbanes-Oxley (SOX) Act of 2002 thrust onto all publicly traded companies. SOX regulates financial practices and corporate governance and is divided into 11 titles, most of which are related to enforcing basic ethics we apparently take for granted. Section 802 is a whole different InfoSec ball game, regulating data retention, classification, and record keeping to ensure the shredder doesn't get used too much. And the cloud has made complying with 802's requirements much. Data governance tools, DLP, and enhanced record-keeping tools are being introduced into all of our favorite cloud apps, from Office 365 to Slack. It's assumed SOX will be a requirement for many cloud applications, so the needed technologies should exist out of the gate.

FIPS

The Federal Information Processing Standards (FIPS) standardize the computer systems used by non-military federal agencies and their contractors. Most people are familiar with FIPS 140-2: Security Requirements for Cryptographic Modules because it's so cool and interesting. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems will become more prevalent as federal agencies are encouraged/forced to use authorized cloud resources to migrate off existing internal government IT disasters and deprecated systems. FIPS 200 sets the minimum security requirements across 17 control areas and defers to NIST SP 800-53 for the actual controls, which is what a provider ends up being measured against. The massive 2015 breach at the Office of Personnel Management, and the years-long blame game still underway, is making private cloud resources more attractive to existing government entities. FIPS 200 will play a vital role for those IaaS/SaaS providers looking to receive those federal dollars. It's going to happen, it's already happening; maybe we can stop

DevCentral, by the F5 DevCentral Team