The USENIX LISA 2016 Conference wrapped up a week ago after a tremendous five-day program of workshops, training sessions, presentations, talks, and more. Our own Pat Cable, Threat Stack Security Engineer, lent his expertise as “Invited Talks Co-Chair,” and Threat Stack was a proud sponsor of the event.
Full length presentations and videos will soon be available on the LISA site, but we thought it would be fun and informative to follow LISA’s motto of “More Craft, Less Cruft” by bringing you short video interviews with five LISA16 attendees and presenters.
So in their own words, here’s what they had to say about their favorite projects, the importance of security, and anything else that was top of mind.
Read more “The USENIX LISA 2016 Conference: In Their Own Words”
Compliance is a complex, ongoing process. Between deciphering requirements into relatable terms, allocating a budget, and assembling a team for your compliance audit — all while trying to stay focused on running your business — there’s a lot to think about and do. And after all of this, there is still more that needs to be managed.
From regular maintenance of the processes, controls, and technology you implemented, to questions from customers about your level of compliance, you’ll quickly realize that compliance is a continuous process that needs to be managed, not a one-and-done activity.
Having said that, what are you doing, or going to do, to make your compliance plan accessible so team members — from Security to IT to Sales — can quickly verify a control or process?
Read more “How to Verify That Compliance Controls and Processes are Being Met”
We write about compliance (and talk to customers about it) pretty regularly, and if you’ve been following our blog over the last two months, then you know we also just did a full series on the topic. In addition, we released The Threat Stack Compliance Playbook, which is full of practical information you can use to help your company achieve compliance without losing your sanity.
Read more “The Ultimate Compliance Cheat Sheet: A Wrap Up of Threat Stack’s Cloud Compliance Series”
Have you heard the one about the bear and the two hikers?
A bear jumps out of the bush and starts chasing two hikers. They both start running for their lives, but then one of them stops to put on his running shoes.
The first hiker says, “What are you doing? You can’t outrun a bear!”
The second hiker replies, “I don’t have to outrun the bear; I only have to outrun you!”
Compliance works in a similar way. You don’t need to be the most compliant company; you just need to meet the requirements well enough to satisfy regulators, auditors, customers, and stakeholders. And, ideally, you want to be more compliant than your competitors. That’s how you outrun the bear (err… win the customer).
Read more “When is Good Enough Good Enough? Meeting Compliance Without Losing Your Mind”
Monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems. Whether you’re on the lookout for an unauthorized employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is indispensable to a strong security posture.
Monitoring is also a requirement for just about every major compliance framework and regulation, from PCI DSS to HIPAA and beyond. For the sake of this post, we’ll be focusing on the security monitoring requirements of PCI DSS and HIPAA, two of the most widely applicable regulations today.
Amazon Web Services (AWS) has pioneered the Shared Responsibility Model in the cloud. Basically, this model outlines how cloud service providers and consumers of these cloud-based services should share responsibilities when it comes to ensuring security in the cloud. AWS and other cloud service providers (CSPs) are responsible for ensuring that cloud infrastructure is secure. Meanwhile, companies (those using the cloud services) are responsible for their data, networks, applications, and operating systems — anything they own that lives in the cloud.
Read more “The Impact of the Cloud’s Shared Responsibility Model on Compliance”
We’ve been talking a lot about compliance lately. That’s because, as more businesses are moving to the cloud and storing internal and customer data there, the means to achieving compliance change significantly. But it’s not the approach to compliance that changes in the cloud, it’s the tooling, as we explained in our post How Does Compliance Differ In The Cloud Versus On-Premise? So as more businesses move to the cloud or operate hybrid environments, we want to help them become clear about what they need to do and, for the purpose of this post, when they need to do it.
Read more “Why You Need to be Compliant Much Sooner Than You Think”
PCI DSS. HIPAA. SOC 2. SOX 404. Compliance can be a complicated and confusing beast, with plenty of acronyms and layers of regulations — not to mention expenses and stress. But achieving compliance in the cloud can also be the key to unlocking new sources of revenue, winning business, and achieving success in today’s competitive business environment.
Read more “Announcing Threat Stack’s Compliance Blog Post Series”
On Tuesday, June 21, I teamed up with Scott Ward, Solutions Architect at AWS, and Arup Chakrabarti, Director of Engineering at PagerDuty, to deliver a webinar about scaling quickly and securely in AWS. The discussion was lively enough to keep beach-and-BBQ dreams at bay for an hour or so on a humid Wednesday in Boston.
Read more “Scaling Quickly & Securely: Achieving Security & Compliance in AWS”
How many times have you finished a 1,000-piece puzzle? How about a serious game of Monopoly? Both of these activities have parallels with the process of meeting compliance regulations.
Read more “Creating a Framework to Enable Compliance in the Cloud”