Cloud Security and Compliance
stackArmor provides cloud security and compliance solutions for regulated industries including Government, Financial Services, Healthcare, Universities, and Public sector organizations. stackArmor is 1 of 10 launch partners for Amazon’s Security Competency and has successfully managed complex systems on AWS for customers like DOD, US Federal Agencies, and Public Sector clients as well as Healthcare and Financial Services clients. Security and compliance-focused customers especially delivering services to Government organizations must comply with FedRAMP, FISMA, or CMMC requirements. NIST SP 800-53 establishes baseline security requirements that define continuous monitoring controls.
Our security and compliance services include:
- Security Assessment & Authorization (SA&A) for NIST SP 800-53 and 800-171 Compliance
- Independent Vulnerability Assessment, Penetration Testing and Attestation for SOC2, HIPAA and NIST compliance
- Managed Security Services with Continuous Security Monitoring, Reporting and Incident Response
Given the increased need for cybersecurity oversight and compliance, organizations are seeking to find the fastest path to complying with ISO 27001, HIPAA, FISMA, FedRAMP, FFIEC, or NIST standards. The stackArmor A.R.MTM (Assess.Remediate.Monitor) methodology is a structured and agile execution path that includes a gap analysis, remediation plan, and continuous compliance framework. The methodology and security controls assessed are drawn from NIST Special Publication 800-53, and additionally map to international ISO/IEC 27001/27002 standards to address administrative, physical, and technical security controls. stackArmor has developed a holistic security architecture and cloud operations framework that is based on real-world implementation experience with US Federal Agencies, Department of Defense, and large Financial and Security-focused Commercial organizations.
The Assessment phase begins with the creation of a risk model and conducting a gap analysis to understand the current state. The risk model identifies the risk factors (threats, vulnerabilities, impact, likelihood, and predisposing conditions) to be assessed and defines the relationships among them. A threat is any circumstance or event with the potential for adverse impact to operations, assets, or personnel. The source of a threat can be a human, environmental, or structural failure and may be intentional or accidental in nature. A vulnerability is a weakness in an information system, security procedure, internal control, or implementation that may be exploited by a threat source. A predisposing condition is a condition that exists within the organization, its business processes, enterprise architecture, or an operating environment that affects the likelihood that initiated threat events result in an adverse impact. The likelihood of occurrence is a weighted risk factor based on the probability that a given threat is capable of exploiting a given vulnerability. The impact of successful exploitation of a vulnerability or predisposed condition is a measure of the magnitude of harm that could be expected to the firm, its assets, or personnel. The assessment approach combines the measurable aspects of a traditional quantitative assessment with the flexibility of a qualitative assessment. This provides meaningful risk results that allow for prioritization. In order to provide improved rigor and effectiveness of risk analysis, a vulnerability-oriented analysis with an impact-oriented analysis to provide a more complete risk picture that identifies vulnerabilities in policy, process, and technology as well as critical assets and the impact of successful attacks against those assets. The Assessment phase includes a comprehensive review of policies, procedures, practices, and tools currently deployed within the enterprise. The environment is scanned for detecting vulnerabilities using penetration testing and scanning tools that are NIST compliant and includes web applications and operating systems software for identifying patching levels.
Based on the findings of the Assessment, a remediation activity is conducted that is commensurate with the organization’s desired security posture. Typically, the remediation phase includes providing a Basic Security Policy that provides an initial baseline. As part of the remediation activity, a Security Assessment Report (SAR) is created that summarizes the scope, approach, high-level findings, and recommendations. Typically, organizations create a Plan of Actions and Milestones (POAM) to implement the recommendations. Findings are categorized as High, Medium or Low. The general practice is to remediate all High’s and a significant number of the Medium’s. Once all remediation activity is concluded, Automated scans with basic parameters are executed to ensure that vulnerabilities have actually been addressed.
Given the dynamic nature of the hosting and software environment, it is critical to ensure that continuous operational activities for vulnerability management, continuous monitoring, and executive management reviews are conducted on a periodic basis, preferably monthly but at least quarterly. An annual penetration and vulnerability test should be conducted to ensure a stable baseline. stackArmor has implemented continuous monitoring and compliance verification service to help organizations easily establish baselines and assess their risk. Click here to learn more about stackArmor ThreatAlert.
Coupled with the right framework and governance methodology, it is critical to have a full-stack security architecture that covers and protects the entire stack including the environment, application, data, and infrastructure. Each element of the architecture requires its own set of tools to protect from the threat vectors for that specific layer. Finally, in addition to the tools, relevant policies and procedures must be incorporated to provide a holistic cybersecurity solution. The diagram provides a high-level overview of the full-stack framework.
Are you interested in a Free consultation with a stackArmor Security Architect on how you can secure your cloud systems from vulnerabilities, meet HIPPA, FFIEC, FedRAMP, or FISMA compliant requirements? Are you interested in learning about the continuous monitoring requirements to meet cloud security and compliance best practices? We can help review your workload requirements and also assist with your security and compliance needs. Schedule a free consultation with a stackArmor DevOps Solutions Architect by sending us an email at solutions at stackarmor.com or fill our contact us form or call us at 888-964-1644.