Building an Effective Cloud Security Program
1 Building an Effective Cloud Security Program
Laura Posey, Senior Security Strategist, Microsoft Corporation; Co-Chair, CSA CAIQ; Programming Chair, NY Metro CSA Chapter
2 Is Cloud worth it? Yes!
- Platform for Innovation with Utility IT
- Any Device, Anywhere, Anytime
- Collaboration & Social Media
3 What are the Cloud risks?
- Shadow & Consumerization of IT
- Security, Trust & Assurance
- Jurisdictional Data Governance
4 About the Cloud Security Alliance (CSA)
- Global, not-for-profit organization
- Over 23,000 individual members, 100 corporate members, 50 chapters
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
- GRC: Balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Enable innovation
- Advocacy of prudent public policy
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
5 CSA Contributing Members (and MANY more)
6 What is GRC?
7 Related existing standards
8 Who is accountable for what?
9 Control Ownership Clarity
You can outsource business capability or function, but you cannot outsource accountability for information security: do your due diligence to identify and address it.
10 CSA Guidance Research
- "Popular best practices for securing cloud computing"
- 14 Domains of concern
- Governing & operating groupings
Governing the Cloud: Cloud Architecture; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Transparency; Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
11 Guidance Highlights 1/2
- Governance, ERM: Secure the cloud before procurement: contracts, SLAs, architecture
- Governance, ERM: Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Legal: Plan for provider termination & return of assets
- Compliance: Identify data location when possible
- ILM: Persistence, Protection
- Portability & Interoperability: SOA loose coupling principles
12 Guidance Highlights 2/2
- BCM/DR: provider redundancy vs. your own
- DC Ops: provisioning, patching, logging
- Encryption: encrypt data when possible, segregate key management from the cloud provider
- AppSec: Adapt the secure software development lifecycle
- Virtualization: Harden, rollback, port VM images
- IdM: Federation & standards, e.g. SAML, OpenID
13 A Cloud Security Governance, Risk, and Compliance (GRC) Stack
Table columns: Delivering | Stack Pack | Description (the Stack Pack column held component logos, not captured in the transcription)
- Delivering: The recommended foundations for controls. Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider.
- Delivering: Pre-audit checklists and questionnaires to inventory controls. Description: Industry-accepted ways to document what security controls exist.
- Delivering: Continuous monitoring with a purpose. Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers.
- Delivering: Claims, offers, and the basis for auditing service delivery. Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments.
14 CSA GRC Stack (cont.)
15 Cloud Controls Matrix (CCM)
First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
- Addresses the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
- Provides an anchor point and common language for balanced measurement of security and compliance postures.
- Provides holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
- Serves as the basis for new industry standards and certifications.
v1.2 released Aug 2011; v2.0 to be released Nov
16 CCM 11 Domains
17 CCM snapshot: architectural and delivery model relevance
18 CCM snapshot: mappings to popular standards*
*Standards represented in CCM v1.2: COBIT 4.1, HIPAA/HITECH Act, ISO/IEC , NIST SP R3, FedRAMP, PCI DSS v2.0, BITS Shared Assessments SIG v6.0, BITS Shared Assessments AUP v5.0, GAPP (Aug 2009), Jericho Forum, NERC CIP
19 Consensus Assessments Initiative Questionnaire (CAIQ)
- Cloud Supply Chain risk management and due diligence questionnaire (148 questions)
- Enables Cloud service providers to demonstrate compliance with the CSA CCM.
- Forms the basis for establishing Cloud-specific Service Level Objectives that can be incorporated into supplier agreements.
- Along with the CSA CCM, integrated into third-party GRC solution providers.
20 CAIQ Guiding Principles
The following are the principles that the working group utilized as guidance when developing the CAIQ:
- The questionnaire is organized using the CSA 13 governing & operating domains, divided into control areas within CSA's Control Matrix structure.
- Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile.
- The CAIQ is not intended to duplicate or replace existing industry security assessments, but to contain questions unique or critical to the cloud computing model in each control area.
- Each question should be able to be answered yes or no. If a question can't be answered yes or no, then it was separated into two or more questions to allow yes or no answers.
- Questions are intended to foster further detailed questions to the provider by the client, specific to the client's cloud security needs. This was done to limit the number of questions to make the assessment feasible, and since each client may have unique follow-on questions or may not be concerned with all follow-on questions.
21 CAIQ snapshot
22 CAIQ snapshot: questions detail
Encryption Key Management (IS-19):
- Do you encrypt tenant data at rest (on disk/storage) within your environment?
- Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
- Do you have a capability to manage encryption keys on behalf of tenants?
- Do you maintain key management procedures?
Vulnerability / Patch Management (IS-20):
- Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
- Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
- Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
- Will you make the results of vulnerability scans available to tenants at their request?
- Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
- Will you provide your risk-based systems patching timeframes to your tenants upon request?
23 CSA Security Trust & Assurance Registry (STAR)
Public and free registry of Cloud Provider self-assessments, demonstrating adoption of:
- Cloud Controls Matrix (CCM)
- Consensus Assessments Initiative Questionnaire (CAIQ)
- Promotes transparency of security practices within cloud providers
- Documents the security controls provided by various cloud computing offerings
- Free market competition to provide quality assessments.
24 CSA STAR Listing Process
- Provider fills out CAIQ or customizes CCM
- Uploads document at /star
- CSA performs basic verification: authorized listing from provider; delete SPAM, poisoned listings; basic content accuracy check
- CSA digitally signs and posts at /star
Registry location: https://cloudsecurityalliance.org/research/initiatives/star-registry/
25 Completed STAR snapshot: Microsoft's Office 365
Table columns: Control ID | Description in CCM (CCM Version R1.1 Final) | Microsoft Response
IS-19 Information Security - Encryption Key Management
Description: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Microsoft Response: Encryption is provided on several layers, such as Transport Layer, encryption between clients and Exchange Online (SSL), Instant Messaging and IM federation. For more information consult the Office 365 Security Service Description available on the Download Center. Furthermore, we support S/MIME, Active Directory Rights Management Services or PGP. Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS. Media Handling is covered under the ISO standards, specifically addressed in Annex A, domain. For more information, review of the publicly available ISO standards we are certified against is suggested.
IS-20 Information Security - Vulnerability / Patch Management
Description: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and Contractor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
Microsoft Response: Microsoft Online Services implements technologies to scan the environment for vulnerabilities. Identified vulnerabilities are tracked and verified for remediation. In addition, regular vulnerability/penetration assessments to identify vulnerabilities and determine whether key logical controls are operating effectively are performed. Microsoft's Security Response Center (MSRC) regularly monitors external security vulnerability awareness sites. As part of the routine vulnerability management process, Microsoft Online Services evaluates our exposure to these vulnerabilities and leads action across Microsoft Online Services to mitigate risks when necessary. The Microsoft Security Response Center (MSRC) releases security bulletins on the second Tuesday of every month ("Patch Tuesday"), or as appropriate to mitigate zero-day exploits. In the event that proof-of-concept code is publicly available regarding a possible exploit, or if a new critical security patch is released, Microsoft Online Services is required to apply patches to affected Microsoft Online Services systems according to a patching policy to remediate the vulnerability to the customer's hosted environment. Control of technical vulnerabilities is covered under the ISO standards, specifically addressed in Annex A, domain. For more information, review of the publicly available ISO standards we are certified against is suggested.
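The CAIQ slides above describe a questionnaire whose every question must be answerable yes or no, grouped under CCM control IDs, and the STAR snapshot shows how a "no" (Office 365 not encrypting data at rest) comes with a compensating control the customer has to own. The following is an added example, not CSA's or the presenter's tooling, of how a customer might process such a sheet during procurement: it validates that answers are yes/no, tallies coverage per control ID, and turns each "no" into a due-diligence follow-up. The CSV excerpt is constructed; the sub-question IDs (IS-19.1 and so on) and the answers are assumed, only the control IDs and question wording come from the slides.

```python
"""Evaluate a CAIQ-style yes/no answer sheet against CCM control IDs.

Added example, not CSA's or the presenter's own tooling. The CSV below is
constructed: question wording is taken from the IS-19 / IS-20 slide, but
the sub-question IDs and the provider's answers are assumed.
"""
import csv
import io
from collections import defaultdict

# Constructed provider answer sheet (CAIQ excerpt). Sub-question IDs are
# assumed; the page shows only the control IDs IS-19 and IS-20.
CAIQ_EXCERPT = """\
control_id,question_id,question,answer,notes
IS-19,IS-19.1,Do you encrypt tenant data at rest (on disk/storage) within your environment?,No,Customer may encrypt via IRM/RMS
IS-19,IS-19.2,Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?,Yes,
IS-19,IS-19.3,Do you have a capability to manage encryption keys on behalf of tenants?,Yes,
IS-19,IS-19.4,Do you maintain key management procedures?,Yes,
IS-20,IS-20.1,Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?,Yes,
IS-20,IS-20.2,Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?,Yes,
IS-20,IS-20.3,Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?,Yes,
IS-20,IS-20.4,Will you make the results of vulnerability scans available to tenants at their request?,Partially,
IS-20,IS-20.5,"Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?",Yes,
IS-20,IS-20.6,Will you provide your risk-based systems patching timeframes to your tenants upon request?,,
"""

# CAIQ guiding principle: every question is answerable yes or no
# (N/A is tolerated here for controls outside the service's delivery model).
VALID_ANSWERS = {"yes", "no", "n/a"}


def load_caiq(text):
    """Parse the CSV answer sheet into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_answers(rows):
    """Return question IDs whose answer is not yes/no/n/a (blank, 'partially',
    free text ...). These go back to the provider before any scoring: a
    hedged answer hides exactly the gap the questionnaire exists to surface."""
    return [r["question_id"] for r in rows
            if r["answer"].strip().lower() not in VALID_ANSWERS]


def coverage_by_control(rows):
    """Per CCM control ID, return (yes_count, validly_answered_count)."""
    cov = defaultdict(lambda: [0, 0])
    for r in rows:
        ans = r["answer"].strip().lower()
        if ans in VALID_ANSWERS:
            cov[r["control_id"]][1] += 1
            if ans == "yes":
                cov[r["control_id"]][0] += 1
    return {cid: tuple(counts) for cid, counts in cov.items()}


def due_diligence_gaps(rows):
    """Each 'No' becomes a follow-on item for the customer: what compensating
    control exists, and whether it is the customer's job (as with IRM/RMS for
    data at rest in the STAR snapshot) or the provider's."""
    gaps = []
    for r in rows:
        if r["answer"].strip().lower() == "no":
            gaps.append({
                "control_id": r["control_id"],
                "question_id": r["question_id"],
                "follow_up": r["notes"].strip()
                or "ask provider for compensating control and ownership",
            })
    return gaps


if __name__ == "__main__":
    rows = load_caiq(CAIQ_EXCERPT)
    print("Needs yes/no rework:", validate_answers(rows))
    for cid, (yes, answered) in sorted(coverage_by_control(rows).items()):
        print(f"{cid}: {yes}/{answered} valid answers are yes")
    for g in due_diligence_gaps(rows):
        print(f"GAP {g['question_id']} ({g['control_id']}): {g['follow_up']}")
```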
26 CSA STAR: What You Should Do
Providers:
- Start filling out the CAIQ and/or CCM
- Ask us for help
Customers:
- Put your providers on notice; point them to the CAIQ and/or CCM
- Make CSA STAR entries a standard part of procurement & assessment
- Get ready for the update in November.
27 CSA Collaboration with SBOs (Copyright 2010 Cloud Security Alliance)
28 Other CSA Research
- Trusted Cloud Initiative (TCI): Presents a multi-tier architecture integration of TOGAF (The Open Group), ITIL, and SABSA (Zachman security model) with individual security elements mapped to CMM controls.
- CloudSIRT: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
- Cloud Metrics: Companion project of CCM and CloudAudit defining objective criteria related to security control items, encompassing XDAS, CEE and Syslog-ng, and collaborating with the DMTF cloud audit data federation work group.
- Big Data: Identifying scalable techniques for data-centric security and privacy problems, leading to crystallization of best practices for security and privacy in big data that can help industry and government with adoption of best practices.
- Mobile: Creating guidelines for the mobile device security framework and mobile cloud architectures; securing application stores and other public entities deploying software to mobile devices; analysis of mobile security capabilities and features of key mobile operating systems; and cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives.
29 Contact CSA
Help us secure cloud computing! LinkedIn: Join your local CSA Chapter: https://cloudsecurityalliance.org/chapters/
30 Thank You!
31 Appendix: Back-Up Slides
32 CSA Organization & Operations
33 CCM 98 Controls
34 CCM 98 Controls (cont.)
35 CCM 98 Controls (cont.)
36 CCM 98 Controls (cont.)
37 CSA STAR FAQ
- Where? /star/
- Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers
- Costs? Free to post, free to use
- Is this a new hacker threat vector? No, it is responsible disclosure of security practices
- Will CSA police STAR? Initial verification and maintenance of an Abuse mailbox
- Do listings expire? Yes, 1 year limit
38 Key Cloud Security Problems
From CSA Top Threats Research:
- Trust: Lack of Provider transparency impacts Governance, Risk Management, Compliance, and the capture of real value
- Data: Leakage, Loss or Storage in unfriendly geography
- Insecure Cloud software
- Malicious use of Cloud services
- Account/Service Hijacking
- Malicious Insiders
- Cloud-specific attacks
More informationHow RSA has helped EMC to secure its Virtual Infrastructure
How RSA has helped EMC to secure its Virtual Infrastructure A new solution, the RSA solution for Cloud Security and Compliance, has been developed and is now available to all of our customers. Luciano
More informationMission. To provide higher technological educa5on with quality, preparing. competent professionals, with sound founda5ons in science, technology
Mission To provide higher technological educa5on with quality, preparing competent professionals, with sound founda5ons in science, technology and innova5on, commi
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationAbout the Presenter About the Cloud Security Alliance Guidance 1.0 Getting Involved Call to Action
Governance, Risk Management, Compliance, & Audit An Overview of Cloud Security Alliance s Security Guidance for Critical Areas of Focus in Cloud Computing July 23, 2009 Agenda About the Presenter About
More informationSome Security Challenges of Cloud Compu6ng. Kui Ren Associate Professor Department of Computer Science and Engineering SUNY at Buffalo
Some Security Challenges of Cloud Compu6ng Kui Ren Associate Professor Department of Computer Science and Engineering SUNY at Buffalo Cloud Compu6ng: the Next Big Thing Tremendous momentum ahead: Prediction
More informationAn Introduc+on to CloudPrime
TM An Introduc+on to CloudPrime Secure messaging pla/orm to protect pa2ent privacy and uphold HIPAA/HITECH regula2on Mari Tangredi, CloudPrime 1 CloudPrime Company Overview! Headquartered in San Francisco,
More informationCorporate Membership. For Solution Providers
Corporate Membership For Solution Providers Introduction Welcome to the Cloud Security Alliance. The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing
More informationA Review : Security Framework Information Technology for University Based on Cloud Computing. E.S. Negara, R. Andryani
ICIBA 2014, the Third International Conference on Information Technology and Business Aplication Palembang-Indonesia, 20-21 February 2014 A Review : Security Framework Information Technology for University
More informationCloud Card Compliance Checklist
Cloud Card Compliance Checklist An efficient tool for securing deployment Card Solutions on the Cloud Hassan El Alloussi, Laila Fetjah, Abdelhak Chaichaa Department of Mathematics and Computer Science
More informationFrom Big Data to Value
From Big Data to Value The Power of Master Data Management 2.0 Sergio Juarez SVP Elemica EMEA & LATAM Reveal Oct 2014 Agenda Master Data Management Why Now? What To Do? How To Do It? What s Next? Today
More informationCloud Computing What Auditors need to know
Cloud Computing What Auditors need to know This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business,
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationCloud Security. DLT Solutions LLC June 2011. #DLTCloud
Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions
More informationBig Data. The Big Picture. Our flexible and efficient Big Data solu9ons open the door to new opportuni9es and new business areas
Big Data The Big Picture Our flexible and efficient Big Data solu9ons open the door to new opportuni9es and new business areas What is Big Data? Big Data gets its name because that s what it is data that
More informationTop 10 Risks in the Cloud
A COALFIRE PERSPECTIVE Top 10 Risks in the Cloud by Balaji Palanisamy, VCP, QSA, Coalfire March 2012 DALLAS DENVER LOS ANGELES NEW YORK SEATTLE Introduction Business leaders today face a complex risk question
More informationCompliance and Cloud Computing
Compliance and Cloud Computing Balaji Palanisamy Director, Southwest- US Coalfire Systems, Inc. July 24, 2014 Agenda Introduction Cloud Computing Basics Cloud Computing Threats Security vs. Compliance
More informationSECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP
SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson
More informationCloud Security for Federal Agencies
Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service
More informationHow To Protect Your Cloud From Attack
SESSION ID: CDS-R03 Security Lessons Learned: Enterprise Adoption of Cloud Computing Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa Agenda What we are going to cover The current &
More informationCost Effec/ve Approaches to Best Prac/ces in Data Analy/cs for Internal Audit
Cost Effec/ve Approaches to Best Prac/ces in Data Analy/cs for Internal Audit Presented to: ISACA and IIA Joint Mee/ng October 10, 2014 By Outline Introduc.on The Evolving Role of Internal Audit The importance
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationB2B Offerings. Helping businesses op2mize. Infolob s amazing b2b offerings helps your company achieve maximum produc2vity
B2B Offerings Helping businesses op2mize Infolob s amazing b2b offerings helps your company achieve maximum produc2vity What is B2B? B2B is shorthand for the sales prac4ce called business- to- business
More informationAddressing Cloud Computing Security Considerations
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
More informationISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services
ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better
More informationCloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak
Cloud Standardization, Compliance and Certification Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak Todays Agenda IT Resourcing with Cloud Computing and related challenges Landscape
More informationBusiness Analysis Standardization A Strategic Mandate. John E. Parker CVO, Enfocus Solu7ons Inc.
Business Analysis Standardization A Strategic Mandate John E. Parker CVO, Enfocus Solu7ons Inc. Agenda What is Business Analysis? Why Business Analysis is Important? Why Standardization of Business Analysis
More informationBSM for IT Governance, Risk and Compliance: NERC CIP
BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More information