Securing Government Clouds Preparing for the Rainy Days
- Naomi Cross
- 8 years ago
1 Securing Government Clouds: Preparing for the Rainy Days. Majed Saadi, Director, Cloud Computing Practice
2 Agenda
1. The Cloud: Opportunities and Challenges
2. Cloud's Potential for Providing Government Services
3. Strategizing for a Cloud-Based Government
4. Stratify: a Cloud Security Framework
5. Questions
3 SRA at a Glance (updated 6/15/2012)
Founded in 1978, SRA is dedicated to delivering innovative solutions to the US Federal Government.
- Approved FedRAMP 3PAO Assessor
- Current cloud vehicles: Army Private Cloud (APC2), GSA Email as a Service (EaaS) GWAC, FedRAMP 3PAO
- 90% of FY11 $1.7 billion in revenue generated as a prime contractor
- More than 6,300 employees across the country and around the world
SRA Proprietary
4 SRA's Cyber Security Heritage
SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s, moving to Critical Infrastructure Protection and cybersecurity in the 2000s, and focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness.
- Developed the first Automated System Security Evaluation and Remediation Tracking Tool (ASSERT) with the EPA
- Received NSA IA-CMM rating (highest rating across Federal contractors)
- Security Program Maturity Model
- Privacy Practice established (DHS first client)
- CyberRisk Compliance Process
- Developed Computer Network Exploitation software and services for the IC
- Cyber Security SOC Maturity Model
- Developed SecureElite
- SRA SDLC finalized
- One of the first Federal ISO certifications for the TSA SOC
- Congressional Scorecards (5 of the 7 A scores are SRA customers)
- Architect (committers) of NSA Accumulo Secure Cloud
- Received highest DoD CCRI rating to date (JSIN and EUCOM/AFRICOM projects)
- SRA wins a seat on the DHS CMaaS BPA
- Accredited FedRAMP Independent Third Party Assessment Organization (Type C)
- Cyber Security Practice established
- Cybersecurity Big Data capability using Hadoop
5 The Cloud: Opportunities and Challenges What do you need to know about government and the cloud? And why should you care?
6 Cloud & Cloud Security Trends
7 Government Cloud Computing Drivers
Why move to the Cloud? IT efficiency, flexibility & elasticity, compliance.
- Reduce infrastructure overhead (equipment & personnel) using cost-controlled, easy-to-manage processing power
- Comply with federal mandates (Cloud First)
- Transfer infrastructure risks to contractors or service providers
- Satisfy short-term & short-notice needs (surges)
- Enhance service availability & remote accessibility options
- Increase agility in responding to infrastructure change requirements
- Facilitate proprietary application modernization, development and integration
- Improve business continuity & disaster recovery
- Improve the enterprise Green IT posture
8 Questions on Our Customers' Minds
- How do I enable my agency to benefit from commodity cloud services while ensuring compliance and security?
- How do I ensure that I have complete FISMA compliance with a FedRAMP cloud?
- How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog?
9 The US Government & The Cloud: An Update
- Cloud First Initiative: potential savings ~$20 billion (25% of IT budget)
- Federal Data Center Consolidation Initiative (FDCCI): close or consolidate ~1,200 of ~2,900 federal data centers; expected savings ~$2.4-$5 billion
- IaaS & EaaS BPAs
- Other initiatives: PortfolioStat, Mobility, Digital Government Strategy
Source: FCW.com
10 Privacy and Security Legal Requirements
- Federal: GLBA, FTCA, SOX, FCRA/FACTA, HIPAA, FISMA, DIACAP, FERPA, 21 C.F.R. Part 11 (FDA regulations), Executive Orders and Agency Memoranda, COPPA, Federal Risk and Authorization Management Program (FedRAMP)
- State: Notice of Security Breach, other state laws
- International: EU Data Protection Directive (member countries), Canada PIPEDA, others (e.g., UK, Japan, Australia)
- Private: contractual requirements and standards, PCI DSS, Business Associate Agreements, Service Provider Agreements, NIST, MPAA, ISO 27001, 27002, etc., Cloud Security Association
11 FedRAMP's Purpose
The Problem: a duplicative, inconsistent, time-consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
The Solution, FedRAMP:
- Unified risk management approach
- Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact)
- Consistent assessment process
- Provisional ATO
4/21/2014
12 FedRAMP Executive Sponsors
- Office of Management and Budget
- US-CERT: incident coordination
- CyberScope: continuous monitoring data analysis
13 Cloud's Potential for Providing Government Services. Is the cloud really the solution?
14 The Demand for Change is Great: Sequestration, Budget Cuts, Mandates, Shadow IT, Mobile Workforce
15 Dad, What is This?
16 The Digital Natives are Here! (old expectation vs. new expectation)
- Buy hardware for that vs. there is an app for that
- I need an iron-clad application vs. I need an app store
- License to own a product vs. license to use a service
- Build to last vs. build to replace
- Expect it to be $$$ vs. $1.00 maybe?
17 A New Paradigm for a New IT Worker (old vs. new)
- Designed for endurance vs. designed to accept failure
- Operated with a tech sense vs. operated with a business sense
- Service optional vs. service first
18 Is Cloud a Tipping Point?
- Cloud Computing is mature IT, but it's also flexible IT, mission-aligned IT and, for some, it's also cool IT
- Cloud Computing changes users' expectations and promises a simplified, business-oriented approach
- What IT organizations fear about the cloud is the potential of losing control
- Cloud Computing does force IT organizations out of their comfort zone
- Cloud Computing will soon become IT as usual, but it will surely impact all IT organizations
19 Strategizing for a Cloud-Based Government Yes. We do need a strategy!
20 Government-Specific Considerations: Procurement Vehicles, Budget Cycles, Security & Compliance, Service Level Management, Portability & Interoperability, Organizational Change Management, Politics
21 A Gap Example: The Power Grid Analogy One Metric = One SLA = Life is Simple
22 A Gap Example: The Power Grid Analogy Many Metrics = Many SLAs = Life is Complicated
23 The Power Grid Analogy
- Who reads the meters?
- Who trusts the readings?
- Who controls spending?
- Who makes the decisions?
24 Developing a Realistic Cloud Plan
- Understand the cloud concepts
- Approach cloud as part of your strategy, but not as an ultimate solution!
- Identify the cloud solutions or technology components that make sense to your organization
- First envision, then architect
- Do not keep your strategy a secret: visualize, communicate, publicize
- Use a proven framework to reduce risks: TOGAF, DODAF, FEAF, ITIL
25 SRA's Cloud Computing Support Services
Lifecycle phases: Strategy, Readiness, Engineering, Modernization, Management
- Cloud Migration Planning and Execution
- Cloud Service Management & Governance
- Cloud Strategy Development
- Cloud Readiness Assessment
- Cloud Architecture
- Cloud Software Modernization
- Cloud Software & Services Integration
- Cloud Security Management
SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers' business and mission objectives.
26 SRA's Cloud Brokerage CONOPS: Architectural Options
Diagram labels: Unified Service, Performance & Financial Reporting; Trend & Predictive Analysis; Program & Portfolio Management; Federal Cloud Consumers; Project Management; Cloud Service Enabler (Full Broker); Application Management and Oversight; Mission and Architectural Requirements and Objectives; Requirements Changes; Pre-negotiated SLAs & Pricing; Cloud APIs; Service Management; Cloud Lifecycle Management; Portability & Interoperability Management; Security & Compliance; Service Levels; Warranty Support; Response Support; Discovery Support; Cloud Service Orchestration; Cloud On-Boarding & Off-Boarding; Cloud Assessment; Initial & Periodic Security Control Assessment; Cloud Backbone Management (IaaS, PaaS, SaaS); Cloud Service Providers (AWS); FedRAMP 3PAOs; Security Control Documentation; Auditing Security Controls Documentation.
27 Cloud Security is a Shared Responsibility
SRA's Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA Moderate controls with a realistic, practical and cloud-centric architecture.
Responsibility layers, top to bottom: Engineering & Administration Personnel, Applications, Data, Operating Systems, Service Management, Transport Systems, Hypervisors, Physical Servers, Physical Infrastructure, Datacenter Personnel. The upper layers are the customer's and cloud systems integrator's responsibility, the middle layers are a joint responsibility, and the lowest layers (physical servers, physical infrastructure, datacenter personnel) are the cloud service provider's responsibility.
28 The Stratify Reference Architecture Model
29 Anatomy of a Cloud A successful cloud implementation requires providing solution(s) for all required components as well as all the optional components required by the environment.
30 Anatomy of a Secure Cloud
To be able to call a cloud solution a secure one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation.
31 Stratify: a Reference Architecture
Components:
- Security Reporting: Alerts Management, Compliance Dashboards
- External Penetration Testing & Compliance Validation
- Incident Response, Notification and Remediation
- Application Software Security
- Security Audit Management
- Logs Collection & Analysis
- Configuration Management
- Asset Discovery & Control
- Configuration Control
- Image Management
- Baseline Compliance
- Identity & Access Management
- Multi-factor Authentication
- Authorization Management
- Single Sign-On
- Continuous Vulnerability Monitoring & Remediation
- Malware Defense
- Managed Security Devices
- Network Access Controls
- Intrusion Detection & Prevention
- Network Behavioral Anomaly Detection
- Data Security Management
- Data-at-Rest Encryption
- Data-in-Transit Encryption
- Data Loss Prevention
- Data Resilience
- Perimeter Defense
- Personnel Security
- Training & Talent Management
- Governance & Continual Improvement
- Physical Security
32 Reference Architecture Applicability Example
(The same component list as the Stratify reference architecture slide, with each component marked using the key: Must Have / Good to Have.)
The applicability of certain architectural components to a specific environment is highly influenced by SRA's customer intimacy, understanding of strategic goals, and the applied use case.
33 Reference Architecture Responsibilities & Ownership Example
(The same component list as the Stratify reference architecture slide, with each component marked using the key: CSP / Enabler / Joint / Customer-SI.)
Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlying responsibilities are well defined and communicated to each of the players.
34 Modular Implementation Approach
Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products. It could also be applied holistically as a turnkey packaged solution (with all its recommended products), especially when new programs or green-field initiatives are commenced in the cloud.
The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology.
(The slide repeats the reference architecture component list for each of the two approaches.)
35 Mapping to Key Security Frameworks
36 Partner & Product Selection Criteria
Criteria for a Stratify partner:
- Integration capabilities (APIs)
- Cloud offerings and licensing model
- Stable business model
- Gartner/Forrester assessment
- Tool areas mapping
- Proven in government
- Thought leader
- Comprehensive, cost-effective, feasible, practical
37 Partner Mapping to Reference Architecture
38 My Final Message
- The Cloud is here, and the government is starting to consider it in its strategy
- With new opportunities come new challenges
- The Cloud will have an impact on the way the government supports its mission
- It will also have an impact on how commercial vendors and FSIs conduct business with the government
- The impact should not be overlooked!!!
39 Questions & Contact Information
Majed Saadi, Director, Cloud Computing Practice, SRA International
LinkedIn: ohcloud
Blog:
40 Key Stratify Outputs
- Security Reference Architecture Model: details the different technology components that constitute secure cloud environments and their interrelationships. Focuses on common IaaS use scenarios and provides the blueprints for employing them.
- Mapping to Key Security Frameworks and Controls: assists CIOs and CSOs in making the cloud migration decision in the context of the proven models (FISMA, SANS 20, FedRAMP, etc.).
- Technology Recommendations: lists proven best-of-breed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Model.
- Compliance Dashboards: provide CSOs with the ability to monitor their cloud environments with government-oriented security metrics.
41 Stratify Demo
42 Stratify Demo: GovCloud Region Architecture
Diagram labels: GovCloud Region; Availability Zone A; Availability Zone B; Security VPC Subnet; Vulnerability Scanning & Monitoring Tool; Configuration Control Tool; Logs Correlation Tool; Aggregation Dashboards; Secure AMI Library; Simulated Attack; Internet Gateway; Penetration Testing Tool; Auto-scaling Group; DB VPC Subnet; Auto-scaling Group; App VPC Subnet; Advanced Firewall Tool; VPN Gateway; Anti-Virus Tool; Elastic Load Balancing; Agency Data center.
54 Demo results: clean results; attack initiated; how vulnerable systems will show
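As an added illustration of the demo topology (not code from the deck or from SRA), the following Python check encodes the segmentation the diagram implies: only the load-balancer subnet faces the Internet Gateway, the App, DB and Security subnets reach the agency data center through the VPN Gateway, and the DB tier listens only to the App tier and the Security subnet's scanning tools. The CIDRs, ports and rule sets are constructed assumptions.

```python
"""Segmentation checks for the three-subnet GovCloud VPC in the Stratify demo
diagram (Security, App and DB VPC subnets, Elastic Load Balancing, Internet
Gateway, VPN Gateway to the agency data center).  Added example, not SRA code;
CIDRs, ports and rule sets are constructed assumptions, not values from the deck."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"
AGENCY_DC = "10.200.0.0/16"        # assumed on-premises range behind the VPN Gateway
CIDR = {                            # assumed subnet ranges
    "elb": "10.0.3.0/24",           # public subnet holding Elastic Load Balancing
    "app": "10.0.1.0/24",           # auto-scaling application tier
    "db": "10.0.2.0/24",            # auto-scaling database tier
    "security": "10.0.0.0/24",      # scanning, config control, log correlation, dashboards
}


@dataclass
class Subnet:
    name: str
    routes: Dict[str, str]          # destination CIDR -> target: "local", "igw" or "vgw"
    ingress: List[Tuple[str, int]]  # (source CIDR, port); port 0 means any port


def private_routes() -> Dict[str, str]:
    """Route table for a private tier: VPC-local traffic plus the agency data
    center over the VPN Gateway, no Internet Gateway.  Fresh dict per subnet."""
    return {"10.0.0.0/16": "local", AGENCY_DC: "vgw"}


def demo_vpc() -> List[Subnet]:
    """The demo topology as intended: only the ELB subnet routes to the IGW."""
    return [
        Subnet("elb", {"10.0.0.0/16": "local", ANY: "igw"}, [(ANY, 443)]),
        Subnet("app", private_routes(), [(CIDR["elb"], 8443), (CIDR["security"], 0)]),
        Subnet("db", private_routes(), [(CIDR["app"], 5432), (CIDR["security"], 0)]),
        # Security subnet: dashboards reachable from the agency data center,
        # syslog (514) arriving from the App and DB tiers for log correlation.
        Subnet("security", private_routes(),
               [(AGENCY_DC, 443), (CIDR["app"], 514), (CIDR["db"], 514)]),
    ]


def check_segmentation(subnets: List[Subnet]) -> List[str]:
    """Return one finding per violated invariant; empty means the topology
    matches the diagram's intent."""
    findings: List[str] = []
    by_name = {s.name: s for s in subnets}
    for s in subnets:
        # 1. Only the load-balancer subnet may route to the Internet Gateway.
        if s.name != "elb" and "igw" in s.routes.values():
            findings.append(f"{s.name}: route to Internet Gateway; tier must stay private")
        # 2. Private tiers must reach the agency data center via the VPN Gateway
        #    (log forwarding to the agency SOC, administration from on-prem).
        if s.name != "elb" and s.routes.get(AGENCY_DC) != "vgw":
            findings.append(f"{s.name}: no VPN Gateway route to agency data center {AGENCY_DC}")
        # 3. Only the ELB listener may be open to the world.
        for src, port in s.ingress:
            if src == ANY and not (s.name == "elb" and port == 443):
                findings.append(f"{s.name}: port {port} open to {ANY}")
    # 4. The DB tier accepts its service port only from the App tier; any other
    #    source must be the Security subnet (vulnerability scanning, config control).
    for src, port in by_name["db"].ingress:
        if src not in (CIDR["app"], CIDR["security"]):
            findings.append(f"db: unexpected source {src} on port {port}")
        elif src == CIDR["app"] and port != 5432:
            findings.append(f"db: app tier allowed on port {port}, expected 5432 only")
    # 5. The App tier takes user traffic only from the load balancer.
    for src, port in by_name["app"].ingress:
        if src not in (CIDR["elb"], CIDR["security"]):
            findings.append(f"app: unexpected source {src} on port {port}")
    return findings


def drifted_vpc() -> List[Subnet]:
    """Same topology after two configuration drifts: the DB listener opened to
    the world and a direct Internet Gateway route added to the App subnet."""
    subnets = demo_vpc()
    by_name = {s.name: s for s in subnets}
    by_name["db"].ingress.append((ANY, 5432))
    by_name["app"].routes[ANY] = "igw"
    return subnets


if __name__ == "__main__":
    for label, topology in (("demo", demo_vpc()), ("drifted", drifted_vpc())):
        print(label, check_segmentation(topology) or "OK")
```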
More informationRisk Management Framework (RMF): The Future of DoD Cyber Security is Here
Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationNEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
More informationCLOUD COMPUTING SERVICES CATALOG
CLOUD COMPUTING SERVICES CATALOG... Including information about the FedRAMP SM authorized Unclassified Remote Hosted Desktop (URHD) Software as a Service solution CTC Cloud Computing Services Software
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationEnterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions
Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions Benjamin Bergersen Certified in the Governance of Enterprise IT - CGEIT Certified Information Systems Security
More informationCloud Security Alliance and Standards. Jim Reavis Executive Director March 2012
Cloud Security Alliance and Standards Jim Reavis Executive Director March 2012 About the CSA Global, not for profit, 501(c)6 organization Over 32,000 individual members, 120 corporate members, 60 chapters
More informationPerspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory
Perspectives on Cloud Computing and Standards Peter Mell, Tim Grance NIST, Information Technology Laboratory Standardization and Cloud Computing Cloud computing is a convergence of many technologies Some
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationCYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014
CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION Architecture Framework Advisory Committee November 4, 2014 1 Agenda TIME TOPICS PRESENTERS 9:00 9:15 Opening Remarks and Introductions Shirley Ivan,
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationCaretower s SIEM Managed Security Services
Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During
More informationOWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect
OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud
More informationThe Education Fellowship Finance Centralisation IT Security Strategy
The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and
More informationRethinking IT and IT Security Strategies in an Era of Advanced Attacks, Cloud and Consumerization
Rethinking IT and IT Security Strategies in an Era of Advanced Attacks, Cloud and Consumerization Neil MacDonald VP and Gartner Fellow Gartner Information Security, Privacy and Risk Research Twitter @nmacdona
More informationCloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter
Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute
More informationITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS
ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information
More informationRising to the Challenge
CYBERSECURITY: Rising to the Challenge Dialogues with Subject Matter Experts Advanced persistent threats. Zero-day attacks. Insider threats. Cybersecurity experts say that if IT leaders are not concerned
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationSimone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud
Simone Brunozzi, AWS Technology Evangelist, APAC Fortress in the Cloud AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO 27001 Certification PCI DSS
More informationA COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012
A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES
More informationUsing ArcGIS for Server in the Amazon Cloud
Federal GIS Conference February 9 10, 2015 Washington, DC Using ArcGIS for Server in the Amazon Cloud Bonnie Stayer, Esri Amy Ramsdell, Blue Raster Session Outline AWS Overview ArcGIS in AWS Cloud Builder
More informationWhy Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it
The Cloud Threat Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it This white paper outlines the concerns that often prevent midsized enterprises from taking advantage of the Cloud.
More informationSOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Compliance
SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Compliance www.citrix.com Contents Introduction... 3 Fitting Compliance to the Cloud... 3 Considerations for Compliance in the Cloud... 4
More informationNCTA Cloud Architecture
NCTA Cloud Architecture Course Specifications Course Number: 093019 Course Length: 5 days Course Description Target Student: This course is designed for system administrators who wish to plan, design,
More informationCloud Computing and Data Center Consolidation
Cloud Computing and Data Center Consolidation Charles Onstott, PMP Chief Technology Officer, Enterprise IT Services SAIC Steven Halliwell General Manager for State and Local and Education Sales Amazon
More informationWasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute
Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationProfessional Services Overview
Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded
More informationHow To Protect Yourself From A Hacker Attack
Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims
More informationNERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice
NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to
More informationTESTIMONY OF MR. RICHARD SPIRES CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY
TESTIMONY OF MR. RICHARD SPIRES CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
More informationAWS Worldwide Public Sector
15 Minute Introduction to AWS and Q&A April 2015 Mark Fox Sr. Manager DoD Sales I love/hate relationship with the term cloud Now the IT norm Commercial Cloud should not be scary nor considered less secure
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationCIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
More informationVirginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101
Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro
More informationRun SAP for Savings and Speed in the Cloud Presentation for ASUG, September 28, 2011
Run SAP for Savings and Speed in the Cloud Presentation for ASUG, September 28, 2011 2011 RUNE2E, llc Mike Culver Amazon Web Services Ray Kelly RunE2E, LLC SAP Solutions & Services from RunE2E Gold Channel
More informationReport via OMB s Integrated Data Collection (IDC), https://community.max.gov/x/lhtgjw 10
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 2, 2016 M-16-12 MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES FROM: Anne E. Rung United States Chief
More informationOracle Reference Architecture and Oracle Cloud
Oracle Reference Architecture and Oracle Cloud Anbu Krishnaswamy Anbarasu Enterprise Architect Social. Mobile. Complete. Global Enterprise Architecture Program Safe Harbor Statement The following is intended
More informationCloud Security. DLT Solutions LLC June 2011. #DLTCloud
Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions
More informationWhy Migrate to the Cloud. ABSS Solutions, Inc. 2014
Why Migrate to the Cloud ABSS Solutions, Inc. 2014 ASI Cloud Services Information Systems Basics Cloud Fundamentals Cloud Options Why Move to the Cloud Our Service Providers Our Process Information System
More informationState of Information Security
State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page
More informationCloud Essentials for Architects using OpenStack
Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationBerlin, 15 th November 2013. Mark Dunne SaaSAssurance
Berlin, 15 th November 2013 Mark Dunne SaaSAssurance SaaSAssurance guidance to Irish Government on Cloud Adoption Who are SaaSAssurance? Diverse multilingual European team Focus on the here and now Digital
More informationThreat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA
www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity
More information