PURR - Public Cloud Security Auger / Hilgers. Public Cloud Security Final Report


Public Cloud Security Final Report
Spring 2015
Richard Hilgers / Purdue University
Gerald Auger / Dakota State University
May 1,

Project Summary

Public Cloud Providers Security Implementation; End-User Validated
May 1, 2015
Researchers: Gerald Auger, DSU; Richard Hilgers, Purdue

Public Cloud Providers: security control assessment for publicly available cloud solution providers, as assessed from an end-user perspective.

Keywords: cloud, security assessment methodology, public cloud, IaaS, threat-model, FedRAMP

Public cloud computing solutions are desirable for business and government to outsource infrastructure technology requirements. This decision transfers the responsibility of certain security controls to the cloud provider. What security controls can a consumer validate indisputably from a public cloud provider that would meet the Federal government's standard of security?

Executive Summary

Public Cloud Providers Security Implementation; End-User Validated
May 1, 2015
Researchers: Gerald Auger/DSU; Richard Hilgers/Purdue

Security control implementation for publicly available cloud solution providers, as assessed from an end-user perspective.

Keywords: cloud, security assessment methodology, public cloud, IaaS, threat-model

The federal government is migrating a portion of its technology infrastructure needs to public, commercial cloud computing solutions because of the flexibility and cost-savings benefits cloud computing offers. This direction of moving federal agency programs to cloud computing platforms was strengthened and supported through the enactment of the Cloud First policy. This policy requires federal agencies to evaluate a variety of cloud options before making any investments.[10] There are security threats inherent to the adoption of cloud-based computing solutions. Federal agencies adopting cloud solutions to host their programs have to rely on third-party assessments of security controls implemented by the cloud provider on the cloud provider's information technology (IT) infrastructure. This leaves the federal agency, as a consumer of the cloud IT, without visibility into the effectiveness of in-place security controls. A threat model for Infrastructure-as-a-Service (IaaS) cloud services, focused on the policies the cloud service provider had adopted, was developed by Purdue students in 2014.[1] The model was used to analyze the security of Amazon S3 services and gave some recommendations on how to improve that security. Our research evaluated existing threat models against the FedRAMP standard and matured the threat model developed by the Purdue students. The problem set we dealt with focused on improving the INSuRE threat model to become more flexible in its applicability to a variety of cloud service providers. The threat model is attacker-centric for IaaS service models.

Additionally, we developed a security control assessment methodology that assesses security controls for cloud computing platforms from an end-user perspective. The end-user perspective represents the access and rights afforded an end-user of the system. The methodology is a complete process for identifying applicable security controls, procedures for assessing those controls, and proper reporting of results. It enables assessors to provide situational awareness to program management of a cloud-hosted system. It is cloud-provider agnostic and is valid for evaluating any IaaS cloud provider.

We have developed a working threat model to assist in determining risk with cloud security solutions, a methodology for objective assessment of the controls that are assessable from an end-user perspective, and a complementary control assessment workbook with assessment procedures.

Table of Contents

Project Summary
Executive Summary
1. Introduction
2. Literature Review
   Cloud Computing and FedRAMP
   Cloud Computing Threat Model from an End-User Perspective
   Cloud Computing Security Control Assessment Methodology
   Agency Internal Assessment of CSP Supports Risk Management
3. Methods and Procedures
4. Deliverables
   Threat Matrix
   Security Control Assessment Methodology
   Security Control Assessment Workbook Tool
Limitations and Delimitations
Findings
Issues
Conclusions and Recommendations
References
Biographical Sketches of the Investigators
Tasking
Appendix
   Appendix 1: Public Cloud Security Schedule

1. Introduction

The federal government is being encouraged to adopt cloud-computing solutions before implementing internally managed IT infrastructure. To support this initiative, the federal CIO created the Cloud First policy, requiring federal agencies to evaluate a variety of cloud options before making any investments.[11] Cloud providers are being assessed and authorized by objective third-party organizations through the Federal Risk and Authorization Management Program (FedRAMP). Government agencies can select an authorized cloud provider to host their programs, but lack explicit security control to ensure effective assurance. These agencies would benefit from a technique for independently validating the effectiveness of security controls that have been asserted as in place. To ensure the effectiveness of the security controls, there needs to be an understanding of the unique threats introduced by migrating to a cloud solution. This independent validation can only be executed from an end-user perspective, that is, the perspective of an administrator or non-privileged user of the cloud-computing platform. The figure below depicts the lack of security visibility federal agencies have with cloud IT and how providing security control visibility (yellow arrow) provides security posture intelligence.

Figure 1 - Current and Future State of NSA Security Visibility in the Cloud

We have developed a threat model for public cloud providers, specifically IaaS architecture environments, and a methodology for objectively assessing NIST SP security controls from an end-user perspective. As federal agencies and the Department of Defense adopt cloud solutions, they must ensure their ability to accomplish their mission remains robust and agile. The creation of a testing procedure enables an organization purchasing the services of a cloud provider to validate a portion of its standardized security level. Additionally, development of a moldable threat model helps identify the weaknesses in existing services and improve the standards needed for future cloud services. Organizations want to ensure that their data is secured properly, because they have no control over its security once the data leaves the organization's network. This research project generated an extended public cloud threat model and a valid security control assessment methodology for public cloud solutions that can be used on any cloud provider. The security of cloud systems is the responsibility of the cloud service provider; therefore agency decision makers must rely on third-party organizations' independent assessments of the cloud provider's security controls. Our threat model and assessment methodology allow an agency or program to understand what threats should be anticipated for their cloud-hosted system and how to assess a subset of security controls, regardless of cloud provider. This intelligence increases the agency's visibility into the status of the security controls protecting their system.

2. Literature Review

Cloud Computing and FedRAMP

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [13] Cloud computing, offered through commercial cloud service providers (CSPs), can provide federal agencies, such as the Department of Defense, the opportunity to transfer the responsibility of key information technology (IT) elements. This IT paradigm is an appealing direction that allows organizations to afford reliable, scalable and on-demand technology resources in multiple service offerings. These offerings include, as defined by National Institute of Standards and Technology (NIST) Special Publication (SP) :

Software-as-a-Service (SaaS) - a model of service delivery whereby one or more applications and the computational resources to run them are provided for use on demand as a turnkey service.
Platform-as-a-Service (PaaS) - a model of service delivery whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed.
Infrastructure-as-a-Service (IaaS) - a model of service delivery whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications can be established.

The federal government values the flexibility and cost-savings benefits cloud computing offers. This endorsement and direction of moving federal agency programs to cloud computing platforms was strengthened and supported through the enactment of the Cloud First policy. The Cloud First policy requires federal agencies to evaluate a variety of cloud options before making any investments.[11] FedRAMP was established to empower agencies' processes of evaluating reliable cloud service providers for their needs. "The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services." [1] FedRAMP leverages the NIST security controls for the low and moderate baselines as the security requirements CSPs have to meet. Federal agencies are required to implement NIST security controls to comply with the Federal Information Security Management Act (FISMA). CSPs having to implement the same security standards aligns with the agency's FISMA requirements and makes adoption, integration and agency awareness of control implementation more effective. The benefits of agility, efficiency and innovation come with additional risks. Some responsibilities for the organization's information security controls are transferred to the CSP. The cloud consumer now has to weigh the trust and reliability of the CSP when managing the risk to the program. This trade-off is a significant concern, as noted in the Cloud Security Alliance 2015 survey of 212 IT and security professionals, in which 73% of respondents described the top challenge holding back cloud projects as concern about the security of data.[9] These benefits are important to the federal government from a cost-savings and efficiency perspective. FedRAMP is in place to assist in mitigating that risk and to make migration to a cloud-computing platform a safer, more secure option. Cloud computing introduces new weaknesses not seen in traditional IT infrastructures that must be accounted for when evaluating risk. These weaknesses can include being locked into a specific cloud service provider due to the lack of interoperability between cloud services, sharing resources with other unknown entities that could threaten privacy, lack of control over the physical and logical components, data loss, account hijacking, and malicious insiders. [2][10][15] Additionally, Gartner lists unique risks of moving to the cloud that all adopters should consider. These risks include CSP staff with privileged access to consumer systems, regulatory compliance conflicts between the data owner and the CSP, the physical location of the data, how helpful a cloud provider will be in investigative matters, and the long-term viability of a CSP. [14]

Cloud Computing Threat Model from an End-User Perspective

Cloud computing is a new technology that is growing at a considerable rate. This rapid growth makes it important to understand what vulnerabilities threaten the usage of cloud computing. Providers can better defend their private information and improve the security of their services by understanding, through threat models, what vulnerabilities and attacks can threaten the service. Additionally, by understanding newly created attacks and noting how to prevent them from affecting cloud systems, the provider can improve existing threat models and in turn improve the overall security of cloud services. The Cloud Security Alliance (CSA) discusses top threats to cloud servers, describing the various ways these threats can affect an organization. [15] Two threats absent from the CSA article are the danger of resource sharing, where companies are unknowingly sharing cloud servers with their competitors, and unencrypted or poorly encrypted communication channels [16]. Since society is becoming more technologically adept, these threats will continue to grow and change as criminals continue to outpace our ability to protect against harm.
Threat models are a useful way to perceive and protect against threats that could cause damage to an organization. While frameworks and threat models vary depending on the organization, a common standard to follow is FedRAMP, which defines the security requirements and standards public CSPs must implement and meet to be considered by the federal government as a hosted cloud-computing platform. Since the aim of our project is to create a threat model that follows the FedRAMP standards, it becomes important to note similarities between existing threat models that can be applied to IaaS architectures. Research conducted within the INSuRE project in the summer of 2014 developed a new threat model, referred to hereafter as the Beckman-Riedle-Vargas threat model. The Beckman-Riedle-Vargas model was based on policy analysis of the cloud service as well as improving security from the user's and provider's perspective [7]. This model's focus is useful primarily for analyzing the claims of the public cloud provider, allowing the organization to know how its provider reacts to current trends and major vulnerabilities. However, this model falls short when looking at the current state of the cloud provider's security. The reason is that the threat model does not analyze the current state of the cloud environment, and the security and equipment claims made by the cloud service provider could be incorrect.

Another trust security model, developed by Alruwaili and Gulliver in 2014, is called Trusted CCIPS. This security model focused on analyzing activity on the server for suspicious and malicious activity. [19] This was accomplished by utilizing a program that monitors and analyzes the activity of all users accessing the cloud environment. The strength of this model is that it is a constant, proactive approach to defending data. The major weakness of this model is that it does not address privacy, as every action taken is watched and analyzed. This is similar to another approach taken by the two authors. In 2014, Alruwaili and Gulliver wrote an additional paper that discussed a framework utilizing risk assessment programs to constantly analyze the cloud environment for any possible risks. [18] Overall, the approach is useful to prevent and reduce any known risk through the use of a security operations center utilizing cloud services and a secure service level agreement. This is done by utilizing a program to analyze the current system and report possible threats against the system to the operations center, where the program's report is analyzed to avoid possible threats and keep risk to a minimum. However, this would cause a greater cost for the organization, which has to pay the cloud service provider, the security operations team, and the programmers who create and maintain the code utilized by the program. NIST released Special Publication (SP) in 2002, which provided guidelines for risk management and discussed various ways to minimize the vulnerabilities of a system. [20] In 2012, NIST released a revised SP , which narrowed its focus from risk management to risk assessment and discusses a system for assessing risk.
[21] As we are dealing with threats, if either paper were used for the threat analysis, it would have to be altered to shift its focus from risks and modified to match the security control assessment methodology developed. Since the original paper, focused on risk management, is not necessary for assessing the system, the revised paper was the focus of research and analysis. A threat model is needed in order to battle the flood of threats that affect the cloud environment. Analyzing the previous research, it is important to note that there are few threat models developed for the end-user. By filling this need, we hope to improve the overall quality of security used for cloud servers. But to completely ensure security, there is a need to assess the security of a cloud service from the end-user's perspective.

Cloud Computing Security Control Assessment Methodology

From 2009 to 2011 the Office of Management and Budget (OMB) worked with an alliance of public and private sector organizations to develop a program, in concert with the Obama Administration's International Strategy for Cyberspace and Cloud First Policy, that supports federal government adoption of cloud computing solutions in a responsible manner. The program, called FedRAMP, establishes policy, guidance and tools to define security requirements, provide objective security assessment cases and standardize contract language. Additionally, a reduction in cost can be realized by agencies by leveraging an existing CSP's Authority to Operate (ATO), instead of the classic approach of each program having to seek its own ATO. [3] FedRAMP relies on the security controls defined in NIST [4] for a low or moderate baseline, with additional controls required specific to cloud computing security risk. Prior to a public CSP being authorized to host federal agency clients, it must document how security controls are implemented, have those security controls assessed, and receive an authority to operate (ATO). It is the cloud provider's responsibility to implement these required controls and have a certified independent third-party organization assess the controls for validation. This guarantees minimum security compliance with the standard. International Standards Organization (ISO) 27001:2005 is another information security standard considered a best solution for securing information assets [5], in addition to the NIST security requirements, which directly support the NIST Risk Management Framework [6]. Research from Ristov suggests both standards are effective for traditional IT infrastructures, but with respect to cloud computing a hybrid of controls from both standards should be used.
[5] Ristov further emphasizes cloud-specific controls by assigning cloud-contextual weighting to security controls for their importance to the cloud consumer, specifically giving a -1 for service level agreement (SLA) addressed controls, a 0 for controls of equal importance in monolithic IT or cloud IT, and a +1 for controls that are of greater importance because of cloud IT factors. [5] This prioritization scheme allows consumers to interpret the risk-reduction value of security controls, as well as ensuring SLAs address the security controls best suited for the CSP. The security control domains remain the same collection, but the cloud-based IT attribute impacts the level of importance of each control domain. Ristov's work informs decisions to ensure resources and focus are appropriately reallocated to address this alteration. For example, external-party related controls increase in importance by the amount of trust granted to the cloud provider. Physical security controls become less important because of the lack of assets at the cloud consumer's facility.

Agency Internal Assessment of CSP Supports Risk Management

Information technology is a fast-changing environment and minimum compliance does not equate to maximum security. CSPs are independently assessed by certified organizations for the entire in-scope security control set put forth by FedRAMP. Additionally, CSPs are legally required to receive annual reassessments to maintain an ATO.

Step six of the federally required NIST Risk Management Framework is to monitor and accept the ongoing level of risk. [13] The transfer of ownership of some security controls introduces a challenge for an agency to perform this step. Annually, a third-party assessor reassesses the security controls for the cloud provider. This provides some assurance of the status of the security controls. Ultimately it is the responsibility of the authorizing official over a program to authorize that a program's security controls, both cloud controlled and organizationally controlled, are in place. [10] This decision has to be made based on the efforts of parties not affiliated with the agency. FedRAMP dictates 167 security controls across 17 unique security control families. These controls provide compliance with the minimum security requirements, but do not address all threats and associated risks. For example, an availability risk not addressed relates to the confiscation of physical hardware that is directly hosting an agency's data at a CSP, in support of a law enforcement investigation. Identifying these risks allows an organization to determine what controls would mitigate them. Furthermore, an agency can develop additional security control test cases and incorporate them into a FedRAMP-aligned self-assessment methodology. This would give an agency more accuracy in calculating risk and in ensuring risk aligns with the agency's risk appetite.

3. Methods and Procedures

An exploratory research method was used in this project. The research for the specific client problem required identifying the security control set in scope. Exploratory research provided additional insight to develop an approach for understanding what FedRAMP security controls can be assessed from an end-user perspective for a cloud computing platform.
The challenge was to exhaustively determine all controls the cloud provider has attested to having implemented that can be validated on demand by the cloud consumer. The workload for this research was split across two distinct work streams, the SCA methodology and the threat matrix. A detailed work breakdown structure was developed to assist in managing the project. The schedule was captured in a master schedule and is provided in the Findings section of this report as a table. In addition to task, start date and end date, the outcome of each task is documented in this table. The SCA methodology was based upon NIST SP A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. NIST SP A is developed to apply to the controls in NIST SP , the same controls FedRAMP requires cloud service providers to implement to become available for hosting federal programs.

The SCA workbook tool is based upon the security control attributes, as listed in NIST SP , that are in scope for FedRAMP moderate-baseline compliant cloud service provider systems. The security control objective elements that compose each security control were distinctly identified and listed. This provided the initialization point of the workbook tool for determining what security control objectives could be assessed from the end-user perspective. Greater detail on this development is provided in the Deliverables section below. The threat matrix was based upon NIST SP Revision 1, Guide for Conducting Risk Assessments. Alterations were made to adjust the guide from risk assessment to threat assessment and to meet the needs of the SCA methodology and the security controls in FedRAMP. Within this project, there was a need to decide which threats to utilize for the threat model. The ten threats that were decided upon were data breach, data loss, account hijacking, insecure interfaces and APIs, denial of service, shared technology vulnerabilities, insufficient due diligence, malware and SQL injection, intrusion, and software exploit. Of the eight threats used in the threat model, five came from the Cloud Security Alliance's (CSA) paper The Notorious Nine: Cloud Computing Top Threats in [15] The four threats from the CSA's paper that were not utilized were malicious insiders, abuse of cloud services, shared technology vulnerabilities, and insufficient due diligence. Malicious insiders was excluded because it is a near impossible threat to identify, as malicious insiders are people who have betrayed or are planning to betray the company's trust. Abuse of cloud services was excluded because it is a threat based on the end-user's application of the cloud service, not an outsider threat.
Shared technology vulnerabilities was excluded because many of the issues in this threat are faced by the cloud service providers, as the vulnerabilities derive from physical components not designed to be used for cloud computing. Insufficient due diligence was not included because that threat refers to a lack of preparation or investigation when transitioning to or utilizing a new service, such as transitioning from a traditional IT environment to a cloud environment. Data loss and data breach were added for different reasons, although both are considered end results of malicious activity accomplished through threats. Data loss was added because the threat is affected by external and internal actions, which could not be prevented by the organization. Data breach was added because each control family either tests for or creates plans to prevent this event from occurring. The main difference between insufficient due diligence and data breach is that insufficient due diligence focuses on the transition between infrastructures, while data breach focuses on what actions could be taken to minimize the release of information. Account hijacking was added as a threat primarily because of how much information and control a malicious outsider could gain by utilizing a highly privileged account. The primary focus of this threat was accounts with system administrator privileges or access to classified information, due to their unrestricted access.

Insecure interfaces and APIs is included in the threat matrix because any insecurity in the interfaces and APIs can cause a breach of information, meaning the data and interaction between the end-user and the cloud service could easily be compromised. Denial of Service (DoS) was included as a threat because it is a well-known type of attack that can effectively prevent any usage of the cloud service. However, this threat can be removed depending on how the company accesses its cloud service, such as IP-based or application-based access. Malware and SQL injection were added to the matrix because of the havoc and damage they can cause to a company's server and their ability to reveal confidential information. Malware and SQL injection were combined into a single threat because both are malicious code that aims either to destroy information or to send it to a cyber criminal. Intrusion was a threat included in the matrix that was not in the CSA's top threats paper. What is meant by intrusion for this threat matrix is a person or group of people, with no affiliation to the targeted system or to any organization related to the target, entering a system without any authorization. This threat was included because of how dangerous an outsider entering a system containing classified information is, even if the intruder reports the intrusion to the organization. Software exploit was included as a threat because it takes advantage of software bugs or of programs that interfere with each other (e.g. TOR and Firefox). For this specific threat, the software does not have to be software used in the cloud environment only; it also includes the programs utilized to access the cloud environment.

4. Deliverables

Our project generated three deliverables. These items are a threat matrix, a security control assessment methodology and a security control assessment workbook tool. Each item's purpose and a general description are documented below.
Threat Matrix

The threat matrix focuses on providing an assessment of which families within FedRAMP, as well as which security controls, are affected by certain threats. Additionally, the threat matrix notes the probability and impact each security control has with each threat. Within the threat matrix spreadsheet, each of the FedRAMP baseline controls is assessed in comparison to a certain threat. The assessment is done based on impact and probability. The impact rating is assessed based on how much damage would occur if this control were not in place, as well as what threats are prevented by the control. The probability is assessed by the likelihood of an attacker utilizing an exploit within the system, meaning that well-known types of attacks are going to have a higher rating. The threat matrix is also linked with the security control assessment methodology, because the methodology allows a company to. Since the threat matrix and security control assessment were designed with IaaS as a focus, only threats that are effective against IaaS were used. As threats to an infrastructure are always expected, it is important to assess carefully how much impact each threat can cause to a system. By linking each threat to a security control, an organization can assess a server's vulnerability based on this checklist. If utilized with the security control assessment methodology, a highly accurate assessment can be determined, rather than relying on the cloud service provider's claims.

Security Control Assessment Methodology

The security control assessment methodology provides the structure, approach and tools to execute a security control assessment for an IaaS service model cloud computing platform. Traditional information technology (IT) infrastructure was planned, built and managed by the project or program that was utilizing it. The advent of cloud IT has moved the building and management of the IT infrastructure to an external third party, allowing the program or project to dynamically deploy systems and scale its IT needs accordingly. This introduces an issue for applying and assessing security. The CSP and a third-party organization have the responsibility of applying and assessing security controls, respectively, in a cloud IT infrastructure. As seen in the diagram below, the federal agency loses security visibility by utilizing a cloud IT infrastructure.
This methodology provides the controls, assessment procedures and reporting for executing a security control assessment on a cloud service provider from the perspective of the cloud consumer. A program will have visibility into the implementation of a subset of the security controls that the CSP has asserted are in place.

Security Control Assessment Workbook Tool

Successful execution of a security control assessment can be supported with a workbook tool that provides structure and direction to the assessment. The security control assessment workbook tool was developed to provide this function. The FedRAMP Moderate baseline has 325 controls[22]. Each control is composed of multiple objectives. There are 2329 control objectives. These unique objectives are the units to be reviewed and determined if each can be assessed from an end-user perspective. Working at the objective level rather than the higher control level provided a greater level of granularity for assessing security. Each control objective was initially reviewed to determine if it was a managerial, operational or technical control objective. Managerial means a control that comes from individuals being put into a place of authority to accept the risk and accountability of the system. Operational means controls associated with processes such as audit log reviews and incident response testing. Technical means controls that are implemented through the configuration of a system, such as password complexity enforcement or audit log generation. An additional category, physical, was identified that can cross-cut the operational or technical categories. Physical indicates control objectives that are physical in nature and outside of the information system, such as the presence of fire extinguishers or water shutoff valves. These could be assessed via a physical walkthrough, and therefore received a special designation. Managerial and operational control objectives are not accessible from the end-user perspective. It is not possible from an end-user perspective to determine if management has been put in place over information security, if budget has been allocated for information security, or if operations staff are performing audit log reviews. The technical control objectives were then reviewed individually to determine which could be assessed from the end-user perspective. If it was possible, a test procedure was documented. If it was not possible, an explanation was documented. Questions asked to determine applicability included:

Is this control objective involved exclusively with back-end CSP processes or technology? If so, it is likely not assessable from the end-user perspective (e.g. auditing configuration on cloud service systems).

Is this control objective related to a security control that affects user accounts?
If so, it is likely it can be assessable from the end-user perspective as the federal program stakeholders will have user accounts to the underlying Cloud provider system, such as the virtual machine management interface or overall account management interface. (e.g. password complexity requirements for user accounts) Can this control objective be validated with a basic physical tour of the cloud service provider? If so, then its assumed a basic facility tour can be scheduled, and the control objective is assessable. (e.g. fire extinguishers are present) There are control objectives identified as end user assessable, but received a designation of red team or black team. These designates indicate an invasive approach to testing that can disrupt the cloud provider operations and potentially violate a service level agreement. Red team indicates the use of hacking tools, social engineering and deployment of malware to the cloud service provider to determine the status of a control. Black team indicates bringing a cloud service 16

17 provider production facility down for an extended period of time, forcing an enactment (and validation of existence) of the cloud service providers disaster recovery plan. The intent is not to execute red team or black team test objectives, but they are assessable from the end-user perspective, so were captured as such. 17
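The triage described above, as an added example. This is not code from the report, the workbook tool or the INSuRE project: it applies the report's decision questions (managerial and operational objectives are not visible to the consumer; technical objectives are assessable when they affect consumer user accounts but not when they are exclusively back-end CSP technology; physical objectives are assessable on a facility tour; red/black team designations mark invasive tests) to a set of control objectives and tallies the outcome per control family, the way the workbook's summary is built. The control names are real NIST SP 800-53 / FedRAMP identifiers; the objective wording, the tags, the FAMILY_OF prefix mapping and the function names triage, summarize and grand_total are my constructions, not the workbook's actual determinations.

```python
"""Added example: end-user assessability triage over FedRAMP control objectives.
Not the INSuRE report's workbook; objective texts and tags are constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Control-family names for the two-letter prefixes in the sample (assumed mapping).
FAMILY_OF = {
    "AC": "ACCESS CONTROL",
    "AU": "AUDIT AND ACCOUNTABILITY",
    "CP": "CONTINGENCY PLANNING",
    "IA": "IDENTIFICATION AND AUTHENTICATION",
    "PE": "PHYSICAL AND ENVIRONMENTAL PROTECTION",
}


@dataclass(frozen=True)
class Objective:
    ident: str                   # 800-53A-style objective id, e.g. "IA-5(1)(a)"
    category: str                # "managerial" | "operational" | "technical"
    text: str
    physical: bool = False       # cross-cutting: verifiable on a basic facility tour
    backend_only: bool = False   # exclusively back-end CSP process/technology
    user_account: bool = False   # affects user accounts the consumer holds
    team: str = ""               # "" | "red" | "black": invasive test required


def triage(obj: Objective) -> tuple[bool, str]:
    """Apply the report's decision questions; return (assessable, reason)."""
    if obj.team:
        # Assessable in principle, but only through a disruptive red/black team
        # test that may breach the SLA; the intent is to record it, not run it.
        return True, f"{obj.team} team test required (invasive)"
    if obj.physical:
        return True, "verifiable on a basic facility tour"
    if obj.category in ("managerial", "operational"):
        return False, "managerial/operational: not visible to the end user"
    if obj.backend_only:
        return False, "exclusively back-end CSP process/technology"
    if obj.user_account:
        return True, "affects consumer user accounts"
    return False, "no end-user test procedure identified"


def summarize(objs: list[Objective]) -> dict[str, Counter]:
    """Per-family tally: total objectives and assessable ones, split by designation."""
    counts: dict[str, Counter] = {}
    for o in objs:
        fam = FAMILY_OF[o.ident.split("-")[0]]
        row = counts.setdefault(fam, Counter())
        row["total"] += 1
        assessable, _ = triage(o)
        if assessable:
            row["yes/" + o.team if o.team else "yes"] += 1
    return counts


def grand_total(counts: dict[str, Counter]) -> tuple[int, int, int]:
    """(plain yes, yes/red team, yes/black team) across all families."""
    return (sum(c["yes"] for c in counts.values()),
            sum(c["yes/red"] for c in counts.values()),
            sum(c["yes/black"] for c in counts.values()))


# Constructed sample objectives; the tags are illustrative, not the workbook's.
SAMPLE = [
    Objective("AC-1(a)[1]", "managerial", "develops and documents an access control policy"),
    Objective("AU-6(a)[1]", "operational", "reviews and analyzes audit records"),
    Objective("AU-12(a)", "technical", "audit record generation on CSP systems", backend_only=True),
    Objective("IA-5(1)(a)", "technical", "enforces minimum password complexity", user_account=True),
    Objective("IA-2(1)", "technical", "multifactor authentication for privileged accounts", user_account=True),
    Objective("PE-13", "operational", "fire suppression devices are present", physical=True),
    Objective("PE-6(1)", "operational", "monitors physical intrusion alarms", physical=True, team="red"),
    Objective("CP-7(a)[3]", "operational", "alternate processing site can resume operations", team="black"),
]

if __name__ == "__main__":
    for fam, row in summarize(SAMPLE).items():
        print(f"{fam:40} total={row['total']} yes={row['yes']} "
              f"red={row['yes/red']} black={row['yes/black']}")
    print("grand total (yes, red, black):", grand_total(summarize(SAMPLE)))
```

The order of the checks in triage matters: the red/black designation and the physical-tour path are tested before the category, because the report treats CP-7(a)[3] (an operational objective) and PE-6(1) (a physical one) as assessable despite not being technical, while everything else managerial or operational drops out before the back-end and user-account questions are asked.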

Two entries from the workbook tool:

Control Title: ALTERNATE PROCESSING SITE
Control Identifier (detailed): CP-7(a)[3]
Decision: establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;
End-User Perspective Assessable?: yes / Black Team
End-User Perspective Assessable Comment: This CP-7 objective is assessable, but would require severe detrimental service to the cloud service provider (electrical grid blackout, explosives threat) to determine if they could successfully recover operations at an alternate processing site. This is an extreme measure and not endorsed or encouraged, but in the spirit of objectivity it can be assessed. Note this introduces high risk to the program's availability in the event this control is not in place.

Control Title: INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
Control Identifier (detailed): PE-6(1)
Decision: Determine if the organization monitors physical intrusion alarms and surveillance equipment.
End-User Perspective Assessable?: yes / Red Team
End-User Perspective Assessable Comment: This element is aligned to a control procedure that is verifiable through a data center walkthrough at the cloud service provider facility. This assumes a physical walkthrough would be available. The red team would have to actively set off physical intrusion detection to determine if it is being monitored.

20MAR15

Cloud service providers must have their security controls assessed against FISMA requirements by third-party organizations. The results from these assessments are available upon request to federal organizations. These results can be used to validate whether or not controls have been assessed. Additionally, these reports can be invaluable in providing context and assurance about the quality, status and existence of the cloud service provider's security controls.

There are 189 total security control objectives assessable from the end-user perspective. Of the 189, 54 are red team and 6 are black team. These figures were determined after applying the logical filters mentioned above and reasoning about the unique circumstances of each security control objective's implementation and ability to be assessed.

All deliverables have been made available through PURR in the following directory: Projects > Public Cloud Providers > 2015Spr DSU-Pur Auger-Hilgers > Deliverables. This directory can be accessed directly at the following URL: https://purr.purdue.edu/projects/insureclass/files/?action=browse&subdir=projects%2fpublic+cloud+providers%2f2015spr+dsu-pur+auger-hilgers%2fdeliverables Individuals without access to the PURR site should contact Dr. Melissa Dark at Purdue University for access.

5.Limitations and Delimitations

These security controls are aligned to federal requirements for federal agencies. These results could be leveraged by non-government entities, but there is no understood agreement that the controls being tested have been implemented by the cloud service provider. Therefore the methodology is useful, but is intended for a federal agency assessing a FedRAMP-approved CSP.

This research considered NIST SPs and FedRAMP guidance. Security control objectives required by FedRAMP are included in the NIST SP. The NIST SP A provides recommended divisions of each control into its unique control objectives. This document was intentionally written to complement the NIST SP, but is only a recommendation. A different perspective on enumerating the control objectives that make up each control could have been taken. For the sake of time and not reinventing the wheel, the NIST SP A was used. The final determination of whether a security control objective was end-user assessable was left to the professional judgment of the researchers. Each decision was not further supported by testing the security control objective to prove that assessment was or was not possible.

The primary limitation on the threat matrix is the knowledge of the primary researcher who built it. Additionally, the ratings used in the threat matrix were based on the definitions of each control from the NIST SP and the researcher's judgment. This can introduce heavy bias, and the ratings may need to be altered by various subject matter experts within IT to ensure both accuracy and credibility. The delimitation set for the threat matrix was its use of NIST SP Revision 1, which utilizes a five-level rating. While this allows a more accurate assessment of the system, the rating of a given threat in relation to a control can vary based on the assessor's perception.

6.Findings

The NSA problem set asked the simple question: What security controls are assessable from the end-user perspective for a program hosted on a FedRAMP-accredited cloud service platform? Our research shows that there are 175 security control aspects across 91 security controls that are assessable. Table 1, below, shows the controls and corresponding control objectives per control that are assessable.

Table 1 - Public Cloud Security End-User Perspective Assessable Table

Columns (as extracted): Control Family; End-User Perspective Assessable: Yes, Yes / Red Team, Yes / Black Team; FedRAMP; Grand Total.
Rows: ACCESS CONTROL; AUDIT AND ACCOUNTABILITY; CONFIGURATION MANAGEMENT; CONTINGENCY PLANNING; IDENTIFICATION AND AUTHENTICATION; INCIDENT RESPONSE (3, 3); MAINTENANCE (5, 5); MEDIA PROTECTION (5, 5); PHYSICAL AND ENVIRONMENTAL PROTECTION; RISK ASSESSMENT (1, 1); SECURITY ASSESSMENT AND AUTHORIZATION (8, 8); SYSTEM AND COMMUNICATIONS PROTECTION; SYSTEM AND INFORMATION INTEGRITY; Grand Total.
Only the cell values shown in parentheses survived extraction; the remaining counts are not legible in this copy.

As discussed in the schedule section, the project was divided into multiple tasks aligned with different key deliverables. The tables found in Appendix 1 provide each task with a detailed explanation and the task outcome. Most tasks were inputs into the next successive task.

As a way to utilize the information gained from these assessable controls, each control was linked to a chosen threat. The threats chosen were Data Breaches, Data Loss, Account Hijacking, Insecure Interfaces and APIs, Denial of Service (DoS), Shared Technology Vulnerabilities, Malware & SQL Injection, Intrusion, and Software Exploit. FedRAMP consists of 325 security controls when modified to the NIST SP. In order to assess these threats, the primary researcher decided to utilize NIST SP Revision 1 and alter it to match the FedRAMP controls and the threats chosen. NIST SP Revision 1 was chosen because of its flexibility and its assessment method, which allows for detailed assessments of the risks the threats involve. Below is a compressed version of the overall assessment table, looking only at the control families in relation to the threats.

Table 2 - Overall Control Family / Threat Risk Assessment

Columns (CSA top threats): Data Breaches; Data Loss; Account Hijacking; Insecure Interfaces and APIs; Denial of Service (DoS); Malware & SQL Injection; Intrusion; Software Exploit.
Rows (FedRAMP families): Access Control; Security Awareness and Training; Audit and Accountability; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Security; Planning; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity.
The cell ratings (High, Very High, and probability/impact qualifiers) did not survive extraction in readable form in this copy.
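The roll-up from control-level ratings to the compressed family-by-threat view of Table 2, as an added example that is not the report's threat matrix or its spreadsheet. Each (control, threat) cell holds an assessor's qualitative likelihood and impact on the five-level scale the report takes from NIST SP 800-30 Revision 1; the two are combined with that publication's likelihood-by-impact table (Appendix I, Table I-2, reproduced here from memory and so an assumption to check against the publication), and a family's cell keeps the highest risk found among its controls. The ratings, the FAMILY_OF prefix mapping and the function names risk_level, family_view and hotspots are my constructions.

```python
"""Added example: family x threat risk roll-up in the style of Table 2.
Not the report's matrix; the ratings below are constructed sample values."""
from __future__ import annotations

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood; columns: impact, both in LEVELS order.
# Assumed to match NIST SP 800-30 Rev. 1, Appendix I, Table I-2 (from memory).
_RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# The CSA threats the report linked controls to.
THREATS = {"Data Breaches", "Data Loss", "Account Hijacking",
           "Insecure Interfaces and APIs", "Denial of Service (DoS)",
           "Shared Technology Vulnerabilities", "Malware & SQL Injection",
           "Intrusion", "Software Exploit"}

# Assumed prefix-to-family mapping for the sample controls.
FAMILY_OF = {"AC": "Access Control",
             "IA": "Identification and Authentication",
             "CP": "Contingency Planning"}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return _RISK[likelihood][LEVELS.index(impact)]


def family_view(ratings: dict[tuple[str, str], tuple[str, str]]) -> dict[str, dict[str, str]]:
    """Roll (control, threat) -> (likelihood, impact) up to family -> threat -> risk.
    A family's cell is the highest risk level among its controls for that threat."""
    view: dict[str, dict[str, str]] = {}
    for (control, threat), (likelihood, impact) in ratings.items():
        if threat not in THREATS:
            raise ValueError(f"unknown threat: {threat}")
        fam = FAMILY_OF[control.split("-")[0]]
        level = risk_level(likelihood, impact)
        row = view.setdefault(fam, {})
        if threat not in row or LEVELS.index(level) > LEVELS.index(row[threat]):
            row[threat] = level
    return view


def hotspots(view: dict[str, dict[str, str]], threshold: str = "High") -> list[tuple[str, str, str]]:
    """(family, threat, level) cells at or above the threshold, highest first."""
    cells = [(fam, thr, lvl)
             for fam, row in view.items() for thr, lvl in row.items()
             if LEVELS.index(lvl) >= LEVELS.index(threshold)]
    return sorted(cells, key=lambda c: -LEVELS.index(c[2]))


# Constructed control-level ratings: (control, threat) -> (likelihood, impact).
SAMPLE_RATINGS = {
    ("AC-2", "Account Hijacking"): ("High", "Very High"),
    ("AC-17", "Account Hijacking"): ("Moderate", "High"),
    ("AC-2", "Data Breaches"): ("Moderate", "Very High"),
    ("IA-2", "Account Hijacking"): ("Low", "Very High"),
    ("IA-5", "Account Hijacking"): ("High", "High"),
    ("CP-9", "Data Loss"): ("Low", "High"),
    ("CP-10", "Data Loss"): ("Very Low", "Very High"),
}

if __name__ == "__main__":
    view = family_view(SAMPLE_RATINGS)
    for fam, row in view.items():
        print(fam, row)
    print(hotspots(view))
```

Keeping the maximum per family is what makes the compressed table conservative: a single Very High control cell surfaces at the family level even when the family's other controls rate low, which is the behaviour an assessor wants when the table is used to decide where expert review of the ratings should go first.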

7.Issues

The project experienced limited issues. Research is available on threat models, cloud IT security and federal IT security requirements. We actively maintained a master task schedule to provide visibility and tracking of project status. This schedule allowed us to identify project slippage due to time constraints. Issues did not arise from completing tasks, but from having time to review internally before closing out each task.

Additionally, our project consisted of geographically separated team members. This dynamic added a level of project communication and coordination overhead that reduced our ability to develop synergy and share discovered knowledge relevant to the research. The project maintained two weekly meetings to mitigate this risk. Also, the project had two key deliverables, for each of which one member was responsible. This plan allowed team members to deep-dive on a research topic without having to coordinate sub-task distribution.

As the project is based on a trimester schedule, we had a limited amount of time to work on each section. Because the time it took to create and develop our deliverables was greater than expected, the team's aim to test the threat matrix and SCA methodology could not be met. This leaves room for further research into each security control in the SCA methodology and each threat in the threat matrix before testing occurs.

Finally, part of our goal this semester was to develop a security assessment report (SAR) template. However, after comparing the existing FedRAMP SAR template with the goals and outcomes of this research period, the team decided that the FedRAMP SAR template already met our needs for a SAR template.

8.Conclusions and Recommendations

The research revealed that only 8% of the security controls the CSPs are required to implement could be assessed from the end-user perspective. This number reduces to 5% if only non-red/black team test cases are considered. This insight into security control visibility is marginally better than the initial 0% security control visibility. The results from the third-party organization's audit of the CSP-implemented security controls can be requested by any federal agency. These results can provide greater visibility into the security control implementation. This extends the research burden for the interested federal program from just the cloud service provider to include the reliability, reputation and quality of the third-party organization in its ability to effectively execute a security control assessment and report the findings accurately.

The researchers were unable to test the security control assessment methodology. The methodology should be executed against a cloud service provider to validate the process and the security control objectives determined to be end-user assessable for a public cloud IaaS environment.

A security assessment report template specific to this purpose should be developed. Currently the FedRAMP security assessment report template is linked to in the methodology, but this report includes many elements that are not needed for this application. Starting with the FedRAMP template and paring it down to the essential sections only would be the best way to customize it for this methodology's needs.

It is recommended that the risk matrix be assessed and refined by various experts to ensure accuracy and remove bias. Additionally, the assessors may alter or change the threats on the list based on what they believe is more prominent in cloud computing. This would result in different, altered versions of this threat matrix, which can be combined into an agreed assessment to be utilized with the assessment methodology.

9.References

[1] GSA (2014). "FedRAMP Overview." from
[2] Jamil, D. and H. Zaki (2011). "Cloud Computing Security." International Journal of Engineering Science & Technology 3(4).
[3] VanRoekel, S. F. C. (2011). OMB Memo: Security Authorization of Information Systems in Cloud Computing Environments. https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf
[4] Ross, R. (2013). "NIST SP , Revision 4." Security and Privacy Controls for Federal Information Systems and Organizations.
[5] Ristov, S., et al. (2012). A new methodology for security evaluation in cloud computing. MIPRO, 2012 Proceedings of the 35th International Convention, IEEE.
[6] Ross, R. (2010). "NIST SP A, Revision 1." Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans.
[7] Beckman, J., Riedle, M., and Vargas, H. (2014). Analysis of Amazon S3 Cloud Services.
[8] Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1).
[9] Cloud Security Alliance (2015). Cloud Adoption Practices and Priorities Survey Report. https://cloudsecurityalliance.org/star/self-assessment/
[10] Jansen, W. and T. Grance (2011). "SP Guidelines on Security and Privacy in Public Cloud Computing."
[11] Kundra, V. (2011). "Federal Cloud Computing Strategy."
[12] Mell, P., and T. Grance (2009). "The NIST Definition of Cloud Computing." National Institute of Standards and Technology 53(6): 50.
[13] NIST (2004). SP . Guide for Applying Risk Management Framework to Federal Information Systems.
[14] Brodkin, J. (2008). "Gartner: Seven cloud-computing security risks." InfoWorld: 1-3.
[15] Top Threats Working Group (2013). The notorious nine: cloud computing top threats in Cloud Security Alliance.
[16] Hay, B., Nance, K., & Bishop, M. (2011, January). Storm clouds rising: security challenges for IaaS cloud computing. In System Sciences (HICSS), th Hawaii International Conference on (pp. 1-7). IEEE.
[17] Popovic, K. and Z. Hocenski (2010). Cloud computing security issues and challenges. MIPRO, 2010 Proceedings of the 33rd International Convention, IEEE.
[18] Alruwaili, F. F., & Gulliver, T. A. (2014). Safeguarding the Cloud: An Effective Risk Management Framework for Cloud Computing Services. International Journal of Future Generation Distributed Systems (IJFGDS), 1(2).
[19] Alruwaili, F. F., & Gulliver, T. A. (2014). Trusted CCIPS: A Trust Security Model for Cloud Services Based on a Collaborative Intrusion Detection and Prevention Framework. International Journal of Latest Trends in Computing, 5(1).
[20] NIST (2002). SP . Risk Management Guide for Information Technology Systems.
[21] NIST (2012). SP Revision 1. Guide for Conducting Risk Assessments.
[22] FedRAMP (2014). FedRAMP Security Controls. https://www.fedramp.gov/files/2015/03/fedramp-rev-4-baseline-workbook-FINAL xlsx

10. Biographical sketches of the investigators

Gerald Auger: I have been working within the IT industry for nine years, focusing the last six in the cyber security arena. I am an active CISSP, CISM, and CISA. I have had the distinguished pleasure to work for Booz Allen Hamilton in the public sector, providing cyber security solutions to the DoD, the Dept. of Veterans Affairs and the National Science Foundation United States Antarctic Program (NSF USAP). I have years of experience with the DoD 8500 framework and the NIST risk-management framework and fully utilize NIST Special Publications for my research and efforts. I have earned a master's in Computer Science and a master's in Information Assurance, which affords me the ability to analyze a problem set on a technical and engineering level, and cross-cut this analysis with security concepts and thought processes.

Richard Hilgers: My knowledge of cloud computing primarily comes from the CNIT course Cyber Forensics on Cloud/Virtual Machines, where my primary research paper for the course was based on cloud forensics. In addition to my research on cloud forensics, I learned the various ways a cloud server could be exploited or attacked. Additionally, I have some knowledge of cloud services from my part-time job as an Anti-Fraud analyst, primarily due to some consumers utilizing their cloud accounts for malicious acts. My organizational and time-management skills can also help keep the entire project on track.

11. Tasking

Tasking was strategically distributed amongst the team for realistic execution and effectiveness. Given that the project was determined to be a two-pronged approach, each individual took the lead on one major item. Gerald took the SCA methodology while Richard took the threat model. In addition to task execution, the researchers maintained a standing Wednesday teleconference for exchanging research and developments. The researchers also held a weekly Friday call that included each respective university's course mentor and the NSA technical director (optional attendee). This weekly call provided an end-of-week agenda (work completed, work upcoming, issues) for the team to stay on task and on schedule.

12. Appendix

Appendix 1: Public Cloud Security Schedule

Table 4 - Public Cloud Security Schedule (Legend)


More information

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad

More information

Risks and Challenges

Risks and Challenges Cloud and Mobile Security: Risks and Challenges Chong Sau Wei (CISM) chong@scan associates.net General Manager Managed Security Services SCAN Associates Berhad Seminar e Kerajaan Negeri Pulau Pinang 14

More information

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Is it Time to Trust the Cloud? Unpacking the Notorious Nine Is it Time to Trust the Cloud? Unpacking the Notorious Nine Jonathan C. Trull, CISO, Qualys Cloud Security Alliance Agenda Cloud Security Model Background on the Notorious Nine Unpacking the Notorious

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Esri Managed Cloud Services and FedRAMP

Esri Managed Cloud Services and FedRAMP Federal GIS Conference February 9 10, 2015 Washington, DC Esri Managed Cloud Services and FedRAMP Erin Ross & Michael Young Agenda Esri Managed Services Program Overview Example Deployments New FedRAMP

More information

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University.

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University. Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University P a g e 1 P a g e 2 Table of Contents Abstract... 3 Introduction... 3 Previous

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

Cloud Computing in a Regulated Environment

Cloud Computing in a Regulated Environment Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members

More information

Cloud Assessments. Federal Computer Security Managers Forum. John Connor, IT Security Specialist, OISM, NIST. Meeting.

Cloud Assessments. Federal Computer Security Managers Forum. John Connor, IT Security Specialist, OISM, NIST. Meeting. Cloud Assessments SaaS Email Working Group John Connor, IT Security Specialist, OISM, NIST Meeting August, 2015 Background Photo - JILA strontium atomic clock (a joint institute of NIST and the University

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

Orchestrating the New Paradigm Cloud Assurance

Orchestrating the New Paradigm Cloud Assurance Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems

More information

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Anatomy of a Cloud Computing Data Breach

Anatomy of a Cloud Computing Data Breach Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

Can Nuclear Installations and Research Centres Adopt Cloud Computing Platform?

Can Nuclear Installations and Research Centres Adopt Cloud Computing Platform? Can Nuclear Installations and Research Centres Adopt Cloud Computing Platform? Ameer PICHAN, Dr. Sie Teng SOH, A/Prof Mihai LAZARESCU School of Electrical Engineering and Computing, Curtin University,

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

SECURITY THREATS TO CLOUD COMPUTING

SECURITY THREATS TO CLOUD COMPUTING IMPACT: International Journal of Research in Engineering & Technology (IMPACT: IJRET) ISSN(E): 2321-8843; ISSN(P): 2347-4599 Vol. 2, Issue 3, Mar 2014, 101-106 Impact Journals SECURITY THREATS TO CLOUD

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Symantec's Continuous Monitoring Solution

Symantec's Continuous Monitoring Solution Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015 Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015 1 P a g e ABSTRACT This study examined improving web

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

BUSINESS MANAGEMENT SUPPORT

BUSINESS MANAGEMENT SUPPORT BUSINESS MANAGEMENT SUPPORT Business disadvantages using cloud computing? Author: Maikel Mardjan info@bm-support.org 2010 BM-Support.org Foundation. All rights reserved. EXECUTIVE SUMMARY Cloud computing

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Guideline on Implementing Cloud Identity and Access Management

Guideline on Implementing Cloud Identity and Access Management CMSGu2013-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Implementing Cloud Identity and Access Management National

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Security Authorization Process Guide

Security Authorization Process Guide Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...

More information

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Brochure More information from http://www.researchandmarkets.com/reports/2213812/ Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Description: The auditor's guide to ensuring

More information

Compliance and the Cloud: What You Can and What You Can t Outsource

Compliance and the Cloud: What You Can and What You Can t Outsource Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Kate Donofrio Security Assessor Fortrex Technologies Instructor Biography Background On Fortrex What s In A Cloud? Pick

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects Cloud Computing An insight in the Governance & Security aspects AGENDA Introduction Security Governance Risks Compliance Recommendations References 1 Cloud Computing Peter Hinssen, The New Normal, 2010

More information

journey to a hybrid cloud

journey to a hybrid cloud journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information