Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC


Financial Managers Society, Inc.

Cloud Computing and Financial Institutions

Financial institutions are developing and adopting cloud strategies within their organizations. Such strategies are being defined for the adoption of hybrid clouds that combine internal data centers with private clouds. The challenge for most financial institutions is the controls and security available within the cloud, as institutions are seeking transparency, auditing controls and data encryption from cloud providers. Institutions see value in the form of flexible infrastructure capacity and reduced time for resource provisioning. Adoption of the cloud is driven by services for customer relationship management, application development and . Significantly, compliance is the primary area of concern when considering adoption of cloud service and delivery models; its drivers include data protection, corporate governance, the Payment Card Industry Data Security Standard (PCI-DSS) and national regulations.

Cloud Computing Overview

The U.S. National Institute of Standards and Technology (NIST) defines cloud computing as a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST Cloud Computing Reference Architecture

The NIST Cloud Computing reference architecture defines five major actors: cloud consumer, cloud provider, cloud carrier, cloud auditor and cloud broker. Each actor is an entity that participates in a transaction or process and/or performs tasks in cloud computing.

- Cloud Consumer: a person or organization that maintains a business relationship with, and uses services from, cloud providers.
- Cloud Provider: a person, organization or entity responsible for making a service available to interested parties.
- Cloud Auditor: a party that can conduct an independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
- Cloud Broker: an entity that manages the use, performance and delivery of cloud services and negotiates relationships between providers and consumers.
- Cloud Carrier: an intermediary that provides connectivity and transport of cloud services from providers to consumers.

The NIST Cloud Computing model consists of five essential characteristics, three delivery models, and four deployment models.

Essential Characteristics

- On-Demand Self-Service: a consumer can unilaterally provision computing capabilities without requiring interaction with service providers. On-demand self-service provides automated provisioning of cloud resources.
- Broad Network Access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous client platforms. Access platforms include smart phones, tablets, laptops, and workstations.
- Resource Pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence, in that the customer generally has no control or knowledge over the exact location of the provided resources. Pooled resources include storage, processing, memory, and network bandwidth.
- Rapid Elasticity: capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured Service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Such resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

Service Models

- Software as a Service (SaaS): the capability provided to consumers is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): the capability provided to consumers is to deploy onto the cloud infrastructure consumer-created or acquired applications, created using programming languages, libraries, services, and tools supported by the provider. While the consumer does not manage or control the underlying cloud infrastructure, he or she does have control over the deployed applications, and possibly configuration settings for the application-hosting environment.
- Infrastructure as a Service (IaaS): the capability provided to consumers is to provision processing, storage, networks, and other fundamental computing resources, on which he or she is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components.

Deployment Models

- Private cloud: the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Community cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
- Public cloud: the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Hybrid cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.

Cloud Computing Security

Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process data in third-party data centers. Cloud consumers may use one or more service models and deployment models. Importantly, cloud security involves issues and concerns falling into two broad categories:

- security related to cloud providers that offer service models and deployment models;
- security issues related to cloud consumers that utilize those models.

Thus, providers and customers share responsibility for security. Providers are responsible for ensuring that the infrastructure is secure and that the consumer's data and applications are protected. Customers, on the other hand, are responsible for validating and applying the standard security and privacy policies and procedures that have been adopted. Cloud consumers surrender levels of control over security and privacy depending on the service and deployment models they use. Private clouds offer the consumer the greatest amount of control, as he or she is the sole user of the cloud. Community clouds reduce security and privacy controls, as the consumer shares use of the cloud with a select group of other consumers. Public clouds offer the least amount of control, as consumers share use of the cloud with a broad group of other consumers.

Cloud Security Controls

Cloud security architecture is effective when correct defensive implementations have been designed and implemented. The architecture should recognize issues that will arise with security management that utilizes security controls. Security controls are used to safeguard system weaknesses and reduce the effects of an attack. The security controls are grouped into broad categories with subcategories, and include the following.

- Deterrent controls: deterrent controls are intended to reduce attacks on a cloud system by informing potential attackers that there will be adverse consequences for attacks.
- Preventive controls: preventive controls strengthen systems against incidents by identifying and managing vulnerabilities to reduce or eliminate them. The use of strong authentication policy, practices, and standards for consumers provides mechanisms for positive identification and reduces instances of unauthorized access.
- Detective controls: detective controls are intended to detect and react appropriately to any incidents that occur. Such controls signal the preventive or corrective controls to address the issues. System and network security monitoring, intrusion detection and prevention arrangements are used to detect attacks on cloud systems and the supporting communications infrastructure.

- Corrective controls: corrective controls reduce incident consequences and damage, and are employed throughout the life of an incident.

Dimensions of Cloud Security

Security controls should be selected and implemented based on risk, through the assessment of threats, vulnerabilities and impacts. Cloud security concerns can be grouped into any number of dimensions: Gartner Group has identified seven dimensions, while the Cloud Security Alliance identified 14 areas of concern. The top dimensions are:

Security and privacy

- Identity management: cloud consumers utilize identity and access management systems to control access to information and computing resources, while cloud providers may integrate a consumer's identity and access management system into their infrastructure.
- Physical security: cloud providers secure physical infrastructure against unauthorized access, interference, theft, fires, floods and other events to ensure that essential resources remain available in the event of disruption. Providers utilize data centers that are professionally designed, constructed, managed, monitored, and maintained to deliver cloud computing resources. A provider may offer both service and delivery models as a provider, or provide services while also consuming delivery models as a cloud consumer of another provider.
- Personnel security: personnel risk is mitigated through security screening, security awareness and training programs, proactive security monitoring and supervision, disciplinary policy and procedures, employment contracts or agreements, service level agreements, codes of conduct, and general employment practices and policies.
- Availability: cloud providers ensure that consumers can rely on access to data and applications.
- Application security: cloud providers ensure that applications delivered using SaaS service models are secure by architecting, designing, implementing, testing and maintaining application security measures that meet the industry standards required by cloud consumers.
- Privacy: cloud providers ensure that non-public information and critical data are masked or encrypted and accessible only by authorized consumers. Providers also ensure that digital identities and credentials are protected using identity and access management systems. Further, providers ensure that data collected or produced is protected using best practices, policies and standards, supported by data archiving and purging processes.

Compliance

Data storage and use are governed by various laws and regulations. U.S. privacy and data protection laws that govern data storage and use include:

- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Basel Committee on Banking Supervision (BCBS)
- Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH)
- Children's Internet Protection Act (CIPA)
- Family Educational Rights and Privacy Act (FERPA)
- Others

Similar laws may apply in other legal jurisdictions and may differ from those enforced in the US. Cloud consumers should be aware of the legal and regulatory differences between the jurisdictions within which providers operate. Laws and regulations mandate controls that must be supported by reporting against those controls. Thus, providers must satisfy requirements to demonstrate compliance and accountability.

Business continuity and data recovery

Cloud providers should provide business continuity and data recovery plans to ensure that service and delivery models are maintained in the event of a disaster or an emergency that causes data loss, supported by data recovery practices, policies and standards that ensure data is restored. Consumers should validate and/or verify that the provider's business continuity and data recovery plans satisfy their own business continuity and data recovery plans.

Logs and audit trails

Providers must produce logs and audit trails that can be accessed by consumers, and must ensure that those logs and audit trails are properly secured, maintained, archived and purged in accordance with best practices, policies and standards. Likewise, consumers should validate and/or verify that the provider's handling of logs and audit trails satisfies their own practices, policies and standards.

Legal and contractual issues

Cloud providers and customers should negotiate terms for liability, intellectual property, end-of-service, and data retrieval for litigation or other purposes, supported by service-level agreements (SLAs).

Managing Cloud Computing Security

Managing cloud computing security is shared between providers and customers. Roles and responsibilities for managing cloud computing security are defined below:

- Cloud providers are responsible for cloud computing security.
- Providers are accountable to customers for cloud computing security.
- Cloud consumers support providers in delivering cloud computing security through review and verification.
- Providers consult with consumers to review, confirm and verify that cloud computing security requirements are met.
- Providers inform customers about cloud security events, issues and resolutions.

Framework for Managing Cloud Computing Security

Management of cloud computing security uses a framework that is defined by four broad categories:

- Visibility
- Compliance
- Threat Prevention
- Data Security

Visibility

Visibility provides the ability to view and review information or data across the cloud computing enterprise. Information and data views are provided for infrastructure, platforms, services, software and other resources used within the cloud computing enterprise. Information and data from cloud computing resources provide insights about:

- Threats and vulnerabilities.
- Remote access devices.
- Global positions and locations.
- User access, authorization and devices.
- User activities and data usage.

Business drivers define visibility for cloud computing security. Business drivers that define visibility include:

- Protecting sensitive data for commercial and legal reasons.
- Tracking services used by employees.
- Monitoring and managing data stored and used by services.
- Identifying anomalies that may indicate a breach.
- Auditing user access by devices and locations.
- Defining boundaries to comply with privacy laws and regulations.

Cloud customers should ask key questions about visibility to assess and verify that the provider's cloud computing security meets or satisfies their policy, procedures and standards. Key questions include:

- Which services are employees and business units using, overall and in each category (e.g. file sharing, social media, collaboration)?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What is the risk level of each service in use?
- How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?
- Which redundant services are employees using, and are they introducing additional cost and risk or inhibiting collaboration?
- How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
- Which services house sensitive or confidential data today?
- What are the security capabilities of the services storing sensitive data?
- Which data is available to external collaborators outside of the company?
- Which partners' cloud services are employees accessing, and what is the risk of these partners?
- Which external collaborators are granted access to our company's services?
- How do I track and log all user and admin actions for compliance and investigations?

Compliance

Compliance provides the ability to assess compliance with the laws, regulations and standards that govern data use and storage across the cloud computing enterprise. Information and data from cloud computing resources provide insights about:

- Where is sensitive data stored?
- How is sensitive data used?
- How is sensitive data protected?

Sensitive and confidential information on customers may be hosted within the cloud enterprise. Information and data that are common to the cloud enterprise include:

- General information and data.
- Financial information and data.
- Employee information and data.
- Intellectual property.
- Security information and data.

Providers and customers should engage in standard activities to protect data and meet compliance requirements. Activities that they should perform include:

- Asking the five Ws (who, what, when, why and where) to assess data protection and compliance requirements.
- Using data to prove and support the answers to the five Ws.
- Collaborating on reporting for data protection and compliance.
- Tracking and logging user behavior across the cloud enterprise.

- Integrating and assessing security information and event management policies, practices and standards.
- Identifying and assessing cloud security components that satisfy functional, compliance and risk requirements.

Laws, regulations and standards drive compliance across the cloud enterprise. Laws and regulations that drive compliance include:

- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Basel Committee on Banking Supervision (BCBS)
- Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH)
- Children's Internet Protection Act (CIPA)
- Family Educational Rights and Privacy Act (FERPA)
- Others

Customers should review key data elements related to compliance to assess and verify that the provider's cloud computing security meets or satisfies their policy, procedures and standards. Key privacy data elements include:

- Name
- Address
- Birthdate
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan numbers
- Bank account numbers
- Credit card account numbers
- Professional certificates
- Professional license numbers
- License plate numbers
- Fingerprints
- Voice prints
- Full face photographs
- Any other unique identifying numbers
- Uniform resource locators (URLs)
- Internet protocol numbers (IPs)
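The compliance questions above ask where sensitive data is stored and how it is protected, and the list just given names the data elements to look for. The Python script below is an added example written for this page, not code from the paper or from any product it cites. It scans constructed sample objects (standing in for files held in a cloud file-sharing service) for a few of the key privacy data elements, namely credit card account numbers (validated with the Luhn checksum so that order numbers and timestamps are not reported), social security numbers, email addresses and IP numbers, and reports which objects hold which elements. The paths and contents are invented for the example.

```python
import re

# Constructed sample objects standing in for files in a cloud file-sharing service.
# Paths and contents are invented for this example; none of the values are real.
SAMPLE_RECORDS = {
    "hr/onboarding/jdoe.txt": "Jane Doe, SSN 123-45-6789, started 2015-03-02, jane.doe@example.com",
    "finance/refunds.csv": "order 7781,4111111111111111,approved",
    "ops/vpn.log": "login from 203.0.113.42 user=svc-backup",
    "marketing/plan.txt": "Q3 campaign budget discussion, no account data",
}

# Patterns for a few of the key privacy data elements. A card-number candidate must
# also pass the Luhn check, which removes most digit runs that merely look like one.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def luhn_ok(digits: str) -> bool:
    """True when a digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Name the privacy data elements found in one piece of text."""
    found = set()
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_ok(digits):
            found.add("credit card account number")
    if SSN_RE.search(text):
        found.add("social security number")
    if EMAIL_RE.search(text):
        found.add("email address")
    if IPV4_RE.search(text):
        found.add("internet protocol number")
    return found


def scan(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each object path to the sorted elements it contains; clean objects are omitted."""
    report = {}
    for path, text in records.items():
        elements = classify(text)
        if elements:
            report[path] = sorted(elements)
    return report


def where_is_sensitive_data(records: dict[str, str]) -> dict[str, list[str]]:
    """Invert the scan: for each element type, which objects hold it."""
    locations = {}
    for path, elements in scan(records).items():
        for element in elements:
            locations.setdefault(element, []).append(path)
    return {element: sorted(paths) for element, paths in locations.items()}


if __name__ == "__main__":
    for path, elements in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(elements)}")
```

The output of `scan` answers "where is sensitive data stored" per object, and `where_is_sensitive_data` answers it per data element, which is the shape a compliance report usually needs. Real scanners add the remaining elements from the list (names, dates of birth, account numbers) and run against the service's own export or API rather than an in-memory dictionary.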

Compliance is a shared responsibility. Cloud consumers are responsible for protecting the privacy of employee and customer information and data, while providers are responsible for protecting product data and information. Cloud customers should ask key questions about compliance to assess and verify that the provider's cloud computing security meets or satisfies their policy, procedures and standards. Key questions include:

- Which applications house sensitive data subject to regulatory compliance?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What are the legal terms of the services housing sensitive data?
- Which employees are accessing sensitive data, and how are they using or sharing it?
- Which employees are uploading sensitive data to high-risk services?
- Which administrators have behavioral anomalies that indicate excessive privileged access?
- When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?
- How do we leverage previous resource investments and extend existing on-premise data loss prevention policies to the cloud?
- How do we implement a closed workflow to review and remediate compliance violations, and educate violators?
- Is sensitive data kept in a specific country or region to comply with international data residency requirements?

Threat Prevention

Threat prevention provides the ability to identify, isolate, mitigate and prevent attacks or intrusions from external or internal sources. Threats are designed to steal corporate data or to damage a going concern. Threats are presented in two basic forms, categorized as an attack or an intrusion. Common attacks or intrusions that impact cloud security include:

- Insider attacks to obtain data about customers, sales, intellectual property or network data.
- Denial of service attacks to disable services.
- Malware injection attacks to modify data, extract data or block data.
- Side channel attacks to gain access using physical encryption information.
- Authentication attacks to gain access using compromised credentials.
- Man-in-the-middle attacks to gain access as an unknown intermediary between parties.

Threat prevention is managed through controls that are employed against events. Common events that drive controls for threat prevention include:

- Access from known suspicious countries, locations, or devices.
- Access by compromised user or service accounts.
- Access by cancelled, dormant or inactive user or service accounts.
- Direct access that bypassed security controls.
- Access by browsers and operating systems that are not, or are no longer, supported.

Cloud customers should ask key questions about threat prevention to assess and verify that the provider's cloud computing security meets or satisfies their policy, procedures and standards. Key questions include:

- What does normal behavior for any given service look like?
- How does a user's role affect their normal cloud service usage patterns?
- How do I monitor and baseline usage across the enterprise for both local and remote employees?
- Which users are accessing large volumes of sensitive data?
- Which administrators are accessing large volumes of sensitive data?
- Which cloud services have behavioral anomalies that indicate an insider threat?
- Which cloud services have behavioral anomalies that indicate malware at work?
- Which cloud services have behavioral anomalies that indicate an account is compromised?
- Which cloud services in use are rated as high-risk and have an anonymous use policy?

Data Security

Data security refers to the policies, technologies and controls that protect the cloud computing enterprise. Data security controls are designed and implemented to provide data privacy and protection with respect to the following:

- Data corruption.
- Data theft or illegal use.
- Data privacy.
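Before the data security discussion continues, an added example for the threat prevention events listed above. The Python script is written for this page; it is not code from the paper or from any product the paper cites. It parses constructed access records in the form a cloud service's activity log might export, consults a constructed account directory, and flags the events the paper names: access from a country outside an allowlist, access by compromised, disabled or dormant accounts, direct access that bypasses the institution's forward proxy, and access from unsupported browsers. The allowed-country set, proxy addresses, browser markers, the 90-day dormancy threshold, and all users and addresses are assumptions made for the example.

```python
import re
from datetime import date, datetime

# Constructed access events (invented users, documentation-range addresses, and the
# user-assigned country code "ZZ", which denotes no real country).
SAMPLE_LOG = [
    '2015-06-01T08:15:02Z user=alice src=198.51.100.7 country=US ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"',
    '2015-06-01T08:16:40Z user=bob src=198.51.100.7 country=US ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"',
    '2015-06-01T09:02:11Z user=carol src=203.0.113.9 country=ZZ ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"',
    '2015-06-01T09:30:55Z user=dave src=198.51.100.7 country=US ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2015-06-01T09:31:00Z user=mallory src=198.51.100.7 country=US ua="Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"',
]

# Constructed account directory, as an identity system would supply it.
ACCOUNTS = {
    "alice": {"status": "active", "last_seen": date(2015, 5, 30), "compromised": False},
    "bob": {"status": "disabled", "last_seen": date(2015, 5, 20), "compromised": False},
    "carol": {"status": "active", "last_seen": date(2014, 11, 1), "compromised": False},
    "dave": {"status": "active", "last_seen": date(2015, 5, 29), "compromised": True},
}

ALLOWED_COUNTRIES = {"US", "CA"}         # where the institution does business (assumed)
PROXY_EGRESS_IPS = {"198.51.100.7"}      # the institution's forward-proxy addresses (assumed)
UNSUPPORTED_UA_MARKERS = ("MSIE 6.0", "MSIE 7.0", "Windows NT 5.1")
DORMANT_AFTER_DAYS = 90

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"


def parse_event(line: str) -> dict:
    """Split one log line into its timestamp (as a date) and key/value fields."""
    ts, _, rest = line.partition(" ")
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return fields


def evaluate(event: dict, accounts: dict) -> list[str]:
    """Return the sorted list of threat-prevention events one access record triggers."""
    findings = []
    account = accounts.get(event["user"])
    if account is None:
        findings.append("access by unknown account")
    else:
        if account["compromised"]:
            findings.append("access by compromised account")
        if account["status"] != "active":
            findings.append("access by cancelled or disabled account")
        elif (event["ts"] - account["last_seen"]).days > DORMANT_AFTER_DAYS:
            findings.append("access by dormant account")
    if event["country"] not in ALLOWED_COUNTRIES:
        findings.append("access from country outside allowlist")
    if event["src"] not in PROXY_EGRESS_IPS:
        findings.append("direct access bypassing proxy controls")
    if any(marker in event["ua"] for marker in UNSUPPORTED_UA_MARKERS):
        findings.append("access by unsupported browser")
    return sorted(findings)


def run(lines: list[str], accounts: dict) -> list[tuple[str, str, list[str]]]:
    """Evaluate every line and return (date, user, findings) for the records that fire."""
    hits = []
    for line in lines:
        event = parse_event(line)
        findings = evaluate(event, accounts)
        if findings:
            hits.append((event["ts"].isoformat(), event["user"], findings))
    return hits


if __name__ == "__main__":
    for day, user, findings in run(SAMPLE_LOG, ACCOUNTS):
        print(day, user, "; ".join(findings))
```

Each finding maps to one of the events in the list above, so the output can feed the corresponding control (block, step-up authentication, or an analyst queue). The proxy check relies on the cloud service recording the client source address: a record whose source is not one of the institution's proxy addresses reached the service without passing the controls the proxy enforces.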

Data security is managed through activities and controls that are designed to protect data integrity and privacy. Common activities and controls that drive data security include:

- Access control policies, practices and standards.
- Encryption policies, practices and standards.
- Encryption across applications, services, and data.
- Tokenization policies, practices and standards.
- Control over encryption keys.
- Data masking to protect sensitive information.
- Planning, scheduling and performing data backups.
- Planning, scheduling and performing data purges and erasures.

Access Controls

Access controls are used to manage access to applications, services, data and infrastructure. They are designed and implemented across the cloud computing enterprise and its resources. Common activities and controls for applications, services and data include:

- Access and identity management policies, practices and standards.
- Authentication mechanisms and protocols.
- Managing, monitoring and performing audit processes.

Common activities and controls for infrastructure include:

- Managing and monitoring physical access to data centers and resources.
- Managing and monitoring network access to resources.

Encryption

Encryption controls are designed and implemented to protect data and provide privacy. Encryption controls are driven through the use of best practices and standards. Common best practices and standards that are applied include:

- Avoiding proprietary algorithms.
- Using standard algorithms that have been reviewed against modern cryptographic standards.
- Selecting algorithms that fit the application and its functionality.
- Controlling ownership of encryption keys.

Data Migration

Migrating and moving data to the cloud enterprise should utilize best practices and standards to ensure data security. Best practices for migrating and moving data to the cloud include:

- Using encryption or tokenization for sensitive data or other data.
- Verifying that authentication and authorization practices and procedures are defined and enforced.
- Assessing support for encryption key management.

- Auditing user or group access to enterprise data.
- Confirming data ownership and stewardship to prevent data loss due to de-provisioning activities.
- Certifying that data loss prevention and e-discovery are available.
- Validating data usability after data migration.

Cloud customers should ask key questions about data security to assess and verify that the provider's cloud security meets or satisfies their policy, procedures and standards. Key questions include:

- Which cloud services encrypt data at rest and provide multi-factor authentication?
- What are the compliance certifications of the services employees are using?
- Which of our cloud services undergo regular penetration testing?
- Which of our cloud services have been compromised in the last week, month, year?
- Which data should be encrypted in which cloud services?
- How do we encrypt data while maintaining required functionality within cloud services?
- How do we encrypt data while controlling our own encryption keys?
- How do we employ tokenization to ensure data privacy in addition to security?
- How do we enforce access policies based on user, device, and location?

References

- NIST Cloud Computing Standards Roadmap, Special Publication , Version 2, July 2013
- The Definitive Guide to Cloud Security, Skyhigh Networks
- The Cloud Encryption Handbook: Encryption Schemes and Their Relative Strengths and Weaknesses, Skyhigh Networks
- Cloud Adoption Practices & Priorities Survey Report, January 2015, Cloud Security Alliance

- How Cloud Is Being Used in the Financial Sector: Survey Report, March 2015, Cloud Security Alliance
- Mind The SaaS Security Gaps, G Craig Lawson and Sid Deshpande
- Skyhigh Networks Cloud Adoption and Risk Report, Q
- Report: Key Requirements for Cloud Security, Cypher Cloud

About the Author

Scott Galyk is Director of Software Development at FIMAC Solutions, LLC.

Published by: Financial Managers Society, 1 North LaSalle Street, Suite 3100, Chicago, IL (member login required)

For over 65 years, the Financial Managers Society's network of members has provided technical education to financial professionals from community financial institutions through conferences, seminars, webinars and publications. For details on FMS membership benefits or how to become a member, please visit or call 800-ASK-4FMS ( ).
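As a closing added example for the Data Security section above (tokenization, data masking, and keeping control of the mapping between real values and their substitutes on the institution's side), the Python script below is written for this page and is not code from the paper or from any vendor it cites. It keeps a token vault with the cloud consumer, sends only format-preserving tokens in the cloud copy of a record, masks values for display, and restores the real values on premises. The field names and the sample record are constructed (the card number is the widely used test value 4111 1111 1111 1111). The script demonstrates tokenization only; fields that must stay readable to the service would instead be encrypted with a standard algorithm under keys the consumer holds, which is the key-ownership practice the section lists.

```python
import secrets


class TokenVault:
    """Tokenization vault held by the institution (the cloud consumer).

    The cloud service receives only the tokens; the mapping back to the real
    values never leaves this store, so a compromised cloud copy yields no card
    or account numbers.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Format-preserving token for a digit string such as a card or account number.

        The token keeps the length and the last four digits (so statements and
        support screens keep working), replaces everything else with random
        digits, is unique within the vault, and is stable for repeated values.
        """
        if not value.isdigit() or len(value) < 6:
            raise ValueError("expected a digit string of at least 6 characters")
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = body + value[-4:]
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the real value; raises KeyError for tokens this vault never issued."""
        return self._token_to_value[token]


def mask(value: str, visible: int = 4) -> str:
    """Display form of a sensitive value: all but the last `visible` characters hidden."""
    return "*" * (len(value) - visible) + value[-visible:]


# Field names are an assumption made for this example.
SENSITIVE_FIELDS = ("card_number", "bank_account")


def prepare_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Copy of a record that is safe to store in a cloud service: sensitive fields tokenized."""
    cloud_copy = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in cloud_copy:
            cloud_copy[field] = vault.tokenize(cloud_copy[field])
    return cloud_copy


def restore_from_cloud(record: dict, vault: TokenVault) -> dict:
    """Reverse of prepare_for_cloud, possible only where the vault is available."""
    on_prem = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in on_prem:
            on_prem[field] = vault.detokenize(on_prem[field])
    return on_prem


# Constructed sample record; the card number is the well-known test value.
SAMPLE_RECORD = {
    "customer_id": "c-1001",
    "card_number": "4111111111111111",
    "bank_account": "000123456789",
}

if __name__ == "__main__":
    vault = TokenVault()
    cloud = prepare_for_cloud(SAMPLE_RECORD, vault)
    print("stored in cloud :", cloud)
    print("shown to agent  :", mask(SAMPLE_RECORD["card_number"]))
    print("restored on-prem:", restore_from_cloud(cloud, vault))
```

The design choice worth noting is that the vault, not the cloud service, is the single place where tokens can be reversed: the "How do we encrypt data while controlling our own encryption keys?" question above has the same answer for tokenization, namely that the reversing material stays with the consumer. A production vault would persist the mapping in an encrypted store with its own access controls and audit log, and would usually generate tokens that fail the card-number checksum so they cannot be mistaken for live numbers.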


More information

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. The Magical Cloud Lennart Franked Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. 2014-10-20 Lennart Franked (MIUN IKS) The Magical Cloud 2014-10-20 1 / 35

More information

Capability Paper. Today, aerospace and defense (A&D) companies find

Capability Paper. Today, aerospace and defense (A&D) companies find Today, aerospace and defense (A&D) companies find Today, aerospace and defense (A&D) companies find themselves at potentially perplexing crossroads. On one hand, shrinking defense budgets, an increasingly

More information

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1 Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1 Taking a Deeper Look at the Cloud: Solution or Security Risk? LoyCurtis Smith East Carolina University TAKING A DEEPER LOOK AT THE CLOUD:

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Cloud Computing. What is Cloud Computing?

Cloud Computing. What is Cloud Computing? Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

Self-Service SOX Auditing With S3 Control

Self-Service SOX Auditing With S3 Control Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Policy Effective Date: July 28, 2015 1.0 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Secure Cloud Computing through IT Auditing

Secure Cloud Computing through IT Auditing Secure Cloud Computing through IT Auditing 75 Navita Agarwal Department of CSIT Moradabad Institute of Technology, Moradabad, U.P., INDIA Email: nvgrwl06@gmail.com ABSTRACT In this paper we discuss the

More information

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad

More information

6 Cloud computing overview

6 Cloud computing overview 6 Cloud computing overview 6.1 General ISO/IEC 17788:2014 (E) Cloud Computing Overview Page 1 of 6 Cloud computing is a paradigm for enabling network access to a scalable and elastic pool of shareable

More information

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.segal@usitc.gov Reference

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

CLOUD ARCHITECTURE DIAGRAMS AND DEFINITIONS

CLOUD ARCHITECTURE DIAGRAMS AND DEFINITIONS CLOUD ARCHITECTURE DIAGRAMS AND DEFINITIONS April 2014 Cloud Conceptual Reference Model The ease of use a Cloud Consumer experiences results from a complex, behind-the-scenes, orchestration of interchangeable,

More information

CSO Cloud Computing Study. January 2012

CSO Cloud Computing Study. January 2012 CSO Cloud Computing Study January 2012 Purpose and Methodology Survey Sample Survey Method Fielded Dec 20, 2011-Jan 8, 2012 Total Respondents Margin of Error +/- 7.3% Audience Base Survey Goal 178 security

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

The Cloud vs. the Back-Office. Which is right for you?

The Cloud vs. the Back-Office. Which is right for you? The Cloud vs. the Back-Office Which is right for you? Introductions Andy Skrzypczak President NetSource One We help, guide and support frustrated and overwhelmed business owners who want Pain Free IT so

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Kent State University s Cloud Strategy

Kent State University s Cloud Strategy Kent State University s Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Technology & Business Overview of Cloud Computing

Technology & Business Overview of Cloud Computing Your Place or Mine? In-House e-discovery Platform vs. Software as a Service Technology & Business Overview of Cloud Computing Janine Anthony Bowen, Esq. Jack Attorneys & Advisors www.jack-law.com Atlanta,

More information

Verifying Correctness of Trusted data in Clouds

Verifying Correctness of Trusted data in Clouds Volume-3, Issue-6, December-2013, ISSN No.: 2250-0758 International Journal of Engineering and Management Research Available at: www.ijemr.net Page Number: 21-25 Verifying Correctness of Trusted data in

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014 Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September What is the The Cloud Some Definitions The NIST Definition of Cloud computing Cloud computing is

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

ADOPTING CLOUD COMPUTING AS AN ICT DEPLOYMENT STRATEGY FOR DELIVERING SERVICES IN THE GOVERNMENT

ADOPTING CLOUD COMPUTING AS AN ICT DEPLOYMENT STRATEGY FOR DELIVERING SERVICES IN THE GOVERNMENT MALACA√ĎANG PALACE MANILA BY THE PRESIDENT OF THE PHILIPPINES ADMINISTRATIVE ORDER NO. ADOPTING CLOUD COMPUTING AS AN ICT DEPLOYMENT STRATEGY FOR DELIVERING SERVICES IN THE GOVERNMENT WHEREAS, Section 24,

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini Business Intelligence (BI) Cloud Prepared By: Pavan Inabathini Summary Federal Agencies currently maintain Business Intelligence (BI) solutions across numerous departments around the enterprise with individual

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro Cloud definitions you've been pretending to understand Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro You keep using that word cloud. I do not think it means what you think it

More information

Enterprise Governance and Planning

Enterprise Governance and Planning GEORGIA TECHNOLOGY AUTHORITY Title: Enterprise Operational Environment PSG Number: SO-10-003.02 Topical Area: Operations / Performance and Capacity Document Type: Standard Pages: 5 Issue Date: July 15,

More information

Cloud Computing Security Issues

Cloud Computing Security Issues Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,

More information

OVERVIEW Cloud Deployment Services

OVERVIEW Cloud Deployment Services OVERVIEW Cloud Deployment Services Audience This document is intended for those involved in planning, defining, designing, and providing cloud services to consumers. The intended audience includes the

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011 A Strawman Model NIST Cloud Computing Reference Architecture and Taxonomy Working Group January 3, 2011 Objective Our objective is to define a neutral architecture consistent with NIST definition of cloud

More information

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC ITSM in the Cloud An Overview of Why IT Service Management is Critical to The Cloud Presented By: Rick Leopoldi RL Information Consulting LLC What s Driving the Move to Cloud Computing Greater than 70%

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

Security Officer s Checklist in a Sourcing Deal

Security Officer s Checklist in a Sourcing Deal Security Officer s Checklist in a Sourcing Deal Guide Share Europe Ostend, May 9th 2014 Johan Van Mengsel IBM Distinguished IT Specialist IBM Client Abstract Sourcing deals creates opportunities and challenges.

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925 I. PURPOSE REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.: 150925 The State of Florida, Agency for State Technology (AST), hereby issues this Request for

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

The Cloud App Visibility Blindspot

The Cloud App Visibility Blindspot The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

NIST Cloud Computing Reference Architecture

NIST Cloud Computing Reference Architecture NIST Cloud Computing Reference Architecture Version 1 March 30, 2011 2 Acknowledgements This reference architecture was developed and prepared by Dr. Fang Liu, Jin Tong, Dr. Jian Mao, Knowcean Consulting

More information

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there A white paper from Fordway on CLOUD COMPUTING Why private cloud should be your first step on the cloud computing journey - and how to get there PRIVATE CLOUD WHITE PAPER January 2012 www.fordway.com Page

More information

THE NEW FRONTIER FOR PROTECTING CORPORATE DATA IN THE CLOUD

THE NEW FRONTIER FOR PROTECTING CORPORATE DATA IN THE CLOUD Security Intelligence: THE NEW FRONTIER FOR PROTECTING CORPORATE DATA IN THE CLOUD Brought to you by Introduction 3 Data Theft from Cloud Systems of Record 5 6-Step Process to Protect Data from Insider

More information