Cloud Computing Security ENISA. Daniele Catteddu, CISM, CISA. DigitPA egovernment e Cloud computing.

Size: px
Start display at page:

Download "Cloud Computing Security ENISA. Daniele Catteddu, CISM, CISA. DigitPA egovernment e Cloud computing. www.enisa.europa.eu"

Transcription

1 Cloud Computing Security ENISA Daniele Catteddu, CISM, CISA DigitPA egovernment e Cloud computing

2 Agenda Introduction to ENISA ENISA objectives in Cloud computing Reaching the objectives Benefits, risks and recommendations for Info Sec Gov Cloud: resilience and security CAMM

3 ENISA: Who are we? The European Network & Information Security Agency (ENISA) was formed in The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security. We facilitate the exchange of information between EU institutions, the public sector and the private sector. 3

4 Activities The Agency s principal activities are as follows: Advising and assisting the Commission and the Member States on information security. Collecting and analysing data on security practices in Europe and emerging risks. Promoting risk assessment and risk management methods. Awareness-raising and co-operation between different actors in the information security field.

5 Focus ENISA assists Member States and the Commission in global issues that affect the European Community as a whole. ENISA contribute to the harmonization of appropriate technical and organizational security measures by providing expert advice. This is an advisory role and the focus is on prevention and preparedness. ENISA does NOT have any operational responsibilities either within the EU institutional framework or with respect to Member States. ENISA has no special role in the security process protecting EU institutions.

6 What is cloud computing ENISA s understanding Highly abstracted hw sw resources Near instant scalability and flexibility Near instantaneous provisioning Shared resources (hardware, database, memory, etc...) Service On demand, usually with a pay as you go billing system Programmatic management (e.g. through Web Services API)

7 What is cloud computing ENISA s understanding Cloud computing is a new business model It is a way of delivering computing resources Cloud computing is not a new technology. Lots of old hat, put together with some very clever resource distribution algorithms, which you can rent by the hour

8 ENISA Cloud Computing Objectives Help business and governments to reap the cost benefits of cloud computing. While maintaining service availability, data confidentiality and integrity, privacy, transparency, accountability and responsibility. 8

9 ENISA Cloud Computing Objectives Creating trust and trustworthiness through promoting best practice and assurance standards 9

10 ENISA Cloud Computing Objectives Improving transparency 10

11 ENISA Cloud Computing Objectives Recommending smart investment in R&D 11

12 Reaching the objectives ENISA Deliverables and Ongoing Activities Cloud Computing: Benefits, Risks and Recommendations for Information security 2009 Assurance framework 2009 Research Recommendations 2009 Gov-Cloud security and resilience analysis (2010) Common Assurance Maturity Model(CAMM) consortium (proposed) procurement and monitoring guidance for government cloud contracts. 12

13 Cloud Computing: Benefits, Risks and Recommendations for Information security 13

14 Highlights from the report 27 experts involved Mainly based on an SMEs requirements 8 security benefits 53 vulnerabilities considered 24 cloud specific risks identified Information Assurance (framework), Legal and Research recommendations 14

15 Security Benefits 15

16 Economy of Scale

17 Economies of scale and Security All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc) The same amount of investment in security buys better protection.

18 Other benefits of scale Multiple locations by default -> redundancy and failure independence Edge networks: content delivered or processed closer to its destination Staff specialization & experience Cloud providers big enough to hire specialists in dealing with specific security threats.

19 Improved management of updates and defaults Updates can be rolled out much more rapidly across a homogenous platform Default VM images and software modules can be updated with the latest patches and security settings Snapshots of virtual infrastructure (in IaaS) to be taken regularly and compared with a security baseline.

20 The Risks

21 Very high value assets Most risks are not new, but they are amplified by resource concentration Trustworthiness of insiders. Hypervisors - hypervisor layer attacks on virtual machines are very attractive. More Data in transit (Without encryption?) Management interfaces big juicy targets

22 Loss of Governance The client cedes control to the Provider on a number of issues effecting security: External pen testing not permitted. Very limited logs available. Usually no forensics service offered No information on location/jurisdiction of data. Outsource or sub-contract services to third-parties (fourth parties?) SLAs may not offer a commitment to provide the above services, thus leaving a gap in security defences.

23 Lock in Few tools, procedures or standard formats for data and service portability. Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Potential dependency of service provision on a particular CP.

24 Compliance Challenges Cloud Provider cannot provide evidence of their own compliance to the relevant requirements Cloud Provider does not permit audit by the Cloud Customer In certain cases, using a cloud implies certain kind of compliance cannot be achieved

25 Legal and contractual risks Data in multiple jurisdictions, some of which may be risky. Lack of compliance with EU Data Protection Directive Potentially difficult for the customer (data controller) to check the data handling practices of the provider Multiple transfers of data exacerbated the problem Subpoena and e-discovery Confidentiality and Non-disclosure Intellectual Property Risk Allocation and limitation of liability

26 Isolation failure Storage (e.g. Side channel attacks see Memory Virtual machines Entropy pools (http://bit.ly/41siin) Resource use (e.g. Bandwidth)

27 RESOURCE EXHAUSTION Overbooking Underbooking Caused by: Resource allocation algos Denial of Service Freak events

28 Key management Key management is (currently) the responsibility of the cloud customer Key provisioning and storage is usually off-cloud One key-pair per machine doesn t scale to multiple account holders/rbac Credential recovery sometimes available through management interface (protected by UN/PWD by) Copies of VM images may contain keys if not wellmanaged

29 Recommendations 29

30 Cloud Information Assurance Framework Increasing transparency through a minimum baseline for: comparing cloud offers assessing the risk to go Cloud reducing audit burden for CP and security risks

31 Cloud Information Assurance Framework An example Network architecture controls Well-defined controls are in place to mitigate DDoS (distributed denial of-service) attacks e.g. o o Defence in depth (traffic throttling, packet black-holing, etc..) Defences are in place against internal (originating from the cloud providers networks) attacks as well as external (originating from the Internet or customer networks) attacks. Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc. The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).

32 Research recommendations BUILDING TRUST IN THE CLOUD Certification processes and standards for clouds Return on security investments (ROSI) the measures cloud computing can enable to improve the accuracy of ROI for security; Techniques for increasing transparency while maintaining appropriate levels of security: Tagging, e.g., location tagging, data type tagging, policy tagging Privacy preserving data provenance systems, e.g., tracing data end-to-end through systems; End-to-end data confidentiality in the cloud and beyond: Encrypted search (long term) Encrypted processing schemes (long term) Encryption and confidentiality tools for social applications in the cloud Higher assurance clouds, virtual private clouds, etc;

33 Research recommendations DATA PROTECTION IN LARGE-SCALE CROSS- ORGANIZATIONAL SYSTEMS The following areas require further research with respect to cloud computing: Data destruction and lifecycle management Integrity verification - of backups and archives in the cloud and their version management Incident handling - monitoring and traceability Dispute resolution and rules of evidence International differences in relevant regulations, including data protection and privacy Legal means to facilitate the smooth functioning of multinational cloud infrastructures Automated means to mitigate problems with different jurisdictions...

34 Governments recommendations Public clouds are (usually) not suitable for critical government applications. Clearly define international differences in DP legislation. Should there be breach notification requirements on cloud providers....

35 Governments and the Cloud DK UK... Gov Agencies and Public Organizations around the globe are moving non-critical applications towards a "cloud approach". In Europe we have some fast adopters, i.e. Denmark and UK, announcing/planning to move into the cloud. Australia USA In the short-medium term (1 to 3 years) an increasing number of Public Organizations, in EU Member States, will consider/adopt cloud computing. Singapore Japan 35

36 Security and resilience in Gov clouds: achieving an informed decision Government towards the Cloud: impact on service security & resilience ENISA aims to: analyze and evaluate the impact of cloud computing on the resilience and security of GOV services. provide recommendations and good practices for European Members State planning to migrate to cloud computing 36

37

38 Security and resilience in Gov clouds: achieving an informed decision 3 scenarios considered: a local healthcare authority implementing the electronic healthcare records and other e- services, a local public administration rolling out new services for the citizens and rationalizing internal IT services, and finally, a Ministry planning the creation of governmental cloud as a business incubator 38

39 Objectives and scope to guide Public Administrations (PAs) in the definition of their risk profile to evaluate S.W.O.T. of cloud computing to provide good practices to support MSs in elaborating their cloud strategy The main focus is the impact on service resilience and security.

40 Security and Resilience Security and parameters requirements Business/Operational, Legal and Regulation requirements IT services architectural option and delivery model COMPARATIVE ASSESSMENT (SWOT or RISK ANALYSIS & ASSESSMENT Select IT solution MITIGATE Prepare Request for Proposal (RpF) Select Partner-Provider MITIGATE

41 Security and Resilience parameters Preparedness Risk Analysis and Assessment Prevention and Detection Patch Management Access Control and Accountability Supply Chain Business continuity Service Delivery Availability and Reliability Scalability and Elasticity Cloud Access Recovery and response Legal and regulatory compliance

42 Community cloud Strengths Common requirements and constraints and risks More bargaining power as a group (with the cloud provider) Ability to be a walled garden You vett the membership according to their trustworthiness (entry criteria) If based on federation -> edge networks Private cloud Public full transparency and control over legal requirements such as geography. Ability to implement your own practices (e.g. risk analysis and assessment) You can fully monitor all security events, BCP testing auditablilty priority in service resumption strong security and resilience capabilities (e.g. prevention and detection, patch management, availability and reliability, tolerance and elasticity, performance, response and recovery, business continuity and physical security CAVEAT: these strength are directly related with the scale of the provider

43 Weaknesses Community difficult to agree on security baselines, the client-based common logging formats, etc compared to a private cloud, you are a bigger target. access control and authentication are weakened Private Public no advantage of economies of scale potentially less tolerance to malicious attacks less comprehensive redundancy regime, no geo-redundancy less flexibility lack of control on the access control systems, the lack accountability (audits are not allowed). you need negotiations power to be able to ask the right info the provider. external forensics very difficult geo location constrains as a weakness: data cannot leave the country

44 Opportunities Community Public common ToR and security policies, standards etc... Potential flexibility of security policies closedness e.g. more strict security Risk Analysis and Assessment, Penetration testing, Real time security monitoring In order for a public cloud to take advantage of these opportunities a the following measure should be in place: 1) full control on asset inventory, 2) detailed physical assets, information and services classification, 3) integration between risk analysis/assessment and real time security monitoring processes, 4) effective screening of employees...

45 Threats Community Are there also exit criteria? Community might grow too quickly Harder to predict resource usage (than private cloud) Failure of isolation mechanisms (not compared to public) Difficulty of identifying the legal entity Public Lack of legal and regulatory compliance (data retention, forensics, reporting). Attractive target for criminals and Insiders Isolation failure, information leakage, illegal monitoring linkability and accountability in case illegal activities poor requirements definition and asset classification. You might incur in supplementary multiple jurisdiction Change of control (Risk acquisition) Lock in

46 From To Cloud Information Assurance Framework CAMM: Common Assurance Maturity Model

47 The Challenge Vision for CAMM: open, accessible, relevant, automated, extensible, modular, integrated Modular: capable of addressing traditional and emerging distributed IT models including outsourcing and the cloud Integrated: enabling understanding of the overall assurance of a complex solution with both outsourced and in-house elements Short-term: help customers in making informed risk decision in migrating from traditional to cloud computing model

48 CAMM Common Assurance Maturity Model MISSION Provide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain

49 Key Objectives Transparency compared to any other existing standard. Easily Accessible for wide audience globally. Suitable for multiple environments, regardless of geography or industry through its modular approach. Trusted as it is a collaborative approach between the key industry organizations, regulators and standardization bodies. Creation of an easy to understand common language that is accessible to both senior management and security professionals. Avoids duplication through the use of existing compliance activities. Integrated by enabling understanding of the overall assurance of a complex solution with both outsourced and in-house elements Help customers in making informed risk decisions in comparing the provision of in-sourced or outsourced models

50 Conclusions Cloud computing can represent an improvement in security and resilience But transparency is crucial: users must be given a means to assess and compare provider security practices In the current state of the art, migrating critical applications and data to the cloud is still very risky Much more effort is required to achieve security levels required for higher assurance applications in the cloud For once we can build security in by design, let s not miss the chance

51 The Penultimate Slide Watch out for the results of ENISA s cloud security study out in mid November (http://)

52 The Final Slide Contact: Daniele Catteddu

53 Contact Daniele Catteddu - European Network and Information Security Agency Science and Technology Park of Crete (ITE) P.O. Box Heraklion - Crete Greece

Cloud Computing Security ENISA. Daniele Catteddu, CISM, CISA. Convegno Associazione Italiana Information Systems Auditors. www.enisa.europa.

Cloud Computing Security ENISA. Daniele Catteddu, CISM, CISA. Convegno Associazione Italiana Information Systems Auditors. www.enisa.europa. Cloud Computing Security ENISA Daniele Catteddu, CISM, CISA Convegno Associazione Italiana Information Systems Auditors Agenda Introduction to ENISA ENISA objectives in Cloud computing Reaching the objectives

More information

ENISA Cloud Computing Security Strategy

ENISA Cloud Computing Security Strategy ENISA Cloud Computing Security Strategy Dr Giles Hogben European Network and Information Security Agency (ENISA) What is Cloud Computing? Isn t it just old hat? What is cloud computing ENISA s understanding

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

How to procure a secure cloud service

How to procure a secure cloud service How to procure a secure cloud service Dr Giles Hogben European Network and Information Security Agency Security in the cloud contracting lifecycle Can cloud meet your security requirements Choose the provider

More information

ENISA and Cloud Security

ENISA and Cloud Security ENISA and Cloud Security Rossen Naydenov Network Information Security Officer Critical Information Infrastructure Protection Department - ENISA European Union Agency for Network and Information Security

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects Cloud Computing An insight in the Governance & Security aspects AGENDA Introduction Security Governance Risks Compliance Recommendations References 1 Cloud Computing Peter Hinssen, The New Normal, 2010

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

ENISA and Cloud Security

ENISA and Cloud Security ENISA and Cloud Security Dimitra Liveri NIS Expert EuroCloud Forum 2015 Barcelona 07-10-2015 European Union Agency for Network and Information Security Securing Europe s Information Society Operational

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members

More information

Privacy, Security and Identity in the Cloud. Giles Hogben ENISA

Privacy, Security and Identity in the Cloud. Giles Hogben ENISA Privacy, Security and Identity in the Cloud Giles Hogben ENISA What s new about Cloud Computing? Isn t it just old hat? Larry Ellison, CEO, Oracle The interesting thing about cloud computing is that we

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Hybrid Cloud Computing

Hybrid Cloud Computing Dr. Marcel Schlatter, IBM Distinguished Engineer, Delivery Technology & Engineering, GTS 10 November 2010 Hybrid Computing Why is it becoming popular, Patterns, Trends, Impact Hybrid Definition and Scope

More information

CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING?

CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING? CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING? Ameer Pichan School of Electrical Engineering & Computing Curtin University, Australia What is it? Similar to other services net r

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Security Considerations for Cloud Computing. Steve Ouzman Security Engineer

Security Considerations for Cloud Computing. Steve Ouzman Security Engineer Security Considerations for Cloud Computing Steve Ouzman Security Engineer AGENDA Introduction Brief Cloud Overview Security Considerations ServiceNow Security Overview Summary Cloud Computing Overview

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

Security of Cloud Computing

Security of Cloud Computing Security of Cloud Computing Fabrizio Baiardi f.baiardi@unipi.it 1 Syllabus Cloud Computing Introduction Definitions Economic Reasons Service Model Deployment Model Supporting Technologies Virtualization

More information

Cloud Security Specialist Certification Self-Study Kit Bundle

Cloud Security Specialist Certification Self-Study Kit Bundle Cloud Security Specialist Certification Bundle CloudSchool.com CLOUD CERTIFIED Technology Professional This certification bundle provides you with the self-study materials you need to prepare for the exams

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

Benefits, risks and recommendations for information security

Benefits, risks and recommendations for information security Cloud Computing Rev.B December 2012 2 Cloud Computing Document History Date Version Modification Author December 2009 December 2012 1.0 Initial Release, Rev.A Daniele Catteddu, Giles Hogben 2.0 Rev.B Thomas

More information

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Appendix J: Strengthening the Resilience of Outsourced Technology Services Appendix J: Strengthening the Resilience of Outsourced Technology Services Background and Purpose Many financial institutions depend on third-party service providers to perform or support critical operations.

More information

The Magazine for IT Security. May 2010. issue 3. sör alex / photocase.com

The Magazine for IT Security. May 2010. issue 3. sör alex / photocase.com The Magazine for IT Security May 2010 sör alex / photocase.com free digital version made in Germany issue 3 Luiz Fotolia.com Clouds or storm clouds? Cloud Computing Security by Javier Moreno Molinero Gradually,

More information

Cloud Computing November 09. Benefits, risks and recommendations for information security

Cloud Computing November 09. Benefits, risks and recommendations for information security November 09 Benefits, risks and recommendations for information security ABOUT ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012 ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe CENTR General Assembly, Brussels October 4, 2012 christoffer.karsberg@enisa.europa.eu 1 Who we are ENISA was

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,

More information

Effective Practices for Cloud Security

Effective Practices for Cloud Security Effective Practices for Cloud Security Effective Security Practices Series Moving some internal processes to the cloud initially looks appealing: lower capital costs, more centralized management and control,

More information

Key Considerations of Regulatory Compliance in the Public Cloud

Key Considerations of Regulatory Compliance in the Public Cloud Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,

More information

Cloud Computing - Cyber Security Challenges

Cloud Computing - Cyber Security Challenges Cloud Computing - Cyber Security Challenges for the Finance Sector Dr. Evangelos Ouzounis Head of Unit Secure Infrastructures and Services - ENISA European Union Agency For Network And Information Security

More information

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?

More information

POWER PROTECT PROMOTE. Information Governance In The Cloud

POWER PROTECT PROMOTE. Information Governance In The Cloud Information Governance In The Cloud Galina Datskovsky, Ph. D., CRM President of ARMA International SVP Information Governance Solutions Topics Cloud Characteristics And Risks Information Management In

More information

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Inadequacies of Current Risk Controls for the Cloud

Inadequacies of Current Risk Controls for the Cloud Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie Creese and Paul Hopkins Venue: CPSRT@CloudCom2010, Indianapolis Date: 2 December 2010 Research supported

More information

Lecture 02a Cloud Computing I

Lecture 02a Cloud Computing I Mobile Cloud Computing Lecture 02a Cloud Computing I 吳 秀 陽 Shiow-yang Wu What is Cloud Computing? Computing with cloud? Mobile Cloud Computing Cloud Computing I 2 Note 1 What is Cloud Computing? Walking

More information

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Public Cloud Security: Surviving in a Hostile Multitenant Environment Public Cloud Security: Surviving in a Hostile Multitenant Environment SESSION ID: EXP-R01 Mark Russinovich Technical Fellow Windows Azure, Microsoft @markrussinovich The Third Computing Era Security Could

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments Kelvin Ng Tao Yao Sing Heng Yiak Por Acknowledgeme nts Co-Chairs Kapil Raina, Zscaler Kelvin Ng, Nanyang

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud-Security: Show-Stopper or Enabling Technology? Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) Security Management of Cloud-Native Applications Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) 1 Outline Context State-of-the-Art Design Patterns Threats to cloud systems Security

More information

Fujitsu Cloud IaaS Trusted Public S5. shaping tomorrow with you

Fujitsu Cloud IaaS Trusted Public S5. shaping tomorrow with you Fujitsu Cloud IaaS Trusted Public S5 shaping tomorrow with you Realizing the cloud opportunity: Fujitsu Cloud iaas trusted Public s5 All the benefits of the public cloud, with enterprise-grade performance

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Summary Report Report # 1. Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions

Summary Report Report # 1. Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions Summary Report Report # 1 Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions COINS Summer School 2015 on Could Security Prepared by: Nabeel Ali

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Study on Cloud security in Japan

Study on Cloud security in Japan Study on Cloud security in Japan 2011/February Professor Yonosuke HARADA INSTITUTE of INFORMATION SECURITY (C) ITGI Japan Content 1 Background 2 Survey 2.1 Respondents 2.2 User on cloud services 2.3 Risk

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken ) 23.11.2015 Jan Philipp Manager, Cyber Risk Services Enterprise Architect Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken ) Purpose today Introduction» Who I am

More information

IT Architecture Review. ISACA Conference Fall 2003

IT Architecture Review. ISACA Conference Fall 2003 IT Architecture Review ISACA Conference Fall 2003 Table of Contents Introduction Business Drivers Overview of Tiered Architecture IT Architecture Review Why review IT architecture How to conduct IT architecture

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber

More information

Overview. What are operational policies? Development, adoption, implementation

Overview. What are operational policies? Development, adoption, implementation Practical Geospatial Policies: Resolving Operational Issues to Optimize Your SDI Ed Kennedy Hickling Arthurs Low Corporation and Cynthia Mitchell and Simon Riopel Division, Natural Resources Canada Overview

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

We employ third party monitoring services to continually audit our systems to measure performance and identify potential bottlenecks.

We employ third party monitoring services to continually audit our systems to measure performance and identify potential bottlenecks. Cloud computing, often referred to as simply the cloud, is the delivery of on-demand computing resources over the internet through a global network of state-of-the-art data centers. Cloud based applications

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

The Education Fellowship Finance Centralisation IT Security Strategy

The Education Fellowship Finance Centralisation IT Security Strategy The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and

More information

VMware vcloud Air Security TECHNICAL WHITE PAPER

VMware vcloud Air Security TECHNICAL WHITE PAPER TECHNICAL WHITE PAPER The Shared Security Model for vcloud Air The end-to-end security of VMware vcloud Air (the Service ) is shared between VMware and the customer. VMware provides security for the aspects

More information