Realizing Trusted Clouds


1 Realizing Trusted Clouds with Trusted Computing and SCAP
SICS Security Seminar, April 08, 2014
Mudassar Aslam (Researcher, PhD Student), Security LAB (SEC Lab)

2 Outline
- Cloud Computing
- Trusted Clouds
- Cloud Audit & Certification
- Problems in existing approaches
- Solutions
- Challenges and Summary
[SEC Lab] 2 /39

3 Cloud Computing
Benefits: + Cost Effective, + Dynamic, + Resource Elasticity
Concerns: - Security, - Technical, - Legal, - Operational, - ...

4-6 Lack of Visibility (Transparency)
- Cloud Infrastructure is managed by the CSP; the customer cannot see the internal details:
  - Data Security/Location
  - Identity & Access Management
  - Cloud Platform Integrity (applications and their settings)
- Result: Cannot Trust Cloud Service

7 What is a Correct Platform?
- Correct Software Stack: BIOS, Bootloader, OS, Applications, etc.
- Correct Configuration of every software: SELinux enforcing, Firewall config., etc.
What is a Secure Platform Configuration?
- Different for different scenarios. Examples:
  - Payment Card Industry -> PCI DSS
  - Health Insurance Portability and Accountability Act -> HIPAA
  - Federal Information Security Management Act -> FISMA
  - many others...

8 Audit & Certification
- Audit by a Trusted Third Party
  - Evaluation of implemented security controls (e.g. NIST SP A in FISMA)
  - Compared against defined Security Requirements (e.g. NIST SP in FISMA)
- Certification given to the organization
- Example: Federal Risk and Authorization Management Program (FedRAMP)
  - Cloud user: Federal Agencies (Govt. Dept.)
  - Cloud Provider: Any Public Provider (e.g. Amazon)
  - Trusted Third Party: FedRAMP approved 3PAOs

9 Shortcomings of existing approaches
- Scheduled over months (quarterly, biannual, etc.)
- Incomplete (only a subset is verified)
- Vulnerable to new exploits

10-12 Audit & Certification: what is needed instead
- Scheduled over months (quarterly, biannual, etc.) -> Frequent & Random
- Incomplete (only a subset is verified) -> Platform Level Certification
- Vulnerable to new exploits -> Continuous Vulnerability management

13-15 Cloud Security Alliance
- CSA STAR Continuous will be based on a continuous auditing & assessment of relevant security properties
- CSA STAR Continuous is currently under development and the target date of delivery is 2015
Source: https://cloudsecurityalliance.org/star/continuous/

16 Towards Solutions
Summing up the requirements:
- Trustworthy (IaaS) Cloud -> Integrity of Cloud Platform -> Check Correctness of the Platform -> Software Stack + Software Configuration
Solution properties:
- Automated Assessment
- Continuous audit -> Platform Certification
- Remote Platforms
=> Automated Security Assessment & Auditing of Remote Platforms (ASArP)

17 Approach
- Verify the Software Stack Integrity remotely (i.e. only approved/known software)
- Verify that every software is configured correctly
- Certify the Correctness of a Remote Platform

18 Remote Platform Verification
A three-phase remote platform verification, assessment and certification solution:
- Phase-I: Traditional Remote Attestation
- Phase-II: Assess platform for known vulnerabilities
- Phase-III: Check software configurations

19 Phase-I: Software Stack Integrity (diagram)
- Trusted Remote Verifier (RV) -> Target Platform (TP): Attestation Request (N) + Bindkey Request
- Target Platform (Mgt, ST, Hypervisor, Hardware/CPU, TPM) -> RV: Integrity Report (TPM_Quote, IML) + Bindkey (PublicKey, CertifyInfo)
- RV: Compare Hash(SW) from the report against its Local Reference Measurements DB
- Local Reference Measurements DB is fed by the Software Vendor Reference Measurements Database (Hash(SW)) and a Complementary Whitelist (drivers, libs, proprietary sw)
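The verifier-side part of Phase-I, as an added example (not ASArP's own code): the IML is replayed into a simulated PCR and compared with the TPM_Quote value, then each measured file is checked against the reference DB and the complementary whitelist. The log format, hashes, PCR index and the 0xFF handling of IMA violation entries are assumptions/simplifications stated in the comments.

```python
"""Phase-I verification (added example). Replays a TPM-backed integrity measurement
log (IML) against the PCR value from TPM_Quote, then checks every measured file
against the reference measurements DB and the complementary whitelist.
Log format, hashes and databases below are constructed."""
import hashlib

IMA_PCR = 10                           # PCR that Linux IMA extends (assumption: default setup)
PCR_INITIAL = bytes(20)                # a PCR starts out as all zeros
VIOLATION_MARK = "00" * 20             # IMA lists a violation with a zero template hash ...
VIOLATION_EXTEND = bytes([0xFF] * 20)  # ... but extends 0xFF bytes into the PCR (assumption)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_entry(path: str, file_content: bytes):
    """One simplified 'ima' template entry: (pcr, template_hash, file_hash, path).
    Real IMA hashes the file digest plus a fixed-width path; this is a constructed stand-in."""
    file_hash = sha1_hex(file_content)
    template_hash = sha1_hex(bytes.fromhex(file_hash) + path.encode())
    return (IMA_PCR, template_hash, file_hash, path)


def replay_pcr(entries) -> str:
    """Recompute the PCR from the IML: pcr = SHA1(pcr || template_hash), entry by entry."""
    pcr = PCR_INITIAL
    for pcr_index, template_hash, _file_hash, _path in entries:
        if pcr_index != IMA_PCR:
            continue
        extend = VIOLATION_EXTEND if template_hash == VIOLATION_MARK else bytes.fromhex(template_hash)
        pcr = hashlib.sha1(pcr + extend).digest()
    return pcr.hex()


def log_matches_quote(entries, quoted_pcr: str) -> bool:
    """True when the IML really produced the PCR value attested in TPM_Quote."""
    return replay_pcr(entries) == quoted_pcr.lower()


def classify(entries, reference_db, whitelist):
    """Verdict per measured path: known (vendor reference), whitelisted, violation or unknown."""
    verdicts = {}
    for _pcr, template_hash, file_hash, path in entries:
        if template_hash == VIOLATION_MARK:
            verdicts[path] = "violation"
        elif reference_db.get(path) == file_hash:
            verdicts[path] = "known"
        elif file_hash in whitelist:
            verdicts[path] = "whitelisted"
        else:
            verdicts[path] = "unknown"
    return verdicts


def assess_phase1(entries, quoted_pcr, reference_db, whitelist) -> str:
    """Phase-I outcome: the log must match the quote and every entry must be approved software."""
    if not log_matches_quote(entries, quoted_pcr):
        return "FAIL: IML does not reproduce the quoted PCR"
    bad = sorted(p for p, v in classify(entries, reference_db, whitelist).items()
                 if v in ("unknown", "violation"))
    return "PASS" if not bad else "FAIL: unapproved " + ", ".join(bad)


# --- constructed sample data -------------------------------------------------
SAMPLE_LOG = [
    make_entry("/boot/vmlinuz", b"kernel-image-bytes"),
    make_entry("/usr/bin/hypervisor", b"hypervisor-bytes"),
    make_entry("/usr/lib/vendor/libproprietary.so", b"proprietary-lib-bytes"),
]
# A good-state TPM_Quote reports exactly the replayed value (constructed here, not a real quote).
SAMPLE_QUOTE = replay_pcr(SAMPLE_LOG)
REFERENCE_DB = {"/boot/vmlinuz": sha1_hex(b"kernel-image-bytes"),
                "/usr/bin/hypervisor": sha1_hex(b"hypervisor-bytes")}
WHITELIST = {sha1_hex(b"proprietary-lib-bytes")}   # complementary whitelist (proprietary sw)

if __name__ == "__main__":
    print(assess_phase1(SAMPLE_LOG, SAMPLE_QUOTE, REFERENCE_DB, WHITELIST))
```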

20-23 Phase-II: Vulnerability Analysis (diagram)
- Step 1: TCG based Software List -> CPE based Software List
- Step 2: Remote Verifier (RV) looks the CPE list up in its Local Vulnerability Database -> SW Vulnerability Status (CPE) -> Policy (Software_CVSS)
- Local Vulnerability Database is synced from the Public Vulnerability Database (CPE, CVE, CVSS, CCSS), which receives Security Advisories from Security Labs, S/W Vendors and Researchers
Acronyms:
- SCAP: Security Content Automation Protocol
- CPE: Common Platform Enumeration
- CVE: Common Vulnerability Exposure
- CVSS: Common Vulnerability Scoring System
- XCCDF: Extensible Configuration Checklist Description Format
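Steps 1 and 2 of Phase-II as an added example (not ASArP's own code): attested packages expressed as CPE 2.3 names are matched against a local vulnerability database and the Software_CVSS policy decides per package. Every vendor, product, CVE id and score below is a constructed placeholder, and the CPE matching is a simplified version of the CPE name-matching rules.

```python
"""Phase-II vulnerability analysis (added example). Maps the attested software list
(CPE 2.3 formatted strings) onto a local vulnerability DB and applies the
Software_CVSS policy. All products, CVE ids and scores are constructed placeholders."""
import re

CPE_ATTRS = ["part", "vendor", "product", "version", "update", "edition", "language",
             "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(fs: str) -> dict:
    """Parse a CPE 2.3 formatted string into its WFN attributes (escape sequences are kept)."""
    parts = re.split(r"(?<!\\):", fs)           # split on unescaped colons only
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: " + fs)
    return dict(zip(CPE_ATTRS, parts[2:]))


def cpe_matches(db_cpe: dict, installed: dict) -> bool:
    """Simplified CPE matching: ANY ('*') on either side matches, else case-insensitive equality."""
    for attr in CPE_ATTRS:
        a, b = db_cpe[attr], installed[attr]
        if a != "*" and b != "*" and a.lower() != b.lower():
            return False
    return True


def vulnerability_status(software_list, vuln_db):
    """Step 2: for each installed CPE, collect the matching (cve, cvss) rows, worst first."""
    status = {}
    for fs in software_list:
        installed = parse_cpe23(fs)
        hits = [(cve, score) for db_fs, cve, score in vuln_db
                if cpe_matches(parse_cpe23(db_fs), installed)]
        status[fs] = sorted(hits, key=lambda h: -h[1])
    return status


def apply_policy(status, max_cvss: float):
    """Software_CVSS policy: any CVE scored above the threshold makes the platform non-compliant;
    lower-scored findings are reported but accepted."""
    verdict = {}
    for fs, hits in status.items():
        worst = max((score for _cve, score in hits), default=0.0)
        verdict[fs] = "clean" if not hits else ("accepted" if worst <= max_cvss else "reject")
    return {"compliant": all(v != "reject" for v in verdict.values()), "per_software": verdict}


# --- constructed sample data -------------------------------------------------
SOFTWARE_LIST = [  # Step 1 output: attested packages expressed as CPE 2.3 names
    "cpe:2.3:o:examplevendor:exampleos:3.10:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:hyperd:2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:mgmt_agent:1.0:sp1:*:*:*:*:*:*",
]
LOCAL_VULN_DB = [  # (cpe, cve id, cvss base score): placeholders, not NVD data
    ("cpe:2.3:a:examplevendor:hyperd:2.1:*:*:*:*:*:*:*", "CVE-0000-0001", 7.5),
    ("cpe:2.3:a:examplevendor:hyperd:*:*:*:*:*:*:*:*", "CVE-0000-0002", 3.3),
    ("cpe:2.3:a:examplevendor:mgmt_agent:1.0:*:*:*:*:*:*:*", "CVE-0000-0003", 4.0),
    ("cpe:2.3:a:othervendor:hyperd:2.1:*:*:*:*:*:*:*", "CVE-0000-0004", 9.8),
]

if __name__ == "__main__":
    print(apply_policy(vulnerability_status(SOFTWARE_LIST, LOCAL_VULN_DB), max_cvss=4.0))
```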

24-26 Phase-III: Configuration Compliance (diagram)
- Trusted Remote Verifier holds Recommended Configurations (software, hypervisor, OS), taken from Industry Standard and Govt Defined Config, and a Config Policy
- Verifier -> Target Platform (TP): Request Configuration Analysis (xccdf checklist)
- TP: the SCAP Tool (ST) runs Config Analysis (Mgt, Hypervisor) against the xccdf checklist; the TPM signs the compliance report with the bind key
- TP -> Verifier: signed report, Sign_bindkey(compliance_report)
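The verifier-side evaluation of Phase-III as an added example (not ASArP's own code): an XCCDF 1.2 TestResult, as a SCAP tool would emit it for the checklist, is compared with the Config Policy and turned into the compliance report whose digest the platform hands to the TPM for signing with the bind key (the TPM signing call itself is not shown). The XML, rule ids and policy are constructed.

```python
"""Phase-III configuration compliance (added example). Reads an XCCDF TestResult,
evaluates it against the verifier's config policy and builds the compliance report
whose digest would be signed with the TPM bind key. XML and rule ids are constructed."""
import hashlib
import json
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# XCCDF result values that satisfy a required rule; everything else does not.
SATISFIED = {"pass", "fixed", "notapplicable"}

SAMPLE_TESTRESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_sample" end-time="2014-04-08T10:00:00">
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_firewall_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_ipv6_disabled"><result>notapplicable</result></rule-result>
</TestResult>"""

# Constructed config policy: rule ids the verifier requires for this platform role.
CONFIG_POLICY = {
    "xccdf_org.example_rule_selinux_enforcing",
    "xccdf_org.example_rule_firewall_enabled",
    "xccdf_org.example_rule_sshd_no_root_login",
    "xccdf_org.example_rule_ipv6_disabled",
    "xccdf_org.example_rule_audit_enabled",     # required, but absent from the result
}


def parse_rule_results(xml_text: str) -> dict:
    """Map rule idref -> result string; works for a bare TestResult or a whole Benchmark."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter("{%s}rule-result" % XCCDF_NS):
        results[rr.get("idref")] = (rr.findtext("{%s}result" % XCCDF_NS) or "unknown").strip()
    return results


def compliance_report(xml_text: str, policy: set) -> dict:
    """Compare the SCAP tool's results with the policy. Rules the checklist skipped
    (notselected/notchecked) or never reported count as non-compliant: silence is not evidence."""
    results = parse_rule_results(xml_text)
    rules = {rule: results.get(rule, "missing") for rule in sorted(policy)}
    failed = sorted(rule for rule, res in rules.items() if res not in SATISFIED)
    return {"rules": rules, "noncompliant": failed, "compliant": not failed}


def report_digest(report: dict) -> str:
    """Canonical digest of the report: the value the platform would pass to TPM_Sign with
    the bind key, so the verifier can tie this report to the attested platform state."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    rep = compliance_report(SAMPLE_TESTRESULT, CONFIG_POLICY)
    print(json.dumps(rep, indent=2))
    print("digest to sign:", report_digest(rep))
```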

27-28 ASArP: Automated Security Assessment & Audit of Remote Platforms (overview diagram)
- Remote Verifier (Auditor, Platform Certification Authority, etc.) holds: Local Reference Measurements DB, Local Vulnerability Database, Recommended Platform Configurations, Policy
- Inputs over the Internet: Software Vendor Reference Measurements Database (Software WFN including SHA1); Public Vulnerability Database (CPE, CVE, CVSS, CCSS) fed by Security Advisories from Security Labs, S/W Vendors, Researchers; Industry Standard and Govt Defined Config; Complementary Whitelist (drivers, libs, proprietary sw) from the Local Admin
- Target Platform: Mgt, ST (ST: SCAP Tool), Hypervisor, Hardware/CPU, TPM
- Phase I: Software Stack Integrity; Phase II: Software Stack Vulnerability Assessment; Phase III: Software Configuration Compliance -> Trusted / Certified platform
Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2013), Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques. In: The 6th International Conference on Security of Information and Networks, November 26-28, 2013, Aksaray/Turkey

29-30 Platform Certificate (uses)
Platform certificate: { TT_ID, Pd_ID, Profile, PK_Bind, Time } signed by the TTP
- Aslam, Mudassar and Gehrmann, Christian and Rasmusson, Lars and Björkman, Mats (2012), Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud. In: International Conference on Cloud Computing and Services Science, CLOSER 2012, April 2012, Porto, Portugal.
- Paladi, Nicolae and Gehrmann, Christian and Aslam, Mudassar and Morenius, Fredric (2013), Trusted Launch of Virtual Machine Instances in Public IaaS Environments. In: 15th Annual International Conference on Information Security and Cryptology, Nov 2012, Seoul, Korea.
- Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2012), Security and Trust Preserving Migrations in Public Clouds. In: The 2nd IEEE International Symposium on Trust and Security in Cloud Computing, in conjunction with IEEE TrustCom-12, June 2012, Liverpool, UK.

31-35 ASArP: Automated Security Assessment & Audit of Remote Platforms (implementation)
Same architecture as the overview diagram, annotated with the components used in the prototype:
- Target Platform: TPM Chip, TCG Compliant BIOS, GRUB-IMA, Linux IMA, TrouSerS
- Local Vulnerability Database: MongoDB, cve-search
- SCAP Tool (ST): OpenSCAP (oscap); checklists authored with SCAP Editor (escape)
- Phase II enhanced: Software Stack Vulnerability Assessment
Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2013), Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques. In: The 6th International Conference on Security of Information and Networks, November 26-28, 2013, Aksaray/Turkey

36 Configuration Compliance (figure only)

37 Performance results (figure only)

38 Achievements (in general)
- Trusted Cloud Platforms
- Platform Level Certification
- CSA STAR Continuous: Implementation Proposal
- TCG-SCAP Synergy:
  - Use of SCAP promises better ways to interpret TPM integrity reports to assess the platform security status
  - Use of TPM promises better assurances about SCAP analysis and its results

39 Challenges and Summary
- TCG Integrity Report does not map directly to the SCAP framework
- No standard implementation/deployment exists
- Sealing anything to the runtime state is not practical: current proposals only use BIOS+IPL
- OS is hard to handle -> not handled

40 Questions


ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet IBM PowerSC Security and compliance solution designed to protect virtualised data centres Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance

More information

Guide to Enterprise Patch Management Technologies

Guide to Enterprise Patch Management Technologies NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-40 Revision 3

More information

Digi Device Cloud: Security You Can Trust

Digi Device Cloud: Security You Can Trust Digi Device Cloud: Security You Can Trust Abstract Historically, security has oftentimes been an afterthought or a bolt-on to any engineering product. In today s markets, however, security is taking a

More information

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise 1. Introduction Information security means protecting information

More information

THE AVALANCHE OF VULNERABILITIES

THE AVALANCHE OF VULNERABILITIES THE AVALANCHE OF VULNERABILITIES A PERSPECTIVE Mike Ahmadi Global Director of Critical Systems Security, Codenomicon Ltd @codenomicon UNKNOWN VULNERABILITIES ARE BAD KNOWN VULNERABILITIES ARE A HUGE PROBLEM

More information

Building an Effective

Building an Effective Building an Effective Cloud Security Program Becky Swain Co-Founder/Chair, CSA CCM Board Member, CSA Silicon Valley Chapter Partner, EKKO Consulting Marlin Pohlman Co-Chair, CSA CCM Co-Chair/Founder, CSA

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

CLOUD COMPUTING READINESS CHECKLIST

CLOUD COMPUTING READINESS CHECKLIST CLOUD COMPUTING READINESS VOLKER RATH VOLKER RATH 1 CONTENTS HOW SHOULD THIS GUIDE BE USED? 2 WILL MY COMPANY BENEFIT FROM 2 TRANSITIONING SERVICES TO THE CLOUD? CLOUD READINESS OVERVIEW 3 SECURITY CONCERNS

More information

Towards security management in the cloud utilizing SECaaS

Towards security management in the cloud utilizing SECaaS Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC jan.meszaros@vse.cz

More information

Realities of Private Cloud Security

Realities of Private Cloud Security SESSION ID: CSV-F03 Realities of Private Cloud Security Scott Carlson PayPal @relaxed137 PayPal Cloud & Software Defined Data Center VIRTUAL Cloud Design Principals, traditional Data Center Deploy from

More information

With Eversync s cloud data tiering, the customer can tier data protection as follows:

With Eversync s cloud data tiering, the customer can tier data protection as follows: APPLICATION NOTE: CLOUD DATA TIERING Eversync has developed a hybrid model for cloud-based data protection in which all of the elements of data protection are tiered between an on-premise appliance (software

More information

Cloud Architecture and Management. M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom

Cloud Architecture and Management. M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom Cloud Architecture and Management M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom Cloud Computing Architecture Reference Architecture, Terminology and Definitions Akaza Cloud Architecture

More information

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance

More information

Automating Compliance with Security Content Automation Protocol

Automating Compliance with Security Content Automation Protocol Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology Agenda Information Security Current State Security Content Automation Protocol

More information

HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps

HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps WHITE PAPER HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps Summary Summary Compliance with PCI, HIPAA, FISMA, EU, and other regulations is as critical in virtualized

More information

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014 Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Index. BIOS rootkit, 119 Broad network access, 107

Index. BIOS rootkit, 119 Broad network access, 107 Index A Administrative components, 81, 83 Anti-malware, 125 ANY policy, 47 Asset tag, 114 Asymmetric encryption, 24 Attestation commercial market, 85 facts, 79 Intel TXT conceptual architecture, 85 models,

More information

Cloud Security Certification

Cloud Security Certification Cloud Security Certification January 21, 2015 1 Agenda 1. What problem are we solving? 2. Definitions (Attestation vs Certification) 3. Cloud Security Responsibilities and Risk Exposure 4. Who is responsible

More information

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Critical Infrastructure Security: The Emerging Smart Grid Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Overview Assurance & Evaluation Security Testing Approaches

More information

Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments

Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Nicolae Paladi 1, Christian Gehrmann 1, Mudassar Aslam 1, and Fredric Morenius 2 1 Swedish Institute of Computer Science, Kista,

More information

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective

More information

Capturing the New Frontier:

Capturing the New Frontier: Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings

More information

Dispelling the Myths about Cloud Computing Security

Dispelling the Myths about Cloud Computing Security Dispelling the Myths about Cloud Computing Security security is no longer an hinderance to the cloud! Leo F. Howell, CISSP CISA CCSK Knowledge MYTH we are all talking about the same cloud Discussion cloud

More information

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014 IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security

More information

Enterprise Cloud Use Cases and Security Considerations

Enterprise Cloud Use Cases and Security Considerations Enterprise Cloud Use Cases and Security Considerations Carson Sweet! CEO, CloudPassage! For This Discussion We re talking about cloud infrastructure! Cloud-oriented infrastructure delivery Infrastructure

More information

Symantec Control Compliance Suite Standards Manager

Symantec Control Compliance Suite Standards Manager Symantec Control Compliance Suite Standards Manager Automate Security Configuration Assessments. Discover Rogue Networks & Assets. Harden the Data Center. Data Sheet: Security Management Control Compliance

More information

S24 Virtualiza.on Security from the Auditor Perspec.ve

S24 Virtualiza.on Security from the Auditor Perspec.ve S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust

More information

Global Efforts to Secure Cloud Computing

Global Efforts to Secure Cloud Computing April 2012 Global Efforts to Secure Cloud Computing Jim Reavis Executive Director Cloud: ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart Mobility: Compute

More information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription

More information

ASV Scan Report Attestation of Scan Compliance

ASV Scan Report Attestation of Scan Compliance ASV Scan Report Attestation of Scan Compliance Scan Customer Information Company: David S. Marcus, Ph. D Approved Scanning Vendor Information Company: ComplyGuard Networks Contact: Contact: Support Tel:

More information

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, 2011. Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc.

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, 2011. Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc. Deep Security Προστατεύοντας Server Farm Available Aug 30, 2011 Σωτήρης Δ. Σαράντος Σύμβουλος Δικτυακών Λύσεων Copyright 2011 Trend Micro Inc. Legacy Security Hinders Datacenter Consolidation Physical

More information

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group TNC: Open Standards for Network Security Automation Copyright 2010 Trusted Computing Group Agenda Introduce TNC and TCG Explanation of TNC What problems does TNC solve? How does TNC solve those problems?

More information

Cloud Computing. Report No. OIG-AMR-74-14-03. UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.

Cloud Computing. Report No. OIG-AMR-74-14-03. UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General. UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General Cloud Computing Report No. OIG-AMR-74-14-03 October 21, 2014 CONTENTS EXECUTIVE SUMMARY... 1 BACKGROUND... 2 OBJECTIVE,

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secunia Vulnerability Intelligence Manager (VIM) 4.0 Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading

More information

CDM Vulnerability Management (VUL) Capability

CDM Vulnerability Management (VUL) Capability CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation

More information

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing Stefan Berger Joint work with: Kenneth Goldman, Dimitrios Pendarakis, David Safford, Mimi Zohar IBM T.J. Watson Research Center 09/21/2011

More information

Compliance for Cloud and Virtualized Environments

Compliance for Cloud and Virtualized Environments Compliance for Cloud and Virtualized Environments White Paper Using 5nine Cloud Security to Meet PCI DSS v3.0 Compliance Authored By: Morgan Holm VP of Product Management at 5nine Software Dr. Konstantin

More information

2011 Cloud Security Alliance, Inc. All rights reserved.

2011 Cloud Security Alliance, Inc. All rights reserved. Vast Landscape of Cloud Standards Development Organizations (SDOs) 2 4 Mission Statement (Non-Profit) Promote common level of understanding Consumers Providers Security Requirements Attestation of Assurance

More information

Property Based TPM Virtualization

Property Based TPM Virtualization Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix

More information

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows

More information

A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software

A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software 1 Mi Young Park, *2 Yang Mi Lim 1, First Author Science and Technology Policy Institute,ollive@stepi.re.kr

More information

Trust in the Cloud. Microsoft Azure

Trust in the Cloud. Microsoft Azure Trust in the Cloud Ovidiu Pismac MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront Microsoft Romania ovidiup@microsoft.com Technology trends: driving cloud adoption

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot

More information

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS

More information

HW (Fat001) TPM. Figure 1. Computing Node

HW (Fat001) TPM. Figure 1. Computing Node 1. Overview Two major components exist in our current prototype systems: the management node, including the Cloud Controller, Cluster Controller, Walrus and EBS, and the computing node, i.e. the Node Controller

More information

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Dr. Sarbari Gupta sarbari@electrosoft-inc.com 703-437-9451 ext 12 Cloud Standards Customer Council (CSCC) Cloud Privacy Summit Electrosoft

More information

Cloud Essentials for Architects using OpenStack

Cloud Essentials for Architects using OpenStack Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing

More information

1.1.1 Introduction to Cloud Computing

1.1.1 Introduction to Cloud Computing 1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the

More information

Continuous Monitoring

Continuous Monitoring Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski Tina.Kuligowski@Securible.com Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP 800-37r1, 800-53) OMB Memorandums

More information

Audit My OpenStack Cloud!!

Audit My OpenStack Cloud!! Audit My OpenStack Cloud!! Prabhakar Attaluri, IBM Distinguished Engineer, CTO Vinod Chavan, Cloud Executive Wednesday, August 12, 2015: 04:30 PM - 05:30 PM, Dolphin, Southern Hemisphere 3 Insert Custom

More information