Realizing Trusted Clouds


1 Realizing Trusted Clouds with Trusted Computing and SCAP
SICS Security Seminar, April 08, 2014
Mudassar Aslam (Researcher, PhD Student), Security Lab (SEC Lab)

2 Outline
- Cloud Computing
- Trusted Clouds
- Cloud Audit & Certification
- Problems in existing approaches
- Solutions
- Challenges and Summary
[SEC Lab] 2 /39

3 Cloud Computing
+ Cost effective
+ Dynamic
+ Resource elasticity
- Security
  - Technical
  - Legal
  - Operational
  - ...

6 Lack of Visibility / Transparency
The cloud infrastructure is managed by the CSP; the customer cannot see the internal details:
- Data security / location
- Identity & access management
- Cloud platform integrity (applications and their settings)
Result: the cloud service cannot be trusted

7 What is a Correct Platform?
- Correct software stack: BIOS, bootloader, OS, applications, etc.
- Correct configuration of every piece of software: SELinux enforcing, firewall configuration, etc.
What is a secure platform configuration? It differs from scenario to scenario. Examples:
- Payment Card Industry -> PCI DSS
- Health Insurance Portability and Accountability Act -> HIPAA
- Federal Information Security Management Act -> FISMA
- many others...

8 Audit & Certification
- Audit by a trusted third party
- Evaluation of the implemented security controls (e.g. NIST SP A in FISMA)
- Compared against defined security requirements (e.g. NIST SP in FISMA)
- Certification given to the organization
Example: Federal Risk and Authorization Management Program (FedRAMP)
- Cloud customer: federal agencies (government departments)
- Cloud provider: any public provider (e.g. Amazon)
- Trusted third party: FedRAMP-approved 3PAOs

9 Shortcomings of existing approaches
- Scheduled over months (quarterly, biannual, etc.)
- Incomplete (only a subset is verified)
- Vulnerable to new exploits

12 Audit & Certification: what is needed, against the shortcoming of existing approaches it addresses
- Frequent & random                    <- scheduled over months (quarterly, biannual, etc.)
- Platform-level certification         <- incomplete (only a subset is verified)
- Continuous vulnerability management  <- vulnerable to new exploits

13 Cloud Security Alliance
"CSA STAR Continuous will be based on a continuous auditing & assessment of relevant security properties"
"CSA STAR Continuous is currently under development and the target date of delivery is 2015"
Source: https://cloudsecurityalliance.org/star/continuous/

16 Towards Solutions
Summing up the requirements:
Trustworthy (IaaS) cloud -> integrity of the cloud platform -> check the correctness of the platform -> software stack + software configuration
Solution properties:
- Automated assessment
- Continuous audit -> platform certification
- Remote platforms
=> Automated Security Assessment & Auditing of Remote Platforms (ASArP)

17 Approach
Remotely certify the correctness of a remote platform by:
- verifying the integrity of the software stack (i.e. only approved/known software is present), and
- verifying that every piece of software is configured correctly.

18 Remote Platform Verification
A three-phase remote platform verification, assessment and certification solution:
- Phase I: traditional remote attestation
- Phase II: assess the platform for known vulnerabilities
- Phase III: check software configurations

19 Phase I: Software Stack Integrity (figure: attestation exchange between the Remote Verifier and the Target Platform)
Parties:
- Software vendor: publishes Hash(SW) reference measurements to the Reference Measurements Database used by the trusted Remote Verifier
- Remote Verifier (RV), trusted: also holds a Local Reference Measurements DB and a complementary whitelist (drivers, libraries, proprietary software)
- Target Platform (TP): Mgt, ST (SCAP tool), hypervisor, hardware/CPU, TPM
Exchange:
1. RV -> TP: Attestation Request (nonce N) + Bindkey Request
2. TP -> RV: Integrity Report (TPM_Quote, IML) + Bindkey (PublicKey, CertifyInfo)
3. RV: CompareHash(SW) for every entry of the IML against the Reference Measurements Database and against the local DB / complementary whitelist
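The verifier side of the exchange above, as an added example (not code from the talk or the ASArP project): replay the IML against the PCR value carried in TPM_Quote, check the nonce, and compare every measured hash against the reference measurements and the complementary whitelist. It assumes SHA-1 digests and a single PCR, a constructed IMA-like log of (pcr, file hash, path) entries, and that the TPM signature on the quote has already been verified; the simplified log extends the file hash directly, whereas real IMA extends a template hash.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    pcr: int        # PCR the entry was extended into
    file_hash: str  # hex SHA-1 of the loaded software
    path: str


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA1(PCR_old || measurement)."""
    return hashlib.sha1(pcr_value + measurement).digest()


def replay_pcr(log, pcr_index=10) -> str:
    """Recompute a PCR from its reset value by replaying the log in order."""
    pcr = b"\x00" * 20
    for e in log:
        if e.pcr == pcr_index:
            pcr = extend(pcr, bytes.fromhex(e.file_hash))
    return pcr.hex()


def make_quote(nonce: str, log, pcr_index=10) -> dict:
    """Stand-in for TPM_Quote on the target platform: the TPM reports the
    verifier's nonce and the current PCR value (signature omitted here)."""
    return {"nonce": nonce, "pcr": pcr_index, "value": replay_pcr(log, pcr_index)}


def verify_integrity_report(nonce, quote, log, reference_db, whitelist):
    """Return (trusted, problems). The platform is trusted only if the quote
    is fresh, the IML reproduces the quoted PCR (so nothing was removed or
    altered after measurement) and every measured file is known."""
    if quote["nonce"] != nonce:
        return False, ["quote does not carry our nonce (stale or replayed)"]
    if replay_pcr(log, quote["pcr"]) != quote["value"]:
        return False, ["IML does not reproduce the quoted PCR (log altered or truncated)"]
    unknown = [e.path for e in log
               if e.pcr == quote["pcr"]
               and e.file_hash not in reference_db
               and e.file_hash not in whitelist]
    return len(unknown) == 0, unknown


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed stand-ins for file contents, and the databases built from them.
KERNEL = sha1_hex(b"vmlinuz (constructed sample)")
LIBC = sha1_hex(b"libc.so.6 (constructed sample)")
VENDOR_DRIVER = sha1_hex(b"vendor-nic.ko (constructed sample)")
UNKNOWN_MODULE = sha1_hex(b"unlisted-module.ko (constructed sample)")
REFERENCE_DB = {KERNEL, LIBC}       # software vendors' reference measurements
LOCAL_WHITELIST = {VENDOR_DRIVER}   # drivers, libs, proprietary sw added by the local admin


def scenarios():
    """Three reports the verifier may receive; returns their verdicts."""
    nonce = "4e6f6e63652d31"  # constructed nonce N
    clean_log = [LogEntry(10, KERNEL, "/boot/vmlinuz"),
                 LogEntry(10, LIBC, "/lib/libc.so.6"),
                 LogEntry(10, VENDOR_DRIVER, "/lib/modules/vendor-nic.ko")]
    # 1) clean platform, honest report
    honest = verify_integrity_report(nonce, make_quote(nonce, clean_log),
                                     clean_log, REFERENCE_DB, LOCAL_WHITELIST)
    # 2) an unlisted module was loaded (so the TPM extended it), but the IML
    #    handed to the verifier omits that entry: the replayed PCR no longer matches
    full_log = clean_log + [LogEntry(10, UNKNOWN_MODULE, "/tmp/unlisted-module.ko")]
    quote = make_quote(nonce, full_log)
    truncated = verify_integrity_report(nonce, quote, clean_log,
                                        REFERENCE_DB, LOCAL_WHITELIST)
    # 3) same platform, complete IML: the PCR matches, so the unknown entry is reported by path
    reported = verify_integrity_report(nonce, quote, full_log,
                                       REFERENCE_DB, LOCAL_WHITELIST)
    return honest, truncated, reported
```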

20 Phase II: Vulnerability Analysis (figure: data flow into the Remote Verifier)
Inputs:
- Security advisories from security labs, S/W vendors and researchers feed the Public Vulnerability Database (CPE, CVE, CVSS, CCSS)
- The Remote Verifier (RV) keeps a Local Vulnerability Database fed from it, plus the Policy (Software_CVSS)
Steps:
- Step 1: translate the TCG-based software list (from the Phase I integrity report) into a CPE-based software list
- Step 2: look up the SW Vulnerability Status (per CPE) in the Local Vulnerability Database and apply the Policy

21 Phase II: Vulnerability Analysis, SCAP terminology used in the figure
- SCAP: Security Content Automation Protocol
- CPE: Common Platform Enumeration
- CVE: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System
- XCCDF: Extensible Configuration Checklist Description Format
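Steps 1 and 2 of Phase II as an added example (not code from the talk or the ASArP project): bind the attested software list to CPE 2.3 names, look them up in the Local Vulnerability Database and apply the Software_CVSS policy as a CVSS threshold. It assumes the WFN attributes (part, vendor, product, version) arrive with the reference measurement matched in Phase I, that values are already lower-cased and escaped as CPE 2.3 requires, and that the vulnerability entries are constructed placeholders with made-up ids and scores.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Wfn:
    """The four well-formed-name attributes this example uses."""
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str

    def cpe23(self) -> str:
        """CPE 2.3 formatted string; the seven remaining attributes (update,
        edition, language, sw_edition, target_sw, target_hw, other) are ANY."""
        return f"cpe:2.3:{self.part}:{self.vendor}:{self.product}:{self.version}" + ":*" * 7


@dataclass(frozen=True)
class Vuln:
    cve_id: str     # constructed placeholder id, not a real advisory
    cvss: float     # CVSS base score
    cpe_match: str  # CPE 2.3 string naming the affected products


def cpe_matches(pattern: str, cpe: str) -> bool:
    """Component-wise match of a vulnerability's CPE pattern against an
    installed product's CPE: '*' matches anything, a trailing '*' matches a
    prefix (e.g. version '2.4.*'), otherwise the components must be equal."""
    p, c = pattern.split(":"), cpe.split(":")
    if len(p) != len(c):
        return False
    for want, have in zip(p, c):
        if want == "*" or want == have:
            continue
        if want.endswith("*") and have.startswith(want[:-1]):
            continue
        return False
    return True


def assess(software, local_db, max_cvss):
    """Return (compliant, findings); a finding is (cpe, cve_id, cvss) for every
    known vulnerability scored at or above the policy threshold."""
    findings = []
    for sw in software:
        cpe = sw.cpe23()
        for v in local_db:
            if cpe_matches(v.cpe_match, cpe) and v.cvss >= max_cvss:
                findings.append((cpe, v.cve_id, v.cvss))
    return len(findings) == 0, findings


# Constructed Local Vulnerability Database (ids and scores are placeholders).
LOCAL_VULN_DB = [
    Vuln("CVE-0000-0001", 9.3, "cpe:2.3:a:examplevendor:webserver:2.4.*" + ":*" * 7),
    Vuln("CVE-0000-0002", 4.3, "cpe:2.3:a:examplevendor:webserver:2.4.7" + ":*" * 7),
    Vuln("CVE-0000-0003", 7.5, "cpe:2.3:a:examplevendor:agent:0.9" + ":*" * 7),
]

# Constructed CPE-based software list derived from the Phase I TCG-based list.
SOFTWARE_LIST = [
    Wfn("o", "linux", "linux_kernel", "3.13.0"),
    Wfn("a", "examplevendor", "webserver", "2.4.7"),
    Wfn("a", "examplevendor", "agent", "1.0"),
]


def scenario():
    """The same platform under two policies: no vuln scored >= 7.0, and >= 10.0."""
    strict = assess(SOFTWARE_LIST, LOCAL_VULN_DB, 7.0)
    lax = assess(SOFTWARE_LIST, LOCAL_VULN_DB, 10.0)
    return strict, lax
```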

24 Phase III: Configuration Compliance (figure: configuration check exchange)
Inputs: Recommended Configurations (software, hypervisor, OS) from industry standards and government-defined configurations, held by the trusted Remote Verifier together with the Config Policy
Exchange:
1. RV -> TP: Request Configuration Analysis (xccdf checklist)
2. TP: the ST runs Config Analysis (Mgt, Hypervisor) against the xccdf checklist; the TPM signs the compliance report with the bind key
3. TP -> RV: Signed_bindkey(compliance_report)
4. RV: checks the signed report against the Config Policy
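Step 4 of the exchange above as an added example (not code from the talk or the ASArP project): parse the XCCDF TestResult the SCAP tool returns and evaluate it against the verifier's Config Policy. It assumes the bind-key signature on the report has already been verified, and uses a constructed XCCDF 1.2 result with made-up profile and rule ids rather than a real benchmark.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed report, as the ST would return it after running the checklist.
SAMPLE_REPORT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_hypervisor_host_1"
            start-time="2014-04-08T10:00:00" end-time="2014-04-08T10:00:07">
  <profile idref="xccdf_org.example_profile_hypervisor_hardened"/>
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_firewall_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_ssh_root_login"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled"><result>notchecked</result></rule-result>
</TestResult>
"""

# Constructed Config Policy: the profile the verifier asked for and the rules
# that must be satisfied on this platform type.
CONFIG_POLICY = {
    "profile": "xccdf_org.example_profile_hypervisor_hardened",
    "required_rules": {
        "xccdf_org.example_rule_selinux_enforcing",
        "xccdf_org.example_rule_firewall_enabled",
        "xccdf_org.example_rule_ssh_root_login",
        "xccdf_org.example_rule_audit_enabled",
    },
}


def parse_test_result(xml_text):
    """Return (profile_id, {rule_id: result}) from an XCCDF 1.2 TestResult."""
    root = ET.fromstring(xml_text)
    if root.tag != XCCDF_NS + "TestResult":
        raise ValueError("not an XCCDF TestResult: " + root.tag)
    profile = root.find(XCCDF_NS + "profile")
    profile_id = profile.get("idref") if profile is not None else None
    results = {}
    for rr in root.findall(XCCDF_NS + "rule-result"):
        res = rr.find(XCCDF_NS + "result")
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = text
    return profile_id, results


def evaluate(xml_text, policy):
    """Apply the Config Policy. 'pass' satisfies a rule and 'notapplicable' is
    accepted because the checklist decided the rule does not apply to this
    host; everything else (fail, error, unknown, notchecked, notselected, or a
    required rule missing from the report) is a finding, as is a report for
    a profile other than the one requested."""
    profile_id, results = parse_test_result(xml_text)
    findings = {}
    if profile_id != policy["profile"]:
        findings["<profile>"] = f"report is for {profile_id!r}, policy requires {policy['profile']!r}"
    for rule in sorted(policy["required_rules"]):
        outcome = results.get(rule, "missing")
        if outcome not in ("pass", "notapplicable"):
            findings[rule] = outcome
    return len(findings) == 0, findings


def scenario():
    return evaluate(SAMPLE_REPORT, CONFIG_POLICY)
```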

27 ASArP: Automated Security Assessment & Audit of Remote Platforms (architecture figure)
- Software vendor: Software WFN including SHA1 -> Reference Measurements Database
- Security labs, S/W vendors, researchers: security advisories -> Public Vulnerability Database (CPE, CVE, CVSS, CCSS) -> over the Internet into the Local Vulnerability Database at the Remote Verifier
- Industry standards and government-defined configurations -> Recommended Platform Configurations
- Remote Verifier (auditor, platform certification authority, etc.): holds the Local Vulnerability Database, the Recommended Platform Configurations and the Policy; outcome: platform Certified / Trusted
- Target Platform: Mgt, ST (ST: SCAP Tool), hypervisor, hardware/CPU, TPM; the Local Admin maintains the Local Reference Measurements DB and the complementary whitelist (drivers, lib, proprietary sw)
- Phase I: Software Stack Integrity; Phase II: Software Stack Vulnerability Assessment; Phase III: Software Configuration Compliance
Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2013), Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques. In: The 6th International Conference on Security of Information and Networks, November 26-28, 2013, Aksaray/Turkey

28 ASArP (same architecture figure, with the platform certificate issued by the Remote Verifier added):
{ TT ID, P d ID, Profile, PK_Bind, Time } Sign_TTP
Reference as on slide 27: Aslam, Gehrmann and Björkman (2013), SIN 2013.

29 Platform Certificate (uses)
The certificate { TT ID, P d ID, Profile, PK_Bind, Time } Sign_TTP is used in:
- Aslam, Mudassar and Gehrmann, Christian and Rasmusson, Lars and Björkman, Mats (2012), Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud. In: International Conference on Cloud Computing and Services Science, CLOSER 2012, April 2012, Porto, Portugal.
- Paladi, Nicolae and Gehrmann, Christian and Aslam, Mudassar and Morenius, Fredric (2013), Trusted Launch of Virtual Machine Instances in Public IaaS Environments. In: 15th Annual International Conference on Information Security and Cryptology, Nov 2012, Seoul, Korea.
- Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2012), Security and Trust Preserving Migrations in Public Clouds. In: The 2nd IEEE International Symposium on Trust and Security in Cloud Computing, in conjunction with IEEE TrustCom-12, June 2012, Liverpool, UK.

31-34 ASArP implementation (the architecture figure of slide 27, annotated with the components used in the implementation)
- Phase I (Software Stack Integrity), target platform side: TPM chip, TCG-compliant BIOS, GRUB-IMA, Linux IMA, TrouSerS
- Phase II (Software Stack Vulnerability Assessment): MongoDB and cve-search for the vulnerability database
- Phase III (Software Configuration Compliance): Enhanced SCAP Editor (escape), Open SCAP (oscap)
Reference as on slide 27: Aslam, Gehrmann and Björkman (2013), SIN 2013.
36 Configuration Compliance (figure only)

37 Performance results (figure only)

38 Achievements (in general)
- Trusted cloud platforms
- Platform-level certification
- CSA STAR Continuous implementation proposal
- TCG-SCAP synergy:
  - Use of SCAP promises better ways to interpret TPM integrity reports when assessing the platform security status
  - Use of the TPM promises better assurances about the SCAP analysis and its results

39 Challenges and Summary
- The TCG integrity report does not map directly onto the SCAP framework; no standard implementation/deployment exists
- Sealing anything to the runtime state is not practical; current proposals only use BIOS + IPL
- The OS is hard to handle -> not handled

40 Questions


More information

Dispelling the Myths about Cloud Computing Security

Dispelling the Myths about Cloud Computing Security Dispelling the Myths about Cloud Computing Security security is no longer an hinderance to the cloud! Leo F. Howell, CISSP CISA CCSK Knowledge MYTH we are all talking about the same cloud Discussion cloud

More information

Security Information and Event Management

Security Information and Event Management Security Information and Event Management sponsored by: ISSA Web Conference April 26, 2011 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London Welcome Conference Moderator Phillip H. Griffin ISSA

More information

Digi Device Cloud: Security You Can Trust

Digi Device Cloud: Security You Can Trust Digi Device Cloud: Security You Can Trust Abstract Historically, security has oftentimes been an afterthought or a bolt-on to any engineering product. In today s markets, however, security is taking a

More information

Cloud Audit and Cloud Trust Protocol. By David Lingenfelter 2011

Cloud Audit and Cloud Trust Protocol. By David Lingenfelter 2011 Cloud Audit and Cloud Trust Protocol By David Lingenfelter 2011 Background > MaaS360 SaaS Cloud Model > Mobile Device Management > FISMA Moderate Certified > SAS-70/SOC-2 Cloud Adoption Obstacles Planning

More information

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015 For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6

More information

Building an Effective

Building an Effective Building an Effective Cloud Security Program Becky Swain Co-Founder/Chair, CSA CCM Board Member, CSA Silicon Valley Chapter Partner, EKKO Consulting Marlin Pohlman Co-Chair, CSA CCM Co-Chair/Founder, CSA

More information

Property Based TPM Virtualization

Property Based TPM Virtualization Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix

More information

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance

More information

Towards security management in the cloud utilizing SECaaS

Towards security management in the cloud utilizing SECaaS Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC jan.meszaros@vse.cz

More information

Cloud Architecture and Management. M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom

Cloud Architecture and Management. M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom Cloud Architecture and Management M.I. Deen General Manager (Enterprise Solutions) Sri Lanka Telecom Cloud Computing Architecture Reference Architecture, Terminology and Definitions Akaza Cloud Architecture

More information

Robert Brammer. Senior Advisor to the Internet2 CEO rfbtech@internet2.edu. Internet2 NET+ Security Assessment Forum. 8 April 2014

Robert Brammer. Senior Advisor to the Internet2 CEO rfbtech@internet2.edu. Internet2 NET+ Security Assessment Forum. 8 April 2014 Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014 INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to

More information

Guide to Enterprise Patch Management Technologies

Guide to Enterprise Patch Management Technologies NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-40 Revision 3

More information

Trusted Launch of Virtual Machine Instances in Public IaaS Environments

Trusted Launch of Virtual Machine Instances in Public IaaS Environments Trusted Launch of Virtual Machine Instances in Public IaaS Environments Nicolae Paladi 1, Christian Gehrmann 1, Mudassar Aslam 1, and Fredric Morenius 2 1 Swedish Institute of Computer Science, Stockholm,

More information

STIGs,, SCAP and Data Metrics

STIGs,, SCAP and Data Metrics Defense Information Systems Agency A Combat Support Agency STIGs,, SCAP and Data Metrics Roger S. Greenwell, CISSP, CISA, CISM Technical Director / Capabilities Implementation Division DISA Field Security

More information

IIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc.

IIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc. IIA Conference September 18, 2015 Paige Needling Director, Global Information Security Recall, Inc. IT SECURITY UMBRELLA Compliance for IT Data Privacy Protection Privacy Risk Assessment Vulnerability

More information

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective

More information

Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments

Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Nicolae Paladi 1, Christian Gehrmann 1, Mudassar Aslam 1, and Fredric Morenius 2 1 Swedish Institute of Computer Science, Kista,

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Enterprise Cloud Use Cases and Security Considerations

Enterprise Cloud Use Cases and Security Considerations Enterprise Cloud Use Cases and Security Considerations Carson Sweet! CEO, CloudPassage! For This Discussion We re talking about cloud infrastructure! Cloud-oriented infrastructure delivery Infrastructure

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

Global Efforts to Secure Cloud Computing

Global Efforts to Secure Cloud Computing April 2012 Global Efforts to Secure Cloud Computing Jim Reavis Executive Director Cloud: ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart Mobility: Compute

More information

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secunia Vulnerability Intelligence Manager (VIM) 4.0 Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading

More information

CLOUD COMPUTING READINESS CHECKLIST

CLOUD COMPUTING READINESS CHECKLIST CLOUD COMPUTING READINESS VOLKER RATH VOLKER RATH 1 CONTENTS HOW SHOULD THIS GUIDE BE USED? 2 WILL MY COMPANY BENEFIT FROM 2 TRANSITIONING SERVICES TO THE CLOUD? CLOUD READINESS OVERVIEW 3 SECURITY CONCERNS

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

Cloud Security Certification

Cloud Security Certification Cloud Security Certification January 21, 2015 1 Agenda 1. What problem are we solving? 2. Definitions (Attestation vs Certification) 3. Cloud Security Responsibilities and Risk Exposure 4. Who is responsible

More information

Symantec Control Compliance Suite Standards Manager

Symantec Control Compliance Suite Standards Manager Symantec Control Compliance Suite Standards Manager Automate Security Configuration Assessments. Discover Rogue Networks & Assets. Harden the Data Center. Data Sheet: Security Management Control Compliance

More information

Building Trust in Global Cloud Computing Systems

Building Trust in Global Cloud Computing Systems Building Trust in Global Cloud Computing Systems Jim Reavis, CEO & Founder Cloud Security Alliance Global, not-for-profit organization Building security best practices for next generation IT Research and

More information

Capturing the New Frontier:

Capturing the New Frontier: Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

Realities of Private Cloud Security

Realities of Private Cloud Security SESSION ID: CSV-F03 Realities of Private Cloud Security Scott Carlson PayPal @relaxed137 PayPal Cloud & Software Defined Data Center VIRTUAL Cloud Design Principals, traditional Data Center Deploy from

More information

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, 2011. Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc.

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, 2011. Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc. Deep Security Προστατεύοντας Server Farm Available Aug 30, 2011 Σωτήρης Δ. Σαράντος Σύμβουλος Δικτυακών Λύσεων Copyright 2011 Trend Micro Inc. Legacy Security Hinders Datacenter Consolidation Physical

More information

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot

More information

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Brochure More information from http://www.researchandmarkets.com/reports/2213812/ Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Description: The auditor's guide to ensuring

More information

Introduction to AWS Security July 2015

Introduction to AWS Security July 2015 Introduction to AWS Security July 2015 Page 1 of 7 Table of Contents Introduction... 3 Security of the AWS Infrastructure... 3 Security Products and Features... 4 Network Security... 4 Inventory and Configuration

More information

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013 SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov

More information

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security PART 1 - COMPLIANCE STANDARDS PART 2 SECURITY IMPACT THEMES BUILD A MODEL THEMES MONITOR FOR FAILURE THEMES DEMONSTRATE

More information

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group TNC: Open Standards for Network Security Automation Copyright 2010 Trusted Computing Group Agenda Introduce TNC and TCG Explanation of TNC What problems does TNC solve? How does TNC solve those problems?

More information

1.1.1 Introduction to Cloud Computing

1.1.1 Introduction to Cloud Computing 1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the

More information

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing Stefan Berger Joint work with: Kenneth Goldman, Dimitrios Pendarakis, David Safford, Mimi Zohar IBM T.J. Watson Research Center 09/21/2011

More information

Compliance for Cloud and Virtualized Environments

Compliance for Cloud and Virtualized Environments Compliance for Cloud and Virtualized Environments White Paper Using 5nine Cloud Security to Meet PCI DSS v3.0 Compliance Authored By: Morgan Holm VP of Product Management at 5nine Software Dr. Konstantin

More information

Automating Compliance with Security Content Automation Protocol

Automating Compliance with Security Content Automation Protocol Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology Agenda Information Security Current State Security Content Automation Protocol

More information

NIST Cloud Computing Security Reference Architecture (SP 500-299 draft)

NIST Cloud Computing Security Reference Architecture (SP 500-299 draft) NIST Cloud Computing Security Reference Architecture (SP 500-299 draft) NIST Cloud Computing Security Working Group Dr. Michaela Iorga, NIST Senior Security Technical Lead for Cloud Computing Chair, NIST

More information

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Critical Infrastructure Security: The Emerging Smart Grid Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Overview Assurance & Evaluation Security Testing Approaches

More information

HW (Fat001) TPM. Figure 1. Computing Node

HW (Fat001) TPM. Figure 1. Computing Node 1. Overview Two major components exist in our current prototype systems: the management node, including the Cloud Controller, Cluster Controller, Walrus and EBS, and the computing node, i.e. the Node Controller

More information

Cloud Computing Technology

Cloud Computing Technology Cloud Computing Technology The Architecture Overview Danairat T. Certified Java Programmer, TOGAF Silver danairat@gmail.com, +66-81-559-1446 1 Agenda What is Cloud Computing? Case Study Service Model Architectures

More information

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014 Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability

More information

Cloud Computing and the Regulatory Compliance Labyrinth

Cloud Computing and the Regulatory Compliance Labyrinth Cloud Computing and the Regulatory Compliance Labyrinth About ERM About The Speaker Nick Shuman Information Security Consultant Bachelor of Science in Computer Science and Psychology - University of Miami

More information

Symantec's Continuous Monitoring Solution

Symantec's Continuous Monitoring Solution Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Cloud Essentials for Architects using OpenStack

Cloud Essentials for Architects using OpenStack Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing

More information

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011 A Strawman Model NIST Cloud Computing Reference Architecture and Taxonomy Working Group January 3, 2011 Objective Our objective is to define a neutral architecture consistent with NIST definition of cloud

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

WHY we left. Amazon Web Services for. Regulatory Compliance Improved Efficiency NO SURPRISES. Why We Left Amazon Web Services 1

WHY we left. Amazon Web Services for. Regulatory Compliance Improved Efficiency NO SURPRISES. Why We Left Amazon Web Services 1 WHY we left Amazon Web Services for Regulatory Compliance Improved Efficiency NO SURPRISES Why We Left Amazon Web Services 1 Launched in 2005, this mobile payment solutions startup quickly became a worldwide

More information

Cloud Services Overview

Cloud Services Overview Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture

More information

Trusted Geolocation in The Cloud Technical Demonstration

Trusted Geolocation in The Cloud Technical Demonstration Trusted Geolocation in The Cloud Technical Demonstration NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation Trusted Geolocation in the Cloud Business Business

More information

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014 Cloud Security Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014 Agenda Introduction Security Assessment for Cloud Secure Cloud Infrastructure

More information

Trust in the Cloud. Microsoft Azure

Trust in the Cloud. Microsoft Azure Trust in the Cloud Ovidiu Pismac MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront Microsoft Romania ovidiup@microsoft.com Technology trends: driving cloud adoption

More information

S24 Virtualiza.on Security from the Auditor Perspec.ve

S24 Virtualiza.on Security from the Auditor Perspec.ve S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information