Realizing Trusted Clouds
Slide 1: Realizing Trusted Clouds with Trusted Computing and SCAP
SICS Security Seminar, April 08, 2014
Mudassar Aslam (Researcher, PhD Student), Security LAB (SEC Lab)

Slide 2: Outline
- Cloud Computing
- Trusted Clouds
- Cloud Audit & Certification
- Problems in existing approaches
- Solutions
- Challenges and Summary
[SEC Lab] 2 /39

Slide 3: Cloud Computing
+ Cost Effective
+ Dynamic
+ Resource Elasticity
- Security
- Technical
- Legal
- Operational
- ...

Slides 4-6: Lack of Visibility / Transparency
- The Cloud Infrastructure is managed by the CSP; the cloud customer cannot see the internal details:
  - Data Security/Location
  - Identity & Access Management
  - Cloud Platform Integrity (applications and their settings)
- Result: Cannot Trust Cloud Service

Slide 7: What is a Correct Platform?
- Correct Software Stack: BIOS, Bootloader, OS, Applications, etc.
- Correct Configuration of every software: SELinux enforcing, Firewall config., etc.
What is a Secure Platform Configuration?
- Different for different scenarios. Examples:
  - Payment Card Industry -> PCI DSS
  - Health Insurance Portability and Accountability Act -> HIPAA
  - Federal Information Security Management Act -> FISMA
  - many others...

Slide 8: Audit & Certification
- Audit by a Trusted Third Party
  - Evaluation of implemented security controls (e.g. NIST SP A in FISMA)
  - Compared against defined Security Requirements (e.g. NIST SP in FISMA)
  - Certification given to the organization
- Example: Federal Risk and Authorization Management Program (FedRAMP)
  - Cloud: Federal Agencies (Govt. Dept.)
  - Cloud Provider: Any Public Provider (e.g. Amazon)
  - Trusted Third Party: FedRAMP approved 3PAOs

Slides 9-12: Shortcomings of existing approaches
- Scheduled over months (quarterly, biannual, etc.)
- Incomplete (only a subset is verified)
- Vulnerable to new exploits
Slides 10-12 build up the properties Audit & Certification needs instead:
- Frequent & Random
- Platform Level Certification
- Continuous Vulnerability management

Slides 13-15: Cloud Security Alliance
- CSA STAR Continuous will be based on a continuous auditing & assessment of relevant security properties
- CSA STAR Continuous is currently under development and the target date of delivery is 2015
- Source: (URL not preserved in the transcription)

Slide 16: Towards Solutions
Summing up the requirements:
- Trustworthy (IaaS) Cloud -> Integrity of Cloud Platform -> Check Correctness of the Platform -> Software Stack + Software Configuration
Solution properties:
- Automated Assessment
- Continuous audit -> Platform Certification
- Remote Platforms
=> Automated Security Assessment & Auditing of Remote Platforms (ASArP)

Slide 17: Approach
- Verify the Software Stack Integrity (i.e. only approved/known software)
- Verify that every software is Configured correctly
=> Remotely Certify the Correctness of a Remote Platform

Slide 18: Remote Platform Verification
A three-phase remote platform verification, assessment and certification solution:
- Phase-I: Traditional Remote Attestation
- Phase-II: Assess platform for known vulnerabilities
- Phase-III: Check software configurations

Slide 19: Phase-I: Software Stack Integrity (diagram)
- Software Vendor publishes Hash(SW) into the Reference Measurements Database
- Trusted Remote Verifier (RV) -> Target Platform (TP): Attestation Request (N) + Bindkey Request
- TP (Mgt, ST, Local Reference Measurements DB, Hypervisor, Hardware/CPU, TPM) -> RV: Integrity Report (TPM_Quote, IML) + Bindkey (PublicKey, CertifyInfo)
- RV performs CompareHash(SW) against the Reference Measurements Database; the TP's Local Reference Measurements DB supports the same CompareHash(SW) locally
- Complementary Whitelist (drivers, lib, proprietary sw) supplements the vendor reference measurements

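The verifier side of Phase-I, written here as an added example (this is not the ASArP implementation or code from the talk): the IML is replayed against the PCR value carried in the quote, and every measured hash is looked up in the reference measurements database and the complementary whitelist. The code assumes a simplified per-entry digest (SHA-1 over the file hash and the path, not the exact IMA template encoding), PCR 10 as the measurement register, and that the TPM_Quote signature over the PCR and nonce N was already verified with the platform's attestation key; all hashes and paths are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Added example, not ASArP project code. Assumptions: PCR 10 is replayed, the
# per-entry digest is a simplified SHA-1 over (file hash || path) rather than the
# exact IMA template encoding, and the TPM_Quote signature over (PCR, nonce N)
# has already been verified with the platform's attestation key.

@dataclass(frozen=True)
class ImlEntry:
    pcr: int        # PCR index the entry was extended into
    file_hash: str  # hex SHA-1 of the measured file content
    path: str       # path of the measured binary, library or config file

def entry_digest(entry: ImlEntry) -> bytes:
    """Digest that was extended into the PCR for this entry (simplified, see above)."""
    return hashlib.sha1(bytes.fromhex(entry.file_hash) + entry.path.encode()).digest()

def replay_pcr(iml, pcr_index: int = 10) -> str:
    """Recompute the PCR from the log: PCR = SHA1(PCR || digest) for each entry."""
    pcr = bytes(20)  # PCRs start at all zeros after platform reset
    for entry in iml:
        if entry.pcr == pcr_index:
            pcr = hashlib.sha1(pcr + entry_digest(entry)).digest()
    return pcr.hex()

def verify_integrity_report(iml, quoted_pcr: str, reference_db, whitelist, pcr_index=10):
    """Phase-I check as the remote verifier does it:
    1. the IML must replay to the PCR value inside the quote (log not modified);
    2. every measured hash must be known from the vendor reference measurements
       database or the complementary whitelist (only approved/known software ran)."""
    pcr_ok = replay_pcr(iml, pcr_index) == quoted_pcr.lower()
    known = set(reference_db) | set(whitelist)
    unknown = [e.path for e in iml if e.pcr == pcr_index and e.file_hash not in known]
    return {"pcr_ok": pcr_ok, "unknown": unknown, "trusted": pcr_ok and not unknown}

# --- constructed sample data (not real measurements) ---------------------------
def _h(content: bytes) -> str:
    return hashlib.sha1(content).hexdigest()

REFERENCE_DB = {_h(b"grub-core-v1"): "grub", _h(b"vmlinuz-v1"): "linux-kernel"}
WHITELIST = {_h(b"proprietary-nic-driver"): "vendor-nic.ko"}
SAMPLE_IML = [
    ImlEntry(10, _h(b"grub-core-v1"), "/boot/grub/core.img"),
    ImlEntry(10, _h(b"vmlinuz-v1"), "/boot/vmlinuz"),
    ImlEntry(10, _h(b"proprietary-nic-driver"), "/lib/modules/vendor-nic.ko"),
]
# Same log with one additional measurement that no reference source knows about.
EXTENDED_IML = SAMPLE_IML + [ImlEntry(10, _h(b"unlisted-module"), "/lib/modules/unlisted.ko")]

if __name__ == "__main__":
    quote = replay_pcr(SAMPLE_IML)  # stands in for the PCR value inside TPM_Quote
    print(verify_integrity_report(SAMPLE_IML, quote, REFERENCE_DB, WHITELIST))
    print(verify_integrity_report(EXTENDED_IML, quote, REFERENCE_DB, WHITELIST))
```

The two failure modes the verifier distinguishes are worth keeping apart in reports: a log that does not replay to the quoted PCR means the IML was altered after measurement, while a log that replays correctly but contains an unknown hash means genuinely measured but unapproved software ran. Both fail the check.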
Slides 20-23: Phase-II: Vulnerability Analysis (diagram)
- Security Labs, S/W Vendors and Researchers issue Security Advisories that feed the Public Vulnerability Database (CPE, CVE, CVSS, CCSS)
- The Remote Verifier (RV) keeps a Local Vulnerability Database fed from the public one
- Step 1: TCG based Software List -> CPE based Software List
- Step 2: SW Vulnerability Status (CPE) -> Policy (Software_CVSS)
SCAP terms used:
- SCAP: Security Content Automation Protocol
- CPE: Common Platform Enumeration
- CVE: Common Vulnerability Exposure
- CVSS: Common Vulnerability Scoring System
- XCCDF: Extensible Configuration Checklist Description Format

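The two steps of Phase-II as an added Python example (not the ASArP implementation and not cve-search code): Step 1 turns the hash list that survived Phase-I into CPE 2.3 names, Step 2 looks those names up in a local vulnerability database and applies a maximum-CVSS policy. It assumes the reference measurements database stores a CPE well-formed name (WFN) beside each SHA-1, as slide 27's "Software WFN including SHA1" suggests; the hashes, CVE identifiers and scores below are constructed placeholders.

```python
from dataclasses import dataclass

# Added example, not ASArP or cve-search code. Assumptions: the reference
# measurements database maps each SHA-1 to a CPE well-formed name; the local
# vulnerability database is a list of records keyed by CPE 2.3 string with a
# placeholder CVE id and a CVSS base score; the policy is a maximum tolerated CVSS.

@dataclass(frozen=True)
class Wfn:
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str

def to_cpe23(wfn: Wfn) -> str:
    """Bind a WFN to a CPE 2.3 formatted string (13 colon-separated fields)."""
    return f"cpe:2.3:{wfn.part}:{wfn.vendor}:{wfn.product}:{wfn.version}:*:*:*:*:*:*:*"

def tcg_list_to_cpe_list(measured_hashes, reference_db):
    """Step 1: TCG based software list (hashes from the verified IML) ->
    CPE based software list. Hashes without a WFN cannot be assessed and are
    returned separately so the verifier can flag them."""
    cpes, unmapped = [], []
    for h in measured_hashes:
        wfn = reference_db.get(h)
        if wfn is None:
            unmapped.append(h)
        else:
            cpes.append(to_cpe23(wfn))
    return cpes, unmapped

def vulnerability_status(cpes, vuln_db):
    """Step 2: look each CPE up in the local vulnerability database and keep the
    highest CVSS base score per software (the slide's Software_CVSS)."""
    status = {}
    for cpe in cpes:
        hits = [rec for rec in vuln_db if rec["cpe"] == cpe]
        status[cpe] = {"cves": [r["cve"] for r in hits],
                       "max_cvss": max((r["cvss"] for r in hits), default=0.0)}
    return status

def apply_policy(status, max_cvss_allowed: float):
    """Policy: Phase-II passes only if no installed software carries a known
    vulnerability scored above the tolerated CVSS value."""
    violations = {cpe: s for cpe, s in status.items() if s["max_cvss"] > max_cvss_allowed}
    return {"pass": not violations, "violations": violations}

# --- constructed sample data (hashes, CVE ids and scores are placeholders) -----
REFERENCE_DB = {
    "aa" * 20: Wfn("a", "example_vendor", "hypervisor", "4.1"),
    "bb" * 20: Wfn("a", "example_vendor", "mgmt_agent", "2.0"),
}
VULN_DB = [
    {"cpe": to_cpe23(REFERENCE_DB["aa" * 20]), "cve": "CVE-0000-0001", "cvss": 9.8},
    {"cpe": to_cpe23(REFERENCE_DB["aa" * 20]), "cve": "CVE-0000-0002", "cvss": 5.0},
    {"cpe": to_cpe23(REFERENCE_DB["bb" * 20]), "cve": "CVE-0000-0003", "cvss": 4.3},
]
MEASURED = ["aa" * 20, "bb" * 20, "cc" * 20]   # "cc..." has no reference entry

def assess_platform(measured=MEASURED, max_cvss_allowed=7.0):
    """Run Step 1 and Step 2 and return the policy decision plus unmapped hashes."""
    cpes, unmapped = tcg_list_to_cpe_list(measured, REFERENCE_DB)
    decision = apply_policy(vulnerability_status(cpes, VULN_DB), max_cvss_allowed)
    decision["unmapped"] = unmapped
    return decision

if __name__ == "__main__":
    print(assess_platform())
```

Unmapped hashes are reported rather than silently dropped: a measurement that Phase-I accepted from the whitelist but that has no CPE name is software whose vulnerability status is simply unknown, which is a different condition from "no known vulnerabilities".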
Slides 24-26: Phase-III: Configuration Compliance (diagram)
- Industry Standard and Govt Defined Config give the Trusted Remote Verifier its Recommended Configurations (software, hypervisor, OS)
- RV -> TP: Request Configuration Analysis (xccdf), carrying the xccdf checklist
- On the Target Platform (TP), the ST (SCAP Tool) runs Config Analysis (Mgt, Hypervisor) under the ST Config Policy
- The TPM signs the compliance report with the bind key: Signed_bindkey(compliance_report)
- TP -> RV: signed report, which the RV compares with the Recommended Configurations

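The verifier's evaluation of the returned report, as an added Python example (not the ASArP implementation, OpenSCAP, or any SCAP editor's code): it parses an XCCDF 1.2 TestResult of the shape that `oscap xccdf eval --results` writes and compares the per-rule results against the set of rules the recommended configuration requires. It assumes the bind-key signature on the report was verified before parsing (that step is not shown), and the report and rule identifiers below are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not ASArP or OpenSCAP code. Assumptions: the target's SCAP tool
# produced an XCCDF 1.2 TestResult, the TPM bind-key signature over it has already
# been checked, and the recommended configuration is a list of rule ids that must pass.

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_RESULT_TAG = "{http://checklists.nist.gov/xccdf/1.2}rule-result"
# Result values that satisfy a required rule. fail, error, unknown, notchecked,
# notselected and informational all count as non-compliant for a required rule.
PASSING = {"pass", "fixed"}

def parse_xccdf_results(xml_text: str):
    """Return {rule idref: result string} from an XCCDF TestResult document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(RULE_RESULT_TAG):
        res = rr.find("x:result", XCCDF_NS)
        results[rr.get("idref")] = res.text.strip() if res is not None and res.text else "unknown"
    return results

def compliance_verdict(results, required_rules):
    """Compare the report against the verifier's recommended configuration.
    A required rule missing from the report is treated as notchecked, so a
    report that silently omits rules cannot pass."""
    failing = []
    for rule in required_rules:
        r = results.get(rule, "notchecked")
        if r == "notapplicable":
            continue          # the rule does not apply to this platform type
        if r not in PASSING:
            failing.append((rule, r))
    return {"compliant": not failing, "failing": failing}

# --- constructed sample report (rule ids are placeholders) ---------------------
SAMPLE_REPORT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_demo">
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_firewall_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_hypervisor_hardening"><result>notapplicable</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
</TestResult>"""

REQUIRED_RULES = [
    "xccdf_org.example_rule_selinux_enforcing",
    "xccdf_org.example_rule_firewall_enabled",
    "xccdf_org.example_rule_hypervisor_hardening",
    "xccdf_org.example_rule_audit_logging",   # required, but absent from the report
]

def check_report(xml_text=SAMPLE_REPORT, required=REQUIRED_RULES):
    """Parse the (already signature-verified) report and decide compliance."""
    return compliance_verdict(parse_xccdf_results(xml_text), required)

if __name__ == "__main__":
    print(check_report())
```

The verdict is taken from the rule-by-rule results rather than from the report's own score element, because the score only summarises the rules the target chose to evaluate; the verifier's list of required rules is what defines the recommended configuration.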
Slides 27-28: ASArP: Automated Security Assessment & Audit of Remote Platforms (overview diagram)
Inputs to the Remote Verifier (Auditor, Platform Certification Authority, etc.):
- Software Vendor: Software WFN including SHA1 -> Reference Measurements Database
- Security Labs, S/W Vendors, Researchers: Security Advisory -> Public Vulnerability Database (CPE, CVE, CVSS, CCSS) -> Local Vulnerability Database
- Industry Standard, Govt Defined Config -> Recommended Platform Configurations
- Policy
Target Platform (managed by a Local Admin, reached over the Internet): Mgt, ST (ST: SCAP Tool), Hypervisor, Hardware/CPU, TPM, Local Reference Measurements DB, Complementary Whitelist (drivers, lib, proprietary sw)
Phases:
- Phase I: Software Stack Integrity
- Phase II: Software Stack Vulnerability Assessment
- Phase III: Software Configuration Compliance
Outcome: the platform is Certified / Trusted and receives a platform certificate { TTP ID, Pd ID, Profile, PK_Bind, Time } signed by the TTP (Sign_TTP)
Reference: Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2013), Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques. In: The 6th International Conference on Security of Information and Networks, November 26-28, 2013, Aksaray/Turkey.

Slides 29-30: Platform Certificate (uses)
Certificate: { TTP ID, Pd ID, Profile, PK_Bind, Time } Sign_TTP
Used in:
- Aslam, Mudassar and Gehrmann, Christian and Rasmusson, Lars and Björkman, Mats (2012), Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud. In: International Conference on Cloud Computing and Services Science, CLOSER 2012, April 2012, Porto, Portugal.
- Paladi, Nicolae and Gehrmann, Christian and Aslam, Mudassar and Morenius, Fredric (2013), Trusted Launch of Virtual Machine Instances in Public IaaS Environments. In: 15th Annual International Conference on Information Security and Cryptology, Nov 2012, Seoul, Korea.
- Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2012), Security and Trust Preserving Migrations in Public Clouds. In: The 2nd IEEE International Symposium on Trust and Security in Cloud Computing, in conjunction with IEEE TrustCom-12, June 2012, Liverpool, UK.

Slides 31-35: ASArP implementation (the overview diagram of slides 27-28, annotated with the components used)
- Target Platform: TPM Chip, TCG Compliant BIOS, GRUB-IMA, Linux IMA, TrouSerS
- Local Vulnerability Database: MongoDB with cve-search
- ST (SCAP Tool): OpenSCAP (oscap)
- Recommended Platform Configurations authored with a SCAP Editor (escape); Enhanced Phase II
- Reference: Aslam, Gehrmann and Björkman (2013), Continuous Security Evaluation and Auditing of Remote Platforms by Combining Trusted Computing and Security Automation Techniques (see slides 27-28)

Slide 36: Configuration Compliance (screenshot only; no text captured)

Slide 37: Performance results (figure only; no text captured)

Slide 38: Achievements (in general)
- Trusted Cloud Platforms
- Platform Level Certification
- CSA STAR Continuous Implementation Proposal
- TCG-SCAP Synergy
  - Use of SCAP promises better ways to interpret TPM integrity reports to assess the platform security status
  - Use of TPM promises better assurances about SCAP analysis and its results

Slide 39: Challenges and Summary
- TCG Integrity Report does not map directly to the SCAP framework
  - no standard implementation/deployment exists
- Sealing anything to the runtime state is not practical
  - current proposals only use BIOS+IPL
  - OS is hard to handle -> not handled

Slide 40: Questions
More informationHyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps
WHITE PAPER HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps Summary Summary Compliance with PCI, HIPAA, FISMA, EU, and other regulations is as critical in virtualized
More informationVulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014
Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability
More informationCloud Security Certification
Cloud Security Certification January 21, 2015 1 Agenda 1. What problem are we solving? 2. Definitions (Attestation vs Certification) 3. Cloud Security Responsibilities and Risk Exposure 4. Who is responsible
More informationIndex. BIOS rootkit, 119 Broad network access, 107
Index A Administrative components, 81, 83 Anti-malware, 125 ANY policy, 47 Asset tag, 114 Asymmetric encryption, 24 Attestation commercial market, 85 facts, 79 Intel TXT conceptual architecture, 85 models,
More informationCloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC
Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications
More informationCapturing the New Frontier:
Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings
More information2011 Cloud Security Alliance, Inc. All rights reserved.
Vast Landscape of Cloud Standards Development Organizations (SDOs) 2 4 Mission Statement (Non-Profit) Promote common level of understanding Consumers Providers Security Requirements Attestation of Assurance
More informationSymantec Control Compliance Suite Standards Manager
Symantec Control Compliance Suite Standards Manager Automate Security Configuration Assessments. Discover Rogue Networks & Assets. Harden the Data Center. Data Sheet: Security Management Control Compliance
More informationContinuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP
Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective
More informationCritical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn
Critical Infrastructure Security: The Emerging Smart Grid Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Overview Assurance & Evaluation Security Testing Approaches
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationDispelling the Myths about Cloud Computing Security
Dispelling the Myths about Cloud Computing Security security is no longer an hinderance to the cloud! Leo F. Howell, CISSP CISA CCSK Knowledge MYTH we are all talking about the same cloud Discussion cloud
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationEnterprise Cloud Use Cases and Security Considerations
Enterprise Cloud Use Cases and Security Considerations Carson Sweet! CEO, CloudPassage! For This Discussion We re talking about cloud infrastructure! Cloud-oriented infrastructure delivery Infrastructure
More informationHow To Protect Virtualized Data From Security Threats
S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust
More informationGlobal Efforts to Secure Cloud Computing
April 2012 Global Efforts to Secure Cloud Computing Jim Reavis Executive Director Cloud: ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart Mobility: Compute
More informationSecunia Vulnerability Intelligence Manager (VIM) 4.0
Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading
More informationASV Scan Report Attestation of Scan Compliance
ASV Scan Report Attestation of Scan Compliance Scan Customer Information Company: David S. Marcus, Ph. D Approved Scanning Vendor Information Company: ComplyGuard Networks Contact: Contact: Support Tel:
More informationTNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group
TNC: Open Standards for Network Security Automation Copyright 2010 Trusted Computing Group Agenda Introduce TNC and TCG Explanation of TNC What problems does TNC solve? How does TNC solve those problems?
More informationCDM Vulnerability Management (VUL) Capability
CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation
More informationCloud Computing. Report No. OIG-AMR-74-14-03. UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.
UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General Cloud Computing Report No. OIG-AMR-74-14-03 October 21, 2014 CONTENTS EXECUTIVE SUMMARY... 1 BACKGROUND... 2 OBJECTIVE,
More informationAutomating Compliance with Security Content Automation Protocol
Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology Agenda Information Security Current State Security Content Automation Protocol
More informationTrusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Nicolae Paladi 1, Christian Gehrmann 1, Mudassar Aslam 1, and Fredric Morenius 2 1 Swedish Institute of Computer Science, Kista,
More informationA Virtualized Linux Integrity Subsystem for Trusted Cloud Computing
A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing Stefan Berger Joint work with: Kenneth Goldman, Dimitrios Pendarakis, David Safford, Mimi Zohar IBM T.J. Watson Research Center 09/21/2011
More informationStrategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security
Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities
More informationSecuring Amazon It s a Jungle Out There
ANALYST BRIEF Securing Amazon It s a Jungle Out There PART 1 CONTROLS AND OPTIONS OFFERED BY AMAZON Author Rob Ayoub Overview Infrastructure as a service (IaaS) is a foundational component of modern cloud
More informationProperty Based TPM Virtualization
Property Based Virtualization Marcel Winandy Joint work with: Ahmad Reza Sadeghi, Christian Stüble Horst Görtz Institute for IT Security Chair for System Security Ruhr University Bochum, Germany Sirrix
More informationA Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software
A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software 1 Mi Young Park, *2 Yang Mi Lim 1, First Author Science and Technology Policy Institute,ollive@stepi.re.kr
More informationeguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life
Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationHow To Get A Cloud Security System To Work For You
Trust in the Cloud Ovidiu Pismac MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront Microsoft Romania ovidiup@microsoft.com Technology trends: driving cloud adoption
More informationNessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)
Nessus Enterprise Cloud User Guide October 2, 2014 (Revision 9) Table of Contents Introduction... 3 Nessus Enterprise Cloud... 3 Subscription and Activation... 3 Multi Scanner Support... 4 Customer Scanning
More informationCloud Security. DLT Solutions LLC June 2011. #DLTCloud
Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions
More informationWelcome to Modulo Risk Manager Next Generation. Solutions for GRC
Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed
More informationCloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University
Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot
More informationHW (Fat001) TPM. Figure 1. Computing Node
1. Overview Two major components exist in our current prototype systems: the management node, including the Cloud Controller, Cluster Controller, Walrus and EBS, and the computing node, i.e. the Node Controller
More informationCloud Essentials for Architects using OpenStack
Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing
More informationContinuous Monitoring
Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski Tina.Kuligowski@Securible.com Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP 800-37r1, 800-53) OMB Memorandums
More informationAudit My OpenStack Cloud!!
Audit My OpenStack Cloud!! Prabhakar Attaluri, IBM Distinguished Engineer, CTO Vinod Chavan, Cloud Executive Wednesday, August 12, 2015: 04:30 PM - 05:30 PM, Dolphin, Southern Hemisphere 3 Insert Custom
More informationPrivacy for Healthcare Data in the Cloud - Challenges and Best Practices
Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Dr. Sarbari Gupta sarbari@electrosoft-inc.com 703-437-9451 ext 12 Cloud Standards Customer Council (CSCC) Cloud Privacy Summit Electrosoft
More informationEnhancing Security for Next Generation Networks and Cloud Computing
V1.0 Enhancing Security for Next Generation Networks and Cloud Computing Tony Rutkowski Yaana Technologies Georgia Tech ITU-T Q.4/17 Rapporteur ETSI Workshop 19-20 January 2011 Sophia Antipolis, France
More informationGlobal Efforts to Secure Cloud Computing. Jason Witty President, Cloud Security Alliance Chicago
Global Efforts to Secure Cloud Computing Jason Witty President, Cloud Security Alliance Chicago Cloud: Ushering in IT Spring Technology consumerization and its offspring Cloud: Compute as a utility Smart
More informationProtec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli
Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli Vice President, IT Risk Management McKesson Corpora-on What is Your Business Model? Economic Moats In business, I look
More informationTrusted Geolocation in The Cloud Technical Demonstration
Trusted Geolocation in The Cloud Technical Demonstration NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation Trusted Geolocation in the Cloud Business Business
More information