2011 Cloud Security Alliance, Inc. All rights reserved.


Vast Landscape of Cloud Standards Development Organizations (SDOs)

Mission Statement (Non-Profit)
- Promote a common level of understanding between Consumers and Providers of Security Requirements and Attestation of Assurance
- Promote independent, agile research and a development incubator for standards development efforts
- Address cloud security and assurance risks and guidance through collective expertise
- Awareness campaigns and educational programs
- Cloud computing use cases
- Cloud security solutions

Organization & Operations

Standards Workgroup
- Title proposed: International Standardization Council
- Formed at CSA Congress, Nov 2011 (Orlando)
- Aloysius Cheang, CSA Singapore, appointed as Head of Standards Secretariat (Council Lead)
- Council Charter and appointment of Co-Chairs (in progress)
- Allows CSA Members to actively engage in the SDO process (contributions, comments, etc.)

International Standardization Council Global Membership
- Jason Creasy (ISF)
- Said Tabet (EMC)
- Andreas Fuchsberger (Microsoft)
- Bernd Jäger (Colt Telecom)
- Xavier Guerin (France Telecom Orange)
- Laura Kuiper (Cisco)
- Becky Swain (EKKO Consulting)
- Marlin Pohlman (EMC)
- Crispen Maung (Salesforce.com)
- Heather Ouellette (Salesforce.com)
- Cameron Smith (Zscaler)
- Laura Posey (Microsoft)
- Aloysius Cheang (CSA Secretariat)

Security Guidance for Critical Areas of Focus in Cloud Computing
The Guidance Version 3.0 (Nov 2011)
- Seeks to establish a stable, secure baseline for cloud operations.
- Provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.
- 14 Domains rewritten to emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
- /research/initiatives/security-guidance/
Prior releases:
- Version 1.2 (Dec 2009): incorporated into CCSK learning criteria
- Version 1.0 (April 2009): CSA founding publication

Security Guidance for Critical Areas of Focus in Cloud Computing
Section I. Cloud Architecture
- Domain 1: Cloud Computing Architectural Framework
Section II. Governing in the Cloud
- Domain 2: Governance and Enterprise Risk Management
- Domain 3: Legal Issues: Contracts and Electronic Discovery
- Domain 4: Compliance and Audit Management
- Domain 5: Information Management and Data Security
- Domain 6: Interoperability and Portability
Section III. Operating in the Cloud
- Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
- Domain 8: Data Center Operations
- Domain 9: Incident Response
- Domain 10: Application Security
- Domain 11: Encryption and Key Management
- Domain 12: Identity, Entitlement, and Access Management
- Domain 13: Virtualization
- Domain 14: Security as a Service

The CSA GRC Stack
A suite of four integrated and reinforcing CSA initiatives (the "stack packs"):
- Cloud Controls Matrix
- Consensus Assessments Initiative
- CloudAudit
- CloudTrust Protocol
Designed to support cloud consumers and cloud providers; prepared to capture value from the cloud as well as support compliance and control within the cloud.

The CSA GRC Stack (start from the bottom, then work your way up)
Delivering | Stack Pack | Description
Continuous monitoring with a purpose | CloudTrust Protocol | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery | CloudAudit | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Pre-audit checklists and questionnaires to inventory controls | Consensus Assessments Initiative | Industry-accepted ways to document what security controls exist
The recommended foundations for controls | Cloud Controls Matrix | Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider

The GRC Stack: Solving the Value Equation in the Cloud
The GRC Stack links Security Requirements and Capabilities, Security Transparency and Visibility, and Compliance and Trust, delivering evidence-based confidence with compliance-supporting data & artifacts.

CSA GRC Value Equation: Contributions for Consumers and Providers
Individually useful, collectively powerful: a productive way to reclaim end-to-end information risk management capability.
Static claims & assurances:
- What control requirements should I have as a cloud consumer or cloud provider?
- How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
- How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
Dynamic (continuous) monitoring and transparency:
- How do I know that the controls I need are working for me now (consumer)?
- How do I provide actual security and transparency of service to all of my cloud users (provider)?

Security, Trust, and Assurance Registry (CSA STAR)
- Public registry of cloud provider self-assessments
- Leverages GRC Stack projects: the Consensus Assessments Initiative Questionnaire; a provider may substitute documented Cloud Controls Matrix compliance
- Voluntary industry action promoting transparency
- Free market competition to provide quality assessments
- Available October 2011

Security, Trust, and Assurance Registry (CSA STAR)
- Expose control claims; compete to improve GRC capabilities (GRC Stack)
- Encourage transparency of security practices within cloud providers
- Documents the security controls provided by various cloud computing offerings
- Free and open to all cloud providers
- Option to use data/report based on the CCM or the CAIQ

Trusted Cloud Initiative (TCI)
- CSA certification criteria and seal program for cloud providers
- Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
- Assemble with existing standards
- Reference models & proof of concept
- Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
- /trustedcloud.html

TCI Mission
To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.

Holistic approach around controls
Architecture best practices

Reference model structure

NIST
National Institute of Standards and Technology (NIST)
- Promotes the effective and secure use of technology within the U.S. Federal Government, and therefore leads a number of efforts to develop cloud standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders.
- Standards Acceleration to Jumpstart the adoption of Cloud Computing (SAJACC)
- Strategy to build a US Government (USG) Cloud Computing Technology Roadmap
Publications:
- SP : DRAFT Guidelines on Security and Privacy in Public Cloud Computing (Jan 28, 2011)
- SP : A NIST Definition of Cloud Computing (Sept 2011)
- SP : DRAFT Cloud Computing Synopsis and Recommendations (May 12, 2011)
- SP : NIST Cloud Computing Standards Roadmap (August 10, 2011)
- SP : NIST Cloud Computing Reference Architecture (September 08, 2011)

NIST Collaboration
NIST SAJACC Process
NIST Use Case

NIST Definition of Cloud
The NIST definition of cloud computing (SP ):
- 5 essential characteristics
- 3 service models
- 4 deployment models
Already widely adopted by the cloud computing industry, including ISO/IEC JTC 1/SC 38, and recognized in the CSA Guidance.

NIST Cloud Computing Reference Model, SP (September 08, 2011)

The CSA GRC Stack: Architecture Reference Model Readiness and Transparency

NIST Cloud Computing Reference Model, SP (September 08, 2011)

NIST FedRAMP
"Proposed Security Assessment & Authorization for U.S. Government Cloud Computing" DRAFT (FedRAMP)
- Based on NIST SP R1 and SP as a proposed Assessment and Authorization (A&A) process for U.S. Government cloud computing
- Chapter 1: Cloud Computing Security Requirement Baseline (SP )
- Chapter 2: Continuous Monitoring
- Chapter 3: Potential Assessment & Authorization Approach (SP R1)
- CSA provided feedback on the FedRAMP DRAFT
- CSA CCM v1.2 incorporates a mapping of SP R3 and the FedRAMP DRAFT
- CSA CCM v1.3 is to include a mapping of SP R4 and the FedRAMP FINAL

NIST SCAP (pronounced "S-Cap") & XCCDF
The Security Content Automation Protocol (SCAP)
- Suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans
- Multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement
- Promotes interoperability of security products and fosters the use of standard expressions of security content
- Mandated by FedRAMP Continuous Monitoring
5 specification categories:
- Languages: standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), and Open Checklist Interactive Language (OCIL)
- Reporting formats: provide the constructs needed to express collected information in standardized formats: Asset Reporting Format (ARF) and Asset Identification
- Enumerations: define standard nomenclature and an official dictionary expressed using that nomenclature: Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE)
- Measurement and scoring systems: evaluation of specific characteristics of a security weakness (i.e., software vulnerabilities and security configuration issues) and, based on those characteristics, generation of a score that reflects their relative severity: Common Vulnerability Scoring System (CVSS), Common Configuration Scoring System (CCSS)
- Integrity: preserve the integrity of SCAP content and results: Trust Model for Security Automation Data (TMSAD)

NIST SCAP (pronounced "S-Cap") & XCCDF
The Extensible Configuration Checklist Description Format (XCCDF)
- Specification language for writing security checklists, benchmarks, and related kinds of documents
- An XCCDF document represents a structured collection of security configuration rules for some set of target systems
- Designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring
- Defines a data model and format for storing the results of benchmark compliance testing
- The intent is to provide a uniform foundation for the expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
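As an added example that is not part of the original slides, the following Python script shows what an XCCDF 1.2 benchmark with an embedded TestResult looks like and how the compliance scoring the slide refers to is computed from it. The benchmark, the target hostname and the CCE-style identifiers are constructed placeholders, not real checklist content; the scoring follows my reading of the XCCDF flat scoring algorithm (urn:xccdf:scoring:flat): rules whose outcome is notselected, notapplicable, notchecked or informational are skipped, and a rule's weight counts toward the score only when its result is pass or fixed.

```python
"""Parse a minimal XCCDF 1.2 document and score its TestResult.

Added example for the SCAP/XCCDF slides. The benchmark below is
constructed for illustration; the CCE identifiers are placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample: three rules (one not selected) and one TestResult.
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <status date="2011-11-01">draft</status>
  <title>Example server baseline (constructed)</title>
  <version>0.1</version>
  <Rule id="xccdf_org.example_rule_ssh_root_login" selected="true" severity="high" weight="10">
    <title>Disable SSH root login</title>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
  </Rule>
  <Rule id="xccdf_org.example_rule_password_max_age" selected="true" severity="medium" weight="5">
    <title>Set password maximum age</title>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</ident>
  </Rule>
  <Rule id="xccdf_org.example_rule_legacy_telnet" selected="false" severity="low" weight="1">
    <title>Remove telnet server</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo"
              start-time="2011-11-01T10:00:00" end-time="2011-11-01T10:05:00">
    <target>web01.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_ssh_root_login" time="2011-11-01T10:01:00">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_password_max_age" time="2011-11-01T10:02:00">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_legacy_telnet" time="2011-11-01T10:03:00">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(root):
    """Map rule id -> selection flag, severity, weight, title and CCE/CVE idents."""
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rules[rule.get("id")] = {
            "selected": rule.get("selected", "true") == "true",
            "severity": rule.get("severity", "unknown"),
            "weight": float(rule.get("weight", "1.0")),
            "title": rule.findtext("xccdf:title", default="", namespaces=NS),
            "idents": [i.text for i in rule.findall("xccdf:ident", NS)],
        }
    return rules


def load_results(root):
    """Map rule id -> result string from the first TestResult."""
    test_result = root.find("xccdf:TestResult", NS)
    return {
        rr.get("idref"): rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        for rr in test_result.findall("xccdf:rule-result", NS)
    }


def score_flat(rules, results):
    """Flat scoring: weighted passes over weighted applicable rules."""
    skipped = {"notapplicable", "notchecked", "informational", "notselected"}
    score = maximum = 0.0
    for rule_id, rule in rules.items():
        outcome = results.get(rule_id, "notchecked")
        if outcome in skipped:
            continue
        maximum += rule["weight"]
        if outcome in ("pass", "fixed"):
            score += rule["weight"]
    return score, maximum


def failing_rules(rules, results):
    """Rules that failed or errored, with severity and identifiers for triage."""
    return [
        {"id": rid, "severity": r["severity"], "idents": r["idents"], "title": r["title"]}
        for rid, r in rules.items()
        if results.get(rid) in ("fail", "error")
    ]


def evaluate(xml_text):
    """Parse an XCCDF document and return a compliance summary."""
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    results = load_results(root)
    score, maximum = score_flat(rules, results)
    return {
        "target": root.find("xccdf:TestResult/xccdf:target", NS).text,
        "score": score,
        "maximum": maximum,
        "percent": round(100 * score / maximum, 2) if maximum else 0.0,
        "failing": failing_rules(rules, results),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_XCCDF)
    print(f"{report['target']}: {report['score']:.0f}/{report['maximum']:.0f} ({report['percent']}%)")
    for f in report["failing"]:
        print(f"  FAIL [{f['severity']}] {f['id']} {' '.join(f['idents'])}: {f['title']}")
```

The unselected telnet rule is deliberately excluded from the denominator, which is why the constructed host scores 10 of 15 rather than 10 of 16; real checklists use the same `selected` attribute (and Profile tailoring) to keep rules that do not apply to a platform from dragging the score down.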

NIST SCAP (pronounced "S-Cap") & XCCDF
Source: NIST SP

NIST SCAP (pronounced "S-Cap") & XCCDF
Publications:
- SP : FINAL Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1 (July 27, 2010)
- SP Rev 2: DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) (July 12, 2011)
- IR 7511: DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (Feb 2009)
- SP Rev 1: FINAL Guide to Using Vulnerability Naming Schemes (Feb 24, 2011)
- IR 7275 Rev 4: Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (Sept 2011)
Incorporated into the NIST SCAP Validation Program, which supports the United States Government Configuration Baseline (USGCB), an OMB-mandated security configuration for all Federal desktops.
Increasing interest in making it an international standard: ISO/IEC JTC 1, ITU-T SG17. Other SDOs involved: IETF, DMTF.

CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment
Columns: Admin and Ops Specs; Transparency Requests; Extensions; Assertions; Evidence; Affirmations
Numbered elements of transparency:
- Session start: 1; Session end: 2
- Configuration and vulnerabilities: 3, 4, 5, 6, 7
- Anchoring: 8, 9, 10 (geographic, platform, process)
- Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config./control: 15; Stats: 16
- Security capabilities and operations: 17
- Alerts: 18; Users: 19
- Configuration definition: 20
- Anchors: 21; Quotas: 22; Alert conditions: 23
- Consumer/provider negotiated extensions
Mechanisms referenced: SCAP, CloudAudit.org, sign/sealing

CloudTrust Protocol (CTP) Sample

CloudTrust Protocol V2.0 Syntax
- Based on XML
- Traditional RESTful web service over HTTP
- Legend: New in V2.0
- SCAP / XCCDF query & response structure

CSA CloudSIRT
MISSION: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
Community of organizations sharing threat identification, liaising with security organizations, providing incident response assistance and consultation, and collaborating on research, including education, training and awareness:
- Cloud service providers
- Telecommunications service providers
- Country CERT/CCs and ISACs

ENISA
European Network and Information Security Agency (ENISA)
- The EU's response to the cyber security issues of the European Union; described as the 'pace-setter' for Information Security in Europe and a centre of expertise, working for the EU Institutions and Member States.
- "Cloud computing: benefits, risks and recommendations for information technology" by ENISA uses a risk assessment approach to analyze the security issues raised by cloud services and is incorporated into the CSA CCSK training criteria.
- "Security and Resilience in Governmental Clouds" provides a decision-making model that governments considering cloud computing can use to determine which architectural solution best suits the security requirements of their organization.

ISO/IEC JTC 1
ISO/IEC JTC 1 is Joint Technical Committee 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with a mandate to develop, maintain, promote and facilitate IT standards required by global markets, meeting business and user requirements concerning:
- the design and development of IT systems and tools
- the performance and quality of IT products and systems
- the security of IT systems and information
- the portability of application programs
- the interoperability of IT products and systems
- unified tools and environments
- harmonized IT vocabulary
- user-friendly and ergonomically designed user interfaces
Work is conducted by subcommittees (SCs) dealing with a particular field; SCs may be comprised of several working groups (WGs).

ISO/IEC JTC 1 Development Process

ISO/IEC JTC 1/SC 27
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 27 (ISO/IEC JTC 1/SC 27): Information Technology Security Techniques (2700x series of ISMS standards).
Study period on Cloud Computing Security and Privacy to investigate the requirements for cloud computing and a feasible program of standards work to meet those requirements, involving 3 WGs:
- WG 1 (Information Security Management), leading the coordination of this study period in conjunction with the following working groups:
- WG 4: Security Control and Services
- WG 5: Identity Management, Privacy Technology and Biometrics
Topics for consideration: information security management, risk management, application and network security, cybersecurity, business continuity, privacy and identity management, with contributions from CSA (CAIQ, CCM, Guidance, TCI Architecture), ITU-T, SC 38 and others.

ISO/IEC JTC 1/SC 27 Nairobi, Kenya Resolutions (Oct 2011)
WG 1: ISO/IEC output from the Cloud Security & Privacy (CSP) Joint WG 1/4/5 Study Period
- 2nd WD: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC (Project Co-Editors: Satoru Yamasaki, JP & Marlin Pohlman, US/CSA)
WG 4: ISO/IEC X Information technology, Security techniques, Information security for supplier relationships
- 2nd WD Part 1: Overview and Concepts (Project Co-Editor: Becky Swain, US/CSA)
- 2nd WD Part 2: Common Requirements (Project Co-Editor: Benoit Poletti, Luxembourg)
- 2nd WD Part 3: Guidelines for ICT Supply Chain Security (Project Co-Editor: Nadya Bartol, US)
- Part 4: Guidelines for Outsourcing (TBD)
- Part 5: Cloud Computing (TBD)
- Part 6: TBD
- CSA NWIP planned for the WG 4 CSP Study Period
WG 5: NWIP output from the CSP Joint WG 1/4/5 Study Period
- Information technology, Security techniques, Code of practice for data protection controls for public cloud computing services (Project Co-Editor: Chris Mitchell, UK)

Control Matrix >> Guidance >> ISO/IEC &

ISO/IEC JTC 1/SC 38
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 38 (ISO/IEC JTC 1/SC 38): Distributed Application Platform & Services (DAPS), comprised of 2 WGs focused on SOA and Web Services, and a study group on cloud computing.
- Established a Cloud Computing Study Group (SGCC) to provide candidate standardization issues on cloud computing to JTC 1 and to develop NPs (New Work Item Proposals) on cloud computing to be studied in JTC 1.
- Working Group on Cloud (WG3): 1st Delegation Meeting Feb 2012
- NWIP: Distributed Application Platforms and Services: Cloud Computing Vocabulary
- NWIP: Distributed Application Platforms and Services: Cloud Computing Reference Architecture

ITU-T
ITU Telecommunication Standardization Sector (ITU-T)
- 1 of 3 sectors (divisions or units) of the International Telecommunication Union (ITU) that coordinates standards for telecommunications.
- Mission is to ensure the efficient and timely production of standards covering all fields of telecommunications on a worldwide basis, as well as defining tariff and accounting principles for international telecommunication services; as part of the ITU (a UN specialized agency), its standards carry formal international weight.
- In addition to the ITU-T Recommendations, which have non-mandatory status until they are adopted in national laws, ITU-T is also the custodian of a binding international treaty, the International Telecommunication Regulations (ITRs).
- The technical work of ITU-T, the development of Recommendations, is managed by Study Groups (SGs).

ITU-T FG Cloud
ITU-T Focus Group on Cloud Computing (FG Cloud)
- Established further to the ITU-T TSAG (parent group) agreement at its meeting in Geneva, 8-11 February 2010, followed by ITU-T study group (SG17, SG13) and membership consultation.
- Contributes the telecommunication aspects in order to support services/applications of cloud computing making use of telecommunication networks.
- Collaborates with worldwide cloud computing communities (e.g., research institutes, forums, academia) including other SDOs and consortia.
Workgroups:
- WG1: Cloud computing benefits & requirements
- WG2: Gap Analysis and Roadmap on Cloud Computing Standards development in ITU-T
Focus Group output from Seoul, Korea, September 2011 (Cloud-O-0072): Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
CSA contributions: CAIQ, CCM, Guidance, TCI Architecture

ITU-T SG17
ITU-T Study Group 17 (SG17)
- Designated Lead Study Group for "Telecommunication Security", which includes developing and maintaining security outreach material; coordination of security-related work; and identification of needs and assignment and prioritization of work to encourage timely development of telecommunication security Recommendations.
- For cloud computing, SG17 has been working on cloud computing security since April 2010, and the following three work items were recognized and are currently in progress:
- Security guideline for cloud computing in telecommunication area (X.ccsec)
- Security requirements and framework of cloud based telecommunication service environment (X.srfcts), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
- Security functional requirements for Software as a Service (SaaS) application environment (X.sfcse)
- ITU-T SG17 collaborates closely with ISO/IEC SC 27 and SC 38

SDO Liaison Collaboration: International

SDO Liaison Collaboration: Supply Chain Risk Management (SCRM) for information and communication technology (ICT)

ISF
Comments/Contributions for ISO/IEC X, "Information security for external suppliers: A common baseline" (Dec 2010):
- Common baseline information security arrangements
- Standard of Good Practice on roadmap for CSA CCM mapping
CSA Representative: Jason Creasy (CSA GRC Stack Steering Committee, Standards WG)

ISACA
Comments/Contributions for the ISO/IEC JTC 1/SC 27 CSP Joint WG 1/4/5 Study Period:
- Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
- IT Control Objectives for Cloud Computing
- Cloud Computing Management Audit/Assurance Program
CSA CCM includes mapping to COBIT 5.0
CSA Representative: Ron Hale (CSA GRC Stack Steering Committee)


More information

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs FDCC & SCAP Content Challenges Kent Landfield Director, Risk and Compliance Security Research McAfee Labs Where we have been 1 st Security Automation Workshop nearly 20 people in a small room for the day

More information

Towards security management in the cloud utilizing SECaaS

Towards security management in the cloud utilizing SECaaS Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC jan.meszaros@vse.cz

More information

Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper

Maintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper Maintaining Herd Communication - Standards Used In IT And Cyber Security Laura Kuiper So what is Cyber Security? According to ITU-T X.1205 Cybersecurity is the collection of tools, policies, security concepts,

More information

Highlights & Next Steps

Highlights & Next Steps USG Cloud Computing Technology Roadmap Highlights & Next Steps NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways

More information

NIST Cloud Computing Program

NIST Cloud Computing Program NIST Program USG Roadmap Top 10 high priority requirements to accelerate USG adoption of the model NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science,

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES Agenda Importance of Common Cloud Standards Outline current work undertaken Define

More information

Realizing Trusted Clouds

Realizing Trusted Clouds Realizing Trusted Clouds with Trusted Computing and SCAP SICS Security Seminar April 08, 2014 Mudassar Aslam (Researcher,PhD Student) Security LAB (SEC Lab) 1 Outline Cloud Computing Trusted Clouds Cloud

More information

The Open Group 2011. Cloud Work Group

The Open Group 2011. Cloud Work Group The Open Group Cloud Work Group 18 May 2011 Heather Kreger SOA WG co-chair Liaison for SOA, Cloud IBM Cornwallis Rd B062, M307 Research Triangle Park, NC Tel 919-496-9572 Kreger@us.ibm.com www.opengroup.org

More information

Accelerating Cloud adoption with Security Level Agreements automation, monitoring and industry standards compliance

Accelerating Cloud adoption with Security Level Agreements automation, monitoring and industry standards compliance Accelerating Cloud adoption with Security Level Agreements automation, monitoring and industry standards compliance Cirrus Workshop, Vienna, Austria, November 19, 2013 Dr. Said Tabet Senior Technologist

More information

Federal Desktop Core Configuration (FDCC)

Federal Desktop Core Configuration (FDCC) Federal Desktop Core Configuration (FDCC) Presented by: Saji Ranasinghe Date: October, 2007 FDCC Federal Desktop Core Configuration (FDCC) Standardized Configuration with Hardened Security Settings to

More information

The NIST Cloud Computing Program

The NIST Cloud Computing Program The NIST Cloud Computing Program Robert Bohn Information Technology Laboratory National Institute of Standards and Technology October 12, 2011 Information Technology Laboratory Cloud 1 Computing Program

More information

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns

More information

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014 CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION Architecture Framework Advisory Committee November 4, 2014 1 Agenda TIME TOPICS PRESENTERS 9:00 9:15 Opening Remarks and Introductions Shirley Ivan,

More information

Attacking the roadblocks preventing aggressive adoption of Cloud Standards:

Attacking the roadblocks preventing aggressive adoption of Cloud Standards: Attacking the roadblocks preventing aggressive adoption of Cloud Standards: How SNIA and other standards orgs are developing standards that benefit high priority use cases. John Eastman, CTO, Presented

More information

When Security, Privacy and Forensics Meet in the Cloud

When Security, Privacy and Forensics Meet in the Cloud When Security, Privacy and Forensics Meet in the Cloud Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing Co-Chair, Cloud Security WG Co-Chair, Cloud Forensics Science WG March 26,

More information

NIST Cloud Computing Program Activities

NIST Cloud Computing Program Activities NIST Cloud Computing Program Overview The NIST Cloud Computing Program includes Strategic and Tactical efforts which were initiated in parallel, and are integrated as shown below: NIST Cloud Computing

More information

Cloud Computing Standards: Overview and first achievements in ITU-T SG13.

Cloud Computing Standards: Overview and first achievements in ITU-T SG13. Cloud Computing Standards: Overview and first achievements in ITU-T SG13. Dr ITU-T, Chairman of Cloud Computing Working Party, SG 13 Future Networks Orange Labs Networks, Cloud & Future Networks Standard

More information

Cloud Security for Federal Agencies

Cloud Security for Federal Agencies Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service

More information

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud Robert Bohn NIST March 7, 2012 DC/SLA Washington, DC Chapter History Cloud" is borrowed from telephony. Telecoms once offered

More information

How To Build Trust In The Cloud

How To Build Trust In The Cloud Building Trust in Global Cloud Computing Systems Jim Reavis, CEO & Founder Cloud Security Alliance Global, not-for-profit organization Building security best practices for next generation IT Research and

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

Incident Management & Forensics Working Group. Charter

Incident Management & Forensics Working Group. Charter Incident Management & Forensics Working Group Charter February 2013 2013 Cloud Security Alliance All Rights Reserved All rights reserved. You may download, store, display on your computer, view, print,

More information

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

ISSA Guidelines on Master Data Management in Social Security

ISSA Guidelines on Master Data Management in Social Security ISSA GUIDELINES ON INFORMATION AND COMMUNICATION TECHNOLOGY ISSA Guidelines on Master Data Management in Social Security Dr af t ve rsi on v1 Draft version v1 The ISSA Guidelines for Social Security Administration

More information

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson

More information

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

ISO/IEC JTC 1 Information technology. Business plan 2014

ISO/IEC JTC 1 Information technology. Business plan 2014 Information technology Business plan 2014 Our vision To be the world s leading provider of high quality, globally relevant International Standards through its members and stakeholders. Our mission ISO

More information

Continuous Monitoring

Continuous Monitoring Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski Tina.Kuligowski@Securible.com Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP 800-37r1, 800-53) OMB Memorandums

More information

IT Audit in the Cloud

IT Audit in the Cloud IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust

More information

Standardising privacy and security for the cloud

Standardising privacy and security for the cloud Standardising privacy and security for the cloud Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements Like to thank organisers of event for inviting me to contribute.

More information

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT) NIST Interagency Report 7800 (Draft) Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT) David Waltermire, Adam Halbardier,

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

Robert Brammer. Senior Advisor to the Internet2 CEO rfbtech@internet2.edu. Internet2 NET+ Security Assessment Forum. 8 April 2014

Robert Brammer. Senior Advisor to the Internet2 CEO rfbtech@internet2.edu. Internet2 NET+ Security Assessment Forum. 8 April 2014 Robert Brammer Senior Advisor to the Internet2 CEO rfbtech@internet2.edu Internet2 NET+ Security Assessment Forum 8 April 2014 INTERNET2 NET+ Security Initiative Primary objective -- develop guidance to

More information

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION STANDARDIZATION SECTOR STUDY PERIOD 2009-2012 English only Original: English Question(s): 4/17 Geneva, 11-20 February 2009 Ref. : TD 0244 Rev.2 Source:

More information

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak Cloud Standardization, Compliance and Certification Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak Todays Agenda IT Resourcing with Cloud Computing and related challenges Landscape

More information

Towards a standard approach to supply chain integrity. Claire Vishik September 2013

Towards a standard approach to supply chain integrity. Claire Vishik September 2013 Towards a standard approach to supply chain integrity Claire Vishik September 2013 1 Draws from: ENISA s report on this topic Slawomir Gorniak, European Network and Information Security Agency Demosthenes

More information

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors 1 Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors Scott Woodison Executive Director, Compliance and Enterprise Risk Office of Internal Audit and Compliance

More information

How RSA has helped EMC to secure its Virtual Infrastructure

How RSA has helped EMC to secure its Virtual Infrastructure How RSA has helped EMC to secure its Virtual Infrastructure A new solution, the RSA solution for Cloud Security and Compliance, has been developed and is now available to all of our customers. Luciano

More information

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT ISO/IEC Information & ICT Security and Governance Standards in practice Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT June 4, 2009 ISO and IEC ISO (the International Organization for Standardization)

More information

How To Monitor Your Entire It Environment

How To Monitor Your Entire It Environment Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Security compliance automation with Red Hat Satellite

Security compliance automation with Red Hat Satellite Security compliance automation with Red Hat Satellite Matt Micene Solution Architect, DLT Solutions @cleverbeard @nzwulfin Created with http://wordle.net Compliance is a major problem About half of the

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP 1. Identity Ecosystem Steering Group Charter The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy), signed by President

More information

Pilvipalveluiden tietoturvan standardisointi

Pilvipalveluiden tietoturvan standardisointi Pilvipalveluiden tietoturvan standardisointi Juha Röning Juha.Roning@oulu.fi Sisältö Standardien kirjo Pilvipalveluiden standardit Seurattavat standardit Standardit ja CSA Cloud Controls Matriisi Cloud

More information

CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs

CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs Eric Simmon January 28 th, 2014 BACKGROUND Federal Cloud Computing Strategy Efficiency improvements will shift resources towards higher-value

More information

Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy

Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy November 18, 2008 Teresa Schwarzhoff Computer Security Division Information

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from

More information

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public. Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM

More information

Security standards for cloud usage

Security standards for cloud usage DRAFT, Version 0.9, March 2013 ii About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

Cloud Computing Risk and Rewards

Cloud Computing Risk and Rewards Cloud Computing Risk and Rewards John Lazarine Vice President and Chief Audit Executive Mark Salamasick Director of Center for Internal Auditing For Dallas CPA Society Convergence 2013 May 8, 2013 John

More information

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members

More information

Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee)

Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee) Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee) Mike Edwards Senior Technical Staff Member, IBM Cloud Computing & SOA Standards,

More information

Key Considerations of Regulatory Compliance in the Public Cloud

Key Considerations of Regulatory Compliance in the Public Cloud Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,

More information

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP, ISSEP, SCSE Hitachi Data Systems A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY Subhash Sankuratripati NetApp SNIA Legal Notice The material contained in

More information

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014 Cloud Security Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014 Agenda Introduction Security Assessment for Cloud Secure Cloud Infrastructure

More information

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey A Comparison of IT Governance & Control Frameworks in Cloud Computing Jack D. Becker ITDS Department, UNT & Elana Bailey ITDS Department, UNT MS in IS AMCIS 2014 August, 2014 Savannah, GA Presentation

More information