1 Diana Gligorijević, Marketing Director INFOTECH Vrnjačka Banja TELEGROUP PROFILE
2 TELEGROUP OVERVIEW 1992: Telegroup LTD, UK; 1996: TeleGroup Banja Luka; 2001: TeleGroup Beograd; 2007: TeleGroup Sofia. One of the leading Solution Providers in the ICT & Energy areas in Western Balkan territories; Belgrade HQ
3 OVERALL SERVICES Consulting Designing of telecommunication, IT & energy networks and systems Creation & implementation of ICT Solutions Sales of ICT equipment (active & passive) Engineering of telecommunication, IT & energy infrastructure Cloud Services Software engineering End users System Management Project Management Technical Support 24x7 Trainings
4 ICT PORTFOLIO IT SOLUTIONS UNIFIED COMMUNICATIONS IP PBX, Contact Centers, Unified Messaging, Presence Voice and Video conferencing systems Critical Communications Recording solutions Total expense management VoIP gateways and controllers Video surveillance, Access Control, Fire protection and Intrusion prevention Wireless broadband access network systems Radio - relay and Functional systems Enterprise Mobility Solutions Network equipment and Server systems Network and Data Protection Data storage, preserving and archiving solutions Software solutions mpayment, mhealth, mticketing PASSIVE EQUIPMENT Heat shrink & cold shrink joints and pipes Splitters, modules, surge arrestors for modules, holders & connectors Cable locators Self supported cable and other telecommunication accessories Racks, patch panels, patch cords, adapters, modules, sockets...
5 TECHNICAL SUPPORT SERVICES Laboratory testing; Testing and analysis of work of existing installed systems; Installation of equipment and commissioning; Diagnostics of irregularities in the working of the equipment; Repair of devices; Maintenance during warranty and post-warranty period; Trainings for all systems included in TeleGroup business portfolio. End users are provided with training for system use and maintenance. Partners are provided with training for system installation and maintenance.
6 INTERVENTION PROCEDURE (diagram): 3 WAYS TO CONTACT TECHNICAL SUPPORT SERVICE. Diagram labels: Response time; Recovery time; Call Center; Contact with responsible engineer; Service Center; On site consulting and/or Remote support; Mutual work; Technical Support Service center; Head engineer; On site intervention team; Recovery work in progress; System recovery; Starting Intervention report; Intervention report & technical level of a fault; Completing Intervention report
7 CLOUD SECURITY
8 WHAT IS CLOUD? Today everybody talks about Cloud, but the fact is that everyone uses a different, although similar, definition depending on their position. One of the definitions: Cloud is a computing area in which highly scalable IT capacities are provided to external users as a service delivered over an appropriate network infrastructure!
9 ACTUAL TRENDS Global statistics show that almost 40% of IT services users have migrated to Cloud services!!!
10 WHAT LED TO CLOUD EXPANSION? When introducing new IT solutions, most of the time is spent on defining the infrastructure (hardware and software). Cloud services increase productivity and enable easy upgrades. Efficient delivery of IT Solutions. Acceleration of all innovations in this area. All solutions based on Cloud are much cheaper and more efficient. All these facts led to SOA (Service Oriented Architecture), where Cloud computing separates applications from the infrastructure.
11 IT TRENDS AND SECURITY Megatrends in IT: mobility, new mobile platforms, cloud computing. Megatrends impacting security: highly sophisticated threats, growing use of mobile devices, new IT delivery models (SaaS). Rapid growth in security investment and important changes in the Security Solution Market. Worldwide security spending will reach $63 billion in 2012 (10% of total IT budgets).
12 CLIENT INQUIRIES IN CLOUD SECURITY Clients are still looking for basic guidance for the security issues of enterprise use of cloud services. This client inquiry data can be used to align security professionals' priorities with those of their peers who are also evaluating cloud security measures
13 CLIENT INQUIRIES IN CLOUD SECURITY Clients show strong interest in this area of security. This reflects the still-evolving state of both cloud computing and cloud security. Clients are currently more concerned about identifying and assessing cloud security risks than about evaluating specific cloud security solutions. The industry segments most concerned with cloud security are those that handle sensitive data and those that are subject to rigorous regulatory requirements. Client inquiries suggest a disproportionate interest in cloud security in Europe and among small-and-midsize enterprises.
14 CLIENT INQUIRIES IN CLOUD SECURITY Top 10 Cloud Security Search Terms
15 CLIENT INQUIRIES IN CLOUD SECURITY Industry Type
16 CLIENT INQUIRIES IN CLOUD SECURITY Region
17 CLIENT INQUIRIES IN CLOUD SECURITY Enterprise size
18 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Issues: Cloud security standards will not mature before 2H12. Many cloud service providers do not provide transparency into their security practices. The global nature of cloud service providers complicates their compliance with local or national security regulations and requirements. What to do? Ensure that regulatory, corporate, industry or other applicable security standards apply to all cloud service providers. Use checklist of independent security organizations as a starting point until cloud security standards mature. Use a third-party vulnerability assessment firm to validate the responses to this checklist or any other questionnaire approach.
19 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Security must be a key criterion in any decision to use external cloud service providers when critical customer and business information is involved. A simple checklist is no substitute for a full standards-based security assessment, but will often be the only choice at this early stage of cloud service maturity.
20 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Network: Does the cloud service provider require the use of two-factor authentication for the administrative control of servers, routers, switches and firewalls? Does it support IPsec or Secure Sockets Layer with Extended Validation certificates and two-factor authentication for connecting to the service? Does it provide redundancy and load balancing for firewalls, intrusion prevention, and other critical security elements? Does it perform external penetration tests at least quarterly, and internal network security audits at least annually? Can it show documented requirements (and audit procedures) for network security? Does it contract for, or provide protection against, denial-of-service attacks against its Internet presence?
21 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Platform Can the cloud service provider present a documented policy for "hardening" the underlying virtualized infrastructure that its services run on? Can it provide validated procedures for configuration management, patch installation and malware prevention for all servers and PCs involved in cloud service delivery? Does it have a documented set of controls that it uses to ensure the separation of data and security information among customer applications?
22 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Applications and Data: How does the cloud service provider review the security of applications and any supporting code that it develops and uses? Does it use content monitoring and filtering, or data loss prevention where appropriate for data flows? Does it have documented procedures for configuration management, including the installation of security patches, for all applications? If the cloud service involves data that is covered by regulatory or other compliance requirements, does the provider meet the applicable requirements for data protection?
23 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Operations Does the cloud service provider perform background checks on personnel with administrative or other privileged access to servers, applications or customer data? Does the provider have super user privilege management and database activity monitoring controls or the equivalent to detect inappropriate behavior by provider employees with administrative access? Can it show a documented process for evaluating security alerts from OS and application vendors, shielding systems from attack until patched, and installing security patches and service packs? Does it employ security monitoring and log management functions, and use write-once technology or other secure approaches for storing audit trails and security logs? Can it demonstrate established procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation?
24 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER End Services: Does the cloud service provider's security staff average more than four years' experience in information and network security? Does more than 75% of its security staff have security industry certification? The cloud provider also should have vendor certification for the specific firewall equipment it will manage. Can it show documented identity management and help desk procedures for authenticating callers and resetting access controls, as well as for establishing and deleting accounts?
25 CRITICAL SECURITY QUESTIONS TO ASK A CLOUD SERVICE PROVIDER Recommendations Enterprises' security organizations must be involved in the evaluation of prospective cloud service providers. Security organizations should have an established set of security requirements or standards that can be used as evaluation criteria for cloud service security providers. If a cloud service provider is already being used without enterprise security involvement, request visibility into any security audits that the provider has undergone.
26 THE GROWING ADOPTION OF CLOUD-BASED SECURITY SERVICES Cloud-based security services offer the promise of easy deployment and lower cost of ownership, but buyers must choose appropriate controls and weigh potential benefits against operational requirements.
27 THE GROWING ADOPTION OF CLOUD-BASED SECURITY SERVICES The suitability of security controls for cloud-based delivery differs across controls, based on their characteristics, including the ability to customize and sensitivity to network latency and capacity. The successful adoption of cloud-based security depends on the suitability of controls to that style of delivery, but also on the ability to integrate with premises-based controls. Cloud-based security controls will play an increasingly important role in securing the use of cloud computing services.
28 THE GROWING ADOPTION OF CLOUD-BASED SECURITY SERVICES Benefits and Customer expectations: Efficiency Effectiveness Flexibility Availability Scalability Customization Integration Location Visibility Control Expertise
29 THE GROWING ADOPTION OF CLOUD-BASED SECURITY SERVICES List of Security Controls: Secure Gateway; Secure Web Gateway (SWG); Remote Vulnerability Assessment (VA); Security Information and Event Management (SIEM); Distributed Denial of Service (DDoS); Identity as a Service; Application Security Testing; Website Protection; Cloud-Based Encryption Services; Cloud Access Security Brokers (CASBs)
30 ENTERPRISES MUST BALANCE OPPORTUNITY AND RISK IN CLOUD AND MOBILE SECURITY Cloud computing and mobile devices hold the potential to make enterprises more agile, more efficient and more competitive. They also introduce new security risks that must be addressed immediately! Gartner analysts covering security, cloud computing and mobile devices have collaborated to develop a set of key predictions for 2012 and beyond. Chief information security officers (CISOs) and other enterprise decision makers should consider these forward-looking Strategic Planning Assumptions when allocating resources and selecting products and services!
31 CLOUD SECURITY AND RISK STANDARDS The current lack of agreement on cloud risk standards ensures that cloud provider risk evaluation will remain an inexact and inconvenient process for the next several years. It is easier to evaluate operational processes than technology quality, but both are equally relevant to cloud risk assessment. The use of questionnaires continues to grow in significance as a mechanism for evaluating service provider risk, with most buyers developing them from in-house expertise.
32 CLOUD SECURITY AND RISK STANDARDS Several standards for cloud practices have been published and can legitimately be considered as constituting today's understanding of "best practice." Four current initiatives show potential for meeting the needs for a cloud security standard. All are adapting and supplementing existing standards, such as ISO/IEC 27001/27002 and BS 25999, to create a written framework of control standards directly applicable to cloud service providers: Cloud Security Alliance; The Shared Assessments Program; Common Assurance Maturity Model (CAMM); FedRAMP
33 CLOUD SECURITY AND RISK STANDARDS Certification Programs: ISO/IEC certification; American Institute of Certified Public Accountants (AICPA). In critical situations, providers must be required to document not just whether they meet the standard, but how they meet it. They must also allow annual audits for neutral verification. Vendors that refuse transparency should be avoided for mission-critical, corporate proprietary or regulated scenarios.
34 SECURITY TESTING OF CLOUD SERVICES PROVIDERS IS A MUST All kinds of cloud services (application, data, infrastructure, security) should be tested for the security of the Web interfaces and systems they use to provide services. Such testing, often performed by application security providers, will be critical for the security of cloud services. Security testing helps enterprises ensure that the cloud services providers they entrust with their assets and processes are secure and compliant with established policies.
35 SECURITY TESTING OF CLOUD SERVICES PROVIDERS IS A MUST Security Testing of Cloud Services Enterprises moving business-critical information and processes into the cloud must ensure that their cloud providers meet enterprises' security policies. This will be a somewhat painful issue for many enterprises, because business benefits (for example, lower cost and faster delivery) will often favor cloud solutions, while security concerns will stand as obstacles against achieving those benefits. However, enterprises should consider cloud business benefits and security risks, and make security an explicit clause in contractual agreements with cloud providers.
36 SECURITY TESTING OF CLOUD SERVICES PROVIDERS IS A MUST The following models of cloud security testing could be used: The prospective enterprise client, the cloud provider and the third-party security testing provider negotiate a trilateral agreement. The cloud provider agrees to the third-party security testing provider's inspection, which results in a report being sent to the prospective enterprise client. Based on the report, the enterprise decides whether the cloud provider's security measures meet its requirements. The cloud provider uses independent security testing and provides proof of such testing to its cloud services prospects and clients. The cloud provider adopts application security testing technologies, grows its own skills and expertise, and conducts its own security testing.
37 SECURITY TESTING OF CLOUD SERVICES PROVIDERS IS A MUST The Benefits of Independent Testing of Cloud Services Providers: Vendor independence; Vendor expertise; Cost savings. Security Testing Certification: Certification must meet enterprise or industry security standards. Certification should include a clause assuring that the cloud provider has been continually retested.
38 VENDORS IN SECURITY SERVICES AND CLOUD SECURITY Security as a Service product vendors: McAfee, Symantec, Trend Micro, Zscaler, Panda Software, Websense, HP, Barracuda
39 COOL VENDORS IN SECURITY SERVICES AND CLOUD SECURITY Enterprises and technology providers are increasingly looking to service- and cloud-based models to deliver more effective, more cost-efficient security practices. Chief information security officers (CISOs) and other security professionals should familiarize themselves with Gartner's 2012 Cool Vendors in service and cloud security, as well as the potential business benefits they offer. Services and Cloud Security Vendors: Certes Networks, FireHost, OpenDNS, Zettaset, Dasient, WhiteHat Security
40 CONCLUSION Cloud computing is an efficient, scalable and effective way of delivering IT services today, but as an open system it is subject to numerous security problems. However, using centralized identity, access policy and appropriate standards can dramatically increase the level of security.
41 CONCLUSION Cloud computing is offered as a service, and part of the security issues are the service provider's responsibility, but a higher level of security commonly uses resources and solutions that are not associated with the IT service provider. If you plan to become a Cloud service user soon, TeleGroup can implement all the Cloud Security controls based on a recognized IT security framework and industry best practices!!!