Whitepaper: How to reach an optimal Cloud Security Level
Additional measures on top of ISO / ISO to ensure the optimal cloud security level.

Authors: Bram van Pelt, Sander Mastwijk
Date: October 2015
AMIS, Edisonbaan 15, Nieuwegein. E info@amis.nl, I amis.nl. Registered office in Enschede.
1 Abstract

With the rise of cloud applications, a new way of looking at security is required. Security is no longer concentrated only within the perimeter of your company; the scope of your security management also needs to include the cloud providers that offer services to you. From a security perspective, this means that you rely on their security measures to implement your security policy for the information you store in the cloud.

Potential customers of SaaS products must adopt a more rigorous due diligence process because of regulatory changes, increasing privacy concerns, and the risks of fraud and exposure. It is increasingly important to determine how providers implement security and whether their level of security matches your expectations. As the SaaS market keeps growing, the diversity and complexity of cloud solutions increase, which calls for a more detailed security analysis that goes beyond traditional contractual protection. That in turn requires open communication about security matters, which also benefits providers in aligning their services with market demand.

This is similar to buying a car. The vendor may have a good reputation, and the features may be well documented, but you are still going to read the customer reviews and have a good look under the hood before you trust it with your life, or at least before you risk the embarrassment of showing up late for important meetings.

This whitepaper details the governance and technical security aspects you need to address when exploring the possibilities of SaaS applications, and provides input for your risk analysis and for the service level agreements between you and your cloud provider. Securing your information in the cloud is a joint effort of you and your cloud provider.
Contents

1 Abstract
2 Security Governance
3 Processes and technical security measures
4 Public interfaces
  4.1 Traffic Encryption
      Encryption type
      Encryption management
  4.2 Endpoint access
  4.3 Endpoint protection
5 Internal infrastructure
  5.1 Multitenancy
  5.2 Component connections
  5.3 Security monitoring and feedback
      Uptime and availability
      Configuration / tripwire files
      Added services scan
  5.4 Administrative account management
  5.5 Service account security
6 Data Storage
  6.1 Data encryption
  6.2 Backup strategy
  6.3 Data segregation & accessibility
7 Identity and access management
  7.1 Identity management
  7.2 Access management
2 Security Governance

When using cloud applications, you are basically incorporating a black box into your IT landscape. It provides you with specific functionality at a certain price. From a security perspective, you need to know what information is processed and stored in this black box, and what the provided functionality and the stored information mean to you. What does it mean to you when the information is lost or unavailable? What if its confidentiality or integrity is no longer guaranteed? Risk is determined from these values. Based on the risks associated with the information you want to store in the cloud application, you define security policies and measures.

This is basically the same chain of thought as when managing your own applications, except that with cloud applications there is a point beyond which you can no longer control the security measures yourself. This can put you in an awkward situation: your cloud provider manages the black box, but you remain responsible for the information in it.

Fortunately, there are ways to deal with this situation. For instance, you can keep a close eye on the cloud provider by asking for daily or weekly reports detailing the security aspects of their operation. These reports help you exercise some control over the security infrastructure. Besides its reactive nature, the main problem with this method of control is that the cloud provider has to report on its own operational security status. This is a direct conflict of interest, as it is in the provider's interest to present a positive image to its customers. Providers may not be able or willing to offer the level of transparency you want, because of the risks involved or simply because of the additional strain on their operations. An auditor might argue that you can never fully trust your provider. At first glance, the more appropriate way of managing security is to require the cloud provider to be audited on a regular basis.

In most cases ISO / ISO or similar security guidelines are used, which tell you something about how the provider manages security in general: important things, like how their facilities are protected against unwanted physical access and cyber-attacks. Although this is a good way of gaining some assurance about the provider's security controls, these audits do not take into account how the responsibility for specific security aspects is divided between you and the provider. Nor do they directly audit any specific requirements you may have regarding the service in question and the information it processes. The responsibility for certain security aspects, and the level of security, can differ between providers, between the services they offer, and between individual customers. This makes it difficult to analyse the risks of using a particular cloud service.

So in order to gain insight into the risks of using cloud services, you need to ask additional questions to get a clear overview of the security measures in place. With that overview you can check whether the service meets your requirements and whether there are aspects your provider does not take care of. It also provides the input for audits (e.g. ISAE 3402) that are focused on your needs.
3 Processes and technical security measures

Once you have defined the level of security you require for a specific service, you have the baseline against which you can compare the measures your cloud provider has implemented. You need to understand the security level of your cloud provider, and this is important for both of you, because trust drives business. You need to be able to discuss security matters, for example when you want to run your own penetration tests. And to make sure the cloud service remains an effective part of your landscape in a sustainable way, you need to align views with your provider. Their security level is on their road map, not on yours, so keep your future business plans in mind to avoid having to switch cloud providers later.

In the next chapters we go into some technical details. We start with the public interfaces that expose the service and its functionality; it goes without saying that access to these interfaces should be properly protected. Next, we look at the way providers structure their service and store your data, and whether enough measures are taken to disrupt an attacker's kill chain. Last, we look at the way you can control access to your data. Your provider needs to let you take care of what is your responsibility: making sure that authorizations and access to your data are correct.

Below is a table of the security measures discussed in this document and their strength. These measures can be combined in different ways to add up to a certain level of security. This can help you determine whether the combination offered by the cloud provider meets the level you require based on your risk analysis.
Security measure strength overview (Basic / Medium / Advanced)

Public interfaces
  Basic:    Traffic encryption; Local authentication; Firewall
  Medium:   Strong traffic encryption; Formal encryption management; Federated login; Reverse proxy
  Advanced: Strong traffic encryption; Formal encryption management; HSM; Federated, attribute based login; IPS / IDS

Internal infrastructure
  Basic:    Multitenant; Performance monitoring; Manual privileged account management
  Medium:   Encrypted multitenant; Encrypted internal traffic; Configuration monitoring; Privileged account management process
  Advanced: Single tenant; Encrypted internal traffic; Internal firewalls; IDS / IPS; PAM solution

Data storage
  Basic:    Data encryption; Offsite backup
  Medium:   Data encryption; Disk encryption; Encrypted offsite backup; PAM
  Advanced: Data encryption; Disk encryption; Watermarking; Encrypted offsite backup; Technical data segregation

Identity & Access management
  Basic:    Manual identity management; Local authentication
  Medium:   IDM integration; Single sign-on
  Advanced: IDM integration; Access management integration; Context based access control; MFA / OTP
4 Public interfaces

To interact with a cloud application, you connect to its publicly available application endpoints. When designing or running a cloud application, the cloud provider must manage the security of these endpoints. In this section an endpoint is defined as a web service that is reachable from the internet, either over an open connection or over a connection secured by a VPN. Examples are REST interfaces, web sites or an open SSH port. The security recommendations in this section should be applied to each endpoint.

4.1 Traffic Encryption

Connections to each service that is open to the internet have to be encrypted. The only exception to this rule is the static pages of a public website. Any other data is likely to contain personal information, company secrets or other sensitive information, and must be encrypted. When adding encryption to an endpoint, the following items need to be addressed.

Encryption type

There are several ways of adding encryption to an endpoint. The most common are adding SSL/TLS to a TCP connection or placing the endpoint behind a VPN. When a connection is secured with TLS or another mechanism that relies on certificates, keep in mind that the certificate (its key length, signature algorithm and validity period) sets a floor on the security of the connection, while the protocol versions and cipher suites the endpoint accepts determine the rest. It is therefore very important that the certificate and the TLS configuration are defined correctly. One way of checking whether an endpoint is configured correctly is to run it through the Qualys SSL Labs server test. For VPNs the most important aspects to check are the key length of the connection and the filtering of the IP addresses that are allowed to connect.

Encryption management

When encryption is used to secure an endpoint, it is very important that the cloud provider manages the encryption and the certificates correctly. The most common encryption management processes are key generation, key application, key distribution and key storage. Keys can be a collection of certificates, passwords that protect certificates, and VPN keys. Common ways of storage include keeping the keys in an encrypted container or on a hardware security module (HSM).

4.2 Endpoint access

When designing an application endpoint, designers need to keep in mind who is allowed to access the endpoint and how authentication is handled. To identify which people are allowed to access an interface, the design should avoid specifying individual accounts: it should specify conditions. Conditions like: an administrative user is defined by a role in an external system, or an external employee is identified by the identity store in which the user account is kept. Only when software needs one specific account, and the account cannot be described by a condition, may the account be named specifically.

When it is clear who will be able to access an endpoint, the second thing to consider is how users must authenticate. This can be done with a password stored within the cloud application itself, or by allowing a third party to authenticate users. When a third party authenticates users, the cloud provider needs to watch for one thing: trust. The main question is: how much do I trust this authentication provider? For instance, if I host a whitepaper in the cloud and only want to be able to contact the people who download it, LinkedIn could be rated as sufficiently trustworthy. On the other hand, if the file is classified, an identity provider set up by the customer is more appropriate. One of the options is to set up federation with an on-premise system such as your Active Directory. This way you control the accounts that can be used in the cloud environment more closely, and you leverage existing monitoring capabilities to track login activity. There are other concerns as well when using accounts as a security measure; these are addressed later in this document when discussing identity management.
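The endpoint check described in 4.1, as an added example that is not part of the original whitepaper: the script below performs a TLS handshake with an endpoint, records the negotiated protocol, cipher strength and certificate details, and judges the result against a minimum policy. inspect_endpoint() needs network access; the thresholds in evaluate() (TLS 1.2 or newer, a cipher of at least 128 bits, at least 30 days left on the certificate, hostname present in the SANs) are assumed values chosen for the example, not figures from the whitepaper.

```python
# Minimal TLS endpoint check in the spirit of section 4.1. Added example, not
# code from the original whitepaper. inspect_endpoint() needs network access;
# the policy thresholds in evaluate() are assumptions for illustration.
import socket
import ssl
import time


def inspect_endpoint(host, port=443, timeout=5.0):
    """Handshake with a live endpoint and return a report dict (needs network).
    create_default_context() already rejects an untrusted or mismatched chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _, bits = tls.cipher()
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "host": host,
        "version": version,
        "cipher": cipher_name,
        "bits": bits,
        "not_after": cert["notAfter"],
        "sans": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def san_matches(host, sans):
    """Exact match or a single-label wildcard (*.example.com matches api.example.com only)."""
    host = host.lower()
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) and host.count(".") == san.count("."):
            return True
    return False


def evaluate(report, now=None, min_days=30):
    """Apply the minimum policy to a report; an empty list means the endpoint passes."""
    now = time.time() if now is None else now
    findings = []
    if report["version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %s is below TLS 1.2" % report["version"])
    if report["bits"] < 128:
        findings.append("cipher %s offers only %d bits" % (report["cipher"], report["bits"]))
    # notAfter looks like "Dec 31 23:59:59 2030 GMT"; ssl converts it to epoch seconds (UTC).
    days_left = (ssl.cert_time_to_seconds(report["not_after"]) - now) / 86400
    if days_left < min_days:
        findings.append("certificate expires in %.0f days" % days_left)
    if not san_matches(report["host"], report["sans"]):
        findings.append("hostname %s is not in the certificate SANs" % report["host"])
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    result = evaluate(inspect_endpoint(target))
    print("PASS" if not result else "\n".join(result))
```

Run it as `python check_tls.py api.yourprovider.example` (the file name is yours to choose). Note the limits: because the default context refuses untrusted chains and old protocols, a failing handshake raises an ssl.SSLError rather than producing a report, and the script does not enumerate every cipher suite or test for known protocol weaknesses the way a full scanner does. Treat it as a smoke test between full scans, not a replacement for one.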
4.3 Endpoint protection

Endpoints rely on certain components to run them, so it is important to be able to guarantee the security of those components. Common ways to secure components that are reachable from the internet are to place them behind an application layer firewall, an intrusion detection and prevention system, or a reverse proxy. The main objective of these devices is to filter out malicious connections to the endpoints. Malicious connections include DDoS attacks and attacks that send malicious data to an endpoint, such as SQL injection and Heartbleed. Although some malicious connections can be handled by the endpoint itself, a designer should consider relieving the endpoint (and its development) by using the capabilities mentioned above, which are designed for that purpose.
5 Internal infrastructure

The internal infrastructure of a cloud application affects overall security significantly. Even if the measures employed do not directly stop intruders, they pose a significant hurdle for malicious users in the exploitation phase of their attack. This in turn grants the cloud provider time to detect these users and take action.

5.1 Multitenancy

For efficiency reasons, cloud providers service customers from one environment (multitenancy): multiple customers share at least parts of the cloud provider's systems. The first thing to check is how customer data is separated. This is called the tenant issue; it is usually decided by the (cost) efficiency of an application, but it does affect security. If customers have dedicated application instances, the impact of a data breach can be contained quite well. If, on the other hand, data leaks from an application instance that is set up for multitenancy, other customers are affected as well. Providers implement logical boundaries that separate customer data in the virtualization layer, in applications, in web services and at storage level. How they do it is up to them, but you do need insight into the risks of their chosen solution to determine whether a (costly) single tenant setup is necessary.

The only way you can add security to a multitenant environment yourself is by encrypting your data with a key dedicated to you, because the only thing that is unique to a customer in a multitenant environment is its data. When different keys are used for different customers, a leak of the shared storage exposes only ciphertext, and a stolen key unlocks only the data of the customer it belongs to.

5.2 Component connections

In most cases, cloud applications are made up of multiple components; an application might consist of a database and a frontend web server. For these components to work together, they need to be able to communicate. What most cloud providers do, however, is leave this communication unencrypted, which allows malicious users who reach the internal network to intercept and read plain text traffic. To solve this problem, traffic between front-end and back-end servers should be encrypted. Also, if the interaction between components is not modelled correctly, front-end and back-end servers might be able to use covert means of communication. This happens when internal development and operational processes are not properly aligned and it is not clear which ports are used, so all are left open. To reduce this risk, a firewall should be placed between front-end and back-end that allows all modelled traffic, whilst any non-modelled traffic should be treated as a high priority security trigger. This puts strain on the provider's operations and is definitely something to talk about.

5.3 Security monitoring and feedback

One of the most important components of a secure cloud environment is a solid security monitoring process. Security monitoring is usually not designed in when a cloud service is set up; it is added afterwards by system administrators. In most cases you need to rely on the system administrators to acknowledge the need for a monitoring system, and on their skill in setting it up correctly. When implemented properly, a monitoring system is divided into at least three components.

Uptime and availability

Uptime and availability monitoring checks the status of the components in the cloud service. It should at least check the availability of the endpoints and the response times of the internal components.

Configuration / tripwire files

The second monitoring task is reporting configuration changes. Your provider should have a process in place to detect these changes, because any change that is not explained by the incident or change handling processes indicates malicious activity. Tracking configuration changes can be achieved by storing hash values of configuration files. The great advantage is that if any system or person changes these files, the system administrators are notified immediately. Good examples of such files are the UNIX password file and the static files of a web server.

Added services scan

The added services scan continually checks the cloud environment for new TCP/UDP services. A change in these services might indicate exfiltration of data by a malicious user. This scan usually also gives a good insight into the securable endpoints of the internal cloud environment.

5.4 Administrative account management

One of the most overlooked challenges in cloud management is being in control of administrative accounts and privileged access. In most cases system administrator accounts are managed manually, as they would be in a small company. To keep the use of administrative accounts in check, the cloud provider needs to model the administration of its system and have processes for administrative access in place. An administrative model of the system should include a list of common administrative actions and the level of clearance a user needs to execute them. The model should also describe how users gain access to an administrative account and how they release it again. Based on this information the correct administrative accounts can be created and managed. This management can be done by hand, but is preferably automated: a privileged access management (PAM) solution automatically manages privileged accounts and their passwords and provides audit information about their use. To complement this, the monitoring system should include a tripwire for accounts that were not created by this process.

5.5 Service account security

Service accounts are accounts that software services use to identify themselves. These accounts generally have more rights than normal user accounts, and their use cannot be traced to individuals. It is therefore imperative that procedures are defined to manage these accounts correctly. These procedures must at least cover how a service account is created and how its password is reset. If both procedures are defined correctly, the password of a service account can be set in the application once (encrypted, of course) and does not need to be stored anywhere else. Nobody then needs to know the password, so it cannot be shared or abused. The password of a service account should preferably be as long as the key with which the database is encrypted; if the application restricts the maximum length of a password, use the maximum length it allows. The more both processes can be automated, the better. It is also sensible to set a tripwire for every password change on these accounts.
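The monitoring tasks described in 5.2 to 5.4 share one pattern: record a baseline of the expected state and raise an alert on anything that deviates from it. The script below, an added example that is not part of the original whitepaper, implements three of those checks: a SHA-256 tripwire over configuration files (which, applied to the UNIX password file, also catches accounts created outside the administrative process), the added services scan over `ss -tulnH`-style output, and a check of observed component connections against the modelled traffic. All inputs are constructed: the files are written to a temporary directory, and the `ss` lines and the connection log are made up for the example.

```python
# Baseline-and-diff checks for the monitoring tasks in 5.2 to 5.4 above.
# Added example, not part of the original whitepaper. All inputs in demo()
# are constructed: temporary files, made-up `ss -tulnH` lines and a made-up
# connection log in the form "<timestamp> <src> -> <dst>:<port>".
import hashlib
import os
import re
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, the value kept in the tripwire baseline."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_baseline(paths):
    """Map each existing path to its digest; keep the result off-host and read-only."""
    return {p: hash_file(p) for p in paths if os.path.exists(p)}


def diff_files(baseline, current):
    """Paths whose digest changed, that appeared, or that vanished since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Netid State Recv-Q Send-Q Local:Port Peer:Port, the column order of `ss -tulnH`.
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Set of (proto, port) pairs that are listening according to the ss output."""
    listeners = set()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            listeners.add((m.group(1), int(m.group(3))))
    return listeners


def new_services(baseline_output, current_output):
    """Services listening now that were absent from the baseline (the added services scan)."""
    return sorted(parse_listeners(current_output) - parse_listeners(baseline_output))


_CONN_LINE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+):(\d+)$")


def unmodelled_connections(conn_log, modelled):
    """Flows outside the modelled set; these are the high priority triggers of 5.2."""
    alerts = []
    for line in conn_log.splitlines():
        m = _CONN_LINE.match(line.strip())
        if m:
            flow = (m.group(1), m.group(2), int(m.group(3)))
            if flow not in modelled:
                alerts.append(flow)
    return alerts


def demo():
    """Run the three checks on constructed input and return what they found."""
    work = tempfile.mkdtemp()
    passwd = os.path.join(work, "passwd")
    httpd = os.path.join(work, "httpd.conf")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\napp:x:1001:1001::/srv/app:/usr/sbin/nologin\n")
    with open(httpd, "w") as f:
        f.write("Listen 443\n")
    baseline = file_baseline([passwd, httpd])
    with open(passwd, "a") as f:  # an extra uid-0 account appears outside the process
        f.write("backdoor:x:0:1002::/tmp:/bin/bash\n")
    files = diff_files(baseline, file_baseline([passwd, httpd]))

    ss_before = ("tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:*\n"
                 "tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*\n")
    ss_after = ss_before + "tcp LISTEN 0 10 0.0.0.0:4444 0.0.0.0:*\n"  # new listener

    modelled = {("web-1", "db-1", 5432)}  # the only flow the design allows
    conn_log = ("2015-10-01T10:00:00Z web-1 -> db-1:5432\n"
                "2015-10-01T10:00:05Z web-1 -> db-1:22\n")
    return {
        "files": files,
        "new_services": new_services(ss_before, ss_after),
        "unmodelled": unmodelled_connections(conn_log, modelled),
    }
```

In demo() the tripwire reports the modified password file, the services scan reports the new listener on tcp/4444 and the connection check flags web-1 talking to db-1 on port 22, which the model does not allow. The value of each check depends on the baseline being trustworthy: store the digests and the listener list on a system the monitored host cannot write to, and feed every hit into incident or change handling so that unexplained changes are investigated rather than silently re-baselined.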
6 Data Storage

Data is your most tangible property and must therefore be treated with great caution. If data leaks from a cloud provider, or if it is even suggested that it has, it can be disastrous for the cloud provider. To ensure data is stored safely, a cloud provider should be rated on the topics below.

6.1 Data encryption

Whenever customer data is stored with a cloud provider, the data has to be encrypted, for two reasons. First, ownership of the data lies with the customer, so the cloud provider should not have access to it (which only holds if the provider cannot read the key). Second, in case of a data leak, the data is encrypted and therefore not readable by external parties. This measure therefore protects both the cloud provider and the customer.

There is another advantage to implementing data encryption: it can be used as a digital watermark to identify where data originated. This is very helpful when data has been leaked but it is not certain from where. You create the watermark by controlling the encryption keys used by each cloud provider. If you decide which key a cloud provider uses, leaked data can be attributed by trying to decrypt it: when each of your cloud providers uses a different key, the key that successfully decrypts the data tells you where the leak originated.

Lastly, the hard drive on which the data is stored should be encrypted as well. With the drives encrypted in addition to the data on them, the likelihood of information leaking from a stolen drive becomes very small. Most operating systems support this kind of drive encryption natively, so enabling it can be a quick win.

6.2 Backup strategy

The most important thing to consider when creating a secure backup strategy is the content of a backup. Backups come in many shapes and varieties; a backup could include the content of a running application server or a flat file dump of a database. The thing to keep in mind is what kind of information will be available in the backup. If customer data is included, the backup must be encrypted and signed before it leaves the system. If the backup contains configuration information, the backup and its size should be signed before the data is allowed to leave the system; this ensures data integrity and reliability. To verify that the whole process works, you should periodically request a restore.

After encryption and signing, the backup should be stored off-site at a secure location. The storage and the transfer must conform to the security measures named previously: the transfer has to be secured with TLS so the data cannot be read by others, and the location where the backup is stored should be encrypted.

6.3 Data segregation & accessibility

If a cloud provider decides to set up a multitenant environment, usually the first question that comes to mind is how to keep the data of different customers separated. As stated before, data is the most tangible thing within a cloud application. Customers do not wish to see other customers' data, as that is a good indication that their own data is showing up on unauthorized systems too. So this problem usually gets tackled well. But one important aspect is overlooked: the system administrator. Data is not separated from the cloud provider's system administrators. Administrators can view, modify and delete customer data, which is why administrative accounts are a primary target for malicious users. So how is your data protected against misuse of these accounts? There are several ways of dealing with the segregation of data.

The first is quite simple: you make the administrators sign a non-disclosure agreement and require them to log in with a personal account. Although this cannot actually prevent access, in case of a system mishap a root cause analysis can quickly determine which user was active on the system. The cloud provider has to be careful with this approach, though: if administrators log into a system and habitually elevate to the root account, the actions of an individual admin can no longer be monitored properly.

A better way of dealing with data segregation is to install a privileged access management (PAM) solution. A PAM solution takes control of the administrative accounts and their passwords and provides staff with access in a controlled way. As an additional security measure, an account can stay locked until the administrator has approval from a manager to use the system. The PAM solution can also keep track of the actions a user undertakes whilst using a privileged account, which makes auditing the use of privileged accounts simple.

The last measure that can be taken to secure administrator accounts is to restrict them to managing the databases while denying them access to the data stored in those databases. The clear advantage is that administrative accounts can no longer be used to leak data. Ironically, this is also the downside: system administrators can no longer troubleshoot down to the data storage when the system displays incorrect information. This risk can be mitigated by unlocking, through the PAM solution, a system account that you control.
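The per-provider key scheme of 6.1 and the encrypt-and-sign requirement of 6.2 rest on the same primitive: authenticated encryption under a key you control. The block below is an added example, not code from the original whitepaper. It seals a record under a provider's key, attributes a leaked blob to the provider whose key authenticates it (the watermark of 6.1), and detects a backup that was altered after it was signed (the integrity check of 6.2). To stay self-contained it builds a counter-mode keystream and an authentication tag from HMAC-SHA256 in an encrypt-then-MAC construction; in production you would use an AEAD such as AES-GCM from a vetted library instead. The keys and the record are constructed for the example.

```python
# Per-provider authenticated encryption for the watermark of 6.1 and the
# signed backup of 6.2. Added example, not part of the original whitepaper.
# HMAC-SHA256 is used as keystream generator and as tag so the block needs
# only the standard library; use a real AEAD (AES-GCM) in production.
import hashlib
import hmac
import os


def _subkeys(key):
    """Derive independent encryption and MAC keys from one provider key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """Counter mode: block i = HMAC(enc_key, nonce || i). Never reuse a nonce per key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext, nonce=None):
    """Encrypt-then-MAC: returns nonce (16) || ciphertext || tag (32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag in constant time before decrypting; None if it does not match."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def identify_origin(provider_keys, leaked_blob):
    """Watermark check from 6.1: the provider whose key authenticates the blob."""
    for name, key in provider_keys.items():
        if open_sealed(key, leaked_blob) is not None:
            return name
    return None


def tampered(key, blob):
    """Backup integrity check from 6.2: True if the stored blob no longer verifies."""
    return open_sealed(key, blob) is None


def demo():
    """Constructed keys and record; returns what each check found."""
    keys = {"provider-a": bytes(range(32)),
            "provider-b": bytes(range(32, 64)),
            "provider-c": bytes(range(64, 96))}
    record = b"customer=ACME;iban=NL00TEST0123456789"
    sealed_b = seal(keys["provider-b"], record)
    flipped = bytearray(sealed_b)
    flipped[20] ^= 0x01  # one ciphertext byte altered after signing
    return {
        "roundtrip": open_sealed(keys["provider-b"], sealed_b) == record,
        "origin": identify_origin(keys, sealed_b),
        "wrong_key_reads": open_sealed(keys["provider-a"], sealed_b),
        "tampered": tampered(keys["provider-b"], bytes(flipped)),
    }
```

Two properties carry the argument of the text. Attribution works only because the tag is bound to the key: a blob sealed under provider-b's key fails verification under every other key, so the one key that verifies it names the leaking provider. And the integrity check is only as strong as the key's secrecy: a provider that holds the key can re-seal altered data, so for backups the signing key should live with you (or in an HSM) rather than next to the data.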
7 Identity and access management

Security management is quite simply a collection of processes in which you have a prominent role. The section below explains how you can get more control over who can use the cloud application. This involves having the tools needed to manage users and logins and to check security audits. As mentioned in the chapter on public interfaces, access rights and the way users connect are important to the security of an application. Since you are the only one who knows who may have access to what information, you need a secure way of managing these aspects of a cloud application. Let's break it down into identity management and access management.

7.1 Identity management

Identity management in a cloud application usually consists of two parts: a user management portal and an API for user management. The user management portal is in most cases a website that allows customers to perform user management actions manually. Although this can be fine for small enterprises or applications with a low volume of users or mutations, it is not an ideal situation. As the use of the application grows, user management becomes more and more of a costly and error-prone process, with the risk of user accounts not being removed in time or rights not being changed quickly enough, leaving the door open for unwanted access. You also have additional operational strain if you are required to do periodic reviews of access rights.

A more effective way of managing users is to manage them from your own side. You normally already have a directory or an on-premise identity manager (IDM). By allowing you to manage users in cloud applications through automated connections, a cloud provider facilitates a hybrid cloud security model. There are two ways of achieving this hybrid model.

The first is identity management through an API, which allows you to push user updates to the cloud. This is usually the most desirable situation if you have an on-site identity manager. To minimize the operational risks related to custom integrations, a cloud provider should support the standards used in the market; this is definitely something to check when considering a specific provider. A cloud provider can support SCIM or the older SPML. SCIM is a simple API based on REST web services and follows the CRUD approach to identity management, which is an effective way of user management in most cases. SPML is an older standard based on SOAP web services. It is a more free-format web service implementation for identity management, which allows the cloud provider to implement custom functionality for user management but is more difficult to integrate with.

If for some reason you are not using an API to push identity information, the second option is to set up a VPN connection between the cloud environment and an identity store you have set up on premise, for example an Active Directory. The cloud application then uses your local resource to authenticate and authorize users. This option allows you to directly control accounts and access rights, but is more prone to operational issues.

7.2 Access management

In its basic form, authentication and session management are handled by the cloud application. Out of the box, the functionality it offers may be limited: single sign-on, session logging and monitoring, context based rules and multifactor authentication are not always available. There are a number of things you may want to accomplish, depending on the kind of information that can be accessed in the application, the associated risks, your information security policy and your operational needs. Here are some examples of functionality you can use for a higher level of control:

- Controlling the accounts that can be used to sign on
- Logging authentication events
- Single sign-on across applications
- Controlling active user sessions
- Specifying authentication methods
- Context based access decisions

As said earlier in this document, most providers support authentication through a third party by letting you specify a trusted external system to authenticate users, using industry standards like SAML. This basically means that the cloud application redirects users to another system when they try to log in. The trusted system authenticates the user, who is then sent back to the cloud application with the result. You can use this mechanism to designate a system that you trust, or have set up yourself, as the source of authentication, and in doing so you give yourself an enforcement point for your access management requirements.

If you are not extending your identity management processes to the cloud application but still want more control over the accounts that can be used to sign on, you can set up a VPN connection to an on-premise resource that the sign-on mechanism of the application uses to authenticate users. This option allows you to directly control accounts and log authentication events, but is more prone to operational issues and gives you none of the other benefits, because you are still using the sign-on mechanism of the application.

A more agile option is to use a single sign-on solution set up on premise or at another cloud location. Sometimes this is the only way to integrate a cloud application with a user store you control or with your identity management solution. The main benefits are that you can control access to multiple cloud services from a central location, and users only have to sign on once to use all connected applications. It also gives you a central point for integration with other processes like identity management and monitoring.

Advanced access management solutions extend traditional single sign-on by adding decision making based on rules and context. This enables you, for instance, to require that a connection is initiated from a specific location (for example the IP range used in your offices), that a user has a specific attribute (like a department number) to use an application, or that an additional login method is used outside business hours. It also allows more authentication methods (with support for Windows authentication, multifactor authentication (MFA), one time passwords (OTP) and social login). If you are already using an on-premise access management solution, it is the logical choice to use that as the authentication point for the cloud application. This way you incorporate cloud applications into your existing access management processes.
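The push model of 7.1, where your own directory is the source of truth and the SaaS user store is brought in line over SCIM, as an added example that is not part of the original whitepaper. The block reads the SaaS user list from a SCIM ListResponse, compares it with a directory export, and produces the SCIM requests that create joiners and deactivate leavers and orphaned accounts (the "accounts not removed in time" problem the section warns about). The request shapes follow the SCIM 2.0 core User schema and PatchOp message; the directory export, the ListResponse and the /Users paths are constructed for the example, and nothing here contacts a real service.

```python
# Joiner/leaver reconciliation over SCIM 2.0, the push model of 7.1 above.
# Added example, not part of the original whitepaper. All input in demo() is
# constructed; the schema URNs are the standard SCIM 2.0 identifiers, the
# SaaS base URL is left out because the block never sends anything.
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def parse_list_response(body):
    """Read the users the SaaS returns from GET /Users (a SCIM ListResponse)."""
    doc = json.loads(body)
    if SCIM_LIST not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [{"id": r["id"], "userName": r["userName"], "active": r.get("active", True)}
            for r in doc.get("Resources", [])]


def create_user_request(user):
    """POST /Users for a joiner; the account is created active."""
    return {"method": "POST", "path": "/Users", "body": {
        "schemas": [SCIM_USER],
        "userName": user["userName"],
        "name": {"givenName": user["givenName"], "familyName": user["familyName"]},
        "emails": [{"value": user["email"], "primary": True}],
        "active": True,
    }}


def set_active_request(scim_id, active):
    """PATCH /Users/{id}; deactivating rather than deleting keeps the id for audit trails."""
    return {"method": "PATCH", "path": "/Users/%s" % scim_id, "body": {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "value": {"active": active}}],
    }}


def reconcile(directory, saas_users):
    """Return the SCIM requests that make the SaaS store match the directory.
    Disabled directory users and SaaS accounts with no directory entry are
    deactivated; enabled users missing from the SaaS are created."""
    wanted = {u["userName"].lower(): u for u in directory if u["enabled"]}
    present = {u["userName"].lower(): u for u in saas_users}
    requests = []
    for name in sorted(wanted):
        if name not in present:
            requests.append(create_user_request(wanted[name]))
        elif not present[name]["active"]:
            requests.append(set_active_request(present[name]["id"], True))
    for name in sorted(present):
        if name not in wanted and present[name]["active"]:
            requests.append(set_active_request(present[name]["id"], False))
    return requests


def demo():
    """Constructed input: one joiner (carol), one leaver (bob) and one orphan (dave)."""
    directory = [
        {"userName": "alice", "givenName": "Alice", "familyName": "Jansen",
         "email": "alice@example.com", "enabled": True},
        {"userName": "bob", "givenName": "Bob", "familyName": "de Vries",
         "email": "bob@example.com", "enabled": False},
        {"userName": "carol", "givenName": "Carol", "familyName": "Bakker",
         "email": "carol@example.com", "enabled": True},
    ]
    list_response = json.dumps({
        "schemas": [SCIM_LIST], "totalResults": 3,
        "Resources": [
            {"id": "u-1", "userName": "alice", "active": True},
            {"id": "u-2", "userName": "bob", "active": True},
            {"id": "u-4", "userName": "dave", "active": True},
        ],
    })
    return reconcile(directory, parse_list_response(list_response))
```

demo() yields three requests: a POST creating carol, and PATCH operations that deactivate u-2 (bob, disabled in the directory) and u-4 (dave, who has no directory entry at all). Running the reconciliation on a schedule, and alerting on any account the SaaS reports that the directory does not know, turns the periodic access review the section mentions into a continuous check rather than a manual chore.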