Securing Data While Leveraging Virtualized and Cloud Storage


1 Securing Data While Leveraging Virtualized and Cloud Storage
Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP
CTO Security & Privacy, Hitachi Data Systems

2 Welcome to the Virtual Jungle
- The Setup
- Virtualization Lay of the Land
- Virtual Security (or Insecurity)
- Lifting the Haze Around Cloud Computing
- Securing the Cloud
- Legal & Compliance Issues
- The Storage Angle
- Wrapping Up

3 The Setup
A Little Context

4 Background
- Storage virtualization plays an important role in data resilience and data protection strategies within many organizations.
- Migrations onto virtual servers have saved some businesses huge sums of money as a result of consolidation and improved efficiency.
- The server virtualization market has emerged so quickly that customers have not been able to keep up from a best practices standpoint (especially security).
- Server virtualization introduces technologies that must be managed and secured.
- Virtualization is clearly an enabler for cloud.

5 Observations & Trends
- Concerns over security in a virtual environment are often centered around lack of visibility, lack of control and fear of the unknown.
- Smaller organizations with minimal IT departments can see improved security when using services and infrastructure from a public cloud service provider.
- The security and IS audit communities continue to highlight the risks associated with the use of cloud.
- The storage industry is becoming very excited about virtualization and enabling technologies for the cloud.
- In the U.S., many lawyers have become very interested in the cloud (data breaches and lawsuits).

6 Virtualization Lay of the Land

7 Virtualization Issues
- Networks that work correctly with physical servers don't necessarily work well with virtual machines.
- Virtualization introduces technologies like the hypervisor that must be managed.
- Virtual switching, which routes network traffic between virtual servers, is often done in ways that aren't always visible to tools designed to monitor traffic on the physical network.
- Many business continuity failures in virtualized environments can be attributed to network design flaws.
- In many organizations, the IT security team isn't consulted about virtual infrastructure until well after the architecture is built and rolled out on production servers.
- Virtualization does present risks if best practices are not followed and adapted to a virtual infrastructure.
- Virtual server instances may move between data centers, not just within a single facility.

8 Key Virtualization Components
- Virtual Machine (VM): Software that allows the sharing of the underlying physical machine resources between different VMs, each running its own operating system.
- Virtual Machine Monitor (VMM): Software responsible for managing interactions between VM(s) and the physical system.
- Hypervisor: The software that handles kernel operations. A hypervisor can run on bare hardware (Type 1 or native VM) or on top of an operating system (Type 2 or hosted VM).
- Virtual Networks: Virtual networks tie together the VMs' virtual network interface cards (vNICs), virtual switches (vSwitches), and physical network interface cards (NICs) into various network architectures.
- Putting It All Together: A virtualized environment consists of a VMM and one or more VMs. The VMs and VMM interact with either a hypervisor or a host OS to access hardware, local I/O, and networking resources. In addition to these components, virtualization architectures leverage virtual networking, virtual storage, and terminal service capabilities to complete their architectures.

9 Key Virtualization Types
[Figure: two stack diagrams, each with VM1, VM2 and VM3 (Applications / OS / Virtual Hardware). Type 1 Virtualization: the VMs sit on a Virtualization Layer directly on x86 Architecture Hardware. Type 2 Virtualization: the VMs sit on a Virtualization Layer that runs on a Host OS Kernel on x86 Architecture Hardware.]

10 Virtual Security (VirtSec)

11 Immutable Laws of Virtualization Security
- Law 1: All existing OS-level attacks work in the exact same way.
- Law 2: The hypervisor attack surface is additive to a system's risk profile.
- Law 3: Separating functionality and/or content into VMs will reduce risk.
- Law 4: Aggregating functions and resources onto a physical platform will increase risk.
- Law 5: A system containing a trusted VM on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM.
SOURCE: Burton Group, Attacking and Defending Virtual Environments, Version 1, Pete Lindstrom, Jan-2010,

12 Virtualization Security Issues
- Virtualization potentially makes the strong perimeter defense obsolete.
- While technologies are available to secure virtual infrastructure, it is common to see security failures that can be tracked to misconfigurations.
- The traffic flowing between VMs is another area of concern, since IDS/IPS, firewalls and other monitoring tools aren't able to tell if those machines are running on the same physical server hardware.
- In the virtual world, there is no inherent separation of duties, so it has to be built in.
- In an unchecked, unmonitored virtual environment, administrators are all-powerful; often they don't understand the security risks.
- The hypervisor must be patched just like any other operating system to plug security holes.

13 Best Practices for Virtualized Systems
- Harden the Host Operating System, Hypervisor, and VMs
- Limit Physical Access to the Host
- Use Encrypted Communications
- Disable Background Tasks
- Employ Timely Patching and Updating of Systems
- Enable Perimeter Defenses on the VM
- Implement Only One Primary Function per VM
- Implement File Integrity Checks
- Perform Image Backups Frequently
- Secure VM Remote Access
SOURCE: Cloud Security, Krutz, Vines, 2010, Wiley Publishing, ISBN:

14 Lifting the Haze Around Cloud Computing

15 NIST Cloud Computing Characteristics
- On-demand self-service. A consumer can unilaterally provision computing capabilities as needed automatically without requiring human interaction with each service's provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.
- Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
- Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in.
- Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service.
SOURCE: National Institute of Standards and Technology, NIST Definition of Cloud Computing v15,

16 An Application View of Cloud
[Figure: three groups of labels. Service Delivery Models: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS). Application Domains: High-performance Computing, Analytics, Finance, Web, Other. Cloud Deployment Models: Public, Hybrid, Private.]
SOURCE: Cloud Security and Privacy, Mather, Kumaraswamy, Latif, 2009, O'Reilly, ISBN:

17 Mapping the Cloud Model to the Metal
[Figure: the IaaS, PaaS and SaaS service models mapped against the layers Applications, Information, Intelligent workloads, Management, Network, Trusted Computing, Compute & Storage, and Physical.]
SOURCE: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1, 2009,

18 Securing the Cloud

19 What is Cloud Security?
- Security in the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up/down the stack). Think tactical solutions like virtualized firewalls, IDS/IPS, AV, DLP, DoS/DDoS, IAM, etc.
- Security for the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry). Think cloud-based Anti-spam, DDoS, DLP, WAF, etc.
- Security by the Cloud: Security services delivered by Cloud Computing services which are used by providers for the cloud which often rely on those features described in the cloud. Think basically any service these days that brands itself as Cloud.

20 CSA Cloud Computing Security Guidance
Governance
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
Operations
- Traditional Security, Business Continuity and Disaster Recovery
- Data Center Operations
- Incident Response, Notification and Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
NOTE: The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.
SOURCE: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1, 2009,

21 CSA Top Threats to Cloud Computing (1)
#1: Abuse and Nefarious Use of Cloud Computing
- Impacted Service Models: IaaS & PaaS
- Description: The illusion of unlimited compute, network, and storage capacity, often coupled with a frictionless registration process (that preserves anonymity), has allowed spammers, malicious code authors, and other criminals to conduct their activities with relative impunity.
#2: Insecure Interfaces and APIs
- Impacted Service Models: IaaS, PaaS, SaaS
- Description: Software interfaces or APIs are exposed for customers to manage and interact with cloud services (e.g., provisioning, management, orchestration, and monitoring); these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
SOURCE: Cloud Security Alliance, Top Threats to Cloud Computing, Version 1.0, 2010,

22 CSA Top Threats to Cloud Computing (2)
#3: Malicious Insiders
- Impacted Service Models: IaaS, PaaS, SaaS
- Description: The well-known malicious insider threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure as well as little or no visibility into the hiring standards and practices for cloud employees, creating an attractive opportunity for an adversary.
#4: Shared Technology Issues
- Impacted Service Models: IaaS
- Description: IaaS vendors deliver their services in a scalable way by sharing infrastructure, which was not designed to offer strong isolation properties for a multi-tenant architecture, so appropriate security controls should be employed to ensure that individual customers do not impact the operations of other tenants and that customers do not have access to any other tenant's actual or residual data, network traffic, etc.

23 CSA Top Threats to Cloud Computing (3)
#5: Data Loss or Leakage
- Impacted Service Models: IaaS, PaaS, SaaS
- Description: The threat of data compromise (unauthorized access or corruption/destruction) increases in the cloud, due to the number of and interactions between risks and challenges, which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
#6: Account or Service Hijacking
- Impacted Service Models: IaaS, PaaS, SaaS
- Description: Although account or service hijacking is not new, cloud solutions add a new threat because a successful attacker (e.g., one who gains access to your credentials) can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites, as well as use your account or service instances as a new base for the attacker, possibly leveraging the power of your reputation to launch subsequent attacks.

24 CSA Top Threats to Cloud Computing (4)
#7: Unknown Risk Profile
- Impacted Service Models: IaaS, PaaS, SaaS
- Description: The features and functionality of a cloud service may be well advertised, but there may be few details (e.g., versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design) to help estimate your organization's security posture, as well as little or no information on the cloud service provider's compliance with the internal security procedures, configuration hardening, patching, auditing, and logging. Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.

25 Legal & Compliance Issues

26 Governance & Compliance
- Compliance regulation/legislation not prescriptive on how to address virtual/cloud environments
For Virtualized Environments:
- Auditors making judgment calls; security teams adjusting existing controls to be compliant-enough
- Data tracking (VM movement) one of the biggest problem areas
- Monitoring and audit logging capabilities to prove compliance also a huge problem
- Need to establish compliance policies and practices as well as configuration management for virtual environments
For Cloud:
- This list is long and distinguished (see CSA guidance)

27 Privacy
For Virtualized Environments:
- Access control much more difficult to establish and enforce
- It can be difficult/impossible to prove that regulated information has remained protected at all times while moving
For Cloud:
- Sensitive information is potentially moving around the Internet within the Cloud in violation of law
- Data may be crossing national boundaries (possibly multiple jurisdictions)
- Data droppings throughout the Cloud; data retention and media sanitization are unpredictable
- Data protection and security dependent on contractual terms and service level agreements

28 Digital Evidence and Forensics
- Amassing the forensic data from the various sources could be a serious challenge
- Investigators must be proficient with the technologies
For Virtualized Environments:
- Image backups of VMs could be extremely valuable
- Audit trails are key, but only if they are usable
For Cloud:
- The real-time nature of Cloud Services may reduce the amount and nature of digital evidence
- The integrity and authenticity of data may be questionable (for example, inadequate protections against attacks)
- Describing (to a jury) indiscretions that occur within the Cloud could be extremely difficult

29 Electronic Discovery
For Virtualized Environments:
- Compartmentalization may make it easier to find relevant data
- Many more places to look for the data (missing it could result in sanctions)
For Cloud:
- Data classification and records management practices become more important, but they are less likely to be used
- Relevant data could be within the hands of a large number of third parties (suppliers to suppliers)
- Business processes will be dependent on many elements within the Cloud (multiple consumers and suppliers)
- Organizations will have additional challenges identifying relevant data because business units are directly leveraging the Cloud

30 The Storage Angle

31 Storage and Virtualization
- Storage virtualization is employed by many organizations as part of the data resilience and disaster recovery and business continuity solutions
- An assortment of storage security mechanisms exists:
  - Entity authentication (iSCSI CHAP & FC-SP DH-CHAP)
  - Source filtering (IP address & WWNs)
  - At-rest encryption (HBA and in-line)
- Storage security mechanisms often have to be loosened to accommodate server virtualization
- Storage-based replication can be a powerful complement for VM movement between sites

32 Storage and Cloud
- Multiple proprietary cloud storage offerings available and some include security mechanisms
- Cloud-based backup services used by many individuals and small businesses
- Storage Networking Industry Association (SNIA) has completed the Cloud Data Management Interface (CDMI) specification; working on reference implementation.
- Assume nothing about security; mechanisms are often disabled by default.

33 Wrapping Up

34 Summary: Virtualization
- Server virtualization is commonplace for many organizations, and becoming so for many others
- Virtualization security is a viable option, but:
  - Security professionals need to be engaged early
  - Security requirements/mechanisms may impose restrictions that negate some or all of the value of virtualization
  - Compliance requirements must be factored into the solution
- Leverage storage technologies to help with data management

35 Summary: Cloud
- It is possible to engineer solutions across most cloud services today that meet or exceed the security provided within the enterprise; however, the capability to execute may not be a reality!
- With cloud, the SLA represents the best of circumstances (assume nothing).
- Don't put anything in the cloud you wouldn't want someone else to see (government, competitor, or a private litigant)

36 Cloud Security Resources
- Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing, Top Threats to Cloud Computing,
- European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, risks and recommendations for information security,
- Information Systems Audit and Control Association (ISACA), Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives,
- Cloud Security and Privacy, Mather, Kumaraswamy, Latif, 2009, O'Reilly Publishing, ISBN:
- Cloud Security: A Comprehensive Guide to Secure Cloud Computing, Ronald L. Krutz, Russell Dean Vines, 2010, Wiley, ISBN:
- SNIA Cloud Storage Initiative,

37 Cloud Standards Activities (1)
- Cloud Computing Interoperability Forum (CCIF) is developing Unified Cloud Interfaces and APIs
- Cloud Security Alliance (CSA) to promote the use of best practices for providing security assurance within Cloud computing
- Distributed Management Task Force (DMTF) is developing specifications for the management interfaces between the cloud service consumer / developer and the cloud service provider.
- ISO/IEC JTC 1 Subcommittee 38 (SC38) on Distributed Application Platforms and Services (DAPS) has a focus on Web services, SOA, and cloud computing

38 Cloud Standards Activities (2)
- Object Management Group (OMG) to establish a uniform vocabulary for Cloud Computing, as well as to synchronize standards development
- Open Cloud Consortium (OCC) is researching the creation of inter-cloud interfaces with the aim of developing compatibility standards
- Open Grid Forum (OGF) is developing an Open Cloud Computing Interface (OCCI)
- Storage Networking Industry Association (SNIA) developed the Cloud Data Management Interface (CDMI) specification

39 Questions & Comments can be directed to:
Thank You

40 About the Author/Presenter
Eric Hibbard is Hitachi Data Systems' CTO for Security and Privacy, where he is responsible for storage security strategy, identifying and defining new storage security architectures, and designing new storage networking infrastructures. He is a senior security professional with 30+ years of experience in information and communications technology (ICT), working for government, academia, and industry.
Mr. Hibbard is active in formal storage and security standardization as well as organizations involved with data security and protection. He serves as the International Representative for INCITS/CS1 Cyber Security, Co-Chair of the E-Discovery and Digital Evidence (EDDE) Committee of the American Bar Association's Section of Science & Technology Law, the Vice Chair of IEEE Information Assurance Standards Committee (IASC), the Vice Chair of IEEE P1619 Security in Storage Work Group (SISWG), and the Chair of the Storage Networking Industry Association (SNIA) Security Technical Working Group. He is also involved with INCITS/T11, Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), Trusted Computing Group, IEEE-USA Critical Infrastructure Protection Committee (CIPC), IETF, W3C, and the Distributed Management Task Force (DMTF).
Mr. Hibbard currently holds the International Information Systems Security Certification Consortium (ISC)² CISSP certification as well as the ISSAP, the ISSMP, and the ISSEP concentration certifications. He also holds the ISACA Certified Information Systems Auditor (CISA) and the SNIA Certified Storage Engineer (SCSE) certifications. His educational background includes a B.S. in Computer Science and a credential in Data Communications.


More information

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) Security Management of Cloud-Native Applications Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) 1 Outline Context State-of-the-Art Design Patterns Threats to cloud systems Security

More information

Securing the Physical, Virtual, Cloud Continuum

Securing the Physical, Virtual, Cloud Continuum Securing the Physical, Virtual, Cloud Continuum By Ted Ritter, CISSP Senior Research Analyst Executive Summary The data center is undergoing a radical shift, from virtualization towards internal cloud

More information

Cloud Computing Standards: Overview and ITU-T positioning

Cloud Computing Standards: Overview and ITU-T positioning ITU Workshop on Cloud Computing (Tunis, Tunisia, 18-19 June 2012) Cloud Computing Standards: Overview and ITU-T positioning Dr France Telecom, Orange Labs Networks & Carriers / R&D Chairman ITU-T Working

More information

Security Virtual Infrastructure - Cloud

Security Virtual Infrastructure - Cloud Security Virtual Infrastructure - Cloud Your Name Ramkumar Mohan Head IT & CISO Orbis Financial Corporation Ltd Agenda Cloud Brief Introduction State of Cloud Cloud Challenges Private Cloud Journey to

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011 IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011 Cloud Basics Cloud Basics The interesting thing about cloud computing is that we've redefined cloud computing to include everything

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

New Risks in the New World of Emerging Technologies

New Risks in the New World of Emerging Technologies New Risks in the New World of Emerging Technologies Victor Chu Client Technical Professional Identity, Security, and Compliance Management Software Group IBM Malaysia Risk it s NOT a four simple letter

More information

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Brochure More information from http://www.researchandmarkets.com/reports/2213812/ Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A Description: The auditor's guide to ensuring

More information

SECURITY THREATS TO CLOUD COMPUTING

SECURITY THREATS TO CLOUD COMPUTING IMPACT: International Journal of Research in Engineering & Technology (IMPACT: IJRET) ISSN(E): 2321-8843; ISSN(P): 2347-4599 Vol. 2, Issue 3, Mar 2014, 101-106 Impact Journals SECURITY THREATS TO CLOUD

More information

Security Threats in Cloud Computing Environments 1

Security Threats in Cloud Computing Environments 1 Security Threats in Cloud Computing Environments 1 Kangchan Lee Electronics and Telecommunications Research Institute chan@etr.re.kr Abstract Cloud computing is a model for enabling service user s ubiquitous,

More information

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects Cloud Computing An insight in the Governance & Security aspects AGENDA Introduction Security Governance Risks Compliance Recommendations References 1 Cloud Computing Peter Hinssen, The New Normal, 2010

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Cloud Computing Security Issues And Methods to Overcome

Cloud Computing Security Issues And Methods to Overcome Cloud Computing Security Issues And Methods to Overcome Manas M N 1, Nagalakshmi C K 2, Shobha G 3 MTech, Computer Science & Engineering, RVCE, Bangalore, India 1,2 Professor & HOD, Computer Science &

More information

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public. Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM

More information

yvette@yvetteagostini.it yvette@yvetteagostini.it

yvette@yvetteagostini.it yvette@yvetteagostini.it 1 The following is merely a collection of notes taken during works, study and just-for-fun activities No copyright infringements intended: all sources are duly listed at the end of the document This work

More information

EXIN Cloud Computing Foundation

EXIN Cloud Computing Foundation Sample Questions EXIN Cloud Computing Foundation Edition April 2013 Copyright 2013 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing

More information

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models. Cloud Strategy Information Systems and Technology Bruce Campbell What is the Cloud? From http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf Cloud computing is a model for enabling ubiquitous,

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST Future of Cloud Computing Irena Bojanova, Ph.D. UMUC, NIST No Longer On The Horizon Essential Characteristics On-demand Self-Service Broad Network Access Resource Pooling Rapid Elasticity Measured Service

More information

FACING SECURITY CHALLENGES

FACING SECURITY CHALLENGES 24 July 2013 TimeTec Cloud Security FACING SECURITY CHALLENGES HEAD-ON - by Mr. Daryl Choo, Chief Information Officer, FingerTec HQ Cloud usage and trend Cloud Computing is getting more common nowadays

More information

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Introduction

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Cloud Infrastructure Security

Cloud Infrastructure Security Cloud Infrastructure Security Dimiter Velev 1 and Plamena Zlateva 2 1 University of National and World Economy, UNSS - Studentski grad, 1700 Sofia, Bulgaria dvelev@unwe.acad.bg 2 Institute of Control and

More information

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. The Magical Cloud Lennart Franked Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. 2014-10-20 Lennart Franked (MIUN IKS) The Magical Cloud 2014-10-20 1 / 35

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns

More information

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization How Data-Centric Protection Increases Security in Cloud Computing and Virtualization Executive Overview Cloud services and virtualization are driving significant shifts in IT spending and deployments.

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

Storage Multi-Tenancy for Cloud Computing. Paul Feresten, NetApp; SNIA Cloud Storage Initiative Member

Storage Multi-Tenancy for Cloud Computing. Paul Feresten, NetApp; SNIA Cloud Storage Initiative Member Paul Feresten, NetApp; SNIA Cloud Storage Initiative Member March, 2010 Table of Contents Introduction...1 What is Multi-Tenancy?...2 Storage Multi-Tenancy...2 Enabling Cloud-Based Data Management CDMI...3

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print)

More information

Virtualization and Cloud Computing

Virtualization and Cloud Computing Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices Emerging Approaches in a -Connected Enterprise: Containers and Microservices Anil Karmel Co-Founder and CEO, C2 Labs Co-Chair, NIST Security Working Group akarmel@c2labs.com @anilkarmel Emerging Technologies

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

SECURE CLOUD COMPUTING

SECURE CLOUD COMPUTING Outline SECURE CLOUD COMPUTING Introduction (of many buzz words) References What is Cloud Computing Cloud Computing Infrastructure Security Cloud Storage and Data Security Identity Management in the Cloud

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Cloud Computing Security Issues

Cloud Computing Security Issues Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,

More information

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com Secure Multi Tenancy In the Cloud Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com At-a-Glance Trends Do MORE with LESS Increased Insider Threat Increasing IT spend on cloud

More information

journey to a hybrid cloud

journey to a hybrid cloud journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience

More information

Security of Cloud Computing

Security of Cloud Computing Security of Cloud Computing Fabrizio Baiardi f.baiardi@unipi.it 1 Syllabus Cloud Computing Introduction Definitions Economic Reasons Service Model Deployment Model Supporting Technologies Virtualization

More information

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?

More information

Top 10 Risks in the Cloud

Top 10 Risks in the Cloud A COALFIRE PERSPECTIVE Top 10 Risks in the Cloud by Balaji Palanisamy, VCP, QSA, Coalfire March 2012 DALLAS DENVER LOS ANGELES NEW YORK SEATTLE Introduction Business leaders today face a complex risk question

More information

CLOUD COMPUTING DEMYSTIFIED

CLOUD COMPUTING DEMYSTIFIED CLOUD COMPUTING DEMYSTIFIED Definitions you ve been pretending to understand JACK DANIEL, CCSK, CISSP, MVP ENTERPRISE SECURITY Definitions Words have meaning, professionals need to understand them. We

More information

Security in Hybrid Clouds

Security in Hybrid Clouds Security in Hybrid Clouds Executive Summary... 3 Commonly Accepted Security Practices and Philosophies... 4 Defense- in- Depth... 4 Principal of Least Privileges... 4 Hybrid Cloud Security Issues and Threats...

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

6 Cloud computing overview

6 Cloud computing overview 6 Cloud computing overview 6.1 General ISO/IEC 17788:2014 (E) Cloud Computing Overview Page 1 of 6 Cloud computing is a paradigm for enabling network access to a scalable and elastic pool of shareable

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

Security Issues In Cloud Computing And Their Solutions

Security Issues In Cloud Computing And Their Solutions Security Issues In Cloud Computing And Their Solutions Mr. Vinod K. Lalbeg Lecturer (Management), NWIMSR, Pune-1 & Ms. Anjali S. Mulik Lecturer (Management), NWIMSR, Pune-1 ABSTRACT Cloud Computing offers

More information

Addressing Data Security Challenges in the Cloud

Addressing Data Security Challenges in the Cloud Addressing Data Security Challenges in the Cloud Coordinate Security. The Need for Cloud Computing Security A Trend Micro White Paper July 2010 I. INTRODUCTION Enterprises increasingly recognize cloud

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information