Business In the Cloud: Mitigating Risk. Fred Pinkett, VP of Product Management, Security Innovation
1 Business In the Cloud: Mitigating Risk
- Fred Pinkett, VP of Product Management, Security Innovation
2 About Security Innovation
- Application & Crypto Security Experts: 10+ years of research on vulnerabilities and cryptography; hundreds of assessments on the world's most dominant software applications
- Products, Services & Training: Software & SDLC Assessment; eLearning & Coding Standards; High-Performance Data Encryption
- Helping organizations: build internal application security expertise; integrate security into their development process; reduce vulnerabilities and IT/data risk
3 Security Innovation Credentials
- Authors of 8 Books & Guides: How To Break Software Security; How to Break Web Software; The Software Vulnerability Guide; How To Break Software; Team Development with VSTS; Improving Web Services Security; Application Architecture Guide; Security Engineering Explained
- Our roots are in Security Education: spin-off of Florida Institute of Technology (2002), one of three universities at the time with an application testing degree program and the first to introduce a minor in software security
- Real-world, vetted content: techniques based on assessment of the world's most dominant software: Microsoft, Amazon.com, Symantec, Orbitz.com, B&N.com, Adobe, Akamai
- Industry's Largest Library of eLearning Courses: 40+ courses and 85+ hours of total content; 100,000+ users
4 Agenda
- Pros and Cons of Cloud Computing
- Security Controls & Building a Secure System
- Redundancy: We Still Need to Think About This?
- The Murky Waters of Compliance
- Service Level Agreements
- Conclusion
5 Pros & Cons of Cloud Computing
- Early days: buy one or many very large servers
  - Pros: you own the hardware/infrastructure; you know how it works (probably)
  - Cons: you deal with hardware failure and build for peak load (which may only happen once per year); very costly, slow to react
- Today there are lots of *aaS models: Software as a Service, Platform as a Service, Infrastructure as a Service
- ...and security means a lot of *aaS holes
6 Pros & Cons of Cloud Computing
- Today's Cloud: pay for space, bandwidth, processing time (similar to time-sharing servers, but exponentially bigger)
  - Pros: pay for what you need; instant and reactive scaling; many options for "going into the cloud"; no more failover headaches
  - Cons: you have no idea where your data is; compliance issues; new vulnerability classes; trust issues
- Security in the Cloud: You Are Still Responsible
  - If your organization wasn't good at security, the cloud can help you improve, but it is not a silver bullet. Beware a false sense of security.
  - If your organization was good at security, the cloud can bring you backwards unknowingly. Understand and deal with regressions.
  - The best protection is the SLA and how you build/deploy applications
7 Pros & Cons of Cloud Computing - Trust: Amazon Elastic Compute Cloud (EC2) Failure Case Study
- EC2 is a web service that allows developers to obtain and configure capacity with minimal friction
- Affected EC2 customers were primarily in a subset of the Amazon Elastic Block Store (EBS) volumes on the US East Coast
- Caused by several root causes interacting with one another, triggered by a network configuration change made while upgrading
- Instances trying to use the affected volumes got stuck when they attempted to read from or write to them
- In order to restore these volumes, Amazon disabled all control in the affected Availability Zone, which caused high error rates and latencies for EBS API calls across the entire US East Region
- The failure cascaded up the stack
8 Agenda: Pros and Cons of Cloud Computing; Security Controls & Building a Secure System; Redundancy: We Still Need to Think About This?; The Murky Waters of Compliance; Service Level Agreements; Conclusion
9 Cloud Security
- Security can be improved or reduced by going into the Cloud
- Need to consider things like loss of control, data flow, insight into how the cloud infrastructure is designed, etc.
- Mitigating risk by transferring it; but can the recipient provide the necessary protections/assurance?
- The amalgam of IDS, firewalls, IPS and other security controls provided by the cloud vendor is good, but...
  - They miss the majority of attacks and security vulnerabilities
  - They are ineffective when applications must be internet facing
- The truth is that security is generally a software problem
  - With internet applications, software becomes the perimeter
  - Between 70-92%* of security vulnerabilities exist in the application layer (* source: Gartner Group and NIST)
10 Building a Secure System: Locking Down Legacy Applications
- External Penetration Testing
- Access Control Review and update
- Recommendations:
  - Replacement: if the application cannot be secured and provides key functionality
  - Abandonment: if the application cannot be secured and the functionality can be provided by another asset
  - Isolation: if the application cannot be secured, is critical and there's no alternative asset
11 Building a Secure System: Securing New Applications
- Software Development Process Review: introduce secure best practices where needed; modify implemented practices where needed
- Software Requirements and Code Reviews: inline with development, constant feedback
- Security testing as part of the normal test plan
- Penetration Testing: External (outside in); Internal (cross network)
12 Building a Secure System: Under-leveraged, Powerful Risk Techniques
- Attack Surface Analysis and Reduction
  - The entire collection of an application's entry points is known as its Attack Surface
  - Helps prevent vulnerabilities you don't know about yet
  - A real measure of risk in your application: the fewer doors (entry points) there are, generally the lower the risk
  - Big Attack Surface = Big Security Work = Big Security Problems
- Threat Modeling
  - Secure software starts with identifying the most critical threats and risks
  - Based on understanding an asset's value and the cost of exploitation
  - Can be done at the individual application or system level
  - Threats are not vulnerabilities: they live forever and are the attacker's goal
13 Building a Secure System: Security Controls
- Secure in Isolation: if a component is isolated through failure or malicious actions, it should behave appropriately
- Secure (Defense) in Depth: multiple layers of defense; defense at all layers of the stack (from your provider and in your application)
- Secure in Failure: if (when!) something goes down or is compromised, there should be forensic information but not sensitive information
- Test your controls early and often
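An added example (not from the deck) of the "Secure in Failure" control: when a component fails, the record it leaves keeps forensic detail (request id, component, exception type, code location, a non-reversible actor fingerprint) while card numbers, credentials and other sensitive context are redacted before the record is written. The payment handler, the field names and the sample request are all constructed for illustration.

```python
import hashlib
import re
import traceback
from datetime import datetime, timezone

# Keys whose values carry secrets or regulated data; they never reach a failure record in clear.
SENSITIVE_KEYS = {"password", "authorization", "session_token", "card_number", "ssn", "patient_name"}

# Catches card-number-shaped digit runs that leak into free-text fields or exception messages.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def fingerprint(value: str) -> str:
    """Stable, non-reversible reference so records about the same actor can be correlated."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def redact(key: str, value):
    """Return what the failure record is allowed to keep for this key."""
    if key == "card_number":
        digits = re.sub(r"\D", "", str(value))
        return "*" * (len(digits) - 4) + digits[-4:]  # keep last four only
    if key in SENSITIVE_KEYS:
        return "[redacted]"
    if isinstance(value, str):
        return PAN_RE.sub("[pan-redacted]", value)
    return value


def forensic_record(component: str, context: dict, exc: BaseException) -> dict:
    """Build the record emitted when a component fails: forensic, not sensitive."""
    tb = traceback.extract_tb(exc.__traceback__)
    frame = tb[-1] if tb else None
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "component": component,
        "request_id": context.get("request_id"),
        "actor": fingerprint(context["user_id"]) if "user_id" in context else None,
        "exception": type(exc).__name__,
        # Exception messages are scrubbed too: dependencies often echo their inputs back.
        "message": redact("message", str(exc)),
        "location": f"{frame.filename}:{frame.lineno}" if frame else None,
        "context": {k: redact(k, v) for k, v in context.items()
                    if k not in ("request_id", "user_id")},
    }


def charge_card(card_number: str, amount_cents: int) -> None:
    """Constructed stand-in for a payment gateway that has gone down (and echoes the PAN)."""
    raise TimeoutError(f"gateway did not answer for card {card_number}")


def process_payment(context: dict) -> dict:
    """Handle one payment request; on failure return the redacted forensic record."""
    try:
        charge_card(context["card_number"].replace(" ", ""), context.get("amount_cents", 0))
    except TimeoutError as exc:
        return forensic_record("payment-service", context, exc)
    return {"status": "ok"}


# Constructed sample request with the kinds of data that must not end up in logs.
SAMPLE_REQUEST = {
    "request_id": "req-0042",
    "user_id": "alice",
    "card_number": "4111 1111 1111 1111",
    "password": "hunter2",
    "amount_cents": 1999,
    "note": "retry of 4111111111111111",
}

if __name__ == "__main__":
    print(process_payment(SAMPLE_REQUEST))
```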
14 Agenda: Pros and Cons of Cloud Computing; Security Controls & Building a Secure System; Redundancy; The Murky Waters of Compliance; Service Level Agreements; Conclusion
15 Application Redundancy & CIA
- Availability is the most straightforward to achieve
  - Think uptime
  - Although no simple task, it is much easier than protecting confidentiality and integrity
  - Typical attacks are based on bad data input in an effort to choke the application
  - Requires strict data input rules as guidelines for validation
- Confidentiality & Integrity
  - Confidentiality: ensure that only intended users can access information
  - Integrity: ensure the source of data and that it has not been altered in transit
  - Both require strong authentication that allows the system to validate a true identity, and authorization
16 Redundancy: We Still Need to Think About This?
- Ask Amazon's Customers: those that had a secondary service provider or replicated across multiple Amazon availability zones continued running
- Going Cloud is an Opportunity for Redundant Redundancy: across providers, providers' geographic areas, etc.
- If You Lose Service You Get Fees Back, Not the Business
  - We'll talk SLAs shortly
  - Consider Insurance
17 Redundancy: We Still Need to Think About This?
- Where are your points of failure? DNS, Load Balancer, Data Storage
- Components are constantly failing and in flux; we need to: understand it; plan for it; make our failures transparent to our users
18 Redundancy: Netflix Chaos Monkey Case Study
- Netflix has its infrastructure on the Amazon cloud
- Has to work within the limits of what Amazon provides: a highly automated set of capabilities across an elastic and regular infrastructure
- Chaos Monkey ensures that individual components work independently and return something when dependencies aren't responding
  - A script that randomly kills instances and services
  - Brings down production servers at random points during the day, when developers are around just in case things go wrong
- Designing applications in the cloud means designing for failure
  - Avoid single points of failure
  - Distribute activity across multiple nodes in multiple data centers so that if parts of the infrastructure fail, the applications continue to run
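The two redundancy slides above (points of failure; Chaos Monkey and designing for failure) as one added example that is not from the deck or from Netflix: a constructed in-memory fleet behind a load balancer, a zone-loss report that answers "if this whole Availability Zone went down, would we still serve?", and a Chaos Monkey style loop that kills one instance at a time and measures how many requests still succeed. The zone names and instance names are made up; `Service`, `zone_loss_report` and `run_chaos_test` are illustration-only.

```python
import copy
import random
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    zone: str          # constructed Availability Zone label
    healthy: bool = True


@dataclass
class Service:
    """Constructed fleet behind a load balancer; no real cloud APIs involved."""
    instances: list

    def healthy_instances(self):
        return [i for i in self.instances if i.healthy]

    def handle_request(self) -> str:
        """Route like a load balancer: any healthy instance answers; none means an outage."""
        pool = self.healthy_instances()
        if not pool:
            raise RuntimeError("no healthy instances: a single point of failure was hit")
        return random.choice(pool).name


def zone_outage(service: Service, zone: str) -> None:
    """Models the EC2 case study: everything in one Availability Zone becomes unusable."""
    for inst in service.instances:
        if inst.zone == zone:
            inst.healthy = False


def zone_loss_report(service: Service) -> dict:
    """For each zone, ask whether the service could still answer if that whole zone went down."""
    report = {}
    for zone in sorted({i.zone for i in service.instances}):
        trial = copy.deepcopy(service)          # never run the drill against the live fleet object
        zone_outage(trial, zone)
        report[zone] = bool(trial.healthy_instances())
    return report


def chaos_kill_instance(service: Service, rng: random.Random) -> None:
    """One Chaos Monkey step: terminate a random healthy instance."""
    victims = service.healthy_instances()
    if victims:
        rng.choice(victims).healthy = False


def run_chaos_test(service: Service, rng: random.Random, kills: int, requests_per_round: int = 20) -> list:
    """Kill instances one at a time; after each kill, count how many requests still succeed."""
    results = []
    for _ in range(kills):
        chaos_kill_instance(service, rng)
        ok = 0
        for _ in range(requests_per_round):
            try:
                service.handle_request()
                ok += 1
            except RuntimeError:
                pass                              # user-visible failure: the design did not hide it
        results.append(ok)
    return results


def single_zone_fleet() -> Service:
    """Three instances, all in one zone: the zone itself is a single point of failure."""
    return Service([Instance(f"web-{n}", "zone-a") for n in range(3)])


def multi_zone_fleet() -> Service:
    """Six instances spread over three zones, as the slides recommend."""
    return Service([Instance(f"web-{z}{n}", f"zone-{z}") for z in "abc" for n in range(2)])


if __name__ == "__main__":
    print("single zone:", zone_loss_report(single_zone_fleet()))
    print("multi zone: ", zone_loss_report(multi_zone_fleet()))
    print("chaos run:  ", run_chaos_test(multi_zone_fleet(), random.Random(1), kills=6))
```

Each kill in the chaos run removes one healthy instance regardless of the seed, so the multi-zone fleet keeps answering until the last instance is gone, while the single-zone fleet fails the zone-loss report outright.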
19 Agenda: Pros and Cons of Cloud Computing; Security Controls & Building a Secure System; Redundancy: We Still Need to Think About This?; The Murky Waters of Compliance; Service Level Agreements; Conclusion
20 The Murky Waters of Compliance: PCI-DSS
- PCI Responsibilities for the Cloud Provider: annual audits to make sure they meet all service provider criteria: firewalls, intrusion detection, disaster recovery, physical controls and appropriate segmentation of staff duties
- PCI Responsibilities for the Organization using the Cloud Provider: need to add their own controls and technology, including not storing card information any longer than necessary to process the transaction
- Gray Areas
  - PCI assumes the place where data is stored can only be accessed by you, and that servers you control are locked down
  - In the cloud, servers may be shared by multiple clients, and even if they are not, who controls them?
  - Part of the transaction takes place within the merchant's point-of-sale system
21 The Murky Waters of Compliance: SAS 70
- Tracking data flow across multiple data centers can be difficult, but doable
- If there are material numbers coming from data that has been stored or in any way acted upon by a cloud vendor, there needs to be a full understanding of where the information comes in, how it gets back to the users, the controls over the processing of the data, and what happens to the data when it gets to the cloud
- Bottom line: YOU are responsible for your data
- With SAS 70, you are building a control framework that your auditor feels is appropriate; e.g. SAS 70 does not talk about encryption, but you can make encryption part of your audit framework, and SAS 70 will show you are doing it
22 The Murky Waters of Compliance: HIPAA
- HIPAA Responsibilities for the Cloud Provider: warrant to customers that they are in a HIPAA-compliant environment, that the environment is secure both physically and logically, that the data is protected, and that controls are in place to protect patient data
- HIPAA Responsibilities for the Organization using the Cloud Provider
  - Ensure that the data is handled properly
  - Although encryption is not required, if there is none, there must be mitigating controls (e.g. physical security to prevent unauthorized access)
  - Personal data sent over public networks must be encrypted
  - Log access and validate who has access to the network
  - Some companies strip out all protected health care information before uploading data to the cloud to ensure compliance
23 The Murky Waters of Compliance: GLBA
- Not built with security in mind; assumes data is controlled by the enterprise
- You are responsible for your providers: companies assume the risk for data loss no matter where it is stored; all the requirements apply to you and cannot be passed through
- Some things change: how data is stored, accessed, transmitted
- Some things don't: logging/auditing is still required
- Encryption can help or hurt
- Architecture has to be thought out in detail
24 The Murky Waters of Compliance: Privacy and Disclosure Laws
- If your customer's data is disclosed, you have to notify
- You bear the cost
- You bear the hit to your reputation
- You can blame this on the provider, but that's a nuance lost on the customer
- Example: a marketing provider was hacked; I got notifications from several companies
25 Agenda: Pros and Cons of Cloud Computing; Security Controls & Building a Secure System; Redundancy: We Still Need to Think About This?; The Murky Waters of Compliance; Service Level Agreements; Conclusion
26 Service Level Agreements (SLAs)
- Read them like your business depends on it (hint: it does)
- Many exceptions and nebulous wording: "Not responsible for events... caused by a third party... outside of our reasonable control" (Amazon)
- Back to the Amazon EC2 Failure Case Study
  - The primary failure was in a component they didn't promise to be available (elastic storage)
  - The companies that knew this piece might fail, and accounted for it, had no interruption in service
  - EC2 has no guarantee for VM uptime
- Bottom line: limited recourse; lawyers need to get involved
27 Service Level Agreements (SLAs): Security Innovation Case Study
- We depend on a hosted LMS
- Provider Risk
  - Moved from a self-hosted system to a cloud provider; business features and maintenance costs were the main driver
  - We require that they let us conduct our own security testing
  - Vulnerabilities are analyzed and traced back to damage potential
    - If high risk/impact: push back on the vendor or consider taking it offline
    - If low risk/impact: implement mitigating controls
  - We put these clauses in the contract
  - We are currently working through several vulns with the cloud provider
28 Conclusion
- Cloud Computing has nice security and feature advantages, but beware of:
  - How it impacts Compliance
  - The false sense of security that comes with cloud provisioning
  - What is in your SLA (Amazon customers got 10 days' fees back)
- Your Applications are your line of defense in the Cloud
  - They need to be hardened and self-defending
  - Well designed applications with a small attack surface can protect against vulnerabilities that you don't know about or that are introduced within a cloud environment
29 Questions? Thank You. Fred Pinkett, VP of Product Management
More informationIs Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting
Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions
More informationKeyLock Solutions Security and Privacy Protection Practices
KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationEXIN Cloud Computing Foundation
Sample Questions EXIN Cloud Computing Foundation Edition April 2013 Copyright 2013 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing
More informationFrom Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org
From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute
More informationAdobe Digital Publishing Security FAQ
Adobe Digital Publishing Suite Security FAQ Adobe Digital Publishing Security FAQ Table of contents DPS Security Overview Network Service Topology Folio ProducerService Network Diagram Fulfillment Server
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationOvercoming PCI Compliance Challenges
Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the
More informationA Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
More informationPlan of Attack 5 Step Plan
Plan of Attack 5 Step Plan Naming those Digital Assets Practicing Digital Doomsday Training + Policies and Procedures Technology Tuning Security in the Supply Chain Next Steps Sample Plan 0 to 30 Days
More informationHow To Protect Yourself From Cyber Threats
Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit
More informationRemote Services. Managing Open Systems with Remote Services
Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater
More informationThreat Modeling Cloud Applications
Threat Modeling Cloud Applications What You Don t Know Will Hurt You Scott Matsumoto Principal Consultant smatsumoto@cigital.com Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293
More informationLooking Ahead The Path to Moving Security into the Cloud
Looking Ahead The Path to Moving Security into the Cloud Gerhard Eschelbeck Sophos Session ID: SPO2-107 Session Classification: Intermediate Agenda The Changing Threat Landscape Evolution of Application
More informationArchitecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud
Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics
More informationCloud Security. DLT Solutions LLC June 2011. #DLTCloud
Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions
More informationTop virtualization security risks and how to prevent them
E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced
More informationHow to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager
How to Choose the Right Industrial Firewall: The Top 7 Considerations Li Peng Product Manager The right industrial firewall can strengthen the safety and reliability of control systems Central to industrial
More informationBusiness Values of Network and Security Virtualization
Business Values of Network and Security Virtualization VMware NSX in the context of the Software Defined Data Center Klaus Jansen Virtual Networks Sales Specialist VMware NSBU 2014 VMware Inc. All rights
More informationCA Cloud Overview Benefits of the Hyper-V Cloud
Benefits of the Hyper-V Cloud For more information, please contact: Email: sales@canadianwebhosting.com Ph: 888-821-7888 Canadian Web Hosting (www.canadianwebhosting.com) is an independent company, hereinafter
More informationAWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II
AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero! Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationSecurity and Data Protection for Online Document Management Software
Security and Data Protection for Online Document Management Software Overview As organizations transition documents and company information to Software as a Service (SaaS) applications that are no longer
More informationSecurity Threat Risk Assessment: the final key piece of the PIA puzzle
Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value
More informationGive Vendors Access to the Data They Need NOT Access to Your Network
Give Vendors Access to the Data They Need NOT Access to Your Network Acumera AirGap Architecture By the year 2020 just five years from now it is estimated that 25 billion devices will be connected to the
More informationCIT 668: System Architecture
CIT 668: System Architecture Cloud Security Topics 1. The Same Old Security Problems 2. Virtualization Security 3. New Security Issues and Threat Model 4. Data Security 5. Amazon Cloud Security Data Loss
More informationBest Practices for Architecting Your Hosted Systems for 100% Application Availability
Best Practices for Architecting Your Hosted Systems for 100% Application Availability Overview Business Continuity is not something that is implemented at the time of a disaster. Business Continuity refers
More information