Session Four. Heads in the icloud. Moderated By. Sonny Segal. Chief Information Officer Montgomery County Maryland


2 Introductions
- Mr. John W. Lainhart IV, IBM Global Business Services, Partner, Cybersecurity & Privacy, Public Sector Cybersecurity & Privacy Service Area Leader, Bethesda, MD
- Mr. Peter Romness, Cisco Systems, Inc., Business Development Manager, Public Sector Cybersecurity, Herndon, VA
- Mr. Jeff Stratton, Lockheed Martin Information Systems & Global Solutions (IS&GS) Civil, Manager, Comprehensive Cyber Security Services (CS)2, Gaithersburg, MD

3 What is the Cloud? Courtesy: Virtustream, Inc.

4 Types of Clouds
- Public cloud: A cloud infrastructure shared by the general public or industry, typically owned and managed by an organization that sells cloud services.
- Community cloud: A cloud infrastructure shared exclusively by certain groups, such as civil agencies or others with like missions, and managed by the group or a third party. It can be hosted on or off premises.
- Private cloud: Cloud resources confined inside a firewall with private control over the cloud infrastructure. Some organizations run their data centers as a private cloud.
- Hybrid cloud: An approach that uses a public cloud for some services, such as general business needs, but uses a private data center for others, such as storage of sensitive data.
- Government cloud: There is no specific certification for this.
Courtesy: Microsoft, Inc.

5 Potential Benefits
- Citizen services: Drive innovation with data services in the cloud that citizens can reuse. Offer your own data mashups on a portal.
- Infrastructure: Get IT resources when needed. Pay only for what you use. Reduce the need to build, manage, and support data centers. Consolidate budget and facilities.
- Flexibility: Adjust resources up and down to meet real-time needs; offload onsite data to the cloud; access via web browser from anywhere for remote work and continuity of operations.
- Collaboration: Communicate and collaborate more effectively; employees can access work the same way they access personal information.
Courtesy: Microsoft, Inc.

6 Potential Benefits (2)
- Disaster recovery / Continuity of Operations: Centralized data storage, management, backups, and data recovery during disruptions.
- Applications and content: Rather than waiting in the software procurement line, get hosted software, datasets, and services as they are released so you can focus on your mission.
- Policies and regulations: Cloud computing can help meet compliance requirements.
- Creative IT: Centrally managed; frees staff from keeping the lights on so they can do creative problem-solving.
- Secure-ability: Better secure-ability in the cloud, according to Vivek Kundra, former U.S. CIO.
- Speed of platform delivery: Data-intensive computing in the cloud can be six times faster than in isolated data centers.
Courtesy: Microsoft, Inc.

7 Security Considerations
- Integration: With security and identity management technologies, e.g., Active Directory, and controls for role-based access and entity-level applications.
- Privacy: Data encryption, effective data anonymization, and mobile location privacy (compliance with the Privacy Act of 1974).
- Identity and access: Means of preventing inadvertent access. Can you federate across different services and from your internal environment to the cloud? How are the databases protected against unauthorized access?
- Compliance: What certifications does your provider possess? How do you handle dispute resolution and liability issues? What industry or government standards must you comply with? Are there clearly defined metrics for cloud service monitoring? How are e-discovery and criminal compliance requests handled? What processes exist to move into the cloud and back? Are backups purged? What requirements apply to the physical location of your data?
Courtesy: Microsoft, Inc.

8 Security Considerations (2)
- Service integrity: How is the software protected from corruption (malicious or accidental)? How does your provider ensure the security of the written code? How do they do threat modeling? What is the hiring process for the personnel doing administrative operations? What levels of access do they have?
- Jurisdiction: The location of a cloud provider's operations can affect the privacy laws that apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
- Information protection: Who owns your data? Can it be encrypted? Who has access to encryption keys? Where is the backup located, and do you have an on-premise backup? How is
Courtesy: Microsoft, Inc.

9 Other Considerations
- Compliance: HIPAA, SOX, and FISMA requirements, and FISMA accreditation and certification.
- Data centers: Statement on Auditing Standards (SAS) 70 and International Standards Organization (ISO) certification, audited by independent, third-party security organizations.
- Uptime: Guaranteed 99.9 percent uptime at data centers outfitted to operate during power outages and after natural disasters. Data replication between primary and secondary data centers for redundancy, without storing any data off-site.
- Data with or without borders: Is data guaranteed to stay within U.S. borders? Multiple data centers across the U.S. provide reliability and failover for government customers. Is the chain of custody for documents preserved when moving documents between on-premise and cloud? Do documents retain their format/fidelity for investigations/FOIA?
- How green is the cloud? Designed to reduce energy consumption (typically 25-40%) compared to traditional facilities.
- Who's who in your cloud? Who else is in the cloud?
Courtesy: Microsoft, Inc.

10 Contractual Safeguards
- Service Level Agreement: SLAs should include availability of services, permissible failure rate, response time on malfunction, and recovery time on crash.
- Security and privacy protection: SLAs should define security-relevant aspects and privacy protection agreements. The provider should agree to update its security strategy in line with technological developments.
- Penalties for non-compliance: Agree on penalties if the provider fails to deliver on contract terms.
- Sub-contracting: Agree whether and in what form the provider may subcontract certain services. Assure that subcontractors provide the same level of protection as the provider itself, e.g., HIPAA compliance.
- Monitoring rights: Ensure you have the contractual right to monitor the cloud provider's data-processing activities, including its protective measures. Relying on the service provider's reports is insufficient.
- Contract term and return of data: The contract must include its duration and exactly how data is to be returned or deleted when the contract expires or if the provider's business model changes.
- Exit strategy: Early return of data if the provider and/or subcontractor goes out of business or merges.
Courtesy: Internet Revolution

11 Cloud Security
IBM Cloud Offerings: IBM SmartCloud, IBM SoftLayer, IBM FedRAMP

12 To address these concerns, IBM is working with clients as both a cloud service provider and trusted advisor
- Secure IBM Clouds and IBM Security Solutions: Leveraging IBM's deep security skillset, hosting and strategic outsourcing experience, broad security portfolio, history of security innovation, and commitment to client trust as the foundation for building security into all cloud offerings.
- Capabilities and Knowledge: Leading portfolio of products and services to help secure cloud environments. Allows customers to address concerns when adopting private, public and hybrid cloud services by adopting security controls that match the requirements of the workload.
- IBM Cloud Reference Model (Foundational Security Controls)
- IBM Security Framework (Cloud Security On Ramps)

13 IBM SmartCloud provides a robust platform for the full IBM cloud portfolio, built on the IBM cloud reference model
IBM Cloud Reference Model service layers:
- Business Process as a Service
- Software as a Service
- Platform as a Service
- Infrastructure as a Service
Cross-cutting concerns: Management, support and deployment; Security and isolation; Availability and performance; Technology platform; Payment and billing

14 Adoption patterns are emerging and each pattern has its own set of key security concerns
Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
- Pattern: Cloud Enabled Data Center (integrated service management, automation, provisioning, self service)
- Key security focus: Infrastructure and Identity
- Manage datacenter identities; Secure virtual machines; Patch default images; Monitor logs on all resources; Network isolation
Platform as a Service (PaaS): Accelerate time to market with cloud platform services
- Pattern: Cloud Platform Services (pre-built, pre-integrated IT infrastructures tuned to application-specific needs)
- Key security focus: Applications and Data
- Secure shared databases; Encrypt private information; Build secure applications; Keep an audit trail; Integrate existing security
Cloud Service Provider: Innovate business models by becoming a cloud service provider
- Pattern: Cloud Service Provider (advanced platform for creating, managing, and monetizing cloud services)
- Key security focus: Data and Compliance
- Isolate cloud tenants; Policy and regulations; Manage security operations; Build compliant data centers; Offer backup and resiliency
Software as a Service (SaaS): Gain immediate access with business solutions on cloud
- Pattern: Business Solutions on Cloud (capabilities provided to consumers for using a provider's applications)
- Key security focus: Compliance and Governance
- Harden exposed applications; Securely federate identity; Deploy access controls; Encrypt communications; Manage application policies

15 IBM s Recent Cloud Acquisition: SoftLayer is a pure IaaS Provider

16 For U.S. Federal Government there is also FedRAMP
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The JAB (Joint Authorization Board) is the primary governance group of the FedRAMP program, consisting of the chief information officers for the Department of Defense, Department of Homeland Security, and U.S. General Services Administration.
Program goals:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in the security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
Program benefits:
- Increases re-use of existing security assessments across agencies
- Saves significant cost, time and resources: "do once, use many times"
- Improves real-time security visibility
- Provides a uniform approach to risk-based management
- Increases automation and near real-time data for continuous monitoring
- Enhances transparency between government and cloud service providers (CSPs)
- Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

17 FedRAMP Security Control Pyramid
Summary security control count, given as Total (Base, Enhancements):
- FISMA (NIST r3) MODERATE: 252 (159, 93)
- FedRAMP (Cloud) MODERATE: 297 (168, 129)
The more cloud services a client purchases, the fewer controls they will be responsible for: each service builds on the foundation below it, and the client will always be responsible for their personnel and facilities.
Security Control Pyramid, top to bottom: client controls, SaaS controls, PaaS controls, IaaS controls. The number of controls the client is responsible for reduces as more cloud services are purchased.
- SaaS: Applications designed for end-users, delivered over the web (1 FedRAMP SaaS CSP*)
- PaaS: Tools and services designed to make coding and deploying applications (SaaS, web apps, DBs) quick and efficient, e.g. PureApp / System, Big Data (1 FedRAMP PaaS CSP*)
- IaaS: Provides on-demand processing, storage, networks, and other fundamental computing resources (9 FedRAMP IaaS CSPs*)
*CSP #'s as of 7 Jan

18 Cybersecurity In a Cloud Environment
Peter Romness, Business Development Management, Public Sector Cybersecurity, Cisco Systems Inc.

19 Mobility, Cloud, Threat: Consumer-centric market dynamics require an end-to-end security architecture

20 DC Cloud Transition: Physical, Virtual, Cloud
Drivers: automation, agility, flexibility, consistency, visibility, efficiency, elasticity, consolidation, cost reduction
- Extending security posture
- Unifying the network services
- Securing multitenancy designs

21 IT Megatrends are creating the Any-to-Any problem
- Infrastructure: public, hybrid, private, multi-tenant
- Apps / Services and Workloads: services reside in many clouds
- Blending of personal assets and business use
- Access through endpoint proliferation and multiple mediums

22 Market Direction: Integrated Platforms, Threat Centric
- Device: Threat Aware (malware, APT)
- Data Center: Context Aware (identity, data, location)
- Content Aware: applications
- Network: Access Control, Firewall, Content Gateways, Integrated Platform
- Virtual and Cloud

23 The New Security Model: Attack Continuum
- BEFORE: Control, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual, Cloud; both point in time and continuous.


25 Cyber Threat Defense
Future: AI-based Threat Detection; Increase Telemetry for Analysis; Self-Learning and Evasion Resistance
Components (www / FW / IPS): Application Centric Infrastructure, Reputation, Identity, NextGen Firewall, NextGen IPS, AMP, Global Threat Intelligence

26 Options by Organization Size: Meraki, Monitored Threat Defense, Virtual Network Appliances

27 Lockheed Martin Comprehensive Cyber Security Services (CS)2
March 5th, 2014
Jeff Stratton - Manager, (CS)2
Lockheed Martin Proprietary Information

28 High Level Approach
- The primary goal is to provide customers with a comprehensive assessment. Avoid surface-level penetration testing (when possible).
- Accurate and relevant reporting of results: no false positives, no inflated or deflated risks.
- Remediation assistance
- Training for long-term security sustainment: developers, system administrators, leadership, STEM

29 Penetration Testing
- Simulate real-world threats against production-ready applications
- Determine feasibility of particular attack vectors
- Analyze system resilience to certain attacks
- Identify high-risk vulnerabilities (low-hanging fruit)
- Identify business logic flaws and access control flaws that scanners cannot easily assess
The Problem: You can hire 10 penetration testers and get 10 different results.

30 Types of Penetration Testing
Blackbox Penetration Testing
- Does not simulate adversaries
- Because it's supposed to be stealthy, it only finds limited attack vectors; you just can't find it all and be quiet. Testers always find 1 way in, but there could be 50 more.
- Relying on blackbox testing for web apps is a big mistake!
- Good for scaring the customer into spending more money. Unfortunately some organizations need this to get the money they need to do things right.
Comprehensive Whitebox Testing
- More effective at finding your most concerning issues
- Testers have full knowledge of the environment, so they can quickly uncover major problems without wasting precious labor hours searching for them.

31 APT Simulation Testing
- Great for testing defenses
- Focuses mainly on the response to the Kill Chain(TM) methodology
- Not designed to be a comprehensive penetration test.

32 Code Review: Mobile and Web Applications
- Thoroughly inspect source code for vulnerabilities and eliminate them at their root
- Analyze frameworks and software architecture for weaknesses
- Offer guidance at the software architecture and code level to strengthen the overall software security approach

33 Application Risk Analysis
- Holistic approach to software risk analysis
- Utilize all system artifacts (design, architecture, code, test environment)
- Utilize all security analysis techniques (architecture review, threat modeling, code review, pen-testing)
- Provides the most thorough understanding of system risks and vulnerabilities

34 Software Security Touchpoints
Touchpoints: External Review; Abuse Cases; Security Requirements; Risk Analysis; Risk-Based Security Tests; Code Review (tools); Risk Analysis; Penetration Testing; Security Operations; External Review
Software artifacts they apply to: Requirements and Use Cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback From the Field

35 Security Lifecycle Management

36 Security Training
Secure Coding and Secure Software Engineering
- Can be customized to specific customer requirements: utilization of customer code examples; specific programming languages and frameworks
- Can also be based on vulnerabilities and findings in the customer's environment
- Helps developers understand how to consistently develop secure applications
Customized Network and Systems Security Training
- Network segmentation
- Monitoring capabilities
- Network and application layer firewall configuration
- General network security engineering
- Wireless security
- Vulnerability management

37 Security In the Cloud
- If you are using a cloud, where is your data actually stored physically, from a brick-and-mortar perspective? Is it even in the US? Where are the datacenters?
- Who has access to it? Is it encrypted?
- Are you using shared databases, shared operating systems, shared applications, or shared services? If another tenant gets compromised, is your data at risk?
- Has the cloud service provider had comprehensive penetration testing performed?
- Is your environment meeting the compliance standards required for your business, set forth by federal, state and local regulations?

38 Certification, Accreditation and Audit Preparation
- NIST FedRAMP Certification
- FISMA Low, Moderate, High
- ISO-17799/27000 Series

39 (CS)2 History
- Initial CIRT/SIC Concept & Design
- Next Generation Intrusion Detection System Architect
- DNS Blocking & Intercept Concept
- LM Corporate Information Security
- SRT Red Team, ASE Team
- CEWL Support
- Reverse Engineering
- Vulnerability Research
- Web Application Security
- Cyber Monitoring & Analysis
- Information Design Assurance Red Team
- Counter Intelligence
- JSF Software Security Program
- Commercial Cyber Security Consulting
- Source Code Analysis
- Software Architectural Review
- Secure Software Development Lifecycle
- Embedded Software Security Concepts
A wealth of experience with diversified backgrounds fused together.



More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Top 10 Cloud Risks That Will Keep You Awake at Night

Top 10 Cloud Risks That Will Keep You Awake at Night Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang Photo Source flickr.com .. Amazon EC2 (Cloud) to host Eng. Lab testing. We want to use SalesForce.com

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Cloud Security: An Independent Assessent

Cloud Security: An Independent Assessent Cloud Security: An Independent Assessent A Quantix White Paper Dec 2010 Call us on: 0115 983 6200 Visit us on-line at: www.quantix-uk.com E-mail us at : enquiries@quantix-uk.com Why are people concerned

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads IaaS SOLUTIONS Secure Infrastructure as a Service for Production Workloads THE CHALLENGE Now more than ever, business and government are facing the challenge of balancing conflicting demands. Market pressures

More information

How to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO

How to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO How to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO Data everywhere but protection? Unprotected Data Needing Protection

More information

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Udo Schneider Trend Micro Udo_Schneider@trendmicro.de 26.03.2013

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

IBM 000-281 EXAM QUESTIONS & ANSWERS

IBM 000-281 EXAM QUESTIONS & ANSWERS IBM 000-281 EXAM QUESTIONS & ANSWERS Number: 000-281 Passing Score: 800 Time Limit: 120 min File Version: 58.8 http://www.gratisexam.com/ IBM 000-281 EXAM QUESTIONS & ANSWERS Exam Name: Foundations of

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Cisco Advanced Malware Protection

Cisco Advanced Malware Protection Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

Strategic Plan On-Demand Services April 2, 2015

Strategic Plan On-Demand Services April 2, 2015 Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on

More information

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

All Clouds Are Not Created Equal THE NEED FOR HIGH AVAILABILITY AND UPTIME

All Clouds Are Not Created Equal THE NEED FOR HIGH AVAILABILITY AND UPTIME THE NEED FOR HIGH AVAILABILITY AND UPTIME 1 THE NEED FOR HIGH AVAILABILITY AND UPTIME All Clouds Are Not Created Equal INTRODUCTION Companies increasingly are looking to the cloud to help deliver IT services.

More information

Security and Cloud Computing

Security and Cloud Computing Martin Borrett, Lead Security Architect, Europe, IBM 9 th December 2010 Outline Brief Introduction to Cloud Computing Security: Grand Challenge for the Adoption of Cloud Computing IBM and Cloud Security

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

FISMA Cloud GovDataHosting Service Portfolio

FISMA Cloud GovDataHosting Service Portfolio FISMA Cloud Advanced Government Oriented Cloud Hosting Solutions Cyber FISMA Security Cloud Information Security Management Compliance Security Compliant Disaster Recovery Hosting Application Cyber Security

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Security & privacy in the cloud; an easy road?

Security & privacy in the cloud; an easy road? Security & privacy in the cloud; an easy road? A journey to the trusted cloud Martin Vliem CISSP, CISA National Security Officer Microsoft The Netherlands mvliem@microsoft.com THE SHIFT O L D W O R L D

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

White Paper: Optimizing the Cloud Infrastructure for Enterprise Applications

White Paper: Optimizing the Cloud Infrastructure for Enterprise Applications White Paper: Optimizing the Cloud Infrastructure for Enterprise Applications 2010 Ashton, Metzler, & Associates. All rights reserved. Executive Summary Given the technological and organizational risks

More information

An Evaluation Framework for Selecting an Enterprise Cloud Provider

An Evaluation Framework for Selecting an Enterprise Cloud Provider An Evaluation Framework for Selecting an Enterprise Cloud Provider WHITE PAPER This White Paper is intended for senior IT leaders of global enterprises considering a new cloud solution or expanding an

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

MANAGED SERVICES PROVIDER. Dynamic Solutions. Superior Results.

MANAGED SERVICES PROVIDER. Dynamic Solutions. Superior Results. MANAGED SERVICES PROVIDER Dynamic Solutions. Superior Results. REVOLUTIONIZE YOUR INSTITUTION BY FULLY LEVERAGING THE BENEFITS OF TECHNOLOGY MAXIMIZE YOUR TECHNOLOGY INVESTMENTS ENHANCE SECURITY OF YOUR

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

SaaS Security for the Confirmit CustomerSat Software

SaaS Security for the Confirmit CustomerSat Software SaaS Security for the Confirmit CustomerSat Software July 2015 Arnt Feruglio Chief Operating Officer The Confirmit CustomerSat Software Designed for The Web. From its inception in 1997, the architecture

More information

Microsoft SharePoint Architectural Models

Microsoft SharePoint Architectural Models Microsoft SharePoint This topic is 1 of 5 in a series Introduction to Fundamental SharePoint This series is intended to raise awareness of the different fundamental architectural models through which SharePoint

More information

White paper September 2009. Realizing business value with mainframe security management

White paper September 2009. Realizing business value with mainframe security management White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment

More information

Cloud and Data Center Security

Cloud and Data Center Security solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic

More information

HIPAA Compliant Infrastructure Services. Real Security Outcomes. Delivered.

HIPAA Compliant Infrastructure Services. Real Security Outcomes. Delivered. Real Security Outcomes. Delivered. Deploying healthcare and healthcare related services to the cloud can be frightening. The requirements of HIPAA can be difficult to navigate, and while many vendors claim

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information