Cloud Security & Standardization. Markku Siltanen Tietoturvakonsultti CISA, CGEIT, CRISC




Copyright 2011 FUJITSU

Cloud computing

Characteristics of cloud
    High anonymity due to the lack of contract statements
    High risk of third-party attacks through the Internet
    Huge impact of a single incident on multiple consumers
    High risk of harmful individuals using enormous resources
    Possibility that customers' assets may be seized or investigated by law-enforcement agencies
    Difficulty of proving that data has been lawfully treated

Security defence in depth in the cloud

Cloud threats
    Abuse and malicious use of cloud
    Insecure interfaces and APIs
    Malicious insiders
    Shared technology issues
    Data loss or leakage
    Account or service hijacking
    Unknown risk profile
    Browsers and their very complicated environments

Typical cloud-related security risks
    Attacks from outside against ICT resources in the cloud
        The effects of cyber terrorism, malicious scans and DDoS can be considerable
    Attacks to the outside using the cloud as a stepping stone
        The cloud as a tool for mounting attacks on sites outside the cloud
    Attacks on cloud users from ICT resources within the cloud
        EDoS attacks that cause monetary losses, and information leaks caused by unauthorized data transfers
    Incidents internal to cloud service providers
        Malicious actions by individuals, or mistakes in operation
    Malicious use of cloud ICT resources
        Making use of ICT resources in the cloud to engage in some sort of criminal behavior
    Incidents in the cloud not related to attacks
        Power outages, software/hardware faults, other unexpected incidents

Cloud security focus areas
    Confidentiality
        Data residency; access control
    Integrity
        Ensuring data has not been tampered with; compliance; trust and reputation; acceptable use policies; certification; auditing; e-discovery; mergers & acquisitions; data protection
    Availability
        Business continuity; disaster recovery; DDoS etc.; regime for patching, security updates etc.; up-time commitments; system performance commitments

Shared responsibilities: management

Shared responsibilities: operation

Shared responsibilities: technology

Cloud standardization
    Traditional IT standards organizations and industrial alliances, represented by DMTF, OGF and SNIA (and NIST)
    Traditional telecommunications and Internet standards organizations, represented by ITU, ISO, IEEE and IETF
    Emerging standards organizations, represented by CSA, OCC and CCIF
    Issue: the wide range of related standardization
        Network, storage, server, operations management, authentication, security, etc.
    Fujitsu is engaged in DMTF/CMDBf, DMTF/CMWG, DMTF/CIM-RS, OASIS/SAF, OGF/OCCI, CSA, JTC1/SC38, etc.
        DMTF board, OGF board, OASIS SAF WG chair, JTC1/SC38 (vice chair)

Fujitsu Cloud CERT
    Centralized monitoring and vulnerability assessment
        Fujitsu Cloud CERT monitors the IDS/IPS of each FGCP/S5 cloud and executes vulnerability scanning tests
    Security monitoring 24 hours x 7 days by operators
    Real-time alerting when an intrusion is detected
    Monthly statistical report of attacks against the service environment
    Providing archived IDS logs when a security incident occurs on the service
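The three outputs the Cloud CERT slide names (real-time alerts on detected intrusions, a monthly attack statistics report, and an archived IDS log handed over per incident) all derive from the same stream of IDS/IPS events. The following Python script is an added illustration of that pipeline and is not Fujitsu's code: the alert line format, the signature names, the tenant names and the severity scale 1 (low) to 3 (high) are all assumptions, and the sample lines are constructed (source addresses are from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24).

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample IDS alert lines; the format (timestamp, tenant, source,
# signature, severity) is an assumption for this example, not a real IDS format.
SAMPLE_ALERTS = """\
2011-03-05T10:15:22Z tenant=tenant-a src=198.51.100.7 sig=portscan sev=1
2011-03-05T10:16:01Z tenant=tenant-a src=198.51.100.7 sig=ssh-bruteforce sev=2
2011-03-05T10:16:40Z tenant=tenant-b src=203.0.113.9 sig=web-shell-upload sev=3
2011-03-18T02:03:11Z tenant=tenant-a src=198.51.100.21 sig=portscan sev=1
2011-04-02T07:44:09Z tenant=tenant-b src=203.0.113.9 sig=sql-injection-attempt sev=3
2011-04-02T07:45:30Z tenant=tenant-b src=203.0.113.9 sig=portscan sev=1
malformed line that should be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) src=(?P<src>\S+) "
    r"sig=(?P<sig>\S+) sev=(?P<sev>\d)$"
)


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form 2011-03-05T10:15:22Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the format are skipped,
    so one corrupt line cannot stall the monitoring pipeline."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = _parse_ts(d["ts"])
        d["sev"] = int(d["sev"])
        events.append(d)
    return events


def realtime_alerts(events, min_severity=3):
    """Real-time alerting: one operator message per event at or above the threshold."""
    return [
        f"ALERT {e['ts'].isoformat()} tenant={e['tenant']} src={e['src']} sig={e['sig']}"
        for e in events
        if e["sev"] >= min_severity
    ]


def monthly_report(events, year, month):
    """Monthly statistics: total attacks, counts per signature and per source,
    and the tenants affected, for one calendar month."""
    month_events = [e for e in events if e["ts"].year == year and e["ts"].month == month]
    return {
        "month": f"{year:04d}-{month:02d}",
        "total": len(month_events),
        "by_signature": dict(Counter(e["sig"] for e in month_events)),
        "by_source": dict(Counter(e["src"] for e in month_events)),
        "tenants_affected": sorted({e["tenant"] for e in month_events}),
    }


def incident_archive(events, tenant, start_iso, end_iso):
    """Archived IDS log for an incident: the records for one tenant inside a
    time window, which is what would be handed over during incident handling."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    return [e for e in events if e["tenant"] == tenant and start <= e["ts"] <= end]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for msg in realtime_alerts(evs):
        print(msg)
    print(monthly_report(evs, 2011, 3))
    print(len(incident_archive(evs, "tenant-b", "2011-04-01T00:00:00Z", "2011-04-30T23:59:59Z")))
```

The archive function filters by tenant as well as by time window on purpose: in a multi-tenant cloud, handing one customer the IDS records of another during an incident would itself be a leak, which is the "huge impact of one incident on multiple consumers" characteristic from the earlier slide.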

Security countermeasures (FGCP)
SLA of 99.99% system availability, plus confidentiality & integrity for business needs
    Authentication & ID management: authentication method using client certificates and a PIN. Thoroughgoing identity management and confidential-information management using LDAP.
    Access control: VLAN-based logical isolation. Access control based on roles.
    Audit trail management: log management from the viewpoints of "Management", "Control" and "Security".
    Centralized management: centralized control of customers' environments & events using an integrated management console.
    Encryption & key management: client certificates issued with a government-recommended algorithm. Management of the Certificate Revocation List (CRL).
    Design of availability: availability based on redundant cabinets. Complete redundancy of parts, components and networks.
    Physical security: certified as the first data center to receive the AAA (top) grade from I.S.Rating Co., Ltd., a specialist company for rating information security.

Data masking technology (under development)
    Filters and obscures sensitive information exchanged among clouds, based on anonymization technology
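To make the data-masking idea concrete, here is an added Python example of field-level masking applied to a record before it leaves one cloud for another. It is an illustration of the general technique and not Fujitsu's (undisclosed) implementation: the record, the field names and the masking policy are all constructed for this example. Four treatments are shown, keyed pseudonymization (an HMAC, so the same customer stays linkable across records without revealing the real identifier), partial masking, generalization and redaction, and any field the policy does not list is dropped rather than forwarded, so an unexpected new field cannot leak by default.

```python
import hashlib
import hmac
import re

# Constructed sample record (not real customer data) as it might be exchanged
# between two clouds; "internal_note" is deliberately absent from the policy.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "alice.example@example.com",
    "birth_date": "1980-07-14",
    "phone": "+358401234567",
    "order_total": 129.90,
    "internal_note": "free-text field that may contain anything",
}

# Masking policy: an assumed design for this example. Fields not listed here
# are dropped (fail closed) instead of being passed through.
MASKING_POLICY = {
    "customer_id": "pseudonymize",  # keyed hash: linkable, not reversible without the key
    "email": "partial",             # keep the domain, hide the local part
    "birth_date": "generalize",     # keep the year only
    "phone": "redact",              # remove the field entirely
    "order_total": "pass",          # explicitly allowed through unchanged
}


def pseudonymize(value, key):
    """Keyed pseudonym: HMAC-SHA256 truncated to 16 hex characters. The key must
    stay inside the originating cloud; without it the pseudonym cannot be linked
    back to the original identifier by dictionary attack on guessable IDs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(value):
    """Keep the first character of the local part and the full domain."""
    local, _, domain = value.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to the year; anything else is fully masked."""
    return value[:4] if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) else "****"


def mask_record(record, policy, key):
    """Apply the policy field by field; unknown fields are dropped, unknown actions fail loudly."""
    out = {}
    for field, value in record.items():
        action = policy.get(field)
        if action is None:
            continue  # not in the policy: do not forward it
        if action == "pass":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value), key)
        elif action == "partial":
            out[field] = mask_email(str(value))
        elif action == "generalize":
            out[field] = generalize_date(str(value))
        elif action == "redact":
            continue
        else:
            raise ValueError(f"unknown masking action {action!r} for field {field!r}")
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; a real deployment would use a managed secret
    print(mask_record(SAMPLE_RECORD, MASKING_POLICY, demo_key))
```

Note that truncating the HMAC to 64 bits keeps pseudonyms short but raises the (still small) chance of two customers colliding; a deployment that needs strict uniqueness would keep the full digest.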

Strong authentication as a service (under development)
    We plan to make it feasible to authenticate groups on the scale of 10 million people: rapid multimodal biometric identification
