Thinking Cloud Services Look Before You Leap



Similar documents
Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Application Security Architecture: Timing & Requirements Getting It Right and On Time

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Data In The Cloud: Who Owns It, and How Do You Get it Back?

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Take Control of Identities & Data Loss. Vipul Kumra

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates

Data Protection: From PKI to Virtualization & Cloud

Securing The Cloud With Confidence. Opinion Piece

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates


NAVY COMMAND PRINCIPAL SECURITY ADVISOR RECOMMENDED FACEBOOK SECURITY SETTINGS

Cloud Security and Managing Use Risks

Security from a customer s perspective. Halogen s approach to security

A CIO s Cloud Decision and 7 Lessons Learned From Peers

Electronic Records Storage Options and Overview

Cloud-Security: Show-Stopper or Enabling Technology?

Identity Management Overview. Bill Nelson Vice President of Professional Services

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Cloud Computing. What is Cloud Computing?

Provider ecorrespondence instructions when you don t have a My Secure L&I account:

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

New Risks in the New World of Emerging Technologies

Web File Sharing. For the latest version of this document please go to: v 1.0 May 16,2011 Audience: Staff

Why can you trust Google?

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management

The Data Melting Pot Computing in the Cloud. Becky Pinkard Manager, Security Operations Centres Research In Motion

INTRODUCTION TO CLOUD STORAGE

Evaluating IaaS security risks

Single Sign-On Portal User Reference (Okta Cloud SSO)

Intel Enhanced Data Security Assessment Form

Online Backup by Mozy. Common Questions

( and how to fix them )

Privacy Policy. Introduction. Scope of Privacy Policy. 1. Definitions

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Application Intrusion Detection

Enterprise level security, the Huddle way.

Paxata Security Overview

Personal Safety Tips For Public Information Technology

How To Protect Your Cloud Computing Resources From Attack

Neoscope

How To Make Bring Your Own Device A Plus, Not A Risk

Cloud Computing: Risks and Auditing

To begin, log in to your Facebook account and click on the down arrow located in the upper right hand corner:

GadgetTrak Mobile Security Android & BlackBerry Installation & Operation Manual

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security, trust and assurance

RezScore SM Privacy Policy

Adopting Cloud Computing with a RISK Mitigation Strategy

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

7 Myths of Healthcare Cloud Security Debunked

How to configure Mac OS X Server

NCSU SSO. Case Study

Office of the Chief Information Officer

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Security Issues in Cloud Computing

FXLoader Cloud Service Deployment Guide

Solving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools

Overview. What are operational policies? Development, adoption, implementation

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

Unless otherwise stated, our SaaS Products and our Downloadable Products are treated the same for the purposes of this document.

Transferring data safely

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Egnyte Cloud File Server. White Paper

Terms, Privacy and Cookie Policy

Policy Outsourcing and Cloud Based File Sharing

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

Mobile Device Management (MDM) Policies. Best Practices Guide.

Security Is Everyone s Concern:

Selecting a Law Firm Cloud Provider: Questions to Ask and Ethical/Security Concerns

SUNY Adirondack

UBC Workspace 2.0: Using the Self-Service Portal

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Information Security Policies. Version 6.1

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Mobile Device Management (MDM) Policies

Fax User Guide 07/31/2014 USER GUIDE

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

The Business Value of a Comprehensive All-in-One Data Protection Solution for Your Organization

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Cloud Computing Backgrounder

HTTPS Inspection with Cisco CWS

Blue Jeans Network Security Features

Privacy Policy. Definitions

What are cloud services?

Apptix Online Backup by Mozy

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way

Facebook Guidelines For Parents

24 Highbury Crescent London N5 1RX UK Tel: + 44 (0) Fax: +44 (0)

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

Making the leap to the cloud: IS my data private and secure?

When enterprise mobility strategies are discussed, security is usually one of the first topics

Privacy Policy. What is Covered in This Privacy Policy. What Information Do We Collect, and How is it Used?

Cloud Computing Secured. Thomas Mitchell CISSP. A Technical Communication

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

ONLINE PRIVACY POLICY

Transcription:

Thinking Cloud Services Look Before You Leap Brian V. Cummings brian.cummings@tcs.com Tata Consultancy Services Friday, March 16, 2012 Session 10358

Preamble Cloud security literature consistently boils down to one repetitive message: Don t put any important information in the Cloud! 1

What The Cloud Looks Like to Proponents 2

What the Cloud looks like to Security folks 3

Or, Maybe this! 4

What does it really look like? The reality is mixed Some things to applaud Some things that worry One big thorny issue 5

What Cloud are we talking about? The concept of cloud computing dates to the 1960 s Cloud computing comes in a number of forms, deployments, Bottom line: Our Cloud concern is where your data sits in any external environment that is under someone else s management, and the concern increases to the extent the resources in that environment are shared across the provider s clients. 6

What do Cloud Providers tell us? Cloud Providers will tell you Security is best in class Your data is safe The benefits of cloud will set you free 7

Who owns the responsibility Owners vs Custodians Cloud service consumers (Owners) cannot shift responsibility for information security or disaster recovery to a cloud provider. Cost and execution can be shifted. Consumers can leverage services provided by the provider, and enhance the capabilities. Cloud provider has custodial responsibilities which vary depending on the type of cloud service. 8

Cloud Security Concerns Identities Authentication Passwords Privacy Data 9

Identities and Authentication Once it was only a label It was deemed public information, expected to be known Man in the middle and hijack attacks necessitated changes The concept of an identity and its authentication is changing An account name A device A user selected icon or picture Out of band confirmation Email confirmation 10

Identities: Facebook Device 11

Identities: Facebook Confirmation 12

Authentication: Google 2-Step 13

Cloud-Based Identity Management 14

Passwords Self-Service password selection and change Strong password enforcement Coupled with extended identity authentication Other considerations Enforce periodic changes Ability to use a different password for sensitive services Password reverification Cloud-based password management and single sign-on 15 Buyer Beware: Not all providers enable user password change!

Google Application Passwords 16

Google - Reverification 17

Cloud-Based Single Sign-On 18

Privacy Google Privacy Policy Information we collect We collect information to provide better services to all of our users from figuring out basic stuff like which language you speak, to more complex things like which ads you ll find most useful or the people who matter most to you online. We collect information in two ways: Information you give us. Personal information, Google Profile, Information we get from your use of our services. 19 Log information Device information Location information Unique application numbers Local storage Cookies and anonymous identifiers (Google services)

Privacy Customer Control Privacy Principles 20 Customer should have full control over the selection of privacy settings. Customer should have the option to opt out of user experience data collection. Customer should be able to review, correct, delete any information collected and stored for an account. Email confirmation of changes in any account settings For social media, notifications when anyone posts, writes, pokes, or otherwise touches your account and information Buyer Beware: Sign on to services only for selected activities.

Data Security Google Information Security Statement 21

Information Security Thorny Issue Infrastructure Security Minimal security: Access control If client data is comingled on storage devices or in databases, how is client data segregation assured? How is data protected from abuse of privilege by infrastructure folks. How is your data protected on portable media or remote storage for archive or backup purposes? 22

Information Security - Encryption Infrastructure Security Cloud providers typically do not offer encryption. Too many issues Client by client, or full encryption of all customer storage? Who manages the keys? What is the legal liability? Customers will need to implement encryption 23

Google Enterprise Storage Encryption 24

Cloud Provider Attestation 25

Cloud Security Summary Identities need cloud federation Authentication - extended Passwords strong passwords required Privacy full customer control Data encrypt sensitive data 26

The End! Thank you! 27 The Minions of Despicable Me

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information