Security and Compliance in Clouds

Similar documents

Security und Compliance in Clouds

Security and Compliance in Clouds: Challenges and Solutions

Compliance in Clouds A cloud computing security perspective

Security and Compliance in Clouds

Panel: SwA Practices - Getting to Effectiveness in Implementation

Management-Forum Strategic MDM

Effective Contract Management

Master data deployment and management in a global ERP implementation

Minimize Access Risk and Prevent Fraud With SAP Access Control

Cloud-Security: Show-Stopper or Enabling Technology?

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

Cloud Computing Security Audit

EMC HYBRID CLOUD FOR SAP

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

BIG DATA STRATEGY. Rama Kattunga Chair at American institute of Big Data Professionals. Building Big Data Strategy For Your Organization

Find the intruders using correlation and context Ofer Shezaf

How To Manage Risk

The ODCA, Helix Nebula and Federated Identity Management. Mick Symonds Principal Solutions Architect Atos Managed Services NL

Microsoft Services Premier Support. Security Services Catalogue

How to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO

10 Best-Selling Modules For Home Information Technology Professionals

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO

全球資安剖析, 您做確實了嗎? Albert Yung Barracuda Networks

Enterprise Security Solutions

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

Governance, Risk and Compliance in BPM - A Survey of Software Tools

Agenda 3/7/ ERM Symposium March 14 16, Continuous Controls Monitoring. I. Changes In Corporate Environment

Virtualization Impact on Compliance and Audit

CloudCheck Compliance Certification Program

RSA enables rapid transformation of Identity and Access Governance processes

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

MetaOption, L.L.C. Implementing ERP Using Microsoft Dynamics Navision

Secure Services and Quality Testing SST. Security Engineering Privacy by Design Trusted Solutions. Mario Hoffmann. for Service Ecosystems

Strengthen security with intelligent identity and access management

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

CS 101 November 15, 2010

Security Services. A Solution for Providing BPM of Security Services within the Enterprise Environment.

SAP Identity Management Overview

ISACA Kampala Chapter Feb Bernard Wanyama Syntech Associates Limited

Application Control Effectiveness for SAP. December 2007

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Security Issues in Cloud Computing

Top 10 Tech Trends For 2015 by Gartner

"Service Lifecycle Management strategies for CIOs"

How SITEFORUM provides you with main components to build and run an innovative cloud computing service for an industry or special interest group

Combining Security Risk Assessment and Security Testing based on Standards

De D l e iver e i r ng n g S of o twa w r a e r e as a a a We W b e A b pp p p Ser e v r ice Varsha Jadhav

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Certified Information Systems Auditor (CISA)

Enterprise Enabler and the Microsoft Integration Stack

Cybersecurity The role of Internal Audit

Combining Security Risk Assessment and Security Testing based on Standards

Too Critical To Fail Cyber-Attacks on ERP, CRM, SCM and HR Systems

The Essentials Series. Communications Enabled Business. by Ken Camp

How Accenture is taking SAP NetWeaver Identity Management to the next level. Kristian Lehment, SAP AG Matthew Pecorelli, Accenture

Our Service Offering to SASOL

Information & Asset Protection with SIEM and DLP

Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools

Service Portfolio Management PinkVERIFY

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

MARKetstudy:»Cloud Computing for Logistics«

Data Privacy SERVICES

Complete Database Security. Thomas Kyte

CITY UNIVERSITY OF HONG KONG

D6.1: Service management tools implementation and maturity baseline assessment framework

How To Secure Cloud Computing

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Becoming a Cloud Services Broker. Neelam Chakrabarty Sr. Product Marketing Manager, HP SW Cloud Products, HP April 17, 2013

DOCUMATION S SELF-SERVICE PORTAL

The Casper Suite An ROI overview

Leading investor communications firm serving brokerdealers, and investment banks protects sensitive data

Security and Compliance in Clouds 1

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Cloud computing: benefits, risks and recommendations for information security

SECURITY CONFIGURATION WITH ACTIVE DIRECTORY FOR MICROSOFT DYNAMICS:

THE USE OF THE ERP-CRM-CIM SYSTEMS WITHIN THE MASTER S DEGREE PROGRAMMES

Microsoft Windows 7 and Office. Key Initiative Overview

Whitepaper: 7 Steps to Developing a Cloud Security Plan

SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management

Providing Full Life-cycle Identity Management

Building an Effective

Address C-level Cybersecurity issues to enable and secure Digital transformation

XBRL & GRC Future opportunities?

Enabling Data Quality

Cloud Security Fails & How the SDLC could (not?) have prevented them

The problem of cloud data governance

Delivering Commercial Best Practices to Government Customers. Copyright 2013 Accenture All rights reserved.

RSA Via Lifecycle and Governance 101. Getting Started with a Solid Foundation

Secure your cloud applications by building solid foundations with enterprise (security ) architecture

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

How To Use Commission Suite

The CRM that Defines Innovation. Bill Armistead, Product Sales Specialist CONNECTIONS

Cloudbuz at Glance. How to take control of your File Transfers!

ADOPTION OF OPEN SOURCE AND CONVENTIONAL ERP SOLUTIONS FOR SMALL AND MEDIUM ENTERPRISES IN MANUFACTURING. Mehran G. Nezami Wai M. Cheung Safwat Mansi

rating of 5 out 5 stars

Sebis Study: Cloud Adoption and Strategy 2013

Oracle Applications Profile

Transcription:

Security and Compliance in Clouds Jan Jürjens, Kristian Beckers Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund, Germany) http://jan.jurjens.de

Security is the Major Show-Stopper

GRC in Clouds Governance Policy design Classification schema for data and processes Trust chain in a cloud Risk Risk strategy Business Impact Analysis Threat and Vulnerability Analysis Risk Analysis Remediation Compliance Policy enforcement Legal compliance (SOX, SOLVENCY II) Control implementation The Cloud offers dynamic ressource allocation For GRC in clouds we require the same dynamic

Compliance Scenarios Customer -> Cloud: Security Compliance: Check the security processes of the cloud for compliance with SLA Legal Compliance: Check the business process for SOX, MaRisk compliance Cloud -> Cloud: Contract Compliance: Check the interaction of two business partners in the cloud Cloud -> Customer: Security Compliance: Inspect the processes for cloud behavior violation

Related Standards Process Maturity Holistic Control Systems Security Standards Transparency Safe Harbor

Architectures for Auditable Business Process Execution (APEX) Tool supported method for implementing business processes to IT infrastructure under consideration of compliance policy requirements (like Basel II, Solvency II,...). Analysis is performed on the basis of text documents, models or other data sources Governance, Risk and Compliance (GRC) and measures especially for Cloud Computing for SMEs and large-scale enterprises. 6

Motivation Implementation of compliance regulations is essential: Implementation of EU-Guidelines Basel II, Solvency II till 2012 Implementation of MaRisk from BaFin US-market actors require SOX Today: time-consuming and expensive manual labour Specialists are employed for standard tasks and there is often no time for analysis of special cases e.g. risk of fraud by stuff (spectacular example: Societe Generale 2008: 5 Mrd. Euro loss). APEX approach reduces the manual effort and provides time for GRC experts to focus on specific issues

Definition Security and Compliance Governance, Risk und Compliance (GRC) Governance: internal company guidelines Compliance: external guidelines, e.g. SOX Risk: risk management under consideration of all guidelines Security Abstract security objectives, e.g. CIA applied to a company A company can be compliant, but not secure.

The Idea behind the APEX Approach Automation of standard GRC tasks RoI reduction through manual work reduction Experts focus on special cases Development of GRC information bases for companies Data sources: Interviews, texts, process mining, and processes Risk management concept evaluation Partially automated by APEX framework Support by measures for GRC monitoring Implementation of monitoring tools e.g. in web portals Data can be also used in BPM sector 9 9

The APEX Framework

Log-File Analysis: Identification of Patterns Four-Eyes-Principle Identification of the Four- Eyes-Principle with the help of the following information: Request Ids are conform Owners are different Job was finished at the same point in time 11

Log-File Analysis: Identification of pattern with chronology - Chronology of the four-eyes principle is considered - First an employee has to create a contract - Afterwards another one has to check the contract - The action has to have a consistent processid Pattern: Four-Eyes- Principle ProcessID Activity ID Consultant Time Stampe Description 1 A John 9-3-10:15.01 Create Contract 2 A Mike 9-3-10:15.12 Print Document 1 B Mike 9-3-10:16.07 Check Contract 2 C Carol 9-3-10:18:25 Send Document 12

Log-File Analysis APEX Framework 13

Business Process Mining Analysis based on IT-systems Analysis of processes derived with reverse engineering A X C B Event dates Process ID Activity ID Consultant Time Stampe 1 A John 9-3-10:15.01 2 A Mike 9-3-10:15.12 3 B Mike 9-3-10:16.07 4 C Carol 9-3-10:18.25 ERP SCM WfM S... CRM 14

Business Process Analysis Analysis based on models Automated compliance-analysis Two approaches: 1.Test-based analysis of the activity identifier for the automated risk identification 2. Structural analysis of the process model for complianceviolation-pattern 15

Textbased Automated Riskanalysis Compliance-relevant keywords: Credentials, Login, Check Advantage: Detailed risk analysis possible Disadvantage: modelling required 16

Structural Analysis on the Model Layer Structural analysis of a business process against compliance pattern Approach: Search with abstract syntax for a contract v Search for the Four-Eyes-Principle for this linked v Pattern: four-eyes principle v: contract, a!=b : employee v:contract :editcontract a:employee v:contract :editcontract b:employee 17

Conclusion Clouds? Make sure you are secure! ( and compliant) Contact: http://jan.jurjens.de