Debate Session II: No More Mr. Nice Guy! Tightening the Screws on Cloud Security
Thursday 27 March 2014, 10:20-10:50 am
Iben Rodriguez
Overview
Security products tested
Business model aligned with enterprises
No conflict of interest
Independent assessment, not certification
Vendors do not pay to participate in tests
Vendors cannot commission or sponsor a test
Vendors cannot opt out of a test
Make security a science.
Only NSS has the complete picture to provide actionable intelligence relevant to your organization.
Attack Impact: we can tell you which attacks will bypass your layers of security, and whether or not you need to take action.
(Diagram labels: Threat Intelligence, Security Product Efficacy)
How do we know that? We test.
Our data shows which attacks bypass a cyber kill chain. You can now make decisions based upon intelligence tailored to your unique environment:
1. Select your applications
2. Select your security product(s)
3. NSS will tell you which exploits bypass each product and the combined kill chain of products
4. NSS will provide you with relevant indicators of compromise, including URLs, shellcode, malware, command & control, etc.
What could you do with this information?
Manage OPEX and CAPEX more effectively
Reduce cost, complexity, and time
Prioritize patches
Optimize security policies
Eliminate redundancy
Efficiently deploy resources
Security is not one size fits all
Test Report Release Process
NSS releases three sets of reports per test:
Product Analysis Report (PAR): individual product reports, one per product
Security Value Map (SVM): graphical map of each product's TCO
Comparative Analysis Reports (CAR): comparative look at all products' performance against security efficacy, performance and TCO
PARs are released as completed
SVM is released once all tests are complete
CARs are the final reports released and signify completion of the public test
Sample Security Value Map: view trade-offs between security, performance and cost
The NSS ThreatCAST Suite
Threat Intelligence:
Threat feed tracking live threats from around the world.
Research Library: product efficacy reports, analyst briefs, and toolkits.
Analyst Inquiries: tailored, actionable advice from industry experts.
Threat Mapping:
Running attacks gathered by Threat Intelligence against live targets provides you with a real-time view of what the adversaries are targeting TODAY.
ThreatCAST Attack Surface Diagnostics:
Deploying security products within the Threat Map, we can tell you which attacks are capable of bypassing your layers of security in real time.
Common compliance regulations:
Revised International Capital Framework (Basel II)
Gramm Leach Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
North American Electric Reliability Corporation Standards (NERC)
Payment Card Industry Data Security Standards (PCI-DSS)
Sarbanes-Oxley Act of 2002 (SOX)
Federal Risk and Authorization Management Program (FedRAMP)
Federal Information Security Management Act of 2002 (FISMA)
International Traffic in Arms Regulations (ITAR)
International Organization for Standardization (ISO) 27001
Federal Information Processing Standards (FIPS) 140-2
American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) Reports
Federal Office for Information Security (BSI) Germany
Financial Services Roundtable BITS Shared Assessments Agreed Upon Procedures (AUP) and Standardized Information Gathering (SIG)
Control Objectives for Information and Related Technology (COBIT)
European Network and Information Security Agency (ENISA) Information Assurance Framework (IAF)
AICPA and Canadian Institute of Chartered Accountants (CICA) Generally Accepted Privacy Principles (GAPP)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Jericho Forum
National Institute for Science and Technology (NIST)
New Zealand Information Security Manual (NZISM)
Trusted Cloud Initiative (TCI) Reference Architecture
Source: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Debate Session II: Cloud Security (panelists)
Dennis Moreau is responsible for Software Defined Security/Compliance/Trust technology at VMware, EMC/RSA, Configuresoft. Security & compliance automation standards with NIST, Mitre, DHS, DoD, and national labs.
Dr. Hongwen Zhang is the CEO and a co-founder of Wedge Networks Inc., a cloud-based information security platform vendor. He is a co-chair of the CloudEthernet Forum's Security Working Group.
Iben Rodriguez is the Director of Cloud and Virtual Testing for NSS Labs. His team builds, tests, and researches cloud security infrastructure used by enterprise customers.
Paul To is Director in charge of Spirent's SDN & Cloud strategy and Vice Chairman of the Testing Leadership Council at Open Networking Foundation.
Steve Pate is the Chief Architect at HyTrust with deep experience in the areas of file systems, encryption, virtualization, and storage security.
Debate Session II: Cloud Security (discussion topics)
Security controls for a distributed data plane
Cloud privacy
Data sovereignty
Encryption for data at rest, ciphers
Key management
Geo-location, network path selection, audit, test
Cloud providers and 3rd party vendors
Big data analytics
Supply chain management
NFV for security functions