How To Protect Your Cloud Computing Resources From Attack


Security Considerations for Cloud Computing
Steve Ouzman, Security Engineer, ServiceNow

AGENDA
- Introduction
- Brief Cloud Overview
- Security Considerations
- ServiceNow Security Overview
- Summary

Cloud Computing Overview
The cloud model (as defined by NIST in SP 800-145) promotes availability and scalability and is composed of:
- five essential characteristics
- three service models
- four deployment models

Cloud Definition
Deployment Models: Private Cloud, Hybrid Cloud, Community Cloud, Public Cloud
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On-Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Homogeneity, Virtualization, Low-Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security
Based upon the original chart created by Alex Dowbor - http://ornot.wordpress.com

Cloud Computing Security Considerations

Seven Security Considerations For Cloud Computing

1. Abuse of Cloud Computing Resources: IaaS and PaaS platforms offer huge computing resources behind a registration process that is often very simple, so attackers adopt them just as legitimate customers do. E.g. IaaS offerings have hosted Zeus botnet infrastructure and Infostealer trojan horses.

2. Insecure Interfaces and APIs: cloud providers expose a set of APIs that customers use to manage their data and that third-party applications use for integrations. These need strict controls. Typical weaknesses: anonymous access, re-usable passwords, improper authorization (a caller reaching data that is not its own).

3. Malicious Insiders: a well-known threat for most organizations. The threat is amplified for consumers of cloud services by the convergence of IT services under a single provider's management.

4. Shared Technology Issues: IaaS and some SaaS vendors deliver their services at scale by sharing resources. In a multi-tenant environment, tenants share hardware through hypervisors/virtualization, and a flaw in that isolation layer can expose the underlying operating system, and with it the other tenants on the same host.

5. Data Loss or Leakage: there are many ways to compromise data: deletion or alteration of records without a backup, loss of an encryption key, insufficient authorization controls. E.g. insufficient AAA controls, or sensitive data left unencrypted in transit and at rest.

6. Account or Service Hijacking: not a new concept. Phishing, fraud and exploitation of software vulnerabilities still achieve results. With a hijacked account, attackers can eavesdrop on your activities and transactions and manipulate data.

7. Unknown Risk Profile: the benefits of using cloud computing resources should be measured against the security concerns. Software versions, code updates, security practices, vulnerability profiles and the security design of the cloud vendor must be understood. Furthermore, legal jurisdiction and local legislation requirements need to be considered, e.g. EU privacy laws, PCI compliance, HIPAA.
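As an added illustration of consideration 2 (and of the insufficient authorization controls named under consideration 5), the following Python example is not from the deck and not ServiceNow code. It places an API handler that accepts anonymous requests and returns any record by id beside a hardened handler that authenticates a bearer token, checks the record's tenant against the caller's tenant, and returns only the columns the caller is allowed to see. The record ids, tenant names, tokens and helper names are constructed for the example.

```python
import time
from typing import Callable, Optional

# Constructed sample data (not real customer records): two tenants, one
# record each. A client supplies only the record id, which is why a
# per-tenant authorization check is needed on top of authentication.
RECORDS = {
    "rec-100": {"tenant": "acme", "title": "Payroll export", "ssn_last4": "1234"},
    "rec-200": {"tenant": "globex", "title": "Vendor list", "ssn_last4": "9876"},
}

# Constructed session table: opaque bearer tokens (not re-usable passwords),
# each bound to one tenant and an expiry time.
SESSIONS = {
    "tok-acme-ab12": {"tenant": "acme", "expires": time.time() + 3600},
    "tok-globex-cd34": {"tenant": "globex", "expires": time.time() + 3600},
    "tok-acme-stale": {"tenant": "acme", "expires": time.time() - 1},
}

# Columns an ordinary API caller is allowed to see; everything else is
# projected away (the column-level analogue of the row-level tenant check).
EXPOSED_COLUMNS = {"title"}


class ApiError(Exception):
    """Carries the HTTP status a web framework would send for this failure."""
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status


def get_record_insecure(record_id: str, token: Optional[str] = None) -> dict:
    """Weak handler: no authentication, no tenant check, whole row returned.
    Anyone who guesses or enumerates a record id reads another tenant's data."""
    if record_id not in RECORDS:
        raise ApiError(404, "not found")
    return dict(RECORDS[record_id])


def authenticate(token: Optional[str]) -> str:
    """Resolve a bearer token to its tenant; reject missing, unknown or expired tokens."""
    if not token:
        raise ApiError(401, "authentication required")
    session = SESSIONS.get(token)
    if session is None or session["expires"] < time.time():
        raise ApiError(401, "invalid or expired token")
    return session["tenant"]


def get_record_secure(record_id: str, token: Optional[str] = None) -> dict:
    """Hardened handler: authenticate, authorize the row against the caller's
    tenant, then return only the exposed columns."""
    tenant = authenticate(token)
    row = RECORDS.get(record_id)
    # Same 404 for "does not exist" and "belongs to another tenant", so the
    # endpoint cannot be used to enumerate other tenants' record ids.
    if row is None or row["tenant"] != tenant:
        raise ApiError(404, "not found")
    return {k: v for k, v in row.items() if k in EXPOSED_COLUMNS}


def call(handler: Callable[[str, Optional[str]], dict],
         record_id: str, token: Optional[str] = None) -> tuple:
    """Invoke a handler the way a framework would, returning (status, body)."""
    try:
        return 200, handler(record_id, token)
    except ApiError as err:
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    # An anonymous caller reads globex's record through the weak handler...
    print(call(get_record_insecure, "rec-200"))
    # ...but is refused by the hardened one, as is acme reading globex's row.
    print(call(get_record_secure, "rec-200"))
    print(call(get_record_secure, "rec-200", "tok-acme-ab12"))
    print(call(get_record_secure, "rec-100", "tok-acme-ab12"))
```

The order of checks in the hardened handler matters: authentication first (so an anonymous caller learns nothing), then a tenant match before any data is touched, then column projection so that fields like the last four SSN digits never leave the service even for an authorized caller. Returning the same 404 for a foreign record as for a missing one keeps the API from doubling as an enumeration oracle.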

Cloud Security Reference Sites
- ENISA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
- Cloud Security Alliance: https://cloudsecurityalliance.org/
- Jericho Forum: https://www.opengroup.org/jericho/

ServiceNow Security Overview

Security Program
- Security program based on ISO 27001
- Security policies and standards map directly to ISO 27002 controls
- We support customers' regulatory requirements: PCI, SOX, FDA, HIPAA, NIST
- Risk-based, data-centric approach

Data Location and Data Isolation
- Customer data ONLY exists in the assigned primary and secondary secured datacenters
- No data processed/stored in business offices
- No data stored/processed on laptops/desktops
- Dedicated physical server option (additional cost)
- Hot DR site with asynchronous replication

Disaster Recovery
- Asynchronous data replication between primary and secondary datacenter
- Replicated backup files
- Coordinated DR testing (typically 4-7 minutes for failover and restored operations)
- Two Service-now.com DR drills per year
- Annual Business Impact Analysis

Datacenter Security Controls
- All internet connections terminate in a DMZ
- Explicit network and host-based firewall rules
- RSA two-factor authentication for all administrator access
- QualysGuard for vulnerability management
- Centralized audit logging using Splunk
- TippingPoint IPS sensors (blocking mode)

Penetration Testing
- Nightly QualysGuard port maps
- Bi-monthly perimeter scans using QualysGuard
- Integrated WhiteHat Security application penetration testing
- In any given month, three customer-initiated penetration tests in progress
- Annual comprehensive security penetration testing

Application Security Features
- LDAP/S and SAML single sign-on integration options
- Full encryption for data in motion (SSL, TLS, S/FTP)
- Column-level encryption
- Full support of users/groups/roles
- Full access control list support: application, module, table, column, row
- Contextual security model

Demo / Research / Request Info
- demo.service-now.com
- www.service-now.com
- info@service-now.com