SECURITY IN THE CLOUD

Similar documents
PII Compliance Guidelines

Automated User Provisioning

10 Smart Ideas for. Keeping Data Safe. From Hackers

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Cloud Security and Managing Use Risks

Data Security Best Practices & Reasonable Methods

The Value of Vulnerability Management*

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Preemptive security solutions for healthcare

IBM Security Privileged Identity Manager helps prevent insider threats

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Caretower s SIEM Managed Security Services

The Benefits of an Integrated Approach to Security in the Cloud

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

privileged identities management best practices

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

SecurityMetrics Vision whitepaper

Trend Micro Cloud Security for Citrix CloudPlatform

Payment Card Industry Data Security Standard

Securing the Cloud Infrastructure

INFORMATION SECURITY FOR YOUR AGENCY

Solving the Security Puzzle

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Stay ahead of insiderthreats with predictive,intelligent security

Intelligent Security Design, Development and Acquisition

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

External Supplier Control Requirements

The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

The Cloud App Visibility Blindspot

I D C A N A L Y S T C O N N E C T I O N

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Cloud security with Sage Construction Anywhere

Take Control of Identities & Data Loss. Vipul Kumra

How to Secure Your Environment

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Windows Least Privilege Management and Beyond

How to Practice Safely in an era of Cybercrime and Privacy Fears

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

NASCIO 2015 State IT Recognition Awards

Seven Things To Consider When Evaluating Privileged Account Security Solutions

F G F O A A N N U A L C O N F E R E N C E

Cloud and Data Center Security

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

STRONGER AUTHENTICATION for CA SiteMinder

Central Agency for Information Technology

The Cloud App Visibility Blind Spot

Critical Controls for Cyber Security.

Introduction. PCI DSS Overview

Identity and Access Management: The Promise and the Payoff

Defending Against Data Beaches: Internal Controls for Cybersecurity

The Education Fellowship Finance Centralisation IT Security Strategy

SUPPLIER SECURITY STANDARD

Compliance and Cloud Computing

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Cyber Security Management

Identity & Access Management in the Cloud: Fewer passwords, more productivity

HOW SECURE IS YOUR PAYMENT CARD DATA?

Enterprise Cybersecurity: Building an Effective Defense

Securing Virtual Desktop Infrastructures with Strong Authentication

CloudCheck Compliance Certification Program

Microsoft s cybersecurity commitment

Five keys to a more secure data environment

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

BIG SHIFT TO CLOUD-BASED SECURITY

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

Time Is Not On Our Side!

How To Achieve Pca Compliance With Redhat Enterprise Linux

The 7 Tenets of Successful Identity & Access Management

Trust but Verify: Best Practices for Monitoring Privileged Users

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cloud security architecture

Cloud Security: Getting It Right

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

CAN NUCLEAR INSTALLATIONS AND RESEARCH CENTERS ADOPT CLOUD COMPUTING?

Cybersecurity Workshop

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

The Oracle Mobile Security Suite: Secure Adoption of BYOD

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

NERC CIP VERSION 5 COMPLIANCE

The ODCA, Helix Nebula and Federated Identity Management. Mick Symonds Principal Solutions Architect Atos Managed Services NL

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Data Security and Healthcare

Effective Software Security Management

Avoiding the Top 5 Vulnerability Management Mistakes

Hands on, field experiences with BYOD. BYOD Seminar

How To Protect Yourself From A Hacker Attack

Cybersecurity Policies and Best Practices: Protecting small firms, large firms, and professional services from malware and other cyber-threats

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

THE FIVE NEW PCI COMPLIANCE RULES YOU NEED TO KNOW

GFI White Paper PCI-DSS compliance and GFI Software products

Transcription:

Common Knowledge: Kevin Burns SECURITY IN THE CLOUD (aka- Insecurity in the Cloud)

Real Issue: You don t know what you don t know For Instance - First Question who is responsible for securing what? Who has access to what data? Which way did it go? (the data that is) You destroyed what data? What technologies are being used? Who made those firewalls? Who configured those firewalls?

Assessing the vendor How likely is the vendor to continue the service? How financially stable is the vendor? To what extent does the vendor use subcontractors? What are the vendor s standard security practices? What is the vendor s track record with security?

So What Now? Getting serious for a minute IT STARTS WITH THE CONTRACT! Contracts Are The Key Legal Enforcement Mechanism» (BTW - Cloud Security Alliance great source) - Examples Right to Audit clauses - Adherence to compliance (PCI) - How will provider respond to INFO requests? Termination of contract handled? (Assets returned)

Legal Stuff (Cont.) Service Level Agreements necessary performance?? NIST 800-144 Security - Public Clouds Breach notification process must be defined!!! Data allowed/not allowed to be co-mingled Contract language stipulates where the data will reside Disaster Recovery/Redundancy (other locations of provider)

SAS 70 Type II Compliance- (What the heck is that? Replaced by SSAE 16 in 2010 Never mind) Certifications Differences SAS 70 verified that controls/processes at data center were followed (Cloud providers still touting their SAS 70s even as of this date) SSAE 16 does the above AND also requires verification of design and operating effectiveness. Attestation of system effectiveness versus SAS 70 controls focus And look for a recent independent Vulnerability and Penetration test (perimeter network)!!!!

THREATS TO YOUR CLOUD Cloud Security Alliance has identified threats to cloud security: Data breaches will continue (duh) - but why? Because they are only as strong as their own security posture (firewall patches) Threats - Cloud Security Data loss (gulp pun intended) - the drives went where? Your provider went bankrupt? DDOS - (Mass.Gov or e-mail (if ever in the cloud) not accessible?) Oh oh! Malicious insiders (my favorite!) Maybe keep the encryption keys in-house Abuse of cloud services My cloud provider is serving up malware? Shared technology Hey, hey, you you get off of my cloud (you knew that was coming)

Just Sayin.. Reminder (so you don t forget) The Cloud Security Alliance calls out Lack of Due Diligence as a MAJOR threat Threats -continued Enterprises may push applications that have internal onpremises network security controls into the cloud, where those network security controls don't work. If enterprise architects don't understand the cloud environment, their application designs may not function with proper security when they're run in a cloud setting, the report warned.

Summary Tactics Be Proactive Insist on communication(s) with CISOs of your cloud security provider So.. Obtain explanations of their security controls both at a high level & low level Put the data owner on notice that they bear responsibility Insist on accurate data flow & network diagrams - you cannot protect it if you don t know: origin, destination, transmission, and storage locations. THE ABOVE SEEMS OBVIOUS BUT..

Any questions?

Identity and Access Management Massachusetts Office of Information Technology Executive Office for Administration and Finance Aldo Pietropaolo (IAM Technical Lead & Industry SME) MassIT

Agenda Identity And Access Management Current Cybercrime Landscape Addressing The Gaps Program Benefits Real Examples Questions

Identity And Access Management Give the right people the right access to the right resources and applications, at the right time and for the right reasons.

Cyber-Criminal Attacks Continue To Increase Malware attacks targeting identity theft are increasing (Examples: Home Depot, Target, Citibank, JP Morgan Chase) State employee and citizen identity and personal data at highest risk. Access to state information systems at risk. Increase targeting of mobile devices (Android, Apple) SMS Trojans Capable of stealing your text messages. Ransom Ware Capable of locking personal files and asking for ransom. Increase in advanced and persistent cyber-crime threats. These operate silently and avert detection until personal information is stolen and put into the black market. Increase in exploiting zero day attacks in vendor products. State regulatory requirements are becoming more stringent. FBI Criminal Justice, HIPPA, Federal Security Mandates Access control cited as one of the most frequent gaps (Deloitte NASCIO Report: http://www.nascio.org/publications/documents/deloitte-nasciocybersecuritystudy_2014.pdf) 14

Addressing The Gaps Significantly Reduce Implementation Costs And Address Security Gaps Provide Faster Deployment And Consistent Security And Audit Capabilities IAM Assembly Line (Continuous Delivery) (Agile) Significantly reduce implementation costs by an estimated 35% 45% By adopting a continuous deployment model, small packages are processed in an assembly line fashion to yield quality results. Measurable return on investment for CAPEX and OPEX. Commonwealth business requirements and IAM technology roadmap will serve as input to assembly line. Security Intelligence delivers 360-degree view: Increase Security Safe Guards Audit & Access Re-Certification Capabilities Centralized service for knowing who has access to what. Access re-certification and revocation process if a user has access to an application and should not, IAM will remove the access.

IAM Program Benefits An improved enterprise IAM environment enables these benefits Which result in a strong, industry demonstrated return on investment Benefit Decreased time to provision accounts Automated auditing and reporting Simplify system architecture Typical Metric Reduce from weeks to 1h or less Decreased reporting labor through more automated processes Reduce development costs by 2-5% per system Typical Financial ROI Model ROI ranges from 40% to over 100% 100% recapture of capital investment in three years or less Reduced ongoing operating costs of 20% or greater Standardized login processes that simplify access Single consolidated login process $3.5 Simplify account management & improve accuracy Reduce labor by 50% or more $3.0 $2.5 Automated password reset function De-provision accounts quickly Automated provisioning improves accuracy assignment and permissions Reduce help desk calls by 75%+ Decrease from days to minutes Decrease errors by 90% or more $2.0 $1.5 $1.0 $.5 $.0 Year 1-2006 Year 2-2007 Year 3-2008 Year 4-2009 Year 5-2010 Improved understanding of who has access to speed investigation Enforce standardized IAM policies and procedures Decrease risk Improve compliance, decrease risk Total Cost Quantifiable Benefits Fewer passwords or other access credentials Reduce from dozens to a few or one *Typical Metrics and ROI Model

Let s look at some real examples

HR/CMS Admin Access Today Outside Commonwealth (Internet) Inside Commonwealth Time And Attendance Payroll Employee Management New Hires Employee And Contractor Terminations HR/CMS Single Sign On Only Desktop Login Employee # Self Service UAID HR System HR/CMS Super Users HR/CMS User ID / Password Digital Certificate Virtual Private Network Strong Authentication

HR/CMS Admin Access Tomorrow Outside Commonwealth (Internet) Inside Commonwealth Key Benefits Prevent Breaches such as direct deposit bank account modifications. Single Sign On to all integrated applications. Employees IAM login page IAM Portal page HR/CMS Admin Users One Time Passcode HR/CMS External HR/CMS Core One Time Passcode SMS / Email Two Factor Authentication

Inter-Agency Cooperation Agency (MassIT) Agency (MassDOT) Application Landing Page JSmith in MassIT translates to John.Smith In DOR, and vice versa for application access. Application Landing Page Identity Federation Identity Federation Single Sign On To Federated Agencies Employee / Contractor in agency A has seamless navigation to application(s) in agency B. User has Single Sign On for both agencies. Employee / Contractor in agency B has seamless navigation to application(s) in agency A. User has Single Sign On for both organizations.

Summary Opportunity to realize ROI on capital investment within 3 5 years, while significantly strengthening Commonwealth security posture and identity management processes Increase Inter-Agency Collaboration While Reducing CapEx Costs Use existing systems where applicable for employee, contractor, and citizen access to Commonwealth resources No need to rebuild IAM services that already exist, therefore saving an average of 1.2 1.4 Million dollars in CapEx (Industry average for an enterprise IAM foundation) Accelerate common and valuable services to Commonwealth citizens Decrease errors by 80 % 90 % which may lead to personal data exposure by introducing a level of continuous automation, service availability, consistency, and quality improvements 21

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information