Cloud Security. DLT Solutions LLC June 2011. #DLTCloud




Contact Information
- DLT Cloud Advisory Group
- 1-855-CLOUD01 (256-8301)
- cloud@dlt.com
- www.dlt.com/cloud

Your Hosts
- Van Ristau, Chief Technology Officer, DLT Solutions
- David Blankenhorn, Chief Cloud Technologist, DLT Solutions; leads DLT's Cloud Advisory Group

Introduction

Cloud Webcast Series: five weekly webcasts (Thursdays, May 12 to June 9)
- Webcast #1, May 12: Introduction to Cloud Computing
- Webcast #2, May 19: Software as a Service (SaaS)
- Webcast #3, May 26: Infrastructure as a Service (IaaS)
- Webcast #4, June 2: Platform as a Service (PaaS)
- Webcast #5, June 9: Securing the Cloud

Series objectives: provide the audience with
- A baseline understanding of Cloud Computing service models
- Suggested decision criteria for selecting appropriate Cloud services
- An overview of vendor Cloud services available
- Vendor-neutral discussion with brand vendor examples

Agenda
- Cloud Security: What's different?
- Key Security and Privacy Issues
- Security Upside
- Security Downside
- Threats & Risks
- Private & Virtual Private Clouds
- What To Look For
- What To Ask
- Considerations and Cautions
- Resources

Current Models: It's All Inside (a very simplified view)
- Physical Datacenter Systems: Servers (Hypervisors), Storage, Network Appliances
- Application Platforms: Operating Systems (VMs), Applications
- Account Management: Identity, Authentication, Authorization
- Governance, Risk & Compliance (GRC): Audit, Analysis, Business Continuity
- Security Infrastructure: Intrusion Prevention, Intrusion Detection, Continuous Monitoring, Access Controls
- Client Interface: Browsers, Smartphones, Desktops, Laptops, Tablets

Traditional Hosting Models
- Retained by the subscriber's IT: Application Platform, GRC, Account Management, Security Infrastructure, Client Interface
- Hosting Provider: Physical Data Center Systems, Application Platform (limited), GRC (limited)

Public Cloud: Realms of Responsibility

The provider owns the Physical Data Center Systems and the Hypervisor in every model; how much of the stack above them it takes on depends on the service model. As depicted on the slide:
- SaaS: provider runs the Application, Application Platform and Security Infrastructure. Subscriber responsibilities: GRC, Account Management, Client Interface.
- PaaS: provider runs the Application Platform and Security Infrastructure. Subscriber responsibilities: Application, GRC, Account Management, Client Interface.
- IaaS: provider runs only the Physical Data Center Systems and Hypervisor. Subscriber responsibilities: Application, Application Platform, Security Infrastructure, GRC, Account Management, Client Interface.

Note what never moves to the provider in any model: GRC, Account Management (identity, authentication, authorization) and the Client Interface stay with the subscriber.

Key Security & Privacy Issues (as defined by NIST)
- Governance
- Data Protection
- Compliance
- Incident Response
- Trust
- Availability
- Architecture & Software Isolation
- Identity & Access

Possible Security Upside

From the cloud provider (source: NIST):
- Staff Specialization
- Platform Strength
- Resource Availability
- Backup & Recovery
- Data Concentration

For internal staff:
- Staff (Re)specialization
- Standards Focus
- Investigation & Forensics
- Logging
- Complementary Cloud Services

Possible Security Downside
- Shared, Multi-tenant Services
- Complexity
- Loss of Control & Visibility
- Internet Facing
- Data Sovereignty
- And the bad guys can use it too

Top Threats & Risks

Threats (source: Cloud Security Alliance (CSA), Top Threats to Cloud Computing v1.0):
- Abuse & Nefarious Use
- Insecure Interfaces & APIs
- Malicious Insiders
- Shared Technology
- Data Loss or Leakage
- Account or Service Hijacking
- Unknown Risk Profile

Risks (source: Gartner):
- Privileged User Access
- Regulatory & Ethical Compliance
- Data Location
- Data Segregation
- Disaster Recovery
- Investigative Support

What About Private?

Trade-offs:
- Needs additional security for the virtualization layer: cloud infrastructure systems, hypervisors, VM mobility
- Loses scale
- Requires new skills
- Pay upfront
- Solves Data Sovereignty
- Maintains Control & Visibility

The same in-house stack as before, now virtualized:
- Physical Datacenter: Servers (Hypervisors?), Storage, Network Appliances
- Application Platforms: Operating Systems (VMs?), Applications
- Account Management: Identity, Authentication, Authorization
- Governance, Risk & Compliance (GRC): Audit, Analysis
- Security Infrastructure: Intrusion Prevention, Intrusion Detection, Continuous Monitoring, Access Controls
- Client Interface: Browsers, Smartphones, Laptops, Tablets

Virtual Private Cloud?
- Resource Dedication: multi-tenancy risk reduced
- Virtual Private Network (VPN): additional security boundaries
- Visibility & Control increased, but still limited
- Agility
- Premium Pricing

What To Look For
- Service Level Agreements
- Certifications & Compliance: FISMA; SAS 70, Type II; ISO 27001; PCI DSS, HIPAA, etc.
- Penetration Testing
- Incident Response Processes & Procedures
- Service & Data Recovery

What To Ask
- How to audit?
- Where's the data?
- Who can access?
- How are employees trained?
- What data classification is used?
- How viable?

Considerations & Cautions
- Data Sovereignty
- Key Management
- Identity Integration
- Network Latency
- Cloud Compatibility
- Auditors
- Trust, but Verify
- Risk Mitigation
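"Trust, but Verify" means turning three of the questions above (Where's the data? Who can access? Who holds the keys?) into a check you run against what the provider actually reports, rather than what the contract says. The following is an added example, not part of the DLT deck or any vendor's tooling: a small policy audit over a storage inventory. The inventory records are constructed, and their field names (id, region, public, key_owner, classification) are assumptions standing in for whatever a provider's API or console export really returns.

```python
"""Trust-but-verify audit of a cloud storage inventory.

Added example, not part of the DLT deck. The inventory records below are
constructed and their field names (id, region, public, key_owner,
classification) are assumptions standing in for whatever a provider's
API or console export actually returns.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Policy:
    # Jurisdictions the data may live in (data sovereignty).
    allowed_regions: Set[str]
    # Classifications that must never be world-readable (who can access?).
    no_public: Set[str] = field(default_factory=lambda: {"confidential"})
    # Classifications whose encryption keys the subscriber must hold (key management).
    subscriber_keys: Set[str] = field(default_factory=lambda: {"confidential"})


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str


def audit(inventory: Iterable[Dict], policy: Policy) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means clean."""
    findings: List[Finding] = []
    for r in inventory:
        rid = r.get("id", "<unnamed>")
        cls = r.get("classification", "unclassified")

        # Data sovereignty. A missing region is itself a violation: "we don't
        # know where it is" is not an acceptable answer to "where's the data?".
        region: Optional[str] = r.get("region")
        if region not in policy.allowed_regions:
            findings.append(Finding(
                rid, "data-sovereignty",
                f"stored in {region or 'unknown region'}; "
                f"allowed: {sorted(policy.allowed_regions)}"))

        # Access: sensitive data exposed to anyone on the Internet.
        if r.get("public", False) and cls in policy.no_public:
            findings.append(Finding(rid, "access", f"{cls} data is world-readable"))

        # Key management: a provider-held key means the provider (and whoever
        # compels or compromises it) can read the data regardless of encryption.
        if cls in policy.subscriber_keys and r.get("key_owner") != "subscriber":
            findings.append(Finding(
                rid, "key-management",
                f"{cls} data encrypted with a {r.get('key_owner', 'unknown')}-held key"))
    return findings


# Constructed sample export (hypothetical field names, not a real provider schema).
SAMPLE_INVENTORY = [
    {"id": "bucket-payroll", "region": "us-east-1", "public": False,
     "key_owner": "subscriber", "classification": "confidential"},
    {"id": "bucket-backups", "region": "eu-west-1", "public": False,
     "key_owner": "provider", "classification": "confidential"},
    {"id": "bucket-web-assets", "region": "us-west-2", "public": True,
     "key_owner": "provider", "classification": "public"},
    {"id": "bucket-case-files", "region": "us-east-1", "public": True,
     "key_owner": "provider", "classification": "confidential"},
    # No region reported at all: the audit must not silently pass this one.
    {"id": "bucket-legacy", "public": False,
     "key_owner": "subscriber", "classification": "internal"},
]

# Example policy: US regions only; confidential data never public and always
# under subscriber-held keys.
US_ONLY_POLICY = Policy(allowed_regions={"us-east-1", "us-west-2"})


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, US_ONLY_POLICY):
        print(f"{f.resource:20} {f.check:17} {f.detail}")
```

Against the sample inventory the audit reports five findings: the EU-resident backups fail both the sovereignty and key-management checks, the public confidential case files fail access and key-management, and the legacy bucket with no reported region is flagged rather than ignored. The public web-assets bucket is clean because its classification permits both public access and provider keys. The value is in running this against a fresh export on a schedule, so that a resource quietly created in the wrong region or opened to the world shows up the same week, not at the next audit.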

Resources

National Institute of Standards and Technology (NIST), http://www.nist.gov/itl/cloud/
- SP 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
- SP 800-53r3: Recommended Security Controls for Federal Information Systems and Organizations
- SP 800-146 (DRAFT): Cloud Computing Synopsis and Recommendations
- SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
- SP 800-125: Guide to Security for Full Virtualization Technologies

Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/
- Cloud Controls Matrix

European Network and Information Security Agency (ENISA), http://www.enisa.europa.eu/
- Cloud Computing: Benefits, risks and recommendations for information security

Federal Risk and Authorization Management Program (FedRAMP)
- http://info.apps.gov/content/federal-risk-and-authorization-management-program-fedramp

Closing Thoughts

"Clouds are massive complex systems [that] can be reduced to simple primitives that are replicated thousands of times and common functional units." Peter Mell and Tim Grance, NIST

OR

"When eating an elephant, take one [bite] at a time." General Creighton Abrams Jr.