What REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond!




HOW to best integrate security into the office AND the cloud? And what is the one MORE thing that we have to do???
Dec 9, 2013, Mike Davis, mike@sciap.org; ElectEngr/MSEE, CISSP, SysEngr; ISSA / ISC2 / SOeC, AFCEA / NDIA, IEEE / INCOSE, et al. (title-slide graphic: "easy button" vs. COMPLEXITY)

Cyber Security Overall Status (Senior IA/Cyber VIP Mike Jacobs: same issues as 40-50 years ago, but better in the last 10)

Area                     Status (G/Y/R)   Notes
Technology               G (trending)     We have what we NEED NOW
Business                 Y                Some LSIs resist change
Policy                   Y                Legislation poor; can't be voluntary
Procedures / standards   G                NIST done well; need uniform implementation
Education                G                170+ CAEs (schools), 10,000+ / year
Leadership               R                Complexity vs. CISO; C-suite complacency and inability to absorb
Awareness                G                Education starting earlier, STEM, NICE

Must all provide an enterprise-integrated cyber package, including cloud security!

What's new in cyber, and what matters?
* Sensor + WiFi = device.
* Things: systems, machines, equipment, and devices connected to the Internet and to each other (RFID, apps, MEMS, WSN, SCADA, PLC, ASIC, API, etc.).
* Is all this stuff secure? How much security is needed? What is a due diligence level of security?
* COMPLEXITY is everywhere!
* The Internet of Things (IoT) is not really new. IoT requires ALL the cyber protections we already know and still need to do, especially where sensors dominate.

Complexity of enterprise IT systems is increasing, AND so is the associated cyber security burden, from sensor to cloud! So what is "good enough" security? Follow the DATA: where is it, who has it, and how sure are you?

SO what does matter in cyber?
* CYBER is fundamentally all about TRUST and DATA.
* It's NOT about expensive new cyber capabilities / toys, but more about the SoS / I&I (system-of-systems, integration and interoperability) glue: distributed trust, resiliency, automation, profiles, etc.
* 90+% of security incidents come from not doing the basics!
* Conduct effective Security Continuous Monitoring (SCM / SIEM), a MUST DO!
* USE enforced cyber hygiene and enterprise access control, and reduce complexity (APLs, approved product lists).
* Shift from only protecting the network to protecting the DATA itself: an information-centric view.
* Embrace your Risk Management Plan, LIVE IT! Have an enforceable security policy (what is allowed / not allowed) and train to it. KNOW your baseline. Protect the business from the unknown risks as well.
* Employ a due diligence level of security, then transfer the residual risks!
* When in doubt, do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities: stabilize the environment!
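The "KNOW your baseline", approved-product-list and continuous-monitoring points above are easiest to see as code. The following is an added example, not from the slides or from the author's paper: it encodes a host baseline as data, diffs an observed host snapshot against it, and emits the deviations as JSON lines a SIEM can ingest. The host name, ports, package names, service names and admin groups are constructed sample values.

```python
"""Baseline-driven continuous-monitoring check (added example, not from the slides).

The baseline states what a host of this class is allowed to look like
(listening ports, approved product list, required services, admin groups).
A snapshot is what a monitoring agent observed; every difference is a finding.
All names and values below are constructed for the example.
"""
import json

# Constructed baseline: the *allowed* state for this host class.
BASELINE = {
    "listening_ports": {22, 443},
    "approved_packages": {"openssh-server", "nginx", "auditd"},   # the APL
    "required_services": {"auditd", "sshd"},
    "allowed_admins": {"ops-team"},
}

# Constructed snapshot of what an agent observed on one host.
SNAPSHOT = {
    "host": "web-01",
    "listening_ports": [22, 443, 8080],
    "packages": ["openssh-server", "nginx", "auditd", "netcat"],
    "running_services": ["sshd"],
    "admins": ["ops-team", "contractor-x"],
}


def check_snapshot(snapshot, baseline=BASELINE):
    """Return a list of finding dicts for everything that deviates from the baseline."""
    findings = []

    def drift(kind, items, severity):
        for item in sorted(items, key=str):
            findings.append({"host": snapshot["host"], "kind": kind,
                             "item": item, "severity": severity})

    # Anything listening that the baseline does not allow.
    drift("unexpected_port",
          set(snapshot["listening_ports"]) - baseline["listening_ports"], "high")
    # Software installed outside the approved product list.
    drift("unapproved_package",
          set(snapshot["packages"]) - baseline["approved_packages"], "medium")
    # Required controls (e.g. audit logging) that are not running.
    drift("missing_service",
          baseline["required_services"] - set(snapshot["running_services"]), "high")
    # Privileged principals the baseline never granted.
    drift("unexpected_admin",
          set(snapshot["admins"]) - baseline["allowed_admins"], "high")
    return findings


def to_siem_events(findings):
    """Serialize findings as one JSON object per line, the shape most SIEMs ingest."""
    return [json.dumps(f, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_siem_events(check_snapshot(SNAPSHOT)):
        print(line)
```

The value of this shape is that the baseline is reviewable data rather than ad hoc alert rules: changing the APL or the allowed admin groups is a diff in version control, and every deviation is reported with a severity the SIEM can route on.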

What does a simple IA/Cyber vision / end state look like? AND what are the requirements?
* Cyber is ALL about TRUST, Rules/MOAs & State.
* KEY C-I-A (confidentiality, integrity, availability) entities / touch points: things, comms, the cloud.
* IoT = things + comms AND DATA. Is yours assured, with a pedigree? Are the 4 Vs satisfied?
* A cyber end state stresses encapsulation using secure communications.

Gartner's 2013 Hype Cycle for Emerging Technologies
* How do we prove end-to-end security? What is a due diligence level of cyber?
* Everything connected to everything? Are the comms secure?
* Automation = machines in control? Is M2M secure?
* Pervasive new technologies? Built secure?
* IoT is all about SECURE sensors, DATA and communications! ALL the technologies / connections need built-in security.

Cloud Security Factoids
The cloud security challenges are principally based on:
a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations that can't be examined
f. Loss of physical control

Areas that will mature soon, enhancing enterprise risk management (re: Gartner): consensus on what constitutes the most significant risks; cloud services certification standards; virtual machine governance and control (orchestration); enterprise control over logging and investigation; content-based control within SaaS and PaaS; and cloud security gateways, security "add-ons" based in proxy services.

Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Shift from only protecting the network to protecting the DATA itself (e.g., data-centric security)! We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/pubssps.html
AND an overall, enterprise, end-to-end risk management approach (e.g., RMF & FedRAMP).

Notional Data Centric Architecture (DCA), ISO (in support of) the typical information environment
* IA / Security / cyber (e.g., defense in depth (DiD)) supports quality / assured data (with pedigree / provenance).
* Cyber must be preserved in the full data AND capabilities life cycle.
* Must accommodate BOTH in-house and cloud IA controls / inheritance.
* What IA/security capabilities are needed for the DATA itself? How does the DATA move about? Data is either at rest, being processed, OR in transit.
* Layers in the notional diagram, around the DATA: storage, services, apps, host / device, business logic, middleware, transport. Other diagram labels: OMG / DDS; reputation-based security; behavior monitoring; FW/IDS/IPS; continuous monitoring.
* Must account for the four Vs: Volume, Variety, Velocity and Veracity.
* DCA security = DCPS, DDSI, DataReader, DataWriter, Pub / Sub; Java, mobile code, widgets, storage SW, middleware, services, ESB, etc.
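The slide asks for assured data "with pedigree / provenance" that survives as data moves between rest, processing and transit. The following added example (not from the slides or the author's paper) shows one way to carry that pedigree with the data: every hop that handles an object appends a provenance record that is HMAC-signed over the data hash and the previous record's tag, so a consumer can verify who touched the data, in what order, and that neither the data nor the chain was altered. The hop names, keys, sensor reading and timestamps are constructed; in practice the per-hop keys would come from a key-management service and the tags would be asymmetric signatures where hops do not share a trust domain.

```python
"""Data pedigree / provenance chain (added example, not from the slides).

Each record binds: the hop that acted, the action, the SHA-256 of the data
after that action, and the previous record's tag. The record's own tag is an
HMAC under the hop's key, so a single verifier can check the whole chain.
Keys and hop names are constructed stand-ins for a real KMS / identity store.
"""
import hashlib
import hmac
import json
import time

# Constructed per-hop signing keys (stand-in for a key-management service).
HOP_KEYS = {
    "sensor-07": b"k-sensor-07",
    "gateway": b"k-gateway",
    "cloud-store": b"k-cloud-store",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(key: bytes, record: dict) -> str:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_hop(chain: list, hop: str, data: bytes, action: str, ts=None) -> list:
    """Return a new chain with a signed record for `hop` performing `action` on `data`."""
    record = {
        "hop": hop,
        "action": action,                      # e.g. produce / forward / store
        "data_sha256": _digest(data),          # hash of the data *after* this hop
        "prev_tag": chain[-1]["tag"] if chain else "",   # back-link to prior record
        "ts": ts if ts is not None else time.time(),
    }
    record["tag"] = _tag(HOP_KEYS[hop], record)  # tag covers every field except itself
    return chain + [record]


def verify_chain(chain: list, data: bytes) -> tuple:
    """Return (ok, reason): checks each tag, the back-links, and the final data hash."""
    prev = ""
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        key = HOP_KEYS.get(rec.get("hop"))
        if key is None:
            return False, f"record {i}: unknown hop {rec.get('hop')!r}"
        if not hmac.compare_digest(_tag(key, body), rec["tag"]):
            return False, f"record {i}: bad signature"
        if rec["prev_tag"] != prev:
            return False, f"record {i}: chain link broken"
        prev = rec["tag"]
    if not chain or chain[-1]["data_sha256"] != _digest(data):
        return False, "data does not match last recorded hash"
    return True, "ok"


def demo():
    """Constructed path: sensor produces, gateway forwards, cloud store enriches and stores."""
    raw = b'{"temp_c": 21.5, "sensor": "sensor-07"}'
    chain = append_hop([], "sensor-07", raw, "produce", ts=1.0)
    chain = append_hop(chain, "gateway", raw, "forward", ts=2.0)     # in transit, unchanged
    enriched = raw + b'\n{"unit": "C"}'                               # processing changes the bytes
    chain = append_hop(chain, "cloud-store", enriched, "store", ts=3.0)
    return chain, enriched


if __name__ == "__main__":
    chain, final_data = demo()
    print(verify_chain(chain, final_data))
    for rec in chain:
        print(rec["hop"], rec["action"], rec["data_sha256"][:12], rec["tag"][:12])
```

Because each record's hash is of the data after that hop, a processing step is recorded rather than hidden, and any later tampering with the data, a record, or the order of records fails verification with a reason that says which hop is suspect.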

Cloud Security Overview
* Security in the cloud is likely better than you have in-house.
* Security is the SAME everywhere; WHO does which IA controls changes.
* Don't sell "cloud", offer security capabilities instead: end-to-end services.
* Few are 100% in the cloud, hence TWO environments to manage.
* ALL must use the same cloud security standards (and QA them in the SLA; supports SoS too): http://www.sciap.org/blog1/wp content/uploads/cloud Security Standards SEP 20131.xlsx
* Implement SCM / SIEM; integrate cloud metrics / status (& QA the SLAs).
* Service Level Agreements (SLAs) are not sufficient: trust but verify (orchestration SW?).
* Encrypt everywhere. Yes, more key management, but risks are greatly reduced.
* Data owners are always accountable for PII / privacy / compliance (& data location).
* Update the Risk Management Plan (RMP) = comms, COOP, with cloud R&R (roles and responsibilities): http://media.amazonwebservices.com/aws_risk_and_compliance_whitepaper.pdf
For more details see the paper "Cloud Security: What really matters?" at http://www.sciap.org/blog1/ (under "Cyber Body of Knowledge"). mike@sciap.org