Strategic Compliance & Securing the Cloud
Annalea Sharack-Ilg, CISSP, AMBCI, Technical Director of Information Security




Complexity and Challenges

Compliance
- Regulatory entities are just now catching up. Until recently we had to read between the lines of existing controls that did not address the cloud:
  - PCI DSS Virtualization Guidelines
  - NIST 800-125, Guide to Security for Full Virtualization
  - NIST 800-144, Guidelines on Security and Privacy in Public Cloud Computing
- Complexity of the management functions that must be secured in a multi-tenant community/public/hybrid cloud, with their dependencies and interconnections.
- Preserving the cloud's self-service, resource pooling and elasticity while maintaining compliance.
- Meeting regulatory compliance is very expensive and the timelines are challenging.
- Contractual hand-off of responsibilities: ownership vs. custodianship.
- Security maintenance, support and expertise.
- Cost: security tools are less expensive.
- Risk transfer.

Due Diligence & Liability

Prior to service provider engagement:
- Are existing policies, procedures, processes and controls strong enough to secure our sensitive information?
- What drives us to be in compliance?
- Are we in compliance, and what is our level of risk?
- What internal controls need to be re-evaluated and addressed?
- What roles and responsibilities am I willing to transfer?
- What are my deliverable expectations from a provider?
- Is data ownership and custodianship defined?

Cloud Security: Who Manages Each Layer, by Service Model

Layer            Colocation    Infrastructure (IaaS)   Platform (PaaS)   Software (SaaS)
Applications     You           You                     You               Provider
Data             You           You                     You               Provider
Runtime          You           You                     Provider          Provider
Middleware       You           You                     Provider          Provider
O/S              You           You                     Provider          Provider
Virtualization   You           Provider                Provider          Provider
Servers          You           Provider                Provider          Provider
Storage          You           Provider                Provider          Provider
Networking       You           Provider                Provider          Provider
Facility         Provider      Provider                Provider          Provider

("You" = you manage the layer; "Provider" = the provider manages it.)

Domains and Considerations

- Security Governance, Disaster Recovery, Contractual Ownership
- Compliance as a Service
- Secure Connectivity
- Network Perimeter Security Solutions + DDoS Mitigation
- Managed Services
- Information Services
- Colocation
- Cloud Platforms
- Data Management
- Alerting & Reporting
- Policies & Standards
- Hybrid Connectivity
- Monitoring
- Controlled Operations
- Vulnerability Management
- Physical & Environmental
- Asset Management
- Infrastructure Protection
- Storage & Segmentation
- Hypervisor Control
- Identity Management
- Application & End-point
- Presentation & Mobility
- Lifecycle

Common Missteps

- Failing to isolate sensitive network assets
- Not having a security / compliance process in place
- Not following policy and procedure when they are in place
- Access control negligence
- Ignoring warnings from anti-intrusion software
- Failing to identify a threat
- Involving third-party vendors that do not follow your process

Cloud Segmentation

Assurance properties: Availability, Confidentiality, Authorization, Auditability, Integrity

Policy layers:
- Application Policies: applications (security assurance)
- Machine Policies: VMs with network resource pools
- Infrastructure Policies: service provider requirements

Questions to ask the provider:
- Will my resources be up and running?
- Can my data be altered by unauthorized access?
- Is environment access restricted to business need only?
- How is access control ensured?
- How are the controls monitored and verified?
- How am I segmented from other customers?

Best Practices

- Restrict access to business need
- Logically segment, or dedicate the entire environment
- Encrypt data at rest and over transmission
- Monitor, audit and report
- Vulnerability management
- Security maintenance
- Integrity controls
- Contractual roles and responsibilities
- Understand the provider's cloud definition
- Transfer of risk and analysis
- Validation

Compliance is challenging, but achievable with the right strategy and the right resources. Communicate internally between business units, information technology and security departments, and with the provider, to understand process, requirements and security controls. Learn your compliance requirements, plan with an experienced provider and communicate expectations to associates, vendors and partners.

anna.sharack@viawest.com
www.linkedin.com/in/annaleailg/

ViaWest, Inc. Confidential. All Rights Reserved.