Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government


Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government
April 13, 2016
Presenter: Carlo Di Giulio
Advisor: Dr. Masooda Bashir

Focus of the Research
- Security and privacy risks and pitfalls in commercial cloud services
- Help the US Air Force identify which of the selected Cloud Service Providers (CSPs) are the most secure and convenient for the US Government
- Spot possible market trends
- How service providers are addressing government needs

Focus of the Research The research currently focuses on 5 major CSPs

Structure
The research is organized in three pillars:
- Norms, regulations, and guidelines
- Products and services
- General privacy and security policies

Pillar I: Norms and Guidelines
Different levels of security, different controls and authorizations

Pillar I: Norms and Guidelines
The authorization process to provide a service to the DoD is rather complex.
Image: The FedRAMP and CC SRG Roadmap (1)

Pillar II: Offering
Each CSP offers a number of services that may be classified and compared to others.
We classified the products and services of each service provider into 3 main categories (NIST 500-292):
- IaaS
- PaaS
- SaaS

Pillar II: Offering
A few examples (cells left blank where the slide listed no product for that CSP):

| Service | AWS | Microsoft (Azure) | Google CS | IBM Softlayer | VMware |
|---|---|---|---|---|---|
| Data Analytics | | Event Hubs | BigQuery | | vRealize Operations Manager |
| Cloud Monitoring | Amazon CloudWatch | | Cloud Monitoring | Monitoring & Reporting | |
| Compute | Amazon EC2 | Cloud Services | App Engine | Virtual Servers | Compute |
| Relational Database | Redshift | SQL Database | Cloud SQL | | Continuent |
| Identity Management | AWS IAM | Active Directory | Cloud IAM | | Identity Manager |

Pillar III: Policies
In order to classify the policies, standardization and classification are required:
- NIST 800-53
- FedRAMP Baseline (medium - high)
- Frameworks issued by credible NGOs:
  - AICPA (SOC 2 criteria)
  - CSA (CCM 3.0.1)

Pillar III: Policies - Examples
Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.1)
- "AWS Identity and Access Management (IAM) lets [the tenant] manage several types of long-term security credentials for IAM users" (2)
- "(...) must at a minimum meet Microsoft internal IT requirements, but an internal organization can increase the strength past this standard" (3)
- "Not at this time" (4)

Pillar III: Policies - Examples
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? (EKM 03.02 Indicator, CCM 3.0.1)
- "(...) option of encrypting customer data transmitted to and from Microsoft datacenters over public networks. (...) private networks with encryption for replication of non-public customer data between Microsoft datacenters" (3)
- "Yes. (...) uses AES-256 encryption to encapsulate in-transit workloads. For in-cloud vMotion activities, a dedicated, secure and encrypted network is used exclusively for this purpose (...)" (4)
- "Tenant Control Consideration" (5)

Next Steps
- Conclude the policy analysis
- Select relevant policy indicators
- Cross-reference policies and services
- Explore features and differences among services in more detail
- Collaborate with a Technical SME (CS Grad Student) to specify security criteria for the analysis

Thanks for your Attention!
For more information:
Carlo Di Giulio: cdigiul2@illinois.edu
Dr. Masooda Bashir: mnb@illinois.edu

References
(1) Bockelman, P. and McDermott, A. (2015). DoD-Compliant Implementations in the AWS Cloud. Reference Architectures. Amazon Web Services, April 2015. Retrieved from https://aws.amazon.com/compliance/dod/
(2) Amazon WS (2016). Amazon Web Services: Risk and Compliance. White Paper. Retrieved from http://aws.amazon.com/compliance/aws-whitepapers/
(3) Microsoft (2015). Standard Response to Request for Information: Microsoft Azure Security, Privacy, and Compliance. White Paper. Retrieved from https://cloudsecurityalliance.org/
(4) VMware (2015). VMware vCloud Air IaaS CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/
(5) Softlayer (2016). CAIQ V1.0 - Consensus Assessments Initiative Questionnaire V3.0.1. Retrieved from https://cloudsecurityalliance.org/