The Business of Security in the Cloud


The Business of Security in the Cloud. Dr. Pamela Fusco, Vice President, Industry Solutions, Solutionary Inc. CISSP, CISM, CHSIII, IAM; NSA/CSS Adjunct Faculty

Promises, Promises. The promise of cloud computing is arguably revolutionizing the IT services world by transforming computing into a ubiquitous utility, leveraging attributes such as increased agility, elasticity, storage capacity and redundancy to manage information assets.

Defining Cloud
- On-demand provisioning
- Elasticity
- Multi-tenancy
- Key types:
  - Infrastructure as a Service (IaaS): basic O/S and storage
  - Platform as a Service (PaaS): IaaS + rapid development
  - Software as a Service (SaaS): complete application
- Public, Private, Community and Hybrid Cloud deployments

Cloud "as a Service" (aaS) layers: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

Top Threats to Cloud Computing: Cloud Security Risks / Threats
- Shared Technology Vulnerabilities
- Data Loss/Data Leakage
- Malicious Insiders
- Account/Service and Traffic Hijacking
- Insecure APIs
- Nefarious Use of Service
- Unknown Risk Profile

Enterprise CIO Strategies (slide chart; data not transcribed)

Enterprise CIO Technology Priorities (slide chart; data not transcribed)

Survey Results 2009: Top Ranked Threats

Rank  Threat                                          Percent
1     Data Loss/Leakage                               28.8%
2     Abuse and Nefarious Use of Cloud Computing      17.8%
3     Insecure APIs                                   15.1%
4     Malicious Insiders                              11.0%
5     Account/Service and Traffic Hijacking            9.6%
6     Unknown Risk Profile                             9.6%
7     Shared Technology Vulnerabilities                8.2%

Top Threats to Cloud Computing Report 2010. "Cloud services are clearly the next generation of IT to be mastered. We have a shared responsibility to understand the security threats that accompany the cloud and apply the necessary best practices to mitigate them," said Jim Reavis, founder of the Cloud Security Alliance. The objective of this report was not only to identify those threats which are most germane to IT organizations but also to help organizations understand how to proactively protect

Together These Threats Magnify
- Abuse and nefarious use of cloud computing: includes exploits such as the Zeus botnet, Trojans (information gathering) and malformed software
- Not all threats are rooted in malicious intent
- Social networking sites require multiple APIs
- Together, these threats comprise a combination of existing vulnerabilities that are magnified in severity in cloud environments, as well as new, cloud-specific techniques that put data and systems at risk
- Additional threats outlined in the research include: Malicious Insiders; Shared Technology Vulnerabilities; Data Loss/Leakage; Account/Service and Traffic Hijacking

P2
- "Point in time" is non-existent: real-time and continuous diligence
- Everything is an asset
- If you're hot, you're a target; if you're new, you're vulnerable; if you're old, you're vulnerable
- You can no longer drive a standard (manual); you must have an automatic
- One-to-many is a must-have
- Collaboration is key
- My 70-year-old mother is addicted to Facebook: she is a weak link
- Identity management will become DNA
- No more wire hangers
- MDM is a challenge

Summary
- Cloud Computing is real and transformational
- Challenges for People, Process, Technology, Organizations and Countries
- Broad governance approach needed
- Tactical fixes needed
- Combination of updating existing best practices and creating completely new best practices
- Common sense is not optional

Always Use Protection. Thank you!

About the Cloud Security Alliance
- Global, not-for-profit organization
- Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on
- We believe Cloud Computing has a robust future; we want to make it better
- Mission: to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing

Membership
- 50 Corporate Members
- 14 non-profit affiliations
- Over 90,000 individual members, growing by 200/week
- Broad geographical distribution
- Working Group activities performed through the individual membership class

Cloud Controls Matrix Tool
- Controls derived from guidance
- Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
- Customer vs. Provider role
- Mapped to ISO 27001, COBIT, PCI, HIPAA
- Helps bridge the gap for IT and IT auditors
- www.cloudsecurity.org/cm.html

Trusted Cloud Initiative
- Getting SaaS and PaaS to be Relying Parties for corporate directories
- Scalable federation
- Outline responsibilities for Identity Providers
- Assemble with existing standards
- Proof of concept
- Certification criteria and seal
- www.cloudsecurity.org/trustedcloud.html

Consensus Assessments Initiative
- New CSA project
- Initial chair: Jason Witty, Bank of America
- Research tools and processes to perform shared assessments of cloud providers
- Lightweight "common criteria" concept
- Kickoff meeting and working session in Chicago, May 12
- Focused on leveraging existing tools and projects

Cloud Metrics Research
- Identifying CSA guidance we can build metrics for
- Initially developing metrics for GRC, encryption, key management and IdM
- Survey industry on maturity
- Create baseline capability
- Deliverable timeline not set

Key cloud assurance issues
- Must adapt security controls to an all-virtual world
- Challenges with geographical location and jurisdiction
- Challenges with provider transparency
- Tools, research and standards evolving to assist the effort
- The best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture