Cloud Computing Lectures. Cloud Security


Cloud Computing Lectures Cloud Security 1/17/2012

Why is security important for cloud computing?
- Multi-tenancy: the same infrastructure, platform or service is shared among many customers (tenants).
- It is accessed over the Internet.
- Data is stored in the cloud, outside the customer's premises.
- Together this means a greater attack surface.

Evaluate risks
- Which resources are to be put in the cloud (data, service, application)?
- How sensitive is each resource?
- What risk is associated with the deployment model: where will the data and the functionality reside?
- Which service model is used?
- Evaluate the data access methods particular to the cloud provider.

6 questions a CIO should ask
1. How does your vendor plan on securing your data? You need to understand how the provider's physical security, personnel, access controls and architecture work together to build a secure environment.
2. Do they secure the transactional data as well as the data at rest? Do they truly provide end-to-end encryption, with protection in place while the data is in transit and while it is at rest in storage? Cloud security should also go beyond data encryption to include encryption key management.
3. Does the vendor follow secure development principles?
4. What are the vendor's security certifications, audits and compliance mandates?
5. How does your vendor detect a compromise or intrusion?
6. What are their disaster recovery plans, and how does data security figure into those plans?

What is a golden system image?
- A concept similar to the Last Known Good Configuration (LKGC): a known-good baseline captured through a snapshot feature.
- It can cover machine images, application and data images, and network configuration (interfaces, firewall, switch).
- The current state of a system is compared against the golden image to detect drift, a threat or a vulnerability.
- A cloud provider generally publishes a page stating which certifications and accreditations it holds.
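The comparison against a golden image, as an added example that is not part of the lecture slides: a manifest of file hashes is taken from the baseline and diffed against the running system, which is how file-integrity tools report drift. The "golden" tree and the drifted tree are constructed in a temporary directory so the code runs offline; the file names and contents are made up for the demonstration.

```python
"""Detect drift from a golden image by comparing SHA-256 manifests.
Added example, not from the lecture. The file tree below is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Walk root and record the SHA-256 of every regular file, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(golden: dict, current: dict) -> dict:
    """Files added, removed and modified in `current` relative to the golden manifest."""
    added = sorted(set(current) - set(golden))
    removed = sorted(set(golden) - set(current))
    modified = sorted(p for p in golden.keys() & current.keys() if golden[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Snapshot a constructed golden tree, simulate three kinds of drift, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed golden image: two config files.
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        golden = build_manifest(root)

        # Simulated drift on the running instance:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened setting
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")  # new file
        (root / "etc" / "hosts").unlink()                                    # deleted file

        return diff_manifests(golden, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the golden manifest is stored outside the instance it describes (otherwise an attacker who modifies files can modify the baseline too), and the comparison is run from a trusted host or at boot.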

The security boundary
- The security boundary marks the end of the provider's responsibility and the start of the customer's responsibility.
- Any security mechanism below the boundary is the provider's responsibility; any security mechanism above it is the customer's responsibility.
- The lower a layer sits in the service stack, the more its security is owned by the provider rather than by the customer.

The security boundary (diagram slide; figure not reproduced in the transcription)

Security mapping (what I need vs. what the cloud provider gives)
- Identify the various needs of your deployment: security features, compliance, auditing and other requirements.
- Then check which of these functions are covered by the cloud provider, and how many of them can be covered on premise.
- This gives an idea of the overall security coverage.
A security control model covers security related to the application, data, management, network, physical and hardware layers. It also includes compliance.

Securing data
Sending data to and retrieving it from the cloud is the single largest security concern: WAN traffic can be intercepted.
Mechanisms: access control, auditing, authentication, authorization.

Brokerage of cloud storage access
- Data can be anywhere: on premise, in a data center, in the cloud (in the same province, country or continent, or somewhere outside).
- It cannot be firewalled the way a client-server deployment can.
- The approach is to create layered access with a proxy in between.
- The proxy allows requests according to rules based on the client's identity.
- Multiple encryption keys can be used.

Brokerage of cloud storage access (flow)
1. Client: data request to the proxy.
2. Proxy: apply rules, restate the request.
3. Broker: modified data request to cloud storage.
4. Cloud storage: storage data reply.
5. Broker: relay the storage data to the proxy.
6. Proxy: data response to the client.
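The proxy and broker steps of the flow above in working code, as an added example that is not from the lecture. The policy table, the per-tenant keys and the storage backend are constructed in-memory stand-ins. The proxy applies identity-based rules, restates the request into the tenant's namespace (so a client can never name another tenant's objects), and binds each stored object to the tenant's own key. Integrity is shown with HMAC-SHA256 only; a real broker would also encrypt the blob with an authenticated cipher under the same per-tenant key.

```python
"""Brokered cloud storage access: identity-based rules, request restatement,
per-tenant keys. Added example, not from the lecture slides; policy, keys and
storage are constructed."""
import hashlib
import hmac
import secrets

# Constructed policy: which identity may perform which operations, confined to which prefix.
POLICY = {
    "alice": {"prefix": "tenant-a/", "ops": {"GET", "PUT"}},
    "bob":   {"prefix": "tenant-b/", "ops": {"GET"}},
}
# Constructed per-tenant keys: one key per zone, as the "multiple keys" point describes.
TENANT_KEYS = {name: secrets.token_bytes(32) for name in POLICY}


class AccessDenied(Exception):
    """Single answer for every rejected or unanswerable request; no detail leaks to the client."""


class CloudStorage:
    """Stand-in for the remote object store: path -> (blob, tag)."""
    def __init__(self):
        self._objects = {}

    def put(self, path, blob, tag):
        self._objects[path] = (blob, tag)

    def get(self, path):
        return self._objects.get(path)


class Broker:
    def __init__(self, storage=None):
        self.storage = storage or CloudStorage()

    @staticmethod
    def _tag(key, path, blob):
        # Bind the tenant key to both path and content, so an object copied or
        # renamed into another zone fails verification there.
        return hmac.new(key, path.encode() + b"\0" + blob, hashlib.sha256).digest()

    def _restate(self, client, op, path):
        """Step 2: check the rule for this identity and rewrite the path into its namespace."""
        rule = POLICY.get(client)
        if rule is None or op not in rule["ops"]:
            raise AccessDenied()
        parts = [p for p in path.split("/") if p]
        if not parts or any(p in (".", "..") for p in parts):
            raise AccessDenied()          # traversal out of the tenant prefix
        return rule["prefix"] + "/".join(parts)

    def handle(self, client, op, path, data=None):
        """Steps 2-6: apply rules, restate, call storage, verify, relay."""
        storage_path = self._restate(client, op, path)
        key = TENANT_KEYS[client]
        if op == "PUT":
            self.storage.put(storage_path, data, self._tag(key, storage_path, data))
            return True
        found = self.storage.get(storage_path)
        if found is None:
            raise AccessDenied()          # same answer as "not yours": existence is not revealed
        blob, tag = found
        if not hmac.compare_digest(tag, self._tag(key, storage_path, blob)):
            raise AccessDenied()          # stored under another tenant's key, or tampered
        return blob
```

Because the client never supplies the full storage path, the storage layer's own ACLs become a second line of defence rather than the only one; the broker can be audited centrally (every decision passes through `handle`), which is the "layered access" the slide asks for.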

Storage location and tenancy
Cloud providers state in the contract where data is stored. To do:
- Check the cloud provider against the local privacy law.
- What is the method of segregation in case of multi-tenancy?
- Who has privileged access?
- What type of encryption is used?
- Recoverability: has it been tested by security experts?
- What are the plans for disaster recovery (multi-site, etc.)?
Encryption: many providers, such as Microsoft and Amazon, allow multiple keys, which lets you create multiple zones. Key management needs to be dealt with seriously, and keys should have a defined life cycle.

Auditing & compliance
Auditing is about logging and inspecting events and activities, and verifying that the processes meet the relevant regulation or standard. Issues in the cloud: many sections may be applicable only to the provider, the provider might not be willing to cooperate, and the terms and conditions may not be covered in the SLA. A few things to be understood:
- Which regulations apply?
- Which of them apply to the provider, and where is the demarcation?
- How will the cloud provider support the audit?
- How will data be provided to the regulator, supplying the necessary information irrespective of who is responsible?

Auditing & compliance (continued)
The burden is with the client rather than the provider, so if it is risky, avoid it. Check data security and make sure there is no compromise on integrity. The situation is complicated further by multi-country possibilities. A few steps:
- Have the contract reviewed by legal staff.
- Get a right-to-audit clause into the SLA.
- Review the cloud service provider.
- Determine the scope of applicable regulations.
- Evaluate the steps needed to comply with each regulation.
- Adjust procedures accordingly.
- Collect and maintain evidence.
- Check with the provider whether they can give an audit statement.

Identity management
Identity management is a primary mechanism for controlling access to data in the cloud: preventing unauthorized access, maintaining user roles and complying with regulation. Cloud computing requires the following:
- that you establish an identity;
- that the identity be authenticated;
- that the authentication is portable;
- that authentication provides access to cloud resources.

Identity protocol standard
OpenID is the standard associated with creating an identity and having a third party authenticate the use of that digital identity. It is key to creating a Single Sign-On (SSO) system. Let's say that you're visiting a new web site that supports OpenID. When signing in, you will see a form that looks something like: (form not reproduced in the transcription)
After you submit the login form, your browser takes you from the web site you are visiting to your OpenID provider's web site. At this point, your provider checks to see if you are who you say you are. Once you've proven to your provider that you really are who you say you are, your provider wants to make sure that you want to log in to the requesting web site and that you are willing to share information with it.
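The exchange described above, as an added example that is not part of the lecture: the relying party (the web site you are visiting) redirects to the OpenID provider, the provider authenticates the user and asks for consent, and the browser carries a signed assertion back, which the relying party must verify before trusting it. The model is simplified: the association secret shared by the two parties is fixed here instead of negotiated, redirects are dict hand-offs, and the user table is constructed. Field names follow OpenID 2.0 (openid.mode, openid.return_to, openid.assoc_handle, openid.signed, openid.sig, openid.response_nonce); the checks in finish_login are the ones that separate a safe relying party from one that accepts any redirect that says "logged in".

```python
"""Redirect-based login modelled on the OpenID 2.0 flow the slide describes.
Added example, not from the lecture. Association, users and endpoints are
constructed; this is not a complete OpenID implementation."""
import base64
import hashlib
import hmac
import secrets
import time

ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = secrets.token_bytes(32)   # normally the output of an OpenID association
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def sign_fields(params, fields, secret):
    """OpenID 2.0 key-value signing: 'key:value\\n' per signed field, 'openid.' prefix dropped."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    mac = hmac.new(secret, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class OpenIDProvider:
    endpoint = "https://op.example/openid"

    def __init__(self, users):
        self.users = users   # constructed username -> password table

    def authenticate_and_assert(self, request, username, password, consent):
        """Provider side: check who you are, then that you consent to share with this RP."""
        if not hmac.compare_digest(self.users.get(username, ""), password) or not consent:
            return {"openid.mode": "cancel"}
        identity = f"https://op.example/id/{username}"
        if request["openid.claimed_id"] != identity:
            return {"openid.mode": "cancel"}   # authenticated as someone other than claimed
        if not request["openid.return_to"].startswith(request["openid.realm"]):
            return {"openid.mode": "cancel"}   # return_to must lie inside the RP's realm
        resp = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": identity,
            "openid.identity": identity,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                     + secrets.token_hex(4),
            "openid.assoc_handle": ASSOC_HANDLE,
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        resp["openid.sig"] = sign_fields(resp, SIGNED_FIELDS, ASSOC_SECRET)
        return resp


class RelyingParty:
    def __init__(self, realm):
        self.realm = realm
        self.return_to = realm + "/openid/return"
        self.seen_nonces = set()

    def start_login(self, claimed_id):
        """Parameters the RP puts on the redirect to the provider (step after the login form)."""
        return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
                "openid.identity": claimed_id, "openid.return_to": self.return_to,
                "openid.realm": self.realm, "openid.assoc_handle": ASSOC_HANDLE}

    def finish_login(self, resp):
        """Verify the assertion the browser carried back; return the authenticated identity."""
        if resp.get("openid.mode") != "id_res":
            raise ValueError("login cancelled or failed at the provider")
        if resp.get("openid.return_to") != self.return_to:
            raise ValueError("assertion was issued for a different return_to")
        if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
            raise ValueError("unknown association")
        signed = resp.get("openid.signed", "").split(",")
        if any(f not in signed for f in SIGNED_FIELDS):
            raise ValueError("a required field is not covered by the signature")
        expected = sign_fields(resp, signed, ASSOC_SECRET)
        if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
            raise ValueError("bad signature: assertion forged or tampered")
        nonce = resp["openid.response_nonce"]
        if nonce in self.seen_nonces:
            raise ValueError("replayed assertion")
        self.seen_nonces.add(nonce)
        return resp["openid.claimed_id"]
```

The order of checks in finish_login matters: return_to and the association are checked before the signature so a stolen assertion for another site is rejected outright, and the nonce is recorded only after the signature verifies so an attacker cannot burn nonces with forged messages.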