CONTENTS BACKGROUND CLOUD MODELS SECURITY CONSIDERATIONS MANAGING RISK.

01 | BACKGROUND

PONDURANCE
- Security: Penetration Testing, Application Security Testing, Forensics
- Continuity: BCP/DRP, vCISO, Risk Management, Vendor Management
- Compliance: PCI QSA, HITRUST, all the acronyms
- Threat Hunting and Response: Network, Log, Host; Closed Loop Incident Response

DUSTIN HUTCHISON, PARTNER AT PONDURANCE
- Responsibility: Operations and Delivery (EST/AST, Continuity and Compliance, SOC)
- Teaching: Sullivan University, Embry-Riddle Aeronautical University, and Ivy Tech
- Research focus: Cloud computing (Dissertation: Factors affecting the adoption of cloud computing in healthcare)
- Alphabet soup: CISSP, CISA, CRISC, CCSFP, GCIH, PCI QSA

CONCLUSION (SNEAK PEEK) Your "cloud" providers should be addressed in your general risk management strategy with a repeatable process (and reviewed periodically). (I know, sounds simple, but how do we put this process in place?)

02 | CLOUD MODELS

CLOUD CONTEXT
- Confidentiality, Integrity, and Availability (CIA)
- Defense in Depth
- Cloud Current State vs Future State
- Responsibility

CLOUD MODELS: DEFENSE IN DEPTH (layers, outermost to innermost)
- Policies, Procedures, and Awareness
- Physical
- Perimeter
- Internal Network
- Host
- Application
- Data

CLOUDS IN DEPTH

CURRENT STATE vs FUTURE STATE (NIST SP 800-145)
Service Models:
- Software as a Service (SaaS), top layer: Google Apps, Salesforce, Microsoft Office 365
- Platform as a Service (PaaS), middle layer: Google App Engine, AWS Elastic Beanstalk
- Infrastructure as a Service (IaaS), bottom layer: AWS, Azure
Deployment Models:
- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Cloud

RESPONSIBILITY Reference: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/

FOG COMPUTING (not kidding, NIST SP 500-325)
- Focus on Internet of Things (IoT) devices
- Name may shift (fog computing, mist computing, cloudlets, or edge computing)

03 | SECURITY CONSIDERATIONS

REASONS FOR ADOPTION Image source: https://www.cisco.com/c/en/us/products/security/security-images-acr2018.html

12 TOP CLOUD SECURITY THREATS? CSO Online article top threats list:
1. Data breaches
2. Insufficient identity, credential, and access management
3. Insecure interfaces and application programming interfaces
4. System vulnerabilities
5. Account hijacking
6. Malicious insiders
7. Advanced persistent threats
8. Data loss
9. Insufficient due diligence
10. Abuse and nefarious use of cloud services
11. Denial of service
12. Shared technology vulnerabilities
...This list doesn't feel specific to cloud providers.

NOTABLE BREACHES
1. Microsoft (2010): minor, but early. A 2-hour issue in which a Microsoft configuration error let non-authorized users see employee contact info.
2. Dropbox (2012): 68 million user passwords.
3. National Electoral Institute of Mexico (2016): 93 million voter registration records compromised.
4. LinkedIn (2012): 6 million user passwords.
5. Home Depot (2014): point of sale terminals, 56 million credit card numbers.
6. Apple iCloud (2014): iCloud hack, celebrity photos.
7. Yahoo (2013): one billion user accounts.

A. SECURITY (through trusted on-prem platforms (or obscurity)?) Reference: ftp://public.dhe.ibm.com/software/os/systemz/pdf/HPINTEGRITYVSSYSTEMZ10ES.pdf

B. SECURITY (through compliance?)
GLBA:
- Designate responsible party
- Identify applications hosting or transacting customer information
- Assess risks to customer information
- Design, monitor and test assessment program
- Hold service providers to same standards
- Continue to evaluate and adjust programs
PCI DSS:
- Protect cardholder data
- Manage vulnerabilities
- Provide strong access controls
- Monitor and test
- Maintain policies

C. SECURITY (through framework alignment?)

D. ALL OF THE ABOVE: Yes, this one. Probably.

04 | MANAGING RISK

MANAGING RISK: HOW?
- Vendor Management
- Risk Assessment
- Risk Remediation / Risk Acceptance
- Continued Monitoring

VENDOR MANAGEMENT PROCESS
1. Business Need: Justification
2. Vendor Identification: Data Gathering, Vendor Questionnaire, Contract Review (Legal)
3. Risk Assessment: Assessment*, Remediation / Acceptance
4. Legal Review: Contract, Risk Review
5. Operational Integration: Resource Planning, Framework Steps (CMDB, DR/BCP, Monitoring, etc.)
6. Continuous Monitoring: SaaS vs PaaS vs IaaS, VMP, IR, etc.

RISK ASSESSMENT
- Is a third party risk assessment or CSA CCM report good enough?
- Is HITRUST or SOC 2 good enough?
- What is your internal process?
Consultant response: It depends, but your due diligence is important.

RISK TREATMENT
- Accept
- Avoid
- Mitigate
- Share
- Transfer

GAME TIME (which of these are cloud-specific?)
- Data breaches
- Insufficient identity, credential, and access management
- Insecure interfaces and application programming interfaces
- System vulnerabilities
- Account hijacking
- Malicious insiders
- Advanced persistent threats
- Data loss
- Insufficient due diligence
- Abuse and nefarious use of cloud services
- Denial of service
- Shared technology vulnerabilities

QUESTIONS? THANK YOU. CLOUD COMPUTING