Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessing the Security of the Cloud

Published byFarida Santoso Modified over 6 years ago

Similar presentations

Presentation on theme: "Assessing the Security of the Cloud"— Presentation transcript:

1

2 Assessing the Security of the Cloud
What Should you ask your vendors? Steve Deitrick, VP, Global Information Security John Heimann, VP, Global Product Security Jari Peters, VP, Security, Risk Management and Regulatory Compliance October 25, 2018

3 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

4 Session Objective Give you tips and techniques on how to assess the security of your cloud vendors: What do you need to consider when moving to the cloud? What goes into securing a cloud? How do you ask about it? How should IaaS/PaaS/SaaS/DaaS offerings affect your security expectations?

5 Panelist Introductions
Steve Deitrick Vice President, Global Information Security (GIS) John Heimann Vice President, Global Product Security (GPS) Security Program Management (SPM) Jari Peters Vice President, Security, Risk Management and Regulatory Compliance, Global Business Units

6 Why are you considering the cloud?
Cost Flexibility Scalability Security Professional management/patching/operations

7 Specific requirements:
Security and Compliance Requirements Regulatory, Industry and Corporate Security Requirements – Example GLBA, GDPR, SOC1/2, HIPAA, PCI DSS, ISO 27001 Attestations/Audits/Certifications Available Direct Audit of Cloud – If Supported Scanning/Penetration Testing – If Supported Monitoring – Preventative and Detective Security Incident Response – Monitoring, Logging, Response and Notification Operational Requirements SLA– Availability, Backups, DR Secure Integrations Between Cloud(s) and On-Premise Systems Level of Access you need to the Cloud Configuration/Change/Release Management Vulnerability Management/Security Fixes Access Control for Admins and End Users Data Retention, Deletion and Portability Backup and DR Testing

8 What does it take to securely deliver cloud services?
The obvious things: Operational security – who has access to your data and how is protected? Independent validations - Pentesting

9 What does it take to securely deliver cloud services?
The not-so obvious things: Supply chain – components developed in-house? (and reliance on open source and third party components) Architecture – multitenancy? Development assurance – building security in vs. bolting it on?

10 Why does Oracle have a unique perspective?
Oracle is a cloud service provider IaaS, PaaS, SaaS, DaaS Oracle is in a unique position for its cloud supply chain (see next point) Oracle is a cloud technology vendor Hardware Operating system/VM Platform (Database, Java) Applications Oracle is a cloud customer (we run our business on our cloud services and technologies) We also deal with third-party cloud vendors when we acquire organizations

11 What is the role of customer vs. provider for cloud security?
It depends on: Type of cloud service For SaaS, provider does almost everything For IaaS, provider secures technical infrastructure and customer has to do almost everything Don’t assume your vendor will perform security functions they don’t claim to do Single vs. multi-vendor approach Multiple cloud vendors means customer has to do integration and management across vendors Vertical (Iaas/PaaS/SaaS) and horizontal (multiple vendors’ PaaS or SaaS application) integration may be required

12 What can you determine about your providers’ security?
How should you ask your provider about security? Make use of standard questionnaires such as SIG and CAIQ Always ask in the context of the data type you’re expecting to place in the cloud, and the regulatory framework you have to abide to What are the value and limitations of third party Pen Tests or scans? Trust but verify: such tests cannot provide you an exhaustive view of your supplier’s security practices Understand that most Cloud providers do not have more insight into the technologies they’re using than you do This is why Oracle Software Security Assurance is important

13 Conclusion Security in the cloud requires customers’ involvement (shared security model) One size does not fit all (let your requirements determine fit) Compliance in the cloud doesn’t happen magically You need to understand that securing a cloud is a complex and multi- facetted discipline Ask the right questions: be specific and disciplined

14

Download ppt "Assessing the Security of the Cloud"

Similar presentations

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Your customer as a segment of one That changes every second! Hein Van Der Merwe Chief.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Your customer as a segment of one That changes every second! Hein Van Der Merwe Chief.
Internet of Things Security Architecture

Internet of Things Security Architecture
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Oracle Cloud Marketplace Neelesh Gurnani Director, Product Development Arif Khan Director, Product Management September 29, 2014 Copyright © 2014, Oracle.

Oracle Cloud Marketplace Neelesh Gurnani Director, Product Development Arif Khan Director, Product Management September 29, 2014 Copyright © 2014, Oracle.
The Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated.

The Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated.
American Airlines AAdvantage®:

American Airlines AAdvantage®:
Cloud Brokers and the Health Industry Andrea Bilobrk.

Cloud Brokers and the Health Industry Andrea Bilobrk.
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit The Newest JDE Module – Rental Management Joel Sandberg Sales Consultant.

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit The Newest JDE Module – Rental Management Joel Sandberg Sales Consultant.
© 2009 Oracle Corporation. S311443 : Slash Storage Costs with Oracle Automatic Storage Management Ara Vagharshakian ASM Product Manager – Oracle Product.

© 2009 Oracle Corporation. S : Slash Storage Costs with Oracle Automatic Storage Management Ara Vagharshakian ASM Product Manager – Oracle Product.
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit PaaS from an Applications Perspective Charles McGuinness Director,

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit PaaS from an Applications Perspective Charles McGuinness Director,
Oracle Confidential – Internal/Restricted/Highly RestrictedCopyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Identity Management.

Oracle Confidential – Internal/Restricted/Highly RestrictedCopyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Identity Management.
QAD Customer Day – Santa Clara, CA QAD Customer Value Day WELCOME!

QAD Customer Day – Santa Clara, CA QAD Customer Value Day WELCOME!
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle Health Sciences Global Business Unit Strategy Steve Rosenberg Senior Vice.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle Health Sciences Global Business Unit Strategy Steve Rosenberg Senior Vice.
A New IMS-Like Architecture for Enterprise Applications Reid Stidolph Master Principle Solutions Architect Communications Global Business Unit October.

A New IMS-Like Architecture for Enterprise Applications Reid Stidolph Master Principle Solutions Architect Communications Global Business Unit October.
© Cloud Security Alliance, 2015 Sean Cordero, Chair CCM Laura Posey, Chair CAIQ.

© Cloud Security Alliance, 2015 Sean Cordero, Chair CCM Laura Posey, Chair CAIQ.
RMB Billing UX Design Concepts / Proposals Peter Picone.

RMB Billing UX Design Concepts / Proposals Peter Picone.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Improving Agility in Product Development and Pricing to Gain a Competitive Edge.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Improving Agility in Product Development and Pricing to Gain a Competitive Edge.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. An Auto-Join Network of Things Wong, H. and Wesson, B. Oracle Confidential – Internal/Restricted/Highly.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. An Auto-Join Network of Things Wong, H. and Wesson, B. Oracle Confidential – Internal/Restricted/Highly.
1Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8 Contract Management.

1Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8 Contract Management.
4. November 2014 OOW2014 Fredi Dorbek. © Swedbank 2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended.

4. November 2014 OOW2014 Fredi Dorbek. © Swedbank 2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended.

Similar presentations

Ads by Google