CONTENTS BACKGROUND CLOUD MODELS SECURITY CONSIDERATIONS MANAGING RISK.



2 CONTENTS BACKGROUND CLOUD MODELS SECURITY CONSIDERATIONS MANAGING RISK

3 01 | BACKGROUND

4 PONDURANCE
SECURITY: Penetration Testing, Application Security Testing, Forensics
CONTINUITY: BCP/DRP, vCISO, Risk Management, Vendor Management
COMPLIANCE: PCI QSA, HITRUST, all the acronyms
THREAT HUNTING AND RESPONSE: Network, Log, Host – Closed Loop Incident Response

5 DUSTIN HUTCHISON
PARTNER AT PONDURANCE: Operations and Delivery (EST/AST, Continuity and Compliance, SOC) responsibility
TEACHING: Sullivan University, Embry-Riddle Aeronautical University, and Ivy Tech
RESEARCH FOCUS: Cloud computing (Dissertation: Factors affecting the adoption of cloud computing in healthcare)
ALPHABET SOUP: CISSP, CISA, CRISC, CCSFP, GCIH, PCI QSA

6 CONCLUSION (SNEAK PEEK)
Your "Cloud" providers should be addressed in your general risk management strategy with a repeatable process (and reviewed periodically). (I know, it sounds simple, but how do we put this process in place?)

7 02 | CLOUD MODELS

8 CLOUD CONTEXT
Confidentiality, Integrity, and Availability (CIA)
Defense in Depth
Cloud Current State vs Future State
Responsibility

9 CLOUD MODELS – DEFENSE IN DEPTH
Layers, outermost to innermost:
  Policies, Procedures, and Awareness
  Physical
  Perimeter
  Internal Network
  Host
  Application
  Data

10 CLOUDS IN DEPTH

11 CURRENT STATE vs FUTURE STATE (NIST SP800-145)
Service Models:
  Software as a Service (SaaS) – Top: Google Apps, Salesforce, Microsoft Office 365
  Platform as a Service (PaaS) – Middle: Google App Engine, AWS Elastic Beanstalk
  Infrastructure as a Service (IaaS) – Bottom: AWS, Azure
Deployment Models:
  Private Cloud
  Community Cloud
  Public Cloud
  Hybrid Cloud

12 RESPONSIBILITY Reference:


14 FOG COMPUTING (not kidding, NIST SP500-325)
Focus on Internet of Things (IoT) devices
Name may shift (fog computing, mist computing, cloudlets, or edge computing)

15 03 | SECURITY CONSIDERATIONS

16 REASONS FOR ADOPTION Image source:

17 12 TOP CLOUD SECURITY THREATS?
CSO Online article top threats list:
  Data breaches
  Insufficient identity, credential, and access management
  Insecure interfaces and application programming interfaces
  System vulnerabilities
  Account hijacking
  Malicious insiders
  Advanced persistent threats
  Data loss
  Insufficient due diligence
  Abuse and nefarious use of cloud services
  Denial of service
  Shared technology vulnerabilities
…This list doesn't feel specific to cloud providers.

18 NOTABLE BREACHES
1. Microsoft (2010) – minor, but early: 2 hour issue, MS configuration exposed non-authorized users to see employee contact info
2. Dropbox (2012) – 68 million user passwords
3. National Electoral Institute of Mexico (2016) – 93 million voter registration records compromised
4. LinkedIn (2012) – 6 million user passwords
5. Home Depot (2014) – point of sale terminals, 56 million credit card numbers
6. Apple iCloud (2014) – iCloud hack, celebrity photos
7. Yahoo (2013) – one billion user accounts

19 A. SECURITY (through trusted on-prem platforms (or obscurity)?)
Reference: ftp://public.dhe.ibm.com/software/os/systemz/pdf/HPINTEGRITYVSSYSTEMZ10ES.pdf

20 B. SECURITY (through compliance?)
GLBA:
  Designate responsible party
  Identify applications hosting or transacting customer information
  Assess risks to customer information
  Design, monitor and test assessment program
  Hold service providers to same standards
  Continue to evaluate and adjust programs
PCI DSS:
  Protect cardholder data
  Manage vulnerabilities
  Provide strong access controls
  Monitor and test
  Maintain policies

21 C. SECURITY (through framework alignment?)

22 D. ALL OF THE ABOVE
Yes, this one. Probably.

23 04 | MANAGING RISK

24 MANAGING RISK – HOW?
Vendor Management
Risk Assessment
Risk Remediation / Risk Acceptance
Continued Monitoring

25 VENDOR MANAGEMENT PROCESS
Business Need: Justification
Vendor Identification: Data Gathering, Vendor Questionnaire, Contract Review (Legal)
Risk Assessment: Assessment*, Remediation / Acceptance
Legal Review: Contract, Risk Review
Operational Integration: Resource Planning, Framework Steps (CMDB, DR/BCP, Monitoring, etc.)
Continuous Monitoring: SaaS vs PaaS vs IaaS; VMP, IR, etc.

26 RISK ASSESSMENT
Is a third party risk assessment or CSA CCM report good enough?
Is HITRUST or SOC2 good enough?
What is your internal process?
Consultant response: It depends, but your due diligence is important.

27 RISK TREATMENT
Accept
Avoid
Mitigate
Share
Transfer

28 GAME TIME
  Data breaches
  Insufficient identity, credential, and access management
  Insecure interfaces and application programming interfaces
  System vulnerabilities
  Account hijacking
  Malicious insiders
  Advanced persistent threats
  Data loss
  Insufficient due diligence
  Abuse and nefarious use of cloud services
  Denial of service
  Shared technology vulnerabilities

29 QUESTIONS? THANK YOU. CLOUD COMPUTING
