Avoiding a mushroom cloud

Risk management challenges in the cloud.
    Presentation Transcript

    • How to Avoid Becoming the Victim of a “Mushroom” Cloud: Assessing the Security Ecosystem of Your Cloud Service Provider. Presented by Brad Bemis. © 2011 Network Computing Architects, all rights reserved
    • Introduction • Rehashing the Basics • Are You Ready for the Cloud? • Is the Cloud Ready for You? • Evaluating Service Providers • Moving to the Cloud • Contingency Planning • Resources
    • Rehashing the Basics
      • What is the cloud?
        Essential Characteristics: On-demand Self-service; Broad Network Access; Resource Pooling; Rapid Elasticity; Measured Service
        Service Models: Software as a Service; Platform as a Service; Infrastructure as a Service; Security as a Service
        Deployment Models: Private Cloud; Public Cloud; Hybrid Cloud; Community Cloud; Vertical Cloud
      • What are the benefits?
        Value Added Through: Focus on Core Business; Functional Alignment; Competitive Advantage; Economies of Scale; Universal Access; Standardization
        Reductions In: Cost; Complexity; Resource Overhead; Compliance Issues
        Increases In: Operational Efficiency; Resource Availability; General Adaptability; Organizational Responsiveness
      • What are the risks? (This is just a partial list!)
        Contractual Limitations; Asset Management; Loss of Control; Limited Visibility; Portability of Assets; Isolation Failures; Data Leakage; Data Persistence; Interface Compromises; Service Engine Compromises; Crypto Management Failures; Software Licensing Confusion; Configuration Conflicts; Economic DOS; Network Interception; Malicious Insiders; Resource Exhaustion; Poor Performance; Service Degradation; Outages and Downtime; Jurisdictional Concerns; E-Discovery Issues; Incident Handling Methods; Law Enforcement Involvement; Legal/Regulatory Compliance; Provider Failure/Service Termination
    • Are You Ready for the Cloud?
      • Have you thought about your data?
        What data is going into the cloud? What is the value/sensitivity of the data? Who will interact with the data? How will the data be accessed? How will the data be used?
      • Have you defined your requirements?
        Business requirements; Technology requirements; Compliance requirements; Security requirements; Operational requirements
    • Are You Ready for the Cloud?
      • Have you considered the risks?
        Contractual Limitations; Asset Management; Loss of Control; Limited Visibility; Portability of Assets; Isolation Failures; Data Leakage; Data Persistence; Interface Compromises; Service Engine Compromises; Crypto Management Failures; Software Licensing Confusion; Configuration Conflicts; Economic DOS; Network Interception; Malicious Insiders; Resource Exhaustion; Poor Performance; Service Degradation; Outages and Downtime; Jurisdictional Concerns; E-Discovery Issues; Incident Handling Methods; Law Enforcement Involvement; Legal/Regulatory Compliance; Provider Failure/Service Termination
      • WAIT! How mature is your current security program?
    • Is the Cloud Ready for You?• Lots of things are happening!  Increased industry recognition  Better understanding of the issues  New ideas and approaches daily  CSA and others are leading the way!!! © 2011 Network Computing Architects, all rights reserved
    • Is the Cloud Ready for You?• Lots of things are happening!  Increased industry recognition  Better understanding of the issues  New ideas and approaches daily  CSA and others are leading the way!!!• We still have a long road to travel though!  Increased vigilance and accountability is a must!  Cloud providers have a clear responsibility here!  The market will ultimately determine whats right! © 2011 Network Computing Architects, all rights reserved
    • Is the Cloud Ready for You?• Lots of things are happening!  Increased industry recognition  Better understanding of the issues  New ideas and approaches daily  CSA and others are leading the way!!!• We still have a long road to travel though!  Increased vigilance and accountability is a must!  Cloud providers have a clear responsibility here!  The market will ultimately determine whats right!• Security is STILL the #1 barrier to cloud adoption  How do we move from barrier to enabler?  Are there any security models that can help? © 2011 Network Computing Architects, all rights reserved
    • Is the Cloud Ready for You?
      CSA Security Guidance: Version 3.0 Under Development
      The GRC Stack: Cloud Audit (A6); Cloud Controls Matrix; Assessment Questionnaire; Cloud Trust Protocol
    • Evaluating Service Providers
      • For this presentation:
        It's not about public vs. private vs. hybrid. It's not about SaaS, PaaS, IaaS. It's not about the technologies involved. It's not about using the cloud to “get out of jail for free”. You can't afford to fall for clever marketing schemes. Sending out a general questionnaire isn't going to cut it, especially if you're just filing the responses away. You have to do your homework.
      IT'S ABOUT DUE DILIGENCE!!!
    • Evaluating Service Providers
      • Let's frame the discussion in terms of risk management
      • The “gap” approach to assessments is insufficient
      • Many of our tools are gap based, not risk based
      • Even many of our risk-based tools are highly flawed
      • Applying flawed methods to unknowns is dangerous
      • The real question for cloud service providers is: “Can you provide me with an adequate degree of protection that is consistent with my established risk tolerance thresholds?”
      HOW DO WE FIND THE ANSWER?
    • Evaluating Service Providers
      • The true goal of a risk assessment is to help business leaders make informed/better decisions!!!
      • To meet this goal you need to assess the security ecosystem of your cloud service provider and deliver findings/recommendations that are: Clear; Concise; Meaningful; Actionable
      • There's a complication though... Providers are unlikely to let you peek behind the curtain. How would you know the difference?
    • Evaluating Service Providers: The Maturity Continuum
      You can learn a lot about a provider just by their response to the question “What security controls do you have in place?” The continuum runs from 0 (least mature) to 5 (most mature):
        - No Understanding of Security At All!
        - Acknowledgement of Security Issues
        - Verbal Assurances Made
        - Basic Contractual Language In Place
        - Security Controls Statement Made Available
        - General 3rd Party Assessment Done
        - SAS 70/SSAE 16 Audit Performed
        - Full ISO 27001 Cert Achieved
      THIS MAY BE ALL YOU HAVE TO WORK WITH!
    • Evaluating Service Providers: The Tools We'll Use
      • First of all, there's this great organization called the Cloud Security Alliance (CSA); you may have heard of them! They've built a “GRC Stack” of resources: Cloud Audit Toolset; Cloud Controls Matrix; Consensus Assessment Initiative Questionnaire
      • Next we'll add in resources from NIST and ENISA
      • Finally, we'll draw from FAIR and more from NIST
      • At the end we'll use a scorecard for comparison
    • Evaluating Service Providers: Assessment Process Flow
      Inputs: Fully Qualified Business Needs Description; Service Provider's Security Assertions
      Framework: CSA Guidance
      Data Collection: Controls Matrix; Consensus Questions (supplement as needed)
      Risk Catalogue: NIST 800-144 / ENISA Report (supplement as needed)
      Risk Analysis: Your Requirements; FAIR; Slightly Modified NIST 800-30 Reporting Format
      Output: Fully Informed Business Decision
    • Evaluating Service Providers: Business Needs (+Requirements)
      • What's “Fully Qualified” mean in a cloud context? Let's point back to your requirements for reference:
        Why are you moving to the cloud? Do you understand what the cloud is? Have you thought about the data? Are you ready for the cloud? Is your house in order?
        What business needs will you be satisfying? Where are your risk tolerance thresholds set? How will this align with your governance efforts? ...and lots more!
    • Evaluating Service Providers: Provider Assertions
      • Where is the provider on the maturity scale?
      • What type of assertions do you have to work with?
      • Did you send survey questions and get responses?
      • What else do you need for the assessment?
    • Evaluating Service Providers: CSA Guidance
      • Grab a copy of the Cloud Security Alliance's “Security Guidance for Critical Areas of Focus in Cloud Computing” (v 2.1)
        Describes 13 domains relevant to cloud security; offers a structure and advice for tackling cloud security challenges; provides a level of detail that you won't find anywhere else, and it's part of the GRC Stack! Should serve as an authoritative resource.
      • Version 3.0 in development – watch for it!
    • Evaluating Service Providers: Cloud Controls Matrix
      • This is where “the rubber meets the road”
      • A complete mapping of the cloud security domains as presented by the CSA
      • Includes applicability columns for SaaS, PaaS, IaaS based services, and provider vs. tenant responsibilities
      • Most importantly, it offers a direct mapping across every major security best practice in the industry: COBIT, HIPAA/HITECH, ISO 27001, NIST 800-53, PCI DSS 2.0, BITS, GAPP, etc.
      • Version 1.2 is out now; I added in the Jericho Forum piece!
    • Evaluating Service Providers: Consensus Questionnaire
      • Yet another component of the GRC Stack; the questionnaire is an invaluable data gathering tool
        Directly aligned with the Controls Matrix; asks very cloud specific questions; can be used to guide the assessment effort
      • Supplementation is recommended though
        Look at the BITS Shared Assessment Program; leverage the BITS Questionnaire (there's even a lite version); remember, BITS is already mapped to the Controls Matrix
      • Many other great resources out there...
    • Evaluating Service Providers: NIST and ENISA Materials
      • The CSA materials are great, but we also need a “Risk Catalogue” to help us go from a gap-based approach to a risk-based one
      • The CSA Guidance document is a great start, but there's more information needed
      • NIST 800-144 steps through a number of key issues and places them into a risk-based context
      • The ENISA Cloud Computing Assessment is an absolutely fantastic risk resource: a ‘must have’
    • Evaluating Service Providers: The FAIR Assessment Method
      • Now we need to use a risk analysis process to create a list of comparative, contextual results
      • Factor Analysis of Information Risk, by Jack Jones, is a REALISTIC approach to risk assessment/analysis
      • It provides a model for risk measurement that goes far beyond the traditional “threat + vulnerability = risk”
      • It takes into account things like: Loss Event Frequency, Threat Event Frequency, Contact (opportunity), Action (motive), Vulnerability, Threat Capability, Control Strength, Probable Loss Magnitudes, and more...
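    The following is an added example, not material from the deck or from NCA. It shows how the FAIR factors the slide lists combine into the “comparative, contextual results” the assessment needs: risk is loss event frequency times loss magnitude, loss event frequency is threat event frequency times vulnerability, and vulnerability is the probability that threat capability exceeds control strength. Each factor is a calibrated three-point estimate sampled by Monte Carlo, and the 90th-percentile annual loss is compared with the risk tolerance threshold the earlier slides ask you to set. The provider names, estimates and threshold are constructed for illustration, and a triangular distribution stands in for FAIR's PERT curve so that only the standard library is needed.

```python
"""Comparative FAIR-style risk analysis of cloud providers (added example)."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    lo: float
    ml: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        if self.hi == self.lo:           # point estimate, nothing to sample
            return self.lo
        # Triangular distribution as a stdlib stand-in for FAIR's PERT curve.
        return rng.triangular(self.lo, self.hi, self.ml)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario (e.g. data leakage) against one provider."""
    provider: str
    tef: Estimate          # threat event frequency: attempts per year
    threat_cap: Estimate   # threat capability, percentile 0-100
    control_str: Estimate  # provider control strength, percentile 0-100
    loss: Estimate         # probable loss magnitude per loss event, USD


def simulate_ale(s: Scenario, years: int = 5000, seed: int = 0) -> list:
    """Monte Carlo: one annualised loss figure per simulated year."""
    rng = random.Random(seed)            # seeded so a run is reproducible
    annual = []
    for _ in range(years):
        events = round(s.tef.sample(rng))
        loss = 0.0
        for _ in range(events):
            # A threat event becomes a loss event only when the attacker's
            # capability beats the control strength: FAIR's "vulnerability".
            if s.threat_cap.sample(rng) > s.control_str.sample(rng):
                loss += s.loss.sample(rng)
        annual.append(loss)
    return annual


def percentile(values, p: float) -> float:
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p / 100 * len(ordered)))
    return ordered[idx]


def summarise(s: Scenario, years: int = 5000, seed: int = 0) -> dict:
    """Mean and 90th-percentile annualised loss for one scenario."""
    ale = simulate_ale(s, years, seed)
    return {"provider": s.provider,
            "mean_ale": mean(ale),
            "p90_ale": percentile(ale, 90)}


def rank_providers(scenarios, tolerance: float, years: int = 5000) -> list:
    """Rank providers by tail (p90) annual loss and flag those whose tail
    loss exceeds the organisation's stated risk tolerance threshold."""
    rows = [summarise(s, years) for s in scenarios]
    for row in rows:
        row["within_tolerance"] = row["p90_ale"] <= tolerance
    return sorted(rows, key=lambda r: r["p90_ale"])


if __name__ == "__main__":
    # Constructed estimates: "Alpha" asserts stronger controls than "Beta"
    # but sees more attempts; both are judged against a $500k tolerance.
    scenarios = [
        Scenario("Alpha", Estimate(20, 40, 80), Estimate(30, 55, 85),
                 Estimate(60, 75, 90), Estimate(10_000, 60_000, 400_000)),
        Scenario("Beta", Estimate(5, 15, 30), Estimate(30, 55, 85),
                 Estimate(20, 45, 70), Estimate(10_000, 60_000, 400_000)),
    ]
    for row in rank_providers(scenarios, tolerance=500_000):
        print(row)
```

    The point of reporting a percentile rather than a single “high/medium/low” is that the business leader sees a loss figure in dollars per year that can be set directly against the tolerance threshold, which is what makes the result actionable.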
    • Evaluating Service Providers: NIST 800-30
      • Ultimately this contains a ‘traditional’ (insufficient) methodology for risk assessments
      • However, it does include a few things that FAIR only hints at (like System Characterization)
      • Appendix B offers a simple reporting outline that's actually quite useful when coupled with FAIR outputs
      • Using this as a tool to assist in shaping the final findings and recommendations report is invaluable
      • FAIR displaces most of the methodology though
      • 800-30 is due for an update, so keep an eye out
    • Evaluating Service Providers: The *INFORMED* Business Decision
      • With a clear, concise, meaningful, and actionable report in hand, business leaders can make much better management decisions about their cloud security risks
      • These business decisions may have a major influence on the future of the organization; moving to the cloud is no small undertaking, even at a micro level
      • Keep in mind that the report will only be as good as the quality of the information and level of effort that went into it though
    • Evaluating Service Providers
      • Now granted, this is a pretty involved process
      • Take what you need and do what makes sense
      • Just remember how important this could be to the future of your business
      • Don't forget the basic due diligence/due care mandate
      • You have a duty to protect your customers, partners, brand, etc.
      • No matter how much data you collect though, it's good to rate your top 2 or 3 providers against one another; a scorecard could be helpful
    • Evaluating Service Providers: Leveraging a “Score Card” Approach
      • YOUR Requirements
      • Choosing the Right Team
      • Objective Scoring Criteria
      • Clearly Defined Rating System
      • ‘Tie-Breaker’ Rules Just in Case
      Don't Forget: This is what you are trying to avoid!
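    As an added example (not the deck's own scorecard), here is what the five scorecard elements look like once written down: weighted criteria taken from your requirements, a rating scale that states what evidence earns each score, a must-have floor that disqualifies a provider no matter how well it does elsewhere, and tie-breaker rules agreed before the scoring team meets. The criteria, weights and provider ratings are constructed for illustration; in a real assessment each rating comes from the evidence gathered (questionnaire responses, audit reports, contract language).

```python
"""Provider selection scorecard with objective criteria and tie-breakers
(added example; criteria, weights and ratings are constructed)."""
from dataclasses import dataclass

# Clearly defined rating system: what evidence earns each score.
RATING_SCALE = {
    0: "no evidence or unanswered",
    1: "verbal assurance only",
    2: "contractual language in place",
    3: "independently assessed (third-party report or audit)",
    4: "certified and verified against your requirement",
}
MAX_RATING = max(RATING_SCALE)


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int             # relative importance from YOUR requirements
    must_have: bool = False
    floor: int = 0          # minimum rating a must-have criterion needs


def weighted_score(criteria, ratings):
    """Return (score 0-100, name of the disqualifying criterion or None)."""
    for c in criteria:
        r = ratings[c.name]
        if r not in RATING_SCALE:
            raise ValueError(f"{c.name}: rating {r} is not on the defined scale")
        if c.must_have and r < c.floor:
            return 0.0, c.name   # knock-out: other strengths cannot compensate
    total_weight = sum(c.weight for c in criteria)
    raw = sum(c.weight * ratings[c.name] for c in criteria)
    return round(100 * raw / (MAX_RATING * total_weight), 1), None


def rank(criteria, providers):
    """Rank providers best-first using pre-agreed tie-breaker rules:
    1. qualified providers before disqualified ones;
    2. higher weighted score;
    3. higher rating on the single heaviest criterion;
    4. higher weakest-link rating (fewest glaring gaps);
    5. provider name, so the order is always deterministic."""
    heaviest = max(criteria, key=lambda c: c.weight).name
    rows = []
    for name, ratings in providers.items():
        score, knocked_out = weighted_score(criteria, ratings)
        rows.append({"provider": name, "score": score,
                     "disqualified_by": knocked_out,
                     "_key": (knocked_out is not None, -score,
                              -ratings[heaviest], -min(ratings.values()), name)})
    rows.sort(key=lambda r: r["_key"])
    for r in rows:
        del r["_key"]
    return rows


# Constructed sample data: three requirements and four candidate providers.
CRITERIA = [
    Criterion("Data encryption with customer-managed keys", 5, must_have=True, floor=2),
    Criterion("Breach notification within 24h", 3),
    Criterion("Right to audit", 2),
]
PROVIDERS = {
    "Alpha": {"Data encryption with customer-managed keys": 4,
              "Breach notification within 24h": 2, "Right to audit": 2},
    "Beta":  {"Data encryption with customer-managed keys": 3,
              "Breach notification within 24h": 4, "Right to audit": 2},
    "Gamma": {"Data encryption with customer-managed keys": 2,
              "Breach notification within 24h": 4, "Right to audit": 4},
    "Delta": {"Data encryption with customer-managed keys": 1,
              "Breach notification within 24h": 4, "Right to audit": 4},
}

if __name__ == "__main__":
    for row in rank(CRITERIA, PROVIDERS):
        print(row)
```

    In the sample data Alpha and Gamma tie on weighted score, so the heaviest criterion (encryption) decides between them, and Delta is knocked out by the must-have floor despite strong ratings elsewhere; writing those rules down before the team scores anything is what keeps the comparison objective.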
    • Moving to the Cloud
      • Make sure that you have a clear plan in place, that you know what you're getting yourself into, and that you're truly ready to make the leap
      • Start small and build upwards/outwards; there's no need to push everything into the cloud all at once. This will keep your scope and risks more manageable!
      • Leverage the resources available; a lot of work has already gone into defining this space and creating models to support it
      • Don't let the nature of the cloud invalidate best practices that are known to work; in many cases it's just a matter of tweaking the context
    • Contingency Planning
      • As you are getting INTO the cloud arena, think about how you're going to get back OUT again if something goes wrong
      • Pay attention to warning signs indicating issues or problems with your service provider; don't be afraid to go elsewhere if your security needs aren't being met
      • Really start thinking in terms of a ‘Zero Trust’ model: the less trust you place in service providers, the better protected you will be no matter what happens
      • Update all of your business continuity, disaster recovery, and incident response processes to reflect your cloud relationships. BE PREPARED!
    • Resources
      • Check out the Cloud Security Alliance web site
      • Join the local CSA Chapter and participate
      • And of course: ENGAGE NCA TO HELP!
      NCA's Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:
        • Program Management: Building and managing holistic information security programs.
        • Governance: Incorporating security into enterprise or IT governance frameworks.
        • Risk Management: Measuring and managing information security and other related risks.
        • Compliance: Ensuring that all internal and external requirements are being met.
        • Identity & Access Management: Managing identities and permissions for systems and users.
        • Perimeter Defense & Firewall Management: Defending the borders between networks.
        • Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
        • Virtualization & Cloud Security: Safeguarding the latest virtualized and cloud-based technologies.
        • Event Management & Incident Response: Detecting and responding to security incidents.
        • Awareness & Training: Engaging people in the process of security on a daily basis.
      Through a number of strategic partnerships we can also deliver additional services in the areas of:
        • Managed Services: Managing the day-to-day operational security of information systems.
        • Application Security & Penetration Testing: Validating controls for business applications.
        • Business Continuity & Disaster Recovery: Sustaining the business during emergencies.
    • Questions??? Send additional follow-up questions to Brad.Bemis@NCANet.com or call us at 1-877-566-9622. Follow me: @SecureITExpert
    • About the Author: Brad Bemis is the CISO, Security Practice Manager, and Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA. Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology. Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between). Although highly skilled across multiple security disciplines, his main passion is information security awareness and training: evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of on-line security forums, and much more. Additional information can be found on Brad's professional blog at www.secureitexpert.com.