Extending security in the cloud network box - v4

  • Embrace a secure-by-design approach: IT organizations need to focus on identifying controls that address the lack of direct access to information. Taking an approach that is secure by design forms the foundation of the organization's strategy for entering the cloud and allows the organization to consistently approach security needs based on the workloads and granular data represented in their cloud efforts. This also facilitates the implementation of resiliency and audit capabilities in the cloud, allowing organizations to extend their security philosophy into the cloud.
  • Implement an active monitoring solution: To address availability or instability conditions, organizations must implement an active monitoring solution. Failing to do so means relying on cues from users, which could result in damages ranging from poor customer satisfaction to loss of customers. Organizations need to determine what to monitor and at what intervals based on data content, and should implement manual or automated procedures to respond to related events.
  • Develop a plan and educate the response team: A large element of security is the response to threats and how rapidly an organization can respond to threats and adverse events. Organizations should document logical responses to event classes and implement education programs to facilitate response to said conditions.
  • Transcript

    • 1. Extending Security in the Cloud
        • Steven Wolford, Director, Information Security, 6fusion
        • Chad Walter, Director, Channel Development, Network Box USA
    • 2. Today’s Agenda
        • Introduction
        • IT Infrastructure Models
        • Common Cloud Security Myths
        • Cloud Security Basics
        • Cloud Security Challenges
            • Access
            • Protection
            • Segregation
            • Recovery
        • Cloud Security Best Practices
    • 3. Who We Are
        • 6fusion: 6fusion provides a utility-metered cloud platform that enables global workload distribution by turning public, private and hybrid clouds into pay-per-use billable utilities. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.
        • Network Box USA: Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.
        • This is the first in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
    • 4. IT Infrastructure Models
    • 5. Cloud Security Myths
        • Cloud cannot be secure
            • All Cloud models are not created equal: Private, Hybrid, Public; IaaS, PaaS, SaaS
            • All Cloud providers are not created equal: look for independent audit reports
        • Cloud security is new
            • The security concepts remain unchanged
            • Unfortunately many used network defenses to compensate for weak application security
        • Cloud requires more effort or tools to be as secure
            • NIST used the existing SP 800-53 and SP 800-37 to develop FedRAMP
            • Oh by the way, Department of Homeland Security recently announced it is moving services to a cloud provider that has been reviewed under FedRAMP
        • The only reason enterprises move to the cloud is cost reduction, reallocation, etc.
            • Security can also be enhanced if you incorporate the following in your migration: Security by Design, Active Monitoring, Incident Response Plan
    • 6. A Quick Cloud Analogy
        • Your data happily in the cloud: Procurement, PII, Financial, Email, Payroll, HR
        • An incident beyond your control occurs
        • Your data no longer just in the cloud: Payroll, PII, Email, Procurement, Financial, HR
    • 7. Data Loss in Summary
        • Data
            • Trade Secrets
            • Account Numbers
            • Social Security Numbers
            • Intellectual Property
            • Health Records
            • Other Personal Information
        • Can Leak
            • Stored on the network or shared drives
            • Copied on removable media
            • Transferred electronically
        • To an Outsider
            • Thieves, mobsters, other nefarious characters
            • Competitors
            • Regulators
            • Unauthorized Internal Users
            • Press/Media
        • Resulting in Breach
            • Company defamation
            • Monetary expense per record lost
            • Loss of assets
            • Breach of customer trust
    • 8. Top Reasons for Data Loss
        • Hardware Failure: 35%
        • Human Error: 28%
        • Theft/Malicious Employee Action: 17%
        • Software Failure: 14%
        • Virus: 6%
    • 9. Cloud Security Challenges
        • There are a number of security issues associated with cloud computing, but data security is arguably the biggest issue.
        • Main areas of concern specific to data security include:
            • Access
            • Protection
            • Segregation
            • Recovery
    • 10. Access
        • Data placed in the cloud are accessed and managed by persons other than privileged users within the customer’s organization.
            • What type and level of security checks are enforced on those individuals?
            • How are those checks enforced?
            • What policies are in place to ensure roles and privileges are enforced?
    • 11. Protection
        • The nature of cloud computing means data can be stored at any geographical location at any given time.
            • Apart from some cloud service providers such as Amazon, who offer their customers the option of choosing between different zones in which to store their data, it is uncommon to see a cloud computing service contract where the customer is guaranteed that their data would not be transferred outside a specified region.
            • Customers need to be aware that local laws may apply to data held on servers within the cloud, and that it is their responsibility to comply with data protection laws under various jurisdictions worldwide where their data is held.
    • 12. Segregation
        • Data in the cloud is typically stored in a shared environment whereby one customer’s data is stored alongside another customer’s data.
            • While it is difficult to assure data segregation, customers should review the cloud vendor’s architecture to ensure proper data segregation is available and that data leak prevention (DLP) measures are in place.
    • 13. Recovery
        • As with traditional IT systems, unexpected problems can and will occur with cloud computing.
            • What plan is in place to recover the customer’s data in the event of a disaster, how long will data restoration take, and what is the impact on business continuity?
    • 14. Cloud Security Best Practices
        • Ask where data will be kept and enquire about the details of data protection laws in the relevant jurisdictions.
        • Include clauses in the cloud service contract that your data always belong to you, that you can reclaim your data at any time and that your data shall not be disclosed to any third party.
        • Make it as hard as possible to gain access to your systems and then to your data by implementing two-factor user authentication.
        • Ensure that data is encrypted both ways across the Internet by using, for example, mutual SSL. Ensure that data is encrypted when at rest, as well as when in motion from one location to another. You, the customer, should have control of key materials used for encrypting and decrypting data.
        • Develop good password policies: how they’re created, changed and protected.
        • Seek an independent security audit of the cloud vendor.
    • 15. Where do you go from here?
    • 16. Risk-based Framework
        • Diagram stages: Establish, Identify, Govern, Assess
        • Loosely based on NIST RMF
    • 17. Security by DESIGN
        • Understand your security philosophy
        • Know all of the components for each information system
        • Implement the controls that bring risk down to the level acceptable to your organization
    • 18. Implement Active MONITORING
        • Customers would rather hear bad news from you than from the media
        • Mitigation cannot happen if you do not know adverse events are occurring
        • What, How, Who
    • 19. Develop a RESPONSE Team and Plan
        • Security is not a guarantee
        • Most events can be categorized with operational, technical, and legal responses planned
        • Training and awareness are key
    • 20. Questions?
    • 21. Thank You!
        • Resources
            • FedRAMP: http://www.gsa.gov/portal/category/102371
            • Cloud Security Alliance: https://cloudsecurityalliance.org/
            • FFIEC (not really cloud but outsourced providers): http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-d-managed-security-service-providers.aspx
            • NIST (SP800-144): http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
        • What’s next? 2nd Webinar in the Series
            • Timing: Early March
            • Topic: How to advance your organizational security
            • Details: You tell us…
        • What do you want to hear about in the next webinar? Email us at marketing@6fusion.com with your ideas!
