Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance
Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance
Key Note Address by Chad M. Lawler, Ph.D.
Cloud Security Alliance - North Texas Chapter
Friday, June 28, 2013
  1. Security & Compliance in the Cloud
     Standards, Security & Proactively Managing Governance, Risk & Compliance
     North Texas Chapter, Dallas / Ft. Worth
     Friday, June 28, 2013
     FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX
     Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting
  2. Goals & Overview of Today's Discussion
     Goals:
     - Awareness: Encourage Focus on Security, Governance & Compliance
     - Creating Broad Awareness – Providing Education & Focus on Standards
     - Focus on Best Practices for Risk Security Mitigation, Regulatory Compliance & Governance
     - Overview of Cloud Security Alliance (CSA) & Research Areas
     Overview:
     - Cloud is Changing Business & IT - New IT Landscape
     - Cloud Security Alliance - Research & Standards
     - Conclusion & Panel Discussion
     Today's Presentation Slides -
  3. Cloud is Changing Business & IT - The New IT Landscape
  4. Cloud is Changing Business & IT - The New IT Landscape
     IT Operations + Multi Cloud: Legacy Coexistence with Cloud Migration and New Cloud Apps; Multiple Applications Spread Across Environment; Legacy & Cloud Selective Outsourcing and Managed Services; Private, Public and Hybrid Cloud Utilization
     Datacenter (Traditional Data Center): On-site Traditional Infrastructure; Dedicated with Limited Virtualization; Internal Application Provisioning
     Private Cloud (Next Generation Datacenter): On-site Private Cloud IaaS Utility; Dedicated On-Site Infrastructure; Internal Application Provisioning
     Public Cloud (Regional Datacenter 1, Regional Datacenter 2, Public Cloud Datacenter): Off-site Utility; Pay-as-You-Go Consumption; External Application Provisioning
     Hybrid Cloud (Hybrid - Public/Private/Virtual Private Enterprise Datacenter): On-Site + Off-site Utility; Dedicated Infrastructure + Utility; Internal + External Provisioning
     Next Generation Datacenter Transition - Enterprise Cloud Model: Multi-Source Hybrid Public/Private Mix (SaaS, IaaS & PaaS)
  5. Cloud is Changing Business & IT - The New IT Landscape
     Cloud Ecosystem: SaaS, IaaS and PaaS service providers; Your Business; Your Central IT; Business and End Users Circumventing IT; Increasing Shadow IT
  6. Cloud is Changing Business & IT - The New IT Landscape
     Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix: Focus on Cloud Supply Chain, Security & Governance
     - Mix of public-private cloud services from multiple, different cloud providers
     - With the cloud comes increased complexity, disruptive for both business and IT
     - Increased need for risk visibility, management, governance and security
     - Businesses already negotiating multiple cloud service contracts with different providers
     - Using multiple/different cloud services - more contracts, payments, providers to manage
     - Need for new best practices for security, cloud supply chain management and resource control
  7. Cloud is Changing Business & IT - The New IT Landscape
     Cloud + Mobile: Dispersal of applications; Dispersal of data; Dispersal of users; Dispersal of endpoint devices
     Diagram: Cloud Users, Notional Organizational Boundary, Public Clouds, Private Clouds
     www.cloudsecurityalliance.org - Copyright © 2013 Cloud Security Alliance
  8. Cloud is Changing Business & IT - The New IT Landscape
     Where IT is Going - Is Challenging Our Assumptions About… Everything
     Technology consumerization and its offspring:
     - Cloud: Compute as a utility
     - Smart Mobility: Compute anywhere
     - Shifting balance of power to technology users
     - Organizational structure & business planning
     - Disrupting IT and IT security through agility
     Key Trust Issues:
     - Transparency & visibility from providers
     - Compatible laws across jurisdictions
     - Data sovereignty
     - Incomplete standards
     - Multi-tenant technologies & architecture
     - Incomplete Identity Management
     - Consumer awareness & engagement
     www.cloudsecurityalliance.org - Copyright © 2013 Cloud Security Alliance
  9. Cloud is Changing Business & IT - The New IT Landscape
     Governance: Administration & Control of IT Assets; Measurement, Policy & Enforcement; Appropriate & Authorized Resource Use
     Security & Risk: Confidentiality, Integrity & Availability; Security Protection, Controls & Reporting; Incident Mitigation, Detection & Response
     Compliance: Legal & Regulatory; Policies, Standards & Procedures; Auditing & Reporting
     Applies across Datacenter, Private Cloud, Public Cloud and Hybrid Cloud
  10. A Look at Today's Security Landscape - Facing Modern Security Threats
  11. The State of Information Security
      The Global State of Information Security Survey 2013
      Source: The Global State of Information Security Survey 2013 -
  12. Texas Comptroller's 3.5 Million Record Breach
      Source: Cyber Risk Remains a Serious Threat Facing Public Entities
      "...state's investigation revealed that the data was not encrypted, even though Texas administrative rules require encryption of data files containing sensitive information."
  13. Personally Identifiable Information Consumer Notifications
      Source:
  14. Notable Security Incidents Since 2008
      1. Yahoo Japan - The identity details of up to 22 million users may have been compromised when attackers hacked into its computer systems.
      2. Washington State Court System - May 2013 - Exposed 160,000 Social Security numbers from a cyber attack on servers operated by the Washington state court system.
      3. Federal Reserve - May 2013 - Federal Reserve security breach of undisclosed information. Anonymous exploited a zero-day exploit in Adobe ColdFusion.
      4. Alabama Criminal Justice Information Center - May 2013 - Anonymous hack posts 4,000 bank exec credentials, login & contact info, & IP addresses.
      5. - April 2013 - Security breach that has exposed names, e-mail addresses and password data for up to 50 million of its users.
      6. Twitter - February 2013 - 250,000 accounts hacked in security breach; hackers access usernames, email addresses and passwords in a sophisticated operation.
      7. US Army Corps of Engineers' National Inventory of Dams (NID) - Cyber intrusion into sensitive information on vulnerabilities of 8,100 major dams in the US by Chinese cyber warriors.
      8. Wyndham Hotels - Announced in 2012, began in 2008 - Over $10.6 million in credit card transactions made fraudulently. The most egregious security breach of 2012. The Federal Trade Commission brought a lawsuit against Wyndham Hotels.
      9. Zappos - Jan 2012 - Hackers compromise over 24 million records which included user names, phone numbers, email addresses, partial credit card numbers, and encrypted passwords.
      10. LinkedIn/eHarmony - June 2012 - 8 million passwords taken.
      11. - In mid-2012 - Hackers had exploited lax security to make off with millions of user passwords.
      12. Medicaid - March 30, 2012 - Hackers broke into a Utah Department of Health Medicaid server, exposing 280,000 residents' Social Security numbers & health data of 500,000 residents.
      13. Sutter Physicians Services - 2011 - 3.3 million patients' medical details stolen, stored in encrypted format. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer.
      14. Sony's PlayStation Network - April 20, 2011 - Over 100 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month, and faced an ongoing customer relations fallout and class-action lawsuits over its failure to protect over 100 million user records.
      15. ESTsoft - July-August 2011 - Personal information of 35 million South Koreans exposed after hackers breached the security of a popular software provider.
      16. Tricare and SAIC - Sept 2011 - 5.1 million people's records breached. Backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee, with data on current and retired members of the armed services and families. Led to a $4.9 billion lawsuit being filed.
      17. Nasdaq - 2011 - Attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.
      18. Yahoo - 2011 - 450,000 user names and passwords stolen. Hackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and managed to steal files from Yahoo's Contributor Network. Shockingly, these files were not encrypted and were instead stored in plain text.
      19. Epsilon - March 2011 - Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms.
      20. RSA Security - March 2011 - 40 million employee records stolen. Attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack.
      21. Stuxnet - Sometime in 2010, but origins date to 2007 - Attack on Iran's nuclear power program; serves as a template for real-world intrusion and service disruption.
      22. VeriSign - Throughout 2010 - Impact: Undisclosed information stolen.
      23. Gawker Media - December 2010 - Compromised e-mail addresses and passwords of about 1.3 million users on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.
      24. Google / Yahoo / Silicon Valley companies - Mid-2009 - Stolen intellectual property. In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies.
      25. US Military Networks - 2008 cyberattack - "Worst breach of U.S. military computers in history" and "the most significant breach of U.S. military computers ever." The Pentagon spent 14 months cleaning military networks. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," - William J. Lynn 3d, Deputy Secretary of Defense. Led to creation of the US Cyber Command.
      26. Heartland Payment Systems - March 2008 - Impact: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.
  15. Increasing Security Threat for SMBs
      Flags Rise in SMB Security Breaches
      "SMBs can no longer afford to assume their small size will keep them off the radar of cyber criminals and hackers" - PWC InfoSec 2013
  16. "Hacking at small businesses is a prolific problem… It's going to get much worse before it gets better."
      Dean Kinsman, Special Agent, FBI's Cyber Division
  17. Revealed: Operation Shady Rat
      Operation Shady Rat - August 2011
      Targeted intrusions into more than 70 global companies, governments and non-profit organizations over five years
      Source:
  18. Revealed: Operation Shady Rat
      Source:
  19. "Targeted intrusion is a problem of massive scale that affects nearly every industry … and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."
      Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011
  20. Operation Red October
      Operation Red October - January 11, 2013
      - Kaspersky Lab research report which identified a cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
      - Attackers gathered sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
      Source:
  21. "There is sensitive geopolitical information being stolen, which is very valuable... Over the course of the last five years, we believe several terabytes of data was stolen - it's massive."
      Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, 2013
  22. DoD Networks Completely Compromised by Foreign Spies
      "We've got the wrong model here. …this model for cyber that says, 'We're going to develop a system where we're not attacked'… I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway. We have to protect the data anyway."
      James Peery, Director of Sandia National Labs' Information Systems Analysis Center
  23. U.S. Weapons Systems Compromised by Chinese Cyberspies
      - Designs for many of the nation's most sensitive advanced weapons systems have been stolen and compromised by Chinese hackers.
      - Designs Stolen: Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD
      - The Navy's Aegis ballistic-missile defense system
      - F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter
      - The Navy's new Littoral Combat Ship
      - The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion, stolen by Chinese cyberhackers in 2007.
      - Drone video systems, nanotechnology, tactical data links and electronic warfare systems also compromised.
      - Defense contractors include: Boeing, Lockheed Martin, Raytheon and Northrop Grumman.
  24. "In many cases, they (DoD Contractors) don't know they've been hacked until the FBI comes knocking on their door. This is billions of dollars of combat advantage for China. They've just saved themselves 25 years of research and development. It's nuts."
      Senior Military Official, on Compromise of US Weapons Systems Designs
  25. Proactively Managing Governance, Risk & Compliance
      Educate, Build A Framework, Layer Protection, Implement Incrementally
  26. "No single product will stop spear-phishing, protect sensitive data, thwart malware, or put an end to malicious insiders… Instead there are several solutions across endpoint, network, data security and security management that can and should be used in a connected framework to enrich each other and thus mitigate risk…"
      McAfee - Building a Better Shady RAT Trap
  27. Elevate Security Importance - Build a Governance Framework
      CSA Governance, Risk Management and Compliance (GRC) Stack
      • Integrated Cloud Framework: Security, Governance, Compliance
  28. Build Incremental Security Layers
      Integrate Complete Security Solutions in Cloud Environments
      • Deep Code-Level Security Vulnerability Reviews on All Cloud Applications
      • Security Services: Single Sign On (SSO) & PKI & Certificate Management
      • Identity Management & Vulnerability Scanning & PII Detection & Continuous Auditing
      • SIEM with Root Cause Analysis & Risk Assessment, Patch & Log Management System
      • AntiVirus & AntiMalware System & IPS/IDS Event Management & Data Loss Prevention
      • Data Encryption for Data at Rest, SSL/HTTPS for Data in Transit
  29. "If you can't stop attacks (spear-phishing), you can at least know when they occur if you have a properly tuned Security Incident & Event Management (SIEM) system in place. You need all the key components feeding data into it including:
      • Proactive, organized response procedures for security incidents
      • A Security Operations Center (SOC) & monitoring system
      • Intrusion Detection & Prevention System (IDS/IPS)
      • Security logs with monitoring and analysis
      • Data Loss Prevention (DLP) & Encryption
      • Host-based anti-malware & antivirus"
      Jeromme Lawler, CISSP, CRISC, Security Architect, AsTech Consulting, 2013
  30. Top Security Resources
      - SysAdmin, Audit, Networking and Security (SANS) Top 20 Critical Controls for Effective Cyber Defense
      - SANS News Letters -
      - Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks
      - Open Web Application Security Project (OWASP) Top 10 Mobile Risks
      - Open Web Application Security Project (OWASP) Cheat Sheets
      - Australian Department of Defense (DOD) Top 35 Mitigation Strategies
      - National Institute of Standards and Technology (NIST) Special Publications 800 Series
      - European Network and Information Security Agency (ENISA) Threat Landscape
      - International Organization for Standardization (ISO) 27000 Series
      - Information Systems Audit and Control Association (ISACA) COBIT Framework
  31. Proactively Managing Governance, Risk & Compliance - Be Proactive in Working to Mitigate Liabilities & Risks
      - Understand that Security in the Cloud Must be Managed
      - Implement a Policy that Calculates & Quantifies Cloud Application Risk
      - Evaluate Application & Data Security Requirements
      - Plan & Budget for Implementing Security Services
      - Leverage a Framework Which Covers all Key Risk and Liability Areas
      - Implement & Adhere to Your Framework as a Roadmap to Reduce Risks
  32. CSA - Research & Standards: Resources, Education & Best Practices
  33. About the Cloud Security Alliance (www.cloudsecurityalliance.org)
      • Global, not-for-profit organization
      • Over 33,000 individual members, 150 corporate members, 60 chapters
      • Building best practices and a trusted cloud ecosystem
      • Research
      • Education
      • Certification
      • Advocacy of prudent public policy
      • Innovation, Transparency, GRC, Identity
      "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
      Copyright © 2013 Cloud Security Alliance
  34. Global Efforts (www.cloudsecurityalliance.org)
      • Europe: Proposed EU Data Privacy Regulation; EC European Cloud Partnership
      • US Federal government: NIST; FedRAMP
      • APAC
      • Standards bodies: ISO SC 27; ITU-T FG 17; DMTF, PCI Standards Council
      Copyright © 2013 Cloud Security Alliance
  35. CSA Contributions - Research Projects - "Security Guidance For Critical Areas of Focus" (www.cloudsecurityalliance.org)
      Governing the Cloud:
      - Governance and Enterprise Risk Management
      - Legal and Electronic Discovery
      - Compliance and Audit
      - Information Lifecycle Management
      - Portability and Interoperability
      Operating in the Cloud:
      - Security, Business Continuity and Disaster Recovery
      - Data Center Operations
      - Incident Response, Notification, Remediation
      - Application Security
      - Encryption and Key Management
      - Identity and Access Management
      - Virtualization
      - Cloud Architecture
      - Security as a Service
      Copyright © 2013 Cloud Security Alliance
  36. CSA GRC Stack (www.cloudsecurityalliance.org)
      Control Requirements, Provider Assertions - Private, Community & Public Clouds
      • Family of 4 Research Projects: Cloud Controls Matrix; Consensus Assessments Initiative; Cloud Audit; Cloud Trust Protocol
      • Tools: Tools for governance, risk and compliance management; Enabling automation and continuous monitoring of GRC
      Copyright © 2013 Cloud Security Alliance
  37. CSA STAR Registry (www.cloudsecurityalliance.org)
      • CSA STAR (Security, Trust and Assurance Registry)
      • Public Registry of Cloud Provider self assessments
      • Based on Consensus Assessments Initiative Questionnaire
      • Provider may substitute documented Cloud Controls Matrix compliance
      • Voluntary industry action promoting transparency
      • Security as a market differentiator
      © 2013 Cloud Security Alliance
  38. CCSK - Certificate of Cloud Security Knowledge (www.cloudsecurityalliance.org)
      • Benchmark of cloud security competency
      • Measures mastery of CSA guidance and ENISA cloud risks whitepaper
      • Understand cloud issues
      • Look for the CCSKs at cloud providers, consulting partners
      • Online web-based examination
      © 2013 Cloud Security Alliance
  39. CSA Resources & Activities (www.cloudsecurityalliance.org)
      • Resources: Research:; CCSK Certification:; Chapters:; National Email:; National LinkedIn Group:; Twitter: @cloudsa
      • Local DFW CSA North Texas Resources & Activities: CSA North Texas LinkedIn Group:; CSA North Texas Meetup:; CSA North Texas Email: Norm Smith; CSA North Texas Industry Days & Local University CSA Academic Days; CSA North Texas Town Hall Meetings & Monthly Luncheons
  40. Lessons to Walk Away With from Today's Discussion
      - The New IT Landscape - All About Cloud, Mobile & Security
      - Educate, Build Framework, Layer Protection, Implement Incrementally
      - The Future of IT Is Cloud & Mobile - With Increasing Control in the Hands of End Users
      - Security is More Important than Ever - Risks & Liabilities from Security Threats are Substantial
      - You Must Take a Proactive Approach to Security
      - Security Must Be a Major Investment for All Organizations & Begins with Education
      - Addressing Security Risks and Liabilities Starts with Education and Information
      - Build A Framework of Policies, Procedures & Security Technologies to Reduce Risks/Liabilities
      - Start Today! - CSA Can Help with an Array of Free Valuable Guides & Resources
  41. Reading
      - Revealed: Operation Shady Rat - McAfee
      - Operation Red October - Kaspersky Labs
      - DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat
      - Cyber-Security: The vexed question of global rules - Security & Defense Agenda (SDA)
      - The Global State of Information Security Survey 2013
      - McAfee 2013 Threats Predictions - McAfee
      - State of Security whitepaper - TrustWave
      - 2013 Global Security Report - TrustWave
      - The 2013 Data Breach Investigations Report - Verizon -
      - 2013 Information Security Breaches Survey: Technical Report - PWC
      - Government Internet Security Threat Report, Volume 18 - Symantec -
      - Internet Security Threat Report (ISTR), Volume 18 - Symantec -
      - The Secret War - Wired Magazine -
  42. Thank You & Contact Information
      Chad M. Lawler, Ph.D.
      Director of Consulting Services, Cloud Computing
      14643 Dallas Parkway, Suite 800, Dallas, Texas 75254
      Office: 469.221.2894
      Email: with Me:
  43. Security & Compliance in the Cloud - Panel Discussion
      North Texas Chapter, Dallas / Ft. Worth
      - Chad M. Lawler, Ph.D., Director of Cloud Computing, Hitachi Consulting
      - Nathaniel Kummerfeld, J.D., Assistant United States Attorney, United States Attorney's Office, Eastern District of Texas
      - Scot Miller, Director, Security Architecture at Health Management Systems
      - Tom Large, Director Corporate Information Security at Alliance Data
      - Tony Scott, CISSP, Senior Security and Compliance Executive, GTR Medical Group