SlideShare a Scribd company logo

Experiences evaluating cloud services and products

Download as PPTX, PDF
Javier Tallón
Javier Tallón

The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed. Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions. This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards. But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs. To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes. In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…). We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.

Devices & Hardware
1 of 26
Experiences evaluating cloud services and products
JAVIER TALLÓN GUERRI jtsec Beyond IT Security jtallon@jtsec.es • Computer Engineer (University of Granada) • Co-Director & Technical Manager at jtsec Beyond IT Security • Member of ENISA ad-hoc Working Group on SOG-IS successor scheme. • Co Editor of ISO/IEC TS 9569 Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045 • CyberSecurity Teacher at UGR (University of Granada) • OSCP/OSCE/CISSP jtsec Beyond IT Security Experiences evaluating cloud services and products.
INDEX 01 ENS & CPSTIC Catalogue What about the cloud? Qualifying services Experiences Conclusions 02 03 04 05
jtsec Beyond IT Security ENS (RD 311/2022) Artículo 19. Adquisición de productos de seguridad y contratación de servicios de seguridad. • En la adquisición de productos de seguridad o contratación de servicios de seguridad de las tecnologías de la información y la comunicación que vayan a ser empleados en los sistemas de información del ámbito de aplicación de este real decreto, se utilizarán, de forma proporcionada a la categoría del sistema y el nivel de seguridad determinados, aquellos que tengan certificada la funcionalidad de seguridad relacionada con el objeto de su adquisición Article 19. Procurement of security products and contracting of security services. • In the acquisition of security products or contracting of information and communication technology security services to be used in the information systems within the scope of application of this Royal Decree, those that have certified security functionality related to the object of their acquisition shall be used, in 4 Experiences evaluating cloud services and products.
jtsec Beyond IT Security CPSTIC Catalogue What is it? CPSTIC is the reference catalogue for cybersecure ICT products in the Spanish Public Administration. It offers a list of products with security assurance contrasted by the CCN (the Spanish Certification Body). This catalogue includes approved products for handling classified national information qualified products for use in the ENS (a.k.a. the governmental 27001). Advantages 1. Easy acquisition of cybersecure products. 2. Evaluated by a reliable third party. 3. Available to everyone (not just the administration). 5 Experiences evaluating cloud services and products.
jtsec Beyond IT Security CPSTIC CATALOGUE Cybersecurity evaluation methodologies • Fixed-time methodology • National scope • Comprehensive standard oriented to vulnerability analysis and penetration testing. • Limited duration and effort • Economically feasible • Accesible to SMEs • Main use for catalogue inclusion • Spanish National Standard • Heavy methodology • International scope, recognized in more than 30 countries • Different assurance levels • Versatile, applicable to all types of products • Technically hard to meet/understand the standard • Longer time to achieve • Higher economic cost Medium-basic ENS category High ENS category 6 Experiences evaluating cloud services and products.
jtsec Beyond IT Security CPSTIC Catalogue Security Target and taxonomies • The ST (Security Target) collects the security functional requirements implemented by the TOE, as well as the security problem definition. The taxonomies define a set of security functional requirements. E.G. The EDR/EPP taxonomy defines the following requirement (one among many) that every TOE that wants to enter the catalog under the EDR/EPP family must fulfill. Contents of the ST are reviewed by CCN before approval, avoding scoping or TOE vs Product problems. 7 Experiences evaluating cloud services and products.
jtsec Beyond IT Security CPSTIC Catalogue Evaluation, certification, qualification An independent, accredited laboratory verifies whether a product meets its claimed security functionality in a time and effort constrained manner. The Certification Body issues a certificate according to the security functionality stated by the manufacturer. A certification has been passed according to the security functionality required by CCN. Evaluation Certification Qualification 8 Experiences evaluating cloud services and products.
jtsec Beyond IT Security WHAT ABOUT THE CLOUD? More and more SaaS • The SaaS market is currently growing by 18% per year. • Around 85% of small businesses have invested in SaaS options Existing methodologies are product-based • Common Criteria • Spain (LINCE), France (CSPN), Germany (BSZ), The Netherlands (BSPA). 9 Experiences evaluating cloud services and products.
jtsec Beyond IT Security WHAT ABOUT THE CLOUD? IT-015 Requirements for certification of products deployed in the cloud Desployed in the lab REQ-2 Univocal identification REQ-6 Full control of the infrastructure REQ-3 Functionality provided by the infrastructure is outside the scope 10 REQ-5 Experiences evaluating cloud services and products.
jtsec Beyond IT Security The CCUF TC “The CC in the Cloud Technical Work Group (CCitC)" is developing a guide of Essential Security Requirements for Common Criteria in the cloud. *https://github.com/CC-in-the-Cloud/CC-in-the-Cloud.github.io/blob/ main/ESR/CC_in_the_Cloud_ESR.pdf The National Information Assurance Partnership (NIAP), Canada Common Criteria Scheme (CCCS), and Australian Certification Authority (ACA) agree with the content of the CC in the Cloud Essential Security Requirements (ESR), version 0.3, dated 2 March 2022. *https://www.niap-ccevs.org/MMO/GD/CC%20in%20the%20Cloud%20 Position%20Statement%20v1.0.pdf 11 Experiences evaluating cloud services and products. WHAT ABOUT THE CLOUD? Common Criteria efforts
jtsec Beyond IT Security Evaluation, certification, qualification • Analysis is static • Use of cryptography • Platform abstraction • Environmental evaluation • Configuration • Credentials • Data sovereignty • Key management • Insider threat • Multi-tenant Known evaluation gaps New threat models 12 Experiences evaluating cloud services and products. WHAT ABOUT THE CLOUD? The current standard does not allow for service evaluations. We are focused on product evals in a devops deployment
jtsec Beyond IT Security SO, HOW CAN WE QUALIFY SERVICES? 13 España y CCN como referentes en la evaluación de ciberseguridad de soluciones en la nube
jtsec Beyond IT Security 14 CPSTIC CATALOGUE Experiences evaluating cloud services and products. Very practical approach: we need secure services
jtsec Beyond IT Security QUALIFYING SERVICES History of the CCN-STIC 106 Guide 1. On-premise certification (including methodology pentesting) 2. Deployment in the cloud 3. Pentesting in the cloud (5 days) 4. + ENS cloud provider 1. We use LINCE adapted to the cloud on top of the already deployed service 2. No additional pentesting required as it is already included in the initial LINCE-based assessmentl 3. + ENS cloud provider 1. Hyperscaler services also want to be qualified Naive approach Most common approach Connecting all the dots Problem: Most cloud services are cloud- native 15 Problem: Who qualifies the hyperscaler services? Experiences evaluating cloud services and products.
jtsec Beyond IT Security QUALIFYING SERVICES Task 1: Requirements Analysis • The first task consists of defining to which taxonomy the service to be qualified belongs. In addition to the appropriate taxonomy, every cloud service must fit into another taxonomy "Cloud Services" (Annex G). • The next step is to analyze the service, defining its components and the scope of the TOE. After this, a new document, the SFR Rationale is generated in which all the SFR included in the taxonomy are listed and the following labels are applied to them 16 APPLICABLE WITNESSING NOT APPLICABLE VENDOR AFFIRMS COVERED Experiences evaluating cloud services and products.
jtsec Beyond IT Security QUALIFYING SERVICES Task 2.1 ST Writing • After finishing the SFR Rationale, the ST is generated. This ST collects the RFS Applicable and those that Cannot be Tested (Witnessing and Vendor Affirms) but are in the scope of the TOE. • The SFR defined in the ST are subsequently verified in the laboratory through witnessing, functional and penetration tests. For this purpose, use is made of any interface available in the TOE. Manufacturer ST Lab 17 Experiences evaluating cloud services and products.
jtsec Beyond IT Security The laboratory is responsible for validating the ST and generating the ETR (Evaluation Technical Report). For this we will use the LINCE methodology adapted to the cloud. • The limit of effort and duration of the methodology is eliminated, adapting it to the scope of the TOE. • Certain tasks are not applicable, e.g. installation phase. • More flexibility is allowed in certain aspects, e.g. product versions ST Lab ETR 18 Experiences evaluating cloud services and products. QUALIFYING SERVICES Task 2.2 ST assessment and generation of the ETR
jtsec Beyond IT Security QUALIFYING SERVICES Task 3. Security architecture The manufacturer must provide some assurance on the security of the cloud architecture. For this purpose, the manufacturer shall define in the document “Cloud Security Architecture": a) The separation in blocks of the solution. b) The connection between blocks. c) Which third-party services used by the solution are qualified (e.g. AWS S3) d) What sensitive data is handled by the solution and how the flow of this data is handled The cloud where the service is hosted must be ENS certified and GDPR compliant. 19 Experiences evaluating cloud services and products.
jtsec Beyond IT Security The veracity of the “Vendor affirmed” SFRs and the information provided in the Cloud Security Architecture is guaranteed. 20 The data handled by the solution complies with the stipulated geographical limits. Future users of the solution will be able to request and receive audit logs related to the use of the service. Furthermore, these logs will not contain information from other users. 1 2 3 Experiences evaluating cloud services and products. QUALIFYING SERVICES Task 4. Cloud form Responsible statement Incident response capabilities and corresponding description. 4 Cryptographic capabilities and key management details. 5
jtsec Beyond IT Security LAB 2.2 ETR CCN 2.1 ST 3 Security architecture 4 Responsible statement 1 Requirements analysis QUALIFYING SERVICES Documentation validation 21 Experiences evaluating cloud services and products.
jtsec Beyond IT Security EXPERIENCES Lack of control over TOE and its versions 1 We need to gain assurance from new sources (Cloud security architecture) and to increase trust in the vendor 5 Interoperability vs. security (cloud services have to be compatible with obsolete software) (e.g. old versions of SSL/TSL) 22 2 Need to ask for permission to test (risk of DoS) 3 Experiences evaluating cloud services and products. Mixed agent + server products (e.g. AV/EDR taxonomy requires both sides to be qualified) 4
jtsec Beyond IT Security EXPERIEN CES • Average number of tests: 30 • Average failed tests: 5 • Average number of pentests: 24 • Average failed pentests: 4 23 Experiences evaluating cloud services and products. 0 2 4 6 8 10 12 14 16 18 20 2021 2022 2023 Scheduled Number of cloud projects Hybrid Cloud Native Hyperscaler 1st Premise, 2nd Cloud
jtsec Beyond IT Security CONCLUSI ONS • All existing methodologies are for evaluating on premise products. • No methodology for evaluating cloud products is expected at European level. • It will probably take years for standardize how to deal with this… • CCitC TC is focused in evaluating DevOps while we are dealing with evaluating SaaS using a CC based approach. • Spain is a pioneer country in qualifying (not certifying) cloud services 24 Experiences evaluating cloud services and products.
jtsec Beyond IT Security CONCLUSIONS CRA (9) “This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions” […] [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive. 25 Experiences evaluating cloud services and products.
Thank you

Recommended

IoT and M2M Safety and Security
IoT and M2M Safety and Security IoT and M2M Safety and Security
IoT and M2M Safety and Security Real-Time Innovations (RTI)
 
Common Criteria service overview for Developers - jtsec a CC consultancy company
Common Criteria service overview for Developers - jtsec a CC consultancy companyCommon Criteria service overview for Developers - jtsec a CC consultancy company
Common Criteria service overview for Developers - jtsec a CC consultancy companyJavier Tallón
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementAlgoSec
 
Spanish catalogue of qualified products - a new way of using CC for procurement
Spanish catalogue of qualified products - a new way of using CC for procurementSpanish catalogue of qualified products - a new way of using CC for procurement
Spanish catalogue of qualified products - a new way of using CC for procurementJavier Tallón
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesCodefresh
 
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...promediakw
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalSyam Madanapalli
 

Recommended

IoT and M2M Safety and Security
IoT and M2M Safety and Security IoT and M2M Safety and Security
IoT and M2M Safety and Security Real-Time Innovations (RTI)
 
Common Criteria service overview for Developers - jtsec a CC consultancy company
Common Criteria service overview for Developers - jtsec a CC consultancy companyCommon Criteria service overview for Developers - jtsec a CC consultancy company
Common Criteria service overview for Developers - jtsec a CC consultancy companyJavier Tallón
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementAlgoSec
 
Spanish catalogue of qualified products - a new way of using CC for procurement
Spanish catalogue of qualified products - a new way of using CC for procurementSpanish catalogue of qualified products - a new way of using CC for procurement
Spanish catalogue of qualified products - a new way of using CC for procurementJavier Tallón
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesCodefresh
 
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...
Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System ...promediakw
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalSyam Madanapalli
 
PTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security PrimerPTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security PrimerPTC
 
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...CMG - The Digital Transformation Association
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Cisco Security
 
The Latest in Cloud Computing Standards
The Latest in Cloud Computing StandardsThe Latest in Cloud Computing Standards
The Latest in Cloud Computing StandardsCA API Management
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdftoncik
 
Towards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluationTowards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluationAxel Rennoch
 
Security as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionSecurity as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionMarketingArrowECS_CZ
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
Check Point vSEC for Microsoft Azure Webinar
Check Point vSEC for Microsoft Azure WebinarCheck Point vSEC for Microsoft Azure Webinar
Check Point vSEC for Microsoft Azure WebinarCheck Point Software Technologies
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
Security+ Course Overview (2008)
Security+ Course Overview (2008)Security+ Course Overview (2008)
Security+ Course Overview (2008)GTS Learning, Inc.
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaHamilton Oliveira
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentationDavide Enrico Arnoldi
 
Time Sensitive Networking Testbed at a Glance
Time Sensitive Networking Testbed at a GlanceTime Sensitive Networking Testbed at a Glance
Time Sensitive Networking Testbed at a GlanceIndustrial Internet Consortium
 
CCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptxCCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptxEBERTE
 
Directory of-infosec-assured-products
Directory of-infosec-assured-productsDirectory of-infosec-assured-products
Directory of-infosec-assured-productsbertram_wooster
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesMichele Vecchione
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of buildingCharles "Chuck" Speicher Jr.
 
Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 

More Related Content

Similar to Experiences evaluating cloud services and products

PTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security PrimerPTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security PrimerPTC
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Cisco Security
 
The Latest in Cloud Computing Standards
The Latest in Cloud Computing StandardsThe Latest in Cloud Computing Standards
The Latest in Cloud Computing StandardsCA API Management
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdftoncik
 
Towards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluationTowards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluationAxel Rennoch
 
Security as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionSecurity as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionMarketingArrowECS_CZ
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
Security+ Course Overview (2008)
Security+ Course Overview (2008)Security+ Course Overview (2008)
Security+ Course Overview (2008)GTS Learning, Inc.
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaHamilton Oliveira
 
CCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptxCCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptxEBERTE
 
Directory of-infosec-assured-products
Directory of-infosec-assured-productsDirectory of-infosec-assured-products
Directory of-infosec-assured-productsbertram_wooster
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesMichele Vecchione
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of buildingCharles "Chuck" Speicher Jr.
 

Similar to Experiences evaluating cloud services and products (20)

PTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security PrimerPTC Cloud Services Datasheet: Security Primer
PTC Cloud Services Datasheet: Security Primer
 
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
 
The Latest in Cloud Computing Standards
The Latest in Cloud Computing StandardsThe Latest in Cloud Computing Standards
The Latest in Cloud Computing Standards
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
Webinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdfWebinar achieving cybersecurity maturity.pdf
Webinar achieving cybersecurity maturity.pdf
 
Towards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluationTowards a certification scheme for IoT security evaluation
Towards a certification scheme for IoT security evaluation
 
Security as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud AdoptionSecurity as an Accelerator for Cloud Adoption
Security as an Accelerator for Cloud Adoption
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
Check Point vSEC for Microsoft Azure Webinar
Check Point vSEC for Microsoft Azure WebinarCheck Point vSEC for Microsoft Azure Webinar
Check Point vSEC for Microsoft Azure Webinar
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
 
Security+ Course Overview (2008)
Security+ Course Overview (2008)Security+ Course Overview (2008)
Security+ Course Overview (2008)
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação Cibernética
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
 
Time Sensitive Networking Testbed at a Glance
Time Sensitive Networking Testbed at a GlanceTime Sensitive Networking Testbed at a Glance
Time Sensitive Networking Testbed at a Glance
 
CCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptxCCSA Treinamento_CheckPoint.pptx
CCSA Treinamento_CheckPoint.pptx
 
Directory of-infosec-assured-products
Directory of-infosec-assured-productsDirectory of-infosec-assured-products
Directory of-infosec-assured-products
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future Challanges
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of building
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfJavier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaJavier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria Javier Tallón
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easyJavier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easy
 

Recently uploaded

Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作f3774p8b
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程1k98h0e1
 
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》o8wvnojp
 
定制(USF学位证)旧金山大学毕业证成绩单原版一比一
定制(USF学位证)旧金山大学毕业证成绩单原版一比一定制(USF学位证)旧金山大学毕业证成绩单原版一比一
定制(USF学位证)旧金山大学毕业证成绩单原版一比一ss ss
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一Fi sss
 
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /WhatsappsBeautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsappssapnasaifi408
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...ttt fff
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝soniya singh
 
Hifi Babe North Delhi Call Girl Service Fun Tonight
Hifi Babe North Delhi Call Girl Service Fun TonightHifi Babe North Delhi Call Girl Service Fun Tonight
Hifi Babe North Delhi Call Girl Service Fun TonightKomal Khan
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)861c7ca49a02
 
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一ss ss
 
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree 毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree z zzz
 
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一ss ss
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一diploma 1
 

Recently uploaded (20)

Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程
 
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》
《1:1仿制麦克马斯特大学毕业证|订制麦克马斯特大学文凭》
 
定制(USF学位证)旧金山大学毕业证成绩单原版一比一
定制(USF学位证)旧金山大学毕业证成绩单原版一比一定制(USF学位证)旧金山大学毕业证成绩单原版一比一
定制(USF学位证)旧金山大学毕业证成绩单原版一比一
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Serviceyoung call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
 
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一
(办理学位证)加州州立大学北岭分校毕业证成绩单原版一比一
 
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /WhatsappsBeautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
Beautiful Sapna Call Girls CP 9711199012 ☎ Call /Whatsapps
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝
Call Girls in Dwarka Sub City 💯Call Us 🔝8264348440🔝
 
Hifi Babe North Delhi Call Girl Service Fun Tonight
Hifi Babe North Delhi Call Girl Service Fun TonightHifi Babe North Delhi Call Girl Service Fun Tonight
Hifi Babe North Delhi Call Girl Service Fun Tonight
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
 
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一
定制(Salford学位证)索尔福德大学毕业证成绩单原版一比一
 
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree 毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree加拿大瑞尔森大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
 
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一
定制(RHUL学位证)伦敦大学皇家霍洛威学院毕业证成绩单原版一比一
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
 

Experiences evaluating cloud services and products

  • 2. JAVIER TALLÓN GUERRI jtsec Beyond IT Security jtallon@jtsec.es • Computer Engineer (University of Granada) • Co-Director & Technical Manager at jtsec Beyond IT Security • Member of ENISA ad-hoc Working Group on SOG-IS successor scheme. • Co Editor of ISO/IEC TS 9569 Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045 • CyberSecurity Teacher at UGR (University of Granada) • OSCP/OSCE/CISSP jtsec Beyond IT Security Experiences evaluating cloud services and products.
  • 3. INDEX 01 ENS & CPSTIC Catalogue What about the cloud? Qualifying services Experiences Conclusions 02 03 04 05
  • 4. jtsec Beyond IT Security ENS (RD 311/2022) Artículo 19. Adquisición de productos de seguridad y contratación de servicios de seguridad. • En la adquisición de productos de seguridad o contratación de servicios de seguridad de las tecnologías de la información y la comunicación que vayan a ser empleados en los sistemas de información del ámbito de aplicación de este real decreto, se utilizarán, de forma proporcionada a la categoría del sistema y el nivel de seguridad determinados, aquellos que tengan certificada la funcionalidad de seguridad relacionada con el objeto de su adquisición Article 19. Procurement of security products and contracting of security services. • In the acquisition of security products or contracting of information and communication technology security services to be used in the information systems within the scope of application of this Royal Decree, those that have certified security functionality related to the object of their acquisition shall be used, in 4 Experiences evaluating cloud services and products.
  • 5. jtsec Beyond IT Security CPSTIC Catalogue What is it? CPSTIC is the reference catalogue for cybersecure ICT products in the Spanish Public Administration. It offers a list of products with security assurance contrasted by the CCN (the Spanish Certification Body). This catalogue includes approved products for handling classified national information qualified products for use in the ENS (a.k.a. the governmental 27001). Advantages 1. Easy acquisition of cybersecure products. 2. Evaluated by a reliable third party. 3. Available to everyone (not just the administration). 5 Experiences evaluating cloud services and products.
  • 6. jtsec Beyond IT Security CPSTIC CATALOGUE Cybersecurity evaluation methodologies • Fixed-time methodology • National scope • Comprehensive standard oriented to vulnerability analysis and penetration testing. • Limited duration and effort • Economically feasible • Accesible to SMEs • Main use for catalogue inclusion • Spanish National Standard • Heavy methodology • International scope, recognized in more than 30 countries • Different assurance levels • Versatile, applicable to all types of products • Technically hard to meet/understand the standard • Longer time to achieve • Higher economic cost Medium-basic ENS category High ENS category 6 Experiences evaluating cloud services and products.
  • 7. jtsec Beyond IT Security CPSTIC Catalogue Security Target and taxonomies • The ST (Security Target) collects the security functional requirements implemented by the TOE, as well as the security problem definition. The taxonomies define a set of security functional requirements. E.G. The EDR/EPP taxonomy defines the following requirement (one among many) that every TOE that wants to enter the catalog under the EDR/EPP family must fulfill. Contents of the ST are reviewed by CCN before approval, avoding scoping or TOE vs Product problems. 7 Experiences evaluating cloud services and products.
  • 8. jtsec Beyond IT Security CPSTIC Catalogue Evaluation, certification, qualification An independent, accredited laboratory verifies whether a product meets its claimed security functionality in a time and effort constrained manner. The Certification Body issues a certificate according to the security functionality stated by the manufacturer. A certification has been passed according to the security functionality required by CCN. Evaluation Certification Qualification 8 Experiences evaluating cloud services and products.
  • 9. jtsec Beyond IT Security WHAT ABOUT THE CLOUD? More and more SaaS • The SaaS market is currently growing by 18% per year. • Around 85% of small businesses have invested in SaaS options Existing methodologies are product-based • Common Criteria • Spain (LINCE), France (CSPN), Germany (BSZ), The Netherlands (BSPA). 9 Experiences evaluating cloud services and products.
  • 10. jtsec Beyond IT Security WHAT ABOUT THE CLOUD? IT-015 Requirements for certification of products deployed in the cloud Desployed in the lab REQ-2 Univocal identification REQ-6 Full control of the infrastructure REQ-3 Functionality provided by the infrastructure is outside the scope 10 REQ-5 Experiences evaluating cloud services and products.
  • 11. jtsec Beyond IT Security The CCUF TC “The CC in the Cloud Technical Work Group (CCitC)" is developing a guide of Essential Security Requirements for Common Criteria in the cloud. *https://github.com/CC-in-the-Cloud/CC-in-the-Cloud.github.io/blob/ main/ESR/CC_in_the_Cloud_ESR.pdf The National Information Assurance Partnership (NIAP), Canada Common Criteria Scheme (CCCS), and Australian Certification Authority (ACA) agree with the content of the CC in the Cloud Essential Security Requirements (ESR), version 0.3, dated 2 March 2022. *https://www.niap-ccevs.org/MMO/GD/CC%20in%20the%20Cloud%20 Position%20Statement%20v1.0.pdf 11 Experiences evaluating cloud services and products. WHAT ABOUT THE CLOUD? Common Criteria efforts
  • 12. jtsec Beyond IT Security Evaluation, certification, qualification • Analysis is static • Use of cryptography • Platform abstraction • Environmental evaluation • Configuration • Credentials • Data sovereignty • Key management • Insider threat • Multi-tenant Known evaluation gaps New threat models 12 Experiences evaluating cloud services and products. WHAT ABOUT THE CLOUD? The current standard does not allow for service evaluations. We are focused on product evals in a devops deployment
  • 13. jtsec Beyond IT Security SO, HOW CAN WE QUALIFY SERVICES? 13 España y CCN como referentes en la evaluación de ciberseguridad de soluciones en la nube
  • 14. jtsec Beyond IT Security 14 CPSTIC CATALOGUE Experiences evaluating cloud services and products. Very practical approach: we need secure services
  • 15. jtsec Beyond IT Security QUALIFYING SERVICES History of the CCN-STIC 106 Guide 1. On-premise certification (including methodology pentesting) 2. Deployment in the cloud 3. Pentesting in the cloud (5 days) 4. + ENS cloud provider 1. We use LINCE adapted to the cloud on top of the already deployed service 2. No additional pentesting required as it is already included in the initial LINCE-based assessmentl 3. + ENS cloud provider 1. Hyperscaler services also want to be qualified Naive approach Most common approach Connecting all the dots Problem: Most cloud services are cloud- native 15 Problem: Who qualifies the hyperscaler services? Experiences evaluating cloud services and products.
  • 16. jtsec Beyond IT Security QUALIFYING SERVICES Task 1: Requirements Analysis • The first task consists of defining to which taxonomy the service to be qualified belongs. In addition to the appropriate taxonomy, every cloud service must fit into another taxonomy "Cloud Services" (Annex G). • The next step is to analyze the service, defining its components and the scope of the TOE. After this, a new document, the SFR Rationale is generated in which all the SFR included in the taxonomy are listed and the following labels are applied to them 16 APPLICABLE WITNESSING NOT APPLICABLE VENDOR AFFIRMS COVERED Experiences evaluating cloud services and products.
  • 17. jtsec Beyond IT Security QUALIFYING SERVICES Task 2.1 ST Writing • After finishing the SFR Rationale, the ST is generated. This ST collects the RFS Applicable and those that Cannot be Tested (Witnessing and Vendor Affirms) but are in the scope of the TOE. • The SFR defined in the ST are subsequently verified in the laboratory through witnessing, functional and penetration tests. For this purpose, use is made of any interface available in the TOE. Manufacturer ST Lab 17 Experiences evaluating cloud services and products.
  • 18. jtsec Beyond IT Security The laboratory is responsible for validating the ST and generating the ETR (Evaluation Technical Report). For this we will use the LINCE methodology adapted to the cloud. • The limit of effort and duration of the methodology is eliminated, adapting it to the scope of the TOE. • Certain tasks are not applicable, e.g. installation phase. • More flexibility is allowed in certain aspects, e.g. product versions ST Lab ETR 18 Experiences evaluating cloud services and products. QUALIFYING SERVICES Task 2.2 ST assessment and generation of the ETR
  • 19. jtsec Beyond IT Security QUALIFYING SERVICES Task 3. Security architecture The manufacturer must provide some assurance on the security of the cloud architecture. For this purpose, the manufacturer shall define in the document “Cloud Security Architecture": a) The separation in blocks of the solution. b) The connection between blocks. c) Which third-party services used by the solution are qualified (e.g. AWS S3) d) What sensitive data is handled by the solution and how the flow of this data is handled The cloud where the service is hosted must be ENS certified and GDPR compliant. 19 Experiences evaluating cloud services and products.
  • 20. jtsec Beyond IT Security The veracity of the “Vendor affirmed” SFRs and the information provided in the Cloud Security Architecture is guaranteed. 20 The data handled by the solution complies with the stipulated geographical limits. Future users of the solution will be able to request and receive audit logs related to the use of the service. Furthermore, these logs will not contain information from other users. 1 2 3 Experiences evaluating cloud services and products. QUALIFYING SERVICES Task 4. Cloud form Responsible statement Incident response capabilities and corresponding description. 4 Cryptographic capabilities and key management details. 5
  • 21. jtsec Beyond IT Security LAB 2.2 ETR CCN 2.1 ST 3 Security architecture 4 Responsible statement 1 Requirements analysis QUALIFYING SERVICES Documentation validation 21 Experiences evaluating cloud services and products.
  • 22. jtsec Beyond IT Security EXPERIENCES Lack of control over TOE and its versions 1 We need to gain assurance from new sources (Cloud security architecture) and to increase trust in the vendor 5 Interoperability vs. security (cloud services have to be compatible with obsolete software) (e.g. old versions of SSL/TSL) 22 2 Need to ask for permission to test (risk of DoS) 3 Experiences evaluating cloud services and products. Mixed agent + server products (e.g. AV/EDR taxonomy requires both sides to be qualified) 4
  • 23. jtsec Beyond IT Security EXPERIEN CES • Average number of tests: 30 • Average failed tests: 5 • Average number of pentests: 24 • Average failed pentests: 4 23 Experiences evaluating cloud services and products. 0 2 4 6 8 10 12 14 16 18 20 2021 2022 2023 Scheduled Number of cloud projects Hybrid Cloud Native Hyperscaler 1st Premise, 2nd Cloud
  • 24. jtsec Beyond IT Security CONCLUSI ONS • All existing methodologies are for evaluating on premise products. • No methodology for evaluating cloud products is expected at European level. • It will probably take years for standardize how to deal with this… • CCitC TC is focused in evaluating DevOps while we are dealing with evaluating SaaS using a CC based approach. • Spain is a pioneer country in qualifying (not certifying) cloud services 24 Experiences evaluating cloud services and products.
  • 25. jtsec Beyond IT Security CONCLUSIONS CRA (9) “This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions” […] [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive. 25 Experiences evaluating cloud services and products.