CyberSec object types & controls
Belay controls as close as possible to Way of Working
Robert Kloots, Brussels
Nov 2022
Available for Interim Management
Topics
• Main Cyber Security Goals
• CSF policies, standards and guidelines
• Cyber Security Framework (CSF)
• CSF Quality Controls, Risk & Compliance
• Object type specific CSF controls
• Add Cyber Security to WoW => SSDLC
23/11/2022
MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
2
Main Cyber Security Goals
• Confidentiality
• Integrity
• Availability
• Non-repudiation
• Audit

Provision of Trust services
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
Audit is the mechanism through which proof is obtained and validated. Logging of (trans-)actions is actually the source on which auditing relies.
CSF policies, standards and guidelines
• Policies on the right level of abstraction
• Procedures and guidelines close to WoW
• Many examples of best practices available
• Dynamic set reflecting maturity of CICD and OPS.
Cyber Security Framework (CSF)
The five CSF functions (diagram): IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
Cyber Security Framework (CSF)
CSF functions and their categories (diagram):
• IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
• PROTECT: Identity mgt, Authentic. & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
• DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
• RECOVER: Recovery Planning; Improvements; Communications
CSF Quality Controls, Risk & Compliance
Extract from NIST.SP.800-53r5 (CSF category: Risk Management Strategy, IDENTIFY function)
• Define Data/Information classification enabling risk analysis & reporting
• See “Cyber Security Risk Management”
CSF Quality Controls, Risk & Compliance
• Target Organisation should apply CSF & NIST.SP.800-53r5.
• The NIST.SP.800-53r5 document has been converted into a (Confluence) wiki,
• which makes it easier for Development and Operations, as well as Audit and Compliance, to incorporate the obligatory mechanisms.
• Use of capabilities and controls will evolve following the roadmap timeline.
• More discussion below.

Extract from NIST.SP.800-53r5 (CSF category: Identity mgt, Authentic. & Access Control, PROTECT function):
AC-2(1) Account Management | Automated System Account Management: Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2(2) Account Management | Automated Temporary and Emergency Account Management: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) Account Management | Disable Accounts: Disable accounts within [Assignment: organization-defined time period] when the accounts:
  (a) Have expired;
  (b) Are no longer associated with a user or individual;
  (c) Are in violation of organizational policy; or
  (d) Have been inactive for [Assignment: organization-defined time period].
AC-2(4) Account Management | Automated Audit Actions: Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) Account Management | Inactivity Logout: Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
Object type specific CSF controls
Environments (diagram): DEV, ACC/INTEG, TEST, PROD on premise and PROD in Cloud, separated by a network controller (FW)
• DEV/ACC-INTEG/PROD environments on separate network segments
• Data in DEV/ACC-INTEG is separated from PROD; privacy elements from production are forbidden
• Pseudonymisation in place
• All servers have valid certificate(s)
• Data in PROD doesn’t use test data
• Access rights on DEV/ACC-INTEG/PROD resources to be allocated through RBAC/PAM
• Monitoring on critical rights
Object type specific CSF controls
Dataflow diagram: Internal Source, Application A, Application B, External Source and a DB/Data Blob, with the flows labelled 1S/1T to 6S/6T; mobile app in sandbox
• Protect any interface/API from/to Internal Source (1S/2T)
• Protect any interface/API from/to Application A (1T/2S/3S/4T/5S/6T)
  => Application + Infrastructure certificates, HTTPS
• Encrypted dataflow
• Logged dataflow
• Any DB/Datablob at rest should be encrypted, including logs.
Object type specific CSF controls
Allocate controls to Object Types
• Per Asset, e.g. Application A
• Per API and API manager
• Per Platform – SaaS for Dev (CRM/Openshift/Outsystems/etc)
• Per Platform – IaaS (Azure/AWS/GCP)
• Per Platform – PaaS (CRM/OS/…)
• Per Solution (Azure AD/MS Dynamics/…)
Control list per Asset type/instance, assembled in Security patterns (diagram annotations: Cloud-IaaS (Azure/AWS/GCP/…), Cloud-PaaS (Application platforms); dataflow diagram repeated)
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – IaaS on/off premise
• AWS
• Azure
• GCP
• …
(Control list per Asset type/instance, assembled in Security patterns; dataflow diagram repeated)
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – PaaS on/off premise
• Linux
• MS Windows
• …
PaaS DEV/Hosting platform
• Odoo
• Joomla
• Openshift
• Outsystems
• CRM
• …
(Control list per Asset type/instance, assembled in Security patterns; dataflow diagram repeated)
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – SaaS
• Azure AD
• SaaS app 01 … n
(Control list per Asset type/instance, assembled in Security patterns; dataflow diagram repeated)
Add Cyber Security to WoW => SSDLC
• Convert Cyber Security controls into User stories & Epics, then code or config
• Keep track of each control throughout CICD using its control number.
Approximate steps:
• Threat modelling => DFD
• Software Architecture => Processing, Flows, Interfaces, APIs and IP##
• Business Analysis => user stories
• Development => software code
• Control suites => test, test, test and pentest
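As an added example (not from the slide deck), this Python module shows what the SSDLC slide means by turning a control into code tagged with its control number: the AC-2(2), AC-2(3) and AC-2(4) extract quoted earlier becomes a scheduled account-lifecycle job whose every decision cites the clause it enforces. The organization-defined periods, the "disable" selection for AC-2(2), and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The deck's date, used as "now" for the constructed sample run.
DECK_DATE = datetime(2022, 11, 23, tzinfo=timezone.utc)

# Organization-defined values. The control text leaves these as
# [Assignment: ...] and [Selection: ...] placeholders; the choices below are
# assumptions for this example, not values from the slide deck.
INACTIVITY_PERIOD = timedelta(days=90)          # AC-2(3)(d)
TEMP_ACCOUNT_LIFETIME = {                       # AC-2(2)
    "temporary": timedelta(days=30),
    "emergency": timedelta(hours=24),
}
# AC-2(2) [Selection: remove; disable]: this example selects "disable".


@dataclass
class Account:
    name: str
    kind: str                               # "regular", "temporary" or "emergency"
    created: datetime
    owner: Optional[str] = None             # None: no longer tied to a person, AC-2(3)(b)
    expires: Optional[datetime] = None      # AC-2(3)(a)
    last_login: Optional[datetime] = None   # AC-2(3)(d); None means never used
    policy_violation: bool = False          # AC-2(3)(c), set by a separate review
    enabled: bool = True


@dataclass
class AuditEvent:
    """AC-2(4): each disable action is recorded and tagged with its control number."""
    when: datetime
    account: str
    action: str
    control: str
    reason: str


def disable_reason(acct: Account, now: datetime) -> Optional[Tuple[str, str]]:
    """Return (control id, reason) if the account must be disabled, else None.

    Any single match is enough; the order only decides which clause is cited.
    """
    lifetime = TEMP_ACCOUNT_LIFETIME.get(acct.kind)
    if lifetime is not None and now - acct.created >= lifetime:
        return ("AC-2(2)", f"{acct.kind} account older than {lifetime}")
    if acct.expires is not None and now >= acct.expires:
        return ("AC-2(3)(a)", "account has expired")
    if acct.owner is None:
        return ("AC-2(3)(b)", "no longer associated with a user or individual")
    if acct.policy_violation:
        return ("AC-2(3)(c)", "in violation of organizational policy")
    last_use = acct.last_login or acct.created
    if now - last_use >= INACTIVITY_PERIOD:
        return ("AC-2(3)(d)", f"inactive for {INACTIVITY_PERIOD.days} days or more")
    return None


def enforce(accounts: List[Account], now: datetime) -> List[AuditEvent]:
    """Scheduled job: disable every enabled account matching AC-2(2)/AC-2(3).

    Running this job more often than the organization-defined "disable within"
    period is what meets the timing requirement of AC-2(3). The returned list
    is the AC-2(4) audit trail for this run; already-disabled accounts are
    skipped so a second run produces no duplicate events.
    """
    trail: List[AuditEvent] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        hit = disable_reason(acct, now)
        if hit is None:
            continue
        control, reason = hit
        acct.enabled = False
        trail.append(AuditEvent(now, acct.name, "disable", control, reason))
    return trail


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed test data (not real accounts) hitting each clause once."""
    d = timedelta
    return [
        Account("svc-build", "regular", now - d(days=400), owner="ci-team",
                last_login=now - d(days=2)),                              # compliant
        Account("contractor-7", "temporary", now - d(days=31), owner="x"),     # AC-2(2)
        Account("breakglass-1", "emergency", now - d(hours=25), owner="y"),    # AC-2(2)
        Account("jdoe", "regular", now - d(days=300), owner="jdoe",
                expires=now - d(days=1), last_login=now - d(days=3)),      # AC-2(3)(a)
        Account("orphan", "regular", now - d(days=300), owner=None,
                last_login=now - d(days=3)),                              # AC-2(3)(b)
        Account("svc-legacy", "regular", now - d(days=300), owner="ops",
                last_login=now - d(days=3), policy_violation=True),       # AC-2(3)(c)
        Account("asmith", "regular", now - d(days=300), owner="asmith",
                last_login=now - d(days=91)),                             # AC-2(3)(d)
    ]


if __name__ == "__main__":
    for ev in enforce(sample_accounts(DECK_DATE), DECK_DATE):
        print(f"{ev.when:%Y-%m-%d} {ev.control:<10} {ev.action} {ev.account}: {ev.reason}")
```

The control id carried on every AuditEvent is the same number the slide proposes for tracing a control through CICD, so the audit trail doubles as compliance evidence for AC-2(3) and AC-2(4).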
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs.
You can reach me @
• robert.kloots@mediqaid.eu
• Linkedin.com.in/kloots
• Thank you for browsing this slidedeck ;-)

More Related Content

Similar to CyberSec object types & controls Belay controls as close as possible to Way of Working

(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...apidays
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoringElasticsearch
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
 
Insuring Security for Outsourced Data Stored in Cloud Environment
Insuring Security for Outsourced Data Stored in Cloud EnvironmentInsuring Security for Outsourced Data Stored in Cloud Environment
Insuring Security for Outsourced Data Stored in Cloud EnvironmentEditor IJCATR
 
Identity-Based Distributed Provable Data Possession in Multicloud Storage
Identity-Based Distributed Provable Data Possession in Multicloud StorageIdentity-Based Distributed Provable Data Possession in Multicloud Storage
Identity-Based Distributed Provable Data Possession in Multicloud Storage1crore projects
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudPaaSword EU Project
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
Security Check in Cloud Computing through Third Party Auditor
Security Check in Cloud Computing through Third Party AuditorSecurity Check in Cloud Computing through Third Party Auditor
Security Check in Cloud Computing through Third Party Auditorijsrd.com
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Ryan Hodgin
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Brianna Johnson
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
SGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securitySGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securityAndy Bochman
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSIRJET Journal
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresIJRES Journal
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computingijcsa
 

Similar to CyberSec object types & controls Belay controls as close as possible to Way of Working (20)

(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoring
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
 
Insuring Security for Outsourced Data Stored in Cloud Environment
Insuring Security for Outsourced Data Stored in Cloud EnvironmentInsuring Security for Outsourced Data Stored in Cloud Environment
Insuring Security for Outsourced Data Stored in Cloud Environment
 
Identity-Based Distributed Provable Data Possession in Multicloud Storage
Identity-Based Distributed Provable Data Possession in Multicloud StorageIdentity-Based Distributed Provable Data Possession in Multicloud Storage
Identity-Based Distributed Provable Data Possession in Multicloud Storage
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
Security Check in Cloud Computing through Third Party Auditor
Security Check in Cloud Computing through Third Party AuditorSecurity Check in Cloud Computing through Third Party Auditor
Security Check in Cloud Computing through Third Party Auditor
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
SGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securitySGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data security
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computing
 

Recently uploaded

Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckHajeJanKamps
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...lizamodels9
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 

Recently uploaded (20)

Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 

CyberSec object types & controls Belay controls as close as possible to Way of Working

  • 1. CyberSec object types & controls Belay controls as close as possible to Way of Working Robert Kloots, Brussels Nov 2022 Available for Interim Management
  • 2. Topics  Main Cyber Security Goals  CSF policies, standards and guidelines  Cyber Security Framework (CSF)  CSF Quality Controls, Risk & Compliance  Object type specific CSF controls  Add Cyber Security to WoW => SSDLC 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 2
  • 3. Main Cyber Security Goals  Confidentiality  Integrity  Availability  Non-repudiation  Audit 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 3 Provision of Trust services Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. Audit is the mechanism through which proof is obtained and validated. Logging of (trans-) actions is actually the source on which auditing relies.
  • 4. CSF policies, standards and guidelines  Policies on right level of abstraction  Procedures and guidelines close to WoW  Many examples of best practices available  Dynamic set reflecting maturity of CICD and OPS. 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 4
  • 5. Cyber Security Framework (CSF) 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 5 IDENTIFY PROTECT DETECT RESPOND RECOVER
  • 6. Cyber Security Framework (CSF) 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others Asset Management Business Environment Governance IDENTIFY Risk Management Strategy Supply Chain Management Risk Assessment Identity mgt, Authentic. & Access Control Awareness and Training Data Security PROTECT Maintenance Protective Technology Info Protection Processes and Procedures Anomalies and Events Security Continuous Monitoring Detection Processes DETECT Response Planning Communicati ons Analysis RECOVER Improvements Mitigation Recovery Planning Improvements Communica- tions RESPOND 6
  • 7.  Define Data/Information classification enabling risk analysis & reporting  See “Cyber Security Risk Management” 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 7 CSF Quality Controls, Risk & Compliance Extract from NIST.SP.800-53r5 Risk Management Strategy IDENTIFY
  • 8.  Target Organisation should apply CSF & NIST.SP.800-53r5.  NIST.SP.800-53r5 document has been converted into (Confluence) wiki  Which facilitates both Development and Operations, as well as Audit and Compliance to incorporate the obligatory mechanisms  Use of capabilities and controls will evolve following the roadmap timeline.  More discussion below 23/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others 8 CSF Quality Controls, Risk & Compliance AC-2(1) Account Management | Automated System Account Management Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. AC-2(2) Account Management | Automated Temporary and Emergency Account Management Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. AC-2(3) Account Management | Disable Accounts Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. AC-2(4) Account Management | Automated Audit Actions Automatically audit account creation, modification, enabling, disabling, and removal actions. AC-2(5) Account Management | Inactivity Logout Require that users log out when [Assignment: organization- defined time period of expected inactivity or description of when to log out]. Extract from NIST.SP.800-53r5 Identity mgt, Authentic. & Access Control PROTECT
  • 9. Object type specific CSF controls
    (Diagram: environments PROD on premise, DEV, ACC/INTEG, TEST and PROD in Cloud, separated by a network controller (FW))
     DEV/ACC-INTEG/PROD environments on separate network segments
     Data in DEV/ACC-INTEG is separated from PROD; privacy elements from production are forbidden; pseudonymisation in place
     All servers have valid certificate(s)
     Data in PROD doesn’t use test data
     Access rights on DEV/ACC-INTEG/PROD resources to be allocated through RBAC/PAM
     Monitoring on critical rights
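The "privacy elements forbidden, pseudonymisation in place" control above is shown here as an added example (not code from the slide deck): PROD records are pseudonymised before they are copied to DEV/ACC-INTEG, and a gate rejects any export that still carries a raw privacy element. Field names, the key and the sample rows are constructed assumptions.

```python
# Added example, not from the slide deck: pseudonymise privacy elements of a PROD record
# before it is copied to DEV/ACC-INTEG, with a gate that rejects raw privacy elements.
# Field names and the key are constructed assumptions for this example.
import hashlib
import hmac

PRIVACY_FIELDS = {"name", "email", "national_id"}   # assumed classification
KEEP_FIELDS = {"customer_id", "country", "plan"}     # non-privacy, copied verbatim
PREFIX = "pseudo:"

def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: stable across records (joins keep working), not reversible without the key."""
    return PREFIX + hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def export_for_non_prod(record: dict, key: bytes) -> dict:
    """Build the DEV/ACC-INTEG copy; fields that are neither classified nor whitelisted are dropped."""
    out = {}
    for field, value in record.items():
        if field in PRIVACY_FIELDS:
            out[field] = pseudonym(str(value), key)
        elif field in KEEP_FIELDS:
            out[field] = value
        # default deny: unclassified fields never leave PROD
    return out

def check_no_privacy_elements(records: list) -> list:
    """Gate before loading into DEV/ACC-INTEG: list offending (row, field) pairs."""
    bad = []
    for i, rec in enumerate(records):
        for field in sorted(PRIVACY_FIELDS.intersection(rec)):
            if not str(rec[field]).startswith(PREFIX):
                bad.append((i, field))
    return bad

def run_example() -> tuple:
    key = b"constructed-demo-key-kept-in-prod-only"
    prod_rows = [  # constructed sample data, not real persons
        {"customer_id": 1, "name": "Jane Doe", "email": "jane@example.org",
         "national_id": "00.00.00-000.00", "country": "BE", "plan": "pro", "phone": "+32..."},
        {"customer_id": 2, "name": "Jane Doe", "email": "Jane@Example.org ", "country": "NL",
         "plan": "basic"},
    ]
    exported = [export_for_non_prod(r, key) for r in prod_rows]
    violations = check_no_privacy_elements(exported + [prod_rows[0]])  # last row is raw PROD data
    return exported, violations
```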
  • 10. Object type specific CSF controls
    (Diagram: dataflows between Internal Source, Application A, Application B, External Source and a DB/Data Blob, labelled 1S/1T … 6S/6T; mobile app in sandbox)
     Protect any interface/API from/to Internal Source (1S/2T)
     Protect any interface/API from/to Application A (1T/2S/3S/4T/5S/6T) => Application + Infrastructure certificates, HTTPS, encrypted dataflow, logged dataflow
     Any DB/Datablob at rest should be encrypted, including logs.
  • 11. Object type specific CSF controls
    Allocate controls to Object Types
    • Per Asset, e.g. Application A
    • Per API and API manager
    • Per Platform -- SaaS for Dev (CRM/Openshift/Outsystems/etc)
    • Per Platform -- IaaS (Azure/AWS/GCP)
    • Per Platform – PaaS (CRM/OS/…)
    • Per Solution – (Azure AD/MS Dynamics/…)
    Control list per Asset type/instance, assembled in Security patterns
    (Diagram: same dataflow diagram as slide 10, annotated with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms))
  • 12. Object type specific CSF controls
    Control list per Asset type/instance, assembled in Security patterns
    Allocate controls to Object Types – Per Platform – IaaS on/off premise
    • AWS
    • Azure
    • GCP
    • …
    (Diagram: same dataflow diagram as slide 10, annotated with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms))
  • 13. Object type specific CSF controls
    Control list per Asset type/instance, assembled in Security patterns
    Allocate controls to Object Types – Per Platform – PaaS on/off premise
    • Linux
    • MS Windows
    • …
    PaaS DEV/Hosting platform
    • Odoo
    • Joomla
    • Openshift
    • Outsystems
    • CRM …
    (Diagram: same dataflow diagram as slide 10, annotated with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms))
  • 14. Object type specific CSF controls
    Control list per Asset type/instance, assembled in Security patterns
    Allocate controls to Object Types – Per Platform – SaaS
    • Azure AD
    • SaaS app 01 … n
    (Diagram: same dataflow diagram as slide 10, annotated with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms))
  • 15. Add Cyber Security to WoW => SSDLC
     Convert Cyber Security controls into User stories & Epics, then code or config
     Keep track of each control throughout CICD using its control number. Approximate steps:
     Threat modelling => DFD
     Software Architecture => Processing, Flows, Interfaces, APIs and IP##
     Business Analysis => user stories
     Development => software code
     Control suites => test, test, test and pentest
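The "keep track of each control by its control number" step above, as an added example (not code from the slide deck): control numbers are pulled from user stories and from CI test names, so the pipeline can report which controls have passing evidence, which are failing and which have no test at all. The backlog items, test names and statuses are constructed; the AC-2(x) numbers are the NIST SP 800-53r5 identifiers quoted on slide 8.

```python
# Added example, not from the slide deck: trace each control number from user story to
# test evidence across the CICD pipeline. Story/test records are constructed; the
# AC-2(x) identifiers are the NIST SP 800-53r5 control enhancements quoted on slide 8.
import re

CONTROL_ID = re.compile(r"\b[A-Z]{2}-\d+(?:\(\d+\))?")  # e.g. AC-2, AC-2(3)

def controls_in(text: str) -> set:
    """Extract control numbers such as AC-2(3) from free text (stories, test names)."""
    return set(CONTROL_ID.findall(text))

def traceability(stories: list, tests: list) -> dict:
    """Map every control referenced by a story to the tests that claim it, flagging gaps."""
    wanted = {}
    for story in stories:
        for cid in controls_in(story["title"] + " " + story["acceptance"]):
            wanted.setdefault(cid, set()).add(story["id"])
    evidence = {}
    for t in tests:
        for cid in controls_in(t["name"]):
            evidence.setdefault(cid, []).append((t["name"], t["status"]))
    report = {}
    for cid, story_ids in wanted.items():
        runs = evidence.get(cid, [])
        report[cid] = {"stories": sorted(story_ids),
                       "tests": [n for n, _ in runs],
                       "status": "untested" if not runs else
                                 "failing" if any(s != "pass" for _, s in runs) else "pass"}
    return report

def run_example() -> dict:
    stories = [  # constructed backlog items
        {"id": "US-101", "title": "Disable inactive accounts [AC-2(3)]",
         "acceptance": "accounts inactive > 90 days are disabled and logged [AC-2(4)]"},
        {"id": "US-102", "title": "Log users out after inactivity [AC-2(5)]",
         "acceptance": "session ends after the organisation-defined idle period"},
    ]
    tests = [  # constructed CI results
        {"name": "test_inactive_accounts_disabled AC-2(3)", "status": "pass"},
        {"name": "test_disable_writes_audit_record AC-2(4)", "status": "fail"},
    ]
    return traceability(stories, tests)
```

A control with status "untested" is the signal that a user story was implemented without its control suite, which is exactly the gap the last step on this slide is meant to close.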
  • 16. Matchmaking Need and Mission
    You are welcome to check my availability to provide you with relevant Cyber Security Services matching your needs. You can reach me @
     robert.kloots@mediqaid.eu
     Linkedin.com.in/kloots
     Thank you for browsing this slidedeck ;-)