SlideShare a Scribd company logo

20 Security Controls for the Cloud

NetStandard
NetStandard

NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.

Technology
1 of 32
Download to read offline
20 Critical Security Controls for the Cloud John Leek, CTO NetStandard
How Much Security Is Enough? Risk Types: • Strategy • Demand • Market • Implementation • Performance Cost Drivers: • Price • Service levels • Specifications • Policies • Velocity
20 Security Controls for the Cloud http://www.sans.org/critical-security-controls/
#1: Know Your Physical Devices
Your Physical Devices Source: SANS Institute 1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where IaaS or PaaS is engaged, implement controls to monitor performance and review logs to ensure services remain secure.
Hardware: The Nightmare to Come… the Internet of Things
#2: Know Your Software Company 1 Company 2 Manufacturing Company 3 Media Company Company 1 Cloud Voice Businesses now have many cloud apps 1. Document known business application inventory 2. Empowered users require extra effort to identify. all known applications in use. 3. Maintain whitelist of applications. 4. Create alerts for new applications that are used outside the inventory. 5. Create an “application authorization process,” including a process to evaluate application security requirements.
#3: Secure All Devices Build secure configurations on each of the devices (servers, desktops, laptops, mobile devices). 1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where Infrastructure-as-a-Service cloud services are engaged, implement standards to deploy secure configurations. 3. Coordinate with cloud provider to see if they have pre-hardened server images.
Secure Devices: Responsibility Matrix MSP IaaS SaaS Patching  Customer Hosting Provider Removing Unnecessary Services, Applications and Network  Customer Hosting Provider Configure OS User Authentication, Enforce Password/ Password Complexity Rules  Customer Hosting Provider Coordinated with Customer Configure Resource Controls  Customer Hosting Provider
Source: SANS Institute #4: Continuously Scan for Vulnerabilities and Remediate Them 1. Review cloud provider’s SSAE16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where IaaS or PaaS is in place, implement controls to scan for vulnerabilities. 3. Coordinate scans with your cloud hoster to ensure their tools don’t highlight the scans as an attack.
#5: Implement Malware Defenses Source: SANS Institute 1. Review the SSAE 16 to understand the cloud provider’s antimalware defense offerings. 2. Ensure your cloud agreement includes antimalware defenses. 3. Implement mitigating controls.
Source: SANS Institute #6: Implement Application Security 1. Review cloud services; understand controls placed by cloud provider (if any). 2. Review application and data risks. 3. Analyze risks. 4. Mitigate residual risks.
Source: SANS Institute #7: Wireless Access Control 1. Cloud-based Wi-Fi controllers are emerging as part of virtual networking strategies. 2. Remote offices may receive Wi-Fi services from WAN providers. 3. Ensure security controls are enforced.
Source: Fortinet Wireless Access Control
Wireless Access Control
#8: Data Recovery Capability 1. Review the cloud provider’s controls. 2. Analyze risks. 3. Understand data backup and replication. 4. Design mitigating controls.
#9: Security Skill Gap Assessment and Training • Follow same process whether in the cloud or on premise. • Review cloud provider’s SSAE 16 controls to ensure controls you require are in place. • If controls are missing at the cloud provider, work with them to address through SLA adjustments. For information on the skill gap analysis, see: http://www.counciloncybersecurity.org/practice-areas/people
Source: SANS Institute #10: Secure Network Configurations 1. Review roster of cloud-based services. 2. Secure all devices that may access cloud services. 3. Work with cloud provider to understand their security posture and mitigate risks as necessary.
#11: Control Network Ports, Protocols and Services Source: SANS Institute 1. Review roster of cloud-based services. 2. Document required network ports, protocols and services that must be in use. 3. Review the risks and apply controls to mitigate those risks.
#12: Control Use of Privileged Accounts 1. Review roster of cloud-based services. 2. Document privileged accounts and who must have access. 3. Understand cloud provider’s controls and work with them to reduce risk. In some cases, cloud provider will maintain control.
#13: Boundary Defense 1. Understand the cloud application’s security. 2. Manage what can be controlled. 3. Identify gaps. 4. Review gaps with hosting provider. 5. Address residual risk.
#14: Maintenance, Monitoring and Analysis of Audit Logs 1. Understand the cloud application’s security. 2. Manage what can be controlled. 3. Identify gaps. 4. Review gaps with hosting provider. 5. Address residual risk.
Security Event and Correlation Management Internet Firewall Intrusion PreventionEvent Correlation Engine (SIEM) SIEM TECHNOLOGY aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real- time security monitoring, historical analysis and other support for incident investigation and compliance reporting. DOS SHIELD DETECTS WHEN ACTIVE ATTACKS BEGIN TO CONSUME LARGE AMOUNTS OF THE NETWORK'S BANDWIDTH, AND IMMEDIATELY BLOCK THEM. LEGITIMATE TRAFFIC PROCEEDS NORMALLY. BGP Router WAFS DataBase Server WEB Server With Anti-Malware DoS Pattern Filter 1. Engineer how you will review/aggregate logs across all cloud environments associated with your company. 2. Work with cloud provider to understand reports and services that can be provided and/or recommended. Maintenance, Monitoring and Analysis of Audit Logs
#15: Control Access Based on “Need to Know” 1. Review roster of cloud applications and establish granular access controls based upon data classification matrix. 2. Work with cloud provider to understand reporting or rights review tools that may be available.
#16: Account Monitoring and Control 1. Review roster of cloud applications and document account monitoring and control procedures. 2. Work with cloud provider to understand reports that can be provided.
Account Monitoring and Control
#17: Data Loss Prevention 1. Ensure controls are in place, including rules for encrypting data that is commonly shared outside the organization. 2. Understand the cloud provider’s offering to ensure it complies with standards. If it doesn’t, work with cloud provider to improve controls.
#18: Incident Response 2014 Common Attack Sources
Incident Response and Management 1. Review the cloud provider’s Security Incident Response Plan. 2. Contact cloud provider to discuss how customers will be engaged in incident response.
#19: Engineer Security 1. Review the SSAE 16 for all cloud providers. 2. Perform vendor management. 3. Understand the security of the hosted application and how it will be accessed.
#20: Penetration Tests and Red Team Exercises 1. Review the SSAE 16 for all cloud providers to obtain 3rd party verification of the effectiveness of the control. 2. Do not use hosters who do not have this control.
Next Steps • Review your security programs and enhance them to address cloud controls. • Review SAN’s Institute’s data to look at suggested metrics and detailed process steps. • Encourage your company leaders to engage the security team for assessment before they implement a cloud-based application. • The cloud is hear to stay; we must adapt our processes and controls. • For a copy of the presentation, please leave your card with me.

Recommended

The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud projectPetteri Heino
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 

Recommended

The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud projectPetteri Heino
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmasterHafid CHEBRAOUI
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...Risk Analysis Consultants, s.r.o.
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG ReportPriyanka Aash
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlienVault
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited ResourcesLogRhythm
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...James W. De Rienzo
 
Security of,for & by cloud
Security of,for & by cloudSecurity of,for & by cloud
Security of,for & by cloudLakshmi Subramanian
 

More Related Content

What's hot

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...Risk Analysis Consultants, s.r.o.
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlienVault
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited ResourcesLogRhythm
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 

What's hot (20)

Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG Report
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligence
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure Infrastructure
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 

Viewers also liked

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...James W. De Rienzo
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)James W. De Rienzo
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)James W. De Rienzo
 
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...James W. De Rienzo
 
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...James W. De Rienzo
 
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...James W. De Rienzo
 
Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4James W. De Rienzo
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJob aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJames W. De Rienzo
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...James W. De Rienzo
 
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)James W. De Rienzo
 
Information Security Fundamentals
Information Security FundamentalsInformation Security Fundamentals
Information Security FundamentalsJames W. De Rienzo
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...James W. De Rienzo
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)James W. De Rienzo
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...James W. De Rienzo
 

Viewers also liked (20)

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
 
Security of,for & by cloud
Security of,for & by cloudSecurity of,for & by cloud
Security of,for & by cloud
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
 
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
 
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
 
Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJob aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
 
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
 
Information Security Fundamentals
Information Security FundamentalsInformation Security Fundamentals
Information Security Fundamentals
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
 
CNDSP Assessment Template
CNDSP Assessment TemplateCNDSP Assessment Template
CNDSP Assessment Template
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 

Similar to 20 Security Controls for the Cloud

Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxLokNathRegmi1
 
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...cyberprosocial
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAmazon Web Services
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...cyberprosocial
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat managementRajendra Menon
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attackAnalynk Wireless, LLC
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackCTi Controltech
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
 
Application security Best Practices Framework
Application security Best Practices FrameworkApplication security Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfElanusTechnologies
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfsarah david
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxsarah david
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issuesAleem Mohammed
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 

Similar to 20 Security Controls for the Cloud (20)

Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptx
 
User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016
 
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
Fortifying the Digital Sky: Exploring the Application of Cybersecurity for Cl...
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS Cloud
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...
Fortifying the Digital Sky Exploring the Application of Cybersecurity for Clo...
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attack
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber security
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Application security Best Practices Framework
Application security Best Practices FrameworkApplication security Best Practices Framework
Application security Best Practices Framework
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 

Recently uploaded

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

20 Security Controls for the Cloud

  • 1. 20 Critical Security Controls for the Cloud John Leek, CTO NetStandard
  • 2. How Much Security Is Enough? Risk Types: • Strategy • Demand • Market • Implementation • Performance Cost Drivers: • Price • Service levels • Specifications • Policies • Velocity
  • 3. 20 Security Controls for the Cloud http://www.sans.org/critical-security-controls/
  • 5. Your Physical Devices Source: SANS Institute 1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where IaaS or PaaS is engaged, implement controls to monitor performance and review logs to ensure services remain secure.
  • 6. Hardware: The Nightmare to Come… the Internet of Things
  • 7. #2: Know Your Software Company 1 Company 2 Manufacturing Company 3 Media Company Company 1 Cloud Voice Businesses now have many cloud apps 1. Document known business application inventory 2. Empowered users require extra effort to identify. all known applications in use. 3. Maintain whitelist of applications. 4. Create alerts for new applications that are used outside the inventory. 5. Create an “application authorization process,” including a process to evaluate application security requirements.
  • 8. #3: Secure All Devices Build secure configurations on each of the devices (servers, desktops, laptops, mobile devices). 1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where Infrastructure-as-a-Service cloud services are engaged, implement standards to deploy secure configurations. 3. Coordinate with cloud provider to see if they have pre-hardened server images.
  • 9. Secure Devices: Responsibility Matrix MSP IaaS SaaS Patching  Customer Hosting Provider Removing Unnecessary Services, Applications and Network  Customer Hosting Provider Configure OS User Authentication, Enforce Password/ Password Complexity Rules  Customer Hosting Provider Coordinated with Customer Configure Resource Controls  Customer Hosting Provider
  • 10. Source: SANS Institute #4: Continuously Scan for Vulnerabilities and Remediate Them 1. Review cloud provider’s SSAE16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls. 2. Where IaaS or PaaS is in place, implement controls to scan for vulnerabilities. 3. Coordinate scans with your cloud hoster to ensure their tools don’t highlight the scans as an attack.
  • 11. #5: Implement Malware Defenses Source: SANS Institute 1. Review the SSAE 16 to understand the cloud provider’s antimalware defense offerings. 2. Ensure your cloud agreement includes antimalware defenses. 3. Implement mitigating controls.
  • 12. Source: SANS Institute #6: Implement Application Security 1. Review cloud services; understand controls placed by cloud provider (if any). 2. Review application and data risks. 3. Analyze risks. 4. Mitigate residual risks.
  • 13. Source: SANS Institute #7: Wireless Access Control 1. Cloud-based Wi-Fi controllers are emerging as part of virtual networking strategies. 2. Remote offices may receive Wi-Fi services from WAN providers. 3. Ensure security controls are enforced.
  • 16. #8: Data Recovery Capability 1. Review the cloud provider’s controls. 2. Analyze risks. 3. Understand data backup and replication. 4. Design mitigating controls.
  • 17. #9: Security Skill Gap Assessment and Training • Follow same process whether in the cloud or on premise. • Review cloud provider’s SSAE 16 controls to ensure controls you require are in place. • If controls are missing at the cloud provider, work with them to address through SLA adjustments. For information on the skill gap analysis, see: http://www.counciloncybersecurity.org/practice-areas/people
  • 18. Source: SANS Institute #10: Secure Network Configurations 1. Review roster of cloud-based services. 2. Secure all devices that may access cloud services. 3. Work with cloud provider to understand their security posture and mitigate risks as necessary.
  • 19. #11: Control Network Ports, Protocols and Services Source: SANS Institute 1. Review roster of cloud-based services. 2. Document required network ports, protocols and services that must be in use. 3. Review the risks and apply controls to mitigate those risks.
  • 20. #12: Control Use of Privileged Accounts 1. Review roster of cloud-based services. 2. Document privileged accounts and who must have access. 3. Understand cloud provider’s controls and work with them to reduce risk. In some cases, cloud provider will maintain control.
  • 21. #13: Boundary Defense 1. Understand the cloud application’s security. 2. Manage what can be controlled. 3. Identify gaps. 4. Review gaps with hosting provider. 5. Address residual risk.
  • 22. #14: Maintenance, Monitoring and Analysis of Audit Logs 1. Understand the cloud application’s security. 2. Manage what can be controlled. 3. Identify gaps. 4. Review gaps with hosting provider. 5. Address residual risk.
  • 23. Security Event and Correlation Management Internet Firewall Intrusion PreventionEvent Correlation Engine (SIEM) SIEM TECHNOLOGY aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real- time security monitoring, historical analysis and other support for incident investigation and compliance reporting. DOS SHIELD DETECTS WHEN ACTIVE ATTACKS BEGIN TO CONSUME LARGE AMOUNTS OF THE NETWORK'S BANDWIDTH, AND IMMEDIATELY BLOCK THEM. LEGITIMATE TRAFFIC PROCEEDS NORMALLY. BGP Router WAFS DataBase Server WEB Server With Anti-Malware DoS Pattern Filter 1. Engineer how you will review/aggregate logs across all cloud environments associated with your company. 2. Work with cloud provider to understand reports and services that can be provided and/or recommended. Maintenance, Monitoring and Analysis of Audit Logs
  • 24. #15: Control Access Based on “Need to Know” 1. Review roster of cloud applications and establish granular access controls based upon data classification matrix. 2. Work with cloud provider to understand reporting or rights review tools that may be available.
  • 25. #16: Account Monitoring and Control 1. Review roster of cloud applications and document account monitoring and control procedures. 2. Work with cloud provider to understand reports that can be provided.
  • 27. #17: Data Loss Prevention 1. Ensure controls are in place, including rules for encrypting data that is commonly shared outside the organization. 2. Understand the cloud provider’s offering to ensure it complies with standards. If it doesn’t, work with cloud provider to improve controls.
  • 28. #18: Incident Response 2014 Common Attack Sources
  • 29. Incident Response and Management 1. Review the cloud provider’s Security Incident Response Plan. 2. Contact cloud provider to discuss how customers will be engaged in incident response.
  • 30. #19: Engineer Security 1. Review the SSAE 16 for all cloud providers. 2. Perform vendor management. 3. Understand the security of the hosted application and how it will be accessed.
  • 31. #20: Penetration Tests and Red Team Exercises 1. Review the SSAE 16 for all cloud providers to obtain 3rd party verification of the effectiveness of the control. 2. Do not use hosters who do not have this control.
  • 32. Next Steps • Review your security programs and enhance them to address cloud controls. • Review SAN’s Institute’s data to look at suggested metrics and detailed process steps. • Encourage your company leaders to engage the security team for assessment before they implement a cloud-based application. • The cloud is hear to stay; we must adapt our processes and controls. • For a copy of the presentation, please leave your card with me.