CyberSec object types & controls
Belay controls as close as possible to Way of Working
Robert Kloots, Brussels
Nov 2022
Available for Interim Management
Topics
• Main Cyber Security Goals
• CSF policies, standards and guidelines
• Cyber Security Framework (CSF)
• CSF Quality Controls, Risk & Compliance
• Object type specific CSF controls
• Add Cyber Security to WoW => SSDLC
23/11/2022
MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
2
Main Cyber Security Goals
• Confidentiality
• Integrity
• Availability
• Non-repudiation
• Audit
Provision of Trust services
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
Audit is the mechanism through which proof is obtained and validated. Logging of (trans)actions is actually the source on which auditing relies.
CSF policies, standards and guidelines
• Policies on the right level of abstraction
• Procedures and guidelines close to WoW
• Many examples of best practices available
• Dynamic set reflecting maturity of CICD and OPS.
Cyber Security Framework (CSF)
The five CSF functions:
• IDENTIFY
• PROTECT
• DETECT
• RESPOND
• RECOVER
Cyber Security Framework (CSF)
CSF functions and their categories (diagram on the slide):
• IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
• PROTECT: Identity mgt, Authentication & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
• DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
• RECOVER: Recovery Planning; Improvements; Communications
CSF Quality Controls, Risk & Compliance
Extract from NIST.SP.800-53r5 (CSF IDENTIFY: Risk Management Strategy)
• Define Data/Information classification enabling risk analysis & reporting
• See “Cyber Security Risk Management”
CSF Quality Controls, Risk & Compliance
• Target Organisation should apply CSF & NIST.SP.800-53r5.
• The NIST.SP.800-53r5 document has been converted into a (Confluence) wiki
• This facilitates both Development and Operations, as well as Audit and Compliance, in incorporating the obligatory mechanisms
• Use of capabilities and controls will evolve following the roadmap timeline.
• More discussion below
Extract from NIST.SP.800-53r5 (CSF PROTECT: Identity mgt, Authentication & Access Control)
AC-2(1) Account Management | Automated System Account Management
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2(2) Account Management | Automated Temporary and Emergency Account Management
Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) Account Management | Disable Accounts
Disable accounts within [Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for [Assignment: organization-defined time period].
AC-2(4) Account Management | Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) Account Management | Inactivity Logout
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
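Added here as a worked example (not code from the slide deck, nor NIST's): a scheduled account sweep that applies the AC-2(2) and AC-2(3) conditions quoted above with organization-defined time periods and writes the AC-2(4) audit trail for every disable/remove action. The Account and AuditRecord structures, the POLICY values and the sample directory are constructed assumptions; the calls to a real directory or IdM API are stand-ins that only update the in-memory record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:                          # constructed stand-in for a directory entry
    name: str
    kind: str                           # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]      # None => never logged in since creation
    owner: Optional[str] = None         # None => no longer tied to a user (AC-2(3)(b))
    expires: Optional[datetime] = None  # expiry date, if any (AC-2(3)(a))
    policy_violation: bool = False      # flagged by a policy check elsewhere (AC-2(3)(c))
    enabled: bool = True
    removed: bool = False


@dataclass
class AuditRecord:                      # AC-2(4): every disable/remove action is recorded
    when: datetime
    account: str
    action: str                         # "disable" or "remove"
    reason: str


# Organization-defined values for the [Assignment:] / [Selection:] placeholders in AC-2.
# Constructed for the demo; a real deployment takes them from its policy.
POLICY = {
    "inactivity_period": timedelta(days=90),                          # AC-2(3)(d)
    "temp_lifetime": {"temporary": timedelta(days=30),                # AC-2(2), per account type
                      "emergency": timedelta(hours=24)},
    "temp_action": {"temporary": "disable", "emergency": "remove"},   # AC-2(2) [Selection]
}


def ac2_2_reason(acct: Account, now: datetime, policy: Dict) -> Optional[str]:
    """AC-2(2): temporary/emergency account past its organization-defined lifetime."""
    lifetime = policy["temp_lifetime"].get(acct.kind)
    if lifetime is not None and now - acct.created >= lifetime:
        return f"AC-2(2) {acct.kind} account older than {lifetime}"
    return None


def ac2_3_reason(acct: Account, now: datetime, policy: Dict) -> Optional[str]:
    """AC-2(3): first matching disable condition (a)-(d), or None if the account is fine."""
    if acct.expires is not None and now >= acct.expires:
        return "AC-2(3)(a) account expired"
    if acct.owner is None:
        return "AC-2(3)(b) no longer associated with a user"
    if acct.policy_violation:
        return "AC-2(3)(c) in violation of organizational policy"
    last_activity = acct.last_login or acct.created
    if now - last_activity >= policy["inactivity_period"]:
        return "AC-2(3)(d) inactive for longer than the inactivity period"
    return None


def sweep(accounts: List[Account], now: datetime, policy: Dict = POLICY) -> List[AuditRecord]:
    """One scheduled pass: evaluate every enabled account, disable/remove as the
    policy dictates, and return the AC-2(4) audit trail for the actions taken.
    Already-disabled accounts are skipped, so repeated runs are idempotent."""
    trail: List[AuditRecord] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        reason = ac2_2_reason(acct, now, policy)
        action = policy["temp_action"][acct.kind] if reason else None
        if reason is None:
            reason = ac2_3_reason(acct, now, policy)
            action = "disable" if reason else None
        if action is None:
            continue
        acct.enabled = False                  # stand-in for the directory "disable" call
        if action == "remove":
            acct.removed = True               # stand-in for the directory "remove" call
        trail.append(AuditRecord(now, acct.name, action, reason))
    return trail


def demo() -> List[AuditRecord]:
    """Constructed sample directory evaluated at a fixed 'now' (the slide's date)."""
    now = datetime(2022, 11, 23, 12, 0, tzinfo=timezone.utc)
    d = timedelta
    accounts = [
        Account("alice", "regular", now - d(days=400), now - d(days=3), owner="alice"),
        Account("svc-legacy", "regular", now - d(days=400), now - d(days=120), owner="it-ops"),
        Account("bob", "regular", now - d(days=200), now - d(days=1), owner=None),
        Account("contractor7", "regular", now - d(days=60), now - d(hours=2), owner="vendor",
                expires=now - d(days=1)),
        Account("tmp-migration", "temporary", now - d(days=31), now - d(days=1), owner="dba"),
        Account("break-glass", "emergency", now - d(hours=30), now - d(hours=29), owner="soc"),
        Account("carol", "regular", now - d(days=10), now - d(days=2), owner="carol",
                policy_violation=True),
    ]
    return sweep(accounts, now)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.when.isoformat()} {rec.action:<7} {rec.account:<14} {rec.reason}")
```

Only "alice" survives the sweep; each of the other six accounts hits exactly one quoted condition, and the returned records are the evidence an auditor would ask for under AC-2(4).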
Object type specific CSF controls
Environment diagram: DEV, ACC/INTEG, TEST, PROD on premise and PROD in Cloud, separated by a Network controller (FW).
• DEV/ACC-INTEG/PROD environments on separate network segments
• Data in DEV/ACC-INTEG is separated from PROD; privacy elements from production forbidden
• Pseudonymisation in place
• All servers have valid certificate(s)
• Data in PROD doesn’t use test data
• Access rights on DEV/ACC-INTEG/PROD resources to be allocated through RBAC/PAM
• Monitoring on critical rights
Object type specific CSF controls
Data-flow diagram: Internal Source, Application A, Application B, External Source, DB / Data Blob; interfaces labelled 1S/1T, 2S/2T, 3S/3T, 4S/4T, 5S/5T, 6S/6T; Mobile app in sandbox.
• Protect any interface/API from/to Internal Source (1S/2T)
• Protect any interface/API from/to Application A (1T/2S/3S/4T/5S/6T)
  => Application + Infrastructure certificates, HTTPS
• Encrypted dataflow
• Logged dataflow
• Any DB/Datablob at rest should be encrypted, including logs.
Object type specific CSF controls
Allocate controls to Object Types
• Per Asset, e.g. Application A
• Per API and API manager
• Per Platform – SaaS for Dev (CRM/Openshift/Outsystems/etc)
• Per Platform – IaaS (Azure/AWS/GCP)
• Per Platform – PaaS (CRM/OS/…)
• Per Solution – Azure AD/MS Dynamics/…
Control list per Asset type/instance, assembled in Security patterns.
Diagram: the same data-flow diagram (Internal Source, Application A, Application B, External Source, DB / Data Blob, interfaces 1S/1T … 6S/6T) overlaid with the Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms) layers.
Object type specific CSF controls
Control list per Asset type/instance, assembled in Security patterns.
Allocate controls to Object Types
Per Platform – IaaS on/off premise
• AWS
• Azure
• GCP
• …
Diagram: the same data-flow diagram (Internal Source, Application A, Application B, External Source, DB / Data Blob, interfaces 1S/1T … 6S/6T) overlaid with the Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms) layers.
Object type specific CSF controls
Control list per Asset type/instance, assembled in Security patterns.
Allocate controls to Object Types
Per Platform – PaaS on/off premise
• Linux
• MS Windows
• …
PaaS DEV/Hosting platform
• Odoo
• Joomla
• Openshift
• Outsystems
• CRM
• …
Diagram: the same data-flow diagram (Internal Source, Application A, Application B, External Source, DB / Data Blob, interfaces 1S/1T … 6S/6T) overlaid with the Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms) layers.
Object type specific CSF controls
Control list per Asset type/instance, assembled in Security patterns.
Allocate controls to Object Types
Per Platform – SaaS
• Azure AD
• SaaS app 01 … n
Diagram: the same data-flow diagram (Internal Source, Application A, Application B, External Source, DB / Data Blob, interfaces 1S/1T … 6S/6T) overlaid with the Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (Application platforms) layers.
Add Cyber Security to WoW => SSDLC
• Convert Cyber Security controls into User stories & Epics, then code or config
• Keep track of each control throughout CICD using its control number.
Approximate steps:
• Threat modelling => DFD
• Software Architecture => Processing, Flows, Interfaces, APIs and IP##
• Business Analysis => user stories
• Development => software code
• Control suites => test, test, test and pentest
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs.
You can reach me @
• robert.kloots@mediqaid.eu
• Linkedin.com.in/kloots
• Thank you for browsing this slidedeck ;-)
