The document provides an overview of an authentic intelligence data security assessment service. It discusses the rationale for such a service and outlines an iterative approach involving identifying, assessing, analyzing, and formulating strategies for risks across 8 key areas affecting internal security. These areas are then evaluated in terms of confidentiality, integrity and availability. The process, deliverables, costs and additional services are also summarized.
Page 1 of 5
AUTHENTIC INTELLIGENCE
DATA SECURITY ASSESSMENT SERVICE
RATIONALE
The overwhelming number of inside-out vulnerabilities on most corporate networks requires a risk-driven cost/benefit approach to prioritize and address them.
It is far more important to have insight into and control over what leaves your network than what comes in.
Many vulnerabilities are easily fixed without extensive effort once they are identified.
Regulatory policy as well as asset exposure drives priorities and must be recognized and accounted for based on the organizational profile.
Other vulnerabilities need to be evaluated in terms of multiple mitigation approaches, including third-party services or products, in-house solutions, and acceptable use policy changes. Decisions need to be made based on the time and cost to implement relative to the security risks.
A point-in-time assessment is valuable, but ongoing assessment is needed as assets, risks, and policies all change rapidly.
APPROACH
Address the 3 areas of security described by the International Information Systems Security Certification Consortium (ISC2) [i] – Confidentiality, Integrity, and Availability (CIA).
Iterative approach based on a cycle of identification, assessment, analysis, and strategy formulation.
Matrix of risks across 8 key areas affecting inside-out security:
o Databases
o Files
o Servers
o Environments
o Applications
o Client devices
o Account Management
o Personnel and Training
These areas are identified, assessed, analyzed, and targeted for remediation in regard to policies, vulnerabilities, and potential controls, including monitoring and prevention strategies.
Page 2 of 5
EVALUATION OF COMPONENTS BY AREA
Confidentiality Integrity Availability
Databases
o Sensitive content identified & encrypted
o Role-based access control
o Unnecessary data exposure
o Row level auditing
o Row/Column level ownership enforcement
o Data distribution latencies, synchronization, & conflict resolution
o Resource governance
o Port exposure
o Security delegation
o Backup aligned to business
o Q/A environment
o Staging & rollback
o Recoverability testing
o High availability strategy
Files
o Exposure of sensitive business information
o Exposure of sensitive credential information
o Folder & file level permissions
o Change tracking
o Workflow controls
o Delegation of content control & change approval
o Backup aligned to business needs
o Recoverability testing
o High availability strategy
Servers
o Remote access controls
o Content-oriented access controls
o Role-based permissions
o O/S patch levels
o O/S vulnerabilities
o Use of least privilege for service accounts (LUA)
o Port exposure
o Backup aligned to business
o Recoverability testing
o High availability strategy
o Template-based imaging
Environments
o Credential protection
o Secure transport (SSL)
o Protective content barriers
o Sensitive content detection with automated obfuscation
o Non-repudiation with source credential tracking
o Adequate Q/A environment
o Staging & rollback
o PKI governance
o Installation/configuration automation
o Complete environment snapshot capability
Applications
o Best practices for endpoints, credential storage, & key management
o Audit trails
o Non-repudiation across tiers
o Least privileged application account
o Security patch strategy
o Automated deployment
o Scalability support including failover & load balancing capabilities
o Port exposure profile and DoS risks
Client Devices
o Organizational security policy enforcement
o Multi-factor authentication enforcement
o Encryption policy
o Non-repudiation for all services utilized from device
o Server-level auditing
o Policies/procedures for lost or stolen devices
o Server-based backup automation
Account Management & Personnel Management
o Role-based
o Least-user privilege needed
o Delegation infrastructure
o Auditing
o Delegation based on business structure
o Group membership
o Shared responsibilities
o Role-based training
Page 3 of 5
PROCESS
IDENTIFY
Personnel: Interview individuals as well as groups. Obtain key information in an anonymous, non-threatening fashion to promote accuracy for the assessment. Interview across all groups: IT infrastructure, developers, database administrators, users, network administrators, and policy makers. Ensure appropriate containership (granting privileges to groups and roles rather than to individual users), delegated security management, and sufficient policies for password/multi-factor authentication. Verify that the necessary security training is in place based on individual and group roles.
Databases: Identify over-privileged accounts, unpatched or vulnerable instances, unencrypted sensitive information, unsecured partitions of data whether horizontal (by row) or vertical (by column), lack of adequate auditing, lack of instance protection (non-use of a resource governor or other controls to limit denial of service), status of high-availability implementation, and backup and recovery controls.
File systems: Over-privileged users, exposed credentials, sensitive content, lack of adequate access control lists, and file change tracking.
Servers: Over-privileged service accounts, unsecured pathways between servers and environments (e.g. a database server exposed directly to clients instead of only to a gateway application server), and backup and recovery controls.
Applications: Lack of best practices in the areas of encryption, auditing, role-based security, high availability, adequate test and development environments, code configuration management, Q/A process, and use of secure coding techniques.
Client devices: Multi-factor authentication, over-privileged accounts for services on devices, and password and encryption protections.
Environments: Controls on moving information between environments; adequate/realistic testing, staging, disaster recovery testing, and development environments; and separation of environments.
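As an added example (not part of the Authentic Intelligence offering or its assessment software), the following read-only T-SQL script inventories several of the database findings named in the IDENTIFY step on a Microsoft SQL Server instance: logins holding fixed server roles, SQL logins that bypass password policy, user databases without encryption at rest, a missing server audit, a disabled Resource Governor, stale full backups, service accounts, and the patch level. It assumes SQL Server 2016 or later and a login holding VIEW SERVER STATE, VIEW ANY DEFINITION, and read access to msdb; the 7-day backup window and the "finding" labels are constructed choices, not values from the page.

```sql
-- Added example: read-only inventory of database findings from the IDENTIFY step.
-- Not part of the page's assessment software. Assumes SQL Server 2016+ and a login
-- with VIEW SERVER STATE, VIEW ANY DEFINITION and read access to msdb.
SET NOCOUNT ON;

-- 1. Over-privileged accounts: every enabled login holding a high-privilege
--    fixed server role (compare against the documented role-based model).
SELECT 'OverPrivilegedLogin' AS finding,
       m.name      AS login_name,
       m.type_desc AS login_type,
       r.name      AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.is_disabled = 0
  AND r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'dbcreator')
ORDER BY r.name, m.name;

-- 2. SQL logins that bypass the Windows password policy or expiration rules.
SELECT 'WeakPasswordPolicy' AS finding, name AS login_name,
       is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 3. Sensitive information unencrypted: user databases without TDE at rest,
--    or whose encryption scan has not finished (encryption_state 3 = encrypted).
SELECT 'NoEncryptionAtRest' AS finding, d.name AS database_name,
       d.is_encrypted, k.encryption_state
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.database_id > 4                       -- skip master, tempdb, model, msdb
  AND (d.is_encrypted = 0 OR ISNULL(k.encryption_state, 0) <> 3);

-- 4. Lack of adequate auditing: no enabled SQL Server Audit object on the instance.
SELECT 'NoServerAudit' AS finding, 'instance' AS scope
WHERE NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE is_state_enabled = 1);

-- 5. Lack of instance protection: Resource Governor disabled, so no workload
--    limits exist to contain a runaway or denial-of-service query load.
SELECT 'ResourceGovernorOff' AS finding, is_enabled
FROM sys.resource_governor_configuration
WHERE is_enabled = 0;

-- 6. Backup and recovery controls: online user databases with no full backup
--    in the last 7 days (constructed threshold; align it to the business RPO).
SELECT 'StaleFullBackup' AS finding, d.name AS database_name,
       MAX(b.backup_finish_date) AS last_full_backup
FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b
       ON b.database_name = d.name AND b.type = 'D'   -- 'D' = full database backup
WHERE d.database_id > 4 AND d.state_desc = 'ONLINE'
GROUP BY d.name
HAVING MAX(b.backup_finish_date) IS NULL
    OR MAX(b.backup_finish_date) < DATEADD(DAY, -7, GETDATE());

-- 7. Service accounts: which account each SQL service runs as, so built-in
--    high-privilege accounts can be replaced with least-privilege ones.
SELECT 'ServiceAccount' AS finding, servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 8. Patch level, to compare against the vendor's current cumulative update.
SELECT 'PatchLevel' AS finding,
       SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;
```

Each result set carries a `finding` label so the rows can be loaded straight into a findings matrix. Row- and column-level partition checks (sys.security_policies, column-level permissions) are database-scoped rather than instance-scoped, so they need a per-database loop that this instance-level script deliberately leaves out.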
ASSESS
Enumerate all of the above in regard to vulnerabilities found and rate the risks based on policies relevant to the organization.
ANALYZE
Analyze all areas to rate the risks and the costs to mitigate, with scoring in ranked, point, and dollar fashion.
STRATEGIZE
Define potential remediation and integration strategies, including a high-level project plan for integrating multiple solutions that may have dependencies.
Prioritize and identify mitigation options.
REPORT
Implement a Microsoft™ [ii] Power BI dashboard, or help deploy a dashboard to an internal Microsoft SharePoint site.
Provide a comprehensive detailed report for all of the findings along with recommendation strategies
Page 4 of 5
DELIVERABLES
Matrix reports by CIA across each area, with sub-items for the various tasks and the grades, potential costs due to risks, and costs to mitigate.
Implement a Power BI interface with a gateway to auto-update from the customer's assets through implementation of scripts to search for and identify the various types of assets operating on the network. For some asset types, such as people and environment, along with policies and strategies, a web interface will be provided as well as a drop file location for comma-delimited files to upload into the system.
COSTS AND DELIVERY OPTIONS
Service costs: $35,000 - $50,000 depending on organizational size, performed over a 3 - 5 week period. The offering is customizable and may be performed on an hourly basis with rates varying from $150.00 to $250.00 per hour depending on the particular components desired. Customers that choose a level of service which meets the $35,000 minimum will be provided an automated process for the Power BI system to automatically update asset information based on the corporate assets. The customer may also choose deployment of an in-house SharePoint infrastructure for Power View to achieve similar capability using Microsoft Power View without Power BI. In such case the quick insights and guided Question/Answer features are not provided. The organization will receive free patches and upgrades to the assessment software implemented. Follow-on work may be contracted to resolve specific security areas.
MICROSOFT POWER BI SECURITY ASSESSMENT EXAMPLE
Page 5 of 5
OTHER SERVICES
In addition to the data security assessment service, we offer the following additional services on a fixed-price or hourly basis. Hourly rates vary between $150.00 and $250.00 depending on the level of expertise, duration of engagement, and travel requirements/expenses.
Operational Efficiency Data Audit – Focuses on the data flows within an organization, including the physical and technical constraints that result in inefficiencies. Provides identification of choke points, inside data security vulnerabilities, inadequate audit controls, data quality issues, concurrency and consistency problems, and inadequate analytic support, along with recommendations for resolution.
Custom Training – Microsoft Certified training delivered in a mentorship venue that works around staff availability to help individuals gain training to improve job performance and acquire job-related credentials. Training delivery is provided in most areas related to Microsoft data and platform, including Azure, Hyper-V, and SQL Server, as well as introductory topics in data science.
Chief Technology Officer contract consulting – Act as a CTO advisor, particularly well-suited to technology startup companies that have an inadequate budget for a full-time CTO or require short-term assistance to verify their vision and define a technological approach aligned to business goals.
DBA Supercharge service – Delivered by a Microsoft Certified Master with 20 years' experience in SQL Server to rapidly resolve performance issues; automate instance and database management, backup, recovery, and tuning; and provide advanced skills mentoring to ensure customer database self-sufficiency.
24 x 7 Database support – Allows outsourcing database administration on a monthly basis with a retainer to resolve issues while also implementing automated database processes to ensure adequate database backup, recovery, and optimal performance.
WHY AUTHENTIC INTELLIGENCE?
Authentic Intelligence is uniquely equipped with the expertise and experience to address the entire spectrum of enterprise data systems. Our staff hold a wide variety of Microsoft and industry-standard certifications and distinctions. The company founder holds a Ph.D. in the area of frameworks for automated problem solving. Our technical credentials include Microsoft SQL Server Master, .NET Developer, System Engineer, and Microsoft Certified Trainer certifications and industry-standard CISSP and CompTIA certifications, with individuals having over 30 years' experience. We are a Microsoft BizSpark partner with practical experience in the Microsoft platform as well as VMware ESXi including vCenter. We host several servers in a secure co-location facility operating on a 10GbE network, running high-speed storage supporting nested virtualization to enable rapid sandboxing, custom training, large-scale lab testing, and complex software development ventures.
Our focus is on automation. In all of our services, we utilize authentic intelligence™ over artificial intelligence, and machine solving™ over machine learning, to provide a framework for system automation which enables continuous improvement based on feedback. We have great confidence in our ability to solve your challenges and are willing to work with smaller firms or startup firms that cannot make large commitments. Once an NDA is in place, but even before agreement for paid services, we will come onsite and work with the customer to establish a value proposition and gain the trust and confidence of the customer to move forward.
[i] ISC2 is a registered trademark of the International Information Systems Security Certification Consortium. www.isc2.com
[ii] Microsoft and its associated products (Power BI, SharePoint, and SQL Server) are registered trademarks of Microsoft Corporation.