David Slater G-Cloud Meet Up

•Download as PPTX, PDF•

0 likes•194 views

This document discusses key considerations for achieving Restricted (IL3) accreditation for cloud services. It outlines that reviewing solutions against security standards, maintaining current ISO 27001 certification, addressing the OWASP Top Ten risks, and locking down configurations are important. It also recommends keeping support in the UK at Restricted levels, using secure protocols, and considering hosting in a pre-accredited environment. Common issues that can arise include ensuring adequate staff clearances, obtaining key material for approved products, having recent penetration tests, and single vulnerabilities allowing network connections.

Technology Business

Security in G-Cloud
Services at Restricted

dd-mm-yyyy

Introduction

•

Achieving Restricted (IL3) accreditation of service is not easy

•

Presentation covers experiences gained from achieving accreditation of Restricted
(IL3) services for Atos

•

Not an exhaustive list – just the highlights

| Identity, Security and Risk Management from Atos Consulting

Before You Start …

•

Review your solution against:
•
•
•

•

CESG Architectural Patters
CESG Good Practice Guides
IS Standards

Check that your ISO 27001 Certification is:
•
•
•

Current
Suitably scoped
UKAS Certified (recognized)

CESG like compliancy matrices against the relevant GPG’s
Read the PSN Code

| Identity, Security and Risk Management from Atos Consulting

Key Security Controls

•

Make sure applications:
•
•
•

Address the OWASP Top Ten
Think about limiting concurrent logins
Think about defense in depth
• Input Validation
• Parameterized Stored Procedures
• Output Validation

•

Manage Out-of-Bands
• Separate Interface
• Not via the Internet

•

Lock everything down against Industry Guides (Centre for Internet Security)

•

Use CPA approved or Common Criteria Approved products

| Identity, Security and Risk Management from Atos Consulting

Support

•

Keep it in the UK at Restricted (IL3)

•

Use secure protocols
• SSH
• HTTPS

•

Use dedicated support terminals

•

CESG approved encryption across insecure networks
• Issue with approved products

•

Support from the office – not via Internet/Remote Access

•

Cleared staff
• Another issue

6

| Identity, Security and Risk Management from Atos Consulting

Consider hosting in a pre-accredited Service

A number of accredited ‘hosting’ environments:

•

•
•
•
•

Atos
Skyscape
Lockheed Martin
SCC

•

Not all the same, each has its strengths and weaknesses

•

Look at what you get against your needs:
• Internet Connection
• PSN Connection
• Support Connections
• Monitoring
• Patching
• Disaster Recovery
• Protective Monitoring

7

| Identity, Security and Risk Management from Atos Consulting

Things that catch you out ….

•

Staff Clearances
• Cabinet Office will clear small number
• SC for privileged users

•

Key Material for CAPS products
• No easy route to gain
• No real alternative

•

Penetration Tests
• Recent – many month old test is no good

•

Single vulnerability allowing inter-network connection

•

CESG Design Review

8

| Identity, Security and Risk Management from Atos Consulting

The PGA is ….

•

Risk adverse

•

Well briefed

•

Has a lot of backup

•

Aligned with CESG Guidance

9

| Identity, Security and Risk Management from Atos Consulting

Thank You

10

| Identity, Security and Risk Management from Atos Consulting

This document summarizes a presentation given by Vladimir Jirasek on a vulnerability scanning project conducted at DSG International plc to meet PCI DSS compliance requirements and manage risk. DSG International is a major European retailer with both physical and online stores. The project team implemented weekly vulnerability scans of external and critical internal assets across DSG International's distributed IT infrastructure using Qualys. This helped identify and fix 80% of security issues within three months. The scanning is now a routine activity and has helped standardize patching policies while meeting PCI requirements in a cost effective manner.

Qualys Webex 24 June 2008

Vladimir Jirasek

- DSG International is a leading European retailer with over 1,300 stores across 28 countries employing 40,000 people serving over 100 million customers annually. - The document discusses DSGi's PCI DSS requirements which include external and internal vulnerability scanning, system hardening/configuration, and web application scanning. - DSGi implemented Qualys to meet these PCI DSS requirements as it is an Approved Scanning Vendor, is software-as-a-service requiring no hardware/software maintenance, and provides easy to use PCI DSS reports.

Alert Logic - Corporate Overview

bmiller144

This document discusses Alert Logic's cloud-based security and compliance solutions including vulnerability assessment, intrusion protection, and log management. It highlights how the cloud-based solutions solve key problems by identifying weaknesses before attacks, isolating attacks during, and investigating incidents after. The solutions help customers meet compliance requirements, improve network security, and enable regulatory compliance with easy deployment and no capital expenses.

How to Rightsize Your Citrix Investment

Zivaro Inc

IT investments, by their nature, must be adjusted over time to fit ever-changing business requirements. If you’ve been tasked with ‘right-sizing’ your Citrix environment – or want to show value by getting ahead of that request – join Craig Jeske, Director of Engineering at GTRI, for a rundown of Citrix optimization techniques and tasks. The interactive discussion will cover topics including: - Auditing and assessment frameworks - Use case development - Security and access concerns & controls - Hosting strategies - User experience & feedback View the webinar here: https://youtu.be/SV9N-6bwbSY

21.06.2017 - KYOS Breakfast Event

Kyos

This document provides an agenda and summaries for a breakfast event on database security. The event includes presentations from KYOS Sàrl, Thales e-Security, and Trustwave on their companies and database security topics. The agenda includes welcome remarks, three company presentations, a break with networking, a discussion on database security risks, and a question and answer session. Presentation topics include the companies' backgrounds and expertise in security services, encryption, managed security solutions, and database assessment and protection tools.

Sam Herath - Six Critical Criteria for Cloud Workload Security

centralohioissa

Modern elastic cloud infrastructure is fundamentally breaking traditional security approaches. Public cloud has no natural perimeter and network segmentation leaving individual cloud servers exposed. In private cloud, malicious East-West traffic inside the network is a serious threat. As new workloads are added and retired dynamically, change control is difficult, and updating granular firewall rules and security policies becomes a risky, manual process. Join us and learn the 6 Critical Criteria to secure your public, private or hybrid cloud – on-demand, anywhere, at any scale.

Conquest Security Capabilities

Conquest Security, Inc.

Conquest Security is an information security service provider serving government and commercial markets. We offer services, training, and products to address key information security, regulatory and operational requirements of today’s enterprise organizations, from small businesses up to large government agencies. Our offerings include: - Vulnerability Assessments - Penetration Testing - Remediation Services - Cyber Intelligence Services - Information Security Training - Advanced Solutions from Industry Leading Manufacturers Founded in 2005 and based in Bethesda, Maryland, Conquest Security provides comprehensive solutions that address the challenges facing information technology professionals.

Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...

centralohioissa

Collaboration often drives how we work especially when our workforce is mobile, when it is working off premises and serving clients in the field. Our employees adopt cloud solutions to communicate, exchange ideas and files, and to collaborate without our knowledge…this approach keeps security officers sleepless not only in Seattle but also in Columbus… This presentation is an overview of Office 365 functionality, security and compliance (reporting) capabilities to manage information privacy, security and compliance risks, and related documentation. Office 365 email security and management, SharePoint collaboration platform and Azure Active Directory reporting will be reviewed. This is a business/technical (not in depth technical) presentation to help business / technical audience understand the security and functionality of Office 365 solution when considering cloud solutions adoption.

Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds

centralohioissa

The document discusses how cloud security and privacy do not need to be at odds. It notes that there are over 10,000 enterprise apps used today, but IT is only aware of about 40-50 apps. Most cloud apps enter the enterprise through business or user-led adoption rather than IT-led processes. The document outlines seven requirements for mitigating cloud usage risk while maintaining privacy, such as finding all cloud apps, understanding usage details, using precise policies, and educating users on safe usage. It promotes the idea that allowing usage with proper controls is better than outright bans.

Discover an IT Infrastructure Services & Management

Webindia Internet Services (Chennai) Pvt. Ltd.

Infosec 2014: Capita Customer Management: Network Visibility to Manage Firewa...

Skybox Security

Featuring Dave Robinson, Senior IT Security Manager, Capita. Robinson discusses how Capita used Skybox to enable complete network visibility, even finding devices that have never shown up with other security tools or searches. Robinson details how Capita uses Skybox for firewall optimization and clean up, policy compliance and firewall change management. Lastly Robinson discusses how Capita is rolling out the Skybox risk analytics platform to reduce risk. Capita Customer Management is the UK's largest customer management outsourcer, managing customers for clients for more than 40 years. Capita Customer Management partners with leading public and private organizations worldwide including O2, Google, British Gas, BMW, and William Hill.

NEWSentinel_services15

Bilha Diaz

WhiteHat Sentinel Services provide continuous web application security assessments to identify vulnerabilities, track remediation progress over time, and reduce security risks. The services range from foundational to comprehensive options and include features such as continuous assessment, zero false positives, threat research support, and scalability for organizations of all sizes. The most advanced offering, Sentinel Elite, guarantees security and provides financial coverage in the event of a breach.

10 tips for hardening your system

Revital Lapidot

Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...

DevOps.com

This year has been full of surprises — and cloud security data breaches have been no exception. From hotel chains to dating apps and video conferencing, misconfigurations and mistakes have left many organizations with exposed data. Knowing how data breaches happen and how to prevent them from happening is key when it comes to defending your identities and data access. In this webinar, Eric Kedrosky, CISO and director of cloud research at Sonrai Security, dissects the top 10 notorious cloud data breaches from 2020, breaking down how each was caused and how they could have been prevented. This webinar will detail the anatomy of each type of data breach, what we can learn, what allowed the data breach to happen and the preventative measures. Join this webinar as we dissect the year’s top cloud data breaches and what caused them, including: Identity and authentication for data storage Public cloud misconfiguration Key and secret management Overprivileged identities Malicious Bad Actors

Managing risk and vulnerabilities in a business context

AlgoSec

Cyber attacks have a direct impact on the bottom line, yet most organizations lack the visibility and understanding to manage IT risk from the business perspective. This presentation is from a webcast where a panel of experts examined how to shift from viewing IT risk in bits and bytes to having an impact on critical applications in the data center. - Learn why and how more organizations are beginning to move ownership of IT risk to the business - Understand how to aggregate and score vulnerabilities associated with data center applications and their associated physical or virtual servers - Learn about the integration between Qualys and AlgoSec that enables business stakeholders to “own the risk”

It Infrastructure Security - 24x7 Security Monitoring

Webindia Internet Services

The Compliancy Group : The Guard, a HIPAA Compliance Solution

Compliancy Group

BeyondCorp and Zero Trust

Ivan Dwyer

1. Google implemented a zero trust architecture called BeyondCorp to allow employees to work from untrusted networks without using a VPN. It granted access based on identity and device attributes rather than network location. 2. BeyondCorp has several components including an identity provider, device inventory, trust inferer, access policies, access proxy, and access control engine. It eliminated VPNs, streamlined the user experience, and reduced IT support tickets. 3. Zero trust is applying BeyondCorp principles to other organizations. It redefines identity as the user and device attributes. Access decisions are made in real time based on those attributes and dynamic conditions like being on an up-to-date device. This improves security by enforcing encryption and

collateral_datasheet_sungard

Cheryl Goldberg

IT security threats from web vulnerabilities are increasingly common, with 97% of breaches caused by web vulnerabilities. Web Application Firewalls (WAFs) are designed to protect against such threats by monitoring incoming traffic and intercepting attacks before applications and data can be compromised. SunGard's Managed WAF service provides 24/7 monitoring and management of the WAF by security analysts, eliminating the need for organizations to implement and maintain their own WAF solution.

BeyondCorp and Zero Trust

Ivan Dwyer

BeyondCorp is Google's implementation of a Zero Trust security model that eliminates the use of network-based controls like VPNs. It authenticates and authorizes access to resources based on dynamic factors like the user, device, location, and time. This provides stronger security, visibility, and a better user experience than traditional perimeter-based approaches. The presentation outlines how to achieve a similar BeyondCorp-inspired architecture by collecting relevant data, defining access policies, writing user scenarios, and implementing dynamic access controls and ephemeral credentials. Moving to this model will impact VPN and legacy security vendors and lead to converged access management categories.

Bitglass Webinar - Top 6 CASB Use Cases

Bitglass

This document discusses the top 6 use cases for cloud access security broker (CASB) technology: 1) Prevent data loss with data loss prevention policies; 2) Control access from unmanaged devices; 3) Stop cloud malware and ransomware; 4) Limit risky external sharing; 5) Securely authenticate users; and 6) Control unsanctioned app usage. It provides examples of how CASBs can address these use cases for two organizations - a large university and a non-profit healthcare organization - by distinguishing managed and unmanaged devices, limiting access to protected health information from risky devices, and regularly scanning cloud apps for malware.

Bengt Berg, Cybercom Security, Polen

Cybercom Group

Bengt Berg is the Head of Compliance Management Services at Cybercom Sweden East AB, an IT security company with 1800 employees. He discusses how external compliance requirements like PCI DSS, ISO 27001, and others have transformed security practices. PCI DSS in particular drove changes where software developers now focus on security and retailers leverage security investments across their companies. Compliance portals, issue management systems, and wikis have emerged as popular tools for managing compliance documentation and requirements.

Bitglass Webinar - BlueCross BlueShield of Tennessee's CASB Journey to Secure...

Bitglass

Outpost24 webinar - Mastering the art of multicloud security

Outpost24

Moving Security to the Left

Javier Godinez

The document discusses moving security practices left in the software development lifecycle (SDLC) at Teradata. It outlines challenges like security being bolted on and default settings being insecure. The proposed approach is a secure SDLC that includes threat modeling, security training, integrating security tools and testing. Dynamic testing like fuzzing and static analysis would find defects early. Metrics would measure security performance and drive continuous improvement in building a security-focused culture.

Bitglass Webinar - 5 Cloud Security Best Practices for 2018

Bitglass

The Share Responsibility Model of Cloud Computing - ILTA Philadelphia

Patrick Sklodowski

Steve Cliff G-Cloud UK Meet Up

WeAreEsynergy

IBM is proposing an integrated secure shared delivery capability called IBM Secure Shared Delivery (SSD) to deliver cloud services to the UK government. SSD is built on high security, quality, efficiency and aims to be consistent with the government's cloud strategy. It provides a center of excellence for consultancy, development and support resources as well as a secure sandbox for prototyping initiatives focused on small to medium enterprises. IBM also outlines its platform as a service offerings on G-Cloud including web server, application server, database and application management services available at different security levels.

Development platforms for startups by shawn gosh at guru program spring 2014

TechMeetups

What's hot

Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......

centralohioissa

Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds

centralohioissa

Discover an IT Infrastructure Services & Management

Webindia Internet Services (Chennai) Pvt. Ltd.

Infosec 2014: Capita Customer Management: Network Visibility to Manage Firewa...

Skybox Security

NEWSentinel_services15

Bilha Diaz

10 tips for hardening your system

Revital Lapidot

Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...

DevOps.com

Managing risk and vulnerabilities in a business context

AlgoSec

It Infrastructure Security - 24x7 Security Monitoring

Webindia Internet Services

The Compliancy Group : The Guard, a HIPAA Compliance Solution

Compliancy Group

BeyondCorp and Zero Trust

Ivan Dwyer

collateral_datasheet_sungard

Cheryl Goldberg

BeyondCorp and Zero Trust

Ivan Dwyer

Bitglass Webinar - Top 6 CASB Use Cases

Bitglass

Bengt Berg, Cybercom Security, Polen

Cybercom Group

Bitglass Webinar - BlueCross BlueShield of Tennessee's CASB Journey to Secure...

Bitglass

Outpost24 webinar - Mastering the art of multicloud security

Outpost24

Moving Security to the Left

Javier Godinez

Bitglass Webinar - 5 Cloud Security Best Practices for 2018

Bitglass

The Share Responsibility Model of Cloud Computing - ILTA Philadelphia

Patrick Sklodowski

What's hot (20)

Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......

Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds

Discover an IT Infrastructure Services & Management

Infosec 2014: Capita Customer Management: Network Visibility to Manage Firewa...

NEWSentinel_services15

10 tips for hardening your system

Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...

Managing risk and vulnerabilities in a business context

It Infrastructure Security - 24x7 Security Monitoring

The Compliancy Group : The Guard, a HIPAA Compliance Solution

BeyondCorp and Zero Trust

collateral_datasheet_sungard

BeyondCorp and Zero Trust

Bitglass Webinar - Top 6 CASB Use Cases

Bengt Berg, Cybercom Security, Polen

Bitglass Webinar - BlueCross BlueShield of Tennessee's CASB Journey to Secure...

Outpost24 webinar - Mastering the art of multicloud security

Moving Security to the Left

Bitglass Webinar - 5 Cloud Security Best Practices for 2018

The Share Responsibility Model of Cloud Computing - ILTA Philadelphia

Viewers also liked

Steve Cliff G-Cloud UK Meet Up

WeAreEsynergy

Development platforms for startups by shawn gosh at guru program spring 2014

TechMeetups

Fast forward SETsquared IP network

Alan Scrase

Presenter – David Bream from UofS will describe how the Intellectual Property Office (IPO) Fast Forward funding will create a network of SME forums and meetings to consider how IP can be the bedrock of growing a business. The IPO are an Executive Agency of the Department for Business Innovation and Skills (BIS) that promote innovation by providing a clear, accessible and widely understood IP system, which enables the economy and society to benefit from knowledge and ideas.

IBM SmartCloud and ISVs September 2013 (Softlayer)

Simon Baker

IBM is positioning its SmartCloud and SoftLayer platforms to capitalize on growing demand for cloud computing. SoftLayer provides a global cloud infrastructure platform with robust APIs, extensive customization options, and proven performance for high-intensity workloads. IBM plans to integrate SoftLayer across its sales, support, and technology teams to deliver a unified cloud platform optimized for both web-native and enterprise workloads. This will strengthen IBM's cloud strategy by combining SoftLayer's infrastructure-as-a-service capabilities with IBM's software and services portfolio.

How to increase the business value of your IT team

BCS-IT

Netflix in the cloud 2011

Adrian Cockcroft

Netflix has over 20 million subscribers in the US and Canada and is expanding internationally. It is moving its operations entirely to the cloud to gain the scalability and flexibility needed to support unpredictable growth. Netflix uses Amazon Web Services extensively to handle its increasing capacity needs, leveraging AWS's large scale and feature set. The cloud allows Netflix to focus on its core business instead of managing infrastructure.

node.js on Google Compute Engine

Arun Nagarajan

Slides for the day-long Lean Analytics workshop at the 2014 Lean Startup conf...

Lean Analytics

Comparison of it governance framework-COBIT, ITIL, BS7799

Meghna Verma

COBIT, ITIL, and ISO/IEC 27001 are frameworks for IT governance, service management, and information security respectively. COBIT provides IT processes, goals, and metrics for governance and was created by ISACA. ITIL provides best practices for managing IT services and was created by the UK government. ISO/IEC 27001 specifies requirements for an information security management system and was created by the International Organization for Standardization. While each framework addresses different aspects, they are complementary and organizations often use a combination to ensure IT supports business needs, services are effectively managed, and information security is maintained.

NIST Cloud Computing Reference Architecture

Thanakrit Lersmethasakul

Defining Services for a Service Catalog

Axios Systems

The document discusses designing and defining services for a service catalog. It outlines that a service catalog involves defining IT services and components, as well as business services, and mapping their relationships. It also discusses involving both IT and customers to understand key needs and priorities. The document provides guidance on how to structure services in a service catalog hierarchy and design the various elements and views needed, including user, business and technical views. It emphasizes the importance of strategy workshops to get input from stakeholders and ensure buy-in for a successful service catalog.

Intro to AWS Security

Amazon Web Services

Viewers also liked (12)

Steve Cliff G-Cloud UK Meet Up

Development platforms for startups by shawn gosh at guru program spring 2014

Fast forward SETsquared IP network

IBM SmartCloud and ISVs September 2013 (Softlayer)

How to increase the business value of your IT team

Netflix in the cloud 2011

node.js on Google Compute Engine

Slides for the day-long Lean Analytics workshop at the 2014 Lean Startup conf...

Comparison of it governance framework-COBIT, ITIL, BS7799

NIST Cloud Computing Reference Architecture

Defining Services for a Service Catalog

Intro to AWS Security

Similar to David Slater G-Cloud Meet Up

When Your CISO Says No - Security & Compliance in Office 365

Ricardo Wilkins

(SEC310) Keeping Developers and Auditors Happy in the Cloud

Amazon Web Services

Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers. Topics covered will include shared responsibility, using compartmentalization and microservices for scope control, immutable infrastructure, and continuous security testing.

The What, Why, and How of DevSecOps

Cprime

The document discusses the principles and practices of DevSecOps. It begins with an agenda that covers DevSecOps prerequisites, foundations, roles and responsibilities, and practical tips. It discusses concepts like shifting security left, continuous integration/delivery pipelines, and the importance of collaboration across roles. It provides overviews of risk management, static and dynamic testing, feature toggles, and recommends DevSecOps training and tools from Cprime. The presentation aims to help organizations adopt DevSecOps practices to improve security and deployment processes.

Open Architecture: The Key to Aviation Security

agoldsmith1

Security architecture best practices for saas applications

kanimozhin

This document discusses security best practices for Software as a Service (SaaS) applications. It recommends adopting a holistic governance framework to manage operational risks, using standards like COBIT 5. Key aspects covered include tenant data isolation, role-based access control, preventing common web attacks, and implementing robust security auditing of events, transactions, and user actions. The goal is to establish trust with customers by providing protection of information, access controls, data security, and audit capabilities.

Security Architecture Best Practices for SaaS Applications

Techcello

Cyber Security in The Cloud

PECB

As public and private cloud adoption skyrockets, the number of attacks against cloud infrastructure is also increasing dramatically. Now more than ever, it is crucial to secure your cloud assets and data against advanced threats. We’ll dig into what it means to be successful in the cloud and what successful organizations do more of (and less of) than their less successful peers. We’ll look across technologies adopted, organizational and operational practices, and vendors embraced. Recorded webinar: https://youtu.be/Og1-xcc7JNs

The New Assure Security: Complete IBM i Compliance and Security

Precisely

This document introduces Assure Security, a comprehensive security solution from Syncsort that addresses IBM i security. It provides an overview of the topics that will be covered in the webinar, including Assure's access control, data privacy, compliance monitoring, security risk assessment, and integration capabilities. The document discusses how Assure Security combines security capabilities from Cilasoft and Townsend Security to provide a complete security and compliance solution for IBM i. It highlights some of Assure Security's key capabilities such as access control, data privacy, compliance monitoring, and security risk assessment. Customer stories are also provided as examples of how Assure Security has helped organizations address security and compliance challenges.

Implementing Legal within Tech. What are the Cyber Security issues?

Cyber Security Partners

Rightscale Webinar: PCI in Public Cloud

RightScale

Over the past few years, PCI compliance in the public cloud has been a growing topic of concern and interest. Like us, you probably have heard assertions from both sides of the topic - some stating that one can be a PCI compliant merchant using public IaaS cloud, others stating that it is impossible. Join us in this webinar as our Director of Security and Compliance, Phil Cox, addresses these concerns and demonstrates how PCI compliance in the public IaaS cloud is indeed possible. In this webinar we’ll discuss: - Foundational principles and mindsets for PCI compliance - How to determine system/application scope and requirement applicability - Top-level PCI DSS (Data Security Standard) requirements and how to meet them in the public IaaS cloud This webinar is perfect for those who are searching for solid answers on security in the public cloud. Our goal with this webinar is to educate you with the information you need to have confidence and make the most of your public cloud, while dispelling any myths surrounding the topic of security and the public cloud.

JDA: Building an Open Source Center of Excellence

Black Duck by Synopsys

Latest Developments in Cloud Security Standards and Privacy

Cloud Standards Customer Council

The document summarizes key points from a presentation on latest developments in cloud security standards and privacy. It discusses the benefits of standards, outlines some current security standards and frameworks, and provides recommendations for cloud customers to evaluate a cloud service provider's security capabilities. The presentation emphasizes that customers should ensure cloud providers support relevant security standards to ensure governance, risk management and regulatory compliance.

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Cloud Standards Customer Council

The document summarizes key points from a presentation on cloud security standards. It discusses the benefits of standards in promoting interoperability and regulatory compliance. It analyzes the current landscape of standards, including specifications, advisory standards, and security frameworks. It also provides recommendations for 10 steps customers can take to evaluate a cloud provider's security, including ensuring governance and compliance, auditing processes, managing access controls, and assessing physical infrastructure security. The document recommends cloud security standards and certifications customers should expect providers to support.

Compliance with AWS

Amazon Web Services

AWS Meetup CGN 11/2021

Theo Pack

This document discusses strategies for using multiple AWS accounts to isolate workloads and control access. It recommends separating accounts by stages of the software development lifecycle (e.g. separate accounts for development, test, and production) or by business units/projects. Landing zones are introduced as a baseline configuration for accounts that enforces best practices for security and governance. AWS Control Tower is highlighted as an easy way to set up and govern multiple accounts by enforcing service control policies and detecting policy violations. Specific account types are defined including master accounts, security accounts, log archive accounts, and workload accounts separated by environment or project.

CompTIA CAS-002 VCE Outline

Examcollection

Professional Designations IT Assurance

a3virani

This document provides an overview of the roles and certifications available for assurance professionals working with information systems. It discusses why IS auditing is important given regulations like Sarbanes-Oxley that require verifying system controls. Common certifications include CISA, CISM, and CGEIT from ISACA, which focus on auditing, security management, and IT governance respectively. The CISSP from (ISC)2 demonstrates broad security knowledge, while the GIAC GSNA tests systems and network auditing skills. Obtaining certifications provides credibility, ensures competence, and allows professionals to efficiently add value through activities like risk assessments, security evaluations, and enhancing audit effectiveness.

AWS Enterprise Summit London 2015 | Security in the Cloud

Amazon Web Services

The document discusses security in the cloud using Amazon Web Services (AWS). It notes that AWS provides strong security capabilities that allow customers to be more secure in the cloud than in their own data centers. It outlines how AWS offers security at no extra cost and discusses principles of security compliance, certifications, and tools available on AWS like Inspector, WAF, and CloudTrail to help customers with security. The document advocates for taking a security-by-design approach and leveraging AWS services and professional services to help customers prepare, prevent, detect, and respond to security issues in the cloud.

Top Security Challenges Facing Credit Unions Today

Chris Gates

7 Secrets to Becoming a Citrix Hero

eG Innovations

Among all the administration, maintenance and troubleshooting chaos in your daily life as a Citrix admin, don’t you dream of becoming a Citrix hero? Watch this on-demand webinar where DJ Eshelman, Citrix Coach, CUGC Leader and a CTA, walks us through seven essential dos and don’ts for Citrix professionals, based on over a decade’s worth of real-world experience. In this session, you’ll learn: • The methods and practices that successful Citrix professionals adopt • How to take cues from users and data to build Citrix environments that run smoothly and efficiently, and yet cut down on risks and workarounds • How being proactive instead of reactive unlocks a world where you are less stressed and more fulfilled in what you are doing Every Citrix admin can become a Citrix Hero. By applying these seven lessons, you can spend less time worrying about your next Sev1 outage and more time enjoying life outside the office.

Similar to David Slater G-Cloud Meet Up (20)

When Your CISO Says No - Security & Compliance in Office 365

(SEC310) Keeping Developers and Auditors Happy in the Cloud

The What, Why, and How of DevSecOps

Open Architecture: The Key to Aviation Security

Security architecture best practices for saas applications

Security Architecture Best Practices for SaaS Applications

Cyber Security in The Cloud

The New Assure Security: Complete IBM i Compliance and Security

Implementing Legal within Tech. What are the Cyber Security issues?

Rightscale Webinar: PCI in Public Cloud

JDA: Building an Open Source Center of Excellence

Latest Developments in Cloud Security Standards and Privacy

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Compliance with AWS

AWS Meetup CGN 11/2021

CompTIA CAS-002 VCE Outline

Professional Designations IT Assurance

AWS Enterprise Summit London 2015 | Security in the Cloud

Top Security Challenges Facing Credit Unions Today

7 Secrets to Becoming a Citrix Hero

Recently uploaded

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

Data structures and Algorithms in Python.pdf

TIPNGVN2

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

Full-RAG: A modern architecture for hyper-personalization

Zilliz

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

20 Comprehensive Checklist of Designing and Developing a Website

Pixlogix Infotech

Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

shyamraj55

Mind map of terminologies used in context of Generative AI

Kumud Singh

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Zilliz

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

Recently uploaded (20)

Large Language Model (LLM) and it’s Geospatial Applications

Data structures and Algorithms in Python.pdf

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

Full-RAG: A modern architecture for hyper-personalization

20 Comprehensive Checklist of Designing and Developing a Website

Artificial Intelligence for XMLDevelopment

UiPath Test Automation using UiPath Test Suite series, part 5

Essentials of Automations: The Art of Triggers and Actions in FME

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Climate Impact of Software Testing at Nordic Testing Days

“I’m still / I’m still / Chaining from the Block”

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Mind map of terminologies used in context of Generative AI

UiPath Test Automation using UiPath Test Suite series, part 6

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Introduction to CHERI technology - Cybersecurity

Monitoring Java Application Security with JDK Tools and JFR Events

How to use Firebase Data Connect For Flutter

TrustArc Webinar - 2024 Global Privacy Survey

David Slater G-Cloud Meet Up

1. David Slater, CLAS Consultant

2. Security in G-Cloud Services at Restricted dd-mm-yyyy

3. Introduction • Achieving Restricted (IL3) accreditation of service is not easy • Presentation covers experiences gained from achieving accreditation of Restricted (IL3) services for Atos • Not an exhaustive list – just the highlights | Identity, Security and Risk Management from Atos Consulting

4. Before You Start … • Review your solution against: • • • • CESG Architectural Patters CESG Good Practice Guides IS Standards Check that your ISO 27001 Certification is: • • • Current Suitably scoped UKAS Certified (recognized) CESG like compliancy matrices against the relevant GPG’s Read the PSN Code | Identity, Security and Risk Management from Atos Consulting

5. Key Security Controls • Make sure applications: • • • Address the OWASP Top Ten Think about limiting concurrent logins Think about defense in depth • Input Validation • Parameterized Stored Procedures • Output Validation • Manage Out-of-Bands • Separate Interface • Not via the Internet • Lock everything down against Industry Guides (Centre for Internet Security) • Use CPA approved or Common Criteria Approved products | Identity, Security and Risk Management from Atos Consulting

6. Support • Keep it in the UK at Restricted (IL3) • Use secure protocols • SSH • HTTPS • Use dedicated support terminals • CESG approved encryption across insecure networks • Issue with approved products • Support from the office – not via Internet/Remote Access • Cleared staff • Another issue 6 | Identity, Security and Risk Management from Atos Consulting

7. Consider hosting in a pre-accredited Service A number of accredited ‘hosting’ environments: • • • • • Atos Skyscape Lockheed Martin SCC • Not all the same, each has its strengths and weaknesses • Look at what you get against your needs: • Internet Connection • PSN Connection • Support Connections • Monitoring • Patching • Disaster Recovery • Protective Monitoring 7 | Identity, Security and Risk Management from Atos Consulting

8. Things that catch you out …. • Staff Clearances • Cabinet Office will clear small number • SC for privileged users • Key Material for CAPS products • No easy route to gain • No real alternative • Penetration Tests • Recent – many month old test is no good • Single vulnerability allowing inter-network connection • CESG Design Review 8 | Identity, Security and Risk Management from Atos Consulting

9. The PGA is …. • Risk adverse • Well briefed • Has a lot of backup • Aligned with CESG Guidance 9 | Identity, Security and Risk Management from Atos Consulting

10. Thank You 10 | Identity, Security and Risk Management from Atos Consulting

David Slater G-Cloud Meet Up

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to David Slater G-Cloud Meet Up

Similar to David Slater G-Cloud Meet Up (20)

Recently uploaded

Recently uploaded (20)

David Slater G-Cloud Meet Up