This document summarizes a webinar on cloud security presented by representatives from 6fusion and Network Box USA. It discusses common cloud security myths, challenges related to access, protection, segregation and recovery of cloud data, and best practices for cloud security including implementing security by design, active monitoring and having an incident response plan. The webinar concluded by discussing developing a risk-based security framework and taking questions from attendees.
This document provides an overview of intrusion detection and data loss prevention. It discusses the challenges of data loss and how data loss prevention (DLP) addresses them. DLP helps organizations discover where sensitive data is located, monitor how it is being used, and protect it from leaving the network without authorization. The presentation outlines how DLP works and provides examples of how DLP can be used to fix exposed data, protect intellectual property and customer information, and continuously reduce security risks.
Information and Identity Protection - Data Loss Prevention, Encryption, User ...Symantec APJ
The document discusses information and identity protection solutions from Symantec. It outlines the key threats to data security, such as data breaches, non-compliance, and external attacks. It then describes Symantec's information-centric security approach and solutions portfolio, which includes tools for identity management, data awareness, and data protection through encryption and data loss prevention.
This data centric exercise is intended for individuals who want to gain a better understanding of their information assets and run through a structured brainstorming guide for a Data Loss Prevention (DLP) plan in efforts to protect their data.
Ideal for those looking to gain greater situational awareness on their personal information assets.
Part A: Understand what information assets exist.
Part B: Categorize the information assets identified in part A into Low, Medium and High.
Part C: Identify where the information assets are located. [Mirrors & backups included]
Part D: Considering the sensitivity classification identified in Part B and the location of the information assets identified in Part C, create a Data Loss Prevention (DLP) plan for when the information assets are at rest, in motion, in use, or when they disposed of.
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Symantec Data Loss Prevention 11 simplifies the detection and protection of intellectual property. Symantec’s market-leading data security suite features Vector Machine Learning, which makes it easier to detect hard-to-find intellectual property, and enhancements to Data Insight that streamline remediation, increasing the effectiveness of an organization’s data protection initiatives.
Data security in a big data environment swedenIBM Sverige
This document discusses data security challenges in big data environments. It notes that data breaches are common and costly for organizations. Several examples of recent breaches are provided that impacted companies like Target, a Canadian government agency, and healthcare providers. The document advocates for the IBM Guardium suite of data security products to help secure sensitive data across different systems and platforms through discovery, monitoring, masking, encryption and other techniques. It argues these tools are needed to reduce risks, costs, and protect brand reputation for organizations working with big data.
Trend Micro announced new data protection features for several of its security products in September 2011. New versions of ScanMail for Exchange, PortalProtect for SharePoint, and InterScan Messaging Security added data loss prevention capabilities to help organizations comply with regulations and prevent data breaches across email servers, collaboration platforms, and messaging gateways. Trend Micro positioned itself as uniquely able to provide integrated data protection across the enterprise from endpoints to the cloud.
Securing your digital world cybersecurity for sb esSonny Hashmi
This document provides recommendations for small businesses to improve cyber security. It discusses how (1) changing the conversation with end users to be more empathetic and focus on usability can improve security, (2) implementing multi-factor authentication and centralized identity management can replace passwords for stronger access control, and (3) leveraging trusted cloud solutions allows businesses to benefit from economies of scale for security compliance. It also recommends (4) making endpoints as minimal as possible by storing all data in the cloud and browser, and (5) recentralizing content to eliminate silos and enforce consistent policies. The document emphasizes that security should not get in the way of productivity and usability.
This document provides an overview of intrusion detection and data loss prevention. It discusses the challenges of data loss and how data loss prevention (DLP) addresses them. DLP helps organizations discover where sensitive data is located, monitor how it is being used, and protect it from leaving the network without authorization. The presentation outlines how DLP works and provides examples of how DLP can be used to fix exposed data, protect intellectual property and customer information, and continuously reduce security risks.
Information and Identity Protection - Data Loss Prevention, Encryption, User ...Symantec APJ
The document discusses information and identity protection solutions from Symantec. It outlines the key threats to data security, such as data breaches, non-compliance, and external attacks. It then describes Symantec's information-centric security approach and solutions portfolio, which includes tools for identity management, data awareness, and data protection through encryption and data loss prevention.
This data centric exercise is intended for individuals who want to gain a better understanding of their information assets and run through a structured brainstorming guide for a Data Loss Prevention (DLP) plan in efforts to protect their data.
Ideal for those looking to gain greater situational awareness on their personal information assets.
Part A: Understand what information assets exist.
Part B: Categorize the information assets identified in part A into Low, Medium and High.
Part C: Identify where the information assets are located. [Mirrors & backups included]
Part D: Considering the sensitivity classification identified in Part B and the location of the information assets identified in Part C, create a Data Loss Prevention (DLP) plan for when the information assets are at rest, in motion, in use, or when they disposed of.
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Symantec Data Loss Prevention 11 simplifies the detection and protection of intellectual property. Symantec’s market-leading data security suite features Vector Machine Learning, which makes it easier to detect hard-to-find intellectual property, and enhancements to Data Insight that streamline remediation, increasing the effectiveness of an organization’s data protection initiatives.
Data security in a big data environment swedenIBM Sverige
This document discusses data security challenges in big data environments. It notes that data breaches are common and costly for organizations. Several examples of recent breaches are provided that impacted companies like Target, a Canadian government agency, and healthcare providers. The document advocates for the IBM Guardium suite of data security products to help secure sensitive data across different systems and platforms through discovery, monitoring, masking, encryption and other techniques. It argues these tools are needed to reduce risks, costs, and protect brand reputation for organizations working with big data.
Trend Micro announced new data protection features for several of its security products in September 2011. New versions of ScanMail for Exchange, PortalProtect for SharePoint, and InterScan Messaging Security added data loss prevention capabilities to help organizations comply with regulations and prevent data breaches across email servers, collaboration platforms, and messaging gateways. Trend Micro positioned itself as uniquely able to provide integrated data protection across the enterprise from endpoints to the cloud.
Securing your digital world cybersecurity for sb esSonny Hashmi
This document provides recommendations for small businesses to improve cyber security. It discusses how (1) changing the conversation with end users to be more empathetic and focus on usability can improve security, (2) implementing multi-factor authentication and centralized identity management can replace passwords for stronger access control, and (3) leveraging trusted cloud solutions allows businesses to benefit from economies of scale for security compliance. It also recommends (4) making endpoints as minimal as possible by storing all data in the cloud and browser, and (5) recentralizing content to eliminate silos and enforce consistent policies. The document emphasizes that security should not get in the way of productivity and usability.
Data Loss Prevention: Challenges, Impacts & Effective StrategiesSeccuris Inc.
The document discusses data loss prevention challenges and strategies. It notes that data loss incidents have increased significantly in recent years and now cost organizations millions on average. Many data losses are caused by employees and insiders. The document outlines various types of employee, application, and process exposures that can lead to data loss and recommends assessing current controls and focusing on technical controls, access management, and process controls to better mitigate risks.
At the highest level, our mission continues to be about keeping our customers (companies and governments) safe from ever-evolving digital threats, so they are confident to move business forward. Our strategy to accomplish this mission centers around four key pillars: Advanced Threat Protection, Information Protection for On Premise and Cloud, Security as a Service -- all anchored by a Unified Security Analytics Platform. Symantec Data Loss Prevention is a foundational product in the Information Protection for On Premise and Cloud pillar.
Everyone knows that storing and accessing data and applications in the cloud and on mobile devices provides makes work much easier and productive by allowing employees to work everywhere they need to.
It allows for great business agility – applications are always up to date, new functionality and processes can be deployed and activated quickly and organizations can adjust things on the fly if they need to.
It also brings the convenience factor – all employees to work in the way that they need to, collaboration and sharing is made vastly easier with cloud applications and storage.
But it brings with it all the challenges of securing devices and applications that your don’t own, and whilst saying NO might be the right thing for security, end users will find a way around it. Right now, close to 30% of employees use their personal devices for work. And that number is on the rise, potentially turning BYOD into Bring Your Own Disaster.
The document discusses API security best practices. It describes how APIs can be secured at different layers including authentication, authorization, perimeter defense, and the service/API layer. It also discusses how a blended API gateway and data loss prevention deployment can help control access to APIs and sensitive data. The presentation included examples of securing mobile access to enterprise services and controlling use of cloud infrastructure through an API gateway.
Symantec Data Loss Prevention. Las tendencias mundiales nos muestran que el mayor porcentaje de perdida y robo de datos responde a la falta de visibilidad y el error en el manejo de los mismos. Conozca como prevenirse.
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...Danny Miller
The document discusses emerging technology challenges and solutions related to internal audit and compliance, focusing on cloud computing and mobile platforms. It covers topics like cloud computing trends, risks of cloud computing and mobile platforms, and strategies to mitigate risks. The presentation provides an overview of cloud computing models and types, emerging technology trends, potential new complexities for internal audit, and risks and audit strategies for cloud computing related to security, multi-tenancy, and data location.
Iia 2012 Spring Conference Philly V FinalDanny Miller
Presentation given to the IIA 2012 Spring Conference on Emerging Technology Challenges for Internal Auditors. Includes discussion on Cloud Security,Mobile Device Security, PCI, Data Governance and Privacy.
Introduction - The Smart Protection NetworkAndrew Wong
Trend Micro is introducing its Smart Protection Network, a next-generation security architecture. It collects threat data from various sources and analyzes it using TrendLabs to provide up-to-date threat information to lightweight endpoint clients in near real-time. This network removes the need for pattern monitoring and management on individual endpoints, reducing network traffic and memory usage. It also protects customers faster and with less staff time compared to traditional security solutions.
This document discusses originator control (ORCON) and how it can provide persistent control over data as it is shared beyond the enterprise. ORCON is related to digital rights management and information rights management as it allows the originator or enterprise to specify access controls for shared data, such as preventing forwarding or rescinding access. The document argues that while networks and infrastructure are difficult to secure, focusing protection at the data layer through encryption and ORCON can provide better persistent control over sensitive data as it moves to different domains.
The document describes Egress Switch, a software product that provides security when sharing sensitive data outside an organization. Key features include:
- Protecting and controlling sensitive information as it moves outside the organization, regardless of how it's shared. This includes real-time access revocation.
- Providing full visibility and audit trails for all authorized and unauthorized access attempts on shared data.
- Requiring no additional infrastructure since it's provided as a software-as-a-service product. There are no costs for recipients to use the product.
- Supporting secure sharing of large files through encryption and integration with tools like email clients, removable media, and file sharing services. Flexible policies can be set
Event Presentation: Cyber Security for Industrial Control SystemsInfonaligy
Get an inside look at practical examples of how hackers target control systems networks from the recent Lunch and Learn event put on by Infonaligy and Flexware Innovation.
Cloud can provide great flexibility to IT, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt virtual data center (IaaS) or on-line applications (SaaS), you shift the paradigm of security as it was conceived up to now. The presentation will examine the security implications of a Cloud infrastructure and possible remedies with practical examples.
The document discusses 7 ways for businesses to better protect data and improve their security posture in the modern workplace. It outlines steps to reduce threats through identity and access management, manage mobile devices and apps, leverage conditional access, increase enterprise data protection, prevent data loss, enable secured collaboration, and reduce malware exposure. The overall message is that businesses can give employees mobility and productivity while also protecting sensitive data through proper planning, tools, and education.
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
The document discusses the need for new security approaches using big data and advanced analytics to address modern security challenges. It notes that yesterday's security practices are insufficient, and that automated big data security solutions using integrated defenses across cloud, mobile, and on-premise systems can help organizations stay ahead of threats by providing greater intelligence, innovation, and integration.
Small businesses are often targeted by cybercriminals because they lack dedicated security staff and proper security policies and procedures. Identity theft and data breaches can happen for many reasons, including accidents, malicious attacks, viruses, and lack of preparedness. These incidents cost businesses on average $214 per stolen record and can damage reputation. Developing a data protection plan and communicating it to customers is key to building trust. Common cyber threats include viruses, malware, rootkits, key loggers, adware, and spam, which can steal user names, passwords, and sensitive data. Hackers also use drive-by downloads from infected websites to automatically install malicious software on unprotected computers.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
This document outlines a 7 step framework for developing and deploying an effective data loss prevention (DLP) strategy. The steps include prioritizing sensitive data, classifying data, understanding risks to data, monitoring data movement, developing controls, training employees, and rolling out the full DLP program over time. The framework advises starting with high priority data and demonstrating tactical successes to avoid failure due to complexity or organizational issues.
The document discusses how information security practitioners are overburdened due to the increasing complexity of technologies and rate of change. It proposes forming "Infosec Trust Groups" where organizations in the same sector or region can share resources and intelligence to help specialize skills, increase efficiency, and reduce costs. Working together in these groups could help address issues like staff shortages and help turn raw intelligence into more actionable threat analysis.
DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-L...Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.
This document discusses network security considerations for cloud computing. It begins with an introduction to different cloud deployment models including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It then covers each model in more detail, describing features and benefits. The document also discusses virtualization techniques, risks of cloud computing including loss of control and operational risks, and security best practices such as host hardening and securing inter-host communication. Standard organizations developing cloud computing security standards are also mentioned.
The Zero Trust Model of Information Security Tripwire
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust and verify approach to information security, but that’s not working as threats from malicious insiders represent the most risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it’s not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
Data Loss Prevention: Challenges, Impacts & Effective StrategiesSeccuris Inc.
The document discusses data loss prevention challenges and strategies. It notes that data loss incidents have increased significantly in recent years and now cost organizations millions on average. Many data losses are caused by employees and insiders. The document outlines various types of employee, application, and process exposures that can lead to data loss and recommends assessing current controls and focusing on technical controls, access management, and process controls to better mitigate risks.
At the highest level, our mission continues to be about keeping our customers (companies and governments) safe from ever-evolving digital threats, so they are confident to move business forward. Our strategy to accomplish this mission centers around four key pillars: Advanced Threat Protection, Information Protection for On Premise and Cloud, Security as a Service -- all anchored by a Unified Security Analytics Platform. Symantec Data Loss Prevention is a foundational product in the Information Protection for On Premise and Cloud pillar.
Everyone knows that storing and accessing data and applications in the cloud and on mobile devices provides makes work much easier and productive by allowing employees to work everywhere they need to.
It allows for great business agility – applications are always up to date, new functionality and processes can be deployed and activated quickly and organizations can adjust things on the fly if they need to.
It also brings the convenience factor – all employees to work in the way that they need to, collaboration and sharing is made vastly easier with cloud applications and storage.
But it brings with it all the challenges of securing devices and applications that your don’t own, and whilst saying NO might be the right thing for security, end users will find a way around it. Right now, close to 30% of employees use their personal devices for work. And that number is on the rise, potentially turning BYOD into Bring Your Own Disaster.
The document discusses API security best practices. It describes how APIs can be secured at different layers including authentication, authorization, perimeter defense, and the service/API layer. It also discusses how a blended API gateway and data loss prevention deployment can help control access to APIs and sensitive data. The presentation included examples of securing mobile access to enterprise services and controlling use of cloud infrastructure through an API gateway.
Symantec Data Loss Prevention. Las tendencias mundiales nos muestran que el mayor porcentaje de perdida y robo de datos responde a la falta de visibilidad y el error en el manejo de los mismos. Conozca como prevenirse.
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...Danny Miller
The document discusses emerging technology challenges and solutions related to internal audit and compliance, focusing on cloud computing and mobile platforms. It covers topics like cloud computing trends, risks of cloud computing and mobile platforms, and strategies to mitigate risks. The presentation provides an overview of cloud computing models and types, emerging technology trends, potential new complexities for internal audit, and risks and audit strategies for cloud computing related to security, multi-tenancy, and data location.
Iia 2012 Spring Conference Philly V FinalDanny Miller
Presentation given to the IIA 2012 Spring Conference on Emerging Technology Challenges for Internal Auditors. Includes discussion on Cloud Security,Mobile Device Security, PCI, Data Governance and Privacy.
Introduction - The Smart Protection NetworkAndrew Wong
Trend Micro is introducing its Smart Protection Network, a next-generation security architecture. It collects threat data from various sources and analyzes it using TrendLabs to provide up-to-date threat information to lightweight endpoint clients in near real-time. This network removes the need for pattern monitoring and management on individual endpoints, reducing network traffic and memory usage. It also protects customers faster and with less staff time compared to traditional security solutions.
This document discusses originator control (ORCON) and how it can provide persistent control over data as it is shared beyond the enterprise. ORCON is related to digital rights management and information rights management as it allows the originator or enterprise to specify access controls for shared data, such as preventing forwarding or rescinding access. The document argues that while networks and infrastructure are difficult to secure, focusing protection at the data layer through encryption and ORCON can provide better persistent control over sensitive data as it moves to different domains.
The document describes Egress Switch, a software product that provides security when sharing sensitive data outside an organization. Key features include:
- Protecting and controlling sensitive information as it moves outside the organization, regardless of how it's shared. This includes real-time access revocation.
- Providing full visibility and audit trails for all authorized and unauthorized access attempts on shared data.
- Requiring no additional infrastructure since it's provided as a software-as-a-service product. There are no costs for recipients to use the product.
- Supporting secure sharing of large files through encryption and integration with tools like email clients, removable media, and file sharing services. Flexible policies can be set
Event Presentation: Cyber Security for Industrial Control SystemsInfonaligy
Get an inside look at practical examples of how hackers target control systems networks from the recent Lunch and Learn event put on by Infonaligy and Flexware Innovation.
Cloud can provide great flexibility to IT, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt virtual data center (IaaS) or on-line applications (SaaS), you shift the paradigm of security as it was conceived up to now. The presentation will examine the security implications of a Cloud infrastructure and possible remedies with practical examples.
The document discusses 7 ways for businesses to better protect data and improve their security posture in the modern workplace. It outlines steps to reduce threats through identity and access management, manage mobile devices and apps, leverage conditional access, increase enterprise data protection, prevent data loss, enable secured collaboration, and reduce malware exposure. The overall message is that businesses can give employees mobility and productivity while also protecting sensitive data through proper planning, tools, and education.
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
The document discusses the need for new security approaches using big data and advanced analytics to address modern security challenges. It notes that yesterday's security practices are insufficient, and that automated big data security solutions using integrated defenses across cloud, mobile, and on-premise systems can help organizations stay ahead of threats by providing greater intelligence, innovation, and integration.
Small businesses are often targeted by cybercriminals because they lack dedicated security staff and proper security policies and procedures. Identity theft and data breaches can happen for many reasons, including accidents, malicious attacks, viruses, and lack of preparedness. These incidents cost businesses on average $214 per stolen record and can damage reputation. Developing a data protection plan and communicating it to customers is key to building trust. Common cyber threats include viruses, malware, rootkits, key loggers, adware, and spam, which can steal user names, passwords, and sensitive data. Hackers also use drive-by downloads from infected websites to automatically install malicious software on unprotected computers.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
This document outlines a 7 step framework for developing and deploying an effective data loss prevention (DLP) strategy. The steps include prioritizing sensitive data, classifying data, understanding risks to data, monitoring data movement, developing controls, training employees, and rolling out the full DLP program over time. The framework advises starting with high priority data and demonstrating tactical successes to avoid failure due to complexity or organizational issues.
The document discusses how information security practitioners are overburdened due to the increasing complexity of technologies and rate of change. It proposes forming "Infosec Trust Groups" where organizations in the same sector or region can share resources and intelligence to help specialize skills, increase efficiency, and reduce costs. Working together in these groups could help address issues like staff shortages and help turn raw intelligence into more actionable threat analysis.
DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-L...Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.
This document discusses network security considerations for cloud computing. It begins with an introduction to different cloud deployment models including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It then covers each model in more detail, describing features and benefits. The document also discusses virtualization techniques, risks of cloud computing including loss of control and operational risks, and security best practices such as host hardening and securing inter-host communication. Standard organizations developing cloud computing security standards are also mentioned.
The Zero Trust Model of Information Security Tripwire
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust and verify approach to information security, but that’s not working as threats from malicious insiders represent the most risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it’s not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentAlgoSec
How we think about and architect network security has stayed fairly constant for quite some time.
Until we moved to the cloud.
Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing and hybrid networks requires a different mindset, different tools, and a new approach. Hybrid networks complicate management, both in your data center and in the cloud. Each side uses a different basic configuration and security controls, so the challenge is to maintain consistency across both, even though the tools you use – such as your nifty next generation firewall – might not work the same (if at all) in both environments.
Presented by AlgoSec and Rich Mogull, Analyst and CEO at Securosis, this webinar explains how cloud network security is different, and how to pragmatically manage it for both pure cloud and hybrid cloud networks. We will start with some background material and Cloud Networking 101, then move into cloud network security controls, and specific recommendations on how to use and manage them in a hybrid environment.
Enterprise-sanctioned application deployments on Infrastructure as a Service (IaaS) cloud platforms are fast becoming a reality. But while IaaS’s flexibility and cost-savings benefits are important, its success as a business solution hinges on its security.
Presented by the renowned industry expert Dr. Avishai Wool, this technical webinar covers security best practices for the Amazon Web Services (AWS) IaaS, including:
* The AWS firewall: what is it, how it differs from traditional firewalls, how it works, and tips for how to use it based on your business and technical needs
* AWS Security Groups: understanding them, recommendations for how to structure Security Groups to gain visibility and control of security polices effectively
* Integrating AWS into your enterprise data center: recommendations for setup, organization and configuration considerations on AWS
* Auditing and compliance: tools and techniques for tracking security policies across the hybrid data center
Cloud Security Topics: Network Intrusion Detection for Amazon EC2Alert Logic
With the rapid growth of online commerce, the challenge to secure and monitor internal and customer-facing websites, card processing systems and other critical infrastructure has never been greater. Deploying full-featured intrusion detection in a public cloud has been challenging – the network models and multi-tenancy of public clouds do not make deep network services easy to deploy. Misha Govshteyn, VP of Emerging Products at Alert Logic will present a new approach for a an IDS solution in a public cloud.
5 Steps to a Zero Trust Network - From Theory to PracticeAlgoSec
A Zero Trust network abolishes the quaint idea of a “trusted” internal network demarcated by a corporate perimeter. Instead it advocates microperimeters of control and visibility around the enterprise’s most sensitive data assets and the ways in which the enterprise uses its data to achieve its business objectives.
In this webinar, guest speaker John Kindervag, Vice President and Principal Analyst at Forrester Research, and Nimmy Reichenberg, VP of Strategy at AlgoSec will explain why a Zero Trust network should be the foundation of your security strategy, and present best practices to help companies achieve a Zero Trust state.
The webinar will cover:
• What is a Zero Trust network, and why it should be a core component of your threat detection and response strategy
• Turning theory into practice: Five steps to achieve Zero Trust information security
• How security policy management can help you define and enforce a Zero Trust network
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Your organisation’s data are now everywhere: on your servers and your desktop PCs; on your employees’ smart phones, tablet computers and laptops; on social networks; and in public clouds. Some of these data require special protection but they also need to be accessed remotely, which makes security a considerable challenge. Can you trust public clouds to keep your data safe and secure? Can you trust your own internal systems? And on what criteria and risk management strategies should you base your trust? -- Dr Mark Ian Williams's presentation at the April 2012 'Why Cloud? Why now?' conference at the headquarters of the Institute of Chartered of Accountants of England Wales.
Bil Harmer - Myths of Cloud Security Debunked!centralohioissa
Despite the meteoric rise of cloud based applications and services, as well as its subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”.
A recent global study by BT revealed that 76% of large organizations cited security as their main concern for using cloud-based services. 49% admitted being “very” or “extremely anxious” about the security complications of these services. However according to Gartner, the reality is “most breaches continue to involve on-premises data center environments”
Where do you stand on this issue?
In this talk. we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over
scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
This document provides a summary of core security requirements for cloud computing. It discusses the need to plan for security in cloud environments given issues like multi-tenancy, availability, confidentiality, and integrity. Specific requirements mentioned include secure access and separation of resources for multi-tenancy, assurances around availability, strong identity management, encryption of data at rest and in motion, and checks to ensure data integrity. The document emphasizes the importance of independent audits of cloud providers and having clear expectations around security requirements and notifications of any failures to meet requirements.
This document provides an overview of practical cloud security advice. It discusses security risks in cloud computing like unauthorized data exposure and loss of availability. It recommends technical controls like CASB for access monitoring, DLP for data protection, and IRM for persistent data protection. The document also stresses the importance of identity and access management, encryption, and secure configurations.
This document discusses security risks associated with cloud computing and databases. The main security risks are data breaches, data loss, and service hijacking that can occur when sensitive data is stored in cloud databases. Two examples of past data breaches at large companies, Home Depot and Target, are described along with the steps they took to strengthen security and regain customer trust. Methods to overcome security challenges in cloud computing discussed are encrypting data, implementing strong key management practices, and giving users control over their encryption keys.
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
The document discusses securing payment transactions in the cloud. It discusses common myths about cloud security, including that the cloud is not secure, trusted, or compliant. However, it argues that following best practices like PCI guidelines and using a managed cloud solution can securely decouple payment data. It provides an example of a utility company that processes millions of transactions securely in the cloud each month and discusses how to evaluate cloud vendors to find one that can help mitigate risks and address compliance needs.
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
Presentation from IBM InterConnect 2016 . With growth in the number of business applications and exponential growth in connectivity between applications and systems, it is important to understand not just how to implement security, but why it is important to ensure all parts of the business can appreciate it and apply the right levels of security to their messaging system use. - jointly presented by Leif Davidsen and Rob Parker
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
These slides were presented at Interconnect with Leif Davidsen presenting why securing your environment is important and then i presented what security features in IBM MQ can be used to protect your environment.
Security Considerations When Using Cloud Infrastructure Services.pdfCiente
Vast amounts of data, massive networks of virtual machines, and the limitless potential of the cloud — are the hallmarks of cloud infrastructure services.
Read this Article here: https://ciente.io/blogs/security-considerations-when-using-cloud-infrastructure-services/
Learn more: https://ciente.io/blog/
Follow for more Articles here: https://ciente.io/
Enterprise IT is transitioning from the use of traditional on-premise data centers to hybrid cloud environments. As a result, we’re experiencing a paradigm shift in the way we must think about and manage enterprise security. From Four Walls to No Walls Until now, the conventional view on IT security has been that applications and data are safe because they’re physically housed within the confines of a company’s data center walls using company-owned equipment. So, it’s not surprising that many decision makers perceive greater risks as they trade physical assets for cloud-based solutions.
Through our partnerships with leading cloud providers, we are able to offer hybrid, private and public cloud solutions. At Epoch Universal, we supply cloud the way you want it with deep control, extreme performance, and broad customization capabilities. When you join the Epoch Universal fold, you take back the keys to your kingdom. Reign as supreme commander in chief of your cloud. No compromises. No exceptions.
This document provides a 7-step guide for building security in the cloud from the ground up. It discusses starting security planning early, identifying vulnerabilities for cloud services, protecting data during transmission and storage, securing the cloud platform, extending trust across multiple cloud providers, choosing a secure cloud service provider, and learning more from Intel resources. The document aims to help readers strengthen data and platform protection when using cloud computing.
The document discusses security and compliance challenges related to cloud adoption, including concerns around data security, regulatory compliance, and lack of visibility and control over cloud infrastructure. It analyzes predictions that cloud adoption will continue growing rapidly but security concerns will remain a hindrance. Recommendations are provided around conducting risk assessments, deciding what assets to move to the cloud based on sensitivity, and strategies for managing security, compliance, and service level agreements with cloud providers.
2012-01 How to Secure a Cloud Identity RoadmapRaleigh ISSA
This document provides a summary of cloud identity and security topics. It begins with an overview of cloud computing market dynamics and the evolution to cloud-based services. It then discusses building a cloud roadmap and key security considerations when integrating internal IT with external cloud services. The concept of a "cloud broker" is introduced as a way to centrally manage user access and identities across multiple cloud applications and services. The document concludes with an introduction to Symplified as a provider of cloud identity broker solutions.
This document discusses various aspects of cloud security including cloud security challenges, areas of concern in cloud computing, how to evaluate risks, cloud computing categories, the cloud security alliance, security service boundaries, responsibilities by service models, securing data, auditing and compliance, identity management protocols, and Windows Azure identity standards. It provides information on policies, controls, and technologies used to secure cloud environments, applications, and data.
This document discusses the risks and benefits of cloud computing from legal perspectives such as employment and labour law, litigation and e-discovery obligations, and privacy law compliance. Some key risks discussed include issues around data ownership, business interruption if the service provider fails, security of personal information, and ensuring cloud contracts maintain legal control over user data and provide ability to retrieve data. Public bodies also have specific obligations to ensure personal information storage and access occurs only in Canada. Overall, the document emphasizes legal issues organizations should consider with cloud computing contracts and arrangements.
This paper discusses how information security function in enterprises must engage with business users and stakeholders to ensure innovation and adoption of digital transformation.
The promises of the digital new world is inextricably locked with cloud computing technologies.
Cloud computing technology is central to the converging interconnecting forces of collaboration, mobility, BYOD, IoT and social enterprise.
The information/data security and entitlements of users of these services and apps is bound to their identities and the contexts within which they may partake in this ecosystem.
Traditional security models, information governance, identity management and role based access control don’t quite cut the mustard.
However, new technologies are yet to be tested both commercially and functionally.
The potential benefits to the enterprise such as seamless collaboration, agility and efficiency are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.
SMBs are fast at adapting to innovation and change, cloud computing has grabbed the spotlight for safer business with data security solutions. Know how today's business can reap and adopt cloud security features for public cloud.
Similar to Extending security in the cloud network box - v4 (20)
Giga om 6fusion webinar iaas marketplaces - final for slideshareValencell, Inc.
GigaOm Research held a webinar on IT infrastructure marketplaces and the impact of utility computing. Paul Miller moderated a panel that included:
David Linthicum, SVP at Cloud Technology Partners
Jo Maitland, Cloud Research Director, GigaOm
Rob Bissett, VP Product Management, 6fusion
It was an open dialogue that covered a range of topics in the emerging arena of IaaS marketplaces, including:
Why do we need a market for IaaS?
How markets succeed… and fail
Comparing apples, oranges, and straight bananas
How do we get there?
This document summarizes the results of a 2013 cloud and IT metering survey. 205 organizations responded to questions about their cloud usage, infrastructure, spending expectations, and concerns. Key findings include that most use public IaaS for test/dev and production, with cost savings and flexibility as top benefits. Private cloud is used more for production, with flexibility and cost savings as top benefits. Spending on both public and private clouds is expected to increase in 2013 for most respondents. Security is a top concern for both public and private clouds. IT metering is used by 39% primarily through on-premise or custom applications to optimize costs and efficiency.
This document discusses the need for consistent measurement in cloud computing to enable utility-style pricing models. It explores different methods for measuring computing resources like CPU, memory, storage and networking. Accurately measuring usage allows for charging based on actual consumption rather than allocated resources. This could open the door to more meaningful comparisons between internal and external cloud options, treating computing more like a utility that can be easily evaluated and shifted between providers. Standardizing measurement is key to realizing the benefits of utility computing.
Do you know how the cloud is
impacting your IT group today?
Regardless of how much or how little you are using the cloud today, it's having an impact on how your users consume IT and your view your services. Emerging trends in the IT and cloud industry will have profound impacts on how you deliver IT services to your users in 2013.
This presentations covers:
- How to take advantage of shifting IT delivery models
- Detailed real-world examples of organizations like your shifting IT from a cost center to an internal service provider
- How metering IT resource consumption gives you the foundation to massively improve your IT efficiency
- How you can make better decisions about where and how IT workloads are deployed
The document discusses 6fusion's utility metered cloud platform. 6fusion profiles existing computing environments to determine supply, demand and cost. It meters workloads across private and public clouds for efficient resource allocation. 6fusion's tools allow modeling optimal workload distribution and estimating cloud costs before deployment.
3. Who We Are
6fusion Network Box USA
6fusion provides a utility-metered cloud Network Box USA provides
platform that enables global workload comprehensive, fully managed perimeter
distribution by turning public, private and internet security solutions. The Network Box
hybrid clouds into pay-per-use billable utilities. Unified Threat Management (UTM) solution
The unique metering algorithm, Workload combines numerous applications such as
Allocation Cube (WAC), creates a commercial firewall, intrusion prevention and
standard to quantify supply and demand for detection, anti-virus, content filtering, anti-
compute resources. span, anti-phishing, anti-spyware and VPN into
one single, sophisticated mix of hardware and
software. Network Box USA enables
businesses of all sizes to secure their networks
easily and cost effectively.
This is the first in a series of webinars on cloud security. We will let you
shape the content of the next webinar at the end of this webinar.
5. Cloud Security Myths
• Cloud cannot be secure
• All Cloud models are not created equal
- Private, Hybrid, Public
- IaaS, PaaS, SaaS
• All Cloud providers are not created equal
- Look for independent audit reports
• Cloud security is new
• The security concepts remain unchanged
• Unfortunately many used network defenses to compensate for
weak application security
• Cloud requires more effort or tools to be as secure
• NIST used the existing SP 800-53 and SP 800-37 to develop FedRAMP
• Oh by the way, Department of Homeland Security recently announced it is moving services
to a cloud provider that has been reviewed under FedRAMP
• The only reason enterprises move to the cloud is cost
reduction, reallocation, etc.
• Security can also be enhanced if you incorporate the following in your migration
- Security by Design, Active Monitoring, Incident Response Plan
6. A Quick Cloud Analogy
Your data happily in the cloud
Procurement
PII
Financial
Email
Payroll
HR An incident
beyond yourYour data no longer just in the cloud
control occurs
Payroll PII
Email
Procurement Financial
HR
7. Data Loss in Summary
To an Resulting in
Data Can Leak
Outsider Breach
• Trade Secrets • Stored on the • Thieves, • Company
• Account network or mobsters, defamation
Numbers shared drives other • Monetary
• Social Security • Copied on nefarious expense per
Numbers removable characters record lost
• Intellectual media • Competitors • Loss of assets
Property • Transferred • Regulators • Breach of
• Health electronically • Unauthorized customer
Records Internal Users trust
• Other • Press/Media
Personal
Information
8. Top Reasons for Data Loss
Hardware
Failure Human
35% Error
28% Software
Theft/Mal Failure
icious 14%
Employee
Action Virus
17% 6%
9. Cloud Security Challenges
There are a number of security issues associated with cloud
computing, but data security is arguably the biggest issue.
Main areas of concern specific to data security include:
Access Protection Segregation Recovery
10. Access
Data placed in the cloud are accessed and managed by persons other
than privileged users within the customer’s organization.
• What type and level of security checks are
Access enforced on those individuals?
• How are those checks enforced?
• What policies are in place to ensure roles and
privileges are enforced?
11. Protection
The nature of cloud computing means data can be stored at any
geographical location at any given time.
• Apart from some cloud service providers such as
Amazon who offers their customers the option of
Protection choosing between different zones in which to store
their data, it is uncommon to see a cloud computing
service contract where the customer is guaranteed that
their data would not be transferred outside a specified
region.
• Customers need to be aware that local laws may apply
to data held on servers within the cloud, and that it is
their responsibility to comply with data protection laws
under various jurisdictions worldwide where their data
is held.
12. Segregation
Data in the cloud is typically stored in a shared environment whereby
one customer’s data is stored alongside another customer’s data.
• While it is difficult to assure data
segregation, customers should review the cloud
Segregation vendor’s architecture to ensure proper data
segregation is available and that data leak
prevention (DLP) measures are in place.
13. Recovery
As with traditional IT systems, unexpected problems can and will occur
with cloud computing.
• What plan is in place to recover customer’s data
in event of a disaster, how long will data
Recovery restoration take and the impact on business
continuity?
14. Cloud Security Best Practices
• Ask where data will be kept and enquire the details of data protection laws in
the relevant jurisdictions.
• Include clauses in the cloud service contract that your data always belong to
you, that you can reclaim your data at any time and that your data shall not be
disclosed to any third party.
• Make it as hard as possible to gain access to your systems and then to your data
by implementing two-factor user authentication.
• Ensure that data is encrypted both ways across the Internet by using, for
example, mutual SSL. Ensure that data is encrypted when at rest, as well as
when in motion from one location to another. You, the customer, should have
control of key materials used for encrypting and decrypting data.
• Develop good password policies – how they’re created, changed and protected.
• Seek an independent security audit of the cloud vendor.
17. Security by DESIGN
• Understand your
security philosophy
• Know all of the
components for
each information
system
• Implement the
controls that bring
risk down to the
level acceptable to
your organization
18. Implement Active MONITORING
• Customers would
rather hear bad
news from you than
from the media
• Mitigation cannot
happen if you do
not know adverse
events are
occurring
• What, How, Who
19. Develop a RESPONSE Team and Plan
• Security is not a
guarantee
• Most events can be
categorized with
operational, technic
al, and legal
responses planned
• Training and
awareness are key
21. Thank You!
Resources What’s next?
FedRAMP 2nd Webinar in the Series
http://www.gsa.gov/portal/category/1
02371 • Timing: Early March
• Topic: How to advance your
Cloud Security Alliance
https://cloudsecurityalliance.org/
organizational security
• Details: You tell us…
FFIEC (not really cloud but outsourced
providers)
http://ithandbook.ffiec.gov/it- What do you want to hear about in
booklets/outsourcing-technology- the next webinar?
services/appendix-d-managed-security-
service-providers.aspx
NIST (SP800-144)
Email us at marketing@6fusion.com
http://www.nist.gov/customcf/get_pdf. with your ideas!
cfm?pub_id=909494
Editor's Notes
Embrace a secure-by-design approach: IT organizations need to focus on identifying controls that address the lack of direct access to information. Taking an approach that is secure by design forms the foundation of the organizations strategy for entering the cloud and allows the organization to consistently approach security needs based on the workloads and granular data represented in their cloud efforts. This also facilitates the implementation of resiliency and audit capabilities in the cloud, allowing organizations to extend their security philosophy into the cloud.
Embrace a secure-by-design approach: IT organizations need to focus on identifying controls that address the lack of direct access to information. Taking an approach that is secure by design forms the foundation of the organizations strategy for entering the cloud and allows the organization to consistently approach security needs based on the workloads and granular data represented in their cloud efforts. This also facilitates the implementation of resiliency and audit capabilities in the cloud, allowing organizations to extend their security philosophy into the cloud.
Implement an active monitoring solution: For organizations to address availability or instability conditions they must implement an active monitoring solution, failure to do so relies on cues from users which could result in damages ranging from poor customer satisfaction, to loss of customers. Organizations need to make determinations as to the monitoring and intervals based on data content and should implement manual or automated procedures to respond to related events.
Develop a plan and educate the response team: A large element of security is the response to threats and how rapidly an organization can respond to threats and adverse events. Organizations should document logical responses to event classes and implement education programs to facilitate response to said conditions.