The document discusses how to audit outsourced IT environments. It provides guidance on:
- Key challenges when auditing outsourced IT, such as lack of transparency.
- Using the Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM) to include outsourced IT controls in audits. The CCM contains 98 controls mapped to standards.
- The CSA's Cloud Audit Initiative which provides questionnaires to help assess outsourced IT vendor controls and compliance.
1. How to Audit Outsourced IT Environments?
• What are the challenges when auditing outsourced IT environments?
• How to include outsourced IT environments in your audit?
Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
CSA-BE volunteer
Berlin, June 2012
2. Topics
Key Cloud Security Problems
The GRC Stack
CSA Guidance Research
Transparency
Cloud Controls Matrix (CCM)
CCM – 98 Controls
Guidance
The CAI Questionnaire
CloudAudit Objectives & Alignment
3. Key Cloud Security Problems
From CSA Top Threats Research:
Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance, and the capture of real value
Data: Leakage, Loss or Storage in unfriendly geography
Insecure Cloud software
Malicious use of Cloud services
Account/Service Hijacking
Malicious Insiders
Cloud-specific attacks
4. The GRC Stack
Provides trust in the Cloud
[Diagram: the GRC Stack as three stages: Needs and Claims (Security Requirements and Capabilities); Evidence and Assurance (Security Compliance and Transparency and Visibility); Payoffs and Protection (Trust)]
Delivering evidence-based confidence… with compliance-supporting data & artifacts.
5. A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
[Table columns: Delivering, Stack Pack, Description; the Stack Pack column did not survive extraction]
Delivering: Continuous monitoring … with a purpose
Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Delivering: Claims, offers, and the basis for auditing service delivery
Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Delivering: Pre-audit checklists and questionnaires to inventory controls
Description: Industry-accepted ways to document what security controls exist
Delivering: The recommended foundations for controls
Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
6. A Headstart for Control and Compliance
Forged by the Global Marketplace; Ready for All
[Table columns: Professional, Government, Commercial; legend: In place, Offered. The "???" entries are the slide's own markers.]
Delivering: Continuous monitoring … with a purpose
Standards: ???
Description: Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers
Delivering: Claims, offers, and the basis for auditing service delivery
Standards: ???
Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Delivering: Pre-audit checklists and questionnaires to inventory controls
Standards: FedRAMP, DIACAP, Other C&A standards
Description: Industry-accepted ways to document what security controls exist
Delivering: A recommended foundations for controls
Standards (control assessment criteria): NIST 800-53, HITRUST CSF, SSAE SOC2, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
Description: Fundamental security principles in assessing the overall security risk of a cloud provider
7. CSA Guidance Research
14 Domains of concern: popular best practices for securing cloud computing (side label: Transparency)
Cloud Architecture
Governing the Cloud:
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Operating in the Cloud:
Security, Bus. Cont., and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
(governing & operating groupings)
8. Transparency
[Figure: Transparency. Source: NIST SP500-291-v1.0, p. 42, Figure 12]
16. Sample Questions to Vendors
Compliance - Independent Audits (CO-02)
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their request?
CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance - Classification (DG-02)
DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (ex. Tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?
DG-02c - Do you have a capability to use system geographic location as an authentication factor?
DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
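How vendor answers to the slide 16 questions can be folded into an audit work programme, as an added example that is not part of the slides: it parses a constructed CSV of CAI questionnaire answers (the real CAIQ is a spreadsheet; the CSV layout, the "transparency gap" classification and every sample answer are assumptions of this example), scores Yes-coverage per CCM control and ranks the items an auditor has to follow up.

```python
"""Gap analysis over CAIQ-style vendor answers (added example, not the slides' code)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of one vendor's answers; the question IDs are those on slide 16,
# the answers and notes are invented for this example.
SAMPLE_RESPONSES = """\
question_id,answer,notes
CO-02a,Yes,SOC2 Type II report available under NDA
CO-02b,Yes,Quarterly by external firm
CO-02c,No,Planned for next fiscal year
CO-02d,Yes,
CO-02e,Yes,
CO-02f,N/A,Executive summary only
CO-02g,No,
DG-02a,Yes,Region tag on every instance
DG-02b,No,
DG-02c,No,
DG-02d,Yes,Via support ticket
DG-02e,Yes,Allowed regions set per tenant
"""

# Questions whose non-Yes answer denies the tenant audit evidence (the transparency
# problem from slide 3) rather than a technical capability. Assumption of this example.
TRANSPARENCY_QUESTIONS = {"CO-02a", "CO-02f", "CO-02g", "DG-02d"}

# CCM control id is the question id without its trailing letter, e.g. CO-02a -> CO-02.
CONTROL_RE = re.compile(r"^([A-Z]{2}-\d{2})[a-z]$")
VALID_ANSWERS = {"YES", "NO", "N/A"}


def parse_responses(text):
    """Parse the CSV, validate ids/answers and attach the parent control id."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        m = CONTROL_RE.match(r["question_id"])
        if not m:
            raise ValueError(f"bad question id {r['question_id']!r}")
        r["control"] = m.group(1)
        r["answer"] = r["answer"].strip().upper()
        if r["answer"] not in VALID_ANSWERS:
            raise ValueError(f"{r['question_id']}: answer must be Yes/No/N/A")
    return rows


def coverage_by_control(rows):
    """Fraction of questions per control answered Yes, e.g. {'CO-02': 4/7}."""
    totals, yes = defaultdict(int), defaultdict(int)
    for r in rows:
        totals[r["control"]] += 1
        yes[r["control"]] += r["answer"] == "YES"
    return {c: yes[c] / totals[c] for c in totals}


def follow_up_items(rows):
    """Every non-Yes answer with an audit action; transparency gaps are listed first."""
    items = []
    for r in rows:
        if r["answer"] == "YES":
            continue
        gap = "transparency" if r["question_id"] in TRANSPARENCY_QUESTIONS else "capability"
        action = ("request evidence or a contractual commitment" if gap == "transparency"
                  else "assess a compensating control on the tenant side")
        items.append({"question_id": r["question_id"], "answer": r["answer"],
                      "gap": gap, "action": action, "notes": r["notes"]})
    items.sort(key=lambda i: (i["gap"] != "transparency", i["question_id"]))
    return items


if __name__ == "__main__":
    rows = parse_responses(SAMPLE_RESPONSES)
    for control, cov in sorted(coverage_by_control(rows).items()):
        print(f"{control}: {cov:.0%} of questions answered Yes")
    for item in follow_up_items(rows):
        print(f"{item['question_id']} [{item['answer']}] {item['gap']} gap: "
              f"{item['action']} {item['notes']}")
```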
17. CloudAudit Objectives
Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
18. Aligned to CSA Control Matrix
Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
First efforts aligned to compliance frameworks as established by CSA Control Matrix:
PCI DSS
NIST 800-53
HIPAA
COBIT
ISO 27002
Incorporate CSA’s CAI and additional CompliancePacks
Expand alignment to “infrastructure” and “operations”-centric views also
20. … and Architecture best practices
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
21. Any Questions?
Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
volunteer CSA-BE
M +32.499-374713 e rob.kloots@trustingthecloud.eu