Securing The Journey To The Cloud
Niloufer Tamboly
Mallik Prasad
January 31, 2013
Securing the journey to the Cloud
• The Essentials of Cloud Computing
• Cloud Deployment and Service Delivery Models
• Cloud Security and Risk Considerations
• Assessing Risk, Audit Program Considerations
• Virtualization Concepts
How cloud is impacting business models
The New Normal Challenges
• Traditional brick-and-mortar companies are being challenged by competitive new lean upstart companies utilizing cloud technologies.
• Business demand on IT is increasing, while the expectation is for IT to do more with less.
• Companies are embracing the mobile proliferation and the race for market share utilizing these newer cloud technologies.
• What was about the data center is now about the data.
The New Normal
• It’s a digital world: the boundaries between work and home are no longer relevant.
• Open enterprise: the boundaries between businesses and the consumer have been redrawn.
• Consumerization of technology (online, mobile, social media) is changing the shopping experience.
• Smarter shopper experience: the consumer is now multi-channel.
Demystifying the Cloud
What is Cloud Computing?
Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, four deployment
models and three service models.
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
Cloud Is Not…
…simply virtualization
While many cloud solutions, both public and private, leverage virtualized infrastructure resources to deliver functionality, cloud raises the bar by providing on-demand provisioning. Publicly-announced private clouds are essentially an aggressive virtualization program on top of the traditional enterprise IT stack.
…just applying SOA principles
Service Oriented Architecture (SOA) is a set of design principles, whereas cloud is a service. Cloud-based services will be defined and enabled through SOA. As such, SOA is a prerequisite to reap cloud computing benefits. However, following SOA design principles alone does not guarantee the ability to easily transition to a cloud-based solution.
…only traditional hosting
Cloud and traditional hosting share many characteristics, but unlike traditional hosting a cloud service is offered on demand and is scalable and elastic: a user can have as much or as little of the service as they need and pay only for the resources actually used.
Cloud Deployment Models
• Private Cloud
• Public Cloud
• Community Cloud
• Hybrid Cloud
Private Cloud
The cloud infrastructure is operated solely for a single organization. It may be managed by
the organization or a third party, and may exist on-premises or off premises.
Examples of a Private Cloud
• OpenStack software delivers a scalable cloud operating system
• Some VMware or Citrix installations
• Some enterprise social-network products offered as private clouds, e.g. MangoApps, Huddle IL3, and Jive
Public Cloud
The cloud infrastructure is made available to the general public or a large
industry group and is owned by an organization selling cloud services.
Examples of a Public Cloud
• Gmail
• Salesforce
• Amazon Elastic Compute Cloud (EC2)
• Facebook
Community Cloud
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example,
mission, objectives, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party,
and may exist on-premise or off-premise.
Examples of a Community Cloud
• NYSE Technologies Capital Markets Cloud Platform: the first financial services cloud offering platform services to the capital markets community. The platform is for banks, broker-dealers, systematic traders, and buy-side institutions seeking to reduce the costs of trading infrastructure and to streamline access to a wide variety of trading applications. It provides turnkey access to trading infrastructure and services, making it far simpler to benefit from the world’s most vibrant capital markets community.
Hybrid Cloud
The cloud infrastructure is a composition of cloud models (private or public) that remain unique entities but are
bound together by standardized or proprietary technology that enables data and application portability (e.g.,
cloud bursting for load-balancing between clouds).
Examples of a Hybrid Cloud
• Organizations may host critical applications on private clouds and applications with relatively fewer security concerns on the public cloud. The usage of both private and public clouds together is called hybrid cloud. A related term is cloud bursting: an organization uses its own computing infrastructure for normal usage but accesses the cloud for high/peak load requirements. This ensures that a sudden increase in computing requirements is handled gracefully.
• An organization might use a public cloud service, such as Amazon Simple Storage Service (Amazon S3), for archived data but continue to maintain in-house storage for operational customer data.
Demystifying the Cloud
Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• X as a Service (XaaS)
Software as a Service (SaaS)
• Definition: delivers software as a service over the Internet. In most cases there is no need to install and run the application on the customer's own computers, which simplifies maintenance and support.
• Customization: users of the service have limited customization, since they no longer develop the application.
• Benefits: the user of the cloud maintains very little or no technical staff to run the application software. The user of the service could realize additional savings as expenses move from a capital expense to an operating expense, and from a reduction in staff.
Platform as a Service (PaaS)
• Definition: delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers. The user of the cloud writes application code that integrates with the provider's platform.
• Customization: the user of the service has moderate customization, building applications within the constraints of the platform.
• Benefits: the user of the service maintains the technical staff to develop and maintain the application. The user of the service could realize additional savings as expenses move from a capital expense to an operating expense, and from a reduction in staff.
Infrastructure as a Service (IaaS)
• Definition: delivers computer infrastructure, typically a platform virtualization environment, as a service. The service is typically billed on a utility computing basis, by the amount of resources consumed.
• Customization: not much is needed; as a subscriber of the cloud, the technology being deployed requires minimal configuration.
• Benefits: the user of the service maintains the technical staff to develop and manage its platform and application software. The user of the service could realize savings as expenses move from a capital expense to an operating expense.
Exercise 1
Cloud Standards and Related
Regulations Are Still Evolving
Leading organizations trying to establish Security Standards in the Cloud are:
• NIST (National Institute of Standards and Technology)
• CSA (Cloud Security Alliance)
• ENISA (European Network and Information Security Agency)
Audit Program and Frameworks
• The National Institute of Standards and Technology (NIST) SP 800-30
• ISACA Cloud Computing Audit Program
• Cloud Security Alliance - Cloud Controls Matrix (attached Slide 34)
• Federal Risk and Authorization Management Program (FedRAMP)
Security and Privacy are top cloud concerns
Cloud issues can impact you: it is important for cloud consumers to consider and address security when migrating to the cloud.
Public Cloud – Amazon view of Security
• Amazon Web Services: EC2, EBS, S3, VPC etc.
• It is the customer's responsibility to maintain security, protection and backup of their data and applications on AWS.
Source: http://aws.amazon.com/security/
CSA Threats – Public Cloud (threat, with examples)
1. Abuse and Nefarious Use of Cloud Computing: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, botnets, spam.
2. Insecure Interfaces and APIs: anonymous access and/or reusable tokens/passwords/keys, clear-text authentication, inflexible access controls, limited monitoring and logging.
3. Malicious Insiders: lack of privileged-user management, monitoring policies, audits.
4. Shared Technology Issues: Red and Blue Pill exploits.
5. Data Loss or Leakage: insufficient AAA controls; inconsistent use of encryption and software keys, operational failures, disposal challenges, reliability and DR.
6. Account or Service Hijacking: lack of internal security controls and detailed auditing/monitoring.
7. Unknown Risk Profile: the IRS asked Amazon EC2 to perform a certification and audit, and Amazon refused; Heartland data breach.
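As an added example (not part of the original deck), the following Python contrasts the reusable static key called out under threat 2 with a short-lived signed token, and records every authentication decision so that failures are visible to monitoring. The signing secret, the static key table and the subject names are constructed sample values, not taken from any real system.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service would load this from a key store.
SECRET = b"constructed-demo-signing-key"

# Static API keys never expire: once leaked they stay valid until someone
# notices and rotates them. This table is constructed sample data.
STATIC_KEYS = {"demo-static-key-0001": "svc-backup"}

AUTH_LOG = []  # every authentication decision is appended here for monitoring


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, ttl_seconds, now=None):
    """Issue a short-lived token: base64(JSON claims) '.' base64(HMAC-SHA256 of that body)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_token(secret, token, now=None):
    """Return (accepted, reason, claims). The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, sig = parts
    try:
        presented = _b64d(sig)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad-signature", None  # tampered or forged
    claims = json.loads(_b64d(body))
    if now >= claims["exp"]:
        return False, "expired", claims  # a leaked token stops working on its own
    return True, "ok", claims


def verify_static_key(key):
    """The weak pattern from the CSA list: a reusable key with no expiry and no per-use context."""
    subject = STATIC_KEYS.get(key)
    return (subject is not None), subject


def authenticate(token, now=None):
    """Gate for an API call; logs the outcome so failed attempts are visible to monitoring."""
    ok, reason, claims = verify_token(SECRET, token, now)
    AUTH_LOG.append({"ts": now, "subject": claims["sub"] if claims else None, "result": reason})
    return ok


if __name__ == "__main__":
    tok = issue_token(SECRET, "svc-backup", 300, now=1000)
    print("fresh token accepted:", authenticate(tok, now=1100))
    print("same token 5 minutes later:", authenticate(tok, now=1300))
    print("auth log:", AUTH_LOG)
```

The static key path accepts the same credential forever; the token path expires it and rejects any token whose body was altered after signing, so a leaked credential has a bounded useful life and every rejection leaves a log entry for the monitoring the threat description says is usually missing.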
Scope and control among cloud service models
[Figure: layered stack (Application; Platform Architecture; Virtualized Infrastructure; Hardware; Facility), with the boundary between the cloud consumer's scope of control and the cloud provider's drawn separately for IaaS, PaaS and SaaS.]
Regulatory compliance is a key concern in public cloud: the cloud consumer has to ensure controls for compliance are appropriately addressed, either by the provider or by including controls for data and applications on the cloud.
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing
Cloud – Security Observations
Secure cloud infrastructure environment
• Secure setup and configurations
• Inter-VM traffic inspection and control
• Manage privileged users and their activities
How to manage identity and access across physical and virtual environments
• Identity lifecycle management
• Authentication, authorization, audit
Application security assurance
• Varied trust levels require different security controls
• Application vulnerabilities
• Bespoke application re-factoring for cloud
How to manage and monitor the entire cloud infrastructure
• Configuration and patch management
• Compliance management and reporting
• Incident detection and response
Policy and risk management for cloud
• Extension of the ISMS incorporating cloud security
• Segregation of duties for cloud
How to ensure data security
• Different classifications of data
• Data leakage from suspended, stored images
• Production data in orphan test and QA images
[Figure: IaaS, PaaS and SaaS layers above the hypervisor, hosting COTS, home-grown, legacy and test workloads for customers and employees; challenge areas are labelled A to F.]
A view of technical security controls
Challenges (labelled A to F in the figure above) and the corresponding controls:
Security Governance
• Approval by Information Security
• Process/policies defined and fine-tuned
• Risk identification and mitigation
Privileged Users & SOD
• Identity and access management
• Privileged user management
Application/Data Segregation
• Application vulnerability assessment
• Zoning/VLAN segregation
• Data encryption and obfuscation
Virtualization Security
• Guest and host security
• Inter-VM traffic inspection
• Patch and configuration management
Auditing & Monitoring
• Guest/hypervisor/application log monitoring
• VM/admin level activity monitoring
• Incident detection and response capability within the cloud
Top Ten Cloud Security Concerns
1. Architecture of the environment (public vs. private; SaaS / PaaS / IaaS).
2. Misconfiguration of the environment, where breaches are caused by errors, omissions and misconfigurations (e.g. hypervisor, OS, storage, switch).
3. Segmentation from other customers (e.g. multi-tenant environments).
4. Authentication and authorization (e.g. form factor, lack of granular permissions).
5. DDoS attacks (e.g. cloud to cloud, inter/intra cloud).
6. Data location and storage (e.g. data loss / privacy / leakage).
7. Security monitoring (e.g. cloud perimeter and inside the cloud).
8. Incident response (e.g. availability of resources).
9. Auditability, certification and compliance (e.g. which standards to follow; is the CSP compliant or has it been certified, and how do I check that?).
10. Legal (e.g. regional; who has access to my data?).
How Do You Scope A Cloud Audit?
• Remember it is not prescriptive
• You need to understand the environments, service delivery and deployment models
• You need to understand the risks associated with the environment
Risk Areas In A Cloud Environment
Governance Risks
• All changes logged
• Reporting on roles, separation of duties
• Security monitoring of the cloud environment and possible security incidents
• Patch management
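Added example, not from the original deck: a small Python audit script covering the governance risks just listed (all changes logged, reporting on roles and separation of duties, monitoring of privileged activity) and the "Privileged Users & SOD" and "Auditing & Monitoring" controls from the technical controls view. The role export, change tickets, log lines and the list of conflicting role combinations are all constructed for this example; a real review would feed it the IAM export and the management-plane audit log.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: role assignments exported from an IAM console (not real data).
ROLE_ASSIGNMENTS_CSV = """user,role
alice,cloud-admin
alice,security-auditor
bob,developer
bob,release-approver
carol,developer
dave,cloud-admin
"""

# Constructed sample: approved change tickets, id -> (implementer, target).
CHANGE_TICKETS = {
    "CHG-1001": ("bob", "vm-42"),
    "CHG-1002": ("dave", "fw-rule-7"),
}

# Constructed sample: activity log exported from the cloud management layer.
AUDIT_LOG = """\
2013-01-31T10:02:11Z user=bob action=vm.resize target=vm-42 ticket=CHG-1001
2013-01-31T10:05:40Z user=dave action=fw.rule.update target=fw-rule-7 ticket=CHG-1002
2013-01-31T11:15:02Z user=alice action=iam.role.grant target=bob ticket=
2013-01-31T11:20:30Z user=dave action=vm.snapshot.delete target=vm-42 ticket=CHG-9999
"""

# Toxic role combinations one identity must not hold at the same time (assumed policy).
SOD_CONFLICTS = [
    frozenset({"cloud-admin", "security-auditor"}),  # administers and audits the same estate
    frozenset({"developer", "release-approver"}),    # writes the code and approves its release
]

PRIVILEGED_ROLES = {"cloud-admin"}


def load_roles(csv_text):
    """Map user -> set of roles from the IAM export."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles[row["user"]].add(row["role"])
    return dict(roles)


def sod_violations(roles):
    """Users who hold every role of some conflicting combination."""
    found = []
    for user in sorted(roles):
        for combo in SOD_CONFLICTS:
            if combo <= roles[user]:
                found.append((user, tuple(sorted(combo))))
    return found


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = ts
        events.append(event)
    return events


def unapproved_changes(events, tickets):
    """Changes with no ticket, an unknown ticket, or a ticket raised for a different target."""
    flagged = []
    for e in events:
        ticket = tickets.get(e["ticket"])
        if ticket is None or ticket[1] != e["target"]:
            flagged.append((e["ts"], e["user"], e["action"], e["ticket"] or "<none>"))
    return flagged


def privileged_activity(events, roles):
    """Everything done by privileged identities or touching IAM, for the reviewer's report."""
    return [
        (e["ts"], e["user"], e["action"], e["target"])
        for e in events
        if roles.get(e["user"], set()) & PRIVILEGED_ROLES or e["action"].startswith("iam.")
    ]


if __name__ == "__main__":
    roles = load_roles(ROLE_ASSIGNMENTS_CSV)
    events = parse_log(AUDIT_LOG)
    for v in sod_violations(roles):
        print("SoD violation:", v)
    for c in unapproved_changes(events, CHANGE_TICKETS):
        print("Unapproved change:", c)
    for p in privileged_activity(events, roles):
        print("Privileged activity:", p)
```

On the sample data the script reports two separation-of-duties violations (alice, bob), two changes that cannot be traced to an approved ticket (the untracked IAM grant and the snapshot deletion under an unknown ticket), and the three privileged events an auditor would want to walk through with the cloud team.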
Vendor Management Risks
• Vendor selection
• Contracting
• Monitoring
• Resource provisioning
• Vendor lock-in
Data Management Risks
• Data acquisition
• Data usage
• Data storage
• Data transfer
• Data disposal
Infrastructure Security Risks
• Vulnerability management
• System security
• Network security
• Application security
• Encryption
Identity and Access Management Risks
• Identity management
• Access management
Physical Security Risks
• Highly secure physical facility, employee background checks, multi-level / tiered access controls in accordance with a least-privilege policy
• Access logging and monitoring: video monitoring, keycard and biometric palm readers, fixed and roving security guards (depending on the data center)
Compliance Risks
• PCI DSS, SAS-70 Type II, FedRAMP, FISMA
SSAE16 – SOC Decision Tree
Which report to use (SSAE 16 - SOC):
• Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial
  Yes: SOC 1 Report
• Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation?
  Yes: SOC 1 Report
• Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems?
  Yes: SOC 2 or 3 Report
  • Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests?
    Yes: SOC 2 Report
    No: SOC 3 Report
  • Do you need to make the report generally available or use a seal?
    Yes: SOC 3 Report
SSAE16 SOC 2 Overview
Five attributes of a system are known as principles and are defined as follows:
• Security: the system is protected against unauthorized access (both physical and logical).
• Availability: the system is available for operation and use as committed or agreed.
• Processing integrity: system processing is complete, accurate, timely, and authorized.
• Confidentiality: information designated as confidential is protected as committed or agreed.
• Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).
SOC 3 Report - SysTrust for Service Organizations
Use
• Distribute the SOC 3 report to customers and publicly display a seal of approval using the SOC 3 Report: SysTrust for Service Organizations seal.
Scope
• SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy).
For more information about the SysTrust for Service Organizations seal program go to www.webtrust.org.
Questions/Feedback
Exercise 2
Background
HotShot Enterprise (“HSE”) is a global consumer products company producing household products, with annual revenues of approximately 80 billion USD.
HSE Products is ready to expand and is looking for ways to penetrate nontraditional markets. HSE's CEO has plans to grow the company in size, revenue, and profits, in addition to expanding its horizons.
However, to maintain a balanced budget, HSE is looking to restructure some cost centers and reduce company expenses considerably. Plans are under way to restructure the Information Technology (IT), human resources and supply chain divisions.
The three divisions currently have over 10,000 employees across the world and are estimated to incur expenses of up to 20 billion annually.
Exercise 2 contd.
It is apparent that HSE’s competitors have moved into the cloud and are experimenting with new ways to reach consumers.
For example, one of HSE’s competitors, NoShot Enterprise (“NSE”), is utilizing social media and other mobile platforms to reach consumers.
NSE’s quarterly revenue increase strongly suggests that its cloud strategy has played a vital role. From HSE’s perspective the boundaries between consumers and businesses are being redrawn, and the cloud is facilitating this move.
Accordingly, HSE’s board of directors accepts the new normal of cloud computing and focuses more on data.
Exercise:
1) You are asked to test the controls that ensure data is securely transmitted and maintained, to prevent unauthorized access and modification.
2) Also validate that the controls over virtualized operating systems ensure they are hardened to prevent cross-contamination with other customer environments.
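Added example for part 2 of the exercise, not part of the original deck: a Python check that parses a VMware-style .vmx guest configuration and compares the guest-isolation settings against a hardening baseline, which is the kind of evidence an auditor would collect for "hardened to prevent cross-contamination". The .vmx fragment is constructed; the expected values follow VMware's vSphere hardening guidance for guest isolation, but the baseline dictionary itself is this example's assumption and should be replaced with the organisation's approved standard.

```python
import re

# Constructed sample .vmx fragment for a tenant VM (not taken from any real system).
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "tenant-a-web01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
RemoteDisplay.vnc.enabled = "TRUE"
ethernet0.virtualDev = "vmxnet3"
"""

# Expected values for guest-isolation settings (assumed baseline, modelled on
# VMware's vSphere hardening guidance): clipboard and drag-and-drop between guest
# and host off, guests unable to attach or edit virtual devices, no VNC console,
# no host information exposed to the guest.
HARDENING_BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "RemoteDisplay.vnc.enabled": "FALSE",
    "tools.guestlib.enableHostInfo": "FALSE",
}

_LINE = re.compile(r'^\s*([\w.\-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Map key -> value with quotes stripped; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_hardening(settings, baseline):
    """Return (key, expected, actual) for every baseline setting not explicitly set to its
    expected value. actual is None when the key is absent: the hypervisor default then
    applies, and defaults differ between product versions, so the reviewer verifies it
    rather than assuming it is safe."""
    findings = []
    for key, expected in sorted(baseline.items()):
        actual = settings.get(key)
        if actual is None or actual.upper() != expected:
            findings.append((key, expected, actual))
    return findings


def deviations(findings):
    """Only the explicit misconfigurations (key present with the wrong value)."""
    return [f for f in findings if f[2] is not None]


if __name__ == "__main__":
    found = check_hardening(parse_vmx(SAMPLE_VMX), HARDENING_BASELINE)
    for key, expected, actual in found:
        state = "NOT SET (verify default)" if actual is None else "is %s, expected %s" % (actual, expected)
        print("%-40s %s" % (key, state))
```

On the constructed VM the check reports copy and drag-and-drop left enabled between guest and host and a VNC console switched on (three explicit deviations), plus two settings the configuration never states and therefore inherits from the hypervisor default. The same parser can be pointed at every .vmx file on a host to produce the evidence for the exercise rather than relying on a verbal assurance that guests are hardened.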
Key Properties of Virtualization
Virtualization
Hypervisor
• A hypervisor is platform-virtualization software, or a combined hardware/software platform, that allows multiple operating systems to run concurrently on a host computer. It is also called a Virtual Machine Monitor (VMM).
• Type 1: a type 1 hypervisor runs directly on the computer hardware and manages all operating systems running as guests above it. This is also known as running on ‘bare metal’.
• Type 2: a type 2 hypervisor is a software application that runs on top of an operating system.
Types of Virtualization
[Figure: virtualization layers: network layer, application and desktop layer, servers and storage.]
Additional Documentation
Attachments:
Questions

How To Become An IT Security Risk Analyst
How To Become An IT Security Risk AnalystHow To Become An IT Security Risk Analyst
How To Become An IT Security Risk Analyst
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Cybersecurity Careers For Students
Cybersecurity Careers For StudentsCybersecurity Careers For Students
Cybersecurity Careers For Students
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Top cloud security certifications 2019
Top cloud security certifications 2019Top cloud security certifications 2019
Top cloud security certifications 2019
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Need For Hardware Security Controls in IoT
Need For Hardware Security Controls in IoTNeed For Hardware Security Controls in IoT
Need For Hardware Security Controls in IoT
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 

More from Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE (11)

Cybersecurity Careers - Step Up Skill Feb2023 (1).pdf
Cybersecurity Careers - Step Up Skill Feb2023 (1).pdfCybersecurity Careers - Step Up Skill Feb2023 (1).pdf
Cybersecurity Careers - Step Up Skill Feb2023 (1).pdf
 
How to Secure Your Small Business from Cyber Threats
How to Secure Your Small Business from Cyber ThreatsHow to Secure Your Small Business from Cyber Threats
How to Secure Your Small Business from Cyber Threats
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
 
Drive Digital Trust One Code At A Time
Drive Digital Trust One Code At A TimeDrive Digital Trust One Code At A Time
Drive Digital Trust One Code At A Time
 
CyberCorps: Scholarship for Service Program
CyberCorps: Scholarship for Service ProgramCyberCorps: Scholarship for Service Program
CyberCorps: Scholarship for Service Program
 
IT Audit Career Path
IT Audit Career PathIT Audit Career Path
IT Audit Career Path
 
How To Become An IT Security Risk Analyst
How To Become An IT Security Risk AnalystHow To Become An IT Security Risk Analyst
How To Become An IT Security Risk Analyst
 
Cybersecurity Careers For Students
Cybersecurity Careers For StudentsCybersecurity Careers For Students
Cybersecurity Careers For Students
 
Top cloud security certifications 2019
Top cloud security certifications 2019Top cloud security certifications 2019
Top cloud security certifications 2019
 
Need For Hardware Security Controls in IoT
Need For Hardware Security Controls in IoTNeed For Hardware Security Controls in IoT
Need For Hardware Security Controls in IoT
 
5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying
 

Recently uploaded

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 

Securing The Journey To The Cloud

  • 1. Securing The Journey To The Cloud
    Niloufer Tamboly
    Mallik Prasad
    January 31, 2013

  • 2. Securing the journey to the Cloud
    Ø The Essentials of Cloud Computing
    Ø Cloud Deployment and Service Delivery Models
    Ø Cloud Security and Risk Considerations
    Ø Assessing Risk, Audit Program Considerations
    Ø Virtualization Concepts

  • 3. How cloud is impacting business models
    The New Normal Challenges
    Ø Traditional brick and mortar companies are being challenged by competitive new lean upstart companies utilizing cloud technologies.
    Ø Business demand on IT is increasing while expectations are for IT to do more with less.
    Ø Companies are embracing the mobile proliferation and the race for market share utilizing these newer cloud technologies.
    Ø What was about the Data Center is now about the data.

  • 4. The New Normal
    Ø It’s a Digital world — The boundaries between work and home are no longer relevant.
    Ø Open Enterprise — The boundaries between businesses and the consumer have been redrawn.
    Ø Consumerization of Technology (Online, Mobile, Social Media) is changing the shopping experience.
    Ø Smarter shopper experience — The consumer is now multi-channel.

  • 6. What is Cloud Computing?
    Definition: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, four deployment models and three service models.
    Source: http://csrc.nist.gov/groups/SNS/cloud-computing/

  • 7. Essential Characteristics
    Ø On-demand self-service
    Ø Broad network access
    Ø Resource pooling
    Ø Rapid elasticity
    Ø Measured service

  • 8. Cloud Is Not…
    …simply virtualization: While many cloud solutions, both public and private, leverage virtualized infrastructure resources to deliver functionality, cloud raises the bar by providing on-demand provisioning. Publicly announced private clouds are essentially an aggressive virtualization program on top of the traditional enterprise IT stack.
    …just applying SOA principles: Service Oriented Architecture (SOA) is a set of design principles, whereas cloud is a service. Cloud-based services will be defined and enabled through SOA; as such, SOA is a prerequisite to reaping cloud computing benefits. However, following SOA design principles alone does not guarantee the ability to easily transition to a cloud-based solution.
    …only traditional hosting: Cloud and traditional hosting share many characteristics, but unlike traditional hosting a cloud service is offered on demand and is scalable and elastic — a user can have as much or as little of the service as they need and pay only for the resources actually used.

  • 9. Cloud Deployment Models
    Ø Private Cloud
    Ø Public Cloud
    Ø Community Cloud
    Ø Hybrid Cloud

  • 10. Private Cloud
    The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.

  • 11. Examples of a Private Cloud
    Ø OpenStack software delivers a scalable cloud operating system
    Ø Some VMware or Citrix installations
    Ø Some social network products offered as private clouds, such as MangoApps, Huddle IL3, and Jive

  • 12. Public Cloud
    The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

  • 13. Examples of a Public Cloud
    Ø Gmail
    Ø SalesForce
    Ø Amazon Elastic Compute Cloud (EC2)
    Ø Facebook

  • 14. Community Cloud
    The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, objectives, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

  • 15. Examples of a Community Cloud
    Ø NYSE Technologies Capital Markets Cloud Platform is the first financial services cloud offering platform services to the capital markets community. The platform is for banks, broker-dealers, systematic traders, and buy-side institutions seeking to reduce the cost of trading infrastructure and to streamline access to a wide variety of trading applications. It provides turnkey access to trading infrastructure and services, making it far simpler to benefit from the world’s most vibrant capital markets community.

  • 16. Hybrid Cloud
    The cloud infrastructure is a composition of cloud models (private or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

  • 17. Examples of a Hybrid Cloud
    Ø Organizations may host critical applications on private clouds and applications with relatively fewer security concerns on the public cloud. The usage of both private and public clouds together is called a hybrid cloud. A related term is Cloud Bursting: an organization uses its own computing infrastructure for normal usage but accesses the cloud for high/peak load requirements. This ensures that a sudden increase in computing requirements is handled gracefully.
    Ø An organization might use a public cloud service, such as Amazon Simple Storage Service (Amazon S3), for archived data but continue to maintain in-house storage for operational customer data.

  • 19. Service Delivery Models
    Ø Software as a Service (SaaS)
    Ø Platform as a Service (PaaS)
    Ø Infrastructure as a Service (IaaS)
    Ø X as a Service (XaaS)

  • 20. Software as a Service (SaaS)
    Ø Definition - Delivers software as a service over the Internet. In most cases there is no need to install and run the application on the customer's own computers, which simplifies maintenance and support.
    Ø Customization - The user of the service has limited customization, since they no longer develop the application.
    Ø Benefits - The user of the cloud maintains very little or no technical staff to run the application software. The user of the service could realize additional savings as expenses move from a Capital Expense to an Operating Expense, together with a reduction in staff.

  • 21. Platform as a Service (PaaS)
    Ø Definition – Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers. The user of the cloud writes application code that integrates with the provider's platform.
    Ø Customization – The user of the service has moderate customization — build applications within the constraints of the platform.
    Ø Benefits - The user of the service maintains the technical staff to develop and maintain the application. The user of the service could realize additional savings as expenses move from a Capital Expense to an Operating Expense, together with a reduction in staff.

  • 22. Infrastructure as a Service (IaaS)
    Ø Definition - Delivers computer infrastructure, typically a platform virtualization environment, as a service. The service is typically billed on a utility computing basis according to the amount of resources consumed.
    Ø Customization – Limited; as a subscriber of the cloud, the technology being deployed requires minimal configuration.
    Ø Benefits - The user of the service maintains the technical staff to develop and manage its platform and application software. The user of the service could realize savings as expenses move from a Capital Expense to an Operating Expense.

  • 24. Cloud Standards and Related Regulations Are Still Evolving
    Leading organizations trying to establish security standards in the cloud are:
    Ø NIST (National Institute of Standards and Technology)
    Ø CSA (Cloud Security Alliance)
    Ø ENISA (European Network and Information Security Agency)

  • 25. Audit Program and Frameworks
    Ø The National Institute of Standards and Technology (NIST) SP 800-30
    Ø ISACA Cloud Computing Audit Program
    Ø Cloud Security Alliance - Cloud Controls Matrix (attached Slide 34)
    Ø Federal Risk and Authorization Management Program (FedRAMP)

  • 26. Security and Privacy are top cloud concerns

  • 27. Cloud issues can impact you
    It is important for cloud consumers to consider and address security when migrating to the cloud.

  • 28. Public Cloud – Amazon view of Security
    • Amazon Web Services – EC2, EBS, S3, VPC etc.
    • It is the customer's responsibility to maintain the security, protection and backup of their data and applications on AWS.
    Source: http://aws.amazon.com/security/

  • 29. CSA Threats – Public Cloud
    1. Abuse and Nefarious Use of Cloud Computing. Examples: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, botnets, spam.
    2. Insecure Interfaces and APIs. Examples: anonymous access and/or reusable tokens/passwords/keys, clear-text authentication, inflexible access controls, limited monitoring and logging.
    3. Malicious Insiders. Examples: lack of privileged user management, monitoring policies, audits.
    4. Shared Technology Issues. Examples: Red and Blue Pill exploits.
    5. Data Loss or Leakage. Examples: insufficient AAA controls; inconsistent use of encryption and software keys, operational failures, disposal challenges, reliability and DR.
    6. Account or Service Hijacking. Examples: lack of internal security controls and detailed auditing/monitoring.
    7. Unknown Risk Profile. Examples: the IRS asked Amazon EC2 to perform a certification and audit; Amazon refused. Heartland data breach.
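The "Insecure Interfaces and APIs" and "Account or Service Hijacking" rows above list indicators an auditor can look for in a provider's API access logs. The script below is an added example (not part of the slide deck) that reviews constructed access-log records for four of those indicators: anonymous access, clear-text (non-HTTPS) authentication, reusable keys older than an assumed 90-day rotation policy, and calls that were not logged. The record field names are an assumption for illustration, not any provider's schema.

```python
"""Review cloud API access-log records for the weak-interface indicators
listed in the CSA public-cloud threat table (slide 29).

Added example: the records, field names and the 90-day key-age policy are
constructed for illustration and are not taken from any cloud provider.
"""
from datetime import datetime, timedelta, timezone


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp such as 2013-01-31T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample records, one per API call (assumed schema, not vendor-specific):
#   principal   - who made the call ("anonymous" = no credentials presented)
#   scheme      - transport the call arrived on
#   key_created - creation time of the long-lived key used, None if no key
#   logged      - whether the provider's audit trail captured the call
SAMPLE_RECORDS = [
    {"time": "2013-01-31T09:00:00Z", "principal": "alice", "scheme": "https",
     "action": "storage:GetObject", "key_created": "2013-01-20T00:00:00Z", "logged": True},
    {"time": "2013-01-31T09:05:00Z", "principal": "anonymous", "scheme": "https",
     "action": "storage:ListBucket", "key_created": None, "logged": True},
    {"time": "2013-01-31T09:07:00Z", "principal": "svc-batch", "scheme": "http",
     "action": "compute:RunInstances", "key_created": "2011-06-01T00:00:00Z", "logged": True},
    {"time": "2013-01-31T09:09:00Z", "principal": "bob", "scheme": "https",
     "action": "iam:CreateAccessKey", "key_created": "2012-12-01T00:00:00Z", "logged": False},
]

MAX_KEY_AGE = timedelta(days=90)          # assumed rotation policy
AS_OF = _parse("2013-01-31T12:00:00Z")    # review time used for key-age checks


def review_record(rec, now=AS_OF):
    """Return the list of findings for one record; an empty list means clean."""
    findings = []
    if rec["principal"] == "anonymous":
        findings.append("anonymous-access")
    if rec["scheme"] != "https":
        findings.append("clear-text-auth")          # credentials sent in the clear
    if rec["key_created"] and now - _parse(rec["key_created"]) > MAX_KEY_AGE:
        findings.append("stale-reusable-key")       # key never rotated
    if not rec["logged"]:
        findings.append("logging-gap")              # call invisible to monitoring
    return findings


def review_log(records, now=AS_OF):
    """Map record index -> findings, keeping only records that have findings."""
    return {i: f for i, rec in enumerate(records) if (f := review_record(rec, now))}


def count_by_finding(records, now=AS_OF):
    """Aggregate how often each indicator appears, for the audit summary."""
    counts = {}
    for findings in review_log(records, now).values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, findings in review_log(SAMPLE_RECORDS).items():
        print(f"record {idx} ({SAMPLE_RECORDS[idx]['action']}): {', '.join(findings)}")
    print("summary:", count_by_finding(SAMPLE_RECORDS))
```

Each finding maps back to a row of the CSA table: "anonymous-access" and "clear-text-auth" to row 2, "stale-reusable-key" to the reusable tokens/keys in row 2, and "logging-gap" to the limited monitoring in rows 2 and 6. Swap SAMPLE_RECORDS for the provider's exported audit trail, after mapping its field names, to run the same checks on real data.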
  • 30. Scope and control among cloud service models
    [Diagram: the stack Application, Platform Architecture, Virtualized Infrastructure, Hardware, Facility, with the split of control between Cloud Consumer and Cloud Provider shown for IaaS, PaaS and SaaS]
    Regulatory compliance is a key concern in public cloud: the cloud consumer has to ensure controls for compliance are appropriately addressed, either by the provider or by including controls for data and applications on the cloud.
    Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

  • 31. Cloud – Security Observations
    Secure cloud infrastructure environment
    • Secure setup and configurations
    • Inter-VM traffic inspection and control
    • Manage privileged users and their activities
    How to manage identity and access across physical and virtual environments
    • Identity lifecycle management
    • Authentication, authorization, audit
    Application security assurance
    • Varied trust levels require different security controls
    • Application vulnerabilities
    • Bespoke application re-factoring for cloud
    How to manage and monitor the entire cloud infrastructure
    • Configuration and patch management
    • Compliance management and reporting
    • Incident detection and response
    Policy and risk management for cloud
    • Extension of ISMS incorporating cloud security
    • Segregation of duties for cloud
    How to ensure data security
    • Different classifications of data
    • Data leakage from suspended, stored images
    • Production data in orphan test, QA images
    [Diagram: workloads labelled Test, Customer, Employee, COTS, Home-Grown and Legacy running on a hypervisor across the IaaS, PaaS and SaaS layers; the letters A–F mark where the six observation areas apply]

  • 32. A view of technical security controls (challenges A–F and their controls)
    Security Governance
    • Approval by Information Security
    • Process/policies defined and fine-tuned
    • Risk identification and mitigation
    Privileged Users & SOD
    • Identity and access management
    • Privileged user management
    Application/Data Segregation
    • Application vulnerability assessment
    • Zoning/VLAN segregation
    • Data encryption and obfuscation
    Virtualization security
    • Guest and host security
    • Inter-VM traffic inspection
    • Patch and configuration management
    Auditing & Monitoring
    • Guest/hypervisor/application log monitoring
    • VM/admin-level activity monitoring
    • Incident detection and response capability within the cloud
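"Segregation of duties for cloud" (slide 31) and "Privileged Users & SOD" (slide 32) are usually tested by checking whether any one identity holds a toxic combination of permissions through its role assignments. The script below is an added example, not from the deck: the role model, the toxic pairs and the user assignments are all constructed to illustrate the check, and would be replaced by an export from the real identity and access management system.

```python
"""Detect segregation-of-duties conflicts in cloud role assignments.

Added example for the "Privileged Users & SOD" control: the roles, permission
names, toxic pairs and user assignments are constructed for illustration and
are not any provider's IAM schema.
"""

# Constructed role -> permission model (assumption, not a vendor IAM schema).
ROLE_PERMISSIONS = {
    "developer":      {"code:commit", "build:run"},
    "release-mgr":    {"change:approve"},
    "cloud-admin":    {"iam:create-key", "iam:attach-policy", "vm:console"},
    "security-audit": {"log:read", "config:read"},
    "ops":            {"vm:console", "deploy:prod"},
    "log-admin":      {"log:delete"},
}

# Constructed toxic combinations: holding both lets one person perform an
# action and either approve it themselves or hide it afterwards.
TOXIC_PAIRS = [
    ("code:commit", "deploy:prod"),           # write code and ship it unreviewed
    ("change:approve", "deploy:prod"),        # approve and execute one's own change
    ("iam:create-key", "iam:attach-policy"),  # mint credentials and grant them rights
    ("vm:console", "log:delete"),             # act on hosts and erase the audit trail
]

# Constructed assignments to review.
USER_ROLES = {
    "alice": ["developer", "security-audit"],
    "bob":   ["developer", "ops"],
    "carol": ["cloud-admin"],
    "dave":  ["ops", "log-admin"],
    "erin":  ["release-mgr", "ops"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the identity holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Return {user: sorted list of (perm_a, perm_b)} for users holding a toxic pair."""
    result = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = sorted(pair for pair in toxic if pair[0] in perms and pair[1] in perms)
        if hits:
            result[user] = hits
    return result


def toxic_roles(role_permissions=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Roles that carry a toxic pair on their own, so no assignment of them can be clean."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(a in perms and b in perms for a, b in toxic))


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        print(f"{user}: " + "; ".join(f"{a} + {b}" for a, b in hits))
    print("roles toxic by themselves:", toxic_roles())
```

Two kinds of finding come out of this: users whose combination of roles creates a conflict (bob, dave, erin) and roles that are toxic by design (cloud-admin), which no amount of reassigning users will fix and which need the role itself split.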
  • 33. Top Ten Cloud Security Concerns
    1. Architecture of the environment (Public vs. Private, SaaS / PaaS / IaaS)
    2. Misconfiguration of the environment, where breaches are caused by errors, omissions and misconfigurations (e.g. hypervisor, OS, storage, switch).
    3. Segmentation from other customers (e.g. multi-tenant environments)
    4. Authentication and authorization (e.g. form factor, lack of granular permissions).

  • 34. Top Ten Cloud Security Concerns contd.
    5. DDoS attacks (e.g. cloud to cloud, inter/intra cloud).
    6. Data location and storage, e.g. data loss / privacy / leakage.
    7. Security monitoring, e.g. cloud perimeter and inside the cloud.
    8. Incident response (e.g. availability of resources).
    9. Auditability, certification and compliance (e.g. which standards to follow, is the CSP compliant or has it been certified, how do I check that?).
    10. Legal (e.g. regional, who has access to my data?)

  • 35. How Do You Scope A Cloud Audit?
    Ø Remember it is not prescriptive
    Ø You need to understand the environments, service delivery and deployment models
    Ø You need to understand the risks associated with the environment

  • 36. Risk Areas In A Cloud Environment
    Governance
    Ø All changes logged
    Ø Reporting on roles, separation of duties
    Ø Security monitoring of the cloud environment and possible security incidents
    Ø Patch management

  • 38. Risks
    Data Management
    Ø Data acquisition
    Ø Data usage
    Ø Data storage
    Ø Data transfer
    Ø Data disposal

  • 39. Risks
    Infrastructure Security
    Ø Vulnerability management
    Ø System security
    Ø Network security
    Ø Application security
    Ø Encryption

  • 40. Risks
    Identity and Access Management
    Ø Identity management
    Ø Access management

  • 41. Risks
    Physical Security
    Ø Highly secure physical facility, employee background checks, multi-level / tiered access controls in accordance with a least privilege policy
    Ø Access logging and monitoring - video monitoring, keycard and biometric palm readers, fixed and roving security guards (depending on data center)

  • 42. Risks
    Compliance
    Ø PCI DSS, SAS-70 Type II, FedRAMP, FISMA

  • 43. SSAE16 – SOC Decision Tree: Which Report To Use
    Ø Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial
      Yes: SOC 1 Report
    Ø Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation?
      Yes: SOC 1 Report
    Ø Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems?
      Yes: SOC 2 or 3 Report
    Ø Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests?
      Yes: SOC 2 Report
      No: SOC 3 Report
    Ø Do you need to make the report generally available or use a seal?
      Yes: SOC 3 Report

  • 44. SSAE16 SOC 2 Overview
    Five attributes of a system are known as principles and are defined as follows:
    Ø Security - The system is protected against unauthorized access (both physical and logical).
    Ø Availability - The system is available for operation and use as committed or agreed.
    Ø Processing integrity - System processing is complete, accurate, timely, and authorized.
    Ø Confidentiality - Information designated as confidential is protected as committed or agreed.
    Ø Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).

  • 45. SOC 3 Report - SysTrust for Service Organizations
    Use
    Ø Distribute the SOC 3 report to customers and publicly display a seal of approval using the SOC 3 Report: SysTrust for Service Organizations seal.
    Scope
    Ø SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy).
    For more information about the SysTrust for Service Organizations seal program go to www.webtrust.org.

  • 47. Exercise 2
    Background: HotShot Enterprise (“HSE”) is a global consumer products company, producing household products with annual revenues of approximately 80 billion USD. HSE Products is ready to expand and is looking for ways to penetrate nontraditional markets. HSE’s CEO has plans to grow the company in size, revenue, and profits in addition to expanding its horizon. However, to maintain a balanced budget HSE is looking to restructure some cost centers and reduce company expenses considerably. Plans are under way to restructure the Information Technology (IT), human resources and supply chain divisions. The three divisions currently have over 10,000 employees across the world and are estimated to incur expenses of up to 20 billion annually.

  • 48. Exercise 2 contd.
    It is apparent HSE’s competitors have moved into the cloud and are experimenting with new ways to reach consumers. For example, one of HSE’s competitors, NoShot Enterprise (“NSE”), is utilizing social media and other mobile platforms to reach consumers. NSE’s quarterly revenue increase strongly suggests that its strategy on the cloud has played a vital role. From HSE’s perspective the boundaries between consumers and businesses are being redrawn and the cloud is facilitating this move. Accordingly, HSE’s board of directors accepts the new normal — cloud computing — and focuses more on data.
    Exercise:
    1) You are asked to test the controls that ensure data is securely transmitted and maintained to prevent unauthorized access and modification.
    2) Also validate the controls ensuring that virtualized operating systems are hardened to prevent cross-contamination with other customer environments.
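For part 1 of the exercise, one concrete test on a public-cloud object store such as the Amazon S3 archive mentioned on slide 17 is to read the bucket's resource policy and confirm that (a) no statement grants access to an anonymous or public principal and (b) a Deny statement refuses clear-text connections. The script below is an added example written for this exercise, not part of the deck or of any AWS tooling; the two policies are constructed (the account ID is a placeholder) and the checker relies only on the documented IAM policy elements Statement, Effect, Principal, Action, Condition and the aws:SecureTransport condition key.

```python
"""Control test for Exercise 2, part 1: data in an S3-style bucket must be
protected from unauthorized access and must travel over TLS.

Added example: the policies are constructed for illustration (placeholder
account ID 111122223333); the checks use the standard IAM policy grammar.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _denies_insecure_transport(stmt):
    """True for a Deny that fires when the request did not use TLS."""
    cond = stmt.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:SecureTransport", "")
    return stmt.get("Effect") == "Deny" and str(flag).lower() == "false"


def assess_bucket_policy(policy_json):
    """Return a list of finding strings; an empty list means both controls hold."""
    policy = json.loads(policy_json)
    findings = []
    tls_enforced = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if _denies_insecure_transport(stmt):
            tls_enforced = True
        elif stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
            actions = ", ".join(_as_list(stmt.get("Action")))
            findings.append(f"statement {i}: Allow to public principal for {actions}")
    if not tls_enforced:
        findings.append("no Deny statement with aws:SecureTransport=false; clear-text access possible")
    return findings


# Constructed weak policy: world-readable objects and no transport restriction.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-archive/*"},
    ],
})

# Constructed hardened policy: access limited to one application role and
# every action denied unless the connection used TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/archive-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-archive/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", assess_bucket_policy(policy) or "no findings")
```

The bucket policy is only one layer; a full test of the control would also cover identity-based policies and account-level public-access settings, which this example does not read.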
  • 49. Key Properties of Virtualization

  • 50. Virtualization Hypervisor
    • A hypervisor is platform-virtualization software (or hardware support for it) that allows multiple operating systems to run concurrently on a host computer. It is also called a Virtual Machine Monitor (VMM).
    • Type 1: A type 1 hypervisor runs directly on the computer hardware and manages all operating systems running as guests above it. This is also known as running on ‘bare metal’.
    • Type 2: A type 2 hypervisor is a software application that runs on an operating system.