cloud security guidance
play

Cloud Security Guidance Tania Martin Smals Research January 2015 - PowerPoint PPT Presentation

May 29, 2023 •28 likes •688 views

Cloud Security Guidance Tania Martin Smals Research January 2015 www.smalsresearch.be Overview of the cloud Intro Model Govern IAM IT Sec Oper Sec Dropbox Choose Conclu 2/66 What about the security of the

  1. Cloud Security Guidance Tania Martin Smals Research January 2015 www.smalsresearch.be

  2. Overview of the cloud Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 2/66

  3. What about the security of the cloud? • Not 100% garanteed by the cloud services • Problematic for sensitive data  Especially in our context « social security and eHealth» Assess the security of a cloud service before using it Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 3/66

  4. During this presentation… Look through the key-points of cloud security __________ Common thread Security assessment model of cloud services + Dropbox for Business Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 4/66

  5. Agenda 1 2 Example: Security assessment model Dropbox for Business Governance Identity and access management 3 IT security How to choose Operational security a cloud service 4 Conclusion Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 5/66

  6. Security assessment model

  7. Goal of the model Help for Practical security model experts « Which cloud service can I use if I want to send there a given type X of data? » Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 7/66

  8. Goal of the model Eliminate/filter non fruitful Help for Pratical security model tracks experts « Which cloud service can I use if I want to send there a given type X of data? » Select potential candidates Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 8/66

  9. Components of the model • Governance • Identity and Access Management 4 major criteria • IT Security • Operational Security Cloud Policy of the Type of data Belgian social security 2 evaluation • Assess the security level of a cloud service forms • Assess the possibility of using a cloud service Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 9/66

  10. Components of the model • Governance • Identity and Access Management 4 major criteria • IT Security • Operational Security Cloud Policy of the Type of data Belgian social security 2 evaluation • Assess the security level of a cloud service forms • Assess the possibility of using a cloud service Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 10/66

  11. What looks like the model? Dropbox for Business Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 11/66

  12. Governance

  13. Legal implications Which laws apply to the data? REF Not OK!!! Voc: CSP (Cloud Service Provider) Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 13/66

  14. Supply chain management CSP always responsible for its contractual commitments? ! Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 14/66

  15. Audit Every 6 months Every year 10 /10 Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 15/66

  16. Meta-data extracts? Meta-data only used for ! the cloud service? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 16/66

  17. Quality of the service Plan of business continuity SLA Reversibility of the service Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 17/66

  18. Governance: to remember Reliable Regular Which laws? supply chain? audit? No misuse of Good quality meta-data? of service? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 18/66

  19. Identity and Access Management

  20. Authentication level ! Username + Password Username + Password + Token Username + Password + Certificat Username + Password + Certificat/Token + Location 10 /10 Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 20/66

  21. Authentication level « 2-factor » authentication Username + Password + Token Username + Password + Certificat Username + Password + Certificat/Token + Location 10 /10 Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 21/66

  22. User management ! 10 /10 trusted Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 22/66

  23. Access management Well defined Forbidden Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 23/66

  24. IAM: to remember 2-factor Controlled user authentication? management? Well-defined access management? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 24/66

  25. IT Security

  26. Security standards • Anti-virus, anti-malwares OS • Patch management process • Acceptance environments Physical • Network security: firewall, APT detection tools REF + • Monitoring: IDS/IPS, file integrity Virtual • Data leak detection: DLP tools • Protection of hypervisors and admin consoles • Secure data deletion: crypto wiping, demagnetization Infra • Data integrity and security in input and output Interface • API developed according to standards (e.g. OWASP) REF Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 26/66

  27. Segregation of data Private Community Off-premises/On-premises Off-premises/On-premises ! Very important point BUT often not documented Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 27/66

  28. Cryptography Confidentiality towards the CSP  encryption Strong crypto ??? Outils: REF Confidentiality Integrity  hash, digital signature  encryption ??? ??? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 28/66

  29. Key management ! At the CSP’s At the user’s + = J’ai oublié/perdu ma . Mes données sont irrécupérables !!! At the sysadmin’s or TTP’s ??? ??? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 29/66

  30. IT security: to remember Security Segregation of Cryptography standards in data? standards used? place? Data Key confidentiality management at and integrity? the sysadmin’s? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 30/66

  31. Operational Security

  32. Backup and disaster recovery Adaptable plan of backup Plan of disaster recovery No No panic!!! problem! Hey I want We have: We have: some backups • Plan A for my data! • Plan B • Plan C Some values on the RTO and RPO ≈ 1 hour 10 /10 ≈ 1 day ! ≈ 1 week Voc: RTO (Recovery Time Objective), RPO (Recovery Point Objective) Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 32/66

  33. Incident management Appropriate incident management User activity Log collection monitoring Preparation Log forensics Log retention SIEM Mitigation Response File integrity IT compliance monitoring Event Recovery Dashboards correlation REF Security training of employees REF Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 33/66

  34. Operational security: to remember Adaptable RTO and RPO plan of SIEM? < 1 day? backup? Appropriate Security incident training of management? employees? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 34/66

  35. Example: Dropbox for Business

  36. How works the model? Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 36/66

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cloud Security Guidance Tania Martin Smals Research February 2015 www.smalsresearch.be Overview

Cloud Security Guidance Tania Martin Smals Research February 2015 www.smalsresearch.be Overview

Cloud Security Guidance Tania Martin Smals Research February 2015 www.smalsresearch.be Overview of the cloud Intro Model Govern IAM IT Sec Oper Sec Dropbox Choose Conclu 2/66 What about the security of the

703 views • 66 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer

PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer

PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com www.HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e - commerce guidance

323 views • 20 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity &amp; Flexibility Security and Privacy for Cloud

529 views • 36 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste Orange Labs SEC2 ComPAS15 Workshop on Cloud Security Lille, June 30, 2015 Cloud Security Today Security = key concern in cloud adoption for the

2.73k views • 33 slides
CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns Hopkins University What is Cloud Computing ? Lets hear from the experts 2 What is Cloud Computing ? The infinite wisdom of the crowds (via

709 views • 38 slides
Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Agenda Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of Multi-Tier Cloud Security (MTCS SS584:2013) standard 2. To detail the deployment considerations and related initiatives Wong Onn Chee, Cloud

352 views • 6 slides
Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief

Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief

Securing the Cloud Identity Management and Network Security in the Cloud Mark Ryland Chief Solutions Architect AWS Public Sector team Khawaja Shams Cloud Architect Jet Propulsion Labs / NASA QCon New York 2012 Agenda Identity &amp;

594 views • 21 slides
Cloud: How Big Is Your Risk? Prasidh Srikanth Booth #450 Agenda Cloud BYOD Security Booth

Cloud: How Big Is Your Risk? Prasidh Srikanth Booth #450 Agenda Cloud BYOD Security Booth

psrikanth@bitglass.com Booth #450 Surviving the Cloud: How Big Is Your Risk? Prasidh Srikanth Booth #450 Agenda Cloud BYOD Security Booth #450 Time Travel to 2004 Virtual Private Server Dedicated Server Shared Hosting Cloud Booth

498 views • 14 slides
An Analysis of the GWV An Analysis of the GWV Security Policy Security Policy Jim Alves- -Foss

An Analysis of the GWV An Analysis of the GWV Security Policy Security Policy Jim Alves- -Foss

An Analysis of the GWV An Analysis of the GWV Security Policy Security Policy Jim Alves- -Foss and Carol Taylor Foss and Carol Taylor Jim Alves Center for Secure and Dependable Systems Center for Secure and Dependable Systems University of

455 views • 23 slides
HIGHLIGHTS ASTM Group is a global player in the design, construction and management of major

HIGHLIGHTS ASTM Group is a global player in the design, construction and management of major

ASTM GROUP A global player in the major infrastructure sector 2 ASTM GROUP PRESENTATION ASTM GROUP HIGHLIGHTS ASTM Group is a global player in the design, construction and management of major infrastructural projects . Today, the Group is the

677 views • 49 slides
HMS Group FY 2013 IFRS Results Conference call presentation April 2014 Financial results

HMS Group FY 2013 IFRS Results Conference call presentation April 2014 Financial results

HMS Group FY 2013 IFRS Results Conference call presentation April 2014 Financial results Business &amp; Outlook Appendix 2 Financial Highlights Financial highlights*, Rub mn Revenue performance 2007-2013 * 2013 2012 Change 31,460 32,358

482 views • 21 slides
Investors Presentation December 2018 Page 1 Contents Executive Summary Corporate Profile &amp;

Investors Presentation December 2018 Page 1 Contents Executive Summary Corporate Profile &amp;

IWT Terminal, Haldia Bangalore Metro Investors Presentation December 2018 Page 1 Contents Executive Summary Corporate Profile &amp; Shareholding Structure Corporate Vision &amp; Mission Corporate Structure Parent Profile Financial

696 views • 37 slides
Commission Meeting June 12, 2013 Innovation Platform Program Purpose To link the development

Commission Meeting June 12, 2013 Innovation Platform Program Purpose To link the development

Commission Meeting June 12, 2013 Innovation Platform Program Purpose To link the development and innovation capabilities and capacities of an already established Innovation Platform at an Ohio college or university or not-for-profit research

655 views • 31 slides
IT SERVICE INVESTMENT BOARD May 8, 2018 AGENDA &gt; Call to order &gt; IT Governance evaluation

IT SERVICE INVESTMENT BOARD May 8, 2018 AGENDA &gt; Call to order &gt; IT Governance evaluation

IT SERVICE INVESTMENT BOARD May 8, 2018 AGENDA &gt; Call to order &gt; IT Governance evaluation findings Discussion and input &gt; Finance Transformation update &gt; Date Governance update &gt; UW-IT and UW Major IT Project Portfolios &gt;

1.52k views • 87 slides
CAPITAL CLINICAL INTEGRATED NETWORK A RESPONSE TO CARE COORDINATION GINA PISTULKA DEPARTMENT

CAPITAL CLINICAL INTEGRATED NETWORK A RESPONSE TO CARE COORDINATION GINA PISTULKA DEPARTMENT

CAPITAL CLINICAL INTEGRATED NETWORK A RESPONSE TO CARE COORDINATION GINA PISTULKA DEPARTMENT OF HEALTHCARE FINANCE SEPTEMBER 29, 2015 CCIN - Capital Clinical Integrated Network 1 Goals &amp; Objectives Funded by the Center for Medicare and

495 views • 11 slides
16/4/2014 Presentation Outline SEMINAR ON ISO 28000 Objectives of the Seminar on ISO 28000

16/4/2014 Presentation Outline SEMINAR ON ISO 28000 Objectives of the Seminar on ISO 28000

16/4/2014 Presentation Outline SEMINAR ON ISO 28000 Objectives of the Seminar on ISO 28000 SUPPLY CHAIN SECURITY Overview of ISO 28000 Supply Chain Security MANAGEMENT SYSTEM (SCSMS) Management System (SCSMS) Other Supply Chain

398 views • 11 slides

More recommend