developing a cloud security roadmap
play

Developing a Cloud Security Roadmap March 2, 2016 Gary Seay Chris - PowerPoint PPT Presentation

Feb 16, 2024 •353 likes •641 views

Developing a Cloud Security Roadmap March 2, 2016 Gary Seay Chris Bowen Former CIO, Community Health Systems Founder, CPSO, ClearDATA Conflict of Interest Gary Seay Has no real or apparent conflicts of interest to report. Chris Bowen, MBA,

  1. Developing a Cloud Security Roadmap March 2, 2016 Gary Seay Chris Bowen Former CIO, Community Health Systems Founder, CPSO, ClearDATA

  2. Conflict of Interest Gary Seay Has no real or apparent conflicts of interest to report. Chris Bowen, MBA, CISSP, CIPP/US, CIPT Has no real or apparent conflicts of interest to report.

  3. Agenda Healthcare Data Under Attack • Trends and Sources of Healthcare Data Breaches Security Roadmap Essentials • Defense in Depth • A Closer Look • Shared Responsibility Model Threat Diligence: On or Off Premise Conclusion CB

  4. Learning Objectives • Evaluate primary causes of data breaches as it relates to current 1 health system infrastructure • List major considerations for selecting a cloud computing vendor 2 • Assess benefits of cloud platforms beyond security, including cost- 3 savings and data analytics • Recognize key layers of a “Defense in Depth” approach to 4 healthcare data security CB

  5. Our Healthcare Data is under Attack! An increase of 10 x more than in Health 2014 records breached In 2015 alone 115,000,000 Source: CSO Online CB http://www.csoonline.com/article/3026661/data-breach/over-113-million-health-records-breached-in-2015-up-10-fold-from-2014.html

  6.  Learning Objective: 1 The Role of the Healthcare Network Regional Medical Physician Home Secondary Care Center Office Hospital SMB Health VOIP Data Patient Wireless Telemedicine EMR Collaboratio Phone Exchange Consent Integrati n on Enterprise VOIP Enterprise Immersive Wireless Phone Wireless Telepresence Enterprise Telemedicine Telemedicine Enterprise Remote Wireless Wireless Radiology EMR Mobile EMR VoIP Conference Remote Integrati SMB Access phone Monitoring on Wireless Community Health Affiliate Office Military, Prison Health Center CB

  7.  Learning Objective: 1 The Role of HIT in the Patient Journey Injury Ambulance Occurs Takes Patient to Clinic Preliminary Patient Treatment at Patient Care Record Monitoring Local Clinic Collaboration Patient Transferred to Hospital Patient Monitorin Patient Patient EMR X-ray g Management Consent System Post Procedure Care Continuo Patient us Service Monitori s ng Med Home Further Telemedicine Patien Mgmt Monitoring Tests t Care CB

  8.  Learning Objective: 1 The Data Security Imperative 91% of small North American • healthcare practices have been breached. 70% aren’t confident that their • budget meets risk management, compliance, and governance requirements. Six in ten security systems aren’t • mature enough to detect or react to data breaches. CB

  9.  Learning Objective: 1 The Data Breach Epidemic • 94% of providers have suffered at least one data breach in the last two years. • Nearly 50% have experienced more than five data breaches. CB

  10.  Learning Objective: 1 Incident Patterns Verizon’s Nefarious Nine 93% of PHI Breaches Just 3 Patterns Exhibit Nine Incident Patterns Describe 85% of Incidents Lost & Stolen Assets 807 ( 45.4%) Privilege Misuse 361 ( 20.3%) Miscellaneous Errors 357 ( 20.1%) Everything Else 119 ( 6.7%) Point of Sale 68 ( 3.8%) Web Applications 33 ( 1.9%) Crimeware 25 ( 1.4%) Cyber-Espionage 6 ( 0.3 %) Card Skimmers 0 ( 0.0%) Source: Verizon 2015 Protected Health Information Data Breach Report CB

  11. Most Hackers Invest Limited Time Average Hacker Time Investment • 70 hours per attack against "typical" IT security infrastructure • 147 hours battling "excellent" IT security infrastructure • Give up completely after 209 hours. Average Return • Make Less Than $15,000 per attack • Average less that $29,000 per year Cyber Attacks “If you can delay them by two days, you can deter 60 percent of attacks.” Scott Simkin, senior threat intelligence manager at Palo Alto Networks CSO Online - Survey: Average successful hack nets less than $15,000 http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html

  12.  Learning Objective: 4 Security Roadmap Essentials DEFENSE IN DEPTH DEFENSE IN BREADTH Applied Across Each Use Case to Appropriate Level Multi-level Security User, Process, Device Physical Infrastructure Network Security Air-tight - properly configured System Security Data & Application Security APPLYING DEFENSE IN DEPTH & BREADTH REDUCE DEPLOY CREATE SECURE PEOPLE, ATTACK SURFACES CRYPTO KEYS PROCESSES & SYSTEMS JGS

  13.  Learning Objective: 4 Defense in Depth: Multi-level User Cloud Service Provider • Leverage CSP policies and procedures Multi-Level User as extensions of your own • Leverage RBAC tools • Regular security awareness training • Use CSP team for Segregation of Duties • Cyclical policies and procedure review • Convenient policies & procedures access • Background checks • On and Off boarding checklists • Minimum Necessary, Role Based Access Controls (RBAC) • Segregation of Duties • Fair and equal sanctions • Whistleblower hotline JGS

  14.  Learning Objective: 4 Defense in Depth: Device & Workstation Cloud Service Provider • Leverage Anti Virus / Malware Device & Workstation • Leverage Content Filters • Leverage password expiration & support • Screen lock (15 minutes) policies • One user, one account • Leverage remote wipe features • Anti-virus, anti-malware • Prohibit storing PHI on devices or • Appropriate use of network resources workstations leveraging controls (questionable sites, prevent drive-by downloads) • Keep credentials secure and fresh • Enable remote-wipe • Prohibit PHI storage on device or workstation JGS

  15.  Learning Objective: 4 Defense in Depth: Physical Infrastructure Cloud Service Provider • Keep your data in secure physical facility Physical Infrastructure at no extra cost to you • Use Physical access controls: gates, • Access controls guards, biometric two factor authentication, surveillance • Surveillance • CSP can be your hands on the ground - • Workstation timeouts No need to access the data center • Appropriates use of locks for sensitive areas • Limited entry points • Physical barriers JGS

  16.  Learning Objective: 4 Defense in Depth: Network Cloud Service Provider • Leverage IDS / IPS Network Security • Reduce inventory of Firewalls, VPNs, and other network assets • Formal network and acceptable use policy • Leverage SIEM for your own use. • Active network asset inventory: • Let CSP analyze logs for you. - Firewalls, VPNs, IPS/IDS, Content Security, Wireless Access Points, Identity Management • Let CSP manage your port restrictions and regular port reviews • Know your data, and its logical flows • Let CSP detect and alert you of • Lock down traffic that could touch PHI anomalous activity • Review settings regularly • Visualize network activity • Implement a SIEM • Manage logs effectively JGS

  17.  Learning Objective: 4 Defense in Depth: System Server / OS Cloud Service Provider • Leverage hardening templates of your CSP System Server / OS • Let your CSP do patching for you. • Understand server relationships to sensitive • Leverage your CSP’s tools for data backup/restore testing. • Maintain up-to-date vendor software • Let your CSP collect audit artifacts required versions/patches for compliance, and investigation • Perform penetration tests and vulnerability scans on server ecosystem • Server/OS hardened to standards • Backup/restore testing regularly performed • Logging enabled and preserved JGS

  18.  Learning Objective: 4 Defense in Depth: Data & Applications Cloud Service Provider • Leverage Web Application Firewalls from Data & Applications your CSP • Let CSP help design your Tier-based system • Understand application relationship to sensitive data • Leverage security expertise of CSP to restrict traffic in secure zones • Maintain up-to-date software versions • Let CSP help you perform penetration testing • Ensure vendor provides support and patches • Use CSP’s solution for vulnerability scanning • Perform security and privacy reviews on applications • Let CSP manage log preservation • Perform penetration tests and vulnerability scans on key applications • Enabled and preserved logs JGS

  19.  Learning Objective: 4 Defense in Breadth: Reduce Attack Surfaces Cloud Service Provider • Automated port reviews and network traffic Reduce Attack Surfaces analysis • Opinionated, purpose-built hardening General templates • Secure the Right Boundary • Vulnerability management Network Surface • 24x7 security monitoring • Close unnecessarily open ports • Automated policy enforcement • Adopt white-list models to reduce port traffic • Keep things simple - eliminate expired or unnecessary rules Software Surface • Build security into applications • Reduce the amount of running code Physical Surface • Enforcing strong authentication • Laptop encryption JGS

  20.  Learning Objective: 4 Defense in Breadth: People Cloud Service Provider • Security awareness training People • Social engineering drills • Security awareness training • Background checks • Social engineering drills • Proper onboarding and offboarding • Background checks • Sanctions • Proper onboarding and offboarding • Workstation security • Sanctions • Workstation security JGS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap

The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap

The Cloud Reality Agenda Introductions The Cloud Environment Migration Roadmap Commercial Implications Longevity Questions Dan Siewers Executive Director, Systems Engineering at Fox (TV, Film & Sports) Brinton

481 views • 16 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
The SIENA European Roadmap on Grid and Cloud Standards for e-Science and and Cloud Standards for

The SIENA European Roadmap on Grid and Cloud Standards for e-Science and and Cloud Standards for

The SIENA European Roadmap on Grid and Cloud Standards for e-Science and and Cloud Standards for e-Science and Beyond Status and plans EGI User Forum, 11 th April 2001 Vilnius, Lithuania David Wallom, Associate Director - Innovation Oxford

230 views • 8 slides
Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP

Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP

Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP Certification WG with Q&A Objectives 1. The objective of the group is to explore the possibility of developing a European Cloud Certification

144 views • 13 slides
L-CLOUD: Developing Tomorrows Cloud Education Leaders WORKSHOP FOCUS GROUP European

L-CLOUD: Developing Tomorrows Cloud Education Leaders WORKSHOP FOCUS GROUP European

L-CLOUD: Developing Tomorrows Cloud Education Leaders WORKSHOP FOCUS GROUP European Association of Career Guidance www.L-Cloud.eu Nicosia, 2 September 2019 Reference Number: 2018-1-CY01-KA201-046859 (2018- 2020) AGENDA 1. Presentation

322 views • 28 slides
BradStack Developing Cloud computing Research and Capabilities Cloud Modelling & Simulation

BradStack Developing Cloud computing Research and Capabilities Cloud Modelling & Simulation

BradStack Developing Cloud computing Research and Capabilities Cloud Modelling & Simulation Research Group(CloudMSGroup) University of Bradford. UK Dr. Mariam Kiran Bashir Mohammed Kabiru.M.Maiyama Mumtaz Kamala Al Noaman Al Shaidy

504 views • 29 slides
Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline

Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline

Amsterdam 12 th June 2019 Final Public-Private recommendation for a European Cloud Security Certification Scheme Timeline To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act

663 views • 42 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
Parent and Student Information (2018-2019) Learn. Share. Live. What is happening ? Thanks

Parent and Student Information (2018-2019) Learn. Share. Live. What is happening ? Thanks

Cape Fear Center for Inquiry Parent and Student Information (2018-2019) Learn. Share. Live. What is happening ? Thanks to all of the efforts around Great Art, the Manna Fundraiser, Grants and State Funding, CFCI has: Introduced iPads

361 views • 13 slides
District 90 Acceptable Use Policy Agreements & Resources Instructional

District 90 Acceptable Use Policy Agreements & Resources Instructional

District 90 Acceptable Use Policy Agreements & Resources Instructional Technology/Student Data Privacy Resource Guide Technology Lending Agreement Parent Tech Tips Site A Shared Responsibility for Success Students

73 views • 6 slides
BYOT THANKS TO THE TECHNOLOGY LEADERSHIP TEAM BACKCHANNEL: TODAY'S MEET to todaysmeet.

BYOT THANKS TO THE TECHNOLOGY LEADERSHIP TEAM BACKCHANNEL: TODAY'S MEET to todaysmeet.

BYOT THANKS TO THE TECHNOLOGY LEADERSHIP TEAM BACKCHANNEL: TODAY'S MEET to todaysmeet. t.com/BEMSta taffMeetin ting WHAT IS BYOT? Instructional Tool Opportunity for students to bring their own devices to school as an educational

651 views • 22 slides
Welcome to Odyssey Join the Journey for the 2016-17 School Year! Odyssey Facts Accredited by

Welcome to Odyssey Join the Journey for the 2016-17 School Year! Odyssey Facts Accredited by

Welcome to Odyssey Join the Journey for the 2016-17 School Year! Odyssey Facts Accredited by SACS CASI, a division of AdvancEd All teachers are Certified or Highly Qualified Paraprofessional in all K-5 classes Open to any

499 views • 20 slides
Access Control Dr George Danezis (g.danezis@ucl.ac.uk) Resources Key paper: Carl E.

Access Control Dr George Danezis (g.danezis@ucl.ac.uk) Resources Key paper: Carl E.

Access Control Dr George Danezis (g.danezis@ucl.ac.uk) Resources Key paper: Carl E. Landwehr: Formal Models for Computer Security. ACM Comput. Surv. 13(3): 247-278 (1981) See references to other optional papers throughout slides.

640 views • 43 slides
Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is

Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is

Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is Access Control The ability to regulate or restrict building access via a centralized electronic control system Electronic Access Control System

292 views • 4 slides
Potential Weaknesses in the Cyber Systems of High-Security Physical Protection Systems John F.

Potential Weaknesses in the Cyber Systems of High-Security Physical Protection Systems John F.

Photos placed in horizontal position with even amount of white space between photos and header Potential Weaknesses in the Cyber Systems of High-Security Physical Protection Systems John F. Clem IAEA-CN-254-298 Sandia National Laboratories is

503 views • 17 slides
Learning Objectives At the end of the this session, Participant will: Have introduction to

Learning Objectives At the end of the this session, Participant will: Have introduction to

SDiB ( Safety Design in Buildings) Access Control & Egress Planning Altaf A. Afridi, PMP, LEED AP, FDAI June 2014 altaf.afridi@dorma.com, 00971-50-5507892 Learning Objectives At the end of the this session, Participant will: Have

954 views • 46 slides

More recommend