secure by design codified controls for cloud services
play

Secure By Design: Codified Controls For Cloud Services This talk - PowerPoint PPT Presentation

Apr 25, 2023 •298 likes •540 views

Secure By Design: Codified Controls For Cloud Services This talk will introduce the idea and method used by JPMorgan Chase & Co. to get cloud services approved for use in an accelerated timeline. This idea and method are now a project at

  1. Secure By Design: Codified Controls For Cloud Services This talk will introduce the idea and method used by JPMorgan Chase & Co. to get cloud services approved for use in an accelerated timeline. This idea and method are now a project at FINOS and will use the collective efforts of members to build codified controls for cloud services so that we all can leverage secure by design cloud services. Fintech Open Source Foundation finos.org

  2. FINOS Project Financial Delivery Accelerator (FDX)– Cloud Service Certification Project Leader: Jason Nelson Confidential Fintech Open Source Foundation finos.org

  3. 
 Where Github: 
 https://github.com/finos/cloud-service- certification 
 to find it: https://github.com/ScottLogic/finos-cloud- services-certification 
 
 Google Group: 
 https://groups.google.com/a/finos.org/forum/#! forum/fdx-cloud-service-certification 
 
 Wiki: 
 https://finosfoundation.atlassian.net/wiki/ spaces/FDX/pages/904626436/ Cloud+Service+Certification+Working+Group 
 Fintech Open Source Foundation finos.org

  4. Using Cloud Services at a Bank • On-premise security controls must be adjusted for cloud security models • How to map control frameworks to cloud service implementation? • How to change a culture of NO into a culture of Yes. Fintech Open Source Foundation finos.org

  5. What is the benefit? • All financial institutions are re-inventing the wheel: Institutions have similar control frameworks, we are all trying to secure and stand up the same providers and services. • This takes significant time and resources, delaying innovation: 6 - 18 months elapsed time, every institution is fact finding with cloud providers • Results vary…: No guidance on how to implement controls, in-depth cloud service knowledge required to deliver this, we are not the cloud provider security experts Fintech Open Source Foundation finos.org

  6. We built a process to 
 solve a problem. • How do you know your process is broken? • Why do accelerators solve for the problem? • What does it look like? Fintech Open Source Foundation finos.org

  7. What artefacts make 
 an accelerator? • Define standard control questions for cloud service: Prior art here - Cloud Security Alliance Cloud Controls Matrix (CCM), EU-CERT initiative • Reference security document: Document to provide detailed guidance on implementation, answering standard process questions for compliance and security review • Implementation of service to meet controls: Write infrastructure as code to stand up service and meet control objectives (Terraformor platform agnostic code) • Test cases to prove efficacy: BDD test cases to prove efficacy of controls Fintech Open Source Foundation finos.org

  8. Define standard control questions for cloud service Example : https://github.com/finos/cloud-servicecertification/ blob/master/templates/ S3%20control%20spreadsheet.xlsx SECURITY DOMAIN CONTROL STANDARD BDD TEST SCENARIO Must ensure that end-to- Scenario: User attempts to save data without specifying encryption, should be Encryption end encryption is rejected (or enforce encryption - to confirm) 
 implemented such that Scenario: User attempts to save data specifying SSE-S3 encryption, should be Encryption of data at-rest data is encrypted at-rest rejected 
 and in-transit at all times. Scenario: User attempts to save data specifying SSE-C encryption, should be rejected 
 Scenario: User saves data to S3 bucket, validate that the cloud trail logs are updated appropriately 
 Scenario: User creates cfn for an S3 bucket and does not reference SSE-KMS encryption, SDLC should reject the cfn 
 Scenario: Validate encrypted objects being stored (store a known object to S3, pull HEAD object and check the KMS key ID or compare MD5 of plaintext vs ETag of the encrypted object (above and beyond - nice to have) Fintech Open Source Foundation finos.org

  9. Reference security document Example: https://github.com/finos/cloud-servicecertification/ blob/master/aws/dynamodb/ ServiceApprovalAccelerator-DynamoDB.docx SECURITY DOMAIN CONTROL & ARCHITECTURAL SUGGESTIONS REFERENCES To support SSL connections, Amazon Redshift creates 1. How to encrypt end to end: https:// Encryption and installs an AWS Certificate Manager (ACM) issued aws.amazon.com/blogs/big-data/encrypt-your- SSL certificate on each cluster. The set of Certificate amazon-redshift-loads-with-amazon-s3-and-aws- Encryption of data at-rest Authorities that you must trust in order to properly kms/ support SSL connections can be found at https:// 2. To make client side encryption work follow this s3.amazonaws.com/redshift-downloads/redshift-ca- pattern https://docs.aws.amazon.com/AmazonS3/ bundle.crt. latest/dev/UsingClientSideEncryption.html 3. https://docs.aws.amazon.com/acm/latest/ RedShift endpoints are available over HTTPS at a userguide/import-certificate.html selection of regions. Best practice: Set the “require_SSL” parameter to “true” in the parameter group that is associated with the cluster. For workloads that require FIPS-140-2 SSL compliance an additional step is required to set parameter “use_fips_ssl” to “true” Fintech Open Source Foundation finos.org

  10. Implementation of { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Amazon DynamoDB Template", "Metadata": { "AWS::CloudFormation::Interface": { service to meet controls "ParameterGroups": [ { "Label": { "default": "DynamoDB Table Settings" }, "Parameters": [ "pTableName", "pSSESpecification", "pHashKeyElementName", "pHashKeyElementType", "pReadCapacityUnits", "pWriteCapacityUnits" ] } ], "ParameterLabels": { "pHashKeyElementName": { "default": "Partition Key Name" }, "pHashKeyElementType": { "default": "Partition Key Type" }, "pReadCapacityUnits": { "default": "Read Capacity" }, "pWriteCapacityUnits": { "default": "Write Capacity" Fintech Open Source Foundation finos.org

  11. What is BDD? • Changes how your project management approach defines work Defines outcome in simple full sentences • the needed outcome of the work Can be tested, like code • Example Please? https://github.com/finos/ • cloud-servicecertification/blob/master/aws/ sqs/SQS%20BDD%20examples.txt Fintech Open Source Foundation finos.org

  12. BDD Example Feature: Create the SQS Cfn stacks in the correct region Test that we can create the right SQS stack correctly in US and non-US region Scenario Outline: Create the SQS Cfn stack in US and non-US regions Given that I have valid AWS credentials with privileges to use CloudFormation When I try to deploy the <regional> SQS stack in <region> Then the stack creation should <result> Examples: |regional | region | result | |US | us-east-1 | SUCCEED | |Non-US | eu-west-1 | SUCCEED | |US | eu-west-1 | FAIL | |Non-US | us-east-1 | FAIL | Fintech Open Source Foundation finos.org

  13. We built a tool to solve a problem. • Why build when you can buy? • How do you know you have a secure by design approach? • How do you integrate BDD into your SDLC? • Project participants are building tools to automate the implementation. Fintech Open Source Foundation finos.org

  14. End results • We were able to observe shorter time from use case to service approval. • Having a structured approach enables cloud services adoption at a more rapid pace. • Using code for controls allowed for reuse instead of reinvention. Fintech Open Source Foundation finos.org

  15. Participant Perspective • Deutsche Bank has been involved since early 2019 • Let’s hear how this project benefits DB and their approach to cloud. Fintech Open Source Foundation finos.org

  16. Project Status • We have active participation from several global banks, vendors, and cloud providers. • About to release first complete set of CSC artifacts. • Looking for more participants to actively engage. Fintech Open Source Foundation finos.org

  17. Q& A Fintech Open Source Foundation finos.org

  18. FINOS Project Financial Delivery Accelerator – 
 Cloud Service Certification Confidential Fintech Open Source Foundation finos.org

  19. 
 Where Github: 
 https://github.com/finos/cloud- servicecertification 
 is this 
 Google Group: 
 Group: https://groups.google.com/a/finos.org/fo project? rum/#!forum/fdx-cloud-service-certification 
 
 Wiki: 
 https://finosfoundation.atlassian.net/wiki/sp aces/FDX/pages/904626436/Cloud+Service+Cer tification+Working+Group Fintech Open Source Foundation finos.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Export Controls and Cloud Computing: Legal Risks Complying with ITAR, EAR and Sanctions Laws When

Export Controls and Cloud Computing: Legal Risks Complying with ITAR, EAR and Sanctions Laws When

Presenting a live 90-minute webinar with interactive Q&amp;A Export Controls and Cloud Computing: Legal Risks Complying with ITAR, EAR and Sanctions Laws When Using Cloud Storage and Services TUESDAY, APRIL 2, 2013 1pm Eastern | 12pm

461 views • 42 slides
Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud

Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud

Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud Services and Storage Workshop Oslo, Norway - September 10th, 2017 The Cloud David Pointcheval Introduction 2 / 17 Anything from Anywhere One

290 views • 17 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Use Case Sharing: Enterprise 2.0 Secure Cloud Mail and Content Collaboration Market Development Director / Andy Lin Secure Mail &amp; Collaboration Solution Provider 4 5 On-Premise Cloud OEM Cloud

657 views • 32 slides
AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS

AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS

AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS Controls Conceptual Design Design Considerations AdL Controls Architecture has yet to be determined Controls block diagram based on scaling

180 views • 17 slides
Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control mechanisms of say operating systems. General: p can read from x1,. . . , xm and write into Y1, . . . . Yn only if This automatically

1.06k views • 36 slides
Electronic Design and Manufacturing Services www.e-micrologix.com MicroLOGIX Embedded Controls

Electronic Design and Manufacturing Services www.e-micrologix.com MicroLOGIX Embedded Controls

Electronic Design and Manufacturing Services www.e-micrologix.com MicroLOGIX Embedded Controls (P) Ltd., www.e-micrologix.com MicroLOGIX Embedded Controls (P) Ltd., MicroLOGIX MicroLOGIX is a Full Services Electronics Company offering OEM

1.02k views • 34 slides
SECURE-ONLINE (ZEKER-ONLINE) Quality mark for online cloud services Tom Vreeburg Boardmember

SECURE-ONLINE (ZEKER-ONLINE) Quality mark for online cloud services Tom Vreeburg Boardmember

SECURE-ONLINE (ZEKER-ONLINE) Quality mark for online cloud services Tom Vreeburg Boardmember DRAFT DRAFT DRAFT Some facts Founded on 16 April, 2013 Founders: The Dutch Tax Authority Suppliers of online bookkeeping services

134 views • 9 slides
Using Office 365 Secure Score to Enhance your Microsoft Cloud Security Chris Rhoda VP for

Using Office 365 Secure Score to Enhance your Microsoft Cloud Security Chris Rhoda VP for

Using Office 365 Secure Score to Enhance your Microsoft Cloud Security Chris Rhoda VP for Information Services and CIO Thomas College 31st ANNUAL MTUG IT SUMMIT May 31, 2018 History of Microsoft Cloud use at Thomas Started in 2014

402 views • 8 slides
ATARC Cloud &amp; Data Center Summit Jay Huie Secure Cloud Portfolio Director U.S. General

ATARC Cloud &amp; Data Center Summit Jay Huie Secure Cloud Portfolio Director U.S. General

ATARC Cloud &amp; Data Center Summit Jay Huie Secure Cloud Portfolio Director U.S. General Services Administration JUNE 13, 2018 1 Traditional: Transformation People Processes Products 2 Cloud: Transformation People Products Processes

552 views • 16 slides
Database Design 340151 Big Databases &amp; Cloud Services (P. Baumann) 1 Core Database Design

Database Design 340151 Big Databases &amp; Cloud Services (P. Baumann) 1 Core Database Design

Database Design 340151 Big Databases &amp; Cloud Services (P. Baumann) 1 Core Database Design Steps Our focus in this section Conceptual design Construct a description of the information used in an enterprise Focus on

476 views • 12 slides
Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland, Marketing Director, Elastifile Agenda Why Cloud? How Cloud? Real-World Example Why Cloud? IC Design Complexity is Steadily Increasing Process

604 views • 31 slides
Supercharging Enterprise MultiClouds Empowering The Enterprise Cloud SIMPLE OPEN SECURE Run

Supercharging Enterprise MultiClouds Empowering The Enterprise Cloud SIMPLE OPEN SECURE Run

Winning As One Supercharging Enterprise MultiClouds Empowering The Enterprise Cloud SIMPLE OPEN SECURE Run applications and Be unshackled from Enable comprehensive services seamlessly in legacy technologies and and multi-dimensional

465 views • 7 slides
Architecture Principles for Data Privacy of Cloud-based Medical Device Services Dr. Andrzej J.

Architecture Principles for Data Privacy of Cloud-based Medical Device Services Dr. Andrzej J.

Architecture Principles for Data Privacy of Cloud-based Medical Device Services Dr. Andrzej J. Knafel Data Protection Laws Architecture for Selected Technical Controls of Data Privacy Conclusions Data Protection Overview of laws and controls

411 views • 22 slides
Qt and Cloud Services Sami Makkonen Qt R&amp;D Digia Content Different types of Cloud services

Qt and Cloud Services Sami Makkonen Qt R&amp;D Digia Content Different types of Cloud services

Qt and Cloud Services Sami Makkonen Qt R&amp;D Digia Content Different types of Cloud services Qt and Cloud Services Cloud API for Qt Using PaaS Services from Qt application engin.io Using BaaS from Qt application Different Type of Cloud

670 views • 19 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
Are Low-Power SoCs Feasible for Heterogenous HPC Workloads? Max Plauth and Andreas Polze

Are Low-Power SoCs Feasible for Heterogenous HPC Workloads? Max Plauth and Andreas Polze

Are Low-Power SoCs Feasible for Heterogenous HPC Workloads? Max Plauth and Andreas Polze Operating Systems and Middleware Group Hasso Plattner Institute, University of Potsdam, Germany Introduction Operating Systems and Middleware Group

1k views • 20 slides
A Hierarchical Analysis of Propositional Temporal Logic based on Intervals Ben Moszkowski

A Hierarchical Analysis of Propositional Temporal Logic based on Intervals Ben Moszkowski

A Hierarchical Analysis of Propositional Temporal Logic based on Intervals Ben Moszkowski Software Technology Research Laboratory De Montfort University Leicester Great Britain email: x@y , where x=benm and y=dmu.ac.uk

919 views • 52 slides
Redundancy-free Residual Dispatch Using Ordered Binary Decision Diagrams for Efficient Dispatch

Redundancy-free Residual Dispatch Using Ordered Binary Decision Diagrams for Efficient Dispatch

Formula-based Dispatch BDD-based Dispatch Assessment Redundancy-free Residual Dispatch Using Ordered Binary Decision Diagrams for Efficient Dispatch Andreas Sewe Christoph Bockisch Mira Mezini Seventh International Workshop on Foundations

408 views • 39 slides
Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What this talk is about? Automotive intrusion detection Automotive cyber-security architecture From the highest viewpoint J 3 Outline Quick

926 views • 63 slides
Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres

Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres

Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres 1,2 , Robert Wille 1,3 , Marcel Walter 2 , Philipp Niemann 1,2 , Daniel Groe 1,2 , Rolf Drechsler 1,2 1 DFKI GmbH (Germany), 2 University of Bremen

379 views • 18 slides
Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit

Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit

Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit at W urzburg Joint work with Sergey Pupyrev 1 /18 Metro Maps Vienna 2 /18 Metro Maps Paris 3 /18 Metro Maps Metro Lines 4

1.2k views • 119 slides
Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014

Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014

Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014 We appreciate your feedback Please click on the icon to take a 5 online survey and provide your feedback about this document UK gas industry

348 views • 15 slides
Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob

Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob

Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob Boyer, Gary Byers, Matt Kaufmann, Robert Krug November, 2010 Computer Sciences Department Centaur Technology, Inc. University of Texas 7600-C N.

576 views • 32 slides

More recommend