Recent Cloud Security Developments

By Lars Neupart, founder of Neupart – The ERP of Security

Program

• Security Guidance
  • The new Security Guidance for Critical Areas of Focus in Cloud Computing?
• GRC Stack
  • GRCstack from Cloud Security Alliance – what it is, and how you can benefit from it.
• Cloud Vendor Risk Assessments
  • How To Perform Cloud Vendor Assessments
• CCSK
  • An individual certification: Certificate of Cloud Security Knowledge

CSA Security Guidance

• CSA = Cloud Security Alliance
• Version 3 has been released
• Provides practical direction for adopting the cloud paradigm safely and securely.
• Extends with use cases
• 14 Domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.

CSA Guidance

• Section I: Cloud Architecture
• Section II: Governing in the Cloud
• Section III: Operating in the Cloud

Section I. Cloud Architecture

• Domain 1: Cloud Computing Architectural Framework

S-P-I Framework

(Diagram: the three service models stacked from SaaS at the top to IaaS at the bottom)

  SaaS – Software as a Service        You “RFP” security in
  PaaS – Platform as a Service
  IaaS – Infrastructure as a Service  You build security in

Section II. Governing in the Cloud

• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal Issues: Contracts and Electronic Discovery
• Domain 4: Compliance and Audit Management
• Domain 5: Information Management and Data Security
• Domain 6: Interoperability and Portability

Section III. Operating in the Cloud

• Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8: Data Center Operations
• Domain 9: Incident Response
• Domain 10: Application Security
• Domain 11: Encryption and Key Management
• Domain 12: Identity, Entitlement, and Access Management
• Domain 13: Virtualization
• Domain 14: Security as a Service

CSA Guidance: Risk Based

• CSA Guidance recommends a risk based approach to control selection.
• Also offers a simple model

• Visit the V.3 website at: https://cloudsecurityalliance.org/research/security-guidance/

ISO 27017

• Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002
• Draft

GRCstack from CSA

• Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data.
• The shift to compute as a service presents new challenges across the spectrum of GRC requirements.
• To instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
• A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders

• A look into the CSA Control Matrix
• https://cloudsecurityalliance.org/research/grc-stack/

Cloud Vendor Risk Assessments – how to do it

Classic Risk Assessments: Asset Hierarchy

(Diagram: an asset tree, from the business process at the top down to the data center, using the slide's example assets)

  Finance
    ERP
      Finance DB, Dynamics AOS
        SQL 01, Server 01, Server 02
          HP DL380 Serial abc0987654321, HP DL380 Serial xyz1234567890
            Data Center A

  Business Impact values are inherited downward.
  Vulnerability values are inherited upward.

Business Processes & IT Services

(Diagram: business processes on top, the IT services they depend on below)

  Business Process 1          Business Process 2
  ------------------------------------------------------------
  IT Services (on premise)    IT Services from vendor, e.g. cloud

  Business Impact Scores inherit downwards.
  Vulnerability Scores inherit upwards.
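The downward/upward inheritance drawn on the two asset-hierarchy slides above, as an added Python example (not Neupart's or SecureAware's code). It assumes scores on a 1..5 scale, max-based inheritance in both directions, and risk = business impact × vulnerability; the asset names follow the slides, while the edges, the scores and the "Payroll SaaS" vendor service are constructed.

```python
"""Risk propagation through an asset hierarchy (added illustration, not
Neupart's or SecureAware's code).  Assumed model:
  * business-impact (BI) scores 1..5 sit on business processes and are
    inherited DOWNWARD: an asset takes the highest BI of anything that
    depends on it, unless its own score is higher;
  * vulnerability scores 1..5 sit on technical assets (or, for a vendor
    service whose infrastructure you cannot inspect, come from the vendor
    assessment) and are inherited UPWARD: an asset takes the highest
    vulnerability of anything it depends on, unless its own is higher;
  * risk = effective BI x effective vulnerability."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    name: str
    kind: str                       # e.g. "process", "service", "server"
    bi: int = 0                     # own business-impact score, 0 = not assessed
    vuln: int = 0                   # own vulnerability score, 0 = not assessed
    depends_on: List[str] = field(default_factory=list)  # downward edges


class AssetHierarchy:
    def __init__(self, assets: List[Asset]) -> None:
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        self.parents: Dict[str, List[str]] = {n: [] for n in self.assets}
        for a in assets:
            for child in a.depends_on:
                if child not in self.assets:
                    raise KeyError(f"{a.name} depends on unknown asset {child}")
                self.parents[child].append(a.name)
        self._check_acyclic()

    def _check_acyclic(self) -> None:
        """Inheritance is recursive, so a dependency cycle must be rejected."""
        state: Dict[str, int] = {}  # 1 = on the current path, 2 = finished

        def visit(name: str) -> None:
            if state.get(name) == 1:
                raise ValueError(f"dependency cycle through {name}")
            if state.get(name) != 2:
                state[name] = 1
                for child in self.assets[name].depends_on:
                    visit(child)
                state[name] = 2

        for name in self.assets:
            visit(name)

    def effective_bi(self, name: str) -> int:
        """Own BI, or the highest BI inherited downward from dependants."""
        inherited = max((self.effective_bi(p) for p in self.parents[name]), default=0)
        return max(self.assets[name].bi, inherited)

    def effective_vuln(self, name: str) -> int:
        """Own vulnerability, or the highest inherited upward from dependencies."""
        children = self.assets[name].depends_on
        inherited = max((self.effective_vuln(c) for c in children), default=0)
        return max(self.assets[name].vuln, inherited)

    def risk(self, name: str) -> int:
        return self.effective_bi(name) * self.effective_vuln(name)

    def vuln_driver(self, name: str) -> List[str]:
        """Path from `name` down to the asset whose own score sets its vulnerability."""
        path = [name]
        while self.assets[path[-1]].vuln < self.effective_vuln(path[-1]):
            target = self.effective_vuln(path[-1])
            path.append(next(c for c in self.assets[path[-1]].depends_on
                             if self.effective_vuln(c) == target))
        return path


def build_example() -> AssetHierarchy:
    """Constructed hierarchy following the slides' layering; scores are made up."""
    return AssetHierarchy([
        Asset("Finance", "process", bi=5, depends_on=["ERP", "Payroll SaaS"]),
        Asset("Business Process 2", "process", bi=3, depends_on=["ERP"]),
        Asset("ERP", "service", depends_on=["Finance DB", "Dynamics AOS"]),
        # Vendor-run service: no visible infrastructure, so its score comes from
        # the vendor assessment (e.g. the provider's CAIQ or STAR submission).
        Asset("Payroll SaaS", "vendor service", vuln=4),
        Asset("Finance DB", "database", depends_on=["SQL 01"]),
        Asset("Dynamics AOS", "application", depends_on=["Server 01", "Server 02"]),
        Asset("SQL 01", "server", vuln=2, depends_on=["HP DL380 abc0987654321"]),
        Asset("Server 01", "server", vuln=3, depends_on=["HP DL380 xyz1234567890"]),
        Asset("Server 02", "server", vuln=1, depends_on=["HP DL380 xyz1234567890"]),
        Asset("HP DL380 abc0987654321", "hardware", vuln=1, depends_on=["Data Center A"]),
        Asset("HP DL380 xyz1234567890", "hardware", vuln=1, depends_on=["Data Center A"]),
        Asset("Data Center A", "location", vuln=2),
    ])


if __name__ == "__main__":
    h = build_example()
    for name, a in h.assets.items():
        print(f"{name:24} {a.kind:15} BI={h.effective_bi(name)} "
              f"vuln={h.effective_vuln(name)} risk={h.risk(name):2}  "
              f"driver: {' -> '.join(h.vuln_driver(name))}")
```

The `vuln_driver` path shows which asset actually sets a process's risk: here the vendor service drives "Finance", while "Business Process 2" is driven by a patch level on Server 01.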

The good news:

• You can use well known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
• …… with a few notable differences

Difference #1: CAI

• Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
• Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency.
• Part of GRC Stack

Link

• https://cloudsecurityalliance.org/research/cai/

Difference #2: STAR

• CSA Security, Trust & Assurance Registry (STAR)
• Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
• Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices, the CAIQ or the CCM.

STAR Links

• Visit the CSA STAR website at: https://cloudsecurityalliance.org/star/
• CSA STAR FAQ: https://cloudsecurityalliance.org/star/faq/
• Ask STAR related questions at our CSA STAR Support Forum: http://www.linkedin.com/groups?home=&gid=4066598
• Watch the STAR briefing online: https://cloudsecurityalliance.org/education/online-learning/star-registry-briefing

ISO 27005 = Threat Based Risk Mngt

Example Threat Catalogue

(Screen from SecureAware Risk TNG)

Not all assets burn

• Recommendation: The threats you'll be assessing should depend on type of asset.
• Using Cloud Service providers gives you other threats than using own IT operations

Business Impact Assessments

(Screen from SecureAware Risk TNG)

Vulnerability Assessments

(Screen from SecureAware Risk TNG)

Shortcut: Probability Assessment

In the cloud or on the ground:

• SecureAware assesses risks to your business, from own IT or from vendors – also in the cloud
• SecureAware is delivered as on-premise software or SaaS

What is the CCSK?

CCSK – the Certificate of Cloud Security Knowledge
• Industry's first user certification program for secure cloud computing
• Based on CSA's body of knowledge
• Complementary to popular IT Security & Audit user accreditations and user certifications
• Suitable for a wide variety of professions that must be concerned with cloud computing
• Self study or classroom instruction
• Online, web-based examination
• www.cloudsecurityalliance.org/certifyme

Show your knowledge of the next generation of information technology!

Copyright © 2012 Cloud Security Alliance   www.cloudsecurityalliance.org

What is the CCSK Body of Knowledge?

Based upon two industry leading whitepapers
• Security Guidance for Critical Areas of Focus in Cloud Computing
  • Current test based upon Version 2.1 of Guidance
  • http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
  • 70% of test questions based upon this document
• ENISA's report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.
  • http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  • 20% of test questions based upon this document
• Final 10% of Test Questions are applied knowledge based upon both documents above
• Preparation guide available
  • https://cloudsecurityalliance.org/CCSK-prep.pdf

Taking the CCSK Examination

CCSK – On Demand, 24 hours a day
• Online web-based examination, no appointment necessary
• 50 questions in the examination
• 60 minutes to complete the examination
• 80% correct answers required to successfully complete the test
• Two chances with a test token
• Test available at https://ccsk.cloudsecurityalliance.org/
• FAQ at https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/

Preparing for the CCSK

CCSK Self Study
• Review body of knowledge after consulting preparation guide
  • https://cloudsecurityalliance.org/CCSK-prep.pdf
• Study with a colleague
• Form study groups in a CSA chapter
  • https://cloudsecurityalliance.org/chapters/

CCSK Classroom Instruction
• Classes offered worldwide through training partners
• CCSK Basic 1 Day course covers everything needed to pass CCSK
• CCSK Plus includes Basic plus additional 1 Day lab exercises
• Find training partners and training schedule here: https://cloudsecurityalliance.org/education/training/

CCSK – Set yourself apart

Become an early adopter of the future of IT Security
• For cloud service providers, information security experts, IT professionals, IT audit & governance – everyone!
• Enhance your expertise with proven knowledge from the broadest best practices developed in the industry
• Differentiate your resume from the crowd
• www.cloudsecurityalliance.org/certifyme

ISACA Member offer

Learn about cloud security & prepare for your Certificate of Cloud Security Knowledge

Neupart is CSA training partner using CSA certified CCSK-instructors.

Oslo May 31
Copenhagen June 20

ISACA Member Discount kr. 500,-
Sign up before May 15 and May 31 respectively.
Use code ISACA-Conf-Cph in comment field in sign up form at www.neupart.com

Meet Neupart Today

PLEASE GO TO THE NEUPART SPONSOR TABLE TO PICK UP YOUR CCSK TRAINING DISCOUNT CODE OR SEE A SECUREAWARE DEMO

About Neupart:
• ISO 27001 certified company.
• IT GRC all-in-one solution enables organizations to manage their IT risks and to comply with IT security requirements – Also in the Cloud!
• “The ERP of Security”
• Get SecureAware demo or free trial: www.neupart.com


Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud Resources
 
TrendMicro
TrendMicroTrendMicro
TrendMicro
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecurity
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and Secure
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
 
AIIM Cloud Webinar - EMC Corporation
AIIM Cloud Webinar - EMC CorporationAIIM Cloud Webinar - EMC Corporation
AIIM Cloud Webinar - EMC Corporation
 

Destaque

Democracy is mobocracy in india
Democracy is mobocracy in indiaDemocracy is mobocracy in india
Democracy is mobocracy in indiaShivam Singh
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environmentShivam Singh
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 

Destaque (6)

I pv6 mechanism
I pv6 mechanismI pv6 mechanism
I pv6 mechanism
 
Democracy is mobocracy in india
Democracy is mobocracy in indiaDemocracy is mobocracy in india
Democracy is mobocracy in india
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environment
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 

Semelhante a Neupart Isaca April 2012

Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 
Resarch paper i cloud computing
Resarch paper   i cloud computingResarch paper   i cloud computing
Resarch paper i cloud computingBharat Gupta
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in CloudLenin Aboagye
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementNishant Kaushik
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...cVidya Networks
 
Oded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud SecurityOded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud SecurityCSAIsrael
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaWise Pacific Venture
 
Extending Your Infrastructure & Data to the Cloud
Extending Your Infrastructure & Data to the CloudExtending Your Infrastructure & Data to the Cloud
Extending Your Infrastructure & Data to the CloudMargaret Dawson
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy ArchitectureBob Rhubart
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloudBecloud
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryPhil Agcaoili
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 

Semelhante a Neupart Isaca April 2012 (20)

Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simple
 
Resarch paper i cloud computing
Resarch paper   i cloud computingResarch paper   i cloud computing
Resarch paper i cloud computing
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in Cloud
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity Management
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
 
Oded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud SecurityOded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud Security
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Security
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, Indonesia
 
Rp059 Icect2012 E694
Rp059 Icect2012 E694Rp059 Icect2012 E694
Rp059 Icect2012 E694
 
Smart cloud - single to multi cloud
Smart cloud - single to multi cloud Smart cloud - single to multi cloud
Smart cloud - single to multi cloud
 
Cloud Security Alliance - Guidance
Cloud Security Alliance - GuidanceCloud Security Alliance - Guidance
Cloud Security Alliance - Guidance
 
Extending Your Infrastructure & Data to the Cloud
Extending Your Infrastructure & Data to the CloudExtending Your Infrastructure & Data to the Cloud
Extending Your Infrastructure & Data to the Cloud
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy Architecture
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloud
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 February
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 

Mais de Lars Neupart

Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsLars Neupart
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementLars Neupart
 
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22Lars Neupart
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?Lars Neupart
 
Til ledelsen it-sikkerhed for forretningen
Til ledelsen   it-sikkerhed for forretningen Til ledelsen   it-sikkerhed for forretningen
Til ledelsen it-sikkerhed for forretningen Lars Neupart
 
Dansk It Neupart Cloud Sikkerhed Risikovurdering
Dansk It Neupart Cloud Sikkerhed RisikovurderingDansk It Neupart Cloud Sikkerhed Risikovurdering
Dansk It Neupart Cloud Sikkerhed RisikovurderingLars Neupart
 
Muligheder for sikker cloud computing
Muligheder for sikker cloud computingMuligheder for sikker cloud computing
Muligheder for sikker cloud computingLars Neupart
 
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?Tror du stadig du kan sige nej tak til Web 2.0 og skyen?
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?Lars Neupart
 

Mais de Lars Neupart (8)

Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessments
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk Management
 
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22
Neupart indlæg om den ny iso 27001 hos dansk it i århus 2013 05-22
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
 
Til ledelsen it-sikkerhed for forretningen
Til ledelsen   it-sikkerhed for forretningen Til ledelsen   it-sikkerhed for forretningen
Til ledelsen it-sikkerhed for forretningen
 
Dansk It Neupart Cloud Sikkerhed Risikovurdering
Dansk It Neupart Cloud Sikkerhed RisikovurderingDansk It Neupart Cloud Sikkerhed Risikovurdering
Dansk It Neupart Cloud Sikkerhed Risikovurdering
 
Muligheder for sikker cloud computing
Muligheder for sikker cloud computingMuligheder for sikker cloud computing
Muligheder for sikker cloud computing
 
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?Tror du stadig du kan sige nej tak til Web 2.0 og skyen?
Tror du stadig du kan sige nej tak til Web 2.0 og skyen?
 

Neupart Isaca April 2012

  • 1. Recent Cloud Security Developments. By Lars Neupart, founder of Neupart – The ERP of Security
  • 2. Program
  - Security Guidance: the new Security Guidance for Critical Areas of Focus in Cloud Computing
  - GRC Stack: the GRC stack from Cloud Security Alliance - what it is, and how you can benefit from it
  - Cloud Vendor Risk Assessments: how to perform cloud vendor assessments
  - CCSK: an individual certification, the Certificate of Cloud Security Knowledge
  • 3. CSA Security Guidance
  - CSA = Cloud Security Alliance
  - Version 3 has been released
  - Provides practical direction for adopting the cloud paradigm safely and securely
  - Extends with use cases
  - 14 domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment
  • 4. CSA Guidance
  - Section I: Cloud Architecture
  - Section II: Governing in the Cloud
  - Section III: Operating in the Cloud
  • 5. Section I. Cloud Architecture
  - Domain 1: Cloud Computing Architectural Framework
  • 6.
  • 7. S-P-I Framework
  - SaaS (Software as a Service): you "RFP" security in
  - PaaS (Platform as a Service)
  - IaaS (Infrastructure as a Service): you build security in
  • 8. Section II. Governing in the Cloud
  - Domain 2: Governance and Enterprise Risk Management
  - Domain 3: Legal Issues: Contracts and Electronic Discovery
  - Domain 4: Compliance and Audit Management
  - Domain 5: Information Management and Data Security
  - Domain 6: Interoperability and Portability
  • 9. Section III. Operating in the Cloud
  - Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
  - Domain 8: Data Center Operations
  - Domain 9: Incident Response
  - Domain 10: Application Security
  - Domain 11: Encryption and Key Management
  - Domain 12: Identity, Entitlement, and Access Management
  - Domain 13: Virtualization
  - Domain 14: Security as a Service
  • 10. CSA Guidance: Risk Based
  - CSA Guidance recommends a risk-based approach to control selection
  - Also offers a simple model
  • 11. Visit the V.3 website at: https://cloudsecurityalliance.org/research/security-guidance/
  • 12. ISO 27017
  - Guidelines on information security controls for the use of cloud computing services, based on ISO/IEC 27002
  - Draft
  • 13. GRC stack from CSA
  - Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data
  - The shift to compute as a service presents new challenges across the spectrum of GRC requirements
  - Instruments and assesses both private and public clouds against industry-established best practices, standards and critical compliance requirements
  - A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders
  • 14. A look into the CSA Control Matrix: https://cloudsecurityalliance.org/research/grc-stack/
  • 15. Cloud Vendor Risk Assessments – how to do it
  • 16. Classic Risk Assessments
  Asset hierarchy, top to bottom: Finance; ERP; Finance DB and Dynamics AOS; SQL 01; Server 01 and Server 02 (HP DL380, serial abc0987654321; HP DL380, serial xyz1234567890); Data Center A.
  Business impact values are inherited downward; vulnerability values are inherited upward.
  • 17. Business Processes & IT Services
  - Business Process 1, Business Process 2: business impact scores inherit downwards
  - IT Services (on premise), IT Services from vendor, e.g. cloud: vulnerability scores inherit upwards
  • 18. The good news:
  - You can use well-known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
  - ... with a few notable differences
  • 19. Difference #1: CAI
  - The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments
  - Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency
  - Part of the GRC Stack
  • 20. Link: https://cloudsecurityalliance.org/research/cai/
  • 21. Difference #2: STAR
  - CSA Security, Trust & Assurance Registry (STAR)
  - Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings
  - Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices, the CAIQ or the CCM
  • 22. STAR Links
  - Visit the CSA STAR website at: https://cloudsecurityalliance.org/star/
  - CSA STAR FAQ: https://cloudsecurityalliance.org/star/faq/
  - Ask STAR-related questions at our CSA STAR Support Forum: http://www.linkedin.com/groups?home=&gid=4066598
  - Watch the STAR briefing online: https://cloudsecurityalliance.org/education/online-learning/star-registry-briefing
  • 23. ISO 27005 = threat-based risk management
  • 24. Example Threat Catalogue (screen from SecureAware Risk TNG)
  • 25. Not all assets burn
  - Recommendation: the threats you'll be assessing should depend on the type of asset
  - Using cloud service providers exposes you to other threats than running your own IT operations
  • 26. Business Impact Assessments (screen from SecureAware Risk TNG)
  • 27. Vulnerability Assessments (screen from SecureAware Risk TNG)
  • 28. Shortcut: Probability Assessment
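The two inheritance rules of slides 16-17 (business impact flows down the asset hierarchy, vulnerability flows up) and the per-asset-type threat selection of slides 23-28 (ISO 27005 threat-based assessment, "not all assets burn"), as an added Python example. This is not SecureAware or Neupart code; the scoring formula (impact × vulnerability × threat probability), the threat catalogue and the "Payroll SaaS" cloud asset are constructed assumptions for illustration.

```python
"""Illustrative asset-hierarchy risk model (added example, not SecureAware code).

Rules mirrored from the slides:
  * business impact is inherited DOWNWARD: a server that supports the Finance
    process carries Finance's impact score;
  * vulnerability is inherited UPWARD: a process is as vulnerable as its most
    vulnerable supporting asset;
  * threats are selected per asset type, so a cloud vendor is assessed against
    different threats than an on-premise server (it cannot "burn").
Scoring as impact * vulnerability * probability is an assumption for this example.
"""
from dataclasses import dataclass, field

# Constructed threat catalogue: threat -> (probability 1..5, asset kinds it applies to)
THREAT_CATALOGUE = {
    "fire":                          (1, {"datacenter", "server"}),
    "hardware failure":              (3, {"server"}),
    "vendor insolvency":             (2, {"cloud_service"}),
    "loss of data location control": (3, {"cloud_service"}),
    "unauthorised access":           (3, {"server", "cloud_service", "application"}),
}


@dataclass
class Asset:
    name: str
    kind: str                 # process | application | server | cloud_service | datacenter
    impact: int = 0           # business impact 1..5, normally set on top-level assets
    vulnerability: int = 0    # vulnerability 1..5, normally set on leaf assets
    children: list = field(default_factory=list)


def effective_impact(asset: Asset, inherited: int = 0) -> int:
    """Business impact inherits downward: the max of own and ancestor values."""
    return max(asset.impact, inherited)


def effective_vulnerability(asset: Asset) -> int:
    """Vulnerability inherits upward: the max of own and any descendant's value."""
    return max([asset.vulnerability] + [effective_vulnerability(c) for c in asset.children])


def applicable_threats(asset: Asset) -> dict:
    """Only threats whose catalogue entry lists this asset's kind are assessed."""
    return {t: p for t, (p, kinds) in THREAT_CATALOGUE.items() if asset.kind in kinds}


def assess(asset: Asset, inherited_impact: int = 0) -> dict:
    """Return {asset name: {threat: risk score}} for the whole hierarchy."""
    impact = effective_impact(asset, inherited_impact)
    vuln = effective_vulnerability(asset)
    result = {asset.name: {t: impact * vuln * p for t, p in applicable_threats(asset).items()}}
    for child in asset.children:
        result.update(assess(child, impact))   # pass the inherited impact downward
    return result


def build_example() -> Asset:
    """Constructed hierarchy loosely following slide 16, plus one cloud vendor."""
    sql = Asset("SQL 01", "server", vulnerability=2)
    finance_db = Asset("Finance DB", "application", children=[sql])
    # Hypothetical vendor-delivered service sitting under the same ERP (assumption)
    payroll = Asset("Payroll SaaS", "cloud_service", vulnerability=4)
    erp = Asset("ERP", "application", children=[finance_db, payroll])
    return Asset("Finance", "process", impact=5, children=[erp])


if __name__ == "__main__":
    for name, risks in assess(build_example()).items():
        print(name, risks)
```

Note how the cloud vendor's high vulnerability score propagates up to the ERP and Finance levels, while "fire" never appears for it.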
  • 29. In the cloud or on the ground:
  - SecureAware assesses risks to your business, from your own IT or from vendors – also in the cloud
  - SecureAware is delivered as on-premise software or SaaS
  • 30.
  • 31. What is the CCSK?
  CCSK – the Certificate of Cloud Security Knowledge
  - Industry's first user certification program for secure cloud computing
  - Based on CSA's body of knowledge
  - Complementary to popular IT Security & Audit user accreditations and user certifications
  - Suitable for a wide variety of professions that must be concerned with cloud computing
  - Self study or classroom instruction
  - Online, web-based examination
  - www.cloudsecurityalliance.org/certifyme
  Show your knowledge of the next generation of information technology!
  Copyright © 2012 Cloud Security Alliance www.cloudsecurityalliance.org
  • 32. What is the CCSK Body of Knowledge?
  Based upon two industry-leading whitepapers:
  - Security Guidance for Critical Areas of Focus in Cloud Computing
    - Current test based upon Version 2.1 of the Guidance
    - http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
    - 70% of test questions based upon this document
  - ENISA's report "Cloud Computing: Benefits, Risks and Recommendations for Information Security"
    - http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
    - 20% of test questions based upon this document
  - Final 10% of test questions are applied knowledge based upon both documents above
  - Preparation guide available: https://cloudsecurityalliance.org/CCSK-prep.pdf
  • 33. Taking the CCSK Examination
  CCSK – on demand, 24 hours a day
  - Online web-based examination, no appointment necessary
  - 50 questions in the examination
  - 60 minutes to complete the examination
  - 80% correct answers required to successfully complete the test
  - Two chances with a test token
  - Test available at https://ccsk.cloudsecurityalliance.org/
  - FAQ at https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/
  • 34. Preparing for the CCSK
  CCSK Self Study
  - Review the body of knowledge after consulting the preparation guide: https://cloudsecurityalliance.org/CCSK-prep.pdf
  - Study with a colleague
  - Form study groups in a CSA chapter: https://cloudsecurityalliance.org/chapters/
  CCSK Classroom Instruction
  - Classes offered worldwide through training partners
  - CCSK Basic 1-day course covers everything needed to pass the CCSK
  - CCSK Plus includes Basic plus an additional 1-day lab exercise
  - Find training partners and the training schedule here: https://cloudsecurityalliance.org/education/training/
  • 35. CCSK – Set yourself apart
  Become an early adopter of the future of IT security
  - For cloud service providers, information security experts, IT professionals, IT audit & governance – everyone!
  - Enhance your expertise with proven knowledge from the broadest best practices developed in the industry
  - Differentiate your resume from the crowd
  - www.cloudsecurityalliance.org/certifyme
  • 36. ISACA Member Offer
  Learn about cloud security & prepare for your Certificate of Cloud Security Knowledge.
  Neupart is a CSA training partner using CSA-certified CCSK instructors.
  Oslo May 31; Copenhagen June 20.
  ISACA member discount kr. 500,-
  Sign up before May 15 and May 31 respectively. Use code ISACA-Conf-Cph in the comment field of the sign-up form at www.neupart.com
  • 37. Meet Neupart Today
  PLEASE GO TO THE NEUPART SPONSOR TABLE TO PICK UP YOUR CCSK TRAINING DISCOUNT CODE OR SEE A SECUREAWARE DEMO
  About Neupart:
  - ISO 27001 certified company
  - IT GRC all-in-one solution enables organizations to manage their IT risks and to comply with IT security requirements - also in the cloud!
  - "The ERP of Security"
  - Get a SecureAware demo or free trial: www.neupart.com