CLOUD SECURITY
Since the COVID-19 lockdown has imposed work from home, businesses have
been pushed to hasten their adoption of the Cloud and its services.
Here are NIST’s guides for Cloud adoption.
NIST SP 500-291: Cloud Computing Standards Roadmap
NIST SP 500-292: NIST Cloud Computing Reference Architecture
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume I, High-Priority Requirements to Further USG Agency Cloud Computing Adoption
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume II, Useful Information for Cloud Adopters (Draft)
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145: The NIST Definition of Cloud Computing
NIST SP 800-146: Cloud Computing Synopsis and Recommendations (Draft)
On one hand, the convenience and low cost of cloud computing services
have changed our daily lives. On the other hand, the security issues associated with
cloud computing expose us to the cybercrimes that happen every day.
Security is one of the most significant barriers to migrating to the cloud,
followed by issues regarding compliance, privacy and legal matters.
Hackers can apply several techniques to gain access to our cloud without
any legal authorization, and they can disrupt various services to achieve
their objectives. They could even modify the cloud settings so that an
illegal activity is treated as normal activity, and thus gain unauthorized access to
data stored in the cloud.
Before migrating to the cloud, the sensitivity of the stored information needs
to be weighed against the security and privacy risks incurred.
For example, the benefits of a cloud-based solution would depend on the
cloud model, the type of cloud service considered, the type of data involved,
the system’s criticality/impact level, the cost savings, the service type,
and any associated regulatory requirements.
Importance of Cloud Security
Security Threats
• Browser Security
• Insecure Interfaces and Application Programming Interfaces (APIs)
• Cloud Malware Injection Attack
• Flooding Attacks
• Data Protection
• Incomplete Data Deletion
• Lock-in
Some Common Threats in Cloud
With cloud migration, we lose control over physical security. Thus, to understand how to
protect our data, we must understand the types of attacks that could occur in our cloud.
Network Threats
• Denial of Service (DoS)
• Network Sniffing
• Man in the Middle Attack
• Port Scanning
• Structured Query Language (SQL) Injection Attack
• Cross Site Scripting (XSS)
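The SQL Injection entry in the list above names the threat without showing the defect behind it. The following is an added example, not part of the original slides, written in Python against the standard library's sqlite3 module with a constructed in-memory user table: a lookup that builds its query by string concatenation, beside the parameterized form that the defence relies on. The table rows and the two inputs are constructed for the demonstration; the point is that with parameter binding the driver passes the input as a value, so it can never change the statement's structure.

```python
"""Added example (not from the slides): the string-built query behind the
'SQL Injection Attack' threat, beside the parameterized query that removes it.
All data below is constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a cloud app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation: the input is spliced into the SQL text,
    so any quote character in it becomes part of the statement's syntax."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Binds the input as a parameter: the driver hands it to the engine as a
    literal value, and the WHERE clause keeps its intended shape."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Runs both lookups on a normal username and on a constructed input that
    contains a quote, so the difference in behaviour is visible side by side."""
    conn = make_db()
    benign = "alice"
    # Constructed input: the embedded quote turns the concatenated query's
    # single equality test into a condition that is true for every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized lookup returns the same single row for the normal username and an empty result for the quoted input, because no user is literally named that; the concatenated version returns every row. Code review or a static check that flags string concatenation into SQL text catches the defect before an attacker does.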
NIST SP 500-299
Our objective is to study Cloud Security; thus, we will be focusing on the
NIST Cloud Computing Security Reference Architecture.
The NIST Cloud Computing Security Reference Architecture model is
derived from the following models:
01 NIST SP 500-292: NIST Cloud Computing Reference Architecture
02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
01 NIST SP 500-292: NIST Cloud Computing Reference Architecture
The NIST Cloud Computing Security Reference Architecture is mainly derived from this model, as it
provides an overall template description of the Cloud architecture.
This model is a generic high-level conceptual model that is a powerful tool for discussing the
requirements, structures, and operations of cloud computing.
This model is vendor-neutral: it is not tied to any specific vendor products, services, or reference
implementation, nor does it define prescriptive solutions that restrict innovation.
It provides a blueprint to guide developers in the design of (cloud) services and applications, and
defines a set of actors, activities, and functions that can be used in the process of developing
cloud computing architectures.
CONCEPTUAL REFERENCE MODEL
ACTORS AND THEIR FUNCTIONS
Cloud Consumer: acquires/maintains a business relationship with, and uses services from, Cloud Providers.
Cloud Provider: the purveyor of services to Cloud Consumers.
Cloud Auditor: conducts independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker: intermediary between Cloud Consumer and Cloud Provider; brokers hide the complexity of services or create new services.
Cloud Carrier: provides connectivity and transport of data and services between Cloud Consumers and Cloud Providers.
SERVICE MODELS
Software as a Service (SaaS)
Software as a Service provides consumers with a complete product that is run and
managed by the service provider. In most cases, people referring to Software as a
Service are referring to end-user applications. With a SaaS offering, consumers do not
have to think about how the service is maintained or how the underlying infrastructure is
managed; they only need to think about how they will use that particular piece of
software. A common example of a SaaS application is web-based email, where you can
send and receive email without having to manage feature additions to the email product
or maintain the servers and operating systems that the email program is running on.
Platform as a Service (PaaS)
Platforms as a service remove the need for consumers to manage the underlying
infrastructure and allow them to focus on the deployment and management of their
applications. This helps consumers be more efficient, as they don’t need to worry about
resource procurement, capacity planning, software maintenance, patching, or any of the
other undifferentiated heavy lifting involved in running an application.
PaaS consumers employ the tools and execution resources provided by cloud providers
to develop, test, deploy, and manage the operation of PaaS applications hosted in a
cloud environment.
SERVICE MODELS (cont’d)
Infrastructure as a Service (IaaS)
Infrastructure as a Service contains the basic building blocks for cloud IT and typically
provides consumers access to networking features, computers (virtual or on dedicated
hardware), and data storage space. It also provides consumers with the highest level of
flexibility and management control over their IT resources and is most like the existing IT
resources that many IT departments and developers are familiar with today.
CLOUD CONSUMER AND CLOUD PROVIDER
Service models: consumer activities and provider activities
IaaS
  Consumer activities: Creates/installs, manages, and monitors services for IT infrastructure operations.
  Provider activities: Provisions and manages the physical processing, storage, networking, and the hosting environment and cloud infrastructure for IaaS consumers.
PaaS
  Consumer activities: Develops, tests, deploys, and manages applications hosted in a cloud system.
  Provider activities: Provisions and manages cloud infrastructure and middleware for the platform consumers; provides development, deployment, and administration tools to platform consumers.
SaaS
  Consumer activities: Uses the application/service for business process operations.
  Provider activities: Installs, manages, maintains, and supports the software application on a cloud infrastructure.
SERVICES AVAILABLE TO A CLOUD CONSUMER
CLOUD COMPUTING STANDARDS FOR SECURITY
As most Cloud consumers and providers wish to accelerate the adoption of cloud computing and to
advance the deployment of cloud services, solutions that cope with cloud security threats need to be addressed.
Many of the threats that cloud providers and consumers face can be dealt with through traditional security
processes and mechanisms such as security policies, cryptography, identity management, intrusion
detection/prevention systems, and supply chain vulnerability analysis. However, risk management activities
must also be undertaken to determine how to mitigate the threats specific to different cloud models and to
analyze existing standards for gaps that need to be addressed.
Securing the information systems and ensuring the confidentiality, integrity, and availability of the
information being processed, stored, and transmitted are particularly relevant, as these are the high-priority
concerns and present a higher risk of being compromised in a cloud computing system.
Having understood the basic Cloud Architecture and its Service Models, we now focus on the required
Cloud Security Standards.
Security is a responsibility shared between Cloud Consumer and Cloud Provider.
SECURITY STANDARDS MAPPING – Security Controls
SECURITY STANDARDS MAPPING – Authentication & Authorization
SECURITY STANDARDS MAPPING – Confidentiality
SECURITY STANDARDS MAPPING – Integrity & Availability
SECURITY STANDARDS MAPPING – Identity Management
SECURITY STANDARDS MAPPING – Security Monitoring & Incident Response
SECURITY STANDARDS MAPPING – Security Policy Management
02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
This Guide covers the Risk Management Framework (RMF)
A risk management framework (RMF) is the structured process used to identify
potential threats to an organization and to define the strategy for eliminating or
minimizing the impact of these risks, as well as the mechanisms to effectively
monitor and evaluate this strategy.
Before acquiring a cloud service, a cloud Consumer needs to analyze the risk
associated with the adoption of a cloud-based solution for an information system,
and plan for the risk treatment and risk control activities associated with the cloud-
based operations of this system. To do so, a cloud Consumer needs to gain the
perspective of the entire cloud Ecosystem that will serve the operations of their
cloud-based information system. Cloud Consumers must also apply the RMF in a
customized way that allows them to:
• Perform a risk assessment
• Identify the best-fitting cloud architecture
• Select the most suitable cloud service
• Gain necessary visibility into the cloud offering
• Define and negotiate necessary risk treatment and risk control mitigations
  before finalizing the SLA and proceeding with the security authorization
The Risk Management Framework
Risk Management Framework steps
Step-wise Activities
Risk Assessment (analyze the cloud environment to identify potential vulnerabilities and shortcomings)
Step 1: Categorize the information system and the
information processed, stored, and transmitted by that
system based on a system impact analysis. Identify
operational, performance, security, and privacy
requirements.
Step 2: Select, based on the security categorization, the
initial set of security controls for the information system
(referred to as baseline security controls). Then, tailor and
supplement the baseline security controls set based on the
organizational assessment of risk and the conditions of the
operational environment. Develop a strategy for the
continuous monitoring of security control effectiveness.
Document all the controls in the security plan. Review and
approve the security plan.
Step-wise Activities (cont’d)
Risk Treatment (design mitigation policies and plans)
Step 3: Implement the security controls and describe how
the controls are employed within the information system
and its environment of operation.
Step 4: Assess the security controls using appropriate
assessment procedures as documented in the
assessment plan. The assessment determines if the
controls are implemented correctly and if they are effective
in producing the desired outcome.
Step 5: Authorize information system operation based on
the determined risk resulting from the operation of the
information system and the decision that this risk is
acceptable. The assessment is performed considering the
risk to organizational operations (including mission,
functions, image, or reputation), organizational assets,
individuals, and other organizations.
Risk Control (risk monitoring: surveying, reviewing events, identifying policy adjustments)
Step 6: Monitor the security controls in the information
system on an ongoing basis including assessing control
effectiveness, documenting changes to the system or its
environment of operation, conducting security impact
analyses of these changes, and reporting the security
state of the system to designated organizational officials.
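As an added example that is not part of the original presentation, the following Python script models Steps 1, 2 and 6 above on a constructed cloud-hosted system: the FIPS 199/FIPS 200 high-water-mark rule for categorization (Step 1), baseline selection and tailoring against a small control catalog (Step 2), and a monitoring check that reports the controls that are missing or failed in the latest assessment (Step 6). The control catalog, its baseline assignments, the impact levels and the monitoring results are illustrative assumptions made for this example; they are not NIST's actual SP 800-53 baselines.

```python
"""Added example (not from the slides): a small model of RMF Steps 1, 2 and 6.
The high-water-mark rule is the one FIPS 199 / FIPS 200 prescribe; the control
catalog, its baseline assignments and the monitoring results below are
constructed for illustration and are not NIST's actual SP 800-53 baselines."""
from dataclasses import dataclass

# Impact levels FIPS 199 assigns to each security objective.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Categorization:
    """Step 1: impact level assigned to each security objective of the system."""
    confidentiality: str
    integrity: str
    availability: str

    def overall(self) -> str:
        """FIPS 200 high-water mark: the system's level is the highest of the three."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=lambda lvl: LEVELS[lvl])


# Constructed control catalog: control -> lowest baseline assumed to include it.
# Identifiers follow SP 800-53 naming; the baseline column is illustrative only.
CONTROL_CATALOG = {
    "AC-2 Account Management": "low",
    "IA-2 Identification and Authentication": "low",
    "AU-6 Audit Review, Analysis, and Reporting": "low",
    "SC-8 Transmission Confidentiality and Integrity": "moderate",
    "SI-4 System Monitoring": "moderate",
    "SC-28 Protection of Information at Rest": "moderate",
    "AU-10 Non-repudiation": "high",
}


def select_baseline(overall_level: str) -> set:
    """Step 2: every control whose baseline is at or below the system's level."""
    return {cid for cid, lvl in CONTROL_CATALOG.items()
            if LEVELS[lvl] <= LEVELS[overall_level]}


def tailor(baseline, add=(), remove=()):
    """Step 2 (tailoring): supplement the baseline, or scope controls out, based on
    the organizational risk assessment and the operating environment."""
    return (set(baseline) | set(add)) - set(remove)


def monitor(plan_controls, assessment_results):
    """Step 6: controls in the security plan that are absent from, or failed in,
    the latest assessment results; these are what gets reported to the officials."""
    return sorted(c for c in plan_controls if not assessment_results.get(c, False))


def run_example():
    """Walks a constructed cloud-hosted HR system through Steps 1, 2 and 6."""
    # Step 1: constructed impact levels for the system and its information.
    cat = Categorization(confidentiality="moderate", integrity="moderate", availability="low")
    level = cat.overall()
    # Step 2: baseline for that level, supplemented with a control that an assumed
    # regulatory requirement demands even though the baseline would not include it.
    plan = tailor(select_baseline(level), add=["AU-10 Non-repudiation"])
    # Step 6: constructed monitoring results; a control missing from the results
    # counts as not demonstrated, the same as a failed one.
    results = {c: True for c in plan}
    results["SI-4 System Monitoring"] = False
    del results["AU-10 Non-repudiation"]
    return {"level": level, "plan": sorted(plan), "failed": monitor(plan, results)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Treating an unreported control as failed, rather than silently passing it, is the design choice worth keeping in a real continuous-monitoring pipeline: a gap in the evidence is itself a finding that the security plan needs to address.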
This concludes our overview of Cloud Security Standards and of the Risk
Management requirements when implementing the Cloud.
CREDITS: This presentation template was created by Slidesgo, including
icons by Flaticon, and infographics & images by Freepik.
Please keep this slide for attribution.
THANK YOU!
srishtiahuja16@gmail.com
slashsrishti
srishtiahuja16

 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Cloud Security using NIST guidelines

2. Since the COVID-19 lockdown has imposed work from home, businesses have been pushed to hasten their adoption of the Cloud and its services. Here are NIST's guides for Cloud adoption:

- NIST SP 500-291: Cloud Computing Standards Roadmap
- NIST SP 500-292: NIST Cloud Computing Reference Architecture
- NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume 1, High-Priority Requirements to Further USG Agency Cloud Computing Adoption
- NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume II, Useful Information for Cloud Adopters (Draft)
- NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
- NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
- NIST SP 800-145: The NIST Definition of Cloud Computing
- NIST SP 800-146: Cloud Computing Synopsis and Recommendations (Draft)

3. Importance of Cloud Security

On one hand, the convenience and low cost of cloud computing services have changed our daily lives. On the other hand, the security issues associated with cloud computing leave us exposed to the cybercrimes that happen every day. Security is one of the most significant barriers to migrating to the cloud, followed by concerns about compliance, privacy and legal matters. Attackers can apply several techniques to gain access to our cloud without any legal authorization, and they can disrupt services to achieve their objectives. They could even modify the cloud settings so that an illegal activity is treated as a normal one, and thus gain unauthorized access to data stored in the cloud.

Before migrating to the cloud, the sensitivity of the stored information needs to be weighed against the security and privacy risks incurred. For example, the benefits of a cloud-based solution depend on the cloud model, the type of cloud service considered, the type of data involved, the system's criticality/impact level, the cost savings, the service type, and any associated regulatory requirements.

4. Some Common Threats in the Cloud

With cloud migration, we lose control over physical security. Thus, to understand how to protect our data, we must understand the types of attacks that could occur against our cloud.

Security threats:
- Browser security
- Insecure interfaces and Application Programming Interfaces (APIs)
- Cloud malware injection attack
- Flooding attacks
- Data protection
- Incomplete data deletion
- Lock-in

Network threats:
- Denial of Service (DoS)
- Network sniffing
- Man-in-the-Middle attack
- Port scanning
- Structured Query Language (SQL) injection attack
- Cross-Site Scripting (XSS)
5. NIST SP 500-299

Our objective is to study Cloud Security, so we focus on the NIST Cloud Computing Security Reference Architecture.

6. The NIST Cloud Computing Security Reference Architecture model is derived from the following models:

01 NIST SP 500-292: NIST Cloud Computing Reference Architecture
02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems

7. 01 NIST SP 500-292: NIST Cloud Computing Reference Architecture

The NIST Cloud Computing Security Reference Architecture is mainly derived from this model, as it provides an overall template description of the cloud architecture. This model is a generic, high-level conceptual model that is a powerful tool for discussing the requirements, structures, and operations of cloud computing. The model is vendor-neutral: it is not tied to any specific vendor products, services, or reference implementation, nor does it define prescriptive solutions that restrict innovation. It provides a blueprint to guide developers in the design of (cloud) services and applications, and defines a set of actors, activities, and functions that can be used in the process of developing cloud computing architectures.

8. ACTORS AND THEIR FUNCTIONS

- Cloud Consumer: acquires and maintains a business relationship with, and uses services from, Cloud Providers.
- Cloud Provider: the purveyor of services to Cloud Consumers.
- Cloud Auditor: conducts independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
- Cloud Broker: an intermediary between Cloud Consumer and Cloud Provider; brokers hide the complexity of services or create new services.
- Cloud Carrier: provides connectivity and transport of data and services between Cloud Consumers and Cloud Providers.

10. SERVICE MODELS

Software as a Service (SaaS)

Software as a Service provides consumers with a completed product that is run and managed by the service provider. In most cases, people referring to Software as a Service are referring to end-user applications. With a SaaS offering, consumers do not have to think about how the service is maintained or how the underlying infrastructure is managed; they only need to think about how they will use that particular piece of software. A common example of a SaaS application is web-based email, where you can send and receive email without having to manage feature additions to the email product or maintain the servers and operating systems that the email program runs on.

Platform as a Service (PaaS)

Platform as a Service removes the need for consumers to manage the underlying infrastructure and lets them focus on the deployment and management of their applications. This helps consumers be more efficient, as they do not need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running an application. PaaS consumers employ the tools and execution resources provided by cloud providers to develop, test, deploy, and manage the operation of PaaS applications hosted in a cloud environment.

11. SERVICE MODELS (cont'd)

Infrastructure as a Service (IaaS)

Infrastructure as a Service contains the basic building blocks for cloud IT and typically provides consumers access to networking features, computers (virtual or on dedicated hardware), and data storage space. It also provides consumers with the highest level of flexibility and management control over their IT resources, and is most like the existing IT resources that many IT departments and developers are familiar with today.

12. CLOUD CONSUMER AND CLOUD PROVIDER

IaaS
  Consumer activities: Creates/installs, manages, and monitors services for IT infrastructure operations.
  Provider activities: Provisions and manages the physical processing, storage, networking, and the hosting environment and cloud infrastructure for IaaS consumers.

PaaS
  Consumer activities: Develops, tests, deploys, and manages applications hosted in a cloud system.
  Provider activities: Provisions and manages cloud infrastructure and middleware for the platform consumers; provides development, deployment, and administration tools to platform consumers.

SaaS
  Consumer activities: Uses the application/service for business process operations.
  Provider activities: Installs, manages, maintains, and supports the software application on a cloud infrastructure.
13. SERVICES AVAILABLE TO A CLOUD CONSUMER

14. CLOUD COMPUTING STANDARDS FOR SECURITY

Having understood the basic cloud architecture and its service models, we now focus on the required cloud security standards. Security is a responsibility shared between Cloud Consumer and Cloud Provider.

As most cloud consumers and providers wish to accelerate the adoption of cloud computing and advance the deployment of cloud services, solutions that cope with cloud security threats need to be addressed. Many of the threats that cloud providers and consumers face can be dealt with through traditional security processes and mechanisms such as security policies, cryptography, identity management, intrusion detection/prevention systems, and supply chain vulnerability analysis. However, risk management activities must also be undertaken to determine how to mitigate the threats specific to different cloud models, and to analyze existing standards for gaps that need to be addressed. Securing the information systems and ensuring the confidentiality, integrity, and availability of information being processed, stored, and transmitted are particularly relevant, as these are the high-priority concerns and present a higher risk of being compromised in a cloud computing system.

15. SECURITY STANDARDS MAPPING – Security Controls

17. SECURITY STANDARDS MAPPING – Confidentiality

18. SECURITY STANDARDS MAPPING – Integrity & Availability

19. SECURITY STANDARDS MAPPING – Identity Management

20. SECURITY STANDARDS MAPPING – Security Monitoring & Incident Response

21. SECURITY STANDARDS MAPPING – Security Policy Management
22. 02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems

This guide covers the Risk Management Framework (RMF).

23. The Risk Management Framework

A risk management framework (RMF) is the structured process used to identify potential threats to an organization and to define the strategy for eliminating or minimizing the impact of these risks, as well as the mechanisms to effectively monitor and evaluate this strategy. Before acquiring a cloud service, a Cloud Consumer needs to analyze the risk associated with the adoption of a cloud-based solution for an information system, and plan for the risk treatment and risk control activities associated with the cloud-based operations of this system. To do so, a Cloud Consumer needs to gain the perspective of the entire cloud ecosystem that will serve the operations of their cloud-based information system. Cloud Consumers must also apply the RMF in a customized way that allows them to:

- Perform a risk assessment
- Identify the best-fitting cloud architecture
- Select the most suitable cloud service
- Gain necessary visibility into the cloud offering
- Define and negotiate necessary risk treatment and risk control mitigations before finalizing the SLA and proceeding with the security authorization

25. Step-wise Activities

Risk Assessment (analyze the cloud environment to identify potential vulnerabilities and shortcomings)

Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis. Identify operational, performance, security, and privacy requirements.

Step 2: Select, based on the security categorization, the initial set of security controls for the information system (referred to as baseline security controls). Then tailor and supplement the baseline security control set based on the organizational assessment of risk and the conditions of the operational environment. Develop a strategy for the continuous monitoring of security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.

26. Step-wise Activities (cont'd)

Risk Treatment (design mitigation policies and plans)

Step 3: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

Step 4: Assess the security controls using appropriate assessment procedures as documented in the assessment plan. The assessment determines whether the controls are implemented correctly and whether they are effective in producing the desired outcome.

Step 5: Authorize information system operation based on the determined risk resulting from the operation of the information system and the decision that this risk is acceptable. The assessment is performed considering the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations.

Risk Control (risk monitoring: surveying, reviewing events, identifying policy adjustments)

Step 6: Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated organizational officials.
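To make the categorize, select/tailor and monitor steps concrete for a cloud-hosted system, here is an added Python example (not code from the presentation). It assumes the FIPS 199 high-water-mark rule for Step 1, a small constructed subset of the SP 800-53 control catalogue (check membership against SP 800-53B before relying on it), and the consumer/provider split per service model from the cloud consumer and cloud provider slide above.

```python
"""RMF Steps 1, 2 and 6 worked for a cloud-hosted system. Added example, not code
from the presentation: assumes the FIPS 199 high-water-mark rule, a constructed
subset of the SP 800-53 catalogue, and the consumer/provider split per service
model described on the "Cloud consumer and cloud provider" slide."""
from datetime import date, timedelta

LEVELS = ("low", "moderate", "high")

# Constructed catalogue subset: control -> (lowest baseline containing it, layer owning it).
CATALOGUE = {
    "PE-3":    ("low", "physical"),             # physical access control
    "PE-3(1)": ("high", "physical"),            # physical access to system components
    "SC-7":    ("low", "infrastructure"),       # boundary protection
    "SC-7(5)": ("moderate", "infrastructure"),  # deny by default, allow by exception
    "SI-4":    ("low", "platform"),             # system monitoring
    "SI-4(4)": ("moderate", "platform"),        # inbound/outbound traffic monitoring
    "AC-2":    ("low", "application"),          # account management
    "AC-2(1)": ("moderate", "application"),     # automated account management
}

# Layers the provider operates under each service model; everything else is the consumer's.
PROVIDER_LAYERS = {
    "IaaS": {"physical", "infrastructure"},
    "PaaS": {"physical", "infrastructure", "platform"},
    "SaaS": {"physical", "infrastructure", "platform", "application"},
}

def categorize(info_types):
    """Step 1: the system impact level is the high-water mark over every
    information type and every objective (confidentiality, integrity, availability)."""
    return max((lvl for cia in info_types.values() for lvl in cia), key=LEVELS.index)

def select_baseline(impact):
    """Step 2a: the initial baseline is every control whose lowest baseline <= impact."""
    return {c for c, (lowest, _) in CATALOGUE.items()
            if LEVELS.index(lowest) <= LEVELS.index(impact)}

def tailor(baseline, service_model, supplements=()):
    """Step 2b: after supplementing from the risk assessment, split controls into
    those the consumer implements and those inherited from the provider, which
    need SLA terms and auditor evidence rather than consumer implementation."""
    plan = {"consumer": set(), "inherited": set()}
    for c in set(baseline) | set(supplements):
        owner = "inherited" if CATALOGUE[c][1] in PROVIDER_LAYERS[service_model] else "consumer"
        plan[owner].add(c)
    return plan

def overdue_controls(last_assessed, cadence_days, today):
    """Step 6: controls whose last assessment is older than the monitoring cadence."""
    return sorted(c for c, d in last_assessed.items()
                  if today - d > timedelta(days=cadence_days))

if __name__ == "__main__":
    # Constructed sample: a PaaS-hosted HR system with two information types (C, I, A).
    hr = {"payroll": ("moderate", "moderate", "low"), "benefits": ("moderate", "low", "low")}
    plan = tailor(select_baseline(categorize(hr)), "PaaS")
    print(categorize(hr), plan)
    assessed = {"AC-2": date(2024, 1, 15), "AC-2(1)": date(2024, 5, 1)}
    print(overdue_controls(assessed, 90, date(2024, 6, 1)))
```

The "inherited" set is exactly what the consumer must gain visibility into and negotiate in the SLA before authorization, as the RMF slide requires.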
27. This concludes our overview of the Cloud Security Standards and of the Risk Management requirements that apply when implementing the Cloud.

28. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. Please keep this slide for attribution.

THANK YOU! srishtiahuja16@gmail.com | slashsrishti | srishtiahuja16