How to Gain Comfort in Using the Cloud
by Jason Falciola, GCIH, GAWN
Technical Account Manager, Northeast
October 20th 2010
Agenda
  What Perspective does Qualys bring to this discussion?
−  Security & Compliance Software as a Service (SaaS) provider since 1999
−  Continuously expanding platform to address evolving challenges
  Rapid Market and Technology Changes
  The Security & Compliance Conundrum
  Cloud Definition
  Cloud Questions
  Reliance on Existing Frameworks
  Tackling the Cloud
  Moving Forward
  Q&A
COMPANY CONFIDENTIAL
[Diagram: Private Clouds, SaaS, PaaS, IaaS, Internet]
Technology and Market Trends
Cloud Computing: a disruptive technology
  Accelerated Industry Consolidation
  Moving toward thin clients and a Data Center centric model
  Security moving into the Infrastructure and toward Cloud Services
[Diagram: QualysGuard Service]
Survey Says… (Information Week)
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
Survey Says… (Gartner)
Key Findings:
• Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
• The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
Recommendations:
• Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
• Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
-- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010
http://www.gartner.com/DisplayDocument?doc_cd=175916
Security & Compliance Conundrum
Having to address the New and Old Challenges
  New and multiplying attack vectors
  Authentication still an unresolved issue
  Security & compliance silos, fragmented tools & data
  Lack of enterprise/agency wide visibility and policy enforcement
[Diagram: Private Clouds, SaaS, PaaS/IaaS, all subject to Regulations, Industry Standards and Internal Policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC]
What is the Cloud? Definition
Definition: “The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
– NIST Information Technology Laboratory
What is the Cloud? Essentials
Five Essential Characteristics:
1.  On-demand, self-service – Ability to unilaterally provision computing capabilities
2.  Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
3.  Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
4.  Rapid elasticity – Capabilities can be rapidly and elastically provisioned
5.  Measured service – Resource usage can be monitored, controlled and reported
What is the Cloud? Service Models
Three Service Models
1.  Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security is provided by the cloud vendor.
2.  Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security are managed by the cloud customer.
3.  Infrastructure as a Service (IaaS) – The cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
Key Takeaway – The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.
What is the Cloud? Deployment Models
Four Deployment Models
1.  Public: Made available to the general public or a large industry group and owned by an organization selling cloud services.
2.  Private: Operated solely for a single organization or a group of organizations isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
3.  Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
4.  Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique but are bound together by standardized or proprietary technology that enables data and application portability (cloud bursting for load balancing between clouds).
What is the Cloud? Visual Definition
Cloud Questions
  New technology combined with un-proven vendors / service providers
  Innovative technology in the hands of the users
  Data leaving the perimeter
  Growing number of third parties requiring connectivity
  Control validation changes to trust
  Transparency limited to what you know
  Challenging to report Risk back to the business
Critical Challenges for Security Professionals
[Diagram: Security Program; Questionnaires, On-Site Review, Third Party; Security Budgets, Staffing/Resources, Reduce Confusion]
Audit Activities and Costs
  Up to 5 man days of work to complete
  Hotel
  Transportation
  Any Corrective Actions
  Hidden costs (e.g., require pen test, out of office work, regulatory)
  What would the average cost be?
Multiple Reviews
[Diagram: one Cloud User separately reviewing SaaS SP 1, IaaS SP, SaaS SP 2, PaaS SP, SaaS SP 3 and SaaS SP 4]
  No standard
  Scalability
  After the fact
  Custom Reviews
S-P-I Framework
[Diagram: the stack IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service); at the IaaS end “You build security in”, at the SaaS end “You ‘RFP’ security in”]
Source: http://www.cloudsecurityalliance.org
Existing Frameworks in Use
 Security Questionnaires
 OnSite Review
 ISO 27002
 SAS-70 Type II
 SysTrust
 PCI
 Third Party Penetration Test
Available Resources for Cloud Users – NIST & ENISA
  NIST
− Cloud Definition
− SCAP – Security Content Automation Protocol: http://scap.nist.gov
− Continuous Monitoring
  ENISA
− Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
−  http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Available Resources (cont’d) – Cloud Security Alliance (CSA)
  Cloud Security Alliance
− CSA Guide
− Research Papers
  Initiatives in Progress/Released
− CSA Guidance V2.1 – Released Dec 2009: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
− CSA Top Threats Research – Released March 2010
− CSA Cloud Controls Matrix – Released April 2010
− Trusted Cloud Initiative – Release Q4 2010
− CSA Cloud Metrics Working Group
− Consensus Assessment Initiative
Available Resources (cont’d) – CSA Guidance Research
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
[Diagram of the CSA Guidance domains]
Cloud Architecture
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
  Controls derived from guidance
  Rated as applicable to S-P-I
  Customer vs Provider role
  Mapped to ISO 27001, COBIT, PCI, HIPAA
  Help bridge the gap for IT & IT auditors between existing controls and cloud controls
www.cloudsecurityalliance.org/cm.html
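As an added illustration of the Key Takeaway from the service-models slide and of the S-P-I and customer-vs-provider rating the Cloud Controls Matrix slide describes, the Python below (written for this page, not Qualys or CSA code) splits controls by responsible party for a chosen service model, scores a vendor questionnaire against the provider-side controls, and maps the open gaps onto the frameworks they affect. The mini matrix, its control ids, framework mappings and the vendor answers are all constructed for the example and are not the real CCM.

```python
from dataclasses import dataclass

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")


@dataclass(frozen=True)
class Control:
    cid: str           # constructed id for this example, not a real CCM control id
    title: str
    owner: dict        # service model -> "provider" | "customer" | "shared"
    frameworks: tuple  # constructed framework mappings, e.g. ("ISO27001", "PCI")


# Constructed mini matrix.  The owner column follows the split the deck states:
# SaaS - the vendor secures the application and the stack beneath it
# PaaS - the customer secures its own application and data
# IaaS - the vendor protects infrastructure; the customer secures OS, apps, content
MATRIX = (
    Control("C-01", "Physical and facility security",
            {"SaaS": "provider", "PaaS": "provider", "IaaS": "provider"},
            ("ISO27001", "PCI", "HIPAA")),
    Control("C-02", "Hypervisor and network isolation between tenants",
            {"SaaS": "provider", "PaaS": "provider", "IaaS": "provider"},
            ("ISO27001", "PCI")),
    Control("C-03", "Operating system patching and hardening",
            {"SaaS": "provider", "PaaS": "provider", "IaaS": "customer"},
            ("ISO27001", "PCI", "COBIT")),
    Control("C-04", "Application security testing",
            {"SaaS": "provider", "PaaS": "customer", "IaaS": "customer"},
            ("PCI", "COBIT")),
    Control("C-05", "Data encryption and key management",
            {"SaaS": "shared", "PaaS": "customer", "IaaS": "customer"},
            ("ISO27001", "PCI", "HIPAA")),
    Control("C-06", "Identity and access management",
            {"SaaS": "shared", "PaaS": "shared", "IaaS": "customer"},
            ("ISO27001", "HIPAA", "COBIT")),
    Control("C-07", "Incident response and breach notification",
            {"SaaS": "shared", "PaaS": "shared", "IaaS": "shared"},
            ("ISO27001", "HIPAA")),
)


def split_responsibility(model):
    """Group control ids by who owns them under one service model."""
    if model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model {model!r}, expected one of {SERVICE_MODELS}")
    out = {"provider": [], "customer": [], "shared": []}
    for c in MATRIX:
        out[c.owner[model]].append(c.cid)
    return out


def assess_vendor(model, answers):
    """Score a vendor questionnaire for one service model.

    answers maps control id -> True (evidence supplied) or False (not in place);
    a missing or None entry is unanswered.  Only provider-owned and shared
    controls are asked of the vendor, and anything not answered True is an open
    gap: transparency is limited to what the vendor actually shows you.
    Customer-owned and shared controls come back as the customer's own to-do list.
    """
    split = split_responsibility(model)
    asked = split["provider"] + split["shared"]
    return {
        "asked_of_vendor": asked,
        "gaps": [cid for cid in asked if answers.get(cid) is not True],
        "unanswered": [cid for cid in asked if answers.get(cid) is None],
        "customer_todo": split["customer"] + split["shared"],
    }


def framework_gaps(model, answers):
    """Map open vendor gaps onto the frameworks (ISO 27001, PCI, ...) they affect,
    so an auditor sees which mapped requirements the answers leave unsupported."""
    open_gaps = set(assess_vendor(model, answers)["gaps"])
    out = {}
    for c in MATRIX:
        if c.cid in open_gaps:
            for fw in c.frameworks:
                out.setdefault(fw, []).append(c.cid)
    return out


if __name__ == "__main__":
    # Constructed vendor answers; the same evidence is evaluated under each model.
    vendor = {"C-01": True, "C-02": True, "C-03": True,
              "C-04": False, "C-05": True, "C-06": True}   # C-07 left unanswered
    for m in SERVICE_MODELS:
        r = assess_vendor(m, vendor)
        print(f"{m}: vendor gaps {r['gaps']}, customer to-do {r['customer_todo']}")
        print("      by framework:", framework_gaps(m, vendor))
```

Running it shows the customer's to-do list growing from SaaS to PaaS to IaaS for the same vendor evidence, which is the slide's Key Takeaway in executable form.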
Available Resources (cont’d) – CAMM, Shared Assessments
  Common Assurance Maturity Model (CAMM)
  Shared Assessments
− Target Data Tracker
− Self Information Gathering (SIG) – Level I, Level II
− AUP – Agreed Upon Procedures
− Business Continuity Questions, Privacy Questions, Other tools
− Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
Available Resources (cont’d) – Jericho Forum Cloud Cube Model
Available Resources (cont’d) – Jericho Forum Self-Assessment
Recommendation: Use a Proprietary, Blended Approach
[Diagram: Proprietary, Blended Approach drawing on PCI, COBIT, ISO 27001, CAMM, ENISA, CSA]
  One size does not fit all
  Same if not stronger controls
  Reliance on periodic audits
Moving Forward
  Collaborative effort amongst associations required
  Joint Paper with CSA, CloudAudit/A6, ISACA, and ISF
  Hope to include NIST, PCI and BITS
  Cloud Users will continue to use available resources for assessments
Assessing Cloud Security: References
  Cloud Audit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – Now a project of CSA
−  http://www.cloudaudit.org
  Cloud Security Alliance – CSA
−  http://www.cloudsecurityalliance.org/
  Common Assurance Maturity Model
−  http://common-assurance.com/
  Jericho Forum
−  http://www.opengroup.org/jericho/
  Shared Assessments
−  http://www.sharedassessments.org/
  Qualys
−  http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
−  http://www.qualys.com/products/qg_suite/malware_detection/ – Free Tool
−  http://www.qualys.com/aurora – Research by iSec Partners
QualysGuard Freemium Services
More than just “free” services – leverage the cloud
www.qualys.com/stopmalware
www.ssllabs.com
https://browsercheck.qualys.com
Other Freemium services in the making:
  Malware Research Portal
  HoneyNet Research Portal
  Automated Generation of IDS Signatures
https://community.qualys.com/docs/DOC-1351
Thank You
Thanks! Q&A?
Jason Falciola, GCIH, GAWN
jfalciola AT qualys.com
+1 973-464-5659
http://www.qualys.com

State Data Breach Laws - A National Patchwork Quilt
 
It's All About the Data!
It's All About the Data!It's All About the Data!
It's All About the Data!
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
 
Firewall Defense against Covert Channels
Firewall Defense against Covert Channels Firewall Defense against Covert Channels
Firewall Defense against Covert Channels
 

Dernier

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Dernier (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

How to Gain Comfort Using Cloud Services

  • 1. How to Gain Comfort in Using the Cloud, by Jason Falciola, GCIH, GAWN, Technical Account Manager, Northeast. October 20th 2010.
  • 2. Agenda
    − What perspective does Qualys bring to this discussion?
      − Security & Compliance Software as a Service (SaaS) provider since 1999
      − Continuously expanding platform to address evolving challenges
    − Rapid Market and Technology Changes
    − The Security & Compliance Conundrum
    − Cloud Definition
    − Cloud Questions
    − Reliance on Existing Frameworks
    − Tackling the Cloud
    − Moving Forward
    − Q&A
    COMPANY CONFIDENTIAL
  • 3. Technology and Market Trends: Cloud Computing, a disruptive technology
    − Accelerated industry consolidation
    − Moving toward thin clients and a data-center-centric model
    − Security moving into the infrastructure and toward cloud services
    (Diagram: Private Clouds, SaaS, PaaS, IaaS and the Internet, with the QualysGuard Service)
  • 4. Survey Says… (Information Week)
    “In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
    -- Information Week, http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
  • 5. Survey Says… (Gartner)
    Key Findings:
    − Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
    − The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
    Recommendations:
    − Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
    − Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
    -- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010, http://www.gartner.com/DisplayDocument?doc_cd=175916
  • 6. Agenda (section divider; repeats slide 2)
  • 7. Security & Compliance Conundrum: having to address the new and old challenges
    − New and multiplying attack vectors
    − Authentication still an unresolved issue
    − Security & compliance silos, fragmented tools & data
    − Lack of enterprise/agency-wide visibility and policy enforcement
    (Diagram: Private Clouds, SaaS, PaaS/IaaS set against regulations, industry standards and internal policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC)
  • 8. Agenda (section divider; repeats slide 2)
  • 9. What is the Cloud? Definition
    “The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
    – NIST Information Technology Laboratory
  • 10. What is the Cloud? Essentials. Five Essential Characteristics:
    1. On-demand, self-service – ability to unilaterally provision computing capabilities
    2. Broad network access – available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
    3. Resource pooling – resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
    4. Rapid elasticity – capabilities can be rapidly and elastically provisioned
    5. Measured service – resource usage can be monitored, controlled and reported
  • 11. What is the Cloud? Service Models. Three Service Models:
    1. Software as a Service (SaaS) – a managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security is provided by the cloud vendor.
    2. Platform as a Service (PaaS) – developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security are managed by the cloud customer.
    3. Infrastructure as a Service (IaaS) – the cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
    Key Takeaway – the lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.
  • 12. What is the Cloud? Deployment Models. Four Deployment Models:
    1. Public: made available to the general public or a large industry group, and owned by an organization selling cloud services.
    2. Private: operated solely for a single organization or a group of organizations, isolated from their peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
    3. Community: shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
    4. Hybrid: composed of two or more clouds (Private, Community, or Public) that remain unique but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  • 13. What is the Cloud? Visual Definition (diagram)
  • 14. Agenda (section divider; repeats slide 2)
  • 15. Cloud Questions
    − New technology combined with unproven vendors / service providers
    − Innovative technology in the hands of the users
    − Data leaving the perimeter
    − Growing number of third parties requiring connectivity
    − Control validation changes to trust
    − Transparency limited to what you know
    − Challenging to report risk back to the business
  • 16. Critical Challenges for Security Professionals
    (Diagram: Security Program, Questionnaires, On-Site Review, Third Party, Security Budgets, Staffing/Resources, Reduce Confusion)
  • 17. Audit Activities and Costs
    − Up to 5 man-days of work to complete
    − Hotel
    − Transportation
    − Any corrective actions
    − Hidden costs (e.g., a required pen test, out-of-office work, regulatory)
    − What would the average cost be?
  • 18. Multiple Reviews
    (Diagram: Cloud User; SaaS SP 1, IaaS SP, SaaS SP 2, PaaS SP, SaaS SP 3, SaaS SP 4)
    − No standard
    − Scalability
    − After the fact
    − Custom reviews
  • 19. S-P-I Framework
    (Diagram: IaaS – Infrastructure as a Service; PaaS – Platform as a Service; SaaS – Software as a Service. The spectrum runs from IaaS, where you build security in, to SaaS, where you “RFP” security in.)
    Source: http://www.cloudsecurityalliance.org
  • 20. Agenda (section divider; repeats slide 2)
  • 21. Existing Frameworks in Use
    − Security questionnaires
    − On-site review
    − ISO 27002
    − SAS-70 Type II
    − SysTrust
    − PCI
    − Third-party penetration test
  • 22. Agenda (section divider; repeats slide 2)
  • 23. Available Resources for Cloud Users – NIST & ENISA
    − NIST
      − Cloud Definition
      − SCAP – Security Content Automation Protocol, http://scap.nist.gov
      − Continuous Monitoring
    − ENISA
      − Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
      − http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  • 24. Available Resources (cont’d) – Cloud Security Alliance (CSA)
    − Cloud Security Alliance
      − CSA Guide
      − Research Papers
    − Initiatives in Progress/Released
      − CSA Guidance V2.1 – released Dec 2009, http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
      − CSA Top Threats Research – released March 2010
      − CSA Cloud Controls Matrix – released April 2010
      − Trusted Cloud Initiative – release Q4 2010
      − CSA Cloud Metrics Working Group
      − Consensus Assessment Initiative
  • 25. Available Resources (cont’d) – CSA Guidance Research
    Guidance > 100k downloads: cloudsecurityalliance.org/guidance
    − Cloud Architecture
    − Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
    − Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
  • 26. Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
    − Controls derived from guidance
    − Rated as applicable to S-P-I
    − Customer vs. Provider role
    − Mapped to ISO 27001, COBIT, PCI, HIPAA
    − Helps bridge the gap for IT & IT auditors between existing controls and cloud controls
    www.cloudsecurityalliance.org/cm.html
  • 27. Available Resources (cont’d) – CAMM, Shared Assessments
    − Common Assurance Maturity Model (CAMM)
    − Shared Assessments
      − Target Data Tracker
      − Self Information Gathering (SIG) – Level I, Level II
      − AUP – Agreed Upon Procedures
      − Business Continuity Questions, Privacy Questions, other tools
      − Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
  • 28. Available Resources (cont’d) – Jericho Forum Cloud Cube Model
  • 29. Available Resources (cont’d) – Jericho Forum Self-Assessment
  • 30. Recommendation: Use a Proprietary, Blended Approach
    (Diagram: a proprietary, blended approach drawing on PCI, CoBIT, ISO-27001, CAMM, ENISA and CSA)
    − One size does not fit all
    − Same if not stronger controls
    − Reliance on periodic audits
  • 31. Agenda (section divider; repeats slide 2)
  • 32. Moving Forward
    − Collaborative effort amongst associations required
    − Joint paper with CSA, CloudAudit/A6, ISACA, and ISF
    − Hope to include NIST, PCI and BITS
    − Cloud users will continue to use available resources for assessments
  • 33. Assessing Cloud Security: References
    − Cloud Audit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – now a project of CSA: http://www.cloudaudit.org
    − Cloud Security Alliance (CSA): http://www.cloudsecurityalliance.org/
    − Common Assurance Maturity Model: http://common-assurance.com/
    − Jericho Forum: http://www.opengroup.org/jericho/
    − Shared Assessments: http://www.sharedassessments.org/
    − Qualys
      − http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
      − http://www.qualys.com/products/qg_suite/malware_detection/ – free tool
      − http://www.qualys.com/aurora – research by iSec Partners
  • 34. QualysGuard Freemium Services: more than just “free” services – leverage the cloud
    − www.qualys.com/stopmalware
    − www.ssllabs.com
    − https://browsercheck.qualys.com
    Other Freemium services in the making: Malware Research Portal; HoneyNet Research Portal; Automated Generation of IDS Signatures
    https://community.qualys.com/docs/DOC-1351
  • 35. Thank You. Thanks! Q&A? Jason Falciola, GCIH, GAWN. jfalciola AT qualys.com, +1 973-464-5659, http://www.qualys.com