Security & Compliance in the Cloud
Standards, Security & Proactively Managing Governance, Risk & Compliance
CSA North Texas Chapter, Dallas / Ft. Worth
Friday, June 28, 2013
FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX
Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting
Goals & Overview of Today's Discussion
Goals
Awareness
Encourage Focus on Security, Governance & Compliance
Creating Broad Awareness – Providing Education & Focus on Standards
Focus on Best Practices
For Security Risk Mitigation, Regulatory Compliance & Governance
Overview of Cloud Security Alliance (CSA) & Research Areas
Overview
Cloud is Changing Business & IT - New IT Landscape
Cloud Security Alliance - Research & Standards
Conclusion & Panel Discussion
Today’s Presentation Slides - http://www.slideshare.net/chadmlawler/
Cloud is Changing Business & IT
The New IT Landscape
IT Operations + Multi Cloud
 Legacy Coexistence with Cloud Migration and New Cloud Apps
 Multiple Applications Spread Across Legacy & Cloud Environments
 Selective Outsourcing and Managed Services
 Private, Public and Hybrid Cloud Utilization
Datacenter - Traditional Data Center
 On-site Traditional Infrastructure
 Dedicated with Limited Virtualization
 Internal Application Provisioning
Private Cloud - Next Generation Datacenter
 On-site Private Cloud IaaS Utility
 Dedicated On-Site Infrastructure
 Internal Application Provisioning
Public Cloud - Public Cloud Datacenter (Regional Datacenter 1, Regional Datacenter 2)
 Off-site Utility
 Pay-as-You-Go Consumption
 External Application Provisioning
Hybrid Cloud - Public/Private/Virtual Private Enterprise Datacenter
 On-Site + Off-site Utility
 Dedicated Infrastructure + Utility
 Internal + External Provisioning
Next Generation Datacenter Transition: Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix (SaaS, IaaS & PaaS)
(Diagram: Cloud Ecosystem - SaaS, IaaS and PaaS services and providers surround your business and your central IT, with business and end users circumventing IT and increasing shadow IT.)
Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix
Focus on Cloud Supply Chain, Security & Governance
Mix of public-private cloud services from multiple, different cloud providers
With the cloud come increased complexities that are disruptive for both business and IT
Increased need for risk visibility, management, governance and security
Businesses already negotiating multiple cloud service contracts with different providers
Using multiple/different cloud services - more contracts, payments, providers to manage
Need for new best practices for security, cloud supply chain management and resource control
Cloud + Mobile
Dispersal of applications
Dispersal of data
Dispersal of users
Dispersal of endpoint devices
(Diagram: cloud users, public clouds and private clouds straddling a notional organizational boundary. Source: www.cloudsecurityalliance.org)
Copyright © 2013 Cloud Security Alliance
Where IT is Going Is Challenging Our Assumptions About... Everything
Technology consumerization and its offspring
Cloud: Compute as a utility
Smart Mobility: Compute anywhere
Shifting balance of power to technology users
Organizational structure & business planning
Disrupting IT and IT security through agility
Key Trust Issues
Transparency & visibility from providers
Compatible laws across jurisdictions
Data sovereignty
Incomplete standards
Multi-tenant technologies & architecture
Incomplete Identity Management
Consumer awareness & engagement
Governance
Administration & Control of IT Assets
Measurement, Policy & Enforcement
Appropriate & Authorized Resource Use
Security & Risk
Confidentiality, Integrity & Availability
Security Protection, Controls & Reporting
Incident Mitigation, Detection & Response
Compliance
Legal & Regulatory
Policies, Standards & Procedures
Auditing & Reporting
(Diagram: governance, security & risk, and compliance span the datacenter, private cloud, public clouds and hybrid cloud.)
A Look at Today's Security Landscape
Facing Modern Security Threats
The State of Information Security
The Global State of Information Security Survey 2013
Source: The Global State of Information Security Survey 2013 - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
Texas Comptroller's 3.5 Million Record Breach
Source: Cyber Risk Remains a Serious Threat Facing Public Entities http://www.netdiligence.com/files/Public%20Entity%20Cyber%20Risk-061512.pdf
The state's investigation revealed that the data was not encrypted, even though Texas administrative rules require encryption of data files containing sensitive information.
Personally Identifiable Information Consumer Notifications
Source: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/vermont-security-breaches.php
Notable Security Incidents Since 2008
1. Yahoo Japan - identity details of up to 22 million users may have been compromised when attackers broke into its computer systems.
2. Washington State Court System - May 2013 - a cyber attack on servers operated by the Washington state court system exposed 160,000 Social Security numbers.
3. Federal Reserve - February 2013 - security breach of undisclosed information; Anonymous exploited a zero-day vulnerability in Adobe ColdFusion.
4. Alabama Criminal Justice Information Center - February 2013 - Anonymous posted credentials, login and contact information and IP addresses for roughly 4,000 bank executives.
5. LivingSocial.com - April 2013 - a security breach exposed names, e-mail addresses and password data for up to 50 million of its users.
6. Twitter - February 2013 - 250,000 accounts affected; attackers accessed usernames, e-mail addresses and password data in what Twitter called a "sophisticated" operation.
7. US Army Corps of Engineers' National Inventory of Dams (NID) - 2013 - cyber intrusion into sensitive information on the vulnerabilities of 8,100 major US dams, attributed to Chinese actors.
8. Wyndham Hotels - announced in 2012, began in 2008 - over $10.6 million in fraudulent credit card transactions, called the most egregious security breach of 2012; the Federal Trade Commission brought a lawsuit against Wyndham Hotels.
9. Zappos - January 2012 - attackers compromised over 24 million records including user names, phone numbers, e-mail addresses, partial credit card numbers and hashed passwords.
10. LinkedIn / eHarmony - June 2012 - roughly 8 million password hashes taken.
11. Last.fm - mid-2012 - attackers exploited lax security to make off with millions of user password hashes.
12. Utah Department of Health (Medicaid) - March 30, 2012 - attackers broke into a Medicaid server, exposing 280,000 residents' Social Security numbers and health data on 500,000 residents.
13. Sutter Physicians Services / Sutter Medical Foundation - November 2011 - 3.3 million patients' medical details stolen when a thief took a desktop computer; the data was password-protected but not encrypted.
14. Sony PlayStation Network - April 20, 2011 - over 100 million PlayStation Network and Sony Online Entertainment accounts compromised; Sony is said to have lost millions while the service was down for a month, and faced ongoing customer-relations fallout and class-action lawsuits over its failure to protect the records.
15. ESTsoft - July-August 2011 - personal information of 35 million South Koreans exposed after attackers breached a popular software provider.
16. TRICARE / SAIC - September 2011 - 5.1 million people's records breached when backup tapes containing SAIC (Science Applications International Corporation) data on current and retired members of the armed services and their families were stolen from the car of a TRICARE employee; led to a $4.9 billion lawsuit.
17. Nasdaq - 2011 - attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.
18. Yahoo - July 2012 - 450,000 user names and passwords stolen; attackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and took files from Yahoo's Contributor Network. The passwords were not hashed or encrypted but stored in plain text.
19. Epsilon - March 2011 - exposed names and e-mail addresses of millions of customers of more than 108 retailers and several large financial firms.
20. RSA Security - March 2011 - attackers breached EMC's RSA and stole information relating to its SecurID two-factor system, affecting some 40 million tokens; RSA attributed the attack to an unnamed nation state and revealed that it began with a low-tech spear-phishing e-mail.
21. Stuxnet - discovered in 2010, with origins dating to 2007 - attack on Iran's nuclear program; serves as a template for real-world intrusion and service disruption.
22. VeriSign - throughout 2010 - impact: undisclosed information stolen.
23. Gawker Media - December 2010 - compromised e-mail addresses and passwords of about 1.3 million users of Lifehacker, Gizmodo, Jezebel and other Gawker blogs, plus theft of the source code for Gawker's custom-built content management system.
24. Google / Yahoo / Silicon Valley companies (Operation Aurora) - mid-2009 - intellectual property stolen in a large industrial-espionage campaign, attributed to China, against Google, Yahoo and dozens of other Silicon Valley companies.
25. US military networks - 2008 - called the "worst breach of U.S. military computers in history" and "the most significant breach of U.S. military computers ever"; the Pentagon spent 14 months cleaning military networks. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." - William J. Lynn III, Deputy Secretary of Defense. Led to the creation of US Cyber Command.
26. Heartland Payment Systems - March 2008 - 134 million credit cards exposed after SQL injection was used to install malware on Heartland's data systems.
Increasing Security Threat for SMBs
PwC InfoSec 2013 flags a rise in SMB security breaches: SMBs can no longer afford to assume their small size will keep them off the radar of cyber criminals and hackers.
"Hacking at small businesses is a prolific problem... It's going to get much worse before it gets better."
Dean Kinsman, Special Agent, FBI's Cyber Division
Revealed: Operation Shady Rat
Operation Shady Rat - August 2011
Targeted intrusions into more than 70 global
companies, governments and non-profit
organizations over five years
Source: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
"Targeted intrusion is a problem of massive scale that affects nearly every industry ... and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."
Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011
Operation Red October
Operation Red October - January 11, 2013
 Kaspersky Lab research report which identified a cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
 Attackers gathered sensitive documents from the compromised organizations, including geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
Source: http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide
"There is sensitive geopolitical information being stolen, which is very valuable... Over the course of the last five years, we believe several terabytes of data was stolen - it's massive."
Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, 2013
DoD Networks Completely Compromised by Foreign Spies
"We've got the wrong model here. ...this model for cyber that says, 'We're going to develop a system where we're not attacked'... I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway. We have to protect the data anyway."
James Peery, Director of Sandia National Labs' Information Systems Analysis Center
http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say#
U.S. Weapons Systems Compromised by Chinese Cyberspies
http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/
 Designs for many of the nation’s most sensitive
advanced weapons systems have been stolen and
compromised by Chinese hackers.
 Designs Stolen:
 Patriot missile system, known as PAC-3;
 an Army system for shooting down ballistic missiles,
known as the Terminal High Altitude Area Defense, or
THAAD
 The Navy's Aegis ballistic-missile defense system
 F/A-18 fighter jet,
 The V-22 Osprey, the Black Hawk helicopter
 The Navy’s new Littoral Combat Ship
 The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion - whose designs were stolen by Chinese hackers in 2007.
 Drone video systems, nanotechnology, tactical data links
and electronic warfare systems also compromised.
 Defense Contractors include: Boeing, Lockheed
Martin, Raytheon and Northrop Grumman.
"In many cases, they (DoD contractors) don't know they've been hacked until the FBI comes knocking on their door. This is billions of dollars of combat advantage for China. They've just saved themselves 25 years of research and development. It's nuts."
Senior Military Official, on the Compromise of US Weapons Systems Designs
Proactively Managing Governance,
Risk & Compliance
Educate, Build A Framework, Layer
Protection, Implement Incrementally
"No single product will stop spear-phishing, protect sensitive data, thwart malware, or put an end to malicious insiders... Instead there are several solutions across endpoint, network, data security and security management that can and should be used in a connected framework to enrich each other and thus mitigate risk..."
McAfee - Building a Better Shady RAT Trap
Elevate Security Importance - Build a Governance Framework
 CSA Governance, Risk Management and Compliance (GRC) Stack
• https://cloudsecurityalliance.org/research/projects/grc-stack/
 Integrated Cloud Framework: Security, Governance, Compliance
• http://www.slideshare.net/chadmlawler/
Build Incremental Security Layers
 Integrate Complete Security Solutions in Cloud Environments
• Deep Code-Level Security Vulnerability Reviews on All Cloud Applications
• Security Services: Single Sign-On (SSO), PKI & Certificate Management
• Identity Management, Vulnerability Scanning, PII Detection & Continuous Auditing
• SIEM with Root Cause Analysis & Risk Assessment, Patch & Log Management System
• AntiVirus & AntiMalware, IDS/IPS Event Management & Data Loss Prevention
• Data Encryption for Data at Rest, TLS (HTTPS) for Data in Transit
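The "PII detection" control above is what would have flagged the Texas Comptroller's unencrypted files before a breach did. As an added example (not code from the presentation), a stdlib-only scanner that finds US Social Security numbers and payment card numbers in text, validating candidates against SSA allocation rules and the Luhn check digit so that phone numbers and order IDs are not reported. The sample records are constructed test data; masking the matched values in the findings is deliberate, since a DLP report that itself contains full SSNs is a second copy of the problem.

```python
"""Scan text for unencrypted PII: US Social Security numbers and payment card
numbers. Added illustration of the "PII detection" control; not code from the
presentation. The sample records below are constructed test data."""
import re
from typing import Dict, List

# Loose candidate patterns; the validators below reject most look-alikes
# (phone numbers, order IDs) so the scanner does not drown in false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes; first and last
# characters are digits so surrounding punctuation is not swallowed.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: area is never 000, 666 or 900-999; group is never
    00; serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Never write the full value into a finding or a log line; keep the last 4."""
    return "".join("*" if ch.isdigit() else ch for ch in value[:-keep]) + value[-keep:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked SSN and card-number findings for a blob of text."""
    findings: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings["ssn"].append(mask(m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["card"].append(mask(digits))
    return findings


def scan_file(path: str) -> Dict[str, List[str]]:
    """Scan one file; any hit means the file holds sensitive data and must be
    encrypted at rest (or the data removed), the rule the Texas case broke."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: one valid SSN/card pair, one invalid pair, one free-text row.
SAMPLE = """name,ssn,card,notes
Jane Roe,123-45-6789,4111 1111 1111 1111,constructed test row
John Doe,000-12-3456,4111 1111 1111 1112,invalid SSN area and bad Luhn digit
Order 555-11-2222 shipped; ref 5500000000000004
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Run against the sample, the scanner reports two SSNs and two card numbers and drops the row whose SSN area is 000 and whose card fails the Luhn check. Point it at a file share with `scan_file` and every file with a non-empty result is a candidate for the encryption-at-rest requirement; the validators keep the review queue short enough to act on.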
“If you can't stop attacks (spear-phishing), you can at least
know when they occur if you have a properly tuned Security
Incident & Event Management (SIEM) system in place. You
need all the key components feeding data into it including:
• Proactive, organized response procedures for security incidents
• A Security Operations Center (SOC) & monitoring system
• Intrusion Detection & Prevention System (IDS/IPS)
• Security logs with monitoring and analysis
• Data Loss Prevention (DLP) & Encryption
• Host-based anti-malware & antivirus “
Jeromme Lawler, CISSP, CRISC, Security Architect, AsTech Consulting, 2013
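The quoted advice depends on the SIEM rules being tuned to the attacks you actually expect. As an added example (not code from the presentation or from the quoted speaker), a correlation rule of the kind a SIEM would run over an authentication log feed: it flags a source IP that fails logins against many distinct accounts inside a short window, the credential-stuffing pattern that follows password dumps like the ones listed earlier, and raises severity when any login from that source then succeeds. The log line format, the documentation-range IP addresses, the sample lines and the thresholds (five accounts within five minutes) are constructed assumptions.

```python
"""Correlation rule for an authentication log feed: flag a source IP that fails
logins against many distinct accounts in a short window (credential stuffing)
and raise severity if any login from that source then succeeds. Added
illustration, not code from the presentation; the log format and the sample
lines are constructed assumptions. Standard library only."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    result: str
    user: str
    src: str


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse the constructed log format. Lines that do not match are skipped;
    a production collector should count them, since a silent parser is a blind spot."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           min_accounts: int = 5) -> List[Dict]:
    """One alert per source IP whose failures span >= min_accounts distinct
    users inside a sliding window. Successes seen in any triggering window are
    reported as compromised accounts and lift the severity to high."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        alert = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            failed = {e.user for e in win if e.result == "FAIL"}
            if len(failed) < min_accounts:
                continue
            succeeded = {e.user for e in win if e.result == "OK"}
            if alert is None:
                alert = {"src": src, "first_seen": evs[start].ts.isoformat(),
                         "accounts_tried": set(failed), "compromised": set(succeeded)}
            else:
                alert["accounts_tried"] |= failed
                alert["compromised"] |= succeeded
        if alert:
            alert["accounts_tried"] = sorted(alert["accounts_tried"])
            alert["compromised"] = sorted(alert["compromised"])
            alert["severity"] = "high" if alert["compromised"] else "medium"
            alerts.append(alert)
    return alerts


# Constructed sample feed. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges. 203.0.113.7 sprays five accounts and then logs in as frank;
# jane mistypes her own password once; 192.0.2.9 is a lone failure.
SAMPLE_LOG = """\
2013-06-28T10:00:01Z auth: result=FAIL user=alice src=203.0.113.7
2013-06-28T10:00:09Z auth: result=FAIL user=bob src=203.0.113.7
2013-06-28T10:00:15Z auth: result=FAIL user=carol src=203.0.113.7
2013-06-28T10:00:20Z auth: result=OK user=jane src=198.51.100.20
2013-06-28T10:00:31Z auth: result=FAIL user=dave src=203.0.113.7
2013-06-28T10:01:40Z auth: result=FAIL user=erin src=203.0.113.7
2013-06-28T10:02:02Z auth: result=FAIL user=jane src=198.51.100.20
2013-06-28T10:02:10Z auth: result=OK user=jane src=198.51.100.20
2013-06-28T10:03:05Z auth: result=OK user=frank src=203.0.113.7
2013-06-28T10:03:06Z kernel: unrelated line that the parser ignores
2013-06-28T11:30:00Z auth: result=FAIL user=alice src=192.0.2.9
"""

if __name__ == "__main__":
    print(json.dumps(detect(parse(SAMPLE_LOG.splitlines())), indent=2))
```

On the sample feed the rule produces exactly one alert, for 203.0.113.7, listing the five accounts sprayed and `frank` as compromised with severity high; jane's single mistyped password and the lone failure from 192.0.2.9 stay below the threshold. The per-source sliding window is the tuning knob the quote refers to: too wide and help-desk password resets fire it, too narrow and a slow spray walks under it, so the window and account count should be set from your own authentication baseline.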
Top Security Resources
 SysAdmin, Audit, Networking and Security (SANS) Top 20 Critical Controls for Effective Cyber Defense
 SANS Newsletters - http://www.sans.org/newsletters/
 Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks
 Open Web Application Security Project (OWASP) Top 10 Mobile Risks
 Open Web Application Security Project (OWASP) Cheat Sheets
 Australian Department of Defence (Defence Signals Directorate) Top 35 Mitigation Strategies
 National Institute of Standards and Technology (NIST) Special Publications 800 Series
 European Network and Information Security Agency (ENISA) Threat Landscape
 International Organization for Standardization (ISO) 27000 Series
 Information Systems Audit and Control Association (ISACA) COBIT Framework
Proactively Managing Governance, Risk & Compliance
Be Proactive in Working to Mitigate Liabilities & Risks
 Understand that Security in the Cloud Must be Managed
 Implement a Policy that Calculates & Quantifies Cloud Application Risk
 Evaluate Application & Data Security Requirements
 Plan & Budget for Implementing Security Services
 Leverage a Framework Which Covers all Key Risk & Liability Areas
 Implement & Adhere to Your Framework as a Roadmap to Reduce Risks
CSA - Research & Standards
Resources, Education & Best Practices
www.cloudsecurityalliance.org
About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 33,000 individual members, 150 corporate members, 60 chapters
• Building best practices and a trusted cloud ecosystem
• Research
• Education
• Certification
• Advocacy of prudent public policy
• Innovation, Transparency, GRC, Identity
“To promote the use of best practices for providing security assurance within Cloud Computing, and
provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Global Efforts
• Europe
• Proposed EU Data Privacy Regulation
• EC European Cloud Partnership
• US Federal government
• NIST
• FedRAMP
• APAC
• Standards bodies
• ISO SC 27
• ITU-T FG 17
• DMTF, PCI Standards Council
CSA Contributions - Research Projects - "Security Guidance for Critical Areas of Focus"
Cloud Architecture
Governing the Cloud:
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Operating in the Cloud:
Security, Business Continuity and Disaster Recovery
Data Center Operations
Incident Response, Notification and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Security as a Service
CSA GRC Stack
(Diagram: control requirements and provider assertions across private, community and public clouds.)
• Family of 4 Research Projects
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol
• Tools
• Tools for governance, risk and compliance management
• Enabling automation and continuous monitoring of GRC
CSA STAR Registry
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Based on Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator
• www.cloudsecurityalliance.org/star
CCSK - Certificate of Cloud Security Knowledge
• Benchmark of cloud security competency
• Measures mastery of CSA guidance and ENISA cloud risks
whitepaper
• Understand cloud issues
• Look for the CCSKs at cloud providers, consulting partners
• Online web-based examination
• www.cloudsecurityalliance.org/certifyme
• www.cloudsecurityalliance.org/training
CSA Resources & Activities
• Resources
 Research: www.cloudsecurityalliance.org/research/
 CCSK Certification: www.cloudsecurityalliance.org/certifyme
 Chapters: www.cloudsecurityalliance.org/chapters
 National Email: info@cloudsecurityalliance.org
 National LinkedIn Group: www.linkedin.com/groups?gid=1864210
 Twitter: @cloudsa
• Local DFW CSA North Texas Resources & Activities
 CSA North Texas LinkedIn Group: http://www.linkedin.com/groups?gid=3856567
 CSA North Texas Meetup: http://www.meetup.com/CSANTX/
 CSA North Texas Email: Norm Smith norm@csa-nt.org
 CSA North Texas Industry Days & Local University CSA Academic Days
 CSA North Texas Town Hall Meetings & Monthly Luncheons
Lessons to Walk Away With from Today’s Discussion
The New IT Landscape - All About Cloud, Mobile & Security
Educate, Build Framework, Layer Protection, Implement Incrementally
The Future of IT Is Cloud & Mobile - With Increasing Control in the Hands of End Users
Security is More Important than Ever - Risks & Liabilities from Security Threats are Substantial
You Must Take a Proactive Approach to Security
Security Must Be a Major Investment for All Organizations & Begins with Education
Addressing Security Risks and Liabilities Starts with Education and Information
Build A Framework of Policies, Procedures & Security Technologies to Reduce Risks/Liabilities
Start Today! - CSA Can Help with an Array of Free Valuable Guides & Resources
Recommended Reading
 Revealed: Operation Shady Rat - McAfee
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
 Operation Red October - Kaspersky Lab
http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies
http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
 DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat
http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
 Cyber-Security: The Vexed Question of Global Rules - Security & Defence Agenda (SDA)
http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf
 The Global State of Information Security Survey 2013 - PwC
http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
 McAfee 2013 Threats Predictions - http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf
 McAfee State of Security whitepaper - http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf
 Trustwave 2013 Global Security Report - http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
 The 2013 Data Breach Investigations Report - Verizon - http://www.verizonenterprise.com/DBIR/2013/
 2013 Information Security Breaches Survey: Technical Report - PwC
https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report
 Government Internet Security Threat Report, Volume 18 - Symantec - http://www.symantec.com/page.jsp?id=gov-threat-report
 Internet Security Threat Report (ISTR), Volume 18 - Symantec
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
 The Secret War - Wired Magazine - http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/
Thank You & Contact Information
Chad M. Lawler, Ph.D.
Director of Consulting Services
Cloud Computing
14643 Dallas Parkway, Suite 800, Dallas, Texas 75254
Office: 469.221.2894
Email: chad.lawler@hitachiconsulting.com
www.hitachiconsulting.com/cloud/
Connect with Me:
 http://www.linkedin.com/in/chadmlawler/
 https://twitter.com/chad_lawler
 http://www.slideshare.net/chadmlawler
Security & Compliance in the Cloud
Panel Discussion
CSA North Texas Chapter, Dallas / Ft. Worth
Chad M Lawler, Ph.D.
Director of Cloud
Computing, Hitachi
Consulting
Nathaniel Kummerfeld, J.D.
Assistant United States Attorney
United States Attorney's Office
Eastern District of Texas
Scot Miller
Director, Security
Architecture at Health
Management Systems
Tom Large
Director Corporate
Information Security at
Alliance Data
Tony Scott, CISSP
Senior Security and
Compliance Executive
GTR Medical Group
 
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...CA API Management
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?Jody Keyser
 
Cloud Services Brokerage Demystified
Cloud Services Brokerage DemystifiedCloud Services Brokerage Demystified
Cloud Services Brokerage DemystifiedZach Gardner
 
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...The Executive View on Cloud Service Brokers – Cloud Computing Association Con...
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...Chad Lawler
 
cloudSME The European hpc cloud platform for simulation
cloudSME The European hpc cloud platform for simulationcloudSME The European hpc cloud platform for simulation
cloudSME The European hpc cloud platform for simulationAndreas Ocklenburg
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computingHossam Zein
 
2014.06.13 - Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...
2014.06.13 -  Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...2014.06.13 -  Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...
2014.06.13 - Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...PartnerWin - #SocialSelling StarterPacks
 
Open Source and Cloud: Change Through Collaboration
Open Source and Cloud: Change Through CollaborationOpen Source and Cloud: Change Through Collaboration
Open Source and Cloud: Change Through CollaborationOPNFV
 
Cloud service brokerage explained
Cloud service brokerage explainedCloud service brokerage explained
Cloud service brokerage explainedOleksandr Varlamov
 
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...Chad Lawler
 
Warrantly - Cloud Warranty Management Platform
Warrantly - Cloud Warranty Management PlatformWarrantly - Cloud Warranty Management Platform
Warrantly - Cloud Warranty Management PlatformStartupYard
 
Cloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational PerspectivesCloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational PerspectivesMegan Eskey
 
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...Chad Lawler
 
Financial impact of Cloud Computing
Financial impact of Cloud ComputingFinancial impact of Cloud Computing
Financial impact of Cloud Computingkrisbliesner
 
Operational Best Practices in the Cloud
Operational Best Practices in the CloudOperational Best Practices in the Cloud
Operational Best Practices in the CloudRightScale
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Compliance LLC
 

Andere mochten auch (20)

Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
 
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?
 
Cloud Services Brokerage Demystified
Cloud Services Brokerage DemystifiedCloud Services Brokerage Demystified
Cloud Services Brokerage Demystified
 
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...The Executive View on Cloud Service Brokers – Cloud Computing Association Con...
The Executive View on Cloud Service Brokers – Cloud Computing Association Con...
 
cloudSME The European hpc cloud platform for simulation
cloudSME The European hpc cloud platform for simulationcloudSME The European hpc cloud platform for simulation
cloudSME The European hpc cloud platform for simulation
 
Podoactiva
PodoactivaPodoactiva
Podoactiva
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computing
 
2014.06.13 - Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...
2014.06.13 -  Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...2014.06.13 -  Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...
2014.06.13 - Cloud Brokerage, Pourquoi, Comment ? - IBM #CloudAccelerate - L...
 
eXp Explained - The Agent-Owned Cloud Brokerage
eXp Explained - The Agent-Owned Cloud Brokerage eXp Explained - The Agent-Owned Cloud Brokerage
eXp Explained - The Agent-Owned Cloud Brokerage
 
Open Source and Cloud: Change Through Collaboration
Open Source and Cloud: Change Through CollaborationOpen Source and Cloud: Change Through Collaboration
Open Source and Cloud: Change Through Collaboration
 
Cloud service brokerage explained
Cloud service brokerage explainedCloud service brokerage explained
Cloud service brokerage explained
 
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...
The Executive View on Big Data Platform Hosting - Evaluating Hosting Services...
 
Warrantly - Cloud Warranty Management Platform
Warrantly - Cloud Warranty Management PlatformWarrantly - Cloud Warranty Management Platform
Warrantly - Cloud Warranty Management Platform
 
Cloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational PerspectivesCloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational Perspectives
 
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...
Cloud Application Rationalization- The Cloud, the Enterprise, and Making the ...
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Financial impact of Cloud Computing
Financial impact of Cloud ComputingFinancial impact of Cloud Computing
Financial impact of Cloud Computing
 
Operational Best Practices in the Cloud
Operational Best Practices in the CloudOperational Best Practices in the Cloud
Operational Best Practices in the Cloud
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
 

Ähnlich wie Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance

Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Alisha Deboer
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1newbie2019
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfEarlvonDeiparine1
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia LunaAviva Spectrum™
 
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...GlobalSign
 
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...festival ICT 2016
 
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceColombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceDulanja Liyanage
 
A Case Study On Security Incidences
A Case Study On Security IncidencesA Case Study On Security Incidences
A Case Study On Security IncidencesLorie Harris
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical HackingIRJET Journal
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Rise of cyber security v0.1
Rise of cyber security v0.1Rise of cyber security v0.1
Rise of cyber security v0.1Sohail Gohir
 
C7 defending the cloud with monitoring and auditing
C7   defending the cloud with monitoring and auditingC7   defending the cloud with monitoring and auditing
C7 defending the cloud with monitoring and auditingDr. Wilfred Lin (Ph.D.)
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
Top 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On WebTop 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On WebSheila Guy
 
Securing the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and BeyondSecuring the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and BeyondPraveen Nair
 

Ähnlich wie Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance (20)

Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdf
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
 
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...
A History of IIoT Cyber-Attacks & Checklist for Implementing Security [Infogr...
 
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...
festival ICT 2013: L’evoluzione della sicurezza verso la nuova era della Smar...
 
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceColombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
 
A Case Study On Security Incidences
A Case Study On Security IncidencesA Case Study On Security Incidences
A Case Study On Security Incidences
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical Hacking
 
Data trawling and security strategies
Data trawling and security strategiesData trawling and security strategies
Data trawling and security strategies
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Rise of cyber security v0.1
Rise of cyber security v0.1Rise of cyber security v0.1
Rise of cyber security v0.1
 
C7 defending the cloud with monitoring and auditing
C7   defending the cloud with monitoring and auditingC7   defending the cloud with monitoring and auditing
C7 defending the cloud with monitoring and auditing
 
unit-1-is1.pptx
unit-1-is1.pptxunit-1-is1.pptx
unit-1-is1.pptx
 
Essay About Tft2
Essay About Tft2Essay About Tft2
Essay About Tft2
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
 
Top 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On WebTop 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On Web
 
Securing the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and BeyondSecuring the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and Beyond
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
 

Kürzlich hochgeladen

Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 

Kürzlich hochgeladen (20)

Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 

Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance

• 4. Cloud is Changing Business & IT
The New IT Landscape

IT OPERATIONS + MULTI CLOUD
 Legacy coexistence with cloud migration and new cloud apps
 Multiple applications spread across legacy and cloud environments
 Selective outsourcing and managed services
 Private, public and hybrid cloud utilization

DATACENTER - Traditional Data Center
 On-site traditional infrastructure
 Dedicated, with limited virtualization
 Internal application provisioning

PRIVATE CLOUD - Next Generation Datacenter
 On-site private cloud IaaS utility
 Dedicated on-site infrastructure
 Internal application provisioning

PUBLIC CLOUD - Public Cloud Datacenter (Regional Datacenter 1, Regional Datacenter 2)
 Off-site utility
 Pay-as-you-go consumption
 External application provisioning

HYBRID CLOUD - Hybrid Public/Private/Virtual Private Enterprise Datacenter
 On-site + off-site utility
 Dedicated infrastructure + utility
 Internal + external provisioning

Next Generation Datacenter Transition: Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix (SaaS, IaaS & PaaS)
• 5. Cloud is Changing Business & IT
The New IT Landscape

Cloud Ecosystem (diagram)
 Service providers: SaaS, IaaS, PaaS
 Your Business: business and end users circumventing IT, increasing shadow IT
 Your Central IT
• 6. Cloud is Changing Business & IT
The New IT Landscape

Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix
Focus on Cloud Supply Chain, Security & Governance
 Mix of public and private cloud services from multiple, different cloud providers
 With the cloud come increased complexities, disruptive for both business and IT
 Increased need for risk visibility, management, governance and security
 Businesses are already negotiating multiple cloud service contracts with different providers
 Using multiple, different cloud services means more contracts, payments and providers to manage
 Need for new best practices for security, cloud supply chain management and resource control
• 7. Cloud is Changing Business & IT
The New IT Landscape

Cloud + Mobile (diagram)
 Dispersal of applications
 Dispersal of data
 Dispersal of users
 Dispersal of endpoint devices
 Diagram labels: Cloud Users, Notional Organizational Boundary, Public Clouds, Private Clouds

Source: www.cloudsecurityalliance.org - Copyright © 2013 Cloud Security Alliance
• 8. Cloud is Changing Business & IT
The New IT Landscape

Where IT is Going
 Technology consumerization and its offspring
 Cloud: compute as a utility
 Smart mobility: compute anywhere
 Shifting balance of power to technology users
 Organizational structure & business planning
 Disrupting IT and IT security through agility

Key Trust Issues
 Transparency & visibility from providers
 Compatible laws across jurisdictions
 Data sovereignty
 Incomplete standards
 Multi-tenant technologies & architecture
 Incomplete identity management
 Consumer awareness & engagement

Is Challenging Our Assumptions About... Everything

Source: www.cloudsecurityalliance.org - Copyright © 2013 Cloud Security Alliance
• 9. Cloud is Changing Business & IT
The New IT Landscape (across Datacenter, Private Cloud, Public Cloud and Hybrid Cloud)

Governance
 Administration & control of IT assets
 Measurement, policy & enforcement
 Appropriate & authorized resource use

Security & Risk
 Confidentiality, integrity & availability
 Security protection, controls & reporting
 Incident mitigation, detection & response

Compliance
 Legal & regulatory
 Policies, standards & procedures
 Auditing & reporting
• 10. A Look at Today's Security Landscape
Facing Modern Security Threats
• 11. The State of Information Security - The Global State of Information Security Survey 2013
Source: The Global State of Information Security Survey 2013 - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
• 12. Texas Comptroller's 3.5 Million Record Breach
Source: Cyber Risk Remains a Serious Threat Facing Public Entities - http://www.netdiligence.com/files/Public%20Entity%20Cyber%20Risk-061512.pdf
"The state's investigation revealed that the data was not encrypted, even though Texas administrative rules require encryption of data files containing sensitive information."
• 13. Personally Identifiable Information - Consumer Notifications
Source: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/vermont-security-breaches.php
• 14. Notable Security Incidents Since 2008
1. Yahoo Japan - the identity details of up to 22 million users may have been compromised when attackers hacked into its computer systems.
2. Washington State Court System - May 2013 - exposed 160,000 Social Security numbers from a cyber attack on servers operated by the Washington state court system.
3. Federal Reserve - May 2013 - Federal Reserve security breach of undisclosed information. Anonymous exploited a zero-day vulnerability in Adobe ColdFusion.
4. Alabama Criminal Justice Information Center - May 2013 - Anonymous hack posts 4,000 bank executives' credentials, login & contact info, & IP addresses.
5. LivingSocial.com - April 2013 - security breach that exposed names, e-mail addresses and password data for up to 50 million of its users.
6. Twitter - February 2013 - 250,000 accounts hacked in security breach; hackers accessed usernames, email addresses and passwords in a 'sophisticated' operation.
7. US Army Corps of Engineers' National Inventory of Dams (NID) - cyber intrusion into sensitive information on vulnerabilities of 8,100 major dams in the US by Chinese cyber warriors.
8. Wyndham Hotels - announced in 2012, began in 2008 - over $10.6 million in credit card transactions made fraudulently. The most egregious security breach of 2012. The Federal Trade Commission brought a lawsuit against Wyndham Hotels.
9. Zappos - January 2012 - hackers compromised over 24 million records which included user names, phone numbers, email addresses, partial credit card numbers, and encrypted passwords.
10. LinkedIn/eHarmony - June 2012 - 8 million passwords taken.
11. Last.fm - mid-2012 - hackers exploited lax security to make off with millions of user passwords.
12. Medicaid - March 30, 2012 - hackers broke into a Utah Department of Health Medicaid server, exposing 280,000 residents' Social Security numbers & health data of 500,000 residents.
13. Sutter Physicians Services - 2011 - 3.3 million patients' medical details stolen, stored in encrypted format. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer.
14. Sony's PlayStation Network - April 20, 2011 - over 100 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month, and faced an ongoing customer relations fallout and class-action lawsuits over its failure to protect over 100 million user records.
15. ESTsoft - July-August 2011 - personal information of 35 million South Koreans exposed after hackers breached the security of a popular software provider.
16. Tricare and SAIC - September 2011 - 5.1 million people's records breached. Backup tapes containing SAIC (Science Applications International Corporation) data, with data on current and retired members of the armed services and their families, were stolen from the car of a Tricare employee. Led to a $4.9 billion lawsuit being filed.
17. Nasdaq - 2011 - attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.
18. Yahoo - 2011 - 450,000 user names and passwords stolen. Hackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and managed to steal files from Yahoo's Contributor Network. Shockingly, these files were not encrypted and were instead stored in plain text.
19. Epsilon - March 2011 - exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms.
20. RSA Security - March 2011 - 40 million employee records stolen. Attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack.
21. Stuxnet - sometime in 2010, but origins date to 2007 - attack on Iran's nuclear power program; serves as a template for real-world intrusion and service disruption.
22. VeriSign - throughout 2010 - impact: undisclosed information stolen.
23. Gawker Media - December 2010 - compromised e-mail addresses and passwords of about 1.3 million users on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.
24. Google / Yahoo / Silicon Valley companies - mid-2009 - stolen intellectual property. In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies.
25. US Military Networks - 2008 cyberattack, the "worst breach of U.S. military computers in history" and "the most significant breach of U.S. military computers ever." The Pentagon spent 14 months cleaning military networks. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," - William J. Lynn III, Deputy Secretary of Defense. Led to the creation of the US Cyber Command.
26. Heartland Payment Systems - March 2008 - impact: 134 million credit cards exposed; SQL injection was used to install spyware on Heartland's data systems.
• 15. Increasing Security Threat for SMBs - Flags Rise in SMB Security Breaches
"SMBs can no longer afford to assume their small size will keep them off the radar of cyber criminals and hackers." - PWC InfoSec 2013
• 16. "Hacking at small businesses is a prolific problem... It's going to get much worse before it gets better."
Dean Kinsman, Special Agent, FBI's Cyber Division
• 17. Revealed: Operation Shady RAT
Operation Shady RAT - August 2011
 Targeted intrusions into more than 70 global companies, governments and non-profit organizations over five years
Source: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
• 18. Revealed: Operation Shady RAT
Source: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
• 19. "Targeted intrusion is a problem of massive scale that affects nearly every industry ... and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."
Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011
• 20. Operation Red October
Operation Red October - January 11, 2013
 Kaspersky Lab research report which identified a cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
 Attackers gathered sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
Source: http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide
• 21. "There is sensitive geopolitical information being stolen, which is very valuable... Over the course of the last five years, we believe several terabytes of data was stolen - it's massive."
Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, 2013
• 22. DoD Networks Completely Compromised by Foreign Spies
"We've got the wrong model here. ...this model for cyber that says, 'We're going to develop a system where we're not attacked'... I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway. We have to protect the data anyway."
James Peery, Director of Sandia National Labs' Information Systems Analysis Center
http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say#
• 23. U.S. Weapons Systems Compromised by Chinese Cyberspies
http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/
 Designs for many of the nation's most sensitive advanced weapons systems have been stolen and compromised by Chinese hackers.
 Designs stolen:
 Patriot missile system, known as PAC-3
 An Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD
 The Navy's Aegis ballistic-missile defense system
 F/A-18 fighter jet
 The V-22 Osprey, the Black Hawk helicopter
 The Navy's new Littoral Combat Ship
 The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion, stolen by Chinese cyberhackers in 2007
 Drone video systems, nanotechnology, tactical data links and electronic warfare systems also compromised.
 Defense contractors include: Boeing, Lockheed Martin, Raytheon and Northrop Grumman.
• 24. "In many cases, they (DoD contractors) don't know they've been hacked until the FBI comes knocking on their door. This is billions of dollars of combat advantage for China. They've just saved themselves 25 years of research and development. It's nuts."
Senior Military Official, on Compromise of US Weapons Systems Designs
• 25. Proactively Managing Governance, Risk & Compliance - Educate, Build a Framework, Layer Protection, Implement Incrementally
• 26. "No single product will stop spear-phishing, protect sensitive data, thwart malware, or put an end to malicious insiders... Instead there are several solutions across endpoint, network, data security and security management that can and should be used in a connected framework to enrich each other and thus mitigate risk..."
McAfee - Building a Better Shady RAT Trap
• 27. Elevate Security Importance - Build a Governance Framework
 CSA Governance, Risk Management and Compliance (GRC) Stack
 https://cloudsecurityalliance.org/research/projects/grc-stack/
 Integrated Cloud Framework: Security, Governance, Compliance
 http://www.slideshare.net/chadmlawler/
• 28. Build Incremental Security Layers
 Integrate Complete Security Solutions in Cloud Environments
 Deep code-level security vulnerability reviews on all cloud applications
 Security services: Single Sign On (SSO), PKI & certificate management
 Identity management, vulnerability scanning, PII detection & continuous auditing
 SIEM with root cause analysis & risk assessment, patch & log management system
 Antivirus & anti-malware system, IPS/IDS event management & data loss prevention
 Data encryption for data at rest, SSL/HTTPS for data in transit
• 29. "If you can't stop attacks (spear-phishing), you can at least know when they occur if you have a properly tuned Security Incident & Event Management (SIEM) system in place. You need all the key components feeding data into it including:
 Proactive, organized response procedures for security incidents
 A Security Operations Center (SOC) & monitoring system
 Intrusion Detection & Prevention System (IDS/IPS)
 Security logs with monitoring and analysis
 Data Loss Prevention (DLP) & Encryption
 Host-based anti-malware & antivirus"
Jeromme Lawler, CISSP, CRISC, Security Architect, AsTech Consulting, 2013
• 30. Top Security Resources
 SysAdmin, Audit, Networking and Security (SANS) Top 20 Critical Controls for Effective Cyber Defense
 SANS Newsletters - http://www.sans.org/newsletters/
 Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks
 Open Web Application Security Project (OWASP) Top 10 Mobile Risks
 Open Web Application Security Project (OWASP) Cheat Sheets
 Australian Department of Defense (DOD) Top 35 Mitigation Strategies
 National Institute of Standards and Technology (NIST) Special Publications 800 Series
 European Network and Information Security Agency (ENISA) Threat Landscape
 International Organization for Standardization (ISO) 27000 Series
 Information Systems Audit and Control Association (ISACA) COBIT Framework
• 31. Proactively Managing Governance, Risk & Compliance - Be Proactive in Working to Mitigate Liabilities & Risks
 Understand that security in the cloud must be managed
 Implement a policy that calculates & quantifies cloud application risk
 Evaluate application & data security requirements
 Plan & budget for implementing security services
 Leverage a framework which covers all key risk and liability areas
 Implement & adhere to your framework as a roadmap to reduce risks
• 32. CSA - Research & Standards - Resources, Education & Best Practices
• 33. About the Cloud Security Alliance
 Global, not-for-profit organization
 Over 33,000 individual members, 150 corporate members, 60 chapters
 Building best practices and a trusted cloud ecosystem
 Research
 Education
 Certification
 Advocacy of prudent public policy
 Innovation, Transparency, GRC, Identity
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
• 34. Global Efforts
 Europe
 Proposed EU Data Privacy Regulation
 EC European Cloud Partnership
 US Federal government
 NIST
 FedRAMP
 APAC
 Standards bodies
 ISO SC 27
 ITU-T FG 17
 DMTF, PCI Standards Council
• 35. CSA Contributions - Research Projects - "Security Guidance for Critical Areas of Focus"
Cloud Architecture
Governing the Cloud
 Governance and Enterprise Risk Management
 Legal and Electronic Discovery
 Compliance and Audit
 Information Lifecycle Management
 Portability and Interoperability
Operating in the Cloud
 Security, Business Continuity, and Disaster Recovery
 Data Center Operations
 Incident Response, Notification, Remediation
 Application Security
 Encryption and Key Management
 Identity and Access Management
 Virtualization
 Security as a Service
• 36. CSA GRC Stack - Control Requirements, Provider Assertions; Private, Community & Public Clouds
 Family of 4 research projects
 Cloud Controls Matrix
 Consensus Assessments Initiative
 Cloud Audit
 Cloud Trust Protocol
 Tools
 Tools for governance, risk and compliance management
 Enabling automation and continuous monitoring of GRC
• 37. CSA STAR Registry
 CSA STAR (Security, Trust and Assurance Registry)
 Public registry of cloud provider self-assessments
 Based on the Consensus Assessments Initiative Questionnaire
 Provider may substitute documented Cloud Controls Matrix compliance
 Voluntary industry action promoting transparency
 Security as a market differentiator
 www.cloudsecurityalliance.org/star
• 38. CCSK - Certificate of Cloud Security Knowledge
 Benchmark of cloud security competency
 Measures mastery of CSA guidance and the ENISA cloud risks whitepaper
 Understand cloud issues
 Look for CCSKs at cloud providers and consulting partners
 Online web-based examination
 www.cloudsecurityalliance.org/certifyme
 www.cloudsecurityalliance.org/training
• 39. CSA Resources & Activities
 Resources
 Research: www.cloudsecurityalliance.org/research/
 CCSK Certification: www.cloudsecurityalliance.org/certifyme
 Chapters: www.cloudsecurityalliance.org/chapters
 National Email: info@cloudsecurityalliance.org
 National LinkedIn Group: www.linkedin.com/groups?gid=1864210
 Twitter: @cloudsa
 Local DFW CSA North Texas Resources & Activities
 CSA North Texas LinkedIn Group: http://www.linkedin.com/groups?gid=3856567
 CSA North Texas Meetup: http://www.meetup.com/CSANTX/
 CSA North Texas Email: Norm Smith, norm@csa-nt.org
 CSA North Texas Industry Days & Local University CSA Academic Days
 CSA North Texas Town Hall Meetings & Monthly Luncheons
• 40. Lessons to Walk Away With from Today's Discussion
The New IT Landscape - All About Cloud, Mobile & Security
Educate, Build a Framework, Layer Protection, Implement Incrementally
 The future of IT is cloud & mobile, with increasing control in the hands of end users
 Security is more important than ever; risks & liabilities from security threats are substantial
 You must take a proactive approach to security
 Security must be a major investment for all organizations, and it begins with education
 Addressing security risks and liabilities starts with education and information
 Build a framework of policies, procedures & security technologies to reduce risks and liabilities
 Start today! CSA can help with an array of free, valuable guides & resources
• 41. Recommended Reading
 Revealed: Operation Shady RAT - McAfee - http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
 Operation Red October - Kaspersky Lab - http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies and http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
 DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat - http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
 Cyber-Security: The vexed question of global rules - Security & Defence Agenda (SDA) - http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf
 The Global State of Information Security Survey 2013 - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
 McAfee 2013 Threats Predictions - http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf
 McAfee State of Security whitepaper - http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf
 Trustwave 2013 Global Security Report - http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
 The 2013 Data Breach Investigations Report - Verizon - http://www.verizonenterprise.com/DBIR/2013/
 2013 Information Security Breaches Survey: Technical Report - PWC - https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report
 Government Internet Security Threat Report, Volume 18 - Symantec - http://www.symantec.com/page.jsp?id=gov-threat-report
 Internet Security Threat Report (ISTR), Volume 18 - Symantec - http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
 The Secret War - Wired Magazine - http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/
• 42. Thank You & Contact Information
Chad M. Lawler, Ph.D.
Director of Consulting Services, Cloud Computing
14643 Dallas Parkway, Suite 800, Dallas, Texas 75254
Office: 469.221.2894
Email: chad.lawler@hitachiconsulting.com
www.hitachiconsulting.com/cloud/
Connect with Me:
 http://www.linkedin.com/in/chadmlawler/
 https://twitter.com/chad_lawler
 http://www.slideshare.net/chadmlawler
• 43. Security & Compliance in the Cloud - Panel Discussion
NORTH TEXAS CHAPTER - DALLAS / FT. WORTH
 Chad M. Lawler, Ph.D. - Director of Cloud Computing, Hitachi Consulting
 Nathaniel Kummerfeld, J.D. - Assistant United States Attorney, United States Attorney's Office, Eastern District of Texas
 Scot Miller - Director, Security Architecture at Health Management Systems
 Tom Large - Director, Corporate Information Security at Alliance Data
 Tony Scott, CISSP - Senior Security and Compliance Executive, GTR Medical Group