1. Jirasek Consulting Services
Classification: Public 1
Supporting Business Agility
Cloud governance: Examples from trenches
Cloud and Mobile Compliance Summit
Vladimir Jirasek
Jirasek Consulting Services & Research Director, Cloud Security Alliance, UK chapter
Governance is:
• … the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes.
SOURCE: Wikipedia, http://en.wikipedia.org/wiki/Governance
Applied to Cloud
• Setting company policy for Cloud computing
• Risk-based decision on which Cloud provider, if any, to engage
• Assigning responsibilities for enforcing and monitoring policy compliance
• Setting corrective actions for non-compliance
Cloud governance::Policy
• Cloud adopted typically by
a) IT directors – managed relatively consistently and mostly [I|P]aaS
b) Business managers – less governance; typically SaaS
• Policy should state: It is a policy of … to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards.
Cloud standard structure
• General statements
– Governance requirements for Cloud
– Enterprise architecture to be ready for Cloud, with Cloud services able to plug in (IAM, SIEM, Data architecture, Forensic)
– Discovery of Cloud service use
• Before Cloud project
– Cloud service to comply with data classification
– Encrypting all sensitive data in Cloud
– Identity and Access management (AAA) link to Cloud service
• During Cloud project
– Due diligence to be performed
– Do not forget “right to audit”
– Know locations of PII
– Assess availability (SLA and DR) of Cloud provider
– Assess Cloud provider security controls
– Assess potential for forensic investigation by company’s team
• Running a Cloud service
– Limit use of live data for development and testing
– Monitor cloud provider’s security controls
– Link Company’s SIEM with Cloud provider and monitor for incidents
• Moving out of Cloud
– Data cleansing
– Data portability
Trust and do not verify
• Large manufacturer and very large software company
• SaaS
• No change to legal terms and conditions allowed -> increased risk of non-compliance
• Decision to go ahead anyway
• Tip: The bigger the provider, the less flexibility on contracts. Shopping around is not always possible.
Did you erase my data?
• Large media company “outsourced” CRM to SA company
• Standard contract conditions
• Little assurance that the data has been deleted when the contract ends -> security expert spent a week in SA “assessing”
• Tip: Negotiate “exit” before signing the contract. Seek details on how the data is erased.
I have 1TB of CSV files, now what?
• Customer uses well-known CRM in Cloud
• SaaS designed to immerse clients into a well-defined, bespoke CRM
• No known data model
• Export of data in CSV
• Tip: Portability is key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?
I take this rack “please”!
• Law enforcement has been slower to adapt to the principles of Cloud computing
• Small cloud providers are more vulnerable to seizure of HW rather than the use of clever imaging/forensic techniques
• SaaS generally more affected
• Tip: Use reputable and strong cloud providers who have developed a good relationship with law enforcement (ask upfront).
Scaling up/down development
• Large manufacturing and service company
• Requirement to support development needs with seasonal demands – ideal case for [I|P]aaS
• Security team approached up-front to perform review
• “Live” data not uploaded to the provider before on-site sanitising
Summary
• Have a Cloud policy/standard and update risk management classification
• Engage with Procurement and Finance teams – gatekeepers for any contracts and credit card spend
• Discover usage of Cloud services
• Prepare your enterprise architecture to plug Cloud services into IAM, SIEM, Key management
• Think about Cloud exit upfront
• Do not fear Cloud – another form of outsourcing!!
Contact
• Vladimir Jirasek
• vladimir@jirasekconsulting.com
• www.jirasekconsulting.com
• @vjirasek
• About.me/Jirasek