Governance and Security in Cloud and Mobile Apps
http://privateers.in/9f

Bring Your Own Policy

Michael Scheidell, CISO
Security Privateers™
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com

• Corporate InfoSec Consultant
• Certified CISO
• Senior Member, IEEE
• Founded Three South Florida Tech Companies
• Privacy Expert
• Member ISSA, IAPP, ISACA, IEEE, FBI InfraGard, PMI, SFTA, CSA
• Patents in Network Security
• Finalist EE Times ACE Innovator of the Year

© 2013 All Rights Reserved

AGENDA

• Common Risks: Desktop, Server, Cloud, Mobile
• Platform Specific Issues: Android, iPhone
• Governance: Privacy, beyond regulations
• Partly Cloudy with a chance of all hail: Any Device, Anywhere
• Select Cloud Types: Shared, Private, Hybrid
• Services to Protect: Authentication, Storage, Processing

Spacely Sprockets
We make our Clients go NUTS(tm)

[Slide figure: a business value-chain mind map for Spacely Sprockets with branches for Customer Support (online help, service consultants, call center), Supply Chain (stock allocated close to the customer, short delivery time), Sales & Marketing (free upgrade, new features, nice design, better products, viral marketing where users tip each other, attract the best sales people), Sustainable (think green in the whole value chain, be CO2 neutral), Price (cheap? average? luxury?) and Build Relationships (online, on air, on TV, print). Tagline: We are NUTS(tm).]

[Slide figure: Scrum process diagram. Preparation: business case & funding, contractual agreement, vision, initial product backlog, initial release plan, stakeholder buy-in, assemble team. Sprint planning meeting; daily cycle (daily scrum, daily work); update product backlog; sprint review; sprint retrospective; product increment; release.]

Product Management
• Security / Privacy
• Compliance
• Legal

QA -> Production
• Beta Test
• Web App Test
• Source Code Review
Top 10 Vulnerabilities, Top 10 - 2013
Open Web Application Security Project (OWASP)

Common Vulnerabilities, Web, Mobile, Cloud
1. SQL Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities (dependencies?)
10. Unvalidated Redirects and Forwards

© 2013 All Rights Reserved, portions © OWASP
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

New Platform, Old Mistakes
Keep doing the same thing hoping for different results

Found in web, cloud and mobile

• SQL Injection
• Lack of Encryption
  – Data at Rest, Data in Motion
• Least Access Privilege
  – Authentication
  – Permissions

New Platform, Old Mistakes (continued)

Web, Cloud, Mobile Mistakes

• Data Storage
  – DB (SQL[ite]) or flat files?
  – Encrypt or not?
  – Least Access Privilege
• Source Files
  – Java
  – Configuration Files
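The two "old mistakes" slides above name SQL injection and least access privilege, and ask whether app data lives in SQL[ite] or flat files. The following Python example is added here to show both points on SQLite; it is not code from the deck. It puts a string-built query beside a parameterised one, then opens a read-only connection so that even a successful injection cannot change data at rest. The table, rows, temporary file path and probe string are all constructed for the demo.

```python
"""SQL injection and least access privilege, demonstrated on SQLite.

Added example for the two "old mistakes" slides; it is not code from the deck.
It shows a string-built query next to a parameterised one, and a read-only
database connection so that even a successful injection cannot change data at
rest. The table, rows and probe string are constructed for the demo.
"""
import os
import sqlite3
import tempfile
from contextlib import closing

# Constructed sample database on disk (not :memory:) so that the read-only
# URI open below has a file whose writes it can refuse.
DB_PATH = os.path.join(tempfile.mkdtemp(), "demo.sqlite")


def build_db(path: str = DB_PATH) -> None:
    """Create a two-row users table (constructed sample data)."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("DROP TABLE IF EXISTS users")
        conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
        conn.executemany(
            "INSERT INTO users VALUES (?, ?)",
            [("alice", "alice-token"), ("bob", "bob-token")],
        )
        conn.commit()


def vulnerable_lookup(name: str, path: str = DB_PATH) -> list:
    """OWASP 2013 #1: the caller's value is pasted into the SQL text, so the
    value can rewrite the WHERE clause and return rows it should not."""
    with closing(sqlite3.connect(path)) as conn:
        sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
        return conn.execute(sql).fetchall()


def safe_lookup(name: str, path: str = DB_PATH) -> list:
    """Parameterised query: the driver binds the value, and it is never parsed
    as SQL no matter which characters it contains."""
    with closing(sqlite3.connect(path)) as conn:
        sql = "SELECT name, secret FROM users WHERE name = ?"
        return conn.execute(sql, (name,)).fetchall()


def try_write_readonly(path: str = DB_PATH) -> str:
    """Least access privilege at the storage layer: a connection opened with
    mode=ro is refused every write, so code that only needs to read cannot be
    turned into an UPDATE or DROP even if its SQL is attacker-controlled.
    Returns 'blocked' when SQLite rejects the write."""
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as conn:
        try:
            conn.execute("UPDATE users SET secret = 'changed'")
            conn.commit()
            return "written"
        except sqlite3.OperationalError:
            return "blocked"


if __name__ == "__main__":
    build_db()
    probe = "' OR '1'='1"  # constructed: makes the pasted WHERE clause true for every row
    print("vulnerable:", vulnerable_lookup(probe))  # both rows, both secrets
    print("safe:      ", safe_lookup(probe))        # [] - nobody has that name
    print("read-only: ", try_write_readonly())      # blocked
```

The read-only connection is the "least access privilege" half of the slide: the lookup code gets only the capability it needs, so the blast radius of the first bug is bounded by the second control.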

New Problems
You didn’t learn this at FIU or Nova

1. Android Application Permissions
Each application lists the APIs it wants to use:
• “camera” (scan, flashlight)
• Fine Location (GPS), for a flashlight!
Use an Android ‘Intent’ instead (if you want to take a picture).

2. Rooted / Jailbroken Phones
Application permissions mean nothing: full read/write permissions, read passwords.

3. Platform or User Backups
Google backup uses reversible encryption and backs up your Wifi and application data. Dropbox uses reversible encryption.

New Problems (continued)

4. Encrypt Data in Motion
17% of applications that use SSL are flawed and susceptible to man-in-the-middle (MITM) attacks.
AMX, Diners Club, Paypal, Twitter, Google, Yahoo, Microsoft Live ID
• Use MalloDroid to check implementations
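The question behind item 4 is whether the client actually verifies the server it talks to. The Python example below is added here and is not from the deck, nor is it MalloDroid (which inspects Android apps); it asks the same question of a Python `ssl.SSLContext`, with a deliberately flawed context beside a hardened one. The finding names and the `audit_tls_context` function are this example's own.

```python
"""Does this client actually verify the server? A configuration check in the
spirit of the deck's "use MalloDroid to check implementations" item.

Added example, not from the deck and not MalloDroid itself (which inspects
Android apps); it applies the same question to a Python ssl.SSLContext, with a
deliberately flawed context next to a hardened one.
"""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return (finding, consequence) pairs; an empty list means the context
    validates the peer the way a browser would."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(("CERT_NONE",
                         "any certificate is accepted, so a man-in-the-middle can present its own"))
    if not ctx.check_hostname:
        findings.append(("hostname not checked",
                         "a valid certificate for some other site is accepted"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("pre-TLS-1.2 allowed",
                         "the handshake can be negotiated down to TLS 1.0/1.1"))
    return findings


def flawed_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' change: validation switched
    off. This is the class of flaw tools like MalloDroid report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """System CA store, CERT_REQUIRED, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("flawed", flawed_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or "no findings")
```

The same three questions (is the chain checked, is the hostname checked, which protocol versions are allowed) are what to ask of any HTTP client library a mobile or cloud app pulls in, whatever language it is written in.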

5. Source Code Review
• Design In Security
• Whitelisting vs Blacklisting
• Automated Code Review (CheckMarx.com)

6. Privacy Statements
Write a privacy statement, approved by Legal, endorsed by Management. Follow it!
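"Whitelisting vs Blacklisting" under item 5 is easiest to see on OWASP 2013 #10, unvalidated redirects. The Python example below is added here and is not from the deck: the same redirect targets are judged first by a blocklist of "bad-looking" strings and then by an allowlist of hosts. The allowed hosts and sample targets are constructed for the demo, and the allowlist check goes a little beyond the slide by also rejecting the protocol-relative and backslash forms that browsers accept as external.

```python
"""Whitelisting vs blacklisting, applied to OWASP 2013 #10 (unvalidated
redirects and forwards).

Added example, not from the deck: the same redirect targets are judged first by
a blocklist of "bad-looking" strings and then by an allowlist of hosts. The
allowed hosts and the sample targets are constructed for the demo.
"""
from urllib.parse import urlparse

# Constructed: the only places this application is allowed to send a browser.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}


def blacklist_is_safe(target: str) -> bool:
    """Blocklist: reject what looks external. Each rule guesses at attacker
    input and the list is never complete."""
    lowered = target.lower()
    if lowered.startswith(("http://", "https://")):
        return False                       # "obviously" external
    if "evil.example.net" in lowered:
        return False                       # a host we already know about
    return True


def whitelist_is_safe(target: str) -> bool:
    """Allowlist: parse the target and accept only a same-site relative path
    or an https URL whose host is explicitly trusted."""
    if "\\" in target or "\r" in target or "\n" in target:
        return False                       # backslash tricks, header injection
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # relative reference: must be a path on this site, not "//host/..."
        return target.startswith("/") and not target.startswith("//")
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def compare(targets) -> dict:
    """Map each target to (blocklist verdict, allowlist verdict)."""
    return {t: (blacklist_is_safe(t), whitelist_is_safe(t)) for t in targets}


if __name__ == "__main__":
    samples = [                            # constructed redirect targets
        "/account/settings",
        "https://login.example.com/sso",
        "//attacker.example.org/",
        "https://login.example.com@attacker.example.org/",
    ]
    for target, (blocked_ok, allowed_ok) in compare(samples).items():
        print(f"{target:50} blocklist={blocked_ok!s:5} allowlist={allowed_ok}")
```

The blocklist gets the two interesting rows wrong in opposite directions: it rejects the legitimate single-sign-on host and accepts the protocol-relative external URL, because it reasons about strings rather than about where a browser will actually go. The allowlist parses the target and decides on the resulting host, which is the design-in-security habit the slide is asking for.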

Compliance / Regulations
HIPAA/HITECH/GLBA/SOX/FISMA/FFIEC/FERPA/NIST/ABC/123

Build in Compliance, Written Policies
1. Information Sensitivity Policy
2. Password Policy
3. Remote Access Policy
4. Software Development Policy
5. Licensing: GPL, aGPL, LGPL

It’s getting Cloudy now

• SaaS (Applications)
  – Office365
  – Salesforce
  – Google
  – Microsoft Azure instances
• PaaS (Windows/LAMP)
  – Amazon EC2
  – Azure Platforms
• IaaS (Firewalls, Networks, Storage)
  – Amazon
  – Azure

What is the Cloud?
The cloud is many things to many people.
There is no cloud.
Someone else’s mainframe and NAS

Where is the Cloud?
Where is your Data Stored?
Where is your Processing Done?
Where is the Data Flow?
Private, Public, Hybrid

It’s getting Cloudy now (continued)

• Public Cloud: SaaS
  – Non regulated Data
  – Standardized application
  – Lots of users
  – Incremental capacity
  – PaaS: Software development
• Private Cloud: PaaS
  – Regulated Data
  – Strict Security and Control
  – Large Company
  – Non Standard/Custom Applications
• Hybrid Clouds: SaaS+PaaS
  – PaaS for storage
  – VPN to SaaS

It’s getting Cloudy now (continued)

Why is the Cloud? What will you use the Cloud for?
• Any Device, Anywhere
• Storage
• Authentication Services
• Platform rollout
• Geographic Redundancy
• Development and Test
• Disaster Recovery
• Web and Mobile Apps
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
Cloud Security Alliance

Risk Analysis
• Identify the Asset
  – Data
  – Applications
  – Functions
  – Processes
• Evaluate the Asset Liability
  – Asset became widely public
  – Cloud Provider accessed Asset
  – Process manipulated by outsider
  – Function provided wrong results
  – Data changed
  – Denial of Service

Compliance and Governance
We can keep you out of jail cheaper than break you out of jail

Governing in the Cloud
1. Enterprise Risk Management
2. Legal Issues: Contracts and E-Discovery
3. Compliance and Audit Management
4. Information Management and Data Security
5. Interoperability and Portability

Operating in the Cloud
1. Traditional IS, BCP, DR
2. Application Security
3. Encryption and Key Management
4. Identity and Access Management
5. Security as a Service

New Platform, Old Mistakes
Keep doing the same thing hoping for different results

• Join ISSA http://www.sfissa.org/
• Join CSA https://cloudsecurityalliance.org/
• Join Infragard https://www.infragard.org/
• Join OWASP https://www.owasp.org
• Code Review http://checkmarx.com
• Training / Conferences / Presentations

Governance and Security in Cloud and Mobile Applications
Where to get Help

Security Privateers
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Call to set up an appointment for initial review

Policy Gap Analysis
Review current policies, compare against best practices and current government regulations.

• OWASP Training
• Web App Assessment
• SDLC Review
• Cloud Security Consulting
• Mobile Application testing

Authentically Social - presented by Corey PerlmanAuthentically Social - presented by Corey Perlman
Authentically Social - presented by Corey Perlman
 

Governance and Security in Cloud and Mobile Apps

  • 6. Top 10 Vulnerabilities, Top 10 - 2013
    Open Web Application Security Project (OWASP) Common Vulnerabilities: Web, Mobile, Cloud
      1. SQL Injection
      2. Broken Authentication and Session Management
      3. Cross-Site Scripting (XSS)
      4. Insecure Direct Object References
      5. Security Misconfiguration
      6. Sensitive Data Exposure
      7. Missing Function Level Access Control
      8. Cross-Site Request Forgery (CSRF)
      9. Using Components with Known Vulnerabilities (dependencies?)
      10. Unvalidated Redirects and Forwards
    © 2013 All Rights Reserved, portions © OWASP https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 7. New Platform, Old Mistakes
    Keep doing the same thing hoping for different results
    Found in web, cloud and mobile:
      • SQL Injection
      • Lack of Encryption
        – Data at Rest, Data in Motion
      • Least Access Privilege
        – Authentication
        – Permissions
  • 8. New Platform, Old Mistakes
    Keep doing the same thing hoping for different results
    Web, Cloud, Mobile Mistakes:
      • Data Storage
        – DB (SQL[ite]) or flat files?
        – Encrypt or not?
        – Least Access Privilege
      • Source Files
        – Java
        – Configuration Files
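The first "old mistake" on slides 7 and 8, shown as an added example that is not part of the deck: a lookup that builds SQL by string concatenation next to the parameterized query that fixes it, run against an in-memory SQLite database. The users table and the tautology input are constructed for the demo. Because identifiers such as ORDER BY column names cannot be bound as parameters, the example also validates those against an explicit whitelist rather than a blacklist of "bad characters".

```python
"""Added example (not from the slide deck): SQL built from strings versus a
bound parameter, on an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect kept on purpose: the input is pasted into the statement text, so a
    value containing a quote rewrites the WHERE clause instead of matching a name."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed version: the value travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Column names cannot be bound, so they are checked against a whitelist of the
# columns the application actually offers for sorting (an assumption for the demo).
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Whitelist validation for an identifier; anything not listed is rejected."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


def demo() -> dict:
    """Run both lookups with a constructed tautology input and return the results."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input: no such user, but the quote matters
    return {
        "vulnerable": find_user_vulnerable(conn, tautology),  # every row comes back
        "safe": find_user_safe(conn, tautology),              # no user has that name
        "sorted": list_users_sorted(conn, "name"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns all three users for the constructed input because the quote closes the literal and the rest becomes part of the WHERE clause; the parameterized function returns nothing because SQLite compares the whole string against the name column. The same two rules (bind values, whitelist identifiers) apply unchanged whether the store is a server database, SQLite on a phone, or a flat file queried through an SQL layer.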
  • 9. New Problems
    You didn't learn this at FIU or Nova
      1. Android Application Permissions
         Each application lists the APIs it wants to use:
           • "camera" (scan, flashlight)
           • Fine Location (GPS), for a flashlight!
         Use an Android 'Intent' instead (if you want to take a picture)
      2. Rooted / Jailbroken Phones
         Application permissions mean nothing: full read/write permissions, read passwords
      3. Platform or User Backups
         Google backup uses reversible encryption and backs up your Wifi and application data. Dropbox uses reversible encryption.
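The permission and backup points on slide 9 come down to a review of the app's manifest, so here is an added least-privilege check (not from the deck) over an AndroidManifest.xml. The manifest text is constructed for the demo: a flashlight app that requests the camera but also fine location and network access, and leaves app data in platform backups. The permission names and the android:allowBackup attribute are real Android identifiers; the "expected" permission set is an assumption about what a flashlight needs. If the app delegated picture-taking to the camera app through an Intent, CAMERA would drop out of the expected set and be flagged as well.

```python
"""Added example (not from the slide deck): audit an Android manifest for
permissions beyond what the app needs and for data exposed to platform backups.
The manifest below is constructed for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a flashlight app with more permissions than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight" android:allowBackup="true"/>
</manifest>
"""

# Assumption for the demo: what a flashlight legitimately needs on older devices.
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}


def requested_permissions(manifest_xml: str) -> list:
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def allow_backup(manifest_xml: str) -> bool:
    """True when app data is included in platform backups. Android treats a
    missing android:allowBackup attribute as true, so the default mirrors that."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return True
    return app.get(f"{{{ANDROID_NS}}}allowBackup", "true").lower() == "true"


def audit_manifest(manifest_xml: str, expected: set) -> list:
    """Return findings: each permission outside the expected set, plus one
    finding when the app's data would be carried into platform backups."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm not in expected:
            findings.append(f"unexpected permission: {perm}")
    if allow_backup(manifest_xml):
        findings.append("android:allowBackup is true: app data goes into platform backups")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED):
        print(finding)
```

On the constructed manifest the audit reports the location and network permissions and the backup setting; the same check run in a build pipeline catches a permission that a dependency or a copy-pasted template added without anyone deciding the app needed it.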
  • 10. New Problems
    You didn't learn this at FIU or Nova
      4. Encrypt Data in Motion
         17% of applications that use SSL are flawed and susceptible to MITM (man-in-the-middle) attacks: AMX, Diners Club, Paypal, Twitter, Google, Yahoo, Microsoft Live ID
           • Use MalloDroid to check implementations
      5. Source Code Review
           • Design In Security
           • Whitelisting vs Blacklisting
           • Automated Code Review (CheckMarx.com)
      6. Privacy Statements
         Write a privacy statement, approved by Legal, endorsed by Management. Follow it!
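The "flawed SSL" finding on slide 10 almost always means the client stopped checking the server's certificate or hostname, which is exactly what a man-in-the-middle needs. As an added example (not from the deck, and not MalloDroid, which is a static analyser for Android apps), here is that mistake beside the hardened configuration, expressed as Python ssl.SSLContext objects with a small audit function over them. Nothing in this file opens a network connection; the contexts are constructed locally.

```python
"""Added example (not from the slide deck): the client-side TLS settings that
make an app susceptible to man-in-the-middle attacks, with a check that flags
them. The contexts are built locally; no network traffic is involved."""
import ssl


def flawed_context() -> ssl.SSLContext:
    """The pattern behind most flawed-SSL findings: verification was switched
    off to make a self-signed test server work, and the app shipped that way."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, from anyone, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Python's default client context already verifies the chain against the
    system trust store and checks the hostname; pin the minimum protocol version
    so a downgrade to legacy TLS is refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client context; an empty list means peers are verified."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"allows legacy protocol versions (minimum {ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    print("flawed:  ", audit_context(flawed_context()))
    print("hardened:", audit_context(hardened_context()))
```

A context with CERT_NONE accepts any certificate, so an attacker on the same Wi-Fi who terminates the connection with their own certificate reads and modifies everything the app sends; check_hostname False is the subtler variant where the chain is valid but was issued for a different host. The audit is the kind of assertion to put in a unit test so the "temporary" change made for a test server cannot reach production.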
  • 11. Compliance / Regulations
    HIPAA/HITECH/GLBA/SOX/FISMA/FFIEC/FERPA/NIST/ABC/123
    Build in Compliance, Written Policies:
      1. Information Sensitivity Policy
      2. Password Policy
      3. Remote Access Policy
      4. Software Development Policy
      5. Licensing: GPL, aGPL, LGPL
  • 12. It’s getting Cloudy now
    What is the Cloud? Where is the Cloud? The cloud is many things to many people. There is no cloud: someone else’s mainframe and NAS.
      • SaaS (Applications): Office365, Salesforce, Google, Microsoft Azure instances
      • PaaS (Windows/LAMP): Amazon EC2, Azure Platforms
      • IaaS (Firewalls, Networks, Storage): Amazon, Azure
    Where is your Data Stored? Where is your Processing Done? Where is the Data Flow? Private, Public, Hybrid
  • 13. It’s getting Cloudy now
      • Public Cloud: SaaS
        – Non regulated Data
        – Standardized application
        – Lots of users
        – Incremental capacity
        – PaaS: Software development
      • Private Cloud: PaaS
        – Regulated Data
        – Strict Security and Control
        – Large Company
        – Non Standard/Custom Applications
      • Hybrid Clouds: SaaS+PaaS
        – PaaS for storage
        – VPN to SaaS
  • 14. It’s getting Cloudy now
    Why is the Cloud? What will you use the Cloud for?
      • Any Device, Anywhere
      • Storage
      • Authentication Services
      • Platform rollout
      • Geographic Redundancy
      • Development and Test
      • Disaster Recovery
      • Web and Mobile Apps
  • 15. Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
    Cloud Security Alliance Risk Analysis
      • Identify the Asset
        – Data
        – Applications
        – Functions
        – Processes
      • Evaluate the Asset Liability
        – Asset became widely public
        – Cloud Provider Accessed Asset
        – Process manipulated by outsider
        – Function provided wrong results
        – Data changed
        – Denial of Service
  • 16. Compliance and Governance
    We can keep you out of jail cheaper than break you out of jail
    Governing in the Cloud:
      1. Enterprise Risk Management
      2. Legal Issues: Contracts and E-Discovery
      3. Compliance and Audit Management
      4. Information Management and Data Security
      5. Interoperability and Portability
  • 17. Compliance and Governance
    We can keep you out of jail cheaper than break you out of jail
    Operating in the Cloud:
      1. Traditional IS, BCP, DR
      2. Application Security
      3. Encryption and Key Management
      4. Identity and Access Management
      5. Security as a Service
  • 18. New Platform, Old Mistakes
    Keep doing the same thing hoping for different results
      • Join ISSA http://www.sfissa.org/
      • Join CSA https://cloudsecurityalliance.org/
      • Join Infragard https://www.infragard.org/
      • Join OWASP https://www.owasp.org
      • Code Review http://checkmarx.com
      • Training / Conferences / Presentations
  • 19. Governance and Security in Cloud and Mobile Applications
    Where to get Help
    Security Priva(eers @scheidell 561-948-1305 / michael@securityprivateers.com http://www.securityprivateers.com
    Call to set up an appointment for initial review
    Policy Gap Analysis: Review current policies, compare against best practices and current government regulations.
      • OWASP Training
      • Web App Assessment
      • SDLC Review
      • Cloud Security Consulting
      • Mobile Application testing