What mitigation strategies can we implement that will increase our assurance in the cloud

Lauren Eckert

and

Matt Parson

Definitions
  • Risk: a combination of the probability of an event occurring and its consequences
    • Can be an opportunity
    • Can be a threat
  • Risk Mitigation: a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence
Definitions Continued
  • Service Level Agreement (SLA) – agreement between an end-user/customer and a service provider
  • Confidence – the expectation of a successful fulfillment of an SLA
Optimized Infrastructure Services (OPTIMIS)
  • Project focused on enabling an open and dependable Cloud Service Ecosystem
  • Delivers adaptable, reliable, auditable and sustainable services
  • Three actors:
    • End-user
    • Service Provider
    • Infrastructure Provider
Five OPTIMIS Cloud Use Cases
  • Private
  • Bursting
  • Multi-cloud
  • Federated
  • Brokerage
Private Cloud
  • Service Provider and Infrastructure Provider
  • Within the same administrative domain
  • Provision resources for services using internal infrastructure
Cloud Bursting
  • Infrastructure Provider initiates the SLA negotiation process with another Infrastructure Provider
  • Occurs when additional capacity is needed to manage increases in demand above that which its local infrastructure can accommodate.
Multi-Cloud
  • Service Provider makes use of multiple Infrastructure Providers
  • Functional and non-functional SLA requirements determine which IP is appropriate at the component level
Federated Cloud
  • Infrastructure Provider provides resources for a Service Provider on behalf of (and across) a collection of Infrastructure Providers working together
  • Mutual SLA between all involved members
Cloud Brokerage
  • A broker acts as an intermediary between SPs and IPs and adds value by maintaining a historical database of past encounters with SPs and IPs
  • Used to gauge an actor's past performance and how well it has adhered to its SLAs
Initial Assessment
  • Gather data over time
  • Criteria are scored on a scale of 1 to 10
  • Sub-criteria are scored on a scale of 0 to 1
  • Allows end-user preferences
  • Able to handle missing data
  • Each provider is mapped onto a belief and plausibility interval
Initial Infrastructure Provider Assessment
  • Assessment of an IP by an SP is based on
    • Past SLA Performance
    • Geography Information
    • Certifications and Standards Compliance
    • Business Stability
    • General Infrastructure Practice
    • General Security Practice
    • General Privacy Practice
Initial Service Provider Assessment
  • Assessment of an SP by an IP is based on
    • Past SLA Performance
    • Business Stability
    • General Security Practice
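The assessment slides above (0-to-1 sub-criteria, end-user weighting, tolerance of missing data, and a belief/plausibility interval per provider) describe a Dempster-Shafer style evidence combination without showing one. The following Python is an added example written for this page, not OPTIMIS project code: the mapping of a criterion score and weight onto a mass function, the rescaling of the 1-to-10 criterion scale onto 0-to-1, and the sample IP criteria values are all assumptions chosen for illustration. A missing criterion contributes the vacuous mass function and so leaves the interval unchanged, and total conflict between criteria is reported rather than silently normalised away.

```python
"""Belief/plausibility interval for a cloud provider from weighted,
possibly missing criterion scores (Dempster-Shafer combination).
Added example for this page; score/weight-to-mass mapping is an assumption."""
from typing import Optional, Sequence, Tuple

# A basic probability assignment (BPA) over the frame {T, U}:
# m[0] -> {T}: provider will fulfil the SLA
# m[1] -> {U}: provider will not
# m[2] -> Theta = {T, U}: mass left uncommitted (ignorance)
BPA = Tuple[float, float, float]


def scale_10_to_unit(score: float) -> float:
    """Map the deck's 1-to-10 criterion scale onto the 0-to-1 sub-criteria scale (assumed linear)."""
    if not 1.0 <= score <= 10.0:
        raise ValueError("score must lie in [1, 10]")
    return (score - 1.0) / 9.0


def criterion_bpa(score: Optional[float], weight: float) -> BPA:
    """Turn one criterion into a BPA. `weight` in [0, 1] is the end-user's
    preference for (trust in) this criterion. A missing score (None) gives
    the vacuous BPA, which carries no evidence either way."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    if score is None:
        return (0.0, 0.0, 1.0)
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must lie in [0, 1]")
    return (weight * score, weight * (1.0 - score), 1.0 - weight)


def combine(m1: BPA, m2: BPA) -> BPA:
    """Dempster's rule of combination on the two-element frame."""
    t1, u1, th1 = m1
    t2, u2, th2 = m2
    conflict = t1 * u2 + u1 * t2            # mass that would land on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the evidence cannot be combined")
    norm = 1.0 - conflict
    t = (t1 * t2 + t1 * th2 + th1 * t2) / norm
    u = (u1 * u2 + u1 * th2 + th1 * u2) / norm
    th = (th1 * th2) / norm
    return (t, u, th)


def assess_provider(evidence: Sequence[Tuple[Optional[float], float]]) -> Tuple[float, float]:
    """Combine (score, weight) pairs, one per criterion, and return the
    interval [Bel({T}), Pl({T})]; Pl - Bel is the remaining ignorance."""
    m: BPA = (0.0, 0.0, 1.0)                # start from total ignorance
    for score, weight in evidence:
        m = combine(m, criterion_bpa(score, weight))
    return (m[0], m[0] + m[2])


if __name__ == "__main__":
    # Constructed sample: an SP rating an IP on some of the deck's criteria.
    ip_evidence = [
        (scale_10_to_unit(8.2), 1.0),       # past SLA performance, fully trusted
        (0.8, 0.5),                         # certifications / standards compliance
        (None, 0.7),                        # business stability: no data yet
        (0.6, 0.5),                         # general security practice
    ]
    bel, pl = assess_provider(ip_evidence)
    print(f"Bel={bel:.3f}  Pl={pl:.3f}  ignorance={pl - bel:.3f}")
```

Two providers can then be compared on their intervals rather than on a single score: a provider with [0.53, 0.81] is less well known than one with [0.60, 0.62], even though both might average out the same on a 1-to-10 sheet.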
Risk Inventory
  • Anticipate and manage risk
  • Positive and negative risks
  • Steps of determination:
    • Target use case (cloud scenario)
    • Stage in service (deployment, etc.)
    • Assets to be protected (agreements, hardware, data, etc.)
    • Risk items that may jeopardize the assets
    • Identify relationships between assets and risks
Risk Categories
  • Technical
    • Hardware, VM failure
  • Policy
    • Data jurisdiction policies
  • General
    • Security, data applications or processes
  • Legal
    • SLA
Risk Models
  • Probabilistic
    • Compound probability and impact of occurrence
  • Possibilistic
    • Stochastic processes (Gamma)
  • Hybrid
    • Combination of the above two
Third Party Service Level Agreement Monitor
  • Third-Party group
  • Monitors performance based on SLA
  • Two Assessment Modules
    • Reputation/Trust (pre-deployment)
    • Transactional (post-deployment)
Transactional
  • Performance and financial risks
  • The TP SLA monitor obtains run-time values, compares them with the SLA thresholds and then determines the probability of failure (PoF)
  • Convolution results in the Actual Resource Investment Curve
Insurance Model
  • Insurance is a legal agreement (or policy) with a company that provides for reimbursement in the case of “loss”
  • Idea is the same as car insurance

Domain 2: Governance and Enterprise Risk Management

Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.

Recommendations
  • Reinvest savings into:
    • Scrutiny of security of the provider
    • Application of security controls
    • Ongoing detailed assessments and audits
  • Review security governance structure, processes, and specific security controls of prospective providers for:
    • Sufficiency
    • Maturity
    • Consistency
  • Identify and incorporate collaborative governance structures/processes
  • Engage security departments for Service Level Agreements (SLAs)
  • Establish metrics and standards for performance
  • Identify and evaluate assets, threats and vulnerabilities
  • Jointly develop risk scenarios for the cloud service
Requirements
  • Provide transparency
  • Identify interdependency of risks
  • Account for inherited risks

Domain 3: Legal Issues: Contracts and Electronic Discovery

This section includes protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, and international laws.


Domain 4: Compliance and Audit Management

Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise). This domain includes some direction on proving compliance during an audit.

Recommendations
  • Involve the legal, procurement, and contracts teams
  • Consider compliance for regulations
  • Determine which and how cloud partners use data
  • Agree how to collect, store, and share compliance evidence
    • Prefer auditors that are "cloud-aware"
    • Request the cloud provider's SSAE 16 SOC 2 or ISAE 3402 Type 2 report
    • Provide for third-party review of SLA metrics and compliance
Requirements
  • Right to audit clause
  • Right to transparency clause
  • Review, update, and publish information security documents and GRC processes regularly
  • Select third-party auditors
  • Use a common certification assurance framework

Domain 5: Information Management and Data Security

Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud.

Recommendations
  • Understand the cloud storage architecture
  • Choose storage with data dispersion
  • Use the Data Security Lifecycle
  • Monitor internal databases and file repositories
  • Consider using filtering to block unapproved activity
Recommendations Continued
  • Encrypt all sensitive data
  • Use content discovery
  • Store encryption keys externally
  • The SLA should document data removal of:
    • User accounts
    • Primary/redundant storage
    • Transfer of keys
Requirements
  • Data Security Lifecycle
  • Understand logical and physical locations of data.
  • Monitor employee Internet access
  • Encrypt all sensitive data

Domain 6: Interoperability and Portability

The ability to move data/services from one provider to another, or bring it entirely back in-house as well as issues surrounding interoperability between providers.

Recommendations

Hardware – Physical Computer Hardware

  • Use virtualization
  • Ensure same or better security controls

Physical Network Devices

  • Network physical hardware and the network and security abstraction should be in a virtual domain

Virtualization

  • Use open virtualization formats
  • Document and understand the virtualization hooks
Recommendations Continued

Frameworks

  • Investigate the APIs to:
    • Determine where differences lie
    • Plan for necessary changes
  • Use open and published APIs
  • Determine how failure in one component will impact others

Storage

  • Store unstructured data in an established portable format
  • Assess the need for encryption for data in transit
  • Check for compatible database systems
Recommendations Continued

Security

  • Use SAML or WS-Security for authentication
  • Encrypt data before it is placed into the cloud
  • Investigate how and where keys are stored
  • Understand your responsibilities and liabilities should a compromise occur
  • Define log file information security
  • Delete all data, logs, etc. from the original system when moving
Recommendations Continued

Portability:

  • Service Level
  • Different architectures
  • Security integration
    • Authentication and identity mechanisms for user or process access
    • Encryption keys should be escrowed/maintained locally
    • Ensure copies of file metadata are securely removed
Recommendations Continued

Recommendations for Different Cloud Models

  • Plan for cloud provider substitution
  • Understand the size of data sets hosted at a cloud provider
  • Document security architecture and configuration of component security controls

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

How cloud computing affects the operational processes and procedures currently used, examine possible risks of cloud computing, and identify where cloud computing may assist in diminishing certain security risks.

Recommendations

Policy

  • Set the security baseline to the most stringent requirements of any customer
  • Target a set of users with lower security requirements
  • Implement:
    • Compartmentalization of job duties
    • Background checks
    • Non-disclosure agreements
    • Need-to-know information sharing
Recommendations Continued

Transparency

  • Perform inspections of the CSP
    • On-site visit
    • Team should have at least two specialists
    • Acquire business continuity planning & disaster recovery documentation

Human Resources

  • Determine if CSP deploys competent security personnel
  • Review reporting structure of the security manager
Recommendations Continued

Business Continuity

  • Review the contract of third party commitments
  • Review the third party Business Continuity processes and any particular certification
  • Conduct an onsite assessment of the CSP facility
  • Ensure confirmation received of any BCP/DR tests
Recommendations Continued

Disaster Recovery Recommendations

  • Have a disaster recovery plan in place
  • IaaS providers should have contractual agreements with multiple platform providers and tools to restore systems
  • Data validation should be automated
  • Incremental backups at intervals set by the user for each system
  • Full site, system, disk, and file recovery should be accessible via a user-driven, self-service portal
  • Implement fast SLA-based data recovery
  • Negotiate SLA up front
  • WAN optimization between the customer and the physical site
Requirements
  • Ensure proper structural design
  • Respect the interdependency of deterrent, detective, and authentication solutions
  • Inspect, account for, fix, mitigate, and contain personnel risks

Domain 8: Data Center Operations

Focuses on evaluating data center architecture and helps users identify common data center characteristics.

Recommendations
  • Understand and react to technology
  • Service management processes and practices
  • Appropriate racking techniques
  • Understand what is running
  • Locations are important
  • Responsibility for meeting and assessing compliance
Requirements
  • Fully understand requirements
  • Ensure availability, security, and asset delivery and management.
  • Audit against regulatory and security templates

Domain 9: Incident Response

Addresses items that should be in place at both provider and user levels to enable proper incident handling and forensics. Aids in understanding the complexities that the cloud brings to your current incident-handling program.

Recommendations
  • Service providers define:
    • Events of interest
    • Security incidents
    • Customer reporting
  • Establish communication paths
  • Incident support analysis
    • Customers should favor service providers that can access and roll back to snapshots of virtual environments
    • Customers should favor service providers that leverage hardware-assisted virtualization and hardened hypervisors with forensic analysis capabilities
  • Customers should review a service provider's incident response history
Requirements
  • Detecting/handling incidents involving resources at the provider.
  • Guarantee support for incident response.
  • Annual testing

Domain 10: Application Security

Whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).

Recommendations

Security Assurance

  • Define functional security, regulatory security, and privacy requirements
  • Detailed risk and mitigation strategies
  • Impact assessment
  • Prioritize security and privacy requirements

Risk Analysis

  • Build and maintain security and privacy threat models
  • Analyze development and deployment
  • Analyze attack vectors and impacts
  • Maintain traceability
Recommendations Continued

Architecture

  • Secure software architecture frameworks
  • Use patterns that mitigate threats
  • Use reusable building blocks
  • Use cloud-specific secure data architectures that address:
    • Monitoring of dynamic database servers
    • Understanding where the database is hosted
    • Central logging of all activity
    • Define where encryption must be used
    • Provide segregation of duties, data, and all privileged activities

Penetration Testing Applications on Cloud

  • Regular Web Application Penetration Testing
  • Categorize vulnerabilities
  • Manual tests to validate privileges and data segregation
  • Security assessment

Domain 11: Encryption and Key Management

Identifying proper encryption usage and scalable key management, why this is needed, and the issues that arise in use.

Recommendations

General

  • Use best-practice key management
  • Use off-the-shelf technology
  • Maintain your own keys
  • Maintain key scoping at individual or group level
  • Manage group access with off-the-shelf technology

Encryption within Databases

  • Use standard algorithms
  • Avoid old insecure encryption standards
  • Use object security
  • Do not encrypt primary keys
  • Use a columnar approach to encryption
Requirements
  • Manage keys internally
  • Use key storage technology and hardware security modules
  • Registration for enterprise users
  • Use binding cryptographic operations
  • Use E-DRM or similar
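The Domain 11 bullets above (columnar encryption, leave primary keys in the clear, key scoping per group, keys held outside the provider, binding cryptographic operations) are design rules rather than code. The Python below is an added example written for this page, not code from the deck or from any CSA document: it encrypts only the sensitive columns of a row with AES-GCM, derives a separate key per access group and column from a master key that never reaches the database, keeps the primary key in plaintext so indexes and joins still work, and binds each ciphertext to its table, row and column through the GCM associated data so that a ciphertext copied into another row fails authentication. The table name, column classification and sample rows are constructed for illustration; it needs the `cryptography` package.

```python
"""Column-level encryption of database rows with group-scoped keys and
row/column binding. Added example; table, columns and rows are constructed."""
import os
from typing import Dict, Set

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

TABLE = "employees"                               # assumed table name
PRIMARY_KEY = "id"                                # never encrypted: needed for indexes and joins
SENSITIVE_COLUMNS: Set[str] = {"ssn", "salary"}   # assumed data classification
NONCE_LEN = 12                                    # 96-bit GCM nonce


def column_key(master_key: bytes, group: str, column: str) -> bytes:
    """Derive a 256-bit key scoped to one access group and one column.
    The master key lives outside the database (an HSM/KMS in practice);
    the database only ever stores ciphertext."""
    info = f"{TABLE}/{group}/{column}".encode()
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(master_key)


def binding(pk: str, column: str) -> bytes:
    """Associated data tying a ciphertext to its table, row and column."""
    return f"{TABLE}|{pk}|{column}".encode()


def encrypt_row(master_key: bytes, group: str, row: Dict[str, str]) -> Dict[str, object]:
    """Encrypt the sensitive columns of one row; everything else is stored as-is."""
    pk = row[PRIMARY_KEY]
    stored: Dict[str, object] = {}
    for column, value in row.items():
        if column in SENSITIVE_COLUMNS:
            nonce = os.urandom(NONCE_LEN)
            ct = AESGCM(column_key(master_key, group, column)).encrypt(
                nonce, value.encode(), binding(pk, column))
            stored[column] = nonce + ct           # nonce travels with the ciphertext
        else:
            stored[column] = value                # primary key and plain columns untouched
    return stored


def decrypt_row(master_key: bytes, group: str, stored: Dict[str, object]) -> Dict[str, str]:
    """Inverse of encrypt_row. Raises InvalidTag if the caller's group key is
    wrong or a ciphertext was moved to another row or column."""
    pk = stored[PRIMARY_KEY]
    row: Dict[str, str] = {}
    for column, value in stored.items():
        if column in SENSITIVE_COLUMNS:
            blob = bytes(value)
            nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
            row[column] = AESGCM(column_key(master_key, group, column)).decrypt(
                nonce, ct, binding(pk, column)).decode()
        else:
            row[column] = value
    return row


if __name__ == "__main__":
    master = os.urandom(32)                       # stands in for a key fetched from an external KMS
    alice = {"id": "e-1001", "name": "Alice", "ssn": "123-45-6789", "salary": "90000"}
    bob = {"id": "e-1002", "name": "Bob", "ssn": "987-65-4321", "salary": "70000"}
    enc_alice, enc_bob = encrypt_row(master, "hr", alice), encrypt_row(master, "hr", bob)
    assert decrypt_row(master, "hr", enc_alice) == alice
    enc_alice["salary"] = enc_bob["salary"]       # move Bob's salary ciphertext into Alice's row
    try:
        decrypt_row(master, "hr", enc_alice)
    except InvalidTag:
        print("ciphertext is bound to its row and column: swap detected")
```

Because the key is derived per group, a "finance" caller cannot decrypt an "hr" column even with the same master key, which is the group-level scoping the slide asks for; rotating the master key in the external KMS and re-deriving is how the key lifecycle is handled without the database ever seeing a key.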

Domain 12: Identity, Entitlement, and Access Management

Focuses on issues encountered when extending an organization’s identity into the cloud and provides insight into assessing an organization’s readiness.

Recommendations

Federation

  • Define existing trust relationships
  • Use open standards
  • Understand that public Identity providers offer no guarantees that they will not federate

Provisioning and Governance

  • Close sourcing of attributes
  • Cloud service/application should not be the master source for Identity
  • Cloud service/application should be master of attributes directly controlled
  • All Attributes have a known level of trust
  • All Attributes linked to an Identity
  • Identifier of Entity should sign all Attributes
  • Each Attribute should have a lifecycle
  • Each Identity should have a lifecycle
Recommendations Continued

Entitlement

  • Designated responsibilities for approval
  • Define change management processes
  • Define auditing triggers/frequency
  • Use principle of least privilege
  • Minimize exposure of Identity
  • Real-time attribute checking
  • Define/ensure bi-directional trust
  • Include delegation of access
  • Include the seizing of access
  • Identity and Attribute must match level of trust
  • All sources of Identity/Attributes provide organizational Identity
  • Validate Attributes at master/source
Recommendations Continued

Authorization and Access

  • Ensure services have an import and/or export function into standards
  • Ensure existing services can interface
  • Consider use of “policy-as-a-service” as the policy server

Architecture

  • Ensure authorization management Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs) can be configured with entitlement rules
  • Ensure that all components of the IdEA work together
  • Implementers should ensure that PEPs/PDPs use standard protocols
  • Capability to consume authentication
  • Import/export function into standards
  • Ensure service interface with PEP/PDPs
  • Using standard logging format
Recommendations Continued

Provisioning

  • Follow the rule of least privilege for accounts
  • Provisioning/de-provisioning not limited to user identities
  • Provisioning/de-provisioning in real time
  • Maintain Identity and Attributes

Identity Compliance & Auditing

  • Entitlement rules/authorization log availability
  • Integrate logs into a wider system
  • Use Attribute derivation when logging Personally Identifiable Information or Sensitive Personal Information
Recommendations Continued

Application Design

  • Use ITU X.805 / 3-layer definition
  • Minimize Identity and Attributes in application design
  • Consume Identity and Attributes from external sources
  • Support standard SSO federation formats
  • Use Identity and Attributes across system layers
  • Use mutual authentication at all levels
Recommendations Continued

Data Protection

  • Minimize the use and storage of PII/SPI
  • Use technologies to minimize exposure of PII/SPI:
    • Encryption
    • Tokenization
    • Homomorphic Encryption
  • Use best practice approaches to protect SPI
  • Know how to restrict/stop administrator access to PII and SPI
  • Reduce PII/SPI stored
  • Maintain PII/SPI in a timely manner
Recommendations Continued

Identity Implementation

  • Reuse Identity before enrolling new users/devices
  • Understand what Attributes can be asserted to a sufficient level of trust
  • Allow low risk transactions to take place with low grade level of authentication
  • Provide a critical assessment of the Identity and Attributes
  • Understand what technologies can increase assurance levels
  • Understand management of consumer devices
Requirements
  • Independent service layer design
  • All participants must respect supply chain integrity and Identity Access Management practices

Domain 13: Virtualization

Addresses risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. Focuses on the security issues surrounding system/hardware virtualization.

Recommendations
  • Identify the types of virtualization the cloud provider uses, if any
  • Zoned approach between different environments and highly sensitive data/workloads
  • Consider performance when installing security tools
  • Evaluate, negotiate, and refine the licensing agreements with major vendors in virtualized environments
  • Secure each virtualized OS
  • Virtualized OSs should be augmented by built-in security measures
  • Secure by default configurations follow or exceed available industry baselines
  • Encrypt virtual machine images when not in use
  • Make sure that the security vulnerability assessment tools or services cover the virtualization technologies used
  • Patch virtual machine images before use or while not in use
  • Understand security controls in place external to the VM
Requirements
  • Utilize VM-specific security mechanisms embedded in hypervisor APIs
  • Update the security policy to reflect the new coming security challenges
  • Encrypt data accessed by virtual machines
  • Be aware of multi-tenancy situations with your VM where regulatory concerns may warrant segregation
  • Validate integrity of any VM image or template originating from any third party, or better yet, create your own VM instances
  • Virtualized operating systems must include a firewall (inbound/outbound), Host Intrusion Prevention System (HIPS), Network Intrusion Prevention System (NIPS), web application protection, antivirus, file integrity monitoring, log monitoring, etc. Security countermeasures can be delivered via software in each guest virtual instance or by using an inline virtual machine combined with hypervisor-based APIs.
  • Clean any backup and failover systems when deleting and wiping the VM images
  • Have a reporting mechanism in place that provides evidence of isolation and raises alerts if there is a breach of isolation

Domain 14: Security as a Service

Providing third party facilitated security assurance, incident management, compliance attestation, and identity and access oversight.

Recommendations
  • Secure communication channels
  • Automated secure and continuous notifications
  • Supply secured logging of internal operations
  • Consumers should request addition of third party audit and SLA mediation services.
  • All parties should enable Continuous Monitoring of all interfaces through standardized security interfaces such as SCAP (NIST), CYBEX (ITU-T), or RID & IODEF (IETF).
Requirements

Identity as a Service

  • Account management for cloud customers
  • Adequate authentication
  • Directory services
  • Federated and web single sign-on
  • Privileged session monitoring
  • Granular access management
  • Tamper-proof storage of audit records
  • Policy management
  • Authorization token management and provisioning
  • Profile and entitlement management
Requirements continued
  • Support for policy and regulatory compliance monitoring and/or reporting.
  • Federated provisioning of cloud applications
  • Role-Based Access Control
  • Optional support of DLP (Data Loss Prevention) integration
  • Segregation of duties based on identity entitlement.
  • Compliance-centric reporting.
  • Centralized policy management
  • Management interfaces
  • Unified access control & audit
  • Interoperability and heterogeneity among various providers.
Requirements continued

Data Loss Prevention SECaaS

  • Data labeling and classification.
  • Identification of Sensitive Data.
  • Predefined policies for major regulatory statutes.
  • Context detection heuristics.
  • Structured data matching (data-at-rest).
  • SQL regular expression detection.
  • Traffic spanning (data-in-motion) detection.
  • Real Time User Awareness.
  • Security level assignment.
  • Custom attribute lookup.
  • Automated incident response.
  • Signing of data.
  • Cryptographic data protection and access control.
  • Machine-readable policy language.
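Domain 5 asks for content discovery and the DLP SECaaS list above asks for identification of sensitive data, context detection heuristics, structured data matching and labeling, without showing what a detector looks like. The Python below is an added example written for this page, not a DLP product's logic: it scans structured records for card numbers (PANs) and US SSNs, uses a Luhn check and a field-name/keyword context heuristic to suppress false positives, reports findings masked so the report does not re-expose the data, and assigns a sensitivity label per record. The regexes, label names and sample records are constructed for illustration.

```python
"""Content discovery / DLP classification over structured records.
Added example; patterns, labels and sample records are constructed."""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens (PAN candidate).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Structurally valid US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Context heuristic: an SSN-shaped value only counts when the field name or
# the surrounding text says it is one.
SSN_CONTEXT = re.compile(r"\b(ssn|social security|tax id)\b", re.IGNORECASE)

Finding = Tuple[str, str, str]   # (field, data type, masked value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """PAN candidates that also pass Luhn; returns the bare digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(field: str, text: str) -> List[str]:
    """SSNs, but only where the field name or text provides SSN context."""
    if not (SSN_CONTEXT.search(field) or SSN_CONTEXT.search(text)):
        return []
    return SSN_RE.findall(text)


def mask(value: str, keep: int = 4) -> str:
    """Keep the last `keep` characters so a finding is reportable without re-exposing the data."""
    return "*" * (len(value) - keep) + value[-keep:]


def classify_record(record: Dict[str, str]) -> Tuple[str, List[Finding]]:
    """Return (sensitivity label, findings) for one record."""
    findings: List[Finding] = []
    for field, value in record.items():
        for pan in find_pans(value):
            findings.append((field, "PAN", mask(pan)))
        for ssn in find_ssns(field, value):
            findings.append((field, "SSN", mask(ssn)))
    kinds = {kind for _, kind, _ in findings}
    if "PAN" in kinds:
        label = "Restricted"                 # cardholder data: PCI DSS scope
    elif "SSN" in kinds:
        label = "Confidential"               # PII
    else:
        label = "Internal"
    return label, findings


if __name__ == "__main__":
    # Constructed sample records, not real data.
    records = [
        {"id": "c-7", "note": "customer paid with card 4111 1111 1111 1111"},
        {"id": "c-8", "ssn": "123-45-6789", "name": "Alice"},
        {"id": "c-9", "ref": "ticket 123-45-6789, order 4111111111111112"},
    ]
    for rec in records:
        label, findings = classify_record(rec)
        print(rec["id"], label, findings)
```

The third record shows why the heuristics matter: an SSN-shaped ticket number with no SSN context and a 16-digit order number that fails Luhn are both left alone, so the record stays "Internal" instead of generating two false findings.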
Requirements continued

Web Services SECaaS

  • Web monitoring and filtering
  • Malware, Spyware, and Bot Network analyzer and blocking
  • Phishing site blocker
  • Instant messaging scanning
  • Email security
  • Bandwidth management / traffic control
  • Data Loss Prevention
  • Fraud prevention
  • Web Access Control
  • Backup
  • SSL (decryption / hand off)
  • Usage policy enforcement
  • Vulnerability management
  • Web intelligence reporting
Requirements continued

Email SECaaS

  • Accurate filtering to block spam and phishing.
  • Deep protection against viruses and spyware before they enter the enterprise perimeter.
  • Flexible policies to define granular mail flow and encryption.
  • Rich, interactive reports and correlate real-time reporting.
  • Deep content scanning to enforce policies.
  • Option to encrypt some / all emails based on policy.
  • Integration capability to various email server solutions.
Requirements continued

Security Assessment SECaaS

  • Detailed governance processes and metrics (implementers should define and document a process by which policies are set and decision making is executed).
  • Implement an automated solution for notifying members of their immediate supply chain in the event of a breach or security incident.
  • Proper risk management (implementers should define and document a process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions).
  • Details of compliance (implementers should define and document the process of adherence to policies and decisions).
  • Policies that can be derived from internal directives, procedures, and requirements or external laws, regulations, standards and agreements.
Requirements continued
  • Technical compliance audits (automated auditing of configuration settings in devices, operating systems, databases, and applications).
  • Application security assessments (automated auditing of custom applications).
  • Vulnerability assessments (automated probing of network devices, computers, and applications for known vulnerabilities and configuration issues).
  • Penetration testing (exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance).
  • A security rating.
Requirements continued

Intrusion Detection SECaaS

  • Identification of intrusions and policy violations.
  • Automatic or manual remediation actions.
  • Coverage for workloads, the virtualization layer (VMM/hypervisor) and the management plane.
  • Deep packet inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic.
  • System call monitoring.
  • System/application log inspection.
  • Integrity monitoring OS (files, registry, ports, processes, installed software, etc.)
  • Integrity monitoring VMM/Hypervisor.
  • VM Image Repository Monitoring.
Requirements continued

SIEM SECaaS

  • Real time log /event collection, de-duplication, normalization, aggregation and visualization.
  • Forensics support.
  • Compliance reporting and support.
  • IR support.
  • Anomaly detection not limited to email.
  • Detailed reporting.
  • Flexible data retention periods and flexible policy management
Requirements continued

Encryption SECaaS

  • Protection of data in transit.
  • Protection of data at rest.
  • Key and policy management.
  • Protection of cached data.
Requirements continued

Business Continuity and Disaster Recovery

  • Flexible infrastructure.
  • Secure backup.
  • Monitored operations.
  • Third party service connectivity.
  • Replicated infrastructure component.
  • Replicated data (core / critical systems).
  • Data and/or application recovery.
  • Alternate sites of operation.
  • Tested and measured processes and operations to ensure operational resiliency.
  • Geographically distributed data centers / infrastructure.
  • Network survivability.
Requirements continued

Network Security SECaaS

  • Details of data threats.
  • Details of access control threats.
  • Access and authentication controls.
  • Security gateways (firewalls, WAF, SOA/API).
  • Security products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam).
  • Security monitoring and incident response.
  • DoS protection/mitigation.
  • Secure “base services” like DNSSEC, NTP, OAuth, SNMP, management network segmentation, and security.
  • Traffic / netflow monitoring.
  • Hypervisor layer.
Conclusions
  • Emphasis changes with company size
  • Cloud type changes security assurance practices
Confidentiality Risk Assessment and Comparison (CRAC++) methods
  • Assess confidentiality risk in IT outsourcing
  • Satisfies six confidentiality criteria:
    • Specified confidentiality level is not based on percentages of data loss
    • Assessment is not based on monitoring incidents
    • No disclosure of confidential information is required to a provider
    • Ease of use
    • Repeatable
    • Increase client understanding of risks
Computing Utility Model
  • Proposes 4 essential objectives
    • Manage wait time for SLA acceptance
    • Meet SLA requests
    • Ensure reliability of accepted SLA
    • Attain profitability
Quantitative Risk and Impact Assessment Framework (QUIRC)
  • Assess security risks associated with objectives
    • Confidentiality
    • Integrity
    • Auditability
    • Multi-party trust
    • Mutual auditability
    • Usability