What mitigation strategies can we implement that will increase our assurance in the cloud?
Lauren Eckert and Matt Parson
Definitions
Risk: a combination of the probability of an event occurring and its consequences. A risk can be an opportunity or a threat.
Items such as legal precedent for agreement breaches, the ability of user organizations to adequately assess the risk of a cloud provider, responsibility for protecting sensitive data when both user and provider may be at fault, and how international boundaries affect these issues.
This section includes protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, and international laws.
Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise). This domain includes some direction on proving compliance during an audit.
Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud.
The ability to move data/services from one provider to another, or bring it entirely back in-house as well as issues surrounding interoperability between providers.
Hardware – Physical Computer Hardware
Physical Network Devices
Recommendations for Different Cloud Models
How cloud computing affects the operational processes and procedures currently in use; examines the possible risks of cloud computing and identifies where cloud computing may help reduce certain security risks.
Disaster Recovery Recommendations
Focuses on evaluating data center architecture and helps users identify common data center characteristics.
Addresses items that should be in place at both provider and user levels to enable proper incident handling and forensics. Aids in understanding the complexities that the cloud brings to your current incident-handling program.
Whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).
Penetration Testing Applications on Cloud
Identifying proper encryption usage and scalable key management, why this is needed, and the issues that arise in use.
Encryption within Databases
Focuses on issues encountered when extending an organization’s identity into the cloud and provides insight into assessing an organization’s readiness.
Provisioning and Governance
Authorization and Access
Identity Compliance & Auditing
Addresses risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. Focuses on the security issues surrounding system/hardware virtualization.
Providing third party facilitated security assurance, incident management, compliance attestation, and identity and access oversight.
Identity as a Service
Data Loss Prevention SECaaS
Web Services SECaaS
Security Assessment SECaaS
Intrusion Detection SECaaS
Business Continuity and Disaster Recovery
Network Security SECaaS