Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance. North Texas Chapter, Dallas / Ft. Worth. Friday, June 28, 2013, FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX. Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting

Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance


DESCRIPTION

Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance Key Note Address by Chad M. Lawler, Ph.D. Cloud Security Alliance - North Texas Chapter Friday, June 28, 2013


Page 1: Security & Compliance in the Cloud - Proactively Managing Governance, Risk & Compliance

Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance

NORTH TEXAS CHAPTER - DALLAS / FT. WORTH

Friday, June 28, 2013

FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX

Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting

Page 2

Goals & Overview of Today’s Discussion

Goals

Awareness

Encourage Focus on Security, Governance & Compliance

Create Broad Awareness & Provide Education

Focus on Best Practices for Risk & Security Mitigation, Regulatory Compliance & Governance

Overview of Cloud Security Alliance (CSA) & Research Areas

Overview

Cloud is Changing Business & IT - New IT Landscape

Cloud Security Alliance - Research & Standards

Panel Discussion

* Today’s Presentation Slides - http://www.slideshare.net/chadmlawler/

Page 3

Cloud is Changing Business & IT - The New IT Landscape

Page 4

Cloud is Changing Business & IT

IT OPERATIONS + MULTI CLOUD

Legacy Coexistence with Cloud Migration and New Cloud Apps

Multiple Applications Spread Across Legacy & Cloud Environments

Selective Outsourcing and Managed Services

Private, Public and Hybrid Cloud Utilization

DATACENTER - Traditional Data Center

On-site Traditional Infrastructure

Dedicated with Limited Virtualization

Internal Application Provisioning

PRIVATE CLOUD - Next Generation Datacenter, On-site Private Cloud IaaS Utility

Dedicated On-Site Infrastructure

Internal Application Provisioning

PUBLIC CLOUD - Public Cloud Datacenter, Off-site Utility (Regional Datacenter 1, Regional Datacenter 2)

Pay-as-You-Go Consumption

External Application Provisioning

HYBRID CLOUD - Public/Private/Virtual Private

Enterprise Datacenter, On-Site + Off-site Utility

Dedicated Infrastructure + Utility

Internal + External Provisioning

Next Generation Datacenter Transition

Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix (SaaS, IaaS & PaaS)

The New IT Landscape

Page 5

Cloud is Changing Business & IT

Diagram: SaaS, IaaS and PaaS services and providers surrounding Your Business and YOUR CENTRAL IT - the Cloud Ecosystem

Business and End Users Circumventing IT

Increasing Shadow IT

The New IT Landscape

Page 6

Cloud is Changing Business & IT

Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix

Focus on Cloud Supply Chain, Security & Governance

Mix of public-private cloud services from multiple, different cloud providers

With the cloud comes increased complexities, disruptive for both business and IT

Increased need for risk visibility, management, governance and security

Businesses already negotiating multiple cloud service contracts with different providers

Using multiple/different cloud services - more contracts, payments, providers to manage

Need for new best practices for security, cloud supply chain management and resource control

The New IT Landscape

Page 7

Cloud + Mobile

Dispersal of applications

Dispersal of data

Dispersal of users

Dispersal of endpoint devices

Diagram: Cloud Users, Notional Organizational Boundary, Public Clouds, Private Clouds

www.cloudsecurityalliance.org

Cloud is Changing Business & IT - The New IT Landscape

Copyright © 2013 Cloud Security Alliance

Page 8

Cloud is Changing Business & IT

Where IT is Going

Technology consumerization and its offspring

Cloud: Compute as a utility

Smart Mobility: Compute anywhere

Shifting balance of power to technology users

Organizational structure & business planning

Disrupting IT and IT security through agility

The New IT Landscape

Key Trust Issues

Transparency & visibility from providers

Compatible laws across jurisdictions

Data sovereignty

Incomplete standards

Multi-tenant technologies & architecture

Incomplete Identity Management

Consumer awareness & engagement

Is Challenging Our Assumptions About… Everything

Page 9

Cloud is Changing Business & IT

Governance - Administration & Control of IT Assets

Measurement, Policy & Enforcement

Appropriate & Authorized Resource Use

Security & Risk - Confidentiality, Integrity & Availability

Security Protection, Controls & Reporting

Incident Mitigation, Detection & Response

Compliance - Legal & Regulatory

Policies, Standards & Procedures

Auditing & Reporting

Diagram: Public Cloud, Private Cloud, Datacenter, Hybrid Cloud

The New IT Landscape

Page 10

A Look at Today’s Security Landscape - Facing Modern Security Threats

Page 12

Examines billions of URLs

Discovers 1000s of unsafe sites daily

Many are legitimate websites that have been compromised!

Sites that steal personal information or install software to take over computers

Google’s Safe Browsing - Increasing Security Threats

Source: Google - http://www.google.com/transparencyreport/safebrowsing/

Page 13

Google’s Safe Browsing - Increasing Security Threats

Page 14

Source: Websense - http://www.websense.com/assets/webinars/2013-Threat-Report/EMEA-EN-2013-Threat-Report/index.htm

2013 Threat Report

Page 15

Security Incidents Since 2008…? Too Many to List

1. Yahoo Japan - the identity details of up to 22 million users may have been compromised when attackers hacked into its computer systems.

2. Washington State Court System - May 2013 - Exposed 160,000 Social Security numbers through a cyber attack on servers operated by the Washington state court system.

3. Federal Reserve - May 2013 - Federal Reserve security breach of undisclosed information. Anonymous exploited a zero-day vulnerability in Adobe ColdFusion.

4. Alabama Criminal Justice Information Center - May 2013 - Anonymous hack posts 4,000 bank executive credentials, login & contact info, & IP addresses.

5. LivingSocial.com - April 2013 - Security breach that exposed names, e-mail addresses and password data for up to 50 million of its users.

6. Twitter - February 2013 - 250,000 accounts hacked in security breach; hackers accessed usernames, email addresses and passwords in a 'sophisticated' operation.

7. US Army Corps of Engineers’ National Inventory of Dams (NID) - Cyber intrusion into sensitive information on vulnerabilities of 8,100 major dams in the US by Chinese cyber warriors.

8. Wyndham Hotels - Announced in 2012, began in 2008 - Over $10.6 million in credit card transactions made fraudulently. The most egregious security breach of 2012. The Federal Trade Commission brought a lawsuit against Wyndham Hotels.

9. Zappos - January 2012 - Hackers compromised over 24 million records, which included user names, phone numbers, email addresses, partial credit card numbers, and encrypted passwords.

10. LinkedIn/eHarmony - June 2012 - 8 million passwords taken.

11. Last.fm - Mid-2012 - Hackers exploited lax security to make off with millions of user passwords.

12. Medicaid - March 30, 2012 - Hackers broke into a Utah Department of Health Medicaid server, exposing 280,000 residents' Social Security numbers & health data of 500,000 residents.

13. Sutter Physicians Services - 2011 - 3.3 million patients' medical details stolen, stored in encrypted format. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer.

14. Sony's PlayStation Network - April 20, 2011 - Over 100 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month, and faced an ongoing customer relations fallout and class-action lawsuits over its failure to protect over 100 million user records.

15. ESTsoft - July-August 2011 - Personal information of 35 million South Koreans exposed after hackers breached the security of a popular software provider.

16. Tricare and SAIC - September 2011 - 5.1 million people’s records breached. Backup tapes containing SAIC (Science Applications International Corporation) data, with data on current and retired members of the armed services and their families, were stolen from the car of a Tricare employee. Led to a $4.9 billion lawsuit being filed.

17. Nasdaq - 2011 - Attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.

18. Yahoo - 2011 - 450,000 user names and passwords stolen. Hackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and managed to steal files from Yahoo’s Contributor Network. Shockingly, these files were not encrypted and were instead stored in plain text.

19. Epsilon - March 2011 - Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms.

20. RSA Security - March 2011 - 40 million employee records stolen. Breached the systems of EMC's RSA in April, stealing information relating to its SecurID system. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack.

21. Stuxnet - Sometime in 2010, but origins date to 2007 - Attack on Iran's nuclear power program; serves as a template for real-world intrusion and service disruption.

22. VeriSign - Throughout 2010 - Impact: Undisclosed information stolen.

23. Gawker Media - December 2010 - Compromised e-mail addresses and passwords of about 1.3 million users on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.

24. Google / Yahoo / Silicon Valley companies - Mid-2009 - Stolen intellectual property. In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies.

25. US Military Networks - 2008 cyberattack - “Worst breach of U.S. military computers in history” and “the most significant breach of U.S. military computers ever.” The Pentagon spent 14 months cleaning military networks. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” - William J. Lynn 3d, Deputy Secretary of Defense. Led to creation of the US Cyber Command.

26. Heartland Payment Systems - March 2008 - Impact: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.

Page 16

Texas Comptroller's 3.5 Million Record Breach

Source: Cyber Risk Remains a Serious Threat Facing Public Entities http://www.netdiligence.com/files/Public%20Entity%20Cyber%20Risk-061512.pdf

The state’s investigation revealed that the data was not encrypted, even though Texas administrative rules require encryption of data files containing sensitive information.

Page 17

Personally Identifiable Information Consumer Notifications

Source: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/vermont-security-breaches.php

Page 18

Increasing Security Threat for SMBs

Flags Rise in SMB Security Breaches - “SMBs can no longer afford to assume their small size will keep them off the radar of cyber criminals and hackers” - PWC InfoSec 2013

Page 19

“Hacking at small businesses is a prolific problem… It's going to get much worse before it gets better.”

Dean Kinsman, Special Agent, FBI's Cyber Division

Page 20

Revealed: Operation Shady Rat

Operation Shady Rat - August 2011

Targeted intrusions into more than 70 global companies, governments and non-profit organizations over five years

Source: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109

Page 22

“Targeted intrusion is a problem of massive scale that affects nearly every industry … and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.”

Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011

Page 23

Operation Red October

Operation Red October - January 11, 2013

Kaspersky Lab research report which identified a cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.

Attackers gathered sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

Source: http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide

Page 24

“There is sensitive geopolitical information being stolen, which is very valuable... Over the course of the last five years, we believe several terabytes of data was stolen - it's massive.”

Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, 2013

Page 25

DoD Networks Completely Compromised by Foreign Spies

“We’ve got the wrong model here. …this model for cyber that says, ‘We’re going to develop a system where we’re not attacked’… I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

James Peery, Director of Sandia National Labs’ Information Systems Analysis Center

http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say#

Page 26

U.S. Weapons Systems Compromised by Chinese Cyberspies

http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/

Designs for many of the nation’s most sensitive advanced weapons systems have been stolen and compromised by Chinese hackers.

Designs Stolen:

Patriot missile system, known as PAC-3

An Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD

The Navy's Aegis ballistic-missile defense system

F/A-18 fighter jet

The V-22 Osprey and the Black Hawk helicopter

The Navy’s new Littoral Combat Ship

The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion, stolen by Chinese Cyberhackers in 2007.

Drone video systems, nanotechnology, tactical data links and electronic warfare systems also compromised.

Defense Contractors include: Boeing, Lockheed Martin, Raytheon and Northrop Grumman.

Page 27

“In many cases, they (DoD Contractors) don’t know they’ve been hacked until the FBI comes knocking on their door. This is billions of dollars of combat advantage for China. They’ve just saved themselves 25 years of research and development. It’s nuts.”

Senior Military Official, on Compromise of US Weapons Systems Designs

Page 28

ONCIX Report to Congress: Foreign Economic Collection & Industrial Espionage, 2009-2011

Office of the National Counterintelligence Executive

Source: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 - http://www.ncix.gov/publications/reports/fecie_all/

Page 29

Proactively Managing Governance, Risk & Compliance - Educate, Build a Framework, Layer Protection, Implement Incrementally

Page 30

“No single product will stop spear-phishing, protect sensitive data, thwart malware, or put an end to malicious insiders… Instead there are several solutions across endpoint, network, data security and security management that can and should be used in a connected framework to enrich each other and thus mitigate risk…”

McAfee - Building a Better Shady RAT Trap

Page 31

Elevate Security Importance - Build a Governance Framework

CSA Governance, Risk Management and Compliance (GRC) Stack

• https://cloudsecurityalliance.org/research/projects/grc-stack/

Integrated Cloud Framework: Security, Governance, Compliance

• http://www.slideshare.net/chadmlawler/

Page 32

Build Incremental Security Layers

Integrate Complete Security Solutions in Cloud Environments

• Deep Code-Level Security Vulnerability Reviews on All Cloud Applications

• Security Services: Single Sign On (SSO), PKI & Certificate Management

• Identity Management & Vulnerability Scanning & PII Detection & Continuous Auditing

• SIEM with Root Cause Analysis & Risk Assessment, Patch & Log Management System

• AntiVirus & AntiMalware System & IPS/IDS Event Management & Data Loss Prevention

• Data Encryption for Data at Rest, SSL/HTTPS for Data in Transit

Page 33

“If you can't stop attacks (spear-phishing), you can at least know when they occur if you have a properly tuned Security Incident & Event Management (SIEM) system in place. You need all the key components feeding data into it, including:

• Proactive, organized response procedures for security incidents

• A Security Operations Center (SOC) & monitoring system

• Intrusion Detection & Prevention System (IDS/IPS)

• Security logs with monitoring and analysis

• Data Loss Prevention (DLP) & Encryption

• Host-based anti-malware & antivirus”

Page 34

Proactively Managing Governance, Risk & Compliance

Be Proactive in Working to Mitigate Liabilities & Risks

Understand that Security in the Cloud Must be Managed

Implement a Policy that Calculates & Quantifies Cloud Application Risk

Evaluate Application & Data Security Requirements

Plan & Budget for Implementing Security Services

Leverage a Framework Which Covers all Key Risk & Liability Areas

Implement & Adhere to Your Framework as a Roadmap to Reduce Risks

Page 35

CSA - Research & Standards - Resources, Education & Best Practices

Page 36

About the Cloud Security Alliance

• Global, not-for-profit organization

• Over 33,000 individual members, 150 corporate members, 60 chapters

• Building best practices and a trusted cloud ecosystem

• Research

• Education

• Certification

• Advocacy of prudent public policy

• Innovation, Transparency, GRC, Identity

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 37

Global Efforts

• Europe

  • Proposed EU Data Privacy Regulation

  • EC European Cloud Partnership

• US Federal government

  • NIST

  • FedRAMP

• APAC

• Standards bodies

  • ISO SC 27

  • ITU-T FG 17

  • DMTF, PCI Standards Council

Page 38

CSA Contributions - Research Projects -

“Security Guidance For Critical Areas of Focus”

Cloud Architecture

Governing the Cloud:

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Operating in the Cloud:

Security, Bus. Cont., and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Security as a Service

Page 39

CSA GRC Stack

Diagram: Control Requirements and Provider Assertions across Private, Community & Public Clouds

• Family of 4 Research Projects

  • Cloud Controls Matrix

  • Consensus Assessments Initiative

  • Cloud Audit

  • Cloud Trust Protocol

• Tools

  • Tools for governance, risk and compliance management

  • Enabling automation and continuous monitoring of GRC

Page 40

CSA STAR Registry

• CSA STAR (Security, Trust and Assurance Registry)

• Public Registry of Cloud Provider self assessments

• Based on Consensus Assessments Initiative Questionnaire

• Provider may substitute documented Cloud Controls Matrix compliance

• Voluntary industry action promoting transparency

• Security as a market differentiator

• www.cloudsecurityalliance.org/star

Page 41

CCSK - Certificate of Cloud Security Knowledge

• Benchmark of cloud security competency

• Measures mastery of CSA guidance and ENISA cloud risks whitepaper

• Understand cloud issues

• Look for the CCSKs at cloud providers, consulting partners

• Online web-based examination

• www.cloudsecurityalliance.org/certifyme

• www.cloudsecurityalliance.org/training

Page 42

CSA Resources & Activities

• Resources

Research: www.cloudsecurityalliance.org/research/

CCSK Certification: www.cloudsecurityalliance.org/certifyme

Chapters: www.cloudsecurityalliance.org/chapters

National Email: [email protected]

National LinkedIn Group: www.linkedin.com/groups?gid=1864210

Twitter: @cloudsa

• Local DFW CSA North Texas Resources & Activities

CSA North Texas LinkedIn Group: http://www.linkedin.com/groups?gid=3856567

CSA North Texas Meetup: http://www.meetup.com/CSANTX/

CSA North Texas Email: Norm Smith [email protected]

CSA North Texas Industry Days & Local University CSA Academic Days

CSA North Texas Town Hall Meetings & Monthly Luncheons

Page 43

Lessons to Walk Away With from Today’s Discussion

The New IT Landscape - All About Cloud, Mobile & Security

Educate, Build Framework, Layer Protection, Implement Incrementally

The Future of IT Is Cloud & Mobile - With Increasing Control in the Hands of End Users

Security is More Important than Ever - Risks & Liabilities from Security Threats are Substantial

You Must Take a Proactive Approach to Security

Security Must Be a Major Investment for All Organizations & Begins with Education

Build A Framework of Policies, Procedures & Security Technologies to Reduce Risks/Liabilities

Start Today! - CSA Can Help with an Array of Free Valuable Guides & Resources

Page 44

Recommended Reading

Revealed: Operation Shady Rat - McAfee - http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

Operation Red October - Kaspersky Lab - http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies

http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation

DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat - http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

Cyber-Security: The vexed question of global rules - Security & Defence Agenda (SDA) - http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf

The Global State of Information Security Survey 2013 - PwC - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

McAfee 2013 Threats Predictions - http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf

McAfee State of Security whitepaper - http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf

Trustwave 2013 Global Security Report - http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf

The 2013 Data Breach Investigations Report - Verizon - http://www.verizonenterprise.com/DBIR/2013/

2013 Information Security Breaches Survey: Technical Report - PwC - https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report

The Secret War - Wired Magazine - http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/

Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 - http://www.ncix.gov/publications/reports/fecie_all/

Government Internet Security Threat Report, Volume 18 - Symantec - http://www.symantec.com/page.jsp?id=gov-threat-report

Internet Security Threat Report (ISTR), Volume 18 - Symantec - http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf

Websense 2013 Threat Report - http://www.websense.com/assets/reports/websense-2013-threat-report.pdf

http://www.websense.com/assets/webinars/2013-Threat-Report/EMEA-EN-2013-Threat-Report/index.htm

Page 45

Additional Security Resources

SysAdmin, Audit, Networking and Security (SANS) Top 20 Critical Controls for Effective Cyber Defense

SANS Newsletters - http://www.sans.org/newsletters/

Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks

Open Web Application Security Project (OWASP) Top 10 Mobile Risks

Open Web Application Security Project (OWASP) Cheat Sheets

Australian Department of Defence (DOD) Top 35 Mitigation Strategies

National Institute of Standards and Technology (NIST) Special Publications 800 Series

European Network and Information Security Agency (ENISA) Threat Landscape

International Organization for Standardization (ISO) 27000 Series

Information Systems Audit and Control Association (ISACA) COBIT Framework

Chris Hoff’s “Sh*t My Cloud Evangelist Says” - http://www.rationalsurvivability.com/blog/

Page 46

Thank You & Contact Information

Chad M. Lawler, Ph.D., Director of Consulting Services, Cloud Computing

14643 Dallas Parkway, Suite 800, Dallas, Texas 75254

Office: 469.221.2894

Email: [email protected]

www.hitachiconsulting.com/cloud/

Connect with Me:

My CardCloud - www.cardcloud.com/chadlawler

Connect - www.linkedin.com/in/chadmlawler/

Twitter Cloud News - https://twitter.com/chad_lawler

Presentations - www.slideshare.net/chadmlawler

Page 47

Security & Compliance in the Cloud - Panel Discussion

NORTH TEXAS

CHAPTER

DALLAS / FT.WORTH

Chad M. Lawler, Ph.D. - Director of Cloud Computing, Hitachi Consulting

Nathaniel Kummerfeld, J.D. - Assistant United States Attorney, United States Attorney's Office, Eastern District of Texas

Scot Miller - Director, Security Architecture at Health Management Systems

Tom Large - Director, Corporate Information Security at Alliance Data

Tony Scott, CISSP - Senior Security and Compliance Executive, GTR Medical Group

Page 48

Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance

NORTH TEXAS CHAPTER - DALLAS / FT. WORTH

Friday, June 28, 2013

FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX

Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting