Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance Key Note Address by Chad M. Lawler, Ph.D. Cloud Security Alliance - North Texas Chapter Friday, June 28, 2013
Security & Compliance in the Cloud
Standards, Security & Proactively Managing Governance, Risk & Compliance
Cloud Security Alliance - North Texas Chapter, Dallas / Ft. Worth
Friday, June 28, 2013
FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX
Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting
Goals & Overview of Today's Discussion
Goals
• Awareness - Encourage Focus on Security, Governance & Compliance; Create Broad Awareness & Provide Education
• Focus on Best Practices - For Risk & Security Mitigation, Regulatory Compliance & Governance
• Overview of Cloud Security Alliance (CSA) & Research Areas
Overview
• Cloud is Changing Business & IT - The New IT Landscape
• Cloud Security Alliance - Research & Standards
• Panel Discussion
* Today’s Presentation Slides - http://www.slideshare.net/chadmlawler/
Cloud is Changing Business & IT - The New IT Landscape
Cloud is Changing Business & IT - The New IT Landscape
IT Operations + Multi Cloud: legacy coexistence with cloud migration and new cloud apps; multiple applications spread across legacy and cloud environments; selective outsourcing and managed services; private, public and hybrid cloud utilization.
• Datacenter - Traditional data center; on-site traditional infrastructure; dedicated with limited virtualization; internal application provisioning
• Private Cloud - Next generation datacenter, on-site private cloud IaaS utility; dedicated on-site infrastructure; internal application provisioning
• Public Cloud - Regional datacenters; public cloud datacenter, off-site utility; pay-as-you-go consumption; external application provisioning
• Hybrid Cloud - Public/private/virtual private; enterprise datacenter on-site + off-site utility; dedicated infrastructure + utility; internal + external provisioning
Next Generation Datacenter Transition: Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix (SaaS, IaaS & PaaS)
Cloud is Changing Business & IT - The New IT Landscape
(Diagram: the cloud ecosystem of SaaS, IaaS and PaaS services and providers around your business, with business and end users circumventing your central IT and increasing shadow IT)
Cloud is Changing Business & IT - The New IT Landscape
Enterprise Cloud Model - Multi-Source Hybrid Public/Private Mix
Focus on Cloud Supply Chain, Security & Governance
• Mix of public-private cloud services from multiple, different cloud providers
• With the cloud comes increased complexity, disruptive for both business and IT
• Increased need for risk visibility, management, governance and security
• Businesses are already negotiating multiple cloud service contracts with different providers
• Using multiple/different cloud services means more contracts, payments and providers to manage
• Need for new best practices for security, cloud supply chain management and resource control
Cloud + Mobile
• Dispersal of applications
• Dispersal of data
• Dispersal of users
• Dispersal of endpoint devices
(Diagram: cloud users, public clouds and private clouds shown relative to a notional organizational boundary)
www.cloudsecurityalliance.org
Cloud is Changing Business & IT - The New IT Landscape
Copyright © 2013 Cloud Security Alliance
Cloud is Changing Business & IT - The New IT Landscape
Where IT is Going
• Technology consumerization and its offspring
• Cloud: compute as a utility
• Smart Mobility: compute anywhere
• Shifting balance of power to technology users
• Organizational structure & business planning
• Disrupting IT and IT security through agility
Key Trust Issues
• Transparency & visibility from providers
• Compatible laws across jurisdictions
• Data sovereignty
• Incomplete standards
• Multi-tenant technologies & architecture
• Incomplete identity management
• Consumer awareness & engagement
Is Challenging Our Assumptions About… Everything
Cloud is Changing Business & IT - The New IT Landscape
Governance - Administration & Control of IT Assets
• Measurement, Policy & Enforcement
• Appropriate & Authorized Resource Use
Security & Risk - Confidentiality, Integrity & Availability
• Security Protection, Controls & Reporting
• Incident Mitigation, Detection & Response
Compliance - Legal & Regulatory
• Policies, Standards & Procedures
• Auditing & Reporting
(Diagram: governance, security & risk and compliance applied across public cloud, private cloud, datacenter and hybrid cloud environments)
A Look at Today's Security Landscape - Facing Modern Security Threats
The State of Information Security
The Global State of Information Security Survey 2013
Source: The Global State of Information Security Survey 2013 - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
Google's Safe Browsing - Increasing Security Threats
• Examines billions of URLs; discovers 1000s of unsafe sites daily
• Many are legitimate websites that have been compromised!
• Sites that steal personal information or install software to take over computers
Source: Google - http://www.google.com/transparencyreport/safebrowsing/
Websense 2013 Threat Report
Source: Websense - http://www.websense.com/assets/webinars/2013-Threat-Report/EMEA-EN-2013-Threat-Report/index.htm
Security Incidents Since 2008…? Too Many to List
1. Yahoo Japan - the identity details of up to 22 million users may have been compromised when attackers hacked into its computer systems.
2. Washington State Court System - May 2013 - Exposed 160,000 social security numbers from a cyber attack on servers operated by the Washington state court system.
3. Federal Reserve - May 2013 - Federal Reserve security breach of undisclosed information. Anonymous exploited a zero-day exploit in Adobe ColdFusion.
4. Alabama Criminal Justice Information Center - May 2013 - Anonymous hack posts 4,000 bank exec credentials, login & contact info, & IP addresses.
5. LivingSocial.com - April 2013 - Security breach that exposed names, e-mail addresses and password data for up to 50 million of its users.
6. Twitter - February 2013 - 250,000 accounts hacked in security breach; hackers access usernames, email addresses and passwords in 'sophisticated' operation.
7. US Army Corps of Engineers' National Inventory of Dams (NID) - Cyber intrusion into sensitive information on vulnerabilities of 8,100 major dams in the US by Chinese cyber warriors.
8. Wyndham Hotels - Announced in 2012, began in 2008 - Over $10.6 million in credit card transactions made fraudulently. The most egregious security breach of 2012. The Federal Trade Commission brought a lawsuit against Wyndham Hotels.
9. Zappos - Jan 2012 - hackers compromise over 24 million records which included user names, phone numbers, email addresses, partial credit card numbers, and encrypted passwords.
10. LinkedIn/eHarmony - June 2012 - 8 million passwords taken.
11. Last.fm - In mid-2012 - hackers exploited lax security to make off with millions of user passwords.
12. Medicaid - March 30, 2012 - hackers broke into a Utah Department of Health Medicaid server, exposing 280,000 residents' Social Security numbers & health data of 500,000 residents.
13. Sutter Physicians Services - 2011 - 3.3 million patients' medical details stolen, stored in encrypted format. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November, when a thief stole a desktop computer.
14. Sony's PlayStation Network - April 20, 2011 - Over 100 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month, and faced an ongoing customer relations fallout and class-action lawsuits over its failure to protect over 100 million user records.
15. ESTsoft - July-August 2011 - Personal information of 35 million South Koreans exposed after hackers breached the security of a popular software provider.
16. Tricare and SAIC - Sept 2011 - 5.1 million people's records breached. Backup tapes containing SAIC (Science Applications International Corporation) data, with data on current and retired members of the armed services and their families, were stolen from the car of a Tricare employee. Led to a $4.9 billion lawsuit being filed.
17. Nasdaq - 2011 - attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.
18. Yahoo - 2011 - 450,000 user names and passwords stolen. Hackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and managed to steal files from Yahoo's Contributor Network. Shockingly, these files were not encrypted and were instead stored in plain text.
19. Epsilon - March 2011 - Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms.
20. RSA Security - March 2011 - 40 million employee records stolen. Attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack.
21. Stuxnet - Sometime in 2010, but origins date to 2007 - Attack on Iran's nuclear power program; serves as a template for real-world intrusion and service disruption.
22. VeriSign - Throughout 2010 - Impact: undisclosed information stolen.
23. Gawker Media - December 2010 - Compromised e-mail addresses and passwords of about 1.3 million users on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.
24. Google / Yahoo / Silicon Valley companies - Mid-2009 - Stolen intellectual property. In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies.
25. US Military Networks - 2008 cyberattack - "Worst breach of U.S. military computers in history" and "the most significant breach of U.S. military computers ever." The Pentagon spent 14 months cleaning military networks. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." - William J. Lynn 3d, Deputy Secretary of Defense. Led to the creation of the US Cyber Command.
26. Heartland Payment Systems - March 2008 - Impact: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.
Texas Comptroller's 3.5 Million Record Breach
Source: Cyber Risk Remains a Serious Threat Facing Public Entities - http://www.netdiligence.com/files/Public%20Entity%20Cyber%20Risk-061512.pdf
The state's investigation revealed that the data was not encrypted, even though Texas administrative rules require encryption of data files containing sensitive information.
Personally Identifiable Information Consumer Notifications
Source: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/vermont-security-breaches.php
Increasing Security Threat for SMBs
PWC InfoSec 2013 flags a rise in SMB security breaches: SMBs can no longer afford to assume their small size will keep them off the radar of cyber criminals and hackers.
"Hacking at small businesses is a prolific problem… It's going to get much worse before it gets better."
Dean Kinsman, Special Agent, FBI's Cyber Division
Revealed: Operation Shady Rat
Operation Shady Rat - August 2011
Targeted intrusions into more than 70 global companies, governments and non-profit organizations over five years
Source: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
"Targeted intrusion is a problem of massive scale that affects nearly every industry … and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."
Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011
Operation Red October
Operation Red October - January 11, 2013
Kaspersky Lab research report which identified a cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
Attackers gathered sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
Source: http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide
"There is sensitive geopolitical information being stolen, which is very valuable... Over the course of the last five years, we believe several terabytes of data was stolen - it's massive."
Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, 2013
DoD Networks Completely Compromised by Foreign Spies
"We've got the wrong model here. …this model for cyber that says, 'We're going to develop a system where we're not attacked…' I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway. We have to protect the data anyway."
James Peery, Director of Sandia National Labs' Information Systems Analysis Center
http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-say#
U.S. Weapons Systems Compromised by Chinese Cyberspies
http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/
Designs for many of the nation's most sensitive advanced weapons systems have been stolen and compromised by Chinese hackers.
Designs stolen:
• Patriot missile system, known as PAC-3
• An Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD
• The Navy's Aegis ballistic-missile defense system
• F/A-18 fighter jet
• The V-22 Osprey and the Black Hawk helicopter
• The Navy's new Littoral Combat Ship
• The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion, stolen by Chinese cyberhackers in 2007
• Drone video systems, nanotechnology, tactical data links and electronic warfare systems also compromised
Defense contractors include: Boeing, Lockheed Martin, Raytheon and Northrop Grumman.
"In many cases, they (DoD Contractors) don't know they've been hacked until the FBI comes knocking on their door. This is billions of dollars of combat advantage for China. They've just saved themselves 25 years of research and development. It's nuts."
Senior Military Official, on Compromise of US Weapons Systems Designs
ONCIX Report to Congress: Foreign Economic Collection & Industrial Espionage, 2009-2011
Office of the National Counterintelligence Executive
Source: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 - http://www.ncix.gov/publications/reports/fecie_all/
Proactively Managing Governance, Risk & Compliance - Educate, Build A Framework, Layer Protection, Implement Incrementally
"No single product will stop spear-phishing, protect sensitive data, thwart malware, or put an end to malicious insiders… Instead there are several solutions across endpoint, network, data security and security management that can and should be used in a connected framework to enrich each other and thus mitigate risk…"
McAfee - Building a Better Shady RAT Trap
Elevate Security Importance - Build a Governance Framework
CSA Governance, Risk Management and Compliance (GRC) Stack
• https://cloudsecurityalliance.org/research/projects/grc-stack/
Integrated Cloud Framework: Security, Governance, Compliance
• http://www.slideshare.net/chadmlawler/
Build Incremental Security Layers
Integrate Complete Security Solutions in Cloud Environments
• Deep Code-Level Security Vulnerability Reviews on All Cloud Applications
• Security Services: Single Sign On (SSO), PKI & Certificate Management
• Identity Management, Vulnerability Scanning, PII Detection & Continuous Auditing
• SIEM with Root Cause Analysis & Risk Assessment, Patch & Log Management System
• AntiVirus & AntiMalware System, IPS/IDS Event Management & Data Loss Prevention
• Data Encryption for Data at Rest, SSL/HTTPS for Data in Transit
"If you can't stop attacks (spear-phishing), you can at least know when they occur if you have a properly tuned Security Incident & Event Management (SIEM) system in place. You need all the key components feeding data into it, including:
• Proactive, organized response procedures for security incidents
• A Security Operations Center (SOC) & monitoring system
• Intrusion Detection & Prevention System (IDS/IPS)
• Security logs with monitoring and analysis
• Data Loss Prevention (DLP) & Encryption
• Host-based anti-malware & antivirus"
Proactively Managing Governance, Risk & Compliance
• Understand that Security in the Cloud Must be Managed
• Implement a Policy that Calculates & Quantifies Cloud Application Risk
• Evaluate Application & Data Security Requirements
• Plan & Budget for Implementing Security Services
• Leverage a Framework Which Covers all Key Risk & Liability Areas
• Implement & Adhere to Your Framework as a Roadmap to Reduce Risks
• Be Proactive in Working to Mitigate Liabilities & Risks
CSA - Research & Standards: Resources, Education & Best Practices
About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 33,000 individual members, 150 corporate members, 60 chapters
• Building best practices and a trusted cloud ecosystem
• Research
• Education
• Certification
• Advocacy of prudent public policy
• Innovation, Transparency, GRC, Identity
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
Global Efforts
• Europe
• Proposed EU Data Privacy Regulation
• EC European Cloud Partnership
• US Federal government
• NIST
• FedRAMP
• APAC
• Standards bodies
• ISO SC 27
• ITU-T FG 17
• DMTF, PCI Standards Council
CSA Contributions - Research Projects - "Security Guidance For Critical Areas of Focus"
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Cloud Architecture
• Security as a Service
(Diagram groups the domains under "Governing the Cloud" and "Operating in the Cloud")
CSA GRC Stack
(Diagram: control requirements and provider assertions across private, community & public clouds)
• Family of 4 research projects
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol
• Tools
• Tools for governance, risk and compliance management
• Enabling automation and continuous monitoring of GRC
CSA STAR Registry
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Based on Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator
• www.cloudsecurityalliance.org/star
CCSK - Certificate of Cloud Security Knowledge
• Benchmark of cloud security competency
• Measures mastery of CSA guidance and ENISA cloud risks whitepaper
• Understand cloud issues
• Look for the CCSKs at cloud providers, consulting partners
• Online web-based examination
• www.cloudsecurityalliance.org/certifyme
• www.cloudsecurityalliance.org/training
CSA Resources & Activities
• Resources
Research: www.cloudsecurityalliance.org/research/
CCSK Certification: www.cloudsecurityalliance.org/certifyme
Chapters: www.cloudsecurityalliance.org/chapters
National Email: [email protected]
National LinkedIn Group: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa
• Local DFW CSA North Texas Resources & Activities
CSA North Texas LinkedIn Group: http://www.linkedin.com/groups?gid=3856567
CSA North Texas Meetup: http://www.meetup.com/CSANTX/
CSA North Texas Email: Norm Smith [email protected]
CSA North Texas Industry Days & Local University CSA Academic Days
CSA North Texas Town Hall Meetings & Monthly Luncheons
Lessons to Walk Away With from Today’s Discussion
The New IT Landscape - All About Cloud, Mobile & Security
Educate, Build Framework, Layer Protection, Implement Incrementally
The Future of IT Is Cloud & Mobile - With Increasing Control in the Hands of End Users
Security is More Important than Ever - Risks & Liabilities from Security Threats are Substantial
You Must Take a Proactive Approach to Security
Security Must Be a Major Investment for All Organizations & Begins with Education
Build A Framework of Policies, Procedures & Security Technologies to Reduce Risks/Liabilities
Start Today! - CSA Can Help with an Array of Free Valuable Guides & Resources
Recommended Reading
• Revealed: Operation Shady Rat - McAfee - http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
• Operation Red October - Kaspersky Lab - http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies and http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
• DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat - http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
• Cyber-Security: The vexed question of global rules - Security & Defense Agenda (SDA) - http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf
• The Global State of Information Security Survey 2013 - http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
• McAfee 2013 Threats Predictions - http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf
• McAfee State of Security whitepaper - http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf
• Trustwave 2013 Global Security Report - http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
• The 2013 Data Breach Investigations Report - Verizon - http://www.verizonenterprise.com/DBIR/2013/
• 2013 Information Security Breaches Survey: Technical Report - PWC - https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report
• The Secret War - Wired Magazine - http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/
• Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 - http://www.ncix.gov/publications/reports/fecie_all/
• Government Internet Security Threat Report, Volume 18 - Symantec - http://www.symantec.com/page.jsp?id=gov-threat-report
• Internet Security Threat Report (ISTR), Volume 18 - Symantec - http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
• Websense 2013 Threat Report - http://www.websense.com/assets/reports/websense-2013-threat-report.pdf and http://www.websense.com/assets/webinars/2013-Threat-Report/EMEA-EN-2013-Threat-Report/index.htm
Additional Security Resources
• SysAdmin, Audit, Networking and Security (SANS) Top 20 Critical Controls for Effective Cyber Defense
• SANS Newsletters - http://www.sans.org/newsletters/
• Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks
• Open Web Application Security Project (OWASP) Top 10 Mobile Risks
• Open Web Application Security Project (OWASP) Cheat Sheets
• Australian Department of Defence (DOD) Top 35 Mitigation Strategies
• National Institute of Standards and Technology (NIST) Special Publications 800 Series
• European Network and Information Security Agency (ENISA) Threat Landscape
• International Organization for Standardization (ISO) 27000 Series
• Information Systems Audit and Control Association (ISACA) COBIT Framework
• Chris Hoff's "Sh*t My Cloud Evangelist Says" - http://www.rationalsurvivability.com/blog/
Thank You & Contact Information
Chad M. Lawler, Ph.D. Director of Consulting Services
Cloud Computing
14643 Dallas Parkway, Suite 800, Dallas, Texas 75254
Office: 469.221.2894
Email: [email protected]
www.hitachiconsulting.com/cloud/
Connect with Me:
My CardCloud - www.cardcloud.com/chadlawler
Connect - www.linkedin.com/in/chadmlawler/
Twitter Cloud News - https://twitter.com/chad_lawler
Presentations - www.slideshare.net/chadmlawler
Security & Compliance in the Cloud - Panel Discussion
Cloud Security Alliance - North Texas Chapter, Dallas / Ft. Worth
• Chad M. Lawler, Ph.D. - Director of Cloud Computing, Hitachi Consulting
• Nathaniel Kummerfeld, J.D. - Assistant United States Attorney, United States Attorney's Office, Eastern District of Texas
• Scot Miller - Director, Security Architecture at Health Management Systems
• Tom Large - Director, Corporate Information Security at Alliance Data
• Tony Scott, CISSP - Senior Security and Compliance Executive, GTR Medical Group