Best IT Documents.com Blog


Sample – Disaster Recovery System Sequences

Posted in Sample - IT Spreadsheets - PowerPoints (251),Security (1500) by Guest on the September 28th, 2017
Comments Off on Sample – Disaster Recovery System Sequences

Sample – Classified Systems Recovery Requirements Matrix

Posted in Sample - IT Spreadsheets - PowerPoints (251),Security (1500) by Guest on the September 12th, 2017
Comments Off on Sample – Classified Systems Recovery Requirements Matrix

Understanding Cloud Security Alliance – Cloud Security Domains

Posted in Security (1500),Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the September 10th, 2017

Architecture

Establish guidance, direction, advisement, reference architectures, ensures alignment to business requirements.

 

Governance

Governance and Enterprise Risk Management

The ability of an organization to govern and measure enterprise risk introduced by Cloud computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a Cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.

 

Legal issues; Contracts and Electronic Discovery

Potential legal issues when using Cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws etc…

 

Compliance and Audit Management

Maintaining and proving compliance when using Cloud computing. Issues dealing with evaluating how Cloud computing affects compliance with Internal Security Policies, as well as various compliance requirements (regulatory, legislative and otherwise) discussed here. This domain includes some direction on proving compliance during an audit.

 

Data Governance

Governing data that is placed in the Cloud, items surrounding the identification and control of data in the Cloud, as well as compensating controls that can be used to deal with loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned.

 

 

Operations

Manage Plan and Business Continuity

Securing the management plan and administrative interfaces used when accessing the Cloud, including both web consoles and API’s. Ensuring business continuity for Cloud deployments.

 

Infrastructure Security

Core Cloud infrastructure security, including networking, workload security and hybrid Cloud considerations. This domain also includes security fundamentals for private Clouds.

 

Virtualization and Containers

Security for hypervisors, containers and software defined networks.

 

Incident Response Notification and Remediation

Proper and adequate incident detection, response, notification and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the Cloud brings to your current incident handling program.

 

Application Security

Securing application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of Cloud platform is most appropriate (SaaS, PaaS, IaaS).

 

Data Security and Encryption

Implementing data security and encryption, and ensuring scalable key management.

Identity, entitlement, and Access Management

Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization identity into the Cloud. This section provides insight into assessing an organization’s readiness to conduct Cloud-based identity, entitlement, and Access Management (IDM).

 

Security as a Service

Providing third party facilitated security assurance, incident management, compliance attestation, and Identity and Access oversight.

 

Related Technologies

Established and emerging technologies with a close relationship to Cloud computing, including Big Data, Internet of things, and mobile computing.

Comments Off on Understanding Cloud Security Alliance – Cloud Security Domains

Cloud – External Third Party Review and Processes

Posted in Visio Samples - Stencils (457) by Guest on the September 5th, 2017

Problem

Currently corporate has many cloud / external third party review and processes

The Cloud security group has identified risks in the areas of:

  • Software as a Service (SaaS) – Lack of governance, visibility, and controls in the SaaS site usage.
  • Risk introduction when deploying cloud technologies and practices.
  • Corporate application re-platforming – Lack of service cloud models for public and hybrid platform implementations.
  • Secure application migration – numerous security requirements from multiple IT departments create confusion for application managers.

 

Affects

  • Lines of Business (LOB) are driven by time to market to implement before there is a strategy in place and before there is communication about the technology.
  • Consequently, each cloud public / external third party or hybrid cloud deployment may be unique with varied controls and corporate policies, procedures and approvals may not cover the services being deployed.

 

The impact of which is

  • Risk exposure to corporate in the following areas.
  • Increased attack surface by allowing other companies and infrastructure to be handlers of customer data, IP and Corporate data.
  • Less control and visibility because these services reside outside of our corporate network.

 

A successful solution would

  • Reduce risk to corporate by
    • Extending the development of Cloud Security Strategy to cover public and hybrid cloud technologies and practices.
    • Developing and implementing control procedures and processes for public and hybrid cloud technologies and practices.
    • Ensure consistent execution of Cloud Security controls.
    • Developing and implementing SaaS application security validation and remediation processes.

 

Scope

Provide processes and resources to guide IT security teams in the evaluation and deployment of cloud platforms and strategies (hybrid and public).

 

Develop a program approach to support remediation of SaaS sites using a CASB / CASM Tool for reporting analytics.

 

Build and provide an internal information base of research on cloud technologies and practices (hybrid and public).

Comments Off on Cloud – External Third Party Review and Processes