Best IT Documents.com Blog


Technical and Security Challenges in Cloud Computing from the Industry (Providers)

Posted in Visio Samples - Stencils (457) by Guest on the October 22nd, 2017

PCI DSS, SOX (CobiT) and HIPAA & HITECH simplified

Posted in Health Care HIPAA - HITECH - HITECH (98),Visio Samples - Stencils (457) by Guest on the October 22nd, 2017

The post lays the three frameworks side by side. Each group below is one control area; the entries in each group are the corresponding PCI DSS requirement, the CobiT (SOX) control objective, and the HIPAA / HITECH safeguard.

Penalties

  • PCI DSS: fines, loss of credit card processing, and Level 1 merchant requirements
  • SOX (CobiT): fines up to $5M and up to 10 years in prison
  • HIPAA & HITECH: penalties and fees up to $1.5M for neglect

Vulnerability and malware management

  • PCI DSS:
    5.1.1  Monitor zero-day attacks not covered by anti-virus
    6.2    Identify newly discovered security vulnerabilities
    11.2   Perform network vulnerability scans quarterly by an ASV (Approved Scanning Vendor)
    11.4   Maintain edge IDS and IPS to monitor and alert personnel; keep engines up to date
  • SOX (CobiT):
    DS 5.9 Malicious Software Prevention, Detection and Correction: “Put preventive, detection and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).”
    DS 5.6 Security Incident Definition: “Clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process.”
    DS 5.10 Network Security (quoted in full under Network and application protection below)
  • HIPAA & HITECH:
    164.308(a)(1)(ii)(A) Risk Analysis: conduct a vulnerability assessment
    164.308(a)(1)(ii)(B) Risk Management: implement security measures to reduce the risk of security breaches
    164.308(a)(5)(ii)(B) Protection from Malicious Software: procedures to guard against malicious software (host / network IPS)
    164.308(a)(6)(ii) Response and Reporting: mitigate and document security incidents

Logging and monitoring

  • PCI DSS:
    10.2   Automated audit trails
    10.3   Capture audit trails
    10.5   Secure logs
    10.6   Review logs at least daily
    10.7   Retain audit trail history for at least one year, with at least three months immediately available online
  • SOX (CobiT):
    DS 5.5 Security Testing, Surveillance and Monitoring: “… a logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.”
  • HIPAA & HITECH:
    164.308(a)(1)(ii)(D) Information System Activity Review: procedures to review system activity
    164.308(a)(5)(ii)(C) Log-in Monitoring: procedures for monitoring log-in attempts (host IDS)
    164.312(b) Audit Controls: procedures and mechanisms for monitoring system activity

Network and application protection

  • PCI DSS:
    6.6    Address new threats and vulnerabilities to public-facing web applications on an ongoing basis, either by reviewing them with application-layer vulnerability assessment tools or methods, or by installing a web application firewall in front of them
  • SOX (CobiT):
    DS 5.10 Network Security: “Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.”
    AI3.2  Infrastructure Resource Protection and Availability
  • HIPAA & HITECH:
    164.308(a)(1) Security Management Process: implement policies and procedures to prevent, detect, contain and correct security violations
    164.308(a)(6) Security Incident Procedures: implement policies and procedures to address security incidents

Understanding Cloud Security Alliance – Cloud Security Domains

Posted in Security (1500),Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the September 10th, 2017

Architecture

Establishes guidance, direction, advice and reference architectures, and ensures alignment with business requirements.

 

Governance

Governance and Enterprise Risk Management

The ability of an organization to govern and measure the enterprise risk introduced by Cloud computing. Items include legal precedent for agreement breaches, the ability of user organizations to adequately assess the risk of a Cloud provider, responsibility for protecting sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.

 

Legal issues; Contracts and Electronic Discovery

Potential legal issues when using Cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws etc…

 

Compliance and Audit Management

Maintaining and proving compliance when using Cloud computing. Issues discussed here include evaluating how Cloud computing affects compliance with internal security policies as well as with various compliance requirements (regulatory, legislative and otherwise). This domain includes some direction on proving compliance during an audit.

 

Data Governance

Governing data that is placed in the Cloud, items surrounding the identification and control of data in the Cloud, as well as compensating controls that can be used to deal with loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned.

 

 

Operations

Management Plane and Business Continuity

Securing the management plane and the administrative interfaces used when accessing the Cloud, including both web consoles and APIs. Ensuring business continuity for Cloud deployments.

 

Infrastructure Security

Core Cloud infrastructure security, including networking, workload security and hybrid Cloud considerations. This domain also includes security fundamentals for private Clouds.

 

Virtualization and Containers

Security for hypervisors, containers and software defined networks.

 

Incident Response Notification and Remediation

Proper and adequate incident detection, response, notification and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the Cloud brings to your current incident handling program.

 

Application Security

Securing application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of Cloud platform is most appropriate (SaaS, PaaS, IaaS).

 

Data Security and Encryption

Implementing data security and encryption, and ensuring scalable key management.

Identity, Entitlement and Access Management

Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization's identity into the Cloud. This section provides insight into assessing an organization's readiness to conduct Cloud-based identity, entitlement and access management.

 

Security as a Service

Providing third party facilitated security assurance, incident management, compliance attestation, and Identity and Access oversight.

 

Related Technologies

Established and emerging technologies with a close relationship to Cloud computing, including Big Data, the Internet of Things, and mobile computing.


Cloud – External Third Party Review and Processes

Posted in Visio Samples - Stencils (457) by Guest on the September 5th, 2017

Problem

Corporate currently has many cloud / external third-party review processes.

The Cloud security group has identified risks in the areas of:

  • Software as a Service (SaaS) – Lack of governance, visibility, and controls in the SaaS site usage.
  • Risk introduction when deploying cloud technologies and practices.
  • Corporate application re-platforming – Lack of service cloud models for public and hybrid platform implementations.
  • Secure application migration – numerous security requirements from multiple IT departments create confusion for application managers.

 

Effects

  • Lines of Business (LOB) are driven by time to market to implement before there is a strategy in place and before there is communication about the technology.
  • Consequently, each cloud public / external third party or hybrid cloud deployment may be unique with varied controls and corporate policies, procedures and approvals may not cover the services being deployed.

 

The impact of this is risk exposure to corporate in the following areas:

  • Increased attack surface, because other companies and their infrastructure become handlers of customer data, IP and corporate data.
  • Less control and visibility, because these services reside outside of our corporate network.

 

A successful solution would reduce risk to corporate by:

    • Extending the Cloud Security Strategy to cover public and hybrid cloud technologies and practices.
    • Developing and implementing control procedures and processes for public and hybrid cloud technologies and practices.
    • Ensuring consistent execution of Cloud Security controls.
    • Developing and implementing SaaS application security validation and remediation processes.

 

Scope

Provide processes and resources to guide IT security teams in the evaluation and deployment of cloud platforms and strategies (hybrid and public).

 

Develop a program approach to support remediation of SaaS sites using a CASB / CASM Tool for reporting analytics.

 

Build and provide an internal information base of research on cloud technologies and practices (hybrid and public).


In the Cloud – The Need for Trust

Posted in Security (1500),Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the August 25th, 2017

All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place.

  • Trust in this context is establishing understanding between contracting parties to conduct a transaction, and the obligations this assigns on each party involved.
  • Trust models should encompass people and organizations as well as devices and infrastructure.
  • Trust level may vary by location, transaction type, user role, and transactional risk.
  • Mutual trust assurance levels must be determinable.
  • Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data.
  • Authentication and authorization frameworks must support the trust model.

 

Identity Management and Federation

Authentication, authorization, and accountability must interoperate / exchange outside of your locus / area of control.

  • People / systems must be able to manage permissions of resources and rights of users they don’t control.
  • There must be capability of trusting an organization, which can authenticate individuals or groups, thus eliminating the need to create separate identities.
  • In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or one instance with multiple facets.
  • Systems must be able to pass on security credentials / assertions.
  • Multiple locations (areas) of control must be supported.

Access to Data

Access to data should be controlled by security attributes of the data itself.

  • Attributes can be held within the data (DRM / metadata) or could be a separate system.
  • Access / security could be implemented by encryption.
  • Some data may have “public, non-confidential” attributes.
  • Access and access rights have a temporal component. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties / privileges.
  • Permissions, keys, privileges, etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust.
  • Administrator access must also be subject to these controls. By default, data must be appropriately secured when stored, in transit, and in use.
  • Removing the default must be a conscious act.
  • High security should not be enforced for everything; “appropriate” implies varying levels with potentially some data not secured at all.
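The two sections above describe a trust model (accept assertions only from organizations you have chosen to trust, at a determinable assurance level) and data-centric access control (the data carries its own attributes, access has a temporal component, protection is the default, and administrators get no bypass). The following is an added example, not code from the original post: a relying party that verifies a short-lived, HMAC-signed assertion from a federated identity provider and then decides access purely from the record's attributes. The issuers, shared keys, users and records are constructed; the HMAC token format stands in for a real SAML or OIDC assertion.

```python
# Added example (not from the original post). Relying-party side of a
# federated trust model plus attribute-based access to data. All issuers,
# keys, principals and records below are constructed for illustration.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Trust model: identity providers we accept assertions from, the shared key
# used to verify them, and the assurance level their authentication earns.
# A partner's login is trusted, but less than a login at our own IdP.
TRUSTED_ISSUERS = {
    "idp.corp.example":    {"key": b"corp-shared-secret",    "assurance": 3},
    "idp.partner.example": {"key": b"partner-shared-secret", "assurance": 2},
}

# Records carry their own security attributes (the "metadata" option in the
# post). Anything not explicitly labelled public is protected by default.
RECORDS = {
    "press-release.txt":   {"classification": "public"},
    "customer-export.csv": {"classification": "confidential",
                            "owner_role": "finance",
                            "min_assurance": 3,
                            "not_after": "2017-12-31T00:00:00+00:00"},
}

EXAMPLE_NOW = datetime(2017, 8, 25, 12, 0, tzinfo=timezone.utc)


def issue_assertion(issuer, subject, roles, key, now, ttl_seconds=300):
    """Issuer side: a minimal signed, short-lived assertion 'body.signature'."""
    payload = {"iss": issuer, "sub": subject, "roles": sorted(roles),
               "iat": int(now.timestamp()),
               "exp": int(now.timestamp()) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_assertion(token, now):
    """Relying-party side. Returns a principal, or None when the assertion
    comes from an untrusted issuer, fails signature check, or has expired."""
    try:
        body, sig = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    issuer = TRUSTED_ISSUERS.get(payload.get("iss"))
    if issuer is None:
        return None                        # not in our trust model
    expected = hmac.new(issuer["key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                        # forged or tampered
    if now.timestamp() >= payload.get("exp", 0):
        return None                        # stale assertion
    return {"sub": payload["sub"], "roles": set(payload["roles"]),
            "issuer": payload["iss"], "assurance": issuer["assurance"]}


def authorize(principal, record_name, now):
    """Decide from the record's own attributes. Default is deny; a record opens
    only on an explicit public label, or on a matching owner role presented at
    sufficient assurance before the record's expiry. There is no admin bypass."""
    attrs = RECORDS[record_name]
    if attrs.get("classification") == "public":
        return True                        # removing protection was a conscious act
    if principal is None:
        return False
    if principal["assurance"] < attrs.get("min_assurance", 1):
        return False                       # trusted issuer, but not trusted enough
    not_after = attrs.get("not_after")
    if not_after and now >= datetime.fromisoformat(not_after):
        return False                       # temporal component of the access right
    return attrs.get("owner_role") in principal["roles"]


def run_demo(now=EXAMPLE_NOW):
    """Exercise the trust model; returns the outcome of each scenario."""
    corp_key = TRUSTED_ISSUERS["idp.corp.example"]["key"]
    partner_key = TRUSTED_ISSUERS["idp.partner.example"]["key"]
    alice = verify_assertion(issue_assertion("idp.corp.example", "alice", ["finance"], corp_key, now), now)
    bob = verify_assertion(issue_assertion("idp.partner.example", "bob", ["finance", "admin"], partner_key, now), now)
    carol = verify_assertion(issue_assertion("idp.corp.example", "carol", ["admin"], corp_key, now), now)
    mallory = verify_assertion(issue_assertion("idp.rogue.example", "mallory", ["finance"], b"guess", now), now)
    stale = verify_assertion(issue_assertion("idp.corp.example", "alice", ["finance"], corp_key, now - timedelta(hours=1)), now)
    return {
        "finance_at_home_idp": authorize(alice, "customer-export.csv", now),
        "finance_via_partner": authorize(bob, "customer-export.csv", now),
        "admin_no_bypass": authorize(carol, "customer-export.csv", now),
        "untrusted_issuer": mallory,
        "stale_assertion": stale,
        "public_record_anyone": authorize(None, "press-release.txt", now),
        "after_record_expiry": authorize(alice, "customer-export.csv", now + timedelta(days=200)),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

Two design points worth noting. The decision about who is trusted to authenticate (TRUSTED_ISSUERS) is separate from the decision about what a principal may touch (RECORDS), so a partner organization can authenticate its own users without the relying party ever creating accounts for them, yet its assertions can still be capped below the assurance a sensitive record demands. And because "admin" is just another role with no special case in authorize, administrator access falls under the same data attributes as everyone else's.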

Cloud Security & Compliance – Standards and Guidelines

Posted in Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the August 22nd, 2017

Cloud computing is a rapidly growing field and, driven by breaches and the penalties that followed them, many standards bodies and institutions have quickly developed charters and standards for cloud security. These standards address security, system development, financial reporting and other areas.

 

These are the NIST publications that provide guidelines on cloud security:

❖ NIST Cloud Computing Public Security Working Group

❖ NIST SP 500-292, NIST Cloud Computing Reference Architecture

❖ NIST SP 500-293, US Government Cloud Computing Technology Roadmap. Volume 1, 2, & 3.

❖ NIST SP 500-299, NIST Cloud Computing Security Reference Architecture

❖ NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing

❖ NIST SP 800-145, The NIST Definition of Cloud Computing

❖ NIST SP 800-146, Cloud Computing Synopsis and Recommendations

 

For cloud compliance and assurance, one can ask the cloud provider for certifications and reports attesting to compliance with security standards such as:

SSAE 16 (superseded by SSAE 18 in 2017), ISAE 3402, and SOC 1, SOC 2 and SOC 3 reports. Clients handling financial data can ask for audit reports issued under American Institute of Certified Public Accountants (AICPA) standards. The main international equivalent is ISO/IEC 27001 (International Organization for Standardization).

 

Other references:

Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)

U.S. Health Insurance Portability and Accountability Act (HIPAA) – used mostly for hospitals, medical institutes, health insurers etc.

Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 service provider – applies wherever cardholder data is stored, processed or transmitted: the finance industry, retail outlets, and anywhere else credit cards are used.

Motion Picture Association of America (MPAA)

SOX (Sarbanes-Oxley, with Section 404 covering internal controls over financial reporting) and GLBA (Gramm-Leach-Bliley Act) for financial institutions.

Other ISO standards:

ISO/IEC 27001:2013

Information Security Management System (ISMS)

If you are doing business with US Govt. then you have to abide by FedRAMP. (Federal Risk and Authorization Management Program). They have specialized requirements for secure cloud services.

Civilian and DoD organizations have to comply with NIST SP 800-37, the DoD Information Assurance Certification and Accreditation Process (DIACAP, since replaced by the DoD Risk Management Framework under DoDI 8510.01) and the Federal Information Security Management Act (FISMA). Some agencies may also require compliance with ITAR (US International Traffic in Arms Regulations).

Federal customers also need cloud systems that use FIPS 140-2 validated cryptographic modules.

OMB requires FedRAMP and FISMA compliance, with security controls drawn from NIST SP 800-53 (Rev 3 at the time of writing; FedRAMP baselines have since moved to later revisions). The Joint Authorization Board (JAB) was created to grant provisional authorizations for cloud services, which FedRAMP then continuously monitors.

The CSA (Cloud Security Alliance) mentioned above is a U.S. 501(c)(6) non-profit organization. Its mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” It created the “Security Guidance for Critical Areas of Focus in Cloud Computing” document; this post refers to version 3.0 (version 4.0 was published in July 2017).
