The rapid evolution of cloud-based computing is often used to illustrate a possible paradigm shift in computing. The centralized processing and storage of data allow new architectural approaches as well as completely new usage experiences. But as fast as technological development enables new usage scenarios, adoption issues arise just as fast from a security point of view.
This workshop enables IT security practitioners to respond to these adoption challenges by presenting new security models that address the changed information security requirements and threat models of cloud computing. These approaches are developed based on ERNW security models, risk and trust metrics, case studies from real-world projects, and war stories from security evaluations of cloud environments. The workshop enables participants to make well-founded decisions about requests for cloud usage, to decide whether the requested usage can be realized in compliance with the company’s security objectives, and to know how to respond to their CEO/CIO/business units once they come up with the idea to “move to the cloud”.
Target Audience:
- Information Security Officers
- IT managers
- Project Security Officers
- Auditors
Auditing the Cloud: Agenda
Cloud Computing Basics
- Foundational technologies & corresponding security implications
- Introduction to main cloud providers and standards
- Live demos
- Buzzwords explained (e.g. actual impact of “as a Service”, “Scalability”, “Pay as you go”)
Threats
- Known attack vectors (which have already been exploited)
- War stories from performed security assessments
- Detailed illustration of the changed threat landscape
- Conclusion in the form of a detailed cloud attack surface
Main Resulting Risks, based on:
- Risk assessments
- Frameworks (e.g. Cloud Security Alliance)
- Recently performed projects
Trust and Audit Metrics
- Implications of “Black box cloud environments”
- Application of the ERNW trust model to cloud environments
- How to address security concerns: The system operation lifecycle
- Discussion of typical cloud certifications (e.g. ISO27000, SSAE16/SAS70)
- Sample cloud audit questionnaires
Cloud Security
- Security as a Service explained
- Actual security functionality of cloud environments mapped to real world security requirements
- Case studies
- Preventing/Prohibiting cloud usage
Guidance and Governance
- Preventing/Prohibiting cloud usage
- A Critical Review of the CSA’s ‘Security Guidance’ document
Compliance
- Discussion of compliance requirements in cloud environments
- Impact on Data Protection laws, PCI, SOX
- Compliant Cloud Service Providers
Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.