cloud privacy and security (Risk Assessment)

ITC568_201860_Wk1_CloudSecurityEcosystem.pptx

ITC568 Cloud Privacy and Security

The Cloud Security Ecosystem

Week 1

Dr. Peter White

Agenda

Course Administration

Introduction

The Cloud Security Ecosystem

Cybercrime in the Cloud

© P White, 2017

Course Administration

Contact Lecturer:

Email [email protected] (put ITC568 in the subject line)

Assignments

Assignment 1 – due 11 August 2017 (10%)

Privacy and security reflection

Assignment 2 – due 25 Aug 2017 (25%)

Team assignment

Risk assessment based on a case study

Assignment 3 – due 22 Sep 2017 (30%)

Team assignment

Develop privacy and data protection strategies based on an updated case study

Assignment 4 – due 09 Oct 2017 (35%)

Team assignment

Develop PII privacy and data protection strategy

Online Session

There will be an online lecture and tutorial session each Thursday evening commencing at 19:00. These sessions will be recorded.

The recordings will be uploaded to the ITC568 Resources site so that you can either download or stream them.


ITC568 Online session format

This subject will require you to conduct a reasonable amount of research, both on your own and as part of your governance team.

The online sessions will be more of a guide followed by a discussion. You should not rely on just the session notes to give you enough information to successfully complete the subject.

ITC568 Reference Managers

It is highly recommended that you use a reference manager to manage your references:

Mendeley - https://www.mendeley.com/

Zotero - https://www.zotero.org/

EndNote (CSU provided) - http://libguides.csu.edu.au/c.php?g=482066&p=3296596

A reference manager will help you to correctly cite your sources and build a reference list at the end of the assignment.

You will be required to provide references in APA 6th edition format in all ITC568 assignments.

Download one and start to use it TODAY!

Governance Teams

Most governance work in industry or government is conducted in small teams.

We will be using governance teams for most of our assignments. These usually prove to be quite helpful as you can:

Share ideas,

Learn from and with each other, and

Develop a really good governance framework quickly by working cooperatively.

Introduction


What is Information Security? The user view


What is Information Security? The ICT view


Information Security

We can define InfoSec very simply as:

“The protection of data against unauthorised access” (Griffiths, D. 2010)

But a more complete definition would be:

“preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”  (ISO/IEC 27001:2005(E), 2005)

This second definition provides a more accurate view of InfoSec.

It is a view that looks to some of the particular needs of business, but it can also be used to view our personal security requirements.

Information Security Goals

C.I.A.

Confidentiality

Integrity

Availability

Confidentiality

Confidentiality is the avoidance of the unauthorized disclosure of information.

Confidentiality involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about its content.

Integrity

Integrity: the property that information has not been altered in an unauthorized way.

Achieving Integrity:

Backups: the periodic archiving of data.

Checksums: the computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed so that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.

Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected.
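The checksum and data-correcting-code points above, as an added example that is not from the slides: a SHA-256 checksum over a constructed record notices a single flipped bit but cannot say which bit changed, while a Hamming(7,4) code (chosen here as the illustrative error-correcting code; the slide names none) both detects and repairs the flipped bit.

```python
import hashlib

# --- Checksums: detect a change, but cannot say which bit changed ---
def checksum(data: bytes) -> str:
    """SHA-256 digest of the whole input; every byte influences the output."""
    return hashlib.sha256(data).hexdigest()

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit (LSB-first within each byte) inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def checksum_detects(data: bytes, bit_index: int) -> bool:
    """True if a single-bit flip changes the stored checksum (tampering detected)."""
    return checksum(data) != checksum(flip_bit(data, bit_index))

# --- Data correcting code: Hamming(7,4) detects AND repairs one flipped bit ---
def hamming_encode(d: list) -> list:
    """4 data bits -> 7-bit codeword laid out as [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4   # parity over codeword positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4   # parity over codeword positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4   # parity over codeword positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]

def hamming_decode(c: list) -> tuple:
    """Return (recovered 4 data bits, error position 1..7, or 0 if clean)."""
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    syndrome = s1 | (s2 << 1) | (s3 << 2)   # binary value = 1-based error position
    fixed = list(c)
    if syndrome:
        fixed[syndrome - 1] ^= 1             # repair the single flipped bit
    return [fixed[2], fixed[4], fixed[5], fixed[6]], syndrome

if __name__ == "__main__":
    record = b"account=1234;balance=100"    # constructed sample "file" contents
    print("checksum detects bit 5 flip:", checksum_detects(record, 5))
    word = hamming_encode([1, 0, 1, 1])
    damaged = list(word)
    damaged[4] ^= 1                          # corrupt codeword position 5
    print("hamming recovered (bits, error position):", hamming_decode(damaged))
```

The checksum alone tells you the backup copy must be restored; the Hamming code repairs the stored word in place, which is the distinction the two bullet points draw.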


Availability


Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so.

Achieving Availability:

Physical protections: infrastructure meant to keep information available even in the event of physical challenges.

Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures.


The Layered Approach to Security

Don’t rely on a single aspect to protect you, like castle walls

Add additional security measures like moats, narrow bridges, strong imposing gates, a portcullis, boiling oil, etc.

Only allow entry through a controlled chokepoint – a gate

Keep a good lookout from an elevated position to see threats from afar


Chokepoints

Chokepoints are used to control and monitor access

Chokepoints allow an organisation to concentrate resources on a known point of security interest.

This point can then be controlled and monitored.

This increases the level of security as the organisation can now focus on these areas of real concern.

The identification and use of chokepoints will also reduce the chance of exposure as a result of configuration errors.

This is a more effective solution than trying to enforce many security controls in many different areas simultaneously.

The use of chokepoints also helps to reduce security costs while increasing security effectiveness.

Threats and Issues

Top 12 threats to cloud services in 2016:

Data breaches

Insufficient Identity, Credential and Access Management

Insecure interfaces & APIs

System Vulnerabilities

Account hijacking

Malicious Insiders

Advanced Persistent Threats

Data Loss

Insufficient Due Diligence

Abuse and nefarious use of Cloud Services

Denial of Service

Shared Technology Issues

Cloud Security Alliance. (2016). The Treacherous 12. Cloud Computing Top Threats in 2016. Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Threats and Issues

The Australian Signals Directorate has produced a number of publications for both consumers and providers of cloud services.

The cloud computing security considerations document looks at:

Maintaining availability & functionality

Protecting data from unauthorised access by:

Third parties

Other cloud consumers

Rogue provider employees

Handling security incidents

These documents also give some non-exhaustive but detailed security considerations at http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_Considerations.pdf

https://www.asd.gov.au/publications/protect/essential-eight-explained.htm

Managing Cloud Security

The Deming Cycle

Plan

What are the threats faced?

What are the risks faced?

What are the organisation’s requirements?

Do

Cloud Security

Privacy of your data

Check

Incident response

Forensics

Act

Governance

Auditing

Essential tasks

Download and install a reference manager

Start looking at assignment 1. It requires you to:

Read Chapter 2 of the text

Start thinking about how you will answer the questions

Start looking for information about these case studies to ensure that you have all the information you need – make sure that you record the references!

Tasks

Essential reading:

Ko, R., & Choo, K. (2015). Cloud security ecosystem. In Ko, R., & Choo, K. (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.

Lau, Y. (2015). Cybercrime in cloud: Risks and responses in Hong Kong, Singapore. In Ko, R., & Choo, K. (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.

Cloud Security Alliance. (2016). The Treacherous 12. Cloud Computing Top Threats in 2016. Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Research task:

What is the McCumber Cube? How does this cube help you to assess information security?

Don’t forget to store the references you find!