The rapid evolution of cloud-based computing is often cited as a possible paradigm shift in computing. The centralized processing and storage of data enables new architectural approaches as well as completely new usage experiences. As quickly as technological development enables new usage scenarios, adoption issues arise from a security point of view.

This workshop enables IT security practitioners to respond to the corresponding adoption challenges by presenting new security models that address the changed information security requirements and threat models of cloud computing. These approaches are developed based on ERNW security models, risk and trust metrics, case studies from real-world projects, and war stories from security evaluations of cloud environments. The workshop enables the participants to make well-founded decisions about requests for cloud usage, to decide whether the requested usage can be realized in compliance with the company’s security objectives, and to know how to respond to their CEO/CIO/business units once they come up with the idea to “move to the cloud”.

Target Audience:

  • Information Security Officers
  • IT managers
  • Project Security Officers
  • Auditors

Auditing the Cloud: Agenda

Cloud Computing Basics

  • Foundational technologies and their corresponding security implications
  • Introduction to main cloud providers and standards
  • Live demos
  • Buzzwords explained (e.g. actual impact of “as a Service”, “Scalability”, “Pay as you go”)

Threats

  • Known attack vectors (which have already been exploited)
  • War stories from performed security assessments
  • Detailed illustration of the changed threat landscape
  • Conclusion in the form of a detailed cloud attack surface

Main Resulting Risks, based on:

  • Risk assessments
  • Frameworks (e.g. Cloud Security Alliance)
  • Recently performed projects

Trust and Audit Metrics

  • Implications of “Black box cloud environments”
  • Application of the ERNW trust model to cloud environments
  • How to address security concerns: The system operation lifecycle
  • Discussion of typical cloud certifications (e.g. ISO27000, SSAE16/SAS70)
  • Sample cloud audit questionnaires

Cloud Security

  • Security as a Service explained
  • Actual security functionality of cloud environments mapped to real world security requirements
  • Case studies
  • Preventing/Prohibiting cloud usage

Guidance and Governance

  • Preventing/Prohibiting cloud usage
  • A Critical Review of the CSA’s ‘Security Guidance’ document

Compliance

  • Discussion of compliance requirements in cloud environments
  • Impact on data protection laws, PCI, SOX
  • Compliant Cloud Service Providers

Many additional topics can be covered on request and are provided in appendices of the core course material.

This workshop is held by Matthias Luft, a long-serving cloud security expert at ERNW.

We are looking forward to an interesting workshop with you!
The ERNW / TROOPERS Team