Security, Compliance and Trust in Cloud

Keywords: Security, Trust, Cloud Computing
Authors: Dennis R. Moreau, Ph.D., CTO and Founder of Configuresoft, Inc.
Abstract:
While cloud computing promises major agility, hosting and implementation advantages for an innovative class of applications and services, it also introduces some new complexities in the areas of validating security posture, assessing regulatory/statutory compliance, establishing coherent trust levels across the service stack and modeling risk across more coupled assets and service composition.

Cloud infrastructures rely on IT infrastructure that leverages the asset isolation, resource leveraging and provisioning dynamics of virtualization technology. Isolation limits the visibility of security configuration across layers of complex technology, each with emerging vulnerabilities and consequent control and remediation requirements. Intimate resource sharing creates a degree of coupling of both security posture and operational behavior of co-hosted assets. The flexible nature of workload distribution over dynamically provisioned assets places new demands on both configuration visibility and security policy orchestration.

Evolving regulatory controls for effective service isolation and inconsistent international privacy control requirements elevate the need for better situational awareness and more flexible provisioning control than in traditional computing environments. Multi-tenancy and application composition elevate the need for better infrastructure health, security posture and compliance visibility across cooperating participants.

Each of the issues described above complicates efforts to comprehensively understand risk, support effective governance decisions and implement appropriate control objectives.

This session will establish the technical basis for these concerns and the informational/methodological basis for effectively addressing them in the cloud.

Bio Sketch:
As a Founder and the Chief Technology Officer for Configuresoft, Dennis Moreau is a specialist in the application of leading-edge technologies to the solution of complex problems in the Information Technology management domain. His primary focus is in developing enterprise-scale solutions to improve IT efficiency and effectiveness for systems management, security compliance and configuration optimization. He works actively with the National Institute of Standards and Technology (NIST) and Mitre on the development of security configuration policy compliance standards.

Dennis has more than 20 years of experience in evaluating, designing and managing complex software systems. Prior to founding Configuresoft, he was the Associate Vice President and Chief Technology Officer for Baylor College of Medicine (BCM). He holds a doctorate in Computer Science and speaks regularly at IT management and security conferences.

Recent Speaking Engagements:

· “Emerging Security Issues in Cloud, Grid and Virtualization Environments”, Office of Naval Research, Richmond, VA, January 16, 2009.
· “Endpoint Virtualization and Enterprise Security”, BrightTalk Desktop Virtualization Summit Webcast, December 10, 2008.
· “Virtualization Security Solutions”, Computer Security Institute CSI 2008: Virtualization Security Summit, November 15-21, 2008, National Harbor, MD.
https://www.cmpevents.com/CSI35/a.asp?option=C&V=11&SessID=7524
· “Virtualization for Improved Security”, Computer Security Institute CSI 2008: Virtualization Security Summit, November 15-21, 2008, National Harbor, MD.
https://www.cmpevents.com/CSI35/a.asp?option=C&V=11&SessID=7524
· Expert Panel with Brad Smith: “The Fate of the secure Operating System”, Computer Security Institute CSI 2008, November 15-21, 2008, National Harbor, MD.
https://www.cmpevents.com/CSI35/a.asp?option=C&V=11&SessID=7542
· “Security Across the Virtualization Stack” Configuresoft Webinar, November 6, 2008.
· “Virtualization and Enterprise Security”, Network and Systems Professionals Association (NASPA) Webcast, November 4, 2008.
http://naspa.brighttalk.com/node/569
· “Virtualization Security”, Cyber Information Security Conference – CISCON 2008, October 21-24 2008, Helena, MT.
http://www.cyberinfosec.com/
· “Virtualization Security Enabler or Threat” Computer Security Institute Webinar Series: Seven Emerging Technologies for Highly Secure Organizations with Sara Peters, October 16, 2008.
http://online.cmptechresource.com/cgi-bin4/DM/y/eBMUu0OfvNN0XxM0GuEj0Ed
· Panel: Achieving Regulatory Compliance in Virtualized Environments, VMworld 2008, September 15-18, 2008, Las Vegas, NV.
http://www.vmworld.com/conferences/2008/
· “Virtualization: Resource Coupling and Security across the Stack”, 2008 CERIAS Security Seminar, September 10, 2008, Purdue University, West Lafayette, IN.
http://www.cerias.purdue.edu/news_and_events/events/security_seminar/
· “Security Information Standards: Current Status and Future Directions”, ISACA Security Conference 2008, September 9, 2008, Las Vegas, NV.
http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManageme...
· Expert Panel: “Securing Virtual Environments”, SANS Virtual Security Summit 2008, August 7, 2008, Washington, DC
· “XEN and the Art of Virtualization Security Policy Compliance”, Linux World 2008, August 4-7 2008, San Francisco, CA
http://www.linuxworldexpo.com/live/12/
· “Virtualization and Security”, Computer Security Institute – Security Exchange, Las Vegas, April 27-May 2, 2008.
· “Security Information Standards: Current Status and Future Directions” ISACA’s 38th Annual North America Computer Audit, Control and Security Conference, 27 April-1 May 2008, Las Vegas, Nevada, April 27-May 2, 2008.
· “Virtualization and Security”, University of Wisconsin – Madison E-Business Consortium: Virtual Server Threats and Countermeasures, Madison, WI, April 23, 2008.
· “Securing Virtualization: CIS Consensus Benchmark”, with Chris Farrow and Dave Shackleford, RSA 2008, San Francisco, April 4-7, 2008.
· Panelist: “Securely Virtual or Virtually Secure?”, IX CERIAS 2008 Information Security Symposium, March 18, 2008, Purdue University, West Lafayette, IN.
· “Virtualization and Enterprise Security” Computer Security Institute Interview with Robert Richardson, Executive Director, Computer Security Institute.
· “Virtualization and Security Configuration Policy Compliance”, Core Competencies for Compliance and Data Protection, ISACA e-symposium, November 27, 2007.
· “Virtualization and Security”, CSI 2007, Computer Security Institute, Washington DC, November 5-8, 2007.
· “Virtualization and Security: Security Configuration Policy Compliance”, 2nd Annual IT Security Conference for the Oil & Natural Gas Industry, American Petroleum Institute, Houston, Texas, November 6-7, 2007.
· “System Configuration Management: Security and Auditing Challenges”, MISTI 27th Annual Conference on IT Audit and Controls, Washington, DC, October 22, 2007
· “Virtualization and Enterprise Security”, VMworld 2007, San Francisco, CA, September 11-13, 2007.
· “Virtualization and Security Configuration policy Compliance”, ISACA North America CACS, Grapevine, Texas, April 22-26, 2007.
· “Security Configuration Compliance and Emerging Information Standards”, ISACA North America CACS, Grapevine, Texas, April 22-26, 2007.

Cloud Computing Conference