Security as a Service – Category and Threat Definitions

We are currently in phase one of producing the Security as a Service guidance documentation;

– Agreeing and documenting categories of service and their definitions

– Agreeing and documenting categories of threats and their definitions

So far the top five categories of service are;

    1. IAM
    2. DLP
    3. Secure Web Gateway
    4. Vulnerability Assessments
    5. Pen Testing
    6. Intrusion Detection
    7. Encryption
    8. Log Management

There are several further categories in the mix. We will be looking to consolidate the above categories and the others identified into sensible, easy-to-understand groupings. For example, it is likely that ‘vulnerability assessment’ and ‘pen testing’ will be a single category.

The top categories of threat identified are currently;

    1. Data Loss Leakage
    2. Traffic Hijacking
    3. Unauthorized Access
    4. Denial of Service
    5. Application Vulnerabilities

With about forty further ideas being assessed in the same way as for categories of service.

Should you have any ideas, please do let me know either by posting a comment on this blog or by mailing me on LinkedIn; any assistance is greatly welcomed!

K

 

Cloud Security Alliance – Security as a Service

For those interested in cloud security options, I am currently on the steering committee for the Security as a Service (SecaaS) working group. In this instance I mean how cloud computing can be used to secure everything, including cloud and non-cloud-based IT, rather than how to secure cloud computing (paraphrased from Jim Reavis).

If you are not familiar with the Cloud Security Alliance, I suggest you check out their site; it is a great resource for all things cloud security related and can be found here;

http://www.cloudsecurityalliance.org/

The purpose of the specific SecaaS working group is to;

 – Identify consensus definitions of what Security as a Service means

 – Categorise the different types of Security as a Service

 – Provide guidance to organisations on reasonable implementation practices

The site specific to the SecaaS work can be found here;

http://www.cloudsecurityalliance.org/secaas.html

Proposed timelines for the work we produce are for;

 – Categories of service to be defined by late April.

 – Draft SecaaS Guidance, mid-May.

 – SME Guide, mid-July.

 – Final Draft SecaaS Guidance, mid-September.

This should be a great piece of work so I will keep you updated with our progress.

K