Cloud Security. Are you on the train or the tracks? ISSA CISO Executive Forum April 18, 2015. Brian Grayek CISSP, CCSK, ITILv3



Agenda:
  Facts
  Opinions (based on experience)
  A little humor
  Some gold nuggets

Great quotes from CISOs I know:
  "No Cloud here. We're more secure than any Cloud."
  "I'll NEVER allow Cloud here!"
  "We've never been hit with any intrusion."
  "I'll never trust my data in the Cloud."

Cloud Computing is the Train. It's coming no matter what you think or do.

Cloud Computing = Utility. Just like electricity in the 1920s-30s:
  You plug in and use as much as you need
  Pay for what you use
  Use less or more, based on the day

There are always some people who think it's a fad and it won't last.

My analogy, the way business sees it (cartoon labelled Cloud / Users / CISO): either get on the train or get off the tracks.

"The Cloud is nothing new. We've had the cloud since the mainframe and we can handle it the same way."

The Root of Cloud Velocity
  Priority Now - A recent survey of CIOs identified cloud computing as their #2 priority for 2015 [1]
  Security still a concern - 35% of the CIOs surveyed cited security as their primary reason for keeping data on premise [1]. Interestingly, this is driving more CIOs to PRIVATE and Hybrid Clouds.
  Efficiency Isn't Optional - 46% of IT leaders believe improving IT efficiency is the #1 priority in 2015 [2]
  Faster Delivery of New Apps - 26% of all new apps are being built on Public Cloud [2]
  A Procurement Revolution - 55% of all cloud transactions are shadow IT spending (off the books and completed using a credit card) [3]

  [1] http://www.securityweek.com/sometimes-it-takes-crisis-security-budgets-rise
  [2] http://www.appdynamics.com/press-release/it-leaders-identify-efficiency-cloud-and-analytics-as-top-2015-priorities/
  [3] https://www.cisco.com/web/about/ac79/docs/re/impact-of-cloud-it_consumption-models_study-report.pdf

What is the fundamental difference that makes the Cloud different? Scalability? Elasticity? On-demand self-service? Reliability? Multi-tenancy?

What is the fundamental difference that makes the Cloud different? My choice.

Everything is NOT ready for the Cloud.
Quick winners for Cloud:
  Applications that are public, web-enabled / IP-aware
  Workloads for Dev/Test/QA environments
  Workloads that are audit-prone or highly regulated
  Applications that require scaling or elasticity
  Applications where service level is key
Require deeper consideration:
  Home-grown, legacy applications
  Static / non-IP-aware applications

...and not all Cloud vendors are alike. There are lots of Cloud vendors, with different technologies, different niches, and different levels of security.

Top Security Concerns with the Cloud
  Physical security - guns, guards, and dogs
  Multi-tenancy
  Inability to audit
  Lack of visibility into physical infrastructure
  Security of the data:
    preventing data loss
    who has access to my data
    encryption to meet GRC requirements and standards
    what happens to the data when I leave
  Vulnerability review of systems, applications, etc.

Critical Security Areas: Architecture. Some clouds are based on VMware, others on Citrix Xen, others on ????. The underlying platform is a key criterion for security and for how the environment can be secured.

Critical Security Areas: Security. You can't add on security afterwards.

Critical Security Areas: Location. Where is my data?

11 Key Characteristics of a Secure Cloud Architecture
  1. Isolation - RAM, processor, and storage are logically separated
  2. Dedicated Resources - the resources provided to the client are dedicated, and no one may interfere with or affect another's performance
  3. VLAN and Segmentation - private VLANs segregate customer networks, DMZ, and internal segments
  4. IP Addresses - dedicated IP addresses for both public and private
  5. NAT - support for NAT to RFC 1918 non-routable IP address space
  6. Secure VPN Connection - access to the VMs through VPN
  7. Administrative Access - access to OS instances maintained by the client
  8. Authentication - two-factor authentication, with even more robust options available
  9. Role-Based Access - RBAC and granular control of logging, turn-up/turn-down of OSs, and auditor read-only access
  10. Secure Web Console Access - console portal encrypted in transit via SSL/TLS
  11. VM Administration - virtual machines are managed by the client
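Characteristics 3, 4 and 5 are the ones a customer can verify from a provider's allocation records rather than take on faith. The script below is an added example, not part of the deck and not any provider's tooling: it takes a constructed list of tenant allocations (the Tenant fields, the tenant names, VLAN ids and addresses are all assumptions made for the example) and reports tenants that share a VLAN, share a public address, sit behind NAT on a range outside RFC 1918, or have overlapping private ranges on a VLAN they share with another tenant.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address space (characteristic 5 on the slide).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Tenant:
    """One customer's allocation as a provider might export it (assumed record layout)."""
    name: str
    vlan_id: int          # private VLAN the tenant's VMs live on (characteristic 3)
    private_net: str      # NATed internal range, e.g. "10.1.0.0/16" (characteristic 5)
    public_ips: tuple     # dedicated public addresses (characteristic 4)


def is_rfc1918(cidr):
    """True if the whole network (or /32 host) lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_tenants(tenants):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    vlan_owner = {}   # vlan_id -> first tenant seen on it
    ip_owner = {}     # public ip -> first tenant it was assigned to
    for t in tenants:
        if not is_rfc1918(t.private_net):
            findings.append(f"{t.name}: private range {t.private_net} is outside RFC 1918 space")
        if t.vlan_id in vlan_owner:
            findings.append(f"{t.name}: shares VLAN {t.vlan_id} with {vlan_owner[t.vlan_id]}")
        else:
            vlan_owner[t.vlan_id] = t.name
        for ip in t.public_ips:
            if is_rfc1918(f"{ip}/32"):
                findings.append(f"{t.name}: 'public' address {ip} is an RFC 1918 address")
            if ip in ip_owner:
                findings.append(f"{t.name}: public IP {ip} is also assigned to {ip_owner[ip]}")
            else:
                ip_owner[ip] = t.name
    # Overlapping private ranges are normal behind separate NAT/VLANs; they only
    # break isolation when the two tenants are on the same VLAN.
    for i, a in enumerate(tenants):
        for b in tenants[i + 1:]:
            if a.vlan_id == b.vlan_id:
                na = ipaddress.ip_network(a.private_net, strict=False)
                nb = ipaddress.ip_network(b.private_net, strict=False)
                if na.overlaps(nb):
                    findings.append(
                        f"{a.name}/{b.name}: overlapping private ranges on shared VLAN {a.vlan_id}")
    return findings


# Constructed sample allocation: acme and globex are clean; initech and umbrella are not.
SAMPLE_TENANTS = [
    Tenant("acme",     101, "10.1.0.0/16",   ("203.0.113.10",)),
    Tenant("globex",   102, "10.1.0.0/16",   ("203.0.113.11",)),   # same range as acme, own VLAN: fine
    Tenant("initech",  102, "100.64.0.0/10", ("203.0.113.10",)),   # shared VLAN, non-RFC1918, shared IP
    Tenant("umbrella", 102, "10.1.128.0/17", ("192.168.5.5",)),    # shared VLAN, overlaps globex, bogus public IP
]

if __name__ == "__main__":
    for finding in check_tenants(SAMPLE_TENANTS):
        print(finding)
```

The interesting rule is the last one: two tenants may legitimately both use 10.1.0.0/16 behind their own NAT, so overlap on its own is not a finding; overlap on a shared VLAN is, because that is exactly the "nosy neighbour" condition characteristics 1 to 3 are meant to exclude.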

Governance & Compliance
Governance:
  Are changes logged?
  Reporting on roles and separation of duties?
  Security monitoring of the cloud environment and its incidents?
  Patch management?
Compliance:
  PCI DSS Level 1
  SAS 70 Type II (now SSAE 16)
  FIPS
  FISMA
  Safe Harbor
  ISO 27001
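The governance questions on the slide (are changes logged, can you report on roles and separation of duties, is two-factor enforced for administrators) only pay off if someone actually runs those checks over the provider's change log. The script below is an added example, not from the deck and not any provider's product: it reads a constructed change log (the JSON field names, user names and roles are assumptions made for the example) and flags changes with no logged approval, a requester approving their own change, an approver also applying it, a read-only auditor role applying a change, and a change applied without MFA. It also produces the per-user, per-role summary the "reporting on roles" question asks for.

```python
import json
from collections import Counter

# Constructed change log, one JSON object per line (assumed field layout):
# change_id, requested_by, approved_by (null if none), applied_by, applier_role, mfa.
CHANGE_LOG = """\
{"change_id": "CHG-1001", "requested_by": "alice", "approved_by": "bob",   "applied_by": "carol", "applier_role": "operator", "mfa": true}
{"change_id": "CHG-1002", "requested_by": "dave",  "approved_by": "dave",  "applied_by": "dave",  "applier_role": "admin",    "mfa": true}
{"change_id": "CHG-1003", "requested_by": "alice", "approved_by": null,    "applied_by": "carol", "applier_role": "operator", "mfa": false}
{"change_id": "CHG-1004", "requested_by": "bob",   "approved_by": "alice", "applied_by": "erin",  "applier_role": "auditor",  "mfa": true}
"""

# Roles allowed to turn systems up/down or change configuration; "auditor" is read-only.
ROLES_THAT_MAY_APPLY = {"admin", "operator"}


def parse_log(text):
    """Parse newline-delimited JSON into a list of change records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_changes(records):
    """Return separation-of-duties and authentication findings, one string per problem."""
    findings = []
    for r in records:
        cid = r["change_id"]
        approver = r.get("approved_by")
        if approver is None:
            findings.append(f"{cid}: applied without a logged approval")
        elif approver == r["requested_by"]:
            findings.append(f"{cid}: requester {approver} approved their own change")
        if approver is not None and r["applied_by"] == approver:
            findings.append(f"{cid}: approver {approver} also applied the change")
        if r["applier_role"] not in ROLES_THAT_MAY_APPLY:
            findings.append(
                f"{cid}: role '{r['applier_role']}' ({r['applied_by']}) is read-only and must not apply changes")
        if not r.get("mfa", False):
            findings.append(f"{cid}: {r['applied_by']} applied the change without two-factor authentication")
    return findings


def role_report(records):
    """Count changes applied per (user, role): the evidence behind 'reporting on roles'."""
    return Counter((r["applied_by"], r["applier_role"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(CHANGE_LOG)
    for finding in audit_changes(recs):
        print(finding)
    for (user, role), n in sorted(role_report(recs).items()):
        print(f"{user:8} {role:9} {n} change(s) applied")
```

The same checks can be run against a provider's exported audit trail once the field names are mapped; if the provider cannot export enough to answer them, that is itself the answer to "inability to audit" on the concerns slide.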

Look at Additional / Available Security Services
  Integrated multi-factor authentication
  Log aggregation
  Security Information and Event Management (SIEM)
  Intrusion detection (IDS)
  Secure OS builds
  Database access monitoring
  Application log monitoring and management
  VPN solutions
  Professional security services:
    GRC audit and assessment
    SOC / NOC
    Vulnerability assessment
    Forensics

Cloud... MORE secure than a private datacenter?

                    Private DC              Cloud
  Customers         1                       1,000
  Carriers          1, maybe 2              10-200
  Overhead          pays all of it          divided by 1,000
  Security spend    pays 100% of it         1,000 x security
  Intrusion         = a disruption          = end of business

Security Support. Ask whether support is available and at what cost. Is 24x7 phone support available? Support can run 10-20% of usage cost, and much of the time it is geared toward technically knowledgeable, expert users.

My Recommendations to You
  Cloud is here and it won't go away
  Determine how you want to use Cloud
  Establish clear security policies for the use of Cloud, and enforce them
  Establish strong SLAs
  Don't be afraid of working with more than one Cloud company
  Start out slow, move ahead based on success

Brian Grayek Brian.Grayek@Verizon.com https://www.linkedin.com/in/briangrayek