How To Protect Your Cloud From Attack

Similar documents
Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Assessing Risks in the Cloud

Secure Cloud Computing

Global Efforts to Secure Cloud Computing. Jason Witty President, Cloud Security Alliance Chicago

Cloud Security. DLT Solutions LLC June #DLTCloud

Cloud Security Alliance: Industry Efforts to Secure Cloud Computing

Security Issues in Cloud Computing

Cloud Security Certification

GRC Stack Research Sponsorship

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

White Paper How Noah Mobile uses Microsoft Azure Core Services

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Cloud Security Introduction and Overview

Security of Cloud Computing for the Power Grid

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

The Netskope Active Platform

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Seeing Though the Clouds

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Close-Up on Cloud Security Audit

The Cloud App Visibility Blindspot

Executive s Guide to Cloud Access Security Brokers

Building an Effective

State of Security Monitoring of Public Cloud

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

How to ensure control and security when moving to SaaS/cloud applications

Visibility and Control for Sanctioned & Unsanctioned Cloud Apps

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Rethinking IT and IT Security Strategies in an Era of Advanced Attacks, Cloud and Consumerization

Covering my IaaS: Security and Extending the Datacenter. Brian Bourne Tadd Axon

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

Cloud Computing Governance & Security. Security Risks in the Cloud

Security Virtual Infrastructure - Cloud

Think like an MBA not a CISSP

Data Risk Management: ISM Ground to Cloud Summit. accelerate your ambition 1

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Cloud Essentials for Architects using OpenStack

Compliance and Cloud Computing

Open Certification Framework. Vision Statement

Secure your cloud applications by building solid foundations with enterprise (security ) architecture

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

Managing Cloud Computing Risk

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Compliance in the Age of Cloud

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

John Essner, CISO Office of Information Technology State of New Jersey

Cloud Computing and Data Center Consolidation

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Securing Smart City Platforms IoT, M2M, Cloud and Big Data

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Protecting Data and Privacy in the Cloud

hyperguard Defining a dwaf to secure cloud applications By Alexander Meisel, CTO and Co-Founder

Security Practices, Architecture and Technologies

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud

Improving the Microsoft enterprise. network for public cloud connectivity

Why are Companies in the EU Adopting More and More Cloud-Based Security Solutions? François GRATIOLET, Qualys Inc., CSO EMEA

Federal Aviation Administration. efast. Cloud Computing Services. 25 October Federal Aviation Administration

Consumption IT. Michael Shepherd Business Development Manager. Cisco Public Sector May 1 st 2014

WHITE PAPER. Five Steps to Better Application Monitoring and Troubleshooting

Cloud Computing Business, Technology & Security. Subra Kumaraswamy Director, Security Architecture, ebay

Microsoft Azure. Microsoft Azure Security, Privacy, & Compliance

PREVENTIA. Skyhigh Best Practices and Use cases. Table of Contents

GoodData Corporation Security White Paper

Enhancing Operational Capacities and Capabilities through Cloud Technologies

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

MicroStrategy Cloud Enterprise User Guide Version 2

Safeguarding the cloud with IBM Dynamic Cloud Security

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

Don't outsource IT! Bring your own Cloud with SDN

Information Security for the Rest of Us

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Software Defined Perimeter: Securing the Cloud to the Internet of Things

Auditing Cloud Computing and Outsourced Operations

Securing the Physical, Virtual, Cloud Continuum

Dell Cloud Services. Services

Transcription:

SESSION ID: CDS-R03 Security Lessons Learned: Enterprise Adoption of Cloud Computing Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa

Agenda What we are going to cover The current & future state of cloud computing adoption Security best practices learned by enterprise users of cloud The security perspective of the cloud providers Cloud security trends changing the market How to apply the lessons learned to your own cloud computing security strategy 2

Cloud in the Enterprise 2015 Awareness: Capturing data on current cloud usage within organization Opportunistic: Identifying strong cloud adoption opportunities Strategic: Building cloud adoption program - architecture, frameworks & business alignment Data security is a board level issue in over 60% of enterprises (CSA/SkyHigh Networks survey 2015) Leveraging hybrid clouds: public and private Supporting multiple assurance requirements 3

What are leading edge organizations doing? Implementing cloud security intermediaries such as CASB: Cloud Access Security Broker Applying security to DevOps and DevOps to security Container technologies: Docker, Rocket Security analytics Integration of Internet of Things Creating new native cloud security strategies 4

Cloud of the Future Cloud 2020 Leading edge enterprises will be all cloud (and more successful) Mainstream enterprises will be majority cloud (Cloud First) Majority of endpoints will be outside corporate control (e.g. BYOD, Cloud Managed) Majority of cloud connected devices are Internet of Things Vendor-neutral Virtual Private Clouds compete with Private Clouds Mastering cloud security by 2020 requires advancement in people, process and technology Understand the power One line of code can create a datacenter! 5

Cloud Lessons Misunderstanding different types of Clouds and your Role Unrealistic expectations of customized services from providers Forcing legacy tools & architectures on cloud security problems Heavy-handed blocking of cloud services backfires on infosec Using compliance as a pretext for inaction Key role of intermediaries CSA Cloud Reference Model 6

Different types of clouds Cloud as a layered model (eg OSI) SaaS has implicit IaaS layers Market impacts architecture Businesses occupy individual layers (e.g. cloud brokers) Layers of abstraction emerge Innovation/optimization in layers Everything becomes virtualized CSA Cloud Reference Model 7

Customer role in different clouds In all clouds it is a shared responsibility IaaS is a greater responsibility for the customer to harden the service Provider is responsible for implementing security in SaaS Customer has the ultimate responsibility for security assurance 8

Why isn t my cloud experience customized? Managing a standardized environment is simpler, lowers costs and increases availability Software feature requests must be desired by a large percentage of the customer base Physical datacenter audits are rare (and usually pointless when possible) Customer doesn t get complete access to full technology stack Highly customized systems carry high TCO 9

The legacy security problem Security professionals bring an existing mindset to cloud security AV, IDS, Patch management, Forensics must be done differently in cloud Traditional datacenters are relatively static Clouds change constantly Network security solutions assume an appliance access to traffic Cloud traffic traverses hypervisors, SDN Security operations centers (SOCs) assume ability to instrument IT systems Cloud solutions may not have an agent or logfile access for your SIEM 10

Compliance Regulations and standards are almost all pre-cloud Many regulations assume customer controls full technology stack Many industries & gov ts want in-country data processing Virtually all regulations have flexibility to allow for reasonable interpretation to address spirit of law Demonstrating compliance in cloud to auditors is another shared responsibility between customers and providers 11

The provider perspective Huge variety in the types of cloud providers, their security credentials and ability to execute on a security strategy Good providers understand good security is a matter of corporate life or death Good providers invest far more in security than an enterprise Providers feel redundant compliance and customer audit requirements is detrimental to their security efforts Providers often reluctant to embrace transparency about their security practices 12

Key role of intermediaries Cloud providers too diverse to hope for uniform security capabilities Enterprises lack resources to drive requirements into provider environments Enterprises in a transitional phase in security strategy, architecture and tools to meet the cloud challenge Intermediaries Reduce multi-cloud complexity from a customer point of view Create layers of abstraction Provide security augmentation to native cloud feature sets Source: NIST 13

Cloud Security Trends

CASB: Cloud Access Security Broker Gartner: Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. 15

CASB: Cloud Access Security Broker Varied deployments Perimeter Reverse Proxy Cloud Provider API integration Functions Needs Decision support Context-based policy enforcement Opportunistic encryption Identity federation Standards for providers and customers to interface and integrate Common policy language, compliance and risk metrics 16

Unique native cloud features benefitting security Disposable Infrastructure Dynamic scaling of physical resources Unlimited provisionable bandwidth Per-resource security controls On-demand virtual datacenters Real-time stream processing Unlimited storage (both blob and warehoused) Programmatic Key Management DDoS Avoidance (elasticity) and more! Awesome list courtesy of Tim Prendergast www.evident.io 17

Understanding how to leverage cloud to do security better Scale out over DDoS Attacks rather than block them Destroy compromised servers, retaining image for later forensics High-risk operations can be containerized and single-use Programmatic changes in response to attack patterns/behaviors Short-lived resources have minimal impact when compromised API-centric services are not vulnerable to traditional network attacks Think about security as DevSecOps Awesome list courtesy of Tim Prendergast www.evident.io 18

Making cloud providers accountable: CSA Security, Trust and Assurance Registry (STAR) Based upon Cloud Controls Matrix meta-framework World s largest cloud assurance registry 19

Cloud Controls Matrix backbone of STAR Controls derived from CSA guidance organized into a meta-framework of 16 domains Foundation for all cloud assurance programs Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP mappings growing virally Rated as applicable to S-P-I Customer vs Provider role CAIQ Questionnaire format 20

Applying the knowledge to your enterprise

Apply the knowledge (1/3) baseline & foundation Use egress monitoring, CASB or similar to gain visibility and build a report of your cloud usage Survey your staff s cloud experience Hands on experience with at least 2 IaaS, at least 1 PaaS and Security as a Service? Do you have any CCSKs on staff (Certificate of Cloud Security Knowledge)? Build your cloud security framework Cloud Controls Matrix (CCM) is a good start Assign a team member to map CCM to your own Information Security Management System (ISMS) 22

Apply the knowledge (2/3) gentle policing of cloud usage Gain visibility into the use and risk of cloud services Educate employees to use low risk services leveraging existing infrastructure Integrate anomaly detection with SOC for investigation and remediation Identify sensitive data stored in sanctioned services (e.g. Box, Salesforce, Office365) Secure data in sanctioned services with encryption, DLP and access control policies Encourage/require providers to list in CSA STAR or minimally fill out CCM/CAIQ for you Awesome list courtesy of Jim Routh, Aetna and SkyHigh Networks 23

Apply the knowledge (3/3) build your future cloud strategy Educate security team that cloud requires greater agility Shorter risk assessment cycles, constant state of change is the new norm Identify bottleneck processes that don t scale to cloud speeds and fix them Build new, cloud-native security strategies New approaches for anti-ddos, forensics, patch mgt, malware, etc. Identity federation dialtone Audit security architecture for physical dependencies Leverage Security as a Service to secure *aas Research new technologies before business adopts, e.g. containers Demand transparency from the cloud provider industry 24

Security at the speed of cloud is scary and necessary Culture change ahead But, the real security Achilles Heel for enterprises is legacy IT 25

SESSION ID: CDS-R03 THANK YOU! Security Lessons Learned: Enterprise Adoption of Cloud Computing Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information