Trust < Cloud < Trust

Transcription

1 Trust < Cloud < Trust Martin Vliem National Security Officer CCSP, CISSP, CISA

2 Digital Transformation expectations? "The Americans have need of the telephone, but we do not. We have plenty of messenger boys." 1878, Sir William Preece Chief Engineer, British Post Office "Nuclear-powered vacuum cleaners will probably be a reality in 10 years. 1955, Alex Lewyt President of vacuum cleaner company Lewyt Corp. "There is no reason anyone would want a computer in their home." 1977, Ken Olson President, chairman and founder of Digital Equipment Corp. "A rocket will never be able to leave the Earth's atmosphere." 1936, New York Times "X-rays will prove to be a hoax. 1883, Lord Kelvin President of the Royal Society "When the Paris Exhibition [of 1878] closes, electric light will close with it and no more will be heard of it. 1878, Erasmus Wilson Oxford professor "By the turn of the century, we will live in a paperless society." 1986, Roger Smith Chairman of General Motors "Rail travel at high speed is not possible because passengers, unable to breathe, would die of asphyxia. Dr Dionysys Larder ( ) Professor of Natural Philosophy and Astronomy, University College London.

3 Digital Transformation incoming traffic AMS-IX TB Mei TB Juli 2001 Third parties are allowed to use the AMS-IX statistics that are published on the website. Upon doing so, please make sure to mention that AMS-IX holds copyright on this information and to accompany the figures with a link directing to the figures on our website.

4 Digital Transformation Supported through technology & cloud

5 Trust concerns Satya Nadella CEO Microsoft Can I control my data? Is my data secured? What happens with my data? Am I compliant? Will my data remain available?

6 Fear is a poor advisor Dutch expression 6

7 Zipf s law Rel. Frequency 1st 2nd 3rd Order

8 Opportunity versus risk Agility Cost Transformation Modernization Data loss Down time Privacy Malware attacks Information security & risk management guidelines Frameworks & standards & baselines (ISO 27002, NIST r4, CSA CCM) Risk templates (ISO27001, NIST , NIST CSF)

9 The CSA Treacherous 12 Top Cloud threats Data Breaches 2. Weak Identity, Credential and Access Mgmt 3. Insecure APIs 4. System and Application Vulnerabilities 5. Account Hijacking 6. Malicious Insiders 7. Advanced Persistent Threats (APTs) 8. Data Loss 9. Insufficient Due Diligence 10. Abuse and Nefarious Use of Cloud Services 11. Denial of Service 12. Shared Technology Issues Notorious nine Data breaches 2. Data loss 3. Account or service traffic hijacking 4. Insecure interfaces and APIs 5. Denial of service 6. Malicious insiders 7. Abuse of cloud services 8. Insufficient due diligence 9. Shared technology vulnerabilities

10 Cloud Services Due Diligence checklist based on ISO19086

11 Cloud assurance CUSTOMER OR EMPLOYEE OF CLOUD CONSUMER AS DATA SUBJECT 1 Information security, privacy, compliance, legal, policy requirements MITIGATING CONTROLS 3 Customer requests assurances from Cloud vendor 2 Continuous assessment cycle GOVERNANCE, RISK & COMPLIANCE CONTRACTING 4 Cloud provider provides assurance RISKS MITIGATING CONTROLS INDEPENDENTLY VERIFIED CLOUD PROVIDER CLAIMS ADDITIONAL CONTROLS & PROCESSES DESCRIPTIVE INFORMATION 5 Evaluates claims and add additional controls INTERACTIVE INFORMATION & CONTROLS OPTIONAL CONTROLS & SERVICES 6 Demonstrate compliance / control risk CLOUD PROVIDER (processor) CLOUD CONSUMER (controller)

12 A Partnership Cloud service provider responsibility Tenant responsibility Responsibility SaaS PaaS IaaS On-prem Data governance & rights management Client endpoints ALWAYS RETAINED BY CUSTOMER Account & access management Identity & directory infrastructure Application Network controls VARIES BY SERVICE TYPE Operating system Physical hosts Physical network TRANSFERS TO CLOUD PROVIDER Physical datacenter Microsoft Customer

13 SECURING THE PLATFORM - Ser vice Integrated Controls- EMPOWERING YOU - Customer Security Considerations - A TRUST DIALOGUE

14 Transparency

15 Threats prevented by a cloud platform

16 SECURING THE PLATFORM - Ser vice Integrated Controls- EMPOWERING YOU - Customer Security Considerations - A TRUST DIALOGUE

17 Customer controlled responsibilities Software as a Service Office SaaS Platform as a Service Azure - PaaS Infrastructure as a Service Azure - IaaS On Premises Security Dependencies 1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization 2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems 3. Data: Identify and protect your most important information assets 4. User identity and device security: Strengthen protection for accounts and devices 5. Application security: Ensure application code is resilient to attacks 6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior 7. Operating system and middleware: Protect integrity of hosts 8. Private or on-premises environments: Secure the foundation

18 Cloud: trust but verify Sharing responsibilities ONPREMISES APPROACH CLOUD-ENABLED PROCESSING

19 Summary key aproach and activities 1. Cloud security, privacy & compliance is a partnership, governance is key Business case and Risk management is foundational Implement flexible goverance processes Design security requirements & policies 2. Request cloud provider assurances on integrated security capabilities Many operational & security responsibilities can be transferred to the service provider. 3. Additional customer controls & requirements, empowered by cloud platforms: discover, manage, protect, report Administrative Privilege Management Identity Systems and Identity Management Security Management & Threat Awareness Information protection Protection

20 References 1. Descriptive: Microsoft trustcenter: 2. Independently verified: Microsoft Service Trust portal: 3. Contractual: Microsoft online service terms & SLA: Microsoft Cloud IT Architecture resources: Cloud Services Due Diligence Checklist (ISO based): SAFE Handbook: Microsoft Cyber Trust Blog: Microsoft Secure: A Data driven security defense: Enterprise Cloud strategy e-book: Microsoft Security Intelligence Report:

21

22 The content of the information provided by Microsoft, if any (the Content ) is provided for information purposes only. It does not under any circumstance constitute a legally binding offer or acceptance of Microsoft Ireland Operations Limited or any other Microsoft Group affiliate. This Content shall not be construed as (i) any commitment from Microsoft Ireland Operations Limited or any other Microsoft Group affiliate and/or (ii) supplementing or amending the terms of any existing agreement with Microsoft Ireland Operations Limited or any other Microsoft Group affiliate. In case of any discrepancies between the Content and this disclaimer, the terms of the latter shall prevail. Microsoft, all rights reserved.