Everything You Need to Know About Cloud Security (and then some)

Similar documents
Analytics in the Cloud Mandate or Option?

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

ISACA Phoenix Chapter Meeting

In this unit we are going to look at cloud computing. Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing,

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Protecting your Data in the Cloud. Cyber Security Awareness Month Seminar Series

Auditing the Cloud. Paul Engle CISA, CIA

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Device Discovery for Vulnerability Assessment: Automating the Handoff

Data Security and Privacy Principles IBM Cloud Services

Building Trust in the Era of Cloud Computing

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Securing the Cloud Today: How do we get there?

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Copyright 2011 EMC Corporation. All rights reserved.

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

The Business of Security in the Cloud

Cloud Computing Lectures. Cloud Security

How to ensure control and security when moving to SaaS/cloud applications

Data Security: Public Contracts and the Cloud

Building your Castle in the Cloud for Flash Memory

SUBJECT: REQUEST FOR PROPOSALS FOR HARBOR DEPARTMENT CLOUD COMPUTING SERVICES

Cloud Computing. An introduction using MS Office 365, Google, Amazon, & Dropbox.

Cloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm

Cloud Computing and Its Impact on Software Licensing

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

How to avoid storms in the cloud. The Australian experience and global trends

Computing as a Service

10 Considerations for a Cloud Procurement. March 2017

Module 6. Campaign Layering

Reviewing Nist Cloud Computing Definition

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

The Oracle Trust Fabric Securing the Cloud Journey

Best Practices in Securing a Multicloud World

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

Driving Cloud Governance and Avoiding Cloud Chaos

Introduction to Cloud Computing. [thoughtsoncloud.com] 1

Building a Resilient Security Posture for Effective Breach Prevention

Community Clouds And why you should care about them

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cloud Computing. Presentation to AGA April 20, Mike Teller Steve Wilson

Secure & Unified Identity

Thinking Outside the Box on Disaster Recovery

Fundamental Concepts and Models

How to Establish Security & Privacy Due Diligence in the Cloud

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Introduction To Cloud Computing

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud: Introducing SafeNet s Crypto Hypervisor

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

Cloud Computing, SaaS and Outsourcing

Securing Data in the Cloud: Point of View

Geneva, 6-7 December 2010 Addressing security challenges on a global scale

Version 1/2018. GDPR Processor Security Controls

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

Cover Slide. Third Party Risk and the Role of the Cyber Security/IT Risk Officer. Robert Satchmo Anderson

A guide for IT professionals. implementing the hybrid cloud

The Next Generation of Cloud Security. Joe Chan Vice Chairman Programs & Research Cloud Security Alliance Hong Kong & Macau Chapter

Security Models for Cloud

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

THALES DATA THREAT REPORT

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Managing SaaS risks for cloud customers

Flash in a Hybrid Cloud World. How Cloud Shift will affect flash in the Data Center Steve Knipple: Cloud Shift Advisors

Security

Network Implications of Cloud Computing Presentation to Internet2 Meeting November 4, 2010

Securing Your Cloud Introduction Presentation

The Challenge of Cloud Security

10 Hidden IT Risks That Might Threaten Your Business

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

Privacy hacking & Data Theft

Privacy and Security in the Age of Meaningful Use

PCI DSS Compliance and the Cloud

Hardening the Cloud: Assuring Agile Security in High-Growth Environments (Moving from span ports to virtual appliances)

SoftLayer Security and Compliance:

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

2017 THALES DATA THREAT REPORT

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Security, compliance and GDPR and Google Cloud

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Cloud Mobile Computing

CLOUD COMPUTING. Rajesh Kumar. DevOps Architect.

Osynlig infrastruktur i datacentret med inbyggd säkerhet och resursoptimering.

THE DATA CENTER AS A COMPUTER

Building a More Secure Cloud Architecture

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Cloud Computing Overview. The Business and Technology Impact. October 2013

ECSA Assessment Report

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

Migration to Cloud Computing: Roadmap for Success

CloudTrust Protocol Orientation and Status

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Spotlight Report. Information Security. Presented by. Group Partner

WHITEPAPER. Lookout Mobile Endpoint Security for App Risks

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

1/10/2011. Topics. What is the Cloud? Cloud Computing

Transcription:

Everything You Need to Know About Cloud Security (and then some) Mike Rothman Securosis, L.L.C.

About Securosis

A long time ago... You know, 2008

In a galaxy far far away You know, the Internet (Where all the porn is)

These guys...

Said, Hey, we need the next big thing.

So this guy

Said...

Hey, you know all those complicated diagram thingies customers are showing us?

Like this?

Notice something?

They all have one of these

And I ve never seen a customer with one, so let s sell them *that*!

And thus THE CLOUD was born.

And there was much rejoicing.

Unless, of course, you were in IT security.

And your developers told you they moved everything to the cloud.

Last week.

In which case, it was more like this...

Why the cloud is a problem for security Poor understanding of cloud taxonomies and definitions. A generic term, frequently misused to refer to anything on the Internet. Lack of visibility into cloud deployments IT by credit card - Anyone can buy a cloud

Cloud Essential Characteristics Broad Network Access Rapid Elasticity Measured Service On-Demand Self-Service Resource Pooling

Three Delivery Models

SPI Mix and Match Amazon'EC2' Salesforce.com'CRM' SaaS' Microso6'Azure' Database.com' Why?' PaaS' Wordpress.com' DropBox' IaaS'

Security Implications Variable control. Variable visibility. Variable simplicity. Variable resources.

Control, visibility, resources Simplicity, manageability

Different Security Accountability SaaS PaaS IaaS Security Responsibility Provider Customer

But is the cloud more or less secure than we are now?

It depends

SaaS Most constrained. Most security managed by your provider. Least flexible.

PaaS Less constrained. Security varies tremendously based on provider and application- shared responsibility. Security responsibility

IaaS Most flexible. Most security managed by your developers and operations folks.

Specific issues Spillage and data security. Reliability/availability/Survivability. Relevance of traditional security controls in a dynamic environment. Lack of visibility into cloud usage. Changing development patterns/cycles.

For example, where do you stick the WAF?

Is vulnerability scanning your cloud legal?

How do you use your static and dynamic analysis testing tools in the cloud?

What is your DR/BC plan when the cloud fails?

More Risky Business... Data outside of your control Legal jurisdictions Service level definitions Monitoring/Visibility Incident response challenges

How most organizations secure their clouds today...

Your Top 2 Cloud Security Defenses Service Level Agreements Security Understanding

Understand Your SLAs Are there security-specific SLAs? Can you audit against those SLAs? Are there contractual penalties for noncompliance? Do your SLAs meet your risk tolerance requirements?

Suggested SLAs Availability. Security audits- including third party. Data security/encryption. Personnel security. Security controls (depend based on service). User account management. Infrastructure changes.

Understand Your Cloud What security controls are in your cloud? How can you manage and integrate with the controls? What security documentation is available? What contingency plans are available?

Cloud Security Controls to Look For Data encryption/security (key management). Perimeter defenses. Auditing/logging. Authentication Segregation. Compliance/Audits.

Don t Trust SAS70 Audits. Documentation without verification. Non-contractual SLAs. Anything not in writing, with penalties for non-compliance. Anything you don t understand.

Resources Cloud Security Alliance NIST ENISA

What to Do Educate yourself. Engage with developers. Develop cloud security requirements. Understand risk/controls tradeoffs. Document and engage management.

The 5 Stages of Cloud Computing Grief Denial: There is no cloud. Anger: Why the f&*k is this sales guy trying to sell me a cloud? Bargaining: Can you please just tell me what the f&^k your cloud is? Depression: The sales guy found my CIO. Now I have to by a cloud. Acceptance: There is no cloud.

Read our stuff Blog: http://securosis.com/blog Content available via email Primary research http://securosis.com/research We publish (almost) everything for free Contribute. Make it better.

Mike Rothman Securosis LLC mrothman@securosis.com http://securosis.com Twitter: @securityincite

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback