Launching a Highly-regulated Startup in the Cloud

Similar documents
Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Cloud security 2.0: Joko nyt pilveen voi luottaa?

Title: Planning AWS Platform Security Assessment?

AWS Well Architected Framework

Enroll Now to Take online Course Contact: Demo video By Chandra sir

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Information Security Policy

OptiSol FinTech Platforms

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

AWS Solution Architect Associate

Cloud Security Whitepaper

Cloud Computing /AWS Course Content

Training on Amazon AWS Cloud Computing. Course Content

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

Getting Started with AWS Security

Architecting for Greater Security in AWS

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Deep Freeze Cloud. Architecture and Security Overview

PCI DSS Compliance. White Paper Parallels Remote Application Server

Security and Compliance at Mavenlink

The Common Controls Framework BY ADOBE

AWS 101. Patrick Pierson, IonChannel

Security Principles for Stratos. Part no. 667/UE/31701/004

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

Network Security & Access Control in AWS

Introduction to Cloud Computing

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Amazon Web Services Training. Training Topics:

Magento Commerce Architecture and Security Model Last updated: Aug 2017

University of Pittsburgh Security Assessment Questionnaire (v1.7)

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Accelerating the HCLS Industry Through Cloud Computing

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

LINUX, WINDOWS(MCSE),

Managing Microsoft 365 Identity and Access

Amazon Web Services (AWS) Training Course Content

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

Minfy MS Workloads Use Case

Cyber Essentials Questionnaire Guidance

Mapping traditional security technologies to AWS Dave Walker Specialised Solutions Architect Security and Compliance Amazon Web Services UK Ltd

Altius IT Policy Collection

Minfy MS Workloads Use Case

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Architecting Microsoft Azure Solutions (proposed exam 535)

Sophos Mobile. server deployment guide. product version: 9

Understanding Perimeter Security

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Cybersecurity Session IIA Conference 2018

WELCOME ISO/IEC 27001:2017 Information Briefing

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Information Security Policy

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

CAN MICROSOFT HELP MEET THE GDPR

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

SECURITY & PRIVACY DOCUMENTATION

Juniper Vendor Security Requirements

RA-GRS, 130 replication support, ZRS, 130

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

We are ready to serve Latest IT Trends, Are you ready to learn? New Batches Info

Twilio cloud communications SECURITY

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

SAA-C01. AWS Solutions Architect Associate. Exam Summary Syllabus Questions

Hackproof Your Cloud Responding to 2016 Threats

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Security Camp 2016 Cloud Security. August 18, 2016

One Hospital s Cybersecurity Journey

Cloud Customer Architecture for Securing Workloads on Cloud Services

Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

Google Cloud & the General Data Protection Regulation (GDPR)

Security+ SY0-501 Study Guide Table of Contents

25 Best Practice Tips for architecting Amazon VPC

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

The erosion of the perimeter in higher education. Why IAM is becoming your first line of defence.

General Data Protection Regulation

Payment Card Industry (PCI) Data Security Standard

Standardized Architecture for PCI DSS on the AWS Cloud

Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

ASD CERTIFICATION REPORT

Securing Microservices Containerized Security in AWS

Automating the Top 20 CIS Critical Security Controls

The Freedom to Choose

Cloud Transformation Program Cloud Change Champions June 20, 2018

Serverless Computing. Redefining the Cloud. Roger S. Barga, Ph.D. General Manager Amazon Web Services

Security Aspekts on Services for Serverless Architectures. Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

ISO27001 Preparing your business with Snare

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

Google Cloud Platform: Customer Responsibility Matrix. April 2017

NGF0502 AWS Student Slides

CLOUD AND AWS TECHNICAL ESSENTIALS PLUS

Microsoft Security Management

CPM. Quick Start Guide V2.4.0

CogniFit Technical Security Details

Transcription:

Launching a Highly-regulated Startup in the Cloud Poornaprajna Udupi (@poornaudupi) 1

Starting in the 86%by 2020 Cloud Cisco Global Cloud Index: Forecast and Methodology, 2015 2020 2

Building blocks, Cost, Scalability Compute Networking Storage Database Monitoring Alarm Notifications Deployments Access Key Control Management Data Pipeline Search User Management Device Farm Gaming IoT Machine Learning 3

Lean, Agile, Scrappy Disruptor Experiment Iterate MVP Growth 4

Security Questionnaire 5

Heard on the field... Compliance Report: Incident Management: Disaster Recovery: We use HTTPS We use AWS Military-grade encryption Here is AWS SOC2 report Never happened so far, Yet to experience a security incident 99.95% uptime - from EC2 SLA, Enterprise-grade SLA Vulnerability Management: We use Sophos Anti Virus Risk Assessment: Free Qualys Scan Report 6

Coming of Age Security whitepaper Self Assessment Client Assessment 7

Compliance 8

Security Guidelines Standardized Assessments Compliance 9

Security Guidelines Compliance http://smartfaststartup.com/2011/09/20/how-to-become-a-must-have/ 10

11

Designed by Freepik 12

Production Development Staging Corporate Sales Marketing 13

Production Development Staging Corporate Sales Marketing 14

Data Protection Data Classification Encryption Scope Sensitivity AWS Tags Storage Application (multi tenant) Amazon KMS, Azure Key Vault Confidant (by Lyft) https://azure.microsoft.com/en-us/services/sql-database/ Backup & Recovery Periodic snapshots Periodic backups Server snapshots AWS RDS, AWS AMI snapshots, Azure SQL Database Data Loss Prevention Alerts Monitoring AWS CloudWatch, Google Compute StackDriver Monitoring 15

Production Development Staging Corporate Sales Marketing 16

Network Access Segregation Based on data classification AWS Virtual Private Cloud, Azure Virtual Network Microservice Access Subnets NAT Gateway Security Groups Role based access Application Access Allow port 443 only AWS Security Groups, AWS Certificate Manager, Azure Network Security Groups, AWS Web Application Firewall Employee Access Virtual Private Network (VPN) Tunnel only SSH required WiFi, Network requirements 17

Production Development Staging Corporate Sales Marketing 18

Endpoints Mobile Device Management Installed applications Accessible data Disk encryption, Firewall Best practices (screen lock, password) JAMF Cloud for Apple Macs, iphones, ipads, Microsoft Intune for PCs, Windows mobile, Google MDM for Androids Removable Media Forbid. By Exception. Allow auditable transmission of data only. Anti Virus, Anti Malware 19

Production Development Staging Corporate Sales Marketing 20

Minimum Necessary, Least Privilege Administrators Cross-account access Role-based access Groups Access Control AWS Security Policies, AWS Identity and Access Manager, Azure Active Directory, Google Cloud IAM Bless (by Netflix) 21

Audit, Logging & Monitoring System Activities (create, read, update, delete) and Admin activities Application Servers Database Network Report, Monitor and Audit periodically AWS CloudTrail, AWS CloudWatch, AWS VPC Flow Logs, Azure Application Insights, Azure Operational Insights, Google StackDriver Monitoring Security Monkey (by Netflix), ElastAlert (by Yelp), ElasticSearch (by Elastic) 22

Production Development Staging Corporate Sales Marketing 23

Configure for best practices Password Management Single Sign On Multi-factor Strength Reuse AWS IAM, Google Cloud IAM, Azure Active Directory Real time guidance on security, performance, cost, fault tolerance AWS Trusted Advisor, AWS Config Security Monkey (by Netflix), DbDat (by foospidy) Managed updates Vulnerability management Patching level Time Red/black AWS ElasticBeanstalk, Azure CloudServices, Azure Websites and Apps, Google App Engine 24

Organizational Maturity Physical and Environmental Security Lean on the clouds No local data storage & processing Visitor logs and system Changes Network access requirements Vulnerability Management Up to date inventory of assets: servers, workstations, portable devices, software Up to date with vendor software Handling zero-day vulnerabilities AWS Config, JAMF, Google MDM, Microsoft Intune Third-Party Risk Assessment Contractual guarantees Xfer compliance requirements Minimum required data sets, access Monitor SLAs Incident Response Up to date procedures for handling incidents Organizational Structure for handlers and communicators 25

Organizational Maturity Disaster Recovery & Business Continuity Up to date procedure to start from scratch Organizational Structure for handlers Recovery Time Objective Recovery Point Objective Secure SDLC Secure coding practices Code reviews, OWASP Top 10 Issue tracking, Change Management findbugs, find-sec-bugs Risk Management Know the risks and manage them Likelihood and Impact analysis Outsourcing (e.g. Business Associate Agreement) Education, Training and Awareness US-CERT SANS Newsletters Training Cybrary, Coursera, Udemy 26

Launching a Highly-regulated Startup in the Cloud Poornaprajna Udupi (@poornaudupi) 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback