Cloud Security: Constant Innovation without Constant Capital Expenditure
Presented by Richard Brown
Wednesday 19 July 2017, CIO Summit, Gold Coast, Australia
How do we combat evolving threats?
- The traditional way is not ideal.
- Technology is moving at a rapid rate.
- How do we keep up with innovation?
- How do I keep my capital costs from blowing out?
Abstract
The As a Service model is delivering:
- Better and constant innovation
- The ability to adopt new technologies faster
- Lower cost (especially up-front capital costs)
- Less vendor lock-in (in some cases)
- No waiting for an upgrade cycle
- A lower configuration and change management burden
Agenda
- The rapidly changing face of cyber security
- The As a Service model
- Addressing security in the cloud
- Case Study 1: AWS
- Case Study 2: Microsoft Office 365
- Case Study 3: New Zealand Government Telecommunications as a Service model (TaaS)
- Case Study 4: Jellyfish (IdMaaS)
Historically
Traditional data protection: the castle defence strategy.
Strong protection of the border involved:
- Restricted entry based on entry points (ports)
- Then came SPI, DLP, etc.
On compromise, the only options were:
- Further restrict entry points
- Restrict access methods (e.g. VPN)
This still left a host of vulnerabilities, and a large capital expenditure.
Some of this is still relevant, but...
Today
A rapidly changing landscape:
- We need ever more flexible access.
- Threats often don't use the front door: the trusted insider threat, Bring Your Own Device.
- Systems are no longer just on premises but in the cloud too.
- More of the enterprise is accessible via the internet.
- Access is not just by employees, but now also by contractors, customers and partners.
- Accessed any time, from anywhere in the world.
- Once you're inside the network, most organisations have very few restrictions.
The challenge
Usability versus security. Business now expects high levels of connectivity between applications, devices and individuals, and security must adapt to this.
Security needs to:
- See past one box or solution: a layered approach gives greater assurance.
- Treat authentication and encryption as essential components.
- Adapt to internet scale rather than enterprise scale.
- Remember that the boundary is still important.
The internet of threats
- Gartner predicts 25 billion connected things by 2020.
- We need to make them more useful.
- Better relationships: individual to individual, individual to device and device to device.
- Delegation with accountability (e.g. UMA).
- Improved security through contextually aware, dynamic decision making.
- Improvement of behavioural analytics.
- Sharing while maintaining control.
- More automation, but still with the ability to have an approval workflow and handle exceptions.
The future
The New Look Castle: Next Generation Firewalls
Boundary protection still plays a role. New and improved guards at the entrance:
- Heuristic techniques
- Content identification
- Rules based on user identification
- Decryption and inspection of secure packets
- Filtering and checking based on daily updates (e.g. URL and AV)
*Image courtesy of Palo Alto Networks
Identity is KEY
An entity may be:
- a person
- a device
- a third party
Entities include users from outside the organisation and may represent a group or role. Organisations now need to understand the relationships they have with identities. You need to get it right from the start to the end: provisioning, update and de-provisioning are key.
Access Control
- Seamless access for users to authorised systems
- Know who and what is accessing your data
- Provisioning rules
- Allow automated and supervisor approvals of special access
Authentication
Go beyond passwords to:
- Ensure a better level of authentication
- Stop hackers accessing data once they are past the firewall
Systems authenticate (not just users):
- Share data ONLY with other known and trusted systems
- Not with a hacker or a foreign system
Multi Factor Authentication
- One of the most effective measures to prevent a cyber intruder
- MFA is the provision of multiple pieces of information
- Enables tasks such as system authentication
- Edward Snowden proves why this can be so effective
Encryption
A compromise of your border will occur at some point. Protect your data using encryption:
- Virtual machines, databases, storage devices, files and folders, applications (Office 365, Gmail, etc.)
- On premises, in the cloud or in hybrid solutions
- Encrypt TROPHY systems
- Protect the keys used for encryption from compromise and loss
- Make sure you change keys regularly
Keys
Keys to the kingdom stay in the control of the castle owner. This is true for data kept:
- On-premises
- In the cloud
- In a hybrid
Keeping the keys still means:
- The trusted cloud service providers host the data, but have no access to the information.
- On-premises administrators don't need to see the data to perform their roles.
- The castle owner decides who has access to the information.
Costs
Sounds great, but it sounds expensive:
- Huge capital outlay
- A long time to implement
- Has to evolve with the threats, so the capital outlay is potentially every year and whenever a new threat is identified
So I need a massive budget that I can't determine in advance? Are you crazy?
All this can be accessed as a Service
- The As a Service model brings substantial benefits to an organisation.
- It also keeps providers on their toes.
- It's a WIN-WIN.
Benefits for YOUR organisation
- Cost is less and has only one way to go: down!
- Keep up with the latest security innovation
- Ease of transition
- The best protection available at a fraction of the capital outlay
- Multiple security providers can be combined and replaced as needed to maintain best of breed
- Business service management vs patch and upgrade management
The Providers
Easing the transition to another provider means no or low capital costs. This means:
- More, not fewer, competitors and choice over time
- Providers need to keep innovating and investing to stay relevant
- Providers need to keep costs low
- Providers need to offer more over time
- Capital costs are amortised across subscribers
- Agility to evolve quickly: maintain a service, not a patch level; only one version of the product to maintain; new features deployed centrally
Case Study 1: AWS
Amazon Web Services benefits:
- Cost: no capex; pay only for what you use; no lock-in; reduce cost again by turning things off
- Ability to provision quickly
- Ability to scale quickly: elastic growth; easy to set up load balancing; multiple geographic locations
AWS keeps data safe
- The AWS infrastructure puts strong safeguards in place to protect customer privacy.
- All data is stored in highly secured AWS data centres.
- You retain control and ownership over the region in which your data is physically located, making it easy to meet regional compliance and data residency requirements.
AWS Challenges
- Data sovereignty
- Security
- Privacy
- Industry-specific compliance requirements for the above
- Legal (subpoenas)
- Location of data centres to meet data sovereignty retention laws or customer requirements
- Insider threats
Further Securing AWS
- Automated provisioning and deprovisioning
- Single Sign On (SSO)
- Encrypted data stores
- Encrypted virtual machines
- Encrypted DB components
- Protect apps
Case Study 2: Office 365
Office 365 benefits:
- Cost: reduced capex; pay only for what you use; bundled licences for end user tools included as part of the subscription
- Access to familiar tools in the cloud
- 99.9% uptime guarantee
Office 365 keeps data safe
Trusted cloud security:
- More control over your data security and compliance, with built-in privacy, transparency and refined user controls
- Conforms to ISO/IEC 27018, which prohibits use of personal data for marketing
- Keeps data secure and protected both in transit and at rest
- Multiple levels of approval and just-in-time access with limited and time-bound authorisation
Office 365 Challenges
- Data sovereignty
- Security
- Privacy
- Industry-specific compliance requirements for the above
- Legal (subpoenas)
- Location of data centres to meet data sovereignty retention laws or customer requirements
- Insider threats
Further Securing Office 365
Trusted cloud security:
- Email encryption
- OneDrive and SharePoint encryption
- SSO to avoid password use by users
- MFA
Problems
Systems not talking to one another:
- Legacy and new systems/applications
- No linkages/workflow
- Costly ad hoc approach
- Allows gaps in security
- No one talks about the cloud provider's trusted insider
Jellyfish® can solve these problems.
The Benefits
- Works with existing/future systems
- Improves end user productivity
- Do more with less
- Reduces capex/opex costs
- Automates
- Modular
Enhanced Security and Control
Cross-system workflow and communications. Systems can:
- Share data seamlessly
- Make dynamic decisions
Example: logical access talking to physical access:
- Provisioning/de-provisioning from either affects the other
- An event on one affects the other
CASB Capability Matrix
Thank You
Thanks for listening. Please direct any further questions to:
Richard Brown, CEO, Cogito Group
sales@cogitogroup.com.au
www.cogitogroup.com.au
cogitogroup / Cogito Group Pty Ltd / @CogitoGroup1