Managing Security in The Cloud

Adam Ely
CISO, Heroku at salesforce.com
Founder & COO, Bluebox
adam@bluebox.com
www.bluebox.com
Twitter: @adamely

Why you’re listening to me

• CISO of Heroku BU at salesforce.com: I know cloud security
• Security leadership roles at Heroku/salesforce.com, TiVo, and Walt Disney: I feel your pain
• Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS: I know more acronyms than you :P
• CISSP, CISA, MBA, and some other stuff like that: I have more acronyms than you :(

Defining “cloud”

• IaaS - Infrastructure as a service: EC2, Rackspace
• PaaS - Platform as a service: Heroku
• SaaS - Software as a service: salesforce.com, box, workday
• Combining service types: AWS EC2 + AWS SQS + Heroku Postgres + Rackspace

Areas of risk

• IaaS: physical, personnel, internal operations/InfoSec
• PaaS: platform (OS, services, configurations)
• SaaS: web application security

We must think differently

• Not all vendors are the same: one-size-fits-all checklists are dead, don’t be that guy
• Rationalize the risks: if the service is not interacting with cardholder data, don’t demand it must be PCI compliant. Focus on the risks present.
• Accept transfer of responsibilities: you’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.
• Innovate, adapt, and improve: focus on the real risks, what you can do to ensure protections, and move to continuous assessment, not checklist auditing

Step 1: Know thy self

• Develop a security baseline: you do have a data classification and handling guide, right? Define your critical assets, define controls, build a minimum baseline for vendors (intent, not implementation)
• Understand the types of services: how can you know the risks if you don’t know what it does?
• What concerns us about each service? Determine the potential risk based on the service and develop assessments against the relevant guideline


Step 2: Start dating

• Work with the provider: ask them about their security, see what they provide; maybe that’ll be enough, or maybe you’ll think of new things
• Tailor your assessment: tailor your approach to the type of service, how your org will use it, and the risks present
• Don’t expect everything for $8/month. Enough said.
• Communicate intent, not implementation: work with the vendor to meet intent and understand their implementation

Step 3: Use protection

• Encryption = data condom. Really concerned about the data? Wrap it up!
• Audit: backhaul logs, monitor, alert, and react
• Continuous audit: use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever

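As an added example (not code from the slides, nor from Heroku or salesforce.com), the script below turns Steps 1 to 3 into something runnable: a minimum baseline per data classification stated as intent, a tailored check that only evaluates the controls that classification requires, and a continuous audit that takes a tenant's settings and user list as a vendor API would return them and reports drift. The field names, the `BASELINE` thresholds and the `SAMPLE_TENANT` payload are assumptions; a real run would replace the constructed payload with the vendor's actual API response.

```python
# Added example (not from the slides): continuous audit of a vendor tenant
# against an intent-level baseline. The API response shape ("settings" plus a
# "users" list) is a hypothetical stand-in for whatever the real vendor returns;
# SAMPLE_TENANT is constructed inline so the script runs offline.
from datetime import datetime, timedelta, timezone

# Step 1 ("Know thy self"): minimum baseline per data classification, stated as
# what must be true rather than how the vendor implements it.
BASELINE = {
    "public": {"mfa_for_admins": True},
    "internal": {"mfa_for_admins": True, "no_public_sharing": True},
    "confidential": {
        "mfa_for_admins": True,
        "mfa_for_all": True,
        "no_public_sharing": True,
        "encryption_at_rest": True,
        "max_admin_idle_days": 30,
    },
}

# Constructed sample of a tenant's settings and users (hypothetical field names).
SAMPLE_TENANT = {
    "settings": {"encryption_at_rest": False, "public_link_sharing": True},
    "users": [
        {"name": "alice", "role": "admin", "mfa": True,
         "last_login": "2013-05-30T09:00:00+00:00"},
        {"name": "bob", "role": "admin", "mfa": False,
         "last_login": "2013-04-17T09:00:00+00:00"},
        {"name": "carol", "role": "user", "mfa": False,
         "last_login": "2013-05-22T09:00:00+00:00"},
    ],
}
# Fixed clock so the idle-admin check is deterministic; a real run uses now().
AUDIT_TIME = datetime(2013, 6, 1, tzinfo=timezone.utc)


def finding(control, subject, detail):
    return {"control": control, "subject": subject, "detail": detail}


def audit(tenant, classification, now=AUDIT_TIME):
    """Return the baseline controls the tenant currently violates.

    Step 2 ("tailor your assessment"): only the controls required for this
    classification are checked, so a service that never sees confidential data
    is not held to the confidential baseline.
    """
    required = BASELINE[classification]
    settings = tenant["settings"]
    users = tenant["users"]
    admins = [u for u in users if u["role"] == "admin"]
    findings = []

    if required.get("encryption_at_rest") and not settings.get("encryption_at_rest"):
        findings.append(finding("encryption_at_rest", "tenant",
                                "vendor reports encryption at rest disabled"))
    if required.get("no_public_sharing") and settings.get("public_link_sharing"):
        findings.append(finding("no_public_sharing", "tenant",
                                "public link sharing is enabled"))
    if required.get("mfa_for_admins"):
        for u in admins:
            if not u["mfa"]:
                findings.append(finding("mfa_for_admins", u["name"], "admin without MFA"))
    if required.get("mfa_for_all"):
        for u in users:
            if not u["mfa"]:
                findings.append(finding("mfa_for_all", u["name"], "user without MFA"))
    max_idle = required.get("max_admin_idle_days")
    if max_idle is not None:
        for u in admins:
            last = datetime.fromisoformat(u["last_login"])
            idle_days = (now - last).days
            if idle_days > max_idle:
                findings.append(finding("max_admin_idle_days", u["name"],
                                        f"admin idle for {idle_days} days"))
    return findings


def needs_escalation(findings):
    """React: a tenant-wide control failure pages someone; per-user drift is ticketed."""
    return any(f["subject"] == "tenant" for f in findings)


if __name__ == "__main__":
    for level in ("public", "internal", "confidential"):
        found = audit(SAMPLE_TENANT, level)
        print(f"{level}: {len(found)} finding(s), escalate={needs_escalation(found)}")
        for f in found:
            print(f"  [{f['control']}] {f['subject']}: {f['detail']}")
```

Scheduled from cron or a CI job against the live API, the same `audit` call gives the "continuous assessment, not checklist auditing" the deck asks for: the baseline changes only when your classification guide does, while the vendor's settings and user list are re-checked every run.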

Where to look?

• Is customer data co-mingled?
• Does the vendor perform security assessments? What kind, and how frequently? Always ask about scope and status of remediation
• Encryption: data storage, external & internal transmission, queueing systems, backups, and 3rd party services used by the vendor. How are keys protected? Same key for all data/customers?
• Architecture: architecture review, determine what has access to your assets, including 3rd party services. If a SQLi vulnerability is exploited, is your data at risk?

Working with providers

• Know every provider is different
• Accept responsibility for risk management
• Understand what’s in place, make decisions based on risk
• Use vendors based on acceptable risk levels
• Help vendors achieve more, let them learn from you
