Matthew Rosenquist, Cybersecurity Strategist, 2016
CLOUD SECURITY
privacy
TRUST
SERVICES
CAPABILITY
COST
FLEXIBILITY
Benefits of Cloud
Cloud architecture and services are powerful tools and can deliver great benefits for business owners.
Cost effectiveness
– Utilization optimization
– Extensibility for growth and change
Services closer to the customer
Resiliency and demand-flexibility
Capacity for data and transactions
Risks of Cloud
The adoption and use of clouds have risks. Problems with security, privacy, and operational control can arise.
Confidentiality of information
Privacy of users and their data
Availability and control of the system
Unawareness of issues which arise
Complacency, assuming everything is fine
Cloud Security
Clouds are not secure by default. Protection is an important consideration. Planning, integration, maintenance, and oversight are required.
Security is a top concern for IT organizations moving to the cloud
Cloud providers are investing to greatly improve security and privacy
Balance the risks, usability, and costs
Consider the continually evolving threats
Attacks
Cloud environments get attacked.
Threats target physical components, OSes, VMMs/VMs, applications, interfaces, management tools, databases, networks, and users
Data breaches
System hijacking and denial-of-service
Data and transaction integrity
Attacks against end-customers
Privacy and confidentiality breaches
10 Information Assurance Categories for Cloud*
1. Identity and Access Management (IAM)
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security assessments
6. Security Information and Event Management (SIEM)
7. Intrusion Management
8. Encryption
9. Network Security
10. Business Continuity and Disaster Recovery (BCDR)
* Cloud Security Alliance (CSA)
Understand
It is important to understand the benefits and risks of adopting cloud solutions and architectures.
Policies and regulations
Integration and sustaining costs
Manageability impacts
Service flexibility needs
Ethical considerations
Plan
Choosing the architecture, defining the sensitivity of data, and documenting the security requirements and privacy expectations are key.
Build a Plan, with security in mind
Types of clouds (private, public, hybrid)
Data and transaction sensitivity
Mission criticality factors
Engage
Early engagement with security and privacy experts is needed. These resources can help you understand the policy, risks, and best practices.
Privacy team – experts on regulations, compliance, and BKMs (best-known methods)
Risk assessments – identifying the vulnerabilities and focus areas
IT Security team – tech configuration and deployment policy experts
Integration group – deployment best-known-methods
Audit team – Validation measures
Boundaries
Establishing operational and business-practice boundaries is critical to sustainable security and privacy.
Establish security and privacy policies
Review and adjust as necessary
Verify hosting security and privacy controls regularly
Define and compartmentalize roles of admins, hosting services, users, etc.
Document requirements, notifications, and response capabilities in SLAs
Crisis Response
Bad things eventually happen. It is important, and the duty of all service owners, to have an appropriate plan. This includes preparing for security and privacy events.
Be prepared. Have response and recovery plans
Include Command, Control, and Communication functions in the plan
Audit and test procedures
Maintain backups and verify their integrity
Include DRBC as part of the planning stage
Accountability
Cloud environments are powerful tools but not immune to problems. They require responsible ownership and oversight.
Be accountable. Maintain ownership and transition as necessary
Operations due-care and diligence for security and privacy
Remain current on emerging threats
Alignment to corporate ethics
Protection across the lifecycle from creation to End-of-Life
Ask
Nobody knows it all. Leverage the community of experts.
Don’t hesitate to ask questions of experts and resources:
– Cybersecurity
– Privacy
– Audit
– Cloud Architecture
– Regulatory compliance
Challenge the status-quo:
– Threats and attacks constantly change
– Cloud services expand, changing the risks
Conclusion
Cloud can be a tremendous opportunity or an equally miserable problem
Engage security and privacy resources
Take responsibility for ethical/policy adherence, and make good business choices
Be aware, think ahead, and plan