25-cloud cybersecurity cheat sheet-v0
CRAIG PETERSØN.COM
CLOUD CYBERSECURITY CHEAT SHEET
© 2019 Craig Peterson. All Rights Reserved.

1 Cloud Computing
Cloud computing is just a new term for "Using someone else's computer." It sure sounds good & easy. But read on...
Technically, it refers to the use of networked infrastructure software and capacity to provide resources to users in an on-demand environment. With cloud computing, information is stored in centralized servers and cached temporarily on clients that can include desktop computers, notebooks, handhelds and other devices.

2 Business Challenges
Public cloud-based software as a service (SaaS) has become a common delivery model for business applications, including office applications and sales-and-marketing software etc. in use at enterprises. The popularity of cloud-based applications, platforms and infrastructure stems from the following business requirements:
Quick Adoption: Business units looking for quick adoption of new applications as well as the ability to quickly change from one application provider to another.
Cost Benefit: Short-term cost-effective licensing.
Effective Collaboration: Business groups looking to collaborate with partners and customers, suppliers, subsidiaries and acquisitions.
Bring your own cloud (BYOC): Employees are not waiting for IT; they're bringing cloud services to work.
As a result, business groups and employees, external partners and customers require IT organizations to support a diverse set of cloud-based SaaS applications.

3 Balance Risk vs Productivity
Determine whether controls are sufficient and appropriate and if they provide adequate protection against anticipated threats along with a plan for risk mitigation...
Focusing on making security measures easy to use, implement and maintain can balance security and productivity. Security controls shouldn't be viewed just as a static configuration, but rather with a scalable design – one where any instance of the service that is invoked provides the same risk posture and such that when a vulnerability is discovered, appropriate action can be taken to fix the design.

4 Public Cloud Services
1. Application and Information clouds – Sometimes referred to as Software-as-a-Service, this type of cloud refers to a business-level service...
2. Development clouds – Sometimes referred to as Platform-as-a-Service, cloud development platforms enable application authoring and provide runtime environments without hardware investment.
3. Infrastructure clouds – Also referred to as Infrastructure-as-a-Service, this type of cloud enables IT infrastructure to be deployed and used via remote access and made available on an elastic basis.

5 Cloud Benefits
Expand scalability – By utilizing cloud computing, IT staff can quickly meet changing user loads without having to engineer for peak loads.
Lower infrastructure costs – With external clouds, customers do not own the infrastructure. This enables enterprises to eliminate capital expenditures and consume resources as a service, paying only for what they use. Clouds enable IT departments to save on application implementation, maintenance and security costs, while benefiting from the economies of scale a cloud can offer compared to even a large company network.
Increased utilization – By sharing computing power between multiple clients, cloud computing can increase utilization rates, further reducing IT infrastructure costs.
Improved end-user productivity – With cloud computing, users can access systems, regardless of their location or what device they are using (e.g., PCs, laptops, etc.).
Improve reliability – Cloud computing can cost-effectively provide multiple redundant sites, facilitating business continuity and disaster recovery scenarios.
Increased security – Due to centralization of data and increased security-focused resources from cloud computing providers, cloud computing can enhance data security. Cloud computing can also relieve an IT organization from routine tasks, including backup and recovery. External cloud service providers typically have more infrastructure to handle data security than the average small to midsize business.
Gain access to more sophisticated applications – External clouds can offer CRM and other advanced tools that were previously out of reach for many businesses with smaller IT budgets.
Downsized IT department – By moving applications out to a cloud, IT departments can reduce the number of application administrators needed for deployment, maintenance and updates. IT departments can then reassign key IT personnel to more strategic tasks.
Save energy – Going "green" is a key focus for many enterprises. Clouds help IT organizations reduce power, cooling and space usage to help the enterprise create environmentally responsible datacenters.

6 Cloud Challenges
A lack of interoperability – The absence of standardization across cloud computing platforms creates unnecessary complexity and results in high switching costs. Each cloud vendor has a different application model, many of which are proprietary, vertically integrated stacks that limit platform choice. Customers don't want to be locked into a single provider and are often reluctant to relinquish control of their mission-critical applications to hosting service providers.
Application Compatibility – Most of the existing public compute clouds are not interoperable with existing applications and they limit the addressable market to those willing to write new applications from scratch.
Difficulty in meeting compliance regulations – Regulatory compliance requirements may limit the use of the shared infrastructure and utility model of external cloud computing for some environments. Achieving compliance often requires complete transparency of the underlying IT infrastructure that supports business-critical applications, while cloud computing by design places IT infrastructure into a "black box" accessible only through well-defined interfaces. As a result, internal compute clouds may be a better solution for some applications that must meet stringent compliance requirements.
Inadequate security – By design, cloud vendors typically support multi-tenancy compute environments. IT managers must look for a balance between the security of an internal, dedicated infrastructure versus the improved economics of a shared cloud environment. Security can be a key inhibitor to adoption of cloud computing.

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. We are not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, we make no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and are not responsible for misprints, out-of-date information, or errors. We make no warranty, express or implied, and assume no legal liability or responsibility for the accuracy or completeness of any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

7 Cloud Computing Security
When moving to the cloud take the time to review your security posture and what changes and controls need to be implemented to operate securely. You want a cloud platform that offers a wide variety of security services to address various requirements and by doing so you benefit from all the new features as they become available. Cloud security involves maintaining adequate preventative protections so you:
Know that the data and systems are safe.
Can see the current state of security.
Know immediately if anything unusual happens.
Can trace and respond to unexpected events.
Security has a lot to do with access. Traditional environments usually control access using a perimeter security model. Cloud environments are highly connected, making it easier for traffic to bypass traditional perimeter defenses. Insecure application programming interfaces (APIs), weak identity and credentials management, account hijacks, and malicious insiders may pose threats to the system and data.
Preventing unauthorized access in the cloud requires shifting to a data-centric approach. Encrypt the data. Strengthen the authorization process. Require strong passwords and 2-factor authentication. Build security into every level.

8 Security Risks
1. Loss or theft of intellectual property - When a cloud service is breached, the cybercriminals get access to your sensitive data. Additionally, with certain services you face risks from their terms and conditions claiming ownership of the data that you uploaded to them.
2. Compliance violations and regulatory actions - Most companies today operate under some sort of regulatory control of their information. Under these mandates, companies must know where their data is, who is able to access it, and how it is being protected. If not configured properly, cloud computing services are often in violation of these requirements, putting the organization in a state of non-compliance, which can have serious repercussions.
3. Loss of control over end user actions - Companies may be in the dark about employees who are using cloud services without their knowledge, until it's too late.
4. Malware infections that unleash a targeted attack - Cloud services can be used as a vector for exfiltration of sensitive data.
5. Contractual breaches with customers or business partners - Contracts among business parties often restrict how data is used and who is authorized to access it. If employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue. Some cloud services maintain the right to share all data uploaded to the service with third parties in their terms and conditions, resulting in a breach of a confidentiality agreement the company made with a business partner.
6. Diminished customer trust - Data breaches inevitably result in diminished trust by customers, leading to a loss of business for the company, which ultimately impacts the company's revenue.
7. Data breach requiring disclosure and notification to victims - If sensitive or regulated data is put in the cloud and a breach occurs, the company may be required to disclose the breach and send notifications to potential victims. Following legally-mandated breach disclosures, regulators can levy fines against a company and it's not uncommon for consumers whose data was compromised to file lawsuits.
8. Increased customer churn - If customers even suspect that their data is not fully protected by enterprise-grade security controls, they may take their business elsewhere to a company they can trust. There are a number of critics warning consumers to avoid cloud companies who do not protect customer privacy.
9. Revenue losses - This is a reason that many are now calling for increased oversight by the board of directors over cyber security programs.

9 Concluding Thoughts
In order to reduce the risks of unmanaged cloud usage, companies first need visibility into the cloud services they choose and those in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom. Their IT teams must assure that they are enforcing corporate data security, compliance, and governance policies to protect corporate data in the cloud. The cloud is here to stay, and companies must balance the risks of cloud services with the clear benefits they bring.