cloud security: accelerating cloud adoption

Download Cloud security: Accelerating cloud adoption

Post on 16-Jan-2017




2 download

Embed Size (px)


  • MT 37 Cloud SecurityAccelerating Cloud Adoption

  • Heres How It Sometimes Goes

    Someone says Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud! And what they mean is usually public cloud

    So a cloud initiative is created

    The security function, if they are consulted at all, has to catch up as this is often a done deal longbefore security is considered

  • Another Way It Sometimes Goes Someone says

    Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud!

    But someone else says Wait! What about security!Do we really want to put our in someone elses data center?

    And the security function gets blamed for sayingno and standing in the way of business processinnovation.

    Or the security function says no, everybody pauses,and then says Lets do it anyway!

  • Yet Another Way It Sometimes Goes

    CEO or CFO suddenly notices public cloud spend

    o Gets a bill from a provider

    o Sees a number of expenses from same place

    Says Wow! Why are we spending so much on cloud?

    o Then comes a phase where the company creates an intentional strategy about using cloud

    Again, the security function mustcatch up to what has happened

  • Either Way, You Are Not Alone

    Security is one of the biggest challenges in the transition into cloudo Added on as an afterthought

    o Or treated as a roadblock

    This presentation:o Talks about how clients adopt cloud

    Five phases of adoption

    Things to consider at each phase

    When youre too big for cloud

    o Discusses the shared security responsibility model

    o How you should manage your cloud security Do it yourself

    Get help

  • The Five Stages of Cloud Adoption

    Virtualized datacenters, but no active plan for 3rd-party cloud

    Recognition of need for plan, but not there yet. Plan in development

    Active projects to move individual workstreams to cloud, often for new internally-developed applications. No formal security architecture yet

    Design for cloud as primary or exclusive datacenter. Accompanied by a thought-out security strategy

    Cloud does not offer cost savings at massive scale

    Likelihood of Shadow IT

  • Two Epiphanies



    Hey, were spending a lot on cloud already we should have a plan.

    Hey, this cloud really delivers a lot of advantages. We should have a plan.

    Hey, were spending so much on cloud and were not really seeing the savings we expected. Maybe we should bring this back in house?

    Relatively few organizations will get here.

  • Things to Think About At Each Phase

    Plan Create a security reference architecture for your cloud presence

    Select multiple cloud providers and evaluate their security approaches & their terms

    Create a governance model for what data is allowed in the cloud and what is not

    Transition Reconsider the architecture of your applications (forklift v. redesign)

    Test your applications once theyre in cloud (pen test, red team)

    Extend your security operations model (scanning, patching) to include cloud

    Dept/Dev You generally care about the same security controls in cloud as in traditional data center

    Consider how your security model needs to change in response to cloud (pets v. cattle)

    Consider incident response planning and/or retainer

    All-In Your security operational model must be fully implemented in this phase

    Forensics readiness is very important will you know what to do if theres an incident

    Too Big Security for pets v. Security for cattle

    Incident Response and Threat Intelligence become even more critical here

  • Shared Security Responsibility Model

  • What This Means

    Cloud Providers generally have excellent cloud infrastructure security

    o It is designed to protect THEM; it is NOT DESIGNED to protect YOU

    Security of YOUR application and YOUR data in the cloud is YOUR responsibility

    If you put an unpatched Windows server on a public IP address in a well-defended public cloud, it will be compromised in seconds

  • How to Manage Your Cloud Security Option A

    Public cloud security infrastructure MUST be managed and monitored just like anything else.

    You can certainly do it yourself

    10 things to consider:

  • Security in Public Clouds: 10 Things To Consider

    1. Make sure you understand where your provider's responsibilities end and yours begin. Understand

    how your service provide is willing to work with you. Understand the role they play in your operational

    security. Understand their security & limits on their liability.

    2. Make sure you have the right to audit your environment.

    3. Make sure your data and applications are mobile and not locked into a proprietary format.

    4. Make sure you have a method for retrieving/removing your application(s) and data.

    5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider

    does not have keys.

    6. Monitor everything -- server activity, user activity, device activity, data in motion.

    7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your

    existing systems for increased user adoption and lower management costs.

    8. Back up your data and applications regularly when its gone in cloud, its gone forever.

    9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be


    10. Ensure that you budget for your security infrastructure. Dont get surprised by unexpected compute,

    storage, or network transfer costs associated with your security infrastructure.

  • How to Manage Your Cloud Security Option B

    Incident ManagementManaged Security Security and Risk Consulting

    Managed Vulnerability

    & Web App Scanning

    Managed Network IPS

    Security Design &

    Architecture Service

    Cloud Security

    Strategy & Risk


    Incident Management


    Penetration Tests

    WASA for Cloud

    Web API Testing

    Cloud Vendor

    Security Assessment

    Advanced Penetration


    Remote Red Team



    Emergency Incident


    Monitored Firewall

    Monitored WAF

    Monitored Elastic

    Server Group Logs

  • ResourcesBrowse:

    Watch:Dell YouTube Channel


  • Thanks!