Cloud security: Accelerating cloud adoption

Download Cloud security: Accelerating cloud adoption

Post on 16-Jan-2017




2 download

Embed Size (px)


<ul><li><p>MT 37 Cloud SecurityAccelerating Cloud Adoption</p></li><li><p>Heres How It Sometimes Goes</p><p> Someone says Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud! And what they mean is usually public cloud</p><p> So a cloud initiative is created</p><p> The security function, if they are consulted at all, has to catch up as this is often a done deal longbefore security is considered</p></li><li><p>Another Way It Sometimes Goes Someone says </p><p>Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud!</p><p> But someone else says Wait! What about security!Do we really want to put our in someone elses data center?</p><p> And the security function gets blamed for sayingno and standing in the way of business processinnovation.</p><p> Or the security function says no, everybody pauses,and then says Lets do it anyway!</p></li><li><p>Yet Another Way It Sometimes Goes</p><p> CEO or CFO suddenly notices public cloud spend</p><p>o Gets a bill from a provider</p><p>o Sees a number of expenses from same place</p><p> Says Wow! Why are we spending so much on cloud?</p><p>o Then comes a phase where the company creates an intentional strategy about using cloud</p><p> Again, the security function mustcatch up to what has happened</p></li><li><p>Either Way, You Are Not Alone</p><p> Security is one of the biggest challenges in the transition into cloudo Added on as an afterthought</p><p>o Or treated as a roadblock</p><p> This presentation:o Talks about how clients adopt cloud</p><p> Five phases of adoption</p><p> Things to consider at each phase</p><p> When youre too big for cloud</p><p>o Discusses the shared security responsibility model</p><p>o How you should manage your cloud security Do it yourself</p><p> Get help</p></li><li><p>The Five Stages of Cloud Adoption </p><p>Virtualized datacenters, but no active plan for 3rd-party cloud</p><p>Recognition of need for plan, but not there yet. Plan in development</p><p>Active projects to move individual workstreams to cloud, often for new internally-developed applications. No formal security architecture yet</p><p>Design for cloud as primary or exclusive datacenter. Accompanied by a thought-out security strategy</p><p>Cloud does not offer cost savings at massive scale</p><p>Likelihood of Shadow IT</p></li><li><p>Two Epiphanies</p><p>1</p><p>2</p><p> Hey, were spending a lot on cloud already we should have a plan.</p><p> Hey, this cloud really delivers a lot of advantages. We should have a plan.</p><p> Hey, were spending so much on cloud and were not really seeing the savings we expected. Maybe we should bring this back in house? </p><p> Relatively few organizations will get here.</p></li><li><p>Things to Think About At Each Phase</p><p>Plan Create a security reference architecture for your cloud presence</p><p> Select multiple cloud providers and evaluate their security approaches &amp; their terms</p><p> Create a governance model for what data is allowed in the cloud and what is not</p><p>Transition Reconsider the architecture of your applications (forklift v. redesign)</p><p> Test your applications once theyre in cloud (pen test, red team)</p><p> Extend your security operations model (scanning, patching) to include cloud</p><p>Dept/Dev You generally care about the same security controls in cloud as in traditional data center</p><p> Consider how your security model needs to change in response to cloud (pets v. cattle)</p><p> Consider incident response planning and/or retainer</p><p>All-In Your security operational model must be fully implemented in this phase</p><p> Forensics readiness is very important will you know what to do if theres an incident</p><p>Too Big Security for pets v. Security for cattle</p><p> Incident Response and Threat Intelligence become even more critical here</p></li><li><p>Shared Security Responsibility Model</p></li><li><p>What This Means</p><p> Cloud Providers generally have excellent cloud infrastructure security</p><p>o It is designed to protect THEM; it is NOT DESIGNED to protect YOU</p><p> Security of YOUR application and YOUR data in the cloud is YOUR responsibility</p><p> If you put an unpatched Windows server on a public IP address in a well-defended public cloud, it will be compromised in seconds</p></li><li><p>How to Manage Your Cloud Security Option A</p><p> Public cloud security infrastructure MUST be managed and monitored just like anything else.</p><p> You can certainly do it yourself</p><p> 10 things to consider:</p></li><li><p>Security in Public Clouds: 10 Things To Consider</p><p>1. Make sure you understand where your provider's responsibilities end and yours begin. Understand </p><p>how your service provide is willing to work with you. Understand the role they play in your operational </p><p>security. Understand their security &amp; limits on their liability.</p><p>2. Make sure you have the right to audit your environment.</p><p>3. Make sure your data and applications are mobile and not locked into a proprietary format. </p><p>4. Make sure you have a method for retrieving/removing your application(s) and data.</p><p>5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider </p><p>does not have keys.</p><p>6. Monitor everything -- server activity, user activity, device activity, data in motion.</p><p>7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your </p><p>existing systems for increased user adoption and lower management costs.</p><p>8. Back up your data and applications regularly when its gone in cloud, its gone forever.</p><p>9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be </p><p>harder.</p><p>10. Ensure that you budget for your security infrastructure. Dont get surprised by unexpected compute, </p><p>storage, or network transfer costs associated with your security infrastructure.</p></li><li><p>How to Manage Your Cloud Security Option B</p><p>Incident ManagementManaged Security Security and Risk Consulting</p><p>Managed Vulnerability </p><p>&amp; Web App Scanning</p><p>Managed Network IPS</p><p>Security Design &amp; </p><p>Architecture Service</p><p>Cloud Security </p><p>Strategy &amp; Risk </p><p>Assessment</p><p>Incident Management </p><p>Retainer</p><p>Penetration Tests</p><p>WASA for Cloud</p><p>Web API Testing</p><p>Cloud Vendor </p><p>Security Assessment</p><p>Advanced Penetration </p><p>Tests</p><p>Remote Red Team</p><p>PCI, HIPAA, GLBA, </p><p>FISMA, EI3PA </p><p>Emergency Incident </p><p>Response</p><p>Monitored Firewall</p><p>Monitored WAF</p><p>Monitored Elastic </p><p>Server Group Logs</p></li><li><p>ResourcesBrowse:</p><p>Watch:Dell YouTube Channel</p><p>Interact:@DellSecurity@DellSecureWorks</p></li><li><p>Thanks!</p></li></ul>


View more >