cloud security: accelerating cloud adoption
Post on 16-Jan-2017
Embed Size (px)
MT 37 Cloud SecurityAccelerating Cloud Adoption
Heres How It Sometimes Goes
Someone says Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud! And what they mean is usually public cloud
So a cloud initiative is created
The security function, if they are consulted at all, has to catch up as this is often a done deal longbefore security is considered
Another Way It Sometimes Goes Someone says
Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Lets do cloud!
But someone else says Wait! What about security!Do we really want to put our in someone elses data center?
And the security function gets blamed for sayingno and standing in the way of business processinnovation.
Or the security function says no, everybody pauses,and then says Lets do it anyway!
Yet Another Way It Sometimes Goes
CEO or CFO suddenly notices public cloud spend
o Gets a bill from a provider
o Sees a number of expenses from same place
Says Wow! Why are we spending so much on cloud?
o Then comes a phase where the company creates an intentional strategy about using cloud
Again, the security function mustcatch up to what has happened
Either Way, You Are Not Alone
Security is one of the biggest challenges in the transition into cloudo Added on as an afterthought
o Or treated as a roadblock
This presentation:o Talks about how clients adopt cloud
Five phases of adoption
Things to consider at each phase
When youre too big for cloud
o Discusses the shared security responsibility model
o How you should manage your cloud security Do it yourself
The Five Stages of Cloud Adoption
Virtualized datacenters, but no active plan for 3rd-party cloud
Recognition of need for plan, but not there yet. Plan in development
Active projects to move individual workstreams to cloud, often for new internally-developed applications. No formal security architecture yet
Design for cloud as primary or exclusive datacenter. Accompanied by a thought-out security strategy
Cloud does not offer cost savings at massive scale
Likelihood of Shadow IT
Hey, were spending a lot on cloud already we should have a plan.
Hey, this cloud really delivers a lot of advantages. We should have a plan.
Hey, were spending so much on cloud and were not really seeing the savings we expected. Maybe we should bring this back in house?
Relatively few organizations will get here.
Things to Think About At Each Phase
Plan Create a security reference architecture for your cloud presence
Select multiple cloud providers and evaluate their security approaches & their terms
Create a governance model for what data is allowed in the cloud and what is not
Transition Reconsider the architecture of your applications (forklift v. redesign)
Test your applications once theyre in cloud (pen test, red team)
Extend your security operations model (scanning, patching) to include cloud
Dept/Dev You generally care about the same security controls in cloud as in traditional data center
Consider how your security model needs to change in response to cloud (pets v. cattle)
Consider incident response planning and/or retainer
All-In Your security operational model must be fully implemented in this phase
Forensics readiness is very important will you know what to do if theres an incident
Too Big Security for pets v. Security for cattle
Incident Response and Threat Intelligence become even more critical here
Shared Security Responsibility Model
What This Means
Cloud Providers generally have excellent cloud infrastructure security
o It is designed to protect THEM; it is NOT DESIGNED to protect YOU
Security of YOUR application and YOUR data in the cloud is YOUR responsibility
If you put an unpatched Windows server on a public IP address in a well-defended public cloud, it will be compromised in seconds
How to Manage Your Cloud Security Option A
Public cloud security infrastructure MUST be managed and monitored just like anything else.
You can certainly do it yourself
10 things to consider:
Security in Public Clouds: 10 Things To Consider
1. Make sure you understand where your provider's responsibilities end and yours begin. Understand
how your service provide is willing to work with you. Understand the role they play in your operational
security. Understand their security & limits on their liability.
2. Make sure you have the right to audit your environment.
3. Make sure your data and applications are mobile and not locked into a proprietary format.
4. Make sure you have a method for retrieving/removing your application(s) and data.
5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider
does not have keys.
6. Monitor everything -- server activity, user activity, device activity, data in motion.
7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your
existing systems for increased user adoption and lower management costs.
8. Back up your data and applications regularly when its gone in cloud, its gone forever.
9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be
10. Ensure that you budget for your security infrastructure. Dont get surprised by unexpected compute,
storage, or network transfer costs associated with your security infrastructure.
How to Manage Your Cloud Security Option B
Incident ManagementManaged Security Security and Risk Consulting
& Web App Scanning
Managed Network IPS
Security Design &
Strategy & Risk
WASA for Cloud
Web API Testing
Remote Red Team
PCI, HIPAA, GLBA,
Server Group Logs
ResourcesBrowse: dell.com/security powermore.dell.com Secureworks.com
Watch:Dell YouTube Channel