Cloud Security Discussion ISACA, Jacksonville Security Discussion ISACA, Jacksonville Chapter ... into the wrong hands. ... SaaS Security Concerns Cloud Provider

Cloud Security Discussion ISACA, Jacksonville Chapter

October 2017 Meeting

Craig GalleyInformation Security OfficerSANS Mentor

Intro and Bio

Jacksonville Resident 34 years

16 years involvement in Information Security

Information Security Officer for the City of Jacksonville

SANS Instructor

Former Biker, now full time Dance Dad

Searching for my next hobby (fishing?, crochet?, gardening?)

Why Cloud Services?

Lower Total Cost of Ownership

Reduce head count

Performance gains and higher Return on Investment

High Availability / Disaster Recovery

Transfer Risk

Security

Security?

Lost laptops are a billion dollar business problem. And potentially greater than the loss of an expensive piece of kit is the loss of the sensitive data inside it. Cloud computing gives you greater security when this happens. Because your data is stored in the cloud, you can access it no matter what happens to your machine. And you can even remotely wipe data from lost laptops so it doesnt get into the wrong hands.

ref - https://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

http://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

Cloud Service Provider (CSP)

Cloud Customer

Cloud Access Security Broker (CASB)

Public, Private, Community, and Hybrid

IaaS

PaaS

SaaS

Cloud Security Responsibility?

Cloud Customer!!!

Cannot transfer the risk of housing PII data in the Cloud

Ultimately responsible for ensuring that the Business Requirements are met when utilizing services in the Cloud

Security concerns evolve rapidly; the Cloud Customer must understand how this impacts the organization.

Initial Considerations

Reliability of the Cloud Service Provider

Location of Service and Data

Breach reports and history of the Cloud Service Provider

Auditors and Regulation

Resource considerations

Long Term Concerns

Retention Policies

What is the out strategy?

Data Remnants

Compliance

Crypto-shredding

SaaS Security Concerns

Cloud Provider

Platform, Infrastructure, Physical

Cloud Customer

GRC, Data

Shared Responsibilities

Application

PaaS Security Concerns

Cloud Provider

Physical, Infrastructure

Cloud Customer

GRC, Data, Application

Shared Responsibilities

Platform

IaaS Security Concerns

Cloud Provider

Physical

Cloud Customer

GRC, Data, Application, Platform

Shared Responsibilities

Infrastructure

Continuous Monitoring

Breach and Incident notifications

Centralized logging

Access to Cloud stored logs

Cloud Application Security

Not all applications are Cloud ready

CSA - The Treacherous 12

Data Breaches

Insufficient Identity, Credential and Access Management

Insecure Interfaces and APIs

System Vulnerabilities

Account Hijacking

Malicious Insiders

ref - https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

http://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

CSA - The Treacherous 12 (cont.)

Advanced Persistent Threats

Data Loss

Insufficient Due Diligence

Abuse and Nefarious Use of Cloud Services

Denial of Service

Shared Technology issues

ref - https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

http://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

At the end of the day.

Cloud Customer is always responsible for GRC and Data

Cloud Services offer many advertised cost benefits

Risk is present in many forms throughout Cloud models

Information Security Professionals must be involved to voice the risk

Senior Managers weigh the cost benefits vs the risk and make the decision based on risk appetite.

InfoSecJax

ISACA, Infragard, ISSA, (ISC)2

Tech Coast Conference

B-Sides Jacksonville

2600 Meetings

Hack@FSCJ

Craig Galleys SANS Schedule

MGT414: SANS Training Program for CISSP Certification

Not a bootcamp!

Next Class starts on January 23rd, 2018 runs through March 6th 2018

7 weeks

Each Tuesday from 6:00pm - 9:00pm

Location: TBD

Questions???

CISSP, CSSLP, GSLC, GSEC, GISP, Security+

galleyc@outlook.com

@bullpwr (Twitter) or LinkedIn