Cloud Security Discussion ISACA, Jacksonville Chapter October 2017 Meeting Craig Galley Information Security Officer SANS Mentor

Page 1: Cloud Security Discussion ISACA, Jacksonville … Security Discussion ISACA, Jacksonville Chapter ... into the wrong hands. ... SaaS Security Concerns Cloud Provider

Cloud Security Discussion ISACA, Jacksonville Chapter

October 2017 Meeting

Craig Galley
Information Security Officer
SANS Mentor

Page 2

Intro and Bio

❖ Jacksonville Resident 34 years

❖ 16 years involvement in Information Security

❖ Information Security Officer for the City of Jacksonville

❖ SANS Instructor

❖ Former “Biker”, now full-time “Dance Dad”

❖ Searching for my next hobby (fishing?, crochet?, gardening?)

Page 3

Why Cloud Services?

❖ Lower Total Cost of Ownership

❖ Reduce head count

❖ Performance gains and higher Return on Investment

❖ High Availability / Disaster Recovery

❖ Transfer Risk

❖ Security

Page 4

Security?

“Lost laptops are a billion dollar business problem. And potentially greater than the loss of an expensive piece of kit is the loss of the sensitive data inside it. Cloud computing gives you greater security when this happens. Because your data is stored in the cloud, you can access it no matter what happens to your machine. And you can even remotely wipe data from lost laptops so it doesn’t get into the wrong hands.”

ref - https://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

Page 5

❖ Cloud Service Provider (CSP)

❖ Cloud Customer

❖ Cloud Access Security Broker (CASB)

❖ Public, Private, Community, and Hybrid

❖ IaaS

❖ PaaS

❖ SaaS

Page 6

Cloud Security Responsibility?

❖ Cloud Customer!!!

❖ Cannot transfer the risk of housing PII data in the Cloud

❖ Ultimately responsible for ensuring that the Business Requirements are met when utilizing services in the Cloud

❖ Security concerns evolve rapidly; the Cloud Customer must understand how this impacts the organization.

Page 7

Initial Considerations

❖ Reliability of the Cloud Service Provider

❖ Location of Service and Data

❖ Breach reports and history of the Cloud Service Provider

❖ Auditors and Regulation

❖ Resource considerations

Page 8

Long Term Concerns

❖ Retention Policies

❖ What is the out strategy?

❖ Data Remnants

❖ Compliance

❖ Crypto-shredding

Page 9

SaaS Security Concerns

❖ Cloud Provider
    ❖ Platform, Infrastructure, Physical

❖ Cloud Customer
    ❖ GRC, Data

❖ Shared Responsibilities
    ❖ Application

Page 10

PaaS Security Concerns

❖ Cloud Provider
    ❖ Physical, Infrastructure

❖ Cloud Customer
    ❖ GRC, Data, Application

❖ Shared Responsibilities
    ❖ Platform

Page 11

IaaS Security Concerns

❖ Cloud Provider
    ❖ Physical

❖ Cloud Customer
    ❖ GRC, Data, Application, Platform

❖ Shared Responsibilities
    ❖ Infrastructure

Page 12

Continuous Monitoring

❖ Breach and Incident notifications

❖ Centralized logging

❖ Access to Cloud stored logs

Page 13

Cloud Application Security

❖ Not all applications are Cloud ready

Page 14

CSA - The Treacherous 12

❖ Data Breaches

❖ Insufficient Identity, Credential and Access Management

❖ Insecure Interfaces and APIs

❖ System Vulnerabilities

❖ Account Hijacking

❖ Malicious Insiders

ref - https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Page 15

CSA - The Treacherous 12 (cont.)

❖ Advanced Persistent Threats

❖ Data Loss

❖ Insufficient Due Diligence

❖ Abuse and Nefarious Use of Cloud Services

❖ Denial of Service

❖ Shared Technology issues

ref - https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Page 16

“At the end of the day…”

❖ Cloud Customer is always responsible for GRC and Data

❖ Cloud Services offer many advertised cost benefits

❖ Risk is present in many forms throughout Cloud models

❖ Information Security Professionals must be involved to voice the risk

❖ Senior Managers weigh the cost benefits against the risk and make the decision based on risk appetite.

Page 17

InfoSecJax

❖ ISACA, Infragard, ISSA, (ISC)2

❖ Tech Coast Conference

❖ B-Sides Jacksonville

❖ 2600 Meetings

❖ Hack@FSCJ

Page 18

Craig Galley’s SANS Schedule

❖ MGT414: SANS Training Program for CISSP® Certification

❖ Not a bootcamp!

❖ Next class starts on January 23rd, 2018 and runs through March 6th, 2018

❖ 7 weeks

❖ Each Tuesday from 6:00pm - 9:00pm

❖ Location: TBD

Page 19

Page 20

Questions???

❖ CISSP, CSSLP, GSLC, GSEC, GISP, Security+

[email protected]

❖ @bullpwr (Twitter) or LinkedIn