DON’T LOSE SIGHT!
STAYING SECURE WHEN MOVING TO THE CLOUD
DAVE MILLIER, CEO UZADO, CSO QUICK INTELLIGENCE, CEO MIDAC SOLUTIONS
AUTHOR OF THE SECURITY NOVEL, “BREACHED!”
AGENDA FOR TODAY
• Quick intro to Dave
• Security Challenges Moving to the Cloud
• Visibility Today
• Maintaining Visibility In The Cloud
• Cloud Security Alliance Cloud Controls Matrix
• Call to Action (yes, this means you!)
ABOUT DAVE
• Serial Entrepreneur, bought and sold 10+ companies over past 20 years
• Currently owns 3 IT-related Companies: MIDAC, Qi, Uzado
• Sold InfoSec company in 2014 to Robert Herjavec from Shark Tank
• Involved in Networking & InfoSec/Cybersecurity for about 25 years
• Loves tech!
• Loves dirt biking, owns a dirt bike and ATV training school!
SOME OF THE BIGGEST CHALLENGES
• A lot of people simply don’t understand what the cloud is (or isn’t!)
• More companies moving more services to the cloud every day
• Migration isn’t always done in a coordinated, well thought-out fashion
• Cloud is supposed to streamline things, but getting there isn’t always painless
WHAT ARE THE SECURITY CONSIDERATIONS?
• Managing user access and permissions
• Protecting our data at rest
• Ensuring secure access to data (the right people at the right time)
• Knowing who is accessing what when
• Understanding where our data will reside (data residency issues)
WHAT’S THE CORE FOR MANY OF THESE ITEMS?
VISIBILITY!!!
“You can’t manage what you can’t measure.”
- Peter Drucker, known as the Founder of Modern Management
VISIBILITY TODAY
• Logs from our servers, network devices, security devices
• Logs from our authentication devices / VPN devices
• Real-time network monitoring from security tools on the wire
• Logs from our applications
• Vulnerability scan results from our assets
WHAT DO WE LOSE?
• Lack of visibility into what’s happening (can’t always get logs)
• Lack of control over users (corporate accounts and permissions don’t usually carry over)
• Lack of understanding of what data is being stored where
• Data Residency
HERE’S ONE SOLUTION – BLOCK ACCESS
HOSTING PROVIDER VISIBILITY
• AWS and other providers give you access to a wealth of security and operational information (AWS CloudTrail for example)
• Incorporate the information into your existing data sources
• Redesign your incident response process to use these data sources as part of an investigation
• Figure out what information you have access to now, and map that to “new” source(s) of information provided by the cloud provider
• Make them part of your incident response process!!!
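As an added illustration of folding a provider log source into an investigation (this is example code, not from the presentation or from AWS), the script below parses records in the shape of a CloudTrail log file and pulls out three things an incident responder would want mapped to existing on-premises sources: repeated failed console logins from one address, successful logins without MFA, and write operations against IAM. The records, user names, IP addresses and the threshold of three failures are all constructed for the example.

```python
"""Triage constructed CloudTrail-style records for an incident response workflow."""
import json
from collections import Counter


def _login(ts, user, ip, outcome, mfa=None):
    """Build one constructed ConsoleLogin record in CloudTrail's field layout."""
    rec = {"eventTime": ts, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
           "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip,
           "responseElements": {"ConsoleLogin": outcome}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    if mfa is not None:
        rec["additionalEventData"] = {"MFAUsed": mfa}
    return rec


# Constructed sample log: a CloudTrail file is a JSON object with a "Records" list.
# Names, timestamps and addresses (documentation ranges) are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    _login("2024-01-01T10:00:01Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-01-01T10:00:09Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-01-01T10:00:17Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-01-01T10:02:00Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-01-01T10:03:30Z", "alice", "203.0.113.5", "Success", mfa="No"),
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-01-01T10:04:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5"},
]})

# IAM API calls with these prefixes are read-only and are not treated as changes.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Generate")


def load_records(raw):
    """Parse a CloudTrail-style log file and return its record list."""
    return json.loads(raw).get("Records", [])


def _console_login_outcome(rec):
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return rec.get("responseElements", {}).get("ConsoleLogin")


def failed_console_logins_by_ip(records):
    """Count failed console logins per source address (the failures are the signal)."""
    counts = Counter()
    for rec in records:
        if _console_login_outcome(rec) == "Failure":
            counts[rec.get("sourceIPAddress", "unknown")] += 1
    return counts


def logins_without_mfa(records):
    """Successful console logins where CloudTrail did not record MFA use."""
    return [(rec["userIdentity"].get("userName"), rec.get("sourceIPAddress"))
            for rec in records
            if _console_login_outcome(rec) == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def iam_write_events(records):
    """IAM calls that change state, in time order, with the calling principal."""
    return [(rec["eventTime"], rec["eventName"], rec["userIdentity"].get("userName"))
            for rec in records
            if rec.get("eventSource") == "iam.amazonaws.com"
            and not rec["eventName"].startswith(READ_ONLY_PREFIXES)]


def triage(raw, failure_threshold=3):
    """Summarise one log file into the items an investigation would pivot on."""
    records = load_records(raw)
    failures = failed_console_logins_by_ip(records)
    return {
        "repeated_failures_from": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
        "logins_without_mfa": logins_without_mfa(records),
        "iam_write_events": iam_write_events(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The point of the triage function is that it returns the same kind of facts (source address, principal, time, what changed) that an on-premises investigation already works with from firewall and directory logs, so the cloud source slots into the existing process rather than needing a separate one.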
SECURITY TOOLS VISIBILITY
• Virtual appliances (firewalls, IPS, WAF, etc.) - located elsewhere but use the information they provide as you would if it was local
• If security is outsourced to hosting provider or to another 3rd party, ensure they have comparable visibility into your new environment as they had before
• Providers like CloudCheckr have automated and streamlined the visibility into AWS, leverage the heck out of them!
USER VISIBILITY
• Leverage federated identity management solutions where possible. Fewer accounts per user, easier to migrate to the cloud (assuming the provider supports federation)
• Make sure that you maintain visibility into encrypted sessions (who’s logging in from where and when, what did they do?)
• Determine current levels of user behaviour visibility and try to maintain that level of detail when you move the user workloads to the cloud
SERVER AND APPLICATION VISIBILITY
• Hosted servers still generate logs, collect them if at all possible
• Determine what you’re logging on local servers and configure hosted servers the same
• Make sure your web apps have proper logging!
• Applications need to have proper auditing built in; even if you don’t see the user activity you can recreate sessions with proper app logging
• Logging invalid activity is just as important (don’t just log what was successful, log what failed!)
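To show what “proper auditing built in” looks like in practice, here is an added example (not code from the presentation) of an application audit log that records every action with its outcome, so failed and denied actions are written alongside successful ones, and a reader that rebuilds a single session from those lines. The session, user and actions are a constructed sequence; the field names are this example’s own choice.

```python
"""Application audit logging that records failures as well as successes, with
session reconstruction from the resulting JSON lines."""
import io
import json
import logging
from datetime import datetime, timezone


class JsonLineFormatter(logging.Formatter):
    """Emit one JSON object per audit event; field names are this example's own."""

    def format(self, record):
        event = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "session": getattr(record, "session", None),
            "user": getattr(record, "user", None),
            "action": getattr(record, "action", None),
            "outcome": getattr(record, "outcome", None),
            "detail": record.getMessage(),
        }
        return json.dumps(event)


def make_audit_logger(stream):
    """Attach a JSON-lines handler to a dedicated 'audit' logger writing to stream."""
    logger = logging.getLogger("audit")
    logger.handlers.clear()          # keep the example re-runnable in one process
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    return logger


def audit(logger, session, user, action, outcome, detail=""):
    """Record one action. Failures are logged at WARNING so they stand out,
    but every outcome is written: a denied action is evidence too."""
    level = logging.INFO if outcome == "success" else logging.WARNING
    logger.log(level, detail,
               extra={"session": session, "user": user, "action": action, "outcome": outcome})


def parse_audit_lines(text):
    """Turn the JSON-lines output back into event dictionaries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reconstruct_session(events, session):
    """Ordered (action, outcome) pairs for one session id."""
    return [(e["action"], e["outcome"]) for e in events if e["session"] == session]


def failed_actions(events):
    """Every non-successful action with who attempted it and why it failed."""
    return [(e["user"], e["action"], e["detail"]) for e in events if e["outcome"] != "success"]


def simulate_session(session="sess-001"):
    """Constructed walkthrough: a mistyped password, a successful MFA login,
    an authorization failure on export, then a permitted view."""
    stream = io.StringIO()
    log = make_audit_logger(stream)
    audit(log, session, "alice", "login", "failure", "bad password")
    audit(log, session, "alice", "login", "success", "password+mfa")
    audit(log, session, "alice", "export_report", "denied", "missing role report.export")
    audit(log, session, "alice", "view_report", "success", "report id 42")
    return stream.getvalue()


if __name__ == "__main__":
    events = parse_audit_lines(simulate_session())
    print(reconstruct_session(events, "sess-001"))
    print(failed_actions(events))
```

Because the log carries a session id on every line, the session can be replayed in order even without network-level visibility into the (encrypted) traffic, and the failed login and denied export are recorded exactly as the successful actions are.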
CLOUD SECURITY ALLIANCE
• Cloud Controls Matrix
• Control framework based on 13 security and operational domains
• Foundation is mapped to industry recognized standards and frameworks such as COBIT, ISO 27001/27002, PCI, NIST, NERC CIP, PIPEDA, HIPAA
• Tailors Information Security practices to the cloud
• Helps companies evaluate cloud vendor security
• Helps companies make decisions on their own cloud security requirements
USING THE CSA MATRIX
• Use the matrix to do a self-assessment against your organization, identifying areas of criticality
• Use the matrix to perform an evaluation against a potential cloud vendor
• Compare results from cloud vendors against your areas of concern/focus
• Use gap analysis results to make educated, informed decisions
• May address findings by augmenting YOUR security, may choose a different provider, may work with provider to identify potential shortcomings
DEFENSE IN DEPTH
• Don’t rely on a single security solution to protect your cloud deployment
• Many virtual firewalls/security devices have A/V and anti-malware scanners built into them, use them! Along with host-based protection you then have multiple controls in place complementing each other, so that even if one of them fails another one can compensate
• Each layer of defense should support the others and provide an additional level of protection (“Defense in Depth”)
WHAT DO YOU NEED TO DO NEXT?
• Go back to your office and ask questions
• What type of visibility do we have into our systems, our user activity, our security devices, and our applications today? (same question whether locally hosted or already in the cloud)
• Have we used the CSA Cloud Controls Matrix to evaluate our vendors/partners?
• How do we ensure we keep the same level of visibility we have today in the cloud?
• How well do we understand our data, where it resides and what we are doing to protect it?
• There are a lot more questions that could be asked, but hopefully this helps get you started!
FINAL THOUGHT
Secure it before you regret it!