staying secure when moving to the cloud - dave millier

DON’T LOSE SIGHT! STAYING SECURE WHEN MOVING TO THE CLOUD DAVE MILLIER, CEO UZADO, CSO QUICK INTELLIGENCE, CEO MIDAC SOLUTIONS AUTHOR OF THE SECURITY NOVEL, “BREACHED!”

Upload: trinimbus

Post on 15-Feb-2017


TRANSCRIPT

Page 1: Staying Secure When Moving to the Cloud - Dave Millier

DON’T LOSE SIGHT!

STAYING SECURE WHEN MOVING TO THE CLOUD

DAVE MILLIER, CEO UZADO, CSO QUICK INTELLIGENCE, CEO MIDAC SOLUTIONS

AUTHOR OF THE SECURITY NOVEL, “BREACHED!”

Page 2: Staying Secure When Moving to the Cloud - Dave Millier

AGENDA FOR TODAY

• Quick intro to Dave

• Security Challenges Moving to the Cloud

• Visibility Today

• Maintaining Visibility In The Cloud

• Cloud Security Alliance Cloud Controls Matrix

• Call to Action (yes, this means you!)

Page 5: Staying Secure When Moving to the Cloud - Dave Millier

ABOUT DAVE

• Serial Entrepreneur, bought and sold 10+ companies over past 20 years

• Currently owns 3 IT-related Companies: MIDAC, Qi, Uzado

• Sold InfoSec company in 2014 to Robert Herjavec from Shark Tank

• Involved in Networking & InfoSec/Cybersecurity for about 25 years

• Loves tech!

• Loves dirt biking, owns a dirt bike and ATV training school!

Page 7: Staying Secure When Moving to the Cloud - Dave Millier

SOME OF THE BIGGEST CHALLENGES

• A lot of people simply don’t understand what the cloud is (or isn’t!)

• More companies moving more services to the cloud every day

• Migration isn’t always done in a coordinated, well thought-out fashion

• Cloud is supposed to streamline things, but getting there isn’t always painless

Page 8: Staying Secure When Moving to the Cloud - Dave Millier

WHAT ARE THE SECURITY CONSIDERATIONS?

• Managing user access and permissions

• Protecting our data at rest

• Ensuring secure access to data (the right people at the right time)

• Knowing who is accessing what when

• Understanding where our data will reside (data residency issues)

Page 9: Staying Secure When Moving to the Cloud - Dave Millier

WHAT’S THE CORE FOR MANY OF THESE ITEMS?

VISIBILITY!!!

Page 10: Staying Secure When Moving to the Cloud - Dave Millier

“You can’t manage what you can’t measure.”

- Peter Drucker, known as the Founder of Modern Management

Page 11: Staying Secure When Moving to the Cloud - Dave Millier

VISIBILITY TODAY

• Logs from our servers, network devices, security devices

• Logs from our authentication devices / VPN devices

• Real-time network monitoring from security tools on the wire

• Logs from our applications

• Vulnerability scan results from our assets

Page 12: Staying Secure When Moving to the Cloud - Dave Millier

WHAT DO WE LOSE?

• Lack of visibility into what’s happening (can’t always get logs)

• Lack of control over users (corporate accounts and permissions don’t usually carry over)

• Lack of understanding of what data is being stored where

• Data Residency

Page 13: Staying Secure When Moving to the Cloud - Dave Millier

HERE’S ONE SOLUTION – BLOCK ACCESS

Page 14: Staying Secure When Moving to the Cloud - Dave Millier

HOSTING PROVIDER VISIBILITY

• AWS and other providers give you access to a wealth of security and operational information (AWS CloudTrail for example)

• Incorporate the information into your existing data sources

• Redesign your incident response process to use these data sources as part of an investigation

• Figure out what information you have access to now, and map that to “new” source(s) of information provided by the cloud provider

• Make them part of your incident response process!!!
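
Added example (not part of the original slides): one way to fold AWS CloudTrail records into an existing who/what/when/where log schema so that failed calls and console logins without MFA reach the incident response queue. The sample records, user names, IP addresses and the helper names `_rec`, `normalize`, `load_events` and `review_queue` are constructed for illustration; the record fields follow the CloudTrail record format.

```python
import json

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
# User names and IP addresses are made up for illustration.
def _rec(time, source, name, **extra):
    base = {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "userName": "alice"}}
    return {**base, **extra}

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("2017-02-15T14:02:11Z", "signin.amazonaws.com", "ConsoleLogin",
         responseElements={"ConsoleLogin": "Failure"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("2017-02-15T14:03:40Z", "signin.amazonaws.com", "ConsoleLogin",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("2017-02-15T14:05:02Z", "s3.amazonaws.com", "GetBucketAcl",
         errorCode="AccessDenied", errorMessage="Access Denied"),
    _rec("2017-02-15T14:06:30Z", "ec2.amazonaws.com", "DescribeInstances",
         responseElements=None),
]})

def normalize(record):
    """Map one CloudTrail record onto a who/what/when/where/outcome row."""
    ident = record.get("userIdentity") or {}
    login = (record.get("responseElements") or {}).get("ConsoleLogin")
    failed = "errorCode" in record or login == "Failure"
    return {
        "when": record["eventTime"],
        "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "where": record.get("sourceIPAddress", "unknown"),
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "outcome": "failure" if failed else "success",
        "reason": record.get("errorCode") or login,
        "mfa": (record.get("additionalEventData") or {}).get("MFAUsed"),
    }

def load_events(log_text):
    return [normalize(r) for r in json.loads(log_text)["Records"]]

def review_queue(events):
    """Failures, plus successful console logins made without MFA."""
    return [e for e in events if e["outcome"] == "failure"
            or (e["what"] == "signin:ConsoleLogin" and e["mfa"] == "No")]

if __name__ == "__main__":
    for row in review_queue(load_events(SAMPLE_CLOUDTRAIL)):
        print(row)
```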

Page 15: Staying Secure When Moving to the Cloud - Dave Millier

SECURITY TOOLS VISIBILITY

• Virtual appliances (firewalls, IPS, WAF, etc.) - located elsewhere but use the information they provide as you would if it was local

• If security is outsourced to hosting provider or to another 3rd party, ensure they have comparable visibility into your new environment as they had before

• Providers like CloudCheckr have automated and streamlined the visibility into AWS, leverage the heck out of them!

Page 16: Staying Secure When Moving to the Cloud - Dave Millier

USER VISIBILITY

• Leverage federated identity management solutions where possible. Fewer accounts for users, easier to migrate to cloud (assuming provider supports)

• Make sure that you maintain visibility into encrypted sessions (who’s logging in from where when, what did they do?)

• Determine current levels of user behaviour visibility and try to maintain that level of detail when you move the user workloads to the cloud

Page 17: Staying Secure When Moving to the Cloud - Dave Millier

SERVER AND APPLICATION VISIBILITY

• Hosted servers still generate logs, collect them if at all possible

• Determine what you’re logging on local servers and configure hosted servers the same

• Make sure your web apps have proper logging!

• Applications need to have proper auditing built in; even if you don’t see the user activity you can recreate sessions with proper app logging

• Logging invalid activity is just as important (don’t just log what was successful, log what failed!)
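
Added example (not part of the original slides): a minimal application audit trail that records failed actions with the same fields as successful ones, then rebuilds each user session from the log alone. The class and function names, field names and sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

class AuditLog:
    """Append-only JSON-lines audit trail (kept in memory for the example)."""
    def __init__(self):
        self.lines = []

    def record(self, when, session, user, action, target, ok, reason=None):
        entry = {"ts": when.astimezone(timezone.utc).isoformat(),
                 "session": session, "user": user, "action": action,
                 "target": target, "outcome": "success" if ok else "failure"}
        if not ok:
            entry["reason"] = reason or "unspecified"  # failures carry a reason
        # json.dumps escapes CR/LF, so user input cannot forge extra log lines.
        self.lines.append(json.dumps(entry, sort_keys=True))

def rebuild_sessions(lines):
    """Group audit lines by session id and order each session by time."""
    sessions = defaultdict(list)
    for line in lines:
        entry = json.loads(line)
        sessions[entry["session"]].append(entry)
    for events in sessions.values():
        events.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    return dict(sessions)

def denied_actions(events):
    """The failed steps of one session: what was attempted and why it failed."""
    return [(e["action"], e["target"], e["reason"])
            for e in events if e["outcome"] == "failure"]

def sample_log():
    """Constructed events for two sessions, written out of order."""
    t = lambda s: datetime(2017, 2, 15, 14, 0, s, tzinfo=timezone.utc)
    log = AuditLog()
    log.record(t(30), "s1", "alice", "export", "/reports/q4", False, "forbidden")
    log.record(t(5), "s2", "bob\nforged", "login", "/login", False, "bad password")
    log.record(t(10), "s1", "alice", "login", "/login", True)
    log.record(t(20), "s1", "alice", "view", "/reports/q4", True)
    return log

if __name__ == "__main__":
    for sid, events in rebuild_sessions(sample_log().lines).items():
        print(sid, [(e["action"], e["outcome"]) for e in events], denied_actions(events))
```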

Page 18: Staying Secure When Moving to the Cloud - Dave Millier

CLOUD SECURITY ALLIANCE

• Cloud Controls Matrix

• Control framework based on 13 security and operational domains

• Foundation is mapped to industry recognized standards and frameworks such as COBIT, ISO 27001/27002, PCI, NIST, NERC CIP, PIPEDA, HIPAA

• Tailors Information Security practices to the cloud

• Helps companies evaluate cloud vendor security

• Helps companies make decisions on their own cloud security requirements

Page 19: Staying Secure When Moving to the Cloud - Dave Millier

USING THE CSA MATRIX

• Use the matrix to do a self-assessment against your organization, identifying areas of criticality

• Use the matrix to perform an evaluation against a potential cloud vendor

• Compare results from cloud vendors against your areas of concern/focus

• Use gap analysis results to make educated informed decisions.

• May address findings by augmenting YOUR security, may choose a different provider, may work with provider to identify potential shortcomings

Page 20: Staying Secure When Moving to the Cloud - Dave Millier

DEFENSE IN DEPTH

• Don’t rely on a single security solution to protect your cloud deployment

• Many virtual firewalls/security devices have A/V and anti-malware scanners built into them, use them! Along with host-based protection you now have multiple controls in place complementing each other, so that even if one of them fails another one can compensate

• Each layer of defense should support the others and provide an additional level of protection (“Defense in Depth”)

Page 21: Staying Secure When Moving to the Cloud - Dave Millier

WHAT DO YOU NEED TO DO NEXT?

• Go back to your office and ask questions

• What type of visibility do we have into our systems, our user activity, our security devices, and our applications today? (same question whether locally hosted or already in the cloud)

• Have we used the CSA Cloud Controls Matrix to evaluate our vendors/partners?

• How do we ensure we keep the same level of visibility we have today in the cloud?

• How well do we understand our data, where it resides and what we are doing to protect it?

• There are a lot more questions that could be asked, but hopefully this helps get you started!

Page 22: Staying Secure When Moving to the Cloud - Dave Millier

FINAL THOUGHT

Secure it before you regret it!

Page 23: Staying Secure When Moving to the Cloud - Dave Millier

Questions?

Dave Millier

www.davemillier.com
