Assessing a Cloud Based Approach to
Cyber Security
Aladdin Dandis
Souq.com
Typical Vs Cloud
● Typical
○ HW + SW
○ Data in storage, shared-folders, DBs and Servers
○ Security measures: Appliances, VMs, Servers, Agents
Typical Vs Cloud (cont.)
● Cloud
○ VMs/Instances + SW
○ Data in Volumes, Servers, Buckets, DBs, shared-folders, …
○ Security measures: Instances, APIs, 3rd party services, Cloud Provider services
Reality ...
5 Major Questions
1. Where is my Data?
2. How are they accessed?
3. How do I protect my computing power?
4. How do I protect my service and performance?
5. Do I have visibility on my traffic (inbound/outbound)?
Security Solutions
● Open Source
● Commercial:
○ Traditional
○ Cloud Based
■ CP native
■ CSP
We can fulfill all your requirements …!
Cloud Security Services (CSP)
● Scanners (SAST, DAST…)
● Identity Management/ Access/ SSO
● Security Analytics
● WAF
● Firewalls (network and database)
● DDoS Protection
● Malware Protection
● Email Protection
● CASB
● Encryption
● … and many more!
3 Operating Models
1. Proxy Mode
○ Screen/Proxy your traffic through my cloud
2. Install Mode
○ Install/Import my VM/Instance/Agent in your environment and let me manage it
3. API Mode
○ Let me access your cloud/application APIs
Proxy Mode
Pros and Cons
● Pros
○ Hide your resources from the public
○ Apply controls before the fact
○ Immediate updates
● Cons
○ Performance issues
○ Availability issues
○ MitM…
Install Mode
Pros and Cons
● Pros
○ Limit access to certain resources
○ You have more control over the traffic...
● Cons
○ More complexity on permissions and supported systems
○ Open non-standard ports
○ Don’t forget! .. They are in your network!
APIs Mode
Pros and Cons
● Pros
○ Work independently from your production resources
○ More demand on CSP APIs
● Cons
○ More complexity on permissions and supported systems
Facts
● Security is Not the ultimate goal in your business
○ You don’t have an unlimited budget, or one that gives you what you need when you need it
○ Prioritize your security investments
● Not all CSPs can satisfy your requirements
○ You may need more than one security CSP to fulfill your requirements
● SLA and QoS are not the same
○ Be specific and do a thorough POC.
○ Ask those who have used the service.
Selection Guide
● How do you collect, process and store my data and findings?
○ Logs, reports, controls...
● Do you act as MITM? ….
○ Managing encryption, Performance impact and latency…
● Can I control your service?
○ Managed, or I can set my own policies and change my rules...
● How do you connect to me?
○ VPN, SFTP, APIs, …
● Is it end2end automated?
○ No human interaction, needs human verification, 3rd party involved...
Selection Guide (cont.)
● How do you license me?
○ Daily traffic, tenant based, per server, per user, yearly, etc.
○ Traffic and hosting
● What are the success criteria for your solution?
○ Cost effective, Immediate remediation, Performance friendly….
● What do independent security and technology research firms say?
○ Check Gartner, Forrester and other global research firms for pros and cons
Thank You
Souq.com
Architecture Approach
● Define Problem
● Define Stakeholders
● List all your Requirements
● Decompose your requirements to Business, Data, Apps and Tech
● Define your Architecture Building Blocks ABBs
● Define your Solution Building Blocks SBBs
● Search/Develop SBBs APPROPRIATE to your ABBs
● Build your Action Plan
● Implement and Govern
● Operate, manage and monitor
