
Executives guide to cloud security TierPoint



TierPoint provides an update on the latest cloud adoption trends and security threats, helps you define what cloud infrastructures exist today and a framework for guiding your cloud security strategy.

Published in: Technology

  2. 2. WHAT YOU WILL FIND IN THIS SlideShare: • An update on the latest cloud adoption trends and security threats • A few important terms to know • A framework for guiding your cloud security strategy WHAT YOU WON’T FIND IN THIS SlideShare: When it comes to cloud security, beware of guides that claim to be “all you’ll ever need.” Cloud security is a deep topic and an ever-moving target as technologies advance and cyber threats evolve. This guide will help you start a discussion around cloud security with your IT team, not take the place of one.
  3. 3. A FEW CLOUD TERMS YOU NEED TO KNOW On-premises private clouds — A cloud infrastructure a company hosts at their privately-owned data center. Resources, such as data, storage and applications, are dedicated to a single company and are owned by that company. Synonyms: internal cloud, corporate cloud. Hosted private clouds — Similar to a private cloud except the resources are owned by a cloud services provider who manages the dedicated infrastructure at their facility. In many commercial scenarios, these are actually “multi-tenant private clouds” in that some of the infrastructure, e.g., compute resources, is shared by the customers served by the cloud provider. Public clouds — A hyperscaler cloud environment with shared resources, all available over the internet. Hybrid clouds — Not actually a type of cloud in itself, a hybrid cloud refers to a corporate infrastructure that leverages several different types of clouds.
  4. 4. QUESTION: Why do we need to talk about cloud computing? Won’t we be more secure if we keep everything on-premises?
  5. 5. THE TREMENDOUS ADVANTAGES OF THE CLOUD Moving CapEx to OpEx will remain a top priority for many midmarket companies in 2017. From TierPoint’s View
  6. 6. CLOUD ADOPTION DISTRIBUTION: Experiment 21%, Non-Critical Use 38%, Full Production 33%, Transformed IT 8%. COMPETITIVE LANDSCAPE: 79% of companies surveyed are beyond the experimental stage of utilizing the cloud. If you’re on-premises-only, you may be losing ground to your competitors.
  7. 7. GOOD ADVICE: Most cloud decisions are not (and should not be) about completely shutting down data centers and moving everything to the cloud… Look at cloud decisions on a workload-by-workload basis, rather than taking an “all or nothing” approach.
  8. 8. WHICH APPLICATIONS ARE COMPANIES MOVING TO THE CLOUD? [Bar chart, scale 0 to 70, comparing Cloud and On-premises for: Email, Business productivity, CRM, Analytics/BI, Financial Mgmt., HR Mgmt., Help Desk, ERP, Call Center]
  9. 9. THERE ARE SEVERAL FACTORS TO CONSIDER • Sensitivity of data • Performance requirements • Integration with other applications • Application “fitness” for the cloud • Internal skill set • Current infrastructure investments • Industry regulations • Compliance requirements • Reliability of local Internet connectivity TIP: The answers to these questions can also help you determine which type of cloud is right for each workload.
  10. 10. SECURITY IS OFTEN CITED AS A KEY CONCERN 53% of executives surveyed in 2016 cited general security concerns as a barrier to cloud adoption. That’s up 8% from 2015.
  11. 11. MYTH: Cloud computing is less secure than using on-premises resources. FACT: Most data breaches involve on-premises data centers or privately managed clouds (offsite data centers owned and managed by the organization breached).
  12. 12. WHY IS THE CLOUD OFTEN MORE SECURE? STAFFING Cyber security talent is expensive, and few midmarket companies can afford to cover all areas with internal, full-time talent. Because our utilization rate is higher, we can afford to hire the best. FOCUS Internal IT staff is often required to wear multiple hats. Our security personnel are focused on cyber-security and keeping our clients’ systems and data safe 24x7. EXPERIENCE Companies often get blindsided by attacks they “never saw coming.” Because our staff lives and breathes cyber security, we are some of the first to know about the latest threats and techniques. TOOLS We always have the latest tools at our disposal, whether we develop them in house or have access to them because of our partnership with leading cloud providers such as Microsoft and Amazon.
  13. 13. TALENT SHORTAGE + HIGH SALARIES = TROUBLE FOR U.S. COMPANIES • 82% of tech executives said they lacked the necessary skills internally to keep their systems and data secure. • There are currently 209,000 US cybersecurity jobs without candidates and demand for cybersecurity professionals is expected to grow 53% through 2018. • 62% of tech executives said that the current IT talent shortage would prevent them from keeping pace with technology changes. AVERAGE CYBER-SECURITY SALARIES (not adjusted for cost of living) • Minneapolis $131,302 • San Francisco $149,744 • Denver $123,222 • Boston $99,274
  14. 14. QUESTION: We were just audited for PCI, HIPAA, etc… Do I still need to worry about cyber security?
  15. 15. MYTH: Because cloud security and compliance are the same thing, if I focus on one, I’ll have them both covered. FACT: The most notable breaches happened at companies that had been audited and deemed compliant.
  16. 16. QUESTION: I’ve got malware and virus protection on our systems. What else do I need to worry about?
  17. 17. WHAT IS A HACKER? PERCEPTION: • Sole individual with no motive • Teenager living in parents’ basement • A “hacker” just causing trouble REALITY: • “Hacktivist” groups who want to punish a corporation or country, usually for political reasons • Hostile governments and terrorist groups • Criminal organizations perpetrated 72.4% of all cyber-attacks in August 2016 TIP: Security professionals sometimes prefer “threat actor” to the term “hacker” since it is more all-encompassing.
  18. 18. BAD BOT! • Bots generate about 50% of website traffic • 30% of this traffic is malicious, e.g.: • DDoS • Site Scraping • Comment Spam • SEO Spam • Business logic attacks SAD FACT: If you want to bring down a website but don’t have the skills, you can rent a botnet for about $6 a month.
  19. 19. A FEW BOT-RELATED TERMS YOU (UNFORTUNATELY) NEED TO KNOW: • SITE SCRAPING – Bots figure out how your database is organized and use that info to steal price lists, customer lists, and other proprietary information. • DENIAL OF SERVICE ATTACK (DOS) – Bots disable your network by flooding it with useless traffic. • BOTNET – A network of internet-connected devices that are infected and controlled together. • DISTRIBUTED DENIAL OF SERVICE ATTACK – Bots take over multiple systems (see Botnet) and use them to gang up on their core target.
  20. 20. A FEW MORE TERMS: • PHISHING – Posing as a legitimate company to gain access to a user’s credentials or systems. • SPEAR-PHISHING – An email that appears to be from an individual or company you know but contains malware or other attempts to gather personal information. • SOCIAL ENGINEERING – Psychologically manipulating people into providing personal information, e.g., “I’m from the IRS…” • RANSOMWARE – Software designed to block access or encrypt files until a ransom is paid.
  21. 21. MULTI-VECTOR ATTACKS: Is it a DDoS or something else? • Hackers are using smokescreens to divert attention from their real target. DoS and DDoS are particularly useful. • In 2011, hackers used denial of service attacks to distract Sony’s IT team while they stole account information from millions of customers. • The FFIEC (Federal Financial Institutions Examination Council) has issued statements warning banks about the use of DDoS as a diversionary tactic.
  22. 22. RANSOMWARE 300% increase in attacks this year. 4,000 attacks a day in 2016. Something must be working (for the criminals). HOW IT WORKS: 1. Your systems are infected, often through a malicious email, but even legit websites can contain malware. 2. The malware encrypts your files or blocks access to your systems. 3. Attackers demand payment (usually in bitcoin) to receive a decryption key. 4. If ransom is paid, decryption key sometimes works.
  23. 23. QUESTION: Can you bring it all together for me? I need a framework so I can ensure we have all our bases covered.
  24. 24. A FIVE-STEP SECURITY FRAMEWORK #1 IDENTIFY Determine which workloads are most vulnerable #2 PROTECT Protect these assets from attack #3 DETECT Detect incoming attacks and threats #4 RESPOND When an attack occurs (and it will), defend these assets #5 RECOVER Restore damaged capabilities and services
  25. 25. STEP #1: IDENTIFY VULNERABLE WORKLOADS • Mission critical to the business • Highest value to cyber thieves, e.g., financial data • Covered by regulations, e.g., PCI and HIPAA
  26. 26. TIP: Think about the value of your data in hacker’s terms • Credit card data is only $5 – $30 in the U.S. • Login credentials for a bank account worth $2,000 will bring in roughly $190. • Login credentials to online payment services like PayPal can bring in $20 – $300 depending on the balance. • Credentials to an online auction account can go for as much as $1,200. HOWEVER… • Data for a single patient can net from $500 – $1,800 depending on the age of the person and their insurance coverage.
  27. 27. STEP #2: PROTECT Just a few of the tools in the toolbox… • Firewalls • Web Application Firewall • Encryption at rest • Data Loss Prevention (DLP) • Intrusion Prevention • Threat Management • Web Content Filtering • Penetration Testing • Vulnerability Scanning • Multi-Factor Authentication • Virtual Private Networking • Spam Filtering/Email Protection • System Hardening
  28. 28. EVER WONDER…? Why you get so many updates from your application and OS vendors? “Many [operating systems and applications] have autoupdate mechanisms, but administrators and users often disable or ignore autoupdate routines to avoid service interruptions or other unintended consequences.” ~ Why patching is still a problem – and how to fix it, InfoWorld, January 2016. • 5,000 – 6,000 security vulnerabilities uncovered each year. ~ 15 a day. • These are not “bugs,” but “weaknesses” discovered by hackers (or the vendors). • Some of these represent significant holes in your security defenses. Application and OS Management services ensure these patches get installed with minimal disruption to your operations.
  29. 29. THE IoT AND SECURITY Don’t turn your back on your devices! Gartner predicts: • 20.8 billion objects connected to the Internet by 2020. • By 2020, autonomous software agents will participate in 5% of all economic transactions. • By 2018, more than 3 million workers globally will be supervised by a “robo-boss.” ~ SmarterWith Gartner, October 6, 2015 These are the “things” botnets are designed to take over and that they use to execute DDoS attacks.
  30. 30. STEP #3: DETECT DETECTION TOOLS: • Intrusion Detection • Antivirus Protection (Server, Network, and Endpoint) • File Integrity Monitoring • Log Management 85 percent of firms with fewer than 1,000 employees indicate their systems have been successfully penetrated, compared to about 60 percent of larger companies. —, June 2015 Preventing a security event is only the first step. Companies must assume they have been breached and work to discover and respond to those intrusions. — Paul Mazzucco
  31. 31. DETECTION: A MAJOR ISSUE [Timeline figure: INTRUSION, DETECTION, FULL REMEDIATION; 146 DAYS] Most damage occurs between intrusion and detection when malicious attackers have free rein over systems and access to data. DETECTION TOOLS: • Intrusion Detection • Antivirus Protection (Server, Network, and Endpoint) • File Integrity Monitoring • Log Management
  32. 32. STEP #4: RESPOND First things first: Plug the hole and adhere to any compliance reporting requirements.
  33. 33. RESPONDING TO RANSOMWARE TIPS FROM THE FBI • Back up data regularly and test backups. • Secure all backups, including cloud backups, so they are inaccessible to a spreading ransomware virus. • Conduct annual vulnerability and penetration testing.
  34. 34. STEP #5: RECOVER [Timeline figure: INTRUSION, DETECTION, FULL REMEDIATION; RECOVERY PHASE] GOALS: • Minimize financial impact to the business • Repair lost consumer and market confidence • Conduct post mortem to strengthen security TIP: Disaster Recovery and Business Continuity Planning is about more than data backups and recovery. Include elements such as crisis communication procedures.
  35. 35. CLOUD SECURITY SHARED RESPONSIBILITY MODEL • The more you have in the cloud the more you rely on/benefit from your provider’s security capabilities. • Security as a Service offers additional services such as DDoS mitigation, log monitoring, and vulnerability and penetration testing. [Table: split of RESPONSIBILITY between Cloud Customer and Cloud Provider across ON-PREMISE, IaaS, PaaS and SaaS for: Data classification & accountability; Client & end-point protection; Identity & access management; Application level controls; Network controls; Host infrastructure; Physical Security]
  36. 36. WANT TO LEARN MORE? DOWNLOAD THESE RESOURCES • ARTICLE: Multi-layered attacks require more sophisticated IT security (TierPoint) • ARTICLE: Incidents of ransomware on the rise (FBI) • GUIDE: Ransomware prevention and response for CISOs (FBI) • ARTICLE: Ransomware prevention and response for CISOs (FBI) • On-Demand Webinar: Multi-layered online attacks: IT security strategies to protect your company (TierPoint and Imperva)
  38. 38. CONTACT US TODAY 844.267.3687