Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing the Cloud by Matthew Rosenquist 2016


Published on

The Cloud is both compelling and alluring, offering benefits that entice many organizations into rapid adoption. But caution should be taken. Leveraging cloud technologies can offer tremendous opportunities, with the caveat of potentially introducing new security problems and business risks. Presented are strategic recommendations for cloud adoption to a community of application and infrastructure developers.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Securing the Cloud by Matthew Rosenquist 2016

  1. 1. Matthew Rosenquist Cybersecurity Strategist 2016
  3. 3. 4 Cloud architecture and services are powerful tools and can deliver great benefits for business owners.  Cost effectiveness – Utilization optimization – Extensibility for growth and change  Services closer to the customer  Resiliency and demand-flexibility  Capacity for data and transactions Benefits of Cloud
  4. 4. Risks of Cloud 5 The adoption and use of clouds have risks. Problems with security, privacy, and operational control can arise.  Confidentiality of information  Privacy of users and their data  Availability and control of the system  Unawareness of issues which arise  Complacency, assuming everything is fine
  5. 5. Cloud Security 6 Clouds are not secure by default. Protection is an important consideration. Planning, integration, maintenance, and oversight is required.  Security is a top concern for IT organizations moving to the cloud  Cloud providers are investing to greatly improve security and privacy  Balance the risks, usability, and costs  Consider the continually evolving threats
  6. 6. Attacks 8 Cloud environments get attacked. Threats target physical components, OS’s, VMM/VM’s, applications, interfaces, management tools, databases, networks, and users  Data breaches  System hijacking and denial-of-service  Data and transaction integrity  Attacks against end-customers  Privacy and confidentiality breaches
  7. 7. 9 1. Identity and Access Management (IAM) 2. Data Loss Prevention 3. Web Security 4. Email Security 5. Security assessments 5. Security Information and Event Management (SIEM) 6. Intrusion Management 7. Encryption 8. Network Security 9. Business Continuity and Disaster Recovery (BCDR) 10 Information Assurance Categories for Cloud* * Cloud Security Alliance (CSA)
  8. 8. Understand 11 It is important to understand the benefits and risks to adopting cloud solutions and architectures.  Policies and regulations  Integration and sustaining costs  Manageability impacts  Service flexibility needs  Ethical considerations
  9. 9. Plan 12 Choosing the architecture, defining the sensitivity of data, and documenting the security requirements and privacy expectations are key.  Build a Plan, with security in mind  Types of clouds (private, public, hybrid)  Data and transaction sensitivity  Mission criticality factors
  10. 10. Engage 13 Early engagement with security and privacy experts is needed. These resources can help you understand the policy, risks, and best practices  Privacy team – experts on regulations, compliance, and BKM’s  Risk assessments – identifying the vulnerabilities are focus areas  IT Security team – tech configuration and deployment policy experts  Integration group – deployment best- known-methods  Audit team – Validation measures
  11. 11. Boundaries 14 Establishing operational and business practices boundaries is critical to sustainable security and privacy.  Establish security and privacy policies  Review and adjust as necessary  Verify hosting security and privacy controls regularly  Define and compartmentalize roles of admins, hosting services, users, etc.  Document requirements, notifications, and response capabilities in SLA’s
  12. 12. Crisis Response 15 Bad things eventually happen. It is important and the duty of all service owners to have an appropriate plan. This includes preparing for security and privacy events.  Be prepared. Have response and recovery plans  Include Command, Control, and Communication functions in the plan  Audit and test procedures  Maintain backups and verify their integrity  Include DRBC as part of the planning stage
  13. 13. Accountability 16 Cloud environments are powerful tools but not immune to problems. They require responsible ownership and oversight.  Be accountable. Maintain ownership and transition as necessary  Operations due-care and diligence for security and privacy  Remain current on emerging threats  Alignment to corporate ethics  Protection across the lifecycle from creation to End-of-Life
  14. 14. Ask 17 Nobody knows it all. Leverage the community of experts.  Don’t hesitate in asking questions of experts and resources: – Cybersecurity – Privacy – Audit – Cloud Architecture – Regulatory compliance  Challenge the status-quo: – Threats and attacks constantly change – Cloud services expand, changing the risks
  15. 15. Conclusion 18 Cloud can be a tremendous opportunity or an equally miserable problem Engage security and privacy resources Take responsibility for ethical/policy adherence, and make good business choices Be aware, think ahead, and plan