Aligning Risk with Growth - Cloud Security for startups

Every young company discovers that putting security in place can be expensive, so it needs to manage its priorities. In this presentation we discuss the phases of the start-up life cycle and which security controls should be put in place at each phase.

Published in: Software


  1. Moshe Ferber, CCSK, Onlinecloudsec.com. Cloud Security For Startups: Aligning Risk with Growth
  2. About:
     • Moshe Ferber, 39, lives in Modiin (+2).
     • Information security professional for over 20 years.
     • Popular industry speaker and lecturer.
     • Founded Cloud7, Managed Security Services provider (currently owned by Matrix).
     • Shareholder at Clarisite – Your customer’s eye view
     • Shareholder at FortyCloud – Make your public cloud private
     • Member of the board at MacshavaTova – Narrowing societal gaps
     • Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter.
  3. The benefits of cloud computing are clear. What are the risks?
  4. Cloud attack vectors
     • Provider Administration
     • Wide Dashboard
     • Multi tenancy & Virtualization
     • Automation & API
     • Chain of supply
     • Side Channel attack
     • Insecure Instances
  5. Cyber attack trends for cloud computing
     • Cloud services ransom malware
     • Bitcoin
     • API Attacks
     • Supply chain Attacks
  6. So, how to build your security?
     • Infrastructure security
     • Application Security
     • Operational security
  7. Good Security is based on controls…
     • Preventive: Firewall (Security Groups); Authentication; AntiVirus; Guards
     • Detective: IDS; System monitoring; Motion detector
     • Corrective: Upgrades & Patches; Vulnerability scanning
     • Compensatory: DRP & Backup; Firewall logs; Reviews; Audit & reconciliation
     Based on http://www.sans.edu/research/security-laboratory/article/security-controls
  8. The security phases of startup
     • Phase 1 – Building blocks: From Seed to the first customers
     • Phase 2 – Maturing: Growing and adding customers.
     • Phase 3 – Build trust: Maturing your services.
  9. Phase 1 – Make sure you have the right building blocks
     • Plan your architecture: logical and physical segmentation.
     • Understand your data lifecycle.
     • Laws and regulations to consider.
     • Choose your partners: software, IT, backend.
     • Start your SSDLC building block – threat modeling. Architecture.
     • Implement IaaS best practices:
       • Identity & Access.
       • Compensating controls
  10. Build your dashboard with permissions
     • Users & resources
     • Roles
     • Groups
  11. Best practices for IAM
     • Don’t use master account
     • Delete root access key
     • Enable MFA for critical users
     • Apply good password policy
     • Rotate credentials periodically
     • Safeguard your host & access keys
     • Create individual users with specific roles
  12. Compensating controls
     • Activate billing alerts
     • API & Dashboards logs
     • Cold Backup
     • Active Secondary site
     • External & Multi Cloud Backups: Encrypt data in transit
  13. Phase 2
     • Production environment is now maturing. It's time for role separation in production.
     • Authentication mechanism should be mature by now.
     • Security in Software Development life cycle (SSDLC) should take more focus.
     • Vulnerability scan & penetration tests
     • Identity Federation Services
     • Encryption of data at rest
     • Security training for R&D
  14. Phase 3
     • Operational security begins to matter.
     • More detective controls should be placed.
     • Incident management procedures should mature.
     • Transparency will be an advantage.
     • DR, BC and active secondary location
     • Log management & Event correlation.
     • Patch & change management
     • Automation of configuration
     • Ongoing security awareness program
  15. Questions?
  16. To wrap things up…
     • Cloud security is maturing fast (it took us over 20 years to secure the PC…)
     • Security is expensive, but with the right building blocks you can integrate it with the growth of the business.
     • Make sure you do the basics from the first day; it will be hard to add them later.
     • Don’t be the next CodeSpaces
  17. Keep in Touch
     • Moshe Ferber
     • moshe@onlinecloudsec.com
     • www.onlinecloudsec.com
     • http://il.linkedin.com/in/MosheFerber
     • Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
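
Several of the IAM practices on slide 11 (no root access key, MFA for users who can sign in to the dashboard, periodic credential rotation) can be checked automatically. The following is an added example, not part of the original deck: it assumes an AWS account, a constructed excerpt using a subset of the IAM credential report's columns, and a 90-day rotation threshold chosen for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the columns of an AWS IAM credential report.
# User names and dates are made up for illustration.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2014-01-10T00:00:00+00:00,false,N/A
alice,true,true,true,2015-05-01T00:00:00+00:00,false,N/A
bob,true,false,true,2014-06-15T00:00:00+00:00,false,N/A
ci-deploy,false,false,true,2015-04-20T00:00:00+00:00,false,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the slides


def audit(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, issue) pairs for rows that break the slide-11 practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Only identities that can sign in to the dashboard need MFA;
        # the root account always can.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive slots carry N/A dates
            if is_root:
                findings.append((user, f"root-access-key-{n}"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if (now - rotated).days > max_key_age_days:
                findings.append((user, f"stale-key-{n}"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed dates give a reproducible result.
    for user, issue in audit(SAMPLE_REPORT, datetime(2015, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {issue}")
```

The service account `ci-deploy` is not flagged for missing MFA because it has no console password; only its key age is checked.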
