Aligning Risk with Growth - Cloud Security for startups


Every young company discovers that putting security in place can be expensive, so it needs to manage its priorities. In this presentation we discuss the phases of the start-up life cycle and which security controls should be put in place in each phase.


  1. Moshe Ferber, CCSK Onlinecloudsec.com Cloud Security For Startups Aligning Risk with Growth
  2. About: • Moshe Ferber, 39, lives in Modiin (+2). • Information security professional for over 20 years. • Popular industry speaker and lecturer. • Founded Cloud7, Managed Security Services provider (currently owned by Matrix). • Shareholder at Clarisite – Your customer’s eye view • Shareholder at FortyCloud – Make your public cloud private • Member of the board at MacshavaTova – Narrowing societal gaps • Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter.
  3. The benefits of cloud computing are clear. What are the risks?
  4. Cloud attack vectors: Provider Administration Wide Dashboard Multi tenancy & Virtualization Automation & API Chain of supply Side Channel attack Insecure Instances
  5. Cyber attack trends for cloud computing: Cloud services ransom malwares Bitcoin API Attacks Supply chain Attacks
  6. So, how to build your security? Infrastructure security; Application Security; Operational security
  7. Good Security is based on controls… Preventive • Firewall (Security Groups) • Authentication • AntiVirus • Guards Detective • IDS • System monitoring • Motion detector Corrective • Upgrades & Patches • Vulnerability scanning Compensatory • DRP & Backup • Firewall logs • Reviews • Audit & reconciliation Based on http://www.sans.edu/research/security-laboratory/article/security-controls
  8. The security phases of startup: Phase 1 – Building blocks • From Seed to the first customers Phase 2 – Maturing • Growing and adding customers. Phase 3 – Build trust • Maturing your services.
  9. Phase 1 – Make sure you got the right building blocks • Plan your architecture: logical and physical segmentation. • Understand your data lifecycle. • Laws and regulations to consider. • Choose your partners: software, IT, backend. • Start your SSDLC building block – threat modeling. Architecture. • Implement IaaS best practices: • Identity & Access. • Compensating controls
  10. Build your dashboard with permissions: Users & resources Roles Groups
  11. Best practices for IAM: Don’t use master account; Delete root access key; Enable MFA for critical users; Apply good password policy; Rotate credential periodically; Safeguard your host & access keys; Create individual users with specific roles
  12. Compensating controls: Activate billing alerts API & Dashboards logs Cold Backup Active Secondary site External & Multi Cloud Backups: Encrypt data in transit
  13. Phase 2 • Production environment is now maturing. It's time for roles separation at production. • Authentication mechanism should be mature by now. • Security in Software Development life cycle (SSDLC) should take more focus. Controls: vulnerability scan & penetration tests; Identity Federation Services; Encryption of data at rest; Security training for R&D
  14. Phase 3 • Operational security begins to matter. • More detective controls should be placed. • Incident management procedures should mature. • Transparency will be an advantage. Controls: DR, BC and active secondary location; Log management & Event correlation; Patch & change management; Automation of configuration; Ongoing security awareness program
  15. Questions?
  16. To wrap things up… • Cloud security is maturing fast (it took us over 20 years to secure the PC…) • Security is expensive, but with the right building blocks you can integrate it with the growth of the business. • Make sure you do the basics from the first day, it will be hard to add them later. Don’t be the next CodeSpaces
  17. Keep in Touch • Moshe Ferber • moshe@onlinecloudsec.com • www.onlinecloudsec.com • http://il.linkedin.com/in/MosheFerber Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
