Aligning Risk with Growth - Cloud Security for startups

Moshe Ferber
Information Security and Cloud Computing, entrepreneur, investor and lecturer.
Moshe Ferber, CCSK
Onlinecloudsec.com
Cloud Security For Startups
Aligning Risk with Growth
About:
• Moshe Ferber, 39, lives in Modiin (+2).
• Information security professional for over 20 years.
• Popular industry speaker and lecturer.
• Founded Cloud7, Managed Security Services provider (currently owned by Matrix).
• Shareholder at Clarisite – Your customer’s eye view
• Shareholder at FortyCloud – Make your public cloud private
• Member of the board at MacshavaTova – Narrowing societal gaps
• Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter.
The benefits of cloud computing are clear. What are the risks?
Cloud attack vectors
• Provider Administration
• Wide Dashboard
• Multi tenancy & Virtualization
• Automation & API
• Chain of supply
• Side Channel attack
• Insecure Instances
Cyber attacks trends for cloud computing
• Cloud services ransom malwares
• Bitcoin
• API Attacks
• Supply chain Attacks
So, how to build your security?
Infrastructure security
Application Security
Operational security
Good Security is based on controls…
Preventive
• Firewall (Security Groups)
• Authentication
• AntiVirus
• Guards
Detective
• IDS
• System monitoring
• Motion detector
Corrective
• Upgrades & Patches
• Vulnerability scanning
Compensatory
• DRP & Backup
• Firewall logs
• Reviews
• Audit & reconciliation
Based on http://www.sans.edu/research/security-laboratory/article/security-controls
The security phases of startup
Phase 1 – Building blocks
• From Seed to the first customers
Phase 2 – Maturing
• Growing and adding customers.
Phase 3 – Build trust
• Maturing your services.
Phase 1 – Make sure you've got the right building blocks
• Plan your architecture: logical and physical segmentation.
• Understand your data lifecycle.
• Laws and regulations to consider.
• Choose your partners: software, IT, backend.
• Start your SSDLC building block – threat modeling. Architecture.
• Implement IaaS best practices:
  • Identity & Access.
  • Compensating controls
Build your dashboard with permissions
• Users & resources
• Roles
• Groups
Best practices for IAM
• Don’t use master account
• Delete root access key
• Enable MFA for critical users
• Apply good password policy
• Rotate credentials periodically
• Safeguard your host & access keys
• Create individual users with specific roles
Compensating controls
• Activate billing alerts
• API & Dashboards logs
• Cold Backup
• Active Secondary site
• External & Multi Cloud Backups:
• Encrypt data in transit
Phase 2
• Production environment is now maturing. It's time for roles separation at production.
• Authentication mechanism should be mature by now.
• Security in Software Development life cycle (SSDLC) should take more focus.
• Vulnerability scan & penetration tests
• Identity Federation Services
• Encryption of data at rest
• Security training for R&D
Phase 3
• Operational security begins to matter.
• More detective controls should be placed.
• Incident management procedures should mature.
• Transparency will be an advantage.
• DR, BC and active secondary location
• Log management & Event correlation.
• Patch & change management
• Automation of configuration
• Ongoing security awareness program
Questions?
To wrap things up…
• Cloud security is maturing fast (it took us over 20 years to secure the PC…)
• Security is expensive, but with the right building blocks you can integrate it with the growth of the business.
• Make sure you do the basics from the first day; it will be hard to add them later.
Don’t be the next CodeSpaces
Keep in Touch
• Moshe Ferber
• moshe@onlinecloudsec.com
• www.onlinecloudsec.com
• http://il.linkedin.com/in/MosheFerber
Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule