Cloud Security for the financial sector
Moshe Ferber, CCSK, CCSP
Onlinecloudsec.com
When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
#whoami
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)
• Founding committee member for the ISC2 CCSP certification
• CCSK certification lecturer for the Cloud Security Alliance
• Member of the board at Macshava Tova – Narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next-generation IT
• Research and educational programs
• Certifications for cloud providers & security professionals
• Awareness and marketing
• The globally authoritative source for trust in the cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
CSA Israel: a community of security professionals promoting responsible cloud adoption.
Cloud Computing
What does the CIO think about it? How does the CFO see it? How does the end user feel about it? And how does the CISO treat it?
Everyday Examples
“Moving to the cloud will expose our data to foreign governments”
“I have virtualized servers, so I am already in the cloud”
“I don’t trust the vendors”
“What about compliance?”
“Our regulator forbids us from moving to the cloud”
“Cloud lacks the visibility we need”
“We use hosting, so we are already in the cloud.”
“We will lose control over our assets”
“And what about the NSA…?”
“Cloud services are not mature enough”
Cloud services are very different in nature
Service models: SaaS, PaaS, IaaS.
Deployment models: Private, Hybrid, Public.
The shared responsibility model
Figure: the stack, from bottom to top: Physical Security; Network & Data Center Security; Hypervisor Security; Virtual Machines & OS Security; Data layer & development platform; Application; Identity Management; Data; Audit & Monitoring. For each of IaaS, PaaS and SaaS the figure marks which layers are the provider's responsibility and which remain the consumer's; the lower layers are always the provider's, and the consumer's share shrinks from IaaS to SaaS.
Cloud challenges vary depending on the market sector
Adoption profiles: Cloud Focused (heavy use); Cloud Adopters (2-3 apps in the cloud); Cloud Curious (first projects); Private Cloud (public cloud avoiders); National Infrastructure.
Sectors shown: Startups, Energy, SMB, Hi Tech, Government, Health, Military, Telecom providers, Homeland & Military industries, Utility, Retail, Banks / Financial Services Industry.
The CISO Challenge
IaaS/PaaS: how to build a secure application.
SaaS: how to correctly evaluate your provider.
Step 1: Build your cloud security policy
Building a cloud strategy:
• Guidelines for which data/apps can migrate
• Threats & risks to consider
• Evaluating the provider's maturity and operational procedures
• Additional controls that should be implemented in the service
Cloud Policy: what should move to the cloud?
Figure: a scale from on-premise to public cloud, weighed against confidentiality, integrity and availability.
Candidates for the public cloud:
• Data exposed to the public
• Applications that are currently neglected
• Test/dev environments
• Mobile app backends
• Hardware/infrastructure-intensive applications
Focus on how & where to move
Analyze the application:
• Identity: who are the identities? Number & nature.
• Interfaces: are there interfaces to the organization?
• Data: laws & regulations; sensitivity level.
Dealing with threats/risks
The most common threats: data breaches; government warrant; malicious insider; unintentional disclosure; hacking; account hijacking; loss of data; unexpected expenses; loss of availability; provider outage; communication outage; account lockout / lock-in; DDoS.
Impact: confidentiality, integrity and availability (C, I, A) and reputation.
Attack vectors
Cloud attack vectors: provider administration; management console; multi-tenancy & virtualization; automation & API; supply chain; side-channel attack; insecure instances.
The Challenge: Evaluating the providers
• Could you do an audit?
• Should you do an audit?
In many cases you have to settle for third-party attestation.
Compliance with BOI regulation
• Encryption: encrypting data at the cloud provider (who has the keys?)
• Identity Management: who controls the user store? Who is responsible for authentication?
• Governance & Audit: who does what? Suspicious event detection.
CASB - Cloud Access Security Brokers
Challenges - encryption
Data in motion:
• Usually user traffic is encrypted. But what about machine-to-machine interfaces?
Data at rest:
• Different encryption for different purposes.
• Who has the key?
Layers of encryption at rest: storage encryption; OS volume encryption; DB encryption (TDE); file & application level.
Challenges – encryption (cont)
IaaS/PaaS: how to build in encryption with your own keys.
SaaS: use of encryption gateways.
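The "who has the key?" question above is decided by where encryption happens. As an added example (not code from this deck or from the author), the Go program below encrypts a record with AES-256-GCM under a key the customer generates and keeps, so that the provider's storage (`providerStore`, a map standing in for object storage) only ever receives ciphertext. The object name is bound as additional authenticated data, so a stored object cannot be swapped or modified without detection. A real deployment would keep the key in a customer-controlled KMS or HSM rather than in process memory; that part is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what the provider's storage receives and keeps:
// ciphertext plus the nonce needed to decrypt it. No key travels with it.
type EncryptedObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit AES key on the customer side.
// Assumption for this example: the key lives in memory; in production it
// would be held in a customer-controlled KMS or HSM.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer's key before it leaves the
// customer's boundary. objectName is bound as additional authenticated data
// so a ciphertext cannot be silently moved to a different object.
func Seal(key, plaintext []byte, objectName string) (EncryptedObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return EncryptedObject{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the provider. It fails if the key
// is wrong, the object name differs, or the ciphertext was modified.
func Open(key []byte, obj EncryptedObject, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong object name or tampered data")
	}
	return pt, nil
}

// providerStore stands in for the cloud provider's object storage
// (constructed for this example): it only ever sees EncryptedObject values.
var providerStore = map[string]EncryptedObject{}

func main() {
	key, _ := NewCustomerKey()
	record := []byte("account=IL12-3456 balance=1000.00") // constructed sample record
	const name = "statements/2024-01.json"
	obj, _ := Seal(key, record, name)
	providerStore[name] = obj

	// Whoever has provider-side access holds no customer key.
	providerSideKey := make([]byte, 32)
	if _, err := Open(providerSideKey, providerStore[name], name); err != nil {
		fmt.Println("provider side:", err)
	}
	pt, _ := Open(key, providerStore[name], name)
	fmt.Printf("customer side: %s\n", pt)
}
```

This is the IaaS/PaaS case, where you control the code path that writes to storage; for SaaS, where you do not, an encryption gateway applies the same idea in front of the service.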
Challenges – identity management
Figure: identity federation between the bank's AD and the service provider.
• Identity federation is a key technology for controlling user identities and authentication.
• Federation is about use cases: each use case has a matching federation technology.
Challenges – Governance & Audit
• Who does what?
• Where do my users log in from?
• Who has public files?
• Who has credit card numbers in their files?
• What kind of cloud services do my users deploy?
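Two of the questions above can be answered from data a provider already exports. As an added example (not code from this deck), the Go program below runs two such checks over constructed input: it parses a sign-in log (in an assumed `key=value` shape) and reports, per user, sign-in countries outside the organisation's allowed set; and it scans exported file contents for payment card numbers, using the Luhn check digit to separate real card numbers from phone or invoice numbers. The log format, file export shape and allowed-country list are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sign-in audit log in an assumed key=value shape; real providers
// export their own formats, so the parser is the part you would adapt.
const sampleLoginLog = `
user=alice country=IL result=ok
user=alice country=IL result=ok
user=bob country=IL result=ok
user=bob country=RO result=ok
user=carol country=US result=fail
user=carol country=US result=ok
`

// Constructed file contents keyed by owner/path, standing in for an export of
// the files held in a SaaS file-sharing service.
var sampleFiles = map[string]string{
	"alice/notes.txt":   "call me at 054-123-4567 about invoice 20240001",
	"bob/customers.csv": "Dana Levi,4111 1111 1111 1111,expires 12/26",
	"carol/report.txt":  "test card 4111-1111-1111-1112 should fail Luhn",
}

type LoginEvent struct{ User, Country string }

// ParseLoginLog keeps the successful sign-ins from the log.
func ParseLoginLog(log string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				f[k] = v
			}
		}
		if f["result"] == "ok" && f["user"] != "" {
			events = append(events, LoginEvent{f["user"], f["country"]})
		}
	}
	return events
}

// UnexpectedCountries answers "where do my users log in from?": per user, the
// sign-in countries outside the allowed set, in first-seen order, without repeats.
func UnexpectedCountries(events []LoginEvent, allowed map[string]bool) map[string][]string {
	out := map[string][]string{}
	seen := map[string]bool{}
	for _, e := range events {
		key := e.User + "/" + e.Country
		if allowed[e.Country] || seen[key] {
			continue
		}
		seen[key] = true
		out[e.User] = append(out[e.User], e.Country)
	}
	return out
}

// LuhnValid is the check-digit test payment card numbers pass; it filters out
// random digit runs such as phone or invoice numbers.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// FilesWithCardNumbers answers "who has credit card numbers in their files?":
// the sorted owner/path names whose content holds a Luhn-valid candidate.
func FilesWithCardNumbers(files map[string]string) []string {
	var hits []string
	for name, content := range files {
		for _, m := range candidatePAN.FindAllString(content, -1) {
			if LuhnValid(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	flags := UnexpectedCountries(ParseLoginLog(sampleLoginLog), map[string]bool{"IL": true})
	fmt.Println("sign-ins from outside the allowed countries:", flags)
	fmt.Println("files holding card numbers:", FilesWithCardNumbers(sampleFiles))
}
```

On the sample data, bob is flagged for RO and carol for US, and only `bob/customers.csv` is reported: carol's number has the right length and shape but fails Luhn, so it is not counted. The same two functions work unchanged on a provider's real export once the parser is adapted to its format.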
Additional Challenges – portability
• In the cloud, sometimes the best control is to make sure you are able to pack your data and go.
Questions?
To wrap things up
• Cloud can present an opportunity for the CISO.
• Trust your providers wisely. Make sure you are monitoring them carefully and be prepared to move if needed.
• Adopt different policies for IaaS / PaaS / SaaS.
Join the CSA Israel Facebook & LinkedIn forums to stay updated on the latest technologies and community meetups.
KEEP IN TOUCH
The cloud security course schedule can be found at:
http://www.onlinecloudsec.com/course-schedule

Financial Sector Cloud Security Best Practices

  • 7. The shared responsibility model
      • Physical security
      • Network & data center security
      • Hypervisor security
      • Virtual machine & OS security
      • Data layer & development platform
      • Application
      • Identity management
      • Data
      • Audit & monitoring
      The line between provider responsibility and consumer responsibility moves with the service model (IaaS, PaaS, SaaS).
  • 8. Cloud challenges vary depending on the market sector
      • Adoption levels: cloud focused (heavy use); cloud adopters (2-3 apps in the cloud); cloud curious (first projects); private cloud (public cloud avoiders); national infrastructure
      • Sectors: startups, energy, SMB, hi-tech, government, health, military, telecom providers, homeland & military industries, utility, retail, banks / financial services industry
  • 9. The CISO challenge
      • IaaS/PaaS: how to build a secure application
      • SaaS: how to correctly evaluate your provider
  • 10. Step 1: Build your cloud security policy
  • 11. Building a cloud strategy
      • Guidelines for which data/apps can migrate
      • Threats & risks to consider
      • Evaluating the provider's maturity and operational procedures
      • Additional controls that should be implemented in the service
  • 12. Cloud policy: what should move to the cloud? Public cloud vs. on premise, judged by confidentiality, integrity and availability. Focus on how & where to move. Candidates:
      • Data already exposed to the public
      • Applications that are currently neglected
      • Test/dev environments
      • Mobile app backends
      • Hardware/infrastructure-intensive applications
  • 13. Analyze the application
      • Identity: who are the identities? Number & nature
      • Interfaces: are there interfaces to the organization?
      • Data: laws & regulations; sensitivity level
  • 15. The most common threats
      • Data breaches: government warrant, malicious insider, unintentional disclosure, hacking, account hijacking
      • Loss of data
      • Unexpected expenses
      • Loss of availability: provider outage, communication outage, account lockout / lock-in, DDoS
      • Impact: confidentiality, integrity, availability (C, I, A); reputation
  • 16. Cloud attack vectors
      • Provider administration
      • Management console
      • Multi-tenancy & virtualization
      • Automation & API
      • Supply chain
      • Side-channel attacks
      • Insecure instances
  • 17. The challenge: evaluating the providers
  • 18. The challenge: evaluating the providers
      • Could you do an audit?
      • Should you do an audit?
      In many cases you have to settle for third-party attestation.
  • 19. Compliance with BOI regulation
      • Encryption: encrypting data at the cloud provider (who has the keys?)
      • Identity management: who controls the user store? Who is responsible for authentication?
      • Governance & audit: who does what? Suspicious event detection
      • CASB - Cloud Access Security Brokers
  • 20. Challenges - encryption
      • Data in motion: user traffic is usually encrypted, but what about machine-to-machine interfaces?
      • Data at rest: different encryption for different purposes; who has the key?
      • Layers: storage encryption, OS volume encryption, DB encryption (TDE), file & application level
  • 21. Challenges - encryption (cont.)
      • IaaS/PaaS: how to build in encryption with your own keys
      • SaaS: use of encryption gateways
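The "who has the key?" question from slides 20 and 21, shown in code. This is an added example, not material from the talk or from Onlinecloudsec.com: envelope encryption in Go, with a fresh data key per object wrapped under a key-encryption key (KEK) that the bank keeps in its own KMS or HSM. The names (`EncryptForCloud`, `StoredObject`, the object ID and the sample record) are constructed for the illustration. The provider stores only ciphertext plus the wrapped key, so holding the object does not let it read the data:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the provider keeps: ciphertext, the data key wrapped
// under the customer's KEK, and the two nonces. Nothing here decrypts without
// the KEK, which is assumed to stay in the bank's own KMS/HSM.
type StoredObject struct {
	Ciphertext []byte // data encrypted under the per-object DEK
	DataNonce  []byte // AES-GCM nonce used for the data
	WrappedDEK []byte // DEK encrypted under the customer-held KEK
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is bound
// into the authentication tag but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nonce, nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForCloud generates a 256-bit DEK per object, encrypts the data under
// it and wraps the DEK under the customer-held KEK. objectID is bound as
// associated data so a wrapped DEK cannot be quietly re-attached to another object.
func EncryptForCloud(kek, plaintext []byte, objectID string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, dataNonce, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, wrapNonce, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, DataNonce: dataNonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// DecryptFromCloud unwraps the DEK with the KEK, then decrypts the data.
// A wrong KEK, a wrong objectID or a tampered object fails authentication.
func DecryptFromCloud(kek []byte, obj StoredObject, objectID string) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK, wrong object or tampered object")
	}
	return open(dek, obj.DataNonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // stand-in for a key held in the bank's own KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const id = "customer-records/2024-01.csv" // constructed object name
	obj, err := EncryptForCloud(kek, []byte("constructed sample record"), id)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromCloud(kek, obj, id)
	fmt.Printf("bank with KEK: %q err=%v\n", pt, err)
	providerKey := make([]byte, 32) // whatever the provider holds, it is not the KEK
	_, err = DecryptFromCloud(providerKey, obj, id)
	fmt.Println("provider without KEK:", err)
}
```

In an IaaS/PaaS deployment this logic lives in the application or a storage layer the bank controls; for SaaS it is the shape of what an encryption gateway on the bank's side does before data reaches the provider. The caveat to write into the policy is that provider-side search, sorting and reporting stop working on fields encrypted this way, so the policy has to name which fields need it.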
  • 22. Challenges - identity management (diagram: Bank AD on one side, service provider on the other)
      • Identity federation is the key technology for controlling user identities and authentication.
      • Federation is about use cases: each use case has a matching federation technology.
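The arrangement on slide 22, as an added Go example that is not from the talk: the bank-side identity provider owns the user store and the signing key, while the service provider holds only the public key and checks signature, issuer, audience and expiry before trusting the user. Ed25519-signed JSON is a constructed stand-in for a SAML assertion or OIDC ID token, and every name here (`IdentityProvider`, `crm-saas`, the group and user names) is made up for the illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a minimal stand-in for a SAML assertion / OIDC ID token:
// who the user is, who vouches for them, which service may accept it, until when.
type Assertion struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expires  int64    `json:"exp"`
	Groups   []string `json:"groups"`
}

type SignedAssertion struct {
	Payload []byte
	Sig     []byte
}

// IdentityProvider is the bank side: it owns the user store (constructed here as
// a map from user to AD-style groups) and is the only party holding the signing key.
type IdentityProvider struct {
	Name  string
	Users map[string][]string
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
}

func NewIdentityProvider(name string, users map[string][]string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, Users: users, priv: priv, Pub: pub}, nil
}

// Issue authenticates the user against the bank's own store and returns an
// assertion scoped to one service provider with a short lifetime.
func (idp *IdentityProvider) Issue(user, audience string, now time.Time) (SignedAssertion, error) {
	groups, ok := idp.Users[user]
	if !ok {
		return SignedAssertion{}, errors.New("unknown user")
	}
	a := Assertion{Issuer: idp.Name, Subject: user, Audience: audience,
		Expires: now.Add(5 * time.Minute).Unix(), Groups: groups}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Sig: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider is the SaaS side: it stores no passwords, only the IdP's public key.
type ServiceProvider struct {
	Name          string
	TrustedIssuer string
	IssuerKey     ed25519.PublicKey
}

// Accept verifies signature, issuer, audience and expiry before trusting the
// subject. Each check closes a distinct failure mode: forged token, token from
// another IdP, token replayed against another service, stale token.
func (sp *ServiceProvider) Accept(sa SignedAssertion, now time.Time) (Assertion, error) {
	if !ed25519.Verify(sp.IssuerKey, sa.Payload, sa.Sig) {
		return Assertion{}, errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	switch {
	case a.Issuer != sp.TrustedIssuer:
		return Assertion{}, errors.New("untrusted issuer")
	case a.Audience != sp.Name:
		return Assertion{}, errors.New("assertion meant for another service")
	case now.Unix() >= a.Expires:
		return Assertion{}, errors.New("assertion expired")
	}
	return a, nil
}

func main() {
	idp, err := NewIdentityProvider("https://idp.bank.example", map[string][]string{"alice": {"Payments-Readers"}})
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{Name: "crm-saas", TrustedIssuer: idp.Name, IssuerKey: idp.Pub}
	now := time.Now()
	sa, _ := idp.Issue("alice", "crm-saas", now)
	a, err := sp.Accept(sa, now)
	fmt.Printf("accepted subject=%s groups=%v err=%v\n", a.Subject, a.Groups, err)
}
```

The point for the policy discussion: disabling a user in the bank's store stops new assertions immediately, which is why owning the user store matters, and the short expiry bounds how long an already-issued assertion stays usable at the provider.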
  • 23. Challenges - governance & audit
      • Who does what?
      • Where do my users log in from?
      • Who has public files?
      • Who has credit card numbers in their files?
      • What kind of cloud services do my users deploy?
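The questions on slide 23 turned into detection logic, as an added example that is not from the talk and does not follow any real CASB or provider log schema. The audit feed is a constructed key=value format with eight sample lines, and the rules flag logins from outside the allowed countries, public file shares, DLP matches that pass the Luhn check (so random digit runs do not count as card numbers), and use of services that are not on the sanctioned list:

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent is one parsed line of the constructed "ts k=v k=v ..." feed.
type AuditEvent struct {
	Time, User, Event string
	Fields            map[string]string
}

// Finding is one governance question answered by a log line.
type Finding struct {
	Rule, User, Detail string
}

// SampleLog is constructed sample input; 4111111111111111 is the well-known
// Luhn-valid test number, 1234567812345678 fails the check.
const SampleLog = `
2024-03-01T08:12:03Z user=alice event=login src=203.0.113.5 geo=IL
2024-03-01T08:14:10Z user=bob event=login src=198.51.100.7 geo=RU
2024-03-01T09:02:44Z user=alice event=share file=q1-forecast.xlsx scope=public
2024-03-01T09:05:00Z user=carol event=share file=board-minutes.pdf scope=internal
2024-03-01T09:30:12Z user=dave event=scan file=customers.csv match=4111111111111111
2024-03-01T09:31:00Z user=dave event=scan file=ids.csv match=1234567812345678
2024-03-01T10:00:00Z user=erin event=app service=approved-crm
2024-03-01T10:01:00Z user=erin event=app service=random-file-share
`

// ParseLine parses one feed line; malformed lines are rejected rather than guessed at.
func ParseLine(line string) (AuditEvent, bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 {
		return AuditEvent{}, false
	}
	ev := AuditEvent{Time: parts[0], Fields: map[string]string{}}
	for _, kv := range parts[1:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return AuditEvent{}, false
		}
		ev.Fields[p[0]] = p[1]
	}
	ev.User, ev.Event = ev.Fields["user"], ev.Fields["event"]
	if ev.User == "" || ev.Event == "" {
		return AuditEvent{}, false
	}
	return ev, true
}

// luhnValid reports whether a 13-19 digit string passes the Luhn check, the
// usual first filter before treating a number as a possible card number.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Evaluate answers the slide's questions over the event stream.
func Evaluate(events []AuditEvent, allowedGeo, sanctioned map[string]bool) []Finding {
	var out []Finding
	for _, ev := range events {
		switch ev.Event {
		case "login": // where do my users log in from?
			if geo := ev.Fields["geo"]; !allowedGeo[geo] {
				out = append(out, Finding{"login-outside-policy", ev.User, geo + " " + ev.Fields["src"]})
			}
		case "share": // who has public files?
			if ev.Fields["scope"] == "public" {
				out = append(out, Finding{"public-share", ev.User, ev.Fields["file"]})
			}
		case "scan": // who has card numbers in their files? (scan = DLP hit)
			if luhnValid(ev.Fields["match"]) {
				out = append(out, Finding{"card-number-in-file", ev.User, ev.Fields["file"]})
			}
		case "app": // what cloud services do my users deploy?
			if svc := ev.Fields["service"]; !sanctioned[svc] {
				out = append(out, Finding{"unsanctioned-service", ev.User, svc})
			}
		}
	}
	return out
}

// RunSample parses SampleLog and evaluates it against a constructed policy.
func RunSample() []Finding {
	var events []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(SampleLog), "\n") {
		if ev, ok := ParseLine(strings.TrimSpace(line)); ok {
			events = append(events, ev)
		}
	}
	return Evaluate(events, map[string]bool{"IL": true}, map[string]bool{"approved-crm": true})
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("%-22s user=%-6s %s\n", f.Rule, f.User, f.Detail)
	}
}
```

Whether these events come from the provider's own audit API or from a CASB in the path, the check a practitioner should make first is that the feed actually contains the fields the rules depend on (source geography, share scope, DLP matches); a rule over a field the provider never exports is silent, not safe.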
  • 24. Additional challenges - portability
      • In the cloud, sometimes the best control is to make sure you are able to pack your data and go.
  • 26. To wrap things up
      • Cloud can present an opportunity for the CISO.
      • Trust your providers wisely: make sure you are monitoring them carefully and be prepared to move if needed.
      • Adopt different policies for IaaS / PaaS / SaaS.
      Join the CSA Israel Facebook & LinkedIn forums to stay updated on the latest technologies and community meetups.
  • 27. Keep in touch: the cloud security course schedule can be found at http://www.onlinecloudsec.com/course-schedule