
Surviving the Lion's den



Passing through the Lion's den – How to sell cloud services to security guys:
Pitching your SaaS offering is usually fun, until the security guy walks into the room, as anyone who has tried to promote cloud services to organizations probably knows. On the other hand, for the CISO, cloud vendors sometimes represent the sum of all their greatest fears.

So, how can providers of cloud-based software do a better job of satisfying those gatekeepers? Learn to speak their language and understand their terminology and way of thinking. In this presentation we walk through the do's and don'ts of pitching to information security professionals, and try to better understand their motivation and how to address their concerns.

This presentation is an introduction to a workshop that gives cloud-based companies better tools for overcoming the challenges of selling their offering.

Published in: Software


  1. Pitching cloud services to security folks. Moshe Ferber, CCSK, Onlinecloudsec.com. Surviving the Lion's den...
  2. About:
     • Information security professional for over 20 years
     • Working on cloud strategy with the world's largest software vendors
     • Founded Cloud7, a Managed Security Services provider (currently 2bsecure cloud services)
     • Partner at Clarisite – Your customer's eye view
     • Partner at FortyCloud – Make your public cloud private
     • Member of the board at Macshava Tova – Narrowing societal gaps
     • Certified CCSK instructor for the Cloud Security Alliance
     • Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  3. Cloud Computing: how the CIO sees it
  4. Cloud Computing: how the end user sees it
  5. Cloud Computing: how the CFO sees it
  6. Cloud Computing: and how the CISO sees it
  7. Mistakes cloud providers make #1
  8. Mistakes cloud providers make #2
  9. Mistakes cloud providers make #3
  10. Mistakes cloud providers make #4
  11. What else CISOs don't like
  12. Agility: what you say... and how the CISO understands it
  13. Scalability: what you say... and how the CISO understands it
  14. Compliance: what you say... and how the CISO understands it
  15. Manageability: what you say... and how the CISO understands it
  16. Reliability: what you say... and how the CISO understands it
  17. So what is the CISO looking for?
  18. So, how do we create trust? 1. Transparency 2. Competency
  19. Transparency
  20. Transparency #1 takeaway: security in the cloud is a shared responsibility. Source: Trend Micro blog
  21. Transparency #2, Security Policy: a security policy is mandatory, and it should cover every aspect of how you protect your customers' data.
  22. Transparency #3, Audits: don't run away from security audits.
  23. Competency: Skill, Design, Governance
  24. Skill:
     • Make sure your sales / pre-sales people understand cloud security.
     • Understand the standards and regulations relevant to your sector.
  25. Skill #2:
     • Make your security building blocks tangible to the customers: monitoring and incident management, application security, data security, infrastructure security, data center security.
  26. Understand cloud threats & risks. Threat: theft. Risk: losing money. Attack vector: an unsecured door.
  27. Cloud attack vectors: provider administration, management console, multi-tenancy & virtualization, automation & API, supply chain, side-channel attacks, insecure instances.
  28. Understanding controls:
     • Preventive: firewall (security groups), authentication, anti-virus, guards
     • Detective: IDS, system monitoring, motion detector
     • Corrective: upgrades & patches, vulnerability scanning
     • Compensatory: DRP & backup, firewall logs, reviews, audit & reconciliation
  29. Design. Threat and the security service that addresses it:
     • Spoofing: authentication
     • Tampering: digital signature, hash
     • Repudiation: audit logging
     • Information disclosure: encryption
     • Denial of service: availability
     • Elevation of privilege: authorization
     Design advice:
     • Integrate security into your software lifecycle.
     • Account for cloud-specific threats.
     • Think about separation of tenants.
     • Explore encryption at all layers.
     • Think about 3rd-party access.
  30. Governance:
     • Most security companies simply don't know how to do ongoing operational security.
     • If you are guarding banks' data, you need a bank's operational capabilities.
  31. Questions?
  32. To wrap things up: speak your customers' lingo. Use good building blocks. Don't hesitate to be transparent about your security controls. Cloud security is very much about your customers' market sector. Be proactive in your security and think ahead of your customers.
  33. Moshe Ferber, www.onlinecloudsec.com, http://il.linkedin.com/in/MosheFerber. KEEP IN TOUCH. The Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
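The design slide (29) pairs each STRIDE threat with a security service and asks vendors to think about separation of tenants. As an added illustration, not code from the original deck or from the author, the following Python shows the failure a CISO has in mind when a multi-tenant SaaS is pitched: a lookup by record id alone that crosses the tenant boundary, beside the tenant-scoped lookup that prevents it and writes an audit-log entry (the repudiation control from the same slide). The in-memory table, tenant names, record bodies and function names are constructed sample data and assumptions for this example.

```python
"""Tenant separation at the data-access layer (added illustration).

Constructed sample data: two tenants sharing one table. The unsafe lookup
finds records by primary key alone, so any authenticated user of tenant A
who guesses (or increments) an id can read tenant B's data. The scoped
lookup always includes the caller's tenant in the predicate and records
every denied attempt, so the mistake is both prevented and auditable.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant_id: str
    body: str


@dataclass(frozen=True)
class Caller:
    """Identity established by authentication. The tenant_id comes from the
    server-side session, never from a request parameter the client controls."""
    user: str
    tenant_id: str


# Constructed sample data (not from the original page): one shared table.
TABLE = {
    1: Record(1, "tenant-a", "A: customer list"),
    2: Record(2, "tenant-b", "B: payroll export"),
    3: Record(3, "tenant-a", "A: invoices"),
}

# Append-only audit trail; in a real service this goes to a log pipeline.
AUDIT_LOG: list[dict] = []


def fetch_record_unsafe(record_id: int) -> Optional[Record]:
    """Lookup by id only: the tenant boundary is not part of the query,
    so a caller from tenant A receives tenant B's record for id 2."""
    return TABLE.get(record_id)


def fetch_record(caller: Caller, record_id: int) -> Optional[Record]:
    """Tenant-scoped lookup: the effective predicate is (tenant_id, record_id).

    Returns None both for ids that do not exist and for ids that belong to
    another tenant, so the response does not reveal which case occurred.
    Every denied lookup is written to the audit log.
    """
    rec = TABLE.get(record_id)
    if rec is None or rec.tenant_id != caller.tenant_id:
        AUDIT_LOG.append({
            "event": "record_access_denied",
            "user": caller.user,
            "caller_tenant": caller.tenant_id,
            "record_id": record_id,
        })
        return None
    return rec


def list_records(caller: Caller) -> list[Record]:
    """Every read path filters on the caller's tenant, not only point lookups."""
    return [r for r in TABLE.values() if r.tenant_id == caller.tenant_id]


if __name__ == "__main__":
    alice = Caller(user="alice", tenant_id="tenant-a")
    print("unsafe:", fetch_record_unsafe(2))    # tenant B's payroll, leaked
    print("scoped:", fetch_record(alice, 2))    # None, plus an audit entry
    print("own:   ", [r.record_id for r in list_records(alice)])
    print("audit: ", AUDIT_LOG)
```

The point for the pitch is the shape of the fix, not the data store: the tenant identifier is bound to the authenticated session and is part of every query predicate, so cross-tenant reads fail closed and leave evidence.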
