Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Cloud & I, The CISO challenges with Cloud Computing

749 views

Published on

The Cloud is a challenge for the Security professional, but also creates opportunities. In this presentation we will overview the different cloud challenges according to each market sector.

Published in: Technology
  • Be the first to comment

The Cloud & I, The CISO challenges with Cloud Computing

  1. 1. The Cloud & I, CISO challenges with the cloud Moshe Ferber CCSK, CCSP When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
  2. 2. About myself  Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)  Founding committee member for ISC2 CCSP certification.  CCSK Certification lecturer for the Cloud Security Alliance.  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  3. 3. So, what is cloud?
  4. 4. Cloud Computing What the CEO think about it?
  5. 5. Cloud Computing How the CFO see it?
  6. 6. Cloud Computing How the End-User feel regarding it?
  7. 7. Cloud Computing And how the CISO Feels about it?
  8. 8. Everyday Examples “Moving to cloud will expose our data to foreign government” “I got a virtualized servers, so I already in the cloud” “I don’t trust the vendors” “What about compliance?” “Our regulator forbid us from moving to the cloud” “Cloud lacks the visibility we need” “We use hosting, so we are already in the cloud.” “We will loose control over our assets” “And What about the NSA…?” “Cloud services are not mature enough”
  9. 9. AgilityAgility What do you say… And how the CISO understand it
  10. 10. ScalabilityScalability What do you say… And how the CISO understand it
  11. 11. ComplianceCompliance What do you say… And how the CISO understand it
  12. 12. ManageabilityManageability What do you say… And how the CISO understand it
  13. 13. ReliabilityReliability What do you say… And how the CISO understand it
  14. 14. Multi tenancyMulti tenancy What do you say… And how the CISO understand it
  15. 15. And of course, you can not avoid the big question… Who is more secured? Cloud or on premise?
  16. 16. Can we define what is more secure? > <=
  17. 17. Can we define which cloud service? Cloud provider A Cloud provider B
  18. 18. Does it really matter?
  19. 19. Cloud Services are very different in nature SaaS PaaS IaaS Private Hybrid Public
  20. 20. The shared responsibility model Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility
  21. 21. So, bottom line, is cloud security improving?
  22. 22. Providers are doing more to increase trust
  23. 23. Improvement with security standards & compliance
  24. 24. Security automation is improving, specially in IaaS/PaaS
  25. 25. Monitoring & auditing are improving
  26. 26. Legal eco-system is getting complicated Technical complexity Legal complexity
  27. 27. Configuration is still open by default, very easy to make mistakes Legal complexity
  28. 28. Increased chances for cloud provider lock-in Legal complexity
  29. 29. Government snooping is increasing Legal complexity
  30. 30. Cloud Focused (Heavy use) Cloud Adopters (running apps in the cloud) Cloud Curious (First projects) Cloud Avoider (Private Cloud adapters) National Infrastructure Cloud challenges varies depending on the market sector Startups Energy SMB Hi Tech Government Health Military Telecom providers Homeland & Military industries Utility Retail Banks Financial Services Industry
  31. 31. The Challenge: Private cloud still got the same attack vectors! Cloud Attack Vectors Provider Administration Management Console Multi tenancy & Virtualization Automation & API Chain of supply Side Channel Attack Insecure Instances Cloud Avoiders Cloud Curious Cloud Adopters Cloud Focused
  32. 32. The Challenge: Build your Cloud strategy Cloud Curious Cloud Avoiders Cloud Adopters Cloud Focused
  33. 33. The challenge: Understand the share responsibility model Cloud Curious Cloud Avoiders Cloud Adopters Cloud Focused
  34. 34. The Challenge: Evaluating the providers Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  35. 35. Copyright © 2015 Cloud Security Alliance Industry Standards used by Major Cloud Providers ISO/IEC 27018:2014 Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  36. 36. The Challenge: Look for those abundant applications that can benefit from cloud computing Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused Public Cloud Integrity Availability On premise Confidentiality
  37. 37. Telecom Providers The Challenge: Building cloud services Transparency Certifications Security operations Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  38. 38. The Challenge: managing multiple cloud applications Governance Encryption Identity management Availability Cloud Focused Cloud Avoiders Cloud Curious Cloud Adopters DLP
  39. 39. Startups The Challenge: Integrating security into your software lifecycle & operations Monitoring Static & Dynamic Analysis Multi Tenancy DEVOPS Cloud Focused Cloud Avoiders Cloud Curious Cloud Adopters
  40. 40. To wrap Things Up… Join CSA Israel Facebook & LinkedIn Forums in order to stay updated regarding latest technologies and community meetups. Don’t let security hold you down
  41. 41. To wrap Things Up… Join CSA Israel Facebook & LinkedIn Forums in order to stay updated regarding latest technologies and community meetups. Use the right tools
  42. 42. To wrap Things Up… Perform responsible cloud adoption!
  43. 43. KEEP IN TOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule
  44. 44. Questions?

×