The Cloud & I, The CISO challenges with Cloud Computing
May. 6, 2015
The Cloud is a challenge for the Security professional, but also creates opportunities. In this presentation we will overview the different cloud challenges according to each market sector.
The Cloud & I,
CISO challenges with the cloud
Moshe Ferber
CCSK, CCSP
When the winds of change blow, some people build walls and others build windmills.
- Chinese Proverb
About myself
Information security professional for over 20 years
Founder, partner and investor at various cyber initiatives and startups
Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)
Founding committee member for ISC2 CCSP certification.
CCSK Certification lecturer for the Cloud Security Alliance.
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Everyday Examples
“Moving to cloud will expose our data to foreign government”
“I've got virtualized servers, so I'm already in the cloud”
“I don’t trust the vendors”
“What about compliance?”
“Our regulator forbids us from moving to the cloud”
“Cloud lacks the visibility we need”
“We use hosting, so we are already in the cloud.”
“We will lose control over our assets”
“And what about the NSA…?”
“Cloud services are not mature enough”
Cloud Services are very different in nature
SaaS
PaaS
IaaS
Private Hybrid Public
The shared responsibility model
Physical Security
Network & Data Center Security
Hypervisors Security
Virtual Machines & OS security
Data layer & development platform
Application
Identity Management
DATA
Audit & Monitoring
IaaS PaaS SaaS
Consumer responsibility
Provider responsibility
Cloud challenges vary depending on the market sector
Cloud Focused (Heavy use)
Cloud Adopters (running apps in the cloud)
Cloud Curious (First projects)
Cloud Avoider (Private Cloud adopters)
National Infrastructure
Startups
Energy
SMB
Hi Tech
Government
Health
Military
Telecom providers
Homeland & Military industries
Utility
Retail
Banks
Financial Services
Industry
The Challenge: Private cloud still has the same attack vectors!
Cloud Attack Vectors
Provider Administration
Management Console
Multi tenancy & Virtualization
Automation & API
Chain of supply
Side Channel Attack
Insecure Instances
Cloud Avoiders, Cloud Curious, Cloud Adopters, Cloud Focused
The Challenge: Build your Cloud strategy
Cloud Curious, Cloud Avoiders, Cloud Adopters, Cloud Focused
The Challenge: Understand the shared responsibility model
Cloud Curious, Cloud Avoiders, Cloud Adopters, Cloud Focused
The Challenge: Look for those abundant applications that can benefit from cloud computing
Cloud Adopters, Cloud Avoiders, Cloud Curious, Cloud Focused
Public Cloud
Integrity Availability
On premise
Confidentiality
Startups
The Challenge: Integrating security into your software lifecycle & operations
Monitoring
Static & Dynamic Analysis
Multi Tenancy
DEVOPS
Cloud Focused, Cloud Avoiders, Cloud Curious, Cloud Adopters
To Wrap Things Up…
Join CSA Israel Facebook & LinkedIn Forums in order to stay updated regarding latest technologies and community meetups.
Don’t let security hold you down
Use the right tools
The cloud providers AWS and Azure provide a number of compliance certifications. These certifications save time and resources if customers can rely on third-party audits by the bodies awarding them (due diligence should be carried out where required). This is not an exhaustive list; there may be more.
CCM has been adopted by both Amazon and Microsoft for their IaaS and PaaS services.
Microsoft have it for some of their SaaS products such as Office 365 and CRM Dynamics as mentioned earlier.
Source
https://aws.amazon.com/compliance/
https://azure.microsoft.com/en-us/support/trust-center/compliance/