This slideshow is a brief introduction to a complex topic that is constantly evolving. It is not meant for security professionals; it is built for people discovering the public cloud.
2. Hello!
I am Olivier Schmitt
I am here because I love to share knowledge.
Check my LinkedIn profile.
3. Disclaimer!
Despite the fact that I aimed to be honest and fair, some pieces of
information presented here might be incorrect or biased.
Please do your own research and always do your homework.
5. State of the Cloud report
RightScale found in its "State of the Cloud" report that security is a major concern
for 25% of the respondents.
Security, while no longer the highest concern as it was previously, remains in the
top 3.
6. Some specific concerns
✘ How does the provider consistently comply with security standards?
✘ Can the provider access my data?
✘ How is my data segregated from access by other customers?
✘ Could the provider share my data with a foreign authority?
✘ How can SLAs be enforced?
✘ Who is responsible or accountable for what?
7. The strategy of providers
How do the pros tackle the issue?
8. The race to compliance
✘ Cloud providers are competing in the game "Who complies with
anything?"
✘ Giants are leading the race: AWS, Azure, Google Cloud and, far
behind, the growing competition.
9. The race to compliance - certifications
Source : Olivier Schmitt, Q4 2017
10. The race to compliance – laws, regulations, privacy
Source : Olivier Schmitt, Q4 2017
11. Bring in the best people
« Cloud computing is often far more secure than traditional
computing, because companies like Google and Amazon can
attract and retain cyber-security personnel of a higher quality
than many governmental agencies »
Vivek Kundra, Executive Vice President, Industries, Salesforce.com
13. How does the leader lead?
AWS owns almost 40% of the
market share and is bigger than
Azure, IBM and Google combined.
14. A clean model of responsibility
✘ AWS is responsible for protecting the infrastructure that runs all
AWS services offered in the AWS Cloud.
✘ The customer is responsible for the resources and services he
manages or builds on top of AWS.
16. From the provider perspective
✘ Robust deployment topology: regions (somewhere on earth) and
availability zones (≥ 2 active datacenters per region)
✘ Physical and environmental security: fire detection and suppression,
power, climate and temperature
✘ Business continuity management: availability, incident response,
company-wide executive review, communication
✘ Network security: secure network architecture, secure access points,
transmission protection, Amazon corporate segregation, fault-tolerant
design
✘ Compliance with standards: SOC, ISO, PCI, ...
18. From the provider perspective – a proven expertise
✘ A huge customer portfolio: 1 million clients in 190 countries (NASA, CIA,
Netflix, General Electric, ...)
✘ Amazon.com is built on top of AWS: one of the biggest and most
sensitive online services
✘ Proven experience in infrastructure and cloud service development:
● 44 datacenters in 16 regions worldwide, 17 new datacenters in project
stage
● 110+ cloud services: from storage to chat bots, from online gaming to data
warehouse
19. Eat your own dog food
Amazon.com brings the scale and the challenge that push AWS toward excellence;
that is simply a unique position in the market.
20. From the customer perspective – AWS and my data
✘ ISO 27018 : some AWS services are certified
✘ European Union’s General Data Protection Regulation : the GDPR
framework helps cloud infrastructure providers comply and so avoid
penalties while also offering a framework to help customers and end users
to select cloud providers and trust their services. AWS services will comply
with the GDPR when it becomes enforceable on May 25, 2018.
21. From the customer perspective – dedicated security services
✘ AWS offers a wide variety of security services: AWS Artifact, AWS
Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, AWS
Directory Service, AWS Identity and Access Management, Amazon
Inspector, AWS Key Management Service, AWS Organizations, AWS
Shield, AWS WAF, …
✘ Rich and easily accessible documentation: white papers, tutorials,
technical papers, …
22. From the customer perspective – savvy services
✘ Most services offer options related to security
● Data replication between regions
● Configuration management
● Rich encryption features
✘ Services that can support a security policy
● Monitoring
● Logging
● Deep learning to dig and find sensitive data for you
● Deep integration with Identity and Access Management
23. Let’s review some concepts
Public cloud providers’ efforts
They made a huge effort to comply
with security best practices and
standards.
AWS leads.
Microsoft made huge progress.
Private datacenter at stake
Securing a private datacenter is
harder and harder since hackers
are becoming more sophisticated.
See stories like Equifax,
Yahoo, British Airline, ...
Clean responsibility model
A public cloud provider needs to
provide clean and coherent RACIs,
so that each party knows what to do.
Customers must play their part
Customers must implement security
policies and should not rely
solely on the provider.
Logging and monitoring
Trust is based on accountability.
Customers and providers need to
know what’s going on.
25. Credits
Special thanks to all the people who made and released these awesome
resources for free:
✘ Presentation template by SlidesCarnival
✘ To Wade from Italki