Embracing Cybersecurity on Cloud Computing
•
3 likes•599 views
We will talk about how people do perceive cloud computing and how to link it with a cybersecurity plan. Is cybersecurity compatible with public clouds? Main points that will be covered: • Examples of cybersecurity techniques/ technologies • What is cloud computing – different types of cloud • Measure to take care of when working with Cloud Computing • Examples of technologies adapted to “secure the cloud” Presenter: Eric Fourn is a security and virtualization / cloud professional with more than 12 years of experience. He holds certifications in virtualization and security. Also he is certified instructor for virtualization technologies and a PECB trainer. He wrote a book on VMware vSphere 5 (editions ENI). Link of the recorded session published on YouTube: https://youtu.be/Dp6YF7BagQc
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to Embracing Cybersecurity on Cloud Computing
Similar to Embracing Cybersecurity on Cloud Computing (20)
More from PECB
More from PECB (20)
Recently uploaded
Recently uploaded (20)
Embracing Cybersecurity on Cloud Computing
- 1. Embracing Cybersecurity on the cloud November 1st, 2016
- 2. Eric Fourn Virtualization architect, trainer Virtualization and security geek since more than 10 years. IT architect, trainer (VMware Certified Instructor, former Citrix Certified Instructor, PECB certified trainer) . Contact Information +33660494592 Efourn@engineering-fabrics.fr linkedin.com/in/eric-fourn-vci twitter.com/efourn
- 3. 3 Embracing security on the cloud Agenda What is cybersecurity? What is cloud computing? IT infrastructure of the cloud Cloud services How do people perceive public clouds? Link public clouds and cybersecurity plan Certifications, safeguards for a cloud provider ISO standards, frameworks Q & A
- 4. 4 Embracing cybersecurity on the cloud What is cybersecurity? A subset of Information security Concerns digital information Data created, managed and carried with computers, smartphones, tablets “Carriers” connect to unsecure networks
- 5. 5 Embracing cybersecurity on the cloud What is “cloud” (computing) ? NOT technology Consumption model : IT as a service Internal / External Private (in-house) / Public (elsewhere) / Hybrid (both)
- 6. 6 Embracing cybersecurity on the cloud IT infrastructure of the cloud On demand At scale Multitenant
- 7. 7 Embracing cybersecurity on the cloud Cloud services : heading to the right type IaaS PaaS SaaS DaaS MSaaS
- 8. 8 Embracing cybersecurity on the cloud How do people perceive public clouds? For SaaS (storage and file sharing, email, social networking, document editing) Not secure (data on the internet) For personal use (facebook, icloud, gmail, mega)
- 9. 9 Embracing cybersecurity on the cloud Link public cloud and cybersecurity plan - A Strong training and awareness plan is required Consider cloud infrastructure as outsourcing Responsibilities / perimeters are to be set Consider securing data transfer and data encryption
- 10. 10 Embracing cybersecurity on the cloud Link public cloud and cybersecurity plan - B Consider data that can/cannot be on the cloud Remain the one who use the cloud (not the other way around) Know the Cloud The Cloud/Internet know us (usually more than we think)
- 11. 11 Embracing cybersecurity on the cloud Certifications, safeguards for a cloud provider Look for : ISO standards (up to date) Frameworks used (accurate) Certifications (accredited) References (same or close to your business) Stability (financial, management)
- 12. 12 Embracing cybersecurity on the cloud ISO standards, frameworks - A Look for : NIST guide to information technology security services ISO/IEC 27001 – Information security management ISO/IEC 27017 – IT – security techniques – code of practices for information security controls based on ISO/IEC 27002 for cloud services ISO/IEC 27018 – IT – security techniques – code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- 13. 13 Embracing cybersecurity on the cloud ISO standards, frameworks - B ISO/IEC 27032:2012 : Is a guidance for improving the state of Cybersecurity covers the baseline security practices for stakeholders in the Cyberspace Is for individuals – organizations cannot be certified against ISO/IEC 27032 Links technical and security management system
- 14. IT Security Training Courses ISO/IEC 27032 Lead Cybersecurity Manager 5 Day Course ISO/IEC 27034 Application Security Foundation 2 Days Course ISO/IEC 27034 Application Security Lead Implementer 5 Days Course ISO/IEC 27034 Application Security Lead Auditor 5 Days Course Exam and certification fees are included in the training price. https://www.pecb.com/it-security | www.pecb.com/events
Editor's Notes
- Is cloud computing « computers in the cloud » or computers we are using without knowing where they reside? yes but it is « computing » not « computers ». This is important as it is all about services we consume, not the object that enable the service, as the computers. This may be a good start to define the cloud : services - not servers. It is not technology but technology serves the purpose (bring It as a service) Internal and external is about where infrastructure providing the services we use sits – internal : in the company’s datacenter / external : in others datacenter Private : owned by the company Public : the company uses services provided from cloud providers Hybrid : the company uses both : interconnections are the key. For example production environment in-house (private) and test environments rented from providers
- IT resources and services that are abstracted from the underlying infrastructure and provided “on-demand” and “at scale” in a multitenant environment.The Cisco definition of cloud computing is general; however, three key attributes of the definition include: ● “On-demand” means that resources can be provisioned immediately when needed, released when no longer required, and billed only when used. ● “At-scale” means the service provides the illusion of infinite resource availability in order to meet whatever demands are made of it. ● “Multitenant environment” means that the resources are provided to many consumers from a single implementation, saving the provider significant costs.In the Cisco point of view, all three attributes are required to be considered as a cloud service.
- Infrastructure as a service : you get machines and networks – basically you install and configure all your applications / services (Amazon web services - EC2 [instances]) Plaform as a service : OS and middleware are provided on top of (virtual) machines – Amazon web services DynamoDB or RDS – relational database services Software as a service : using of a software without handling any of : installation, configuration, maintenance, Business continuity – Salesforce Desktop as a service : a desktop accessible for a limited time or subscription based : with some applications like MS Office, Photoshop … not very used (at least in France) MSaaS : letting security specialists partners manage part of the company security such as web and email security – secure scanning – strong authentication Concept of MSaaS (managed security – in french) http://www.journaldunet.com/solutions/expert/42929/msaas--ou-le-concept-d-externalisation-de-la-securite-informatique.shtml Amazon web services database services https://aws.amazon.com/fr/free/databases-free-tier/?sc_channel=PS&sc_campaign=acquisition_FR&sc_publisher=google&sc_medium=english_database_generic_b&sc_content=database_bmm&sc_detail=%2Bamazon%20%2Bdb&sc_category=database_generic&sc_segment=141646657434&sc_matchtype=b&sc_country=FR&s_kwcid=AL!4422!3!141646657434!b!!g!!%2Bamazon%20%2Bdb&ef_id=WA02HgAAAV6oXw9V:20161030205748:s
- Basic services we use every day – dropbox, mega, gdrive and google docs, linkedin) Data go over the internet – database hacked, information cannot be deleted on the cloud Not professionnal We use it but we wouldn’t for an entire company – see Netflix / Dropbox – Cloud could be an advantage
- For people to know how they can do or not with cloud resource and service – how do they manage data from and to public cloud, what data can reside on which cloud Outsourcing and cloud computing contracts must be treated the same responsibilities, duties of each provider and the customer must be clear Important : how do you leave the cloud should the case appears. (schedule, who do what, format of the retrieved information, service) Securing data is ok – but when using clouds don’t forget to secure transfers
- Consider these : Some data cannot reside on the cloud : it depends on the nature of data, the location of datacenters (some data must stay in the originating country). Cloud infrastructure is intended to be used as you need it. Destroy if you don’t need anymore - that’s the right way to use cloud infrastructure. Do not let data on the cloud or use service because of best practices, advices. Only business and security requirements should lead the way a company use cloud services. Know the cloud – the architecture of services you use, RPO, RTO for BC and backup/restore services (this is intended for managers as of course technical people must know how to use it) Identify and classify information you can provide on the cloud. PII should be handled carefully – Data is not easily deleted from the Internet. People let information from all service they use. Beware of Shadow IT (using services in company without IT department approval) – this lower the security level of the company. For instance you send by email confidential information to your personal account. You see this information on your smartphone while in public transport and someone is using his to zoom and take photos of your screen. These cases must be handled beforehand to avoid data leakage.
- Iso standards are often the first thing you see but you should check credential and the release of the ISO standard the provider is certified against. Certifications evolve as the standard linked. Framework should be up to date to but accurate and linked to what a company expects. If this is about security : NIST is a good example. Certifications should be accredited (when this is about ISO standards) – beware : technical certifications are usually not accredited (because it is from commercial companies, not accreditation bodies like Cofrac for France or UKAS for UK) The more the customer is close to your business, the more the reference could be seen as relevant. A provider should be here to stay. Besides financial data, frequent changes in management are not good sign of stability. Care is advised when choosing one or several providers. Separation of duties could be applied here (some services rented from different specialists – do not add too much overhead for administration, support, billing…)
- NIST http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project ISO/IEC 27001 http://www.iso.org/iso/home/standards/management-standards/iso27001.htm?= ISO/IEC 27002 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533 ISO/IEC 27017 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43757 ISO/IEC 27018 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498 Amazon Web services ISO 27018 certification : AWS ISO 27018 certification : https://d0.awsstatic.com/certifications/iso_27018_certification.pdf Amazon Web Services ISO 27017 certification https://d0.awsstatic.com/certifications/iso_27017_certification.pdf
- ISO/IEC 27032 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44375