We will talk about how people perceive cloud computing and how to link it with a cybersecurity plan. Is cybersecurity compatible with public clouds?
Main points that will be covered:
• Examples of cybersecurity techniques/technologies
• What is cloud computing – the different types of cloud
• Measures to take when working with cloud computing
• Examples of technologies adapted to “secure the cloud”
Presenter:
Eric Fourn is a security and virtualization/cloud professional with more than 12 years of experience. He holds certifications in virtualization and security. He is also a certified instructor for virtualization technologies and a PECB trainer. He wrote a book on VMware vSphere 5 (ENI editions).
Link to the recorded session published on YouTube: https://youtu.be/Dp6YF7BagQc
2. Eric Fourn
Virtualization architect, trainer
Virtualization and security geek for more than 10 years.
IT architect, trainer (VMware Certified Instructor, former Citrix Certified Instructor, PECB certified trainer)
Contact Information
+33660494592
Efourn@engineering-fabrics.fr
linkedin.com/in/eric-fourn-vci
twitter.com/efourn
3. Embracing security on the cloud
Agenda
• What is cybersecurity?
• What is cloud computing?
• IT infrastructure of the cloud
• Cloud services
• How do people perceive public clouds?
• Link public clouds and cybersecurity plan
• Certifications, safeguards for a cloud provider
• ISO standards, frameworks
• Q & A
4. Embracing cybersecurity on the cloud
What is cybersecurity?
• A subset of information security
• Concerns digital information
• Data created, managed and carried with computers, smartphones, tablets
• “Carriers” connect to unsecure networks
5. What is “cloud” (computing)?
• NOT technology
• Consumption model: IT as a service
• Internal / External
• Private (in-house) / Public (elsewhere) / Hybrid (both)
7. Cloud services: heading to the right type
• IaaS
• PaaS
• SaaS
• DaaS
• MSaaS
8. How do people perceive public clouds?
• For SaaS (storage and file sharing, email, social networking, document editing)
• Not secure (data on the internet)
• For personal use (Facebook, iCloud, Gmail, Mega)
9. Link public cloud and cybersecurity plan - A
• A strong training and awareness plan is required
• Consider cloud infrastructure as outsourcing
• Responsibilities / perimeters are to be set
• Consider securing data transfer and data encryption
10. Link public cloud and cybersecurity plan - B
• Consider data that can/cannot be on the cloud
• Remain the one who uses the cloud (not the other way around)
• Know the cloud
• The cloud/Internet knows us (usually more than we think)
11. Certifications, safeguards for a cloud provider
Look for:
• ISO standards (up to date)
• Frameworks used (accurate)
• Certifications (accredited)
• References (same or close to your business)
• Stability (financial, management)
12. ISO standards, frameworks - A
Look for:
• NIST guide to information technology security services
• ISO/IEC 27001 – Information security management
• ISO/IEC 27017 – IT – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 – IT – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
13. ISO standards, frameworks - B
ISO/IEC 27032:2012:
• Is guidance for improving the state of cybersecurity; covers the baseline security practices for stakeholders in cyberspace
• Is for individuals – organizations cannot be certified against ISO/IEC 27032
• Links technical and security management systems
14. IT Security Training Courses
• ISO/IEC 27032 Lead Cybersecurity Manager – 5-day course
• ISO/IEC 27034 Application Security Foundation – 2-day course
• ISO/IEC 27034 Application Security Lead Implementer – 5-day course
• ISO/IEC 27034 Application Security Lead Auditor – 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/it-security | www.pecb.com/events
Is cloud computing « computers in the cloud », or computers we are using without knowing where they reside? Yes, but it is « computing », not « computers ». This is important, as it is all about the services we consume, not the objects that enable the service, such as the computers. This may be a good start to define the cloud: services, not servers.
It is not technology, but technology serves the purpose (bring IT as a service).
Internal and external is about where the infrastructure providing the services we use sits – internal: in the company’s datacenter / external: in another party’s datacenter.
Private: owned by the company.
Public: the company uses services provided by cloud providers.
Hybrid: the company uses both; interconnections are the key. For example, the production environment in-house (private) and test environments rented from providers.
Cisco defines cloud computing as “IT resources and services that are abstracted from the underlying infrastructure and provided on-demand and at scale in a multitenant environment.” The Cisco definition of cloud computing is general; however, three key attributes of the definition include:
● “On-demand” means that resources can be provisioned immediately when needed, released when no longer required, and billed only when used.
● “At-scale” means the service provides the illusion of infinite resource availability in order to meet whatever demands are made of it.
● “Multitenant environment” means that the resources are provided to many consumers from a single implementation, saving the provider significant costs.
In the Cisco point of view, all three attributes are required for a service to be considered a cloud service.
Infrastructure as a service: you get machines and networks – basically you install and configure all your applications/services yourself (Amazon Web Services EC2 instances).
Platform as a service: OS and middleware are provided on top of (virtual) machines – Amazon Web Services DynamoDB or RDS (relational database service).
Software as a service: using software without handling any of installation, configuration, maintenance or business continuity – Salesforce.
Desktop as a service: a desktop accessible for a limited time or on a subscription basis, with some applications like MS Office, Photoshop… not very used (at least in France).
MSaaS: letting security specialist partners manage part of the company’s security, such as web and email security, secure scanning, strong authentication.
Concept of MSaaS (managed security – article in French):
http://www.journaldunet.com/solutions/expert/42929/msaas--ou-le-concept-d-externalisation-de-la-securite-informatique.shtml
Amazon Web Services database services:
https://aws.amazon.com/fr/free/databases-free-tier/?sc_channel=PS&sc_campaign=acquisition_FR&sc_publisher=google&sc_medium=english_database_generic_b&sc_content=database_bmm&sc_detail=%2Bamazon%20%2Bdb&sc_category=database_generic&sc_segment=141646657434&sc_matchtype=b&sc_country=FR&s_kwcid=AL!4422!3!141646657434!b!!g!!%2Bamazon%20%2Bdb&ef_id=WA02HgAAAV6oXw9V:20161030205748:s
Basic services we use every day – Dropbox, Mega, GDrive and Google Docs, LinkedIn.
Data go over the internet – databases get hacked, information cannot be deleted from the cloud.
Not professional.
We use it, but we wouldn’t for an entire company – see Netflix / Dropbox – the cloud could be an advantage.
For people to know what they can or cannot do with cloud resources and services – how do they manage data from and to the public cloud, what data can reside on which cloud.
Outsourcing and cloud computing contracts must be treated the same: the responsibilities and duties of each provider and of the customer must be clear.
Important: how do you leave the cloud, should the case arise? (schedule, who does what, format of the retrieved information, service)
Securing data is fine – but when using clouds, don’t forget to secure transfers as well.
Consider these:
Some data cannot reside on the cloud: it depends on the nature of the data and the location of the datacenters (some data must stay in the originating country).
Cloud infrastructure is intended to be used as you need it. Destroy it when you don’t need it anymore – that’s the right way to use cloud infrastructure. Do not leave data on the cloud or use a service merely because of best practices or advice. Only business and security requirements should lead the way a company uses cloud services.
Know the cloud – the architecture of the services you use, RPO and RTO for business continuity and backup/restore services (this is intended for managers, as of course technical people must know how to use it).
Identify and classify the information you can put on the cloud. PII should be handled carefully – data is not easily deleted from the Internet. People leave information on every service they use. Beware of shadow IT (using services within the company without IT department approval) – this lowers the security level of the company. For instance, you send confidential information by email to your personal account. You view this information on your smartphone while in public transport, and someone uses theirs to zoom in and take photos of your screen.
These cases must be handled beforehand to avoid data leakage.
ISO standards are often the first thing you see, but you should check the credentials and the release of the ISO standard the provider is certified against. Certifications evolve with the standard they are linked to.
Frameworks should be up to date too, but also accurate and linked to what a company expects. If this is about security, NIST is a good example.
Certifications should be accredited (when this is about ISO standards) – beware: technical certifications are usually not accredited (because they come from commercial companies, not accreditation bodies like Cofrac in France or UKAS in the UK).
The closer the customer is to your business, the more relevant the reference can be considered.
A provider should be here to stay. Besides financial data, frequent changes in management are not a good sign of stability. Care is advised when choosing one or several providers.
Separation of duties could be applied here (some services rented from different specialists – but do not add too much overhead for administration, support, billing…).
NIST:
http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf
https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project
ISO/IEC 27001:
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm?=
ISO/IEC 27002:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533
ISO/IEC 27017:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43757
ISO/IEC 27018:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498
Amazon Web Services ISO 27018 certification:
https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
Amazon Web Services ISO 27017 certification:
https://d0.awsstatic.com/certifications/iso_27017_certification.pdf