Cloud Security is YOUR responsibility, not just your service provider! Understand the shared responsibilities of Cloud Computing from the public cloud to application as a service.
Includes a few updates from the Philadelphia session!
2. Presenters
John LaVigne, a Systems Engineer for Fortinet, has over 15 years of experience in the network field. His focus today is on network security solutions for customers. John has previously worked in a number of project delivery roles in networking, security and messaging.
Nick Sandone is a System Architect with Square10 Solutions. His areas of expertise include network design and optimization, advanced threat protection, enterprise monitoring, and securing cloud and hybrid networks. Nick has diverse experience, having worked in industries ranging from legal, engineering and healthcare to cloud-based supply chain management.
Patrick Sklodowski, a Principal with Square10 Solutions, is a proven technology professional with over two decades of expertise. He works with clients to provide solutions focused on strategic delivery and the alignment of technology with business requirements. His areas of specialty include system architecture, delivery of cloud solutions, messaging, technical project management, disaster recovery and complex migrations.
3. Cloud Security = Shared Responsibility
• Know Your Role and Responsibilities!
• Responsibility dependent on:
  • Type of service
  • Delivery model
  • Service provider
Courtesy of AWS
6. Host Infrastructure
• Secure the virtual device like it’s “within your walls”
  • AV & threat protection
  • Patching
  • Application updates
  • Host encryption
7. Network Controls
• What can we expect from the CSP?
  • Provide the infrastructure
  • Protect their infrastructure
  • Basic built-in tools for the customer
8. Network Controls
• CSP provides
  • Virtual networking
  • Load balancing
  • DNS
  • Gateway
  • VPN
  • Network Security Groups (a group of ACLs)
  • Basic NAT or PAT
  • Basic port open / port closed rules
  • Logical network segmentation
9. Network Controls
• Customer responsibility
  • Next Generation Firewall (NGFW)
  • Web Application Firewall (WAF)
  • Route all traffic through the NGFW
  • Access management
    • Consider 2FA
  • Interrogate/inspect traffic
    • AV/Malware/IPS/DLP
  • Log and monitor traffic
  • Encrypt traffic
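The split on the two Network Controls slides (the CSP supplies Network Security Groups and basic port open/closed rules; the customer must not expose admin ports and must route all traffic through the NGFW) can be turned into a simple posture check. The example below is added here and is not from the presentation; the rule and route field names are assumptions modelled loosely on Azure NSG rules and user-defined routes, not a provider's real schema, and the sample rule sets are constructed.

```python
"""Check the customer-side network controls an IaaS deployment should have.
Sample data is constructed; field names are assumptions, not a real CSP schema.
Simplification: rule priority and explicit Deny rules are not evaluated."""
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389, 1433, 3306}      # management/database ports that should never face the internet
INTERNET = ("*", "0.0.0.0/0", "Internet")  # source values meaning "anywhere"

@dataclass
class Rule:
    name: str
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, "*" or a service tag such as "Internet"
    dest_port: str   # "22", "80-443" or "*"

def port_matches(spec: str, port: int) -> bool:
    """True if a port spec such as '22', '1000-2000' or '*' covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_admin_ports(rules: list[Rule]) -> list[str]:
    """Inbound Allow rules that open an admin port to the whole internet."""
    findings = []
    for r in rules:
        if r.direction == "Inbound" and r.access == "Allow" and r.source in INTERNET:
            for p in sorted(ADMIN_PORTS):
                if port_matches(r.dest_port, p):
                    findings.append(f"{r.name}: tcp/{p} open to internet")
    return findings

def default_route_via_ngfw(routes: list[dict], ngfw_ip: str) -> bool:
    """True if the 0.0.0.0/0 route hands traffic to the NGFW appliance (hypothetical IP)."""
    for rt in routes:
        if rt["prefix"] == "0.0.0.0/0":
            return rt["next_hop_type"] == "VirtualAppliance" and rt["next_hop_ip"] == ngfw_ip
    return False  # no default route at all: traffic is not being forced through the NGFW

# Weak setting beside the corrected one (constructed samples).
WEAK_RULES = [Rule("allow-rdp", "Inbound", "Allow", "*", "3389"),
              Rule("allow-web", "Inbound", "Allow", "Internet", "80-443")]
HARDENED_RULES = [Rule("allow-rdp-from-vpn", "Inbound", "Allow", "10.10.0.0/16", "3389"),
                  Rule("allow-web", "Inbound", "Allow", "Internet", "80-443")]
WEAK_ROUTES = [{"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "next_hop_ip": None}]
HARDENED_ROUTES = [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance", "next_hop_ip": "10.0.1.4"}]

if __name__ == "__main__":
    print(exposed_admin_ports(WEAK_RULES), exposed_admin_ports(HARDENED_RULES))
    print(default_route_via_ngfw(WEAK_ROUTES, "10.0.1.4"), default_route_via_ngfw(HARDENED_ROUTES, "10.0.1.4"))
```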
10. Application Level Controls
• Infrastructure as a Service (IaaS)
  • We install the applications, so we must secure them!
• Platform as a Service (PaaS)
  • SQL
  • Web Services
• PaaS protection through
  • Application level “firewall” settings
  • Identity management
    • SAML
    • Azure Active Directory
“Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS manages the underlying infrastructure, and you secure anything you put on the infrastructure or connect to the infrastructure.”
- Amazon Web Services, “Sharing the Security Services”
11. Identity & Access Management
• Access and authorization
• Identity protection
• Service management through user access
• Tools
  • Multi-factor authentication
  • Same sign-on / single sign-on
  • Identity providers / SAML
  • Roles
  • Auditing and alerting
  • Conditional access
12. Single Sign On and Identity Management
• More passwords = less secure passwords
• Identity providers – Okta, Duo, Microsoft, OneLogin
• Regardless of identity solution
  • Every business needs to be set up in Microsoft Azure Active Directory
  • Most businesses should be federated with Azure Active Directory
• Enables
  • Windows Store for Business
  • Identity management
  • Keeps users away from consumer accounts!
13. Client & End-point Protection
• End-points are always our responsibility
• How the end-point connects determines the risk
  • PaaS is probably connected to my network
  • IaaS has the same risks as on-prem
  • SaaS is more likely app- or browser-based; devices won’t directly access systems
• The device has access to the data flowing through it!
• Advanced threat protection
  • Microsoft Defender and Intune
  • Cylance
  • Carbon Black
14. Data Classification & Accountability
• Compliance obligations
• Distinguish - and potentially secure - sensitive data
• SaaS - capabilities aren’t meaningful without classification – Digital Loss Prevention
• PaaS & IaaS – data management is fully your responsibility
  • Backups
  • Encryption
15. Resources
• Data Classification for Cloud Computing
  • http://aka.ms/dataclassificationforcloud
• The ABC’s of the Shared Responsibility Model
  • https://www.trendmicro.com/aws/aws-shared-security-model/
• Microsoft Incident Response and shared responsibility for cloud computing
  • https://azure.microsoft.com/en-us/blog/microsoft-incident-response-and-shared-responsibility-for-cloud-computing/
• What Does Shared Responsibility in the Cloud Mean
  • https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
• Shared Responsibility Model
  • https://aws.amazon.com/compliance/shared-responsibility-model/
• Everything you need to know about Microsoft Azure security
  • https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2210