
SEE the Cloud: Hans Rattink - Is your security as secure as the cloud itself?



For some organisations, the move to the cloud raises plenty of headaches: can the cloud be trusted when it comes to privacy and security? But that question is just as easily turned around: how responsible is it not to move to the cloud? Taking care of security yourself is not free, and certainly not without risk. With a proper estimate of the (potential) costs, this really becomes an economic question.

For Hans Rattink, trusting the cloud is no longer an issue, as long as you take the right steps. In this presentation he shares his successes and the approach by which he achieved them. He also makes you aware of the no-brainers in the wide range of cloud services on offer.

Published in: Business


  1. Classification: //SecureWorks/Public Use:
  2. #SEETHECLOUD Is your security as secure as the cloud itself? Hans Rattink, Secureworks
  3. #SEETHECLOUD Hans Rattink, Security Architect, Secureworks
  4. About me
     • Hans Rattink
     • Senior Security Architect
     • Region: Central EU
     • Active in IT for over 17 years, in security for over 12 years
  5. Is the cloud secure? What are my responsibilities? What should I do next?
  6. State-of-the-art data centres: the foundation of cloud service providers. Ref.:
  7. Can it get any better?
  8. "Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres." - Gartner, Inc.
  9. Are we good?
  10. Are we?
  11. "By 2020, 95 percent of cloud security failures will be the customer's fault." - Gartner, Clouds Are Secure: Are You Using Them Securely?, 21 July 2016
  12. What did we see this year so far?
  13. Verizon, July 2017
     • A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed.
     • The data was contained on a misconfigured Amazon S3 data repository owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon, according to a July 12 blog post.
     • "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest."
  14. Deloitte, September 2017
     • The perpetrators may have had access to the server as far back as October or November 2016.
     • Deloitte acknowledged that an attacker "accessed data from an email platform", which Deloitte also used to store usernames, passwords, IP addresses, architectural diagrams, health information, and sensitive security and design details.
     • The adversary accessed the Azure cloud service by compromising an administrator's account with unrestricted access to content. The account did not have "two-step" verification set up.
     • To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months.
  15. Huddle, November 2017
     • The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.
     • On Wednesday (8 November), a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform. He was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
     • According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
     • Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code. This ensures no two people are ever simultaneously issued the same code.
  16. (slide without text)
  17. (slide without text)
  18. Results from one year of the Data Breach Notification law
     • 5,500 notifications of data breaches
     • 4,000 notifications investigated
     • Hundreds of organisations warned
     • Tens of organisations involved in deeper investigations
     Numbers from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). Source: meldingen-datalekken-eerste-kwartaal-2017#subtopic-5247
     GDPR fines for data breaches can reach a maximum of 4% of yearly gross turnover or €20 million, whichever is larger.
  19. What are my responsibilities?
  20. Cloud models: Cloud Consumer versus Cloud Provider across Infrastructure as a Service, Platform as a Service and Software as a Service
  21. Key responsibilities for cloud models
  22. Clarify and document your responsibilities: vendor management is key
     • Know where your responsibilities end and the provider's begin
     • Patching, encryption, software licenses, data retention
     • Make sure there is documented responsibility for each layer in the cloud stack
     • Agree the responsibilities with the cloud provider and ensure contracts are in place reflecting those responsibilities
     • Ensure that, as a cloud consumer, you have the ability to assess/audit the cloud provider's security and privacy controls
  23. What should I do?
  24. "By 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures." - Gartner, Inc.
  25. 1 Assess and plan
       • Security Maturity Assessment
       • Identify security gaps
       • Understand risks to (personal) data
       • Develop a risk-based security programme that includes best practices
     2 Increase visibility
       • Implement (threat-intel-based) security analytics
       • Use a 24x7 SOC for incident analysis
       • Apply a vulnerability scanning and management programme
       • Improve security awareness
     3 Implement controls
       • Implement governance controls
       • Add controls for detection and protection
       • Create runbooks and incident response plans
     4 Test, operate and manage (Target)
       • Govern the security programme
       • Test security controls, programme and employees
       • Evaluate and improve the security roadmap
  26. Build your security program
     Cloud security strategy
       • Holistic view of the implications of cloud computing
       • Full evaluation of threats and risks
       • Identification and implementation of mitigating controls against assets and cloud providers
     Check your cloud provider
       • Understand their security control framework
       • What information do they provide you, what is documented?
       • What options do they give you to ensure security?
     Understand the implications
       • Where is your data now and in the future?
       • Are you monitoring the security controls in place?
       • What happens to your data if your cloud provider ceases service?
       • Are you GDPR compliant and prepared for a security breach?
     Assess your existing controls
       • What are your responsibilities in keeping the data secure?
       • Do you know what services you use and who has access to your critical data in the cloud?
       • Can you successfully respond to security incidents?
  27. Increase visibility: security monitoring results
  28. Implement controls: cloud security configuration management
  29. About SecureWorks
  30. Intelligence-driven information security solutions…
     • 2,400+ employees
     • Recognized as an industry leader
     • ~4,500 clients across 61 countries
     • 18 years of threat intelligence data
     • 240B security events processed daily
     • 2B+ threat indicators
     • 300+ expert security analysts
     • 700+ IR engagements last year
  31. Acknowledged leader
  32. Secureworks Cloud Portfolio
     Strategize and Architect: ✓ Security Design and Architecture ✓ Cloud Strategy Development and Assessment
     Secure Applications and Data: ✓ Managed Vulnerability Scanning ✓ Managed Web Application Scanning ✓ Monitored Firewall ✓ Monitored Web Application Firewall ✓ Monitored Elastic Server Groups ✓ Advanced Endpoint Threat Detection - Red Cloak
     Test Your Cloud Security: ✓ Vulnerability Assessment ✓ Advanced Penetration Tests ✓ Web App Security Assessment ✓ Penetration Tests ✓ Remote Red Team ✓ API Assessments
     Assess Your Deployment: ✓ Cloud Vendor Assessment ✓ Cloud Strategy Assessment ✓ Security Framework Assessments
     Meet Compliance: ✓ Vulnerability Scanning ✓ PCI, HIPAA, GLBA, FISMA, EI3PA ✓ Penetration Testing
     Respond to a Breach: ✓ Emergency Incident Response ✓ Incident Management Retainer
     Service lines: Cloud Security & Risk Consulting; Cloud Managed Security Services & SaaS; Cloud Incident Response. Multiple cloud platforms supported; Amazon Web Services supported.
  33. Is the cloud secure? What are my responsibilities? What should I do next?
  34. Questions?
     • @hrattink
     • Hans Rattink, CISSP CISM, Senior Security Architect, SecureWorks | Central Europe
     • Phone: +31 6 250 93 872
  35. Thanks for your time! #SEETHECLOUD
  36. Colophon
     • Author: Hans Rattink
     • Modified: November 2017
     • Revision history: 0.4: Initial version for See2017
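The Verizon/NICE Systems incident on slide 13 came down to an S3 bucket whose configuration let outsiders read the data. The following is an added example, not from the presentation or from Secureworks, of an offline check over a bucket policy and its ACL grants that flags world-readable settings; the policy, the grants, the bucket name and the account id are constructed sample input.

```python
# Constructed sample input in the shapes S3 GetBucketPolicy / GetBucketAcl return
# (bucket name, account id and canonical id are placeholders, not real values).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ],
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]

# S3's predefined groups: AllUsers is the whole internet, AuthenticatedUsers is any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_findings(policy):
    """Allow statements that let an anonymous principal read objects or list the bucket."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            scope = "conditional, review the Condition" if st.get("Condition") else "unconditional"
            findings.append(f"policy statement {i}: Principal * may {sorted(actions)} ({scope})")
    return findings

def acl_findings(grants):
    """Grants to a public group; ACLs are evaluated alongside the policy, so these open
    the bucket even when the policy grants nothing (only an explicit Deny overrides them)."""
    return [f"ACL: {PUBLIC_GROUP_URIS[g['Grantee']['URI']]} has {g['Permission']}"
            for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]

def audit_bucket(policy, grants):
    """All public-access findings; an empty list means no world-readable path was found."""
    return policy_findings(policy) + acl_findings(grants)
```

Running `audit_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS)` on the constructed input reports two findings: the anonymous `s3:GetObject` statement and the `AuthenticatedUsers` READ grant.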
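The Huddle flaw on slide 15 was an authorisation code that two logins arriving within 20 ms could share, so one user landed in the other's account. Huddle's actual code-generation mechanism is not described on the page; the added example below (not Huddle's or the presenter's code) assumes a code derived from a 20 ms time bucket to reproduce that symptom, and contrasts it with a per-request CSPRNG code that is single-use and bound to the requesting user. Users alice and bob and the timestamps are constructed.

```python
import hashlib
import secrets

class TimeBucketedIssuer:
    """Weak issuer (assumed mechanism, for illustration): the code is a function of the
    20 ms window in which the login arrived, so two logins in one window collide."""
    def __init__(self):
        self.pending = {}  # code -> user the code was issued to

    def issue(self, user, now_ms):
        bucket = now_ms // 20
        code = hashlib.sha256(str(bucket).encode()).hexdigest()[:16]
        self.pending[code] = user  # a second issue in the same bucket silently overwrites the first
        return code

    def redeem(self, code):
        return self.pending.pop(code, None)

class RandomIssuer:
    """Fixed issuer: a fresh unpredictable code per request, stored once and bound to its user."""
    def __init__(self):
        self.pending = {}

    def issue(self, user, now_ms=None):
        code = secrets.token_urlsafe(32)
        while code in self.pending:  # practically never, but never hand out a live code twice
            code = secrets.token_urlsafe(32)
        self.pending[code] = user
        return code

    def redeem(self, code):
        return self.pending.pop(code, None)

def simulate(issuer):
    """Two users log in 10 ms apart and each redeems the code they were given.
    Returns the account each of them ends up in."""
    alice_code = issuer.issue("alice", 1_000_000)
    bob_code = issuer.issue("bob", 1_000_010)
    return issuer.redeem(alice_code), issuer.redeem(bob_code)

if __name__ == "__main__":
    print("time-bucketed:", simulate(TimeBucketedIssuer()))  # alice is logged in as bob
    print("random:       ", simulate(RandomIssuer()))        # each user gets their own account
```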