
Camelot - Manyhats club meetup 23 10 18



Security architecture presentation by Francesco Cipollone and David Boda at the Manyhats club meetup on 23-10-18.
The presentation is aimed at novices and security professionals on the journey of cloud transformation.

Published in: Technology

  1. I'm a security architect with my head in the cloud. Oct 2018. Francesco Cipollone, David Boda. Public
  2. Intro to the talk
  3. Agenda
     • Security architecture – traditional vs cloud
     • Cloud – what's different?
     • Intro to Camelot and our AWS journey
     • How to sell cloud security architecture to the business
     • What worked for us and what did not work so well
     • Key takeaways
  4. Intro
     • Francesco Cipollone, Cloud Security Architect @ Camelot. Francesco is a security consultant focused on cloud problems, working as Security Architect at Camelot. @FraSEC42
     • David Boda, Head of Information Security @ Camelot.
  5. Intro to Security Architecture
     • What is a security architect?
     • What is the architect's role in the strategy?
     • What is the role of a security architect in this modern world?
     • What is the added value?
  6. What is this cloud and can I have a piece of it?
     • Cloud: just someone else's computer
     • Comes in different flavours and acronyms: IaaS, PaaS, SaaS, IDaaS…
     • Scalable and 'rapid'
     • Different models: cloud provider or specific service providers
  7. Challenges of a Security Architect
     • The traditional challenges of a security architect
     • Cloud challenges plus a bag of classical security issues
     • A tech stack that is constantly changing
  8. Bringing it all together
     • Why is the cloud different?
     • Note – we will be focusing on AWS
     • Due diligence on SaaS and PaaS
  9. Security @ Camelot (diagram of the estate security covers; labels recovered from the slide)
     • Apps, interfaces, code
     • Terminals
     • Datacentre (physical/cloud)
     • Payment interfaces
     • Infrastructure
     • Cloud solutions (SaaS)
     • Accounts
     • VSATs, retailers, draws, offices, staff
     • (…) as well as supporting our sister business and its customers
     • 800+ high-tier prize payments / yr
     • 5000 investigations / yr
  10. Journey to AWS
  11. How to sell security architecture to the business?
     • How do we do it at Camelot?
     • What has worked and what has not worked?
  12. Security Architecture – Selling Points
     • Security by design – avoid delays
     • Minimal incremental security improvements
     • Effective and efficient controls
     • Strategy and vision built into each project
  13. Cloud Architecture – Is it just a blueprint, right?
     • Architecting in the cloud is different: different technology
     • Leveraging blueprints
     • Looking forward and thinking strategically is challenging
     • Everyone thinks they are an architect in the cloud
     • Challenges for security, as anyone can spin up services
  14. Traditional vs Cloud Security Architecture
     • Traditional vs cloud
     • Different technology
     • Different patterns
     • Some similarities (e.g. IaaS vs traditional)
  15. Cloud Architecture – Examples – where it did work
     • Cloud transformation supported by strategy
     • Strong foundation
     • Use of native controls
     • Monitoring and alerting
     • Make use of automation
     • Train, and plan hiring
  16. Cloud Architecture – Examples – where it didn't work
     • Weak foundation
     • No management involvement, no strategy
     • Weak processes
     • No monitoring or alerting
     • No plan for hiring
  17. Cloud Security: incident management in the cloud
     • You can't pull cables in the cloud
     • Incident management and detection can be harder
     • Monitor and alert on billing and on your resources
     • Education on the various services… it is not just another VM in the datacentre
     • Prevent spinning up expensive services with policies
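The last two bullets of slide 17 (alert on billing, and use policies so nobody can launch expensive services) are the most concrete controls in the deck, so here is what one of them looks like on AWS. This is an added example, not a slide from the deck and not Camelot's actual policy: an AWS Organizations service control policy (SCP) that denies `ec2:RunInstances` unless the requested instance type matches an allowlist. The allowlist itself (`t3.*`, `t3a.*`, `m5.large`, `m5.xlarge`) and the statement Sid are assumptions chosen for illustration; `ec2:InstanceType` is a genuine EC2 condition key, and `StringNotLike` supports the `*` wildcard, so a whole family can be approved with one pattern.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "t3.*",
            "t3a.*",
            "m5.large",
            "m5.xlarge"
          ]
        }
      }
    }
  ]
}
```

Attach the SCP to the organizational unit that holds sandbox and development accounts rather than to the root, and test it with a launch of an unapproved type before relying on it. Two caveats a practitioner should know: SCPs only filter permissions, they never grant any, and they do not apply to the management account; and this statement governs only `RunInstances`, so other spend paths (other services, or resizing an existing instance) need their own statements. For the billing half of the bullet, CloudWatch publishes the `EstimatedCharges` metric in the `AWS/Billing` namespace, in us-east-1 only, once billing alerts are enabled in the account's billing preferences; an alarm on that metric is the simplest detector for "someone spun up something expensive".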
  18. Key Takeaways
     Cloud transformations can be a treacherous journey, especially for security professionals:
     - Cloud is different from traditional
     - Do your due diligence up front
     - Start early and create a solid foundation
     - Automate where possible
     - Native cloud controls! Use them
     - Decisions based on risk
     - Skill shortage: be prepared to learn
  19. Why do we do all this – Video
  20. Q&A
  21. Get in touch: FC LinkedIn, DB LinkedIn, Camelot Careers. Thank you. @FraSEC42