
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference


Whitehall Media conference on cloud computing. Francesco Cipollone, representing the Cloud Security Alliance, provides an overview of the cloud transformation challenges.

Published in: Engineering


  1. Is the Cloud Secure? It's easy if you do it smart. ECC - Enterprise Cloud Computing (London). @FrankSEC42
  2. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd. Agenda: About the author; Context; How things have changed; The problem and the ideal world; Solutions to reach there; Conclusions & take-aways; CSA Conference & Awards; Q&A.
  3. About Francesco. Francesco Cipollone, Founder, NSC42 LTD. I'm a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Public Speaker, Researcher and Director of Events of Cloud Security Alliance UK, Researcher and associate of ISC2. I've been helping organizations define and implement cybersecurity strategies and protect themselves against cybersecurity attacks. Links: FC-LinkedIn, E-Mail, Website, Articles, NSC42 LinkedIn. Twitter: @FrankSEC42. "Security is everybody's job." "Security is challenging: we have to know an inch deep and miles wide."
  4. How Things Have Changed. How did we evolve to reach here? What is the impact on security?
  5. Setting the Context. What is the Cloud? How do we make sure the cloud is 'secure'? Security is everybody's responsibility.
  6. Cloud Evolution. Timeline slide marked with the years 2005 to 2014, running from "Datacentre Land" (2005) to "Cloud Adoption" (2014).
  7. Why security. Why do we need security in all this cloud? Security is everybody's responsibility.
  8. Challenges. What challenges face the cloud security professional?
  9. Challenges. Security challenges in cloud transformations: increasing number of breaches; impact on cost (brand, fines, ...); fast change; no collaboration between teams and security. Security is everybody's responsibility.
  10. Major Breaches. Why is security everybody's responsibility? Because we all get affected by it. Timeline slide of major breaches from 2009/2010 to 2019, naming: Microsoft, Heartland, US Military, AOL, TJMaxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US Retailers, Adobe, Ubisoft, Court Ventures, ...
  11. Major Breaches (image slide).
  12. Breach numbers. Cost of cybercrime will reach $2 trillion by 2019, a 3x increase from 2015 ($500 billion). Cybercrime will create over $1.5 trillion in profits in 2018. In the UK, over 4 in 10 businesses (43%) had a cyber security breach in 2018. For 3/4 of businesses (74%), cyber security is a high priority. 90% of remote code execution attacks are associated with cryptomining.
  13. Challenges - Recap. So can you remember the security challenges? Increasing number of breaches; impact on cost (brand, fines, ...); fast change; no collaboration between teams and security. Security is everybody's responsibility.
  14. Ideal cybersecurity world. In an ideal cybersecurity world we would have infinite time and infinite resources to do things right, and all the boring chores would be automated.
  15. Solutions. How do we get to the ideal world? Let me introduce a few solutions.
  16. Solutions. 1. Cloud Responsibility Matrix; 2. Cloud Foundation; 3. Cloud Patterns; 4. Design Security; 5. Security by Design; 6. Dev shift left; 7. Security Testing; 8. DEV-SEC-OPS + BIZ/ARCH. Security by design = everyone participates in security.
  17. Step 1 - Cloud Responsibilities. Shared responsibility model: the customer defines the controls and takes care of security IN the cloud (application & content, network security, identity & access control, operating system/platform, data encryption); security OF the cloud (physical infrastructure, network infrastructure, virtualization layer) sits with the cloud platform. "Understand the shared responsibility model and delegation and you'll master cloud." Consider what you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure.
  18. Step 1 - Cloud Pizza. IaaS, PaaS, SaaS, ... Who cares, give me pizza!
  19. Step 2 – Foundation. How do you build a solid house? You don't skip the foundation! How do you build a solid cloud? You don't skip the foundation!
  20. Step 2 – Foundation. How do you build a solid cloud (security) foundation? Culture, management support and skills: 1. Management support; 2. Disruption and strategy; 3. Security as part of the cloud journey; 4. Skills shortages; 5. Architecture patterns & re-use.
  21. Step 2 – Foundation. What tools do you use for the solid cloud (security) foundation?
  22. Step 3 – Cloud Patterns. Account isolation; traditional vs cloud controls; logging and monitoring; identity and access management; key management. "There is no such thing as a free lunch... but leverage patterns as a starting point."
  23. Step 4 – Design Security. "How would you expand the security team without expanding the team?" Train software engineers on security and you'll have an 'extended security team'.
  24. Step 5 – Security by Design. "So what would the software engineer do with the security hat on?" How do we make threat security fun? "Gamification... remember to have fun when doing your job."
  25. Step 6 – Shift left in DEV. "Security as early as possible: integrate security in the software development pipeline." Keep the threat or fraud model exercise concise and fun! Don't overcomplicate.
  26. Step 7 – Security in Test. "Security (testing) as early as possible." Security testing as a bug bounty program! Make it fun and rewarding.
  27. Step 8 - DEV–SEC–OPS(BIZ). What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ). Security is everybody's responsibility. Reward security effort. Integrating security: low cost, high impact.
  28. The Future. "Cybersecurity due diligence will remain the same regardless of the technology chosen."
  29. Take Away. Key take-aways from today: responsibility & contracts; strategy & vision; foundation (security); security by design; patterns & native controls; shift left, gamification, automation.
  30. Conclusions. Evolution & challenges; the ideal world and the steps to reach it; what's in the future. Security is in the journey to the Cloud, not at the destination. Security is everybody's job.
  31. CSA-UK - We need you. "To take the best of the Global CSA guidance and make it relevant and practical for a UK audience, encouraging the growth of local cloud security talent." Mentoring, research, events, networking. Twitter: @csaukchapter. LinkedIn: @FrankSEC42
  32. CSA UK AGM – 2019: Annual Conference #CSAUKAGM19. 18 June 2019, HSBC Meridian Room, HSBC, 8 Canada Square, E14 5HQ. Tickets: tps:// ecurity-alliance-agm-2019-tickets- 0900030631. @csaukchapter. Event sponsors.
  33. Every fortnight, 1.30 PM UK time: #MentoringMonday call. @FraSEC42
  34. Cyber Security Awards 2019, Cloud Security Influencer of the Year. Submission: 10 May 2019. Ceremony: 4 July 2019. #CYSECAWARDS19. Submit: Info:
  35. Q&A
  36. Contacts. Get in touch: Francesco.cipollone (at) Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY. @FrankSEC42