
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart


The talk takes the audience on a journey through the evolution of the cloud, the recent hacks, and the need to make security everyone's responsibility.
It explores the major challenges of cloud transformation from an organizational and a security perspective, with the top 8 solutions to address them.
The solution covers:
- the shared responsibility model
- foundation architecture
- the cloud patterns available
- design security and security by design
- gamification and the use of EoP in everything security
- shift left, bringing security to the beginning of development
- security testing and automation
- DEV-SEC-OPS and the integration of security with business/architecture
If time allows, the talk will explore the top 5 key cloud patterns (account isolation, firewall and access control, logging and cascade pattern, identity and access management, key/secret management).
Audience Take Away:
- When starting a cloud security journey, or when already on one, what you should do and consider.
- The key security elements to consider from day 1 to delivery.
- Automation, and why it is so vital to automate security vulnerability handling.

Published in: Technology


  1. Is the Cloud Secure? It’s easy if you do it smart. CSA AGM 2019 - HSBC (London). @FrankSEC42 https://uk.linkedin.com/in/fracipo
  2. (image-only slide)
  3. Is the Cloud Secure? It’s easy if you do it smart (title slide repeated)
  4. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd. Agenda: About the author; Context: How things have changed; The problem and the ideal world; Solution to reach there; Conclusions & Take Away; Q&A. CSA Conference & Awards.
  5. About Francesco. Francesco Cipollone, Founder – NSC42 LTD. I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert, Public Speaker, Researcher and Director of Events of Cloud Security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks. Links: FC-LinkedIn, E-Mail, Website, Articles, NSC42 LinkedIn. Security is everybody’s job. Security is challenging: we have to know an inch deep and miles wide.
  6. How Things Have Changed. How did we evolve to reach here? What is the impact on security?
  7. Cloud Evolution (timeline figure): from Datacentre Land in 2005 to Cloud Adoption in 2014, with the years 2005, 2006, 2007, 2008, 2010, 2011, 2012, 2013 and 2014 marked.
  8. Challenges. Security challenges in cloud transformations? - Increasing number of breaches - Impact on cost (brand, fines, …) - Fast change - No collaboration between teams and security. Security is everybody’s responsibility.
  9. Major Breaches (timeline figure, 2009/2010 to 2019). Why is security everybody’s responsibility? Because we all get affected by it… Breaches shown: Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US Retailers, Adobe, Ubisoft, Court Ventures, …
  10. Major Breaches (image-only slide)
  11. Challenges (repeat of slide 8)
  12. Ideal cybersecurity world. In an ideal cybersecurity world we would have infinite time, infinite resources to do things right, and all the boring chores would be automated.
  13. Solutions: 1. Cloud Responsibility Matrix 2. Cloud Foundation 3. Cloud Patterns 4. Design Security 5. Security by Design 6. Dev shift left 7. Security Testing 8. DEV-SEC-OPS + BIZ/ARCH. Security by design = everyone participates in security.
  14. Step 1 - Cloud Responsibilities (shared responsibility diagram). The customer defines and controls security IN the cloud: Application & Content, Network Security, Identity & Access Control, Operating System/Platform, Data Encryption. The cloud platform takes care of security OF the cloud: Physical Infrastructure, Network Infrastructure, Virtualization Layer. “Understand shared responsibility model delegation and you’ll master cloud.” Consider what you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure.
  15. Step 1 - Cloud Pizza. IaaS, PaaS, SaaS, … Who cares, give me pizza!
  16. Step 2 – Foundation. How do you build a solid house? You don’t skip the foundation! How do you build a solid cloud? You don’t skip the foundation!
  17. Step 2 – Foundation. How do you build a solid cloud (security) foundation? 1. Management support 2. Disruption and strategy 3. Security as part of the cloud journey 4. Skills shortages 5. Architecture patterns & re-use. Culture, management support and skills.
  18. Step 2 – Foundation. What tools do you use for the solid cloud (security) foundation?
  19. Step 3 – Cloud Patterns. - Account isolation - Controls: traditional vs cloud - Logging and monitoring - Identity and access management - Key management. “There is no such thing as a free lunch… but leverage patterns as a starting point.”
  20. Step 4 – Design Security. “How would you expand the security team without expanding the team?” “Train software engineers on security and you’ll have an ‘extended security team’.”
  21. Step 5 – Security by Design. “So what would the software engineer do with the security hat on?” “Gamification… remember to have fun when doing your job.” “How do we make threat security fun?”
  22. Step 6 – Shift left in DEV. “Security as early as possible: integrate security in the software development pipeline.” Keep the threat or fraud model exercise concise and fun! Don’t overcomplicate.
  23. Step 7 – Security in Test. “Security (testing) as early as possible.” Security testing as a bug bounty program! Make it fun and rewarding.
  24. Step 8 - DEV–SEC–OPS(BIZ). What kind of animal is DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ). Security is everybody’s responsibility. Integrating security: low cost, high impact. Reward security effort.
  25. The Future. “Cybersecurity due diligence will remain the same regardless of the technology chosen.”
  26. Conclusions. - Evolution & challenges - Ideal world and steps to reach it - What’s in the future. Security in the journey to the cloud, not at the destination. Security is everybody’s job.
  27. CSA-UK - We need you: Mentoring, Research, Events, Networking. Twitter: @csaukchapter. LinkedIn: https://www.linkedin.com/groups/3745837/ Join!
  28. #MentoringMonday Call, every fortnight, 1.30 PM UK time. @FraSEC42
  29. Cyber Security Awards 2019 – Cloud Security Influencer of the Year. Submission: 10 May 2019. Ceremony: 4 July 2019. #CYSECAWARDS19 Info: https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com
  30. Q&A
  31. Contacts. Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY. @FrankSEC42
