Cloud Security: A Business-Centric Approach in 12 Steps

The move to the cloud is being driven by the business (not IT), yet we continue to take an IT-centric (applications, servers, CPUs, etc.) approach to cloud security. We propose a way forward to address this incongruence: a recipe based on interactions with CIOs, CSOs and business leaders all over the world.

Published in: Technology, Business
  • @marklane0913, you are correct - this model does not work for every situation.
  • nice work but I think perhaps missing some aspects, in other words, this one-size model does not work effectively in mid to large corporations. You have the service delivery models identified correctly but not the usage patterns from the perspective of single user (use of the cloud) vs. team/group (use of the cloud) vs. Operations or Enterprise --- in other words, the 12-step does not work for a single person who is requesting Skype or the like
  • @Jaroslaw, I have a separate deck where I define these three terms. Here are the definitions in a nutshell:
    CoIT: Users exerting influence on their corporate IT departments and expecting them to become more user-centric
    DoIT: Organization with limited resources now have access to the enterprise class IT capabilities that previously were the realm of the largest enterprises and govts (leveling of IT playing field)
    LoI: information being available, accessible, produce-able, consume-able and share-able anywhere by anyone on any device at anytime
  • Very interesting presentation but I need some definition:
    1. Democratization of IT
    2. Consumerization of IT
    3. Liberation of Information
    I think that in slide No 3 User and Data can be named 'Data as a Service'

    Best regards
    Jaroslaw Stawiany
  • Each of these trends is working to liberate information in one way or another. Which of these trends is relevant to your customer… and how can you help them solve these requirements? Top Biz Tech Trends taken from Vz press release on 11/15/2011
  • [Source: IBM] 1 Quintillion = 1 million terabytes. It is here to stay. Anywhere vs. everywhere?
  • Data is what the business cares about and its ownership (unlike that of network, compute, platform, applications) can't be outsourced. It is the common denominator. The (perceived) data owner is always responsible from a compliance and reputation standpoint. 4-methylimidazole, Coca Cola
  • How much is the data worth protecting? Who has access to the data? What business processes do the data power? What controls are in place? Do the clouds have sufficient implementable controls and sufficient visibility? Can compliance be demonstrated?
  • Standard -> Feasible -> Implemented
  • This is perhaps the most important step in becoming comfortable w/ the notion of moving sensitive data into the cloud. If we use parents as a metaphor for a CIO, then parents' most important asset is their children; the CIO's is data. When parents make the decision to move their most important asset to a third party location (e.g.: day care) they may do it for similar reasons as the CIO moves data to the cloud: economic, agility, etc. A parent feels much more comfortable leaving their child in a daycare facility if they know they can see their child at any time during the day by going online and looking at the live webcam footage. The idea behind #12 is to provide the CIO an equivalent level of visibility to a parent remotely watching their child, so they can rest assured that their most valuable asset is being well taken care of. What does this visibility look like: audits, vuln scans, application logs, user access info, IDS / FW incidents, deep packet capture, etc.
  • For the latest version, please contact Omar Khawaja. CREST approved penetration tester. Actively participates in 30+ standards / certification bodies, professional organizations and vertical specific consortia
  • DBIR Video: http://www.verizonenterprise.com/resources/media/large-133871-DBIR+2013.xml DBIR Sales
  • Solutions = MgdSvcs + Intelligence + Consulting. This is the ONE slide that describes our security story and portfolio. Data-centric is a stepping stone to business-centric.
  • Cloud Security: A Business-Centric Approach in 12 Steps

    1. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. PID# Cloud Security: Aligning it to the business in 12 steps. Omar Khawaja, June 2013
    2. @smallersecurity LOICm-
    3. @smallersecurity What's the common theme? Top Business Technology Trends: High-IQ Networks; Enterprise Clouds; Big Data; Social Enterprise; Video; Personalization of Service; Consumerization of IT; M2M2P; Compliance; Energy Efficiency. Annotations: …make it easier to transport data; …store data in disparate places; TMI; …make it easier to produce / share data; Data is worth more than ever before; Humans don't have monopoly on data; …mandates protection of certain data; ???
    4. @smallersecurity Is liberation of information good? Mobility and Cloud: 2 sides of the same coin. Cloud; Mobility; Democratization of IT; Consumerization of IT; Liberation of Information
    5. Setting the stage…
    6. @smallersecurity Risk Management in the Cloud: What Matters? Users; Data; Applications; Compute / Storage; Network; Physical; Platforms; ??? SaaS / PaaS / IaaS
    7. Implementing data-centric security in the cloud
    8. @smallersecurity Data-Centric Security for Cloud: Key Ingredients. Data; Users; Business Processes; Clouds; Controls; Compliance
    9. @smallersecurity Data-Centric Security for Cloud: A Recipe…
        1. Define business relevance of each data set being moved to the cloud
        2. Classify each data set based on business impact
        3. Inventory data
        4. Destroy (or archive offline) any unnecessary data
        5. Inventory users
        6. Associate data access with business processes, users, roles
        7. Determine standard control requirements for each data set
        8. Determine feasible controls for each cloud environment
        9. For each data set, identify acceptable cloud environments
        10. Ensure only users that need access to data have appropriate access to it
        11. Identify and implement appropriate controls across each cloud environment
        12. Validate and monitor control effectiveness
        Controls: App Security; Anti-X; Config Mgmt; DLP; Encryption; IAM, NAC; Patching; Policy Mgmt; Threat Mgmt; VPN; Vuln. Mgmt; …
        Control domains: Risk Assessment; Security Policy; Organization of Info Security; Asset Management; Human Resources Management; Physical & Environment Security; Comms & Ops Mgmt; Access Control; Info Systems Acquisition, Dev, & Maint.; Info Security Incident Management; Business Continuity Management; Compliance
    10. @smallersecurity One Caveat… Variations exist: SaaS vs. PaaS vs. IaaS; Public vs. Private vs. Hybrid; Geography-Specific; …
    11. @smallersecurity 1. Define Business Relevance of Each Data Set Being Moved to the Cloud. Data Set 1: Business Processes ABC, GHI. Data Set 2: Business Processes DEF, GHI. Data Set 3: Business Processes ABC, JKL.
    12. @smallersecurity 2. Classify Each Data Set Based on Business Impact. Data Set 1 (Business Processes ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL); impact levels LOW, HIGH, MEDIUM
    13. @smallersecurity 3. Inventory Data (Technical & Consultative)
    14. @smallersecurity 4. Destroy (or Archive Offline) any Unnecessary Data
    15. @smallersecurity 5. Inventory Users. User Role 1; User Role 2; User Role 3
    16. @smallersecurity 6. Associate Data Access w/ Business Processes, Users, Roles. Data Set 1 (ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL); impact levels LOW, HIGH, MEDIUM; User Role 1, User Role 2, User Role 3
    17. @smallersecurity 7. Determine Standard Control Requirements for Each Data Set. Data Set 1 (ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL); impact levels LOW, HIGH, MEDIUM; Standard Control Requirements 1, 2, 3
    18. @smallersecurity 8. Determine Feasible Controls for Each Cloud Environment. Cloud 1, Cloud 2, Cloud 3; Feasible Controls 1, 2, 3
    19. @smallersecurity 9. For Each Data Set, Identify Acceptable Platforms
    20. @smallersecurity 10. Ensure Only Users that Need Access to Data Have Appropriate Access to it. Data Set 1 (ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL); impact levels LOW, HIGH, MEDIUM
    21. @smallersecurity 11. Identify & Implement Appropriate Controls Across Each Cloud Environment. Implemented Controls (per cloud)
    22. @smallersecurity 12. Validate and Monitor Control Effectiveness
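    The slides above present steps 7 through 12 as diagrams (data sets with their business processes and impact class, per-cloud feasible controls, role-to-process links, implemented controls). The following is an added worked example, not code from the deck or from Verizon, that turns those diagrams into a small checkable model: step 9 admits a cloud only when its feasible controls cover a data set's standard requirements, step 10 flags users whose role touches none of the data set's business processes, and step 12 lists standard controls the hosting cloud has not implemented. Data set, role and business process names follow the slide labels; the impact classification of each data set, the control mapping per class, the cloud capabilities, the users, the access grants and the hosting placement are constructed assumptions for illustration.

```python
# Added worked example (not from the Verizon deck): a small model of steps 7-12 of the
# recipe. The data sets, roles and business processes mirror the slide labels; the
# classifications, control mapping, cloud capabilities, users, access grants and hosting
# placement are constructed for illustration and are assumptions, not figures from the deck.
from dataclasses import dataclass

# Step 7 (assumption): standard control requirements keyed by business-impact class,
# using control names that appear on the "Recipe" slide.
STANDARD_CONTROLS = {
    "HIGH": {"Encryption", "DLP", "IAM", "Patching", "Vuln. Mgmt", "Threat Mgmt"},
    "MEDIUM": {"Encryption", "IAM", "Patching", "Vuln. Mgmt"},
    "LOW": {"IAM", "Patching"},
}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str            # step 2 result: LOW / MEDIUM / HIGH
    business_processes: frozenset  # step 1 result


@dataclass(frozen=True)
class Cloud:
    name: str
    feasible_controls: frozenset     # step 8: what this environment can enforce
    implemented_controls: frozenset  # step 11: what has actually been turned on


# Constructed sample inventory (steps 1-6); the classification per data set is assumed.
DATA_SETS = [
    DataSet("Data Set 1", "HIGH", frozenset({"ABC", "GHI"})),
    DataSet("Data Set 2", "MEDIUM", frozenset({"DEF", "GHI"})),
    DataSet("Data Set 3", "LOW", frozenset({"ABC", "JKL"})),
]
CLOUDS = [
    Cloud("Cloud 1",
          frozenset({"Encryption", "DLP", "IAM", "Patching", "Vuln. Mgmt", "Threat Mgmt", "VPN"}),
          frozenset({"Encryption", "IAM", "Patching", "Vuln. Mgmt"})),
    Cloud("Cloud 2",
          frozenset({"Encryption", "IAM", "Patching", "Vuln. Mgmt"}),
          frozenset({"Encryption", "IAM", "Patching", "Vuln. Mgmt"})),
    Cloud("Cloud 3", frozenset({"IAM", "Patching"}), frozenset({"IAM"})),
]
# Step 6: which business processes each role supports, and which role each user holds.
ROLE_PROCESSES = {"User Role 1": {"ABC"}, "User Role 2": {"DEF", "GHI"}, "User Role 3": {"JKL"}}
USERS = {"alice": "User Role 1", "bob": "User Role 2", "carol": "User Role 3"}
# Access grants as currently found in the environments (constructed).
ACCESS = {"Data Set 1": {"alice", "bob", "carol"}, "Data Set 2": {"alice", "bob"}, "Data Set 3": {"carol"}}
# Step 11 placement decision (constructed): where each data set actually lives.
HOSTING = {"Data Set 1": "Cloud 1", "Data Set 2": "Cloud 2", "Data Set 3": "Cloud 3"}


def standard_controls(ds):
    """Step 7: the control set a data set of this impact class must have."""
    return set(STANDARD_CONTROLS[ds.classification])


def acceptable_clouds(ds, clouds):
    """Step 9: a cloud is acceptable only if its feasible controls cover every standard requirement."""
    required = standard_controls(ds)
    return sorted(c.name for c in clouds if required <= c.feasible_controls)


def excess_access(ds, access, users, role_processes):
    """Step 10: users holding access whose role supports none of the data set's business processes."""
    return sorted(u for u in access.get(ds.name, set())
                  if not (role_processes[users[u]] & ds.business_processes))


def control_gaps(ds, cloud):
    """Step 12: standard requirements the hosting cloud has not (yet) implemented."""
    return sorted(standard_controls(ds) - cloud.implemented_controls)


def review_all():
    """Run steps 9, 10 and 12 over the inventory; one finding record per data set."""
    by_name = {c.name: c for c in CLOUDS}
    report = {}
    for ds in DATA_SETS:
        host = by_name[HOSTING[ds.name]]
        acceptable = acceptable_clouds(ds, CLOUDS)
        report[ds.name] = {
            "acceptable": acceptable,
            "hosted_on_acceptable": host.name in acceptable,
            "excess_access": excess_access(ds, ACCESS, USERS, ROLE_PROCESSES),
            "gaps": control_gaps(ds, host),
        }
    return report


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, findings)
```

    With the sample inventory, the HIGH data set is admissible only to Cloud 1 (the only environment where DLP and threat management are feasible), yet Cloud 1 has not implemented those two controls, so step 12 reports them as gaps; carol's access to Data Set 1 and alice's access to Data Set 2 are flagged because their roles support none of those data sets' business processes. The same three checks can be re-run after every change to the control or access inventory, which is the "monitor" half of step 12.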
    23. @smallersecurity Finally…
        • Start with the business context, not the security controls
        • Classify based on the business value, not the IT value
        • Controls have to be standard, feasible, implemented and monitored
        Data* and Users can't be outsourced! (*Ownership of data)
    24. @smallersecurity Security Leadership: Why Verizon?
        Industry Recognition: Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester); Founding and Executive Member of Open Identity Exchange; Security Consulting practice recognized as a Strong Performer (Forrester); ICSA Labs is the industry standard for certifying security products (started in 1991)
        Credentials: More PCI auditors (140+ QSAs) than any other firm in the world; HITRUST Qualified CSF Assessor; Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia; Personnel hold 40+ unique industry, technology and vendor certifications
        Global Reach: 550+ dedicated security consultants in 28 countries speak 28 languages; Investigated breaches in 36 countries in 2011; 7 SOCs on 4 continents manage security devices in 45+ countries; Serve 77% of Forbes Global 2000
        Experience: Verizon's SMP is the oldest security certification program in the industry; Analyzed 2500+ breaches involving 1+ Billion records; Manage identities in 50+ countries and for 25+ national governments; Delivered 5000+ security consulting engagements in the past 3 years
        ISO 9001; ISO 17025
    25. @smallersecurity An unparalleled perspective on IT security threats: 2013 DBIR
        Some highlights:
        • 84% of initial compromises took hours or less.
        • 76% exploited weak or stolen credentials.
        • 78% of intrusions required little or no specialist skills or resources.
        • (figure not in transcript) of breaches lie undiscovered for months
        • (figure not in transcript) of breaches are detected by 3rd party
        • 47,000+ security incidents analyzed.
        • 621 confirmed data breaches investigated.
        • 19 international contributors, including law enforcement, government agencies and other private companies.
        • 6th consecutive year.
        Find out more at verizonenterprise.com/DBIR/2013
    26. @smallersecurity Global Capabilities: Countries where Verizon currently has clients
    27. @smallersecurity Verizon's Security Portfolio: Protecting what the business cares about. 6 security solution areas: Data Protection; Governance, Risk & Compliance; Identity & Access Mgmt; Investigative Response; Threat Mgmt (MSS); Vulnerability Mgmt
