Cloud Security Evolution
Jay Harrison
Technical Operations Site Reliability Engineering Manager, EMEA
My credentials
22 years in the industry, a decade in the cloud
Technical Operations & SRE at
● Okta - billion dollar cloud SaaS integrator
● Centrica Hive - IoT company - millions of devices
● EA Games, Playfish - social media games - over a billion players
Previous talks on this topic at
● AWS London Summit 2018
● Computing Cloud & Infrastructure Summit 2017
● Cloud World Forum 2015
Who am I and why am I here
Leading independent provider of identity for the enterprise
- 2017 & 2018 Leader, Gartner Magic Quadrant for Access Management, Worldwide
● Built in the cloud, compatible with on-prem
● Over 6,000 pre-built applications and infrastructure provider integrations
● Over 6,100 customers, including 21st Century Fox, Experian, Adobe, Gatwick Airport, Western Union.
● Hundreds of millions of users & billions of authentications per month
Evolution of Cloud Services
Amazon Web Services (AWS) in 2006
Google Cloud Platform (GCP) in 2008
Rackspace Cloud in 2009
Microsoft Azure & OpenStack in 2010
Oracle Cloud Infrastructure v2 in 2018
All started with compute and storage as MVP
All have iterated towards full IaaS, SaaS, PaaS vendors
Compliance is built in - SOC, PCI-DSS, FIPS, ISO, HIPAA
Public cloud services accrued $175.8 billion in revenue
in 2018
… we can be far more secure in the
cloud and achieve a higher level of
assurance at a much lower cost …
- John Brady, FINRA, 2017
Evolution of Threats
Phone Phreaks & Script Kiddies
Organised Hacker groups
Virus & Malware distributors
Cyber Vandalism
Phishers & Social Engineers
Ransomware & Botnet collectives
Nation State Actors
Ever more sophisticated attacks
With threat actors now able to access data
owned by larger organisations through
smaller businesses within the chain, it’s no
longer enough for enterprises to
understand just their own security set up.
- Chris O’Brien, EclecticIQ, 2018
Distribution of Threats
Victims
● 10% financial industry
● 15% healthcare organisations
● 16% public sector entities
● 43% small business
Tactics
● 4% physical action
● 15% misuse by authorised users
● 21% caused by errors
● 28% malware
● 33% social attack component
● 52% hacking
Actors
● 34% involved internal actors
● 69% involved outsiders
● 23% identified as nation-state or state-affiliated
● 39% organised criminal groups
Commonalities
● 25% for strategic advantage gain (espionage)
● 29% use of stolen credentials
● 32% involved phishing
● 56% took months or longer to discover
● 71% financially motivated
Verizon 2019 Data Breach Investigations Report
Evolution of the Responses
Dedicated roles
● DevSecOps
● Offensive/Defensive Engineers (Red/Blue Teams)
● Security Data Scientist
● Security and Compliance Analyst
● Security Automation
● Security Architect
● CSO/CISO
Dedicated products
● Security information and event management (SIEM)
● Intrusion Detection/Prevention
● Customer Identity and Access Management (CIAM)
● Penetration & DDOS protection
● Device Trust & Endpoint Protection
● External Audit & Compliance
More and more security frameworks and
regulations require a dedicated security
officer, and it is a best practice in all but the
smallest of organizations.
- Derek Boczenowski, Compass Compliance, 2018
Evolution of Technology
Cloud vendors know their services & have
the closest integrations
Cloud Vendor Solutions
● AWS GuardDuty
● Azure Sentinel
● GCP Cloud Security Scanner
Traditional tools & approaches rarely work
● Unable to cope with scale & pace of change
● Don’t account for new factors
Security as Code
● Automated Policy Governance
● Security configuration under source control
Enterprise Cloud Security is a
big-data problem
- Shannon Lietz, Intuit, 2015
Evolution of Security Models
The network perimeter can no longer be the
only line of defence
Defence in Depth
● Physical Security
● Secure Hiring Practices
● Secure User Access with MFA
● Secure Local Environments
● Policy, Procedure & Awareness
● Defensive Programming
● Data Encryption at rest and on the wire
● Network Compartmentalisation
● Least Privilege for both users and software
● Vulnerability Management
● Secure OS
● Attack & Intrusion detection
● Monitoring & Alerting
Thanks to the rise of cloud services and
remote working … what matters now is how
people access their resources, no matter
where in the world they come from.
- Yassir Abousselham, Okta, 2018
Evolution of the Perimeter
Zero trust approach
● People, workloads, and devices are just as untrustworthy as network traffic
● 81% of data breaches involve stolen/weak credentials
● 91% of phishing attacks target credentials
● 73% of passwords are duplicates
Authentication and Authorisation
● Pervasive
● Skeptical
● Adaptive
● Contextual
● Automated
● Centralised
Identity is the new perimeter
- John Hawley, CA Technologies, 2012
Security as a Keystone
It’s not just the remit of Engineering,
CSO/CISO, HR or Building Security
Keys to success
● Detect and resolve issues quickly
● Use native security capabilities wherever possible
● Enlist and enable the entire organisation
● Educate progressively and in simple chunks
● Review policy, procedure and permissions regularly
Security is everyone’s problem
- Robert Reeves, Datical, 2016
Thank you
Questions?
