Security & Compliance in the Cloud
DefCamp 2019
Bucharest, November 7th, 2019
Tudor Damian
• Managing Partner & CIO @ Avaelgo
• Offering Peace of Mind as-a-Service
• IT Advisory, Cloud Strategy, Managed Services, IT Security, Training
• Co-founder @ ITCamp & ITCamp Community
• Cloud and Datacenter Management MVP (Microsoft)
• Certified Ethical Hacker (EC-Council)
• Certified Security Professional (CQURE)
• Contact: tudor.damian@avaelgo.ro / tudy.tel
Objectives
• Why the Cloud?
  • Digital Transformation & current Cloud adoption trends
• How to get there?
  • Defining a strategy to move to the Cloud
• I’m there, now what?
  • Security & Compliance in the Cloud
• What’s next?
  • Key takeaways & next steps
• Case study:
  • Example: Microsoft Azure
  • Our approach (Avaelgo)
(The mirage of) Digital Transformation
The pitfalls of Digital Transformation
• A recent survey found that Digital Transformation (DT) is the #1 concern (the biggest predicted risk factor) in 2019 for directors, CEOs and senior executives (WSJ)
• Yet nearly 70% of all DT initiatives do not reach their goals: of the $1.3 trillion spent in 2018, $900 billion went to waste (Forbes)
• Most digital technologies provide possibilities for efficiency gains
• If people lack the right mindset to change and if current organizational practices are flawed, DT will only magnify those flaws
Sources:
https://blogs.wsj.com/riskandcompliance/2018/12/05/businesses-predict-digital-transformation-to-be-biggest-risk-factors-in-2019/
https://www.forbes.com/sites/forbestechcouncil/2018/03/13/why-digital-transformations-fail-closing-the-900-billion-hole-in-enterprise-strategy/#4f74e9207b8b
[Chart: Digital Transformation initiatives (2018): 69% failed, 31% successful]
What is there to do?
• Figure out your business strategy before you invest in anything
  • Figure out what’s important: speed, innovation, digitalization, production lead times, increased time-to-market, improved use of data, enhanced supply chain, etc.
• Leverage insiders
  • Don’t just rely on outside consultants; use staff with intimate knowledge about what works and what doesn’t
• Design the customer experience from the outside in
  • Ask your customers for feedback; have them describe your strengths and weaknesses
• Recognize employees’ fear of being replaced
  • People may unconsciously resist change if they feel their job is at stake
• Learn from the start-up culture
  • Agile decision making, rapid prototyping, flat structures, fail fast
What does today look like for you?
• No technology strategy
• IT purchasing decisions made “on the spot”
• New PCs bought ad-hoc; PCs refreshed when dead
• Employees using personal mobile devices
• Open LDAP
• “Good enough” platforms
• Legacy back office
• Fragmented end-point solutions
What does today look like for you? (continued)
• Increasingly complex demands
• Multiple tech products
• Multiple technology vendors servicing a single client
• Tougher competitive environment
• Race-to-the-bottom pricing impacts deal profitability
• Custom solutions required for interoperability
• Cross-platform device management requirements
• Greater effort to maintain the customer base
• Difficulty differentiating the brand
• Increased implementation and management complexity
• Increased security exposure
• Need to source best-of-breed solutions
So, why the Cloud?
Cloud migration will continue to grow
Companies are already in the Cloud
Why the Cloud? (examples)
• Cost control: utility services can cost less overall even though their unit price is higher
  • Higher cost per unit of time than leasing or an upfront purchase
  • Zero cost when not used
• Efficiency & scalability: on-demand is better than prediction
  • Forecasting is an estimate, often wrong, sometimes impossible
  • Better to be able to scale up or down “immediately” depending on demand
• Workloads: address odd workload patterns
  • On-and-off, growing fast, unpredictable bursting, predictable bursting
• Innovation: access to technology not available on-premises
  • Making use of Cloud-native solutions (e.g. AI, ML, DBs, storage)
  • Consolidating platforms, technologies, expertise
• Starting up: new company, startup, spinoff, new market, etc.
• Security & compliance: GDPR, data protection, data classification, etc.
Common Cloud challenges
• Identity & Data
  • Data Classification & Labeling, Data Protection
  • Monitoring & Response
• Geography
  • Multi-geo deployments & GDPR
  • Latency
• Financials
  • OPEX vs CAPEX
  • Understand PAYG vs CSP vs EA vs MCA (the purchasing channels: Pay-As-You-Go, Cloud Solution Provider, Enterprise Agreement, Microsoft Customer Agreement)
  • Understand the constants and variables in Cloud consumption
  • Apply relevant tools for cost visualization, control and budgeting
• Governance
  • Cloud subscriptions will get very messy very quickly without proper governance
  • Locks, Groups, Tags, Policies, Auditing & Monitoring: they all have little value unless properly understood and employed
• Process
  • This is not a walk in the park; it’s a lengthy and rather complex project
The Cloud migration journey
Types of Migrations (The R’s of Migration)
Rehost: redeploy applications to a different (newer) hardware environment, i.e. lift & shift to IaaS. Rehosting an application without making changes to its architecture can provide a fast cloud migration solution.
Refactor: run applications on a cloud provider’s platform (PaaS). Applications/workloads may need to be modified slightly to run on the cloud provider’s platform.
Revise: modify or extend the existing code base to support modernization requirements, then use the rehost or refactor options to deploy to the cloud.
Rebuild: re-architect the solution. Discard the code of the existing application/solution and leverage newer and innovative cloud services (like PaaS).
Replace: discard an existing application (or set of applications) and use commercial software delivered as a service (SaaS).
Retire/Retain: discard completely or do not move. Some applications may not be used by anyone; others may simply be impossible to move!
Responsibility zones in the Cloud
Example (shared responsibility per layer, plotted across On-prem | IaaS | PaaS | SaaS)
Always retained by the customer:
• Data classification, governance, accountability & rights management
• Client endpoint protection
• Account access & management
Varies by service type (customer-owned on-prem and in IaaS; increasingly shared with or owned by the provider as you move to PaaS and SaaS):
• Identity & directory infrastructure
• Application-level controls
• Network controls
• Virtual OS controls
Transfers to the Cloud Provider (in IaaS, PaaS and SaaS; customer-owned only on-prem):
• Physical hosts
• Physical network
• Physical datacenter
Migration triggers
PaaS migrations are even more fun ☺
• Is the app modern or legacy?
• Topology
• Transient faults
• Latency, performance
• Security and compliance
• Maintainability
• DevOps
• Degree of technology lock-in
• Multi-tenancy
• Cloud perception
• New features, possible only in the Cloud
• Application architecture guidance
The Security & Compliance talk
Understanding cloud security controls
What does the Cloud do for me? What do I still need to do?
(Each control area is plotted across On-premises | IaaS | PaaS | SaaS)
1. Security Strategy, Governance, and Operationalization: Provide clear vision, standards and guidance for the company
2. Administrative Control: Defend against loss of control of your Cloud services and on-premises systems
3. Data: Identify and protect your most important information assets
4. User Identity and Device Security: Strengthen protection for accounts and devices
5. Application Security: Ensure application code is resilient to attacks
6. Network: Ensure connectivity, isolation, and visibility into anomalous attacks
7. OS and Middleware: Protect the integrity of (virtual) hosts
8. On-prem / private environments: Secure the foundation
GRC – are you doing it today?
Governance, Risk management & Compliance
• Governance, risk management & compliance (GRC) are three facets that help to ensure that an organization meets its objectives
• Goals:
  • Keeping risk at acceptable levels
  • Maintaining availability of systems and services
  • Complying with relevant laws and regulations
  • Protecting customer and internal data
GRC – items in focus
Governance, Risk management & Compliance
• Regulatory compliance (e.g. PCI-DSS, HIPAA, CDSA, MPAA, etc.)
• Data governance (e.g. DLP, encrypting PII, geo location, etc.)
• Financial governance (e.g. CAPEX vs OPEX, prediction, cost centers, etc.)
• Change management (e.g. DevOps, user & organization readiness, etc.)
• ITIL, COBIT & the Cloud
  • Strategy, Design, Transition, Operation & Improvement
  • Ensure clear ownership & responsibilities
  • Better manage IT investments
  • Identify & handle IT risk
Traditional approach needs rethinking
[Diagram: Development pulls toward Speed, IT Governance pulls toward Control]
Built-in Cloud-native governance
[Diagram: Speed and Control together. Example: Azure Governance, where Development and the Cloud Custodian share Templates, Policies, RBAC, Blueprints, Management Groups, Cost Management and Resource Graph]
Sacrifice Speed for Control (traditional approach)
[Diagram: Developers → Operations → Cloud Custodian / Engineers responsible for the Cloud environment; changes pass through a workflow]
Speed and Control (Cloud-native governance)
[Diagram: Developers and Operations work within built-in controls enforced through policy instead of workflow; the Cloud Custodian Team defines those controls]
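To make “built-in controls through policy instead of workflow” concrete, and the earlier point that Locks, Tags and Policies only pay off when understood, here is an added example; it is not code from the talk, from Avaelgo or from Microsoft. Three rules are written in the Azure Policy definition syntax (allowed locations, a required tag, HTTPS-only storage accounts), and a small Python evaluator applies them to constructed resource records. The evaluator is a deliberately reduced model of how the policy engine reads a rule (field conditions, allOf/anyOf/not, parameters() references); the inlined parameter values, the alias-to-property mapping and the sample resources are assumptions made for the illustration.

```python
"""Azure Policy style rules evaluated against sample resources.

Added illustration, not the Azure policy engine: a reduced evaluator for the
rule grammar of Azure Policy definitions (field / equals / notEquals / in /
exists leaves, allOf / anyOf / not combinators, [parameters('...')] references).
"""
import json
import re

# Rules use the real "policyRule" shape. Assumption: parameter *values* are
# inlined under "parameters"; in Azure an assignment supplies them separately.
POLICIES = [
    {"displayName": "Allowed locations (data residency / GDPR)",
     "parameters": {"allowedLocations": ["westeurope", "northeurope"]},
     "policyRule": {
         "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
         "then": {"effect": "deny"}}},
    {"displayName": "Require a cost-center tag",
     "parameters": {"tagName": "costCenter"},
     "policyRule": {
         "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
         "then": {"effect": "deny"}}},
    {"displayName": "Storage accounts must require secure transfer",
     "parameters": {},
     "policyRule": {
         "if": {"allOf": [
             {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
             {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
              "notEquals": "true"}]},
         "then": {"effect": "deny"}}},
]


def resolve(expr, params):
    """Resolve the two template expressions used above:
    [parameters('x')] and [concat('lit', parameters('x'), 'lit')]."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr  # plain literal
    body = expr[1:-1]
    m = re.fullmatch(r"parameters\('(\w+)'\)", body)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", body)
    if m:
        parts = re.findall(r"'([^']*)'|parameters\('(\w+)'\)", m.group(1))
        return "".join(lit if lit else str(params[name]) for lit, name in parts)
    raise ValueError(f"unsupported expression: {expr}")


def get_field(resource, field):
    """Read a policy field from a resource record. Assumption: an alias such as
    Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly maps to the
    property named by its last segment (Azure keeps a real alias catalogue)."""
    if field in ("name", "type", "location", "kind"):
        return resource.get(field)
    m = re.fullmatch(r"tags\['?([^\]']+)'?\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    if "/" in field:
        return resource.get("properties", {}).get(field.rsplit("/", 1)[1])
    raise ValueError(f"unsupported field: {field}")


def _norm(value):
    # Compare as case-insensitive strings; a missing field stays None, so
    # "notEquals: true" also catches resources that never set the property.
    return None if value is None else str(value).lower()


def evaluate(cond, resource, params):
    """True when the condition matches, i.e. the 'then' effect applies."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = get_field(resource, resolve(cond["field"], params))
    if "equals" in cond:
        return _norm(actual) == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return _norm(actual) in {_norm(v) for v in resolve(cond["in"], params)}
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def denials(resource, policies=POLICIES):
    """Display names of the policies whose deny effect blocks this resource."""
    return [p["displayName"] for p in policies
            if p["policyRule"]["then"]["effect"] == "deny"
            and evaluate(p["policyRule"]["if"], resource, p["parameters"])]


# Constructed sample resources, not taken from a real subscription.
SAMPLE_RESOURCES = [
    {"name": "stgprod01", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"costCenter": "CC-1001"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stgtest02", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vm-legacy", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
     "tags": {"costCenter": "CC-2002"}, "properties": {}},
]


def audit(resources=SAMPLE_RESOURCES, policies=POLICIES):
    """Map each resource name to the policies that would deny it at deployment."""
    return {r["name"]: denials(r, policies) for r in resources}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

The point of the exercise is the last column of the output: stgtest02 is refused by all three rules before anyone reviews a ticket, while the compliant storage account and the VM pass untouched. In Azure the same definitions would be assigned at a management group so every subscription beneath it inherits the control, and the deny effect runs inside the Resource Manager request rather than in code like this.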
Cloud security & compliance challenges
• 3rd and 4th party risk
  • Customers: responsible for implementing security in the cloud application
  • SaaS providers: responsible for security in the cloud
  • Cloud service providers: responsible for security of the cloud
• Analyze costs and benefits of Cloud migration
• Operational consistency
• Information visibility
• Advanced threats
Building a Cloud-ready Security strategy
• Understanding your business challenge
  • Data-centric threat defense
  • Proactive risk management
  • Continuous security & compliance
• Resolving your business challenge
  • Secure the Data, not the Cloud
  • Manage risk proactively, including doing an initial assessment
  • Implement foundational security, with compliance as a by-product
Microsoft Azure
Cloud Security & Compliance example
Example: Azure Compliance offering
Source: https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/
Global: ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
US Gov: Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, FIPS 140-2, SP 800-171, ITAR, CJIS, IRS 1075, Section 508 VPAT
Industry: HIPAA / HITECH Act, FERPA, GxP 21 CFR Part 11, PCI DSS Level 1, GLBA, FFIEC, MARS-E, HITRUST, CDSA, MPAA, FACT UK, Shared Assessments, IG Toolkit UK
Regional: EU Model Clauses, ENISA IAF, Privacy Shield, UK G-Cloud, Germany IT Grundschutz workbook, Spain ENS, Spain DPA, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, FISC Japan, Japan CS Mark Gold, Japan My Number Act, China GB 18030, China TRUCS, China DJCP, India MeitY, Canada Privacy Laws, Argentina PDPA
Physical Datacenter Security
Microsoft Azure
Perimeter: perimeter fencing; front entrance gate; 1 defined access point; video coverage; ongoing roaming patrols
Building: no building signage; 24x7x365 security operations; verified single-person entry; two-factor authentication with biometrics; video coverage; ongoing roaming patrols
Server environment: two-factor authentication with biometrics; metal detectors; video coverage of rack front & back; inability to identify the location of specific customer data; secure destruction bins; ongoing roaming patrols
Access process: employee & contractor vetting; background check; system check; access approval
Infrastructure Security
Microsoft Azure
• Data & network segregation
• Custom-built security hardware
• Integrated security attestation
• Endpoint restrictions
• DDoS mitigation
• Wargame exercises
• Continuous monitoring
• No standing access to production servers
• Incident response team
Network Security
Microsoft Azure
• Virtual network isolation
• Network Security Groups
• User-Defined Routing
• VPN configuration
• Web Application Firewall
• Network Firewall
• DDoS Protection
• ExpressRoute
Data Security
Microsoft Azure
• Single sign-on (AAD Connect)
• Azure RBAC & conditional access policies
• Multi-Factor Authentication
• Privileged Identity Management
• Azure Identity Protection
• Storage Service & Disk Encryption
• SQL TDE / Always Encrypted
• Key management system (Key Vault)
• Workload Protection (application whitelisting, JiT access)
• Azure Sentinel (SIEM)
Microsoft Cybersecurity Reference Architecture (https://aka.ms/MCRA)
[Diagram residue; labels recoverable from the slide: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (Wannacrypt/Petya); Video Recording; Strategies; Office 365; Dynamics 365; +Monitor; Azure Sentinel – Cloud Native SIEM and SOAR (Preview); SQL Encryption & Data Masking; Data Loss Protection; Data Governance; eDiscovery]
So, how do we do it?
Case study: Avaelgo
Example: Avaelgo 365
Avaelgo Cloud Managed Services Framework
Designed for: Envision, Readiness & Cloud Onboarding | Peace of Mind as-a-Service | Growth & Innovation
Cloud Strategy
• Incubation Workshop
• Learn-Try-Adopt
  o Hands-on training
  o Implementing POCs
• Define Cloud Strategy
  o Planning & Roadmap
Cloud Migrate
• Rehost (Lift & Shift)
• Refactor (PaaS)
• Revise (Re-architect)
• Rebuild (Cloud-native)
• Replace (SaaS)
• CI & CD (DevOps)
Cloud Optimize
• Proactive Support
• Governance & Security
• Budgeting & Cost Control
• Monitoring & Alerts
• DevOps & Automation
• Usage Optimizations
• Best Practices
Cloud Support
• Operational Baseline
• 24/7 SLA-based Support
• Root-Cause Analysis
• Critical Issue Escalation
• Config Management
• Business Continuity
• Disaster Recovery
Cloud Empower
• Power Platform Apps
  o PowerApps & Flow
  o PowerBI
• Avaelgo Pre-built Apps
• Technology Onboarding
• Custom Software Dev
  o Cloud-ready
  o AI & ML
Ongoing Advisory & Training
Wrapping up
Summary
• So, we’ve (briefly) discussed:
  • Why, when and how to move to the Cloud
  • Cloud migration, security & governance concerns
  • Example: Microsoft Azure
  • Case study: Avaelgo
• First steps:
  • Ensure you have a clear Cloud Strategy (including Security & Governance)
  • Discover what you’ve got and where you’re starting from
  • Don’t forget: you’re mostly just extending your existing practices to the Cloud
  • Consider the details: identity, geography, financials, monitoring, operations
Q & A
PEACE OF MIND
AS-A-SERVICE
CLOUD STRATEGY | MANAGED SERVICES | IT SECURITY | TRAINING
