Elastica Inc., profile picture
Uploaded byElastica Inc.
PPTX, PDF2,165 views

Reasoning About Enterprise Application Security in a Cloudy World

This document discusses security challenges with enterprise applications in cloud environments. It notes that traditional security controls are lost with different cloud layers and that visibility and understanding risks are important. The document outlines the threat lifecycle and how the landscape is changing. It argues that establishing baselines, choosing compensating controls, and incident detection and response are needed. Specific challenges with encryption, single sign-on, and application monitoring in cloud are discussed. The key takeaways are that cloud security problems are multifaceted and that visibility and action are important pillars across the threat lifecycle.

Embed presentation

Downloaded 43 times
Reasoning About Enterprise Application Security in a Cloudy World @Zulfikar_Ramzan / CTO / www.elastica.net
THREAT LIFECYCLE Firewalls, NGFW IDS/IPS, AV, AMP Forensics, IR Tools Rethinking Security: Being Threat Centric BEFORE Controls DURING Identification AFTER Response
Key Cybersecurity Hurdles Proliferation of New Technologies Evolution of Threat Landscape Increase of Complexity
GRC: What Matters? Compliance: Highly complex, one-size fits all, dynamic. What do you ultimately care about: Visibility. Have to understand risks we are trying to mitigate.
Traditional Security Operation Center (SOC)
Outside the Visibility of Existing SOC Unmonitored activities Outside SOC reach
Key Enterprise SaaS Security Challenges Make it work vs. Approval No Visibility App / Action No Events for SEIM to Consume
Application Security Over Time OWASP Top 10 – 2010 (old) OWASP Top 10 – 2013 (New) 2010-A1 – Injection 2013-A1 – Injection 2010-A2 – Cross Site Scripting (XSS) 2013-A2 – Broken Authentication and Session Management 2010-A3 – Broken Authentication and Session Management 2013-A3 – Cross Site Scripting (XSS) 2010-A4 – Insecure Direct Object References 2013-A4 – Insecure Direct Object References 2010-A5 – Cross Site Request Forgery (CSRF) 2013-A5 – Security Misconfiguration 2010-A6 – Security Misconfiguration 2013-A6 – Sensitive Data Exposure 2010-A7 – Insecure Cryptographic Storage 2013-A7 – Missing Function Level Access Control 2010-A8 – Failure to Restrict URL Access 2013-A8 – Cross-Site Request Forgery (CSRF) 2010-A9 – Insufficient Transport Layer Protection 2013-A9 – Using Known Vulnerable Components (NEW) 2010-A10 – Unvalidated Redirects and Forwards (NEW) 2013-A10 – Unvalidated Redirects and Forwards 3 Primary Changes:  Merged: 2010-A7 and 2010-A9 -> 2013-A6  Added New 2013-A9: Using Known Vulnerable Components  2010-A8 broadened to 2013-A7
Where Controls are Lost 9 Layer On Prem IaaS PaaS SaaS App/Data Middleware OS Virtual Physical
ESTABLISH SECURITY BASELINE CHOOSE AND APPLY COMPENSTATING CONTROLS Gartner Public Cloud Management Lifecycle INCIDENT DETECTION INCIDENT RESPONSE MANAGEMENT
Establish a Security Baseline Baseline: Need to understand where you are right now Basic Discovery: Table stakes (any Firewall / NGFW can do it) Interesting challenge: Audit (what’s enterprise ready for you specifically?) ADMINISTRATIVE INFORMATIONAL BUSINESS ACCESS DATA SERVICE COMPLIANCE
Choose and Apply Compensating Controls 12 VISIBILITY ACTION User Service ObjectAction ACTION VISIBILITY
Incident Detection 13 Policies and controls identify specific tangible behaviors. But what about sophisticated threats that fall outside their scope? SIGNATURES HEURISTICS BEHAVIOR- BASED ANALYSIS ANOMALY DETECTION
Incident Response Management 14 Attackers are constantly evolving and adapting. Threats will eventually get through. The question is no longer “What if?”, but “What now?” INFORMATION ASYMMETRY FAVORS ATTACKERS PRE-THINK RESPONSE; HARD TO DO AFTER THE FACT INTEGRATE; DON’T BOLT ON
The SaaS Security Landscape ENCRYPTION SINGLE SIGN ON SAAS APPLICATION MONITORING AND CONTROL
ENCRYPTION: PROBLEM OR PANACEA? ENCRYPTION ENCRYPT IN TRANSIT ENCRYPT AT REST ENCRYPT IN USE (?) We don’t leverage SaaS Apps only for STORAGE Crypto is a GREAT TOOL; but great tools can be greatly MISUSED
SINGLE SIGN-ON: PANACEA? PHISHING MALWARE DATA BREACH MALICIOUS INSIDER WELL MEANING INSIDER EASE OF MANAGEMENT CONTROL THE FRONT DOOR
Cloud Services Security Problem 18 Visibility Security Compliance Risk Governance
Thank you TAKEAWAYS SaaS Security and GRC Problem Multifaceted Consider full threat lifecycle: Before, During, After Visibility and Action are Key Pillars @zulfikar_ramzan @ElasticaInc

More Related Content

PPTX
Shadow Data Exposed
byElastica Inc.
 
PPTX
Protecting your Data in Google Apps
byElastica Inc.
 
PPTX
Enabling Dropbox for Business
byElastica Inc.
 
PPTX
Protecting Your Data In Office 365
byElastica Inc.
 
PPTX
Ciso Platform Webcast: Shadow Data Exposed
byElastica Inc.
 
PPTX
How to Extend Security and Compliance Within Box
byElastica Inc.
 
PDF
Brochure forcepoint dlp_en
bySeenee Permal, CISA, CISM
 
PDF
Forcepoint Dynamic Data Protection
byMarketingArrowECS_CZ
 
Shadow Data Exposed
byElastica Inc.
 
Protecting your Data in Google Apps
byElastica Inc.
 
Enabling Dropbox for Business
byElastica Inc.
 
Protecting Your Data In Office 365
byElastica Inc.
 
Ciso Platform Webcast: Shadow Data Exposed
byElastica Inc.
 
How to Extend Security and Compliance Within Box
byElastica Inc.
 
Brochure forcepoint dlp_en
bySeenee Permal, CISA, CISM
 
Forcepoint Dynamic Data Protection
byMarketingArrowECS_CZ
 

What's hot

PPTX
Making Cloud Security Part of Your DNA Webinar Slides
byNetskope
 
PPTX
Top 5 Information Security Lessons Learned from Transitioning to the Cloud
byForcepoint LLC
 
PPTX
Should You Be Automating
bySiemplify
 
DOCX
“Verify and never trust”: The Zero Trust Model of information security
byAhmed Banafa
 
PPTX
Bitglass Webinar - A Primer on CASBs and Cloud Security
byBitglass
 
PPTX
A Smarter, More Secure Internet of Things
byNetIQ
 
PPTX
SANS Critical Security Controls Summit London 2013
byWolfgang Kandek
 
PPTX
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
byRaffa Learning Community
 
PPTX
Two Peas in a Pod: Cloud Security and Mobile Security
byOmar Khawaja
 
PDF
RSA ASIA 2014 - Internet of Things
byWolfgang Kandek
 
PPTX
Stop Hackers with Integrated CASB & IDaaS Security
byOneLogin
 
PDF
Data loss prevention by using MRSH-v2 algorithm
byIJECEIAES
 
PDF
Introduction to Cloud Security
bySusanne Tedrick
 
PPTX
Tripwire Energy Working Group: TIV Demo
byTripwire
 
PDF
Debunked: 5 Myths About Zero Trust Security
byCentrify Corporation
 
PPSX
Thread Legal and Microsoft 365 Security
byThread Legal
 
PDF
Cybersecurity frameworks globally and saudi arabia
byFaysal Ghauri
 
PDF
INFOGRAPHIC▶ Protecting Corporate Information In the Cloud
bySymantec
 
PDF
Practice case legal for data professional
byNovita Sari
 
PPTX
Bitglass Webinar - Top 6 CASB Use Cases
byBitglass
 
Making Cloud Security Part of Your DNA Webinar Slides
byNetskope
 
Top 5 Information Security Lessons Learned from Transitioning to the Cloud
byForcepoint LLC
 
Should You Be Automating
bySiemplify
 
“Verify and never trust”: The Zero Trust Model of information security
byAhmed Banafa
 
Bitglass Webinar - A Primer on CASBs and Cloud Security
byBitglass
 
A Smarter, More Secure Internet of Things
byNetIQ
 
SANS Critical Security Controls Summit London 2013
byWolfgang Kandek
 
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
byRaffa Learning Community
 
Two Peas in a Pod: Cloud Security and Mobile Security
byOmar Khawaja
 
RSA ASIA 2014 - Internet of Things
byWolfgang Kandek
 
Stop Hackers with Integrated CASB & IDaaS Security
byOneLogin
 
Data loss prevention by using MRSH-v2 algorithm
byIJECEIAES
 
Introduction to Cloud Security
bySusanne Tedrick
 
Tripwire Energy Working Group: TIV Demo
byTripwire
 
Debunked: 5 Myths About Zero Trust Security
byCentrify Corporation
 
Thread Legal and Microsoft 365 Security
byThread Legal
 
Cybersecurity frameworks globally and saudi arabia
byFaysal Ghauri
 
INFOGRAPHIC▶ Protecting Corporate Information In the Cloud
bySymantec
 
Practice case legal for data professional
byNovita Sari
 
Bitglass Webinar - Top 6 CASB Use Cases
byBitglass
 

Similar to Reasoning About Enterprise Application Security in a Cloudy World

PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
byAlert Logic
 
PPTX
Interesting Times: Will Business Survive?
byBen Tomhave
 
PDF
Presd1 10
byNiels Groeneveld
 
PPTX
SAP Concur’s Cloud Journey
bySBWebinars
 
PPTX
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
byPatrick Sklodowski
 
PDF
Azure 101: Shared responsibility in the Azure Cloud
byPaulo Renato
 
PDF
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PPTX
Securing your Cloud Deployment
byHrusostomos Vicatos
 
PPTX
Azure Security Compass v1.1 - Presentation.pptx
byZaheerEbrahim5
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PPTX
Chapter-3 Information assurance security.pptx
byCherryMayeEscalante
 
PDF
The Share Responsibility Model of Cloud Computing - ILTA NYC
byPatrick Sklodowski
 
PPT
Cloud Computing Security Needs & Problems Alon Refaeli
byrefaeli
 
PPTX
What affects security program confidence? - may2014 - bill burns
byBill Burns
 
PDF
Sonic WALL Secure Wireless Network Integrated Solutions Guide 1st Edition Joe...
bykolindmryl
 
PDF
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
PDF
Security On The Cloud
byTu Pham
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
byAlert Logic
 
Interesting Times: Will Business Survive?
byBen Tomhave
 
Presd1 10
byNiels Groeneveld
 
SAP Concur’s Cloud Journey
bySBWebinars
 
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
byPatrick Sklodowski
 
Azure 101: Shared responsibility in the Azure Cloud
byPaulo Renato
 
Application security for the modern web - ISSA South Texas Houston DevOps
byPhillip Maddux
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
Securing your Cloud Deployment
byHrusostomos Vicatos
 
Azure Security Compass v1.1 - Presentation.pptx
byZaheerEbrahim5
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
Chapter-3 Information assurance security.pptx
byCherryMayeEscalante
 
The Share Responsibility Model of Cloud Computing - ILTA NYC
byPatrick Sklodowski
 
Cloud Computing Security Needs & Problems Alon Refaeli
byrefaeli
 
What affects security program confidence? - may2014 - bill burns
byBill Burns
 
Sonic WALL Secure Wireless Network Integrated Solutions Guide 1st Edition Joe...
bykolindmryl
 
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
Security On The Cloud
byTu Pham
 

Recently uploaded

PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PPTX
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PDF
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
PPTX
BUSY Software Business Management Solution.pptx
byMoving Cloud
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
Recent Data Breaches in Cyber World.pptx
byyoshuaImmanuel1
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PPTX
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
PDF
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
PDF
Track Phone Location Android (2026)_ What Actually Works, What’s New, and the...
byRachel Green
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
Figma systems development services
bydavidjohansen1597
 
PPTX
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
PDF
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
PDF
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
On Demand Grocery Delivery App Development
byV3CUBE TECHNOLABS
 
PDF
software architecture for busy developers
byMuhammadAwaisQaisran
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
BUSY Software Business Management Solution.pptx
byMoving Cloud
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
Recent Data Breaches in Cyber World.pptx
byyoshuaImmanuel1
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
Track Phone Location Android (2026)_ What Actually Works, What’s New, and the...
byRachel Green
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
Figma systems development services
bydavidjohansen1597
 
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
On Demand Grocery Delivery App Development
byV3CUBE TECHNOLABS
 
software architecture for busy developers
byMuhammadAwaisQaisran
 

Reasoning About Enterprise Application Security in a Cloudy World

  • 1.
    Reasoning About EnterpriseApplication Security in a Cloudy World @Zulfikar_Ramzan / CTO / www.elastica.net
  • 2.
    THREAT LIFECYCLE Firewalls, NGFWIDS/IPS, AV, AMP Forensics, IR Tools Rethinking Security: Being Threat Centric BEFORE Controls DURING Identification AFTER Response
  • 3.
    Key Cybersecurity Hurdles Proliferation ofNew Technologies Evolution of Threat Landscape Increase of Complexity
  • 4.
    GRC: What Matters? Compliance:Highly complex, one-size fits all, dynamic. What do you ultimately care about: Visibility. Have to understand risks we are trying to mitigate.
  • 5.
  • 6.
    Outside the Visibilityof Existing SOC Unmonitored activities Outside SOC reach
  • 7.
    Key Enterprise SaaSSecurity Challenges Make it work vs. Approval No Visibility App / Action No Events for SEIM to Consume
  • 8.
    Application Security OverTime OWASP Top 10 – 2010 (old) OWASP Top 10 – 2013 (New) 2010-A1 – Injection 2013-A1 – Injection 2010-A2 – Cross Site Scripting (XSS) 2013-A2 – Broken Authentication and Session Management 2010-A3 – Broken Authentication and Session Management 2013-A3 – Cross Site Scripting (XSS) 2010-A4 – Insecure Direct Object References 2013-A4 – Insecure Direct Object References 2010-A5 – Cross Site Request Forgery (CSRF) 2013-A5 – Security Misconfiguration 2010-A6 – Security Misconfiguration 2013-A6 – Sensitive Data Exposure 2010-A7 – Insecure Cryptographic Storage 2013-A7 – Missing Function Level Access Control 2010-A8 – Failure to Restrict URL Access 2013-A8 – Cross-Site Request Forgery (CSRF) 2010-A9 – Insufficient Transport Layer Protection 2013-A9 – Using Known Vulnerable Components (NEW) 2010-A10 – Unvalidated Redirects and Forwards (NEW) 2013-A10 – Unvalidated Redirects and Forwards 3 Primary Changes:  Merged: 2010-A7 and 2010-A9 -> 2013-A6  Added New 2013-A9: Using Known Vulnerable Components  2010-A8 broadened to 2013-A7
  • 9.
    Where Controls areLost 9 Layer On Prem IaaS PaaS SaaS App/Data Middleware OS Virtual Physical
  • 10.
    ESTABLISH SECURITY BASELINE CHOOSEAND APPLY COMPENSTATING CONTROLS Gartner Public Cloud Management Lifecycle INCIDENT DETECTION INCIDENT RESPONSE MANAGEMENT
  • 11.
    Establish a SecurityBaseline Baseline: Need to understand where you are right now Basic Discovery: Table stakes (any Firewall / NGFW can do it) Interesting challenge: Audit (what’s enterprise ready for you specifically?) ADMINISTRATIVE INFORMATIONAL BUSINESS ACCESS DATA SERVICE COMPLIANCE
  • 12.
    Choose and ApplyCompensating Controls 12 VISIBILITY ACTION User Service ObjectAction ACTION VISIBILITY
  • 13.
    Incident Detection 13 Policies andcontrols identify specific tangible behaviors. But what about sophisticated threats that fall outside their scope? SIGNATURES HEURISTICS BEHAVIOR- BASED ANALYSIS ANOMALY DETECTION
  • 14.
    Incident Response Management 14 Attackersare constantly evolving and adapting. Threats will eventually get through. The question is no longer “What if?”, but “What now?” INFORMATION ASYMMETRY FAVORS ATTACKERS PRE-THINK RESPONSE; HARD TO DO AFTER THE FACT INTEGRATE; DON’T BOLT ON
  • 15.
    The SaaS SecurityLandscape ENCRYPTION SINGLE SIGN ON SAAS APPLICATION MONITORING AND CONTROL
  • 16.
    ENCRYPTION: PROBLEM ORPANACEA? ENCRYPTION ENCRYPT IN TRANSIT ENCRYPT AT REST ENCRYPT IN USE (?) We don’t leverage SaaS Apps only for STORAGE Crypto is a GREAT TOOL; but great tools can be greatly MISUSED
  • 17.
  • 18.
    Cloud Services SecurityProblem 18 Visibility Security Compliance Risk Governance
  • 19.
    Thank you TAKEAWAYS SaaS Securityand GRC Problem Multifaceted Consider full threat lifecycle: Before, During, After Visibility and Action are Key Pillars @zulfikar_ramzan @ElasticaInc