Is the Cloud Secure?
CSA AGM 2019 - HSBC (London)
@FrankSEC42
It’s easy if you do it smart
https://uk.linkedin.com/in/fracipo
Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd
Agenda
- About the author
- Context: how things have changed
- The problem and the ideal world
- Solution to reach there
- Conclusions & Take Away
- CSA Conference & Awards
- Q&A
www.nsc42.co.uk
About Francesco
Francesco Cipollone
Founder – NSC42 LTD
I’m a CISO and CISO advisor and a cybersecurity cloud expert, public speaker, researcher and Director of Events of the Cloud Security Alliance UK, and a researcher and associate of ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect themselves against cybersecurity attacks.
Security is everybody’s job
Security is challenging: we have to know an inch deep and miles wide
How Things Have Changed
How did we evolve to reach here?
What is the impact on security?
Cloud Evolution
(Timeline figure: "Datacentre Land", 2005-2007, giving way to "Cloud Adoption", 2008-2014.)
Challenges
Security challenges in cloud transformations?
- Increasing number of breaches
- Impact on cost (brand, fines, …)
- Fast change
- No collaboration between delivery teams and security
Security is everybody’s responsibility
Major Breaches
Why is security everybody’s responsibility? Because we all get affected by it…
(Timeline figure of major breaches, 2009-2019. Names shown: Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Twitter, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US retailers, Adobe, Ubisoft, Court Ventures, … The year each name sits under is not recoverable from the extraction.)
Ideal cybersecurity world
In an ideal cybersecurity world we would have infinite time and infinite resources to do things right, and all the boring chores would be automated.
Solutions
1. Cloud responsibility matrix
2. Cloud foundation
3. Cloud patterns
4. Design security
5. Security by design
6. Shift left in dev
7. Security testing
8. DEV-SEC-OPS + BIZ/ARCH
Security by design = everyone participates in security
Step 1 - Cloud Responsibilities
The customer defines and controls security IN the cloud:
- Application & content
- Network security
- Identity & access control
- Operating system / platform
- Data encryption
The cloud platform (the provider) takes care of the security OF the cloud:
- Physical infrastructure
- Network infrastructure
- Virtualization layer
“Understand the shared responsibility model and its delegation, and you’ll master cloud”
Consider what you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure: the provider secures the stack up to the virtualization layer, everything the customer deploys on top of it is the customer’s to secure, and the boundary moves as you go from IaaS to PaaS to SaaS.
Step 1 - Cloud Pizza
IaaS, PaaS, SaaS, …
Who cares, give me pizza!
Step 2 – Foundation
How do you build a solid house? You don’t skip the foundation!
How do you build a solid cloud? You don’t skip the foundation!
Step 2 – Foundation
How do you build a solid cloud (security) foundation? Culture, management support and skills:
1. Management support
2. Disruption and strategy
3. Security as part of the cloud journey
4. Skills shortages
5. Architecture patterns & re-use
What tools do you use for the solid cloud (security) foundation?
Step 3 – Cloud Patterns
- Account isolation (one account or subscription per environment, to bound the blast radius)
- Controls: traditional vs cloud (which on-premises controls map to a cloud-native equivalent, and which do not)
- Logging and monitoring
- Identity and access management
- Key management
“There is no such thing as a free lunch… but leverage patterns as a starting point”
Step 4 – Design Security
“How would you expand the security team without expanding the team?”
“Train software engineers on security and you’ll have an ‘extended security team’”
Step 5 – Security by Design
“So what would the software engineer do with the security hat on?”
“Gamification… remember to have fun when doing your job”
How do we make threat modelling fun?
Step 6 – Shift left in DEV
“Security as early as possible: integrate security in the software development pipeline”
Keep the threat or fraud model exercise concise and fun! Don’t overcomplicate it
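The five patterns from Step 3 and the Step 6 advice to put security in the delivery pipeline meet in one place: the patterns become checks, and the checks become a gate that an infrastructure change has to pass before it is applied. The block below is an added example, not code from the deck or from NSC42; the inventory layout, field names (AWS-flavoured ARNs and a twelve-digit account id) and rule names are assumptions made for illustration, and the two-account landing zone is constructed sample data. A real run would build the inventory from the provider's APIs or from an infrastructure-as-code plan.

```python
"""Cloud-foundation patterns codified as a pipeline gate (added example;
inventory format, field names and rule names are assumptions, not a real API)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample: a two-account landing zone, one sound and one flawed.
SAMPLE_INVENTORY = {
    "log_archive_account": "111111111111",
    "accounts": [
        {
            "id": "222222222222",
            "environments": ["prod"],
            "audit_log": {"enabled": True, "destination_account": "111111111111"},
            "users": [{"name": "alice", "mfa": True, "access_keys": 0}],
            "policies": [{"name": "deploy", "actions": ["s3:PutObject"],
                          "resources": ["arn:aws:s3:::app-artifacts/*"]}],
            "keys": [{"id": "k-1", "rotation": True,
                      "principals": ["arn:aws:iam::222222222222:role/app"]}],
            "ingress_rules": [{"port": 443, "cidr": "0.0.0.0/0"}],
        },
        {
            "id": "333333333333",
            "environments": ["prod", "dev"],
            "audit_log": {"enabled": True, "destination_account": "333333333333"},
            "users": [{"name": "bob", "mfa": False, "access_keys": 2}],
            "policies": [{"name": "admin", "actions": ["*"], "resources": ["*"]}],
            "keys": [{"id": "k-2", "rotation": False, "principals": ["*"]}],
            "ingress_rules": [{"port": 22, "cidr": "0.0.0.0/0"}],
        },
    ],
}

ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def check_account(acct: dict, log_archive: str) -> list:
    """Apply the deck's five foundation patterns to one account."""
    found = []
    aid = acct["id"]
    # Account isolation: one environment per account bounds the blast radius.
    envs = sorted(set(acct["environments"]))
    if len(envs) > 1:
        found.append(Finding(aid, "account-isolation", f"mixes environments {envs}"))
    # Logging and monitoring: audit logs must leave the account they describe,
    # otherwise whoever compromises the account can also erase the evidence.
    log = acct["audit_log"]
    if not log["enabled"]:
        found.append(Finding(aid, "logging", "audit logging disabled"))
    elif log["destination_account"] != log_archive:
        found.append(Finding(aid, "logging", "audit logs not shipped to the log-archive account"))
    # Identity and access management: humans use MFA and no static keys,
    # and no policy grants every action on every resource.
    for user in acct["users"]:
        if not user["mfa"]:
            found.append(Finding(aid, "iam", f"user {user['name']} has no MFA"))
        if user["access_keys"]:
            found.append(Finding(aid, "iam", f"user {user['name']} holds long-lived access keys"))
    for pol in acct["policies"]:
        if "*" in pol["actions"] and "*" in pol["resources"]:
            found.append(Finding(aid, "iam", f"policy {pol['name']} grants * on *"))
    # Key management: customer-managed keys rotate and name their principals.
    for key in acct["keys"]:
        if not key["rotation"]:
            found.append(Finding(aid, "key-management", f"key {key['id']} has rotation disabled"))
        if "*" in key["principals"]:
            found.append(Finding(aid, "key-management", f"key {key['id']} is usable by any principal"))
    # Traditional vs cloud controls: the perimeter firewall becomes a per-resource
    # ingress rule, but an admin port open to the whole internet is still wrong.
    for rule in acct["ingress_rules"]:
        if rule["port"] in ADMIN_PORTS and ip_network(rule["cidr"]).prefixlen == 0:
            found.append(Finding(aid, "network-controls", f"port {rule['port']} open to {rule['cidr']}"))
    return found


def evaluate(inventory: dict) -> list:
    """Run every pattern check over every account in the inventory."""
    findings = []
    for acct in inventory["accounts"]:
        findings.extend(check_account(acct, inventory["log_archive_account"]))
    return findings


def gate(inventory: dict) -> bool:
    """Pipeline gate: True only when no pattern is violated, so the change
    fails at design time rather than after it reaches production."""
    return not evaluate(inventory)


if __name__ == "__main__":
    for item in evaluate(SAMPLE_INVENTORY):
        print(f"[{item.rule}] account {item.account}: {item.detail}")
    raise SystemExit(0 if gate(SAMPLE_INVENTORY) else 1)
```

Run on the sample, the sound account produces nothing and the flawed one produces one finding per broken pattern, so the script exits non-zero and the pipeline stops; the checks are deliberately small and readable because a gate developers cannot understand is a gate they will route around.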
Step 7 – Security in Test
“Security (testing) as early as possible”
Security testing as a bug bounty program! Make it fun and rewarding
Step 8 - DEV–SEC–OPS(BIZ)
What kind of animal is the DEV-SEC-OPS?
Integrate security into the OPS team (and add a spark of BIZ)
Integrating security: reward security effort with low cost, high impact
Security is everybody’s responsibility.
The Future
“Cybersecurity due diligence will remain the same regardless of the technology chosen”
Conclusions
- Evolution & challenges
- Ideal world and the steps to reach it
- What’s in the future
Security in the journey to the cloud, not at the destination
Security is everybody’s job
CSA-UK - We need you
Mentoring, Research, Events, Networking
Join! #MentoringMonday call every fortnight, 1.30 PM UK time
Twitter: @csaukchapter
LinkedIn: https://www.linkedin.com/groups/3745837/
https://cloudsecurityalliance.org.uk
Cyber Security Awards 2019 - Cloud Security Influencer of the Year
Submission: 10 May 2019; Ceremony: 4 July 2019
#CYSECAWARDS19
Info: https://cybersecurityawards.com/
Submit: info@cybersecurityawards.com
Q&A
Contacts
Get in touch:
https://uk.linkedin.com/in/fracipo
Francesco.cipollone (at) nsc42.co.uk
www.nsc42.co.uk
Thank you
WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY

More Related Content

Similar to Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Francesco Cipollone

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
NSC42 Ltd
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
NSC42 Ltd
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
NSC42 Ltd
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
NSC42 Ltd
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
NSC42 Ltd
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At Mozilla
Michael Van Kleeck
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
skantos
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
NSC42 Ltd
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
Cyber Security Alliance
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
Mighty Guides, Inc.
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Mighty Guides, Inc.
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
devopsdaysaustin
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)
Erik Trautman
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
DevOps Indonesia
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
Codemotion
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 

Similar to Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Francesco Cipollone (20)

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At Mozilla
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 

More from Cloud Security Alliance, UK chapter

Dimitry presentation - Challenges of Cloud Transformation
Dimitry presentation - Challenges of Cloud TransformationDimitry presentation - Challenges of Cloud Transformation
Dimitry presentation - Challenges of Cloud Transformation
Cloud Security Alliance, UK chapter
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloud
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloudCsa UK agm 2019 - Chris J Hodson - Visibility in the cloud
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloud
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Csa agm research
Csa UK agm 2019 - Csa agm researchCsa UK agm 2019 - Csa agm research
Csa UK agm 2019 - Csa agm research
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Daniel Card - Hacking myelsf first
Csa UK agm 2019 - Daniel Card - Hacking myelsf firstCsa UK agm 2019 - Daniel Card - Hacking myelsf first
Csa UK agm 2019 - Daniel Card - Hacking myelsf first
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Chapter Presentation
Csa UK agm 2019 - Chapter Presentation Csa UK agm 2019 - Chapter Presentation
Csa UK agm 2019 - Chapter Presentation
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
Cloud Security Alliance, UK chapter
 
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lensCsa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
Cloud Security Alliance, UK chapter
 
C-Level tools for Cloud strategy decisions
C-Level tools for Cloud strategy decisionsC-Level tools for Cloud strategy decisions
C-Level tools for Cloud strategy decisions
Cloud Security Alliance, UK chapter
 

More from Cloud Security Alliance, UK chapter (11)

Dimitry presentation - Challenges of Cloud Transformation
Dimitry presentation - Challenges of Cloud TransformationDimitry presentation - Challenges of Cloud Transformation
Dimitry presentation - Challenges of Cloud Transformation
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
 
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloud
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloudCsa UK agm 2019 - Chris J Hodson - Visibility in the cloud
Csa UK agm 2019 - Chris J Hodson - Visibility in the cloud
 
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
Csa UK agm 2019 - Justin Campbell, Xabi Errotabehere - Looking at public clou...
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
 
Csa UK agm 2019 - Csa agm research
Csa UK agm 2019 - Csa agm researchCsa UK agm 2019 - Csa agm research
Csa UK agm 2019 - Csa agm research
 
Csa UK agm 2019 - Daniel Card - Hacking myelsf first
Csa UK agm 2019 - Daniel Card - Hacking myelsf firstCsa UK agm 2019 - Daniel Card - Hacking myelsf first
Csa UK agm 2019 - Daniel Card - Hacking myelsf first
 
Csa UK agm 2019 - Chapter Presentation
Csa UK agm 2019 - Chapter Presentation Csa UK agm 2019 - Chapter Presentation
Csa UK agm 2019 - Chapter Presentation
 
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
Csa UK agm 2019 - Craig Savage - safe as clouds the journey from legacy to cl...
 
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lensCsa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
Csa UK agm 2019 - Cloud Conformity - Looking at public cloud through a new lens
 
C-Level tools for Cloud strategy decisions
C-Level tools for Cloud strategy decisionsC-Level tools for Cloud strategy decisions
C-Level tools for Cloud strategy decisions
 

Recently uploaded

AP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specificAP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specific
BrazilAccount1
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
Amil Baba Dawood bangali
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
thanhdowork
 
Basic Industrial Engineering terms for apparel
Basic Industrial Engineering terms for apparelBasic Industrial Engineering terms for apparel
Basic Industrial Engineering terms for apparel
top1002
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
manasideore6
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
BrazilAccount1
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
Massimo Talia
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdfGoverning Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
WENKENLI1
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
ChristineTorrepenida1
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 

Recently uploaded (20)

AP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specificAP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specific
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
 
Basic Industrial Engineering terms for apparel
Basic Industrial Engineering terms for apparelBasic Industrial Engineering terms for apparel
Basic Industrial Engineering terms for apparel
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdfGoverning Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 

Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Francesco Cipollone

  • 1. Is the Cloud Secure? It's easy if you do it smart. CSA AGM 2019 - HSBC (London). @FrankSEC42 https://uk.linkedin.com/in/fracipo
  • 4. Agenda: About the author; Context; How things have changed; The problem and the ideal world; Solution to reach there; Conclusions & take away; Q&A; CSA Conference & Awards. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd.
  • 5. About Francesco. Francesco Cipollone, Founder - NSC42 LTD (www.nsc42.co.uk). I'm a CISO and a CISO advisor, cybersecurity cloud expert, public speaker, researcher and Director of Events of the Cloud Security Alliance UK, researcher and associate of ISC2. I've been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks. Links: FC LinkedIn, e-mail, website, articles, NSC42 LinkedIn. Security is everybody's job. Security is challenging: we have to know an inch deep and miles wide.
  • 6. How Things Have Changed. How did we evolve to reach here? What is the impact on security?
  • 8. Challenges. Security challenges in cloud transformations?
    - Increasing number of breaches
    - Impact on cost (brand, fines, …)
    - Fast change
    - No collaboration between teams and security
    Security is everybody's responsibility.
  • 9. Major Breaches (timeline 2009/2010 to 2019): Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US retailers, Adobe, Ubisoft, Court Ventures, … Why is security everybody's responsibility? Because we all get affected by it.
  • 12. Ideal cybersecurity world. In an ideal cybersecurity world we would have infinite time and infinite resources to do things right, and all the boring chores would be automated.
  • 13. Solutions:
    1. Cloud responsibility matrix
    2. Cloud foundation
    3. Cloud patterns
    4. Design security
    5. Security by design
    6. Dev shift left
    7. Security testing
    8. DEV-SEC-OPS + BIZ/ARCH
    Security by design = everyone participates in security.
  • 14. Step 1 - Cloud Responsibilities. "Understand the shared responsibility model and its delegation and you'll master cloud." Consider what you are getting yourself into in a cloud migration: cloud is not natively secure or insecure.
    - The customer defines and controls security IN the cloud: application & content, network security, identity & access control, operating system / platform, data encryption.
    - The cloud platform (the provider) takes care of security OF the cloud: physical infrastructure, network infrastructure, virtualization layer.
  • 15. Step 1 - Cloud Pizza. IaaS, PaaS, SaaS, … Who cares, give me pizza!
  • 16. Step 2 - Foundation. How do you build a solid house? You don't skip the foundation! How do you build a solid cloud? You don't skip the foundation!
  • 17. Step 2 - Foundation. How do you build a solid cloud (security) foundation? Culture, management support and skills:
    1. Management support
    2. Disruption and strategy
    3. Security as part of the cloud journey
    4. Skills shortages
    5. Architecture patterns & re-use
  • 18. Step 2 - Foundation. What tools do you use for the solid cloud (security) foundation?
  • 19. Step 3 - Cloud Patterns:
    - Account isolation
    - Controls: traditional vs cloud
    - Logging and monitoring
    - Identity and access management
    - Key management
    "There is no such thing as a free lunch… but leverage patterns as a starting point."
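The identity and account-isolation patterns above are where most cloud policy mistakes actually live, and a pattern is only useful if you can check that people followed it. As an added example that is not part of the original deck, the Python below lints AWS-style IAM policy documents (the JSON shape is the only assumption; the sample policies, names and ARNs are constructed) for three anti-patterns: an Allow with wildcard actions on every resource, a public principal without a Condition (which crosses the account boundary), and an Allow written with NotAction/NotResource.

```python
"""Lint IAM-style policy documents for the anti-patterns behind the cloud
patterns on the slide: unscoped wildcards (identity and access management),
public principals (account isolation) and Allow-with-negation.

Added example, not from the original deck. The AWS-style JSON policy shape is
the only assumption; every policy below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str
    statement: int
    rule: str
    detail: str


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    """'Statement' may be one object or a list of objects."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _wild_action(actions):
    # "*" or "service:*" both grant every verb (of the service).
    return any(a == "*" or a.endswith(":*") for a in actions)


def _public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(name, doc):
    findings = []
    for i, stmt in enumerate(_statements(doc)):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow what is granted
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(Finding(name, i, "allow-with-negation",
                "Allow + NotAction/NotResource grants everything except the listed "
                "items, including services that do not exist yet"))
        if _wild_action(actions) and "*" in resources:
            findings.append(Finding(name, i, "unscoped-wildcard",
                f"actions {actions} on every resource"))
        elif _wild_action(actions):
            findings.append(Finding(name, i, "wildcard-action",
                f"actions {actions}; scope to the verbs the workload needs"))
        # A Condition (e.g. aws:PrincipalOrgID) is treated as a scoping control;
        # this is a heuristic, a reviewer still has to read the condition itself.
        if _public_principal(stmt.get("Principal")) and not conditioned:
            findings.append(Finding(name, i, "public-principal",
                "Principal '*' with no Condition is reachable from any account"))
    return findings


def lint_all(policies):
    """Map policy name -> list of rule ids; the shape a CI check wants."""
    return {name: [f.rule for f in lint_policy(name, doc)]
            for name, doc in policies.items()}


# Constructed sample policies; names and ARNs are illustrative.
SAMPLE_POLICIES = {
    "admin-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "report-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]},
    "service-wide": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*"}]},
    "public-bucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"}]},
    "almost-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "scoped-by-condition": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]},
}


if __name__ == "__main__":
    for policy_name, policy_doc in SAMPLE_POLICIES.items():
        for f in lint_policy(policy_name, policy_doc):
            print(f"{f.policy}[{f.statement}] {f.rule}: {f.detail}")
```

Run it over the policy documents in your infrastructure-as-code repository before they are applied; the rule ids are deliberately stable strings so the output can feed the same pipeline gate that handles scanner findings.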
  • 20. Step 4 - Design Security. "How would you expand the security team without expanding the team? Train software engineers on security and you'll have an extended security team."
  • 21. Step 5 - Security by Design. "So what would the software engineer do with the security hat on?" How do we make threat modelling fun? Gamification: remember to have fun when doing your job.
  • 22. Step 6 - Shift left in DEV. "Security as early as possible: integrate security in the software development pipeline." Keep the threat or fraud model exercise concise and fun; don't overcomplicate it.
  • 23. Step 7 - Security in Test. "Security (testing) as early as possible." Security testing as a bug bounty program: make it fun and rewarding.
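Steps 6 and 7 both say "as early as possible", and in a pipeline that means a gate that fails the merge on what the scanners found. The Python below is an added example, not the deck's or NSC42's code: it reads scanner output in a hypothetical common JSON format (the findings, tool names, rule ids and paths are all constructed), blocks on high and critical findings plus hard-coded secrets at any severity, and accepts a waiver only while it is unexpired and tied to a ticket, so a "temporary" suppression cannot quietly become permanent.

```python
"""Merge gate for security scanner output.

Added example, not from the original deck. The finding format is a
hypothetical common shape (tool, rule, severity, location, fingerprint);
every finding and waiver below is constructed for illustration."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Rules that block regardless of severity: a leaked credential is a fix-now item.
ALWAYS_BLOCK_RULES = {"hardcoded-secret"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str
    fingerprint: str  # stable id a scanner assigns so waivers survive line moves


@dataclass(frozen=True)
class Waiver:
    fingerprint: str
    expires: date
    ticket: str  # the tracking item that justifies accepting the risk for now


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)
    waived: list = field(default_factory=list)
    informational: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings, waivers, today, min_block="high"):
    """Classify each finding; an expired waiver counts as no waiver at all."""
    waiver_by_fp = {w.fingerprint: w for w in waivers}
    result = GateResult()
    for f in findings:
        severe = SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_block]
        if not severe and f.rule not in ALWAYS_BLOCK_RULES:
            result.informational.append(f)  # reported, does not fail the build
            continue
        waiver = waiver_by_fp.get(f.fingerprint)
        if waiver is not None and waiver.expires >= today:
            result.waived.append(f)
        else:
            result.blocking.append(f)
    return result


# Constructed scanner output; tool names, rule ids, paths and packages are illustrative.
SCANNER_OUTPUT = json.dumps([
    {"tool": "sast", "rule": "sql-injection-string-format", "severity": "high",
     "location": "handlers/search.py:42", "fingerprint": "a1"},
    {"tool": "dependency-scan", "rule": "known-vulnerable-dependency", "severity": "critical",
     "location": "requirements.txt:7 (hypothetical-lib 1.2.3)", "fingerprint": "b2"},
    {"tool": "secret-scan", "rule": "hardcoded-secret", "severity": "medium",
     "location": "config/dev.py:3", "fingerprint": "c3"},
    {"tool": "dependency-scan", "rule": "known-vulnerable-dependency", "severity": "high",
     "location": "requirements.txt:12 (hypothetical-parser 0.9)", "fingerprint": "d4"},
    {"tool": "sast", "rule": "unpinned-dependency", "severity": "low",
     "location": "requirements.txt:1", "fingerprint": "e5"},
])
FINDINGS = [Finding(**item) for item in json.loads(SCANNER_OUTPUT)]

# Constructed waivers: b2 is still inside its window, d4's has lapsed.
WAIVERS = [
    Waiver(fingerprint="b2", expires=date(2019, 6, 30), ticket="SEC-123"),
    Waiver(fingerprint="d4", expires=date(2019, 3, 31), ticket="SEC-098"),
]

# Fixed "today" so the example is deterministic; a real gate uses date.today().
TODAY = date(2019, 5, 1)


def main() -> int:
    result = evaluate(FINDINGS, WAIVERS, TODAY)
    for label, items in (("BLOCKING", result.blocking), ("WAIVED", result.waived),
                         ("INFO", result.informational)):
        for f in items:
            print(f"{label:8} {f.severity:8} {f.tool}/{f.rule} at {f.location}")
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the last step of the CI job, after the scanners have written their output; a non-zero exit status fails the merge, and the waived list tells the reviewer exactly which accepted risks are still open and when they come back.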
  • 24. Step 8 - DEV-SEC-OPS (BIZ). What kind of animal is DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ). Security is everybody's responsibility. Reward the security effort: integrating security is low cost, high impact.
  • 25. The Future. "Cybersecurity due diligence will remain the same regardless of the technology chosen."
  • 26. Conclusions:
    - Evolution & challenges
    - Ideal world and the steps to reach it
    - What's in the future
    Security is in the journey to the cloud, not at the destination. Security is everybody's job.
  • 28. Every fortnight, 1.30 PM UK time: #MentoringMonday call. @FraSEC42
  • 29. Cyber Security Awards 2019 - Cloud Security Influencer of the Year. Submission: 10 May 2019. Ceremony: 4 July 2019. #CYSECAWARDS19. Info: https://cybersecurityawards.com/ and https://cloudsecurityalliance.org.uk. Submit: info@cybersecurityawards.com
  • 31. Contacts. Get in touch: https://uk.linkedin.com/in/fracipo, Francesco.cipollone (at) nsc42.co.uk, www.nsc42.co.uk. Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY. @FrankSEC42
