Evolution of Security Controls
Towards Cloud Services
Hugo Rodrigues
© 2019 Hugo Rodrigues. All rights reserved.
Where to start?
Where to look?
What’s relevant?
What to do?
How to do it?
Security Controls
Cloud Services
CSA - Security, Trust, Assurance and Risk (STAR)
Security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Assurance, Education, Research, Community
Example topics:
What are the base-level security controls required for an IoT system?
What are the top threats to cloud computing?
How will we protect networks and data in the era of quantum computing?
https://cloudsecurityalliance.org/star/
Source: Cloud Security Alliance
Tool for the systematic assessment of a cloud implementation, to provide
guidance on which security controls should be implemented by which actor
within the cloud supply chain
• Control framework for cloud computing
• 16 domains covering all key aspects of the cloud technology
• Map to Standards, Regulations & Controls Frameworks
• ..
CCM v3.0.1 is available as a free download to help companies
evaluate cloud providers and guide security efforts
Uncertainty with cloud
Security matters at every layer of modern computing systems, but especially at
the level of distributed systems and networks
Modern computing systems and modern applications are typically distributed
systems, with data storage and computation happening at different nodes in the
distributed system
Are the formal protection mechanisms enough?
e.g. patents, trademarks, industrial designs, utility models and copyright, …
Formal protection in distributed systems
Amazon Web Services have used programmatic formal methods including
formal verification and model checking to verify the correctness of their widely
used Simple Storage System (S3)
Facebook's Infer static analyzer is used to identify null pointer accesses and
resource leaks in Java programs.
It builds on the key technology of separation logic, which enables precise but
scalable reasoning about program code that performs complex heap
manipulation. This system has been released as open source
Formal protection at the technology level is key for cloud services
Source: Pooyan Jamshidi, Cloud Architecture Model with Layers SaaS, PaaS, and IaaS
Multidimensional decision points - under uncertainty
Manage uncertainty
Cloud applications are software systems with layered, distributed
architectures that utilize layer-specific resources provided through services
Focus on the decision points at the intersection of services and technologies
Set specific goals to measure the need for change vs. lift and shift
Prepare the environment at an abstraction level suited to the enterprise's maturity in working with distributed systems
Due to the uncertainty that prevails in the cloud, using change
patterns at the core of models and rules has helped to map uncertain
situations into manageable ones
Gain visibility over cloud services
Set compliance controls
and
Set operational controls
Data collected from operational controls supports the discovery of threats through pattern mismatch analysis
Pay attention to data behavior
Source: Zhenguo Chen, Trust evaluation model of cloud user based on behavior data
Example:
Manage your data
“As with any function or application, weak data leads to weak results.
In cybersecurity, that means too many false positives for
overburdened security analysts, higher risk of successful breaches,
and greater losses from each breach.” - Stu Bradley, SAS
Source: Nathan Sanders, HDSR MIT
Turn data into gold
Prediction: Given a new measurement, you want to use an existing data set
to build a model that reliably chooses the correct identifier from a set of
outcomes
Complement vendors' standard signatures with your own
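The three ideas on the preceding slides (operational-control data feeding pattern mismatch analysis, a trust evaluation built on user behavior data, and custom signatures complementing the vendor's defaults) fit together in one small pipeline. The following is an added example written for this page, not code from the slides or from any cited paper: the audit records are constructed stand-ins for what a cloud audit trail emits, the `service:Action` naming is used only for readability, and the signature rules and penalty weights are hypothetical. A per-user baseline is learned from a training window, each new event is scored against that baseline and against the custom signatures, and the result is reduced to a trust score and a triage bucket.

```python
"""Behavior baselines, pattern-mismatch detection and a trust score over cloud audit events.

Added example, not code from the slides or any cited paper. The records below are
constructed stand-ins for the operational-control data a cloud audit trail emits;
the action names follow a "service:Action" style only for readability, and the
signature rules and penalty weights are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    user: str
    action: str
    region: str
    hour: int       # UTC hour of day, 0-23
    src_ip: str


@dataclass
class Profile:
    """Per-user baseline learned from the training window."""
    actions: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    ips: set = field(default_factory=set)


# Constructed training window: what "normal" looked like for two users.
BASELINE = [
    Event("alice", "s3:GetObject", "eu-west-1", 9, "203.0.113.10"),
    Event("alice", "s3:GetObject", "eu-west-1", 10, "203.0.113.10"),
    Event("alice", "s3:PutObject", "eu-west-1", 14, "203.0.113.10"),
    Event("bob", "ec2:DescribeInstances", "us-east-1", 15, "198.51.100.7"),
    Event("bob", "ec2:StartInstances", "us-east-1", 16, "198.51.100.7"),
]

# Custom signatures that complement a vendor's default rule set (hypothetical rules).
SIGNATURES = [
    ("iam-change", lambda e: e.action.startswith("iam:")),
    ("audit-tamper", lambda e: e.action in {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"}),
]

MISMATCH_PENALTY = 15   # trust points lost per baseline dimension the event violates
SIGNATURE_PENALTY = 40  # trust points lost per custom signature that fires


def build_profiles(events):
    """Aggregate the training window into one Profile per user."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.actions.add(e.action)
        p.regions.add(e.region)
        p.hours.add(e.hour)
        p.ips.add(e.src_ip)
    return profiles


def pattern_mismatches(event, profile):
    """Names of the baseline dimensions the event does not match (hour allows +/-1)."""
    mismatches = []
    if event.action not in profile.actions:
        mismatches.append("action")
    if event.region not in profile.regions:
        mismatches.append("region")
    if event.src_ip not in profile.ips:
        mismatches.append("src_ip")
    if not any(abs(h - event.hour) <= 1 for h in profile.hours):
        mismatches.append("hour")
    return mismatches


def signature_hits(event):
    """Names of the custom signatures that fire on this event."""
    return [name for name, matches in SIGNATURES if matches(event)]


def evaluate(event, profiles):
    """Return (mismatches, hits, trust, verdict); trust is 0-100, verdict is a triage bucket."""
    # An unseen user has an empty baseline, so every dimension mismatches.
    profile = profiles.get(event.user, Profile())
    mismatches = pattern_mismatches(event, profile)
    hits = signature_hits(event)
    trust = max(0, 100 - MISMATCH_PENALTY * len(mismatches) - SIGNATURE_PENALTY * len(hits))
    verdict = "allow" if trust >= 70 else "review" if trust >= 40 else "alert"
    return mismatches, hits, trust, verdict


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # Constructed new events: one routine, one from an unknown user, one clearly off-pattern.
    for ev in [
        Event("alice", "s3:GetObject", "eu-west-1", 11, "203.0.113.10"),
        Event("carol", "s3:ListBucket", "eu-west-1", 10, "203.0.113.22"),
        Event("bob", "iam:AttachUserPolicy", "ap-southeast-2", 3, "192.0.2.55"),
    ]:
        print(ev.user, evaluate(ev, profiles))
```

The baseline dimensions are deliberately coarse: the point is that the signature layer catches what is known to be dangerous regardless of history, while the mismatch layer catches behavior that is merely unusual for that identity, and the combined score is what an analyst triages. In practice the training window would be rebuilt on a schedule so the baseline tracks legitimate change in how people use the platform.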
Cloud services increase security events?
• Perimeter evaporated and cloud environment shifts rapidly
• Former on-prem services now in the cloud
• External logs may have reliability / availability issues
• EDR deployment complicated by volume and velocity
• Containment is hampered by volatility and lack of access
• Convergence and new connectivity requirements
Source: RSA Conference 2019
Respond To Security Event - cloud services
Anticipation is key for compliance - Follow the CCM to the maximum extent
Proactivity is key for operations – Use analytics and insights
Response is needed for everything else
Build a Cloud-Specific Incident Response Plan: a well-defined plan lets you identify an attack quickly, minimize the damage and reduce its cost, while finding and fixing the cause to prevent future attacks
Mitigation of control gaps is never sufficient on its own; infrastructure will always have gaps and zero-day vulnerabilities
The Three Elements: Plan, Team, and Tools
Impact analysis to measure financials
Risk itself can be a qualitative measure, but the impact around an incident
(the cost of a downed asset associated with lost revenue, recovery, etc.)
can be quantitative.
Consider a Risk Management Framework even before you move systems
Source: Journal of Risk and Financial Management
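The slide's point that impact can be quantified even when risk itself is rated qualitatively is easiest to see with numbers. The following is an added worked example written for this page, not code from the slides or from the cited journal; every figure is constructed. It goes a step beyond the slide by carrying the impact through the standard single-loss / annualized-loss formulas (SLE, ARO, ALE) and a simple net-benefit check for a candidate control, so two scenarios that share the same colour rating can be ranked by money at risk.

```python
"""Quantifying incident impact and annualized loss for cloud assets.

Added worked example, not from the slides or the cited journal. All figures are
constructed. Impact of one incident = lost revenue during the outage + recovery
cost (SLE); expected yearly loss = SLE x expected incidents per year (ALE).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    revenue_per_hour: float   # revenue the asset produces while it is up
    recovery_cost: float      # fixed cost to restore it: people, re-provisioning, forensics


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    outage_hours: float        # expected downtime per incident
    incidents_per_year: float  # annualized rate of occurrence (ARO)
    qualitative: str           # the colour-coded rating the slides warn about


def single_loss_expectancy(s: Scenario) -> float:
    """Cost of one incident: lost revenue during the outage plus recovery."""
    return s.asset.revenue_per_hour * s.outage_hours + s.asset.recovery_cost


def annualized_loss_expectancy(s: Scenario) -> float:
    """Expected yearly loss: SLE times how often the incident is expected."""
    return single_loss_expectancy(s) * s.incidents_per_year


def control_benefit(s: Scenario, reduction: float, annual_control_cost: float) -> float:
    """Net yearly value of a control that removes `reduction` (0-1) of the expected loss."""
    return annualized_loss_expectancy(s) * reduction - annual_control_cost


def rank_by_ale(scenarios):
    """Highest money at risk first; equal values keep their input order."""
    return sorted(scenarios, key=annualized_loss_expectancy, reverse=True)


# Constructed scenarios: both carry the same qualitative rating, which hides the difference.
CUSTOMER_API = Scenario(Asset("customer-api", revenue_per_hour=5000.0, recovery_cost=20000.0),
                        outage_hours=4.0, incidents_per_year=2.0, qualitative="yellow")
BATCH_REPORTS = Scenario(Asset("batch-reports", revenue_per_hour=200.0, recovery_cost=5000.0),
                         outage_hours=24.0, incidents_per_year=6.0, qualitative="yellow")


if __name__ == "__main__":
    for s in rank_by_ale([BATCH_REPORTS, CUSTOMER_API]):
        print(f"{s.asset.name:14} rating={s.qualitative:7} "
              f"SLE={single_loss_expectancy(s):>10,.0f} ALE={annualized_loss_expectancy(s):>10,.0f}")
    # Hypothetical control: multi-region failover halves the API's expected loss for 30,000 a year.
    print("failover net benefit:", control_benefit(CUSTOMER_API, reduction=0.5, annual_control_cost=30000.0))
```

Running the comparison before a migration, as the slide advises, is what makes the Risk Management Framework actionable: the "yellow" label is the same for both scenarios, but the annualized figures say where a control budget earns its keep and where it does not.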
Financial health
You can’t own a problem if you don’t measure it
Quantifying the impact of security incidents is a great way to mature beyond
“our risk is yellow”
Analytics, Intelligence & Response: apply investigative and analytic techniques to
anticipate and resolve incidents
The Human & Process Security: navigate management issues such as operational
risk strategies, as well as people-related issues such as social engineering
Q&A
Hugo Rodrigues
hugosrodrigues
Thank you!


Editor's Notes

  • #5 Download: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/
  • #8 The cloud, as a multi-stakeholder and heterogeneous environment, requires a multi-dimensional approach to selecting a suitable evolution process; here this is done through a variability model driving a staged evolution based on migration patterns. To deal with adaptation, the uncertainty is mastered through statistical and logical approaches. Pahl, Claus; Jamshidi, Pooyan; Weyns, Danny (2017). Cloud architecture continuity: Change models and change rules for sustainable cloud software architectures. Journal of Software: Evolution and Process, 29, e1849. doi:10.1002/smr.1849.
  • #11 When using a cloud platform, how to ensure the safety of users is a matter we must be concerned with. User authentication provides a certain degree of security, but once user information has been leaked this method is no longer effective. Therefore, this article proposes a trust evaluation model based on user behavior data. https://www.researchgate.net/publication/325242412_Trust_evaluation_model_of_cloud_user_based_on_behavior_data
  • #12 Growth in the number of devices, compliance requirements and business needs make capturing event data necessary for all types of business. Analyzing logs can give you real insights into what's happening within your IT environment. Some real-world examples: capacity planning, early problem detection.
  • #13 https://hdsr.mitpress.mit.edu/pub/a7gxkn0a
  • #14 community emergency response team (CERT), computer security incident response team (CSIRT), and security operations center (SOC)
  • #16 Start by quantifying before you move into cloud services https://www.mdpi.com/1911-8074/10/2/10/pdf