Khazret Sapenov, profile picture
Uploaded byKhazret Sapenov
594 views

Rethink cloud security to get ahead of the risk curve by kurt johnson, vice president of strategy and corporate development courion corporation

This document discusses managing access security risks in the cloud. It notes that security is a major concern for organizations moving to the cloud. The top internal and external audit findings relate to identity and access management. The document advocates adopting a risk-driven identity and access management model to ensure the right people have the right access to the right resources. It acknowledges that while security technologies are important, managing risk should be the focus. An architecture for access intelligence is proposed that uses analytics and monitoring to detect threats and risks in real-time and enable contextual remediation.

Embed presentation

Rethink Managing Access Security Risk in the Cloud Dave Fowler Chief Operating Officer Courion Corporation CONFIDENTIAL
How Secure is my Cloud? CONFIDENTIAL
Security a Major Concern CONFIDENTIAL
CONFIDENTIAL
Top Internal/External Audit Findings Source: 2010 Deloitte Global Security Survey, Financial Services CONFIDENTIAL
Identity and Access Management Model Have the Right Ensure the To the Right Access Right People Resources Data Policy-Driven Access Information Systems Resources Assets and are doing the Right Things. CONFIDENTIAL
Security in a Virtual World CONFIDENTIAL
Security in a Virtual World CONFIDENTIAL
IAM Technologies  Provisioning (Granting Access)  Federation (Consolidating 174 million breaches* Identities)  Single Sign On (SSO)  Authentication/Authorization  Privilege Access Management (PAM)  Governance (Compliance with policy/regulations) 2009 2010 2011 CONFIDENTIAL
The Complexity of Securing Information 10s of Thousands of Identities 1000’s of people 1000’s of applications 100’s of millions+ of relationships & resources 100’s of policies & Millions of regulations actions CONFIDENTIAL
Bad Guys -> Fast… Good Guys -> Slow. Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
Is the Cloud the Issue? We are often asked whether “the Cloud” factors into many of the breaches we investigate. The easy answer is “No—not really.” It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud. Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
Need a different approach. CONFIDENTIAL
Risk Driven Model  Risk = Impact X Likelihood  What are the most important assets? • Key Applications? • File Shares? • Identity/Security Information?  Who has access to them?  What kind of access do they have?  How do I know if it is at risk? • Real Time Analysis • Policy • Behavior CONFIDENTIAL
CONFIDENTIAL
Architecture for IAM Risk Dashboard & Reporting I&A Intelligence  Threat Detection  Forensics  Analyst Workbench Policy/Rules Engine Notification Service Remediation Service Analytics Engine Identity & Access Warehouse ACCESS INTELLIGENCE ENGINE Identity Rights Policy Resources Activity CONFIDENTIAL
Security is Great BUT Risk Matters CONFIDENTIAL
Managing Risk: Access Intelligence  Risk as a metric for managing Security  Analytics and Intelligence to monitor in real time  Notification  Contextual Remediation CONFIDENTIAL
Questions? Dave Fowler Chief Operating Officer info@courion.com Courion Corporation CONFIDENTIAL

More Related Content

PDF
Security Intelligence
byIBMGovernmentCA
 
PPTX
Six Irrefutable Laws of Information Security
byIT@Intel
 
PPTX
Best Practice For Public Sector Information Security And Compliance
byOracle
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PPTX
Incident response cloud
byBrian Honan
 
PPTX
Can Information Security Survive
byIT@Intel
 
PDF
Actiance Presentation - BDI 2/9/11 Financial Services Social Communications L...
byBusiness Development Institute
 
PDF
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
byMartin Ruubel
 
Security Intelligence
byIBMGovernmentCA
 
Six Irrefutable Laws of Information Security
byIT@Intel
 
Best Practice For Public Sector Information Security And Compliance
byOracle
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
Incident response cloud
byBrian Honan
 
Can Information Security Survive
byIT@Intel
 
Actiance Presentation - BDI 2/9/11 Financial Services Social Communications L...
byBusiness Development Institute
 
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
byMartin Ruubel
 

What's hot

PDF
100+ Cyber Security Interview Questions and Answers in 2022
byTemok IT Services
 
PPTX
Balancing User Experience with Secure Access Control in Healthcare
bySecureAuth
 
PPT
Managing IT security and Business Ethics
byRahul Sharma
 
DOCX
The CIA Triad - Assurance on Information Security
byBharath Rao
 
PPTX
Internet Security Threat Report (ISTR) Vol. 16
bySymantec APJ
 
PPTX
Information Security By Design
byNalneesh Gaur
 
PDF
2 21677 splunk_big_data_futureofsecurity
bySvetlana Belyaeva
 
PDF
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
byMicrosoft Private Cloud
 
PDF
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
PDF
Combating the enemy within – an elegant mathematical approach to insider thre...
byMartin Ruubel
 
PPTX
Information security group presentation ppt
byvaishalshah01
 
PDF
Security and Privacy challenges of the Internet of Things (IoT) | Sysfore
bySysfore Technologies
 
DOCX
IT security : a five-legged sheep
byITrust - Cybersecurity as a Service
 
PDF
SecureMAG Vol 3
byChin Wan Lim
 
PDF
Cloud Insecurity and True Accountability - Guardtime Whitepaper
byMartin Ruubel
 
PDF
Attributable Networks - Guardtime Whitepaper
byMartin Ruubel
 
PDF
Guardtime_KSI_Use_of_a_globally_distributed_blockchain_to_secure_SDN_whitepap...
byMartin Ruubel
 
PPT
Mod7 Lab Kohne
byguestc6d29da4
 
PDF
Synopsis & toc sectoral capsule on cyber security market in india
byGyan Research And Analytics
 
PPTX
Digital security
byCBWIGG01
 
100+ Cyber Security Interview Questions and Answers in 2022
byTemok IT Services
 
Balancing User Experience with Secure Access Control in Healthcare
bySecureAuth
 
Managing IT security and Business Ethics
byRahul Sharma
 
The CIA Triad - Assurance on Information Security
byBharath Rao
 
Internet Security Threat Report (ISTR) Vol. 16
bySymantec APJ
 
Information Security By Design
byNalneesh Gaur
 
2 21677 splunk_big_data_futureofsecurity
bySvetlana Belyaeva
 
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
byMicrosoft Private Cloud
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
Combating the enemy within – an elegant mathematical approach to insider thre...
byMartin Ruubel
 
Information security group presentation ppt
byvaishalshah01
 
Security and Privacy challenges of the Internet of Things (IoT) | Sysfore
bySysfore Technologies
 
IT security : a five-legged sheep
byITrust - Cybersecurity as a Service
 
SecureMAG Vol 3
byChin Wan Lim
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
byMartin Ruubel
 
Attributable Networks - Guardtime Whitepaper
byMartin Ruubel
 
Guardtime_KSI_Use_of_a_globally_distributed_blockchain_to_secure_SDN_whitepap...
byMartin Ruubel
 
Mod7 Lab Kohne
byguestc6d29da4
 
Synopsis & toc sectoral capsule on cyber security market in india
byGyan Research And Analytics
 
Digital security
byCBWIGG01
 

Viewers also liked

PDF
IBM Security Identity & Access Manager
byIBM Sverige
 
PDF
Oracle Cloud Reference Architecture
byBob Rhubart
 
PDF
PCI Compliance and Cloud Reference Architecture
byHyTrust
 
PDF
Security Building Blocks of the IBM Cloud Computing Reference Architecture
byStefaan Van daele
 
PDF
Extending Active Directory to Box for Seamless IT Management
byOkta-Inc
 
PPTX
NIST Cloud Computing Reference Architecture
byThanakrit Lersmethasakul
 
PDF
Open icf (open identity connector framework) @ forgerock deutsch
byHanns Nolan
 
PDF
Mobile security-reference-architecture
byVishal Sharma
 
PPTX
Reference Architecture for Data Loss Prevention in the Cloud
byNetskope
 
PDF
The Enterprise Reference Architecture and Tools
bySoftware Park Thailand
 
PDF
The F5 DDoS Protection Reference Architecture (Technical White Paper)
byF5 Networks
 
PPT
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
PPTX
AWS Security Architecture - Overview
bySai Kesavamatham
 
PPTX
Identity Management with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
PPTX
Cloud Computing and the Next-Generation of Enterprise Architecture - Cloud Co...
byStuart Charlton
 
PPTX
F5 Application Services Reference Architecture (Audio)
byF5 Networks
 
PPTX
Cloud reference architecture as per nist
bygaurav jain
 
PDF
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
PDF
Intro to Cloud Computing in the Federal Government
byIntel Corporation
 
PDF
Simple cloud reference architecture
byDaeMyung Kang
 
IBM Security Identity & Access Manager
byIBM Sverige
 
Oracle Cloud Reference Architecture
byBob Rhubart
 
PCI Compliance and Cloud Reference Architecture
byHyTrust
 
Security Building Blocks of the IBM Cloud Computing Reference Architecture
byStefaan Van daele
 
Extending Active Directory to Box for Seamless IT Management
byOkta-Inc
 
NIST Cloud Computing Reference Architecture
byThanakrit Lersmethasakul
 
Open icf (open identity connector framework) @ forgerock deutsch
byHanns Nolan
 
Mobile security-reference-architecture
byVishal Sharma
 
Reference Architecture for Data Loss Prevention in the Cloud
byNetskope
 
The Enterprise Reference Architecture and Tools
bySoftware Park Thailand
 
The F5 DDoS Protection Reference Architecture (Technical White Paper)
byF5 Networks
 
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
AWS Security Architecture - Overview
bySai Kesavamatham
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
Cloud Computing and the Next-Generation of Enterprise Architecture - Cloud Co...
byStuart Charlton
 
F5 Application Services Reference Architecture (Audio)
byF5 Networks
 
Cloud reference architecture as per nist
bygaurav jain
 
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
Intro to Cloud Computing in the Federal Government
byIntel Corporation
 
Simple cloud reference architecture
byDaeMyung Kang
 

Similar to Rethink cloud security to get ahead of the risk curve by kurt johnson, vice president of strategy and corporate development courion corporation

PPT
Building an Effective Identity Management Strategy
byNetIQ
 
PDF
Security Awareness Training
byDaniel P Wallace
 
PDF
Optimizing Identity and Access Management (IAM) Frameworks
byArab Federation for Digital Economy
 
PPTX
Combating "Smash and Grab" Hacking with Tripwire Cybercrime Controls
byTripwire
 
PPTX
Sw keynote
bygueste69f645
 
PPTX
Information and Identity Protection - Data Loss Prevention, Encryption, User ...
bySymantec APJ
 
PPTX
Gainful Information Security 2012 services
byCade Zvavanjanja
 
PPTX
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
PDF
Oracle tech fmw-05-idm-neum-16.04.2010
byOracle BH
 
PPT
PCTY 2012, IBM Security and Strategy v. Fabio Panada
byIBM Danmark
 
PDF
Keynote oracle entitlement-driven idm
byNormand Sauve
 
PDF
Od webcast-cloud-fraud final
byOracleIDM
 
PDF
Enterprise Strategy for Cloud Security
byBob Rhubart
 
PPTX
Extending security in the cloud network box - v4
byValencell, Inc.
 
PPTX
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
byResilient Systems
 
PPTX
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
PPTX
Information Systems Policy
byAli Sadhik Shaik
 
PDF
Identity and Access Intelligence
byTim Bell
 
PPTX
People are the biggest risk
byEvan Francen
 
PPTX
Why physical security just isn’t enough, Sending the heavies into virtualized...
byGlobal Business Events - the Heart of your Network.
 
Building an Effective Identity Management Strategy
byNetIQ
 
Security Awareness Training
byDaniel P Wallace
 
Optimizing Identity and Access Management (IAM) Frameworks
byArab Federation for Digital Economy
 
Combating "Smash and Grab" Hacking with Tripwire Cybercrime Controls
byTripwire
 
Sw keynote
bygueste69f645
 
Information and Identity Protection - Data Loss Prevention, Encryption, User ...
bySymantec APJ
 
Gainful Information Security 2012 services
byCade Zvavanjanja
 
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
Oracle tech fmw-05-idm-neum-16.04.2010
byOracle BH
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
byIBM Danmark
 
Keynote oracle entitlement-driven idm
byNormand Sauve
 
Od webcast-cloud-fraud final
byOracleIDM
 
Enterprise Strategy for Cloud Security
byBob Rhubart
 
Extending security in the cloud network box - v4
byValencell, Inc.
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
byResilient Systems
 
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
Information Systems Policy
byAli Sadhik Shaik
 
Identity and Access Intelligence
byTim Bell
 
People are the biggest risk
byEvan Francen
 
Why physical security just isn’t enough, Sending the heavies into virtualized...
byGlobal Business Events - the Heart of your Network.
 

More from Khazret Sapenov

PDF
Regulatory compliant cloud computing rethinking web application architectures...
byKhazret Sapenov
 
PPTX
Up 2012 wally mac dermid - final
byKhazret Sapenov
 
PPTX
Future of cloud up presentation m_dawson
byKhazret Sapenov
 
PPTX
Taking control of bring your own device byod with desktops as a service (daa ...
byKhazret Sapenov
 
PPTX
Glenn solomon up presso d 3.pptx
byKhazret Sapenov
 
PDF
Up 2012 smart cloud presentation_final
byKhazret Sapenov
 
PPTX
Efrat ip up con 2012 presentation
byKhazret Sapenov
 
PPTX
Up2012edit daniel chalef
byKhazret Sapenov
 
PDF
Managing application performance for cloud apps bmc
byKhazret Sapenov
 
PDF
Virtual sharp cloud aware bc dr up 2012 cloud
byKhazret Sapenov
 
PPTX
The elephantintheroom bigdataanalyticsinthecloud
byKhazret Sapenov
 
PDF
Decentralized cloud an industrial reality with higher resilience by jean-pa...
byKhazret Sapenov
 
PPTX
V mware evolutionary cloud 12 2012
byKhazret Sapenov
 
PDF
Up 2012 dave jilk - multi-tenancy in paa s (distribution version)
byKhazret Sapenov
 
PDF
Transforming cloud infrastructure to support big data storage and workflows b...
byKhazret Sapenov
 
PPT
Transverse up cloud 2012 - final
byKhazret Sapenov
 
PPTX
Up2012 scaling my sql in the cloud by moshe shadmon, founder, cto scaledb
byKhazret Sapenov
 
PDF
Memsql product overview_2013
byKhazret Sapenov
 
PDF
Green qloud up-con
byKhazret Sapenov
 
PPTX
Making case up
byKhazret Sapenov
 
Regulatory compliant cloud computing rethinking web application architectures...
byKhazret Sapenov
 
Up 2012 wally mac dermid - final
byKhazret Sapenov
 
Future of cloud up presentation m_dawson
byKhazret Sapenov
 
Taking control of bring your own device byod with desktops as a service (daa ...
byKhazret Sapenov
 
Glenn solomon up presso d 3.pptx
byKhazret Sapenov
 
Up 2012 smart cloud presentation_final
byKhazret Sapenov
 
Efrat ip up con 2012 presentation
byKhazret Sapenov
 
Up2012edit daniel chalef
byKhazret Sapenov
 
Managing application performance for cloud apps bmc
byKhazret Sapenov
 
Virtual sharp cloud aware bc dr up 2012 cloud
byKhazret Sapenov
 
The elephantintheroom bigdataanalyticsinthecloud
byKhazret Sapenov
 
Decentralized cloud an industrial reality with higher resilience by jean-pa...
byKhazret Sapenov
 
V mware evolutionary cloud 12 2012
byKhazret Sapenov
 
Up 2012 dave jilk - multi-tenancy in paa s (distribution version)
byKhazret Sapenov
 
Transforming cloud infrastructure to support big data storage and workflows b...
byKhazret Sapenov
 
Transverse up cloud 2012 - final
byKhazret Sapenov
 
Up2012 scaling my sql in the cloud by moshe shadmon, founder, cto scaledb
byKhazret Sapenov
 
Memsql product overview_2013
byKhazret Sapenov
 
Green qloud up-con
byKhazret Sapenov
 
Making case up
byKhazret Sapenov
 

Rethink cloud security to get ahead of the risk curve by kurt johnson, vice president of strategy and corporate development courion corporation

  • 1.
    Rethink Managing AccessSecurity Risk in the Cloud Dave Fowler Chief Operating Officer Courion Corporation CONFIDENTIAL
  • 2.
    How Secure ismy Cloud? CONFIDENTIAL
  • 3.
    Security a MajorConcern CONFIDENTIAL
  • 4.
  • 5.
    Top Internal/External AuditFindings Source: 2010 Deloitte Global Security Survey, Financial Services CONFIDENTIAL
  • 6.
    Identity and AccessManagement Model Have the Right Ensure the To the Right Access Right People Resources Data Policy-Driven Access Information Systems Resources Assets and are doing the Right Things. CONFIDENTIAL
  • 7.
    Security in aVirtual World CONFIDENTIAL
  • 8.
    Security in aVirtual World CONFIDENTIAL
  • 9.
    IAM Technologies  Provisioning(Granting Access)  Federation (Consolidating 174 million breaches* Identities)  Single Sign On (SSO)  Authentication/Authorization  Privilege Access Management (PAM)  Governance (Compliance with policy/regulations) 2009 2010 2011 CONFIDENTIAL
  • 10.
    The Complexity ofSecuring Information 10s of Thousands of Identities 1000’s of people 1000’s of applications 100’s of millions+ of relationships & resources 100’s of policies & Millions of regulations actions CONFIDENTIAL
  • 11.
    Bad Guys ->Fast… Good Guys -> Slow. Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
  • 12.
    Is the Cloudthe Issue? We are often asked whether “the Cloud” factors into many of the breaches we investigate. The easy answer is “No—not really.” It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud. Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
  • 13.
    Need a differentapproach. CONFIDENTIAL
  • 14.
    Risk Driven Model Risk = Impact X Likelihood  What are the most important assets? • Key Applications? • File Shares? • Identity/Security Information?  Who has access to them?  What kind of access do they have?  How do I know if it is at risk? • Real Time Analysis • Policy • Behavior CONFIDENTIAL
  • 15.
  • 16.
    Architecture for IAMRisk Dashboard & Reporting I&A Intelligence  Threat Detection  Forensics  Analyst Workbench Policy/Rules Engine Notification Service Remediation Service Analytics Engine Identity & Access Warehouse ACCESS INTELLIGENCE ENGINE Identity Rights Policy Resources Activity CONFIDENTIAL
  • 17.
    Security is GreatBUT Risk Matters CONFIDENTIAL
  • 18.
    Managing Risk: AccessIntelligence  Risk as a metric for managing Security  Analytics and Intelligence to monitor in real time  Notification  Contextual Remediation CONFIDENTIAL
  • 19.
    Questions? Dave Fowler Chief Operating Officer info@courion.com Courion Corporation CONFIDENTIAL

Editor's Notes

  • #5 We’re all familiar with the headlines about data breaches
  • #6 Deloitte survey results highlight the need to manage access rights across the enterprise Enforce policy Track user activity Ensure controls are in place
  • #7 What is Access Risk Management? By ensuring that the right people have the right access to the right resources and are doing the right things based on policy, organizations can manage access risk By managing access risk, companies can increase security, demonstrate compliance, improve efficiency and minimize risk to the business Access risk management encompasses traditional IAM (password mgmt, user provisioning) and access governance (role management, compliance mgmt, access certification.)
  • #11 The challenge organizations face is the volume of identities and access requirements that need to be managed An organization with thousands of employees is going to have tens of thousands of identities (aka multiple identities for each individual) These identities are going to have access to hundreds or thousands of apps in the enterprise (and in the cloud) Organizations will have tens of thousands of file shares that present access challenges All of these identity and access requirements equate to millions of relationships that need to be managed – none of which are static and will change constantly.
  • #12 And when the door is open the bad guys are much faster in exploiting it than we tend to be recognizing it.2012 Data Breach Investigations ReportIt’s a busy slide but it shows the direct and inverse correlation betweenThe rapid speed in which the bad guys can compromise our layered defenses and exfiltrate valuable information or compromise key processes ANDThis is measured in minutes and hrsThe glacial speed in which we realize what’s happening and do something about it.This is measure in weeks and months to never.
  • #13 There are other ways to get access to information. Case of the stolen information based on breaching the physical building with a tie.But the cloud opens up more assets being managed and accessed by more people in multiple locations. Which opens up more opportunities for information to be compromised either on purpose or accidently.
  • #19 How much performance?Deloitte’s Kelly Bissell said nothing will support their custom applications with 47M relationships.We are managing 800M in real time.