The document presents insights from Moshe Ferber on pitching cloud services to security professionals, emphasizing the importance of understanding the perspectives of various stakeholders such as CIOs, CFOs, and CISOs. Key points include the shared responsibility of security in the cloud, the need for transparency and competency in communication, and the alignment of security practices with customer sectors. Additionally, it stresses proactive security measures, understanding cloud threats, and the significance of integrating security throughout the software lifecycle.

1. Pitching cloud services
to security folks
Moshe Ferber, CCSK
 Onlinecloudsec.com
Surviving the Lion’s den…

2. About
 Information security professional for over 20 years
 Working on cloud strategy with the world largest software vendors
 Founded Cloud7, Managed Security Services provider (currently
2bsecure cloud services)
 Partner at Clarisite – Your customer’s eye view
 Partner at FortyCloud – Make your public cloud private
 Member of the board at Macshava Tova – Narrowing societal gaps
 Certified CCSK instructor for the Cloud Security Alliance.
 Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter

3. Cloud Computing
How the CIO see it?

4. Cloud Computing
How the End-user see it?

5. Cloud Computing
How the CFO see it?

6. Cloud Computing
And how the CISO see it?

7. Mistakes Cloud provider do #1

8. Mistakes Cloud provider do #2

9. Mistakes Cloud provider do #3

10. Mistakes Cloud provider do #4

11. What else ciso’s don’t like

12. AgilityAgility
What do you say… And how the CISO understand it

13. ScalabilityScalability
What do you say… And how the CISO understand it

14. ComplianceCompliance
What you say? How the CISO understand it

15. ManageabilityManageability
What do you say… And how the CISO understand it

16. ReliabilityReliability
What do you say… And how the CISO understand it

17. So what is the ciso looking for?

18. So, how do we create trust?
1.
Transparency
2.
Competency

19. Transparency

20. Transparency #1 takeout
Security in the cloud is a shared
responsibility
Source: Trend Micro Blog

21. Transparency #2 Security Policy
Security Policy is mandatory, it should contain all
aspects of how you protect your customers data.

22. Transparency #3 Audits
Don’t run away from security audits

23. Competency
Skill Design Governance

24. Skill
• Make sure your sales / pre-sales
understand cloud security.
• Understand the standards and
regulation relevant to your sector.

25. Skill #2
• Make your security building block
tangible to the customers.
Monitoring and
Incident management
Application Security
Data Security
Infrastructure Security
Data Center Security

26. Understand Cloud threats & Risks
Threat RISK
Losing
Money
Theft Unsecure
Door
Attack
Vector

27. Cloud Attack vectors
Cloud
attack
vectors
Provider
administration
Management
console
Multi
tenancy &
virtualization
Automation
&
API
Chain of
supply
Side channel
attack
Insecure
instances

28. Understanding controls
Preventive
• Firewall
(Security
Groups)
• Authentication
• Anti Virus
• Guards
Detective
• IDS
• System
monitoring
• Motion
detector
Corrective
• Upgrades &
Patches
• Vulnerability
scanning
Compensatory
• DRP & Backup
• Firewall logs
• Reviews
• Audit &
reconciliation

29. Design
Threat Security Service
Spoofing Authentication
Tampering Digital Signature, Hash
Repudiation Audit Logging
Information
Disclosure
Encryption
Denial of Service Availability
Elevation of
privilege
Authorization
• Integrate security to your
software lifecycle.
• Account for cloud specific
threats.
• Think about separation of
tenants.
• Explore encryption at all layers.
• Think about 3rd party access.

30. Governance
• Most security companies simply
don’t know how to do ongoing
operational security.
• If you are guarding banks data,
you need Banks operational
capabilities.

31. Questions?

32. To wrap things up
Speak your customers lingo
Use good building blocks
Don’t hesitate to be
transparent on your security
controls.
Cloud Security is very much about your
customers market sector.
Be proactive in your security, think
ahead of your customers.

33. Moshe Ferber

 www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
KEEP IN TOUCH
Cloud Security Course Schedule can be find at:
http://www.onlinecloudsec.com/course-schedule