The Cloud & I,
CISO challenges with the cloud
Moshe Ferber
CCSK, CCSP
When the winds of change blow, some people
build walls and others build windmills.
- Chinese Proverb
About myself
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)
• Founding committee member for ISC2 CCSP certification
• CCSK Certification lecturer for the Cloud Security Alliance
• Member of the board at Macshava Tova – Narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
So, what is cloud?
Cloud Computing
What does the CEO think about it?
Cloud Computing
How does the CFO see it?
Cloud Computing
How does the End-User feel about it?
Cloud Computing
And how does the CISO feel about it?
Everyday Examples
“Moving to cloud will expose our data to foreign governments”
“I've got virtualized servers, so I'm already in the cloud”
“I don’t trust the vendors”
“What about compliance?”
“Our regulator forbids us from moving to the cloud”
“Cloud lacks the visibility we need”
“We use hosting, so we are already in the cloud.”
“We will lose control over our assets”
“And what about the NSA…?”
“Cloud services are not mature enough”
Agility
What you say… And how the CISO understands it
Scalability
What you say… And how the CISO understands it
Compliance
What you say… And how the CISO understands it
Manageability
What you say… And how the CISO understands it
Reliability
What you say… And how the CISO understands it
Multi tenancy
What you say… And how the CISO understands it
And of course, you cannot avoid the big question…
Which is more secure? Cloud or on premise?
Can we define what is more secure?
> <=
Can we define which cloud service?
Cloud provider A Cloud provider B
Does it really matter?
Cloud Services are very different in nature
SaaS
PaaS
IaaS
Private Hybrid Public
The shared responsibility model
Layers:
Physical Security
Network & Data Center Security
Hypervisors Security
Virtual Machines & OS security
Data layer & development platform
Application
Identity Management
DATA
Audit & Monitoring
Service models: IaaS, PaaS, SaaS
Legend: Consumer responsibility, Provider responsibility
So, bottom line, is cloud security improving?
Providers are doing more to increase trust
Improvement with security standards & compliance
Security automation is improving, especially in IaaS/PaaS
Monitoring & auditing are improving
Legal eco-system is getting complicated
Configuration is still open by default, very easy to make mistakes
Increased chances for cloud provider lock-in
Government snooping is increasing
[Slide labels: Technical complexity, Legal complexity]
Cloud challenges vary depending on the market sector
Cloud Focused (Heavy use)
Cloud Adopters (running apps in the cloud)
Cloud Curious (First projects)
Cloud Avoider (Private Cloud adopters)
Sectors shown: National Infrastructure, Startups, Energy, SMB, Hi Tech, Government, Health, Military, Telecom providers, Homeland & Military industries, Utility, Retail, Banks, Financial Services, Industry
The Challenge: Private cloud still has the same attack vectors!
Cloud Attack Vectors:
Provider Administration
Management Console
Multi tenancy & Virtualization
Automation & API
Chain of supply
Side Channel Attack
Insecure Instances
Cloud Avoiders | Cloud Curious | Cloud Adopters | Cloud Focused
The Challenge: Build your Cloud strategy
Cloud Curious | Cloud Avoiders | Cloud Adopters | Cloud Focused
The Challenge: Understand the shared responsibility model
Cloud Curious | Cloud Avoiders | Cloud Adopters | Cloud Focused
The Challenge: Evaluating the providers
Cloud Adopters | Cloud Avoiders | Cloud Curious | Cloud Focused
Copyright © 2015 Cloud Security Alliance
Industry Standards used by Major Cloud Providers
ISO/IEC 27018:2014
Cloud Adopters | Cloud Avoiders | Cloud Curious | Cloud Focused
The Challenge: Look for those abundant applications that can benefit from cloud computing
Cloud Adopters | Cloud Avoiders | Cloud Curious | Cloud Focused
Public Cloud
Integrity Availability
On premise
Confidentiality
Telecom Providers
The Challenge: Building cloud services
Transparency
Certifications
Security operations
Cloud Adopters | Cloud Avoiders | Cloud Curious | Cloud Focused
The Challenge: Managing multiple cloud applications
Governance
Encryption
Identity management
Availability
DLP
Cloud Focused | Cloud Avoiders | Cloud Curious | Cloud Adopters
Startups
The Challenge: Integrating security into your software lifecycle & operations
Monitoring
Static & Dynamic Analysis
Multi Tenancy
DEVOPS
Cloud Focused | Cloud Avoiders | Cloud Curious | Cloud Adopters
To wrap Things Up…
Join CSA Israel Facebook & LinkedIn Forums in order to stay
updated regarding latest technologies and community meetups.
Don’t let security hold you down
Use the right tools
Perform responsible cloud adoption!
KEEP IN TOUCH
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
Questions?

How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdfARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 

The Cloud & I, The CISO challenges with Cloud Computing

  • 1. The Cloud & I, CISO challenges with the cloud Moshe Ferber CCSK, CCSP When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
  • 2. About myself
      • Information security professional for over 20 years
      • Founder, partner and investor at various cyber initiatives and startups
      • Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)
      • Founding committee member for ISC2 CCSP certification.
      • CCSK Certification lecturer for the Cloud Security Alliance.
      • Member of the board at Macshava Tova – Narrowing societal gaps
      • Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  • 3. So, what is cloud?
  • 4. Cloud Computing: What does the CEO think about it?
  • 6. Cloud Computing: How does the end user feel about it?
  • 7. Cloud Computing: And how does the CISO feel about it?
  • 8. Everyday Examples “Moving to cloud will expose our data to foreign governments” “I've got virtualized servers, so I'm already in the cloud” “I don’t trust the vendors” “What about compliance?” “Our regulator forbids us from moving to the cloud” “Cloud lacks the visibility we need” “We use hosting, so we are already in the cloud.” “We will lose control over our assets” “And what about the NSA…?” “Cloud services are not mature enough”
  • 9. Agility: What you say… And how the CISO understands it
  • 10. Scalability: What you say… And how the CISO understands it
  • 11. Compliance: What you say… And how the CISO understands it
  • 12. Manageability: What you say… And how the CISO understands it
  • 13. Reliability: What you say… And how the CISO understands it
  • 14. Multi-tenancy: What you say… And how the CISO understands it
  • 15. And of course, you cannot avoid the big question… Which is more secure? Cloud or on premise?
  • 16. Can we define what is more secure? > <=
  • 17. Can we define which cloud service? Cloud provider A Cloud provider B
  • 18. Does it really matter?
  • 19. Cloud Services are very different in nature SaaS PaaS IaaS Private Hybrid Public
  • 20. The shared responsibility model
      Layers: Physical Security; Network & Data Center Security; Hypervisors Security; Virtual Machines & OS security; Data layer & development platform; Application; Identity Management; DATA; Audit & Monitoring
      Service models: IaaS, PaaS, SaaS
      Legend: Consumer responsibility, Provider responsibility
  • 21. So, bottom line, is cloud security improving?
  • 22. Providers are doing more to increase trust
  • 23. Improvement with security standards & compliance
  • 24. Security automation is improving, especially in IaaS/PaaS
  • 25. Monitoring & auditing are improving
  • 26. Legal eco-system is getting complicated (diagram labels: Technical complexity, Legal complexity)
  • 27. Configuration is still open by default; it is very easy to make mistakes (diagram label: Legal complexity)
  • 28. Increased chances for cloud provider lock-in (diagram label: Legal complexity)
  • 29. Government snooping is increasing (diagram label: Legal complexity)
  • 30. Cloud challenges vary depending on the market sector
      Adoption levels: Cloud Focused (Heavy use); Cloud Adopters (running apps in the cloud); Cloud Curious (First projects); Cloud Avoider (Private Cloud adopters)
      Sectors: National Infrastructure; Startups; Energy; SMB; Hi Tech; Government; Health; Military; Telecom providers; Homeland & Military industries; Utility; Retail; Banks; Financial Services Industry
  • 31. The Challenge: Private cloud still has the same attack vectors! Cloud Attack Vectors: Provider Administration; Management Console; Multi tenancy & Virtualization; Automation & API; Chain of supply; Side Channel Attack; Insecure Instances. Cloud Avoiders Cloud Curious Cloud Adopters Cloud Focused
  • 32. The Challenge: Build your Cloud strategy Cloud Curious Cloud Avoiders Cloud Adopters Cloud Focused
  • 33. The Challenge: Understand the shared responsibility model Cloud Curious Cloud Avoiders Cloud Adopters Cloud Focused
  • 34. The Challenge: Evaluating the providers Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  • 35. Copyright © 2015 Cloud Security Alliance Industry Standards used by Major Cloud Providers ISO/IEC 27018:2014 Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  • 36. The Challenge: Look for those abundant applications that can benefit from cloud computing Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused Public Cloud Integrity Availability On premise Confidentiality
  • 37. Telecom Providers The Challenge: Building cloud services Transparency Certifications Security operations Cloud Adopters Cloud Avoiders Cloud Curious Cloud Focused
  • 38. The Challenge: managing multiple cloud applications Governance Encryption Identity management Availability Cloud Focused Cloud Avoiders Cloud Curious Cloud Adopters DLP
  • 39. Startups The Challenge: Integrating security into your software lifecycle & operations Monitoring Static & Dynamic Analysis Multi Tenancy DEVOPS Cloud Focused Cloud Avoiders Cloud Curious Cloud Adopters
  • 40. To wrap Things Up… Join CSA Israel Facebook & LinkedIn Forums in order to stay updated regarding latest technologies and community meetups. Don’t let security hold you down
  • 41. To wrap Things Up… Join CSA Israel Facebook & LinkedIn Forums in order to stay updated regarding latest technologies and community meetups. Use the right tools
  • 42. To wrap Things Up… Perform responsible cloud adoption!
  • 43. KEEP IN TOUCH Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule

Editor's Notes

  1. The cloud providers AWS and Azure provide a number of compliance certifications. These certifications save time and resources if customers can rely on 3rd party audits by the bodies awarding these certifications (due diligence should be carried out where required). This is not an exhaustive list; there may be more. CCM has been adopted by both Amazon and Microsoft for their IaaS and PaaS services. Microsoft have it for some of their SaaS products such as Office 365 and CRM Dynamics as mentioned earlier. Sources: https://aws.amazon.com/compliance/ and https://azure.microsoft.com/en-us/support/trust-center/compliance/