Staying Secure When Moving to the Cloud - Dave Millier
0 likes•427 views
The document outlines the security challenges and considerations companies face when migrating to the cloud, emphasizing the importance of maintaining visibility and managing user access and permissions. It discusses practical steps to enhance security, such as utilizing cloud provider information, logging activities, and employing the Cloud Security Alliance's controls matrix for vendor evaluations. The author calls for organizations to assess their current visibility and security practices to ensure robust protection during and after the transition to cloud services.
Staying Secure When Moving to the Cloud - Dave Millier
- 1. DON’T LOSE SIGHT! STAYING SECURE WHEN MOVING TO THE CLOUD DAVE MILLIER, CEO UZADO, CSO QUICK INTELLIGENCE, CEO MIDAC SOLUTIONS AUTHOR OF THE SECURITY NOVEL, “BREACHED!”
- 2. AGENDA FOR TODAY • Quick intro to Dave • Security Challenges Moving to the Cloud • Visibility Today • Maintaining Visibility In The Cloud • Cloud Security Alliance Cloud Controls Matrix • Call to Action (yes, this means you!)
- 5. • Serial Entrepreneur, bought and sold 10+ companies over past 20 years • Currently owns 3 IT-related Companies: MIDAC, Qi, Uzado • Sold InfoSec company in 2014 to Robert Herjavec from Shark Tank • Involved in Networking & InfoSec/Cybersecurity for about 25 years • Loves tech! • Loves dirt biking, owns a dirt bike and ATV training school! ABOUT DAVE
- 7. • A lot of people simply don’t understand what the cloud is (or isn’t!) • More companies moving more services to the cloud every day • Migration isn’t always done in a coordinated, well thought-out fashion • Cloud is supposed to streamline things, but getting there isn’t always painless SOME OF THE BIGGEST CHALLENGES
- 8. WHAT ARE THE SECURITY CONSIDERATIONS? • Managing users access, permissions • Protecting our data at rest • Ensuring secure access to data (the right people at the right time) • Knowing who is accessing what when • Understanding where our data will reside (data residency issues)
- 9. VISIBILITY!!! WHAT’S THE CORE FOR MANY OF THESE ITEMS?
- 10. “You can’t manage what you can’t measure.” - Peter Drucker, known as the Founder of Modern Management
- 11. VISIBILITY TODAY • Logs from our servers, network devices, security devices • Logs from our authentication devices / vpn devices • Real-time network monitoring from security tools on the wire • Logs from our applications • Vulnerability scan results from our assets
- 12. • Lack of visibility into what’s happening (can’t always get logs) • Lack of control over users (corporate accounts and permissions don’t usually carry over) • Lack of understanding of what data is being stored where • Data Residency WHAT DO WE LOSE?
- 13. HERE’S ONE SOLUTION – BLOCK ACCESS
- 14. HOSTING PROVIDER VISIBILITY • AWS and other providers give you access to a wealth of security and operational information (AWS CloudTrail for example) • Incorporate the information into your existing data sources • Redesign your incident response process to use these data sources as part of an investigation • Figure out what information you have access to now, and map that to “new” source(s) of information provided by the cloud provider • Make them part of your incident response process!!!
- 15. SECURITY TOOLS VISIBILITY • Virtual appliances (firewalls, IPS, WAF, etc.) - located elsewhere but use the information they provide as you would if it was local • If security is outsourced to hosting provider or to another 3rd party, ensure they have comparable visibility into your new environment as they had before • Providers like CloudCheckr have automated and streamlined the visibility into AWS, leverage the heck out of them!
- 16. USER VISIBILITY • Leverage federated identity management solutions where possible. Less accounts for users, easier to migrate to cloud (assuming provider supports) • Make sure that you maintain visibility into encrypted sessions (who’s logging in from where when, what did they do?) • Determine current levels of user behaviour visibility and try to maintain that level of detail when you move the user workloads to the cloud
- 17. SERVER AND APPLICATION VISIBILITY • Hosted servers still generate logs, collect them if at all possible • Determine what you’re logging on local servers and configure hosted servers the same • Make sure your web apps have proper logging! • Applications need to have proper auditing built in; even if you don’t see the user activity you can recreate sessions with proper app logging • Logging invalid activity just as important (don’t just log what was successful, log what failed!)
- 18. CLOUD SECURITY ALLIANCE • Cloud Controls Matrix • Control framework based on 13 security and operational domains • Foundation is mapped to industry recognized standards and frameworks such as COBIT, ISO 27001/27002, PCI, NIST, NERC CIP, PIPEDA, HIPAA • Tailors Information Security practices to the cloud • Helps companies evaluate cloud vendor security • Helps companies make decisions on their own cloud security requirements
- 19. USING THE CSA MATRIX • Use the matrix to do a self-assessment against your organization, identifying areas of criticality • Use the matrix to perform an evaluation against a potential cloud vendor • Compare results from cloud vendors against your areas of concern/focus • Use gap analysis results to make educated informed decisions. • May address findings by augmenting YOUR security, may choose a different provider, may work with provider to identify potential shortcomings
- 20. DEFENSE IN DEPTH • Don’t rely on a single security solution to protect your cloud deployment • Many virtual firewalls/security devices have A/V and anti-malware scanners built into them, use them! Along with host-based protection you now have multiple controls in place complementing each other, so that even if one of them fails another one can compensate • Each layer of defense should support each other and provide an additional level of protection (“Defense in Depth”)
- 21. WHAT DO YOU NEED TO DO NEXT? • Go back to your office and ask questions • What type of visibility do we have into our systems, our user activity, our security devices, and our applications today? (same question whether locally hosted or already in the cloud) • Have we used the CSA Cloud Controls Matrix to evaluate our vendors/partners? • How do we ensure we keep the same level of visibility we have today in the cloud? • How well do we understand our data, where it resides and what we are doing to protect it? • There are a lot more questions that could be asked, but hopefully this helps get you started!
- 22. FINAL THOUGHT Secure it before you regret it!