cloud security: accelerating cloud adoption

15
MT 37 Cloud Security Accelerating Cloud Adoption

Upload: dell-world

Post on 16-Jan-2017

303 views

Category:

Technology


2 download

TRANSCRIPT

Page 1: Cloud security: Accelerating cloud adoption

MT 37 Cloud SecurityAccelerating Cloud Adoption

Page 2: Cloud security: Accelerating cloud adoption

Here’s How It Sometimes Goes

• Someone says “Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Let’s do cloud!”– And what they mean is usually public cloud

• So a cloud initiative is created

• The security function, if they are consulted at all, has to catch up as this is often a done deal longbefore security is considered

Page 3: Cloud security: Accelerating cloud adoption

Another Way It Sometimes Goes• Someone says

“Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Let’s do cloud!”

• But someone else says “Wait! What about security!Do we really want to put our <important appsand data> in someone else’s data center?”

• And the security function gets blamed for saying“no” and standing in the way of “business processinnovation”.

– Or the security function says “no”, everybody pauses,and then says “Let’s do it anyway!”

Page 4: Cloud security: Accelerating cloud adoption

Yet Another Way It Sometimes Goes

• CEO or CFO suddenly “notices” public cloud spend

o Gets a bill from a provider

o Sees a number of expenses from same place

• Says “Wow! Why are we spending so much on cloud?”

o Then comes a phase where the company creates an intentional strategy about using cloud

• Again, the security function mustcatch up to what has happened

Page 5: Cloud security: Accelerating cloud adoption

Either Way, You Are Not Alone

• Security is one of the biggest challenges in the transition into cloudo Added on as an afterthought

o Or treated as a roadblock

• This presentation:o Talks about how clients adopt cloud

– Five phases of adoption

– Things to consider at each phase

– When you’re too big for cloud

o Discusses the shared security responsibility model

o How you should manage your cloud security– Do it yourself

– Get help

Page 6: Cloud security: Accelerating cloud adoption

The Five Stages of Cloud Adoption

Virtualized datacenters, but no active plan for 3rd-party cloud

Recognition of need for plan, but not there yet. Plan in development

Active projects to move individual workstreams to cloud, often for new internally-developed applications. No formal security architecture yet

Design for cloud as primary or exclusive datacenter. Accompanied by a thought-out security strategy

Cloud does not offer cost savings at massive scale

Likelihood of Shadow IT

Page 7: Cloud security: Accelerating cloud adoption

Two Epiphanies

1

2

• “Hey, we’re spending a lot on cloud already – we should have a plan.”

• “Hey, this cloud really delivers a lot of advantages. We should have a plan.”

• “Hey, we’re spending so much on cloud and we’re not really seeing the savings we expected. Maybe we should bring this back in house?”

• Relatively few organizations will get here.

Page 8: Cloud security: Accelerating cloud adoption

Things to Think About At Each Phase

Plan• Create a security reference architecture for your cloud presence

• Select multiple cloud providers and evaluate their security approaches & their terms

• Create a governance model for what data is allowed in the cloud and what is not

Transition• Reconsider the architecture of your applications (forklift v. redesign)

• Test your applications once they’re in cloud (pen test, red team)

• Extend your security operations model (scanning, patching) to include cloud

Dept/Dev• You generally care about the same security controls in cloud as in traditional data center

• Consider how your security model needs to change in response to cloud (pets v. cattle)

• Consider incident response planning and/or retainer

All-In• Your security operational model must be fully implemented in this phase

• Forensics readiness is very important – will you know what to do if there’s an incident

Too Big• Security for pets v. Security for cattle

• Incident Response and Threat Intelligence become even more critical here

Page 9: Cloud security: Accelerating cloud adoption

Shared Security Responsibility Model

Page 10: Cloud security: Accelerating cloud adoption

What This Means

• Cloud Providers generally have excellent cloud infrastructure security

o It is designed to protect THEM; it is NOT DESIGNED to protect YOU

• Security of YOUR application and YOUR data in the cloud is YOUR responsibility

• If you put an unpatched Windows server on a public IP address in a well-defended public cloud, it will be compromised in seconds

Page 11: Cloud security: Accelerating cloud adoption

How to Manage Your Cloud Security – Option A

• Public cloud security infrastructure MUST be managed and monitored just like anything else.

• You can certainly do it yourself

• 10 things to consider:…

Page 12: Cloud security: Accelerating cloud adoption

Security in Public Clouds: 10 Things To Consider

1. Make sure you understand where your provider's responsibilities end and yours begin. Understand

how your service provide is willing to work with you. Understand the role they play in your operational

security. Understand their security & limits on their liability.

2. Make sure you have the right to audit your environment.

3. Make sure your data and applications are mobile and not locked into a proprietary format.

4. Make sure you have a method for retrieving/removing your application(s) and data.

5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider

does not have keys.

6. Monitor everything -- server activity, user activity, device activity, data in motion.

7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your

existing systems for increased user adoption and lower management costs.

8. Back up your data and applications regularly – when it’s gone in cloud, it’s gone forever.

9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be

harder.

10. Ensure that you budget for your security infrastructure. Don’t get surprised by unexpected compute,

storage, or network transfer costs associated with your security infrastructure.

Page 13: Cloud security: Accelerating cloud adoption

How to Manage Your Cloud Security – Option B

Incident ManagementManaged Security Security and Risk Consulting

Managed Vulnerability

& Web App Scanning

Managed Network IPS

Security Design &

Architecture Service

Cloud Security

Strategy & Risk

Assessment

Incident Management

Retainer

Penetration Tests

WASA for Cloud

Web API Testing

Cloud Vendor

Security Assessment

Advanced Penetration

Tests

Remote Red Team

PCI, HIPAA, GLBA,

FISMA, EI3PA

Emergency Incident

Response

Monitored Firewall

Monitored WAF

Monitored Elastic

Server Group Logs

Page 14: Cloud security: Accelerating cloud adoption

ResourcesBrowse:• dell.com/security• powermore.dell.com • Secureworks.com

Watch:Dell YouTube Channel

Interact:@DellSecurity@DellSecureWorks

Page 15: Cloud security: Accelerating cloud adoption

Thanks!