cloud security: accelerating cloud adoption
TRANSCRIPT
MT 37 Cloud SecurityAccelerating Cloud Adoption
Here’s How It Sometimes Goes
• Someone says “Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Let’s do cloud!”– And what they mean is usually public cloud
• So a cloud initiative is created
• The security function, if they are consulted at all, has to catch up as this is often a done deal longbefore security is considered
Another Way It Sometimes Goes• Someone says
“Hey! Cloud is faster. Cloud is less expensive. Cloud is easier. Let’s do cloud!”
• But someone else says “Wait! What about security!Do we really want to put our <important appsand data> in someone else’s data center?”
• And the security function gets blamed for saying“no” and standing in the way of “business processinnovation”.
– Or the security function says “no”, everybody pauses,and then says “Let’s do it anyway!”
Yet Another Way It Sometimes Goes
• CEO or CFO suddenly “notices” public cloud spend
o Gets a bill from a provider
o Sees a number of expenses from same place
• Says “Wow! Why are we spending so much on cloud?”
o Then comes a phase where the company creates an intentional strategy about using cloud
• Again, the security function mustcatch up to what has happened
Either Way, You Are Not Alone
• Security is one of the biggest challenges in the transition into cloudo Added on as an afterthought
o Or treated as a roadblock
• This presentation:o Talks about how clients adopt cloud
– Five phases of adoption
– Things to consider at each phase
– When you’re too big for cloud
o Discusses the shared security responsibility model
o How you should manage your cloud security– Do it yourself
– Get help
The Five Stages of Cloud Adoption
Virtualized datacenters, but no active plan for 3rd-party cloud
Recognition of need for plan, but not there yet. Plan in development
Active projects to move individual workstreams to cloud, often for new internally-developed applications. No formal security architecture yet
Design for cloud as primary or exclusive datacenter. Accompanied by a thought-out security strategy
Cloud does not offer cost savings at massive scale
Likelihood of Shadow IT
Two Epiphanies
1
2
• “Hey, we’re spending a lot on cloud already – we should have a plan.”
• “Hey, this cloud really delivers a lot of advantages. We should have a plan.”
• “Hey, we’re spending so much on cloud and we’re not really seeing the savings we expected. Maybe we should bring this back in house?”
• Relatively few organizations will get here.
Things to Think About At Each Phase
Plan• Create a security reference architecture for your cloud presence
• Select multiple cloud providers and evaluate their security approaches & their terms
• Create a governance model for what data is allowed in the cloud and what is not
Transition• Reconsider the architecture of your applications (forklift v. redesign)
• Test your applications once they’re in cloud (pen test, red team)
• Extend your security operations model (scanning, patching) to include cloud
Dept/Dev• You generally care about the same security controls in cloud as in traditional data center
• Consider how your security model needs to change in response to cloud (pets v. cattle)
• Consider incident response planning and/or retainer
All-In• Your security operational model must be fully implemented in this phase
• Forensics readiness is very important – will you know what to do if there’s an incident
Too Big• Security for pets v. Security for cattle
• Incident Response and Threat Intelligence become even more critical here
Shared Security Responsibility Model
What This Means
• Cloud Providers generally have excellent cloud infrastructure security
o It is designed to protect THEM; it is NOT DESIGNED to protect YOU
• Security of YOUR application and YOUR data in the cloud is YOUR responsibility
• If you put an unpatched Windows server on a public IP address in a well-defended public cloud, it will be compromised in seconds
How to Manage Your Cloud Security – Option A
• Public cloud security infrastructure MUST be managed and monitored just like anything else.
• You can certainly do it yourself
• 10 things to consider:…
Security in Public Clouds: 10 Things To Consider
1. Make sure you understand where your provider's responsibilities end and yours begin. Understand
how your service provide is willing to work with you. Understand the role they play in your operational
security. Understand their security & limits on their liability.
2. Make sure you have the right to audit your environment.
3. Make sure your data and applications are mobile and not locked into a proprietary format.
4. Make sure you have a method for retrieving/removing your application(s) and data.
5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider
does not have keys.
6. Monitor everything -- server activity, user activity, device activity, data in motion.
7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your
existing systems for increased user adoption and lower management costs.
8. Back up your data and applications regularly – when it’s gone in cloud, it’s gone forever.
9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be
harder.
10. Ensure that you budget for your security infrastructure. Don’t get surprised by unexpected compute,
storage, or network transfer costs associated with your security infrastructure.
How to Manage Your Cloud Security – Option B
Incident ManagementManaged Security Security and Risk Consulting
Managed Vulnerability
& Web App Scanning
Managed Network IPS
Security Design &
Architecture Service
Cloud Security
Strategy & Risk
Assessment
Incident Management
Retainer
Penetration Tests
WASA for Cloud
Web API Testing
Cloud Vendor
Security Assessment
Advanced Penetration
Tests
Remote Red Team
PCI, HIPAA, GLBA,
FISMA, EI3PA
Emergency Incident
Response
Monitored Firewall
Monitored WAF
Monitored Elastic
Server Group Logs
ResourcesBrowse:• dell.com/security• powermore.dell.com • Secureworks.com
Watch:Dell YouTube Channel
Interact:@DellSecurity@DellSecureWorks
Thanks!