THE CLOUD-CENTRIC FUTURE OF CYBERSECURITY Jim Reavis CEO, Cloud Security Alliance

Post on 20-May-2020


TRANSCRIPT

Page 1

THE CLOUD-CENTRIC FUTURE OF CYBERSECURITY

Jim Reavis, CEO, Cloud Security Alliance

Page 2

ABOUT THE CLOUD SECURITY ALLIANCE

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CLOUD PROVIDER CERTIFICATION – CSA STAR

WE SEE CLOUD AS THE FOUNDATION FOR DIGITAL TRANSFORMATION!

USER CERTIFICATION – CCSK

BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT

RESEARCH AND EDUCATIONAL PROGRAMS

GLOBAL, NOT-FOR-PROFIT ORGANIZATION

Page 3

COPYRIGHT © 2018 CLOUD SECURITY ALLIANCE

OUR COMMUNITY

35+ ACTIVE WORKING GROUPS

2009 CSA FOUNDED

SINGAPORE // ASIA PACIFIC HEADQUARTERS

EDINBURGH // EMEA HEADQUARTERS (VIRTUAL)

SEATTLE/BELLINGHAM, WA // AMERICAS HEADQUARTERS

90,000+ INDIVIDUAL MEMBERS

400+ CORPORATE MEMBERS

80+ CHAPTERS

Strategic partnerships with governments, research institutions, professional associations and industry

CSA research is FREE!

Page 4

Who Belongs to CSA?

• World’s leading cloud providers

• Information security thought leaders

• Over 50 global financial services companies

• End users from finance, insurance, transportation, energy, manufacturing, retail and many more

• Top system integrators and the Big 4

• IT bellwethers

• Leading companies in North America, Europe and Asia

• Trusted advisor to governments around the world

• Thank you China for your support and participation!

Page 5

Looking to the future: Digital Transformation of the Enterprise enabled by Cloud & IoT

• Massive increase in compute

• Cloud Computing is the back end

• Internet of Things is the endpoint

• Compute is Everywhere …

• But, you won’t know where Anything is…

• Devices, software, networks continuously updated

• The enterprise is a virtual, software-defined construct

• Existing security must transform to keep up

Page 6

Security Megatrends for Digital Transformation

• Information security becomes Cybersecurity

  • Not just information protection

  • Safety and availability of critical infrastructure

  • Airbus 380 is a big IoT device

• Security and Privacy work together

• Radical Automation required for scalability

• Artificial Intelligence is the brain managing the digital enterprise

• Blockchain provides the trusted language & rules: Worldwide Ledger of Trust

• Cloud & Autonomics orchestrate IoT (Fog)

Page 7

Cybersecurity is the Critical Investment

• Protect the brand

• Stay compliant

  • GDPR fines 20M Euros or 4% worldwide revenue

• Stay out of trouble

  • Ransomware damage costs predicted to hit $11.5B by 2019 (source Cybersecurity Ventures)

• Unleash opportunities

  • What new business is possible if you can be secure anywhere, anytime?

• But, cybersecurity needs to be “on demand” to enable the agile digital enterprise…

Page 8

How Cybersecurity is Delivered

• Continuous Encryption: reduce the “plaintext” window of exposure

• Identity Mgt beyond the human to all entities

• Software Defined Perimeter

• DevSecOps automates the Cloud-Native Security

• AI/Machine learning to scale up

• Cloud becomes the dominant compute and cybersecurity platform

  • Secure enclaves, Trusted execution environments, Virtual Private Clouds

• Security as a Service

Page 9

Today: Understand the Cloud Security Focus

1. Layered Cloud Model

INFRASTRUCTURE AS A SERVICE

PLATFORM AS A SERVICE

SOFTWARE AS A SERVICE

(Figure: layered cloud model, IaaS / PaaS / SaaS; annotations: “Larger number of vendors for vetting” and “Greater technical security control implementation responsibility”)

2. Shared Responsibility

3. Impact to Security Program

Page 10

Case Study: Building a 100% Cloud-based Bank

• Medium-sized bank

• Mission: “Bank in the Public Cloud”

• Combination legacy app migration and new cloud apps

• Introduced concept of “Virtual Enclaves”

• Implementation vetted by regulators

Page 11

Bank high level implementation

• Implemented in AWS & Azure clouds “Virtual Enclave” Architecture (Could have used other Cloud Providers)

• Key components

  • CSP Virtual Private Clouds / SDN tools

  • CSA Software Defined Perimeter (“Enclave Perimeters”)

  • Hardware Security Module (HSM) for key access

  • Multiple Availability Zones / DCs / Regions

  • “Continuous Encryption” - shrink plaintext window

  • “Immutable Containers” – virtually tamper proof (DevOps)

Page 12

Bank High Level Implementation

Integrated Cloud Security and Architecture with SDP

• Perimeter Security: Strong User Authentication; Active Directory; WAF, F/W, IPS, IDS, DDoS

• Forensics Preservation: Ready Incident Response

• Threat Monitoring: Machine Learning, UBA

• Resilient Operations: Continuous Encryption; Continuous Monitoring; Highly Granular Access Control

• Governance, Risk and Compliance: Continuous Compliance Monitoring

Page 13

Strong hierarchical Admin security

Page 14

Immutable Container Pipeline

Page 15

Software Defined Perimeter

• Architecture for creating highly secure and trusted end-to-end networks

• BYOD and Internet of Things

• Secure app-layer virtual private clouds

• Make network “dark” until entity is authenticated

• Create dynamic perimeters around clients, applications and hosts

• Complementary to Software Defined Networks (SDN)

• https://cloudsecurityalliance.org/research/sdp
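To make the “dark until authenticated” and “dynamic perimeter” points concrete, here is an added Python model of an SDP-style controller and gateway. It is example code written for this transcript, not CSA’s SDP specification or any reference implementation; the identity store, credentials, service names and the HMAC-signed grant format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed identity store for this example: entity -> (credential, reachable services).
# A real controller would consult the IdP / Active Directory named on the bank slides.
IDENTITIES = {
    "alice@bank.example": ("alice-secret", {"ledger-api", "reports"}),
    "batch-job-42": ("job42-secret", {"ledger-api"}),
}
TOKEN_TTL = 60  # seconds; short-lived grants are what make the perimeter dynamic


class Controller:
    """Authenticates an entity (user, workload or device) and issues a signed grant."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)

    def sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, entity, credential, mfa_ok, now):
        cred, services = IDENTITIES.get(entity, (None, set()))
        if cred is None or not mfa_ok or not hmac.compare_digest(cred, credential):
            return None  # unknown entity, wrong secret or no MFA: nothing is issued
        payload = f"{entity}|{int(now) + TOKEN_TTL}|{','.join(sorted(services))}"
        return f"{payload}|{self.sign(payload)}"


class Gateway:
    """Fronts the protected services and answers only holders of a valid grant."""

    def __init__(self, controller):
        self.controller = controller  # shares the controller's signing key

    def connect(self, token, service, now):
        # "open" means the connection is authorized. None means the gateway stays
        # silent (no reset, no banner): the service is dark to everyone else.
        parts = token.split("|") if token else []
        if len(parts) != 4:
            return None
        entity, exp, services, tag = parts
        if not hmac.compare_digest(self.controller.sign(f"{entity}|{exp}|{services}"), tag):
            return None  # forged or tampered grant
        if now >= int(exp):
            return None  # expired: the perimeter closes by itself
        if service not in services.split(","):
            return None  # authenticated, but outside this entity's perimeter
        return "open"
```

An unauthenticated probe, a forged grant and an expired grant all get the same silence, which is the property that removes the reconnaissance and unauthenticated-exploit vectors the lessons-learned slide refers to.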

Page 16

Software Defined Perimeter

Page 17

Bank Lessons Learned

• Moving apps between AWS & Azure not seamless, “several months to modify”

• No longer focus on Disaster Recovery

  • Major Clouds “Cannot Fail”

  • Focus on increasing resilience

• CSA’s Software Defined Perimeter key to successful implementation

  • Makes cloud infrastructure invisible

  • Eliminates several threat vectors

• Immutable Containers – even Administrators cannot change

• Continuous deployment is the biggest improvement in software development security

Page 18

Prepare for the Future: Transform your Knowledge

• Master the topics

  • Immutable Workload Design

  • DevSecOps

  • Containerization & Microservices

  • CASB

  • Control inheritance

  • Software Defined Perimeter

  • Much more!

• Certificate of Cloud Security Knowledge (CCSK) can help

  • www.cloudsecurityalliance.org/education/ccsk/

Page 19

Critical (and free) CSA Tools

• Security Guidance

  • Fundamental catalog of cloud security issues and best practices

  • https://cloudsecurityalliance.org/guidance

• Top Threats

  • Analysis of key threats and risks magnified by cloud

  • https://cloudsecurityalliance.org/group/top-threats

• Cloud Controls Matrix (CCM)

  • Popular security controls framework

  • https://cloudsecurityalliance.org/group/cloud-controls-matrix/

• Consensus Assessments Initiative Questionnaire

  • Cloud assessment tool based on CCM

  • https://cloudsecurityalliance.org/group/consensus-assessments/

• CSA Security, Trust & Assurance Registry

  • Repository of cloud provider security assertions

  • https://cloudsecurityalliance.org/star

• GDPR Code of Conduct

  • Compliance tool for providers and customers

  • https://gdpr.cloudsecurityalliance.org/

• Translations as available at www.c-csa.cn

Page 20

Active Research Working Groups

• BLOCKCHAIN/DISTRIBUTED LEDGER

• CLOUD CYBER INCIDENT SHARING

• CLOUD COMPONENT SPECIFICATIONS

• CLOUD CONTROLS MATRIX

• CLOUD SECURITY SERVICES MANAGEMENT

• CONSENSUS ASSESSMENTS

• CONTAINERS AND MICROSERVICES

• ENTERPRISE ARCHITECTURE

• ERP SECURITY

• FINANCIAL SERVICES

• INTERNET OF THINGS

• MOBILE

• OPEN CERTIFICATION

• PRIVACY LEVEL AGREEMENT

• QUANTUM-SAFE SECURITY

• SECURITY AS A SERVICE

• SECURITY GUIDANCE

• SOFTWARE DEFINED PERIMETER

• TOP THREATS

• TAKEDOWN (EC PROJECT)

• MAST (APAC) / STRATUS PROJECT

Page 21

https://cloudsecurityalliance.org/

Contact CSA

Email: [email protected]

Twitter: @Cloudsa

Site: www.cloudsecurityalliance.org

Thank You!