AI, Cloud & Modern Workplace
Conference 2024
15, 16 & 17 February , Online Conference
https://aicmwc.azurewebsites.net
AI, Cloud & Modern
Workplace Conference 2024
16, 17 & 18 February , Online Conference
Red flags and attention points in cloud
security audit
Watch the security gates
15 February 2024 , 21:00 P.M. (GMT+2)
Peter GEELEN
MVP Security (Identity & Access)
https://www.linkedin.com/in/pgeelen/
Important to know: Security = PPT
• PPT
• People
• Process
• Technology
Security across the company
• Strategic (CxO)
• Tactical (Dept.)
• Operational
Management team tasks
• Accountability
• Planning
• Resources
• Operations
• Performance
• Continuous improvement
[Figure: repeated Plan, Do, Check, Act cycles; security improvement plotted over time]
Security controls
• Asset management
• Identity & access management
• System & network security
• Secure configuration & baseline
• Physical security
• Threat and vulnerability management
• Application security
• Policies & procedures
• Documentation
• HR security
• Supplier Management
• Incident management
• Business continuity
• Disaster recovery
Security is a process, continuously changing (three phases)
• 1. In: few tasks, simple
• 2. Change: important volume of tasks, dependent tasks, balance from one to another
• 3. Out: lots of tasks, lengthy, complex, legal impact, possible reactivation, uniqueness conflicts
How are you doing?
How is your customer or supplier doing?
Monitoring or Audit: what’s the difference ?
Monitoring
• Performance check
• Continuous (or high frequency)
• By Owner
Audit
• Compliance check
• Regular intervals (lower frequency)
• Independent from owner
Audit types
• 1st party (internal audit)
• 2nd party
• Customer > supplier
• Supplier > customer
• 3rd party
• external
Audit types : internal audit
• Self-validation (Auditing within company)
• No publication to external parties
• No certificate
Audit types : 2nd party audit (mutual)
• Commercial interest first
• Contractual dependence
• Due diligence
• Mutual interest
• Customer checking (potential) supplier
• Supplier checking (potential) customer, eg before onboarding
• Delegation / verification of compliance
• Verification if delegated tasks are done correctly
Audit types : 3rd party audit (external)
• Independence between parties
• Auditor vs customer
• No combination of consulting & audit allowed
• Segregation of duties
• Official certificate
• Published
• Available to external parties
Audit main principles
• Snapshot of situation
• Quick estimation of situation
• Risk based
• Solution based, continuous improvement
Some hands-on experience to stay out of trouble
… detecting the red flags
1. First login with god mode
• First login
• First administrator
• Full power
• God mode
Solution
• Create special admin account
• No mail, enable MFA
2. User ID and password
• Typically personal account
• User ID (a mail address) … and just a password
Solution
• MFA
• Hardware tokens
• Passkeys (MFA next gen)
3. Default groups
• Azure Groups
• Large volume of Azure and M365 Roles
Solution
• Avoid the use of default groups
• Task based access, granular control
• Only use default groups when no other option left
4. Ad-hoc (eh..no) Identity Management
• Manual management
• No process
• User duplication from existing users
Solution
• Setup basic IDM (identity mgmt)
• Setup IAM (identity and access mgmt)
• 1. In (start of identity): hire, onboarding, provisioning, create, begin, ...
• 2. Change (of identity): move, promotion, update, maintenance, operations, ...
• 3. Out (end-of-life): fire, termination, end-of-contract, deprovisioning, revocation, delete, ...
5. No process management
• Manual management
• No process owner
• No process
• No idea how data flows
• No idea on changes
Solution
• Use basic process definitions
• Check ISO9001
6. All-in-one account
• User account = admin account
• Mail enabled
• Used for office and admin tasks
Solution
• Account separation
• Segregation of duties
• Separate logins for users and administrators
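The three account red flags above (the initial "god mode" administrator still in daily use, user id plus password only, and admin roles on the same account used for office work) can be checked mechanically over a directory export. The following is an added example, not code from the presentation: the Account fields, the rule ids and the sample tenant are assumptions made for illustration, and a real run would fill the rows from an export of the identity provider.

```python
"""Identity red-flag check over a constructed directory export.

Added illustration, not code from the presentation. The Account fields,
the rule ids and the sample tenant are assumptions; in practice the rows
come from an export of the identity provider.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Registered methods that count as a second factor; "password" alone does not.
SECOND_FACTORS = {"authenticator_app", "sms", "fido2", "passkey", "hardware_token"}


@dataclass(frozen=True)
class Account:
    upn: str
    admin_roles: Tuple[str, ...]   # directory roles held; empty for plain users
    mail_enabled: bool             # has a mailbox, so it receives (phishing) mail
    auth_methods: Tuple[str, ...]  # registered authentication methods
    daily_office_use: bool         # used for mail, chat and documents
    first_admin: bool              # the account that set the tenant up


Finding = Tuple[str, str, str]  # (upn, rule id, explanation)


def audit_account(acct: Account) -> List[Finding]:
    """Apply the red-flag rules from slides 1, 2 and 6 to one account."""
    findings: List[Finding] = []
    # Red flag 1: the initial "god mode" administrator is still a working account.
    if acct.first_admin and (acct.mail_enabled or acct.daily_office_use):
        findings.append((acct.upn, "RF1-god-mode",
                         "initial tenant administrator is mail-enabled or in daily use"))
    # Red flag 2: user id and password only, no second factor registered.
    if not (set(acct.auth_methods) & SECOND_FACTORS):
        findings.append((acct.upn, "RF2-password-only",
                         "no second factor registered"))
    # Red flag 6: admin roles on the same account that does office work.
    if acct.admin_roles and (acct.mail_enabled or acct.daily_office_use):
        findings.append((acct.upn, "RF6-all-in-one",
                         "admin roles on a mail-enabled or daily-use account: "
                         + ", ".join(acct.admin_roles)))
    return findings


def audit_tenant(accounts: List[Account]) -> List[Finding]:
    """Run every account through the rules and return all findings."""
    return [f for acct in accounts for f in audit_account(acct)]


# Constructed sample tenant (made up for this example).
SAMPLE_TENANT = [
    Account("first.admin@contoso.example", ("Global Administrator",),
            True, ("password",), True, True),
    Account("alice@contoso.example", (), True,
            ("password", "authenticator_app"), True, False),
    Account("adm-bob@contoso.example", ("User Administrator",), False,
            ("password", "fido2"), False, False),
    Account("carol@contoso.example", ("Exchange Administrator",), True,
            ("password", "sms"), True, False),
]

if __name__ == "__main__":
    for upn, rule, why in audit_tenant(SAMPLE_TENANT):
        print(f"{rule:20} {upn:30} {why}")
```

In the sample, only the separated, mail-less, FIDO2-protected `adm-bob` account passes cleanly; the first administrator trips all three rules and `carol` shows the all-in-one pattern even though she has MFA, which is why the rules are kept independent rather than collapsed into one score.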
7. All-in-one desktop
• Login account = local admin account
• Full access
• …
Solution
• Daily operations as user
• Admin for specific access
8. RDP remote access
• RDP to Azure
• …
Solution
• Bastion host
9. One network
• One network
• Direct connections to Azure
• No segmentation (neither in Azure nor on the physical network)
Solution
• Segmentation
• Firewalls on every host and every network
10. One-time configuration
• One configuration fixed at first configuration
• But once set, never reset …
• No review
• No IDM cycle
Solution: check...
• Every time a new configuration is made
• During changes
• Check regularly (put it on your agenda)
• Use IDM (lifecycle)
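The "set once, never reset" flag and the missing process owner from slide 5 both come down to the same question: is there a date, a person and a lifecycle state attached to every configuration item? The following is an added example, not code from the presentation: ConfigItem, the 90-day review interval, the rule ids and the sample inventory are assumptions, and a real run would read the items from the change register and the identity states from the HR feed.

```python
"""Configuration and identity lifecycle review check over constructed data.

Added illustration, not code from the presentation. ConfigItem, the
review interval, the rule ids and the sample inventory are assumptions;
a real run would read them from the change register and the HR feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence; adjust to policy


@dataclass(frozen=True)
class ConfigItem:
    name: str
    owner: Optional[str]            # process owner; None if nobody is accountable
    created: date
    last_reviewed: Optional[date]   # None means "set once, never looked at again"
    bound_identity: Optional[str] = None  # identity the item grants something to


Finding = Tuple[str, str, str]  # (item name, rule id, explanation)


def review_item(item: ConfigItem, identity_status: Dict[str, str],
                today: date) -> List[Finding]:
    """Apply the review and lifecycle rules to one configuration item."""
    findings: List[Finding] = []
    # Red flag 5: no process owner, so nobody will ever put the review on an agenda.
    if item.owner is None:
        findings.append((item.name, "no-owner", "no process owner assigned"))
    # Red flag 10: configured once at setup and never reviewed since.
    if item.last_reviewed is None:
        age = (today - item.created).days
        findings.append((item.name, "never-reviewed",
                         f"unreviewed since creation {age} days ago"))
    elif today - item.last_reviewed > REVIEW_INTERVAL:
        overdue = (today - item.last_reviewed - REVIEW_INTERVAL).days
        findings.append((item.name, "review-overdue",
                         f"last review {overdue} days past the interval"))
    # IDM "Out" phase: the identity left but the access bound to it was never deprovisioned.
    if item.bound_identity and identity_status.get(item.bound_identity) != "active":
        status = identity_status.get(item.bound_identity, "unknown")
        findings.append((item.name, "leaver-still-assigned",
                         f"bound to identity with status '{status}'"))
    return findings


def review_inventory(items: List[ConfigItem], identity_status: Dict[str, str],
                     today: date) -> List[Finding]:
    """Run every item through the rules; `today` is a parameter so runs are reproducible."""
    return [f for item in items for f in review_item(item, identity_status, today)]


# Constructed sample inventory (made up for this example).
SAMPLE_ITEMS = [
    ConfigItem("ca-policy-require-mfa", "sec-team", date(2023, 1, 10), date(2024, 1, 15)),
    ConfigItem("nsg-rule-rdp-from-internet", None, date(2022, 6, 1), None),
    ConfigItem("role-globaladmin-contractor", "it-ops", date(2023, 3, 1), date(2023, 9, 1),
               "contractor.x@contoso.example"),
    ConfigItem("vnet-peering-prod-dev", "net-team", date(2023, 11, 1), date(2023, 12, 1)),
]
# Identity states as the HR / IDM feed would report them (constructed).
SAMPLE_IDENTITY_STATUS = {
    "contractor.x@contoso.example": "terminated",
}

if __name__ == "__main__":
    for name, rule, why in review_inventory(SAMPLE_ITEMS, SAMPLE_IDENTITY_STATUS, date(2024, 2, 15)):
        print(f"{rule:22} {name:30} {why}")
```

Passing `today` in explicitly keeps the check deterministic, which matters when the same report is re-run for an auditor; the leaver rule treats an identity missing from the feed as "unknown" rather than silently active, so an incomplete HR export surfaces as a finding instead of hiding one.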
References
• Microsoft
• Azure compliance: ISO27001
• Azure compliance: ISO27017 / ISO 27018
• Learn Microsoft Azure audit and logging fundamentals
• Azure security logging and auditing
• Azure security management and monitoring overview
• Azure hardening
• Azure security best practices and patterns
• ISO standards
• ISO 27001: ISMS (information security management system)
• ISO 27002: ISMS guidance
• ISO 27017: cloud security
• ISO 27018: PII in cloud (data protection in cloud)
• Cloud security basics (CCSK by CSA)
• https://cloudsecurityalliance.org/
• Cloud controls matrix
More of this…
• On my blog
• Identity Underground
• https://identityunderground.wordpress.com/
Thank You !!!
AI, Cloud & Modern Workplace
Conference 2024
15, 16 & 17 February , Online Conference

Mais conteúdo relacionado

Semelhante a Red flags and attention points in cloud security audit, watch the security gates.

Accelerate ML Deployment with H2O Driverless AI on AWS
Accelerate ML Deployment with H2O Driverless AI on AWSAccelerate ML Deployment with H2O Driverless AI on AWS
Accelerate ML Deployment with H2O Driverless AI on AWSSri Ambati
 
The Case for Embedded Analytics: Improve the Value of your Applications with ...
The Case for Embedded Analytics: Improve the Value of your Applications with ...The Case for Embedded Analytics: Improve the Value of your Applications with ...
The Case for Embedded Analytics: Improve the Value of your Applications with ...TIBCO Jaspersoft
 
Maximizing Team Productivity with Microsoft Office 365
Maximizing Team Productivity with Microsoft Office 365Maximizing Team Productivity with Microsoft Office 365
Maximizing Team Productivity with Microsoft Office 365SWC Technology Partners
 
Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Standards Customer Council
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit MilanNeo4j
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackLaurenWendler
 
30 March 2017 - Vuzion Ireland Love Cloud
30 March 2017 - Vuzion Ireland Love Cloud30 March 2017 - Vuzion Ireland Love Cloud
30 March 2017 - Vuzion Ireland Love CloudVuzion
 
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...Lviv Startup Club
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 Review
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 ReviewBlockchain, Integration, Serverless, Microservices - OOW / Code One 2018 Review
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 ReviewRobert van Mölken
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenNCCOMMS
 
Lights-Out Testing for Lights-On Business
Lights-Out Testing for Lights-On BusinessLights-Out Testing for Lights-On Business
Lights-Out Testing for Lights-On BusinessWorksoft
 
The Need for Speed
The Need for SpeedThe Need for Speed
The Need for SpeedCapgemini
 
Pivoting to Cloud: How an MSP Brokers Cloud Services
Pivoting to Cloud: How an MSP Brokers Cloud Services Pivoting to Cloud: How an MSP Brokers Cloud Services
Pivoting to Cloud: How an MSP Brokers Cloud Services RightScale
 
IBM Blockchain Labs Explained v1.0
IBM Blockchain Labs Explained v1.0IBM Blockchain Labs Explained v1.0
IBM Blockchain Labs Explained v1.0Matt Lucas
 
Azure_Business_Opportunity
Azure_Business_OpportunityAzure_Business_Opportunity
Azure_Business_OpportunityNojan Emad
 
Crosswalk Introduction CSI National Sept. 23rd, 2021
Crosswalk Introduction CSI National Sept. 23rd, 2021Crosswalk Introduction CSI National Sept. 23rd, 2021
Crosswalk Introduction CSI National Sept. 23rd, 2021Hugh Seaton
 
Get Started with Microsoft Azure.pptx
Get Started with Microsoft Azure.pptxGet Started with Microsoft Azure.pptx
Get Started with Microsoft Azure.pptxAnjaliMishra647628
 

Semelhante a Red flags and attention points in cloud security audit, watch the security gates. (20)

Accelerate ML Deployment with H2O Driverless AI on AWS
Accelerate ML Deployment with H2O Driverless AI on AWSAccelerate ML Deployment with H2O Driverless AI on AWS
Accelerate ML Deployment with H2O Driverless AI on AWS
 
The Case for Embedded Analytics: Improve the Value of your Applications with ...
The Case for Embedded Analytics: Improve the Value of your Applications with ...The Case for Embedded Analytics: Improve the Value of your Applications with ...
The Case for Embedded Analytics: Improve the Value of your Applications with ...
 
Maximizing Team Productivity with Microsoft Office 365
Maximizing Team Productivity with Microsoft Office 365Maximizing Team Productivity with Microsoft Office 365
Maximizing Team Productivity with Microsoft Office 365
 
Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
CGI-IgniteChicago
CGI-IgniteChicagoCGI-IgniteChicago
CGI-IgniteChicago
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover Track
 
30 March 2017 - Vuzion Ireland Love Cloud
30 March 2017 - Vuzion Ireland Love Cloud30 March 2017 - Vuzion Ireland Love Cloud
30 March 2017 - Vuzion Ireland Love Cloud
 
Cloud Customer Architecture for API Management
Cloud Customer Architecture for API ManagementCloud Customer Architecture for API Management
Cloud Customer Architecture for API Management
 
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...
Vitalii Bondarenko and Eugene Berko "Cloud AI Platform as an accelerator of e...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 Review
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 ReviewBlockchain, Integration, Serverless, Microservices - OOW / Code One 2018 Review
Blockchain, Integration, Serverless, Microservices - OOW / Code One 2018 Review
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Lights-Out Testing for Lights-On Business
Lights-Out Testing for Lights-On BusinessLights-Out Testing for Lights-On Business
Lights-Out Testing for Lights-On Business
 
The Need for Speed
The Need for SpeedThe Need for Speed
The Need for Speed
 
Pivoting to Cloud: How an MSP Brokers Cloud Services
Pivoting to Cloud: How an MSP Brokers Cloud Services Pivoting to Cloud: How an MSP Brokers Cloud Services
Pivoting to Cloud: How an MSP Brokers Cloud Services
 
IBM Blockchain Labs Explained v1.0
IBM Blockchain Labs Explained v1.0IBM Blockchain Labs Explained v1.0
IBM Blockchain Labs Explained v1.0
 
Azure_Business_Opportunity
Azure_Business_OpportunityAzure_Business_Opportunity
Azure_Business_Opportunity
 
Crosswalk Introduction CSI National Sept. 23rd, 2021
Crosswalk Introduction CSI National Sept. 23rd, 2021Crosswalk Introduction CSI National Sept. 23rd, 2021
Crosswalk Introduction CSI National Sept. 23rd, 2021
 
Get Started with Microsoft Azure.pptx
Get Started with Microsoft Azure.pptxGet Started with Microsoft Azure.pptx
Get Started with Microsoft Azure.pptx
 

Mais de Peter GEELEN ✔

Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Peter GEELEN ✔
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Peter GEELEN ✔
 
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...Peter GEELEN ✔
 
20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)Peter GEELEN ✔
 
20200206 privatum privacy after work - notes 3p
20200206 privatum   privacy after work - notes 3p20200206 privatum   privacy after work - notes 3p
20200206 privatum privacy after work - notes 3pPeter GEELEN ✔
 
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Peter GEELEN ✔
 

Mais de Peter GEELEN ✔ (7)

Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)
 
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
 
20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)
 
20200206 privatum privacy after work - notes 3p
20200206 privatum   privacy after work - notes 3p20200206 privatum   privacy after work - notes 3p
20200206 privatum privacy after work - notes 3p
 
Risk management basics
Risk management basicsRisk management basics
Risk management basics
 
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
 

Último

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 

Último (20)

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 

Red flags and attention points in cloud security audit, watch the security gates.

  • 1. AI, Cloud & Modern Workplace Conference 2024 15, 16 & 17 February , Online Conference https://aicmwc.azurewebsites.net
  • 2. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Red flags and attention points in cloud security audit Watch the security gates 15 February 2024 , 21:00 P.M. (GMT+2) Peter GEELEN MVP Security (Identity & Access) https://www.linkedin.com/in/pgeelen/
  • 3. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Important to know: Security = PPT • PPT • People • Process • Technology
  • 4. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Important to know: Security = PPT • PPT • People • Process • Technology
  • 5. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Security across the company • Strategic • Tactical • Operational STRATEGIC (CxO) TACTICAL (Dept.) OPERATIONAL
  • 6. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Management team tasks • Accountability • Planning • Resources • Operations • Performance • Continuous improvement Act Plan Do Check Act Plan Do Check Security Improvement Time
  • 7. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Security controls • Asset management • Identity & access management • System & network security • Secure configuration & baseline • Physical security • Threat and vulnerability management • Application security • Policies & procedures • Documentation • HR security • Supplier Management • Incident management • Business continuity • Disaster recovery
  • 8. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference Security is a process, continuously changing 1 2 3 In Few tasks simple Change Important volume of tasks Dependent tasks Balance from one to another Out Lots of tasks Lengthy Complex Legal impact Possible reactivation Uniqueness Conflicts
  • 9. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference How are you doing?
  • 10. AI, Cloud & Modern Workplace Conference 2024 16, 17 & 18 February , Online Conference How is your customer or supplier doing?
  • 11. Monitoring or audit: what's the difference?
    • Monitoring
      • Performance check
      • Continuous (or high frequency)
      • By owner
    • Audit
      • Compliance check
      • Regular intervals (lower frequency)
      • Independent from owner
  • 12. Audit types
    • 1st party (internal audit)
    • 2nd party
      • Customer > supplier
      • Supplier > customer
    • 3rd party (external)
  • 13. Audit types: internal audit
    • Self-validation (auditing within the company)
    • No publication to external parties
    • No certificate
  • 14. Audit types: 2nd party audit (mutual)
    • Commercial interest first
      • Contractual dependence
      • Due diligence
    • Mutual interest
      • Customer checking a (potential) supplier
      • Supplier checking a (potential) customer, e.g. before onboarding
    • Delegation / verification of compliance
      • Verification that delegated tasks are done correctly
  • 15. Audit types: 3rd party audit (external)
    • Independence between parties
      • Auditor vs customer
      • No combination of consulting & audit allowed
      • Segregation of duties
    • Official certificate
      • Published
      • Available to external parties
  • 16. Audit main principles
    • Snapshot of the situation
    • Quick estimation of the situation
    • Risk based
    • Solution based, continuous improvement
    Some hands-on experience to stay out of trouble … detecting the red flags
  • 17. 1. First login with god mode
    • First login
    • First administrator
    • Full power
    • God mode
    Solution
    • Create a special admin account
    • No mail, enable MFA
  • 18. 2. User ID and password
    • Typically a personal account
    • User ID (a mail address) … and just a password
    Solution
    • MFA
    • Hardware tokens
    • Passkeys (next-generation MFA)
  • 19. 3. Default groups
    • Azure groups
    • Large volume of Azure and M365 roles
    Solution
    • Avoid the use of default groups
    • Task-based access, granular control
    • Only use default groups when no other option is left
  • 20. 4. Ad-hoc (eh.. no) identity management
    • Manual management
    • No process
    • User duplication from existing users
    Solution
    • Set up basic IDM (identity management)
    • Set up IAM (identity and access management)
    Identity lifecycle
    • 1. In: start of identity (hire, onboarding, provisioning, create, begin, ...)
    • 2. Change: change of identity (move, promotion, update, maintenance, operations, ...)
    • 3. Out: end of life (fire, termination, end of contract, deprovisioning, revocation, delete, ...)
  • 21. 5. No process management
    • Manual management
    • No process owner
    • No process
    • No idea how data flows
    • No idea about changes
    Solution
    • Use basic process definitions
    • Check ISO 9001
  • 22. 6. All-in-one account
    • User account = admin account
    • Mail enabled
    • Used for office and admin tasks
    Solution
    • Account separation
    • Segregation of duties
    • Separate logins for users and administrators
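The identity red flags from slides 17, 18, 19, 20 and 22 (a god-mode first admin with a mailbox, password-only logins, role sprawl from default groups, no deprovisioning, one account for office and admin work) can be expressed as audit checks over a directory export. The block below is an added example, not code from this deck; the record fields and the role-count threshold are assumptions, the accounts are constructed, and the role names are Entra built-in role names used only as sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    # One row of a constructed directory export; field names are assumptions
    upn: str
    roles: list = field(default_factory=list)  # directory roles held
    mfa: bool = False              # MFA registered and enforced
    mail_enabled: bool = False     # account has a mailbox
    used_for_office: bool = False  # also used for daily office work
    left_company: bool = False     # HR says the person has left
    enabled: bool = True           # still enabled in the directory

# "Full power" roles (Entra built-in role names, used here as sample values)
PRIVILEGED = {"Global Administrator", "Privileged Role Administrator"}
MAX_ROLES = 3  # above this, rights look untargeted (threshold is an assumption)

def audit_account(acct):
    """Return the red flags raised by one account; an empty list means clean."""
    flags = []
    privileged = bool(PRIVILEGED & set(acct.roles))
    if acct.enabled and not acct.mfa:
        flags.append("no-mfa")              # slide 18: user ID and password only
    if privileged and acct.mail_enabled:
        flags.append("admin-mail-enabled")  # slide 17: admin account should have no mail
    if privileged and acct.used_for_office:
        flags.append("admin-used-as-user")  # slide 22: no account separation
    if len(acct.roles) > MAX_ROLES:
        flags.append("role-sprawl")         # slide 19: broad rights as with default groups
    if acct.left_company and acct.enabled:
        flags.append("not-deprovisioned")   # slide 20: the "Out" step of the IDM cycle is missing
    return flags

def audit(accounts):
    """Map each flagged UPN to its red flags, skipping clean accounts."""
    return {a.upn: f for a in accounts if (f := audit_account(a))}

SAMPLE = [  # constructed sample export, not real accounts
    Account("first.admin@example.test", ["Global Administrator"],
            mail_enabled=True, used_for_office=True),
    Account("adm-alice@example.test", ["Global Administrator"], mfa=True),
    Account("bob@example.test", ["User Administrator", "Exchange Administrator",
                                 "Teams Administrator", "SharePoint Administrator"],
            mfa=True, mail_enabled=True, used_for_office=True),
    Account("dave@example.test", mfa=True, mail_enabled=True, left_company=True),
]

if __name__ == "__main__":
    for upn, flags in audit(SAMPLE).items():
        print(upn, ", ".join(flags))
```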
  • 23. 7. All-in-one desktop
    • Login account = local admin account
    • Full access
    • …
    Solution
    • Daily operations as a normal user
    • Admin account only for specific access
  • 24. 8. RDP remote access
    • RDP to Azure
    • …
    Solution
    • Bastion host
  • 25. 9. One network
    • One network
    • Direct connections to Azure
    • No segmentation (neither in Azure nor in the physical network)
    Solution
    • Segmentation
    • Firewalls on every host and every network
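The network red flags from slides 24 and 25 (RDP straight from the Internet to Azure machines instead of through a bastion host, one flat network with no segmentation) can be checked the same way against exported inbound rules. This is an added example, not code from this deck; the rule fields, subnet names and address ranges are constructed assumptions modelled loosely on network security group rules.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    # One inbound filtering rule from a constructed export; field names are assumptions
    subnet: str
    source: str          # "*", "Internet", a CIDR, or a service tag such as "VirtualNetwork"
    dest_port: str       # "3389", "22", "443" or "*"
    access: str = "Allow"
    direction: str = "Inbound"

MGMT_PORTS = {"3389": "RDP", "22": "SSH"}
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def is_public(source):
    """True when the source matches addresses on the Internet."""
    if source in PUBLIC_SOURCES:
        return True
    try:
        return not ipaddress.ip_network(source, strict=False).is_private
    except ValueError:
        return False  # service tags are not Internet sources

def rule_findings(rule):
    """Red flags raised by one rule; an empty list means nothing to report."""
    if rule.direction != "Inbound" or rule.access != "Allow":
        return []
    out = []
    if is_public(rule.source) and rule.dest_port in MGMT_PORTS:
        # slide 24: RDP/SSH straight from the Internet, a bastion host belongs here
        out.append(f"{rule.subnet}: {MGMT_PORTS[rule.dest_port]} open to the Internet")
    if rule.dest_port == "*" and rule.source in ("*", "VirtualNetwork"):
        # slide 25: any-to-any allow means the subnet is not really segmented
        out.append(f"{rule.subnet}: any-to-any allow, no segmentation")
    return out

def audit_rules(rules):
    """Findings for a whole export, in rule order."""
    return [f for r in rules for f in rule_findings(r)]

SAMPLE = [  # constructed rules, not from a real tenant
    Rule("web", "Internet", "3389"),        # direct RDP to a VM
    Rule("web", "Internet", "443"),         # published web port, fine
    Rule("web", "Internet", "22", access="Deny"),
    Rule("db", "VirtualNetwork", "*"),      # flat network, anything inside can reach the DB
    Rule("db", "10.10.1.0/24", "1433"),     # only the app subnet, segmented
    Rule("jump", "10.10.0.0/26", "3389"),   # RDP only from an internal bastion range
]
```

Running `audit_rules(SAMPLE)` reports the exposed RDP rule on the web subnet and the any-to-any rule on the database subnet, and nothing for the segmented or denied rules.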
  • 26. 10. One-time configuration
    • One configuration, fixed at first setup
    • But once set, never reset …
    • No review
    • No IDM cycle
    Solution: check …
    • Every time a new configuration is made
    • During changes
    • Regularly (put it on your agenda)
    • Use IDM (lifecycle)
  • 27. References
    • Microsoft
      • Azure compliance: ISO 27001
      • Azure compliance: ISO 27017 / ISO 27018
      • Learn: Microsoft Azure audit and logging fundamentals
      • Azure security logging and auditing
      • Azure security management and monitoring overview
  • 28. References
    • Azure hardening
      • Azure security best practices and patterns
  • 29. References
    • ISO standards
      • ISO 27001: ISMS (information security management system)
      • ISO 27002: ISMS guidance
      • ISO 27017: cloud security
      • ISO 27018: PII in the cloud (data protection in the cloud)
    • Cloud security basics (CCSK by CSA)
      • https://cloudsecurityalliance.org/
      • Cloud Controls Matrix
  • 30. More of this …
    • On my blog: Identity Underground
    • https://identityunderground.wordpress.com/
  • 31. Thank You !!!