As public and private cloud adoption skyrockets, the number of attacks against cloud infrastructure is also increasing dramatically. Now more than ever, it is crucial to secure your cloud assets and data against advanced threats.
We’ll dig into what it means to be successful in the cloud and what successful organizations do more of (and less of) than their less successful peers. We’ll look across technologies adopted, organizational and operational practices, and vendors embraced.
Recorded webinar: https://youtu.be/Og1-xcc7JNs
1. Cyber Security in The Cloud
2. Presenter:
Beverly Burnett-Roberts has been an independent consultant in the technology sector for the last 25 years, working as a DBA, developer, application and infrastructure architect and PMO implementer, and is now focused on Cyber Security Architecture. She has worked for some of the largest financial, insurance, regulatory, pharmaceutical, legal, ecommerce and aviation companies in today's marketplace and brings a broad range of skills to guide clients through fast-paced cloud, security and compliance ecosystems, integrating PMI/Agile methodologies to implement cutting-edge technologies, IT and cyber security, risk management, vulnerability management and global compliance metrics.
Linkedin.com/in/beverly-roberts-03314610
3. Goals for this webinar
1. What is the cloud: a quick review of IaaS, SaaS and PaaS
2. Bridging the gap between business requirements and application capabilities
3. When should the security team enter the project life cycle?
4. Question and answer session
4. What is the Cloud???
• MS Azure
– https://azure.microsoft.com/en-us/free
• Amazon Web Services
– https://aws.amazon.com/
• Google Cloud Platform
– https://cloud.google.com/gcp/
• IBM
– https://www.ibm.com/services/cloud
Hosted infrastructure, platform(s) and software services, public or private. On-premises assets moved to fully hosted, hybrid and multicloud.
5. Level Setting Our Discussion
• During the past 10 years there has been an amazing shift in the way businesses of every type present their goods, services and content to an increasingly mobile global marketplace. Financial institutions, streaming content providers, ecommerce and gaming brands all have at least one foot in the cloud!
• So how do cyber security professionals get an early foothold in the configuration, development, testing and other parts of the cloud project life cycle?
6. How does it all fit together
• IaaS – Infrastructure as a Service
• PaaS – Platform as a Service
• SaaS – Software as a Service
• Cost Models – pay-as-you-go or pay-for-what-you-use billing models of cloud hosting services.
Diagram: the service layers (Cost Models, SaaS, PaaS, IaaS) surrounded by the organizational concerns Business Requirements & PMO; Transformation & Development; Security Risk, Vulnerability & Compliance; Automation, Monitoring & Standards.
7. IaaS
• Infrastructure as a service (IaaS) is a standardized, highly automated offering in which computing resources owned by a service provider, complemented by storage and networking capabilities, are offered to customers on demand. Resources are scalable and elastic in near real time and metered by use. Self-service interfaces, including an API and a graphical user interface (GUI), are exposed directly to customers. Resources may be single-tenant or multitenant, and are hosted by the service provider or on-premises in a customer's data center.
Gartner: https://www.gartner.com/it-glossary/infrastructure-as-a-service-iaas
8. SaaS
• Software as a service (SaaS) is software that is owned, delivered and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics.
Gartner: https://www.gartner.com/it-glossary/software-as-a-service-saas
9. PaaS
• Platform as a service (PaaS) is a type of cloud offering that delivers application infrastructure (middleware) capabilities as a service. Gartner tracks multiple types of PaaS (xPaaS), including, among many more, application platform as a service (aPaaS), integration PaaS (iPaaS), API management PaaS (apimPaaS), function PaaS (fPaaS), business analytics PaaS (baPaaS), IoT PaaS and database PaaS (dbPaaS). PaaS capability can be delivered as provider-managed or self-managed, multitenant or dedicated.
Gartner: https://www.gartner.com/it-glossary/platform-as-a-service-paas
10. Cost Models
Configuration and Usage Determine Price
• Cost is always reflective of the level of service(s) your client selects
• The service catalogues are extensive and growing rapidly
• So where do you start?
Transfer of Risk to Cloud Provider
• IaaS can reduce provisioning time, transfer the component-level risk and provide just-in-time scaling.
• SaaS & PaaS remove the responsibility for software upgrades and patching.
• Professional services to avoid configuration errors.
• Training – internal team SMEs
11. Let’s talk early and often
When to call Cyber Security – Cyber Security Outreach
• Lunch and learns
– Even encryption is palatable when paired with pizza
• Speak English, not CISSP
• Leave the abbreviations for last: DDoS, ICAM, FoD …
• Be an SME, not a dictator
– Set policy and expectations
– Explain the exception process
– Security & the PMO
12. A seat at the table
• Approach the PMO first
– Security team access to the PMO process
• Early reviews of requirements with the business
• Part of change control/management
• Part of the notification tree(s)
• Is the term "Lift and Shift" an oversimplification?
– Security assessment reviews of function & usage
• Is it really an exact duplicate of the current on-premises environment?
• What changes have to be made to secure it?
– Taking a look at the 3 L's
• Licenses, Legal, Location
• Define a new Cyber Security Engagement Model
• Get IT Security Management and the Business on board
– Then evangelize
13. Transformation & Development
Determine what stays on-premises
• Depending on the business, all or select functionality and assets may move off the current on-premises environment
• This does not mean they cannot interact with a public or private cloud, hybrid cloud or multicloud
• Professional services are less expensive than correcting configuration errors across multiple tenants or ecosystems in production.
Cloud Architecture
• Remember, this is the time to ensure that past bad habits and less-than-optimal workarounds are not part of the design or technical requirements.
– Implement identity management
– Understand, segregate and protect your data.
– Monitor, log, analyze and review. Look for patterns.
14. Security, Dev, Testing…
Partners: Concept to Production – Cyber Security Life Cycle
• Can our configuration support this?
• What version is the dev team using?
• Have regular/automated code scans been implemented?
• Are the scans reviewed? How are vulnerabilities vetted and remediated?
• Does management see the need for early security team participation? Bring it up.
15. Security, Risk, Vulnerability, Compliance
Prioritize, analyze and apply a cost to remediate. What is the path to compliance?
16. A Security Program Engagement Model
• Security Awareness
• Security Assessment Report – SAR
• Compliance: IT & Cyber Security Standards
• Monitoring
• Automation
• Mandatory IT/cyber security training by organizational role
• Living documents, linked to change/risk/exception reviews and release authorization processes. Supply the PMO with the documentation required to start and complete the SAR.
Require with Justifications
17. A Security Program Engagement Model
• Data Classification & Protection
• Compliance: IT & Cyber Security Standards
• You cannot be too careful when it comes to data. There are a host of laws and standards related to data, its classification, data access, data at rest, data in transit, GDPR, etc.
• There is a long and ever-growing list of security standards, but they are your friends: ISO/IEC, NIST, in-country regulatory & compliance.
Require with Justifications
18. A Security Program Engagement Model
• Monitoring & Automation
• Deliverables, Timelines and Approvals
Require with Justifications
• Where to start – in a sandbox! Security must have a Dev/Test environment separate from the project, QA, etc., for monitoring, logs and alert generation, analysis and patterns.
• What is due, why are we asking for it, when do we need it, who has to approve it?
• What happens if late changes are made, what happens if……
19. A Security Program Engagement Model
• Authorization To Operate – ATOs
• Validity Periods
Require with Justifications
• ATO – Authorization to Operate is taken from the DoD playbook and frankly it works. It is the last milestone for the implementing Cyber Security Team, with one last caveat: the Validity Period. 3 months, 12 months, 18 months.
20. What's Next on the Horizon
Cyber Security is the best field for the curious, the pragmatic person who solves a problem.
As there are many problems to solve and questions to answer, we should be kept busy for the foreseeable future.
Cloud technology in all its forms is on its way to becoming the standard.
I will open up the question and answer session now and hope to see you on another webinar; feel free to reach out to me on LinkedIn.
Thank you for your time.
Beverly Burnett-Roberts
21. ISO/IEC 27032 Training Courses
• ISO/IEC 27032 Introduction – 1 day course
• ISO/IEC 27032 Foundation – 2 day course
• ISO/IEC 27032 Lead Cybersecurity Manager – 5 day course
Exam and certification fees are included in the training price.
www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
www.pecb.com/events