The Share Responsibility Model of Cloud Computing - ILTA NYC

Cloud Security is YOUR responsibility, not just your service provider's! Understand the shared responsibilities of Cloud Computing from the public cloud to application as a service.

Includes a few updates from the Philadelphia session!


  1. Cloud Security. Understand the Technical to Enable Business Decisions. ILTA – New York City (Square10 Solutions LLC Confidential)
  2. Presenters
     • John LaVigne, a Systems Engineer for Fortinet, has over 15 years of experience in the network field. His focus today is on network security solutions for customers. John has previously worked in a number of project delivery roles in networking, security and messaging.
     • Nick Sandone is a System Architect with Square10 Solutions. His areas of expertise include network design and optimization, advanced threat protection, enterprise monitoring, and securing cloud and hybrid networks. Nick has diverse experience having worked in industries ranging from legal, engineering and healthcare to cloud-based supply chain management.
     • Patrick Sklodowski, a Principal with Square10 Solutions, is a proven technology professional with over two decades of expertise. He works with clients to provide solutions focused on strategic delivery and the alignment of technology with business requirements. His areas of specialty include system architecture, delivery of cloud solutions, messaging, technical project management, disaster recovery and complex migrations.
  3. Cloud Security = Shared Responsibility (Courtesy of AWS)
     • Know Your Role and Responsibilities!
     • Responsibility dependent on:
       • Type of service
       • Delivery model
       • Service provider
  4. Today’s Focus (Courtesy of Microsoft)
  5. Physical Security
     • Not “our” problem!
  6. Host Infrastructure
     • Secure the virtual device like it’s “within your walls”
     • AV & threat protection
     • Patching
     • Application updates
     • Host encryption
  7. Network Controls
     • What can we expect from CSP?
     • Provide the infrastructure
     • Protect their infrastructure
     • Basic built-in tools for customer
  8. Network Controls
     • CSP Provides
     • Virtual Networking
     • Load Balancing
     • DNS
     • Gateway
     • VPN
     • Network Security Groups (group of ACLs)
     • Basic NAT or PAT
     • Basic port open port closed
     • Logical Network Segmentation
  9. Network Controls
     • Customer Responsibility
     • Next Generation Firewall (NGFW)
     • Web Application Firewall (WAF)
     • Route all traffic through NGFW
     • Access Management
     • Consider 2FA
     • Interrogate/Inspect traffic
     • AV/Malware/IPS/DLP
     • Log and monitor traffic
     • Encrypt traffic
  10. Application Level Controls
     • Infrastructure as a Service (IaaS)
     • We install the applications, we must secure them!
     • Platform as a Service (PaaS)
     • SQL
     • Web Services
     • PaaS protection through
     • Application level “firewall” settings
     • Identity management
     • SAML
     • Azure Active Directory

     “Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS manages the underlying infrastructure, and you secure anything you put on the infrastructure or connect to the infrastructure.” - Amazon Web Services “Sharing the Security Services”
  11. Identity & Access Management
     • Access and authorization
     • Identity protection
     • Service management through user access
     • Tools
     • Multi Factor Authentication
     • Same sign on / Single sign on
     • Identity providers / SAML
     • Roles
     • Auditing and alerting
     • Conditional access
  12. Single Sign On and Identity Management
     • More passwords = less secure passwords
     • Identity providers – OKTA, Duo, Microsoft, OneLogin
     • Regardless of Identity Solution
     • Every business needs to be set up in Microsoft Azure Active Directory
     • Most businesses should be federated with Azure Active Directory
     • Enables
     • Windows Store for Business
     • Identity management
     • Keeps users away from consumer accounts!
  13. Client & End-point Protection
     • End-points are always our responsibility
     • How the end-point connects determines risk
     • PaaS is probably connected to my network
     • IaaS: same risks as on-prem
     • SaaS: more likely app or browser based, devices won’t directly access systems
     • Device has access to data flowing through it!
     • Advanced threat protection
     • Microsoft Defender and Intune
     • Cylance
     • Carbon Black
  14. Data Classification & Accountability
     • Compliance obligations
     • Distinguish - and potentially secure - sensitive data
     • SaaS - capabilities aren’t meaningful without classification – Digital Loss Prevention
     • PaaS & IaaS – Data management fully your responsibility
     • Backups
     • Encryption
  15. Resources
     • Data Classification for Cloud Computing: http://aka.ms/dataclassificationforcloud
     • The ABC’s of the Share Responsibility Model: https://www.trendmicro.com/aws/aws-shared-security-model/
     • Microsoft Incident Response and shared responsibility for cloud computing: https://azure.microsoft.com/en-us/blog/microsoft-incident-response-and-shared-responsibility-for-cloud-computing/
     • What Does Shared Responsibility in the Cloud Mean: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
     • Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
     • Everything you need to know about Microsoft Azure security: https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2210