Camelot - Manyhats club meetup 23 10 18

•Transferir como PPTX, PDF•

1 gostou•90 visualizações

This document outlines an agenda for a talk on cloud security architecture. The agenda includes an introduction to security architecture in traditional vs cloud environments, challenges of a security architect in cloud, Camelot's journey to AWS, how to sell cloud security architecture internally, examples of what worked and didn't work for Camelot, and key takeaways. The document provides an overview of the topics that will be discussed during the presentation.

Tecnologia

I’m a security architect with my head in the cloud
Oct 2018
Francesco Cipollone
David Boda
Public

Agenda
• Security architecture – traditional vs cloud
• Cloud – what’s different?
• Intro to Camelot and our AWS journey
• How to sell cloud security architecture to the business
• What worked for us and what did not work so well
• Key Take aways
Our Agenda
Public

Intro
Francesco Cipollone
Cloud Security Architect @ Camelot
Francesco is a security Consultant focused on Cloud problems working as Security Architect in Camelot
@FraSEC42
David Boda
Head of Information security @ Camelot
David Boda is the Head of information security at Camelot
Public

Intro to Security Architecture
• What is a security architect?
• What’s the architect role in the strategy?
• What is the role of a security architect in this
modern word ?
• What is the added value?
Public

What is this cloud and can I have a piece of it
• Cloud: Just someone else’s computer
• Comes in different flavours and acronyms:
IaaS, PaaS, SaaS, IDaaS…
• Scalable and ‘rapid’
• Different models: Cloud provider or specific
service providers
Public

Challenges of a Security Architect
• Traditional challenge of a security
architect
• Cloud challenges plus a bag of classical
security issues
• Tech Stack constant changing

Bringing it all together
• Why is the cloud different?
• Note – we will be focusing on AWS
• Due diligence on SaaS and PaaS
Public

Security @ Camelot
APPs
interfaces
code
Terminals
Datacentre
Physical/Cloud
Payment Interfaces
Infrastructure
Cloud solution (SaaS)
accounts
...as well as supporting
our sister business and
it’s customers
VSATs
Retailers
Draws Offices
Staff
800+ High tier prize
payments / yr 5000 investigations / yr
Public

How to sell security architecture to the business?
• How do we do it in Camelot?
• What has worked and what has not worked?
Public

Security Architecture – Selling Point
• Security by design – avoid delays
• Minimal incremental security improvements
• Effective and efficient controls
• Strategy and vision built in each project

Cloud Architecture – Is it just blueprint right?
• Architecting in cloud is different
Technology
• Leveraging on blueprints
• Looking forward and thinking
strategically is challenging
• Everyone thinks is an architect in the
cloud
• Challenges for Security as anyone
spins services
Public

Traditional vs Cloud Security Architecture
• Traditional vs cloud
• Different Technology
• Different patterns
• Some similarities (e.g. IaaS
traditional)
Public

Cloud Architecture – Examples – where it did work
Where it did work:
• Cloud transformation supported
by strategy
• Strong Foundation
• Use of native controls
• Monitoring and alerting
• Make use of automation
• Train and plan hiring
Public

Cloud Architecture – Examples – where it didn't work
Where it didn’t work:
• Weak Foundation
• No management involved/strategy
• Weak Processes
• No monitoring/Alerting
• No plan in hiring
Public

Cloud Security Incidents management in the cloud
• You can’t pull cables in the cloud
• Incident management and detecting can be harder
• Monitor and alerting on billing and your resources
• Education on the various services…is not just
another VM in the Datacentre
• Prevention of spinning up expensive service with
policies
Public

Key Take Away
Cloud transformations can be a treacherous journey
especially for security professionals:
- Cloud is different than traditional
- Do your due diligence up front
- Start early create a solid foundation
- Automate where possible
- Native cloud controls! Use them
- Decisions based on risk
- Skill shortage: be prepared to learn
Public

Get in touch
Get in touch:
FC-LinkedIn
Camelot Careers
Thank you
@FraSEC42
DB-LinkedIn
Public

Mais conteúdo relacionado

Mais procurados

Fog Computing & Emerging Technologies

Ramneek Kalra

Sask 3.0 Summit David G. Brown

SaskSummit

Cloud in a Box by Codestone Solutions Ltd simplifies the process, cost and complexity of moving from onpremise hardware to Cloud service delivery. It includes Office 365, File access in the Cloud, Security, 'cloudifies' your line of business apps, includes AV, backup and 24/7/365 support. A low cost of entry and fixed monthly per user fee provides greater flexibility as your business changes. Contact sf@codestone.net for more details.

Codestone Cloud in a Box Overview

SimonFenech

How to make the move towards hybrid cloud computing

David Strom

If you signed up to impact the world for your mission and not manage your IT infrastructure, you need cloud technology. More and more nonprofits are taking advantage of advanced security, availability, and cost-efficiency provided by cloud technology. Patrick Callihan, executive director of Tech Impact and author of Cloud Computing for Nonprofits, introduces you to cloud computing in this presentation and how your nonprofit can use this technology to be more effective and efficient in delivering your mission.

Fundraising and Technology: A Match Made in the Cloud

Blackbaud

Domain Driven Design - garajco Education 2017

Can Pekdemir

View this webinar on-demand where we discuss common misconceptions and how important a mature capacity management process is – especially when it comes to DevOps and agile environments underpinned by elastic infrastructure, whether hybrid and/or public Cloud. During this webinar you will learn more about: • How the DevOps process provides the agility and speed of deployments for new IT services • How and why the cloud fits into this model • How to counter the perceptions that cloud capacity is infinite • How AI and machine learning perceive to offer control over capacity and performance on-demand

Capacity Management for a Digital and Agile World

Precisely

Cloud overview slideshare

Sebastian Krueger

Storage as a service v4 eng

Dell EMC

Cloud computing elisheba wiggins

Elisheba Wiggins

Group 2 - Cloud Storage

12201375

IoT 2014 global challenges

DunavNET

In this webinar, Michael Nash of BoldRadius explores the Typesafe Reactive Platform. The Typesafe Reactive Platform is a suite of technologies and tools that support the creation of reactive applications, that is, applications that handle the kind of responsiveness requirements, data volume, and user load that was out of practical reach only a few years ago. From analysis of the human genome to wearable technology to communications at a massive scale, BoldRadius has the premier team of experts with decades of collective experience in designing and building these types of applications, and in helping teams adopt these tools.

Introduction to the Typesafe Reactive Platform

BoldRadius Solutions

Cloud computing-pdf

Subash Basnet

Romi tech cloud workspace overview

romitech

The rise of IT as Service (ITaaS) is result of the intense rate of change brought about by technologies such as cloud computing, social media, consumerization, mobility, analytics and big data. The pace of change is only increasing, and these emerging technologies need to be rapidly integrated into modern enterprise, almost in real-time. Enter ITaaS, on-demand. In its various forms, ITaaS on-demand solves the myriad problems of modern IT resource consumption. When technology is restructured to be flexible, fast and ready, capabilities are provided based on usage. Transitioning to an on-demand hybrid infrastructure is a complete transformation that can support your future business goals, help fuel business innovation and turn IT from a cost center to a value center. This is the future of IT, it will be hybrid, and it will be on-demand with utmost flexibility, scalability and cost-efficiency.

The Future of IT Infrastructure is Hybrid and on Demand

Codero

Barriers to mana

Karl Donert

Managing and protecting critical data across servers and applications in multiple locations around the globe is challenging. And the more decentralized and complex your infrastructure, the more difficult it is to manage your data. The potential bad news? Data loss, site outages, revenue loss, and potential non-compliance with regulations. But here’s the good news: centralizing data protection in the cloud can make all the difference. That’s why you should join our webinar and hear from storage expert, George Crump, from Storage Switzerland and Druva’s W. Curtis Preston, Chief Technologist, as they discuss: • Why protecting a distributed data center is challenging with traditional methods • How a cloud-centralized backup strategy can be a game changer for your organization • How Druva can help you drastically improve data protection quality, reduce costs, and simplify global management and configuration?

Webinar: All in the Cloud - Data Protection Up, Costs Down

Storage Switzerland

Using OpenStack to Control VM Chaos

David Strom

Shamit Khemka talks about facts on cloud computing helping small business to ...

SynapseIndia

Mais procurados (20)

Fog Computing & Emerging Technologies

Sask 3.0 Summit David G. Brown

Codestone Cloud in a Box Overview

How to make the move towards hybrid cloud computing

Fundraising and Technology: A Match Made in the Cloud

Domain Driven Design - garajco Education 2017

Capacity Management for a Digital and Agile World

Cloud overview slideshare

Storage as a service v4 eng

Cloud computing elisheba wiggins

Group 2 - Cloud Storage

IoT 2014 global challenges

Introduction to the Typesafe Reactive Platform

Cloud computing-pdf

Romi tech cloud workspace overview

The Future of IT Infrastructure is Hybrid and on Demand

Barriers to mana

Webinar: All in the Cloud - Data Protection Up, Costs Down

Using OpenStack to Control VM Chaos

Shamit Khemka talks about facts on cloud computing helping small business to ...

Semelhante a Camelot - Manyhats club meetup 23 10 18

Are you considering Microservice architecture for your next project? Are you planning to migrate an existing legacy / monolithic application to Microservices? Are you curious about Microservice architecture? If the answer to one of the above questions is YES, then this session is for you. Join me to know all about Microservice architecture: - When to adopt it? - When not to adopt it? - How to assess your team’s readiness to adopt Microservice architecture? - Starting a new project with Microservice architecture. - Migrate an existing project to Microservice architecture. - Microservice architecture main anti-patterns and how to fix them. - Are monoliths really that bad?

Practical Microservice Architecture (edition 2022).pdf

Ahmed Misbah

Cloud Innovation Tour - Discover Track

LaurenWendler

Bmit cloud market_survey_visterin_2013

William Visterin

Cloud Innovation Tour - Discover Track

LaurenWendler

So you’ve bought into the concept of “cloud” technology

Cisco Canada

Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked. While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives. With the emergence of the Cloud, IT risk has suffered yet another radical transformation. The past couple of years have also brought along new vulnerabilities, exploits, and attack methods, as well as new data privacy requirements such as the GDPR. While all of these things require significant changes to any existing processes and tools, they mostly require a different approach when catering to people's IT security awareness, especially when moving to the Cloud.

Security & Compliance in the Cloud [2019]

Tudor Damian

MCM_Publicv1.01.pptx

Kai Viljanen

Intelligently Migrate to the Cloud and Continuously Keep Spend Low Cloud migrations are complex and challenging projects. Traditional approaches often fail, losing time, money, and resources. Neo4j, the creator and leader of the graph database category, and Process Tempo have come together to make cloud migration faster, easier, and more cost-effective than ever. Join us to learn how the combined power of our technologies helps you plan, execute, monitor, and optimize your migration project – all while avoiding common pitfalls – to help ensure a smooth migration from beginning to end. In this 45-minute session, you’ll learn: What the most common pitfalls of cloud migration are and how to avoid them What the essential requirements and best practices for a successful migration are How graph analytics can improve and accelerate the critical stages of your migration

Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence

Neo4j

Choosing Public vs. Private vs. Hybrid Cloud Computing

Skytap Cloud

Amongst the various cloud technology vendors and certification bodies offering cloud training, cloud solution architecture (CSA) is by far the most commonly served area. Architecture is undeniably important, but what is it that makes cloud architecture so deserving of this attention? What changed for architects in cloud computing? How do IT professionals, and the trainers and consultants supporting them, make this transition to cloud architecture successfully? We’re honored to have Mark Skilton, accomplished digital consultant, academic, and author of the CCC Professional Cloud Solutions Architect syllabus, provide the underpinning competencies critical for successfully transitioning to CSA. Understand what aspects of cloud make architecture a critical area for re-skilling. Discuss the evolution of cloud adoption and demand for qualified CSA. Gain insights on the value and future outlook of cloud computing and architecture.

Architecting your way up in the cloud

Cloud Credential Council

Avoiding Cloud Computing Planning & Implementation Failure

Nathaniel Payne

The rapid growth and many flavors of cloud capabilities can provide great business value. If not well planned, they may also give security professionals fits. With perspective and a deliberate approach, CISOs can not only manage cloud security effectively, but leverage the cloud to power security capabilities. This session will introduce challenges and trends relating to the cloud for information security practitioners. Much of the session will focus on the speaker's own successes, failures, pitfalls and pratfalls as CISO for a cloud-based startup that built an AWS-based SAAS predictive analytics platform. We will also touch on private cloud concerns, architecture planning and real-world solutions.

Thin Air or Solid Ground? Practical Cloud Security

Dan Fitzgerald, CISSP, CIPM

The Cloud is in the details webinar - Rothke

Ben Rothke

Cloud computing essentials

Ghanshyam Baheti

Single Realm Multi-Cloud Security Management with Palo Alto Networks

2nd Watch

How To Leverage Cloud Computing for Business & Operational Benefit - CAMP IT

Skytap Cloud

Conversations in the Cloud

James Kelly

How Cloud Computing will change how you and your team will run IT

Peter HJ van Eijk

What the auditor need to know about cloud computing

Moshe Ferber

Moving to the Cloud-How to Develop Cloud Strategy for Your Organization

Emtec Inc.

Semelhante a Camelot - Manyhats club meetup 23 10 18 (20)

Practical Microservice Architecture (edition 2022).pdf

Cloud Innovation Tour - Discover Track

Bmit cloud market_survey_visterin_2013

Cloud Innovation Tour - Discover Track

So you’ve bought into the concept of “cloud” technology

Security & Compliance in the Cloud [2019]

MCM_Publicv1.01.pptx

Neo4j + Process Tempo present Plan Your Cloud Migration with Confidence

Choosing Public vs. Private vs. Hybrid Cloud Computing

Architecting your way up in the cloud

Avoiding Cloud Computing Planning & Implementation Failure

Thin Air or Solid Ground? Practical Cloud Security

The Cloud is in the details webinar - Rothke

Cloud computing essentials

Single Realm Multi-Cloud Security Management with Palo Alto Networks

How To Leverage Cloud Computing for Business & Operational Benefit - CAMP IT

Conversations in the Cloud

How Cloud Computing will change how you and your team will run IT

What the auditor need to know about cloud computing

Moving to the Cloud-How to Develop Cloud Strategy for Your Organization

Mais de NSC42 Ltd

Nsc42 the security phoenix

NSC42 Ltd

Nsc42 - the security phoenix devsecops - risk-present_0_3 share

NSC42 Ltd

Title: The Security Phoenix Subtitle: From the ashes of DEVOPS Synopsis: The talk will take the audience on a path to integrate security in development covering aspect like SDLC, People and Technology, Metrix, and maturity matrix. The Talk will focus on several aspect like: • Visibility of vulnerabilities in production • Traceability of software built and source of the component • Visualization of vulnerabilities and target (Divide in quarter, Build vs Fix) • Maturity matrix and path to evolution with KCI • Advanced concepts like breaking the build, license to operate If time is available, the talk will explore some additional lesson learned rough length: Compressed 25+5 min long version 30 min Audience Take Away: ● How to build a cybersecurity programme with people and technology at the heart ● How and why to trace component and how they are built ● Why visibility in production and traceability is important ● How to set targets for product teams and what to measure in various phases ● How to involve risk assessment and where to apply governance ● Use cases to visualize vulnerabilities

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

NSC42 Ltd

Security Architecture in DEVOPS Title: Security Architect, slayer of dragons defenders of the realms and protectors of the cybersecurity automation Synopsis: The talk will take the audience on a journey from the origin of the security architecture, the challenge of cloud security and the role of an architect in the dev-sec-ops world. The talk explains the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance We will explore: Security Gates and why they do not always work in dev-ops Automation how-tos: How to deploy cybersecurity at scale Why is important to know how to deal with people Automation in the pipeline is the king If time is available the talk will explore some additional lesson learned rough length: compressed version 30 min normally 50 min or workshop format Audience Take Away: How to build a cybersecurity programme with architecture at the heart how to do traditional security governance how to mix governance and agile development as well as dev sec ops how to extract patterns from existing design the value of design principle patterns and why they are key to go fast. how and when to use tools (SAST/DAST) and when to engineer

Nsc42 security knights slayer of dragons 0-5_very_short_15m_share

NSC42 Ltd

The talk will take the audience on a journey on the cloud evolution, the recent hacks and the need to make security everyone's responsibility. The talk will explore major challenges in cloud transformation from an organization and security perspective with top 8 solutions to address them. The solution will explore: the shared responsibility model Foundation architecture Cloud pattern available Design security and security by design Gamification and the use of EoP in everything security Shift left and bringing security at the beginning of the development Security testing and automation DEV-SEC ops and the integration of Security and Business/Architecture If time is available the talk will explore the top 5 key cloud patterns (Account isolation, Firewall and access control, Logging and cascade pattern, Identity and access management, Key/secret management) Audience Take Away: When starting a cloud security journey or by being already into one what shall you do and consider. Key security element to consider from day 1 to delivery automation and why is so vital to automate security vulnerability

Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

NSC42 Ltd

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference

NSC42 Ltd

Nsc42 - is the cloud secure - is easy if you do it smart UNICOM

NSC42 Ltd

Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...

NSC42 Ltd

CSA - Nsc42 - London chapter keynote - cloud transformation security challenges

NSC42 Ltd

Mais de NSC42 Ltd (9)