The talk will take the audience on a journey through the evolution of the cloud, the recent hacks and the need to make security everyone's responsibility.
The talk will explore the major challenges in cloud transformation from an organizational and security perspective, with the top 8 solutions to address them.
The solution will explore:
- the shared responsibility model
- Foundation architecture
- Cloud patterns available
- Design security and security by design
- Gamification and the use of EoP in everything security
- Shift left and bringing security to the beginning of development
- Security testing and automation
- DEV-SEC ops and the integration of Security and Business/Architecture
If time is available, the talk will explore the top 5 key cloud patterns (Account isolation, Firewall and access control, Logging and cascade pattern, Identity and access management, Key/secret management).
Audience Take Away:
- When starting a cloud security journey, or being already on one, what you should do and consider
- Key security elements to consider from day 1 to delivery
- Automation, and why it is so vital to automate security vulnerability handling
3. Is the Cloud Secure? It’s easy if you do it smart
CSA AGM 2019 - HSBC (London)
@FrankSEC42 https://uk.linkedin.com/in/fracipo
4. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd
Agenda:
- About the author
- Context
- How things have changed
- The problem and the ideal world
- Solution to reach there
- Conclusions & Take Away
- CSA Conference & Awards
- Q&A
5. About the author
www.nsc42.co.uk
Francesco Cipollone, Founder – NSC42 LTD
I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert, Public Speaker, Researcher and Director of Events of Cloud Security Alliance UK, Researcher and associate of ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks.
Security is everybody’s job.
Security is challenging: we have to know an inch deep and miles wide.
6. How Things Have Changed
How did we evolve to reach here?
What is the impact on security?
8. Challenges
Security challenges in cloud transformations?
- Increasing number of breaches
- Impact on cost (brand, fines, …)
- Fast change
- No collaboration between teams and security
Security is everybody’s responsibility.
9. Major Breaches
Why is security everybody’s responsibility?
[Timeline of major breaches, 2009/2010 to 2019: Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, US Retailers, Adobe, Ubisoft, Court Ventures, …]
Because we all get affected by it…
12. Ideal cybersecurity world
In an ideal cybersecurity world we would have infinite time, infinite resources to do things right, and all the boring chores would be automated.
13. Solutions
1. Cloud Responsibility Matrix
2. Cloud Foundation
3. Cloud Patterns
4. Design Security
5. Security by Design
6. Dev shift left
7. Security Testing
8. DEV-SEC-OPS + BIZ/ARCH
Security by design = everyone participates in security
14. Step 1 - Cloud Responsibilities
Shared responsibility model:
- The Customer defines the controls: security IN the cloud
  - Customer Application & Content
  - Network Security
  - Identity & Access Control
  - Operating System/Platform
  - Data Encryption
- Cloud platform: security OF the cloud
  - Physical Infrastructure
  - Network Infrastructure
  - Virtualization Layer
“Understand Shared Responsibility model delegation and you’ll master cloud”
Consider what you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure.
15. Step 1 - Cloud Pizza
IaaS, PaaS, SaaS, …
Who cares, give me pizza!
16. Step 2 – Foundation
How do you build a solid house? You don’t skip the foundation!
How do you build a solid cloud? You don’t skip the foundation!
17. Step 2 – Foundation
How do you build a solid cloud (security) foundation? Cultural, management support and skills:
1. Management Support
2. Disruption and strategy
3. Security as part of the cloud journey
4. Skills shortages
5. Architecture patterns & re-use
18. Step 2 – Foundation
What tools do you use for the solid cloud (security) foundation?
19. Step 3 – Cloud Patterns
- Account Isolation
- Controls: traditional vs cloud
- Logging and monitoring
- Identity and access management
- Key Management
“There is no such thing as a free lunch… but leverage patterns as a starting point”
20. Step 4 – Design Security
“How would you expand the security team without expanding the team?”
“Train Software Engineers on security and you’ll have an ‘extended security team’”
21. Step 5 – Security by Design
“So what would the software engineer do with the security hat on?”
“Gamification… remember to have fun when doing your job”
“How do we make threat security fun?”
22. Step 6 – Shift left in DEV
“Security as early as possible: integrate security in the software development pipeline”
Keep threat or fraud model exercises concise and fun! Don’t overcomplicate.
23. Step 7 – Security in Test
“Security (testing) as early as possible”
Security testing as a bug bounty program! Make it fun and rewarding.
24. Step 8 - DEV–SEC–OPS(BIZ)
What kind of animal is the DEV-SEC-OPS?
Integrate security into the OPS team (and add a spark of BIZ).
Security is everybody’s responsibility.
Integrating Security: reward security effort -> low cost, high impact.
26. Conclusions
- Evolution & Challenges
- Ideal world and steps to reach it
- What’s in the future
Security in the journey to the Cloud, not at destination.
Security is everybody’s job.
29. Cyber Security Awards 2019 – Cloud Security Influencer of the Year
Submission: 10 May 2019. Ceremony: 4 July 2019.
#CYSECAWARDS19 https://cybersecurityawards.com/
Info: https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com