SlideShare uma empresa Scribd logo
1 de 31
Baixar para ler offline
Is the Cloud Secure?
CSA AGM 2019 - HSBC (London)
@FrankSEC42
It’s easy if you do it smart
https://uk.linkedin.com/in/fracipo
@FrankSEC42https://uk.linkedin.com/in/fracipo
Is the Cloud Secure?
CSA AGM 2019 - HSBC (London)
@FrankSEC42
It’s easy if you do it smart
https://uk.linkedin.com/in/fracipo
Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd
Agenda About the author
Conclusions & Take Away
Q&A
Solution to reach there
The problem and ideal
world
How things have changed
Context
@FrankSEC42
CSA Conference & Awards
www.nsc42.co.uk
About the Francesco
5
Francesco Cipollone
Founder – NSC42 LTD
I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Public Speaker,
Researcher and Director of Events of Cloud security Alliance UK, Researcher
and associate to ISC2.
I’ve been helping organizations define and implement cybersecurity strategies
and protect their organizations against cybersecurity attacks
FC-LinkedIn E-Mail Website Articles NSC42 LinkedIn
Security is everybody’s job
@FrankSEC42
@FrankSEC42https://uk.linkedin.com/in/fracipo
Security is challenging, we have to know inch deep and miles wide
www.nsc42.co.uk
How Things Have Changed
6
How did we evolve to reach here?
What is the impact on the security?
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Cloud Evolution
7
2005
2006
Datacentre
Land 2007
2008
2013
2010
2011
2012
2014
Cloud
Adoption
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Challenges
8
- Increasing number of breaches
- Impact on Cost (Brand, Fines, …)
- Fast change
- No collaboration teams and security
Security is everybody’s responsibility
@FrankSEC42https://uk.linkedin.com/in/fracipo
Security Challenges in cloud transformations?
www.nsc42.co.uk
Major Breaches
9
2009/
2010
2012
Microsoft
Heartland
US Military
Aol
TJMax
2013
2016
2017
2014
2015
2018
Sony PSN
NHS
Betfair
Steam
Deep Root
IRS
Anthem
Dropbox
Lastfm
Blizzard
Marriot
Twitter
MyHeritage
Uber
Quora..
Why security is everybody’s responsibility?
Myspace
Twitter
Yahoo
Linkedin
Friend Finder
Dailymotion
Mossack Fonseca
JP Morgan
Home Depo
Ebay
Yahoo(orignal)
US Retailers
Adobe
UbiSoft
Court Ventures
2012
2019
…
Because we all get affected by it…
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Major Breaches
10@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Challenges
11
- Increasing number of breaches
- Impact on Cost (Brand, Fines, …)
- Fast change
- No collaboration teams and security
Security is everybody’s responsibility
@FrankSEC42https://uk.linkedin.com/in/fracipo
Security Challenges in cloud transformations?
www.nsc42.co.uk
Ideal cybersecurity world
12
In an ideal cybersecurity world we would have infinite time, infinite
resource to do things right, and all the boring chores would be
automated
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Solutions
13
1. Cloud Responsibility Matrix
2. Cloud Foundation
3. Cloud Patterns
4. Design Security
5. Security by Design
6. Dev shift left
7. Security Testing
8. DEV-SEC-OPS + BIZ/ARCH
Security by design = everyone
participate in security
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 1 - Cloud Responsibilities
14
Customer Application & Content
Network
Security
Identity &
Access
Control
Operating
System/
Platform
Data
Encryption
The
Customer
Customer
Defines
controls
security IN
Cloud
Customer
takes care of
the security
OF Cloud
Physical
Infrastructure
Network
Infrastructure
Virtualization
Layer
Cloud platform
“Understand Shared Responsibility model Delegation and you’ll master cloud”
Consider what are you are getting yourself into in a cloud migration. Cloud
is not natively secure or insecure
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 1 - Cloud Pizza
15
IaaS, PaaS, SaaS, …
Who cares give me pizza!
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 2 – Foundation
16
How do you build a solid
house?
You don’t skip the foundation!
How do you build a solid
cloud?
You don’t skip the foundation!
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 2 – Foundation
17
1. Management Support
2. Disruption and strategy
3. Security as part of the cloud journey
4. Skills shortages
5. Architecture patterns & Re-use
How do you build a solid cloud (security) foundation?
Cultural, Management support and skills
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 2 – Foundation
18
What Tools do you use for the solid cloud (Security)
Foundation?
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 3 – Cloud Patterns
19
- Account Isolation
- Controls Traditional vs cloud
- Logging and monitoring
- Identity and access management
- Key Management
“There is no such a thing as free lunch…
but leverage on patterns as starting point”
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 4 – Design Security
20
“How would expand the security team without expanding the team?”
Train Software Engineers on security and you’ll have ‘extended
security team’”
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 5 – Security by Design
21
“So what would the software engineer do with the security hat on?”
“gamification…remember to have fun when doing your job”
How do we make threat security fun?”
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 6 – Shift left in DEV
22
“Security as early as possible: Integrate security in the software
development pipeline”
Keep Threat or fraud model exercise concise and fun! Don’t overcomplicate
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 7 – Security in Test
23
“Security (Testing) as early as possible”
Security testing as bug bounty program! Make it fun and rewarding
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Step 8 - DEV–SEC–OPS(BIZ)
24
What kind of animal is the DEV-SEC-OPS?
Integrate security into the OPS team (and add a spark of BIZ)
Security is everybody responsibility.
@FrankSEC42https://uk.linkedin.com/in/fracipo
Reward security effort with -> Low cost High Impact
Integrating Security
www.nsc42.co.uk
The Future
25
“Cybersecurity due diligence will remain the
same regardless of the technology chosen”
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Conclusions
26
- Evolution & Challenges
- Ideal world and step to reach it
- What’s in the future
Security in the journey to the Cloud not at destination
Security is everybody’s job
@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Mentoring
Research
Events
Networking
Twitter: @csaukchapter
LinkedIn: https://www.linkedin.com/groups/3745837/
CSA-UK - We need you
27@FrankSEC42https://uk.linkedin.com/in/fracipo
Join!
Every Fortnight 1.30 PM UK
Time
#MentoringMonday Call
@FraSEC42
Cyber Security Awards 2019
Cloud Security Influencer of the Year
Submission – 10 of May 2019
Ceremony 4 July
2019
#CYSECAWARDS19https://cybersecurityawards.com/
https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com
Info:
www.nsc42.co.uk
Q&A
30@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk
Contacts
31
Get in touch:
https://uk.linkedin.com/in/fracipo
Francesco.cipollone (at) nsc42.co.uk
www.nsc42.co.uk
Thank you
WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY
@FrankSEC42
@FrankSEC42https://uk.linkedin.com/in/fracipo

Mais conteúdo relacionado

Semelhante a Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challengesNSC42 Ltd
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At MozillaMichael Van Kleeck
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Mighty Guides, Inc.
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)Erik Trautman
 
Cissp Course Online
Cissp Course OnlineCissp Course Online
Cissp Course OnlineLearning2471
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...Codemotion
 

Semelhante a Nsc42-CSA AGM is the cloud secure - is easy if you do it smart (20)

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At Mozilla
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)
 
Cissp Course Online
Cissp Course OnlineCissp Course Online
Cissp Course Online
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
 

Último

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 

Último (20)

20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 

Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

  • 1. Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
  • 3. Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
  • 4. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd Agenda About the author Conclusions & Take Away Q&A Solution to reach there The problem and ideal world How things have changed Context @FrankSEC42 CSA Conference & Awards
  • 5. www.nsc42.co.uk About the Francesco 5 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Public Speaker, Researcher and Director of Events of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks FC-LinkedIn E-Mail Website Articles NSC42 LinkedIn Security is everybody’s job @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo Security is challenging, we have to know inch deep and miles wide
  • 6. www.nsc42.co.uk How Things Have Changed 6 How did we evolve to reach here? What is the impact on the security? @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 8. www.nsc42.co.uk Challenges 8 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
  • 9. www.nsc42.co.uk Major Breaches 9 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why security is everybody’s responsibility? Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … Because we all get affected by it… @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 11. www.nsc42.co.uk Challenges 11 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
  • 12. www.nsc42.co.uk Ideal cybersecurity world 12 In an ideal cybersecurity world we would have infinite time, infinite resource to do things right, and all the boring chores would be automated @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 13. www.nsc42.co.uk Solutions 13 1. Cloud Responsibility Matrix 2. Cloud Foundation 3. Cloud Patterns 4. Design Security 5. Security by Design 6. Dev shift left 7. Security Testing 8. DEV-SEC-OPS + BIZ/ARCH Security by design = everyone participate in security @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 14. www.nsc42.co.uk Step 1 - Cloud Responsibilities 14 Customer Application & Content Network Security Identity & Access Control Operating System/ Platform Data Encryption The Customer Customer Defines controls security IN Cloud Customer takes care of the security OF Cloud Physical Infrastructure Network Infrastructure Virtualization Layer Cloud platform “Understand Shared Responsibility model Delegation and you’ll master cloud” Consider what are you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 15. www.nsc42.co.uk Step 1 - Cloud Pizza 15 IaaS, PaaS, SaaS, … Who cares give me pizza! @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 16. www.nsc42.co.uk Step 2 – Foundation 16 How do you build a solid house? You don’t skip the foundation! How do you build a solid cloud? You don’t skip the foundation! @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 17. www.nsc42.co.uk Step 2 – Foundation 17 1. Management Support 2. Disruption and strategy 3. Security as part of the cloud journey 4. Skills shortages 5. Architecture patterns & Re-use How do you build a solid cloud (security) foundation? Cultural, Management support and skills @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 18. www.nsc42.co.uk Step 2 – Foundation 18 What Tools do you use for the solid cloud (Security) Foundation? @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 19. www.nsc42.co.uk Step 3 – Cloud Patterns 19 - Account Isolation - Controls Traditional vs cloud - Logging and monitoring - Identity and access management - Key Management “There is no such a thing as free lunch… but leverage on patterns as starting point” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 20. www.nsc42.co.uk Step 4 – Design Security 20 “How would expand the security team without expanding the team?” Train Software Engineers on security and you’ll have ‘extended security team’” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 21. www.nsc42.co.uk Step 5 – Security by Design 21 “So what would the software engineer do with the security hat on?” “gamification…remember to have fun when doing your job” How do we make threat security fun?” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 22. www.nsc42.co.uk Step 6 – Shift left in DEV 22 “Security as early as possible: Integrate security in the software development pipeline” Keep Threat or fraud model exercise concise and fun! Don’t overcomplicate @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 23. www.nsc42.co.uk Step 7 – Security in Test 23 “Security (Testing) as early as possible” Security testing as bug bounty program! Make it fun and rewarding @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 24. www.nsc42.co.uk Step 8 - DEV–SEC–OPS(BIZ) 24 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) Security is everybody responsibility. @FrankSEC42https://uk.linkedin.com/in/fracipo Reward security effort with -> Low cost High Impact Integrating Security
  • 25. www.nsc42.co.uk The Future 25 “Cybersecurity due diligence will remain the same regardless of the technology chosen” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 26. www.nsc42.co.uk Conclusions 26 - Evolution & Challenges - Ideal world and step to reach it - What’s in the future Security in the journey to the Cloud not at destination Security is everybody’s job @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 28. Every Fortnight 1.30 PM UK Time #MentoringMonday Call @FraSEC42
  • 29. Cyber Security Awards 2019 Cloud Security Influencer of the Year Submission – 10 of May 2019 Ceremony 4 July 2019 #CYSECAWARDS19https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info:
  • 31. www.nsc42.co.uk Contacts 31 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo

Notas do Editor

  1. Q&A
  2. Q&A