Cloud Security Discussion ISACA, Jacksonville Chapter
October 2017 Meeting
Craig Galley, Information Security Officer, SANS Mentor
Intro and Bio
❖ Jacksonville Resident 34 years
❖ 16 years involvement in Information Security
❖ Information Security Officer for the City of Jacksonville
❖ SANS Instructor
❖ Former “Biker”, now full time “Dance Dad”
❖ Searching for my next hobby (fishing?, crochet?, gardening?)
Why Cloud Services?
❖ Lower Total Cost of Ownership
❖ Reduce head count
❖ Performance gains and higher Return on Investment
❖ High Availability / Disaster Recovery
❖ Transfer Risk
❖ Security
Security?
“Lost laptops are a billion dollar business problem. And potentially greater than the loss of an expensive piece of kit is the loss of the sensitive data inside it. Cloud computing gives you greater security when this happens. Because your data is stored in the cloud, you can access it no matter what happens to your machine. And you can even remotely wipe data from lost laptops so it doesn’t get into the wrong hands.”
ref - https://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html
❖ Cloud Service Provider (CSP)
❖ Cloud Customer
❖ Cloud Access Security Broker (CASB)
❖ Public, Private, Community, and Hybrid
❖ IaaS
❖ PaaS
❖ SaaS
Cloud Security Responsibility?
❖ Cloud Customer!!!
❖ Cannot transfer the risk of housing PII data in the Cloud
❖ Ultimately responsible for ensuring that the Business Requirements are met when utilizing services in the Cloud
❖ Security concerns evolve rapidly; the Cloud Customer must understand how this impacts the organization.
Initial Considerations
❖ Reliability of the Cloud Service Provider
❖ Location of Service and Data
❖ Breach reports and history of the Cloud Service Provider
❖ Auditors and Regulation
❖ Resource considerations
Long Term Concerns
❖ Retention Policies
❖ What is the out strategy?
❖ Data Remnants
❖ Compliance
❖ Crypto-shredding
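Crypto-shredding, named in the last bullet, is the usual answer to the data-remnant and exit-strategy questions above: every record is encrypted under its own key, the keys stay under the customer's control, and destroying a key renders every remaining copy of the ciphertext (provider backups included) unreadable without touching the provider at all. The Go program below is an added illustration written for this page, not code from the talk; the Store type, its two maps and the record ids are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Store models the split crypto-shredding relies on: ciphertexts sit with the provider (and its backups), keys stay with the customer.
type Store struct {
	Ciphertexts map[string][]byte // provider side: nonce || AES-256-GCM ciphertext
	Keys        map[string][]byte // customer side: one random 32-byte key per record
}
func NewStore() *Store { return &Store{Ciphertexts: map[string][]byte{}, Keys: map[string][]byte{}} }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce
}
// Put encrypts one record under its own fresh key, binding the id as associated data.
func (s *Store) Put(id string, plaintext []byte) error {
	buf := make([]byte, 32+12) // fresh key || nonce from the CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return err
	}
	s.Ciphertexts[id] = gcm.Seal(buf[32:], buf[32:], plaintext, []byte(id))
	s.Keys[id] = buf[:32]
	return nil
}
// Get decrypts a record; once its key is shredded the stored ciphertext is useless.
func (s *Store) Get(id string) ([]byte, error) {
	ct, key := s.Ciphertexts[id], s.Keys[id]
	if len(ct) < 12 || key == nil { // unknown id, or key already shredded
		return nil, errors.New("plaintext unrecoverable: missing record or shredded key")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[:12], ct[12:], []byte(id))
}
// Shred destroys only the key (a KMS key-destroy call in practice); the ciphertext and every backup of it may remain.
func (s *Store) Shred(id string) { delete(s.Keys, id) }
```

After Shred the ciphertext map still holds the record, which is exactly the situation with copies the customer can no longer reach; the retention policy then only has to govern the keys.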
SaaS Security Concerns
❖ Cloud Provider: Platform, Infrastructure, Physical
❖ Cloud Customer: GRC, Data
❖ Shared Responsibilities: Application
PaaS Security Concerns
❖ Cloud Provider: Physical, Infrastructure
❖ Cloud Customer: GRC, Data, Application
❖ Shared Responsibilities: Platform
IaaS Security Concerns
❖ Cloud Provider: Physical
❖ Cloud Customer: GRC, Data, Application, Platform
❖ Shared Responsibilities: Infrastructure
Continuous Monitoring
❖ Breach and Incident notifications
❖ Centralized logging
❖ Access to Cloud stored logs
Cloud Application Security
❖ Not all applications are Cloud ready
CSA - The Treacherous 12
❖ Data Breaches
❖ Insufficient Identity, Credential and Access Management
❖ Insecure Interfaces and APIs
❖ System Vulnerabilities
❖ Account Hijacking
❖ Malicious Insiders
ref - https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
CSA - The Treacherous 12 (cont.)
❖ Advanced Persistent Threats
❖ Data Loss
❖ Insufficient Due Diligence
❖ Abuse and Nefarious Use of Cloud Services
❖ Denial of Service
❖ Shared Technology issues
“At the end of the day…”
❖ Cloud Customer is always responsible for GRC and Data
❖ Cloud Services offer many advertised cost benefits
❖ Risk is present in many forms throughout Cloud models
❖ Information Security Professionals must be involved to voice the risk
❖ Senior Managers weigh the cost benefits vs the risk and make the decision based on risk appetite.
InfoSecJax
❖ ISACA, Infragard, ISSA, (ISC)2
❖ Tech Coast Conference
❖ B-Sides Jacksonville
❖ 2600 Meetings
❖ Hack@FSCJ
Craig Galley’s SANS Schedule
❖ MGT414: SANS Training Program for CISSP® Certification
❖ Not a bootcamp!
❖ Next class starts on January 23rd, 2018 and runs through March 6th, 2018
❖ 7 weeks
❖ Each Tuesday from 6:00pm - 9:00pm
❖ Location: TBD
Questions???
❖ CISSP, CSSLP, GSLC, GSEC, GISP, Security+
❖ @bullpwr (Twitter) or LinkedIn