control the creep: streamline security and compliance by sharing the workload
TRANSCRIPT
US SIGNAL PRESENTS
SECURITY IN THE CLOUD
Overview
1. Where IT security started
2. Where we are today and how we got here
3. Why we are starting to come apart and what's next
4. A new look at a complete security program
5. How cloud services help
6. Risk management and service catalogs
7. How to know if you need help
Where we started
- HP 3000 w/ 64 MB RAM
- NetWare BorderManager
- Stateless Firewall
Where we started
- One shared egress point
- Stateless packet filtering and NAT
- Inside = Trusted
- Outside = Untrusted
Where we are and how we got here
- Defense-in-depth
- Advanced Unified Threat Management
- Trust No One!
Where we are and how we got here
- NIST SP 500-299
- NIST SP 500-291
- NIST SP 500-292
- NIST SP 500-293
- NIST SP 500-316
- NIST SP 500-800
- Over 13,000 pages of documentation
- Management frameworks: PCI, HIPAA, FDA, FedRAMP, ISO 27001/2, ISACA COBIT, ITIL, NIST, BITS, GAPP…
What’s next: How we are starting to come apart
- Lack of executive representation
- Ongoing quality is an afterthought
- Increased complexity
- Line-item budget veto
- Legacy workloads
- Staff skill-sets
- Lack of comprehensive security strategy
- Limited or no visibility into internal trends
- Bolt-on vs. baked-in security model
- Threats/vulnerabilities change too quickly
- Outdated or missing risk management process
- No incident response plans
- Limited testing
- Immature disaster recovery

Munro, D. (2016, January 04). Data Breaches In Healthcare Totaled Over 112 Million Records In 2015. Retrieved from http://www.forbes.com
What a complete program looks like
Layer                 Physical  Technical                  Administrative
                                Control Plane  Data Plane
Application           -         -              -           -
Middleware            -         -              -           -
Database              -         -              -           -
Operating System      -         -              -           -
Compute and Memory    -         -              -           -
Storage               -         -              -           -
Internet              -         -              -           -
Data Center LAN/WAN   -         -              -           -
Facilities            -         -              -           -

Legend:
- Customer Responsibility
How cloud services help
Layer                 Physical  Technical                  Administrative
                                Control Plane  Data Plane
Application           -         -              -           -
Middleware            -         -              -           -
Database              -         -              -           -
Operating System      -         -              -           -
Compute and Memory    -         -              -           -
Storage               -         -              -           -
Internet              -         -              -           -
Data Center LAN/WAN   -         -              -           -
Facilities            -         -              -           -

Legend:
- Provider Responsibility
- Customer Responsibility
Services-based Risk Management
Public Cloud
Enterprise Cloud
Colocation
On-Premise
Private Cloud
Multi-Cloud Services Portfolio
- Public Cloud: public data, web services, highly-dynamic workloads
- Enterprise Cloud: production workloads, disaster recovery, first-step cloud services
- Colocation: hybrid approaches, vetting service providers, highly-regulated workloads
- On-Premise: legacy ops, they are cool, large organizations <25,000 sq. ft.
How to know if you need help
If you are struggling with these:
- Lack of executive representation
- Ongoing quality is an afterthought
- Increased complexity
- Line-item budget veto
- Legacy workloads
- Staff skill-sets
- Lack of comprehensive security strategy
- Limited or no visibility into internal trends
- Bolt-on vs. baked-in security model
- Threats/vulnerabilities change too quickly
- Outdated or missing risk management process
- No incident response plans
- Limited testing
- Immature disaster recovery

Or if you have not completed something like this:

Layer                 Physical  Technical                  Administrative
                                Control Plane  Data Plane
Application           -         -              -           -
Middleware            -         -              -           -
Database              -         -              -           -
Operating System      -         -              -           -
Compute and Memory    -         -              -           -
Storage               -         -              -           -
Internet              -         -              -           -
Data Center LAN/WAN   -         -              -           -
Facilities            -         -              -           -