Cot 2012 Panic in the Cloud
TRANSCRIPT
7/29/2019 Cot 2012 Panic in the Cloud
June 1, 2011

Justin Drain
June 6, 2012 Raising Security IQ

Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional customer or attorney client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
These views and opinions also do not reflect those of Fremont Bancorp.

Introductions
Justin Drain, CISM, CRISC, CISSP
Data Security Manager, Fremont Bank
Security Experience: banking, aerospace, federal government, medical

Agenda
Cloud By Any Other Name
Cloud Up! Uh, Why? (Why Not?)
Uncomfortable Discovery
Handling the Truth
Recovery
Winning the War Next Time
Recap & Takeaways

Cloud By Any Other Name
Buzzwords
SaaS (software as a service)
PaaS (platform as a service)
IaaS (infrastructure as a service)

Cloud By Any Other Name
Who Does What
SaaS providers: Salesforce.com, Sage
Platform providers: Google Apps, iCloud
Infrastructure providers like Amazon EC2, GoGrid
Virtualization technology providers: VMware, Xen

Cloud Service Models
Private Cloud
o Company Owned Or Leased
o In Some Cases On Site
Public Cloud
o Large Scale Infrastructure for Public Sale
Community Cloud
o Shared Infrastructure Community
Hybrid Cloud
o Composed Of Multiple Clouds

Cloud Advantages
What Do You Get?
Financial Cost Savings
Improved Computing And Network Performance
Scalability Of Services/Operations (Pay As You Go)
Simplification Of IT Solutions

To a hammer, everything looks like a nail
Don't Be The Nail
Enable, Not Block

Cloud Up! Uh, Why? / Why Not?
Risk of not Clouding Up
Why Bigger Is Better
Why Bigger Is Not Always Better
Not Performance, Risk

Uncomfortable Discovery
(or Dude, Where's Our Data?)
Stop Me If You've Heard This One
Request on an idle Thursday
Cousin Joeysoft
Staging
Vendor Management?
Unfamiliar Breach notice?

Handling the Truth
Five Stages of Incident Discovery
1. Denial
2. Anger
3. Bargaining
4. Depression
5. Acceptance

Virtual Problems, Real Answers
Acceptance

Recovery
Band-Aids & Bullets
What Can/Should Be Done (aside from prayer)
Assess
Stabilize
Doing What It Takes To Make It Right
Who Are You Going To Call?
Compliance vs. Fauxpliance
Legally Defensible

Winning The War Next Time
We Don't Know What We Don't Know. Be Prepared (or Remember the Basics)
Security SLA: Visibility Into Provider's Systems; Shared Breach Liability
3 Rs (Reporting, Response, Reading)
3rd Party And 4th Party Agreements
Costs

Winning The War Next Time
Playing The Fear Card
We Aren't the Ones You Need to Convince

Winning The War Next Time
Where's My Lawyer?
Risk Assessment In/From/To The Cloud?
Incident Response?
Encryption, Duh!
Security Bypassed (Be In the Room still)

Recap and Takeaways
Be Prepared
3 Rs (What's YOUR Policy?)
Don't Be the Nail
Fear IS an Option Sometimes
Don't Forget The Basics

Final Thought
"The state of mind which enables a man to do work of this kind is akin to that of the religious worshiper or the lover; the daily effort comes from no deliberate intention or program, but straight from the heart."
- Albert Einstein, Physical Society address, 1918

Thank You!
Questions?
Justin Drain