TRANSCRIPT
Pitching cloud services to security folks
Moshe Ferber, CCSK Onlinecloudsec.com
Surviving the Lion’s den…
IGTcloud Meetup
About
Information security professional for over 20 years
Working on cloud strategy with the world's largest software vendors
Founded Cloud7, a managed security services provider (currently 2bsecure cloud services)
Partner at Clarisite – Your customer's eye view
Partner at FortyCloud – Make your public cloud private
Member of the board at Macshava Tova – Narrowing societal gaps
Certified CCSK instructor for the Cloud Security Alliance
Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Computing
How the CIO sees it
Cloud Computing
How the end user sees it
Cloud Computing
How the CFO sees it
Cloud Computing
And how the CISO sees it
Mistakes cloud providers make #1
Mistakes cloud providers make #2
Mistakes cloud providers make #3
Mistakes cloud providers make #4
What else CISOs don't like
What you say… and how the CISO understands it
Agility
Scalability
Compliance
Manageability
Reliability
So what is the CISO looking for?
So, how do we create trust?
1. Transparency
2. Competency
Transparency
Transparency #1 takeaway
Security in the cloud is a shared responsibility
Source: Trend Micro Blog
Transparency #2 Security policy
A security policy is mandatory; it should cover all aspects of how you protect your customers' data.
Transparency #3 Audits
Don’t run away from security audits
Competency
Skill, Design, Governance
Skill
• Make sure your sales / pre-sales understand cloud security.
• Understand the standards and regulation relevant to your sector.
Skill #2
• Make your security building blocks tangible to the customers:
Monitoring and incident management
Application security
Data security
Infrastructure security
Data center security
Understand cloud threats & risks
Threat: theft
Risk: losing money
Attack vector: unsecured door
Cloud attack vectors
• Provider administration
• Management console
• Multitenancy & virtualization
• Automation & API
• Chain of supply
• Side channel attack
• Insecure instances
Understanding controls
Preventive
• Firewall (Security Groups)
• Authentication
• Anti-virus
• Guards
Detective
• IDS
• System monitoring
• Motion detector
Corrective
• Upgrades & patches
• Vulnerability scanning
Compensatory
• DRP & backup
• Firewall logs
• Reviews
• Audit & reconciliation
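The slides list "management console" as a cloud attack vector and "system monitoring" as a detective control. The following is an added example, not code from the slides: a small analyzer that runs over constructed, CloudTrail-style ConsoleLogin records and raises two findings for that vector: any console login by the root account, and a burst of failed logins from one source IP inside a short window. The event records, the thresholds and the function names are assumptions made for this example.

```python
"""Detective control over management-console logins (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names follow the
# CloudTrail ConsoleLogin event layout; all values are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T08:02:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "192.0.2.5",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": None},
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Failure"}},
]
# Six failed logins against "bob" from one IP within six minutes.
SAMPLE_EVENTS += [
    {"eventTime": f"2024-01-10T09:0{i}:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}}
    for i in range(6)
]

# Assumed detection parameters for this example.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def console_logins(events):
    """Only ConsoleLogin events matter here; API calls are ignored."""
    return [e for e in events if e.get("eventName") == "ConsoleLogin"]


def root_console_logins(events):
    """Source IPs of console logins made with the root account."""
    return sorted({e["sourceIPAddress"] for e in console_logins(events)
                   if e["userIdentity"].get("type") == "Root"})


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Source IPs with at least `threshold` failed console logins inside
    one `window`, found with a sliding window over each IP's sorted
    failure timestamps."""
    failures = defaultdict(list)
    for e in console_logins(events):
        if (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            failures[e["sourceIPAddress"]].append(_ts(e))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def analyze(events):
    """Run both detections and return the findings as a dict."""
    return {"root_console_logins": root_console_logins(events),
            "failed_login_bursts": failed_login_bursts(events)}


if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_EVENTS).items():
        print(f"{kind}: {ips or 'none'}")
```

Both checks are cheap to run over a batch of exported events and give the customer something tangible: a root login is always worth an alert, and the burst rule catches password guessing against the console before it succeeds.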
Design
Threat (the STRIDE categories) and the security service that addresses it:
Spoofing: Authentication
Tampering: Digital signature, hash
Repudiation: Audit logging
Information disclosure: Encryption
Denial of service: Availability
Elevation of privilege: Authorization
• Integrate security into your software lifecycle.
• Account for cloud-specific threats.
• Think about separation of tenants.
• Explore encryption at all layers.
• Think about 3rd-party access.
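"Separation of tenants" is the design point above that most often fails in practice, so here is an added example (not code from the slides) showing what it means at the data-access layer: a multi-tenant document table in an in-memory SQLite database, with the vulnerable lookup (tenant id taken from the request) beside the hardened one (tenant id taken from the authenticated session and applied to every query). The table layout, the sample rows and the function names are assumptions made for this example.

```python
"""Tenant separation at the data-access layer (added example)."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of authentication. tenant_id is set by the identity layer
    and never copied from request parameters."""
    user: str
    tenant_id: str


class TenantAccessDenied(Exception):
    pass


def build_store():
    """Create the in-memory store with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " tenant_id TEXT NOT NULL, doc_id TEXT NOT NULL, body TEXT NOT NULL,"
        " PRIMARY KEY (tenant_id, doc_id))"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        ("acme", "doc-1", "acme quarterly numbers"),
        ("acme", "doc-2", "acme hiring plan"),
        ("globex", "doc-1", "globex board minutes"),
        ("globex", "doc-9", "globex product roadmap"),
    ])
    conn.commit()
    return conn


def get_document_unsafe(conn, requested_tenant, doc_id):
    """VULNERABLE: trusts a tenant id supplied by the caller (a URL or
    JSON field). The query is parameterized, so this is not SQL
    injection; the flaw is that an authenticated user of one tenant can
    name another tenant and read its rows."""
    row = conn.execute(
        "SELECT body FROM documents WHERE tenant_id = ? AND doc_id = ?",
        (requested_tenant, doc_id),
    ).fetchone()
    return row[0] if row else None


def get_document(conn, session, doc_id):
    """HARDENED: the tenant predicate comes from the session and is part
    of every query, so the caller cannot widen the scope. A row that
    exists under another tenant is reported exactly like a missing row."""
    row = conn.execute(
        "SELECT body FROM documents WHERE tenant_id = ? AND doc_id = ?",
        (session.tenant_id, doc_id),
    ).fetchone()
    if row is None:
        raise TenantAccessDenied(
            f"{session.user}@{session.tenant_id} cannot read {doc_id}")
    return row[0]


def can_read(conn, session, doc_id):
    """True if the hardened lookup would return the document."""
    try:
        get_document(conn, session, doc_id)
        return True
    except TenantAccessDenied:
        return False


def list_documents(conn, session):
    """Listing is scoped the same way; there is no unscoped variant to misuse."""
    rows = conn.execute(
        "SELECT doc_id FROM documents WHERE tenant_id = ? ORDER BY doc_id",
        (session.tenant_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_store()
    alice = Session(user="alice", tenant_id="acme")
    # The unsafe path lets acme's user read globex data by naming the tenant.
    print("unsafe:", get_document_unsafe(conn, "globex", "doc-9"))
    # The hardened path resolves the same doc_id inside alice's own tenant
    # and refuses anything outside it.
    print("scoped:", get_document(conn, alice, "doc-1"))
    print("can read globex doc-9:", can_read(conn, alice, "doc-9"))
    print("alice sees:", list_documents(conn, alice))
```

The design rule the example encodes is that the tenant identifier is an attribute of the authenticated session, not an input, and that no query path exists without that predicate; the same idea applies whether the store is a relational table, an object-store prefix or a per-tenant encryption key.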
Governance
• Most security companies simply don't know how to do ongoing operational security.
• If you are guarding banks' data, you need banks' operational capabilities.
Questions?
To wrap things up
Speak your customers lingo
Use good building blocks
Don't hesitate to be transparent on your security controls.
Cloud security is very much about your customers' market sector.
Be proactive in your security; think ahead of your customers.
Moshe Ferber
www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
KEEP IN TOUCH
Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule