Checklist for Competent Cloud Security Management

Post on 13-Apr-2017


Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI

Dr. Mariana Carroll, Cloud Advisor and Trainer

© Cloud Credential Council

Poll: Testing - can you hear us and see the slides?

A. Yes, I can hear you and see the slides
B. I can hear you, but not see the slides
C. I can see the slides, but not hear you
D. No, I cannot hear you or see the slides


> Introduction: Cloud Credential Council. Tristano Vacondio, Marketing Manager, CCC

> Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI

Dr. Mariana Carroll, Cloud Advisor and Trainer, Mariana Carroll Consulting

Agenda


Poll: What is your area of work?

A. IT training provider
B. IT consultant
C. IT training and consulting
D. IT practitioner


Poll: How much IT security experience do you have?

A. Extensive experience (approx 6+ years)
B. Some experience (approx 4-6 years)
C. Intermediate (approx 1-3 years)
D. Little (up to 1 year)
E. None


1. Customers in the same cloud can attack each other.

A. True
B. False


2. External Internet threats are more threatening in the cloud.

A. True
B. False


3. You can't control where your data resides in the cloud.

A. True
B. False


4. Certifications are standard in a cloud environment and provide assurance to subscribers.

A. True
B. False


5. It is easy to change from one cloud provider to another whenever I want to.

A. True
B. False


Agenda

• CCC Introduction
• Background: What is the Current State of Cloud Security?
• Background: What are the common gaps and how do we address Cloud Security?
• Stepping into Cloud Security Management: A Checklist to Ensure Secure Cloud Adoption and Use
• Training and Development: Building a Career in Cloud Security
• The Future of Cloud Security
• Questions and Answers
• Quiz Answers


Introduction


The Cloud Credential Council

● Vendor Neutral
● International
● Non Profit

Professional Cloud Series

CCC Background

CCC Background (cont…)


Certification Scheme


Accreditation Scheme


Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI


Background: What is the Current State of Cloud Security?


Journey to a Digital World (slide figure)

Business: Cloud, Mobile, Data, Social business, IoT, Wearables

Threats: Hacktivists, Insiders, Espionage, Criminal syndicates, States, Control failure


What is Cloud Computing?

Cloud definition: “A network of remote servers hosted on the Internet and used to store, manage, and process data instead of local servers or personal computers”.

(“A cloud is a visible mass of tiny, condensed water droplets or ice crystals suspended in the atmosphere”)

Cloud Characteristics

● On-demand self service
● Broad network access
● Resource pooling
● Rapid elasticity
● Measured service

Cloud Service Models

● Software-as-a-Service (SaaS)
● Platform-as-a-Service (PaaS)
● Infrastructure-as-a-Service (IaaS)

Cloud Deployment Models

● Public cloud
● Private cloud
● Community cloud
● Hybrid cloud
● Virtual private clouds


The State of Cloud Computing

Gartner: The worldwide market for public cloud systems will hit $204 billion this year.

Gartner:
• Highest growth expected in IaaS (38,4%)
• Solid growth across public cloud services
• SaaS growing 20,3%
• Cloud management and security services growing 24,7%
• PaaS growing 21,1%

IDC: Hyper-convergence spending will nearly double from $806.8 million in 2015 to nearly $1.6 billion in 2016.


The State of Cloud Computing

Key takeaways:
• Increased spending on Security and Cloud Computing
• Large need for Cloud Computing and Security skills


Background: What are the common gaps and how do we address Cloud Security?


What is Security?

Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide:

1. confidentiality, which means preserving authorised restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
2. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and
3. availability, which means ensuring timely and reliable access to and use of information.

Information Systems Security (InfoSec): Protection of information systems against unauthorised access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorised users, including those measures necessary to detect, document, and counter such threats.

Source: SP 800-66; 44 U.S.C., Sec 3541, CNSSI-4009


Security Considerations when moving to the Cloud

• Shadow IT
• Third party risks
• Complex hybrid models outside of traditional “walls”
• Controls gap
• Single target for attack
• Resource capability constraints


Cloud Security Opportunities

• Free up resources to focus on your core
• Cloud providers are in the “business of IT” – security should be their main concern
• Beat the skills gap – cloud providers attract the specialists


Cloud Security Responsibility


A Risk-based Approach

Source: Deloitte (2015)


Stepping into Cloud Security Management: A Checklist to Ensure Secure Cloud Adoption and Use


Implementing Cloud Security Measures (Cloud Security Strategy)

Planning and scoping:

• What are the key business objectives, needs or challenges? Look at the value proposition drivers of Cloud adoption to meet business objectives or solve existing need(s) or challenge(s).
• List the key drivers for Cloud adoption. Examples: improve business agility, improve operating cost, enter new markets.
• Select the Cloud service model that best suits the business need and security requirements: SaaS, PaaS, IaaS, BPaaS, Other. Why?
• Select the best suited and secure method of delivery: Public, Private, Community, Hybrid. Why?


Implementing Cloud Security Measures (cont.)

Develop a Cloud Strategy:

• Develop a security strategy to manage risks as the business moves to the cloud
• Evaluate the current state (Inherent Risk)
• Assess residual risk for high priority cloud services
• Develop draft plans, policies and a strategic roadmap

Formalise:

• Develop a cloud security reference architecture (blueprint)
• Develop a tailored Cloud Security reference architecture (blueprint) for the various cloud models together with recommended technologies

Implement:

• Implement security and governance capabilities to manage cloud security risks
• Design and implement security controls
• Design and implement platform specific controls (e.g., SaaS specific)
• Ensure adequate GRC+R across the cloud and IT stack

Review and monitor


Cloud Security Competencies

• Knowledge of Information Technology concepts, Cloud Computing, IT security, Risk management, Data security, Network security, Policy creation and maintenance, Regulatory compliance, IT Governance, Business continuity / disaster recovery, Incident management, System and application security, Security architecture, and Auditing / Assurance processes / procedures
• Ability to evaluate business processes and IT technology landscapes, identify risks and evaluate controls (including risk assessment, gap analysis, business impact analysis, etc.)
• Investigative, analytical and project management skills
• Ability to translate business needs and problems into viable and accepted solutions
• Ability to liaise with individuals across a wide variety of operational, functional, and technical disciplines
• Effectively communicating with executive management to ensure support for the Cloud Security program and effective reporting on metrics
• Advising and making recommendations regarding appropriate personnel, physical and technical security controls


Training and Development: Building a Career in Cloud Security


How far can the CCC Certification get you?

Module 1: Course Introduction
• Course Agenda
• Case Study
• Activities
• Questions and Answers

Module 2: Security, Governance and Risks
• Cloud Computing Basics
• Security, Governance and Risk in IT
• Cloud Computing Security

Module 3: Security Threats and Challenges in Cloud Computing
• Security and Compliance in the Cloud
• Cloud Operations
• Physical Security and Cloud Computing

Module 4: Security Management in Cloud Computing
• Identity and Access Management
• Data Classification
• Data Security Lifecycle
• Forensics in the Cloud


Module 5: Legal, Contractual and Operational Monitoring
• Legal and Regulatory Landscape
• Monitoring – Providers and Subscribers
• Security Operations in the Cloud

Module 6: Network Security Management
• Network Management in the Cloud
• Vulnerability, Patch Management and Pen-Testing
• Cloud Security Architecture

Module 7: Business Continuity, Disaster Recovery and Capacity / Performance Planning
• Business Continuity (BC)
• Disaster Recovery (DR)
• Resilient Technology
• Capacity and Performance Planning for Cloud

Module 8: Advanced Cloud Security Management
• Container Cloud Security
• Secure Development Standards in Cloud
• Application Programming Interface (API) Security

Module 9: Security Planning, Standards and Cloud
• Cloud Security Planning
• Cloud Standards, Controls and Auditing
• Cloud Security Evolution


Course and Exam Details

Course Details
• Suggested delivery format is instructor-led classroom-based learning
• Suggested duration: 24 learning hours

Exam Details
• Online
• 25 Questions
• 45 Minutes
• No Prerequisites - however, it is recommended to attain the Cloud Technology Associate certification
• Supervision is via Webcam
• Closed book
• Pass rate of 70%


Building a Cloud Security Career


The Future of Cloud Security: What is Next?


Impact over the next 3-5 years


What is Next? Building Block Approach

• Business and IT alignment
• GRC+R
• Fill the skills gap
• Identify potential deal breakers & through careful analysis decide on the best approach!


Questions and Answers


1. Customers in the same cloud can attack each other.

It is not easy for an attack to be triggered by another cloud subscriber in a multitenant cloud environment. In addition, some cloud providers offer options to further mitigate multitenancy risks.

Cloud subscribers should evaluate their applications and requirements and choose a cloud provider and cloud offering based on the needs of their applications.


2. External Internet threats are more threatening in the cloud.

External Internet threats are real, but no more threatening to the cloud than to any other service delivery environment.

Enterprises deploying a private cloud must provide the same level of scrutiny for both detection and prevention that they would take when deploying workloads using a hosting provider or their own internal IT infrastructure.


3. You can't control where your data resides in the cloud.

This myth is easily addressed by selecting a cloud provider that has a global footprint and offers data accountability. When the workloads and applications being moved to cloud require it, a private cloud is a simple way to address data governance.


4. Certifications are standard in a cloud environment and provide assurance to subscribers.

Certifications are good reference points, but by themselves they are insufficient proof that the cloud provider will satisfy all of the subscribed organization's security and compliance needs.

It is ultimately the cloud consumers who are accountable for ensuring that their organizations' security and compliance requirements are met. Subscribers need to understand the security capabilities and processes of their cloud provider and not rely on certifications alone.


5. It is easy to change from one cloud provider to another whenever I want to.

In fact, the bottom lines of many niche cloud providers require them to lock in their customers, typically with long-term contracts or painfully high early termination fees.

If you don’t go with an industry-leading provider, make sure to read all the fine print and get a professional second opinion.