Post on 16-May-2018
ENTERPRISE SECURITY & THE CLOUD VENDOR
Disclaimer:
These slides are based on my experience managing enterprise business cloud architecture and security, working for mid-size Internet firms in Silicon Valley. Your experiences and your methods may differ. I don’t presume to speak for all enterprise security pros.
Doug Meier
Director, Security & Compliance
Pandora Media Inc.
Twitter: @TurkEllis
blog: riskof.ghost.io
INTRO – WHAT’S COVERED
We’re here to discuss securing cloud apps in the enterprise. We’re going to cover these topics:
1. Thinking realistically about cloud security
2. It’s about the data … that matters
3. The background check (CVOC)
4. Centralized IDM / auth – SSO rules
5. Cloud security and mobile endpoints
6. Security awareness backed with a clear security policy
7. Compliance is cloud security’s enabling friend
8. Enlist the business and the enterprise team
9. Raising the bar on tiny vendors
10. I put it on my personal credit card (fencing the de-perimeter)
11. OK, now let’s securely onboard a vendor!
EMBRACING CLOUD SHADOW IT
Note: Shadow IT in the sense of informal IT shops working at odds with IT is a different problem.
• Employees/teams have good reasons to commit cloud shadow IT.
• Stealth onboarding of productivity, collaboration, automation apps -- NOT a sin.
• Think of business cloud this way:
– web 1.0: early stages
– web 2.0: cautious adoption by experts
– web 3.0: ubiquity, contextualization
• Consumerization of IT -> Personalization of IT
• Your org runs way more cloud apps than you realize.
SAME CONCERNS / DIFFERENT APPROACH
Biz apps: on-prem model meets outsourced model
Similarity: as with network security, you are dealing with someone else’s product.
Dissimilarity: in the de-perimeterized cloud, defense in depth and layered approaches can be irrelevant.
Approach to business cloud environment security:
• As vendor-dependent as it is network-team-dependent
• Requires security processes that network security templates can’t provide
YES IT IS ABOUT THE DATA… THE DATA MATTERS
• “data-centric” security – what does it mean?
• Most firms have their DLP cart in front of the horse: trying to secure data without acknowledging the Pareto principle (80/20)
• Fundamentals of data management -- classification, mapping, retention, handling, disposal
• DLP isn’t a single, one-time solution
• Identify, classify, protect the data that matters most
FUNDAMENTALS: THE VENDOR SECURITY & RESILIENCE AUDIT
Pandora’s Cloud Vendor Onboarding Certification audit form: 60+ questions for the vendor.
Background check to verify vendor resilience:
• Appropriate Logical access
• Appropriate change mgmt of production code
• Clear problem resolution
• Data backup & recovery methods
And…
• Means of data integration
• Evidence of regulatory compliance / certs
• Adequate support, resources
CENTRALIZE IDM/AUTH
Apply common sense to logical access security
• Use corporate accounts only
• Restrict access to critical apps via centralized auth mechanism
• Closely manage privileged admin accounts
Emphasize the advantages of SSO to the biz
Have tech staff who know and support SSO
Keep refining the SSO implementation
THE NEW SSO RULES
Make your SSO a paragon of secure cloud best practices:
1. Establish an SSO test / staging environment
2. Limit admin access to SSO prod env to minimum
3. Changes to SSO prod env by admins require a documented request
4. SSO connector devs shall not make changes in SSO prod
5. Periodic reviews of admin access to SSO prod env
6. Periodic reporting of changes to SSO prod env
7. Leverage the SSO vendor relationship
CLOUD SECURITY & BYOD
• Smartphones: employees don’t separate life from work
• BYOD critical mass
• BYOS may be the best BYOD solution
• Secure mobile computing policy
• Encrypt drives, devices, data where appropriate
• Make it very clear: the employee is legally liable for confidential/sensitive info on their devices
• SSO extending to the smartphone (OneLogin Launcher)
PR CHALLENGE: INSTILLING SECURITY AWARENESS
• Fact: in the de-perimeterized, ultra-socialized business cloud, business is conducted both in and out of band.
• Confidential discussions, collabs, chats can’t be filtered or blocked at the firewall
• Stop blaming the millennials already
• Depend on ongoing security awareness training and security comms
• Leverage internal training group, Legal team, exec staff
COMPLIANCE IS NOT THE ENEMY
Good standard secure ops leads to compliance.
Compliance standards ensure transparency and accountability.
• SOX controls: accountability & survivability
• PCI-DSS 3.0 standard: security of payment networks
• SSAE 16 reporting standard: SOC1 & SOC2
• ISO 27001: International standard
• COBIT 5 (ISACA): roadmap for GRC
• CSA Cloud Controls Matrix (CCM) – cloud security playbook
• STAR – cloud provider trust and assurance
ENLIST THE BUSINESS OWNER AND THE PM
Today’s urgent vendor onboard request …
• Slow it down:
– Do we already support an app that does this?
– Are other groups asking for a similar hosted app/service?
– Have we looked at alternatives?
• Simple question: how did you hear about this vendor?
• Position strong point person(s) to interact with business and PMs
• Enlist PMs to get in front of vendor requests
• Communicate the positives of the cloud security process/program
RISK OF TINY VENDOR
Six critical tells:
• How long have you been a company?
• How many employees on staff?
• Sources of financial support?
• Do you have paying customers?
• Is your product in GA?
• Do you have a security program/staff?
Cloud app vendors and the market are being held more, not less, accountable.
FENCING THE DE-PERIMETER @ PANDORA
Let’s review:
• Communicate vendor assessment and onboarding process well
• Obtain exec staff support for the process
• Make security awareness and training a priority
• Beware the freemium service, the endless POC, the tiny vendor
• Ask for SOC1 and SOC2 reports
• Use a centralized auth mechanism and funnel vendors to audit
• Enlist the PM teams and biz owners
• Run quarterly vulnerability scans of onboarded apps
• Support AND monitor AND re-assess cloud apps
DO RIGHT BY YOUR COMPANY
Disclaimer reminder: if you can “perimeterize” your cloud, more power to you.
Final advice:
• It’s a conversation
• Reduce noise & complexity
• Establish a reliable process
• Adjust vendor mgmt for the cloud
• Embrace compliance
• Don’t go it alone
• Keep your sense of humor, confidence
• Do what’s right for you
• Use the growing body of knowledge
FURTHER GUIDANCE
Jericho Forum commandments/Cloud Cube model -- https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
CSA – Cloud Controls Matrix (CCM)
CSA - Consensus Initiative Assessment Questionnaire
CSA - Security Trust & Assurance Registry (STAR)
OneLogin Toolkit
OneLogin’s IdentityFirst.org
Pareto (80/20) Effect – Vilfredo Pareto
Know your data -- Jon Toigo – drunkendata.com