
Getting to the Cloud
Security & Risk Management
2016
Ariel Evans, EVP, Senior Cyber Security Risk Analyst
ariel@stki.info
How will Digital Transformation transform all of us
STKIs work Copyright@2016. Do not remove source or attribution from any slide, graph or portion of graph

About Me
CISO Telco US
7 years of security experience

Compliance Expert
Primary Author of the PCI e-commerce guideline

20 years Risk Manager on Wall Street


Consultant to DHS on Middleware Vulnerabilities


What we will cover today

Cyber Security: What is Cyber Security?
Cloud Security: What are the similarities and differences between cloud security and cyber?
Getting to the Cloud: What are the requirements to get to the cloud?
Cloud Security Components: Service Provider Responsibilities vs. Customer Responsibilities
Risk Management: Measuring effectiveness of security in the context of the EU data directive
Cloud Security Technologies: CASBs, Risk Management Tools, Data Classification Tools

What is Cyber Security
People, Process & Tools
Protect Confidentiality, Integrity & Accessibility
Stopping or Limiting Damage from Unauthorized Access
Applies to the Entire Lifecycle of data: any time data is stored, transmitted or processed
Holistic Approach
Effectiveness is measured using Risk Management

What is Cloud Cyber Security
Relationship between CSP and Customer
Components: Data Center, Network, Data Storage, Hypervisors, Processing & Memory, Data, GUIs, APIs, Virtual Machines, Programming Languages, Virtual Network Architecture, Operating Systems

CSP & Customer Relationship


Cloud Security
Relationship between customer and cloud service provider
Defined by the components of the solution
Evolving
Most CSPs will now provide: Logs, Penetration tests for the Hypervisor, Data Center Inspections, Limited Service Agreements
Enhanced Security Service Capabilities: Cloud Access Security Brokers (CASBs), Data Classification, Cyber Risk Management

Israel cloud adoption - by sector
Source: Moshe Ferber, Cloud Security Alliance Israel
[Chart: sectors placed on an adoption scale from Private Cloud (Army, Banks, Government, Utility), through Cloud curious (checking the technology) and Cloud adopters (running 2-5 applications in cloud), to Cloud focus (most applications in the cloud). Sectors shown: Government, Finance, Telecom Operators, Health, Telecom Vendor, Industry, Services, High-Tech, Startups, SMB, Utilities.]

Cloud Security Components


Bank of Israel Regulation
Core system data cannot be in the cloud
What is core data?
How can we classify different types of data and how it is protected in the cloud?
Follow the EU Data Directive
Ensure compliance
Risk Management
Board Room Approvals

Evolving - Cyber Organizations

The CISO of the future is the one who can run the risk-management organization.
The CISO reports to the business (CEO, CFO, CRO or COO) rather than to the CIO.
The days of security being led by the 'network person' who did security in their spare time and learned on the job are over. Increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space, reporting to the board of directors on Cyber Risk.

Classifying Data
Old Way - Manual
Thousands of man hours
Most projects fail
Business Owner Dependent
Costly to maintain
Constantly changing

New Way - Data Classification Products
Machine Learning
Clustering
One month deliverable

EU Data Directive
https://practice-project.eu/downloads/publications/D31.1-Risk-assessment-legal-statusPU-M12.pdf
This deliverable reports on the current legal framework regulating the storage and processing of data in the cloud and introduces a risk assessment methodology to analyze the business risks associated with outsourcing data.

AUTOMATING CYBER RISK AND CLOUD RISK

How cyber Risk is managed

Identification of Threats
Compliance Regulation: PCI DSS (Objective 1.1.3, Objective 1.3, Objective 1.3.3-5, Objective 1.3.7), SOC 3.2, 3.5, 3.8, EU Data Directive
Implement and Protect Network Domains
Define the Control
Test the Control
Measure the Risk

Example control text (PCI DSS): In addition, further development of policies, processes, and systems must continue to ensure that:
Firewall configuration standards include requirements for a firewall at each Internet connection, and between any DMZ and the internal network zone;
Current network diagram is consistent with the firewall configuration standards;
Firewall rules prevent internal addresses passing from the Internet into the DMZ;
Firewall rules prevent direct connections inbound or outbound for traffic between the Internet and the cardholder data environment;
Prohibit direct public access between the Internet and any system component in the cardholder data environment;
Require that all outbound traffic from the cardholder data environment to the Internet is explicitly authorized.


Risk Management

Risk matrix: rows are likelihood levels (A to E), columns are consequence levels (1 to 5), and each cell is the resulting risk rating. Rows B, C and D are tied to the answer recorded when a control is tested (None = 4, Partially = 3, Fully = 2).

Consequence levels:
1 Insignificant: No fines or additional costs
2 Minor: No fines but increased monitoring costs
3 Moderate: Some fines and moderate consequences
4 Major: Large fines and loss of card privileges with major economic impact
5 Catastrophic: Company unable to stay active

Likelihood | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
A - Almost certain to occur in most circumstances | Medium (M) | High (H) | High (H) | Very High (VH) | Very High (VH)
B - Answer = None = 4; Likely to occur frequently | Medium (M) | Medium (M) | High (H) | High (H) | Very High (VH)
C - Answer = Partially = 3; Possible and likely to occur at some time | Low (L) | Medium (M) | High (H) | High (H) | High (H)
D - Answer = Fully = 2; Unlikely to occur but could happen | Low (L) | Low (L) | Medium (M) | Medium (M) | High (H)
E - May occur but only in rare and exceptional circumstances | Low (L) | Low (L) | Medium (M) | Medium (M) | High (H)
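The control-test-to-rating flow the deck sketches (test answer -> likelihood row, combined with a consequence level -> rating, worst rating across controls), as an added example that is not part of the STKI deck. The control names, the test answers and the consequence value in the sample are constructed; only the matrix and the answer mapping come from the slide.

```python
"""Score PCI DSS control tests with the likelihood/consequence matrix from the slide."""
from typing import Dict, List, Tuple

# Matrix from the slide: rows = likelihood A..E, columns = consequence 1..5.
RISK_MATRIX: Dict[str, List[str]] = {
    "A": ["M", "H", "H", "VH", "VH"],  # Almost certain to occur
    "B": ["M", "M", "H", "H", "VH"],   # Likely to occur (test answer = None)
    "C": ["L", "M", "H", "H", "H"],    # Possible (test answer = Partially)
    "D": ["L", "L", "M", "M", "H"],    # Unlikely (test answer = Fully)
    "E": ["L", "L", "M", "M", "H"],    # Rare and exceptional
}
# The slide ties each control-test answer to one likelihood row.
ANSWER_TO_LIKELIHOOD = {"None": "B", "Partially": "C", "Fully": "D"}
RATING_ORDER = ["L", "M", "H", "VH"]  # ascending severity


def rate(answer: str, consequence: int) -> str:
    """Risk rating (L/M/H/VH) for one control-test answer and consequence level 1..5."""
    if consequence not in range(1, 6):
        raise ValueError(f"consequence must be 1..5, got {consequence}")
    if answer not in ANSWER_TO_LIKELIHOOD:
        raise ValueError(f"answer must be one of {sorted(ANSWER_TO_LIKELIHOOD)}, got {answer!r}")
    return RISK_MATRIX[ANSWER_TO_LIKELIHOOD[answer]][consequence - 1]


def assess(tests: List[Tuple[str, str, int]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Rate each (control, answer, consequence) and return the worst rating plus per-control ratings.

    An empty test set yields "L": nothing tested means nothing raised the rating."""
    ratings = [(control, rate(answer, consequence)) for control, answer, consequence in tests]
    worst = max((r for _, r in ratings), key=RATING_ORDER.index, default="L")
    return worst, ratings


# Constructed sample (hypothetical answers): three of the firewall checks listed on the
# slide, all scored against consequence 4 (large fines, loss of card privileges).
SAMPLE_TESTS = [
    ("Firewall at each Internet connection and between DMZ and internal zone", "Fully", 4),
    ("Firewall rules block internal addresses passing from the Internet into the DMZ", "Partially", 4),
    ("All outbound traffic from the cardholder data environment is explicitly authorized", "None", 4),
]

if __name__ == "__main__":
    overall, per_control = assess(SAMPLE_TESTS)
    for control, rating in per_control:
        print(f"{rating:>2}  {control}")
    print("Overall risk:", overall)
```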

Risk Dashboards
Real Time Risk
Risk linked to business assets
Mitigation
Task Management
Drill into risk
See risk effectiveness across
Divisions
Systems
Assets


CASB

Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

[Diagram: CASB coverage areas: Sanctioned IT, Cloud DLP, User Behavior Analytics, Off-Network (Cloud-to-Cloud) Shadow IT, On-Network Shadow IT, Apps Firewall]

Discussion Items
What is the definition of core data?
What products will help you to show how this data is in the cloud?
What level of Encryption will be accepted for the cloud?
What products can help you with compliance here?
What new technologies will help demonstrate risk management is effective for the cloud and provide EU data directive compliance?
What benefits will CASBs provide the Israeli Market?


That's it.
Thank you!
