Organizations now have an opportunity to more rapidly overcome their security concerns by using third-party cloud platforms. In this session, Dell SecureWorks security experts discuss the Shared Security Responsibility model, how organizations need to think about security architecture in the cloud, and new Dell SecureWorks services that are helping organizations plan, architect, manage and respond to threats in the cloud.
2. Here’s How It Sometimes Goes
• Someone says
“Hey! Cloud is faster.
Cloud is less expensive.
Cloud is easier.
Let’s do cloud!”
– And what they mean is usually public cloud
• So a cloud initiative is created
• The security function, if they are consulted at all,
has to catch up as this is often a done deal long
before security is considered
3. Another Way It Sometimes Goes
• Someone says
“Hey! Cloud is faster.
Cloud is less expensive.
Cloud is easier.
Let’s do cloud!”
• But someone else says “Wait! What about security!
Do we really want to put our <important apps
and data> in someone else’s data center?”
• And the security function gets blamed for saying
“no” and standing in the way of “business process
innovation”.
– Or the security function says “no”, everybody pauses,
and then says “Let’s do it anyway!”
4. Yet Another Way It Sometimes Goes
• CEO or CFO suddenly “notices” public cloud spend
o Gets a bill from a provider
o Sees a number of expenses from same place
• Says “Wow! Why are we spending so much
on cloud?”
o Then comes a phase where the
company creates an intentional
strategy about using cloud
• Again, the security function must
catch up to what has happened
5. Either Way, You Are Not Alone
• Security is one of the biggest challenges in the
transition into cloud
o Added on as an afterthought
o Or treated as a roadblock
• This presentation:
o Talks about how clients adopt cloud
– Five phases of adoption
– Things to consider at each phase
– When you’re too big for cloud
o Discusses the shared security responsibility model
o How you should manage your cloud security
– Do it yourself
– Get help
6. The Five Stages of Cloud Adoption
Virtualized
datacenters,
but no active
plan for 3rd-
party cloud
Recognition of
need for plan,
but not there
yet. Plan in
development
Active projects to move
individual workstreams to
cloud, often for new
internally-developed
applications. No formal
security architecture yet
Design for cloud as primary or
exclusive datacenter.
Accompanied by a thought-
out security strategy
Cloud does
not offer cost
savings at
massive scale
Likelihood of Shadow IT
7. Two Epiphanies
1
2
• “Hey, we’re spending a lot on
cloud already – we should have
a plan.”
• “Hey, this cloud really delivers a
lot of advantages. We should
have a plan.”
• “Hey, we’re spending so much
on cloud and we’re not really
seeing the savings we expected.
Maybe we should bring this back
in house?”
• Relatively few organizations will
get here.
8. Things to Think About At Each Phase
Plan
• Create a security reference architecture for your cloud presence
• Select multiple cloud providers and evaluate their security approaches & their terms
• Create a governance model for what data is allowed in the cloud and what is not
Transition
• Reconsider the architecture of your applications (forklift v. redesign)
• Test your applications once they’re in cloud (pen test, red team)
• Extend your security operations model (scanning, patching) to include cloud
Dept/Dev
• You generally care about the same security controls in cloud as in traditional data center
• Consider how your security model needs to change in response to cloud (pets v. cattle)
• Consider incident response planning and/or retainer
All-In
• Your security operational model must be fully implemented in this phase
• Forensics readiness is very important – will you know what to do if there’s an incident
Too Big
• Security for pets v. Security for cattle
• Incident Response and Threat Intelligence become even more critical here
10. What This Means
• Cloud Providers generally have excellent cloud infrastructure security
o It is designed to protect THEM; it is NOT DESIGNED to protect YOU
• Security of YOUR application and YOUR data in the cloud is YOUR
responsibility
• If you put an unpatched Windows server on a public IP address in a
well-defended public cloud, it will be compromised in seconds
11. How to Manage Your Cloud Security – Option A
• Public cloud security infrastructure MUST be managed and monitored just like anything else.
• You can certainly do it yourself
• 10 things to consider:…
12. Security in Public Clouds: 10 Things To Consider
1. Make sure you understand where your provider's responsibilities end and yours begin. Understand
how your service provide is willing to work with you. Understand the role they play in your operational
security. Understand their security & limits on their liability.
2. Make sure you have the right to audit your environment.
3. Make sure your data and applications are mobile and not locked into a proprietary format.
4. Make sure you have a method for retrieving/removing your application(s) and data.
5. Encrypt your data where possible. Encrypt your data where impossible. Ensure your cloud provider
does not have keys.
6. Monitor everything -- server activity, user activity, device activity, data in motion.
7. Make sure your identity and access management solution is robust and cloud-aware. Tie it into your
existing systems for increased user adoption and lower management costs.
8. Back up your data and applications regularly – when it’s gone in cloud, it’s gone forever.
9. Ensure you have incident response plan and adequate forensics data. Forensics in cloud can be
harder.
10. Ensure that you budget for your security infrastructure. Don’t get surprised by unexpected compute,
storage, or network transfer costs associated with your security infrastructure.
13. How to Manage Your Cloud Security – Option B
Incident ManagementManaged Security Security and Risk Consulting
Managed Vulnerability
& Web App Scanning
Managed Network IPS
Security Design &
Architecture Service
Cloud Security
Strategy & Risk
Assessment
Incident Management
Retainer
Penetration Tests
WASA for Cloud
Web API Testing
Cloud Vendor
Security Assessment
Advanced Penetration
Tests
Remote Red Team
PCI, HIPAA, GLBA,
FISMA, EI3PA
Emergency Incident
Response
Monitored Firewall
Monitored WAF
Monitored Elastic
Server Group Logs