Meetup #4
IT Audit & Security
Sharing in the Cloud
© 2017 PT. Indonesian Cloud
Cloud Computing
Critical Areas of Focus
PUBLIC
Public Release Authorized
ABOUT ME
Here is a little bit about me
Herwono W. Wijaya
Head of Cyber Security Division

He started his career in the IT industry more than 10 years ago as a programmer and a Linux system engineer, with experience in various IT projects both in Indonesia and abroad, while security (hacking) itself is his hobby. Now he is more active as a security professional who focuses on implementing security as a business enabler for the organization; he also learns a lot about virtualization and cloud computing technology and sometimes still does programming in his spare time. He holds the C|EH certification and is a VMware vExpert.

At IndonesianCloud he is responsible as head of the cybersecurity division and the cybersecurity business unit. He is responsible for all relevant compliance and IT security in the organization, and also for ensuring that the cybersecurity business unit achieves its targets.

herwonowr@indonesiancloud.com
linkedin.com/in/herwonowr
@HerwonoWr
AGENDA
OVERVIEW
CLOUD COMPUTING INTRODUCTION
CRITICAL AREAS IN CLOUD COMPUTING
BONUS: Taking over Docker host from Container (Portainer, Docker, & CoreOS)
OVERVIEW
The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. We need to focus on the critical areas that mitigate the risks associated with adopting cloud computing technology.
CLOUD COMPUTING INTRODUCTION
Cloud Computing Definition
Cloud computing is a new operational model and set of technologies for managing shared pools of computing resources.

Essential Characteristics: Resource Pooling, Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service
Service Models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)
Deployment Models: Public, Private, Hybrid
CLOUD COMPUTING INTRODUCTION con’t
Cloud Computing Models: who owns and manages?

Model   | Infrastructure Managed By                | Infrastructure Located          | Accessible and Consumed By
Public  | Third-Party Provider                     | Off-Premises                    | Untrusted
Private | Organization or Third-Party Provider     | On-Premises or Off-Premises     | Trusted
Hybrid  | Both Organization & Third-Party Provider | Both On-Premises & Off-Premises | Trusted & Untrusted
CLOUD COMPUTING INTRODUCTION con’t
Security Responsibilities
Service Models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)
Security responsibility shifts along that spectrum: mostly the consumer's for IaaS, mostly the provider's for SaaS, with PaaS in between.
CRITICAL AREAS IN CLOUD COMPUTING
Critical Areas of Focus
DOMAIN 01: Governance and Enterprise Risk Management
DOMAIN 02: Legal Issues, Contracts and Electronic Discovery
DOMAIN 03: Compliance and Audit Management
DOMAIN 04: Information Governance
DOMAIN 05: Management Plane and Business Continuity
DOMAIN 06: Infrastructure Security
DOMAIN 07: Virtualization and Containers
DOMAIN 08: Incident Response, Notification and Remediation
DOMAIN 09: Application Security
DOMAIN 10: Data Security and Encryption
DOMAIN 11: Identity, Entitlement, and Access Management
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 01: Governance and Enterprise Risk Management
§ Identify the shared responsibilities of security and risk management
§ Understand how a contract affects your governance
§ Develop a process for cloud provider assessments
§ Align risk requirements to the specific assets
§ Create a specific risk management and risk acceptance/mitigation methodology
§ Use controls to manage residual risks
§ Use tooling to track approved providers based on asset classification
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 02: Legal Issues, Contracts and Electronic Discovery
§ Understand the relevant legal and regulatory frameworks
§ Understand the policies, requirements and capabilities
§ Conduct a comprehensive evaluation of a proposed cloud service
§ Understand how the cloud provider physically operates and stores information
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 03: Compliance and Audit Management
§ Understand the compliance obligations
§ Understand the scope of assessments and certifications, including both the controls and the features/services covered
§ Select auditors with experience in cloud computing
§ Keep a register of cloud providers used
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 04: Information Governance
§ Determine your governance requirements
§ Ensure information governance policies and practices extend to the cloud
§ Use the data security lifecycle to help model data handling and controls (don’t bring bad habits)
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 05: Management Plane and Business Continuity
§ Management plane (metastructure) security
  § E.g. consistently implement least-privilege accounts for metastructure access
§ Business continuity
  § Take a risk-based approach to everything
  § Consider your DR plan
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 06: Infrastructure Security
§ Know the infrastructure security of your provider or platform
§ Make sure your provider is following cloud infrastructure best practices and regulations
§ Understand your network security
§ Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 07: Virtualization and Containers
§ Understand virtualization security
  § Understand the capabilities offered by cloud providers as well as any security gaps
  § Properly configure virtualization services
§ Understand container security
  § Understand the security isolation capabilities
  § Ensure that only approved, known, and secure container images can be deployed
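Two of the container points above (know the isolation capabilities; deploy only approved, known images) turned into an admission check, as an added example that is not part of the deck or of Portainer, Docker or CoreOS. The input shape follows what docker inspect returns; the registry names, host paths and both sample configs are constructed assumptions.

```python
"""Admission check for container run configurations.

Added example, not from the deck or from any project it names. It applies two
Domain 07 points to data shaped like ``docker inspect`` output: only approved,
known images (digest-pinned, from an allow-listed registry) may run, and the
container must not weaken the isolation boundary between itself and the host.
Registry names, host paths and the sample configs are constructed.
"""
import re

# Assumption: registries the organization has approved for production images.
APPROVED_REGISTRIES = ("registry.example.internal", "ghcr.io/example-org")

# An approved image is pinned by digest; a mutable tag like ":latest" is not
# enough. (Simplification: registry host names with a port are not handled.)
DIGEST_RE = re.compile(r"^(?P<repo>[^@:]+)(?::[^@]+)?@sha256:[0-9a-f]{64}$")

# Host paths that, once bind-mounted into a container, hand it control of the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/")

# Capabilities that collapse the container/host isolation boundary.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "ALL"}


def image_is_approved(image_ref):
    """True if the image is digest-pinned and its repository is under an approved registry."""
    match = DIGEST_RE.match(image_ref)
    if not match:
        return False
    repo = match.group("repo")
    return any(repo == reg or repo.startswith(reg + "/") for reg in APPROVED_REGISTRIES)


def isolation_findings(cfg):
    """List the ways one container config weakens host isolation (empty = none).

    ``cfg`` has the shape of ``docker inspect`` output: a dict with ``Config`` and
    ``HostConfig`` keys. Only the fields checked here are read.
    """
    host = cfg.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are available")
    if host.get("PidMode") == "host":
        findings.append("pid=host: host processes are visible to the container")
    if host.get("NetworkMode") == "host":
        findings.append("network=host: the host network namespace is shared")
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"cap_add={cap}: capability weakens host isolation")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind={bind}: mounting {src} exposes the host")
    return findings


def admit(cfg):
    """Admission decision for one container config: (allowed, reasons)."""
    reasons = []
    image = (cfg.get("Config") or {}).get("Image", "")
    if not image_is_approved(image):
        reasons.append(f"image={image!r}: not digest-pinned from an approved registry")
    reasons.extend(isolation_findings(cfg))
    return (not reasons, reasons)


# Constructed sample configs in docker-inspect shape; not real deployments.
GOOD = {
    "Config": {"Image": "registry.example.internal/team/app@sha256:" + "a" * 64},
    "HostConfig": {"Privileged": False, "Binds": ["/data/app:/app/data:ro"]},
}
BAD = {
    # A management container with a mutable tag, the Docker socket mounted, the
    # host PID namespace and CAP_SYS_ADMIN: each of these on its own lets the
    # container reach the host, so each is reported separately.
    "Config": {"Image": "docker.io/example/ops-ui:latest"},
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "PidMode": "host",
        "CapAdd": ["SYS_ADMIN"],
    },
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        allowed, reasons = admit(cfg)
        print(f"{label}: {'admitted' if allowed else 'rejected'}")
        for reason in reasons:
            print("  -", reason)
```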
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 08: Incident Response, Notification and Remediation
§ Understand the SLAs and set expectations around what the customer does versus what the provider does
§ Set up proper communication paths with the provider
§ Understand the content and format of data that the cloud provider will supply for analysis purposes
§ Continuous monitoring
§ Understand your incident response plan and how it changes in the cloud
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 09: Application Security
§ Understand the new architectural options and requirements in the cloud
§ Build security into the initial design process
§ Review SDLC basics and how they change in the cloud
§ Understand the security capabilities of your cloud providers and leverage them for more secure cloud applications
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 10: Data Security and Encryption
§ Understand the specific capabilities of the cloud platform you are using
§ Don’t dismiss cloud provider data security. In many cases it is more secure than building your own, and comes at a lower cost
§ Create an entitlement matrix for determining access controls
§ Use the appropriate encryption option based on the threat model for your data, business, and technical requirements
§ Consider use of encryption and storage options
§ Leverage architecture to improve data security
§ Ensure both API and data-level monitoring are in place
CRITICAL AREAS IN CLOUD COMPUTING con’t
What we need to focus on
DOMAIN 11: Identity, Entitlement, and Access Management
§ Organizations should develop a comprehensive and formalized plan and processes for managing identities and authorizations with cloud services
§ Develop an entitlement matrix for each cloud provider
§ Prefer Attribute-based access control (ABAC) over Role-based access control (RBAC) for cloud computing
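The entitlement-matrix and ABAC-over-RBAC points (Domain 10 and Domain 11) worked through as an added example that is not part of the deck: a constructed entitlement matrix evaluated as ABAC rules next to a plain role-to-permission map, both run on the same requests so the difference is visible. All roles, departments, classifications, actions and network names are assumptions.

```python
"""Entitlement matrix evaluated as attribute-based access control (ABAC).

Added example, not from the deck. The matrix is a list of rules over subject,
resource and request attributes; a plain role-to-permission map sits beside it
so both can decide the same requests. Every role, department, classification,
action and network name here is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    subject: Dict[str, object]   # who: role, dept, clearance, mfa
    action: str                  # what: e.g. "storage:GetObject"
    resource: Dict[str, object]  # on what: owner_dept, classification
    context: Dict[str, object]   # how: source_net


@dataclass
class Rule:
    name: str
    actions: Set[str]                     # exact actions, "service:*" or "*"
    condition: Callable[[Request], bool]
    effect: str = "allow"                 # "allow" or "deny"


def same_department(r):
    return r.subject.get("dept") == r.resource.get("owner_dept")


def cleared_for(r):
    """Subject clearance must be at least the resource's data classification."""
    have = CLASSIFICATION_RANK.get(str(r.subject.get("clearance")), -1)
    need = CLASSIFICATION_RANK.get(str(r.resource.get("classification")), 99)
    return have >= need


def strong_session(r):
    return r.subject.get("mfa") is True and r.context.get("source_net") == "corp"


# The entitlement matrix: one Rule per row. The first row is an explicit deny
# that no later allow can override (deny-overrides combining).
ENTITLEMENT_MATRIX: List[Rule] = [
    Rule("deny-restricted-offnet", {"*"},
         lambda r: r.resource.get("classification") == "restricted"
         and r.context.get("source_net") != "corp", effect="deny"),
    Rule("read-own-dept-data", {"storage:GetObject", "storage:ListBucket"},
         lambda r: same_department(r) and cleared_for(r)),
    Rule("write-own-dept-data", {"storage:PutObject", "storage:DeleteObject"},
         lambda r: same_department(r) and cleared_for(r) and strong_session(r)),
    Rule("admin-console", {"iam:*"},
         lambda r: r.subject.get("role") == "cloud-admin" and strong_session(r)),
]

# Plain RBAC for comparison: the role grants actions; nothing else is consulted.
ROLE_PERMISSIONS = {
    "analyst": {"storage:GetObject", "storage:ListBucket", "storage:PutObject"},
    "cloud-admin": {"iam:*"},
}


def action_matches(pattern, action):
    if pattern == "*" or pattern == action:
        return True
    return pattern.endswith(":*") and action.startswith(pattern[:-1])


def abac_decide(r) -> Tuple[str, List[str]]:
    """Deny-overrides: any matching deny wins, else any matching allow, else deny."""
    matched = [rule for rule in ENTITLEMENT_MATRIX
               if any(action_matches(p, r.action) for p in rule.actions) and rule.condition(r)]
    denies = [rule.name for rule in matched if rule.effect == "deny"]
    if denies:
        return "deny", denies
    return ("allow", [rule.name for rule in matched]) if matched else ("deny", [])


def rbac_decide(r) -> str:
    perms = ROLE_PERMISSIONS.get(str(r.subject.get("role")), set())
    return "allow" if any(action_matches(p, r.action) for p in perms) else "deny"


def sample_requests():
    """Constructed requests: RBAC and ABAC agree on the first and differ on the other two."""
    analyst = {"role": "analyst", "dept": "finance", "clearance": "confidential", "mfa": False}
    finance_conf = {"owner_dept": "finance", "classification": "confidential"}
    return {
        "read-on-corp-net": Request(analyst, "storage:GetObject", finance_conf, {"source_net": "corp"}),
        "write-without-mfa": Request(analyst, "storage:PutObject", finance_conf, {"source_net": "corp"}),
        "restricted-from-home": Request({**analyst, "clearance": "restricted", "mfa": True},
                                        "storage:GetObject",
                                        {"owner_dept": "finance", "classification": "restricted"},
                                        {"source_net": "home"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:22s} RBAC={rbac_decide(req):5s} ABAC={abac_decide(req)}")
```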
BONUS
Taking over Docker host from Container
DEMO TIME
Demo stack: Container Management (Portainer), Docker Engine, Host Operating System (CoreOS)
Thank You!
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 

Cloud Computing - Critical Areas of Focus

  • 1. Meetup #4: IT Audit & Security, Sharing in the Cloud. © 2017 PT. Indonesian Cloud. Cloud Computing: Critical Areas of Focus. PUBLIC (Public Release Authorized).
  • 2. ABOUT ME: Herwono W. Wijaya, Head of Cyber Security Division. Here is a little bit about me: he started his career in the IT industry more than 10 years ago as a programmer and a Linux system engineer, with experience in various IT projects both in Indonesia and abroad, while security (hacking) itself is his hobby. Now he is more active as a security professional focused on implementing security as a business enabler for the organization; he also learns a lot about virtualization and cloud computing technology and still does some programming in his spare time. He holds the C|EH certification and is a VMware vExpert. At IndonesianCloud he is head of the cybersecurity division and the cybersecurity business unit, responsible for all relevant compliance and IT security in the organization and for ensuring the cybersecurity business unit meets its targets. Contact: herwonowr@indonesiancloud.com, linkedin.com/in/herwonowr, @HerwonoWr
  • 3. AGENDA: Overview; Cloud Computing Introduction; Critical Areas in Cloud Computing; Bonus: Taking over a Docker host from a container (Portainer, Docker, & CoreOS).
  • 4. OVERVIEW: The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. We need to focus on the critical areas that mitigate the risks associated with adopting cloud computing technology.
  • 5. CLOUD COMPUTING INTRODUCTION. Cloud computing definition: cloud computing is a new operational model and set of technologies for managing shared pools of computing resources.
    Essential characteristics: Resource Pooling; Broad Network Access; Rapid Elasticity; Measured Service; On-Demand Self-Service.
    Service models: IaaS (Infrastructure as a Service); PaaS (Platform as a Service); SaaS (Software as a Service).
    Deployment models: Public; Private; Hybrid.
  • 6. CLOUD COMPUTING INTRODUCTION (cont'd). Cloud computing models: who owns and manages?
    Model   | Infrastructure managed by                | Infrastructure located          | Accessible and consumed by
    Public  | Third-party provider                     | Off-premises                    | Untrusted
    Private | Organization or third-party provider     | On-premises or off-premises     | Trusted
    Hybrid  | Both organization & third-party provider | Both on-premises & off-premises | Trusted & untrusted
  • 7. CLOUD COMPUTING INTRODUCTION (cont'd). Security responsibilities by service model: with IaaS (Infrastructure as a Service) the security responsibility lies mostly with the consumer, with SaaS (Software as a Service) mostly with the provider, and PaaS (Platform as a Service) sits between the two.
  • 8. CRITICAL AREAS IN CLOUD COMPUTING. Critical areas of focus:
    DOMAIN 01 Governance and Enterprise Risk Management
    DOMAIN 02 Legal Issues, Contracts and Electronic Discovery
    DOMAIN 03 Compliance and Audit Management
    DOMAIN 04 Information Governance
    DOMAIN 05 Management Plane and Business Continuity
    DOMAIN 06 Infrastructure Security
    DOMAIN 07 Virtualization and Containers
    DOMAIN 08 Incident Response, Notification and Remediation
    DOMAIN 09 Application Security
    DOMAIN 10 Data Security and Encryption
    DOMAIN 11 Identity, Entitlement, and Access Management
  • 9. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 01 Governance and Enterprise Risk Management
    § Identify the shared responsibilities of security and risk management
    § Understand how a contract affects your governance
    § Develop a process for cloud provider assessments
    § Align risk requirements to the specific assets
    § Create a specific risk management and risk acceptance/mitigation methodology
    § Use controls to manage residual risks
    § Use tooling to track approved providers based on asset classification
  • 10. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 02 Legal Issues, Contracts and Electronic Discovery
    § Understand the relevant legal and regulatory frameworks
    § Understand the policies, requirements and capabilities
    § Conduct a comprehensive evaluation of a proposed cloud service
    § Understand how the cloud provider physically operates and stores information
  • 11. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 03 Compliance and Audit Management
    § Understand the compliance obligations
    § Understand the scope of assessments and certifications, including both the controls and the features/services covered
    § Select auditors with experience in cloud computing
    § Keep a register of the cloud providers used
  • 12. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 04 Information Governance
    § Determine your governance requirements
    § Ensure information governance policies and practices extend to the cloud
    § Use the data security lifecycle to help model data handling and controls (don't bring bad habits)
  • 13. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 05 Management Plane and Business Continuity
    § Management plane (metastructure) security, e.g. consistently implement least-privilege accounts for metastructure access
    § Business continuity: take a risk-based approach to everything
    § Consider your DR plan
  • 14. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 06 Infrastructure Security
    § Know the infrastructure security of your provider or platform
    § Make sure your provider is following cloud infrastructure best practices and regulations
    § Understand your network security
    § Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing
  • 15. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 07 Virtualization and Containers
    § Understand virtualization security: understand the capabilities offered by cloud providers as well as any security gaps, and properly configure virtualization services
    § Understand container security: understand the security isolation capabilities, and ensure that only approved, known, and secure container images can be deployed
  • 16. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 08 Incident Response, Notification and Remediation
    § Understand the SLAs and set expectations around what the customer does versus what the provider does
    § Set up proper communication paths with the provider
    § Understand the content and format of the data that the cloud provider will supply for analysis purposes
    § Continuous monitoring
    § Understand your incident response plan and how it changes in the cloud
  • 17. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 09 Application Security
    § Understand the new architectural options and requirements in the cloud
    § Build security into the initial design process
    § Review SDLC basics and how they change in the cloud
    § Understand the security capabilities of your cloud providers in order to leverage them for more secure cloud applications
  • 18. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 10 Data Security and Encryption
    § Understand the specific capabilities of the cloud platform you are using
    § Don't dismiss cloud provider data security: in many cases it is more secure than building your own, and comes at a lower cost
    § Create an entitlement matrix for determining access controls
    § Use the appropriate encryption option based on the threat model for your data, business, and technical requirements
    § Consider the use of encryption and storage options
    § Leverage architecture to improve data security
    § Ensure both API and data-level monitoring are in place
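Domain 08's "continuous monitoring" and Domain 10's "API and data-level monitoring" items come down to rules run over the provider's audit log. The following is an added example, not code from the slides or from IndonesianCloud: a small Python detector over a constructed audit log in a made-up JSON schema (the field names `actor_type`, `mfa`, `action`, the actor names and the thresholds are assumptions, not any provider's format). It flags four things the domains above ask for: use of the root identity for API calls (Domain 05's least-privilege point), console logins without MFA, entitlement changes that should be reviewed against the entitlement matrix, and a bulk-read pattern at the data level.

```python
"""Rule-based monitoring of cloud management-plane (API) and data-access events.

Added example; not from the slides. The event schema and the sample log are
constructed for illustration and follow no particular provider's audit format.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON object per line (assumed schema).
SAMPLE_LOG = """
{"time": "2017-06-01T09:00:00Z", "actor": "alice", "actor_type": "user", "mfa": true,  "action": "ConsoleLogin",     "resource": "-"}
{"time": "2017-06-01T09:05:12Z", "actor": "root",  "actor_type": "root", "mfa": true,  "action": "CreateAccessKey",  "resource": "user/bob"}
{"time": "2017-06-01T09:07:40Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "ConsoleLogin",     "resource": "-"}
{"time": "2017-06-01T09:08:01Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "AttachUserPolicy", "resource": "user/bob"}
{"time": "2017-06-01T09:10:00Z", "actor": "alice", "actor_type": "user", "mfa": true,  "action": "GetObject",        "resource": "bucket/reports/q1.pdf"}
{"time": "2017-06-01T09:12:00Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "GetObject",        "resource": "bucket/customers/1.csv"}
{"time": "2017-06-01T09:12:20Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "GetObject",        "resource": "bucket/customers/2.csv"}
{"time": "2017-06-01T09:12:40Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "GetObject",        "resource": "bucket/customers/3.csv"}
{"time": "2017-06-01T09:13:00Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "GetObject",        "resource": "bucket/customers/4.csv"}
{"time": "2017-06-01T09:13:20Z", "actor": "bob",   "actor_type": "user", "mfa": false, "action": "GetObject",        "resource": "bucket/customers/5.csv"}
"""

# Actions that change entitlements; each one is compared against the entitlement matrix (assumed names).
ENTITLEMENT_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "AddUserToGroup"}
DATA_READ_ACTIONS = {"GetObject"}
BULK_READ_THRESHOLD = 5                 # reads by one actor ...
BULK_READ_WINDOW = timedelta(minutes=2)  # ... inside this sliding window


def parse_events(log_text):
    """Parse JSON-lines audit records and return them sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def detect(events):
    """Run the four rules over the events and return a list of findings."""
    findings = []
    recent_reads = defaultdict(deque)  # actor -> timestamps of reads in the window
    bulk_flagged = set()               # report the bulk-read pattern once per actor
    for ev in events:
        actor, action = ev["actor"], ev["action"]
        # Rule 1: the root/owner identity should not be used for day-to-day API calls.
        if ev["actor_type"] == "root":
            findings.append({"rule": "root-account-api-use", "actor": actor, "action": action})
        # Rule 2: management-plane (console) logins without MFA.
        if action == "ConsoleLogin" and not ev.get("mfa", False):
            findings.append({"rule": "console-login-without-mfa", "actor": actor, "action": action})
        # Rule 3: entitlement changes, to be reviewed against the entitlement matrix.
        if action in ENTITLEMENT_CHANGES:
            findings.append({"rule": "entitlement-change", "actor": actor,
                             "action": action, "resource": ev["resource"]})
        # Rule 4 (data level): many object reads by one actor in a short window.
        if action in DATA_READ_ACTIONS:
            window = recent_reads[actor]
            window.append(ev["time"])
            while window and ev["time"] - window[0] > BULK_READ_WINDOW:
                window.popleft()
            if len(window) >= BULK_READ_THRESHOLD and actor not in bulk_flagged:
                bulk_flagged.add(actor)
                findings.append({"rule": "bulk-data-read", "actor": actor,
                                 "action": action, "count": len(window)})
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f)
```

On the constructed log the detector reports the root key creation, bob's login without MFA, two entitlement changes and bob's bulk read; alice's single read stays below the threshold. The thresholds are starting points to tune against a real baseline.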
  • 19. CRITICAL AREAS IN CLOUD COMPUTING (cont'd). What we need to focus on. DOMAIN 11 Identity, Entitlement, and Access Management
    § Organizations should develop a comprehensive and formalized plan and processes for managing identities and authorizations with cloud services
    § Develop an entitlement matrix for each cloud provider
    § Prefer attribute-based access control (ABAC) over role-based access control (RBAC) for cloud computing
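Domains 10 and 11 both ask for an entitlement matrix, and Domain 11 prefers ABAC over RBAC. The Python below is an added example, not the presenter's or any provider's code; the provider name `cloud-a`, the roles, actions, attribute names and policy rules are constructed. It encodes a per-provider entitlement matrix as the RBAC layer and then evaluates attribute conditions (MFA, source network, environment, data classification, owning department) on top, which shows what a role alone cannot express, such as "production changes only from the corporate network".

```python
"""Entitlement matrix with an RBAC layer and ABAC conditions on top.

Added example; not from the slides. Provider, roles, actions, attributes
and rules are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # roles granted in the provider's IAM
    mfa: bool                 # session authenticated with MFA
    source_network: str       # "corp" or "internet"
    department: str


@dataclass(frozen=True)
class Resource:
    name: str
    provider: str             # which cloud provider holds it
    environment: str          # "prod" or "dev"
    classification: str       # "public", "internal" or "confidential"
    owner_department: str


# Entitlement matrix, one per provider: (provider, role) -> permitted actions.
ENTITLEMENT_MATRIX = {
    ("cloud-a", "developer"): {"read", "deploy"},
    ("cloud-a", "ops-admin"): {"read", "deploy", "delete", "manage-iam"},
    ("cloud-a", "auditor"):   {"read"},
}

# Actions that change the environment or the management plane.
CHANGE_ACTIONS = {"deploy", "delete", "manage-iam"}


def rbac_allows(subject, action, resource):
    """Pure role check: does any of the subject's roles entitle the action?"""
    return any(action in ENTITLEMENT_MATRIX.get((resource.provider, role), set())
               for role in subject.roles)


def abac_allows(subject, action, resource):
    """Role entitlement first, then attribute conditions. Returns (decision, reason)."""
    if not rbac_allows(subject, action, resource):
        return False, "no role entitlement"
    if action in CHANGE_ACTIONS and resource.environment == "prod" and subject.source_network != "corp":
        return False, "production changes only from the corporate network"
    if action == "manage-iam" and not subject.mfa:
        return False, "management-plane changes require MFA"
    if resource.classification == "confidential":
        if not subject.mfa:
            return False, "confidential data requires MFA"
        if subject.department != resource.owner_department and "auditor" not in subject.roles:
            return False, "confidential data limited to owning department"
    return True, "allowed"


def compare(subject, action, resource):
    """Side-by-side view of the two models for one request."""
    decision, reason = abac_allows(subject, action, resource)
    return {"rbac": rbac_allows(subject, action, resource), "abac": decision, "reason": reason}


if __name__ == "__main__":
    # Constructed subjects and resource.
    dana_remote = Subject("dana", frozenset({"developer"}), mfa=False, source_network="internet", department="eng")
    dana_office = Subject("dana", frozenset({"developer"}), mfa=True, source_network="corp", department="eng")
    orders_db = Resource("orders-db", "cloud-a", "prod", "confidential", "eng")
    for subj, act in [(dana_remote, "deploy"), (dana_office, "deploy"), (dana_remote, "read")]:
        print(subj.user, subj.source_network, act, compare(subj, act, orders_db))
```

The matrix stays the single place where a new provider's roles are registered; the ABAC conditions are where the cloud-specific context (where the session comes from, whether MFA was used, which environment is touched) is enforced.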
  • 20. BONUS: Taking over a Docker host from a container. DEMO TIME. Layers shown: Container Management, Docker Engine, Host Operating System.
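Domain 07 asks that only approved, known images be deployable and that the isolation capabilities are understood; the bonus demo's title names the consequence of weak container isolation, takeover of the host. The following is an added example written from the defender's side, not code from the slides, Portainer, Docker or CoreOS: a Python pre-deployment check over a constructed container request. The registry name `registry.example.internal`, the digests, and the `ContainerSpec` fields are assumptions modelled loosely on Docker's container-create options. It rejects images that are not digest-pinned to an approved entry and flags the settings that weaken isolation: privileged mode, host PID or network namespaces, dangerous added capabilities, bind mounts of sensitive host paths such as the Docker socket, and running as root.

```python
"""Pre-deployment policy check for container specs (approved images + isolation).

Added example, not from the slides or from Portainer/Docker/CoreOS. Registry,
digests and the ContainerSpec fields are constructed, loosely modelled on
Docker's container-create options.
"""
from dataclasses import dataclass, field

APPROVED_REGISTRY = "registry.example.internal"   # constructed registry name
# Constructed allowlist: image name -> digest that passed review and scanning.
APPROVED_DIGESTS = {
    "registry.example.internal/web/api":    "sha256:" + "a1" * 32,
    "registry.example.internal/web/worker": "sha256:" + "b2" * 32,
}
# Capabilities that let a process escape or alter the host (assumed policy list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Host directories whose contents must not be mounted into workloads.
SENSITIVE_HOST_DIRS = ("/etc", "/proc", "/sys", "/root", "/var/run", "/run")


@dataclass
class ContainerSpec:
    image: str                       # registry/repo[:tag][@sha256:<hex>]
    privileged: bool = False
    pid_mode: str = ""               # "host" shares the host PID namespace
    network_mode: str = ""           # "host" shares the host network namespace
    cap_add: list = field(default_factory=list)
    binds: list = field(default_factory=list)   # "host_path:container_path[:opts]"
    user: str = ""                   # empty means the image default, usually root


def parse_image(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # The tag separator is a ':' after the last '/', so "host:5000/repo" keeps its port.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    return name, tag, digest


def is_sensitive_host_path(path):
    if path in ("/", "/var/run/docker.sock"):
        return True
    return any(path == d or path.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)


def check_spec(spec):
    """Return the list of policy violations for a container spec (empty = admit)."""
    violations = []
    name, _tag, digest = parse_image(spec.image)
    if not name.startswith(APPROVED_REGISTRY + "/"):
        violations.append(f"image {name} is not from the approved registry")
    if digest is None:
        violations.append("image is not pinned by digest (tags are mutable)")
    elif APPROVED_DIGESTS.get(name) != digest:
        violations.append(f"digest for {name} is not on the approved list")
    if spec.privileged:
        violations.append("privileged mode disables most container isolation")
    if spec.pid_mode == "host":
        violations.append("host PID namespace exposes host processes")
    if spec.network_mode == "host":
        violations.append("host network namespace bypasses network isolation")
    for cap in spec.cap_add:
        normalized = cap.upper()
        normalized = normalized[4:] if normalized.startswith("CAP_") else normalized
        if normalized in DANGEROUS_CAPS:
            violations.append(f"added capability {cap} is not allowed")
    for bind in spec.binds:
        host_path = bind.split(":", 1)[0]
        if is_sensitive_host_path(host_path):
            violations.append(f"bind mount of sensitive host path {host_path}")
    if spec.user.strip() in ("", "0", "root"):
        violations.append("no non-root user set; the image default is typically root")
    return violations


def admit(spec):
    return not check_spec(spec)


# Constructed requests: one compliant, one with typical isolation-weakening settings,
# one using an approved image at a digest that is not on the allowlist.
GOOD_SPEC = ContainerSpec(image="registry.example.internal/web/api@sha256:" + "a1" * 32, user="10001")
BAD_SPEC = ContainerSpec(image="docker.io/library/nginx:latest", privileged=True,
                         binds=["/var/run/docker.sock:/var/run/docker.sock"])
STALE_SPEC = ContainerSpec(image="registry.example.internal/web/api@sha256:" + "c3" * 32,
                           pid_mode="host", cap_add=["CAP_SYS_ADMIN"], user="10001")

if __name__ == "__main__":
    for label, spec in [("good", GOOD_SPEC), ("bad", BAD_SPEC), ("stale", STALE_SPEC)]:
        print(label, "admit" if admit(spec) else "reject", check_spec(spec))
```

The digest allowlist is what makes "approved, known" enforceable: a tag such as `latest` can be re-pointed at any time, a digest cannot. The remaining checks are the isolation settings a reviewer looks at first when a management UI lets users pick arbitrary create options.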