DOGFOODCON ‘16
REDEFINING SECURITY IN A CLOUD-CENTRIC FUTURE
MIKE SPAULDING - DOGFOODCON - 2016
DISCLAIMER
My opinions, commentary, and discussion today are my own, not my employer(s)'.
My tweets are my own. If they offend you, then you probably shouldn't follow me.
I will not discuss anything about my employer(s) in any detail or extent.
HOW THE CLOUD WORKS
It's simple: it really is someone else's hard drive.
That hard drive sits in multiple countries and is shared by lots of people.
You are placing your trust in the third party to do its job: keep your data separate from other people's data.
Security is either sold softly (i.e. 'we've got you covered') or it is a hard sell (i.e. 'buy this feature and that to feel safe').
UNDERSTANDING YOUR CLOUD
It is estimated that most large companies are leveraging between 600 - 1000 SaaS Applications on a daily basis.
Cloud Apps (SaaS)
• SalesForce
• ServiceNow
• Office365
• Kronos
Owner: Business Relationship Manager
Cloud Infrastructure (IaaS)
• Rackspace
• MSFT Azure
• IBM SmartCloud
• SoftLayer
• Amazon AWS
Owner: Historically Legacy Infrastructure Teams
Platforms (PaaS)
• MSFT Azure
• IBM BlueMix
• Cloud Foundry
• Google AppEngine
Owner: Sometimes Developers, other times it is Infrastructure
CLOUD SECURITY RESPONSIBILITY
Stack layers, top to bottom, in every deployment model: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
Deployment models compared:
• Local/On Premise (Your Data Center)
• Infrastructure (IaaS)
• Platform Apps (PaaS)
• Cloud Apps (SaaS)
Responsible Party & Accountability: Your Co. / Vendor / Shared
(Diagram: each layer of each model is coloured by its responsible party.)
EXAMPLE: COMPARING YOUR CLOUD WITH PIZZA
UNDERSTANDING YOUR DATA IN THE CLOUD
Information Sharing (SaaS)
• DropBox
• Box
• iCloud
• Facebook
Owner: Business Relationship Mgr.
Security Requirements
• Authentication
• Authorization
• Confidentiality
• Audit
• Non-Repudiation
Solutions
• Company Modified PaaS
• Company Modified SaaS
• Hybrid Cloud
Accountability
• Business Owner
• Technical Owner
• Process Owner
Technical Requirements
• Two-Factor Authentication
• Business Intelligence
• Encryption
• Data Loss Prevention
• Verification Services
Business Requirements
• Rights Management: Expiration Dates, Limited Distribution
• Ability to limit Users
• Ability to Audit Activities
Stakeholders
• Legal & Procurement
• Information Security
• Architecture
• Infrastructure
Data Types
• PII
• PHI
• PCI
• IP
SAAS RESPONSIBILITY CLARIFICATION
Cloud Apps (SaaS) have a shared responsibility at the Application layer: you are accountable for the user access functions, but overall app support (development, maintenance, and management) resides with the provider.
Administrative Tasks (your company, the user access functions):
• User Management
• SOX
• User Behavior Monitoring
• Authentication
• Authorization
• Audit
Technical Tasks (the provider):
• Application Development
• Application Upgrades
• Application Management Support
Responsible Party & Accountability: Your Co. / Vendor / Shared
(Diagram: the SaaS stack from the previous slide, with the Application layer marked as shared.)
MULTITENANCY: HOW THEY MAKE THE CLOUD CHEAPER
A software architecture in which a single instance of software runs on a server and serves multiple tenants (or, in our situation, the sharing of a common cloud resource).
Risks:
Data Leakage
Insecure Configuration
Crossover from other Tenants
Benefits:
Lower Costs
Mitigation Strategy:
Isolated Resources
Security as a Foundation
API SECURITY (OR HOW MOST LARGE CLOUD HACKS HAPPEN)
Cloud APIs are application programming interfaces (APIs) used to build applications in the cloud computing market. They allow software to request data and computations from one or more services through a direct or indirect interface.
Risks
Account or Service Hijacking
Insecure APIs
Known Vulnerabilities
Lack of Control
Benefits
Customizable Services
Integration with Internal Systems
Mitigation Strategies
Evaluate the type and strength of the API Security Features.
Security as a foundation
CLOUD PORTABILITY
Cloud Portability and Continuity of Operations is a set of policies and procedures that help to ensure that your services continue.
Risks
Denial of Service
Vendor Lock-In
Un-Exportable Services
Benefits
Peace of Mind
Structured Approach to BCP/DR
Mitigation Strategies
Develop Business Continuity Plan
Develop an Exit Strategy
CLOUD RELIABILITY
Cloud architecture is more complex and abstract than traditional on-premises computing architectures.
Risks
Denial of Service
Risk is outside of your control
Skills Atrophy
Benefits
Higher Level of Service at a Lower Cost
Redundancy, Load Balancing, Network Security
Mitigation Strategies
Hybrid Cloud Option
Documentation
DATA ENCRYPTION
Protecting your data both at rest and in transit.
Risks
Vendor Lock-In
Un-Retrievable Data
Proprietary Tooling
Benefits
Minimized Potential for Data Loss
Structured Approach for Data Management
Mitigation Strategies
Establish an Independent Key Management Service
Develop a Data Security Strategy/Standard
SECURITY AS A SERVICE (CASB)
Cloud providers are beginning to offer security capabilities as a service. These services are both traditional (AAA) and non-traditional (cloud-to-cloud security).
Risks
Improperly Positioned Services
Skills Atrophy
Proprietary Tooling
Benefits
Higher Security Capability with lower barrier
Ability to have a single security context across multiple vendors
Mitigation Strategies
Security as a Foundation
Security Auditing
TRADITIONAL SECURITY MIGRATED TO THE CLOUD
Leveraging virtualized software, many traditional security vendors have brought cloud-based firewalls, IPS, reverse proxies, web application firewalls, and malware detection tools into many of the most popular cloud services.
Risks
Improperly Positioned Services
False Sense of Security
Benefits
Easier transition to cloud services for current staff
Ability to understand/visualize security posture
Mitigation Strategies
Security as a Foundation
Security Fundamentals
INTERNATIONAL PRIVACY/COMPLIANCE RISKS
The data in the cloud is still YOUR DATA. Liability for the data is not transferred away; ultimately, YOU ARE responsible for how the data is handled.
Risks
EU and non-US resident data co-mingled
Data residing within countries which do not have treaties with the EU, Canada, etc.
Mitigation Strategies
Ensure that location-specific services are enabled and that specific data centers are used for meeting international privacy compliance (make sure that German data stays on German servers).
Leverage data centers that can handle both US and EU data privacy requirements, such as Canadian servers.
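As an added example (not from the talk), a small Python policy check that models the residency mitigations above: it fails a store whose physical location is not permitted by every jurisdiction whose data it co-mingles, and it selects candidate data centers (Canada in the US+EU case) that satisfy all requirements at once. The rule table, site names and treaty relations in it are constructed placeholders, not legal facts.

```python
"""Data-residency placement check (constructed example, not from the talk).

Models the slide's mitigations: location-specific data centres, German data
kept on German servers, and choosing sites (e.g. Canada) that satisfy both
US and EU requirements. The rule table below is an illustrative placeholder,
not a statement of which countries actually have treaties with whom.
"""
from dataclasses import dataclass, field

# Constructed rule set: jurisdiction of the data subject -> countries whose
# data centres may hold that data (the jurisdiction itself plus assumed
# treaty partners). Unknown jurisdictions are rejected (fail closed).
RESIDENCY_RULES = {
    "DE": {"DE"},                     # German data stays on German servers
    "EU": {"DE", "FR", "IE", "CA"},   # EU sites plus an assumed treaty partner
    "CA": {"CA", "DE", "FR", "IE"},
    "US": {"US", "CA"},
}

# Constructed candidate data centres: name -> country of the physical site.
SITES = {"us-east": "US", "ca-central": "CA", "eu-frankfurt": "DE", "eu-dublin": "IE"}


@dataclass
class DataStore:
    """A bucket/database and the jurisdictions of the people whose data it holds."""
    name: str
    country: str                                   # where the site physically is
    subject_jurisdictions: set = field(default_factory=set)


def allowed_countries(jurisdictions):
    """Countries acceptable to every jurisdiction in the set at once.

    Co-mingling is the slide's risk: intersecting the rules is what makes a
    mixed US+EU store acceptable in Canada but not in the US.
    """
    allowed = None
    for j in jurisdictions:
        rule = RESIDENCY_RULES.get(j)
        if rule is None:
            return set()                           # unknown jurisdiction: fail closed
        allowed = set(rule) if allowed is None else allowed & rule
    return allowed if allowed else set()           # no jurisdictions given: fail closed


def check_store(store):
    """Return violation messages for a store (an empty list means compliant)."""
    permitted = allowed_countries(store.subject_jurisdictions)
    if store.country in permitted:
        return []
    return [
        f"{store.name}: site is in {store.country}, but co-mingled jurisdictions "
        f"{sorted(store.subject_jurisdictions)} permit only {sorted(permitted) or 'nowhere'}"
    ]


def plan_placement(jurisdictions, candidate_sites=SITES):
    """Names of candidate sites that satisfy all residency rules at once."""
    permitted = allowed_countries(jurisdictions)
    return sorted(name for name, country in candidate_sites.items() if country in permitted)


def demo():
    """Run the check over three constructed stores; returns name -> violations."""
    stores = [
        DataStore("crm-prod", "US", {"US", "EU"}),        # EU data co-mingled on a US site
        DataStore("hr-de", "DE", {"DE"}),                  # German data on German servers
        DataStore("shared-ca", "CA", {"US", "EU", "CA"}),  # Canada serves US and EU data
    ]
    return {s.name: check_store(s) for s in stores}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
    print("US+EU placement options:", plan_placement({"US", "EU"}))
```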
LEGALLY YOURS
REMEMBER: It is your data; how you use it is at your discretion.
No cloud provider will ever sign on as being 100% liable for your data, and you must prove how they failed.
You will only get your portion of your money back (think of something like tires or a mattress). The warranty is limited to unused services only.
The model of the cloud is built on shared services, so no self-respecting cloud provider will sign away their rights to you. Liability is limited, and at most they go out of business and walk away from the mess. You will own the mess, not them.
YOUR DATA IS YOUR RESPONSIBILITY!
SO WHERE DO WE GO FROM HERE?
Everything is moving to the cloud - it is really hard to find an industry that has no cloud presence. Don't fight the Kool-Aid now!
Containerization and portability will be the next big wave for enterprises in the cloud.
Although infrastructure in the cloud is becoming very mainstream, we have yet to see the cloud 'killer' app. If we look at things like Facebook, SalesForce, or Box, what we find is that we made it easier for a large number of people to do something that would previously have been more complex or cumbersome.
Automation is already hitting the cloud, but we have not truly embraced it.
Machine learning will make coding in the cloud even easier for the less technical, and sharing data will be almost too easy or simple.
THE SINGLE, BIGGEST QUESTION TO ASK YOUR CLOUD VENDOR
Where does your security end and my security begin?
THANK YOU
I appreciate your time today during this session.
If you need to reach me, try here:
https://www.linkedin.com/in/therealfatherofmaddog
@fatherofmaddog
Columbus BSides Security Conference - January 16th, 2017
Due to my work/personal schedule, I cannot work for you (at least right now). Maybe some time down the road. Who knows.
I need to thank John Sanders (Ent. Architect/CIO), the guys at Secure Idea, and the person that created Pizza as a Service - Albert Barron.

Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Redefining Security in the Cloud

  • 1. DOGFOODCON ‘16: REDEFINING SECURITY IN A CLOUD-CENTRIC FUTURE
  • 2. MIKE SPAULDING - DOGFOODCON - 2016
    DISCLAIMER
    My opinions, commentary, and discussion today are my own, not my employer(s)'.
    My tweets are my own. If they offend you, then you probably shouldn’t follow me.
    I will not discuss anything about my employer(s) in any detail or extent.
  • 3. HOW THE CLOUD WORKS
    It’s simple: it really is someone else’s hard drive.
    The hard drive sits in multiple countries and is shared by lots of people.
    You are placing your trust in the third party to do its job: keep your data separate from other people’s data.
    Security is either sold softly (i.e. ‘we’ve got you covered’) or it is a hard sell (i.e. ‘buy this feature and this to feel safe’).
  • 4. UNDERSTANDING YOUR CLOUD
    It is estimated that most large companies are leveraging between 600 - 1000 SaaS applications on a daily basis.
    Cloud Apps (SaaS) - Owner: Business Relationship Manager
      • SalesForce • ServiceNow • Office365 • Kronos
    Cloud Infrastructure (IaaS) - Owner: Historically Legacy Infrastructure Teams
    Platforms (PaaS) - Owner: Sometimes Developers, other times it is Infrastructure
    IaaS and PaaS examples, as listed on the slide (MSFT Azure appears under both):
      • Rackspace • MSFT Azure • IBM SmartCloud • SoftLayer • Amazon AWS • MSFT Azure • IBM BlueMix • Cloud Foundry • Google AppEngine
  • 5. CLOUD SECURITY RESPONSIBILITY
    Stack layers, shown for each deployment model: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking
    Deployment models: Local/On Premise (Your Data Center); Infrastructure (IaaS); Platform Apps (PaaS); Cloud Apps (SaaS)
    Legend - Responsible Party & Accountability: Your Co. / Vendor / Shared
  • 6. EXAMPLE: COMPARING YOUR CLOUD WITH PIZZA
  • 7. UNDERSTANDING YOUR DATA IN THE CLOUD
    Information Sharing (SaaS) - Owner: Business Relationship Mgr.
      • DropBox • Box • iCloud • Facebook
    Security Requirements: Authentication, Authorization, Confidentiality, Audit, Non-Repudiation
    Technical Requirements: Two-Factor Authentication, Business Intelligence, Encryption, Data Loss Prevention, Verification Services
    Business Requirements: Rights Management (Expiration Dates, Limited Distribution, Ability to limit Users, Ability to Audit Activities)
    Solutions: Company Modified PaaS, Company Modified SaaS, Hybrid Cloud
    Accountability: Business Owner, Technical Owner, Process Owner
    Stakeholders: Legal & Procurement, Information Security, Architecture, Infrastructure
    Data Types: • PII • PHI • PCI • IP
  • 8. SAAS RESPONSIBILITY CLARIFICATION
    Stack layers for Cloud Apps (SaaS): Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking
    Cloud Apps have a shared responsibility at the Application layer: you are accountable for the user access functions, but overall app support (dev, MX, and MGMT) resides with the provider.
    Administrative Tasks (your side): • User Management • SOX • User Behavior Monitoring • Authentication • Authorization • Audit
    Technical Tasks (provider side): • Application Development • Application Upgrades • Application Management Support
    Legend - Responsible Party & Accountability: Your Co. / Vendor / Shared
  • 9. MULTITENANCY: HOW THEY MAKE THE CLOUD CHEAPER
    A software architecture in which a single instance of software runs on a server and serves multiple tenants (or, in our situation, the sharing of a common cloud resource).
    Risks: • Data Leakage • Insecure Configuration • Crossover from other Tenants
    Benefits: • Lower Costs
    Mitigation Strategy: • Isolated Resources • Security as a Foundation
  • 10. API SECURITY (OR HOW MOST LARGE CLOUD HACKS HAPPEN)
    These are application programming interfaces (APIs) used to build applications in the cloud computing market. Cloud APIs allow software to request data and computations from one or more services through a direct or indirect interface.
    Risks: • Account or Service Hijacking • Insecure APIs • Known Vulnerabilities • Lack of Control
    Benefits: • Customizable Services • Integration with Internal Systems
    Mitigation Strategies: • Evaluate the type and strength of the API security features • Security as a foundation
  • 11. CLOUD PORTABILITY
    Cloud portability and continuity of operations is a set of policies and procedures that help to assure that your services continue.
    Risks: • Denial of Service • Vendor Lock-In • Un-Exportable Services
    Benefits: • Peace of Mind • Structured Approach to BCP/DR
    Mitigation Strategies: • Develop a Business Continuity Plan • Develop an Exit Strategy
  • 12. CLOUD RELIABILITY
    Cloud architecture is more complex and abstract than traditional on-premise computing architectures.
    Risks: • Denial of Service • Risk is outside of your control • Skills Atrophy
    Benefits: • Higher Level of Service at a Lower Cost • Redundancy, Load Balancing, Network Security
    Mitigation Strategies: • Hybrid Cloud Option • Documentation
  • 13. DATA ENCRYPTION
    Protecting your data both at rest and in transit.
    Risks: • Vendor Lock-In • Un-Retrievable Data • Proprietary Tooling
    Benefits: • Minimized Potential for Data Loss • Structured Approach for Data Management
    Mitigation Strategies: • Establish an Independent Key Management Service • Develop a Data Security Strategy/Standard
  • 14. SECURITY AS A SERVICE (CASB)
    Cloud providers are beginning to offer security capabilities as a service. These services are both traditional (AAA) and non-traditional (cloud-to-cloud security).
    Risks: • Improperly Positioned Services • Skills Atrophy • Proprietary Tooling
    Benefits: • Higher Security Capability with a lower barrier • Ability to have a single security context across multiple vendors
    Mitigation Strategies: • Security as a Foundation • Security Auditing
  • 15. TRADITIONAL SECURITY MIGRATED TO THE CLOUD
    Leveraging virtualized software, many traditional security vendors have brought cloud-based firewalls, IPS, reverse proxies, web application firewalls, and malware detection tools into many of the most popular cloud services.
    Risks: • Improperly Positioned Services • False Sense of Security
    Benefits: • Easier transition to cloud services for current staff • Ability to understand/visualize security posture
    Mitigation Strategies: • Security as a Foundation • Security Fundamentals
  • 16. INTERNATIONAL PRIVACY/COMPLIANCE RISKS
    The data in the cloud is still YOUR DATA. Liability for the data is not transferred away; ultimately, YOU ARE responsible for how the data is handled.
    Risks: • EU and non-US resident data co-mingled • Data residing within countries which do not have treaties with the EU, Canada, etc.
    Mitigation Strategies: • Ensure that location-specific services are enabled and that specific data centers are used for meeting international privacy compliance (make sure that German data stays on German servers) • Leverage data centers that can handle both US and EU data privacy requirements, such as Canadian servers.
  • 17. LEGALLY YOURS
    REMEMBER: It is your data; how you use it is at your discretion.
    No cloud provider will ever sign on as being 100% liable for your data, and you must prove how they failed.
    You will only get your portion of your money back (think of something like tires or a mattress). The warranty is limited to unused services only.
    The model of the cloud is built on shared services, so no self-respecting cloud provider will sign away their rights to you.
    Liability is limited; at most they go out of business and walk away from the mess. You will own the mess, not them.
    YOUR DATA IS YOUR RESPONSIBILITY!
  • 18. SO WHERE DO WE GO FROM HERE?
    Everything is moving to the cloud - it is really hard to find an industry that has no cloud presence. Don’t fight the kool aid now!
    Containerization and portability will be the next big wave for enterprises in the cloud.
    Although infrastructure in the cloud is becoming very mainstream, we have yet to see the cloud ‘killer’ app. If we look at things like Facebook, SalesForce, or Box, what we find is that we made it easier for a large number of people to do something that would previously have been more complex or cumbersome.
    Automation is already hitting the cloud, but we have not truly embraced it. Machine learning will make coding in the cloud even easier for the less technical, and sharing data will be almost too easy or simple.
  • 19. THE SINGLE, BIGGEST QUESTION TO ASK YOUR CLOUD VENDOR
    Where does your security end and my security begin?
  • 20. THANK YOU
    I appreciate your time today during this session. If you need to reach me, try here: https://www.linkedin.com/in/therealfatherofmaddog @fatherofmaddog
    Columbus BSides Security Conference - January 16th, 2017
    Due to my work/personal schedule, I cannot work for you (at least right now). Maybe some time down the road. Who knows.
    I need to thank John Sanders (Ent. Architect/CIO), the guys at Secure Idea, and the person that created Pizza as a Service - Albert Barron.
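The data residency mitigation on slide 16 (keep German data on German servers; accept Canadian data centers for data that must satisfy both US and EU requirements) can be turned into a check that runs over a storage inventory. This is an added example, not code from the talk; the jurisdiction tags, region names, policy table and sample inventory are all constructed placeholders, and it fails closed on regulated data (the PII/PHI/PCI/IP types from slide 7) that carries no residency tag at all.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed residency policy: which provider regions may hold data tagged
# for each jurisdiction. Region names are placeholders, not a real provider's.
RESIDENCY_RULES = {
    "DE": {"eu-central-de"},                             # German data stays on German servers
    "EU": {"eu-central-de", "eu-west-ie", "ca-central"},  # EU data: EU DCs or Canada
    "US": {"us-east", "us-west", "ca-central"},          # US data: US DCs or Canada
}
REGULATED_TYPES = {"PII", "PHI", "PCI", "IP"}  # the data types named on slide 7

@dataclass(frozen=True)
class Resource:
    name: str
    region: str                  # where the provider actually placed the data
    data_type: Optional[str]     # "PII", "PHI", ...; None means unclassified
    residency: Optional[str]     # jurisdiction tag such as "DE"; None means untagged

def check_resource(resource, rules=RESIDENCY_RULES):
    """Return None if the placement is acceptable, otherwise a finding string.

    Fails closed: regulated data with no residency tag is reported, because an
    untagged store cannot be shown to meet any jurisdiction's requirement."""
    if resource.residency is None:
        if resource.data_type in REGULATED_TYPES:
            return f"{resource.name}: regulated {resource.data_type} data has no residency tag"
        return None
    allowed = rules.get(resource.residency)
    if allowed is None:
        return f"{resource.name}: unknown residency tag {resource.residency!r}"
    if resource.region not in allowed:
        return (f"{resource.name}: {resource.residency} data placed in {resource.region!r}, "
                f"allowed regions are {sorted(allowed)}")
    return None

def find_residency_violations(resources, rules=RESIDENCY_RULES):
    """Run the check over a whole inventory and return only the findings."""
    return [f for f in (check_resource(r, rules) for r in resources) if f is not None]

# Constructed sample inventory (not real systems)
SAMPLE_INVENTORY = [
    Resource("hr-payroll", "eu-central-de", "PII", "DE"),   # compliant
    Resource("hr-backup", "us-east", "PII", "DE"),          # German PII replicated to the US
    Resource("claims-archive", "ca-central", "PHI", "EU"),  # compliant: Canada accepted for EU
    Resource("web-logs", "us-west", None, None),            # unclassified, untagged: passes
    Resource("card-tokens", "us-east", "PCI", None),        # regulated but untagged: fails closed
]
```

Calling find_residency_violations(SAMPLE_INVENTORY) reports the hr-backup and card-tokens entries; the policy table is the piece to replace with the regions and treaties your legal and procurement stakeholders actually sign off on.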