Evolution of Security Controls
Towards Cloud Services
Hugo Rodrigues
© 2019 Hugo Rodrigues. All rights reserved.
Where to start?
Where to look?
What’s relevant?
What to do?
How to do it?
Security Controls
Cloud Services
CSA Security, Trust, Assurance and Risk (STAR)
Security principles to guide cloud vendors and to
assist prospective cloud customers in assessing
the overall security risk of a cloud provider
Assurance, Education, Research, Community
Example topics:
What are the base-level security controls required for an IoT system?
What are the top threats to cloud computing?
How will we protect networks and data in the era of quantum computing?
https://cloudsecurityalliance.org/star/
Source: Cloud Security Alliance
CSA Cloud Controls Matrix (CCM)
Tool for the systematic assessment of a cloud implementation, providing
guidance on which security controls should be implemented by which actor
within the cloud supply chain
• Control framework for cloud computing
• 16 domains covering all key aspects of cloud technology
• Mapped to standards, regulations and control frameworks
CCM v3.0.1 is available as a free download to help companies
evaluate cloud providers and guide security efforts
Uncertainty with cloud
Security matters at every layer of modern computing systems, but especially at
the level of distributed systems and networks
Modern computing systems and applications are typically distributed systems,
with data storage and computation happening at different nodes of the system
Are the formal protection mechanisms enough?
e.g. patents, trademarks, industrial designs, utility models and copyright, …
Formal protection in distributed systems
Amazon Web Services has used formal methods, including formal specification
(TLA+) and model checking, to verify the correctness of its widely used
Simple Storage Service (S3)
Facebook's Infer static analyzer identifies null pointer dereferences and
resource leaks in Java programs (it also analyzes C and Objective-C).
It builds on separation logic, which enables precise but scalable reasoning
about program code that performs complex heap manipulation. Infer has been
released as open source
Formal protection at the technology level is key for cloud services
Multidimensional decision points under uncertainty
Figure: Cloud Architecture Model with Layers SaaS, PaaS, and IaaS (Source: Pooyan Jamshidi)
Manage uncertainty
Cloud applications are software systems with layered, distributed
architectures that use layer-specific resources provided through services
Focus on the decision points at the intersection of services and technologies
Set specific goals to measure the need for change versus lift and shift
Prepare the environment at an abstraction level suited to the enterprise's
maturity in working with distributed systems
Because of the uncertainty that prevails in the cloud, putting change
patterns at the core of models and rules has helped map uncertain
situations onto manageable ones
Gain visibility over cloud services
Set compliance controls and set operational controls
Data collected from operational controls supports threats being
discovered through pattern-mismatch analysis
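As an added example (not from the slides), the compliance-control side of this slide expressed as code: a handful of controls evaluated over a constructed cloud inventory, each tagged with the CCM v3.0.1 domain code it is assumed to map to (DSI, EKM, IVS, IAM). The control names, that domain mapping, the 90-day key-age limit and the inventory records are all this example's own assumptions. The access-logging control is what makes the operational controls on this slide possible: without logs there is nothing to run pattern analysis on.

```python
"""Compliance controls as code, evaluated over a constructed cloud inventory.

Everything here is an assumption of this added example: the inventory records,
the control names and the mapping of each control to a CCM v3.0.1 domain code.
"""
from dataclasses import dataclass

MAX_KEY_AGE_DAYS = 90  # rotation threshold: a policy choice assumed by this example

# Constructed inventory. The record shape is this example's own, not a provider API.
INVENTORY = {
    "storage_buckets": [
        {"name": "public-assets", "public_read": True, "public_by_design": True,
         "encryption_at_rest": True, "access_logging": True},
        {"name": "customer-backups", "public_read": True,
         "encryption_at_rest": False, "access_logging": False},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "access_key_age_days": 30, "admin": False},
        {"name": "svc-deploy", "mfa_enabled": False, "access_key_age_days": 400, "admin": True},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str   # control name (this example's naming)
    domain: str    # CCM v3.0.1 domain code the control is mapped to (assumed mapping)
    resource: str
    detail: str


def check_bucket(bucket):
    """Compliance controls for one storage bucket; returns the list of Findings."""
    found = []
    if bucket["public_read"] and not bucket.get("public_by_design", False):
        found.append(Finding("no-unintended-public-access", "DSI", bucket["name"],
                             "public read without a documented exception"))
    if not bucket["encryption_at_rest"]:
        found.append(Finding("encryption-at-rest", "EKM", bucket["name"],
                             "server-side encryption disabled"))
    if not bucket["access_logging"]:
        # Without access logs the operational controls downstream have no data to analyze.
        found.append(Finding("access-logging", "IVS", bucket["name"],
                             "access logging disabled"))
    return found


def check_iam_user(user):
    """Identity controls for one IAM user; returns the list of Findings."""
    found = []
    if not user["mfa_enabled"]:
        detail = "admin without MFA" if user["admin"] else "MFA not enabled"
        found.append(Finding("mfa-required", "IAM", user["name"], detail))
    if user["access_key_age_days"] > MAX_KEY_AGE_DAYS:
        found.append(Finding("key-rotation", "IAM", user["name"],
                             f"access key is {user['access_key_age_days']} days old "
                             f"(limit {MAX_KEY_AGE_DAYS})"))
    return found


def evaluate(inventory):
    """Run every control over the inventory and return all Findings."""
    findings = []
    for bucket in inventory["storage_buckets"]:
        findings.extend(check_bucket(bucket))
    for user in inventory["iam_users"]:
        findings.extend(check_iam_user(user))
    return findings


def summarize_by_domain(findings):
    """Count findings per CCM domain code, the view a compliance report wants."""
    counts = {}
    for f in findings:
        counts[f.domain] = counts.get(f.domain, 0) + 1
    return counts


def harden_bucket(bucket):
    """Return the corrected configuration for a bucket (the weak settings fixed)."""
    fixed = dict(bucket)
    if not fixed.get("public_by_design", False):
        fixed["public_read"] = False
    fixed["encryption_at_rest"] = True
    fixed["access_logging"] = True
    return fixed


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.domain}] {f.control} on {f.resource}: {f.detail}")
    print(summarize_by_domain(evaluate(INVENTORY)))
    print(check_bucket(harden_bucket(INVENTORY["storage_buckets"][1])))
```

Run as a script it reports five findings (three on the customer-backups bucket, two on the svc-deploy user) and then shows that the hardened bucket configuration produces none; a documented exception (public_by_design) is what keeps the intentionally public bucket out of the report.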
Pay attention to data behavior
Example (figure): Source: Zhenguo Chen, Trust evaluation model of cloud user based on behavior data
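An added example (not from the slides or from Chen's paper) of the idea behind this slide and of the pattern-mismatch analysis on the previous one: a per-user behavior baseline built from constructed history, a trust score for each new event that drops with every mismatch, and a session that stays flagged once trust falls below the threshold, even though the credential in use is valid. The event fields, penalty weights, sensitive-action list and threshold are assumptions of this example, not the paper's model.

```python
"""Behavior-based trust evaluation of an already-authenticated cloud user.

Added example. The event records, the per-user baseline features, the penalty
weights and the trust threshold are all assumptions of this example.
"""
from datetime import datetime

TRUST_THRESHOLD = 0.5  # below this the session is flagged (assumed policy value)
SENSITIVE_ACTIONS = {"CreateAccessKey", "DeleteBucket", "PutBucketPolicy", "AttachUserPolicy"}
# Penalty per mismatch between an event and the user's baseline (assumed weights).
PENALTY = {"unknown-source-ip": 0.3, "unseen-action": 0.2,
           "sensitive-unseen-action": 0.4, "off-hours": 0.2, "volume-spike": 0.3}

# Constructed history: what "normal" looked like for alice over prior weeks.
HISTORY = [
    {"user": "alice", "ts": "2019-05-06T09:12:00", "src_ip": "203.0.113.10", "action": "ListObjects", "bytes_out": 12_000},
    {"user": "alice", "ts": "2019-05-06T10:40:00", "src_ip": "203.0.113.10", "action": "GetObject", "bytes_out": 850_000},
    {"user": "alice", "ts": "2019-05-07T14:05:00", "src_ip": "203.0.113.11", "action": "GetObject", "bytes_out": 1_200_000},
    {"user": "alice", "ts": "2019-05-08T16:30:00", "src_ip": "203.0.113.10", "action": "PutObject", "bytes_out": 0},
]

# Constructed new session: a valid login, then behavior that does not fit the baseline.
NEW_EVENTS = [
    {"user": "alice", "ts": "2019-05-13T09:30:00", "src_ip": "203.0.113.10", "action": "GetObject", "bytes_out": 900_000},
    {"user": "alice", "ts": "2019-05-14T03:10:00", "src_ip": "198.51.100.77", "action": "CreateAccessKey", "bytes_out": 0},
    {"user": "alice", "ts": "2019-05-14T03:12:00", "src_ip": "198.51.100.77", "action": "GetObject", "bytes_out": 40_000_000},
]


class Baseline:
    """Per-user behavior profile learned from historical events."""

    def __init__(self):
        self.src_ips, self.actions, self.hours = set(), set(), set()
        self.max_bytes = 0

    @classmethod
    def from_events(cls, events):
        b = cls()
        for e in events:
            b.src_ips.add(e["src_ip"])
            b.actions.add(e["action"])
            b.hours.add(datetime.fromisoformat(e["ts"]).hour)
            b.max_bytes = max(b.max_bytes, e["bytes_out"])
        return b

    def usual_hour(self, hour):
        # One hour of slack either side of any hour seen in the history.
        return any(abs(hour - h) <= 1 for h in self.hours)


def score_event(baseline, event):
    """Trust score in [0, 1] for one event, plus the list of mismatch reasons."""
    reasons = []
    if event["src_ip"] not in baseline.src_ips:
        reasons.append("unknown-source-ip")
    if event["action"] not in baseline.actions:
        reasons.append("sensitive-unseen-action" if event["action"] in SENSITIVE_ACTIONS
                       else "unseen-action")
    if not baseline.usual_hour(datetime.fromisoformat(event["ts"]).hour):
        reasons.append("off-hours")
    if event["bytes_out"] > 5 * baseline.max_bytes:
        reasons.append("volume-spike")
    score = round(max(0.0, 1.0 - sum(PENALTY[r] for r in reasons)), 2)
    return score, reasons


def evaluate_session(baseline, events):
    """Score events in order. Once trust drops below the threshold the rest of the
    session stays flagged: a valid credential does not restore trust by itself."""
    results, compromised = [], False
    for e in events:
        score, reasons = score_event(baseline, e)
        compromised = compromised or score < TRUST_THRESHOLD
        results.append({"ts": e["ts"], "action": e["action"], "score": score,
                        "reasons": reasons, "flagged": compromised})
    return results


if __name__ == "__main__":
    base = Baseline.from_events(HISTORY)
    for r in evaluate_session(base, NEW_EVENTS):
        print(r)
```

The first event of the new session scores 1.0 and is not flagged; the key creation at 03:10 from an unknown address scores 0.1 and flags the session, so the 40 MB download two minutes later is flagged regardless of its own score. In production the baseline would be rebuilt periodically from clean history and the penalty weights tuned against the false-positive rate the analysts can absorb, which is the point of the "weak data leads to weak results" slide that follows.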
Manage your data
“As with any function or application, weak data leads to weak results.
In cybersecurity, that means too many false positives for
overburdened security analysts, higher risk of successful breaches,
and greater losses from each breach.” - Stu Bradley, SAS
Turn data into gold
Prediction: given a new measurement, you want to use an existing data set
to build a model that reliably chooses the correct identifier from a set of
outcomes
Complement vendors' standard signatures with your own
Source: Nathan Sanders, Harvard Data Science Review (HDSR), MIT Press
Do cloud services increase security events?
• The perimeter has evaporated and the cloud environment shifts rapidly
• Former on-prem services now run in the cloud
• External logs may have reliability / availability issues
• EDR deployment is complicated by volume and velocity
• Containment is hampered by volatility and lack of access
• Convergence and new connectivity requirements
Source: RSA Conference 2019
Respond to security events - cloud services
Anticipation is key for compliance: follow the CCM to the maximum extent
Proactivity is key for operations: use analytics and insights
Response is needed for everything else
Build a cloud-specific incident response plan: a well-defined plan lets you
identify an attack, minimize the damage and reduce its cost, while finding and
fixing the cause to prevent future attacks
Mitigating control gaps is never sufficient: infrastructure will always have gaps
and zero-day vulnerabilities
The three elements: plan, team and tools
Impact analysis to measure financials
Risk itself can be a qualitative measure, but the impact of an incident
(the cost of a downed asset: lost revenue, recovery, etc.)
can be quantitative
Consider a risk management framework even before you move systems
Source: Journal of Risk and Financial Management
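An added example (not from the slides or the cited paper) of the quantitative side of this slide: single-loss and annualized-loss expectancy computed over a small dependency graph of constructed assets, so that the cost of a downed asset includes the revenue of everything that stops with it, plus the net annual benefit of a control that reduces the incident rate. All revenue, recovery-cost, MTTR and rate figures are made up for illustration.

```python
"""Quantitative impact analysis: single and annualized loss expectancy over a
dependency graph of assets, as input to the "is this control worth it" decision.

Added example. The assets, their revenue, recovery costs, MTTRs, dependency edges
and incident rates are constructed figures, not from any real study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    revenue_per_hour: float   # revenue that stops while the asset is down
    recovery_cost: float      # fixed cost to restore it (people, restore, forensics)
    mttr_hours: float         # expected time to recover from one incident
    depends_on: tuple = ()    # upstream assets whose outage takes this one down


# Constructed estate: a storefront that depends on an order API, which depends on
# an identity provider and a database.
ASSETS = {a.name: a for a in [
    Asset("identity-provider", 0, 20_000, 4),
    Asset("orders-db", 0, 50_000, 8),
    Asset("order-api", 15_000, 10_000, 6, ("identity-provider", "orders-db")),
    Asset("storefront", 25_000, 5_000, 2, ("order-api",)),
]}


def outage_closure(assets, failed):
    """Every asset that is down when `failed` is down (transitive dependents)."""
    down = {failed}
    changed = True
    while changed:
        changed = False
        for a in assets.values():
            if a.name not in down and any(d in down for d in a.depends_on):
                down.add(a.name)
                changed = True
    return down


def single_loss_expectancy(assets, failed):
    """SLE: lost revenue across everything that goes down for the failed asset's
    MTTR, plus the recovery cost of the asset that actually failed."""
    down = outage_closure(assets, failed)
    hours = assets[failed].mttr_hours
    lost_revenue = sum(assets[n].revenue_per_hour * hours for n in down)
    return lost_revenue + assets[failed].recovery_cost


def annualized_loss_expectancy(assets, failed, incidents_per_year):
    """ALE = SLE x ARO (annual rate of occurrence)."""
    return single_loss_expectancy(assets, failed) * incidents_per_year


def rank_by_impact(assets):
    """Asset names ordered by SLE, highest first: where quantification effort goes."""
    return sorted(assets, key=lambda n: single_loss_expectancy(assets, n), reverse=True)


def control_net_benefit(assets, failed, aro_before, aro_after, annual_control_cost):
    """Net annual benefit of a control that cuts the incident rate on `failed`.
    Positive means the control pays for itself."""
    return (annualized_loss_expectancy(assets, failed, aro_before)
            - annualized_loss_expectancy(assets, failed, aro_after)
            - annual_control_cost)


if __name__ == "__main__":
    for name in rank_by_impact(ASSETS):
        print(f"{name:18s} SLE = {single_loss_expectancy(ASSETS, name):>10,.0f}")
    # Constructed scenario: a control costing 30,000/year cuts identity-provider
    # incidents from 0.5/year to 0.1/year.
    print("net benefit:", control_net_benefit(ASSETS, "identity-provider", 0.5, 0.1, 30_000))
```

The ranking is the useful output: the database, which earns nothing on its own, tops the list because everything revenue-bearing stops when it is down, which is exactly what a "risk is yellow" rating hides. Incident rates are the weakest input; source them from your own incident history or the provider's published figures rather than guessing, and revisit them after migration.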
Financial health
You can't own a problem if you don't measure it
Quantifying the impact of security incidents is a great way to mature beyond
"our risk is yellow"
Analytics, Intelligence & Response: apply investigative and analytic techniques to
anticipate and resolve incidents
Human & Process Security: navigate management issues such as operational
risk strategies, as well as people-related issues such as social engineering
Q&A
Hugo Rodrigues
hugosrodrigues
Thank you!

Editor's notes

  1. Download: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/
  2. The cloud, as a multi-stakeholder and heterogeneous environment, requires a multi-dimensional approach to selecting a suitable evolution process, here done through a variability model driving a staged evolution based on migration patterns. To deal with adaptation, uncertainty is mastered through statistical and logical approaches. Pahl, Claus; Jamshidi, Pooyan; Weyns, Danny (2017). Cloud architecture continuity: Change models and change rules for sustainable cloud software architectures. Journal of Software: Evolution and Process, 29, e1849. doi:10.1002/smr.1849
  3. When using a cloud platform, how to ensure the safety of users is a matter we must be concerned with. User authentication provides a certain degree of security, but once the user's credentials have leaked, this method is no longer effective. Therefore this article proposes a trust evaluation model based on user behavior data. https://www.researchgate.net/publication/325242412_Trust_evaluation_model_of_cloud_user_based_on_behavior_data
  4. Growing numbers of devices, compliance requirements and business needs make capturing event data necessary for every type of business. Analyzing logs gives real insight into what is happening within your IT environment. Some real-world examples: capacity planning, early problem detection
  5. https://hdsr.mitpress.mit.edu/pub/a7gxkn0a
  6. computer emergency response team (CERT), computer security incident response team (CSIRT), and security operations center (SOC)
  7. Start by quantifying before you move into cloud services: https://www.mdpi.com/1911-8074/10/2/10/pdf