Checklist for Competent Cloud Security Management

Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI. Dr. Mariana Carroll, Cloud Advisor and Trainer.

Transcript of Checklist for Competent Cloud Security Management

Page 1: Checklist for Competent Cloud Security Management

Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI

Dr. Mariana Carroll, Cloud Advisor and Trainer

Page 2: Checklist for Competent Cloud Security Management

© Cloud Credential Council

Poll: Testing - can you hear us and see the slides?

A. Yes, I can hear you and see the slides
B. I can hear you, but not see the slides
C. I can see the slides, but not hear you
D. No, I cannot hear you or see the slides

Page 3: Checklist for Competent Cloud Security Management


Introduction: Cloud Credential Council. Tristano Vacondio, Marketing Manager, CCC

Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI. Dr. Mariana Carroll, Cloud Advisor and Trainer, Mariana Carroll Consulting

Agenda

Page 4: Checklist for Competent Cloud Security Management


Poll: What is your area of work?

A. IT training provider
B. IT consultant
C. IT training and consulting
D. IT practitioner

Page 5: Checklist for Competent Cloud Security Management


Poll: How much IT security experience do you have?

A. Extensive experience (approx 6+ years)
B. Some experience (approx 4-6 years)
C. Intermediate (approx 1-3 years)
D. Little (up to 1 year)
E. None

Page 6: Checklist for Competent Cloud Security Management


1. Customers in the same cloud can attack each other.

A. True
B. False

Page 7: Checklist for Competent Cloud Security Management


2. External Internet threats are more threatening in the cloud.

A. True
B. False

Page 8: Checklist for Competent Cloud Security Management


3. You can't control where your data resides in the cloud.

A. True
B. False

Page 9: Checklist for Competent Cloud Security Management


4. Certifications are standard in a cloud environment and provide assurance to subscribers.

A. True
B. False

Page 10: Checklist for Competent Cloud Security Management


5. It is easy to change from one cloud provider to another whenever I want to.

A. True
B. False

Page 11: Checklist for Competent Cloud Security Management


Agenda

CCC Introduction
Background: What is the Current State of Cloud Security?
Background: What are the common gaps and how do we address Cloud Security?
Stepping into Cloud Security Management: A Checklist to Ensure Secure Cloud Adoption and Use
Training and Development: Building a Career in Cloud Security
The Future of Cloud Security
Questions and Answers
Quiz Answers

Page 12: Checklist for Competent Cloud Security Management


Introduction

Page 13: Checklist for Competent Cloud Security Management


The Cloud Credential Council

● Vendor Neutral
● International
● Non Profit

Page 14: Checklist for Competent Cloud Security Management

CCC Background: Professional Cloud Series

Page 15: Checklist for Competent Cloud Security Management

CCC Background (cont…)

Page 16: Checklist for Competent Cloud Security Management


Certification Scheme

Page 17: Checklist for Competent Cloud Security Management


Accreditation Scheme

Page 18: Checklist for Competent Cloud Security Management


Checklist for Competent Cloud Security Management: Barriers and Challenges to Opportunities and ROI

Page 19: Checklist for Competent Cloud Security Management


Background: What is the Current State of Cloud Security?

Page 20: Checklist for Competent Cloud Security Management


Journey to a Digital World

Technologies: Business, Cloud, Mobile, Data, Social business, IoT, Wearables
Threats: Hacktivists, Insiders, Espionage, Criminal syndicates, States, Control failure

Page 21: Checklist for Competent Cloud Security Management


What is Cloud Computing?

Cloud definition: “A network of remote servers hosted on the Internet and used to store, manage, and process data instead of local servers or personal computers”.

Meteorological definition: “A cloud is a visible mass of tiny, condensed water droplets or ice crystals suspended in the atmosphere”.

Cloud Characteristics
● On-demand self service
● Broad network access
● Resource pooling
● Rapid elasticity
● Measured service

Cloud Service Models
● Software-as-a-Service (SaaS)
● Platform-as-a-Service (PaaS)
● Infrastructure-as-a-Service (IaaS)

Cloud Deployment Models
● Public cloud
● Private cloud
● Community cloud
● Hybrid cloud
● Virtual private clouds

Page 22: Checklist for Competent Cloud Security Management


The State of Cloud Computing

Page 23: Checklist for Competent Cloud Security Management


The State of Cloud Computing

Page 24: Checklist for Competent Cloud Security Management


The State of Cloud Computing

Gartner: The worldwide market for public cloud systems will hit $204 billion this year.

Gartner:
• Highest growth expected in IaaS (38,4%)
• Solid growth across public cloud services
• SaaS growing 20,3%
• Cloud management and security services growing 24,7%
• PaaS growing 21,1%

IDC: Hyper-convergence spending will nearly double from $806.8 million in 2015 to nearly $1.6 billion in 2016.

Page 25: Checklist for Competent Cloud Security Management


The State of Cloud Computing

Page 26: Checklist for Competent Cloud Security Management



Page 27: Checklist for Competent Cloud Security Management


The State of Cloud Computing

Key takeaways:
• Increased spending on Security and Cloud Computing
• Large need for Cloud Computing and Security skills

Page 28: Checklist for Competent Cloud Security Management


Background: What are the common gaps and how do we address Cloud Security?

Page 29: Checklist for Competent Cloud Security Management


What is Security?

Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide:
1. confidentiality, which means preserving authorised restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
2. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and
3. availability, which means ensuring timely and reliable access to and use of information.

Information Systems Security (InfoSec): Protection of information systems against unauthorised access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorised users, including those measures necessary to detect, document, and counter such threats.

Source: SP 800-66; 44 U.S.C., Sec 3541, CNSSI-4009

Page 30: Checklist for Competent Cloud Security Management


Security Considerations when moving to the Cloud

• Shadow IT
• Third party risks
• Complex hybrid models outside of traditional “walls”
• Controls gap
• Single target for attack
• Resource capability constraints

Page 31: Checklist for Competent Cloud Security Management


Cloud Security Opportunities

• Free up resources to focus on your core
• Cloud providers are in the “business of IT” – security should be their main concern
• Beat the skills gap – cloud providers attract the specialists

Page 32: Checklist for Competent Cloud Security Management


Cloud Security Responsibility

Page 33: Checklist for Competent Cloud Security Management


A Risk-based Approach

Source: Deloitte (2015)

Page 34: Checklist for Competent Cloud Security Management


Stepping into Cloud Security Management: A Checklist to Ensure Secure Cloud Adoption and Use

Page 35: Checklist for Competent Cloud Security Management


Implementing Cloud Security Measures

Planning and scoping

What are the key business objectives, needs or challenges? Look at the value proposition drivers of Cloud adoption to meet business objectives or solve existing need(s) or challenge(s).

List the key drivers for Cloud adoption. Examples: Improve business agility, improve operating cost, enter new markets.

Select the Cloud service model that best suits the business need and security requirements: SaaS / PaaS / IaaS / BPaaS / Other. Why?

Select the best suited and secure method of delivery: Public / Private / Community / Hybrid. Why?

Cloud Security Strategy

Page 36: Checklist for Competent Cloud Security Management


Implementing Cloud Security Measures

Phases: Develop a Cloud Strategy, Formalise, Implement, Review and monitor

Develop a security strategy to manage risks as the business moves to the cloud:
• Evaluate the current state (Inherent Risk)
• Assess residual risk for high priority cloud services
• Develop draft plans, policies and a strategic roadmap

Develop a cloud security reference architecture (blueprint): Develop a tailored Cloud Security reference architecture (blueprint) for the various cloud models together with recommended technologies.

Implement security and governance capabilities to manage cloud security risks:
• Design and implement security controls
• Design and implement platform specific controls (i.e., SaaS specific)
• Ensure adequate GRC+R across the cloud and IT stack

Page 37: Checklist for Competent Cloud Security Management


Cloud Security Competencies

• Knowledge of Information Technology concepts, Cloud Computing, IT security, Risk management, Data security, Network security, Policy creation and maintenance, Regulatory compliance, IT Governance, Business continuity / disaster recovery, Incident management, System and application security, Security architecture, and Auditing / Assurance processes / procedures
• Ability to evaluate business processes and IT technology landscapes, identify risks and evaluate controls (including risk assessment, gap analysis, business impact analysis, etc.)
• Investigative, analytical and project management skills
• Ability to translate business needs and problems into viable and accepted solutions
• Ability to liaise with individuals across a wide variety of operational, functional, and technical disciplines
• Effectively communicating with executive management to ensure support for the Cloud Security program and effective reporting on metrics
• Advising and making recommendations regarding appropriate personnel, physical and technical security controls

Page 38: Checklist for Competent Cloud Security Management


Training and Development: Building a Career in Cloud Security

Page 39: Checklist for Competent Cloud Security Management


How far can the CCC Certification get you?

Module 1: Course Introduction
• Course Agenda
• Case Study
• Activities
• Questions and Answers

Module 2: Security, Governance and Risks
• Cloud Computing Basics
• Security, Governance and Risk in IT
• Cloud Computing Security

Module 3: Security Threats and Challenges in Cloud Computing
• Security and Compliance in the Cloud
• Cloud Operations
• Physical Security and Cloud Computing

Module 4: Security Management in Cloud Computing
• Identity and Access Management
• Data Classification
• Data Security Lifecycle
• Forensics in the Cloud

Page 40: Checklist for Competent Cloud Security Management


How far can the CCC Certification get you?

Module 5: Legal, Contractual and Operational Monitoring
• Legal and Regulatory Landscape
• Monitoring – Providers and Subscribers
• Security Operations in the Cloud

Module 6: Network Security Management
• Network Management in the Cloud
• Vulnerability, Patch Management and Pen-Testing
• Cloud Security Architecture

Module 7: Business Continuity, Disaster Recovery and Capacity / Performance Planning
• Business Continuity (BC)
• Disaster Recovery (DR)
• Resilient Technology
• Capacity and Performance Planning for Cloud

Module 8: Advanced Cloud Security Management
• Container Cloud Security
• Secure Development Standards in Cloud
• Application Programming Interface (API) Security

Module 9: Security Planning, Standards and Cloud
• Cloud Security Planning
• Cloud Standards, Controls and Auditing
• Cloud Security Evolution

Page 41: Checklist for Competent Cloud Security Management


Course and Exam Details

Course Details
• Suggested delivery format is instructor-led classroom-based learning
• Suggested duration: 24 learning hours

Exam Details
• Online
• 25 Questions
• 45 Minutes
• No Prerequisites - however, it is recommended to attain the Cloud Technology Associate certification
• Supervision is via Webcam
• Closed book
• Pass rate of 70%

Page 42: Checklist for Competent Cloud Security Management


Building a Cloud Security Career

Page 43: Checklist for Competent Cloud Security Management


The Future of Cloud Security: What is Next?

Page 44: Checklist for Competent Cloud Security Management


Impact over the next 3-5 years

Page 45: Checklist for Competent Cloud Security Management


What is Next? Building Block Approach

• Business and IT alignment
• GRC+R
• Fill the skills gap

Identify potential deal breakers & through careful analysis decide on the best approach!

Page 46: Checklist for Competent Cloud Security Management


Questions and Answers

Page 47: Checklist for Competent Cloud Security Management


1. Customers in the same cloud can attack each other.

It is not easy for an attack to be triggered by another cloud subscriber in a multitenant cloud environment. In addition, some cloud providers offer options to further mitigate multitenancy risks.

Cloud subscribers should evaluate their applications and requirements and choose a cloud provider and cloud offering based on the needs of their applications.

Page 48: Checklist for Competent Cloud Security Management


2. External Internet threats are more threatening in the cloud.

External Internet threats are real, but no more threatening to the cloud than to any other service delivery environment.

Enterprises deploying a private cloud must provide the same level of scrutiny for both detection and prevention that they would take when deploying workloads using a hosting provider or their own internal IT infrastructure.

Page 49: Checklist for Competent Cloud Security Management


3. You can't control where your data resides in the cloud.

This myth is easily addressed by selecting a cloud provider that has a global footprint and offers data accountability. When the workloads and applications being moved to cloud require it, a private cloud is a simple way to address data governance.

Page 50: Checklist for Competent Cloud Security Management


4. Certifications are standard in a cloud environment and provide assurance to subscribers.

Certifications are good reference points, but by themselves they are insufficient proof that the cloud provider will satisfy all of the subscribing organization's security and compliance needs.

It is ultimately the cloud consumers who are accountable for ensuring that their organizations' security and compliance requirements are met. Subscribers need to understand the security capabilities and processes of their cloud provider and not rely on certifications alone.

Page 51: Checklist for Competent Cloud Security Management


5. It is easy to change from one cloud provider to another whenever I want to.

In fact, the bottom lines of many niche cloud providers require them to lock in their customers, typically with long-term contracts or painfully high early termination fees.

If you don’t go with an industry-leading provider, make sure to read all the fine print and get a professional second opinion.