Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Cloud Security: Aligning it to the business in 12 steps
Omar Khawaja
June 2013
@smallersecurity
What’s the common theme?
Top Business Technology Trends
• High-IQ Networks
• Enterprise Clouds
• Big Data
• Social Enterprise
• Video
• Personalization of Service
• Consumerization of IT
• M2M2P
• Compliance
• Energy Efficiency
Slide annotations on the trends (the common theme is data):
• …make it easier to transport data
• …store data in disparate places
• TMI …make it easier to produce / share data
• Data is worth more than ever before
• Humans don’t have a monopoly on data
• …mandates protection of certain data ???
Is liberation of information good?
Mobility and Cloud: 2 sides of the same coin
• Cloud: Democratization of IT
• Mobility: Consumerization of IT
• Cloud and Mobility together: Liberation of Information

Setting the stage…
Risk Management in the Cloud
What Matters?
Stack layers: Users, Data, Applications, Compute / Storage, Network, Physical
Platforms: ???, SaaS, PaaS, IaaS

Implementing data-centric security in the cloud
Data-Centric Security for Cloud
Key Ingredients: Data, Users, Business Processes, Clouds, Controls, Compliance
Data-Centric Security for Cloud
A Recipe…
1. Define business relevance of each data set being moved to the cloud
2. Classify each data set based on business impact
3. Inventory data
4. Destroy (or archive offline) any unnecessary data
5. Inventory users
6. Associate data access with business processes, users, roles
7. Determine standard control requirements for each data set
8. Determine feasible controls for each cloud environment
9. For each data set, identify acceptable cloud environments
10. Ensure only users that need access to data have appropriate access to it
11. Identify and implement appropriate controls across each cloud environment
12. Validate and monitor control effectiveness
Technical controls: App Security, Anti-X, Config Mgmt, DLP, Encryption, IAM, NAC, Patching, Policy Mgmt, Threat Mgmt, VPN, Vuln. Mgmt, …
Control domains (the risk assessment section and the eleven control clauses of ISO/IEC 27002:2005): Risk Assessment, Security Policy, Organization of Info Security, Asset Management, Human Resources Management, Physical & Environment Security, Comms & Ops Mgmt, Access Control, Info Systems Acquisition, Dev, & Maint., Info Security Incident Management, Business Continuity Management, Compliance
One Caveat…
• Variations exist
– SaaS vs. PaaS vs. IaaS
– Public vs. Private vs. Hybrid
– Geography-Specific
– …
1. Define Business Relevance of Each Data Set Being Moved to the Cloud
• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL
2. Classify Each Data Set Based on Business Impact
• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL
Each data set is rated LOW, MEDIUM or HIGH by business impact.
3. Inventory Data (Technical & Consultative)
4. Destroy (or Archive Offline) any Unnecessary Data
5. Inventory Users
• User Role 1
• User Role 2
• User Role 3
6. Associate Data Access w/ Business Processes, Users, Roles
• Data Set 1 (rated LOW / MEDIUM / HIGH): business processes ABC, GHI
• Data Set 2 (rated LOW / MEDIUM / HIGH): business processes DEF, GHI
• Data Set 3 (rated LOW / MEDIUM / HIGH): business processes ABC, JKL
• User Role 1, User Role 2 and User Role 3 are mapped to the business processes they perform, and through those processes to the data sets they need
7. Determine Standard Control Requirements for Each Data Set
• Data Set 1 (business processes ABC, GHI) → Standard Control Requirements 1
• Data Set 2 (business processes DEF, GHI) → Standard Control Requirements 2
• Data Set 3 (business processes ABC, JKL) → Standard Control Requirements 3
The requirements follow from each data set’s LOW / MEDIUM / HIGH classification.
8. Determine Feasible Controls for Each Cloud Environment
• Cloud 1 → Feasible Controls 1
• Cloud 2 → Feasible Controls 2
• Cloud 3 → Feasible Controls 3
9. For Each Data Set, Identify Acceptable Platforms
10. Ensure Only Users that Need Access to Data Have Appropriate Access to it
• Data Set 1 (rated LOW / MEDIUM / HIGH): business processes ABC, GHI
• Data Set 2 (rated LOW / MEDIUM / HIGH): business processes DEF, GHI
• Data Set 3 (rated LOW / MEDIUM / HIGH): business processes ABC, JKL
11. Identify & Implement Appropriate Controls Across Each Cloud Environment
• Implemented Controls, one set per cloud environment (Cloud 1, Cloud 2, Cloud 3)
12. Validate and Monitor Control Effectiveness
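The matching logic behind steps 6 through 12, written out as a small checkable model. This is an added example, not code from the deck or from Verizon: the data sets, business processes, user roles and clouds are the placeholder names the slides use, while the control names, the LOW / MEDIUM / HIGH ratings, the role-to-process mapping and the feasible and implemented control sets are assumptions made up for the example. A cloud is acceptable for a data set only when every control its classification demands is feasible there (step 9); a role reaches a data set only through a shared business process (step 10); and validation compares what is required against what is actually implemented, not merely feasible (step 12).

```python
"""Steps 6 to 12 of the data-centric recipe as a small, checkable model.

Added example, not code from the deck. Data sets, business processes, user
roles and clouds carry the slides' placeholder names; control names, ratings,
the role-to-process mapping and the control sets per cloud are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Step 7: standard control requirements derived from classification (assumed control names).
STANDARD_CONTROLS: Dict[str, FrozenSet[str]] = {
    "HIGH": frozenset({"encryption_at_rest", "encryption_in_transit", "dlp",
                       "mfa", "logging", "vuln_mgmt", "patching"}),
    "MEDIUM": frozenset({"encryption_in_transit", "mfa", "logging",
                         "vuln_mgmt", "patching"}),
    "LOW": frozenset({"mfa", "logging", "patching"}),
}

# Step 8: controls the customer can actually operate in each environment (assumed).
FEASIBLE_CONTROLS: Dict[str, FrozenSet[str]] = {
    "Cloud 1": STANDARD_CONTROLS["HIGH"],                     # e.g. private IaaS: everything
    "Cloud 2": STANDARD_CONTROLS["HIGH"] - {"dlp"},           # e.g. public PaaS: no DLP hook
    "Cloud 3": frozenset({"encryption_in_transit", "mfa", "logging", "patching"}),  # e.g. SaaS
}

# Step 11: what is really deployed today; it may lag behind what is feasible (assumed).
IMPLEMENTED_CONTROLS: Dict[str, FrozenSet[str]] = {
    "Cloud 1": FEASIBLE_CONTROLS["Cloud 1"] - {"dlp"},        # DLP licensed but not rolled out
    "Cloud 2": FEASIBLE_CONTROLS["Cloud 2"],
    "Cloud 3": FEASIBLE_CONTROLS["Cloud 3"],
}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str                 # step 2: LOW / MEDIUM / HIGH
    business_processes: FrozenSet[str]  # step 1


@dataclass(frozen=True)
class Role:
    name: str
    business_processes: FrozenSet[str]  # steps 5 and 6


# Steps 1, 2 and 5 with the slides' placeholder names (ratings and role mapping assumed).
DATA_SETS = [
    DataSet("Data Set 1", "HIGH", frozenset({"ABC", "GHI"})),
    DataSet("Data Set 2", "MEDIUM", frozenset({"DEF", "GHI"})),
    DataSet("Data Set 3", "LOW", frozenset({"ABC", "JKL"})),
]
ROLES = [
    Role("User Role 1", frozenset({"ABC"})),
    Role("User Role 2", frozenset({"DEF"})),
    Role("User Role 3", frozenset({"GHI", "JKL"})),
]


def unnecessary_data_sets(data_sets: List[DataSet]) -> List[str]:
    """Step 4: a data set no business process uses is a candidate to destroy or archive offline."""
    return [d.name for d in data_sets if not d.business_processes]


def required_controls(ds: DataSet) -> FrozenSet[str]:
    """Step 7: the standard control set is a function of business-impact classification."""
    return STANDARD_CONTROLS[ds.classification]


def control_gaps(ds: DataSet, cloud: str, available=FEASIBLE_CONTROLS) -> List[str]:
    """Required controls that the given control set for this cloud does not provide."""
    return sorted(required_controls(ds) - available[cloud])


def acceptable_clouds(ds: DataSet, feasible=FEASIBLE_CONTROLS) -> List[str]:
    """Step 9: an environment is acceptable only if every required control is feasible there."""
    return sorted(c for c in feasible if not control_gaps(ds, c, feasible))


def may_access(role: Role, ds: DataSet) -> bool:
    """Step 10: access is granted through a shared business process, never per user ad hoc."""
    return bool(role.business_processes & ds.business_processes)


def access_matrix(roles=ROLES, data_sets=DATA_SETS) -> Dict[str, List[str]]:
    """Which data sets each role can reach, derived entirely from business processes."""
    return {r.name: sorted(d.name for d in data_sets if may_access(r, d)) for r in roles}


def validate_placement(placement: Dict[str, str], data_sets=DATA_SETS,
                       feasible=FEASIBLE_CONTROLS, implemented=IMPLEMENTED_CONTROLS):
    """Step 12: for each data set placed in a cloud, report required controls that are
    infeasible there (wrong environment) and those feasible but not yet implemented."""
    by_name = {d.name: d for d in data_sets}
    findings = {}
    for ds_name, cloud in placement.items():
        infeasible = control_gaps(by_name[ds_name], cloud, feasible)
        not_implemented = control_gaps(by_name[ds_name], cloud, implemented)
        if infeasible or not_implemented:
            findings[ds_name] = {"cloud": cloud, "infeasible": infeasible,
                                 "not_implemented": not_implemented}
    return findings


if __name__ == "__main__":
    for ds in DATA_SETS:
        print(f"{ds.name} ({ds.classification}): acceptable in {acceptable_clouds(ds)}")
    print("access:", access_matrix())
    print("findings:", validate_placement({"Data Set 1": "Cloud 1",
                                           "Data Set 2": "Cloud 2",
                                           "Data Set 3": "Cloud 3"}))
```

The point of keeping two control sets per cloud is the deck's own distinction between feasible and implemented: `acceptable_clouds` answers the design question of step 9 from what is feasible, while `validate_placement` answers the monitoring question of step 12 from what is actually deployed, so a control that is possible but not rolled out (DLP in Cloud 1 in the assumed data) surfaces as a finding instead of being hidden behind an approved placement.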
Finally…
• Start with the business context, not the security controls
• Classify based on the business value, not the IT value
• Controls have to be standard, feasible, implemented and monitored
Data* and Users can’t be outsourced!
*Ownership of data
Security Leadership
Why Verizon?
Industry Recognition
• Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)
Credentials
• More PCI auditors (140+ QSAs) than any other firm in the world
• HITRUST Qualified CSF Assessor
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications
Global Reach
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 36 countries in 2011
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000
Experience
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed 2500+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 5000+ security consulting engagements in the past 3 years
ISO 9001 / ISO 17025
2013 DBIR
An unparalleled perspective on IT security threats
Some highlights
• 84% of initial compromises took hours or less.
• 76% exploited weak or stolen credentials.
• 78% of intrusions required little or no specialist skills or resources.
• … of breaches lie undiscovered for months
• … of breaches are detected by 3rd party
• 47,000+ security incidents analyzed.
• 621 confirmed data breaches investigated.
• 19 international contributors, including law enforcement, government agencies and other private companies.
• 6th consecutive year.
Find out more at verizonenterprise.com/DBIR/2013
Global Capabilities
Countries where Verizon currently has clients
Verizon’s Security Portfolio
Protecting what the business cares about
6 security solution areas:
– Data Protection
– Governance, Risk & Compliance
– Identity & Access Mgmt
– Investigative Response
– Threat Mgmt (MSS)
– Vulnerability Mgmt
Top 10 Hubspot Development Companies in 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

Cloud Security: A Business-Centric Approach in 12 Steps

  • 1. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. PID# Cloud Security Aligning it to the business in 12 steps Omar Khawaja June 2013
  • 3. @smallersecurity What’s the common theme? Top Business Technology Trends: High-IQ Networks, Enterprise Clouds, Big Data, Social Enterprise, Video, Personalization of Service, Consumerization of IT, M2M2P, Compliance, Energy Efficiency. Each of these trends …makes it easier to transport data; …stores data in disparate places; TMI; …makes it easier to produce / share data; data is worth more than ever before; humans don’t have a monopoly on data; … mandates protection of certain data ???
  • 4. @smallersecurity Is liberation of information good? Mobility and Cloud 2 sides of the same coin Cloud Mobility Democratization of IT Consumerization of IT Liberation of Information
  • 6. @smallersecurity Risk Management in the Cloud What Matters? Users Data Applications Compute / Storage Network Physical Platforms ??? SaaS PaaS IaaS
  • 8. @smallersecurity Data-Centric Security for Cloud Key Ingredients Data Users Business Processes Clouds Controls Compliance
  • 9. @smallersecurity Data-Centric Security for Cloud: A Recipe…
    1. Define business relevance of each data set being moved to the cloud
    2. Classify each data set based on business impact
    3. Inventory data
    4. Destroy (or archive offline) any unnecessary data
    5. Inventory users
    6. Associate data access with business processes, users, roles
    7. Determine standard control requirements for each data set
    8. Determine feasible controls for each cloud environment
    9. For each data set, identify acceptable cloud environments
    10. Ensure only users that need access to data have appropriate access to it
    11. Identify and implement appropriate controls across each cloud environment
    12. Validate and monitor control effectiveness
    – Controls: App Security, Anti-X, Config Mgmt, DLP, Encryption, IAM, NAC, Patching, Policy Mgmt, Threat Mgmt, VPN, Vuln. Mgmt, …
    – Compliance: Risk Assessment, Security Policy, Organization of Info Security, Asset Management, Human Resources Management, Physical & Environment Security, Comms & Ops Mgmt, Access Control, Info Systems Acquisition, Dev, & Maint., Info Security Incident Management, Business Continuity Management, Compliance
  • 10. @smallersecurity One Caveat… • Variations exist – SaaS vs. PaaS vs. IaaS – Public vs. Private vs. Hybrid – Geography-Specific – …
  • 11. @smallersecurity 1. Define Business Relevance of Each Data Set Being Moved to the Cloud
    – Data Set 1: Business Processes ABC, GHI
    – Data Set 2: Business Processes DEF, GHI
    – Data Set 3: Business Processes ABC, JKL
  • 12. @smallersecurity 2. Classify Each Data Set Based on Business Impact
    – Data Set 1 (Business Processes ABC, GHI), Data Set 2 (DEF, GHI) and Data Set 3 (ABC, JKL), each rated LOW / MEDIUM / HIGH
  • 13. @smallersecurity 3. Inventory Data (Technical & Consultative)
  • 14. @smallersecurity 4. Destroy (or Archive Offline) any Unnecessary Data
  • 16. @smallersecurity 6. Associate Data Access w/ Business Processes, Users, Roles
    – Data Set 1 (ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL), classified LOW / MEDIUM / HIGH
    – User Role 1, User Role 2, User Role 3 mapped to those business processes
  • 17. @smallersecurity 7. Determine Standard Control Requirements for Each Data Set
    – Data Set 1 (ABC, GHI) → Standard Control Requirements 1
    – Data Set 2 (DEF, GHI) → Standard Control Requirements 2
    – Data Set 3 (ABC, JKL) → Standard Control Requirements 3
  • 18. @smallersecurity 8. Determine Feasible Controls for Each Cloud Environment
    – Cloud 1 → Feasible Controls 1
    – Cloud 2 → Feasible Controls 2
    – Cloud 3 → Feasible Controls 3
  • 19. @smallersecurity 9. For Each Data Set, Identify Acceptable Platforms
  • 20. @smallersecurity 10. Ensure Only Users that Need Access to Data Have Appropriate Access to it
    – Data Set 1 (ABC, GHI), Data Set 2 (DEF, GHI), Data Set 3 (ABC, JKL), classified LOW / MEDIUM / HIGH
  • 21. @smallersecurity 11. Identify & Implement Appropriate Controls Across Each Cloud Environment
    – Implemented Controls (one set per cloud environment)
  • 22. @smallersecurity 12. Validate and Monitor Control Effectiveness
  • 23. @smallersecurity Finally… • Start with the business context, not the security controls • Classify based on the business value, not the IT value • Controls have to be standard, feasible, implemented and monitored Data* and Users can’t be outsourced! *Ownership of data
  • 24. @smallersecurity Security Leadership: Why Verizon?
    – Industry Recognition: Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester); Founding and Executive Member of Open Identity Exchange; Security Consulting practice recognized as a Strong Performer (Forrester); ICSA Labs is the industry standard for certifying security products (started in 1991)
    – Credentials: More PCI auditors (140+ QSAs) than any other firm in the world; HITRUST Qualified CSF Assessor; Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia; Personnel hold 40+ unique industry, technology and vendor certifications
    – Global Reach: 550+ dedicated security consultants in 28 countries speak 28 languages; Investigated breaches in 36 countries in 2011; 7 SOCs on 4 continents manage security devices in 45+ countries; Serve 77% of Forbes Global 2000
    – Experience: Verizon’s SMP is the oldest security certification program in the industry; Analyzed 2500+ breaches involving 1+ Billion records; Manage identities in 50+ countries and for 25+ national governments; Delivered 5000+ security consulting engagements in the past 3 years
    – ISO 9001, ISO 17025
  • 25. @smallersecurity An unparalleled perspective on IT security threats (2013 DBIR)
    – Some highlights: 84% of initial compromises took hours or less; 76% exploited weak or stolen credentials; 78% of intrusions required little or no specialist skills or resources
    – of breaches lie undiscovered for months; of breaches are detected by 3rd party
    – 47,000+ security incidents analyzed; 621 confirmed data breaches investigated; 19 international contributors, including law enforcement, government agencies and other private companies; 6th consecutive year
    – Find out more at verizonenterprise.com/DBIR/2013
  • 27. @smallersecurity Verizon’s Security Portfolio Protecting what the business cares about 6 security solution areas: – Data Protection – Governance, Risk & Compliance – Identity & Access Mgmt – Investigative Response – Threat Mgmt (MSS) – Vulnerability Mgmt
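As a worked illustration of steps 7 to 12 of the recipe (standard controls per classification, feasible controls per cloud, acceptable clouds per data set, need-based user access, and a check of what has actually been implemented), here is an added Python example; it is not code from the slides or from Verizon. The data set names and the business processes ABC, DEF, GHI and JKL come from the slides; the LOW / MEDIUM / HIGH assignments, the control set required per classification, the three clouds' feasible controls, and the role and user names are assumptions made for the example.

```python
"""Data-centric control matching for cloud placement (added example).

Not the deck's own code. Data set names and business processes (ABC, DEF,
GHI, JKL) are from the slides; classifications, control sets, clouds,
roles and user names are assumed values constructed for illustration.
"""
from dataclasses import dataclass

# Step 7: standard control requirements per business-impact classification.
# Control names are the ones the deck lists; the mapping itself is assumed.
STANDARD_CONTROLS = {
    "LOW": frozenset({"Patching", "Anti-X"}),
    "MEDIUM": frozenset({"Patching", "Anti-X", "Config Mgmt", "IAM", "Vuln. Mgmt"}),
    "HIGH": frozenset({"Patching", "Anti-X", "Config Mgmt", "IAM", "Vuln. Mgmt",
                       "Encryption", "DLP", "Threat Mgmt"}),
}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str            # step 2: LOW / MEDIUM / HIGH
    business_processes: frozenset  # step 1: processes the data powers


@dataclass(frozen=True)
class Cloud:
    name: str
    feasible_controls: frozenset   # step 8: what this environment can implement


# Data sets and their processes as on the slides; classifications are assumed.
DATA_SETS = {
    "Data Set 1": DataSet("Data Set 1", "HIGH", frozenset({"ABC", "GHI"})),
    "Data Set 2": DataSet("Data Set 2", "MEDIUM", frozenset({"DEF", "GHI"})),
    "Data Set 3": DataSet("Data Set 3", "LOW", frozenset({"ABC", "JKL"})),
}

# Three clouds with assumed feasible control sets (a SaaS offering typically
# exposes fewer implementable controls than IaaS, hence the differences).
CLOUDS = [
    Cloud("Cloud 1", STANDARD_CONTROLS["HIGH"]),
    Cloud("Cloud 2", STANDARD_CONTROLS["MEDIUM"]),
    Cloud("Cloud 3", STANDARD_CONTROLS["LOW"]),
]

# Step 6: which processes each role serves and which roles each user holds (assumed).
ROLE_PROCESSES = {"User Role 1": {"ABC"}, "User Role 2": {"DEF", "GHI"},
                  "User Role 3": {"JKL"}}
USER_ROLES = {"alice": {"User Role 1"}, "bob": {"User Role 2"},
              "carol": {"User Role 3"}, "dave": set()}


def required_controls(ds: DataSet) -> frozenset:
    """Step 7: the standard control set the data set's classification demands."""
    return STANDARD_CONTROLS[ds.classification]


def control_gaps(ds: DataSet, cloud: Cloud) -> frozenset:
    """Required controls the cloud cannot feasibly provide (empty means acceptable)."""
    return required_controls(ds) - cloud.feasible_controls


def acceptable_clouds(ds: DataSet, clouds=CLOUDS) -> list:
    """Step 9: clouds whose feasible controls cover every required control."""
    return [c.name for c in clouds if not control_gaps(ds, c)]


def entitled_users(ds: DataSet) -> set:
    """Step 10: users holding a role that serves a process the data set powers."""
    entitled = set()
    for user, roles in USER_ROLES.items():
        served = set().union(*(ROLE_PROCESSES[r] for r in roles))
        if served & ds.business_processes:
            entitled.add(user)
    return entitled


def excess_access(ds: DataSet, current_access: set) -> set:
    """Step 10 remediation list: users with access but no business reason for it."""
    return set(current_access) - entitled_users(ds)


def unimplemented_controls(ds: DataSet, cloud: Cloud, implemented: set) -> frozenset:
    """Steps 11/12: required controls not yet implemented in the chosen cloud."""
    assert not control_gaps(ds, cloud), "cloud is not acceptable for this data set"
    return required_controls(ds) - frozenset(implemented)


if __name__ == "__main__":
    for ds in DATA_SETS.values():
        print(ds.name, ds.classification, "->", acceptable_clouds(ds),
              "entitled:", sorted(entitled_users(ds)))
```

The placement decision is a plain subset test (required controls must be a subset of the cloud's feasible controls), which is what makes the "standard, feasible, implemented" sequence of the deck mechanical once the inventories from steps 1 to 8 exist; `unimplemented_controls` is the list step 12's monitoring should drive to empty and keep empty.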

Editor's Notes

  1. Each of these trends is working to liberate information in one way or another. Which of these trends is relevant to your customer… and how can you help them solve these requirements? Top Biz Tech Trends taken from Vz press release on 11/15/2011.
  2. [Source: IBM] 1 Quintillion = 1 million terabytes. It is here to stay. Anywhere vs. everywhere?
  3. Data is what the business cares about and its ownership (unlike that of network, compute, platform, applications) can’t be outsourced. It is the common denominator. The (perceived) data owner is always responsible from a compliance and reputation standpoint. 4-methylimidazole, Coca Cola.
  4. How much is the data worth protecting? Who has access to the data? What business processes do the data power? What controls are in place? Do the clouds have sufficient implementable controls and sufficient visibility? Can compliance be demonstrated?
  5. 7
  6. 8
  7. Standard -> Feasible -> Implemented
  8. This is perhaps the most important step in becoming comfortable w/ the notion of moving sensitive data into the cloud. If we use parents as a metaphor for a CIO, then parents’ most important asset is their children; the CIO’s is data. When parents make the decision to move their most important asset to a third party location (e.g.: day care) they may do it for similar reasons as the CIO moves data to the cloud: economic, agility, etc. A parent feels much more comfortable leaving their child in a daycare facility if they know they can see their child at any time during the day by going online and looking at the live webcam footage. The idea behind #12 is to provide the CIO an equivalent level of visibility to a parent remotely watching their child, so they can rest assured that their most valuable asset is being well taken care of. What does this visibility look like: audits, vuln scans, application logs, user access info, IDS / FW incidents, deep packet capture, etc.
  9. For the latest version, please contact Omar Khawaja. CREST approved penetration tester. Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia.
  10. DBIR Video: http://www.verizonenterprise.com/resources/media/large-133871-DBIR+2013.xml DBIR Sales
  11. Solutions = MgdSvcs + Intelligence + Consulting. This is the ONE slide that describes our security story and portfolio. Data-centric is a stepping stone to business-centric.