Cloud Security trends, practical tips and lessons learned. Implementing holistic security controls to protect business data, Trends that will affect data security, and advice to security startups and companies evaluating them.

1. Practical Cloud Security
Lessons Learned from the Bleeding Edge
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3

2. Background
• Production hybrid cloud security at scale
o Deployed distributed, hybrid cloud WAF
o Co-developed CloudHSM for IaaS HW root of trust
• Corporate IT “all-cloud” security strategy
o Cloud-first, mobile-first infrastructure model
o Mix of public cloud, best-of-breed SaaS
o This is the Future of corporate IT services
• RSAC Program Committee, Startup Technical Advisory
Boards, ISSA CISO Forum & Career Lifecycle
• Netflix, AOL, Netscape, Accenture Research

3. Topics
• Cloud: Why now? What’s changed?
• Forcing functions and new perimeters
• Cloud Security Controls: What’s new?
• Third-Party Risks: InfoSec and The Business
• Herding Data: Getting Started
• Security startups

4. Forcing Functions on IT Security
Cloud
Services
Network Access
Ubiquity
Mobility
Consumerization /
BYOD
Work/Life
Integration
Business
Risk
Agile/
DevOps

5. Cloud Forcing Function - Mobility
Source: Mary Meeker, KPCB

6. Cloud Forcing Function - Consumerization
• 58% / 42% of Americans now own a smartphone / tablet(1)
• By 2017: 50% of employers will require employees to
BYOD for work purposes(2)
(1) Pew Research, Jan 2014
(2) Gartner, May 2013

7. Forcing Function - Network AccessForcing Function - Network Access
• Network connectivity & seamless roaming
o 802.11ac – wireless networking now “just works”
§ Faster than typical wired ports, easier to provision
o Mobile 4G LTE is “fast enough”
§ Faster than home ISPs
§ 2018: 25% of corporate data will flow directly mobile-cloud(3)
• Blending work/life integration
o Aruba’s “#GenMobile”initiative
o Starbucks wants to be your life’s “3rd Place”
(3) Gartner, Nov 2013

8. Old: Perimeter Firewalls
• Castle and Moat defense
• Provisioning was serialized, expensive
• Place people, data behind datacenter firewalls
• “Behind firewalls” = Trusted

9. New Perimeters : Follow the Data
• Controls evolving to be more:
o Proximal - Controls are close to the application/data
o Mobile - Move with the infrastructure/application
o Resilient - Emphasize recovery, response
o Holistic - Technical, legal, and business-level input
o Coordinated - Reliant on communications, automation
o Tiered - Nothing new here
New Perimeters : Follow the Data

10. What’s Your Cloud Comfort Level?
• Cloud Adoption / Maturity:
o Naysayers: you can’t do that (but can’t articulate why)
o Pathfinders: here’s how to do it, lessons learned
o Optimizers: here’s how to do it well, what not to do

11. What’s Your Cloud Comfort Level?
• Cloud Adoption/Maturity
o Naysayers
o Pathfinders
o Optimizers
o Cloud is inevitable. Learn how to manage it.
o Example: “We have 10 years of legacy work to deal with,
we don’t have time to look at our cloud usage!”
• It’s about the business
o Board-level discussion on results, competition, risk

12. Cloud Security: New(ish) tech controls
• Goal: Track movement, access to data
o DRM/DLP-like controls, applied closer to the data
o Encrypt data, SoD for encryption keys
o Even though the data is not in your datacenter
• Goal: Restrict access to data, applications
o Forward and Reverse proxy servers
o Old: Port/protocol-based network, subnets, host firewalls
o New: Tags, labels, data and host classification/sensitivity
o Log management, anomaly detection
o IAM - Risk-based authentication, SSO (for free)

13. Risks: InfoSec and The Business
Q: Who owns the risk in a new business endeavor?

14. Risks: InfoSec and The Business
• Who owns the risk in a new business endeavors?
• The business does
• InfoSec’s role:
• Be a trusted advisor to the business
• Anticipate security risk/controls changes and needs
• Communicate technical risks in business terms
• Propose options, help the business take smart risks
• Implement guardrails based on risk, sensitivity
• Measure risk, managing remediation/response
• Measure of success: Repeat business for your team!

15. Risks: InfoSec and The Business
• Legal, business perspectives
• Managing the risk – legal levers
o Risk-based: Level of scrutiny based on data sensitivity
o Add boilerplate language in your contracts, MSAs, etc.
o Strive to require partners to have security
fundamentals in place: operational security basics,
secure development, security incident notification, etc.
o Right to audit, assess => partner with your partners

16. Risks: InfoSec and The Business
• Managing the risk – technical levers
o Trust but verify their controls. It’s your data!
o Do an initial assessment, plus ongoing automated tests
o Partner with your partners on results you find
o Things to watch out for …

17. Risks: InfoSec and The Business
• Proving data security, good security hygiene
o Service Providers should be more secure than SMBs
§ Laser-focused, homogeneous environment, etc.
o Doesn’t scale: Every customer pentesting their provider
§ Open Item: Which standard should we trust?
• Which controls are most relevant, important for
your data?
o Encryption, incident response, audit, SoD, …
o Prioritize those during negotiations, evaluations

18. Lessons learned: Getting Started
• Start simple
o Move least-risky workflows first
o Orchestrate, automate security controls
o Stage patches like other bugs and new features
o Datacenter-to-Cloud connectivity, WAN-like latency
o Wholesale migration vs. re-architecting apps
• Migration phase
o Running “hybrid”, “dual stack” or “riding roman”
o Migrate workflows systematically
o Inter-service dependencies

19. Lessons learned: Getting Started
• Infrastructure Services
o Plan: Pick 1-3 security metrics you’d like to improve in your
cloud, compare them to legacy infrastructure
o Days to patch vulns, avg host uptime, fw ACLs used
o Do: Start simple, fail fast on “uninteresting” workflows and
transactions; test response protocols
o Improve: Start codifying security policies, patches,
automating provisioning and inventory controls
o Good security starts with solid operational hygiene
o Repeat: review lessons learned often, make small course
corrections.

20. Lessons learned: Getting Started
• Corporate Services & “Shadow IT”
o Baseline: Get visibility into your cloud services
§ You’re using more than you realize
§ Meet and share with IT, legal, other stakeholders
§ Facts lead to business-level conversations
o Log: Start collecting/mining SaaS access, audit logs
o Protect and Observe:
§ Deploy SAML, 2FA, integrate with your directory
§ Evaluate cloud service brokers, features

21. Evaluating Security Startups
• Investors:
o Management team domain expertise, background
o Competitive advantages
o Market readiness, fit
o Product fit
• Customers:
o Support fit, scalability
o Roadmap fit, ability to execute against it
o Risk fit, operational hygiene / best practices

22. Guidance for Security Startups
o Be 10x better - provide superior customer value
o Look for disruptive technologies, approaches
o What else does the solution require?
o What can I turn off?
o Think API first
o Defenders & DevOps: The future is automation, interoperability,
integration
o No cheating: Build your GUI on your API
o Model, measure, provide insights
o A/B testing, modeling allows safe experimentation
o Provide insights of current risk state
o Manage my cloud risk better than my legacy infrastructure
o A good deployment strategy starts with a great migration strategy

23. Thank you
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3