1. STKI’s work Copyright@2016. Do not remove source or attribution from any slide, graph or portion of graph
2016
Getting to the Cloud
Security & Risk Management
How will Digital Transformation transform all of us
Ariel Evans, EVP
Senior Cyber Security and Risk Analyst
ariel@stki.info
Slide 2
About Me
• CISO Telco US
• 7 years of security experience
• Compliance Expert
• Primary Author of the PCI e-commerce guideline
• 20 years Risk Manager on Wall Street
• Consultant to DHS on Middleware Vulnerabilities
Slide 3
What we will cover today
• Cyber Security: What is Cyber Security?
• Cloud Security: What are the similarities and differences between cloud security and cyber?
• Getting to the Cloud: What are the requirements to get to the cloud?
• Cloud Security Components: Service Provider Responsibilities vs. Customer Responsibilities
• Risk Management: Measuring effectiveness of security in the context of the EU data directive
• Cloud Security Technologies: CASBs, Risk Management Tools, Data Classification Tools
Slide 4
What is Cyber Security
• People, Process & Tools
• Holistic Approach
• Protect Confidentiality, Integrity & Accessibility
• Stopping or Limiting Damage from Unauthorized Access
• Applies to the Entire Lifecycle of data
• Any time data is stored, transmitted or processed
• Effectiveness is measured using Risk Management
What is Cloud Cyber Security
Cloud stack (top to bottom): Data; APIs; Virtual Machines; GUIs; Operating Systems; Programming Languages; Virtual Network Architecture; Hypervisors; Data Storage; Processing & Memory; Network; Data Center
Relationship between CSP and Customer
Slide 5
CSP & Customer Relationship
Slide 6
Cloud Security
• Relationship between customer and cloud service provider
• Defined by the components of the solution
• Evolving
• Most CSPs will now provide
  • Logs
  • Penetration tests for the Hypervisor
  • Data Center Inspections
  • Limited Service Agreements
• Enhanced Security Service Capabilities
  • Cloud Access Security Brokers - CASBs
  • Data Classification
  • Cyber Risk Management
Slide 7
Israel cloud adoption - by sector
• Private Cloud: Army, Banks, Government, Utility
• Cloud curious (checking the technology): Government, Finance, Telecom Operators, Health
• Cloud adopters (running 2-5 applications in the cloud): Telecom Vendor, Industry services, Utilities
• Cloud focus (most applications in the cloud): High-Tech, Startups, SMB
Source: Moshe Ferber, Cloud Security Alliance Israel
Slide 8
Cloud Security Components
Slide 9
Bank of Israel Regulation
• Core system data cannot be in the cloud
• What is core data?
• How can we classify different types of data and how it is protected in the cloud?
• Follow the EU Data Directive
• Ensure compliance
• Risk Management
• Board Room Approvals
Slide 10
Evolving - Cyber Organizations
• The CISO of the future is the one who can run the risk-management organization.
• Reports to the business, either CEO, CFO, CRO or COO – moving out of reporting to the CIO.
• The days of security being led by the 'network person' who did security in their spare time and learned on the job are over; increasingly we are seeing seasoned professionals with real business experience & business school qualifications stepping into the security space, reporting to the board of directors on Cyber Risk.
Slide 11
Classifying Data
• Old Way - Manual
  • Thousands of man-hours
  • Most projects fail
  • Business Owner Dependent
  • Costly to maintain
  • Constantly changing
• New Way - Data Classification Products
  • Machine Learning
  • Clustering
  • One month deliverable
Slide 12
EU Data Directive
This deliverable reports on the current legal framework regulating the storage and processing of data on the cloud and introduces a risk assessment methodology to analyze the business risks associated with outsourcing data.
AUTOMATING CYBER RISK AND CLOUD RISK
https://practice-project.eu/downloads/publications/D31.1-Risk-assessment-legal-status-PU-M12.pdf
Slide 13
How Cyber Risk is Managed
Process: Identification of Threats → Compliance Regulation → Define the Control → Test the Control → Measure the Risk
Example control: Implement and Protect Network Domains
In addition, further development of policies, processes, and systems must continue to ensure that:
• Firewall configuration standards include requirements for a firewall at each Internet connection, and between any DMZ and the internal network zone;
• The current network diagram is consistent with the firewall configuration standards;
• Firewall rules prevent internal addresses passing from the Internet into the DMZ;
• Firewall rules prevent direct connections inbound or outbound for traffic between the Internet and the cardholder data environment;
• Prohibit direct public access between the Internet and any system component in the cardholder data environment;
• Require that all outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Mapped to: PCI DSS Objectives 1.1.3, 1.3, 1.3.3-5, 1.3.7; SOC 3.2, 3.5, 3.8; EU Data Directive
Slide 14
Risk Management
Consequence (columns):
1 – Insignificant: No fines or additional costs
2 – Minor: No fines but increased monitoring costs
3 – Moderate: Some fines and moderate consequences
4 – Major: Large fines and loss of card privileges with major economic impact
5 – Catastrophic: Company unable to stay active
Likelihood (rows), with the rating for consequence 1 to 5 (L = Low, M = Medium, H = High, VH = Very High); rows B, C and D carry the control-test answer noted on the slide:
A – Almost certain to occur in most circumstances: M, H, H, VH, VH
B – Likely to occur frequently (Answer = None = 4): M, M, H, H, VH
C – Possible and likely to occur at some time (Answer = Partially = 3): L, M, H, H, H
D – Unlikely to occur but could happen (Answer = Fully = 2): L, L, M, M, H
E – May occur but only in rare and exceptional circumstances: L, L, M, M, H
Slide 15
Risk Dashboards
• Real Time Risk
• Risk linked to business assets
• Mitigation
• Task Management
• Drill into risk
• See risk effectiveness across
  • Divisions
  • Systems
  • Assets
Slide 16
CASB
Cloud access security brokers (CASBs) are on-premises, or cloud-based security
policy enforcement points, placed between cloud service consumers and cloud service
providers to combine and interject enterprise security policies as the cloud-based
resources are accessed. CASBs consolidate multiple types of security policy
enforcement. Example security policies include authentication, single sign-on,
authorization, credential mapping, device profiling, encryption, tokenization, logging,
alerting, malware detection/prevention and so on.
Slide 17
CASB deployment diagram (labels recovered from the figure): Sanctioned IT; CASB functions: Cloud DLP, Apps Firewall, User Behavior Analytics; On-Network "Shadow" IT; Off-Network (Cloud-to-Cloud) "Shadow" IT
Slide 18
Slide 19
Discussion Items
• What is the definition of core data?
• What products will help you to show how this data is in the cloud?
• What level of Encryption will be accepted for the cloud?
• What products can help you show compliance here?
• What new technologies will help demonstrate that risk management is effective for the cloud and provide EU data directive compliance?
• What benefits will CASBs provide the Israeli Market?
Slide 20
That’s it.
Thank you!