Every young company discovers that putting security controls in place can be expensive, so priorities have to be managed. This presentation walks through the phases of the start-up life cycle and which security controls belong in each phase.
2. About:
Moshe Ferber, 39, lives in Modiin (+2).
Information security professional for over 20 years.
Popular industry speaker and lecturer.
Founded Cloud7, Managed Security Services provider (currently owned by Matrix).
Shareholder at Clarisite – Your customer’s eye view
Shareholder at FortyCloud – Make your public cloud private
Member of the board at MacshavaTova – Narrowing societal gaps
Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter.
3. The benefits of cloud computing are clear. What are the risks?
5. Cyber attack trends for cloud computing
• Cloud services ransom malware
• Bitcoin
• API attacks
• Supply chain attacks
6. So, how to build your security?
Infrastructure security
Application Security
Operational security
7. Good security is based on controls…
Preventive
• Firewall (Security Groups)
• Authentication
• AntiVirus
• Guards
Detective
• IDS
• System monitoring
• Motion detector
Corrective
• Upgrades & patches
• Vulnerability scanning
Compensatory
• DRP & backup
• Firewall logs
• Reviews
• Audit & reconciliation
Based on http://www.sans.edu/research/security-laboratory/article/security-controls
8. The security phases of a startup
Phase 1 – Building blocks
• From seed to the first customers.
Phase 2 – Maturing
• Growing and adding customers.
Phase 3 – Build trust
• Maturing your services.
9. Phase 1 – Make sure you have the right building blocks
Plan your architecture: logical and physical segmentation.
Understand your data lifecycle.
Know the laws and regulations you need to consider.
Choose your partners: software, IT, backend.
Start your SSDLC building blocks: threat modeling and architecture.
Implement IaaS best practices:
• Identity & access.
• Compensating controls.
11. Best practices for IAM
• Don't use the master account for day-to-day work.
• Delete the root access key.
• Enable MFA for critical users.
• Apply a good password policy.
• Rotate credentials periodically.
• Safeguard your host & access keys.
• Create individual users with specific roles.
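The IAM checklist above can be verified mechanically rather than by hand. The following is an added example, not code from the presentation: it audits a credential report in the CSV layout that `aws iam get-credential-report` produces (root has an active access key? root signed in recently? console users without MFA? active keys older than the rotation limit?). The report rows, the account ID, the user names and the fixed "now" timestamp are all constructed for the example; in practice you would feed in the real report and use the current time.

```python
"""Audit an AWS IAM credential report against the IAM checklist above.

The CSV columns are the ones `aws iam get-credential-report` returns;
the rows below are constructed for this example and are not real data.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report: the root row plus three IAM users (account ID is fictional).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-10T09:00:00+00:00,not_supported,2014-06-01T08:00:00+00:00,not_supported,not_supported,false,true,2013-01-10T09:05:00+00:00,2014-06-01T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-02-01T10:00:00+00:00,true,2014-06-09T07:30:00+00:00,2014-05-20T10:00:00+00:00,2014-08-18T10:00:00+00:00,true,true,2014-05-20T10:00:00+00:00,2014-06-09T07:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-11-15T10:00:00+00:00,true,2014-06-08T12:00:00+00:00,2013-11-15T10:00:00+00:00,2014-02-13T10:00:00+00:00,false,true,2013-11-15T10:00:00+00:00,2014-06-08T12:01:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2014-01-05T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2014-01-05T10:00:00+00:00,2014-06-10T01:00:00+00:00,us-east-1,s3,true,2014-06-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible; in practice use datetime.now(timezone.utc).
NOW = datetime(2014, 6, 10, 12, 0, tzinfo=timezone.utc)
ROOT_USER = "<root_account>"   # the literal user name AWS puts in the root row


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp from the report; None for N/A / not_supported."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) tuples for every row that violates the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        active_keys = [
            (n, row[f"access_key_{n}_last_rotated"])
            for n in (1, 2)
            if row[f"access_key_{n}_active"] == "true"
        ]

        # "Delete root access key": root should have no active keys at all.
        if is_root and active_keys:
            findings.append((user, "root access key is active; delete it"))

        # "Don't use master account": a recent root console sign-in is a finding.
        if is_root:
            used = _age_days(row["password_last_used"], now)
            if used is not None and used <= max_key_age_days:
                findings.append((user, f"root signed in {used} days ago; use individual IAM users"))

        # "Enable MFA": root and every identity with a console password needs MFA.
        has_password = row["password_enabled"] == "true"
        if (is_root or has_password) and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))

        # "Rotate credentials periodically": flag active keys older than the limit.
        # Root is skipped here because its key is already flagged for deletion above.
        for n, rotated in ([] if is_root else active_keys):
            age = _age_days(rotated, now)
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old; rotate it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Note the `svc-deploy` row: it has two active keys, a fresh one and a stale one. That is what an unfinished rotation looks like, and the audit catches it because it checks every active key, not just the newest.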
13. Phase 2
The production environment is now maturing. It is time for role separation in production.
Authentication mechanisms should be mature by now.
Security in the software development life cycle (SSDLC) should get more focus.
• Vulnerability scans & penetration tests
• Identity federation services
• Encryption of data at rest
• Security training for R&D
14. Phase 3
Operational security begins to matter.
More detective controls should be put in place.
Incident management procedures should mature.
Transparency will be an advantage.
• DR, BC and an active secondary location
• Log management & event correlation
• Patch & change management
• Automation of configuration
• Ongoing security awareness program
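"Log management & event correlation" is the detective control that turns raw logs into alerts. The block below is an added example, not code from the presentation: it runs three correlation rules over a handful of constructed CloudTrail-style events (a burst of failed console logins from one source IP inside a time window, a successful login from that same IP right after the burst, and any activity by the root account, which Phase 1 said should not be in day-to-day use). The events, IPs, user names and thresholds are all constructed for the example; the event shape is modelled on CloudTrail's ConsoleLogin records but is not a real log export.

```python
"""Correlate constructed CloudTrail-style events into the alerts a detective
control would raise. The events are built for this example and are not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ev(time, name, ip, user_type, user, outcome=None):
    """Build one constructed event in a CloudTrail-like shape."""
    e = {
        "eventTime": time,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": user_type, "userName": user},
    }
    if outcome is not None:                      # only ConsoleLogin carries an outcome
        e["responseElements"] = {"ConsoleLogin": outcome}
    return e


# Constructed sample: a password-guessing burst against bob that ends in a success,
# two unrelated failures by alice an hour apart, and a destructive root API call.
SAMPLE_EVENTS = [
    _ev("2014-06-10T01:00:05Z", "ConsoleLogin", "198.51.100.7", "IAMUser", "bob", "Failure"),
    _ev("2014-06-10T01:00:20Z", "ConsoleLogin", "198.51.100.7", "IAMUser", "bob", "Failure"),
    _ev("2014-06-10T01:00:41Z", "ConsoleLogin", "198.51.100.7", "IAMUser", "bob", "Failure"),
    _ev("2014-06-10T01:02:10Z", "ConsoleLogin", "198.51.100.7", "IAMUser", "bob", "Success"),
    _ev("2014-06-10T01:05:00Z", "ConsoleLogin", "203.0.113.9", "IAMUser", "alice", "Failure"),
    _ev("2014-06-10T01:30:00Z", "ConsoleLogin", "203.0.113.9", "IAMUser", "alice", "Failure"),
    _ev("2014-06-10T02:00:00Z", "ConsoleLogin", "203.0.113.9", "IAMUser", "alice", "Success"),
    _ev("2014-06-10T03:15:00Z", "DeleteBucket", "198.51.100.7", "Root", "root"),
]


def _ts(ev):
    """Parse the event time (CloudTrail uses UTC with a trailing Z)."""
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, window_minutes=10, threshold=3):
    """Return alerts as (rule, source_ip, detail) tuples, in event-time order."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of failures still inside the window
    bursting = set()                # IPs whose failures crossed the threshold and have not yet aged out

    for ev in sorted(events, key=_ts):
        ip, t = ev["sourceIPAddress"], _ts(ev)

        # Rule: any root activity is an alert on its own (root should not be in daily use).
        if ev["userIdentity"]["type"] == "Root":
            alerts.append(("root-activity", ip, ev["eventName"]))
        if ev["eventName"] != "ConsoleLogin":
            continue

        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        q = failures[ip]
        while q and t - q[0] > window:          # slide the window: drop failures that aged out
            q.popleft()
        if not q:
            bursting.discard(ip)                # a burst that has fully aged out is over

        if outcome == "Failure":
            q.append(t)
            if len(q) == threshold:             # alert once, when the threshold is crossed
                alerts.append(("login-failure-burst", ip,
                               f"{threshold} failures within {window_minutes} min"))
                bursting.add(ip)
        elif outcome == "Success" and ip in bursting:
            # The interesting case: a success right after a burst suggests a guessed password.
            alerts.append(("success-after-burst", ip, ev["userIdentity"]["userName"]))
            bursting.discard(ip)
            q.clear()
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:22s} {ip:15s} {detail}")
```

The window is what makes this correlation rather than counting: alice's two failures are 25 minutes apart, so the first has already left the 10-minute window when the second arrives and no burst is raised, while bob's three failures inside 36 seconds do cross the threshold and the following success is promoted to the higher-severity alert.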
16. To wrap things up…
Cloud security is maturing fast (it took us over 20 years to secure the PC…).
Security is expensive, but with the right building blocks it can grow together with the business.
Make sure you do the basics from the first day; it will be hard to add them later.
Don't be the next CodeSpaces.
17. Keep in Touch
Moshe Ferber
moshe@onlinecloudsec.com
www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
The Cloud Security Course schedule can be found at:
http://www.onlinecloudsec.com/course-schedule