This document outlines an agenda for a talk on cloud security architecture. The agenda includes an introduction to security architecture in traditional vs cloud environments, challenges of a security architect in cloud, Camelot's journey to AWS, how to sell cloud security architecture internally, examples of what worked and didn't work for Camelot, and key takeaways. The document provides an overview of the topics that will be discussed during the presentation.
3. Agenda
• Security architecture – traditional vs cloud
• Cloud – what’s different?
• Intro to Camelot and our AWS journey
• How to sell cloud security architecture to the business
• What worked for us and what did not work so well
• Key Takeaways
Our Agenda
Public
4. Intro
Francesco Cipollone
Cloud Security Architect @ Camelot
Francesco is a security consultant focused on cloud problems, working as Security Architect at Camelot
@FraSEC42
David Boda
Head of Information security @ Camelot
David Boda is the Head of Information Security at Camelot
5. Intro to Security Architecture
• What is a security architect?
• What’s the architect role in the strategy?
• What is the role of a security architect in this modern world?
• What is the added value?
6. What is this cloud and can I have a piece of it
• Cloud: Just someone else’s computer
• Comes in different flavours and acronyms: IaaS, PaaS, SaaS, IDaaS…
• Scalable and ‘rapid’
• Different models: cloud provider or specific service providers
7. Challenges of a Security Architect
• The traditional challenges of a security architect
• Cloud challenges plus a bag of classical security issues
• A tech stack that is constantly changing
8. Bringing it all together
• Why is the cloud different?
• Note – we will be focusing on AWS
• Due diligence on SaaS and PaaS
11. How to sell security architecture to the business?
• How do we do it in Camelot?
• What has worked and what has not worked?
12. Security Architecture – Selling Point
• Security by design – avoid delays
• Minimal incremental security improvements
• Effective and efficient controls
• Strategy and vision built in each project
13. Cloud Architecture – Is it just a blueprint, right?
• Architecting in the cloud is different
Technology
• Leveraging blueprints
• Looking forward and thinking strategically is challenging
• Everyone thinks they are an architect in the cloud
• Challenges for security, as anyone can spin up services
14. Traditional vs Cloud Security Architecture
• Traditional vs cloud
• Different Technology
• Different patterns
• Some similarities (e.g. IaaS vs traditional)
15. Cloud Architecture – Examples – where it did work
Where it did work:
• Cloud transformation supported by strategy
• Strong Foundation
• Use of native controls
• Monitoring and alerting
• Make use of automation
• Train and plan hiring
16. Cloud Architecture – Examples – where it didn't work
Where it didn’t work:
• Weak Foundation
• No management involved/strategy
• Weak Processes
• No monitoring/Alerting
• No plan in hiring
17. Cloud security incident management
• You can’t pull cables in the cloud
• Incident management and detection can be harder
• Monitor and alert on billing and on your resources
• Education on the various services… it is not just another VM in the datacentre
• Prevent expensive services from being spun up, using policies
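Two of the controls this slide (and the "use of native controls" point on slide 15) calls for can be expressed as plain AWS policy documents. The following is an added example written for this page, not material from the talk or from Camelot: it builds an Organizations service control policy that denies `ec2:RunInstances` for any instance type outside an allow-list (via the `ec2:InstanceType` condition key), builds the parameter set for a CloudWatch billing alarm on the `AWS/Billing` `EstimatedCharges` metric, and includes a small local evaluator so the deny condition can be checked against a constructed list of launch requests before the SCP is attached. The allow-list, threshold, SNS topic ARN and sample instance types are assumptions.

```python
"""Added example (not from the Camelot talk): native AWS controls for the
two slide points 'monitor and alert on billing' and 'prevent expensive
services with policies', built as plain documents so they can be reviewed
offline and then applied with the CLI, CloudFormation or Terraform."""
import fnmatch
import json

# Assumption: these instance-type patterns are the only ones the business needs.
ALLOWED_INSTANCE_TYPES = ["t3.*", "t3a.*", "m5.large", "m5.xlarge"]


def build_instance_type_scp(allowed):
    """Return an SCP document denying launches of instance types not in `allowed`.
    StringNotLike supports the * wildcard, so whole families can be allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyExpensiveInstanceTypes",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringNotLike": {"ec2:InstanceType": list(allowed)}},
            }
        ],
    }


def build_billing_alarm(threshold_usd, sns_topic_arn):
    """Parameters for cloudwatch put-metric-alarm (or AWS::CloudWatch::Alarm).
    The AWS/Billing metric is published in us-east-1 only and requires billing
    alerts to be enabled in the account's billing preferences."""
    return {
        "AlarmName": f"estimated-charges-over-{threshold_usd}-usd",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,  # the billing metric updates roughly every 6 hours
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }


def scp_blocks_launch(policy, instance_type):
    """Local evaluator for the single Deny statement above: True when the SCP
    would block a RunInstances call for `instance_type`. Mirrors StringNotLike
    semantics (case-sensitive, * and ? wildcards) for this one condition key."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "ec2:RunInstances":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["ec2:InstanceType"]
        if not any(fnmatch.fnmatchcase(instance_type, p) for p in patterns):
            return True
    return False


def triage_launch_requests(requests, allowed=ALLOWED_INSTANCE_TYPES):
    """Map each requested instance type to 'blocked' or 'allowed' under the SCP."""
    policy = build_instance_type_scp(allowed)
    return {t: ("blocked" if scp_blocks_launch(policy, t) else "allowed") for t in requests}


if __name__ == "__main__":
    # Constructed sample of launch requests, as one might pull from CloudTrail
    # RunInstances events while reviewing what the policy would have stopped.
    sample = ["t3.micro", "m5.large", "p3.16xlarge", "x1e.32xlarge"]
    print(json.dumps(build_instance_type_scp(ALLOWED_INSTANCE_TYPES), indent=2))
    # Assumed SNS topic ARN for the alarm action (placeholder account id).
    print(json.dumps(build_billing_alarm(500, "arn:aws:sns:us-east-1:123456789012:billing-alerts"), indent=2))
    print(triage_launch_requests(sample))
```

The SCP is a guardrail, not a substitute for monitoring: it stops the instance types you have decided are too expensive, while the billing alarm catches the cost of everything else (data transfer, managed services, forgotten volumes) that a launch policy cannot see. Running the evaluator against recent CloudTrail launch events before attaching the SCP shows which existing workloads the deny would have hit, which is the due-diligence step the deck's takeaways ask for.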
18. Key Take Away
Cloud transformations can be a treacherous journey
especially for security professionals:
- Cloud is different from traditional
- Do your due diligence up front
- Start early; create a solid foundation
- Automate where possible
- Native cloud controls! Use them
- Decisions based on risk
- Skill shortage: be prepared to learn