SlideShare ist ein Scribd-Unternehmen logo

Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

Als PPTX, PDF herunterladen
NSC42 Ltd
NSC42 Ltd

The talk will take the audience on a journey on the cloud evolution, the recent hacks and the need to make security everyone's responsibility. The talk will explore major challenges in cloud transformation from an organization and security perspective with top 8 solutions to address them. The solution will explore: the shared responsibility model Foundation architecture Cloud pattern available Design security and security by design Gamification and the use of EoP in everything security Shift left and bringing security at the beginning of the development Security testing and automation DEV-SEC ops and the integration of Security and Business/Architecture If time is available the talk will explore the top 5 key cloud patterns (Account isolation, Firewall and access control, Logging and cascade pattern, Identity and access management, Key/secret management) Audience Take Away: When starting a cloud security journey or by being already into one what shall you do and consider. Key security element to consider from day 1 to delivery automation and why is so vital to automate security vulnerability

Technologie
1 von 31
Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
@FrankSEC42https://uk.linkedin.com/in/fracipo
Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd Agenda About the author Conclusions & Take Away Q&A Solution to reach there The problem and ideal world How things have changed Context @FrankSEC42 CSA Conference & Awards
www.nsc42.co.uk About the Francesco 5 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Public Speaker, Researcher and Director of Events of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks FC-LinkedIn E-Mail Website Articles NSC42 LinkedIn Security is everybody’s job @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo Security is challenging, we have to know inch deep and miles wide
www.nsc42.co.uk How Things Have Changed 6 How did we evolve to reach here? What is the impact on the security? @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Cloud Evolution 7 2005 2006 Datacentre Land 2007 2008 2013 2010 2011 2012 2014 Cloud Adoption @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Challenges 8 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
www.nsc42.co.uk Major Breaches 9 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why security is everybody’s responsibility? Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … Because we all get affected by it… @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Major Breaches 10@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Challenges 11 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
www.nsc42.co.uk Ideal cybersecurity world 12 In an ideal cybersecurity world we would have infinite time, infinite resource to do things right, and all the boring chores would be automated @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Solutions 13 1. Cloud Responsibility Matrix 2. Cloud Foundation 3. Cloud Patterns 4. Design Security 5. Security by Design 6. Dev shift left 7. Security Testing 8. DEV-SEC-OPS + BIZ/ARCH Security by design = everyone participate in security @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 1 - Cloud Responsibilities 14 Customer Application & Content Network Security Identity & Access Control Operating System/ Platform Data Encryption The Customer Customer Defines controls security IN Cloud Customer takes care of the security OF Cloud Physical Infrastructure Network Infrastructure Virtualization Layer Cloud platform “Understand Shared Responsibility model Delegation and you’ll master cloud” Consider what are you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 1 - Cloud Pizza 15 IaaS, PaaS, SaaS, … Who cares give me pizza! @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 2 – Foundation 16 How do you build a solid house? You don’t skip the foundation! How do you build a solid cloud? You don’t skip the foundation! @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 2 – Foundation 17 1. Management Support 2. Disruption and strategy 3. Security as part of the cloud journey 4. Skills shortages 5. Architecture patterns & Re-use How do you build a solid cloud (security) foundation? Cultural, Management support and skills @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 2 – Foundation 18 What Tools do you use for the solid cloud (Security) Foundation? @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 3 – Cloud Patterns 19 - Account Isolation - Controls Traditional vs cloud - Logging and monitoring - Identity and access management - Key Management “There is no such a thing as free lunch… but leverage on patterns as starting point” @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 4 – Design Security 20 “How would expand the security team without expanding the team?” Train Software Engineers on security and you’ll have ‘extended security team’” @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 5 – Security by Design 21 “So what would the software engineer do with the security hat on?” “gamification…remember to have fun when doing your job” How do we make threat security fun?” @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 6 – Shift left in DEV 22 “Security as early as possible: Integrate security in the software development pipeline” Keep Threat or fraud model exercise concise and fun! Don’t overcomplicate @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 7 – Security in Test 23 “Security (Testing) as early as possible” Security testing as bug bounty program! Make it fun and rewarding @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Step 8 - DEV–SEC–OPS(BIZ) 24 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) Security is everybody responsibility. @FrankSEC42https://uk.linkedin.com/in/fracipo Reward security effort with -> Low cost High Impact Integrating Security
www.nsc42.co.uk The Future 25 “Cybersecurity due diligence will remain the same regardless of the technology chosen” @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Conclusions 26 - Evolution & Challenges - Ideal world and step to reach it - What’s in the future Security in the journey to the Cloud not at destination Security is everybody’s job @FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Mentoring Research Events Networking Twitter: @csaukchapter LinkedIn: https://www.linkedin.com/groups/3745837/ CSA-UK - We need you 27@FrankSEC42https://uk.linkedin.com/in/fracipo Join!
Every Fortnight 1.30 PM UK Time #MentoringMonday Call @FraSEC42
Cyber Security Awards 2019 Cloud Security Influencer of the Year Submission – 10 of May 2019 Ceremony 4 July 2019 #CYSECAWARDS19https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info:
www.nsc42.co.uk Q&A 30@FrankSEC42https://uk.linkedin.com/in/fracipo
www.nsc42.co.uk Contacts 31 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo

Empfohlen

Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...NSC42 Ltd
 
Nsc42 - is the cloud secure - is easy if you do it smart UNICOM
Nsc42 - is the cloud secure - is easy if you do it smart UNICOMNsc42 - is the cloud secure - is easy if you do it smart UNICOM
Nsc42 - is the cloud secure - is easy if you do it smart UNICOMNSC42 Ltd
 
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...Codemotion
 
ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? Jakub Kałużny
 
Fowa2010 progressive-enhancement
Fowa2010 progressive-enhancementFowa2010 progressive-enhancement
Fowa2010 progressive-enhancementChristian Heilmann
 
Why conquering complexity is a critical component of an effective security pr...
Why conquering complexity is a critical component of an effective security pr...Why conquering complexity is a critical component of an effective security pr...
Why conquering complexity is a critical component of an effective security pr...Dominic Vogel
 
A New Zero-Day Vulnerability Discovered Every Week in 2015
A New Zero-Day Vulnerability Discovered Every Week in 2015A New Zero-Day Vulnerability Discovered Every Week in 2015
A New Zero-Day Vulnerability Discovered Every Week in 2015RapidSSLOnline.com
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 

Empfohlen

Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...NSC42 Ltd
 
Nsc42 - is the cloud secure - is easy if you do it smart UNICOM
Nsc42 - is the cloud secure - is easy if you do it smart UNICOMNsc42 - is the cloud secure - is easy if you do it smart UNICOM
Nsc42 - is the cloud secure - is easy if you do it smart UNICOMNSC42 Ltd
 
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...
Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...Codemotion
 
ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? Jakub Kałużny
 
Fowa2010 progressive-enhancement
Fowa2010 progressive-enhancementFowa2010 progressive-enhancement
Fowa2010 progressive-enhancementChristian Heilmann
 
Why conquering complexity is a critical component of an effective security pr...
Why conquering complexity is a critical component of an effective security pr...Why conquering complexity is a critical component of an effective security pr...
Why conquering complexity is a critical component of an effective security pr...Dominic Vogel
 
A New Zero-Day Vulnerability Discovered Every Week in 2015
A New Zero-Day Vulnerability Discovered Every Week in 2015A New Zero-Day Vulnerability Discovered Every Week in 2015
A New Zero-Day Vulnerability Discovered Every Week in 2015RapidSSLOnline.com
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challengesNSC42 Ltd
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At MozillaMichael Van Kleeck
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Mighty Guides, Inc.
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)Erik Trautman
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...Codemotion
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Weitere ähnliche Inhalte

Ähnlich wie Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challengesNSC42 Ltd
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At MozillaMichael Van Kleeck
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Mighty Guides, Inc.
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)Erik Trautman
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...Codemotion
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 

Ähnlich wie Nsc42-CSA AGM is the cloud secure - is easy if you do it smart (20)

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
 
Identity and Access Management At Mozilla
Identity and Access Management At MozillaIdentity and Access Management At Mozilla
Identity and Access Management At Mozilla
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)The Design of Blockchain-Based Apps (DApps)
The Design of Blockchain-Based Apps (DApps)
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
It’s All About Developers. Discover Cisco DevNet. - Jason Goecke - Codemotion...
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 

Kürzlich hochgeladen

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Kürzlich hochgeladen (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Nsc42-CSA AGM is the cloud secure - is easy if you do it smart

  • 1. Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
  • 3. Is the Cloud Secure? CSA AGM 2019 - HSBC (London) @FrankSEC42 It’s easy if you do it smart https://uk.linkedin.com/in/fracipo
  • 4. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd Agenda About the author Conclusions & Take Away Q&A Solution to reach there The problem and ideal world How things have changed Context @FrankSEC42 CSA Conference & Awards
  • 5. www.nsc42.co.uk About the Francesco 5 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Public Speaker, Researcher and Director of Events of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks FC-LinkedIn E-Mail Website Articles NSC42 LinkedIn Security is everybody’s job @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo Security is challenging, we have to know inch deep and miles wide
  • 6. www.nsc42.co.uk How Things Have Changed 6 How did we evolve to reach here? What is the impact on the security? @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 8. www.nsc42.co.uk Challenges 8 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
  • 9. www.nsc42.co.uk Major Breaches 9 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why security is everybody’s responsibility? Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … Because we all get affected by it… @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 11. www.nsc42.co.uk Challenges 11 - Increasing number of breaches - Impact on Cost (Brand, Fines, …) - Fast change - No collaboration teams and security Security is everybody’s responsibility @FrankSEC42https://uk.linkedin.com/in/fracipo Security Challenges in cloud transformations?
  • 12. www.nsc42.co.uk Ideal cybersecurity world 12 In an ideal cybersecurity world we would have infinite time, infinite resource to do things right, and all the boring chores would be automated @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 13. www.nsc42.co.uk Solutions 13 1. Cloud Responsibility Matrix 2. Cloud Foundation 3. Cloud Patterns 4. Design Security 5. Security by Design 6. Dev shift left 7. Security Testing 8. DEV-SEC-OPS + BIZ/ARCH Security by design = everyone participate in security @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 14. www.nsc42.co.uk Step 1 - Cloud Responsibilities 14 Customer Application & Content Network Security Identity & Access Control Operating System/ Platform Data Encryption The Customer Customer Defines controls security IN Cloud Customer takes care of the security OF Cloud Physical Infrastructure Network Infrastructure Virtualization Layer Cloud platform “Understand Shared Responsibility model Delegation and you’ll master cloud” Consider what are you are getting yourself into in a cloud migration. Cloud is not natively secure or insecure @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 15. www.nsc42.co.uk Step 1 - Cloud Pizza 15 IaaS, PaaS, SaaS, … Who cares give me pizza! @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 16. www.nsc42.co.uk Step 2 – Foundation 16 How do you build a solid house? You don’t skip the foundation! How do you build a solid cloud? You don’t skip the foundation! @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 17. www.nsc42.co.uk Step 2 – Foundation 17 1. Management Support 2. Disruption and strategy 3. Security as part of the cloud journey 4. Skills shortages 5. Architecture patterns & Re-use How do you build a solid cloud (security) foundation? Cultural, Management support and skills @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 18. www.nsc42.co.uk Step 2 – Foundation 18 What Tools do you use for the solid cloud (Security) Foundation? @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 19. www.nsc42.co.uk Step 3 – Cloud Patterns 19 - Account Isolation - Controls Traditional vs cloud - Logging and monitoring - Identity and access management - Key Management “There is no such a thing as free lunch… but leverage on patterns as starting point” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 20. www.nsc42.co.uk Step 4 – Design Security 20 “How would expand the security team without expanding the team?” Train Software Engineers on security and you’ll have ‘extended security team’” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 21. www.nsc42.co.uk Step 5 – Security by Design 21 “So what would the software engineer do with the security hat on?” “gamification…remember to have fun when doing your job” How do we make threat security fun?” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 22. www.nsc42.co.uk Step 6 – Shift left in DEV 22 “Security as early as possible: Integrate security in the software development pipeline” Keep Threat or fraud model exercise concise and fun! Don’t overcomplicate @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 23. www.nsc42.co.uk Step 7 – Security in Test 23 “Security (Testing) as early as possible” Security testing as bug bounty program! Make it fun and rewarding @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 24. www.nsc42.co.uk Step 8 - DEV–SEC–OPS(BIZ) 24 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) Security is everybody responsibility. @FrankSEC42https://uk.linkedin.com/in/fracipo Reward security effort with -> Low cost High Impact Integrating Security
  • 25. www.nsc42.co.uk The Future 25 “Cybersecurity due diligence will remain the same regardless of the technology chosen” @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 26. www.nsc42.co.uk Conclusions 26 - Evolution & Challenges - Ideal world and step to reach it - What’s in the future Security in the journey to the Cloud not at destination Security is everybody’s job @FrankSEC42https://uk.linkedin.com/in/fracipo
  • 28. Every Fortnight 1.30 PM UK Time #MentoringMonday Call @FraSEC42
  • 29. Cyber Security Awards 2019 Cloud Security Influencer of the Year Submission – 10 of May 2019 Ceremony 4 July 2019 #CYSECAWARDS19https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info:
  • 31. www.nsc42.co.uk Contacts 31 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 @FrankSEC42https://uk.linkedin.com/in/fracipo

Hinweis der Redaktion

  1. Q&A
  2. Q&A