This document discusses security teams and technology in a cloud world. It notes that security is now everyone's responsibility rather than isolated to one team. Modern security requires new skills from specialists, such as basic coding knowledge and a user-focused perspective. The document advocates distributing security specialists throughout teams rather than keeping them isolated. It also presents opportunities that cloud infrastructure provides for faster deployment times and continuous monitoring through automation and aggregation of security data.
34. Setup
• Lock down operating system, applications, and data
Harden system according to NIST / best practices
Encrypt everything
• Enable service health monitoring features
Check your CSP’s documentation
• Monitor service API activities
Look for unauthorized replication, start up, termination, etc.
Steps:
IaaS
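The "Monitor service API activities" step on the IaaS slide, as an added example that is not part of the original presentation: a Python sketch that scans API audit records for replication, start-up and termination calls made by principals not approved for them. The record format, the action names and the `AUTHORIZED` baseline are assumptions constructed for illustration; map them to your CSP's audit log schema.

```python
import json

# Constructed, provider-neutral audit records (one JSON object per line).
# Field and action names are assumptions; a real CSP's audit log will differ.
SAMPLE_LOG = """\
{"time": "2024-01-01T10:00:00Z", "principal": "deploy-pipeline", "action": "StartInstance", "resource": "vm-web-01"}
{"time": "2024-01-01T10:02:00Z", "principal": "backup-service", "action": "CopySnapshot", "resource": "snap-db-07"}
{"time": "2024-01-01T10:03:00Z", "principal": "alice", "action": "ListInstances", "resource": "*"}
{"time": "2024-01-01T10:05:00Z", "principal": "alice", "action": "CopySnapshot", "resource": "snap-db-07"}
{"time": "2024-01-01T10:07:00Z", "principal": "backup-service", "action": "TerminateInstance", "resource": "vm-web-01"}
{"time": "2024-01-01T10:09:00Z", "principal":
"""

# The activity categories named on the slide, keyed by (hypothetical) API action.
WATCHED = {
    "StartInstance": "start up", "TerminateInstance": "termination",
    "CopySnapshot": "replication", "CreateReplica": "replication",
}

# Hypothetical baseline: which principals may perform which category.
AUTHORIZED = {
    "deploy-pipeline": {"start up", "termination"},
    "backup-service": {"replication"},
}

def find_unauthorized(log_text):
    """Return (line_no, category, principal, resource) for each suspicious record."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:
            # Surface damaged records instead of dropping them silently.
            findings.append((line_no, "unparseable", None, None))
            continue
        category = WATCHED.get(event.get("action"))
        if category is None:
            continue  # not one of the watched activity types
        principal = event.get("principal") or "<missing>"
        if category not in AUTHORIZED.get(principal, set()):
            findings.append((line_no, category, principal, event.get("resource")))
    return findings

if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE_LOG):
        print(finding)
```

The baseline is per category, so a known principal acting outside its role (the backup service terminating an instance) is flagged as well as an unknown one.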
35. Setup
• Read all the documentation
Seriously, RTFM
• Implement strong code quality systems
Automation is critical to success
• Configure access control and other security features
Check your CSP’s documentation
Steps:
PaaS
36. Setup
• Read all the documentation
Seriously, RTFM
• Configure access control and other security features
Check your CSP’s documentation
Steps:
SaaS
37. Setup
• Evaluate controls against acceptable level of risk for data used in service
I shouldn’t have to say this
• Monitor all service provider status updates and communications channels
Remember to include them in your IR plans
Steps:
Any Cloud Service
55. …can have a much stronger security posture in AWS and the cloud than they can on-premises
Andy Jassy, AWS CEO
* From an interview with the Wall Street Journal, http://www.wsj.com/articles/amazons-andy-jassy-on-the-promise-of-the-cloud-1477880220
60. New Skills Needed
• Basic understanding of development practices & ability to write simple code
Everything in the cloud is an API. Security MUST BE automated
• Puts the user first
We make the tech that they “can’t use right” … not their fault
• Perspective & understanding of practical security
No more “the sky is falling”
• Educators
Written, video, presentations, Slack, … anywhere teams are working
Steps:
Security Specialist