Cloud Ready or Steam Rolled?
Larry Whiteside Jr., VP, Healthcare and Critical Infrastructure, oCISO
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Agenda
1. Enterprise IT and Cloud: Trends
2. Concerns over Cloud Adoption and Risks
3. Seven Cloud Security Tips
4. Summary
"The ability to adapt quickly is less of an advantage when everyone can do it; rather, not adopting cloud is becoming a competitive disadvantage."
- HBR, "Cloud: Driving a Faster, More Connected Business" (2015)
Rise of Cloud Usage
Uptake of cloud in these offerings may mean your data is ALREADY cloud hosted.
**Source: SkyHigh Cloud Adoption Risk Report 2014
• Growth of traditional IT will be 5 percent vs. 30 percent in cloud.
• 11% shift of IT budget from in-house IT to cloud (Goldman Sachs, 2015).
• 59% of total cloud workloads will be Software-as-a-Service (SaaS) workloads, up from 41 percent in 2013 (Cisco, 2015).
Cloud Adoption: By Industry
Seven Tips
1. Understand Your Cloud Risk Appetite
2. Adopt a Control Baseline
3. Don't Underestimate Learning Curves
4. Centralize Procurement and Assessments
5. Identify and Understand Existing Usage
6. Align Identity and Access to Cloud Strategy
7. Ready Your DR and Incident Plans
Tip 1: Understand Your Cloud Risk Appetite
• How transparent are our CSPs?
  – Control visibility
  – Roles & responsibilities
• Do we have inaccurate assumptions?
  – "Our security is better!"
  – "Their security is worse!"
• Do CSP capabilities match our needs?
  – May impact compliance efforts
  – Controls may not cleanly translate
Real Enterprise Cloud Risks
• Control Validation and Security Posture
  – Risk: Lack of transparency in controls at the provider
  – Risk: Inability to maintain governance across multiple providers
• Uncontrolled Storage and Service Usage Awareness
  – Risk: Data exfiltration - can you tell if it's okay or not?
  – Risk: Uncontrolled service usage ("Shadow IT")
• Enterprise Application and Infrastructure Architecture
  – Risk: Approaching cloud designs in a 1:1 manner - expensive and inefficient
  – Risk: Not balancing service provider controls and your own
Evolution of the CISO to CIRO
The focus has changed from protecting the IT infrastructure to managing the information risk to the organization.
Securing the Organization
• CISO: Secure the internal organization (Information Security)
• CIRO: builds on the CISO role by adding
  – Understand and manage the risk of third parties (Third-Party Risk Management)
  – Understand and manage regulatory risks (Regulatory Compliance Management)
  – Communicate information risk in business terms (Business Acumen)
Tip 2: Adopt a Control Baseline
Going down the service-model stack* (left to right):
• You (IT) do it
• Direct control
• More cost
• Slower to deploy
Control Frameworks
• CSA's Cloud Control Matrix
• ISO 27001:2013
• ISO 27017, 27018
• NIST 800-53 / FedRAMP
*Source: "Security Guidance for Critical Areas of Focus in Cloud Computing" (Cloud Security Alliance, 2011).
Tip 3: Don't Underestimate Learning Curves
• Ease of Use - Great Power, Great Responsibility
• Architecture and Workload Planning
• Additional Layer of Security Management
  – Console access
  – VM access
  – User key management (IAM)
  – ACLs for data and services
Tip 4: Centralize Procurement and Assessments
• Facilitates thorough, uniform control selection
• Key partnerships must be developed:
  – Procurement - due diligence
  – Privacy and Legal - contracts, policy, incident
  – IT - architectural considerations, cost, performance
  – Security - risk analysis, control design, policy enforcement
  – Line of business - education on usage, consumption and access
• Consolidate into third-party governance processes where possible
Tip 5: Identify and Understand Existing Usage
Potential Sources:
• Asset inventories
• Endpoint solutions
• Proxy server logs
• NetFlow data
• Data leak prevention solutions
• Cloud access security brokers
• Accounting & expense reports
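The proxy-log source above is the one most enterprises already have. As an added example (not part of the Optiv deck), the following Python script shows how proxy logs can surface the two risks named earlier on the page: unsanctioned service usage ("Shadow IT") and large uploads to unassessed services that deserve a data-exfiltration review. The log format, the sample lines, the sanctioned-domain list and the 50 MiB review threshold are all constructed assumptions for illustration; a real deployment would read the organization's own proxy format and its procurement-maintained list of approved services.

```python
"""Shadow-IT discovery from proxy logs.

Added example, not from the Optiv deck. The log format, sample lines,
sanctioned-domain list and review threshold are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a minimal proxy format:
# "<timestamp> <user> <method> <url> <status> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
2016-03-01T09:02:11Z alice GET https://mail.corp-sanctioned.example/inbox 200 1200
2016-03-01T09:05:40Z alice POST https://files.unknown-share.example/upload 200 52428800
2016-03-01T09:06:02Z bob GET https://crm.sanctioned-saas.example/accounts 200 4096
2016-03-01T09:07:15Z bob POST https://files.unknown-share.example/upload 200 73400320
2016-03-01T09:09:30Z carol POST https://notes.personal-cloud.example/api/sync 200 2048
2016-03-01T09:10:01Z carol GET https://mail.corp-sanctioned.example/inbox 200 900
"""

# Constructed: services that procurement and security have assessed and approved.
SANCTIONED_DOMAINS = {"mail.corp-sanctioned.example", "crm.sanctioned-saas.example"}

# Constructed threshold: cumulative upload per user to one service that warrants review.
UPLOAD_REVIEW_BYTES = 50 * 1024 * 1024  # 50 MiB


def parse_proxy_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, method, url, status, nbytes = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            size = int(nbytes)
        except ValueError:
            continue
        yield {"ts": ts, "user": user, "method": method,
               "host": host, "status": status, "bytes": size}


def summarize_cloud_usage(records):
    """Aggregate per host: distinct users, request count, upload volume (POST/PUT)."""
    usage = {}
    for r in records:
        entry = usage.setdefault(r["host"], {
            "users": set(), "requests": 0, "upload_bytes": 0,
            "upload_by_user": defaultdict(int),
        })
        entry["users"].add(r["user"])
        entry["requests"] += 1
        if r["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += r["bytes"]
            entry["upload_by_user"][r["user"]] += r["bytes"]
    return usage


def find_shadow_it(usage, sanctioned=SANCTIONED_DOMAINS):
    """Hosts absent from the sanctioned list, widest adoption first."""
    unsanctioned = {h: e for h, e in usage.items() if h not in sanctioned}
    return sorted(unsanctioned,
                  key=lambda h: (-len(unsanctioned[h]["users"]),
                                 -unsanctioned[h]["upload_bytes"]))


def flag_large_uploads(usage, threshold=UPLOAD_REVIEW_BYTES, sanctioned=SANCTIONED_DOMAINS):
    """(user, host, bytes) where uploads to an unsanctioned service reach the threshold."""
    flags = []
    for host, entry in usage.items():
        if host in sanctioned:
            continue
        for user, nbytes in entry["upload_by_user"].items():
            if nbytes >= threshold:
                flags.append((user, host, nbytes))
    return sorted(flags)


if __name__ == "__main__":
    usage = summarize_cloud_usage(parse_proxy_log(SAMPLE_PROXY_LOG))
    for host in find_shadow_it(usage):
        e = usage[host]
        print(f"unsanctioned: {host} users={len(e['users'])} "
              f"requests={e['requests']} upload_bytes={e['upload_bytes']}")
    for user, host, nbytes in flag_large_uploads(usage):
        print(f"review: {user} uploaded {nbytes} bytes to {host}")
```

The two output lists map directly onto the governance steps in the deck: the unsanctioned-host list feeds procurement and assessment (Tip 4), and the upload flags are the starting point for a DLP or CASB conversation about whether that traffic "is okay or not".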
Tip 6: Align Identity and Access to Cloud Strategies
• Forces the issue of identity as the perimeter
• Access Enforcement Considerations:
  – Fully integrated (authentication/access)
  – Centralized authentication & local access control
  – Standalone authentication and access control
• May worsen existing IAM processes if unplanned
Tip 7: Ready DR and Incident Response Plans
• Cloud is not immune from DR tests
• Incident response tests
  – Simulate CSP
  – Validate recovery
  – Prepare contingencies
• Understand CSP response capabilities
  – Legal hold process
  – Forensics support (integrity, chain of custody)
• CSP uptime measurement formulas vary
Plan, Build, Run
• Understand Cloud Risk Appetite
• Adopt a Control Framework
• Ready and Train Your Staff
• Develop DR & Incident Response Plans
• Align to IAM Strategy
• Centralize Procurement
• Identify Existing Usage
Summary
• Security fundamentals extend to the cloud environments
• Leverage industry frameworks for controls & measurement
• Prepare contingency and incident plans
• Engage CSPs & stakeholders to manage risks
Questions
Larry Whiteside Jr.
VP, Healthcare and Critical Infrastructure
[email protected]
@LarryWhiteside