Managing Security in The Cloud


Presentation Transcript


  1. Managing Security in The Cloud • Adam Ely • CISO, Heroku at salesforce.com • Founder & COO, Bluebox • adam@bluebox.com • www.bluebox.com • Twitter: @adamely

  2. Why you’re listening to me • CISO of Heroku BU at salesforce.com • I know cloud security • Security leadership roles at Heroku/salesforce.com TiVo, and Walt Disney • I feel your pain • Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS • I know more acronyms than you :P • CISSP, CISA, MBA, and some other stuff like that • I have more acronyms than you :(

  3. Defining “cloud” • IaaS - Infrastructure as a service • EC2, Rackspace • PaaS - Platform as a service • Heroku • SaaS - Software as a service • salesforce.com, box, workday • Combining Service Types • AWS EC2 + AWS SQS + Heroku Postgres + Rackspace

  4. Areas of risk • IaaS • Physical • Personnel • Internal operations/InfoSec • PaaS • Platform (OS, services, configurations) • SaaS • Web application security

  5. We must think differently • Not all vendors are the same • One-size-fits-all checklists are dead, don’t be that guy • Rationalize the risks • If the service is not interacting with card holder data, don’t demand it must be PCI compliant. Focus on the risks present. • Accept transfer of responsibilities • You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak. • Innovate, adapt, and improve • Focus on the real risks, what you can do to ensure protections, and move to continuous assessment, not checklist auditing

  6. Step 1: Know thyself • Develop a security baseline • You do have a data classification and handling guide, right? Define your critical assets, define controls, build a minimum baseline for vendors (intent not implementation) • Understand the types of services • How can you know the risks if you don’t know what it does? • What concerns us about each service? • Determine the potential risk based on the service and develop assessments against the relevant guideline • Accept transfer of responsibilities • You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.

  7. Step 2: Start Dating • Work with the provider • Ask them about their security, see what they provide, maybe that’ll be enough, or maybe you’ll think of new things • Tailor your assessment • Tailor your approach to the type of service, how your org will use it, and the risks present • Don’t expect everything for $8/month • Enough said. • Communicate intent, not implementation • Work with the vendor to meet intent and understand their implementation

  8. Step 3: Use Protection • Encryption = data condom • Really concerned about the data? Wrap it up! • Audit • Backhaul logs, monitor, alert, and react • Continuous Audit • Use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever • Communicate intent, not implementation • Work with the vendor to meet intent and understand their implementation
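The "continuous audit" idea from this slide, as an added example that is not part of the deck: a baseline written as intent (from Step 1) is compared on every run against an account snapshot pulled through the vendor's API, and any drift is reported. The snapshot format, the baseline keys and the sample data are constructed assumptions, not any real vendor's API.

```python
"""Continuous-audit check: compare a vendor account snapshot against
the org's baseline and report drift in settings, users and permissions.

Assumed (not from the talk): the vendor API returns a JSON snapshot in
the shape of SNAPSHOT below, which is a constructed sample."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the snapshot a vendor API would return.
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)
SNAPSHOT = {
    "settings": {"encryption_at_rest": False, "public_buckets": ["logs"]},
    "users": [
        {"name": "alice", "role": "admin", "mfa": True, "last_login": "2013-05-30"},
        {"name": "bob", "role": "admin", "mfa": False, "last_login": "2012-12-01"},
        {"name": "svc-build", "role": "deploy", "mfa": False, "last_login": "2013-05-31"},
    ],
}

# Baseline states intent (what must hold), not the vendor's implementation.
BASELINE = {
    "encryption_at_rest": True,
    "public_buckets_allowed": False,
    "admin_mfa_required": True,
    "max_idle_days": 90,
}

def audit(snapshot, baseline, now=NOW):
    """Return a list of (severity, finding) tuples; an empty list means no drift."""
    findings = []
    s = snapshot["settings"]
    if baseline["encryption_at_rest"] and not s["encryption_at_rest"]:
        findings.append(("high", "encryption at rest disabled"))
    if not baseline["public_buckets_allowed"] and s["public_buckets"]:
        findings.append(("high", "public buckets: " + ", ".join(s["public_buckets"])))
    for u in snapshot["users"]:
        if u["role"] == "admin" and baseline["admin_mfa_required"] and not u["mfa"]:
            findings.append(("high", f"admin {u['name']} has no MFA"))
        last = datetime.strptime(u["last_login"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - last > timedelta(days=baseline["max_idle_days"]):
            findings.append(("medium", f"user {u['name']} idle since {u['last_login']}"))
    return findings

if __name__ == "__main__":
    # Run this from a scheduler; route non-empty output to your alerting.
    for sev, msg in audit(SNAPSHOT, BASELINE):
        print(f"[{sev}] {msg}")
```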

  9. Where to look? • Is customer data co-mingled? • Does the vendor perform security assessments? • Always ask about scope and status of remediation • What kind and frequency • Encryption • Data storage, external & internal transmission, queueing systems, backups, and in 3rd party services used by the vendor • How are keys protected? Same key for all data/customers? • Architecture • Architecture review, determine what has access to your assets including 3rd party services • If a SQLi vulnerability is exploited is your data at risk?

  10. Working with providers • Know every provider is different • Accept responsibility for risk management • Understand what’s in place, make decisions based on risk • Use vendors based on acceptable risk levels • Help vendors achieve more, let them learn from you

  11. Managing Security in The Cloud • Adam Ely • adam@bluebox.com • www.bluebox.com • Twitter: @adamely
