cloud 360 shared responsibility model - vi bygger danmark ... · technologies required - cloud 3600...

Post on 22-Aug-2020


Cloud 360° Shared Responsibility Model

Dave Messett

Head of Product & Solutions Marketing, EMEA, McAfee

@DaveMessett

dave_messett@mcafee.com

September 2019

“Mum, Dad – Can I go to a party?”

CONTEXT IS KING

Everyone Is Going To The Cloud – All That Differs Is Speed

… and How Safely

Employees

Partners

Customers

Vendors

Managed

Unmanaged

Mass migration to the cloud?

On-Network Off-Network

How Many Cloud Services Are We Using?

[Chart: Estimated. Years 2013 to 2018; vertical axis 0 to 35.]

How Many Cloud Services Are We Using?

[Chart: Reality (McAfee Cloud Adoption & Risk Report – April 2019). Years 2013 to 2018; vertical axis 0 to 2500.]

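Where is enterprise sensitive data in the cloud?

[Chart. Categories: Salesforce, Office 365, Google Docs, Slack, AWS, Custom Apps, Box, ServiceNow, High-Risk Shadow, Med/Low-Risk Shadow. Values shown on the chart, in transcript order and not matched to categories: 31%, 13%, 11%, 16%, 8%, 5%, 5%, 7%, 2%, 2%.]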

Who’s Responsible For Cloud Security?

CASB Magic Quadrant 2018

“Through 2023, 99% of cloud security failures will be the customer’s fault”

So, Is Security Better or Worse?

Source: Cloud Adoption & Risk Report, April 2019, McAfee

The 360° Shared Responsibility Model

Insurance (General & Add-On)

Seat belts for passengers

Up to date servicing (brakes, tyres etc.)

Seat Belts

Airbags

Build quality - Handling, won’t fall apart at first corner

The Car Rental Shared Responsibility Model

Manufacturer

Manufacturer Feature, driver responsibility

Owner (Rental Co.)

Driver / Renter

Safely tie in packages

Speed / Quality of driving

Fuel, Oil, Water

Data Classification & Accountability

End-Point Protection

Identity & Access Management

Application Level Security

Network Control

Host Infrastructure

Physical Security & Connectivity

SaaS PaaS IaaS

Cloud 360° Shared Responsibility Model

Service Provider Responsibility

Service Provider feature, enterprise configuration

Enterprise Responsibility

User Responsibility

User/Device/Data control

Collaboration control

© McAfee 2019. OK for reuse if unedited

Example: Identity & Access Management

• Check all cloud applications

• Communicate to all owners

• Are they integrated with SSO?

Data Classification & Accountability

End-Point Protection

Identity & Access Management

Application Level Security

Network Control

Host Infrastructure

Physical Security & Connectivity

SaaS PaaS IaaS

Service Provider Responsibility

Service Provider feature, enterprise configuration

Enterprise Responsibility

User Responsibility

User/Device/Data control

Collaboration control

Data Classification & Accountability

End-Point Protection

Identity & Access Management

Application Level Controls

Network Control

Host Infrastructure

Physical Security

SaaS PaaS IaaS

Technologies Required - Cloud 360° Shared Responsibility Model

Link control, domain check, email controls, encryption

User/Device/Data control

Collaboration control

User Behavior analytics, user & device policies

DLP, on demand scan

Compromised account detection, malware scanning

SSO integration

Configuration audit

Audit of cloud configurations

CIS benchmarking

Key Takeaways

Cloud environments can be more secure than traditional infrastructures BUT

• You need to ensure you’re asking the right questions

• You need the context about the applications, the CSP, the user and the data

• You need to know who is responsible for what across the entire model

Thank You

@DaveMessett

dave_messett@mcafee.com

Still not convinced?

Office 365

Salesforce (CRM)

Workday (HR)

Webex

Box

Concur (Expenses)

Okta / Sailpoint (Identity)

Jira, Atlassian (Development)

Trello (Collaboration)

Zoom

Slack (Discussions)

PowerBI (Business Intelligence)

Marketo

Hoovers

Adobe Marketing Suite

Ariba (Purchasing)

Hoot (Legal)

Mindtouch (Manuals & Training)

Loopio (Database to answer Qs)

LinkedIn

Twitter

YouTube

ServiceNow (IT Support)

Clari

Digideck

BriefingEdge (Meeting Arranger)

Smartsheet (Shared Spreadsheet)

Yammer (Communications)

Skype (Communications)

Skype for Business (Communications)
