larry whiteside - optiv cloud ready or steam rolled csa version

Cloud Ready or Steam Rolled? Larry Whiteside Jr., VP, Healthcare and Critical Infrastructure, oCISO

Upload: trish-mcginity

Posted on 17-Jan-2017

TRANSCRIPT

Cloud Ready or Steam Rolled?
Larry Whiteside Jr., VP, Healthcare and Critical Infrastructure, oCISO

Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.


Agenda

1. Enterprise IT and Cloud: Trends

2. Concerns over Cloud Adoption and Risks

3. Seven Cloud Security Tips

4. Summary


"The ability to adapt quickly is less of an advantage when everyone can do it; rather, not adopting cloud is becoming a competitive disadvantage."

- HBR, "Cloud: Driving a Faster, More Connected Business" (2015)


Rise of Cloud Usage

Uptake of cloud in these offerings may mean your data is ALREADY cloud hosted.

• Growth of traditional IT will be 5 percent vs. 30 percent in Cloud

• 11% shift of IT budget from in-house IT to cloud (Goldman Sachs, 2015)

• 59% of total cloud workloads will be Software-as-a-Service (SaaS) workloads, up from 41 percent in 2013 (Cisco, 2015)

[Chart: Cloud Adoption: By Industry. **Source: SkyHigh Cloud Adoption Risk Report 2014]


Seven Tips

1. Understand Your Cloud Risk Appetite

2. Adopt a Control Baseline

3. Don't Underestimate Learning Curves

4. Centralize Procurement and Assessments

5. Identify and Understand Existing Usage

6. Align Identity and Access to Cloud Strategy

7. Ready your DR and Incident Plans


Tip 1: Understand Your Cloud Risk Appetite

• How transparent are our CSPs?
  – Control visibility
  – Roles & responsibilities

• Do we have inaccurate assumptions?
  – Our security is better!
  – Their security is worse!

• Do CSP capabilities match our needs?
  – May impact compliance efforts
  – Controls may not cleanly translate


Real Enterprise Cloud Risks

• Control Validation and Security Posture
  – Risk: Lack of transparency in controls at the provider
  – Risk: Inability to maintain governance across multiple providers

• Uncontrolled Storage and Service Usage Awareness
  – Risk: Data exfiltration - can you tell if it's okay or not?
  – Risk: Uncontrolled service usage ("Shadow IT")

• Enterprise Application and Infrastructure Architecture
  – Risk: Approaching cloud designs in a 1:1 manner - expensive and inefficient
  – Risk: Not balancing service provider controls and your own


Evolution of the CISO to CIRO

The focus has changed from protecting the IT infrastructure to managing the information risk to the organization.

[Diagram: Securing the Organization, from CISO to CIRO]

• Information Security (CISO) – Secure the internal organization

• Third-Party Risk Management – Understand and manage the risk of third parties

• Regulatory Compliance Management – Understand and manage regulatory risks

• Business Acumen (CIRO) – Communicate information risk in business terms


Tip 2: Adopt a Control Baseline

[Figure: cloud service models, going down (left to right)*]
• You (IT) do it
• Direct control
• More cost
• Slower to deploy

Control Frameworks
• CSA's Cloud Controls Matrix
• ISO 27001:2013
• ISO 27017, 27018
• NIST 800-53 / FedRAMP

*Source: "Security Guidance for Critical Areas of Focus in Cloud Computing" (Cloud Security Alliance, 2011).


Tip 3: Don't Underestimate Learning Curves

• Ease of Use – Great Power, Great Responsibility

• Architecture and Workload Planning

• Additional Layer of Security Management
  – Console access
  – VM access
  – User key management (IAM)
  – ACLs for data and services


Tip 4: Centralize Procurement and Assessments

• Facilitates thorough, uniform control selection

• Key partnerships must be developed:
  – Procurement – due diligence
  – Privacy and Legal – contracts, policy, incident
  – IT – architectural considerations, cost, performance
  – Security – risk analysis, control design, policy enforcement
  – Line of business – education on usage, consumption and access

• Consolidate into third-party governance processes where possible


Tip 5: Identify and Understand Existing Usage

Potential Sources:

• Asset inventories
• Endpoint solutions
• Proxy server logs
• NetFlow data
• Data leak prevention solutions
• Cloud access security brokers
• Accounting & expense reports
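Proxy server logs are the cheapest of the sources listed above to start with, and they speak directly to the "uncontrolled service usage" and "can you tell if it's okay or not?" risks from the earlier slide. The script below is an added example, not part of the deck or of any Optiv tooling: it walks a handful of constructed, simplified Squid-style proxy lines, maps hostnames to a hypothetical cloud-service catalogue, tallies who uses which service and how many bytes they pushed up, and flags services outside a sanctioned list plus unusually large uploads for review. The catalogue, the sanctioned list, the 50 MiB review threshold and the log format are all assumptions for the illustration; a real deployment would load them from the CASB or procurement records.

```python
"""Inventory cloud-service usage from proxy logs (added example, not from the deck).

Constructed sample lines in a simplified Squid-style layout:
  <epoch> <client_ip> <user> <method> <url> <bytes_sent> <bytes_received> <status>
The service catalogue, sanctioned list and review threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical catalogue: domain suffix -> service name (constructed for this example).
SERVICE_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "sharepoint.com": "SharePoint Online",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
}
# Services procurement has approved (assumption for this example).
SANCTIONED = {"SharePoint Online"}
# Single-request upload volume above which a human should take a look (constructed).
UPLOAD_REVIEW_BYTES = 50 * 1024 * 1024

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
1478000001 10.1.2.3 alice POST https://content.dropbox.com/2/files/upload 73400320 512 200
1478000050 10.1.2.3 alice GET https://drive.google.com/drive/my-drive 1200 40960 200
1478000090 10.1.2.9 bob PUT https://corp.sharepoint.com/sites/finance/Shared%20Documents/q3.xlsx 2097152 256 201
1478000120 10.1.2.14 carol POST https://wetransfer.com/api/v4/transfers 104857600 1024 200
1478000130 10.1.2.14 carol GET https://www.example.org/ 300 8192 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<sent>\d+) (?P<recv>\d+) (?P<status>\d{3})$"
)


def classify_host(host):
    """Return the catalogue service name for a host, matching on exact domain or subdomain."""
    host = host.lower()
    for suffix, name in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    return rec


def inventory(log_text):
    """Summarise cloud-service usage per service and list items that need review."""
    usage = defaultdict(lambda: {"users": set(), "uploaded": 0, "requests": 0})
    large_uploads = []
    unsanctioned = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None:
            continue  # not a catalogued cloud service; ordinary web traffic
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        # Request bodies on write methods are the upload volume in this layout.
        if rec["method"] in ("POST", "PUT"):
            entry["uploaded"] += rec["sent"]
            if rec["sent"] >= UPLOAD_REVIEW_BYTES:
                large_uploads.append((rec["user"], service, rec["sent"]))
        if service not in SANCTIONED:
            unsanctioned.add((rec["user"], service))
    return {
        "services": {
            name: {"users": sorted(v["users"]), "uploaded": v["uploaded"], "requests": v["requests"]}
            for name, v in usage.items()
        },
        "large_uploads": large_uploads,
        "unsanctioned": sorted(unsanctioned),
    }


if __name__ == "__main__":
    report = inventory(SAMPLE_LOG)
    for name, v in sorted(report["services"].items()):
        print(f"{name:18} users={','.join(v['users']):10} requests={v['requests']} uploaded={v['uploaded']}")
    print("unsanctioned:", report["unsanctioned"])
    print("large uploads:", report["large_uploads"])
```

The suffix match deliberately requires a dot boundary so that a look-alike domain such as notdropbox.com is not credited to Dropbox; in practice the catalogue should come from a maintained source (a CASB feed or a vendor list) rather than a hand-typed dict, and the output should be reconciled against the accounting and expense reports the slide also lists, since paid-for services that never show up in the proxy logs are their own finding.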


Tip 6: Align Identity and Access to Cloud Strategies

• Forces the issue of identity as the perimeter

• Access Enforcement Considerations:
  – Fully integrated (authentication/access)
  – Centralized authentication & local access control
  – Standalone authentication and access control

• May worsen existing IAM processes if unplanned


Tip 7: Ready DR and Incident Response Plans

• Cloud is not immune from DR tests

• Incident response tests
  – Simulate a CSP outage
  – Validate recovery
  – Prepare contingencies

• Understand CSP response capabilities
  – Legal hold process
  – Forensics support (integrity, chain of custody)

• CSP uptime measurement formulas vary
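The last bullet deserves a worked illustration, because a DR plan built on the headline "99.9%" figure can be wrong about how much downtime it actually has to absorb. The block below is an added example, not from the deck: it applies three constructed SLA-style formulas to the same invented month of outages. Formula A counts every unavailable minute; Formula B excludes minutes that fall inside a scheduled maintenance window from both sides of the ratio; Formula C ignores any outage shorter than a minimum duration. None of these is any particular provider's contractual definition, which is exactly the point: the definition has to be read from the CSP's SLA and fed into the recovery objectives.

```python
"""Monthly uptime under three illustrative SLA formulas (added example, not from the deck).

All intervals are (start_minute, end_minute) offsets from the start of a 30-day month.
The outage list, maintenance window and formula definitions are constructed for illustration.
"""

MINUTES_IN_MONTH = 30 * 24 * 60  # assumption: a 30-day month

# Constructed outages: a 3-minute blip, a 90-minute incident, a 10-minute blip,
# and a 150-minute incident that overlaps a scheduled maintenance window.
OUTAGES = [(600, 603), (7200, 7290), (20000, 20010), (30000, 30150)]
# Constructed scheduled-maintenance window (first 120 minutes of the last outage).
MAINTENANCE = [(30000, 30120)]


def overlap(a, b):
    """Minutes shared by two (start, end) intervals; 0 when they do not overlap."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def uptime_simple(outages, total=MINUTES_IN_MONTH):
    """Formula A: every unavailable minute in the month counts."""
    down = sum(e - s for s, e in outages)
    return 100.0 * (total - down) / total


def uptime_excluding_maintenance(outages, maintenance, total=MINUTES_IN_MONTH):
    """Formula B: minutes inside scheduled maintenance are removed from both
    the downtime count and the measured period."""
    maint_total = sum(e - s for s, e in maintenance)
    down = sum(
        (e - s) - sum(overlap((s, e), m) for m in maintenance)
        for s, e in outages
    )
    measured = total - maint_total
    return 100.0 * (measured - down) / measured


def uptime_min_duration(outages, minimum=5, total=MINUTES_IN_MONTH):
    """Formula C: outages shorter than `minimum` minutes are not counted at all."""
    down = sum(e - s for s, e in outages if (e - s) >= minimum)
    return 100.0 * (total - down) / total


def allowed_downtime_minutes(target_pct, total=MINUTES_IN_MONTH):
    """Downtime budget per month implied by an availability target, for RTO planning."""
    return round(total * (100.0 - target_pct) / 100.0, 1)


if __name__ == "__main__":
    print(f"Formula A (all minutes):            {uptime_simple(OUTAGES):.3f}%")
    print(f"Formula B (maintenance excluded):   {uptime_excluding_maintenance(OUTAGES, MAINTENANCE):.3f}%")
    print(f"Formula C (blips under 5 min ignored): {uptime_min_duration(OUTAGES):.3f}%")
    for target in (99.9, 99.95, 99.99):
        print(f"{target}% target allows {allowed_downtime_minutes(target)} min/month of downtime")
```

Run against the same 253 minutes of raw outage, the three formulas land on roughly 99.41%, 99.69% and 99.42%; only the first would breach a 99.5% SLA, yet all three describe the same month. When the DR plan's recovery objectives are set, use the raw-minute figure for your own exposure and the contractual formula only for credit calculations.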


Plan, Build, Run

• Understand Cloud Risk Appetite

• Adopt a Control Framework

• Ready and Train Your Staff

• Develop DR & Incident Response Plans

• Align to IAM Strategy

• Centralize Procurement

• Identify Existing Usage


Summary

• Security fundamentals extend to the cloud environments

• Leverage industry frameworks for controls & measurement

• Prepare contingency and incident plans

• Engage CSPs & stakeholders to manage risks


Questions

Larry Whiteside Jr.
VP, Healthcare and Critical Infrastructure
[email protected]
@LarryWhiteside