
Post on 23-Jun-2020


Pitching cloud services to security folks

Moshe Ferber, CCSK, Onlinecloudsec.com

Surviving the Lion’s den…

IGTcloud Meetup

About

• Information security professional for over 20 years

• Working on cloud strategy with the world's largest software vendors

• Founded Cloud7, Managed Security Services provider (currently 2bsecure cloud services)

• Partner at Clarisite – Your customer's eye view

• Partner at FortyCloud – Make your public cloud private

• Member of the board at Macshava Tova – Narrowing societal gaps

• Certified CCSK instructor for the Cloud Security Alliance

• Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter

Cloud Computing

How does the CIO see it?

Cloud Computing

How does the end user see it?

Cloud Computing

How does the CFO see it?

Cloud Computing

And how does the CISO see it?

Mistakes cloud providers make #1

Mistakes cloud providers make #2

Mistakes cloud providers make #3

Mistakes cloud providers make #4

What else CISOs don't like

Agility

What do you say… and how does the CISO understand it?

Scalability

What do you say… and how does the CISO understand it?

Compliance

What do you say… and how does the CISO understand it?

Manageability

What do you say… and how does the CISO understand it?

Reliability

What do you say… and how does the CISO understand it?

So what is the CISO looking for?

So, how do we create trust?

1. Transparency

2. Competency

Transparency

Transparency #1: Takeaway

Security in the cloud is a shared responsibility

Source: Trend Micro Blog

Transparency #2: Security Policy

A security policy is mandatory; it should cover all aspects of how you protect your customers' data.

Transparency #3: Audits

Don't run away from security audits.

Competency

Skill, Design, Governance

Skill

• Make sure your sales / pre-sales staff understand cloud security.

• Understand the standards and regulation relevant to your sector.

Skill #2

• Make your security building blocks tangible to the customers:

Monitoring and Incident Management

Application Security

Data Security

Infrastructure Security

Data Center Security

Understand cloud threats & risks

Threat: Theft

Attack vector: Unsecure door

Risk: Losing money

Cloud attack vectors

• Provider administration

• Management console

• Multitenancy & virtualization

• Automation & API

• Chain of supply

• Side channel attack

• Insecure instances

Understanding controls

Preventive

• Firewall (Security Groups)

• Authentication

• Anti Virus

• Guards

Detective

• IDS

• System monitoring

• Motion detector

Corrective

• Upgrades & Patches

• Vulnerability scanning

Compensatory

• DRP & Backup

• Firewall logs

• Reviews

• Audit & reconciliation

Design

Threat: Security Service

Spoofing: Authentication

Tampering: Digital Signature, Hash

Repudiation: Audit Logging

Information Disclosure: Encryption

Denial of Service: Availability

Elevation of Privilege: Authorization

• Integrate security into your software lifecycle.

• Account for cloud-specific threats.

• Think about separation of tenants.

• Explore encryption at all layers.

• Think about 3rd party access.

Governance

• Most security companies simply don't know how to do ongoing operational security.

• If you are guarding a bank's data, you need a bank's operational capabilities.

Questions?

To wrap things up

Speak your customers' lingo

Use good building blocks

Don't hesitate to be transparent on your security controls.

Cloud security is very much about your customers' market sector.

Be proactive in your security; think ahead of your customers.

Moshe Ferber

www.onlinecloudsec.com

http://il.linkedin.com/in/MosheFerber

KEEP IN TOUCH

The Cloud Security Course schedule can be found at: http://www.onlinecloudsec.com/course-schedule