Security in the world of Cloud and Chaos Engineering

Ashish
December 05, 2017

Security in the world of Cloud and Chaos Engineering, talk for the New York Information Security Meetup, December 2017


Transcript

  1. Security in the world of Cloud and Chaos Engineering
     Information Security Meetup, New York, December 2017
  2. Unknown challenges in a cloud environment
     • Public
     • Multi-geo location
     • Existing security measures don't work
     • Shared security model
     • Public breaches
  3. IAM (Identity and Access Management)
     • Identity lifecycle: join, modify, leave
     • Role-based access control (RBAC)
     • Auditing of identities
  4. Security Challenge - 2: Data security and compliance
     • Data residency
     • Data access
     • Data encryption (at rest)
     • Data encryption (in transit)
  5. Cloud journey for security, Stage 0
     • User access audit
     • Data residency
     • RBAC (users and servers)
     • Basic security posture
     • Admin user access
     • Encryption (at rest)
  6. Cloud journey for security, Stage 1
     • Blast radius
     • CI/CD pipeline
     • API access
     • Encryption (in transit)
     • Automation
     • Log aggregation
  7. Cloud journey for security, Stage 2
     • API key rotation
     • Incident response plan
     • Key management plan
     • Offsite backups
     • Guard rails
     • Security through the CI/CD pipeline
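The "API key rotation" and "guard rails" items on the Stage 2 slide are usually implemented as a scheduled check over the account's credential inventory. The following is an added example, not code from the deck or from any cloud provider: it evaluates a constructed list of access keys against two assumed thresholds (rotate keys older than 90 days, deactivate keys unused for 30 days) and returns the action to take for each. The `AccessKey` fields mirror what an IAM credential report typically exposes but the data and thresholds here are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Policy thresholds: assumed values for this example, not from the deck.
MAX_KEY_AGE_DAYS = 90   # rotate any active key older than this
DORMANT_DAYS = 30       # deactivate keys that have not been used for this long


@dataclass
class AccessKey:
    user: str
    key_id: str
    created: datetime
    last_used: Optional[datetime]  # None means the key was never used


def evaluate_keys(keys: List[AccessKey], now: datetime,
                  max_age_days: int = MAX_KEY_AGE_DAYS,
                  dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str, str, str]]:
    """Return (key_id, user, action, reason) for every non-compliant key.

    A dormant key is deactivated rather than rotated: rotating a key nobody
    uses only creates a fresh unused credential. Only active keys that have
    passed the age limit get a rotation finding.
    """
    findings = []
    for k in keys:
        age = (now - k.created).days
        idle = age if k.last_used is None else (now - k.last_used).days
        if idle > dormant_days:
            what = "never used" if k.last_used is None else f"unused for {idle} days"
            findings.append((k.key_id, k.user, "deactivate", f"{what} (key age {age} days)"))
        elif age > max_age_days:
            findings.append((k.key_id, k.user, "rotate",
                             f"key age {age} days exceeds {max_age_days}"))
    return findings


# Constructed sample inventory (not real account data); "now" is pinned so
# the results are reproducible.
NOW = datetime(2017, 12, 5, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKey("alice", "KEY-0001", datetime(2017, 11, 20, tzinfo=timezone.utc),
              datetime(2017, 12, 4, tzinfo=timezone.utc)),    # young, in use
    AccessKey("bob", "KEY-0002", datetime(2017, 7, 1, tzinfo=timezone.utc),
              datetime(2017, 12, 3, tzinfo=timezone.utc)),    # in use but 157 days old
    AccessKey("carol", "KEY-0003", datetime(2017, 9, 1, tzinfo=timezone.utc),
              datetime(2017, 10, 1, tzinfo=timezone.utc)),    # idle for 65 days
    AccessKey("dave", "KEY-0004", datetime(2017, 11, 1, tzinfo=timezone.utc),
              None),                                          # never used, 34 days old
    AccessKey("erin", "KEY-0005", datetime(2017, 11, 20, tzinfo=timezone.utc),
              None),                                          # never used, but still young
]

if __name__ == "__main__":
    for key_id, user, action, reason in evaluate_keys(SAMPLE_KEYS, NOW):
        print(f"{action:10} {user:8} {key_id}: {reason}")
```

Run as a scheduled job this produces the work list for the rotation process; wiring the `rotate`/`deactivate` actions to the provider's IAM API (and notifying the key owner first) is the guard-rail part the slide refers to.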
  8. Stage 3 and beyond
     • Application-focused protection: WAF, CDN
     • OS-focused security: anti-virus, vulnerability scanning
     • Binary and security testing of each code commit
     • Centralized visibility tool
     • Log alerting (intelligence) from SIEM logs
     • Event notifications
  9. Best practices
     1. The cloud provider's security best practices whitepaper
     2. The compliance section of the cloud provider's documentation
     3. Cloud Security Alliance standards
     4. Center for Internet Security (CIS) Benchmark for the cloud provider
  10. Takeaways
     • Security principles do not change with a new platform, only the challenges do.
     • Security controls can be achieved by leveraging services from the cloud provider.
     • Use security controls to raise the level of trust in a new platform.
     • Trust, but verify.
  11. Next evolution
     "IT spending is steadily shifting from traditional IT offerings to cloud services (cloud shift). The aggregate amount of cloud shift in 2016 is estimated to reach $111 billion, increasing to $216 billion in 2020." (Gartner, July 2016)
  12. Next evolution of security in a cloud world
     1. Cloud provider security posture
     2. Event-driven security
     3. Compliance as code
     4. Serverless compliance-as-code model
     5. DevSecOps: security in the CI/CD pipeline
     6. CASBs: cloud access security brokers for SaaS applications
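Items 2 to 4 on this slide (event-driven security, compliance as code, a serverless model for it) come together in one pattern: each change event from the cloud audit log is run through a set of codified rules, and a violation triggers an automated remediation. The block below is an added example and not code from the deck or any provider; the event shape is a simplified, constructed one loosely modelled on cloud audit logs such as AWS CloudTrail, so the field names (`eventName`, `requestParameters`, `granteeURI`, `ipPermissions`) are assumptions rather than the real schema. The three rules catch a bucket ACL opened to the world, an admin port exposed to 0.0.0.0/0 or ::/0, and audit logging being switched off.

```python
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Tuple

ADMIN_PORTS = (22, 3389)  # SSH and RDP: the ports we never want world-reachable
PUBLIC_GRANTEE_SUFFIXES = ("AllUsers", "AuthenticatedUsers")


def rule_public_bucket_acl(ev: dict) -> Optional[str]:
    """Bucket ACL grants READ/WRITE/FULL_CONTROL to an anonymous group."""
    if ev["eventName"] != "PutBucketAcl":
        return None
    params = ev["requestParameters"]
    for grant in params.get("grants", []):
        public = grant.get("granteeURI", "").endswith(PUBLIC_GRANTEE_SUFFIXES)
        if public and grant.get("permission") in ("READ", "WRITE", "FULL_CONTROL"):
            return f"reset ACL of bucket {params['bucketName']} to private"
    return None


def _is_world(cidr: str) -> bool:
    # Prefix length 0 covers both 0.0.0.0/0 and ::/0.
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_open_admin_port(ev: dict) -> Optional[str]:
    """Security-group ingress from any address on an admin port."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = ev["requestParameters"]
    for perm in params.get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        # A missing port range means "all ports", which also covers admin ports.
        covers_admin = lo is None or any(lo <= p <= hi for p in ADMIN_PORTS)
        if covers_admin and any(_is_world(r) for r in perm.get("ipRanges", [])):
            return f"revoke ingress {lo}-{hi} from {perm['ipRanges']} on {params['groupId']}"
    return None


def rule_audit_log_tampering(ev: dict) -> Optional[str]:
    """Someone turned the audit trail off: restore it and alert, don't just log."""
    if ev["eventName"] in ("StopLogging", "DeleteTrail"):
        return f"re-enable trail {ev['requestParameters']['name']} and page on-call"
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "public_bucket_acl": rule_public_bucket_acl,
    "open_admin_port": rule_open_admin_port,
    "audit_log_tampering": rule_audit_log_tampering,
}


def evaluate_event(ev: dict) -> List[Tuple[str, str]]:
    """Run every rule over one event; return (rule name, remediation) pairs."""
    return [(name, action) for name, rule in RULES.items() if (action := rule(ev))]


def process(events: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """What a serverless handler would do per event, applied to a batch."""
    return {ev["eventID"]: evaluate_event(ev) for ev in events}


# Constructed events (simplified shape, see lead-in); none are real log records.
EVENTS = [
    {"eventID": "ev-1", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-bucket", "grants": [
         {"granteeURI": "http://acs.amazonaws.com/groups/global/AllUsers",
          "permission": "READ"}]}},
    {"eventID": "ev-2", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-example", "ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    {"eventID": "ev-3", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-example", "ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]}},
    {"eventID": "ev-4", "eventName": "StopLogging",
     "requestParameters": {"name": "example-trail"}},
    {"eventID": "ev-5", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-bucket", "grants": [
         {"granteeID": "canonical-user-example", "permission": "FULL_CONTROL"}]}},
]

if __name__ == "__main__":
    for event_id, findings in process(EVENTS).items():
        print(event_id, findings or "compliant")
```

Each rule returns the remediation as data instead of performing it, so the same rule set can run in audit-only mode first (trust, but verify) and be switched to enforce once the false-positive rate is known.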