Introduction to Cloud Security : Agile India 2018

Transcript

1. James Stewart |@jystewart | [email protected] Securing “the cloud”

2. Software developer and product manager Co-founded UK Government Digital Service

   Deputy CTO, UK Government Digital leadership, technology and security advisor James Stewart |@jystewart | [email protected]

3. @jystewart Why do we worry so much about cloud security?

4. https://www.wired.com/story/github-ddos-memcached/

5. @jystewart “Hackers stole a total of £130bn from consumers in

   2017, including £4.6bn from British internet users, according to a new report from cybersecurity firm Norton. The most common crimes were generally low- tech, such as attempts to trick individuals into revealing their personal information through bogus emails with generally low costs to victims.” https://www.theguardian.com/technology/2018/jan/23/cybercrime-130bn-stolen- consumers-2017-report-victims-phishing-ransomware-online-hacking https://us.norton.com/cyber-security-insights-2017

6. @jystewart “Why does everyone who works in government become obsessed

   with security?”

7. @jystewart It’s all about trust and competence

8. @jystewart https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

9. @jystewar https://insidegovuk.blog.gov.uk/2016/11/15/incident-report-gov-uk-dns-outage/

10. @jystewart Why do we worry so much about cloud security?

11. None

12. @jystewart Cloud represents change

13. @jystewart In using cloud we have to acknowledge that responsibility

    is distributed

14. @jystewart "the risk of the new should seem negligible compared

    to the urgency of change” https://www.linkedin.com/pulse/reducing-risk-cloud-overcoming- status-quo-bias-mark-schwartz

15. @jystewart Any change requires cultural shifts

16. GDS

17. None

18. @jystewart 1. Data in transit protection 2. Asset protection and

    resilience 3. Separation between users 4. Governance framework 5. Operational security 6. Personnel security 7. Secure development 8. Supply chain security 9. Secure user management 10. Identity and authentication 11. External interface protection 12. Secure service administration 13. Audit information for users 14. Secure use of the service
19. None

20. @jystewart So first

21. @jystewart Understand your context

22. @jystewart Identify your assets

23. @jystewart Consider your threats

24. @jystewart Harness the whole team

25. @jystewart Start from the end

26. https://www.schneier.com/academic/archives/1999/12/attack_trees.html

27. @jystewar Practice, practice, practice https://gdstechnology.blog.gov.uk/2015/02/06/running-a-game-day-for-gov-uk/

28. @jystewart But what about cloud?

29. @jystewart Focus on identity

30. @jystewart 1. Data in transit protection 2. Asset protection and

    resilience 3. Separation between users 4. Governance framework 5. Operational security 6. Personnel security 7. Secure development 8. Supply chain security 9. Secure user management 10. Identity and authentication 11. External interface protection 12. Secure service administration 13. Audit information for users 14. Secure use of the service

31. @jystewart Emphasise observability

32. @jystewart Build quality in

33. @jystewart Make change easy

34. Help everyone understand their context

35. https://www.gov.uk/design-principles & https://www.flickr.com/photos/psd/9104280608/

36. @jystewart “If security doesn't work for people, it doesn't work”

    - Emma W from NCSC https://www.ncsc.gov.uk/blog-post/cyberuk-2017-people-strongest-link

37. James Stewart |@jystewart | [email protected] Thank you