Security in the Cloud.....What Changes?

Ken
October 05, 2018

Talk from 2018 BCCC Focus on Security Conference

Transcript

  1. Infrastructure as a Service (IaaS) is projected to grow 36.6% in 2017 alone, reaching $34.7B this year (Gartner).
  2. ISO/IEC definition: Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.
  3. According to Verizon's 2018 Data Breach Investigations Report, 40% of system breaches occur at the application layer. Yet only 3% to 4% of annual security budgets are spent on protecting applications. https://twitter.com/petecheslock/status/595617204273618944?lang=en
  4. Visibility, Auditability, Automated Response, ML/AR, Encryption, Rapid Innovation, Physical/Environmental, Containers/Patching, Mis-config!!!, Secrets/Creds, No (few) gates, Cloud as glorified CoLo, Skillset changes, Defining normal, OSS Vulnerabilities, Ephemeral.

     Organizations including Verizon, Booz Allen Hamilton, the WWE Foundation, Alteryx, the U.S. National Credit Federation, the Australian Broadcasting Corporation (ABC), and Accenture have all left information exposed due to configuration errors.
  5. Current Landscape
     - Network perimeter is gone
     - Increased spending has not made us more secure
     - Prevention measures have proven to have limited efficacy: breaches will happen
     - Attempts to significantly limit user access can impact agility and business goals
     - "Bolt-on" solutions get worked around
     - 99.9% of exploited vulnerabilities are > 1 yr old
     - Social attacks were utilized in 43% of all breaches (2017 VDBIR)
     - Increase in compliance requirements (SOC, PCI, FERPA, States)

     Our Strategy
     - Move preventative controls closer to the data (robust IAM, data encryption, masking and de-identification)
     - Build security "guardrails", not rigid procedures
     - Invest in new methods and technologies to improve Visibility/Detection/Response (VDR) capabilities
     - Let VDR inform preventative control investment (inc. deception tools)
     - Continuously scan for vulnerabilities and fix them
     - Incident response needs to be a core competency
     - Build security into processes and leverage automation
     - Develop "Human Firewalls": awareness and training
  6. Design
     - ASVS (Security) Requirements
     - Threat Modeling (Tier 3 Applications)

     Develop
     - Secret Management
     - Software Composition Analysis (SCA)
     - Configuration & Change Management

     Test
     - Feature & Functionality Security Testing
     - Interactive Security Testing (IAST)
     - Selective Application Penetration Testing

     Prod
     - Application Security Monitoring/Activity Logging
     - Infrastructure Security Monitoring & Patching
     - Runtime Protection (RASP)
     - Incident Response

     JIRA & Application Support: Risk Weighted Vulnerabilities, Security Events