GRC Dynamics in
Securing Cloud
Noman Bari
PMP, CISSP, CCSP, AWSCCP, CISA, CISM, CEH, ISO 27001 LI
MMIS Information Security Management (NSU)
www.linkedin.com/in/nbari
nomanbari@gmail.com
Disclaimer
I am not representing any company/organization, as I am giving this
presentation in my personal capacity. The views/opinions shared are
mine. I am not affiliated with Digital Perspective. The information being
shared is easily available in the public domain, and wherever possible the
source of the information has been shared. The companies I mention
will be named only to explain points relevant to my presentation.
Information Security Governance
According to the Information Security Audit and Control Association
(ISACA):
The set of responsibilities and practices exercised by the board and
executive management with the goal of providing
strategic direction,
ensuring that objectives are achieved,
ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.
Questions to Ask
• Who owns the information security risk(s)?
• Do the owner(s) care about those risk(s)?
• Do you as a security professional care about those risk(s)?
• Do you know what your mission critical assets are & where are they
located?
• What are the key security objectives with regards to protecting your
critical assets?
• How many resources is your organization willing to provide to secure
those critical assets?
• Do you have unlimited security budget?
IT Governance vs Information Security
Governance
• IT Governance focuses more on aspects of IT operations/ IT services
• Information Security Governance focuses on overall information
security posture of the organization
• CISO reporting to CIO debate
• The role of Board
• Your role
Risk Management
• Know your assets
• Categorize your assets
• Prioritize assets with regards to their criticality to your organization’s
business objectives
• Do you have unlimited security budget?
• Can you have Zero risk?
• Can you guarantee 100% risk mitigation?
• What’s your organization’s risk appetite?
• Practicing due diligence & due care in minimizing risk(s)
• Never ends, as new risk(s) continuously arise
• Powerful Sponsor(s) – An absolute must
Current Cybersecurity Risk Environment
• The threat landscape is a target rich environment.
• So far it looks like there is no such thing as 100% secure
cloud/on-prem network/operating systems/applications.
• There are great chances that there will always be
vulnerabilities in the cloud/on-prem network/operating
systems/applications.
• The complexities of various technologies and how they interact
with each other provide new threat vectors to a hostile
adversary.
• Moving to the Cloud doesn’t mean your information will be
more secure.
Big Question
How far is an adversary willing to go to compromise the information
which is valuable to you?
Compliance
• Plethora of Compliance standards
• Organizations still get breached
• Compliance sets the minimum bar that you will have to meet
• You will have to do more
• Know your business & business objectives
Goal
• Vulnerabilities will always be there leading to
exploitable risk(s).
• Threat actors will always be out there trying to exploit
the risk(s) that vulnerabilities present.
• Our goal should be to continuously strive to minimize
the risk(s) that vulnerabilities pose.
Information Security Governance Outcomes
ISACA’s research shows 6 outcomes of an effective GRC program:
Strategic Alignment – Aligning security activities in support of organizational objectives
Risk Management – Executing appropriate measures to manage risks and potential impacts to an
acceptable level
Business Process Assurance/Governance – Integrate all relevant assurance processes to improve
overall security & efficiency
Value Delivery – Optimizing investments in support of organization’s business objectives
Resource Management – Utilizing organizational resources efficiently and effectively
Performance Management – Monitoring and reporting on security processes to ensure that business
objectives are achieved
GRC in Cloud
• The same GRC fundamentals and thought process carry over into the cloud
• Moving to the Cloud inherently DOES NOT secure you
• As noted by AWS, AWS is responsible for security OF the Cloud, whereas the customer is responsible for
security IN the Cloud (https://aws.amazon.com/compliance/shared-responsibility-model/)
Shared Responsibility Model
Scaling GRC in Cloud by AWS
https://aws.amazon.com/blogs/security/scaling-a-governance-risk-and-compliance-program-for-the-cloud/
AWS Artifact
AWS Artifact Reports provide several compliance reports from third-party auditors who have tested
and verified AWS compliance with a variety of global, regional, and industry-specific security
standards and regulations. When new reports are released, they are made available in AWS Artifact.
https://aws.amazon.com/artifact/
IAM in Cloud
IAM Example
Cloud Access Security Broker
• CASB acts as a proxy between apps in the cloud and users
• Provides visibility into what users are doing in the cloud
• Helps in achieving compliance and meeting regulatory requirements
• Integrates with your on-prem Microsoft AD and/or IdP
• Minimize risks related to Shadow IT
https://www.esecurityplanet.com/products/top-casb-vendors.html
https://www.forcepoint.com/product/casb-cloud-access-security-broker
Blockchain Fundamentals
• Blockchain is a persistent, transparent, public, append-only ledger.
• Blockchain is a system that you can only add data to; you cannot delete or
change previous data within it.
• Blockchain does this through a mechanism for creating consensus between
scattered or distributed parties that do not need to trust each other but rather trust
the mechanism by which their consensus has been arrived at.
• Blockchain relies on some form of challenge such that no one actor on the
network is able to solve this challenge consistently more than everyone else on
the network.
• Blockchain randomizes the process and in theory it ensures that no one can force
the blockchain to accept a particular entry onto the ledger that others disagree
with. It relies on a mechanism for a peer-to-peer network that can
maintain updates to the ledger and then verify those updates in such a way that
it is impossible to defraud and impossible to alter after the fact.
Finn Brunton, New York University
Blockchain Fundamentals (Contd.)
• Essentially Blockchain is a specific type of database, a copy of which is
replicated to each and every node of a blockchain network.
• The contents of a Blockchain ledger, albeit a digital one, comprise these
core components:
- Mathematically computed digital transactions based on cryptographic
algorithm that are replicated, shared & synchronized throughout the nodes
in the peer-to-peer network
- Secured by virtue of Cryptography
- Deleting/editing the existing blocks in the chain isn’t allowed, so Blockchain
is immutable.
• Blockchain is based on a Distributed Ledger Technology
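The two properties the slides above name, append-only growth and immutability enforced by cryptography, can be seen in a minimal hash-chained ledger. This is an added illustration, not code from the presentation or from any real blockchain; the ledger entries (access-grant records) are constructed sample data, and the tamper_with helper simulates a party rewriting history out of band.

```python
"""Minimal append-only, hash-chained ledger (constructed example).

Every block commits to its predecessor through a SHA-256 hash, so editing or
deleting an earlier block breaks the link that the following block records.
The example also shows the one case chain verification alone cannot catch
(rewriting the most recent block), which is why the slides stress that a copy
of the ledger is replicated to every node: a forged tail disagrees with the
head hash every other replica holds.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # hash of the preceding block ("0" * 64 for the genesis block)
    data: str        # the transaction payload recorded in this block
    hash: str        # SHA-256 over (index, prev_hash, data)


def block_hash(index: int, prev_hash: str, data: str) -> str:
    # Canonical JSON so identical fields always produce the identical digest.
    payload = json.dumps({"i": index, "p": prev_hash, "d": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """Append-only list of blocks; there is deliberately no edit or delete method."""

    GENESIS_PREV = "0" * 64

    def __init__(self) -> None:
        self._blocks: list[Block] = []

    def append(self, data: str) -> Block:
        index = len(self._blocks)
        prev_hash = self._blocks[-1].hash if self._blocks else self.GENESIS_PREV
        blk = Block(index, prev_hash, data, block_hash(index, prev_hash, data))
        self._blocks.append(blk)
        return blk

    def blocks(self) -> list[Block]:
        return list(self._blocks)  # a copy, so callers cannot mutate the chain


def verify_chain(blocks: list[Block]) -> tuple[bool, int]:
    """Return (ok, first_bad_index); first_bad_index is -1 when the chain is intact."""
    expected_prev = Ledger.GENESIS_PREV
    for i, blk in enumerate(blocks):
        if blk.index != i or blk.prev_hash != expected_prev:
            return False, i          # link to the predecessor is broken
        if block_hash(blk.index, blk.prev_hash, blk.data) != blk.hash:
            return False, i          # recorded digest does not match the contents
        expected_prev = blk.hash
    return True, -1


def tamper_with(blocks: list[Block], index: int, new_data: str) -> list[Block]:
    """Simulate a forger rewriting one historical entry and recomputing its hash."""
    edited = list(blocks)
    old = edited[index]
    edited[index] = Block(old.index, old.prev_hash, new_data,
                          block_hash(old.index, old.prev_hash, new_data))
    return edited


def demo() -> dict:
    ledger = Ledger()
    # Constructed sample entries: an access-review trail.
    for entry in ("grant:alice:s3-read", "grant:bob:iam-admin", "revoke:bob:iam-admin"):
        ledger.append(entry)
    intact = ledger.blocks()
    honest_head = intact[-1].hash    # the head hash every other replica holds

    # Case 1: rewrite a middle block. Its own hash is valid again, but block 2
    # still records the old prev_hash, so verification fails at index 2.
    mid_forged = tamper_with(intact, 1, "grant:bob:s3-read")

    # Case 2: rewrite the tail block. The chain is self-consistent, so only a
    # comparison with the replicated head hash reveals the forgery.
    tail_forged = tamper_with(intact, 2, "grant:bob:iam-admin")

    return {
        "intact": verify_chain(intact),                       # (True, -1)
        "mid_forged": verify_chain(mid_forged),               # (False, 2)
        "tail_forged": verify_chain(tail_forged),             # (True, -1)
        "tail_matches_replicas": tail_forged[-1].hash == honest_head,  # False
    }


if __name__ == "__main__":
    print(demo())
```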
Blockchain Future
Massive growth projections forecasted in Blockchain utilization
https://www.statista.com/statistics/647231/worldwide-blockchain-technology-market-size/
GRC - Blockchain
• Every other day there is a data breach news
• Using blockchain, data can be tokenized, rendering it illegible, and then
split into fragments that are randomly spread across a private
blockchain
https://www.paymentssource.com/opinion/blockchain-can-take-friction-out-of-pci-compliance
https://www.altr.com/
https://aws.amazon.com/blockchain/
Q & A
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

GRC Dynamics in Securing Cloud

Risk Management
• Know your assets
• Categorize your assets
• Prioritize assets with regards to their criticality to your organization's business objectives
• Do you have unlimited security budget?
• Can you have zero risk?
• Can you guarantee 100% risk mitigation?
• What's your organization's risk appetite?
• Practicing due diligence & due care in minimizing risk(s)
• Never ends, as new risk(s) continuously arise
• Powerful sponsor(s): an absolute must

Current Cybersecurity Risk Environment
• The threat landscape is a target-rich environment.
• So far there is no such thing as a 100% secure cloud, on-prem network, operating system or application.
• There will very likely always be vulnerabilities in the cloud, on-prem networks, operating systems and applications.
• The complexity of the various technologies, and of how they interact with each other, provides new threat vectors to a hostile adversary.
• Moving to the cloud does not mean your information will be more secure.

Big Question
How far is an adversary willing to go to compromise the information that is valuable to you?

Compliance
• Plethora of compliance standards
• Organizations still get breached
• Compliance sets the minimum bar that you have to meet
• You will have to do more
• Know your business & business objectives

Goal
• Vulnerabilities will always be there, leading to exploitable risk(s).
• Threat actors will always be out there trying to exploit the risk(s) those vulnerabilities present.
• Our goal should be to continuously strive to minimize the risk(s) that vulnerabilities pose.

Information Security Governance Outcomes
ISACA's research identifies six outcomes of effective information security governance:
• Strategic Alignment: aligning security activities in support of organizational objectives
• Risk Management: executing appropriate measures to manage risks and potential impacts to an acceptable level
• Business Process Assurance/Governance: integrating all relevant assurance processes to improve overall security & efficiency
• Value Delivery: optimizing investments in support of the organization's business objectives
• Resource Management: utilizing organizational resources efficiently and effectively
• Performance Management: monitoring and reporting on security processes to ensure that business objectives are achieved

GRC in Cloud
• The same GRC fundamentals and thought process carry over to the cloud
• Moving to the cloud inherently DOES NOT secure you
• As noted by AWS, AWS is responsible for Security of the Cloud, whereas the customer is responsible for Security in the Cloud (https://aws.amazon.com/compliance/shared-responsibility-model/). In practice the customer still owns identity and access management, guest operating system patching, network and firewall configuration, and the encryption of its own data.
Scaling GRC in Cloud by AWS
https://aws.amazon.com/blogs/security/scaling-a-governance-risk-and-compliance-program-for-the-cloud/

AWS Artifact
AWS Artifact Reports provides several compliance reports from third-party auditors who have tested and verified AWS's compliance with a variety of global, regional and industry-specific security standards and regulations. When new reports are released, they are made available in AWS Artifact. Note that these reports evidence AWS's side of the shared responsibility model only; they say nothing about how a customer has configured its own workloads.
https://aws.amazon.com/artifact/

Cloud Access Security Broker
• A CASB sits between users and cloud applications, either inline as a proxy or out-of-band through the applications' APIs
• Provides visibility into what users are doing in the cloud
• Helps in achieving compliance and meeting regulatory requirements
• Integrates with your on-prem Microsoft AD and/or IdP
• Minimizes risks related to shadow IT
https://www.esecurityplanet.com/products/top-casb-vendors.html
https://www.forcepoint.com/product/casb-cloud-access-security-broker
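The shadow-IT discovery a CASB performs boils down to correlating egress logs against a catalogue of cloud applications and an allow-list of sanctioned ones. The following is an added example written for this page, not code from any CASB product: it runs that logic over a handful of constructed Squid-style proxy log lines. The sanctioned-app list, the cloud-app catalogue and the log lines are all hypothetical; a real deployment would take the catalogue from the CASB vendor and the allow-list from the identity provider's application inventory.

```python
"""Shadow-IT discovery over web proxy logs, the core of a CASB's cloud
discovery feature.  Added example; the log lines, the sanctioned-app
allow-list and the cloud-app catalogue below are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, Optional

# Sanctioned SaaS applications, keyed by the domains they are served from.
# Hypothetical allow-list; a real one comes from your IdP / CASB app inventory.
SANCTIONED: Dict[str, str] = {
    "office365.com": "Microsoft 365",
    "sharepoint.com": "Microsoft 365",
    "salesforce.com": "Salesforce",
}

# Cloud storage / sharing services we want to flag when used unsanctioned.
# Hypothetical catalogue of domain -> application name.
CLOUD_APPS: Dict[str, str] = {
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "drive.google.com": "Google Drive",
    "pastebin.com": "Pastebin",
}

# Constructed access-log format: epoch user method url bytes_sent
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
1715000001 alice GET https://outlook.office365.com/mail 5120
1715000002 bob POST https://www.dropbox.com/upload 8388608
1715000003 bob POST https://www.dropbox.com/upload 4194304
1715000004 carol GET https://login.salesforce.com/ 2048
1715000005 dave POST https://pastebin.com/api/api_post.php 65536
1715000006 alice POST https://drive.google.com/upload 2097152
1715000007 erin GET https://wetransfer.com/ 1024
"""


def host_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without scheme or port."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(host: str, catalogue: Dict[str, str]) -> Optional[str]:
    """Match a host against a domain catalogue, honouring subdomains
    (outlook.office365.com matches office365.com)."""
    for domain, app in catalogue.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None


def discover_shadow_it(log_text: str) -> Dict[str, dict]:
    """Aggregate users, request counts and upload volume per unsanctioned
    cloud app.  Returns {app: {"users": set, "requests": int, "bytes_out": int}}."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        host = host_of(m["url"])
        if classify(host, SANCTIONED):
            continue  # approved application, not shadow IT
        app = classify(host, CLOUD_APPS)
        if app is None:
            continue  # unknown destination; a real CASB would look it up
        rec = findings[app]
        rec["users"].add(m["user"])
        rec["requests"] += 1
        # Only uploads (POST/PUT) move data out of the organisation.
        if m["method"] in ("POST", "PUT"):
            rec["bytes_out"] += int(m["bytes"])
    return dict(findings)


if __name__ == "__main__":
    report = discover_shadow_it(SAMPLE_LOG)
    for app, rec in sorted(report.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True):
        print(f"{app:12} users={sorted(rec['users'])} "
              f"requests={rec['requests']} bytes_out={rec['bytes_out']}")
```

Ranking by bytes uploaded rather than by hit count is deliberate: a single 8 MB POST to an unsanctioned file-sharing site is the event a GRC owner cares about, while hundreds of GETs to the same site are usually just browsing.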
Blockchain Fundamentals
• Blockchain is a persistent, transparent, public, append-only ledger.
• Blockchain is a system that you can only add data to; you cannot delete it or change previous data within it.
• Blockchain does this through a mechanism for creating consensus between scattered or distributed parties that do not need to trust each other, but rather trust the mechanism by which their consensus has been arrived at.
• Blockchain relies on some form of challenge such that no one actor on the network is able to solve this challenge consistently more than everyone else on the network.
• Blockchain randomizes the process and, in theory, ensures that no one can force the blockchain to accept a particular entry onto the ledger that others disagree with. One that relies on the mechanism for a peer-to-peer network that can maintain updates to the ledger and then verify those updates in such a way that it is impossible to defraud and impossible to alter after the fact.
Finn Brunton, New York University

Blockchain Fundamentals (Contd.)
• Essentially, a blockchain is a specific type of database, a copy of which is replicated to each and every node of the blockchain network.
• The contents of a blockchain ledger, albeit a digital one, comprise these core components:
- Digital transactions, computed mathematically using cryptographic algorithms, that are replicated, shared & synchronized throughout the nodes in the peer-to-peer network
- Secured by virtue of cryptography: each block carries the hash of the block before it, so any node can re-verify the whole chain
- Existing blocks in the chain cannot be deleted or edited without breaking that chain of hashes, which is what makes the blockchain immutable
• Blockchain is one form of distributed ledger technology (DLT)
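The two slides above describe the mechanism in words: blocks chained by hashes, a challenge that has to be solved before a block is accepted, and the impossibility of altering the ledger after the fact. The following is an added example, written for this page and not taken from any blockchain project, that builds a toy hash-chained ledger with a tiny proof-of-work and then shows what happens when an earlier block is edited: verification fails at that block, and if the attacker re-mines the edited block, it fails at the next one instead, because every later block still commits to the old hash. The difficulty, block layout and transaction records are assumptions chosen to keep the example fast and readable.

```python
"""Minimal append-only, hash-chained ledger with a toy proof-of-work.
Added example to illustrate the slides; it is not a real blockchain client.
DIFFICULTY, the block layout and the sample transactions are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

DIFFICULTY = 2  # required leading hex zeros in a block hash; tiny so it runs fast


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: List[dict]
    nonce: int = 0
    hash: str = field(init=False, default="")

    def compute_hash(self) -> str:
        """SHA-256 over canonical JSON of the block's contents (never over the
        stored hash itself), so a change to any field changes the digest."""
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def mine(self) -> None:
        """The 'challenge': find a nonce whose hash has DIFFICULTY leading zeros."""
        self.nonce = 0
        while True:
            h = self.compute_hash()
            if h.startswith("0" * DIFFICULTY):
                self.hash = h
                return
            self.nonce += 1


class Ledger:
    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, [{"note": "genesis"}])
        genesis.mine()
        self.chain: List[Block] = [genesis]

    def append(self, transactions: List[dict]) -> Block:
        """The only write operation: add a block on top of the current tip."""
        block = Block(len(self.chain), self.chain[-1].hash, transactions)
        block.mine()
        self.chain.append(block)
        return block

    def first_invalid_block(self) -> Optional[int]:
        """Re-verify the whole chain from genesis.  Returns the index of the
        first block that fails (contents changed, challenge unsolved, or link
        to the predecessor broken), or None if the chain is intact."""
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash():
                return i  # contents changed after mining
            if not block.hash.startswith("0" * DIFFICULTY):
                return i  # challenge not solved
            if i > 0 and block.prev_hash != self.chain[i - 1].hash:
                return i  # link to predecessor broken
        return None


def _three_block_ledger() -> Ledger:
    ledger = Ledger()
    ledger.append([{"from": "alice", "to": "bob", "amount": 5}])
    ledger.append([{"from": "bob", "to": "carol", "amount": 2}])
    return ledger


def tamper_demo() -> Optional[int]:
    """Edit a transaction in block 1 after the fact; verification fails at 1."""
    ledger = _three_block_ledger()
    ledger.chain[1].transactions[0]["amount"] = 500
    return ledger.first_invalid_block()


def tamper_and_remine_demo() -> Optional[int]:
    """Edit block 1 and redo its proof-of-work; block 1 now verifies, but
    block 2 still points at the old hash, so verification fails at 2.  The
    attacker would have to redo every later block's work as well."""
    ledger = _three_block_ledger()
    ledger.chain[1].transactions[0]["amount"] = 500
    ledger.chain[1].mine()
    return ledger.first_invalid_block()


if __name__ == "__main__":
    print("intact chain, first invalid block:", _three_block_ledger().first_invalid_block())
    print("after editing block 1:", tamper_demo())
    print("after editing and re-mining block 1:", tamper_and_remine_demo())
```

What the toy does not model is the distributed part: in a real network the attacker also has to get the rewritten chain accepted by the other nodes, which is where the consensus mechanism and the "no one actor can consistently win the challenge" property from the previous slide come in.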
Blockchain Future
Massive growth projections forecasted in blockchain utilization
https://www.statista.com/statistics/647231/worldwide-blockchain-technology-market-size/

GRC - Blockchain
• Every other day there is data breach news
• Using blockchain, data can be tokenized, rendering it illegible, and then split into fragments that are randomly spread across a private blockchain. The token vault and the fragment stores then become the sensitive assets that must be protected.
https://www.paymentssource.com/opinion/blockchain-can-take-friction-out-of-pci-compliance
https://www.altr.com/
https://aws.amazon.com/blockchain/
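To make the "tokenize, then fragment" idea concrete, here is an added example written for this page. It is a simplified sketch of the concept and not the implementation of ALTR, AWS or any other vendor: a card number is replaced by a random token before it ever reaches the ledger record, and the vault entry that maps the token back is split with an XOR n-of-n scheme across several stores standing in for separate nodes, so that any single store holds only a random-looking fragment. The number of stores, the token format and the sample card number are assumptions.

```python
"""Tokenise a sensitive value and fragment the vault entry so that no single
store holds it.  Added example illustrating the slide's tokenise-then-fragment
idea; it is a simplified sketch, not ALTR's or AWS's implementation.  The XOR
n-of-n split is all-or-nothing: every fragment is needed to rebuild the value,
and any n-1 fragments are statistically independent of it."""
import secrets
from typing import Dict, List

FRAGMENT_STORES = 3  # hypothetical number of separate stores / ledger nodes


def tokenize(pan: str) -> str:
    """Replace a card number with a random token that keeps only the last
    four digits for display; the token carries no information about the rest."""
    return "tok_" + secrets.token_hex(8) + "_" + pan[-4:]


def fragment(data: bytes, n: int = FRAGMENT_STORES) -> List[bytes]:
    """Split data into n random fragments whose XOR equals data."""
    if n < 2:
        raise ValueError("need at least two fragments")
    parts = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = bytes(data)
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def reassemble(parts: List[bytes]) -> bytes:
    """XOR all fragments back together; fails loudly on a missing/mismatched one."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("fragment length mismatch")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


class TokenVault:
    """Maps tokens to fragmented originals.  self.stores[i] stands in for the
    i-th node; the ledger record itself only ever contains the token."""

    def __init__(self, n: int = FRAGMENT_STORES) -> None:
        self.stores: List[Dict[str, bytes]] = [dict() for _ in range(n)]

    def protect(self, pan: str) -> str:
        token = tokenize(pan)
        for store, part in zip(self.stores, fragment(pan.encode(), len(self.stores))):
            store[token] = part
        return token

    def reveal(self, token: str) -> str:
        """Needs read access to every store; one compromised store yields
        only a random-looking fragment of the original."""
        return reassemble([s[token] for s in self.stores]).decode()


def demo() -> dict:
    """Protect a constructed test card number and show what each party sees."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample, not a real card
    token = vault.protect(pan)
    ledger_record = {"merchant": "acme", "amount": 42.00, "card": token}
    return {
        "token": token,
        "ledger_record": ledger_record,
        "single_fragment_equals_pan": vault.stores[0][token] == pan.encode(),
        "round_trip": vault.reveal(token),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The security argument rests entirely on where the vault lives and who can read all of its stores at once: if the same credential reaches every store, the fragmentation adds nothing over a single vault, which is why the slide's caveat about protecting the vault matters more than the ledger itself.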
  • 24. Q & A