GRC Dynamics in Securing Cloud
1. GRC Dynamics in Securing Cloud
Noman Bari
PMP, CISSP, CCSP, AWS CCP, CISA, CISM, CEH, ISO 27001 LI
MMIS Information Security Management (NSU)
www.linkedin.com/in/nbari
nomanbari@gmail.com
2. Disclaimer
I am not representing any company/organization, as I am giving this
presentation in my personal capacity. The views/opinions shared are
mine. I am not affiliated with Digital Perspective. The information being
shared is readily available in the public domain, and wherever possible
the source of the information has been cited. The companies I
mention are mentioned only to explain points relevant to my
presentation.
3. Information Security Governance
According to the Information Systems Audit and Control Association
(ISACA), information security governance is:
The set of responsibilities and practices exercised by the board and
executive management with the goal of providing
strategic direction,
ensuring that objectives are achieved,
ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.
4. Questions to Ask
• Who owns the information security risk(s)?
• Do the owner(s) care about those risk(s)?
• Do you, as a security professional, care about those risk(s)?
• Do you know what your mission-critical assets are and where they are
located?
• What are the key security objectives with regard to protecting your
critical assets?
• How many resources is your organization willing to provide to secure
those critical assets?
• Do you have unlimited security budget?
5. IT Governance vs Information Security Governance
• IT Governance focuses more on IT operations and IT service delivery
• Information Security Governance focuses on the overall information
security posture of the organization
• The CISO-reporting-to-CIO debate (an independent reporting line avoids the conflict of interest that arises when security findings are reported to the owner of the systems they concern)
• The role of Board
• Your role
6. Risk Management
• Know your assets
• Categorize your assets
• Prioritize assets with regards to their criticality to your organization’s
business objectives
• Do you have unlimited security budget?
• Can you have Zero risk?
• Can you guarantee 100% risk mitigation?
• What’s your organization’s risk appetite?
• Practicing due diligence and due care in minimizing risk(s)
• Never ends, as new risk(s) continuously arise
• Powerful Sponsor(s) – An absolute must
7. Current Cybersecurity Risk Environment
• The threat landscape is a target rich environment.
• So far it looks like there is no such thing as 100% secure
cloud/on-prem network/operating systems/applications.
• There is a high likelihood that there will always be
vulnerabilities in cloud/on-prem networks, operating
systems and applications.
• The complexity of the various technologies, and of how they interact
with each other, provides new threat vectors to a hostile
adversary.
• Moving to the Cloud doesn’t mean your information will be
more secure.
8. Big Question
How far is an adversary willing to go to compromise the information
that is valuable to you?
9. Compliance
• Plethora of Compliance standards
• Organizations still get breached
• Compliance sets the minimum bar that you will have to meet
• You will have to do more
• Know your business & business objectives
10. Goal
• Vulnerabilities will always be there, leading to
exploitable risk(s).
• Threat actors will always be out there trying to exploit
the vulnerabilities that are present.
• Our goal should be to continuously strive to
minimize the risk(s) that vulnerabilities pose.
11. Information Security Governance Outcomes
ISACA’s research identifies six outcomes of an effective information security governance program:
Strategic Alignment – Aligning security activities in support of organizational objectives
Risk Management – Executing appropriate measures to manage risks and potential impacts to an
acceptable level
Business Process Assurance/Governance – Integrate all relevant assurance processes to improve
overall security & efficiency
Value Delivery – Optimizing investments in support of organization’s business objectives
Resource Management – Utilizing organizational resources efficiently and effectively
Performance Management - Monitoring and reporting on security processes to ensure that business
objectives are achieved
12. GRC in Cloud
• The same GRC fundamentals and thought process carry over to the cloud
• Moving to the Cloud inherently DOES NOT secure you
• As noted by AWS, AWS is responsible for security OF the cloud (facilities, hardware, hypervisor, managed-service software), whereas the customer is responsible for security IN the cloud (data, identity and access management, configuration, encryption, guest OS and application patching)
(https://aws.amazon.com/compliance/shared-responsibility-model/)
14. Scaling GRC in Cloud by AWS
https://aws.amazon.com/blogs/security/scaling-a-governance-risk-and-compliance-program-for-the-cloud/
15. AWS Artifact
AWS Artifact provides on-demand access to compliance reports from third-party auditors who have tested
and verified AWS’s compliance with a variety of global, regional, and industry-specific security
standards and regulations. When new reports are released, they are made available in AWS Artifact. Note that these reports cover AWS’s side of the shared responsibility model only; they do not attest to how a customer has configured its own workloads.
https://aws.amazon.com/artifact/
19. Cloud Access Security Broker
• A CASB sits as a proxy (or consumes firewall/proxy logs and cloud APIs) between users and cloud apps
• Provides visibility into what users are doing in the cloud
• Helps in achieving compliance and meeting regulatory requirements
• Integrates with your on-prem Microsoft AD and/or IdP
• Minimizes risks related to Shadow IT by discovering unsanctioned cloud apps in use
https://www.esecurityplanet.com/products/top-casb-vendors.html
https://www.forcepoint.com/product/casb-cloud-access-security-broker
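The Shadow IT visibility described above is, in its simplest form, log discovery: the CASB (or a script) reads proxy logs and reports which cloud applications are being used that are not on the sanctioned list. The following is an added example, not code from the presentation or from any CASB vendor; the log layout (timestamp, user, method, target, bytes) and the sanctioned-domain list are assumptions, and the log lines are constructed for the example.

```python
"""Shadow IT discovery over proxy logs (added example, hypothetical log format)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in an assumed "timestamp user method target bytes" layout.
SAMPLE_LOG = """\
1712000000.123 alice CONNECT outlook.office365.com:443 5120
1712000001.456 alice GET https://www.dropbox.com/home 204800
1712000002.789 bob CONNECT drive.google.com:443 1048576
1712000003.012 bob GET https://app.box.com/folder/1 40960
1712000004.345 carol CONNECT tenant.sharepoint.com:443 8192
1712000005.678 carol POST https://wetransfer.com/upload 5242880
malformed line that should be skipped
"""

# Sanctioned SaaS domains per a hypothetical policy; matched by exact host or dot-suffix.
SANCTIONED = {"office365.com", "sharepoint.com", "company.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<bytes>\d+)$"
)


def host_of(target):
    """Extract the host from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def is_sanctioned(host):
    """Suffix match with a leading dot so 'evil-sharepoint.com' is not treated as sharepoint.com."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def parse_log(text):
    """Yield (user, host, bytes) per well-formed line; discovery must tolerate noise."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield m["user"], host_of(m["target"]), int(m["bytes"])


def discover_shadow_it(text):
    """Return {host: {"users": set, "bytes": int}} for every unsanctioned host seen."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0})
    for user, host, nbytes in parse_log(text):
        if not host or is_sanctioned(host):
            continue
        report[host]["users"].add(user)
        report[host]["bytes"] += nbytes
    return dict(report)


if __name__ == "__main__":
    # Largest data movers first: a practical triage order for unsanctioned apps.
    findings = discover_shadow_it(SAMPLE_LOG)
    for host, info in sorted(findings.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{host:24} users={sorted(info['users'])} bytes={info['bytes']}")
```

A real CASB adds an app catalogue (risk scores, certifications) on top of this, but the governance question is the same one the slide asks: who owns the risk of the apps that appear in this report, and do they know they are in use?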
20. Blockchain Fundamentals
• Blockchain is a persistent, transparent, public, append-only ledger.
• Blockchain is a system that you can only add data to but not delete it or not
change previous data within it.
• Blockchain does this through a mechanism for creating consensus between
scattered or distributed parties that do not need to trust each other, but rather trust
the mechanism by which their consensus has been arrived at.
• Blockchain relies on some form of challenge such that no one actor on the
network is able to solve this challenge consistently more than everyone else on
the network.
• Blockchain randomizes the process and, in theory, ensures that no one can force
the blockchain to accept a particular entry onto the ledger that others disagree
with: one that relies on a mechanism for a peer-to-peer network to
maintain updates to the ledger and then verify those updates in such a way that
it is impossible to defraud and impossible to alter after the fact.
Finn Brunton, New York University
21. Blockchain Fundamentals (Contd.)
• Essentially, a blockchain is a specific type of database, a copy of which is
replicated to each and every node of the blockchain network.
• The contents of the blockchain ledger, albeit a digital one, comprise these
core components:
- Digital transactions, computed with cryptographic algorithms, that are
replicated, shared and synchronized across the nodes of the peer-to-peer network
- Integrity secured by cryptography: each block carries the hash of the previous block, so
editing any block invalidates every block after it
- Deleting or editing existing blocks in the chain isn’t allowed, so the blockchain
is immutable. In practice this means tamper-evident rather than unalterable: rewriting
history requires control of the consensus mechanism, not just of one copy of the data.
• Blockchain is a form of Distributed Ledger Technology (DLT)
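The hash-chaining that gives a ledger its tamper evidence (each block committing to the hash of its predecessor, as described in the two slides above) can be shown in a few dozen lines. The block below is an added example, not code from the presentation or from any blockchain project: it is a single-party hash chain with no consensus, no signatures and no network, so it demonstrates only the integrity property, and the block layout, field names and sample entries are all assumptions made for the example.

```python
"""Minimal append-only hash chain (added example; integrity only, no consensus)."""
import hashlib
import json
import time

GENESIS_PREV = "0" * 64  # the first block commits to an all-zero predecessor hash


def block_hash(block):
    """SHA-256 over a canonical JSON serialization of everything except the block's own hash."""
    payload = {k: block[k] for k in ("index", "timestamp", "data", "prev_hash")}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, data, prev_hash, timestamp):
    block = {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    return block


def append_block(chain, data, timestamp=None):
    """Append-only: the new block commits to the hash of the current tail."""
    ts = timestamp if timestamp is not None else int(time.time())
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append(make_block(len(chain), data, prev, ts))
    return chain[-1]


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of the first bad block)."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if (block["index"] != i
                or block["prev_hash"] != expected_prev
                or block["hash"] != block_hash(block)):
            return False, i
    return True, None


def build_sample_chain():
    """Three constructed ledger entries with fixed timestamps so hashes are reproducible."""
    chain = []
    for i, entry in enumerate(["alice pays bob 5", "bob pays carol 2", "carol pays alice 1"]):
        append_block(chain, entry, timestamp=1_700_000_000 + i)
    return chain


def tamper_demo():
    """Edit a historical block; show where verification fails before and after a naive re-hash."""
    chain = build_sample_chain()
    chain[1]["data"] = "bob pays mallory 2"       # edit block 1 in place
    broken_at = verify_chain(chain)[1]            # block 1's stored hash no longer matches
    chain[1]["hash"] = block_hash(chain[1])       # attacker re-hashes the edited block ...
    still_broken_at = verify_chain(chain)[1]      # ... but block 2's prev_hash now mismatches
    return broken_at, still_broken_at


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("first failure before/after re-hash:", tamper_demo())
```

The second step of `tamper_demo` is the point: an attacker who edits one block must re-hash every later block as well. On a single copy that is trivial, which is why the slides stress replication to every node plus a consensus mechanism; those are what make the re-hashed tail something the rest of the network will refuse to accept.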
23. GRC - Blockchain
• There is news of a data breach almost every day
• In the approach described by the sources linked below, sensitive data is tokenized, rendering it illegible,
and then split into fragments that are randomly spread across a private
blockchain
https://www.paymentssource.com/opinion/blockchain-can-take-friction-out-of-pci-compliance
https://www.altr.com/
https://aws.amazon.com/blockchain/