4. KEY CONCERNS
Attack Vector
Lack of Visibility
Loss of Control
Physical Inaccessibility
Cross Border Laws
Multi Tenancy
Data Privacy
Regulatory Compliance
5. Top Security Risks
Compliance Risks
Data Leakage/Loss
Insecure Cloud Software
Malicious use of Cloud services
Account hijacking
Malicious Insider
Loss of Governance
Lock-In
Isolation Failure
Management Interface Compromise
Insecure or Incomplete Data Deletion
Administrative or legal outages
6. Cloud Security Risks
Unauthorized use/Analytics
Outage of Cloud services due to employee error
Data Mix-up
Hospital gown vulnerability
Data Leakage
Misconfigured cloud storage exposed to internet
Cloud hosted malware
73% of Companies Have Critical Security Misconfigurations - Threat Stack
44 percent of malware in enterprise cloud apps delivered ransomware - Netskope
11. Cloud GRC Stack
Delivering Stack Pack Description
Continuous monitoring … with a purpose
• Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery
• Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Pre-audit checklists and questionnaires to inventory controls
• Industry-accepted ways to document what security controls exist
The recommended foundations for controls
• Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
https://cloudsecurityalliance.org/research/grc-stack/#_overview
12. Cloud Consumer Security
Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities
-Gartner