The move to the cloud gives some organisations plenty of headaches: can the cloud be trusted when it comes to privacy and security? But that question is just as easily turned around: how responsible is it to not go to the cloud? Taking care of security yourself is not free, and certainly not without risk. With a proper estimate of the (potential) costs, this actually becomes an economic question.
For Hans Rattink, trusting the cloud is no longer an issue, as long as you take the right steps. In this presentation he shares his successes and the approach with which he achieved them. He also makes you aware of the no-brainers in the extensive range of cloud services.
4. Classification: //SecureWorks/Public Use:
4
About me
• Hans Rattink
• Senior Security Architect @ SecureWorks.com
• Region: Central EU
• Active in IT for over 17 years, Security over 12 years
• hrattink@secureworks.com
State of the art Data Centres
Foundation of Cloud Service Providers
Ref.: https://www.datapipe.com/blog/2017/11/14/touring-equinixs-state-of-the-art-dc12-data-center/
"Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres."
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
- Gartner, Inc.
"By 2020, 95 percent of cloud security failures will be the customer's fault."
Gartner, Clouds Are Secure: Are You Using Them Securely?, 21 July 2016
- Gartner, Inc.
Verizon – July 2017
• A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed.
• The data was contained on a misconfigured Amazon S3 data repository owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon, according to a July 12 blog post.
• “This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest.”
https://www.scmagazine.com/misconfigured-server-leaves-14-million-verizon-customer-records-exposed/article/674590/
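The Verizon case turned on a storage bucket that anyone could read. As an added example (not from the presentation, and not NICE Systems' or Verizon's configuration), this Python snippet parses a constructed S3 bucket policy and reports the Allow statements an anonymous principal could use; it inspects the policy only, so bucket ACLs still need a separate review.

```python
import json

# Constructed sample bucket policy (not any real organisation's configuration):
# the first statement grants anonymous read on every object, the second is scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def is_anonymous(principal) -> bool:
    """True when a Principal element matches any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json: str) -> list:
    """Return the Allow statements an anonymous principal could use.

    Each finding records the Sid, the granted actions and whether a Condition
    element is present; a Condition (e.g. aws:SourceIp) may narrow the grant,
    but the statement still needs human review.
    """
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions if isinstance(actions, list) else [actions],
            "conditional": "Condition" in stmt,
        })
    return findings

if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        flag = " (conditional)" if f["conditional"] else ""
        print(f"{f['sid']}: anonymous {', '.join(f['actions'])}{flag}")
```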
Deloitte – September 2017
• The perpetrators may have had access to the server back to October or November 2016.
• Deloitte acknowledged that an attacker “accessed data from an email platform”, which Deloitte also used to store usernames, passwords, IP addresses, architectural diagrams, health information, and sensitive security and design details.
• The adversary accessed the Azure cloud service by compromising an administrator's account with unrestricted access to content. The account did not have “two-step” verification set up.
• To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months.
https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/
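The Deloitte account had no second factor, and its activity went unnoticed for months. As an added example (not from the presentation), this Python detection runs over constructed sign-in log lines (the format and field names are assumed) and flags administrator sign-ins without MFA as well as sign-ins from a source IP never seen before for that user.

```python
import re
from collections import defaultdict

# Constructed sample sign-in events (not Deloitte's real logs); the field names mimic
# what a cloud identity provider's audit log typically exposes.
SAMPLE_LOG = """\
2016-09-20T09:02:11Z user=admin@example.com role=admin ip=198.51.100.7 mfa=true result=success
2016-09-21T09:05:43Z user=admin@example.com role=admin ip=198.51.100.7 mfa=true result=success
2016-10-03T02:14:07Z user=admin@example.com role=admin ip=203.0.113.45 mfa=false result=success
2016-10-03T02:14:09Z user=alice@example.com role=user ip=198.51.100.9 mfa=false result=success
2016-10-04T03:01:55Z user=admin@example.com role=admin ip=203.0.113.45 mfa=false result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) ip=(?P<ip>\S+) "
    r"mfa=(?P<mfa>true|false) result=(?P<result>\S+)$"
)

def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(events: list) -> list:
    """Return (timestamp, user, reason) alerts for successful sign-ins that are
    admin logins without MFA, or logins from an IP never seen before for that user.
    Assumes events arrive in chronological order."""
    seen_ips = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if ev["role"] == "admin" and ev["mfa"] == "false":
            alerts.append((ev["ts"], ev["user"], "admin sign-in without MFA"))
        known = seen_ips[ev["user"]]
        if ev["ip"] not in known:
            if known:  # no baseline yet on a user's very first sign-in, so no alert then
                alerts.append((ev["ts"], ev["user"], f"new source IP {ev['ip']}"))
            known.add(ev["ip"])
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect(parse(SAMPLE_LOG)):
        print(ts, user, reason)
```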
Huddle – November 2017
• The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.
• On Wednesday (8th Nov.), a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform. He was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
• According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
• Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code. This ensures no two people are ever simultaneously issued the same code.
http://www.bbc.com/news/technology-41969061
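The Huddle flaw was an authorisation code that depended on timing rather than on fresh randomness. As an added example (not Huddle's code; the derivation is a constructed model of the reported behaviour), this Python snippet shows a time-window-derived code that collides for two logins inside the same 20 ms window, next to an issuer that draws every code from a CSPRNG, binds it to the requesting user and consumes it on first use.

```python
import hashlib
import secrets

WINDOW_MS = 20  # the 20 ms window reported for Huddle; the model below is constructed

def time_window_code(login_ms: int, server_secret: bytes = b"constructed-secret") -> str:
    """Flawed pattern: the code is derived from the server and a 20 ms time window, so
    two logins landing on the same server in the same window share one code."""
    window = login_ms // WINDOW_MS
    digest = hashlib.sha256(server_secret + window.to_bytes(8, "big")).hexdigest()
    return digest[:16]

class CodeIssuer:
    """Hardened pattern: a fresh CSPRNG code on every invocation, bound to the user
    who requested it and redeemable once, so no two logins can ever share a code."""

    def __init__(self):
        self._pending = {}  # code -> user_id

    def issue(self, user_id: str) -> str:
        code = secrets.token_urlsafe(32)  # 256 random bits; collisions are not a practical concern
        while code in self._pending:      # defensive only: redraw on the vanishingly rare repeat
            code = secrets.token_urlsafe(32)
        self._pending[code] = user_id
        return code

    def redeem(self, code: str):
        """Return the user the code was issued to, or None; the code is consumed."""
        return self._pending.pop(code, None)

if __name__ == "__main__":
    # Two logins 15 ms apart: the flawed derivation hands both the same code...
    print(time_window_code(1_000) == time_window_code(1_015))
    # ...while the issuer gives each request its own, user-bound code.
    issuer = CodeIssuer()
    print(issuer.issue("correspondent") != issuer.issue("other-tenant"))
```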
Results from one year of the Data Breach Notification law
• 5,500 notifications of data breaches
• 4,000 notifications investigated
• Hundreds of organisations have been warned
• Tens of organisations involved in deeper investigations
Numbers from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)
Source: https://autoriteitpersoonsgegevens.nl/nl/nieuws/overzicht-meldingen-datalekken-eerste-kwartaal-2017#subtopic-5247
GDPR
Fines for data breaches can be a maximum of 4% of the yearly gross turnover or €20 million, whichever is larger.
Clarify and document your responsibilities
Vendor management is key
• Know where your responsibilities end and the provider's begin
• Patching, encryption, software licenses, data retention
• Make sure there is documented responsibility for each layer in the cloud stack
• Agree the responsibilities with the cloud provider and ensure contracts are in place reflecting those responsibilities
• Ensure that, as a cloud consumer, you have the ability to assess/audit the cloud provider's security and privacy controls
"By 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures."
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
- Gartner, Inc.
Security roadmap
1 Assess and plan
• Security Maturity Assessment
• Identify security gaps
• Understand risks to (personal) data
• Develop a risk-based Security Programme that includes best practices
2 Increase visibility
• Implement (threat-intel-based) security analytics
• Use a 24x7 SOC for incident analysis
• Apply a Vulnerability Scanning & Management programme
• Improve security awareness
3 Implement controls
• Implement governance controls
• Add controls for detection and protection
• Create runbooks and incident response plans
Target: Test, operate & manage
• Govern the Security Programme
• Test security controls, programme and employees
• Evaluate and improve
Build your security program
Cloud Security Strategy
• Holistic view of the implications of cloud computing
• Full evaluation of threats and risks
• Identification and implementation of mitigating controls against assets and cloud providers
Check your cloud provider
• Understand their security control framework
• What information do they provide you, what is documented?
• What options do they give you to ensure security?
Understand the implications
• Where is your data now and in the future?
• Are you monitoring the security controls in place?
• What happens to your data if your cloud provider ceases service?
• Are you GDPR compliant and prepared for a security breach?
Assess your existing controls
• What are your responsibilities in keeping the data secure?
• Do you know what services you use and who has access to your critical data in the cloud?
• Can you successfully respond to security incidents?
Intelligence-driven information security solutions…
• 2,400+ employees
• Recognized as an industry leader
• ~4,500 clients across 61 countries
• 18 years of threat intelligence data
• 240B security events processed daily
• 2B+ threat indicators
• 300+ expert security analysts
• 700+ IR engagements last year