MindTheSec 2020 Keynote: Is Cloud Migration Our Best Chance to Fix Security?

•

0 j'aime•123 vues

This was given at Mind The Sec 2020 www.mindthesec.com.br as one of the keynotes The video is somewhere around there https://www.mindthesec.com.br/meetings/virtual/XLT43LkrZwnwRSFw7

Technologie

Is Cloud Migration
Our Best Chance to “Fix Security”?
Dr Anton Chuvakin
Security Solution Strategy @ Chronicle / Google Cloud
1

Confidential
Outline
o Security: Doomed to be an Add-on Forever … or
Not?
o From Security Failures to Cloud Failures
o Cloud Security Choices
o Ideal Cloud Security Criteria
o Can a Move to Cloud Transform your Security?
o Recommendations
2

Security: Sad History of Being a Bolt-on
● 1980: Internet without security
● 1990: Windows without security
● 2000: Mobile devices without security
● 2005: Cloud without security
● 2010: IoT without security
● 2015: ML/AI without security
● Don’t even get me started on blockchain :-)
3

Question:
Have you seen security included from day
1 in a new system or technology?
4

Cloud Security Choices
1. Cloud provider brings security
tools (paid or free)
2. Cloud customer brings own
existing security tools
3. Cloud customer purchases
tools from 3rd party vendors
just for cloud
4. Combination of the above
5

Question:
What are the pros and cons of each
approach?
6

Cloud Security Failures
Despite these approaches, we hear about cloud security
failures …
…. think “open S3 buckets” and “hard-coded API keys” and
“firewall configuration errors”
7

Whose Fault Is It?
In fact, Gartner says...
“Through 2025, 99% of cloud security
failures will be the customer’s fault.”
What does it mean?
8

Question:
Is it fair to blame cloud customers for
nearly all security problems?
9

Ideal Cloud Security Criteria
Default security
e.g. logging that just works and is always centrally collected and
searchable
Opt-out security e.g. tight permissions that loudly object to being loosened
Transparent security e.g. encryption of data in transit and at rest
Native to the system e.g. not sold separately and requiring integration work
Automated security e.g. turned on after deployment via an API
Role-based security
e.g. specific roles must be granted for management and access
(but without the headache!)
Obvious security e.g. not require the failure-prone user education
10

Question:
Can well-built cloud computing platform
make security near-transparent?
11

Deeper Examples
12
Web Server
Exposing a web server
externally should
require adequate
security checks and
controls
Container
Deployment
Securing application within the
container is responsibility of a
customer, but what about
Docker daemons
Automated
Logging
Tuned security logging
enabled by default
Shared Responsibility
1 2 3

Question:
Is this change realistic or are we doomed
to bring our pre-cloud security problems
to the cloud?
13

Recommendations
● Migration to cloud infrastructure is a unique opportunity to
dismantle the legacy security debt of the past two
decades.
● Think how you can use cloud migration to actually do
security from day one, not day +1 after the breach.
● Push your cloud provider to make it easier to secure your
assets.
● Finally, remember that joint responsibility model is
forever; there will always be security tasks that a customer
14

Further Reading
● “Move to Cloud: A Chance to Finally Transform
Security?”
● “Google Security Model”
● “Psychoanalyzing Security Cloud Fears”
● “Top Threats to Cloud Computing: Deep Dive”
15

Contenu connexe

Plus de Anton Chuvakin

SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends

Anton Chuvakin

SOCstock 2021 The Cloud-native SOC

Anton Chuvakin

Modern SOC Trends 2020

Anton Chuvakin

Anton's 2020 SIEM Best and Worst Practices - in Brief

Anton Chuvakin

Generic siem how_2017

Anton Chuvakin

Tips on SIEM Ops 2015

Anton Chuvakin

Five SIEM Futures (2012)

Anton Chuvakin

RSA 2016 Security Analytics Presentation

Anton Chuvakin

End-User Case Study: Five Best and Five Worst Practices for SIEM Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Anton Chuvakin

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Anton Chuvakin

Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin

Anton Chuvakin

SIEM Primer:

Anton Chuvakin

Title: Log management and compliance: What's the real story? by Dr. Anton Chuvakin One of the problems in making an Enterprise Content Management (ECM) strategy work with compliance initiatives is that compliance needs accountability at a very granular level. Consequently, IT shops are turning to log management as a solution, with many of those solutions being deployed for the purposes of regulatory compliance. The language however, regarding log management solutions can sometimes be vague which can lead to confusion. This session will lend some clarity to the regulations that affect log management. Topics will include: Best practices for how to best mesh compliance ECM and compliance strategies with log management Tips and suggestions for monitoring and auditing access to regulated content, with a focus on Microsoft Sharepoint logging. An examination of a handful of the regulations affecting how organizations view log management and information security including The Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, The North American Electric Reliability Council (NERC), HIPAA and the HITECH Act.

Log management and compliance: What's the real story? by Dr. Anton Chuvakin

Anton Chuvakin

On Content-Aware SIEM by Dr. Anton Chuvakin

Anton Chuvakin

Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin

Anton Chuvakin

PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Anton Chuvakin

How to Gain Visibility and Control: Compliance Mandates, Security Threats and...

Anton Chuvakin

Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...

Anton Chuvakin

Zero Day Response: Strategies for the Security Innovation in Corporate Defens...

Anton Chuvakin

What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

Anton Chuvakin

Plus de Anton Chuvakin (20)

SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends

SOCstock 2021 The Cloud-native SOC

Modern SOC Trends 2020

Anton's 2020 SIEM Best and Worst Practices - in Brief

Generic siem how_2017

Tips on SIEM Ops 2015

Five SIEM Futures (2012)

RSA 2016 Security Analytics Presentation

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin

SIEM Primer:

Log management and compliance: What's the real story? by Dr. Anton Chuvakin

On Content-Aware SIEM by Dr. Anton Chuvakin

Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin

PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

How to Gain Visibility and Control: Compliance Mandates, Security Threats and...

Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...

Zero Day Response: Strategies for the Security Innovation in Corporate Defens...

What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

Dernier

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Histor y of HAM Radio presentation slide

vu2urc

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Real Time Object Detection Using Open CV

Khem

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Driving Behavioral Change for Information Management through Data-Driven Gree...

Tech Trends Report 2024 Future Today Institute.pdf

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

[2024]Digital Global Overview Report 2024 Meltwater.pdf

HTML Injection Attacks: Impact and Mitigation Strategies

Histor y of HAM Radio presentation slide

Data Cloud, More than a CDP by Matt Robison

Boost PC performance: How more available memory can improve productivity

Real Time Object Detection Using Open CV

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - The value of a flexible API Management solution for O...

Partners Life - Insurer Innovation Award 2024

Automating Google Workspace (GWS) & more with Apps Script

🐬 The future of MySQL is Postgres 🐘

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

How to Troubleshoot Apps for the Modern Connected Worker

Strategies for Landing an Oracle DBA Job as a Fresher

Scaling API-first – The story of a global engineering organization

MindTheSec 2020 Keynote: Is Cloud Migration Our Best Chance to Fix Security?

1. Is Cloud Migration Our Best Chance to “Fix Security”? Dr Anton Chuvakin Security Solution Strategy @ Chronicle / Google Cloud 1

2. Confidential Outline o Security: Doomed to be an Add-on Forever … or Not? o From Security Failures to Cloud Failures o Cloud Security Choices o Ideal Cloud Security Criteria o Can a Move to Cloud Transform your Security? o Recommendations 2

3. Security: Sad History of Being a Bolt-on ● 1980: Internet without security ● 1990: Windows without security ● 2000: Mobile devices without security ● 2005: Cloud without security ● 2010: IoT without security ● 2015: ML/AI without security ● Don’t even get me started on blockchain :-) 3

4. Question: Have you seen security included from day 1 in a new system or technology? 4

5. Cloud Security Choices 1. Cloud provider brings security tools (paid or free) 2. Cloud customer brings own existing security tools 3. Cloud customer purchases tools from 3rd party vendors just for cloud 4. Combination of the above 5

6. Question: What are the pros and cons of each approach? 6

7. Cloud Security Failures Despite these approaches, we hear about cloud security failures … …. think “open S3 buckets” and “hard-coded API keys” and “firewall configuration errors” 7

8. Whose Fault Is It? In fact, Gartner says... “Through 2025, 99% of cloud security failures will be the customer’s fault.” What does it mean? 8

9. Question: Is it fair to blame cloud customers for nearly all security problems? 9

10. Ideal Cloud Security Criteria Default security e.g. logging that just works and is always centrally collected and searchable Opt-out security e.g. tight permissions that loudly object to being loosened Transparent security e.g. encryption of data in transit and at rest Native to the system e.g. not sold separately and requiring integration work Automated security e.g. turned on after deployment via an API Role-based security e.g. specific roles must be granted for management and access (but without the headache!) Obvious security e.g. not require the failure-prone user education 10

11. Question: Can well-built cloud computing platform make security near-transparent? 11

12. Deeper Examples 12 Web Server Exposing a web server externally should require adequate security checks and controls Container Deployment Securing application within the container is responsibility of a customer, but what about Docker daemons Automated Logging Tuned security logging enabled by default Shared Responsibility 1 2 3

13. Question: Is this change realistic or are we doomed to bring our pre-cloud security problems to the cloud? 13

14. Recommendations ● Migration to cloud infrastructure is a unique opportunity to dismantle the legacy security debt of the past two decades. ● Think how you can use cloud migration to actually do security from day one, not day +1 after the breach. ● Push your cloud provider to make it easier to secure your assets. ● Finally, remember that joint responsibility model is forever; there will always be security tasks that a customer 14

15. Further Reading ● “Move to Cloud: A Chance to Finally Transform Security?” ● “Google Security Model” ● “Psychoanalyzing Security Cloud Fears” ● “Top Threats to Cloud Computing: Deep Dive” 15

MindTheSec 2020 Keynote: Is Cloud Migration Our Best Chance to Fix Security?

Recommandé

Recommandé

Contenu connexe

Plus de Anton Chuvakin

Plus de Anton Chuvakin (20)

Dernier

Dernier (20)

MindTheSec 2020 Keynote: Is Cloud Migration Our Best Chance to Fix Security?