This document discusses aligning cloud security to business needs in 12 steps. It provides guidance on how to classify data based on business impact, inventory data and users, determine appropriate access and controls, and validate that controls are implemented and effective across cloud environments. The goal is to ensure data and users are properly secured while allowing the business to realize the benefits of cloud computing.
Cloud Security: A Business-Centric Approach in 12 Steps
1. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Cloud Security
Aligning it to the business in 12 steps
Omar Khawaja
June 2013
3. @smallersecurity
What’s the common theme?
Top Business Technology Trends:
• High-IQ Networks
• Enterprise Clouds
• Big Data
• Social Enterprise
• Video
• Personalization of Service
• Consumerization of IT
• M2M2P
• Compliance
Diagram callouts (what the trends do to data):
• …make it easier to transport data
• …store data in disparate places
• TMI: …make it easier to produce / share data
• Data is worth more than ever before
• Humans don’t have a monopoly on data
• …mandates protection of certain data ???
4. Is liberation of information good?
Mobility and Cloud: 2 sides of the same coin
• Cloud
• Mobility
• Democratization of IT
• Consumerization of IT
• Liberation of Information
9. Data-Centric Security for Cloud: A Recipe…
1. Define business relevance of each data set being moved to the cloud
2. Classify each data set based on business impact
3. Inventory data
4. Destroy (or archive offline) any unnecessary data
5. Inventory users
6. Associate data access with business processes, users, roles
7. Determine standard control requirements for each data set
8. Determine feasible controls for each cloud environment
9. For each data set, identify acceptable cloud environments
10. Ensure only users that need access to data have appropriate access to it
11. Identify and implement appropriate controls across each cloud environment
12. Validate and monitor control effectiveness
Control technologies: App Security, Anti-X, Config Mgmt, DLP, Encryption, IAM, NAC, Patching, Policy Mgmt, Threat Mgmt, VPN, Vuln. Mgmt, …
Security program domains: Risk Assessment; Security Policy; Organization of Info Security; Asset Management; Human Resources Management; Physical & Environment Security; Comms & Ops Mgmt; Access Control; Info Systems Acquisition, Dev, & Maint.; Info Security Incident Management; Business Continuity Management; Compliance
11. Step 1: Define Business Relevance of Each Data Set Being Moved to the Cloud
• Data Set 1: Business Processes ABC, GHI
• Data Set 2: Business Processes DEF, GHI
• Data Set 3: Business Processes ABC, JKL
12. Step 2: Classify Each Data Set Based on Business Impact
• Data Set 1: Business Processes ABC, GHI
• Data Set 2: Business Processes DEF, GHI
• Data Set 3: Business Processes ABC, JKL
Each data set is tagged with a business-impact level: LOW, MEDIUM or HIGH.
16. Step 6: Associate Data Access w/ Business Processes, Users, Roles
• Data Set 1: Business Processes ABC, GHI
• Data Set 2: Business Processes DEF, GHI
• Data Set 3: Business Processes ABC, JKL
Business-impact levels: LOW, MEDIUM, HIGH. User Role 1, User Role 2 and User Role 3 are linked to the business processes they execute, and through them to the data sets.
17. Step 7: Determine Standard Control Requirements for Each Data Set
• Data Set 1: Business Processes ABC, GHI
• Data Set 2: Business Processes DEF, GHI
• Data Set 3: Business Processes ABC, JKL
Business-impact levels: LOW, MEDIUM, HIGH. Each data set maps to its own set of Standard Control Requirements (Standard Control Requirements 1, 2 and 3).
20. Step 10: Ensure Only Users that Need Access to Data Have Appropriate Access to it
• Data Set 1: Business Processes ABC, GHI
• Data Set 2: Business Processes DEF, GHI
• Data Set 3: Business Processes ABC, JKL
Business-impact levels: LOW, MEDIUM, HIGH.
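Steps 6 through 10 of the recipe (associate data with processes and roles, derive standard control requirements, compare them with what each cloud can feasibly implement, pick acceptable clouds, restrict access to users whose role needs it) can be expressed as a small model. The code below is an added example, not from the deck; the impact levels, roles, users, control lists and cloud names are constructed for illustration, and the three data sets reuse the business processes shown on the slides.

```python
# Added example: a minimal model of steps 6-10 of the 12-step recipe.
# All impact levels, roles, users, controls and cloud environments below
# are constructed sample data, not values from the presentation.

# Step 2 + step 6: each data set carries a business-impact level and the
# business processes it powers (processes taken from the slides).
DATA_SETS = {
    "Data Set 1": {"impact": "LOW", "processes": {"ABC", "GHI"}},
    "Data Set 2": {"impact": "HIGH", "processes": {"DEF", "GHI"}},
    "Data Set 3": {"impact": "MEDIUM", "processes": {"ABC", "JKL"}},
}
# Step 6: roles are tied to the business processes they execute, and
# users (constructed) hold exactly one role.
ROLES = {"User Role 1": {"ABC"}, "User Role 2": {"DEF"}, "User Role 3": {"GHI", "JKL"}}
USERS = {"alice": "User Role 1", "bob": "User Role 2", "carol": "User Role 3"}
# Step 7: standard control requirements grow with business impact.
CONTROLS = {
    "LOW": {"IAM", "Patching"},
    "MEDIUM": {"IAM", "Patching", "Vuln. Mgmt", "Encryption"},
    "HIGH": {"IAM", "Patching", "Vuln. Mgmt", "Encryption", "DLP", "Config Mgmt"},
}
# Step 8: controls each cloud environment can feasibly implement (constructed).
CLOUDS = {
    "private-cloud": {"IAM", "Patching", "Vuln. Mgmt", "Encryption", "DLP", "Config Mgmt"},
    "public-saas": {"IAM", "Encryption"},
    "public-iaas": {"IAM", "Patching", "Vuln. Mgmt", "Encryption"},
}

def required_controls(data_set):
    """Step 7: the standard requirements follow from the impact classification."""
    return CONTROLS[DATA_SETS[data_set]["impact"]]

def acceptable_clouds(data_set):
    """Step 9: a cloud is acceptable only if its feasible controls cover every requirement."""
    need = required_controls(data_set)
    return sorted(name for name, feasible in CLOUDS.items() if need <= feasible)

def allowed_users(data_set):
    """Step 10: a user may access the data only if their role runs a process it powers."""
    processes = DATA_SETS[data_set]["processes"]
    return sorted(user for user, role in USERS.items() if ROLES[role] & processes)

def control_gaps(data_set, cloud):
    """Input to steps 11-12: requirements the chosen cloud cannot implement (should be empty)."""
    return sorted(required_controls(data_set) - CLOUDS[cloud])

if __name__ == "__main__":
    for ds in DATA_SETS:
        print(ds, "->", acceptable_clouds(ds), "users:", allowed_users(ds))
```

A non-empty `control_gaps` result for the environment actually chosen is exactly the condition step 11 must fix (or step 9 must reject) before the data set moves.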
23. Finally…
• Start with the business context, not the security controls
• Classify based on the business value, not the IT value
• Controls have to be standard, feasible, implemented and monitored
Data* and Users can’t be outsourced!
*Ownership of data
24. Security Leadership: Why Verizon?
Industry Recognition
• Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)
Credentials
• More PCI auditors (140+ QSAs) than any other firm in the world
• HITRUST Qualified CSF Assessor
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications
Global Reach
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 36 countries in 2011
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000
Experience
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed 2500+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 5000+ security consulting engagements in the past 3 years
• ISO 9001
• ISO 17025
25. An unparalleled perspective on IT security threats: 2013 DBIR
Some highlights
• 84% of initial compromises took hours or less.
• 76% exploited weak or stolen credentials.
• 78% of intrusions required little or no specialist skills or resources.
• [percentage not captured] of breaches lie undiscovered for months
• [percentage not captured] of breaches are detected by 3rd party
• 47,000+ security incidents analyzed.
• 621 confirmed data breaches investigated.
• 19 international contributors.
– Including law enforcement, government agencies and other private companies.
• 6th consecutive year.
Find out more at verizonenterprise.com/DBIR/2013
27. Verizon’s Security Portfolio
Protecting what the business cares about
6 security solution areas:
– Data Protection
– Governance, Risk & Compliance
– Identity & Access Mgmt
– Investigative Response
– Threat Mgmt (MSS)
– Vulnerability Mgmt
Editor’s notes
Each of these trends is working to liberate information in one way or another. Which of these trends is relevant to your customer, and how can you help them solve these requirements? Top Biz Tech Trends taken from the Verizon press release of 11/15/2011.
[Source: IBM] 1 Quintillion = 1 million terabytes. It is here to stay. Anywhere vs. everywhere?
Data is what the business cares about, and its ownership (unlike that of network, compute, platform, applications) can’t be outsourced. It is the common denominator. The (perceived) data owner is always responsible from a compliance and reputation standpoint (4-methylimidazole, Coca Cola).
How much is the data worth protecting? Who has access to the data? What business processes do the data power? What controls are in place? Do the clouds have sufficient implementable controls and sufficient visibility? Can compliance be demonstrated?
Standard -> Feasible -> Implemented
This is perhaps the most important step in becoming comfortable with the notion of moving sensitive data into the cloud. If we use parents as a metaphor for a CIO, then the parents’ most important asset is their children; the CIO’s is data. When parents make the decision to move their most important asset to a third-party location (e.g. day care) they may do it for similar reasons as the CIO moves data to the cloud: economic, agility, etc. A parent feels much more comfortable leaving their child in a daycare facility if they know they can see their child at any time during the day by going online and looking at the live webcam footage. The idea behind #12 is to provide the CIO an equivalent level of visibility to a parent remotely watching their child, so they can rest assured that their most valuable asset is being well taken care of. What does this visibility look like: audits, vuln scans, application logs, user access info, IDS / FW incidents, deep packet capture, etc.
For the latest version, please contact Omar Khawaja. CREST approved penetration tester. Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia.
Solutions = Managed Services + Intelligence + Consulting. This is the ONE slide that describes our security story and portfolio. Data-centric is a stepping stone to business-centric.