Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Cloud Security
Aligning it to the business in 12 steps
Omar Khawaja
June 2013
@smallersecurity
What's the common theme?

Top Business Technology Trends:
• High-IQ Networks
• Enterprise Clouds
• Big Data
• Social Enterprise
• Video
• Personalization of Service
• Consumerization of IT
• M2M2P
• Compliance
• Energy Efficiency

What these trends do to data (the slide's annotations):
• …make it easier to transport data
• …store data in disparate places
• TMI: …make it easier to produce / share data
• Data is worth more than ever before
• Humans don't have a monopoly on data
• …mandates protection of certain data ???
Is liberation of information good?

Mobility and Cloud: 2 sides of the same coin
• Cloud → Democratization of IT
• Mobility → Consumerization of IT
• Together → Liberation of Information

Setting the stage…
Risk Management in the Cloud: What Matters?

The stack, top to bottom:
• Users
• Data
• Applications
• Compute / Storage
• Network
• Physical
• Platforms ???

Service models: SaaS / PaaS / IaaS. Which of these layers the provider takes over, and which stay with the customer, depends on the service model.

Implementing data-centric security in the cloud
Data-Centric Security for Cloud: Key Ingredients
• Data
• Users
• Business Processes
• Clouds
• Controls
• Compliance
Data-Centric Security for Cloud: A Recipe…

1. Define business relevance of each data set being moved to the cloud
2. Classify each data set based on business impact
3. Inventory data
4. Destroy (or archive offline) any unnecessary data
5. Inventory users
6. Associate data access with business processes, users, roles
7. Determine standard control requirements for each data set
8. Determine feasible controls for each cloud environment
9. For each data set, identify acceptable cloud environments
10. Ensure only users that need access to data have appropriate access to it
11. Identify and implement appropriate controls across each cloud environment
12. Validate and monitor control effectiveness
Control technologies:
• App Security
• Anti-X
• Config Mgmt
• DLP
• Encryption
• IAM, NAC
• Patching
• Policy Mgmt
• Threat Mgmt
• VPN
• Vuln. Mgmt
• …

Control domains (the ISO/IEC 27002:2005 clause headings, plus risk assessment):
• Risk Assessment
• Security Policy
• Organization of Info Security
• Asset Management
• Human Resources Management
• Physical & Environment Security
• Comms & Ops Mgmt
• Access Control
• Info Systems Acquisition, Dev, & Maint.
• Info Security Incident Management
• Business Continuity Management
• Compliance
One Caveat…
• Variations exist
– SaaS vs. PaaS vs. IaaS
– Public vs. Private vs. Hybrid
– Geography-Specific
– …
1. Define Business Relevance of Each Data Set Being Moved to the Cloud

• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL
2. Classify Each Data Set Based on Business Impact

Classification scale: LOW / MEDIUM / HIGH, assigned per data set from step 1:
• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL
3. Inventory Data (Technical & Consultative)
4. Destroy (or Archive Offline) any Unnecessary Data
5. Inventory Users

• User Role 1
• User Role 2
• User Role 3
6. Associate Data Access w/ Business Processes, Users, Roles

Data sets (classified LOW / MEDIUM / HIGH) and the business processes that use them:
• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL

User roles mapped to those processes:
• User Role 1
• User Role 2
• User Role 3
7. Determine Standard Control Requirements for Each Data Set

Data sets (classified LOW / MEDIUM / HIGH) and their standard control requirements:
• Data Set 1 (business processes ABC, GHI) → Standard Control Requirements 1
• Data Set 2 (business processes DEF, GHI) → Standard Control Requirements 2
• Data Set 3 (business processes ABC, JKL) → Standard Control Requirements 3
8. Determine Feasible Controls for Each Cloud Environment

• Cloud 1 → Feasible Controls 1
• Cloud 2 → Feasible Controls 2
• Cloud 3 → Feasible Controls 3
9. For Each Data Set, Identify Acceptable Cloud Environments (Platforms)
10. Ensure Only Users that Need Access to Data Have Appropriate Access to it

Data sets (classified LOW / MEDIUM / HIGH) and the business processes that justify access:
• Data Set 1: business processes ABC, GHI
• Data Set 2: business processes DEF, GHI
• Data Set 3: business processes ABC, JKL
11. Identify & Implement Appropriate Controls Across Each Cloud Environment

• Implemented Controls (one set per cloud environment)
• Implemented Controls
• Implemented Controls
12. Validate and Monitor Control Effectiveness
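As an added worked example (not code from the presentation or from Verizon), the following Python model carries steps 6 through 10 and the step 12 check through with the entities the slides use: Data Sets 1 to 3 and their business processes, User Roles 1 to 3, Clouds 1 to 3, standard control requirements and feasible controls. The classification assigned to each data set, the control names, the role-to-process mapping and the sample access snapshot are assumptions constructed for illustration; the slides do not specify them. It shows the mechanics the deck leaves implicit: a cloud is acceptable for a data set only when its feasible controls cover the data set's standard requirements, a role is entitled to a data set only through a business process that uses it, and validation is a diff of granted access against those entitlements.

```python
"""Model of recipe steps 6-10 and the step-12 check. Data Set / User Role /
Cloud names come from the slides; classifications, control names, the
role-to-process mapping and SAMPLE_ACCESS are constructed assumptions."""

from dataclasses import dataclass

# Step 7: standard control requirements by classification (constructed).
# Each higher tier requires a superset of the tier below it.
CONTROLS_BY_CLASS = {
    "LOW":    {"patching", "vuln_mgmt"},
    "MEDIUM": {"patching", "vuln_mgmt", "iam", "encryption_at_rest"},
    "HIGH":   {"patching", "vuln_mgmt", "iam", "encryption_at_rest",
               "dlp", "customer_managed_keys"},
}

# Step 8: controls that are feasible in each cloud environment (constructed).
FEASIBLE = {
    "Cloud 1": {"patching", "vuln_mgmt", "iam", "encryption_at_rest",
                "dlp", "customer_managed_keys"},
    "Cloud 2": {"patching", "vuln_mgmt", "iam", "encryption_at_rest"},
    "Cloud 3": {"patching", "vuln_mgmt"},
}


@dataclass
class DataSet:
    name: str
    classification: str   # step 2 (assumed tier per data set)
    processes: set        # steps 1 and 6: business processes using the data


DATA_SETS = [
    DataSet("Data Set 1", "HIGH", {"ABC", "GHI"}),
    DataSet("Data Set 2", "MEDIUM", {"DEF", "GHI"}),
    DataSet("Data Set 3", "LOW", {"ABC", "JKL"}),
]

# Steps 5 and 6: which business processes each user role performs (constructed).
ROLE_PROCESSES = {
    "User Role 1": {"ABC"},
    "User Role 2": {"DEF", "GHI"},
    "User Role 3": {"JKL"},
}


def acceptable_clouds(ds):
    """Step 9: a cloud is acceptable only if every control the data set's
    classification requires is feasible in that cloud."""
    required = CONTROLS_BY_CLASS[ds.classification]
    return sorted(c for c, feasible in FEASIBLE.items() if required <= feasible)


def control_gaps(ds, cloud):
    """Step 11 planning aid: required controls the given cloud cannot supply."""
    return sorted(CONTROLS_BY_CLASS[ds.classification] - FEASIBLE[cloud])


def entitled_roles(ds):
    """Step 10: a role is entitled to a data set only if it performs at least
    one business process that uses that data set."""
    return sorted(r for r, procs in ROLE_PROCESSES.items() if procs & ds.processes)


def excess_access(actual_access):
    """Step 12 validation: compare granted access (role -> data set names)
    with the derived entitlements; return grants with no process justification."""
    by_name = {ds.name: ds for ds in DATA_SETS}
    findings = []
    for role, granted in actual_access.items():
        for name in sorted(granted):
            if role not in entitled_roles(by_name[name]):
                findings.append((role, name))
    return findings


# Constructed snapshot of access as actually granted in the clouds today.
SAMPLE_ACCESS = {
    "User Role 1": {"Data Set 1", "Data Set 3"},
    "User Role 2": {"Data Set 1", "Data Set 2", "Data Set 3"},  # Data Set 3 is excess
    "User Role 3": {"Data Set 3"},
}

if __name__ == "__main__":
    for ds in DATA_SETS:
        print(f"{ds.name} [{ds.classification}]: clouds={acceptable_clouds(ds)} "
              f"roles={entitled_roles(ds)} gaps_in_Cloud_2={control_gaps(ds, 'Cloud 2')}")
    print("excess access:", excess_access(SAMPLE_ACCESS))
```

Run as written, it places the HIGH data set in Cloud 1 only, the MEDIUM one in Clouds 1 and 2, the LOW one anywhere, and flags User Role 2's grant on Data Set 3 as lacking any business-process justification. In practice `SAMPLE_ACCESS` would be replaced by an export of the cloud's IAM policies or the SaaS application's role assignments, and the check re-run on a schedule as the monitoring half of step 12.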
Finally…
• Start with the business context, not the security controls
• Classify based on the business value, not the IT value
• Controls have to be standard, feasible, implemented and monitored

Data* and Users can't be outsourced!
*Ownership of data
Security Leadership: Why Verizon?

Industry Recognition
• Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)

Credentials
• More PCI auditors (140+ QSAs) than any other firm in the world
• HITRUST Qualified CSF Assessor
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications

Global Reach
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 36 countries in 2011
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000

Experience
• Verizon's SMP is the oldest security certification program in the industry
• Analyzed 2500+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 5000+ security consulting engagements in the past 3 years

Certifications: ISO 9001, ISO 17025
An unparalleled perspective on IT security threats: 2013 DBIR

Some highlights
• 84% of initial compromises took hours or less.
• 76% exploited weak or stolen credentials.
• 78% of intrusions required little or no specialist skills or resources.
• … of breaches lie undiscovered for months.
• … of breaches are detected by 3rd party.

Scope of the report
• 47,000+ security incidents analyzed.
• 621 confirmed data breaches investigated.
• 19 international contributors, including law enforcement, government agencies and other private companies.
• 6th consecutive year.

Find out more at verizonenterprise.com/DBIR/2013
Global Capabilities
(Map: countries where Verizon currently has clients)
Verizon’s Security Portfolio
Protecting what the business cares about
6 security solution areas:
– Data Protection
– Governance, Risk & Compliance
– Identity & Access Mgmt
– Investigative Response
– Threat Mgmt (MSS)
– Vulnerability Mgmt
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Cloud Security: A Business-Centric Approach in 12 Steps

  • 1. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. PID# Cloud Security: Aligning it to the business in 12 steps. Omar Khawaja, June 2013.
  • 3. @smallersecurity What's the common theme? Top Business Technology Trends: High-IQ Networks, Enterprise Clouds, Big Data, Social Enterprise, Video, Personalization of Service, Consumerization of IT, M2M2P, Compliance, Energy Efficiency. Callouts on the slide: …make it easier to transport data; …store data in disparate places; TMI: …make it easier to produce / share data; data is worth more than ever before; humans don't have a monopoly on data; …mandates protection of certain data; ???
  • 4. @smallersecurity Is liberation of information good? Mobility and Cloud: 2 sides of the same coin. Cloud, Mobility; Democratization of IT, Consumerization of IT; Liberation of Information.
  • 6. @smallersecurity Risk Management in the Cloud: What Matters? Stack shown: Users, Data, Applications, Compute / Storage, Network, Physical, Platforms ??? alongside SaaS, PaaS, IaaS.
  • 8. @smallersecurity Data-Centric Security for Cloud: Key Ingredients: Data, Users, Business Processes, Clouds, Controls, Compliance.
  • 9. @smallersecurity Data-Centric Security for Cloud: A Recipe…
    1. Define business relevance of each data set being moved to the cloud
    2. Classify each data set based on business impact
    3. Inventory data
    4. Destroy (or archive offline) any unnecessary data
    5. Inventory users
    6. Associate data access with business processes, users, roles
    7. Determine standard control requirements for each data set
    8. Determine feasible controls for each cloud environment
    9. For each data set, identify acceptable cloud environments
    10. Ensure only users that need access to data have appropriate access to it
    11. Identify and implement appropriate controls across each cloud environment
    12. Validate and monitor control effectiveness
    Control technologies shown on the slide: App Security, Anti-X, Config Mgmt, DLP, Encryption, IAM, NAC, Patching, Policy Mgmt, Threat Mgmt, VPN, Vuln. Mgmt, …
    Control domains shown on the slide (the ISO/IEC 27001:2005 Annex A domains, plus risk assessment): Risk Assessment, Security Policy, Organization of Info Security, Asset Management, Human Resources Management, Physical & Environmental Security, Comms & Ops Mgmt, Access Control, Info Systems Acquisition, Dev & Maint., Info Security Incident Management, Business Continuity Management, Compliance.
  • 10. @smallersecurity One Caveat… Variations exist: SaaS vs. PaaS vs. IaaS; Public vs. Private vs. Hybrid; Geography-Specific; …
  • 11. @smallersecurity 1. Define Business Relevance of Each Data Set Being Moved to the Cloud. Diagram: Data Set 1 powers business processes ABC and GHI; Data Set 2 powers DEF and GHI; Data Set 3 powers ABC and JKL.
  • 12. @smallersecurity 2. Classify Each Data Set Based on Business Impact. Diagram: the same three data sets, each tagged LOW, MEDIUM or HIGH.
  • 13. @smallersecurity 3. Inventory Data (Technical & Consultative)
  • 14. @smallersecurity 4. Destroy (or Archive Offline) any Unnecessary Data
  • 16. @smallersecurity 6. Associate Data Access w/ Business Processes, Users, Roles. Diagram: the three classified data sets and their business processes, linked to User Role 1, User Role 2 and User Role 3.
  • 17. @smallersecurity 7. Determine Standard Control Requirements for Each Data Set. Diagram: the three classified data sets, each mapped to Standard Control Requirements 1, 2 or 3.
  • 18. @smallersecurity 8. Determine Feasible Controls for Each Cloud Environment. Diagram: Cloud 1, Cloud 2 and Cloud 3, each with its own set of Feasible Controls (1, 2, 3).
  • 19. @smallersecurity 9. For Each Data Set, Identify Acceptable Platforms
  • 20. @smallersecurity 10. Ensure Only Users that Need Access to Data Have Appropriate Access to it. Diagram: the three classified data sets (LOW / MEDIUM / HIGH) with their business processes.
  • 21. @smallersecurity 11. Identify & Implement Appropriate Controls Across Each Cloud Environment. Diagram: Implemented Controls per cloud environment.
  • 22. @smallersecurity 12. Validate and Monitor Control Effectiveness
  • 23. @smallersecurity Finally… Start with the business context, not the security controls. Classify based on the business value, not the IT value. Controls have to be standard, feasible, implemented and monitored. Data* and Users can't be outsourced! (*Ownership of data)
  • 24. @smallersecurity Security Leadership: Why Verizon?
    Industry Recognition
    - Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
    - Founding and Executive Member of Open Identity Exchange
    - Security Consulting practice recognized as a Strong Performer (Forrester)
    - ICSA Labs is the industry standard for certifying security products (started in 1991)
    Credentials
    - More PCI auditors (140+ QSAs) than any other firm in the world
    - HITRUST Qualified CSF Assessor
    - Actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia
    - Personnel hold 40+ unique industry, technology and vendor certifications
    Global Reach
    - 550+ dedicated security consultants in 28 countries speak 28 languages
    - Investigated breaches in 36 countries in 2011
    - 7 SOCs on 4 continents manage security devices in 45+ countries
    - Serve 77% of Forbes Global 2000
    Experience
    - Verizon's SMP is the oldest security certification program in the industry
    - Analyzed 2500+ breaches involving 1+ billion records
    - Manage identities in 50+ countries and for 25+ national governments
    - Delivered 5000+ security consulting engagements in the past 3 years
    ISO 9001, ISO 17025
  • 25. @smallersecurity An unparalleled perspective on IT security threats. 2013 DBIR, some highlights:
    - 84% of initial compromises took hours or less.
    - 76% exploited weak or stolen credentials.
    - 78% of intrusions required little or no specialist skills or resources.
    - … of breaches lie undiscovered for months.
    - … of breaches are detected by 3rd party.
    - 47,000+ security incidents analyzed.
    - 621 confirmed data breaches investigated.
    - 19 international contributors, including law enforcement, government agencies and other private companies.
    - 6th consecutive year.
    Find out more at verizonenterprise.com/DBIR/2013
  • 27. @smallersecurity Verizon's Security Portfolio: Protecting what the business cares about. 6 security solution areas: Data Protection; Governance, Risk & Compliance; Identity & Access Mgmt; Investigative Response; Threat Mgmt (MSS); Vulnerability Mgmt.
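Steps 6 to 10 of the recipe above (associate data with processes and roles, fix standard control requirements per data set, fix feasible controls per cloud, derive the acceptable clouds, and check that every grant is justified by a business need) are the part of the deck that can be made mechanical. The following is an added example in Python, not code from the deck or from Verizon. Everything in it is constructed: the control vocabulary, the mapping from impact tier to required controls, the three clouds' capabilities, and the role, user and grant tables are all assumptions chosen to mirror the Data Set 1-3 / Cloud 1-3 diagrams on the slides, which do not state which data set is LOW, MEDIUM or HIGH.

```python
"""Steps 6 to 10 of the data-centric recipe as a small policy-as-code check.

Added example, not code from the deck or from Verizon. All sample data below
is constructed: control names, tier-to-control mapping, cloud capabilities and
the role/user/grant tables are assumptions mirroring the slide diagrams.
"""
from dataclasses import dataclass

# Step 7: standard control requirements per business-impact class.
# Assumed control vocabulary; a real programme maps each name to a framework
# control (e.g. one of the ISO 27001 domains listed on the "Recipe" slide).
STANDARD_CONTROLS = {
    "LOW": frozenset({"audit_logging"}),
    "MEDIUM": frozenset({"audit_logging", "encryption_at_rest", "mfa"}),
    "HIGH": frozenset({"audit_logging", "encryption_at_rest", "mfa",
                       "customer_managed_keys", "dlp"}),
}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str      # LOW / MEDIUM / HIGH, the output of step 2
    processes: frozenset     # business processes it powers, from step 1

    @property
    def required_controls(self):
        return STANDARD_CONTROLS[self.classification]


@dataclass(frozen=True)
class Cloud:
    name: str
    feasible_controls: frozenset   # what this environment can implement (step 8)


def control_gap(data_set, cloud):
    """Required controls the cloud cannot provide (empty set means acceptable)."""
    return data_set.required_controls - cloud.feasible_controls


def acceptable_clouds(data_set, clouds):
    """Step 9: names of the clouds with no control gap for this data set."""
    return sorted(c.name for c in clouds if not control_gap(data_set, c))


def excess_access(data_sets, role_processes, user_roles, grants):
    """Step 10: grants that no business process of the user's roles justifies.

    A grant is justified when the data set powers at least one process that
    one of the user's roles participates in (the association made in step 6).
    Returns the set of (user, data set) pairs that should be revoked.
    """
    by_name = {d.name: d for d in data_sets}
    findings = set()
    for user, granted in grants.items():
        justified = set().union(*(role_processes[r] for r in user_roles.get(user, ())))
        for ds_name in granted:
            if not by_name[ds_name].processes & justified:
                findings.add((user, ds_name))
    return findings


# Constructed sample data mirroring the slide diagrams (classifications and
# role/process memberships are assumptions; the slides do not state them).
DATA_SETS = [
    DataSet("Data Set 1", "HIGH", frozenset({"ABC", "GHI"})),
    DataSet("Data Set 2", "MEDIUM", frozenset({"DEF", "GHI"})),
    DataSet("Data Set 3", "LOW", frozenset({"ABC", "JKL"})),
]
CLOUDS = [
    Cloud("Cloud 1", frozenset({"audit_logging", "encryption_at_rest", "mfa",
                                "customer_managed_keys", "dlp"})),
    Cloud("Cloud 2", frozenset({"audit_logging", "encryption_at_rest", "mfa"})),
    Cloud("Cloud 3", frozenset({"audit_logging"})),
]
ROLE_PROCESSES = {"Role 1": {"ABC"}, "Role 2": {"DEF"}, "Role 3": {"GHI", "JKL"}}
USER_ROLES = {"alice": ["Role 1"], "bob": ["Role 2"], "carol": ["Role 3"]}
GRANTS = {
    "alice": {"Data Set 1", "Data Set 3"},
    "bob": {"Data Set 2", "Data Set 1"},      # Data Set 1 is not justified for bob
    "carol": {"Data Set 2"},
}

if __name__ == "__main__":
    for ds in DATA_SETS:
        print(f"{ds.name} ({ds.classification}): acceptable -> {acceptable_clouds(ds, CLOUDS)}")
        for cloud in CLOUDS:
            gap = control_gap(ds, cloud)
            if gap:
                print(f"  {cloud.name} lacks {sorted(gap)}")
    print("revoke:", sorted(excess_access(DATA_SETS, ROLE_PROCESSES, USER_ROLES, GRANTS)))
```

With this data the HIGH data set is only placeable in Cloud 1, the MEDIUM one in Clouds 1 and 2, the LOW one anywhere, and bob's grant to Data Set 1 is flagged because none of his roles' processes use it. The same `control_gap` function serves step 12 if it is fed the controls actually observed in an environment (from configuration exports or audit evidence) instead of the controls the environment is merely capable of: a non-empty result there is a monitoring finding rather than a placement decision.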

Speaker notes

  1. Each of these trends is working to liberate information in one way or another. Which of these trends is relevant to your customer, and how can you help them solve these requirements? Top Biz Tech Trends taken from Vz press release on 11/15/2011.
  2. [Source: IBM] 1 quintillion (bytes) = 1 million terabytes. It is here to stay. Anywhere vs. everywhere?
  3. Data is what the business cares about, and its ownership (unlike that of network, compute, platform, applications) can't be outsourced. It is the common denominator. The (perceived) data owner is always responsible from a compliance and reputation standpoint. Example: 4-methylimidazole, Coca-Cola.
  4. How much is the data worth protecting? Who has access to the data? What business processes do the data power? What controls are in place? Do the clouds have sufficient implementable controls and sufficient visibility? Can compliance be demonstrated?
  5. Standard -> Feasible -> Implemented
  6. This is perhaps the most important step in becoming comfortable with the notion of moving sensitive data into the cloud. If we use parents as a metaphor for a CIO, then the parents' most important asset is their children; the CIO's is data. When parents make the decision to move their most important asset to a third-party location (e.g. day care), they may do it for similar reasons as the CIO moves data to the cloud: economic, agility, etc. A parent feels much more comfortable leaving their child in a daycare facility if they know they can see their child at any time during the day by going online and looking at the live webcam footage. The idea behind #12 is to provide the CIO an equivalent level of visibility to a parent remotely watching their child, so they can rest assured that their most valuable asset is being well taken care of. What does this visibility look like: audits, vuln scans, application logs, user access info, IDS / FW incidents, deep packet capture, etc.
  7. For the latest version, please contact Omar Khawaja. CREST approved penetration tester. Actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia.
  8. DBIR Video: http://www.verizonenterprise.com/resources/media/large-133871-DBIR+2013.xml DBIR Sales
  9. Solutions = Managed Services + Intelligence + Consulting. This is the ONE slide that describes our security story and portfolio. Data-centric is a stepping stone to business-centric.