7/25/2019 Getting to the Cloud Event 2015
1/20
STKIs work Copyright@2016. Do not remove source or attribution from any slide, graph or portion of graph
2016
Getting to the Cloud
Security & Risk Management
How will Digital Transformation transform all of us
Ariel Evans, EVP
Senior Cyber Security and Risk Analyst
About Me
- CISO Telco US
- 7 years of security experience
- Compliance Expert
- Primary Author of the PCI e-commerce guideline
- 20 years Risk Manager on Wall Street
- Consultant to DHS on Middleware Vulnerabilities
What we will cover today
- Cyber Security: What is Cyber Security?
- Cloud Security: What are the similarities and differences between cloud security and cyber?
- Getting to the Cloud: What are the requirements to get to the cloud?
- Cloud Security Components: Service Provider Responsibilities vs. Customer Responsibilities
- Risk Management: Measuring effectiveness of security in the context of the EU data directive
CSP & Customer Relationship
Cloud Security
- Relationship between customer and cloud service provider
- Defined by the components of the solution
- Evolving:
  - Most CSPs will now provide Logs
  - Penetration tests for Hypervisor
  - Data Center Inspections
  - Limited Service Agreements
  - Enhanced Security Service Capabilities
  - Cloud Access Security Brokers - CASBs
  - Data Classification
  - Cyber Risk Management
Israel cloud adoption - by se
[Chart of Israeli cloud adoption by sector; categories recovered from the slide:]
- Private Cloud: Army, Banks, Government, Utility
- Cloud curious (checking the technology): Government, Finance, Telecom Operators, Health
- Cloud adopters (running 2-5 applications in cloud): Telecom Vendor, Industry services, Utilities
Source: Moshe Ferber, Cloud Security Alliance Israel
Cloud Security Components
Bank of Israel Regulation
- Core system data cannot be in the cloud
- What is core data?
- How can we classify different types of data and how it is protected in the cloud?
- Follow the EU Data Directive
- Ensure compliance
- Risk Management
- Board Room Approvals
Evolving - Cyber Organization
- The CISO of the future is the one who can run the risk-management organization.
- Reports to the business, either CEO, CFO, CRO or COO, moving out of repo
- The days of security being led by the 'network person' who did security in th and learned on the job are over, and increasingly we are seeing seasoned pro with real business experience & business school qualifications stepping into space, reporting to the board of directors on Cyber Risk.
Classifying Data
Old Way - Manual
- Thousands of man hours
- Most projects fail
- Business Owner Dependent
- Costly to maintain
- Constantly changing
New Way - Data Classification Products
- Machine Learning
- Clustering
- One month deliverable
EU Data Directive
This deliverable reports on the current legal framework regulating the storage and processing of data on the cloud and introduces a risk assessment methodology to analyze the business risks associated with outsourcing data.
AUTOMATING CYBER RISK AND CLOUD RISK
https://practice-project.eu/downloads/publications/D31.1-Risk-assessment
PU-M12.pdf
How cyber Risk is managed
- Identification of Threats
- Compliance Regulation
- Define the Control
- Test the Measure
- Implement and Protect Network Domains

In addition, further development of policies, processes, and systems must continue to ensure that:
- Firewall configuration standards include requirements for a firewall at each Internet connection, and between any DMZ and the internal network zone;
- Current network diagram is consistent with the firewall configuration standards;
- Firewall rules prevent internal addresses passing from the Internet into the DMZ;
- Firewall rules prevent direct connections inbound or outbound for traffic between the Internet and the cardholder data environment;
- Prohibit direct public access between the Internet and any system component in the cardholder data environment;
- Require that all outbound traffic from the cardholder data environment to the Internet is explicitly authorized.

Mapped controls: PCI DSS Objective 1.1.3, Objective 1.3, Objective 1.3.3-5, Objective 1.3.7; SOC 3.2, 3.5, 3.8; EU Data Directive
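As an added example (not from the deck or any product it mentions), the Python below turns the "Define the Control / Test the Measure" steps into an automated test of a constructed firewall rule set against the three rule-level requirements listed above, and reduces each result to the deck's "Fully"/"None" control-test answers. The zone names, the Rule fields, the internal address ranges and the sample rules are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed RFC 1918 ranges standing in for the organisation's internal addressing (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src_zone: str           # assumed zone names: "internet", "dmz", "cde", "internal"
    dst_zone: str
    src_net: str            # source CIDR the rule matches
    service: str            # e.g. "tcp/443"; "any" matches every port
    approved: bool = False  # explicit business authorisation recorded for the rule

def check_rules(rules):
    """Test allow rules against the slide's controls; returns {control: [violating rule indexes]}."""
    findings = {"internal-src-from-internet": [], "direct-internet-cde": [], "unauthorized-cde-outbound": []}
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src_net)
        # Internal addresses must not be accepted from the Internet into the DMZ (anti-spoofing).
        if r.src_zone == "internet" and r.dst_zone == "dmz" and any(src.subnet_of(n) for n in INTERNAL_NETS):
            findings["internal-src-from-internet"].append(i)
        # No direct connection, inbound or outbound, between the Internet and the cardholder data environment.
        if {r.src_zone, r.dst_zone} == {"internet", "cde"}:
            findings["direct-internet-cde"].append(i)
        # Traffic leaving the CDE must be explicitly authorised and narrowly scoped (no "any" service).
        if r.src_zone == "cde" and r.dst_zone != "cde" and (not r.approved or r.service == "any"):
            findings["unauthorized-cde-outbound"].append(i)
    return findings

def control_answers(findings):
    """Map findings to the deck's control-test answers: no violations is 'Fully', otherwise 'None'."""
    return {control: ("Fully" if not idx else "None") for control, idx in findings.items()}

SAMPLE_RULES = [  # constructed rule set for the demonstration
    Rule("allow", "internet", "dmz", "0.0.0.0/0", "tcp/443"),               # public web front end: fine
    Rule("allow", "internet", "dmz", "10.0.0.0/8", "any"),                   # accepts spoofed internal source
    Rule("allow", "internet", "cde", "0.0.0.0/0", "tcp/1433"),               # database exposed to the Internet
    Rule("allow", "cde", "dmz", "10.20.0.0/24", "tcp/3128", approved=True),  # approved egress via a DMZ proxy
    Rule("allow", "cde", "internet", "10.20.0.0/24", "tcp/80"),              # direct, unapproved egress
    Rule("deny", "internet", "internal", "0.0.0.0/0", "any"),                # default deny, not evaluated
]

if __name__ == "__main__":
    for control, idx in check_rules(SAMPLE_RULES).items():
        print(f"{control}: {'pass' if not idx else 'violated by rule(s) ' + str(idx)}")
```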
Risk Management

Likelihood vs. consequence matrix (rebuilt from the slide; the rightmost consequence column and the end of the "4 M" column text are cut off in the source):

| Likelihood | 1 Insignificant: No fines or additional costs | 2 Minor: No fines but increased monitoring costs | 3 Moderate: Some fines and moderate consequences | 4 M: Large fines, card privl major econ |
|---|---|---|---|---|
| A - Almost certain to occur in most circumstances | Medium (M) | High (H) | High (H) | Very High |
| B - Answer = None = 4: Likely to occur frequently | Medium (M) | Medium (M) | High (H) | High (H) |
| C - Answer = Partially = 3: Possible and likely to occur at some time | Low (L) | Medium (M) | High (H) | High (H) |
| D - Answer = Fully = 2: Unlikely to occur but could happen | Low (L) | Low (L) | Medium (M) | Medium (M) |
| E - May occur but only in rare and exceptional circumstances | Low (L) | Low (L) | Medium (M) | Medium (M) |
Risk Dashboards
- Real Time Risk
- Risk linked to business assets
- Mitigation
- Task Management
- Drill into risk
- See risk effectiveness across Divisions, Systems and Assets
CASB
Cloud access security brokers (CASBs) are on-premises or cloud-based policy enforcement points, placed between cloud service consumers and cloud providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, alerting, malware detection/prevention and so on.
[CASB deployment diagram; labels recovered from the slide: Sanctioned IT, Cloud Apps, DLP, Firewall, User Behavior Analytics, Off-Network (Cloud-to-Cloud), Shadow IT]
Discussion Items
- What is the definition of core data?
- What products will help you to show how this data is in the cloud?
- What level of Encryption will be accepted for the cloud?
- What products can help you with compliance here?
- What new technologies will help demonstrate risk management is effective for the cloud and provide EU data directive compliance?
- What benefits will CASBs provide the Israeli Market?
That's it. Thank you!