Getting to the Cloud Event 2015


  • 7/25/2019 Getting to the Cloud Event 2015

    1/20

    STKI's work Copyright@2016. Do not remove source or attribution from any slide, graph or portion of graph

    2016

    Getting to the Cloud
    Security & Risk Management

    How will Digital Transformation transform all of us

    Ariel Evans, EVP
    Senior Cyber Security and Risk Analyst
    [email protected]

  • Slide 2/20

    About Me

    - CISO, Telco US
    - 7 years of security experience
    - Compliance Expert
    - Primary Author of the PCI e-commerce guideline
    - 20 years Risk Manager on Wall Street
    - Consultant to DHS on Middleware Vulnerabilities

  • Slide 3/20

    What we will cover today

    - Cyber Security: What is Cyber Security?
    - Cloud Security: What are the similarities and differences between cloud security and cyber?
    - Getting to the Cloud: What are the requirements to get to the cloud?
    - Cloud Security Components: Service Provider Responsibilities vs. Customer Responsibilities
    - Risk Management: Measuring effectiveness of security in the context of the EU data directive

  • Slide 4/20 (image slide, no text recovered)

  • Slide 5/20

    CSP & Customer Relationship

  • Slide 6/20

    Cloud Security

    - Relationship between customer and cloud service provider
    - Defined by the components of the solution
    - Evolving
    - Most CSPs will now provide:
      - Logs
      - Penetration tests for Hypervisor
      - Data Center Inspections
    - Limited Service Agreements
    - Enhanced Security Service Capabilities
    - Cloud Access Security Brokers (CASBs)
    - Data Classification
    - Cyber Risk Management

  • Slide 7/20

    Israel cloud adoption - by sector (chart; only the labels were recovered)

    - Private Cloud: Army, Banks, Government, Utility
    - Cloud curious, checking the technology: Government, Finance, Telecom Operators, Health
    - Cloud adopters, running 2-5 applications in cloud: Telecom Vendor, Industry, Services, Utilities

    Source: Moshe Ferber, Cloud Security Alliance Israel

  • Slide 8/20

    Cloud Security Components

  • Slide 9/20

    Bank of Israel Regulation

    Core system data cannot be in the cloud.

    What is core data? How can we classify different types of data, and how is it protected in the cloud?

    - Follow the EU Data Directive
    - Ensure compliance
    - Risk Management
    - Board Room Approvals

  • Slide 10/20

    Evolving - Cyber Organization

    The CISO of the future is the one who can run the risk-management organization.

    Reports to the business, either CEO, CFO, CRO or COO; moving out of repo…

    The days of security being led by the 'network person' who did security in th… and learned on the job are over, and increasingly we are seeing seasoned pros with real business experience & business school qualifications stepping into the space, reporting to the board of directors on Cyber Risk.

  • Slide 11/20

    Classifying Data

    Old Way - Manual
    - Thousands of man hours
    - Most projects fail
    - Business Owner Dependent
    - Costly to maintain
    - Constantly changing

    New Way - Data Classification Products
    - Machine Learning
    - Clustering
    - One month deliverable

  • Slide 12/20

    EU Data Directive

    This deliverable reports on the current legal framework regulating the storage and processing of the data on the cloud and introduces a risk assessment methodology to analyze the business risks associated with outsourcing data.

    AUTOMATING CYBER RISK AND CLOUD RISK

    https://practice-project.eu/downloads/publications/D31.1-Risk-assessment-PU-M12.pdf

  • Slide 13/20

    How cyber Risk is managed

    Cycle: Identification of Threats -> Compliance Regulation -> Define the Control -> Test the Measure -> Implement and Protect

    Network Domains

    In addition, further development of policies, processes, and systems must continue to ensure that:

    - Firewall configuration standards include requirements for a firewall at each Internet connection, and between any DMZ and the internal network zone;
    - Current network diagram is consistent with the firewall configuration standards;
    - Firewall rules prevent internal addresses passing from the Internet into the DMZ;
    - Firewall rules prevent direct connections inbound or outbound for traffic between the Internet and the cardholder data environment;
    - Prohibit direct public access between the Internet and any system component in the cardholder data environment;
    - Require that all outbound traffic from the cardholder data environment to the Internet is explicitly authorized.

    Mapped to: PCI DSS Objective 1.1.3, Objective 1.3, Objective 1.3.3-5, Objective 1.3.7; SOC 3.2, 3.5, 3.8; EU Data Directive
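    The firewall requirements quoted above are the kind of control that can be tested automatically rather than by reading a rule base by hand. The following Python is an example added here (not STKI's code, and not a PCI DSS tool): it models a zone topology and a list of firewall rules and reports which rules break the requirements listed on the slide. The zone names, the Rule fields, the boundary map and the sample rules are constructed assumptions; the objective labels it prints are the ones the slide lists.

```python
"""Check a firewall rule set and zone topology against the PCI DSS
network-domain requirements quoted on slide 13 (firewall at every
Internet/DMZ boundary, no direct Internet -> CDE access, no internal
source addresses from the Internet, explicitly authorized CDE egress).
Added example with constructed rules; zone names and fields are assumptions."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: addresses that must never be accepted from the Internet side
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    rule_id: str
    action: str                 # "allow" or "deny"
    src_zone: str               # "internet", "dmz", "internal" or "cde"
    dst_zone: str
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    justification: str = ""     # documented authorization for CDE egress


def uses_internal_source(cidr: str) -> bool:
    """True if the rule explicitly permits a source range inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in INTERNAL_NETS)


def check_topology(boundaries: dict) -> list:
    """Objective 1.1.3: a firewall must sit at every Internet connection and
    between any DMZ and the internal zone.  `boundaries` maps
    (zone_a, zone_b) -> True when a firewall enforces that boundary."""
    findings = []
    for (a, b), has_fw in boundaries.items():
        required = "internet" in (a, b) or {a, b} == {"dmz", "internal"}
        if required and not has_fw:
            findings.append((f"{a}<->{b}", "1.1.3", "no firewall at required boundary"))
    return findings


def check_rules(rules: list) -> list:
    """Return (rule_id, objective, message) for each allow rule that breaks a
    requirement on the slide.  Deny rules never create a finding."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # No direct public access from the Internet to any CDE component
        if r.src_zone == "internet" and r.dst_zone == "cde":
            findings.append((r.rule_id, "1.3",
                             "direct inbound Internet -> CDE access permitted"))
        # Internal addresses must not pass from the Internet into the DMZ
        if r.src_zone == "internet" and uses_internal_source(r.src_cidr):
            findings.append((r.rule_id, "1.3.3-5",
                             "internal source address accepted from the Internet"))
        # CDE -> Internet traffic is allowed only when explicitly authorized
        if r.src_zone == "cde" and r.dst_zone == "internet" and not r.justification:
            findings.append((r.rule_id, "1.3.7",
                             "CDE -> Internet egress not explicitly authorized"))
    return findings


# Constructed sample input: a small rule base with deliberate defects
SAMPLE_RULES = [
    Rule("R1", "allow", "internet", "dmz", dst_cidr="203.0.113.10/32"),
    Rule("R2", "allow", "internet", "dmz", src_cidr="10.0.0.0/8"),
    Rule("R3", "allow", "internet", "cde", dst_cidr="10.20.0.5/32"),
    Rule("R4", "allow", "cde", "internet", dst_cidr="198.51.100.7/32",
         justification="CHG-0042: acquirer payment gateway"),
    Rule("R5", "allow", "cde", "internet"),
    Rule("R6", "deny", "internet", "cde"),
]
SAMPLE_BOUNDARIES = {("internet", "dmz"): True, ("dmz", "internal"): False,
                     ("internal", "cde"): True}

if __name__ == "__main__":
    for f in check_topology(SAMPLE_BOUNDARIES) + check_rules(SAMPLE_RULES):
        print("%-16s objective %-8s %s" % f)
```

    Run stand-alone it prints one line per finding: the missing DMZ/internal firewall, the spoofable R2, the direct inbound R3 and the unjustified egress R5; R4 passes because its change ticket is recorded on the rule.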

  • Slide 14/20

    Risk Management

    Consequence scale (the rightmost column is cut off on the slide):
    1 Insignificant - No fines or additional costs
    2 Minor - No fines but increased monitoring costs
    3 Moderate - Some fines and moderate consequences
    4 M… - Large fines
    (cut off) - card privl… / major econ…

    Likelihood (rows) x Consequence (columns) -> risk rating:

    Likelihood \ Consequence                                            | 1          | 2          | 3          | 4
    A - Almost certain to occur in most circumstances                   | Medium (M) | High (H)   | High (H)   | Very High
    B - Answer = None = 4; Likely to occur frequently                   | Medium (M) | Medium (M) | High (H)   | High (H)
    C - Answer = Partially = 3; Possible and likely to occur at some time | Low (L)  | Medium (M) | High (H)   | High (H)
    D - Answer = Fully = 2; Unlikely to occur but could happen          | Low (L)    | Low (L)    | Medium (M) | Medium (M)
    E - May occur but only in rare and exceptional circumstances        | Low (L)    | Low (L)    | Medium (M) | Medium (M)

  • Slide 15/20

    Risk Dashboards

    - Real Time Risk
    - Risk linked to business assets
    - Mitigation
    - Task Management
    - Drill into risk
    - See risk effectiveness across Divisions, Systems, Assets
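    The matrix on slide 14 and the dashboard on slide 15 fit together as one small pipeline: a control-test answer (None/Partially/Fully) selects a likelihood row, the asset's consequence column selects the rating, and ratings roll up by division, system and asset for the dashboard and the mitigation task list. The Python below is an example added here, not STKI's code or a product's: it encodes the four consequence columns legible on the slide (the cut-off column is omitted) and the slide's answer-to-likelihood mapping, and runs it over constructed findings; the finding fields and the "High or worse" task threshold are assumptions.

```python
"""Rate control-test findings with the likelihood x consequence matrix on
slide 14 and roll them up by division and system, the way the slide-15
dashboard describes.  Added example, not STKI's code: the findings are
constructed, and only the four consequence columns legible on the slide
are encoded."""
from collections import Counter, defaultdict

# Rating for each (likelihood row, consequence column 1..4) cell of the slide's matrix
MATRIX = {
    "A": ["M", "H", "H", "VH"],   # almost certain to occur in most circumstances
    "B": ["M", "M", "H", "H"],    # likely to occur frequently
    "C": ["L", "M", "H", "H"],    # possible and likely to occur at some time
    "D": ["L", "L", "M", "M"],    # unlikely to occur but could happen
    "E": ["L", "L", "M", "M"],    # only in rare and exceptional circumstances
}
# The slide maps the answer to a control-test question onto a likelihood row
LIKELIHOOD_FROM_ANSWER = {"None": "B", "Partially": "C", "Fully": "D"}
SEVERITY = {"L": 0, "M": 1, "H": 2, "VH": 3}


def rate(answer: str, consequence: int) -> str:
    """Risk rating code for a control answered `answer` (None/Partially/Fully)
    on an asset whose consequence column is 1..4."""
    return MATRIX[LIKELIHOOD_FROM_ANSWER[answer]][consequence - 1]


def worst(ratings) -> str:
    return max(ratings, key=SEVERITY.__getitem__)


def dashboard(findings: list) -> dict:
    """Roll-up for the dashboard: worst rating and rating counts per division,
    and worst rating per (division, system)."""
    by_division, by_system = defaultdict(list), defaultdict(list)
    for f in findings:
        r = rate(f["answer"], f["consequence"])
        by_division[f["division"]].append(r)
        by_system[(f["division"], f["system"])].append(r)
    return {
        "divisions": {d: {"worst": worst(rs), "counts": dict(Counter(rs))}
                      for d, rs in by_division.items()},
        "systems": {s: worst(rs) for s, rs in by_system.items()},
    }


def mitigation_tasks(findings: list, threshold: str = "H") -> list:
    """Task list: every finding rated at or above `threshold`, most severe first,
    as (rating, division, system, asset, control) tuples."""
    tasks = [(rate(f["answer"], f["consequence"]), f["division"], f["system"],
              f["asset"], f["control"]) for f in findings]
    tasks = [t for t in tasks if SEVERITY[t[0]] >= SEVERITY[threshold]]
    tasks.sort(key=lambda t: SEVERITY[t[0]], reverse=True)  # stable: input order kept within a rating
    return tasks


# Constructed sample findings (division, system, asset, control, answer, consequence)
SAMPLE_FINDINGS = [
    dict(division="Retail", system="Card Processing", asset="payment-switch",
         control="CDE egress explicitly authorized", answer="None", consequence=4),
    dict(division="Retail", system="Card Processing", asset="web-tier",
         control="Firewall at each Internet connection", answer="Partially", consequence=3),
    dict(division="Retail", system="Web Store", asset="cms",
         control="Network diagram matches firewall standard", answer="Fully", consequence=2),
    dict(division="HR", system="Payroll", asset="hr-db",
         control="Data classified before cloud migration", answer="Partially", consequence=2),
    dict(division="HR", system="Payroll", asset="sso",
         control="Single sign-on enforced for cloud apps", answer="None", consequence=1),
]

if __name__ == "__main__":
    for division, summary in dashboard(SAMPLE_FINDINGS)["divisions"].items():
        print(division, "worst:", summary["worst"], "counts:", summary["counts"])
    for task in mitigation_tasks(SAMPLE_FINDINGS):
        print("TASK", *task)
```

    Note that with the slide's mapping a control answer alone can never produce "Very High": that rating sits only in row A, which the slide does not tie to an answer, so an assessor who wants it must set the likelihood row explicitly rather than derive it from the questionnaire.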

  • Slide 16/20

    CASB

    Cloud access security brokers (CASBs) are on-premises or cloud-based policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

  • Slide 17/20

    CASB architecture diagram (only the labels were recovered): Sanctioned IT; Cloud Apps; DLP; Firewall; User Behavior Analytics; Off-Network (Cloud-to-Cloud); Shadow IT
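    The definition on slide 16 and the diagram on slide 17 describe a broker that sits in the path and applies several policy types to one request. The Python below is an example added here (not a CASB product's code and not STKI's) of such a policy enforcement point in miniature: it classifies the destination as sanctioned or shadow IT, applies a device-profiling rule, runs a DLP check for card numbers on uploads, and raises a user-behaviour alert on bulk downloads. The app registry, request fields, hostnames, sample traffic and thresholds are all constructed assumptions.

```python
"""A minimal CASB-style policy enforcement point for the flows on slides
16-17: sanctioned vs. shadow-IT app, device profile, DLP on uploads and a
user-behaviour threshold on downloads.  Added example, not a product's
code: the app registry, the request fields and the thresholds are
constructed assumptions."""
import re

# Registry of sanctioned cloud apps, as IT would maintain it (constructed)
SANCTIONED_APPS = {"crm.example-saas.test": "CRM", "files.example-saas.test": "File sync"}
MANAGED_DEVICE_ONLY = {"files.example-saas.test"}   # device-profiling policy
BULK_DOWNLOAD_THRESHOLD = 100                       # downloads per hour per user

# 13-19 digits, optionally separated by spaces or dashes (card-number shape)
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """DLP classifier: card-shaped tokens that also pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def enforce(request: dict) -> tuple:
    """Policy decision (decision, reason) for one proxied request.
    Request keys (assumed): user, host, device_managed, action, payload,
    downloads_last_hour (supplied by a session tracker, not modelled here)."""
    host, action = request["host"], request["action"]
    if host not in SANCTIONED_APPS:
        # Shadow IT: log reads for discovery, block data leaving the organisation
        if action == "upload":
            return "block", "upload to unsanctioned cloud app"
        return "alert", "unsanctioned cloud app access logged for discovery"
    if host in MANAGED_DEVICE_ONLY and not request.get("device_managed", False):
        return "block", "app requires a managed device"
    if action == "upload":
        pans = find_pans(request.get("payload", ""))
        if pans:
            return "block", f"DLP: {len(pans)} card number(s) in upload"
    if action == "download" and request.get("downloads_last_hour", 0) > BULK_DOWNLOAD_THRESHOLD:
        return "alert", "bulk download exceeds user baseline"
    return "allow", "policy satisfied"


# Constructed sample traffic as the broker would see it
SAMPLE_REQUESTS = [
    dict(user="alice", host="crm.example-saas.test", device_managed=True,
         action="download", downloads_last_hour=3),
    dict(user="bob", host="paste.unknown-app.test", device_managed=True,
         action="upload", payload="report.xlsx"),
    dict(user="carol", host="files.example-saas.test", device_managed=False,
         action="download"),
    dict(user="dave", host="files.example-saas.test", device_managed=True,
         action="upload", payload="customer 4111-1111-1111-1111 ref 1234 5678 9012 3456"),
    dict(user="erin", host="crm.example-saas.test", device_managed=True,
         action="download", downloads_last_hour=250),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["user"], req["host"], *enforce(req))
```

    The Luhn step matters for the DLP policy on the diagram: a plain 16-digit pattern would also block order numbers and reference IDs (the second number in dave's upload), which is the false-positive rate that makes users route around a broker.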

  • Slide 18/20 (image slide, no text recovered)

  • Slide 19/20

    Discussion Items

    - What is the definition of core data?
    - What products will help you to show how this data is in the cloud?
    - What level of Encryption will be accepted for the cloud?
    - What products can help you with compliance here?
    - What new technologies will help demonstrate risk management is effective for the cloud and provide EU data directive compliance?
    - What benefits will CASBs provide the Israeli Market?

  • Slide 20/20

    That's it. Thank you!