Executives guide to cloud security TierPoint
EXECUTIVE'S GUIDE TO CLOUD SECURITY
MAXIMIZE YOUR OPPORTUNITY. MITIGATE YOUR RISKS.
WHAT YOU WILL FIND IN THIS SlideShare:
• An update on the latest cloud adoption trends and security threats
• A few important terms to know
• A framework for guiding your cloud security strategy
WHAT YOU WON’T FIND IN THIS SlideShare:
When it comes to cloud security, beware of guides that claim to be “all you’ll ever need.” Cloud security is a deep topic and an ever-moving target as technologies advance and cyber threats evolve. This guide will help you start a discussion around cloud security with your IT team, not take the place of one.
A FEW CLOUD TERMS YOU NEED TO KNOW
On-premises private clouds — A cloud infrastructure a company hosts at their privately-owned data center. Resources, such as data, storage and applications, are dedicated to a single company and are owned by that company. Synonyms: internal cloud, corporate cloud.
Hosted private clouds — Similar to a private cloud except the resources are owned by a cloud services provider who manages the dedicated infrastructure at their facility. In many commercial scenarios, these are actually “multi-tenant private clouds” in that some of the infrastructure, e.g., compute resources, is shared by the customers served by the cloud provider.
Public clouds — A hyperscaler cloud environment with shared resources, all available over the internet.
Hybrid clouds — Not actually a type of cloud in itself, a hybrid cloud refers to a corporate infrastructure that leverages several different types of clouds.
QUESTION: Why do we need to talk about cloud computing? Won't we be more secure if we keep everything on-premises?
THE TREMENDOUS ADVANTAGES OF THE CLOUD
From TierPoint's view: Moving CapEx to OpEx will remain a top priority for many midmarket companies in 2017.
CLOUD ADOPTION DISTRIBUTION
• Experiment: 21%
• Non-Critical Use: 38%
• Full Production: 33%
• Transformed IT: 8%
79% of companies surveyed are beyond the experimental stage of utilizing the Cloud.
COMPETITIVE LANDSCAPE
If you're on-premises-only, you may be losing ground to your competitors.
GOOD ADVICE: Most cloud decisions are not (and should not be) about completely shutting down data centers and moving everything to the cloud… Look at cloud decisions on a workload-by-workload basis, rather than taking an "all or nothing" approach.
WHICH APPLICATIONS ARE COMPANIES MOVING TO THE CLOUD?
[Bar chart, scale 0–70, comparing Cloud vs. On-premises deployment for: Email, Business productivity, CRM, Analytics/BI, Financial Mgmt., HR Mgmt., Help Desk, ERP, Call Center]
THERE ARE SEVERAL FACTORS TO CONSIDER
• Sensitivity of data
• Performance requirements
• Integration with other applications
• Application "fitness" for the cloud
• Internal skill set
• Current infrastructure investments
• Industry regulations
• Compliance requirements
• Reliability of local Internet connectivity
TIP: The answers to these questions can also help you determine which type of cloud is right for each workload.
SECURITY IS OFTEN CITED AS A KEY CONCERN
53% of executives surveyed in 2016 cited general security concerns as a barrier to cloud adoption. That's up 8% from 2015.
MYTH: Cloud computing is less secure than using on-premises resources.
FACT: Most data breaches involve on-premises data centers or privately managed clouds (offsite data centers owned and managed by the breached organization).
WHY IS THE CLOUD OFTEN MORE SECURE?
STAFFING: Cyber security talent is expensive, and few midmarket companies can afford to cover all areas with internal, full-time talent. Because our utilization rate is higher, we can afford to hire the best.
FOCUS: Internal IT staff is often required to wear multiple hats. Our security personnel are focused on cyber security and keeping our clients' systems and data safe 24x7.
EXPERIENCE: Companies often get blindsided by attacks they "never saw coming." Because our staff lives and breathes cyber security, we are some of the first to know about the latest threats and techniques.
TOOLS: We always have the latest tools at our disposal, whether we develop them in house or have access to them because of our partnership with leading cloud providers such as Microsoft and Amazon.
TALENT SHORTAGE + HIGH SALARIES = TROUBLE FOR U.S. COMPANIES
• 82% of tech executives said they lacked the necessary skills internally to keep their systems and data secure.
• There are currently 209,000 US cybersecurity jobs without candidates, and demand for cybersecurity professionals is expected to grow 53% through 2018.
• 62% of tech executives said that the current IT talent shortage would prevent them from keeping pace with technology changes.
AVERAGE CYBER-SECURITY SALARIES (not adjusted for cost of living)
• Minneapolis $131,302
• San Francisco $149,744
• Denver $123,222
• Boston $99,274
QUESTION: We were just audited for PCI, HIPAA, etc… Do I still need to worry about cyber security?
MYTH: Because cloud security and compliance are the same thing, if I focus on one, I'll have them both covered.
FACT: The most notable breaches happened at companies that had been audited and deemed compliant.
QUESTION: I've got malware and virus protection on our systems. What else do I need to worry about?
WHAT IS A HACKER?
PERCEPTION:
• Sole individual with no motive
• Teenager living in parents' basement
• A "hacker" just causing trouble
REALITY:
• "Hacktivist" groups who want to punish a corporation or country, usually for political reasons
• Hostile governments and terrorist groups
• Criminal organizations perpetrated 72.4% of all cyber-attacks in August 2016
TIP: Security professionals sometimes prefer "threat actor" to the term "hacker" since it is more all-encompassing.
BAD BOT!
• Bots generate about 50% of website traffic
• 30% of this traffic is malicious, e.g.:
  • DDoS
  • Site Scraping
  • Comment Spam
  • SEO Spam
  • Business logic attacks
SAD FACT: If you want to bring down a website but don't have the skills, you can rent a botnet for about $6 a month.
A FEW BOT-RELATED TERMS YOU (UNFORTUNATELY) NEED TO KNOW:
• SITE SCRAPING – Bots figure out how your database is organized and use that info to steal price lists, customer lists, and other proprietary information.
• DENIAL OF SERVICE ATTACK (DoS) – Bots disable your network by flooding it with useless traffic.
• BOTNET – A network of internet-connected devices that are infected and controlled together.
• DISTRIBUTED DENIAL OF SERVICE ATTACK (DDoS) – Bots take over multiple systems (see Botnet) and use them to gang up on their core target.
A FEW MORE TERMS:
• PHISHING – Posing as a legitimate company to gain access to a user’s credentials or systems.
• SPEAR-PHISHING – An email that appears to be from an individual or company you know but contains malware or other attempts to gather personal information.
• SOCIAL ENGINEERING – Psychologically manipulating people into providing personal information. e.g., “I’m from the IRS…”
• RANSOMWARE – Software designed to block access or encrypt files until a ransom is paid.
MULTI-VECTOR ATTACKS: Is it a DDoS or something else?
• Hackers are using smokescreens to divert attention from their real target. DoS and DDoS are particularly useful for this.
• In 2011, hackers used denial of service attacks to distract Sony's IT team while they stole account information from millions of customers.
• The FFIEC (Federal Financial Institutions Examination Council) has issued statements warning banks about the use of DDoS as a diversionary tactic.
RANSOMWARE
• 300% increase in attacks this year.
• 4,000 attacks a day in 2016.
• Something must be working (for the criminals).
HOW IT WORKS:
1. Your systems are infected, often through a malicious email, but even legit websites can contain malware.
2. The malware encrypts your files or blocks access to your systems.
3. Attackers demand payment (usually in bitcoin) to receive a decryption key.
4. If the ransom is paid, the decryption key sometimes works.
QUESTION: Can you bring it all together for me? I need a framework so I can ensure we have all our bases covered.
A FIVE-STEP SECURITY FRAMEWORK
#1 IDENTIFY: Determine which workloads are most vulnerable
#2 PROTECT: Protect these assets from attack
#3 DETECT: Detect incoming attacks and threats
#4 RESPOND: When an attack occurs (and it will), defend these assets
#5 RECOVER: Restore damaged capabilities and services
STEP #1: IDENTIFY VULNERABLE WORKLOADS
• Mission critical to the business
• Highest value to cyber thieves, e.g., financial data
• Covered by regulations, e.g., PCI and HIPAA
TIP: Think about the value of your data in hackers' terms
• Credit card data is only worth $5 – $30 in the U.S.
• Login credentials for a bank account holding $2,000 will bring in roughly $190.
• Login credentials to online payment services like PayPal can bring in $20 – $300 depending on the balance.
• Credentials to an online auction account can go for as much as $1,200.
HOWEVER…
• Data for a single patient can net from $500 – $1,800 depending on the age of the person and their insurance coverage.
STEP #2: PROTECT
Just a few of the tools in the toolbox…
• Firewalls
• Web Application Firewall
• Encryption at rest
• Data Loss Prevention (DLP)
• Intrusion Prevention
• Threat Management
• Web Content Filtering
• Penetration Testing
• Vulnerability Scanning
• Multi-Factor Authentication
• Virtual Private Networking
• Spam Filtering/Email Protection
• System Hardening
EVER WONDER…? Why you get so many updates from your application and OS vendors?
"Many [operating systems and applications] have autoupdate mechanisms, but administrators and users often disable or ignore autoupdate routines to avoid service interruptions or other unintended consequences."
~ Why patching is still a problem – and how to fix it, InfoWorld, January 2016.
• 5,000 – 6,000 security vulnerabilities are uncovered each year, roughly 15 a day.
• These are not "bugs," but "weaknesses" discovered by hackers (or the vendors).
• Some of these represent significant holes in your security defenses.
Application and OS Management services ensure these patches get installed with minimal disruption to your operations.
THE IoT AND SECURITY
Gartner predicts:
• 20.8 billion objects connected to the Internet by 2020.
• By 2020, autonomous software agents will participate in 5% of all economic transactions.
• By 2018, more than 3 million workers globally will be supervised by a "robo-boss."
~ Smarter With Gartner, October 6, 2015
Don't turn your back on your devices! These are the "things" botnets are designed to take over and that they use to execute DDoS attacks.
STEP #3: DETECT
DETECTION TOOLS:
• Intrusion Detection
• Antivirus Protection (Server, Network, and Endpoint)
• File Integrity Monitoring
• Log Management
"85 percent of firms with fewer than 1,000 employees indicate their systems have been successfully penetrated, compared to about 60 percent of larger companies." — CFO.com, June 2015
"Preventing a security event is only the first step. Companies must assume they have been breached and work to discover and respond to those intrusions." — Paul Mazzucco
DETECTION: A MAJOR ISSUE
[Timeline graphic: INTRUSION → DETECTION → FULL REMEDIATION, labeled 146 DAYS]
Most damage occurs between intrusion and detection, when malicious attackers have free rein over systems and access to data.
STEP #4: RESPOND
First things first: Plug the hole and adhere to any compliance reporting requirements.
RESPONDING TO RANSOMWARE
TIPS FROM THE FBI
• Back up data regularly and test backups.
• Secure all backups, including cloud backups, so they are inaccessible to a spreading ransomware virus.
• Conduct annual vulnerability and penetration testing.
STEP #5: RECOVER
[Timeline graphic: INTRUSION → DETECTION → FULL REMEDIATION, with the RECOVERY PHASE marked]
GOALS:
• Minimize financial impact to the business
• Repair lost consumer and market confidence
• Conduct a post mortem to strengthen security
TIP: Disaster Recovery and Business Continuity Planning is about more than data backups and recovery. Include elements such as crisis communication procedures.
• The more you have in the cloud, the more you rely on (and benefit from) your provider's security capabilities.
• Security as a Service offers additional services such as DDoS mitigation, log monitoring, and vulnerability and penetration testing.
CLOUD SECURITY SHARED RESPONSIBILITY MODEL
[Chart: responsibility areas (Data classification & accountability; Client & end-point protection; Identity & access management; Application level controls; Network controls; Host infrastructure; Physical security) across deployment models (On-premise, IaaS, PaaS, SaaS), with each cell shaded as the responsibility of either the Cloud Customer or the Cloud Provider]
WANT TO LEARN MORE? DOWNLOAD THESE RESOURCES
• ARTICLE: Multi-layered attacks require more sophisticated IT security (TierPoint)
• ARTICLE: Incidents of ransomware on the rise (FBI)
• GUIDE: Ransomware prevention and response for CISOs (FBI)
• On-Demand Webinar: Multi-layered online attacks: IT security strategies to protect your company (TierPoint and Imperva)
844.267.3687
www.tierpoint.com
CONTACT US TODAY