Executives guide to cloud security TierPoint

EXECUTIVE’S GUIDE TO MAXIMIZE YOUR OPPORTUNITY. MITIGATE YOUR RISKS.

Page 1: Executives guide to cloud security TierPoint

EXECUTIVE’S GUIDE TO

MAXIMIZE YOUR OPPORTUNITY. MITIGATE YOUR RISKS.

WHAT YOU WILL FIND IN THIS SlideShare:

• An update on the latest cloud adoption trends and security threats
• A few important terms to know
• A framework for guiding your cloud security strategy

WHAT YOU WON’T FIND IN THIS SlideShare:

When it comes to cloud security, beware of guides that claim to be “all you’ll ever need.” Cloud security is a deep topic and an ever-moving target as technologies advance and cyber threats evolve. This guide will help you start a discussion around cloud security with your IT team, not take the place of one.

A FEW CLOUD TERMS YOU NEED TO KNOW

On-premises private clouds — A cloud infrastructure a company hosts at their privately-owned data center. Resources, such as data, storage and applications, are dedicated to a single company and are owned by that company. Synonyms: internal cloud, corporate cloud.

Hosted private clouds — Similar to a private cloud except the resources are owned by a cloud services provider who manages the dedicated infrastructure at their facility. In many commercial scenarios, these are actually “multi-tenant private clouds” in that some of the infrastructure, e.g., compute resources, is shared by the customers served by the cloud provider.

Public clouds — A hyperscaler cloud environment with shared resources, all available over the internet.

Hybrid clouds — Not actually a type of cloud in itself, a hybrid cloud refers to a corporate infrastructure that leverages several different types of clouds.

QUESTION:

Why do we need to talk about cloud computing? Won’t we be more secure if we keep everything on-premises?

THE TREMENDOUS ADVANTAGES OF THE CLOUD

Moving CapEx to OpEx will remain a top priority for many midmarket companies in 2017.

From TierPoint’s View

COMPETITIVE LANDSCAPE

If you’re on-premises-only, you may be losing ground to your competitors.

79% of companies surveyed are beyond the experimental stage of utilizing the Cloud.

CLOUD ADOPTION DISTRIBUTION

• Experiment: 21%
• Non-Critical Use: 38%
• Full Production: 33%
• Transformed IT: 8%

GOOD ADVICE:

Most cloud decisions are not (and should not be) about completely shutting down data centers and moving everything to the cloud… Look at cloud decisions on a workload-by-workload basis, rather than taking an “all or nothing” approach.

WHICH APPLICATIONS ARE COMPANIES MOVING TO THE CLOUD?

[Bar chart, axis 0–70, comparing Cloud and On-premises for: Email, Business productivity, CRM, Analytics/BI, Financial Mgmt., HR Mgmt., Help Desk, ERP, Call Center]

THERE ARE SEVERAL FACTORS TO CONSIDER

• Sensitivity of data
• Performance requirements
• Integration with other applications
• Application “fitness” for the cloud
• Internal skill set
• Current infrastructure investments
• Industry regulations
• Compliance requirements
• Reliability of local Internet connectivity

TIP: The answers to these questions can also help you determine which type of cloud is right for each workload.

SECURITY IS OFTEN CITED AS A KEY CONCERN

53% of executives surveyed in 2016 cited general security concerns as a barrier to cloud adoption. That’s up 8% from 2015.

MYTH: Cloud computing is less secure than using on-premises resources.

FACT: Most data breaches involve on-premises data centers or privately managed clouds (offsite data centers owned and managed by the organization breached).

WHY IS THE CLOUD OFTEN MORE SECURE?

STAFFING: Cyber security talent is expensive, and few midmarket companies can afford to cover all areas with internal, full-time talent. Because our utilization rate is higher, we can afford to hire the best.

FOCUS: Internal IT staff is often required to wear multiple hats. Our security personnel are focused on cyber-security and keeping our clients’ systems and data safe 24X7.

EXPERIENCE: Companies often get blindsided by attacks they “never saw coming.” Because our staff lives and breathes cyber security, we are some of the first to know about the latest threats and techniques.

TOOLS: We always have the latest tools at our disposal, whether we develop them in-house or have access to them because of our partnership with leading cloud providers such as Microsoft and Amazon.

TALENT SHORTAGE + HIGH SALARIES = TROUBLE FOR U.S. COMPANIES

• 82% of tech executives said they lacked the necessary skills internally to keep their systems and data secure.
• There are currently 209,000 US cybersecurity jobs without candidates and demand for cybersecurity professionals is expected to grow 53% through 2018.
• 62% of tech executives said that current IT talent shortage would prevent them from keeping pace with technology changes.

AVERAGE CYBER-SECURITY SALARIES (not adjusted for cost of living)

• Minneapolis $131,302
• San Francisco $149,744
• Denver $123,222
• Boston $99,274

QUESTION:

We were just audited for PCI, HIPAA, etc… Do I still need to worry about cyber security?

MYTH: Because cloud security and compliance are the same thing, if I focus on one, I’ll have them both covered.

FACT: The most notable breaches happened at companies that had been audited and deemed compliant.

QUESTION:

I’ve got malware and virus protection on our systems. What else do I need to worry about?

WHAT IS A HACKER?

PERCEPTION

• Sole individual with no motive
• Teenager living in parents’ basement
• A “hacker” just causing trouble

REALITY

• “Hacktivist” groups who want to punish a corporation or country, usually for political reasons
• Hostile governments and terrorist groups
• Criminal organizations perpetrated 72.4% of all cyber-attacks in August 2016

TIP: Security professionals sometimes prefer “threat actor” to the term “hacker” since it is more all-encompassing.

BAD BOT!

• Bots generate about 50% of website traffic
• 30% of this traffic is malicious, e.g.:
  • DDoS
  • Site Scraping
  • Comment Spam
  • SEO Spam
  • Business logic attacks

SAD FACT: If you want to bring down a website but don’t have the skills, you can rent a botnet for about $6 a month.

A FEW BOT-RELATED TERMS YOU (UNFORTUNATELY) NEED TO KNOW:

• SITE SCRAPING – Bots figure out how your database is organized and use that info to steal price lists, customer lists, and other proprietary information.

• DENIAL OF SERVICE ATTACK (DOS) – Bots disable your network by flooding it with useless traffic.

• BOTNET – A network of internet connected devices that are infected and controlled together.

• DISTRIBUTED DENIAL OF SERVICE ATTACK – Bots take over multiple systems (see Botnet) and use them to gang up on their core target.

A FEW MORE TERMS:

• PHISHING – Posing as a legitimate company to gain access to a user’s credentials or systems.

• SPEAR-PHISHING – An email that appears to be from an individual or company you know but contains malware or other attempts to gather personal information.

• SOCIAL ENGINEERING – Psychologically manipulating people into providing personal information, e.g., “I’m from the IRS…”

• RANSOMWARE – Software designed to block access or encrypt files until a ransom is paid.

MULTI-VECTOR ATTACKS:

Is it a DDOS or something else?

• Hackers are using smokescreens to divert attention from their real target. DoS and DDoS are particularly useful.
• In 2011, hackers used denial of service attacks to distract Sony’s IT team while they stole account information from millions of customers.
• The FFIEC (Federal Financial Institutions Examination Council) has issued statements warning banks about the use of DDoS as a diversionary tactic.

RANSOMWARE

300% increase in attacks this year.

4,000 attacks a day in 2016.

Something must be working (for the criminals).

HOW IT WORKS:

1. Your systems are infected, often through a malicious email, but even legit websites can contain malware.
2. The malware encrypts your files or blocks access to your systems.
3. Attackers demand payment (usually in bitcoin) to receive a decryption key.
4. If ransom is paid, decryption key sometimes works.

QUESTION:

Can you bring it all together for me? I need a framework so I can ensure we have all our bases covered.

A FIVE-STEP SECURITY FRAMEWORK

#1 IDENTIFY: Determine which workloads are most vulnerable

#2 PROTECT: Protect these assets from attack

#3 DETECT: Detect incoming attacks and threats

#4 RESPOND: When an attack occurs (and it will), defend these assets

#5 RECOVER: Restore damaged capabilities and services

STEP #1: IDENTIFY VULNERABLE WORKLOADS

• Mission critical to the business
• Highest value to cyber thieves, e.g., financial data
• Covered by regulations, e.g., PCI and HIPAA

TIP: Think about the value of your data in hacker’s terms

• Credit card data is only $5 – $30 in the U.S.
• Login credentials for a bank account worth $2,000 per bank account will bring in roughly $190.
• Login credentials to online payment services like PayPal can bring in $20 – $300 depending on the balance.
• Credentials to an online auction account can go for as much as $1,200.

HOWEVER…

• Data for a single patient can net from $500 – $1,800 depending on the age of the person and their insurance coverage.

STEP #2: PROTECT

Just a few of the tools in the toolbox…

• Firewalls
• Web Application Firewall
• Encryption at rest
• Data Loss Prevention (DLP)
• Intrusion Prevention
• Threat Management
• Web Content Filtering
• Penetration Testing
• Vulnerability Scanning
• Multi-Factor Authentication
• Virtual Private Networking
• Spam Filtering/Email Protection
• System Hardening

EVER WONDER…?

Why you get so many updates from your application and OS vendors?

• 5,000 – 6,000 security vulnerabilities uncovered each year. ~ 15 a day.
• These are not “bugs,” but “weaknesses” discovered by hackers (or the vendors).
• Some of these represent significant holes in your security defenses.

Many [operating systems and applications] have autoupdate mechanisms, but administrators and users often disable or ignore autoupdate routines to avoid service interruptions or other unintended consequences.

~ Why patching is still a problem – and how to fix it, InfoWorld, January 2016.

Application and OS Management services ensure these patches get installed with minimal disruption to your operations.

THE IoT AND SECURITY

Don’t turn your back on your devices!

Gartner predicts:

• 20.8 billion objects connected to the Internet by 2020.
• By 2020, autonomous software agents will participate in 5% of all economic transactions.
• By 2018, more than 3 million workers globally will be supervised by a “robo-boss.”

~ Smarter With Gartner, October 6, 2015

These are the “things” botnets are designed to take over and that they use to execute DDOS attacks.

STEP #3: DETECT

DETECTION TOOLS:

• Intrusion Detection
• Antivirus Protection (Server, Network, and Endpoint)
• File Integrity Monitoring
• Log Management

85 percent of firms with fewer than 1,000 employees indicate their systems have been successfully penetrated, compared to about 60 percent of larger companies.
— CFO.com, June 2015

Preventing a security event is only the first step. Companies must assume they have been breached and work to discover and respond to those intrusions.
— Paul Mazzucco

DETECTION: A MAJOR ISSUE

[Timeline graphic: INTRUSION, DETECTION, FULL REMEDIATION; labeled 146 DAYS]

Most damage occurs between intrusion and detection when malicious attackers have free rein over systems and access to data.

DETECTION TOOLS:

• Intrusion Detection
• Antivirus Protection (Server, Network, and Endpoint)
• File Integrity Monitoring
• Log Management

STEP #4: RESPOND

First things first: Plug the hole and adhere to any compliance reporting requirements.

RESPONDING TO RANSOMWARE

TIPS FROM THE FBI

• Back up data regularly and test backups.
• Secure all backups, including cloud backups, so they are inaccessible to a spreading ransomware virus.
• Conduct annual vulnerability and penetration testing.

STEP #5: RECOVER

[Timeline graphic: INTRUSION, DETECTION, FULL REMEDIATION; RECOVERY PHASE]

GOALS:

• Minimize financial impact to the business
• Repair lost consumer and market confidence
• Conduct post mortem to strengthen security

TIP: Disaster Recovery and Business Continuity Planning is about more than data backups and recovery. Include elements such as crisis communication procedures.

CLOUD SECURITY SHARED RESPONSIBILITY MODEL

• The more you have in the cloud the more you rely on/benefit from your provider’s security capabilities.
• Security as a Service offers additional services such as DDOS mitigation, log monitoring, and vulnerability and penetration testing.

[Table graphic: each responsibility is assigned to the Cloud Customer or the Cloud Provider under each model. Columns: ON-PREMISE, IaaS, PaaS, SaaS. Rows: Data classification & accountability; Client & end-point protection; Identity & access management; Application level controls; Network controls; Host infrastructure; Physical Security]
