Women in Cyber Security Middle East (WiCSME)The 2020 cloud computing results show that enterprises...

www.WomeninCyberSecurity.ME Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public

18th August 2020;

Saudi BootCamp

Women in Cyber Security

Middle East (WiCSME)

Sapna SinghAdvocate and Member of WiCSME Group

Deloitte

2 Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public

About Me

• Cyber Security Professional with 10+ years of experience

• Global Speaker (RSA Conference, SANS, Lehack)

• Member Women in Cyber Security Middle East

• Co-Organizer WiCSME Kuwait Affiliate

• Supporting Deloitte WiC and W-CS (ISSA) Core team@sapnas1ngh

Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Publicwww.WomeninCyberSecurity.ME

Cloud Security


Agenda

Introduction to Cloud

2 Cloud benefits and challenges

1

3 Approach to Secure Cloud Adoption


Cloud is not really about “the cloud”

The cloud is many things to many people:

• Online storage for an individual’s files and music? That’s the cloud.

• Powerful servers hosted offsite to run a company’s proprietary business software? That’s the cloud, too.

• Web hosting? The cloud.

• Large file transfer that allows individuals to send their videos of their kids to the grandparents? Once again, the cloud.

• Online software for managing a business? The cloud.

• Online network management? The cloud.

Just another buzz word? No

Cloud

Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public4


Understanding the cloud ecosystem is a pre-requisite to any cloud conversation

According to the official NIST definition, "cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public5


Cloud Characteristics

On-Demand Self Service

Broad Network Access

Resource Pooling

Rapid Elasticity

Measured Service


Cloud Deployment Models

“Organizations can mix and match according to their needs ..”

*Source: https://sciencenow001.wordpress.com/2017/03/25/cloud-deployment-models/


Infrastructure As Service (IAAS)

Platform As Service (PAAS)

Software As Service (SAAS)

Data

Applications

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Data

Applications

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Data

Applications

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Data

Applications

Runtime

Middleware

OS

Virtualization

Servers

Storage

Networking

Cu

sto

me

rC

lou

d S

erv

ice

P

rovi

de

r

Clo

ud

Se

rvic

e

Pro

vid

er

Clo

ud

Se

rvic

e

Pro

vid

er

Cu

sto

me

r

On-Premise

Cloud Service Delivery Models



Move to cloud has been accelerated

Cloud Adoption Statistics

Cloud Service Providers – projected total revenue growth 2017- 2021

$154bn

2017 2018 2019 2020 2021

63% growth

Many entities’ move to Cloud has been accelerated by a need to create IT environments that can support emerging technologies, such as the internet of things, edge computing, artificial intelligence and 5G, in addition to the other benefits Cloud brings. through to 2022.

A handful of pioneers say they have already reached

cloud-only status, with the move to a virtual datacenter

on top of mind for many CEOs, CFOs, CIOs, and CISOs

$186bn

21% growth

$ 303bn83% of enterprise workloads will be in the cloud by 2020

94% of enterprises already use a cloud service.

84% of enterprises run on a multi-cloud strategy.

https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/https://www.forbes.com/sites/louiscolumbus/2018/01/07/83-of-enterprise-workloads-will-be-in-the-cloud-by-2020/#7f8e235e6261

The 2020 cloud computing results show that enterprises continue to embrace multi-cloud and hybrid cloud strategies and are already using more than two public and two private clouds on average.

Cloud computing is the #1 most in-demand hard skill, according to LinkedIn. Half of the most promising jobs of 2019 required a good knowledge of this emerging technology. (Source:Linkedin)

https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/

https://www.forbes.com/sites/louiscolumbus/2018/01/07/83-of-enterprise-workloads-will-be-in-the-cloud-by-2020/#7f8e235e6261


Cloud Adoption Statistics for 2020

*Source: Netskope - June 2017 - Cloud Report

Statistics should lead us to better control

Percentage Increase In Cloud Threats by Vertical: January to April 2020

Energy and Utilities

Financial Services

Manufacturing

Government

Education

Transportation andLogistics

FinancialServices

Government

Real Estate andConstruction

Education

Manufacturing +144%

+114%

+63%

+45%

+36%

Percentage Increase in Enterprise Cloud Service Use: January to April 2020

+ 300%

+ 200%

+ 350%

+ 600%

Increase in Usage of Collaboration cloud services

* Source: McAfee Cloud Adoption and Risk Report


Cloud Drivers

Regulatory requirement

• Security & Compliance

• Cloud First Policy

Business Transformation

• Digital transformation

• Cost Reduction Program

• New Product development

Compelling Event

• Data Center closure / Disaster

• Operational/Cyber incidents

• Reached Capacity


Disruptive & emerging technology use cases


COVID-19 use cases in the cloud

15 Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public© 2020 Deloitte & Touche (M.E.) All rights reserved.

Cloud Security Challenges and Concerns

Insecure APIs

Regulationand

compliance

Insufficient Due Diligence

Human Error

Data Security

Abuse of Cloud based

servicesOutages


Business-Critical Cloud Adoption Growing yet Security Gaps Persist

What does cloud security mean in practice? Not many entities are starting from scratch in their move to Cloud, as almost all have already adopted some level of cloud usage. This has provided an understanding , for example the challenges associated with so-called cloud sprawl when it comes to migration.

The lack of strong governance in technology adoption can lead to siloed data and application islands, limiting an organizations ability to take advantage of Cloud’s benefits.

What is cloud sprawl?

When an organization uses several different clouds, without the central means to view, secure or manage each of them

effectively, this can result in a lack of visibility and control.

Cloud-based Migration Challenges


Deloitte approach for a secure cloud adoption

Advanced Threat

Readiness & Preparation

Cloud RiskAnalytics

Security OperationsCenter

Threat Intelligence

& Analysis

Application Protection

Identity & Access

Management

Information Privacy &Protection

Implement cloud security

controls to mitigate the main

risks, while ensuring the

upkeep of your business.

Develop a cloud security

program aligned with the

strategic goals of an

organization.

Carry out effective awarenessplans and training to help youminimize cloud securityincidents.

Cyber Strategy,Transformation

& Assessments

Cyber Training, Education

& Awareness

Cloud Risk Management &

Compliance

SecureStrategy Vigilant Resilient

Cloud CrisisManagement

Cyber War gaming

Prepare capabilitybuilding, response,automation, as well asrealistic and systematiccybersecurity incidentresponse testing.

Detect and respond quicklyand effectively to incidentsresulting from cloudthreats, by optimizing andconstantly enhancingsecurity event and alert management systems.

Infrastructure Protection

Vulnerability Management

Securing your move to – and operating in – the cloud


Security and compliance at the core of the planning process

Cloud service providers implement innovation at a rapid pace, and potential opportunities, but also challenges, change rapidly and constantly.

The move to cloud is a multi-step journey and strategy.

It is important to put security and compliance at the core of the planning process from the beginning and keep it as an

integrated aspect throughout the whole innovation, migration and operations process .

Data Security

IaaS PaaS SaaS

Customer Data

Platform, Middleware & Application

Operating system, network & firewall configuration

Compute Storage DatabaseNetworki

ng

Hardware

Customer Data




ng

Hardware

Customer Data




ng

Hardware

Security Governance Risk and Compliance (GRC)

Physical Security

Platform Security &

Application Security

Infrastructure

Security

Enterprise

Responsibility

Cloud Provider

ResponsibilityLegend:

Cloud Security is a shared responsibility model



Identity and access management at security strategy’s heart

Cloud Risks & Challenges

Secure

Securely preventphishing, social engineering, and data breaches while enabling

seamless access to cloud and mobile apps

Vigilant

Vigilant detect unusual behavior while respecting user privacy and

keeping alert volumes manageable

Resilient

Resilient in response to possible attacks through adaptive access and

alerting across both On-Premise and cloud apps

Identity

UserExperience

Account takeover Data Breaches

Lost/stolen mobiledevices

Socialengineering

Visibility into useractivity

Phishing

Managingaccess

Weakpasswords

Man inthemiddleattacks

Multi-Factor Authentication

User and Entity Behavioral Analytics

https://www.watchguard.com/wgrd-resource-center/predictions-2020%23perimeter


http://www.watchguard.com/wgrd-resource-center/predictions-2020%23perimeter


Best practices for cloud encryption involve the following steps:

• Formulate a cloud encryption policy

• Define what data needs encryption, and when

• Identify where that data resides

• Implement encryption solutions and key management

To protect data stored in the cloud, organizations must have a strong cloud data policy and be proactive in implementing best

practices for protecting cloud data. One of the most important security safeguards for protecting cloud data is encryption.

Data Encryption as Security Safeguard



Continuous cloud monitoring

• Another key area is to establish continuous, proactive

monitoring of the cloud environment to ensure security

and compliance controls are being adhered to.

• Don’t just trust that everything deployed in Cloud is

performing as expected.

Continuous cloud monitoring will not only help detect cyber threats but will also enable clear sight of all workloads migrated to

Cloud, to monitor whether they are running as they should on a day-to-day basis, ensuring optimum cost-efficiency, and that they

fulfil all security, privacy and compliance requirements.



DevSecOps sees the security, development and operations teams working together holistically to ensure security is embedded from the

very beginning, and into each phase, of the DevSecOps pipeline.

DevSecOps (Development, Security, Operations)


• It is important to establish foundational DevSecOps

governance in the early stages to provide a roadmap to

transform people, processes and technology.

• The main challenge is to ensure all stakeholders adapt to

the new approach and work together.Penetration Testing

Compliance Validation

Code Review

Static Analysis

Threat Model Policies

Log

Audit

Threat Intelligence

Monitor

Detect

Response

Recover


Cyber-attacks are accelerating in multifold targeting cloud services with the adoption of cloud at wide scale by organizations. Cyber professionals are dealing with sheer volume of security alerts on a daily basis due to exponential number of attacks.

• In the ever-changing threat landscape, cloud security responseautomation is crucial to combat sophisticated adversaries.

• Automating the defense mechanism which enables security teams to efficiently manage repetitive and time consuming security incidents and conserve time for more critical incidents.

Automation


Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public© 2020 Deloitte & Touche (M.E.) All rights reserved.22


Automation – Infrastructure as Code


TerraformAWS CloudFormationGoogle Cloud Deployment Manager Chef Infra

Developer Infrastructure Code Automation

through API

On Cloud Infrastructure

On-Premises Infrastructure

Code Version Control

Manage

Manage

Code Push or Pull


Automation – Security as Code



Q & A

Twitter: @sapnas1ngh

Linkedin: sapna-singh-cissp-ccsk-msclis-86479626/


Women in Cyber Security Middle East [WiCSME]

in Social Media

http://www.WomeninCyberSecurity.ME

https://www.linkedin.com/groups/10385217/

@WiCSME

https://www.snapchat.com/add/wicsme

https://www.instagram.com/womenincybersecuritymiddleeast

http://www.womenincybersecurity.me/

https://www.linkedin.com/groups/10385217/

www.WomeninCyberSecurity.ME Women in Cyber Security Middle East (WiCSME) Group| V3.0 | Public

Thank you

Women in Cyber Security Middle East (WiCSME)The 2020 cloud computing results show that enterprises...

Documents

Transcript of Women in Cyber Security Middle East (WiCSME)The 2020 cloud computing results show that enterprises...