Adam Ely CISO, Heroku at salesforce.com Founder & COO, Bluebox Managing Security in The Cloud.


Why you're listening to me
CISO of Heroku BU at salesforce.com
- I know cloud security
Security leadership roles at Heroku/salesforce.com, TiVo, and Walt Disney
- I feel your pain
Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS
- I know more acronyms than you :P
CISSP, CISA, MBA, and some other stuff like that
- I have more acronyms than you :(

Defining "cloud"
IaaS - Infrastructure as a service
- EC2, Rackspace
PaaS - Platform as a service
- Heroku
SaaS - Software as a service
- salesforce.com, box, workday
Combining Service Types
- AWS EC2 + AWS SQS + Heroku Postgres + Rackspace

Areas of risk
IaaS
- Physical
- Personnel
- Internal operations/InfoSec
PaaS
- Platform (OS, services, configurations)
SaaS
- Web application security

We must think differently
Not all vendors are the same
- One-size-fits-all checklists are dead; don't be that guy
Rationalize the risks
- If the service is not interacting with cardholder data, don't demand that it be PCI compliant. Focus on the risks present.
Accept transfer of responsibilities
- You're not going to manage the security of the vendor; be thankful for less work. Stop being a control freak.
Innovate, adapt, and improve
- Focus on the real risks and what you can do to ensure protections, and move to continuous assessment, not checklist auditing

Step 1: Know thy self
Develop a security baseline
- You do have a data classification and handling guide, right? Define your critical assets, define controls, and build a minimum baseline for vendors (intent, not implementation)
Understand the types of services
- How can you know the risks if you don't know what it does?
What concerns us about each service?
- Determine the potential risk based on the service and develop assessments against the relevant guideline
Accept transfer of responsibilities
- You're not going to manage the security of the vendor; be thankful for less work. Stop being a control freak.

Step 2: Start Dating
Work with the provider
- Ask them about their security and see what they provide; maybe that'll be enough, or maybe you'll think of new things
Tailor your assessment
- Tailor your approach to the type of service, how your org will use it, and the risks present
Don't expect everything for $8/month
- Enough said.
Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation

Step 3: Use Protection
Encryption = data condom
- Really concerned about the data? Wrap it up!
Audit
- Backhaul logs, monitor, alert, and react
Continuous Audit
- Use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever
Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation
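What "continuous audit via vendor APIs" looks like in practice, as an added example that is not part of the talk: pull the tenant's current state from the provider's API, compare it against the minimum baseline defined in Step 1, and turn every deviation into a finding that can be alerted on. The vendor API is simulated here; fetch_snapshot returns a constructed dict in an assumed shape (settings, users, api_keys), and the baseline values are assumptions standing in for whatever your own data-handling guide requires. Real providers expose different fields, but the loop (pull, compare to intent, alert) is the same.

```python
"""Continuous audit of a cloud vendor tenant against a minimum baseline (example code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# The baseline states intent, not implementation. Values are assumptions for this example.
BASELINE = {
    "mfa_required_for_all_users": True,
    "approved_admins": {"alice@example.com"},
    "public_sharing_allowed": False,
    "encryption_at_rest": True,
    "max_api_key_age_days": 90,
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    check: str     # which baseline item was violated
    detail: str


def fetch_snapshot() -> dict:
    """Stand-in for a call to the vendor's tenant-settings API (constructed data, assumed shape)."""
    return {
        "settings": {"public_sharing": True, "encryption_at_rest": True},
        "users": [
            {"email": "alice@example.com", "role": "admin", "mfa": True},
            {"email": "bob@example.com", "role": "admin", "mfa": False},
            {"email": "carol@example.com", "role": "user", "mfa": True},
        ],
        "api_keys": [
            {"id": "key-1", "created": "2013-01-05"},
            {"id": "key-2", "created": "2013-05-20"},
        ],
    }


def audit(snapshot: dict, baseline: dict, today: date) -> list[Finding]:
    """Compare one API snapshot against the baseline and return every deviation."""
    findings: list[Finding] = []
    settings = snapshot["settings"]

    # Tenant-wide settings: sharing posture and encryption at rest.
    if not baseline["public_sharing_allowed"] and settings.get("public_sharing"):
        findings.append(Finding("high", "public_sharing", "tenant allows public sharing"))
    if baseline["encryption_at_rest"] and not settings.get("encryption_at_rest"):
        findings.append(Finding("high", "encryption_at_rest", "encryption at rest is disabled"))

    # Users and permissions: MFA coverage and who actually holds admin.
    for user in snapshot["users"]:
        if baseline["mfa_required_for_all_users"] and not user["mfa"]:
            sev = "high" if user["role"] == "admin" else "medium"
            findings.append(Finding(sev, "mfa", f"{user['email']} has no MFA"))
        if user["role"] == "admin" and user["email"] not in baseline["approved_admins"]:
            findings.append(Finding("high", "admin", f"{user['email']} is an unapproved admin"))

    # Credentials: keys older than the rotation window.
    for key in snapshot["api_keys"]:
        age_days = (today - date.fromisoformat(key["created"])).days
        if age_days > baseline["max_api_key_age_days"]:
            findings.append(Finding("medium", "api_key_age", f"{key['id']} is {age_days} days old"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity; a scheduler would alert when 'high' is non-zero."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def run_audit(today: date | None = None) -> list[Finding]:
    """One audit cycle: fetch current state, compare to baseline. Run this on a schedule."""
    return audit(fetch_snapshot(), BASELINE, today or date.today())


if __name__ == "__main__":
    for finding in run_audit(date(2013, 6, 1)):
        print(f"[{finding.severity}] {finding.check}: {finding.detail}")
```

Each finding names the baseline item it violates, so a failed check maps back to intent rather than to a vendor-specific knob; when a provider changes its API or settings model, only fetch_snapshot and the field names in audit change, and the baseline survives.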

Where to look?
Is customer data co-mingled?
Does the vendor perform security assessments?
- Always ask about scope and status of remediation
- What kind and frequency
Encryption
- Data storage, external and internal transmission, queueing systems, backups, and 3rd-party services used by the vendor
- How are keys protected? Same key for all data/customers?
Architecture
- Architecture review: determine what has access to your assets, including 3rd-party services
- If a SQLi vulnerability is exploited, is your data at risk?

Working with providers
- Know every provider is different
- Accept responsibility for risk management
- Understand what's in place; make decisions based on risk
- Use vendors based on acceptable risk levels
- Help vendors achieve more; let them learn from you

Adam Ely Managing Security in The Cloud