B4 Optimizing Security Spend and Maximizing Risk Reduction with CSA Tools


Post on 25-Apr-2020


TRANSCRIPT

  • B4 OPTIMIZING SECURITY SPEND

    AND MAXIMIZING RISK REDUCTION

    WITH CSA TOOLS

    Jon-Michael Brook, CISSP, CCSK

    Randall Brooks, CISSP, CCSK

    @jonmichaelbrook @randallsbrooks

    Copyright © 2018 Guide Holdings

  • A brief cloud history and architectural components

    • Using the CAIQ and/or STARWatch in an assessment process

    • Using the STAR and 3rd party ratings in vetting your supply chain

    exposure

    • Compliance cross-mapping and automation

    • Automated assessment tools for AWS, Azure & Google Cloud

    • Compare business spending

    • Other bonus information on Top Threats

    LEARNING OBJECTIVES


  • WHAT ENABLED THE CLOUD?


    Pre-cloud: Early Virtualization

    • 2001 - VMware created the first x86 server virtualization product

    • 2003 - Release of first open-source x86 hypervisor, Xen

    • Microsoft releases Microsoft Virtual PC

    • 2005 - VMware Player, a free player for virtual machines

    Hardware Support: 2005/2006 - Intel VT-x and AMD-V introduce (initially limited) hardware virtualization support

    • 2006 - Amazon Elastic Compute Cloud (EC2) Beta


    Post AWS: More Choices

    • 2008 - Eucalyptus open-source Elastic Computing service

    • 2010 - Rackspace teams up with NASA to release OpenStack

    More Segmentation: 2013 - Docker released as open source; initially built on Linux Containers (LXC), it runs Linux processes in isolation

    • 2013 - VMware introduces vCloud Hybrid Service (vCHS)

    • 2014 - Software Defined Perimeter (SDP)

    • 2015 - AWS Lambda (announced November 2014, generally available 2015)

    • 2015 - Kubernetes 1.0

  • Technologies

    • PaaS, IaaS, SaaS, Flat Network, VPN

    Reliance on enterprise backhaul

    • Cloud-native technology lags for required services (e.g. DLP)

    • Identity and Access Management - Active Directory

    Trusted Insider – biggest concern

    • 16 domains/133 controls in CSA Cloud Controls Matrix

    • ISO27001: 14 groups/114 controls

    • SANS Critical Controls/PCI/FedRAMP/PIPEDA

    • Applications/Information/Management/Network

    • Risks Type (Operational/Compliance/Strategic/Market)

    ARCHITECTURAL COMPONENTS


    Evaluation describes necessary mitigations categorically

  • INTRODUCTION TO THE CLOUD SECURITY ALLIANCE (CSA)

    “The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to

    defining and raising awareness of best practices to help ensure a secure cloud computing

    environment.”

    • Cloud Controls Matrix (CCM)

    • Consensus Assessments Initiative Questionnaire (CAIQ)

    • CloudAudit

    • Cloud Trust Protocol (CTP)


    https://cloudsecurityalliance.org


  • Strategic drivers

    • What is the root justification for a

    move to the cloud?

    • What could/shouldn’t be moved?

    • Are security concerns keeping you

    from migrating to the cloud?

    • Where are the serious risks within

    your cloud strategy?

    PURPOSE

    • How do you prepare your team

    for the migration?

    • What steps are necessary for

    success?

    • How do you instill best practices

    and uncover institutional

    deficiencies that will impact the

    project?

    Ease your journey to the cloud. Understand the impact of adoption on your current IT infrastructure, policies & processes. Compare options of services with the necessity and efficacy of mitigations.


  • Security Concerns Impacting

    Migration

    • Identify migration security concerns

    • Review or develop cloud strategy

    • Generate success requirements

    • Compare your organizational needs

    with cloud expectations

    • Perform a risk assessment and

    discuss risk tolerances

    METHODOLOGY - SURVEY

    • Review, validate or create

    institutional policies for cloud

    appropriateness

    • Review or develop a data

    classification methodology and

    protection capabilities

    • Provide your team cloud baseline

    understanding through group

    training

    • Provide best practices and find

    institutional deficiencies

    Transformative advisory or co-development services for your move through the stages of cloud deployment. As you prepare for your cloud journey, we’ll help you address the pre-migration security details.


  • Getting Your Cloud Project Off the

    Ground

    • Evaluate/recommend security tools

    for cloud capabilities

    • Document areas of concern by

    security domain, business segment

    or internal processes

    • Identify, catalog and architect risk

    mitigations

    METHODOLOGY - PREPARE


    • Compare organizational performance

    against similarly sized companies, by

    industry verticals or by compliance

    obligations

    • Design, review and integrate third party

    cloud vendor assessment

    methodologies

    • Develop a deployment roadmap

    Resiliency, speed and cost are common benefits of cloud adoption. Not accounting for cloud-native designs and security patterns will destroy most of those advantages, and these oversights may leave an organization open to security and compliance risks.

  • How and When for the Initial

    Move

    • Schedule timelines and a project

    plan

    • Identify and catalog top transition

    candidate applications

    • Design and Integrate cloud into

    existing processes

    • Identify and architect necessary

    security patterns

    METHODOLOGY - EXECUTE


    • Implement and test a sandboxed

    pilot demo with sample data

    • Migrate and test in the production

    environment

    • Document the lessons learned

    Identify an initial application candidate and recommend a deployment methodology. Institutionalize the process with the identified stakeholders, decision makers and reviewers. Know where and how organizational structure impacts capability integration. We’ll identify the quick win with the expectation that additional migrations will be justified.

  • Industry Standard CSA information

    • Cloud Controls Matrix (CCM) evaluations

    • CAIQ – Questionnaire for CCM

    • STAR – Repository of CAIQ responses

    • Varying levels of reporting/auditing

    CAIQ/STAR as foundation of rating

    • 298 Q’s allows wider distribution

    • Non-STAR needs confidence incorporation

    Methodology: Quantitative vs. Qualitative

    • Consistency from submission to submission

    • Automated Executive/Change Control Board Dashboarding

    COMPARISONS AND RATINGS FOR TOOLS


  • TOOLS - REPEATABLE RISK CALCULATIONS


    RISK = LIKELIHOOD x IMPACT; QUALITATIVE vs. QUANTITATIVE

  • CONSENSUS ASSESSMENT INITIATIVE

    CAIQ provides consistent assessment questionnaire across vendors


  • CAIQ answers are constrained to Y/N/NA; justifications typically live in the notes column

    Validation through automation flags:

    • No answer, two answers, no justification

    Confidence increases with public access:

    • STAR entry and audit level

    • Justification length, verbs, links

    Answer correlation/congruence testing

    CSA Assessor’s Grid – 1-16

    CONFIDENCE OVERVIEW

    Example CAIQ with selected answers

    CMMI-style maturity ratings speak to care, maturity and repeatability


  • STAR WATCH

    https://star.watch/en/

    STAR watch portal allows CCM/CAIQ assessment from a browser


  • STAR Watch portal allows CAIQ

    assessment from a browser

    Features include question

    assignments and maturity ratings

    STAR WATCH ASSESSMENT

    https://star.watch/en/assessment/


  • Toggle Mappings

    Mappings from the CCM against

    the CAIQ

    • Enterprise Architecture

    • COBIT

    • PCI

    • EU DPD

    • Etc…

    INDUSTRY STANDARD MAPPINGS

    Standards mappings within the STAR Watch portal


  • Single Focus (Domains)

    • Rudimentary

    • Assessment Phase 1

    DOMAIN DEFICIENCY SCORING

    Initial Domain Dashboard


    DOMAIN DEFICIENCY SCORING

    [Chart: domain deficiency scores per CCM domain; x-axis labels AIS AAC BCR CCM DSI DCS EKM GRM HRM IAM IVS IPY MOS SEF STF TVM, of which only the rotated full names Application & Interface Security and Audit Assurance & Compliance survive extraction]
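The CONFIDENCE OVERVIEW and DOMAIN DEFICIENCY SCORING slides describe an automated pass over CAIQ responses: flag rows with no answer, two answers or no justification, weight confidence by STAR level and by the length, verbs and links in the justification, then roll deficiencies up per CCM domain. The following is an added worked example of that pass; it is not CSA's, STAR Watch's or the presenters' code. It assumes a CAIQ export as CSV with columns question_id (a CCM control ID such as AIS-01.1, whose prefix is the domain), answer (Y/N/NA) and notes; the scoring weights, the action-verb list and the sample rows are all illustrative assumptions, not a CSA standard.

```python
"""Automated CAIQ response checks: validation, confidence scoring and
per-domain deficiency scoring.

Added worked example; not CSA's, STAR Watch's or the presenters' code.
Assumptions: a CAIQ export as CSV with columns question_id (CCM control ID such
as "AIS-01.1", whose prefix is the domain), answer (Y/N/NA) and notes; the
confidence weights and action-verb list are illustrative, not a CSA standard.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows (not a real provider's submission). They deliberately
# include each defect class the deck names: no answer, two answers, no
# justification, plus one answer that contradicts its own justification.
SAMPLE_CAIQ_CSV = """question_id,answer,notes
AIS-01.1,Y,"Applications follow OWASP ASVS; reviews enforced in CI. See https://example.invalid/sdlc"
AIS-01.2,N,"Customer-facing API documentation is not published."
AIS-02.1,,"Secure coding training is delivered annually."
AAC-01.1,Y N,"Independent audits are performed by an external assessor each year."
AAC-02.1,Y,
IAM-02.1,Y,"We do not currently enforce MFA for administrative access."
IAM-04.1,NA,"Provider does not operate customer identity stores; see https://example.invalid/iam"
"""

ANSWER_TOKEN = re.compile(r"\b(?:NA|Y|N)\b")
NEGATION = re.compile(r"\b(?:not|never|no)\b", re.IGNORECASE)
LINK = re.compile(r"https?://\S+")
# Assumed verb list: wording that points at a concrete control rather than a vague claim.
ACTION_VERBS = ("enforce", "implement", "encrypt", "audit", "monitor",
                "review", "test", "log", "restrict")


def parse_caiq(text):
    """Parse a CAIQ-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def answer_tokens(answer):
    """Y/N/NA tokens found in the answer cell ('Y N' yields two, '' yields none)."""
    cleaned = (answer or "").upper().replace("N/A", "NA")
    return ANSWER_TOKEN.findall(cleaned)


def validate_row(row):
    """Defects the deck lists for automated validation, plus a congruence check."""
    defects = []
    tokens = answer_tokens(row.get("answer"))
    notes = (row.get("notes") or "").strip()
    if not tokens:
        defects.append("no_answer")
    elif len(tokens) > 1:
        defects.append("two_answers")
    if not notes:
        defects.append("no_justification")
    # Congruence: a "Y" justified by a negated statement ("we do not ...") is suspect.
    if tokens == ["Y"] and NEGATION.search(notes):
        defects.append("incongruent")
    return defects


def confidence_score(row, star_level=0):
    """Heuristic 0-100 confidence in one response (weights are assumptions).

    star_level: 0 = not in the STAR registry, 1 = STAR self-assessment,
    2 = third-party attested/certified. Any validation defect zeroes the score.
    """
    if validate_row(row):
        return 0
    notes = row["notes"].strip()
    score = 20 * min(star_level, 2)                                      # public access / audit level
    score += 20 if len(notes) >= 60 else 10 if len(notes) >= 25 else 0  # justification length
    verbs = sum(1 for v in ACTION_VERBS if v in notes.lower())
    score += min(20, 10 * verbs)                                         # concrete verbs
    score += 20 if LINK.search(notes) else 0                             # evidence links
    return score


def domain_deficiency(rows):
    """Share of questions per CCM domain that are answered N or fail validation."""
    total = defaultdict(int)
    deficient = defaultdict(int)
    for row in rows:
        domain = row["question_id"].split("-")[0]
        total[domain] += 1
        if validate_row(row) or answer_tokens(row.get("answer")) == ["N"]:
            deficient[domain] += 1
    return {d: round(deficient[d] / total[d], 3) for d in total}


if __name__ == "__main__":
    rows = parse_caiq(SAMPLE_CAIQ_CSV)
    for row in rows:
        print(row["question_id"], validate_row(row) or "ok",
              confidence_score(row, star_level=1))
    print(domain_deficiency(rows))
```

Run it against a real STAR registry CAIQ export by pointing parse_caiq at the file contents and renaming the columns to match; the per-domain figures are what an initial domain dashboard would plot, and the per-row defects are the items to push back to the provider before their answers are trusted in a rating.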