# Launching a Highly-regulated Startup in the Cloud

Poornaprajna Udupi (@poornaudupi)

SANS Cloud Security Summit 2017
## Starting in the Cloud

86% by 2020 ¶

¶ Cisco Global Cloud Index: Forecast and Methodology, 2015–2020
## Building blocks, Cost, Scalability

- Compute
- Networking
- Storage
- Database
- Monitoring
- Alarm
- Deployments
- Key Management
- Access Control
- Machine Learning
- Data Pipeline
- Search
- IoT
- Gaming
- User Management
- Notifications
- Device Farm
## Lean, Agile, Scrappy Disruptor

Experiment → Iterate → MVP → Growth
## Security Questionnaire
## Heard on the field ...

- "We use HTTPS"
- "We use AWS"
- Compliance Report: "Here is AWS SOC2 report"
- Incident Management: "Never happened so far, yet to experience a security incident"
- Disaster Recovery: "99.95% uptime - from EC2 SLA, Enterprise-grade SLA"
- Vulnerability Management: "We use Sophos Anti Virus"
- Risk Assessment: "Free Qualys Scan Report"
- "Military-grade encryption"
## Coming of Age

- Security whitepaper
- Self Assessment
- Client Assessment
## Compliance
## Security, Standardized Assessments, Compliance, Guidelines

- Security
- Standardized Assessments
- Compliance
- Guidelines
## Security, Compliance, Guidelines ¶

- Security
- Compliance
- Guidelines

¶ http://smartfaststartup.com/2011/09/20/how-to-become-a-must-have/
## Environments

- Production
- Development
- Staging
- Marketing
- Sales
- Corporate
## Data Protection

| Area | Practices | Services and tools |
|---|---|---|
| Encryption | Storage; application (multi-tenant) | Amazon KMS, Azure Key Vault; Confidant (by Lyft) |
| Data Classification | Scope; sensitivity | AWS Tags |
| Data Loss Prevention | Alerts; monitoring | AWS CloudWatch, Google Compute StackDriver Monitoring |
| Backup & Recovery | Periodic snapshots; periodic backups; server snapshots | AWS RDS, AWS AMI snapshots, Azure SQL Database ¶ |

¶ https://azure.microsoft.com/en-us/services/sql-database/
## Network Access

| Area | Practices | Services and tools |
|---|---|---|
| Segregation | Based on data classification | AWS Virtual Private Cloud, Azure Virtual Network |
| Application Access | Allow port 443 only | AWS Security Groups, AWS Certificate Manager, Azure Network Security Groups, AWS Web Application Firewall |
| Microservice Access | Subnets; NAT Gateway; Security Groups; role-based access | |
| Employee Access | Virtual Private Network (VPN) tunnel only; SSH required; WiFi and network requirements | |
## Endpoints

Mobile Device Management

- Installed applications
- Accessible data
- Disk encryption, firewall
- Best practices (screen lock, password)
- JAMF Cloud for Apple Macs, iPhones and iPads; Microsoft Intune for PCs and Windows mobile; Google MDM for Android devices

Antivirus, anti-malware

Removable Media

- Forbid.
- By exception.
- Allow auditable transmission of data only.
## Access Control

Minimum Necessary, Least Privilege

- Administrators
- Cross-account access
- Role-based access
- Groups

AWS Security Policies, AWS Identity and Access Management (IAM), Azure Active Directory, Google Cloud IAM

Bless (by Netflix)
## Audit, Logging & Monitoring

System activities (create, read, update, delete) and admin activities across:

- Application
- Servers
- Database
- Network

Report, monitor and audit periodically.

AWS CloudTrail, AWS CloudWatch, AWS VPC Flow Logs, Azure Application Insights, Azure Operational Insights, Google StackDriver Monitoring

Security Monkey (by Netflix), ElastAlert (by Yelp), ElasticSearch (by Elastic)
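The slide asks for two things from the audit trail: a CRUD view of system activity and separate attention to admin activity. The following is an added example, not code from the talk, showing how both fall out of CloudTrail-style records: each event is bucketed into create/read/update/delete by its `eventName` verb, and events that touch IAM, the trail itself, the root account, or a console login without MFA (the multi-factor requirement from the best-practices slide) are pulled out for review. The sample events are constructed and only mimic CloudTrail's JSON field names.

```python
"""Classify CloudTrail-style events into create/read/update/delete and flag
admin activity for periodic review.

Added example, not code from the talk. SAMPLE_EVENTS are constructed
records that only mimic CloudTrail's field names (eventSource, eventName,
userIdentity, additionalEventData.MFAUsed).
"""

import json
from collections import Counter

# Constructed sample records, one JSON document per line as a log shipper would deliver them.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2017-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.8.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "10.8.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-05-01T11:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2017-05-01T12:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "10.8.2.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/backup/cron"}},
]]

# API verbs grouped into the CRUD buckets the slide asks for.
CRUD_PREFIXES = {
    "create": ("Create", "Run", "Register", "Allocate"),
    "read": ("Describe", "Get", "List", "Lookup", "Head"),
    "update": ("Update", "Modify", "Put", "Attach", "Add", "Authorize",
               "Start", "Stop", "Set", "Enable", "Disable"),
    "delete": ("Delete", "Detach", "Remove", "Terminate", "Revoke", "Release", "Deregister"),
}

# Changes to the trail itself must never go unreviewed.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def classify(event_name):
    """Map an API event name to create/read/update/delete, or 'other'."""
    for operation, prefixes in CRUD_PREFIXES.items():
        if event_name.startswith(prefixes):
            return operation
    return "other"


def admin_reasons(event):
    """Return the reasons an event counts as admin activity (empty if none)."""
    reasons = []
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        reasons.append("root account used")
    if event["eventSource"] == "iam.amazonaws.com" and classify(event["eventName"]) != "read":
        reasons.append("IAM change")
    if event["eventSource"] == "cloudtrail.amazonaws.com" and event["eventName"] in TRAIL_TAMPER_EVENTS:
        reasons.append("audit trail tampering")
    if event["eventName"] == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        reasons.append("console login without MFA")
    return reasons


def review(lines):
    """Return (CRUD counts, list of admin findings) for a batch of JSON event lines."""
    counts = Counter()
    findings = []
    for line in lines:
        event = json.loads(line)
        counts[classify(event["eventName"])] += 1
        reasons = admin_reasons(event)
        if reasons:
            identity = event.get("userIdentity", {})
            findings.append({
                "time": event["eventTime"],
                "event": event["eventName"],
                "actor": identity.get("userName") or identity.get("arn") or identity.get("type", "unknown"),
                "source_ip": event.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return counts, findings


if __name__ == "__main__":
    counts, findings = review(SAMPLE_EVENTS)
    print("activity by operation:", dict(counts))
    for finding in findings:
        print(f"{finding['time']} {finding['actor']} {finding['event']}: {', '.join(finding['reasons'])}")
```

The CRUD report is what you hand to an auditor to show activity is being recorded for every tier; the findings list is what the periodic review actually reads, and in a tool such as ElastAlert each `admin_reasons` branch would become its own alert rule.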
## Configure for best practices

Password Management

- Single Sign On
- Multi-factor
- Strength
- Reuse
- AWS IAM, Google Cloud IAM, Azure Active Directory

Managed updates

- Vulnerability management
- Patching level
- Time
- Red/black
- AWS Elastic Beanstalk, Azure Cloud Services, Azure Websites and Apps, Google App Engine

Real-time guidance on security, performance, cost, fault tolerance

- AWS Trusted Advisor, AWS Config
- Security Monkey (by Netflix), DbDat (by foospidy)
## Organizational Maturity

Vulnerability Management

- Up-to-date inventory of assets: servers, workstations, portable devices, software
- Up to date with vendor software
- Handling zero-day vulnerabilities
- AWS Config, JAMF, Google MDM, Microsoft Intune

Physical and Environmental Security

- Lean on the clouds
- No local data storage & processing
- Visitor logs and system changes
- Network access requirements

Third-Party Risk Assessment

- Contractual guarantees
- Transfer compliance requirements
- Minimum required data sets, access
- Monitor SLAs

Incident Response

- Up-to-date procedures for handling incidents
- Organizational structure for handlers and communicators
## Organizational Maturity (continued)

Risk Management

- Know the risks and manage them
- Likelihood and impact analysis
- Outsourcing (e.g. Business Associate Agreement)

Secure SDLC

- Secure coding practices
- Code reviews, OWASP Top 10
- Issue tracking, change management
- findbugs, find-sec-bugs

Disaster Recovery & Business Continuity

- Up-to-date procedure to start from scratch
- Organizational structure for handlers
- Recovery Time Objective
- Recovery Point Objective

Education, Training and Awareness

- US-CERT
- SANS Newsletters
- Training: Cybrary, Coursera, Udemy