Securing The Clouds with The Standard Best Practices
Chinatu Uzuegbu
CISSP, CCISO, CISM, CISA, CEH, ….
Managing Cyber Security Consultant
RoseTech CyberCrime Solutions Ltd.
Chinatu Uzuegbu
Managing Cyber Security Consultant, RoseTech CyberCrime Solutions Limited
https://www.linkedin.com/in/chinatu-uzuegbu-67593119/
https://de.slideshare.net/Chinatu

❖ Content Contributor.
❖ Security Congress Event Advisory Committee.
❖ Chapters Advisory Committee (CAC).
❖ Blogger.
❖ Authorized Instructor.
❖ Founding Past President, Nigeria Chapter.

Volunteering
❖ VigiTrust Chartered Advisory Board.
❖ Global Speaker, Mentor, Volunteer and Delegate.
❖ Over 20 years' wealth of experience as an IT/Cyber Security Professional.

Professional
❖ CISSP, CCISO, CISM, CISA, CEH, Others.
❖ Top 50 Women in Cyber Security, Africa, 2020.

Educational
❖ Honorary Doctorate, London Graduate School.
❖ MSc. Information Systems Management, University of Liverpool.
❖ BSc. Computer Science/Maths, University of Port Harcourt.
❖ Global Conference Speaker.
❖ Global Ambassador.
❖ Mentor.
The Cloud in The New Normal
● 94% of enterprises use cloud services.
● 67% of enterprise infrastructure is now cloud-based.
● 92% of businesses have a multi-cloud strategy in place or in the works.
● The global cloud computing industry has a market size of $480.04 billion, as of 2022.
● The U.S. public cloud market is projected to reach $206.1 billion by the end of 2022.
https://www.zippia.com/advice/cloud-adoption-statistics/
● The Concept of Cloud Computing.
● The Cloud Computing Reference Architecture.
● Business Motivations for Adopting The Cloud Tech.
● Characteristics of The Authentic Cloud.
● Regulations and Frameworks for an Authentic Cloud Service Provider.
● The Cloud Service Model of Your Choice.
● The Cloud Deployment Model of Your Choice.
● Securing The Cloud with The Standard Best Practices and Frameworks.
● Conclusion.

Securing The Cloud with The Standard Best Practices is Our Obligation!
The Concept of Cloud Computing (NIST 800-145)
Cloud Computing:
● Minimal Management Effort or Service Provider Interaction.
● Ubiquitous, convenient Broad Band Network Access.
● Rapidly Provisioned and Released.
● Shared Pool of Configurable Resources (Networks, Servers, Storage, Applications, Databases, Repositories, Platforms, Services and others).
The Cloud Computing Reference Architecture (CCRA):
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf

Cloud Service Entities (Entity: Description. Alias):
● Cloud Service Provider (CSP): Provisioning and processing the Cloud resources for customers. Alias: Data Processor.
● Cloud Service Customer (CSC): Opt-in Cloud Service Subscriber consuming the services offered by the Cloud Provider. Alias: Data Controller/Data Owner.
● Cloud Service Broker (CASB): The middleman offering a catalogue of Cloud Services from Cloud Providers to Customers. Alias: Identity Provider, Intermediary.
● Cloud Auditor (CA): Overseeing the cloud processes to assure compliance, with the necessary attestations (TPA) in mind. Alias: Auditor, Third Party Attester (TPA).
● Others: Cloud Business Mgr, Cloud Service Integrator, Cloud Service Admin, Inter-Cloud Provider, others.
Business Motivators for Adopting The Cloud Tech
● Speed: Rapid Provisioning and seamless Operations.
● Scalability: Agility with less Administrative Bottle-necks.
● Cost: Reduced cost of Capital and Operating Expenses.

❖ Outline the Key Business processes.
❖ Align the Pointers and critical paths with a workable Business Case and Cost Benefit Analysis.
❖ Involve the Asset or Process Owner and your Security Steering Committee.
Attributes of an Authentic Cloud Service Provider
The Authentic Cloud:
● Broad Band Network Access
● Rapid Elasticity
● CSA STAR
● CSA CAIQ
Regulations and Frameworks for an Authentic Cloud Service Provider
1. NIST 800-145 (Cloud Computing): https://csrc.nist.gov/publications/detail/sp/800-145/final
2. Cloud Computing Reference Architecture: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf ; https://aistandardshub.org/ai-standards/information-technology-cloud-computing-vocabulary/
3. Cloud Security Alliance Consensus Assessments Initiative Questionnaire and Cloud Control Model: https://cloudsecurityalliance.org/research/cloud-controls-matrix/ ; https://cloudsecurityalliance.org/blog/2020/10/16/what-is-the-cloud-controls-matrix-ccm/
4. CSA STAR (Security, Trust, and Assurance Registry) Levels (Self-Assessment, Certifications, Continuous Monitoring): https://cloudsecurityalliance.org/star/registry/
5. Statement on Standards for Attestation Engagements (SSAE 18; SOC 2 & SOC 3): https://ssae-16.com/ssae-16/the-ssae-18-audit-standard/ ; https://kfinancial.com/what-you-need-to-know-about-ssae-18-reports/
6. ISO 31000 on Risk Management: https://www.iso.org/iso-31000-risk-management.html
7. ENISA (Cloud Risk Frameworks), European Union Agency for Cyber Security: https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security/enisa-cloud-computing-risk-assessment. ; https://www.clubcloudcomputing.com/top-8-cloud-security-risks-according-enisa/
8. ISO 27018 - Cloud Data Privacy: https://www.itgovernance.co.uk/iso-27017-and-iso-27018
9. Privacy Regulations on PII: GDPR, HIPAA, GLBA, PIPEDA, NDPR, PCI-DSS and others
10. FIPS-140 (Cryptographic Modules): https://csrc.nist.gov/publications/detail/fips/140/2/final
11. ISO 28000 - Supply Chain Security Management: https://www.scribd.com/document/441398920/ISO-28000-pdf
12. ISO 27001:2022 - Security and Compliance: https://www.scribd.com/document/561930847/Main-Changes-in-ISO-27001-2022
The Cloud Service Models

Infrastructure As a Service (IaaS)
Description: CPU, RAM, Networks, Storage, Memory, Servers, Others.
Advantages:
• Reduced cost of Asset Ownership, premises location, IT personnel and others.
• Pay As You Go.
• FIPS-140 HSM Cryptographic Module.
• Customer has the highest level of control around Patching, Operating Systems, Applications and Data.
Disadvantages:
• Loss of total control around the physical environment and Data Center, hardware, networks and other infrastructure.
• Manual Scaling.
Potential Customer: IT Operations.

Platform As a Service (PaaS)
Description: IaaS plus the host, Operating System (OS), Runtime Engines, Dev. environments, Programming Languages, Databases, Others.
Advantages:
• As IaaS, but the Customer has control only around the development environment, the applications running on it and the data being processed.
• Auto-Scaling.
• Seamless BCDR.
Disadvantages:
• Those of IaaS, plus the challenge of Vendor Lock-in/Lock-out.
Potential Customer: Software Developer, Database Administrator.

Software As a Service (SaaS)
Description: IaaS + PaaS plus Applications.
Advantages:
• As IaaS + PaaS, but the Customer has control only around the Data and the Software licensing of the Applications processing the customer's data.
Disadvantages:
• Those of IaaS + PaaS, plus issues with Data disposal and destruction.
Potential Customer: Data Analyst, Data Processor.
The Cloud Service Models Cont'd
Chart of responsibilities: each layer below is assigned to either the Customer or the Provider under On-Premise, IaaS, PaaS and SaaS.
Layers: Data, Applications, Operating System, Runtime, Middleware, Virtualization, Servers, Storage, Networking, Physical Activity.
Legend: Customer / Provider.
The Cloud Deployment Model of Your Choice

Private
Description: Dedicated to the Customer and in some cases deployed on the premises of the customer.
Advantages:
• Focused Control.
• Mostly for top secret and highly regulated Subscribers.
Disadvantages:
• Quite Expensive to deploy.
• Accessing Data remotely could be difficult.
Customer: Regulatory Bodies; Top Governing Bodies; Military and other Forces.

Public
Description: Publicly available to anyone that subscribes. It is also required for seamless BCDR, Test environments, file sharing and others.
Advantages:
• Quite cheap and affordable.
• High availability of the data center pool of resources.
• Virtualization, Agility for customers.
• On-demand provisioning, Outsourcing of enterprise IT infrastructure.
• BCDR.
Disadvantages:
• Minimal control of Customers' resources.
• Subject to threats of Spoofing, Data Tampering, Repudiation, Information Disclosure, Denial of Service and Escalation of Privilege.
Customer: Dropbox, Gmail, iCloud, Google Drive, OneNote, Yahoo, Facebook, OneDrive; Application Development, Application Testing, File sharing, Email.

Hybrid
Description: A mix of deployment models, mostly Private + Public Clouds or On Premise + Public Cloud. Usually applied during bursts of sales for outsourcing Rapid Elasticity to the Public Cloud.
Advantages:
• A good economical fix for periodic high-demand sales where another deployment Model is required to add to the existing model or on-premise setup.
Disadvantages:
• Issues of Inter-operability due to complicated technology.
Customer: Jumia + AWS; On Premise Production + Public Cloud Deployment; Others.

Community
Description: Mostly applied for subscribers with a common goal, for example an Alumni Class of a University or a forum of all Cloud Security Pros.
Advantages:
• Focused control.
• Shared Computing Resources.
• Multiple Organizations.
Disadvantages:
• Identity Management and Authentication Issues.
Customer: Communities with a shared goal; Whatsapp groups; Federated Identities.
Summary of Cloud Deployment Models
● Public: Supports All Users; Software & Hardware testing; Subscription; App Dev & Testing; File Sharing.
● Private: Single Org.; Managed internally or by service provider; More Expensive; Tighter Security; Better Privacy.
● Hybrid: Interconnected Infrastructure; Enterprise, Private and Public Cloud; Can scale rapidly; Cloud Bursting; Peak sales.
● Community: Shared Resources; Multiple Orgs.; Community of Works; Example: Universities, Cloud Security Association.
Securing The Cloud with The Standard Best Practices
Security domains: Infrastructure Security, Host Security, Applications Security, Data Security, Operations Security.

• Virtualization, Hypervisor, Virtual Machines, Virtual Instance, Multiple Jurisdictions, Hardware Security Module, Volume & Object Storage, Computing, Networking, Memory, Application Programming Interface (API).
• Portability, Inter-Operability, Reversibility, Recoverability.
• Data Encryption, Data Loss Prevention, Data Disposal, Data Rights Mgt., Info Rights Mgt., Intellectual Properties, E-discovery, Forensics.
• Software Testing, Penetration Testing, Dynamic Testing, Static App Testing, Databases.
• Uptime Institute, Cabling, Fire Protection, Business Continuity, Disaster Recovery.
• Configuration Mgt., Incident Mgt., Change Mgt., Problem Mgt., Integrations, Automations, Patch Mgt., Deployment Mgt., Release Mgt., VM Maintenance, Back-ups.
• Confidentiality, Process Integrity, Availability, Privacy, Security, Safety, Authenticity, Resiliency, Redundancy.
• Supply Chain Security, Multi-layered Security.
• Laws, Ethical & Legal Proceedings, Contract terms, Service Level Agreement, Due Diligence, Due Care, Multiple Jurisdictions, Data Protection Regulation, Privacy Regulations (ISO 27018), others.
• Holistic Security - ISO 27001, Cloud Control Matrix, ENISA, CSA CAIQ, CSA STAR, SOC 2, SOC 3, Third Party Attestations, ISO 31000 - Risk Mgt.
Conclusion
To Secure The Clouds with The Standard Best Practices:
❖ Due Diligence and Due Care right from the decision-making and planning stage.
❖ What Cloud Computing entails as stated in NIST 800-145 and CCRA (please review the slides and download the frameworks).
❖ Collaborate with the Security Steering Committee/Key Players to ascertain the Business Drivers with the desired Cost Benefit Analysis.
❖ The Characteristics that attest to an Authentic Cloud Provider: refer to the Cloud Security Alliance CAIQ, STAR, SSAE SOC 2 and SOC 3, and other frameworks.
❖ Hire a reliable Third Party Auditor for the CSP's Attestations and Certifications.
❖ Work with Frameworks, Privacy Regulations, Contractual Regulations, Data Protection Regulations and other Regulatory Requirements.
❖ Clarify Issues of Multiple Jurisdictions, especially on the location where the Cloud Service is hosted.
❖ The Threats and Risks around each Cloud Service and Deployment Model.
❖ The Security Measures to apply around each Model.
❖ The Objective is to assure an acceptable level of Confidentiality, Integrity, Availability, Privacy, Authenticity, Resiliency and Security around the Cloud Technology.
❖ The Customer is the Data Owner and is accountable/liable for any kind of Data Loss.
❖ The Contract and Service Level Agreement must be explicit.
❖ PAY ATTENTION TO DUE DILIGENCE and DUE CARE.
Thank You!
Chinatu Uzuegbu
CISSP, CCISO, CISM, CISA, CEH, ….
Managing Cyber Security Consultant
RoseTech Cybercrime Solutions Limited
chinatuuzuegbu@outlook.com
https://www.linkedin.com/in/chinatu-uzuegbu-67593119/
https://de.slideshare.net/Chinatu
