Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World

Ben Johnson | Co-Founder & CTO
OWASP OC 2018-03-22
SEEING THROUGH THE FOG

@chicagoben | @obsidiansec
Background Check // Ben Johnson
Co-Founder and CTO, Obsidian
Co-Founder and Former CTO, Carbon Black
Former CNO/Cyber // NSA, CIA, DoD

Today’s Goal?
TO SPARK CONTEMPLATION
(and give you something to remember!)

Transformation

Digital Transformation

Race to the Cloud!
Lots of benefits of cloud adoption … we aren’t really here for that.

Observation

IT and the Cloud
“IT is the broad subject concerned with all aspects
of managing and processing information,
especially within a large organization or company.”
Cloud computing is an information technology (IT) paradigm that
enables ubiquitous access to shared pools of
configurable system resources and higher-level services that can
be rapidly provisioned with minimal management effort, often over
the Internet. Cloud computing relies on sharing of resources to
achieve coherence and economies of scale, similar to a public utility.
IT
Cloud

IT and the Cloud (Reality)
“Let’s stop managing hardware and a lot of the software”
“Let’s scale up and down as necessary”
“Let’s get access to cool new technologies more quickly”
“Uptime is [mostly] someone else’s problem”

Information Security and the Cloud
“Information security, sometimes shortened to InfoSec, is the practice
of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information. ”
Cloud computing is an information technology (IT) paradigm that
enables ubiquitous access to shared pools of
configurable system resources and higher-level services that can
be rapidly provisioned with minimal management effort, often over
the Internet. Cloud computing relies on sharing of resources to
achieve coherence and economies of scale, similar to a public utility.
InfoSec
Cloud

Information Security and the Cloud (Reality)
“IT is going from 0 to 100 in the cloud and leaving security in the dust”
- Fmr. CISO, Lending Club
“We’re blind to all these new SaaS accounts”
- Director, Cyber Intelligence, Top Athletics Brand
“We don’t know what users are doing on our AWS/Azure accounts”
- Too Many Organizations
“Hackers don’t break in, they login.”
- CISO, Cisco

Modern Times are Leaky
Booz Allen
OneLogin
The RNC
Verizon
Accenture
Dow Jones
Viacom
Deloitte
Sweden
California

Recent Headlines

Data Breaches

Data Breaches: Not Just IaaS
As of now, Deloitte cannot be "100% sure what was taken" by the hackers
https://www.ciodive.com/news/deloitte-hack-email-migration-microsoft-office-365/506946/

Breach Fatigue Anyone?
Anyone getting CLOUD breach fatigue?
If not you, do you think others are?

Causation

Confusion Over Responsibility

Providers Have Challenges
Goals are Misaligned
Focus is on availability of variety of services with a minimum layer of security built-in
Failure Can Be Easy
A simple click can share huge amounts of data publicly (e.g. S3)
Monitoring is Extra Work
Logging & monitoring often have to be enabled separately
Mo’ People, Mo’ Complexity
Identities and policies are often complex to manage (maybe an understatement?)
Sweet Spot is Elusive
Policy and control options either feel too flexible or too rigid

Customers Have Challenges
Lack of Understanding
The notion of shared responsibility and the differences in built-in security are often foreign.
Taking the Plunge
Departments race to the cloud, leaving security scrambling. (Is security slowing down adoption?)
Bending the Rules
Unsanctioned cloud use or lack of reporting to security what is in use.
New Environment, Same Security Team
Surface area is expanding, changing, and dynamic, yet security team isn’t as agile.
“Operators think that once it’s in the cloud it’s no longer their responsibility”
- Fmr. CIO of the Air Force

Current Trends Making Things Harder

IT and Security Disconnect
IT Security
Authentication
Authorization
Activity
Enablement Threat Management
DISCONNECTED
Provisioning Anomaly Detection

Obligation

Cloud Security: “Of” Versus “In”
Cloud Service Provider:
responsible for security OF the cloud
Customer:
responsible for security IN the cloud

AWS Responsibilities?

AZURE Responsibilities?

SaaS: “Of” Versus “In”
The SaaS Provider handles all aspects except
for identity and access management, client
devices controls, and data accountability.
The Customer, therefore, must understand
users, devices & data related to that service.

Office 365?
Microsoft handles the underlying infrastructure,
including patching and updating, and handles
accessibility of the service.
You are responsible for what is emailed, who
accesses the email, and how they access the
email.

AZURE Responsibilities?Hackers want this!

AWS Responsibilities?
Hackers want this!

Amelioration

OWASP TOP 10?

Awareness, Auditing, Adaptation, Automation

Awareness
๏Where are you using the cloud?
๏What “clouds” are you using?
๏Why are you using the cloud?
๏How are you using the cloud?
๏Who’s responsible for what’s in the cloud?

Auditing
๏Understand current state (IT)…assets, users, devices.
๏Understand current state (Security).
๏Understand initiatives that involve cloud.
๏Understand security capabilities related to cloud.

Adaptation
๏Put policies and checks in place for new deployments
๏Update security scans and tests to account for cloud
๏Enable tracking of all changes from current state
๏Have a process for monitoring all new accounts, assets, etc.

Automation
๏Change your processes to reduce risk!
๏Security audits should be automated.
๏Cloud Providers have APIs – write code or use integrations to
automate the collection of data, the taking of actions, the verification
of changes.
๏Avoid manual activities.

Hygiene

Triple-A!
Authentication AccountingAuthorization
Industry focus Neglected Forgotten

IT and Security: Hand-in-Hand
๏Change your processes to reduce risk!
๏Security audits should be automated.
๏Cloud Providers have APIs – write code or use
integrations to automate the collection of data,
the taking of actions, the verification of changes.
๏Avoid manual activities.
๏Where are you using the cloud?
๏What “clouds” are you using?
๏Why are you using the cloud?
๏How are you using the cloud?
๏Who’s responsible for what’s in the cloud?
๏Understand current state (IT)…assets, users, devices.
๏Understand current state (Security).
๏Understand initiatives that involve cloud.
๏Understand security capabilities related to cloud.
๏Put policies and checks in place for new deployments
๏Update security scans and tests to account for cloud
๏Enable tracking of all changes from current state
๏Have a process for monitoring all new accounts, assets,
etc.

IT and Security: Hand-in-Hand
Automate Change to Reduce Error and Risk
Understanding Surface Area
Understand Details and Processes
Update processes and policies

Journey vs. Outcomes
Security teams often focus where they
have the most autonomy; they get
comfortable in this never-ending journey
vs. driving toward new destinations.

Engineering vs. Analysis

Take-Aways
Understand where, how, and why you are using cloud.
Understand who is responsible.
Providers need to do more.
They could reduce users shooting themselves in the foot, improve default security levels, and
better show surface area.
(Please encourage them to do more!)
The rest is on you:
(Awareness, Auditing, Adaptation, Automation)!
Oh, yeah, Triple-A:
(Authentication, Authorization, Accounting)!
(and don’t forget hygiene.)

Cloud: Massive Opportunity for Unifying IT & Security
IT Security
Enablement Enablement
Provides Appropriate Tech Provides Appropriate Risk
CONNECTED?

Ben Johnson, CTO
ben@obsidiansecurity.com
THANK YOU!

Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World

More Related Content

What's hot (18)

Similar to Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World (20)

Recently uploaded (20)

Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World