ENTERPRISE SECURITY - International Association of …

ENTERPRISE SECURITY & THE CLOUD VENDOR

Disclaimer:

These slides are based on my experience managing enterprise business cloud architecture and security, working for mid-size Internet firms in Silicon Valley. Your experiences and your methods may differ. I don’t presume to speak for all enterprise security pros.

Doug Meier

Director, Security & Compliance

Pandora Media Inc.

Twitter: @TurkEllis

blog: riskof.ghost.io

INTRO – WHAT’S COVERED

We’re here to discuss securing cloud apps in the enterprise. We’re going to cover these topics:

1. Thinking realistically about cloud security

2. It’s about the data … that matters

3. The background check (CVOC)

4. Centralized IDM / auth – SSO rules

5. Cloud security and mobile endpoints

6. Security awareness backed w clear security policy

7. Compliance is cloud security’s enabling friend

8. Enlist the business and the enterprise team

9. Raising the bar on tiny vendors

10. I put it on my personal credit card (fencing the de-perimeter)

11. OK, now let’s securely onboard a vendor!

EMBRACING CLOUD SHADOW IT

Note: the shadow IT of informal IT shops working at odds with central IT is a different problem.

• Employees/teams have good reasons to commit cloud shadow IT.

• Stealth onboarding of productivity, collaboration, automation apps -- NOT a sin.

• Think of business cloud this way:

– web 1.0: early stages

– web 2.0: cautious adoption by experts

– web 3.0: ubiquity, contextualization

• Consumerization of IT → Personalization of IT

• Your org runs way more cloud apps than you realize.

SAME CONCERNS / DIFFERENT APPROACH

Biz apps: on-prem model meets outsourced model

Similarity: as with network security, you are dealing with someone else’s product.

Dissimilarity: in the de-perimeterized cloud, defense in depth and layered approaches can be irrelevant.

Approach to business cloud environment security:

• As vendor-dependent as it is network-team-dependent

• Requires security processes that network security templates can’t provide

YES IT IS ABOUT THE DATA… THE DATA MATTERS

• “data-centric” security – what does it mean?

• Most firms have the DLP cart in front of the horse: trying to secure all data without acknowledging the Pareto (80/20) principle, that a small fraction of the data carries most of the risk

• Fundamentals of data management -- classification, mapping, retention, handling, disposal

• DLP isn’t a single, one-time solution

• Identify, classify, protect the data that matters most

FUNDAMENTALS: THE VENDOR SECURITY & RESILIENCE AUDIT

Pandora’s Cloud Vendor Onboarding Certification audit form: 60+ questions for the vendor.

Background check to verify vendor resilience:

• Appropriate logical access controls

• Appropriate change mgmt of production code

• Clear problem resolution

• Data backup & recovery methods

And…

• Means of data integration

• Evidence of regulatory compliance / certs

• Adequate support, resources

CENTRALIZE IDM/AUTH

Apply common sense to logical access security

• Use Corporate accounts only

• Restrict access to critical apps via centralized auth mechanism

• Closely manage privileged admin accounts

Emphasize the advantages of SSO to the biz

Have technical staff who know and support SSO

Keep refining the SSO implementation

THE NEW SSO RULES

Make your SSO a paragon of secure cloud best practices:

1. Establish an SSO test / staging environment

2. Limit admin access to SSO prod env to minimum

3. Changes to SSO prod env by admins require a documented request

4. SSO connector devs shall not make changes in SSO prod

5. Periodic reviews of admin access to SSO prod env

6. Periodic reporting of changes to SSO prod env

7. Leverage the SSO vendor relationship
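Rules 3, 4, 5 and 6 above are the kind of controls that are easy to state and easy to let slide, so the periodic review is best driven from the SSO platform's own audit log rather than from memory. The script below is an added example, not Pandora's code and not any SSO vendor's API: it assumes an audit log of one JSON object per line with the fields shown in the constructed SAMPLE_LOG (timestamp, actor, action, env, target, optional role and ticket), and an assumed change-request ticket format of `CHG-<number>`. It reports prod changes with no documented request, prod changes by anyone outside the approved admin list (the connector-developer case), the current prod admin roster replayed from grant/revoke events, and a per-actor change count for the periodic report.

```python
"""Periodic review of an SSO production environment, driven from its audit log.

Added example (not Pandora's code and not an SSO vendor's API). The log format
is an assumption: one JSON object per line with the fields shown in SAMPLE_LOG.
Checks implemented:
  - every change to the prod environment cites a change-request ticket (rule 3)
  - only the approved prod admin list makes prod changes; connector devs are
    expected to work in the test/staging environment (rules 2 and 4)
  - the current prod admin set, replayed from grant/revoke events, for the
    periodic access review (rule 5), plus a per-actor change count (rule 6)
"""
import json
import re
from collections import Counter

# Assumed ticket format for a documented change request.
TICKET_RE = re.compile(r"^CHG-\d+$")

# Audit actions that modify the environment (assumed action names).
CHANGE_ACTIONS = {
    "app.create", "app.update", "app.delete",
    "mapping.update", "user.role.grant", "user.role.revoke",
}

# Constructed sample audit log for the example; not real data.
SAMPLE_LOG = """\
{"ts": "2014-05-01T09:12:03Z", "actor": "alice", "action": "user.role.grant", "env": "prod", "target": "bob", "role": "sso_admin", "ticket": "CHG-1001"}
{"ts": "2014-05-01T10:40:11Z", "actor": "bob", "action": "app.update", "env": "prod", "target": "salesforce-saml", "ticket": "CHG-1002"}
{"ts": "2014-05-02T14:03:55Z", "actor": "carol", "action": "app.create", "env": "staging", "target": "new-connector"}
{"ts": "2014-05-02T15:20:00Z", "actor": "carol", "action": "app.update", "env": "prod", "target": "new-connector"}
{"ts": "2014-05-03T08:00:00Z", "actor": "bob", "action": "mapping.update", "env": "prod", "target": "group-mappings", "ticket": "email to bob"}
{"ts": "2014-05-03T09:30:00Z", "actor": "alice", "action": "user.role.revoke", "env": "prod", "target": "dave", "role": "sso_admin", "ticket": "CHG-1003"}
{"ts": "2014-05-03T09:31:00Z", "actor": "alice", "action": "user.login", "env": "prod"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_prod_change(ev):
    return ev.get("env") == "prod" and ev.get("action") in CHANGE_ACTIONS


def unticketed_prod_changes(events):
    """Rule 3: a prod change without a well-formed ticket is a finding."""
    return [ev for ev in events
            if is_prod_change(ev) and not TICKET_RE.match(ev.get("ticket") or "")]


def unauthorized_prod_changes(events, approved_admins):
    """Rules 2 and 4: prod changes by anyone outside the approved admin list."""
    return [ev for ev in events
            if is_prod_change(ev) and ev.get("actor") not in approved_admins]


def current_admins(events, initial_admins, role="sso_admin"):
    """Rule 5: replay grants/revokes in time order onto the last reviewed roster."""
    admins = set(initial_admins)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("env") != "prod" or ev.get("role") != role:
            continue
        if ev["action"] == "user.role.grant":
            admins.add(ev["target"])
        elif ev["action"] == "user.role.revoke":
            admins.discard(ev["target"])
    return admins


def summarize(ev):
    return (ev["ts"], ev["actor"], ev["action"], ev.get("target"))


def review_report(log_text, approved_admins, initial_admins):
    """Rule 6: the periodic report of prod changes and access-review findings."""
    events = parse_events(log_text)
    prod_changes = [ev for ev in events if is_prod_change(ev)]
    return {
        "unticketed": [summarize(e) for e in unticketed_prod_changes(events)],
        "unauthorized": [summarize(e)
                         for e in unauthorized_prod_changes(events, approved_admins)],
        "admins": sorted(current_admins(events, initial_admins)),
        "prod_changes_by_actor": dict(Counter(e["actor"] for e in prod_changes)),
    }


if __name__ == "__main__":
    # Approved prod admins as maintained by the security team, and the roster
    # from the previous review. Both are assumptions for the sample data.
    report = review_report(SAMPLE_LOG, approved_admins={"alice", "bob"},
                           initial_admins={"alice", "dave"})
    print(json.dumps(report, indent=2))
```

On the sample data the report flags carol's prod change (no ticket and not an approved admin) and bob's mapping change justified only by "email to bob", and shows the roster moving from alice/dave to alice/bob after the ticketed grant and revoke. The two lists the script takes as input, the approved admin set and the last reviewed roster, are exactly what the periodic review should keep under version control so that the next run can be diffed against the previous one.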

CLOUD SECURITY & BYOD

• Smartphones: employees don’t separate life from work

• BYOD critical mass

• BYOS may be the best BYOD solution

• Secure mobile computing policy

• Encrypt drives, devices, data where appropriate

• Make it very clear: the employee is legally liable for confidential/sensitive info on their devices

• SSO extending to the smartphone (OneLogin Launcher)

PR CHALLENGE: INSTILLING SECURITY AWARENESS

• Fact: in the de-perimeterized, ultra-socialized business cloud, business is conducted both in and out of band.

• Confidential discussions, collaborations and chats can’t be filtered or blocked at the firewall

• Stop blaming the millennials already

• Depend on ongoing security awareness training and security comms

• Leverage internal training group, Legal team, exec staff

COMPLIANCE IS NOT THE ENEMY

Good standard secure ops leads to compliance.

Compliance standards ensure transparency and accountability.

• SOX controls: accountability & survivability

• PCI DSS 3.0: security of payment card data and the networks that handle it

• SSAE 16 attestation standard: SOC 1 reports, and the related SOC 2 reports

• ISO 27001: International standard

• COBIT 5 (ISACA): roadmap for GRC

• CSA Cloud Controls Matrix (CCM) – cloud security playbook

• STAR – cloud provider trust and assurance

ENLIST THE BUSINESS OWNER AND THE PM

Today’s urgent vendor onboard request …

• Slow it down:

– Do we already support an app that does this?

– Are other groups asking for a similar hosted app/service?

– Have we looked at alternatives?

• Simple question: how did you hear about this vendor?

• Position a strong point person(s) to interact with business and PMs

• Enlist PMs to get in front of vendor requests

• Communicate the positives of the cloud security process/program

RISK OF TINY VENDOR

Six critical tells:

• How long have you been a company?

• How many employees on staff?

• Sources of financial support?

• Do you have paying customers?

• Is your product in GA?

• Do you have a security program/staff?

Cloud app vendors and the market are being held more, not less, accountable.

THE CVOC PROCESS

FENCING THE DE-PERIMETER @ PANDORA

Let’s review:

• Communicate vendor assessment and onboarding process well

• Obtain exec staff support for the process

• Make security awareness and training a priority

• Beware the freemium service, the endless POC, the tiny vendor

• Ask for SOC 1 and SOC 2 reports

• Use a centralized auth mechanism and funnel vendors through the audit process

• Enlist the PM teams and biz owners

• Run quarterly vulnerability scans of onboarded apps

• Support AND monitor AND re-assess cloud apps

DO RIGHT BY YOUR COMPANY

Disclaimer reminder: if you can “perimeterize” your cloud, more power to you.

Final advice:

• It’s a conversation

• Reduce noise & complexity

• Establish a reliable process

• Adjust vendor mgmt for the cloud

• Embrace compliance

• Don’t go it alone

• Keep your sense of humor, confidence

• Do what’s right for you

• Use the growing body of knowledge

FURTHER GUIDANCE

Jericho Forum commandments/Cloud Cube model -- https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

CSA – Cloud Controls Matrix (CCM)

CSA - Consensus Initiative Assessment Questionnaire

CSA - Security Trust & Assurance Registry (STAR)

OneLogin Toolkit

OneLogin’s IdentityFirst.org

Pareto (80/20) principle – Vilfredo Pareto

Know your data -- Jon Toigo – drunkendata.com