Making Security a Priority: How Ed Tech Security Bridges the Gap with Cloud Security
November 1, 2017 | Educause Annual Conference 2017

EDUCAUSE 2017: Making Security A Priority


Key Takeaways

• Set your goals
• Have a documented, well-understood security strategy for consuming cloud applications
• Prioritize the most critical assets based on risk
• Evaluate products to find solutions that work best in your environment
• Work with peers who have completed similar strategies

Kristyanne Patullo

Present: Consulting Systems Engineer, Cisco Umbrella
Past: OpenDNS, Cloudflare, Rutgers

Brian Markham

Present: AVP, Infosec @ GWU
Past: PwC, KPMG, UMD
@maru37

Source: https://www.cloudlock.com/blog/the-oauth-attack-goes-mainstream/

Source: https://www.cloudlock.com/wp-content/uploads/2017/05/Hackers-Have-Moved-onto-the-Cloud-Exploiting-OAuth.pdf

IT in Higher Education

• Why do we do what we do?
  • We seek to enable learning and research;
  • We seek to create an environment where creativity and intellectual pursuits can be pursued; and
  • We seek to create distinctive experiences for our students, parents, faculty, staff, and alumni.

IT in Higher Education

• Technology can enhance learning
• Technology can help to improve graduation rates
• Technology can enable better student experiences
• Technology can lead to more sustainable business models for institutions of higher education

IT in Higher Education

• The result? We invest in technology:
  • Expansion of data across more platforms
• Meanwhile:
  • Computing is more mobile and personal than ever
  • Cloud technology is ubiquitous and the new normal

IT in Higher Education

• Centralized/decentralized IT service models
• Mixed-use networks
• Academic freedom
• Personally-owned devices (BYOD)
• Internet of (all the) Things
• Compliance (DMCA, FERPA, GLB, HIPAA, PCI-DSS, etc.)

IT in Higher Education

• No longer just a buzzword: it’s reality.
• E-mail, ERPs, file storage, applications - all cloud apps
• Traditional security model + new security models to counter the risks (third-party assurance)
• Not necessarily more risks but different risks

• Your users are using more devices than ever before, that they own and configure
• Your users are everywhere, specifically on networks that you do not manage or have visibility into
• Your network perimeter is still important but less relevant
• Your enterprise apps are Internet-facing and not in your data center

Ubiquity of Cloud Apps


“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries; instead, they need to apply their imaginations and energy to developing new approaches to cloud control. This will enable them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model.”

– Gartner

Source: G00315580

Source: https://twitter.com/playing_dad/status/690527116354523136

Security Goals

• Understand the institution, its goals, and key processes to prioritize security activities/initiatives
• Defend users, data, and the network
• Understand risk and manage it to an acceptable level
• Implement processes and technology to meet security objectives
• Train people to be an effective first line of defense
• Gain reasonable assurance that security controls have been designed and are operating effectively

“Cloud service providers are responsible for the physical, legal, operational, and infrastructure security of the technology they sell. However, businesses are responsible for securing the use of underlying cloud services. Applying the same best practices that they use to ensure security in on-premises environments ”

– Cisco 2017 Midyear Cybersecurity Report

Cloud Security Responsibilities

Source: Cisco eBook, Security’s New Frontier: The Cloud (2017)

Cloud + Security

Pre-work: Basic equipment

• Skilled security/IT personnel who understand and embrace cloud technologies
• Strong, effective governance and support from faculty, business, and IT
• A risk management framework and associated governance
• A vendor security methodology

Cloud + Security

Step #1: Set your goals

• What do you wish to achieve from a cloud security program?
• What is the governance model?
• How does a cloud product go from idea to procurement to production use?
• Baseline current capabilities: where are the gaps?

Cloud + Security

Step #2: Take an inventory

• What services are currently running outside your data center?
• What is the data classification (high water mark) for data being processed/stored/transacted by that service?
• What is worth investing in vs. what risks are acceptable?

Cloud + Security

Step #3: Control what you can control

• What can you control? Endpoints? Identity? Data flow? Start here.
• Implement controls (administrative & technical) to reduce the risk of accidental or intentional (malicious) data exposure
• Implement tools that provide visibility and assurance for stated outcomes

Cloud + Security

Step #4: Continuous monitoring

• What does good look like? Measure and report.
• Continuous improvement: how are you using data to improve outcomes over time?
• How do policies, procedures, standards, and guidance have to change as we learn more about user behavior and as risks/threats evolve?

Cloud + Security

• A capable toolset is necessary to augment your administrative and technical controls
  • Security information and event management (SIEM)
  • Identity management (SSO + 2FA)
  • Network visibility
  • Application visibility (DLP, CASB)

Traits of a Cloud Security Vendor

Cisco Umbrella

View of the Internet

Classifiers

Cisco Cloudlock

Cloud Access Security Broker (CASB)

Evolving Perimeter

Evolving Risk

GW + Cloudlock

• Used for Box (new service) and Google (5+ years in service)
• Covers faculty and staff
• Supports policy enforcement
• Visibility!

GW + Cloudlock

• Mo’ visibility, mo’ problems:
  • Take a structured approach
  • Develop policies, standards, criteria
  • Test!
  • Don’t try to do everything at once
  • Partner with user support

Key Takeaways

• Set your goals
• Have a documented, well-understood security strategy for consuming cloud applications
• Prioritize the most critical assets based on risk
• Evaluate products to find solutions that work best in your environment
• Work with peers who have completed similar strategies

Questions/Discussion
