Managing Security in The Cloud
Adam Ely
CISO, Heroku at salesforce.com
Founder & COO, Bluebox
adam@bluebox.com
www.bluebox.com
Twitter: @adamely

Why you’re listening to me
• CISO of Heroku BU at salesforce.com - I know cloud security
• Security leadership roles at Heroku/salesforce.com, TiVo, and Walt Disney - I feel your pain
• Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS - I know more acronyms than you :P
• CISSP, CISA, MBA, and some other stuff like that - I have more acronyms than you :(

Defining “cloud”
• IaaS - Infrastructure as a service - EC2, Rackspace
• PaaS - Platform as a service - Heroku
• SaaS - Software as a service - salesforce.com, box, workday
• Combining Service Types - AWS EC2 + AWS SQS + Heroku Postgres + Rackspace

Areas of risk
• IaaS - Physical - Personnel - Internal operations/InfoSec
• PaaS - Platform (OS, services, configurations)
• SaaS - Web application security

We must think differently
• Not all vendors are the same - One-size-fits-all checklists are dead, don’t be that guy
• Rationalize the risks - If the service is not interacting with card holder data, don’t demand it must be PCI compliant. Focus on the risks present.
• Accept transfer of responsibilities - You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.
• Innovate, adapt, and improve - Focus on the real risks, what you can do to ensure protections, and move to continuous assessment, not checklist auditing

Step 1: Know thy self
• Develop a security baseline - You do have a data classification and handling guide, right? Define your critical assets, define controls, build a minimum baseline for vendors (intent not implementation)
• Understand the types of services - How can you know the risks if you don’t know what it does?
• What concerns us about each service? - Determine the potential risk based on the service and develop assessments against the relevant guideline
• Accept transfer of responsibilities - You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.

Step 2: Start Dating
• Work with the provider - Ask them about their security, see what they provide, maybe that’ll be enough, or maybe you’ll think of new things
• Tailor your assessment - Tailor your approach to the type of service, how your org will use it, and the risks present
• Don’t expect everything for $8/month - Enough said.
• Communicate intent, not implementation - Work with the vendor to meet intent and understand their implementation

Step 3: Use Protection
• Encryption = data condom - Really concerned about the data? Wrap it up!
• Audit - Backhaul logs, monitor, alert, and react
• Continuous Audit - Use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever
• Communicate intent, not implementation - Work with the vendor to meet intent and understand their implementation
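Step 1 says to build a minimum baseline of intent, and Step 3 says to audit vendor settings, users and permissions continuously through their APIs. The following is an added example (not from the talk or from Bluebox) of what that looks like in code: a baseline expressed as intent, a constructed snapshot shaped like a hypothetical vendor API response, and a drift check that turns the difference into findings a SOC can alert on.

```python
"""Continuous-audit drift check: vendor API snapshot vs. minimum baseline.

Added example. The snapshot is a constructed stand-in for a hypothetical
vendor settings/users API; the baseline encodes intent (what must hold),
not how the vendor implements it.
"""

# Baseline of intent for any vendor that holds our classified data
BASELINE = {
    "mfa_required_for_admins": True,
    "encryption_at_rest": True,
    "max_privileged_accounts": 3,
    "allowed_data_classes": {"public", "internal"},
}

# Constructed snapshot, shaped like a hypothetical vendor API response
SAMPLE_SNAPSHOT = {
    "settings": {"encryption_at_rest": True, "sso_enforced": True},
    "users": [
        {"name": "alice", "role": "admin", "mfa": True},
        {"name": "bob", "role": "admin", "mfa": False},
        {"name": "carol", "role": "member", "mfa": False},
    ],
    "data_classes": ["internal", "confidential"],
}


def audit(snapshot, baseline=BASELINE):
    """Return a list of findings; an empty list means the snapshot meets the baseline."""
    findings = []
    settings = snapshot.get("settings", {})
    if baseline["encryption_at_rest"] and not settings.get("encryption_at_rest"):
        findings.append("encryption at rest is disabled")
    admins = [u for u in snapshot.get("users", []) if u.get("role") == "admin"]
    if baseline["mfa_required_for_admins"]:
        for u in admins:
            if not u.get("mfa"):
                findings.append(f"admin {u['name']} has no MFA")
    cap = baseline["max_privileged_accounts"]
    if len(admins) > cap:
        findings.append(f"{len(admins)} privileged accounts exceeds cap of {cap}")
    # Data classes present at the vendor that the baseline never permitted there
    stray = set(snapshot.get("data_classes", [])) - baseline["allowed_data_classes"]
    for cls in sorted(stray):
        findings.append(f"data class {cls!r} stored but not permitted by baseline")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print("FINDING:", finding)
```

Run this on a schedule against the real API response, backhaul the findings into your log pipeline, and you have continuous assessment instead of a yearly checklist.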

Where to look?
• Is customer data co-mingled?
• Does the vendor perform security assessments? - Always ask about scope and status of remediation - What kind and frequency
• Encryption - Data storage, external & internal transmission, queueing systems, backups, and in 3rd party services used by the vendor - How are keys protected? Same key for all data/customers?
• Architecture - Architecture review, determine what has access to your assets including 3rd party services - If a SQLi vulnerability is exploited is your data at risk?

Working with providers
• Know every provider is different
• Accept responsibility for risk management
• Understand what’s in place, make decisions based on risk
• Use vendors based on acceptable risk levels
• Help vendors achieve more, let them learn from you

Managing Security in The Cloud
Adam Ely
adam@bluebox.com
www.bluebox.com
Twitter: @adamely