Security + Cloud: What studios and vendors need to consider when adopting cloud solutions. - Ted...

Post on 15-Jan-2017

ISE Proprietary

SECURITY + CLOUD

Ted Harrington, Executive Partner

ted.harrington@securityevaluators.com

why is this important?

ISE Confidential - not for distribution

THREAT MODELING

“If you don’t know where you’re going, any road will take you there”

EXTERNAL ADVERSARIES

CASUAL HACKER

HACKTIVIST

CORPORATE ESPIONAGE

ORGANIZED CRIME

NATION STATE

INTERNAL ADVERSARIES

ACCIDENTAL

OPPORTUNISTIC

DETERMINED

SECURITY + CLOUD

Platform must be hardened

Configuration is CRITICAL!

“But I don’t own the equipment!”

Bad if: cloud platform < on-prem

Good if: cloud platform > on-prem

Cautionary Tale

SECURE DESIGN PRINCIPLES

Least Privilege

Privilege Separation

Defense in Depth

Trust Reluctance

Open Design

Economy of Mechanism

Complete Mediation

Psychological Acceptability

Fail Secure

Secure the Weakest Link

Reduce Asset Handling

Build Security In

Ongoing Reassessment

ANTI-PRINCIPLES

Compliance

Complexity

Obscurity

Security Through Legality

Deferral of Risk

SECURITY ASSESSMENT: The Wrong Way

Security Assessment Fail

SECURITY ASSESSMENT: The Right Way

Security Assessment Win

KEY TAKEAWAYS

Key Takeaways

• Configuration is critical!
• Cloud could be more secure, could be less secure
• Assessment methodology matters

How Can ISE Help?

• Security assessment
  – Application
  – Infrastructure
  – Supply Chain
  – Vendor
• Design guidance
• Training
• Embed

Questions?

Ted.Harrington@securityevaluators.com