Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi everyone, thanks for joining us. Today I'm going to talk about building secure
architecture in the cloud. It's like the talk of the town wherein people
who have never thought of moving to cloud are talking about moving to
cloud. Now this is a situation happening because of the pandemic that we
are in, so why not talk about it? That how can we secure
the architecture in the cloud when it's the need of the hour? And it's not
just that the bigger organizations have to make sure that they
are secure, it goes for the startups as well. So today
I'm going to give you a brief architecture or the
knowledge that I have around building secure architecture in the cloud.
So while we deep dive into it, let me talk a bit about myself.
I am Vandana Verma Sehgal. My day job is with one of the multinational companies
where I am working as a product security architect. Apart from that,
I root role owner work wherein I support OWASP,
which is Open Web Application Security Project. I'm one of the global board
of directors for OWASP and I also work a lot
bringing diversity and information security, which doesn't
only need to be come, it can be anyone who wants to be part of
cybersecurity. It can be from different domains, it can be the person who's going
to be flipping domain from any other to information security.
So that's what I do during my free time.
I love thinking about topics that I know or I love researching
about new things in cybersecurity. Today's agenda is
more around cloud strategy. Why do we need to have an architecture
review for cloud when we are thinking about moving to cloud, or even if
we have already moved to cloud, what are the things that we need to consider?
At the same time, what are the scenarios that are stopping us from moving
to the cloud or when we have already thought, okay,
now this is the way to go. What are the considerations that we should have?
And then we will sum up all of that. So when I talk about
public cloud and the data that is moving to cloud,
that's a huge number and as per one of the research which
is latest, that 90% of the data and analytics
would be there in public cloud by 2022. And at
the same time when we are in pandemic, there are over 98%
people, 98% organizations which have moved to cloud.
That's one of the stats. And some people were
planning to move to the cloud, but this situation has made us
so that we have taken the steps to move to the cloud. At the
same time, when I talk about the services that are part of the cloud,
solutions or public cloud. The services market is expected
to reach its new number, which is 354 billion
dollars, which is huge number. And 83%
of the enterprises workloads will be in cloud by
2020. That was the saying. But now when
we are in pandemic, that situation has reached another peak point.
Apart from that, 66% of the enterprises
already have a central cloud team or a cloud
center for excellence. They've started to think about it.
They want to have something that can maintain. They wanted to have a team which
can maintain the cloud. Now when we are talking about these numbers wherein
the organizations are spending so much on the cloud, talking about moving
to cloud, or have moved to the cloud and reaching its own big number
organisations are moving to the cloud,
sometimes the situation says, okay, you have a plan,
you're going to go to the cloud by this date. But now when we are
in a kind of a situation wherein we are dealing with a pandemic, organizations have
already fast forwarded their move to the cloud and more than 1.3
trillion IT spending will be affected by this shift.
And always when we talk about these numbers, cloud adoption,
spending on the cloud, it has positive as well as negative impact.
There are organizations who have a view that, okay, this is what they want
in the cloud, but at the same time, there are organisations who have
a plan to move to cloud, but they don't know whether cloud is
the best solution or which cloud is the best solution for them. So these
are some numbers which are going to spill the beans and change the numbers
in the coming future. If I talk about why organizations
have concerns in moving to the cloud, or when a small startup
thinks that they're going to move to the cloud, but they are facing some
challenges. If I highlight some, it's because of the unknown territory
that everything is moving out of the organizations. And since
ages, all the data were always in the
data centers. But now when we are moving, the scenario
or the paradigm is shifting, cybersecurities are becoming day to day
struggle for businesses. Recent trends in cybersecurity statistics reveal
a huge increase in the cybersecurity space, like the organisations
getting hacked, data breaches. And not
just that. Now when we are living in the world of IoT,
Internet, connected devices, mobiles, there's another shift which is happening.
There's so much of concern around the data breach.
Additionally, recent security research suggests that most companies
have unprotected data and poor cybersecurity practices in place.
There are teams who are working towards securing in organizations
where there's so much data still lying out there and there
are still vulnerable services on which
if we talk about patching, that takes a huge amount of time to
patch a vulnerability. If it exists, especially if it's an internal vulnerability,
people take time to resolve that. Another shift
that I've heard that people are moving their legacy applications to
containers or to cloud. But think about legacy applications already
have an overhead. Why do we need to move them to docker or
containers if we don't have a proper plan? They will still be an overhead if
we don't properly update it. Lifting and shifting never, always helps.
And when it comes to the legacy applications, that's what have been
the strategy for a lot of organizations. So we need to address
that concern as well, wherein if there is an application which is legacy application,
and we are trying to go ahead and move that to the cloud, we need
to make some changes so that it can be cloud ready. It shouldn't be just,
we are going to pick it up and post it there. It should not be
the copy and paste. There will be lot of overhead.
And not just that, there will be lot of budgeting constraints
that will come into picture, because to manage that
in the cloud, we would need resources and whatnot, and whether the application
will get the required kind of support would be there or not.
Who knows about that. Another concern is the hybrid cloud kind
of an environment or multicloud kind of an environment.
Organizations think that do we need a multicloud strategy,
hybrid cloud strategy, what kind of things that we are looking for?
So that's, again another kind of a scenario which needs to
be addressed. Because if we don't understand that vendor
lock in could be there, if one cloud doesn't suit us,
we can move to another cloud. So that's a very big area to address.
At the same time, regulatory concerns. There are so many regulations
that we have to follow, especially if in the US, we talk about CCPA,
if it's California, if it's European, then we have to talk about
GDPR. And then there are so many other compliance certifications
that are there, or requirements which are there, which needs to be addressed.
There are standards that needs to be adhered to. There's a governance mechanism that
we need. How are we going to attain that? That's a really
big area to be addressed. Now let's look at if we don't
have a right kind of architecture in the cloud, what could go wrong?
Managing data on the cloud is a function, actually a task
that is co-owned and co-managed by the cloud customer,
which could be us or could be an organization, and the cloud
service provider, which is CSP. So it's a shared responsibility and
this adds up to efficiency and cost optimization at the same
time. But there are still few gray areas that we need to address and look
after. So as the saying goes, the chain is
only as strong as its weakest link, while a regular pen test
activity offers a certain level of assurance that yes,
we are safeguarded from the threat actors and our infrastructure is secure.
However, it may not go into the details of overall architecture
design and if we don't do the right architecture design, we could be in
trouble. So a secure review of architecture is very,
very important. It looks at what's there in the internal network
and what are the nuts and bolts of a network. We also
need to have the information around our architecture.
We need to do some exercises to get to know our own network.
If we do not know, which is like security misconfiguration
or we have left a bucket open for anyone and everyone to see, the database
credentials are there in the code which is publicly available even when
you change it. The thing that is there on the code on public
that will be cached forever. And the code of public or
cloud Secure architecture review is to identify and highlight those
cloud security weaknesses and strengths and provide the
right guidance towards making a mature security
architect structure. Now with an increasing number of organisations
which are moving towards agile and DevOps methodologies and running
their infrastructure in the cloud, and they are trying to attain
the whole product itself, their organization is based
out of the cloud. So it's really, really important to secure that
the attack surface has actually widened for them, and not
just for them, but overall it is widened and it's very,
very difficult to sometimes understand that what's our own
play area or what's our own environment now there has
been moving parts in that also wherein we are deploying changes into
the production itself directly. I have seen organisations deploying changes
to production, who does that? It's like the most unsafe thing to do,
that you're just putting an axe on your own feet. So identifying the
attack surface and evaluating our own environment is the
first and foremost thing. And if we don't understand and
address these challenges, we're going to be in big, big trouble. So do
we need an architecture review? Think about it. Obviously we do
need it, because we have seen that there have been increase in the
cybercrimes and breaches and every other day we see that there
is an organization getting attacked or hacked or breached.
Now when that happens, as per one of the study,
when an organization gets breached. That doesn't happen for one,
like, that doesn't happen once. It happens a couple of times in
a short span. Now, the organization know that we have been
compromised, and still the same continues to happen,
because it's not that the organization don't safeguard them,
it's because sometimes we don't understand our own attack surface.
So it's very important to understand what's our protect surface,
which is like our own data network
assets or applications, or even our users. So it's
very important to understand these aspects. So if they don't
understand, what would be the impact. So the risk
of breaches can be huge. It can be that
organization could have penalties, which is due to regulatories,
like they've seen so many penalties due to GDPR or
customer data loss. This is like losing the customer
data and then losing the customer. So we can have a big problem,
and then the reputation, which is one of the most important thing
in brand value. Another thing would be once we lose one customer,
we tend to lose multiple at the same time. And when we talk about the
statistics that go a long way. So security breaches have
increased in huge number, I would say by 11% since 2018 and
67% since 2014. There's a huge number
or huge increase. Hackers attack every 39 seconds
on an average. Wow, that's gross. So the average time
to identify a breach in 2019 was
206 days. God, if an organization
figure out that much of time, that, yes, they have been compromised.
It's a big problem. So all these data have collected from the Ponemon
research done by IBM in partnership with the IBM.
So you can look at the report done in 2020 that has the
latest data about what could be the impact of
all these breaches that are happening now. When we talk about migration
to the cloud, that's actually a fear of unknown.
And cloud brings the Internet benefits and it brings the breaches also
at the same time. So building on top of the native security
of the cloud, which is there, will help us big time.
Sometimes we don't understand that, yes, this is there in the cloud and we can
take help from. I have seen it. So it's very,
very important to understand what our cloud security provider, which is providing.
So there are still so many questions that
are unanswered, or there are gray areas which are lingering around and which
lead to these exposures and breaches that happen.
Now, what are these? If I talk about these
questions, how my data look in terms of format,
state flow, and more when we talk about on premise and
cloud. But what do we need to understand? Like, how are we going to
safeguard my data when we talk about moving from on
premise to the cloud, what level of access do the
cloud security provider employees get to the data when I host
on the cloud, like whether they're going to access my data, and if I host
it on the cloud, that means they have access to anything and everything. So are
they segregating it or not? At the same time, if I talk
about cloud security providers native security features, which are great,
I've seen with so many vendors, there are great features, but how do
I know how much of them have been exercised or thought through,
or whether they are even effective? And how do I get that there
is an assurance? Yes, there are regulatory requirements
my cloud provider have met and there are auditors who have
come and measured that. So it's very important for me to understand. And how do
I get notified if there is a breach with that cloud provider,
or even if there is a breach attempt also?
So that's really, really a concerning area. And if I
talk about the research by Gartner. And Gartner predicts that
by 2023, the lead cloud service provider will have a distributive
ATM environment which have the presence to serve
many services and apprehensions to not take a backseat.
So all these things will be considered. Now,
if I talk about how should we do the architecture review?
Now, I have talked a lot about breaches. I've talked about
this could be the impact, but did I talk about architecture,
which is like, talk is all about. So now we're going to talk about architecture.
What are the lessons that we should be learning from that?
So first, and the foremost thing is that it's all about aligning the
fact that there are risks, understanding that there are risks when
we are moving to the cloud, the first thing that we have to understand that
our network is hostile, completely hostile, before even moving
to the cloud. So we start that, yes, now we have to secure our
environment, and that's where the first step lies. And when we
are there, we need to assess the risk and we have to have a proper
plan that how are we going to secure our own network. At the
same time, there are responsibility models that we are going to
be talking about. We need to understand them. That, yes, it's a shared
responsibility of a client and cloud service provider.
So it's a shared responsibility. I cannot say that I have hosted my data on
the cloud and I am all secure. No, cloud security provider has
given you a platform, he has given you infrastructure, or he has given you the
software, or they've given you that, but your data is on your
own responsibility. I can't say that. I have a house
and I have my tenants, and my tenants are going to take care of my
full house. No, that's not going to be there. You have to manage your own
house. Tenants will be there. If something goes wrong, they're going to call you,
they're not the owners. So it's like that when we are moving to
cloud, it's like we are moving to a house which is we have rented.
So we need to understand the whole clauses which
are there in the agreement. It's very, very important to get the lawyers
and the people who understand the language, or the auditors who understand the
language. Yes. This is what this cloud provider is abiding by.
And these are the things that needed to be
considered while moving to the cloud. Now let me show you an architecture.
This is an IBM cloud architecture. And if I talk about AWS
or Azure, most of the clouds almost look similar,
wherein we have to address the concerns which are there as part of governance,
risk and compliance. Then we have to understand the different areas which
are there which talk about security in
the cloud, like identity and access management, application security, data security,
infrastructure security, or anything else. Like there are multiple layers.
People say that there are seven layers that we need to understand.
There are seven parts that we need to understand, and it's an integrated thing
wherein we address the physical security, the whole platform security,
even the services that we are getting in the cloud. So based
on the business needs, companies opt for different models which
are part of the cloud, like whether they want to go for public
cloud, private cloud, or even kind of hybrid cloud. And now
a thing called multicloud. So organizations have started to talk
about it. And when we are selecting the appropriate cloud, okay, this is what I
need. We need to understand the deployment model, what kind of deployment model we will
be going by, and the type of application that we have,
the data sensitivity we have. We have to very much understand that and
the kind of business process importance, who will be
our target users. So it's very important. And if we
talk about single deployment or development and management exercises
across the platform, if I talk about public,
private and hybrid cloud, it's important to understand the basics
that what do we need? If I am okay to take the route
for public cloud, or if I'm okay to take the route of private or a
public cloud, or do I really want to be a
part of multicloud strategy. So it's all depend on organization.
And the most important thing that we need to understand is that we need to
have a proper plan to address the security components that are part
of our security architecture. If I talk about network security,
I need to understand that what will be my
boundary protections or if I'll have isolation or not,
what will be the network access control would be there, or boundary protection
would be there for my web application or not, whether I will also have
a firewall which is there for my internal resources. I have seen cases
where we are talking about web app firewall or WAF for
our external resources, but we tend to forget our
internal resources. If there is an internal attack happens,
for God's sake, nothing should happen. If that happens, how are
we going to detect that, especially on our internal applications? We have so
many internal applications in the organizations, could be HR,
could be internal employee apps, or even for
learning portal. So there are so many applications that we have,
or there are some mission critical applications that we have. So how
are we going to handle that situation? How are we going to address the concerns
which are there with the identity and access management? Especially now
when we are not in the four walls of an organization,
it becomes even more important to address these access
or authentication or authorization related
flaws. How about having multifactor authentication, and not
just for the people who are privileged users, but for everyone and
adopting the principle of least privilege, how are we
going to, can we have different authenticator management systems?
Like I'm not comfortable in getting OTP on my phone. I have
seen a lot of recent cases wherein it was
cloned and then attackers gained lot of money
out of it. So those are SIM card issues. But then again those
are concerns. And when we talk about cloud, cloud is like,
if I get your credentials, especially root credentials, I can own
your network. And the fun fact is that for
one of the project I was working, it's not a recent incident,
but sometime old incident wherein the
developers were using the root credentials and I was like, wow,
if these credentials go anywhere, what could go wrong? The whole
applications can go down, or somebody might have access to anything and
everything at the same time. We need to address the concerns which are there
for our own application and workload security like vulnerability
scanning, understanding the virtual services which are there,
or the ingress points that we have. And now when
we are talking about Kubernetes services or services,
we need to understand that, how are we going to provide the access to that?
And are we going to have role based access what kind of access
are we going to have? So it's very, very important to have. We also would
need to address the data security concerns, whether the data would
be encrypted at rest, motion or in
transit. Are we going to have TLS, endpoint security,
confidentiality and integrity, or are we going
to have encryption key management? So these are the things that
if we don't understand on, we're going to be in trouble.
And last but not the least, if we don't log it,
we can never safeguard ourselves. So how are we going to manage our
audit events, relevant audit logs, where are we going
to store it, for how long we are going to store it, how are we
going to protect our audit information? At the same time,
what infrastructure we would be monitoring, where the
audit records would be there for retention. So it's very, very important to
understand that. And when we talk about architecture services.
So this is the architecture which I picked up from one of the social media
sites. I don't know who posted it, but yes, I found it really relevant that
these are the things that we need to address, which starts with the
whole strategy, planning and then having the right governance,
doing the gap analysis or education, which is important,
the training for the teams are very important. Doing the right kind of risk assessment
is very, very important. So we need to have an architecture review methodology
which starts with data flow diagram. And even
before that, when I talk about the new normal that we are in,
businesses have to have a quicker and agile transition to the cloud,
which is with cloud enabled operations. This means thriving
a lesser known environment with unprecedented threat,
which I don't know what we are going to be doing with those threats in
the cloud. So these unprecedented times or
unknown times have taught us so many things about
our own environment. So this time has taught us a lot.
Where should we start off? We should first start off with the data flow diagram.
We need to understand our own cloud architecture infrastructure and
this will be done by referring to target organization, where we
need to have a high level cloud architecture. So data flow diagrams
actually help in that. Then we have to have a proper threat modeling done
of our cloud infrastructure and there has to be proper resources
that should be created for that. We also have to have a risk based plan
that, okay, this is how we are going to move to the cloud. These are
the things that we need to safeguard. This is where we are going to be
landing. And we need
to have adequate visibility on our environment and
understand our own environment with a gap analysis.
Where is the gap? How should we address that so let's
start with the threat modeling. Threat modeling is crucial, as it
sounds, or it help teams to proactively understand and
develop a strategy for identifying the potential threats
early. And for cloud, it's very, very important to do
the threat modeling of our own environment. There are multiple models which are
there like STRIDE, PASTA, Trike, wasp. There are so
many. I have been working on STRIDE a lot lately, and I
really like the kind of model STRIDE is. And when we talk about
threat modeling, threat modeling can be done as a code. And threat modeling,
we need to understand that this is not just code as well. So the tool
is less important than the data recorded. So we
have to have data recorded in that and using a tool already.
Okay, keep doing so if you're doing it. Whiteboarding is
my favorite. So I always say that for threat modeling,
whiteboarding is like, amazing way to go. How are we
going to have the threat models that we have created for longer run?
Now, there's another thing that we have to understand. When we are doing the
threat modeling, we need to create data flow diagrams. Now, when we create
the data flow diagrams, we need to define our trust boundary.
And when we are creating those trust boundaries,
we need to understand the whole architecture, especially this new normal
demands businesses to have a quicker and agile transition.
So how are we going to connect the systems with the data flow and where
the data would be passing through? So it's very, very important to have
the whole map. So the advantages of utilizing these processes
or application flow diagrams, wherein we can create the threat models,
which are developer friendly, and wherein we can showcase, okay, these are the applications
we have. This is the whole architecture that we have.
And it can also help us in creating the process map, which shows how individuals
move through an application. Security professionals and developers can then view
that these applications, if I don't act upon time, how the
attacker might be envisioning them, which is more efficiently
prioritizing the potential threat. And if we have
a standardization of these threat modeling processes, it can help us in
consistent, actionable output, which can help us a long
way. And companies need to govern how data or
how connections to data sets are established, and we need to monitor
this data transfer. So data flow diagrams are the best way
to go. And employees, organizations need to understand
that the risk of data exposure is huge. And if we don't have the
right kind of training around these data flow diagrams, or in general about
cloud security, it can lead us to a wrong way. Now,
we've talked about threat modeling a bit, data flow diagrams a bit.
Now, let's talk about shared responsibility model that we were talking
about in the beginning. So shared responsibility model, talk about that.
What would be the responsibility of the cloud provider
and what would be the responsibility of a client or us,
let's say, to be precise. So identifying the security risk
management responsibility is very, very important. Clearly chartered
security responsibility model is the way to go.
So the Covid-19 pandemic changed the business practices
worldwide and the traditional workspace transformed
or changed for many, the new norm, like people are
saying, new normal, new norm, which is now a new home office.
We are all homebound, we are doing the virtual, we are in
a virtual workspace, all servers are on cloud and we are
meeting over different platforms like Slack, Hangouts, Teams and
whatnot. So the cloud is busier than ever. Making cloud
security is more important than ever. So in public cloud,
there is a shared responsibility model wherein how
cloud security provider and we are going to manage it and security for things
like data classification, network controls,
physical security and whatnot. So if you can see on the screen,
we have talked a bit about data classification and accountability and
endpoint protection. We have talked about application level controls, network controls,
host infrastructure, and not to forget
physical security. If we don't understand and address
that, that can be a big concern. So based on whether we are running IaaS,
infrastructure as a service, or PaaS implementation, which is platform as a service
implementation, we might want to ascertain the additional security
responsibilities that we have. So whether it's in the
data center, using a service, server based infrastructure as
a service instance or serverless system, or even a
PaaS system, we are always responsible for securing our own
data. Talk about information and data. If we don't retain
our control over the information and data which
we maintain, we would never be able to understand what is
the visibility of our data. We will have zero visibility into
our data and all the data access in our control would
never be there. And again, another thing is identity and
access management. So how there are different facets to
it, different terms to it. So if we don't have the right IAM set,
which is identity and access management set, right kind of group set,
we don't have a single sign on mechanism or multi factor authentication, we're going to
be in trouble, big trouble. Apart from that, we need to understand the
application logic and code. So regardless of how we choose
to spin up the cloud resources, our proprietary applications are ours
to secure and the control throughout the application
lifecycle. If we have moved an application to the cloud, we cannot say that
now the cloud provider is going to secure our application? No, there can
be abuses that can happen. So this includes securing our own code
repositories from the malicious or misuse and
talking about application build testing throughout the
lifecycle, ensuring that secure production access is there and maintaining
security on any connected systems. Talk about virtual
machine accesses which are there in the cloud. So it's very important to
have a role based access control or started using the
principles of least privilege. So when we spin up
the cloud environment, we control the operation environment. And how
do we maintain or control those environments varies based on the kind
of instance that we are going for, whether we are talking about maintaining
the operating system. So we have to harden it. If we are maintaining the
applications, we have to make sure that when we are doing the devsecops,
we are doing it with the right things. So for the serverless
resources, the cloud providers control planes
give us the access to the setup of the configuration. So it's very, very important
to understand what's our control plane and the data
planes that will surround us and how the control plane will be
managing the configuration. And if a cloud provider is giving us the right to
manage that, there's nothing beautiful than that. And in case of server based
instance, we need to understand that. How are we going to manage the identity
and directory infrastructure? How are we going to manage our own applications?
How are we going to manage the network controls that are there? How are we
going to manage the operating system? I can go on and on. When we talk
about shared responsibility model, there's a huge thing to understand
and not to miss. We need to have a right kind of risk based
approach and if we don't have a plan, we can never attain
a right kind of shared responsibility model. It will just lie there and nothing
is going to happen. So what are the various data sets plan
to migrate to the cloud? Understand that. What are the regulatory
requirements from a cross border perspective? Like there
are data centers which are there. If I'm moving the data from one
data center to another, how are we going to manage those cross
border perspectives? And do we have policies and baseline
defined to be enforced on these workloads? How does the
data lifecycle look like? How are we going to manage our
own data? What are the encryption
measures which are there and how do we translate it to
the cloud? So the outcome would bring in a
clear and documented cloud security roadmap. If we
understand these things, if we have a plan, we understand shared responsibility
model. We address the identity and access management concerns and the
concerns which are part of the different layers that we have.
Last but not the least, gaining the right kind of visibility.
And if we have the right kind of visibility, we can have the right set
of service level agreements defined. What is actually
the need of the hour for the business. So due diligence is
very, very important. And not to forget, we need to have
a kind of right logging and monitoring. We have to have an incident
reporting, a proper response plan
that has to be there. What will be the business continuity management if
one data center goes down, what are the legal implications that would be
there or if there are contracts that I need to change
if I want to move from one vendor to another, what will be the legal
implications or if I want to move services from one cloud provider to the other
provider? And if there is a vendor lock in, how are
we going to move past that? So another important
thing is that uptime, a right to audit, can we audit the
cloud provider? I have seen that cloud providers are not, a lot of cloud
providers do not let clients do the risk assessment. Instead they
give the reports which are there. So how are we going to understand that
these things are important for us, things which are not
to miss, which are latest things and people don't recognize
it and don't address it. So let's start with CASB. So CASB is
cloud access security broker which is required as a
central shared security thing which can be there
at cloud edge which can help in cloud related traffic monitoring
and preventing controls. Another thing would be data user
behavior and activity monitoring within and across the authorized
and unauthorized SaaS cloud providers. How about using
the shadow IT and how about using those shadow cloud
and protect that? How are we going to have protection against malware?
At the same time, understanding the cloud infrastructure, configuration management,
container security, traffic management, threat management. So CASB,
the anchored multi-cloud safety net, is very, very important
for us to use. Now how are we going to address the challenges
which are there across the cloud security providers? We have to address the concerns for
identity, authorization and authentication mechanisms.
So we need to have a pragmatic approach towards implementing
all across the cloud providers. Another thing is that application security
basics like implementation, configuration and audit
of security design and configuration is very, very important,
especially if we have within SaaS, IaaS,
PaaS and now function as a service as well. So what
will be the management from the cloud security provider, end IBM configuration
or network configuration? What will they be managing?
What are the services that they are providing? So it's very, very important to
address these concerns when we talk about cloud security architecture. Now,
to sum it up, we need to look at the broader picture that we have.
We need to protect the customers, partners and our own business. We work with
a lot of partners. We need to think out of the box. We need to
have a different kind of understanding about our
own network. I have seen organizations who are moving to cloud, they don't
understand their environment well. They don't know what they have in their
environment currently, which is a big, big gap.
And if we address that, we address the skill
gap that is there. Another important aspect is that
when we think about moving to cloud, we need to
do the design thinking. Like, okay, this is how my design is
going to look. We need to involve all the stakeholders which will be part of
this movement to cloud. There must be multiple teams who would
be moving to cloud. So change is the only thing that is constant.
And when we talk about cybersecurity, it's very important to address these concerns.
Now, one more important thing that I want to tell
before we go is that building security in the cloud is not
an easy task, but not a difficult task. What we can do is
we can start with building the security architecture with zero trust.
Thank you so much. If you have any questions, any concerns,
any discussions you want to have, please do feel free
to ask me any questions. I am happy to have a conversation
on my Twitter handle, which is InfosecVandana, or you can reach out to
me on LinkedIn. I'm there, Verma, and I'll be
more than happy to have a discussion around this topic. Thank you so much.