APPSEC Cali 2018 Seeing Through the Fog - Navigating the Security Landscape of a Cloud-First World


Abstract:
The prospect of the cloud is extremely attractive to many enterprises, so it’s no surprise that several industries are in an all-out sprint to get there. Cloud has become so popular that many CIOs have simply been given the directive “get to the cloud,” and thus are moving forward at a staggering rate with little regard for cost or security. This is putting security teams on their heels, in large part because many haven’t had the chance to truly grasp the shared responsibility model that most cloud providers operate under.

There is a common misconception in the industry that, when you buy space with a cloud provider, the cloud provider is also responsible for securing your data. This simply isn’t the case. The agreement is much more like leasing an apartment - the landlord maintains the roof, walls and windows, but if you leave the door unlocked, that’s on you. That said, determining who has responsibility for the protection of applications, services, and data once cloud has become part of an enterprise stack is a lot harder than locking a door. If it weren’t, we wouldn’t be constantly reading about huge troves of sensitive data stored on unsecured AWS servers. So, figuring out this shared model has become one of the major challenges of navigating this new and only vaguely defined landscape.

The first thing we all need to understand is that cloud providers are not managing data so much as providing a platform or infrastructure, so the protection of the data is still up to the enterprises. While the cloud offers more availability and uptime, it can also make data more vulnerable to attack. Every copy of data is a potential liability, so while availability is convenient, it comes with elevated risk. Cloud providers can certainly make it easier for enterprises to set up their servers correctly, but enterprises need to own the responsibility of securing their data and make sure they are maintaining access control lists properly, performing quality assurance on configurations and policies, and auditing who has access to what.

In this session we will explore how security professionals can own security for their organization as they migrate to the cloud, and detail the steps they can take to make sure the cloud stays secure for their enterprise, thus ensuring that they don’t end up making headlines for all the wrong reasons.

About Ben Johnson
Ben Johnson is a prominent voice in cybersecurity, having co-founded and been CTO of both Obsidian Security and Carbon Black. Additionally, Ben sits on several cyber start-up boards and spent 7 years at the NSA. Ben has spoken to over 600 organizations and given thought-leadership presentations in 15 countries.

Managed by the official OWASP Media Project

Reviewed by Unknown on March 16, 2018