
Managing Security in The Cloud. Adam Ely, CISO, Heroku at salesforce.com; Founder & COO, Bluebox.

Presentation transcript:

1 Managing Security in The Cloud
Adam Ely
CISO, Heroku at salesforce.com
Founder & COO, Bluebox
adam@bluebox.com
www.bluebox.com
Twitter: @adamely

2 Why you're listening to me
CISO of Heroku BU at salesforce.com
- I know cloud security
Security leadership roles at Heroku/salesforce.com, TiVo, and Walt Disney
- I feel your pain
Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS
- I know more acronyms than you :P
CISSP, CISA, MBA, and some other stuff like that
- I have more acronyms than you :(

3 Defining "cloud"
IaaS - Infrastructure as a service
- EC2, Rackspace
PaaS - Platform as a service
- Heroku
SaaS - Software as a service
- salesforce.com, box, workday
Combining service types
- AWS EC2 + AWS SQS + Heroku Postgres + Rackspace

4 Areas of risk
IaaS
- Physical
- Personnel
- Internal operations/InfoSec
PaaS
- Platform (OS, services, configurations)
SaaS
- Web application security

5 We must think differently
Not all vendors are the same
- One-size-fits-all checklists are dead; don't be that guy
Rationalize the risks
- If the service is not interacting with cardholder data, don't demand that it be PCI compliant. Focus on the risks present.
Accept transfer of responsibilities
- You're not going to manage the security of the vendor; be thankful for less work. Stop being a control freak.
Innovate, adapt, and improve
- Focus on the real risks and what you can do to ensure protections, and move to continuous assessment, not checklist auditing

6 Step 1: Know thyself
Develop a security baseline
- You do have a data classification and handling guide, right? Define your critical assets, define controls, and build a minimum baseline for vendors (intent, not implementation)
Understand the types of services
- How can you know the risks if you don't know what it does?
What concerns us about each service?
- Determine the potential risk based on the service and develop assessments against the relevant guideline
Accept transfer of responsibilities
- You're not going to manage the security of the vendor; be thankful for less work. Stop being a control freak.

7 Step 2: Start Dating
Work with the provider
- Ask them about their security and see what they provide; maybe that'll be enough, or maybe you'll think of new things
Tailor your assessment
- Tailor your approach to the type of service, how your org will use it, and the risks present
Don't expect everything for $8/month
- Enough said.
Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation

8 Step 3: Use Protection
Encryption = data condom
- Really concerned about the data? Wrap it up!
Audit
- Backhaul logs, monitor, alert, and react
Continuous audit
- Use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever
Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation

9 Where to look?
Is customer data commingled?
Does the vendor perform security assessments?
- Always ask about scope and status of remediation
- What kind and how frequently
Encryption
- Data storage, external & internal transmission, queueing systems, backups, and 3rd-party services used by the vendor
- How are keys protected? Same key for all data/customers?
Architecture
- Architecture review: determine what has access to your assets, including 3rd-party services
- If a SQLi vulnerability is exploited, is your data at risk?
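Slide 8 says to use vendor APIs to continuously audit settings, users and permissions, and slide 9 lists what to look at (encryption, who has access). The script below is an added example of that "intent, not implementation" baseline check; it is not from the deck or from any vendor. The API response shape, the user records and the baseline values are all constructed and hypothetical: a real provider's schema will differ, and the point is the drift check, not the field names.

```python
"""Continuous audit of a vendor's settings and users against a baseline.

Added example, not part of the original presentation. The snapshot below
stands in for the JSON a hypothetical vendor "settings + users" API would
return; it is constructed sample data, not any real product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample snapshot (what the vendor API returned, after JSON decoding).
SAMPLE_SNAPSHOT = {
    "settings": {
        "encryption_at_rest": True,
        "tls_min_version": "1.0",
        "public_sharing": True,
        "audit_log_export": False,
    },
    "users": [
        {"email": "alice@example.com", "role": "admin", "mfa": True,  "last_login": "2024-05-01"},
        {"email": "bob@example.com",   "role": "admin", "mfa": False, "last_login": "2024-05-02"},
        {"email": "old@example.com",   "role": "admin", "mfa": True,  "last_login": "2023-11-01"},
        {"email": "eve@evil.test",     "role": "user",  "mfa": True,  "last_login": "2024-05-03"},
    ],
}

# The baseline states intent (encrypt at rest, no public sharing, modern TLS,
# logs backhauled to us, admins from our domain with MFA and not stale).
# Values are constructed for the example.
BASELINE = {
    "settings": {
        "encryption_at_rest": True,
        "tls_min_version": "1.2",
        "public_sharing": False,
        "audit_log_export": True,
    },
    "approved_domains": {"example.com"},
    "max_admin_idle_days": 90,
}


def _version_tuple(version):
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(snapshot, baseline, today):
    """Compare one API snapshot to the baseline; return a list of findings.

    today is an ISO date string ('YYYY-MM-DD') so the check is reproducible.
    An empty list means the vendor configuration matches our intent.
    """
    findings = []
    actual = snapshot.get("settings", {})
    for key, expected in baseline["settings"].items():
        value = actual.get(key)
        if key == "tls_min_version":
            # Minimum version: anything at or above the baseline is acceptable.
            if value is None or _version_tuple(value) < _version_tuple(expected):
                findings.append(f"setting {key}: {value!r} below required {expected!r}")
        elif value != expected:
            findings.append(f"setting {key}: {value!r}, expected {expected!r}")

    today_date = datetime.strptime(today, "%Y-%m-%d").date()
    idle_limit = timedelta(days=baseline["max_admin_idle_days"])
    for user in snapshot.get("users", []):
        email = user["email"]
        domain = email.rsplit("@", 1)[-1]
        if domain not in baseline["approved_domains"]:
            findings.append(f"user {email}: domain {domain} not approved")
        if user.get("role") == "admin":
            if not user.get("mfa"):
                findings.append(f"user {email}: admin without MFA")
            last = datetime.strptime(user["last_login"], "%Y-%m-%d").date()
            idle = today_date - last
            if idle > idle_limit:
                findings.append(f"user {email}: admin idle for {idle.days} days")
    return findings


def run_sample_audit():
    """Run the audit over the constructed snapshot as of 2024-05-10."""
    return audit(SAMPLE_SNAPSHOT, BASELINE, "2024-05-10")


if __name__ == "__main__":
    # In production this would run on a schedule, fetch a fresh snapshot from
    # the vendor API, and page someone when findings is non-empty.
    for finding in run_sample_audit():
        print("FINDING:", finding)
```

Run on a schedule, the only thing that changes between runs is the snapshot; the baseline is the contract you agreed with the vendor, and every non-empty result is drift from it. The TLS check is deliberately a floor rather than an equality test so a vendor moving to a newer version does not raise a false alarm.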

10 Working with providers
Know every provider is different
Accept responsibility for risk management
Understand what's in place; make decisions based on risk
Use vendors based on acceptable risk levels
Help vendors achieve more; let them learn from you

11 Managing Security in The Cloud
Adam Ely
adam@bluebox.com
www.bluebox.com
Twitter: @adamely

