Multi-Cloud Security Strategy, how to design one that fit your environment
CarloDapino
147 views
17 slides
Oct 08, 2024
Slide 1 of 17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
About This Presentation
This presentation target is to clarify the different type of multi cloud strategies you can adopt and how to avoid to get trick in misunderstanding and under estimate the risks. A full youtube presentation is going to be recorded, check my youtube channel https://www.youtube.com/channel/UCK0Z7e2riiR...
Slide Content
Strategy
Multi-cloud
Cyber Security
Designing a
Presenter: Carlo DapinoCopyright 2024 - Carlo Dapino
Multi-cloud
Cyber Security
Designing a
Presenter: Carlo DapinoCopyright 2024 - Carlo Dapino
Agenda
15 min. presentation
5 min. Q&ACopyright 2024 - Carlo Dapino
Multi-cloud definition
Not all multi-cloud journeys are the same
Layers that have to be part of a multi-cloud transformation
Commons issues to consider for all designs
Risk of a multi-cloud strategy
Lesson learnt on multi-cloud attacks
Attacker’s pattern
OT security challenges in Industry 4.0
Multi-cloud transformation architecture principles
Q&A
15 min. presentation
5 min. Q&ACopyright 2024 - Carlo Dapino
Multi-cloud definition
Not all multi-cloud journeys are the same
Layers that have to be part of a multi-cloud transformation
Commons issues to consider for all designs
Risk of a multi-cloud strategy
Lesson learnt on multi-cloud attacks
Attacker’s pattern
OT security challenges in Industry 4.0
Multi-cloud transformation architecture principles
Q&A
Multi-cloud definition
NIST SP 500-292: Multi-cloud refers to the use of more than one cloud service provider
(CSP) within a single architecture or system. This typically involves using various cloud
services (such as storage, compute, or applications) from multiple vendors to avoid
vendor lock-in, enhance redundancy, and leverage the unique strengths of each
provider's offerings.
European Union Agency for Cybersecurity (ENISA) defines multi-cloud as the
practice of using multiple cloud computing services from different cloud
providers, typically to avoid vendor lock-in, enhance reliability, and meet
different business, technical, or regulatory requirements.
European Telecommunications Standards Institute (ETSI) defines
multi-cloud as the use of cloud services from different cloud
service providers (CSPs) simultaneously to support a single
business or organizational environment. ETSI emphasizes multi-
cloud as an approach that enables organizations to optimize
resource allocation, mitigate risks, and increase flexibility.Copyright 2024 - Carlo Dapino
NIST SP 500-292: Multi-cloud refers to the use of more than one cloud service provider
(CSP) within a single architecture or system. This typically involves using various cloud
services (such as storage, compute, or applications) from multiple vendors to avoid
vendor lock-in, enhance redundancy, and leverage the unique strengths of each
provider's offerings.
European Union Agency for Cybersecurity (ENISA) defines multi-cloud as the
practice of using multiple cloud computing services from different cloud
providers, typically to avoid vendor lock-in, enhance reliability, and meet
different business, technical, or regulatory requirements.
European Telecommunications Standards Institute (ETSI) defines
multi-cloud as the use of cloud services from different cloud
service providers (CSPs) simultaneously to support a single
business or organizational environment. ETSI emphasizes multi-
cloud as an approach that enables organizations to optimize
resource allocation, mitigate risks, and increase flexibility.Copyright 2024 - Carlo Dapino
Not all multi-cloud journeys are the same Copyright 2024 - Carlo Dapino Company A Company B Company C
CTO is having a mix of IaaS, PaaS and SaaS
the main target is to standarize visibility, monitoring
and governance.
There is no appetite to refactor applications to unify,
for example only on PaaS.
The company is multi-cloud using multiple services
but want to let every department to use what they
need without restriction
Company did a lift and shift, testing multiple IaaS and
approaching to SaaS. CTO decided to refactor
application using a standard PaaS and cloud first, but
want to move the workload across multiple CSP. The
IaaS footprint will be reduced, migrating to PaaS or
using SaaS services.
IT and OT road map are both pointing to a bigger
usage of cloud services. OT, due to Industry 4.0
analytics and IIOT will start to consume cloud services.
CTO and CISO are worry on how the two worlds, IT and
OT, will converge keeping the proper isolation,
governance and risk management.
CTO is having a mix of IaaS, PaaS and SaaS
the main target is to standarize visibility, monitoring
and governance.
There is no appetite to refactor applications to unify,
for example only on PaaS.
The company is multi-cloud using multiple services
but want to let every department to use what they
need without restriction
Company did a lift and shift, testing multiple IaaS and
approaching to SaaS. CTO decided to refactor
application using a standard PaaS and cloud first, but
want to move the workload across multiple CSP. The
IaaS footprint will be reduced, migrating to PaaS or
using SaaS services.
IT and OT road map are both pointing to a bigger
usage of cloud services. OT, due to Industry 4.0
analytics and IIOT will start to consume cloud services.
CTO and CISO are worry on how the two worlds, IT and
OT, will converge keeping the proper isolation,
governance and risk management.
Not all multi-cloud journeys are the same Copyright 2024 - Carlo Dapino Company A
CTO is having a mix of IaaS, PaaS and SaaS
the main target is to standarize visibility, monitoring and governance.
There is no appetite to refactor applications to unify, for example only on PaaS.
The company is multi-cloud using multiple services but want to let every
department to use what they need without restriction
CTO is having a mix of IaaS, PaaS and SaaS
the main target is to standarize visibility, monitoring and governance.
There is no appetite to refactor applications to unify, for example only on PaaS.
The company is multi-cloud using multiple services but want to let every
department to use what they need without restriction
Not all multi-cloud journeys are the same Copyright 2024 - Carlo Dapino Company B
Company did a lift and shift, testing multiple IaaS and approaching to SaaS.
CTO decided to refactor application using a standard PaaS and cloud first, but
want to move the workload across multiple CSP. The IaaS footprint will be
reduced, migrating to PaaS or using SaaS services.
Option A
use a native CSP PaaS portability, like GCP
Anthos, Azure ARC
Option B
invest in a pure multicloud CI/CD, like GitOps
and RedHat OpenShift
Company did a lift and shift, testing multiple IaaS and approaching to SaaS.
CTO decided to refactor application using a standard PaaS and cloud first, but
want to move the workload across multiple CSP. The IaaS footprint will be
reduced, migrating to PaaS or using SaaS services.
Option A
use a native CSP PaaS portability, like GCP
Anthos, Azure ARC
Option B
invest in a pure multicloud CI/CD, like GitOps
and RedHat OpenShift
Not all multi-cloud journeys are the same Company C
IT and OT road map are both pointing to a bigger usage of cloud services. OT,
due to Industry 4.0 analytics and IIOT will start to consume cloud services. CTO
and CISO are worry on how the two worlds, IT and OT, will converge keeping the
proper isolation, governance and risk management.Copyright 2024 - Carlo Dapino
IT and OT road map are both pointing to a bigger usage of cloud services. OT,
due to Industry 4.0 analytics and IIOT will start to consume cloud services. CTO
and CISO are worry on how the two worlds, IT and OT, will converge keeping the
proper isolation, governance and risk management.Copyright 2024 - Carlo Dapino
Layers that have to be part of a multi-cloud transformation Copyright 2024 - Carlo Dapino
CI/CD
pipeline security
Transport Bus
Kafka
CDN
balancing and WAF
(A/B Testing)
SASE
Zero-Trust
HSM
Tokenizer
FIPS requirements (PCI)
DNS security API gateway DLPAAA
CA security End-Point Security
Visibility
CI/CD
pipeline security
Transport Bus
Kafka
CDN
balancing and WAF
(A/B Testing)
SASE
Zero-Trust
HSM
Tokenizer
FIPS requirements (PCI)
DNS security API gateway DLPAAA
CA security End-Point Security
Visibility
Common issues to consider for all designes Copyright 2024 - Carlo Dapino Company C Company A Company B
Data transfer in/out CSP cost
Incident response centralization
Zero-Trust design uniformity
API exposure
Data residency
Disaster recovery complexity and point of failure
(including CI/CD redundancy)
Data transfer in/out CSP cost
Incident response centralization
Zero-Trust design uniformity
API exposure
Data residency
Disaster recovery complexity and point of failure
(including CI/CD redundancy)
Risk of a multi-cloud strategy
Automation
scalability
and
lock-in
Disaster
recovery
challenges
Capability
to consume
native security
controls
CI/CD capability to scale to all
stack. Centralization of the
controls in a platform only.
Capability to consume native
CSP security controls
De-coupling Disaster recovery
across all stack can be a
challenge, some specific data
could need ad-hoc processes
API integration and
stardarization of controls across
all stack
Incident
response
standarization
Each component can have
different access of
capabilities for analysis and
restore of components, during
an incident
Learning curve
on the new
automation
Adaptation to new processes
and learning curve to reach full
potential can require timeCopyright 2024 - Carlo Dapino
Automation
scalability
and
lock-in
Disaster
recovery
challenges
Capability
to consume
native security
controls
CI/CD capability to scale to all
stack. Centralization of the
controls in a platform only.
Capability to consume native
CSP security controls
De-coupling Disaster recovery
across all stack can be a
challenge, some specific data
could need ad-hoc processes
API integration and
stardarization of controls across
all stack
Incident
response
standarization
Each component can have
different access of
capabilities for analysis and
restore of components, during
an incident
Learning curve
on the new
automation
Adaptation to new processes
and learning curve to reach full
potential can require timeCopyright 2024 - Carlo Dapino
Incident
response
standarization
Risk of a multi-cloud strategy
Automation
scalability
and
lock-in
Disaster
recovery
challenges
Capability
to consume
native security
controls
CI/CD capability to scale to all
stack. Centralization of the
controls in a platform only.
Capability to consume native
CSP security controls
De-coupling Disaster recovery
across all stack can be a
challenge, some specific data
could need ad-hoc processes
API integration and
stardarization of controls across
all stack
Each component can have
different access of
capabilities for analysis and
restore of components, during
an incident
Learning curve
on the new
automation
Adaptation to new processes
and learning curve to reach full
potential can require timeCopyright 2024 - Carlo Dapino
Risk
Mitigation
Define open standards, to avoid automation lock-in
Invest on a transport bus to standarize secure data transport across
environments (for example Kafka)
Invest on IAM, token management and SSL management to be compatible and
scalable
Manage supply chain risk by a framework
Invest on continuous threat modeling
Evaluate a Disaster recovery strategy that can implement all main CSP that will
be needed
Evaluate continuous forensics tools and consider to integrate in the main
pipeline (CI/CD) to standarize and automate the adoption, securing the
environment
Establish a training journey to embrace the multi-cloud digital transformation,
to allow all organization to be aware of the various change stages
response
standarization
Risk of a multi-cloud strategy
Automation
scalability
and
lock-in
Disaster
recovery
challenges
Capability
to consume
native security
controls
CI/CD capability to scale to all
stack. Centralization of the
controls in a platform only.
Capability to consume native
CSP security controls
De-coupling Disaster recovery
across all stack can be a
challenge, some specific data
could need ad-hoc processes
API integration and
stardarization of controls across
all stack
Each component can have
different access of
capabilities for analysis and
restore of components, during
an incident
Learning curve
on the new
automation
Adaptation to new processes
and learning curve to reach full
potential can require timeCopyright 2024 - Carlo Dapino
Risk
Mitigation
Define open standards, to avoid automation lock-in
Invest on a transport bus to standarize secure data transport across
environments (for example Kafka)
Invest on IAM, token management and SSL management to be compatible and
scalable
Manage supply chain risk by a framework
Invest on continuous threat modeling
Evaluate a Disaster recovery strategy that can implement all main CSP that will
be needed
Evaluate continuous forensics tools and consider to integrate in the main
pipeline (CI/CD) to standarize and automate the adoption, securing the
environment
Establish a training journey to embrace the multi-cloud digital transformation,
to allow all organization to be aware of the various change stages
Lesson learnt on multi-cloud attacks
Accellion Data Breach (2020)
Details: A vulnerability in Accellion’s file transfer
software was exploited to breach various institutions.
Attackers moved across affected environments to
steal sensitive data.
Lateral Movement: Attackers exploited the
vulnerability, gaining initial access through file
transfer systems and then laterally moved across
on-prem and multi-cloud environments where the
software was deployed.
SolarWinds Attack (2020)
Details: The SolarWinds breach involved nation-state
actors who compromised the company’s Orion
software, which is widely used for network
management.
Lateral Movement: Once inside the target
environment, the attackers used credential theft and
privilege escalation to laterally move across hybrid
environments, including on-premise servers and
multi-cloud environments.
Capital One Breach (2019)
Details: The Capital One data breach occurred due to
a misconfigured web application firewall (WAF) in an
AWS environment. A former AWS engineer exploited
this vulnerability and accessed over 100 million
customer records.
Lateral Movement: After breaching the WAF, the
attacker used a combination of privilege escalation
techniques and AWS services to move laterally
across various cloud assets within Capital One’s
infrastructure.Copyright 2024 - Carlo Dapino
Accellion Data Breach (2020)
Details: A vulnerability in Accellion’s file transfer
software was exploited to breach various institutions.
Attackers moved across affected environments to
steal sensitive data.
Lateral Movement: Attackers exploited the
vulnerability, gaining initial access through file
transfer systems and then laterally moved across
on-prem and multi-cloud environments where the
software was deployed.
SolarWinds Attack (2020)
Details: The SolarWinds breach involved nation-state
actors who compromised the company’s Orion
software, which is widely used for network
management.
Lateral Movement: Once inside the target
environment, the attackers used credential theft and
privilege escalation to laterally move across hybrid
environments, including on-premise servers and
multi-cloud environments.
Capital One Breach (2019)
Details: The Capital One data breach occurred due to
a misconfigured web application firewall (WAF) in an
AWS environment. A former AWS engineer exploited
this vulnerability and accessed over 100 million
customer records.
Lateral Movement: After breaching the WAF, the
attacker used a combination of privilege escalation
techniques and AWS services to move laterally
across various cloud assets within Capital One’s
infrastructure.Copyright 2024 - Carlo Dapino
Attacker’s pattern
PRIVILEDGE
ESCALATION
DEFENSE
EVASION
CREDENTIAL
ACCESS
LATERAL
MOVE
COLLECTION
EXFILTRATION Copyright 2024 - Carlo Dapino
INIITIAL
ACCESS
EXECUTION
DISCOVERY
IMPACTT1190, T1078 T1059, T1072 T1068, T1078.003 T1562, T1070, T1578 T1552, T1212, T1110 T1083, T1518, T1482 T1570, T1021, T1071, T1075 T1530, T1602 T1048, T1567 T1485, T1531
PRIVILEDGE
ESCALATION
DEFENSE
EVASION
CREDENTIAL
ACCESS
LATERAL
MOVE
COLLECTION
EXFILTRATION Copyright 2024 - Carlo Dapino
INIITIAL
ACCESS
EXECUTION
DISCOVERY
IMPACTT1190, T1078 T1059, T1072 T1068, T1078.003 T1562, T1070, T1578 T1552, T1212, T1110 T1083, T1518, T1482 T1570, T1021, T1071, T1075 T1530, T1602 T1048, T1567 T1485, T1531
OT security challenges in Industry 4.0 Copyright 2024 - Carlo Dapino
Multi-cloud transformation architecture principles Copyright 2024 - Carlo Dapino
TOGAF 9.2
Architecture Vision
Define the business and IT goals for multi-cloud
adoption, including alignment with enterprise
strategy, cost savings, operational efficiency, and
risk management.
Business Architecture
Ensure business processes and cloud services align.
Data Architecture
Manage data across multiple cloud platforms,
ensuring consistency, security, and accessibility.
Application Architecture
Define a flexible, interoperable application
framework across multiple clouds.
Technology Architecture
Define the infrastructure, network, and tools required to
support a multi-cloud environment.
Security Architecture
Ensure unified security policies and practices
across all cloud platforms.
Governance and Compliance
Establish policies, processes, and tools to manage the
multi-cloud architecture efficiently.
Operations Architecture
Define how cloud operations (day-to-day management) will be
handled across multiple platforms.
Migration and Integration
Develop a migration strategy to move existing
workloads and data to a multi-cloud environment.
Change Management
Manage the continuous changes in a multi-cloud environment,
ensuring alignment with the evolving enterprise architecture.
Continuous security monitoring
Manage the supply chain and risk across the various environment
establishing an effective and continuous security monitoring
TOGAF 9.2
Architecture Vision
Define the business and IT goals for multi-cloud
adoption, including alignment with enterprise
strategy, cost savings, operational efficiency, and
risk management.
Business Architecture
Ensure business processes and cloud services align.
Data Architecture
Manage data across multiple cloud platforms,
ensuring consistency, security, and accessibility.
Application Architecture
Define a flexible, interoperable application
framework across multiple clouds.
Technology Architecture
Define the infrastructure, network, and tools required to
support a multi-cloud environment.
Security Architecture
Ensure unified security policies and practices
across all cloud platforms.
Governance and Compliance
Establish policies, processes, and tools to manage the
multi-cloud architecture efficiently.
Operations Architecture
Define how cloud operations (day-to-day management) will be
handled across multiple platforms.
Migration and Integration
Develop a migration strategy to move existing
workloads and data to a multi-cloud environment.
Change Management
Manage the continuous changes in a multi-cloud environment,
ensuring alignment with the evolving enterprise architecture.
Continuous security monitoring
Manage the supply chain and risk across the various environment
establishing an effective and continuous security monitoring
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 147
- Slides 17
- Age 419 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views