
@InformationWeek

Tuning your Data Storage Strategy to the Hybrid Cloud

Sponsored by

Webinar Logistics
Optimize your experience today

• Enable pop-ups within your browser
• Turn on your system’s sound to hear the streaming presentation
• Questions? Submit them to the presenters at any time on the console
• Technical problems? Click “Help” or submit a question for assistance


Featured Presenters
Our knowledgeable speakers today are:

• Jonathan Trull – Senior Vice President of Customer Solutions, Qualys
• Sam Werner – VP, IBM Storage Product Management, IBM
• Sara Peters – Editor-in-Chief, InformationWeek
Data Storage Strategy for the Hybrid Cloud

Jonathan C. Trull
Senior Vice President, Qualys
www.qualys.com

Corey T. Jackson, MBA, CISSP
Founder/President of SACRO, LLC, a Cybersecurity Advisory Firm
www.sacrollc.com
Agenda
• Introduction
• Hybrid Cloud vs. Multi-Cloud
• Risk Decision Making Framework
• Cloud Shared Responsibility Framework
• Open Framework and Zero Trust to Control Risk
• Strategic Considerations for Hybrid Cloud Adoption
• Threats to cloud workloads
• Wrap Up
• Questions & Answers (Q&A)
Hybrid Cloud vs. Multi-Cloud
[Diagram: Cloud Solution Provider 1, Cloud Solution Provider 2 and Cloud Solution Provider 3 alongside a Private Cloud]
Risk & Strategy Decision Making

CEO (Business Leadership) – Digital Transformation; Business and Security Strategy
• Set company business strategy
• Responsible for risk management process

CDO, CIO, CISO (Technical Leadership) – Data & Security Strategy, Programs, and Epics
• Set technical company policy and direction
• Govern data and IT assets
• Manage risks to the company

Architects & Technical Managers (Technical Planning) – Architecture and Policy
• Develop technical architectures aligned to company policy and direction

Implementation
• Plan, implement, and operate solutions
Managing Information\Cyber Risk
Source: May 2021 - https://aka.ms/SecurityRoles

Security responsibilities or “jobs to be done”:
• Information Risk Management
• Program Management Office (PMO)
• Supply Chain Risk (People, Process, Technology)
• Posture Management
• Incident Preparation
• Incident Response
• Incident Management
• Threat Hunting
Cloud Shared Responsibility Model
Be Clear on Your Responsibilities and those of the CSP

Due Diligence, Notification, Right to Audit
• In the Shared Security Model there are numerous areas the CSP is directly responsible for.
• Do your diligence to monitor and audit whether those activities are happening as expected.
• You may not have enough leverage in the relationship to audit your CSP, but at least ensure you are reviewing their compliance reports (e.g. SOC2) and following any news/announcements regarding their security posture or events. (Note: Your business customers likely require this.)
The digitized world is interconnected and dynamic

• Normalization of remote work
• Rapidly evolving partnerships and competitors
• Rapidly changing communication patterns
• Evolving national interests and regulations

• Automated Policy Enforcement – to address changing processes and models in an agile manner at minimum cost
• Adaptive identity management – to respond to rapidly changing roles, responsibilities and relationships
• Data-centric and asset-centric approaches (APIs) – to
  o Better focus security resources by limiting the scope of what to protect (via trusted zones, tokenization, or similar approaches)
  o Better monitor assets and respond to threats regardless of network location.
Zero Trust
Core Principles

ORGANIZATIONAL VALUE AND RISK
1. Modern Work Enablement – Users in organizational ecosystems must be able to work on any network in any location with the same security assurances.
2. Goal Alignment – Security must align with and enable organization goals within the risk tolerance and threshold.
3. Risk Alignment – Security risk must be managed and measured using a consistent risk framework and considering organizational risk tolerance and thresholds.

GOVERNANCE
4. People Guidance and Inspiration – Organizational governance frameworks must guide people, process, and technology decisions with clear ownership of decisions, policy and aspirational visions.
5. Risk and Complexity Reduction – Governance must reduce both complexity and threat surface area.
6. Alignment and Automation – Policies and security success metrics must map directly to organizational mission and risk requirements and should favor automated execution and reporting.
7. Security for the Full Lifecycle – Risk analysis and confidentiality, integrity, and availability assurances must be sustained for the lifetime of the data, transaction, or relationship.

TECHNOLOGY AND SECURITY CONTROLS
8. Asset-Centric Security – Security must be as close to the assets as possible (i.e., data-centric and application-centric approaches instead of network-centric strategies) to provide a tailored approach that minimizes productivity disruption.
9. Least Privilege – Access to systems and data must be granted only as required and removed when no longer required.
10. Simple and Pervasive Security – Security mechanisms must be simple, scalable, and easy to implement and manage throughout the organizational ecosystem (whether internal or external).
11. Explicit Trust Validation – Assumptions of integrity and trust level must be explicitly validated against organization risk threshold and tolerance.

Right-hand column of the slide:
1. The scope and level of protection should be specific and appropriate to the asset at risk.
2. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
3. Assume context at your peril.
4. Devices and applications must communicate using open, secure protocols.
5. All devices must be capable of maintaining their security policy on an un-trusted network.
6. All people, processes, and technology must have declared & transparent levels of trust for any transaction to take place.
7. Mutual trust assurance levels must be determinable.
8. Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control.
9. Access to data should be controlled by security attributes of the data itself.
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
11. By default, data must be appropriately secured when stored, in transit, and in use.
Strategic Considerations for Hybrid Cloud Adoption

• Legal, privacy, and compliance considerations
• Data security pros and cons
• Data volume and cost considerations
• Legacy code and speed to rearchitect
• Transaction speeds required for application
• Resilience pros and cons

In which environment is your data more vulnerable, or more at risk?

Governing Data: IaaS vs PaaS vs SaaS

Aspects to consider –
• Full stack
• Access mgmt.
• Share responsibility
• Test Data Masking (TDM)
• Encryption (native or 3rd party)
• Attestation
• Configuration and patch mgmt.
• Accountability
• Brand Reputation

• The data controller or owner
• The data holder
• The data subject
Operational Considerations

• Multi-Cloud and/or Hybrid environment
• 1 – to – 3 => security staff to CSP/data center mgmt.
• Cloud IaaS/PaaS multi-environment (growing) vs. 1 Team
• Cloud agnostic
• Risk mgmt. and governance
• IT teams are not growing as fast
• A distributed world (people, customers and apps)
• How should security support efficient operations?
Threats to Data in the Cloud
• Exposed storage containers/buckets
• Misconfigured cloud endpoints (APIs, Administrative Portals, etc.)
• Compromised cloud administrative credentials
• Infected images pulled from the Internet
• Supply chain
• Traditional on-prem compromises pivot

Data Exposure
• 4.1 billion records exposed in the first half of 2019. (Source: Trusted Cloud: Microsoft Azure Security, Privacy, Compliance, Reliability/Resiliency, and Intellectual Property)
• As of 2020, 36% (24 of 67) of error-related breaches involved misconfigurations on databases, often cloud storage – not good.
• @)% of Cyber Attacks are through compromises in the Cloud
CSP Data Management Decision Points
• Set clear standards for data protection.
• Are you comfortable with the native encryption offerings, or do you want to encrypt before storage in the CSP?
• Who controls the keys?
• How many keys do you want [customer segmentation]?
• How are they managed?
• Do you have the right visibility and access logging everywhere sensitive data is stored?
Wrap Up
• Start with policy first: define the types of data appropriate for a public vs. private cloud
• Maintain an inventory of your data and the cloud assets that have access to the data
• Adopt a zero-trust approach to protect data in a hybrid model
• Understand common threats to cloud workloads and implement controls to prevent/limit their occurrence

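As an added example (not from the webinar or either presenter), a small Python audit that applies the CSP Data Management Decision Points and the Wrap Up advice (policy first, then an inventory of data and assets) to a constructed storage inventory; the data classes, field names and policy rules are assumptions.

```python
"""Policy-first audit of a hybrid-cloud storage inventory (constructed example)."""
from dataclasses import dataclass

# Assumed policy: these data classes may only live in a private cloud.
PRIVATE_ONLY = {"confidential", "regulated"}

@dataclass
class StorageAsset:
    name: str
    location: str             # "public-cloud" or "private-cloud"
    data_classes: frozenset   # classes of data held in this asset
    publicly_accessible: bool # reachable without authentication
    encrypted: bool           # encrypted at rest (CSP-native or before storage)
    key_owner: str            # "customer" or "csp": who controls the keys
    access_logging: bool      # access logs collected for this asset

def evaluate(asset: StorageAsset) -> list:
    """Return the policy findings for one asset; an empty list means compliant."""
    findings = []
    sensitive = asset.data_classes & PRIVATE_ONLY
    if asset.publicly_accessible:
        findings.append("exposed-storage: container/bucket reachable without auth")
    if sensitive and asset.location == "public-cloud":
        findings.append(f"placement: {sorted(sensitive)} not permitted in public cloud")
    if sensitive and not asset.encrypted:
        findings.append("encryption: sensitive data stored unencrypted")
    if sensitive and asset.encrypted and asset.key_owner != "customer":
        findings.append("keys: CSP holds the keys; encrypt before storage or use customer keys")
    if sensitive and not asset.access_logging:
        findings.append("logging: no access logging where sensitive data is stored")
    return findings

def audit(inventory: list) -> dict:
    """Map each asset name to its findings."""
    return {a.name: evaluate(a) for a in inventory}

# Constructed sample inventory, not real assets.
INVENTORY = [
    StorageAsset("analytics-bucket", "public-cloud", frozenset({"internal"}), False, True, "csp", True),
    StorageAsset("hr-archive", "public-cloud", frozenset({"regulated"}), True, True, "csp", False),
    StorageAsset("erp-volume", "private-cloud", frozenset({"confidential"}), False, True, "customer", True),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```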
Cyber Resilience is Critical to Safeguard your Enterprise

Sam Werner
Vice President, IBM Storage Product Management

Cyberattacks are the top cause of business disruption, with ransomware leading the way.

• Average cost of a data breach (38% from business disruption): $1.59M – portion of data breach costs attributable to lost business, including business disruption, system downtime, lost customers and reputation losses.[1]
• 23% of all security attacks in 2020 were the result of ransomware, up 15% from 2019.[2]
• 20% – share of breaches initially caused by compromised credentials, the most common initial attack vector.[1]

[1] IBM Security Cost of a Data Breach Report 2021
[2] IBM Security X-Force Threat Intelligence Index 2021
IBM Security / © 2021 IBM Corporation
Ransomware has evolved to become the most prevalent threat

[Bar chart, 0%–30% scale, of ransomware families: Revil, Ryuk, Nefilim, RagnarLocker, Netwalker, Sodinokibi/Revil, Maze, CLOP, Waiting, SNAKE/EKANS, PJX, Phobos, Medusa, Locky, Egregor, Crysis/Dharma, Cerber]

• Double extortion: Occurs about 60 percent of the time; attackers couple ransomware with stealing data
• Business is booming: We estimate Sodinokibi/Revil alone earned $120M
• Shift to Ransomware-as-a-Service: Affiliate or franchise operations, enables multiple infection vectors using the same ransomware
• Supply chain is a new attack surface: Ransomware attacks originated from supply chain and living-off-the-land


How quickly you can move from detection to recovery can be the difference between a minor incident and a major breach

[Timeline figure: Detect phase, Respond phase and Recover phase across 0, 30, 45, 60, 90, 2 hrs, 10 hrs, 2 days, 3 days, 1 week and 2 weeks, from Initial Compromise through tier 1 recovery, tier 2 recovery, Platform recovery / Platform recovery complete and Infrastructure recovery / Infrastructure recovery complete to Major Breach. Callout: What if you could recover in hours rather than weeks?]

1. Corruption of data occurs – but not yet detected
2. Without proper data resilience, corruption is detected much later and has a greater chance to spread
3. It takes even longer to identify all impacted data once the corruption has spread within the enterprise
Having the right data resiliency is critical to meeting recovery objectives

Copy Separation:
Create a structure of data separation across multiple layers and services including
- Copy Services
- Backup Services
- Separation of security controls

Immutability & Access Isolation:
Create a structure of data isolation across multiple layers and services including
- Air Gap
- Non-erasable / Non-rewritable Storage
- Cold Storage / Object Storage
- Data Vaults
- Isolated Infrastructure

Cyber Resilience:
Requires short- and long-term retention capability
- High snapshot frequency & fastest restore for short-term recovery
- RPO policy governed snapshot frequency for long-term retention and fast recovery

[Figure: protection tiers plotted by Data Accessibility against Temperature, annotated RPO - RTO: Cold Data Vault with Air Gap (tape); WORM Data Archives (write once, read many); NENR Data Archives (object / disk storage); Data Backups (local & isolated); Storage based Snapshots (local & isolated); Backup enabled Snapshots (local & isolated); Policy Governed Application Aware Snapshots (local & isolated)]
Practitioners Best Practice for Data Resilience

1. Administrative Security – Manage credentials and acquisition of data; Roles and rights for data copy management
2. Identify & Monitor – Malware, ransomware detection; AI-based pattern anomaly detection
3. Pervasive Encryption – End to end data encryption to render it unusable
4. Multiple Recovery Layers – System snapshots / backup snapshots; Traditional backups
5. Air Gap & Isolation – Logical: Object, WORM, Cloud, Isolated environment; Physical: Tape
6. Automation & Orchestration – Orchestration of disaster testing and failover processes across heterogeneous systems for reliable, speedy, and error-free recovery

Immutable Snapshots provide the means to recover in hours rather than weeks – Same capability on-prem or Cloud

IBM Safeguarded Copy prevents point-in-time copies of data from being modified or deleted by user errors, malicious destruction, or ransomware attacks – Logical Air Gap of Data

• Separation of duties – Additional security capabilities to prevent non-privileged users from compromising production data
• Protected copies of data – Capabilities to regularly create secure, immutable point in time copies
• Speed of recovery – Functionality that enables different use cases to restore corrupted data in minutes or hours vs days or weeks

Key capabilities for cyber recovery: VALIDATION, FORENSIC, OFFLINE BACKUP, CATASTROPHIC, SURGICAL
We cannot only design backup for traditional events

As physical disasters remain a severe issue ..... Cyber Crime / logical corruption results in the same severe issues and is increasing in numbers.
Questions?
Submit questions to the presenters via the on-screen text box
Thank you for attending

Please visit our sponsor and any of the resources featured in the resource section of the attendee console.
