Practical Cloud Protection: A Guide for Modern Businesses

Although I'm not a native English speaker, but I hope my presentation is interesting as I did my best to, to prepare a very practical presentation and talk about cloud security. Okay, the name is Practical Cloud Protection, A Guide for Modern Businesses. And I know there are lots of CISOs here who are working for small measurement enterprises. Do we have CISO from public sector, public institutions in this room now? Interesting because Central Bank of Army is public institution and pure.

My, my session, there was another session in this room and the presenter was talking about public sector that they are mostly using in on-prem solutions. And my, my presentation can be little provocative, so just stop me at any moment during my presentation and ask any questions you might have. Let's start. As Paul mentioned, I'm the Director of Technology and cybersecurity, the Central Bank of Armenia. I'm a short term expert for IMF, for regulation and supervision, including risk management, IT governance, cybersecurity governance.

I'm also short term expert for World Bank for Govtech activities and digital transformation, and also a visiting professor for American University in, in Armenia, actually teaching a subject accounting information systems, which is not related to cyber security. But there are many things in this subject and my slogan is the following. And I'm in Germany, one of my favorite cities. Will you please guess where it come from? It comes from this, this slogan, let's make this world a better place to live. German person, German rock group, singing a song, living for tomorrow. Scorpions.

Scorpions. So it comes from scorpions and it's my, my favorite, one of my favorite songs. So let's start. It's already a third day. We are here in this conference after lunch. It's really challenging once again to capture your attention. We heard about lots of things about emerging threats, cloud security, IOT, everything. And I will focus on, especially on cloud. And what is my motivation for, for this presentation? As I mentioned, my slogan is, let's make this world a better place to live. And they just turn it in a way, let's make this world cloud security.

If, if you can do that, clear all, let's start Cloud. Why cloud? If a Google cloud, what are the top 10 advantages or benefits of using cloud? You will find a couple of nice marketing messages. I captured two of them. First from, from Google and I highlight it. Can you find security in the highlighted test text? Is there anything about security? So Google being one of the third, one of the top five. Actually Google is third cloud service provider by shares in the world.

When Google is talking about cloud infrastructure, cloud computing, there is no single word about security, about cybersecurity. Another message, I just Google it and then found couple of them and just shared first cost saving. When we go cloud, we are doing cost saving. That's fully correct. Here we can see the, the, the security as a, as a second key, key keyword in this message. But once again, when we are going to cloud, what are the most important questions we need to clearly understand before going cloud?

Because after we are in cloud, using cloud, it can be not nightmare for any CISS, for any business or public institution. 94% of businesses, actually this is a very, very nice report. After the survey and I I I took couple of messages, 94% of businesses claimed that they, they saw some improvement in security when they moved to cloud, especially for government compliance requirements. That's fully correct. If you do not have any cybersecurity professional at your office, you don't have CISO who will take care of, of this governmental requirements and compliance.

Then when you go to cloud, there are some, some embedded, some default features, components, everything which helps businesses to, to comply with the governmental requirements. It's, it's fully true. The next there should be another, another picture.

Okay, now let's talk about the shared responsibility model. Anyone in this room is aware of this shared responsibility model?

Yeah, most of you. So I try to make a parallel between pizza as a service, then I talk about cloud as a service. Okay? There are different types of options. Let me as I don't have clicker, may I, may I have clicker. Is there a LA laser pointer in that clicker?

Yeah, that's, that will be great 'cause just the white one in the middle. Sorry.

Oh, no problem. So software as a service, infrastructure as a service, let's start from the beginning. Make at home, we have everything at home for pizza. I'm not fan of pizza, but if I have all this, all these components, then I can prepare a pizza at home. Second option pizza as a service or infrastructure as a service. Take and bake. I can buy this from someone from somewhere, from supermarket. And if I have additional oven, electricity, soda, coca, I dunno, maybe vodka with pizza, then I can prepare a pizza. Then the next is pizza delivery. I can call to pizza delivery.

Then the guy after five minutes will come bring a pizza or I can go to the restaurant or pizza area, pay and eat and that's it. That sounds nice. Pay and eat. That's it. Okay. Now there are millions of risks here. Millions. Imagine you are traveling to Africa and going to pit area to buy a pizza. You can see I've been in many, many African countries. Sometimes you go to to eat something and you can see, I dunno, some dirty places, dirty tables, et cetera. And you are very hungry and you have to eat something. You cannot die and you have to pay and eat no matter what are other circumstances.

Okay? Now let's use the same model for cloud, okay? What we have on-prem, even on-prem, we are using some shared responsibilities with our internet service providers. This is our mobile network operator, I dunno, internet service provider. They are responsible for network and we are also responsible for network.

Here, it's clear that responsibilities are shared in the green area. I, I forgot to say in green area, it's your responsibility in red area. It's not your responsibility, it's your service provider's responsibility. Okay?

Now, when we have infrastructure as a service, look at up to the operating system level is your service provider's responsibility, in this case, cloud service provider's responsibility and only operating system, which can be configured by, by themselves. Later on, I'm going to show you real example. After that, this is your responsibility to manage your middleware application data, et cetera.

And as, as much we go from left to right, we'll see software as a service. Here you have only responsibility to manage your data. Everything else should be done by your internet. I I mean cloud service provider.

Now, if you're talking about Google, Google Cloud, I mean AWS or Microsoft, they have pretty good infrastructure. They have maybe better cyber cybersecurity team, whether technology, whether so better everything than most of companies in the world.

But what, what about small and medium businesses? When we are using some cloud services, which is not Amazon, which is not Microsoft or cloud, do they really understand this model? If is it myth or reality that businesses are really understand this shared responsibility model and they really knows what to do before the go to cloud? What to do when you are using cloud services and how to be sure that your cloud service provider do not have access to your information and data? Let move forward and say the following. If you think that everything is so clear, then congratulations.

You are like top 25% of people in the world that say it's, it's obvious. I'm responsible for this. My cloud service provider is responsible for that.

In fact, these are from the same survey, 77% of it decision makers including CSOs, CTOs, CIOs, CDOs and other c-level technology managers say they believe that public cloud providers were responsible for securing customer's data in cloud. And close to 70% said they believed these providers were responsible for securing customers applications as well. So imagine in the previous slide, I don't like to go back and forth as I have very limited time.

So imagine you're using infrastructure as a service, which means you are building your application, but you think that your service provider is responsible for your application security. It's nice moving forward. Let me show you two real examples, okay? In this model, I'm talking about the infrastructure as a service and platform as a service. So I used to be an admin of small family business. Actually my wife is the CEO of the business, but I, I'm like her tech advisor, but she's running the business by, by, by her own, okay?

But the entire infrastructure has been set up by myself from zero. And this is the setup.

It's, it's really very interesting that my cloud service provider is a German German provider. It's really very interesting. I'm in Germany and my cloud service provider is a German company, very nice company. I'm not here to, to market the company if it's good or bad, but I'm using their services more than like 10 years and they provide different types of services. I have couple of virtual private servers in their environment. So I'm using, as I mentioned, let me go back. I'm using this model infrastructure as a service means at this level, our responsibilities are shared.

They have image of the system. I can, I can choose Windows, Linux, different types of Linux, et cetera, et cetera. So they have their responsibilities. I have my own responsibility to set up that, that image to take care of security and other, other stuff, okay? And I am providing actually my wife through this small company, which is just running hosting company is fun.

It's not, it's not a business. Even sometimes our spendings are more than our, our incomes. But it's fun because it's a great environment to learn to understand this, this responsibilities not in a, in a theoretical way, but in a real, real use cases. Okay? So once again, this is my service provider and this me now anyone of you, have you ever been hosted a website, a domain in a, in a hosting environment? When you host a website, a domain you mean, I mean means in 99% of cases you use this hosting server for serving your website and your emails. Okay? Now what do you think?

Can I have access to my clients? If I click here right now, I, I do it in a demo right away. Can I access to my users' emails or not? True? Is it okay? But can I have an access or not? Theoretically and practically I can. It's my server. I set up everything. Okay. I can even access to, to the mailbox of any single domain users, although there are lots of controls. If I access to their e their mailboxes, they'll get a message or next time they, they will log in, they'll see another log on from Frankfurt for example.

But I can do it from the command line, from the SSS and no one can can see what I, I've I've done. So I have full access to my customer's data emails, which is nowadays I think the most important channel between employees, between businesses, et cetera. But what can my cloud service provider do? Convo. They can copy my, my vm, they can delete my vm, they can do whatever they like my, with my virtual machine. I think even they can do the same things for my clients, like read their emails for example. But most small and medium businesses don't care about this unfortunately.

Let me give you a real concrete example. Three, three minutes.

Three, three. Oh, okay, then, then, then, okay, this what I have actually very fresh example happened with me before I traveled to Frankfurt Central Bank of Armenia. We were working to to buy a software as a service solution for HR management, performance measurement, et cetera. Very nice solution. Although to be an, I removed the name of the company and put X, Y, z, like imagine X, Y, Z company is providing this software as a service.

And we wrote down some 10 questions to understand our responsibility and their responsibilities and look at here, is there any possibility to extract all my data? Yes, of course there is a possibility generally would be as APDF. Good. Imagine I'm using software as a service for 10 years. Lots of data is there and then I'm unhappy with the service provider. I would like to move to another one and I am asking them, would you please give my data? Oh yeah. Here is PDFI can, I can fax you. Perfect.

We are living in 21st century and cloud service provider are giving you your data in the PDF format. Perfect. Another question, second one or third one, who has access to my data?

Nice, simple question. And they say like from customer support perspective, our admin or admins, I dunno who are them, can have access to your data. Next question. Which is even more interesting. Do we have access to our data backup? No. They are backing up my data, but they don't have access to my data, to my backup. Is it strange? Yes it is. But they are very famous provider, quite successful listed company, you know. So the last one, how can I be sure that you will delete all my data in a secure way after I disconnect my contract?

They say we can send you a letter like yes, we promise you we'll delete for sure. We are very honest.

But, but is it enough just to rely on the letter? In my former life I was an auditor and we had another slogan in God, we trust others, we audit. So do we have a right to audit?

No, of course you don't have to audit to your, to your cloud service providers. So these are practical questions, ladies and gentlemen. Unfortunately, I don't have much time and I have to exit my presentation and I'll be happy to answer all your questions. Thank you so much. Thank you commenter. Very excellent.