A Unified Approach to Cloud Security

By Jared Naude

Elevator Pitch

With enterprises rapidly migrating to the public cloud, how can we enforce security, governance and risk mitigation through the use of automation? Let’s explore best practices, tools and techniques for building out cloud security controls and the challenges you will face.

Description

With the alluring benefits of cost savings, flexibility and virtually endless scalability, an increasing number of enterprises are considering migrating to public cloud services. However, with data breaches becoming increasingly common, cloud security is of paramount importance to organizations. Cloud security can be an encumbering and complex challenge to tackle; however, by building out some security controls and automation capabilities, we can go a long way towards achieving a solid cloud security foundation.

In this talk, I will share my experiences and lessons learnt from architecting and engineering cloud security controls at a large South African bank. I’ll explore using DevOps principles and automation to enforce security, governance and risk mitigation in a public cloud environment. We’ll explore the problems and challenges associated with DevOps, like the “You build it, you own it” principle, which can prove to be a challenge in a heavily regulated environment with segregation of duties. During this discussion, I’ll share some lessons we learnt from building an automated Continuous Integration & Continuous Delivery pipeline for our cloud infrastructure utilizing tools like Jenkins, Chef, Ansible and Terraform.

This talk will explore cloud security basics, from Identity and Access Management (IAM) and general best practices to more advanced aspects such as event-driven security, logging and monitoring, software assurance, DDoS protection, incident response and vulnerability management. Lastly, I will talk about cloud security in a broader context and highlight some lessons learnt from the use of agile techniques, story maps and the importance of value chain mapping, as well as new legislation like POPI, the Cybercrimes Bill and GDPR.

I’m striving to make this talk applicable to a wide audience, so whether you are considering migrating to the cloud or are already using public cloud, this talk should be beneficial to everyone. This talk will be AWS focussed; however, these principles are applicable to all cloud providers.

About Me: I work as a Software Engineer specializing in security and cryptography at Synthesis, a specialized software development and cloud consulting firm for the financial services industry. Synthesis is the first AWS Advanced Consulting Partner in Africa & the Middle East.

Notes

I am very passionate about technology and information security and as a result I have spoken at multiple security conferences and I have also presented guest lectures at universities on security. I work as a Software Engineer specializing in security and cryptography at Synthesis, a specialized software development and cloud consulting firm for the financial services industry. I am currently helping a large South African bank design, architect and build out their cloud security controls and capabilities. I currently hold 4 AWS Certifications (soon to be 7 certifications!), including both associate and professional certifications. I am one of 16 people in the country with the AWS Certified Solutions Architect Professional certification.