Cybersecurity Program

COURSE: CYBERSECURITY MANAGEMENT


Ms. MANUEL CALDAS NUÑEZ
Senior Manager, Cybersecurity and Cloud Computing Architect. I have led corporate projects and services in sectors such as retail, telecommunications, mining, banking and finance, among others.
I have been a Cloud Evangelist for Telefónica Spain and Peru. My main mission is to promote the secure adoption of Cloud by applying best practices in Cloud Computing.
I hold a Master's degree in Computer Security Engineering, as well as a Master's in Advanced Research from the Universidad Politécnica de Cataluña (UPC), Barcelona.
Project Management PMP, DevSecOps Trainer at DevOps Institute, Certificate of Cloud Security Knowledge (CCSK), Senior Lead Implementer ISO 27001, AWS Certified Solutions Architect, Senior Cybersecurity Manager ISO 27032, Senior IT Governance ISO 38500, ITIL Expert, ITIL Manager, COBIT 5 Foundations & Implementing, other certifications in progress.
Introduction of the Cybersecurity Program group

1. Full name
2. Academic degree
3. Work experience
4. International certifications: Security, Cloud computing, ITIL, COBIT, PMP, others.
5. Expectations for the program / course
Topic 1: A Holistic View of Information Security and Cybersecurity
Cybersecurity in the Cloud

Source: https://gestion.pe/tecnologia/cineplanet-datos-de-miles-de-cinefilos-peruanos-quedan-expuestos-tras-filtracion-por-cadena-cineplanet-noticia/

Source: https://elcomercio.pe/lima/sucesos/cineplanet-base-de-datos-no-segura-expuso-en-internet-informacion-privada-de-miles-de-usuarios-nndc-noticia/
Cybersecurity in the Cloud

Source: https://rpp.pe/economia/economia/banca-peruana-privada-repele-ciberataque-mundial-noticia-1144143?ref=rpp

Source: https://rpp.pe/economia/economia/bcp-revela-que-en-ataque-cibernetico-del-2018-hackers-accedieron-a-datos-de-clientes-noticia-1232964?ref=rpp

Cybersecurity in the Cloud

Source: https://www.theregister.co.uk/2019/03/20/steffan_needham_aws_rampage_prison_sentence_voova/

Source: https://corpgov.law.harvard.edu/2017/01/12/a-strategic-cyber-roadmap-for-the-board/


Case: Harvard - Avoiding the Alignment Trap in Information Technology

What is the relationship between IT alignment and the Business?

Does aligning Security with the Business have an impact?

Is the business really aware of the importance of Security?

Source: Harvard - Avoiding the Alignment Trap in Information Technology


Case: ISACA - Information Security Management - Evolution and Emerging Challenges

How are Information Security and IT Security related?

And Cybersecurity?

What is it, then?

Source: ISACA - Information Security Management - Evolution and Emerging Challenges


Cloud Security Alliance (CSA) Guidance

Cloud Security Alliance (CSA) uses the NIST model for the definition of Cloud Computing.

CSA also relies on the model proposed by ISO/IEC. The Security Guidance v4.0 references both.

Cloud Security Alliance, C. (2017). Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing. 1-152.

“Cloud providers and customers must share the responsibility for security
and privacy in cloud computing environments, but sharing levels will differ
for different delivery model”.

Takabi, H., Joshi, J. B. D., & Ahn, G.-J. (2010). Security and Privacy Challenges in Cloud Computing Environments. IEEE Security & Privacy, 24-31.
Fundamentals of Cloud Computing
"NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models."

"These are the characteristics that make a cloud a cloud. If something has these characteristics, we consider it cloud computing. If it lacks any of them, it is likely not a cloud"

Cloud Security Alliance, C. (2017). Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing. 1 -152.
Shared Responsibility Model

By Dr. Kai Chen, Director of Cybersecurity Technology, Huawei Technologies Co. Ltd

"Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning"

"In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements"

"The Guideline provides an easy-to-understand guidance to cloud customers on how to design, deploy, and operate a secure cloud service with respect to different cloud service models, namely IaaS, PaaS, and SaaS, helping them ensure the secure running of service systems"

Cloud Security Alliance, C. (2018). Guideline on Effectively Managing Security Service in the Cloud. 1-53.
Shared Security Responsibility Model

"Here, we refer to Gartner's shared security responsibility model to develop the below shared security responsibility figure. It illustrates the security handoff points for IaaS, PaaS, and SaaS cloud models. The handoff point moves up the stack across the models. The IaaS CSP offers the most control, with the commensurate security responsibility left to customers. The SaaS customer offers the least control, with the CSP taking on most of the security responsibility"

Cloud Security Alliance, C. (2018). Guideline on Effectively Managing Security Service in the Cloud. 1-53.
Case: ISACA - IT Security Responsibilities Change When Moving to the Cloud
What do I have to do now? How are the new roles defined?

Source: ISACA - IT Security Responsibilities Change When Moving to the Cloud
Do responsibilities in IT also change?

"How will an organization's information security staff be affected if the organization's computer systems are moved to a cloud environment?"

"What about the change in responsibilities within the organization and the expectations of the cloud service provider (CSP)?"

Source: Salesforce. (16 July 2018). What is cloud computing? Retrieved from https://www.salesforce.com/what-is-cloud-computing/

"Enterprises working in or planning a transition to computer systems working in the cloud should consider the job function responsibilities of their technical staff and evaluate their skills and weaknesses"

Wlosinski, L. (2013). IT Security Responsibilities Change When Moving to the Cloud. ISACA Journal, 1-4.
Defense in Depth for Cybersecurity in the Cloud

Source: TATA. (2018). Defense-In-Depth – What Strategy To Follow?

A New Security Paradigm: The traditional layers of security have fundamentally changed, where the Application Layer is now outside the Perimeter and therefore existing tools provide no protection to sensitive data. IT departments traditionally make assumptions that the data is secured based on the outside layers but often this no longer applies. It is increasingly important to tackle Data Security head-on.
Source: SHALE Magazine. (2018). 5 Ways to Improve Cybersecurity in the Cloud
Cloud Governance Model

Governance is the responsibility of the executives (or the executive board), and Management is the responsibility of the managers.

Shadow IT: employees purchasing or using technology for the workplace without the approval or knowledge of the IT department.

Source: ISACA. (2015). Shadow IT: What Is It and Is It Really Risky?
Source: Sachahuamán, N. (20 February 2019). Gobierno en Cloud Computing, CSA Perú.
Cloud Governance Model
"It is part of IT Governance and consists of the processes, policies, organizational structures and tools that ensure the organization has the capability needed to sustain and facilitate the achievement of its objectives and strategies, relying on Cloud Computing-based solutions"

Source: Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update. Published 2013.
Source: Sachahuamán, N. (20 February 2019). Gobierno en Cloud Computing, CSA Perú.
The lack of Governance practices in Cloud and Cybersecurity???

Governance is the key discipline for facing all these challenges and maximizing the return on organizations' investment in Cloud Computing (CC).

Bounagui, Y., Mezrioui, A., & Hafiddi, H. (2018). Toward a unified framework for cloud computing governance: an approach for evaluating and integrating IT management and governance models. Computer Standards & Interfaces, 98-118.
Governance practices in Cloud Computing

Cloud Computing governance is defined as a set of policies, processes, roles, responsibilities and practices used to manage and control the adoption and implementation of Cloud Computing in accordance with business objectives.

Bounagui, Y., Mezrioui, A., & Hafiddi, H. (2018). Toward a unified framework for cloud computing governance: an approach for evaluating and integrating IT management and governance models. Computer Standards & Interfaces, 98-118.
How could it have been prevented?

Source: https://gestion.pe/tecnologia/cineplanet-datos-de-miles-de-cinefilos-peruanos-quedan-expuestos-tras-filtracion-por-cadena-cineplanet-noticia/

Source: https://elcomercio.pe/lima/sucesos/cineplanet-base-de-datos-no-segura-expuso-en-internet-informacion-privada-de-miles-de-usuarios-nndc-noticia/
Shared Responsibility Model

Cloud computing is a shared technology model where different organizations are frequently responsible for implementing and managing different parts of the stack.

As a result, security responsibilities are also distributed across the stack, and thus across the organizations involved.

This is commonly referred to as the shared responsibility model.

Source: Cloud Security Alliance Global: Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
Source: ISC2 CCSP Certified Cloud Security Professional
Shared Responsibility Model

The most important security consideration is knowing exactly who is responsible for what in any given cloud project. It's less important if any particular cloud provider offers a specific security control, as long as you know precisely what they do offer and how it works. You can fill the gaps with your own controls, or choose a different provider if you can't close the controls gap. Your ability to do this is very high for IaaS, and less so for SaaS.

Source: Cloud Security Alliance Global: Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
Architecture example of IaaS
These resources are pooled using abstraction and orchestration. Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling.

Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers.

Source: Cloud Security Alliance Global: Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
Source: ISC2 CCSP Certified Cloud Security Professional

Architecture example of IaaS

Volume storage: A virtual hard drive that can be attached to a virtual machine instance and be used to host data within a file system. E.g.: Amazon EBS.

Object storage: Object storage is like a file share accessed via APIs or a web interface. E.g.: Amazon S3.

Source: Cloud Security Alliance Global: Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
Source: ISC2 CCSP Certified Cloud Security Professional


Breach example of IaaS
Let's begin by exploring the nature of a Cloud-Native Breach (CNB), which does not follow the traditional malware-infiltration and defense strategy we're accustomed to within network borders and on managed devices.

Source: https://www.mcafee.com/enterprise/en-us/assets/skyhigh/white-papers/rp-cloud-adoption-risk-report-iaas.pdf
Source: ISC2 CCSP Certified Cloud Security Professional
Breach example of IaaS
The most common point of leverage for a "Land" action is a misconfiguration in an IaaS resource, which is wholly the responsibility of the cloud customer but often overlooked.

The velocity of cloud deployments means that misconfigurations are introduced, removed, or resolved on a constant basis as new infrastructure is rolled out. Much of this is automated by DevOps teams in the practice of CI/CD, which unfortunately automates misconfigurations along with all the rest.

Source: https://www.mcafee.com/enterprise/en-us/assets/skyhigh/white-papers/rp-cloud-adoption-risk-report-iaas.pdf
Source: ISC2 CCSP Certified Cloud Security Professional
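As an added example (not from the slides or the McAfee report), a minimal CI/CD gate in Python that rejects a deployment template carrying the kind of customer-side IaaS misconfigurations described above: an object-storage policy open to any principal, a security-group rule open to the whole internet, and an unencrypted volume. The template format, resource names and sample values are constructed for this example, not a real provider schema.

```python
import json

# Constructed sample template (not a vendor schema): three IaaS resources, all but the
# 443/10.0.0.0/8 rule carrying a misconfiguration the pipeline should stop.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "object_storage", "name": "customer-data",
         "policy": {"Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"]}]}},
        {"type": "security_group", "name": "db-sg",
         "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"},
                     {"port": 443, "cidr": "10.0.0.0/8"}]},
        {"type": "volume", "name": "db-disk", "encrypted": False},
    ]
}
SAMPLE_TEMPLATE_JSON = json.dumps(SAMPLE_TEMPLATE)

def _principal_is_anyone(stmt):
    """True when a policy statement applies to every principal (anonymous access)."""
    principal = stmt.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def check_template(template):
    """Return (resource_name, finding) pairs; an empty list means the gate passes."""
    findings = []
    for res in template.get("resources", []):
        name = res.get("name", "<unnamed>")
        if res["type"] == "object_storage":
            for stmt in res.get("policy", {}).get("Statement", []):
                if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt):
                    findings.append((name, "policy allows access from any principal"))
        elif res["type"] == "security_group":
            for rule in res.get("ingress", []):
                if rule.get("cidr") in ("0.0.0.0/0", "::/0"):
                    findings.append((name, f"port {rule['port']} open to the whole internet"))
        elif res["type"] == "volume" and not res.get("encrypted", False):
            findings.append((name, "volume is not encrypted at rest"))
    return findings

def gate(template_json):
    """Pipeline entry point: parse the template text, report, and return pass/fail."""
    findings = check_template(json.loads(template_json))
    for name, message in findings:
        print(f"FAIL {name}: {message}")
    return not findings

if __name__ == "__main__":
    # Exit non-zero so the CI job stops the rollout when any finding exists.
    raise SystemExit(0 if gate(SAMPLE_TEMPLATE_JSON) else 1)
```

Running the gate on the constructed template reports three findings and exits with status 1; a template with only the internal 443 rule and an encrypted volume passes.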