What is cloud?
Cloud computing involves computing over a network, where a program or application may run on many connected computers at the same time. It specifically refers to a computing hardware machine or group of computing hardware machines, commonly referred to as a server, connected through a communication network such as the Internet, an intranet, a local area network (LAN) or a wide area network (WAN).
- Wikipedia
The Cloud Pyramid
• Infrastructure as a Service
• Platform as a Service
• Software as a Service
• Business Process as a Service
IBM X-Force Report 2012: Sampling of Security Incidents by Attack Type, Time and Impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
Coverage
• 20,000+ devices under contract
• 3,700+ managed clients worldwide
• 13B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents
Depth
• 14B analyzed web pages & images
• 40M spam & phishing attacks
• 64K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples
Security Challenges
• Virtual and Infrastructure
  o Cloud Mapping
  o Co-residence
  o Side Channeling
• Data Management Issues
  o Data Integrity
  o Data Provenance
  o Data Remanence
  o Data Availability
• Users / People-ware
  o Identity
  o Policy Development
4 Dimensions of Security Challenge (diagram)
• Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications
• Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
• Data: At rest, In motion, Unstructured, Structured
• People: Hackers, Suppliers, Consultants, Terrorists, Employees, Outsourcers, Customers
Virtual Machine Security Challenge
• Cloud Mapping
Figure: a plot of the internal IP addresses assigned to instances launched during the initial mapping experiment using Account A, and a plot of the internal IP addresses of instances launched in Zone 3 by Account A and, 39 hours later, by Account B. 55 of the Account B IPs were repeats of those assigned to instances for Account A.
Cloud Mapping Mitigation
• Mapping:
  o Use a randomized scheme to allocate IP addresses
  o Block some scanning tools/activities (nmap, traceroute)
• Co-residence checks:
  o Prevent identification of dom0/hypervisor
Virtual Machine Security Challenge
• Co-residence

Zone      # of victims v   # of probes p   coverage
Zone 1     1               20              1/1
          10               20              5/10
          20               20              7/20
Zone 2     1               20              0/1
          10               18              3/10
          20               19              8/20
Zone 3     1               20              1/1
          10               20              2/10
          20               20              8/20
Results of launching p probes 5 minutes after the launch of v victims. The rightmost column specifies success coverage: the number of victims for which a probe instance was co-resident over the total number of victims.

Trial       Account A   Account B   Total
Midday      2/5         2/5         4/10
Afternoon   1/5         3/5         4/10
Night       2/5         2/5         4/10
The number of victims for which a probe achieved co-residence for three separate runs of 10 repetitions of launching 1 victim instance and, 5 minutes later, 20 probe instances. Odd-numbered repetitions used Account A; even-numbered repetitions used Account B.
What can co-residence do?
• Co-residency affords the ability to:
  o Denial of Service
  o Estimate victim's work load
    • Cache
    • Network Traffic
• Extract cryptographic keys via cache-based side channels.
• Other cross-VM attacks
Co-residence Mitigation
• Not allow co-residence at all:
  o Beneficial for cloud users
  o Not efficient for cloud providers
  o N-tier trust model?
• Information leakage:
  o Prevent cache load attacks?
Virtual Machine Security Challenge
• Side Channeling
Figure: results of executing 100 Prime+Trigger+Probe cache timing measurements for three pairs of m1.small instances, both when concurrently making HTTP GET requests and when not. Instances in Trial 1 and Trial 2 were co-resident on distinct physical machines. Instances in Trial 3 were not co-resident.
Side Channel Attack Mitigation
• Create better Encryption Technology
  o Oblivious
  o Non-Colliding
• Work on large chunks
• Partition the encryption process into:
  • A slow but short part: implemented securely
Data Concerns in the Cloud
• Data Integrity
  o Cloud Service Provider (CSP) Concerns
  o Third Party Auditing (TPA)
  o Encryption and Multitenancy
• Data Provenance
• Data Remanence
• Data Availability
  o Elasticity
  o CSP Related Downtime
  o Malicious Attacks
Data Integrity
• Cloud Service Provider (CSP) Concerns
  o CSP Security
    • Data Transfer
    • Data-at-Rest
  o CSP Data Loss
    • Unintentional
    • Intentional
  o Third Party Auditing
    • The Auditor
    • Support for Dynamic Data
Data Integrity
• Encryption & Multitenancy
  o Multitenancy – storage of data from multiple clients in a single repository
  o Inability to use encryption in order to support indexing
  o Encryption largely irrelevant if data is analyzed on the cloud, as analysis requires decryption.
Data Provenance & Remanence
• Data Provenance – Calculation Accuracy
  o Shared resources mean shared responsibility
  o Difficulty / impossibility in tracking involved machines
• Data Remanence – Data Cleansing
  o “Ghost Data” – left behind after deletion
  o No remanence security plan for any major CSP
Availability
• Cloud Service Provider Concern

Total Downtime (HH:MM:SS)
Availability   Per Day       Per Month   Per Year
99.999%        00:00:00.4    00:00:26    00:05:15
99.99%         00:00:08      00:04:22    00:52:35
99.9%          00:01:26      00:43:49    08:45:56
99%            00:14:23      07:18:17    87:39:29
Availability + Elasticity
• Distributed Denial of Service (DDoS) uses port flooding to slow systems or force server resets.
  o External Attack Models
    • Similar to Traditional Strikes
    • Cloud Usage as Attacker
  o Internal Attack Models
    • Protection Responsibility Lies on the User
    • CSP Would Need to Detect
An Example of DDoS Mitigation
• As used on the Smarter Philippines website (smarterph.com)
Flow (diagram):
1. Detect GET request
2. Detect packet activity as to size
3. Detect activity pattern
4. Flag activities:
   1. Abnormal packet size
   2. Abnormal login request (brute force)
   3. Abnormal GET request
5. Route request to 127.0.0.1
6. Reverse attacker’s IP
7. Track attacker’s IP routing scheme
8. Add attacker’s IP to deny host
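Detection logic for the flag-and-deny steps of this flow, as an added example that is not the smarterph.com code: it parses constructed access-log lines, applies the three flag rules with assumed thresholds, and emits hosts.deny-style entries for the final step (the 127.0.0.1 routing and IP tracking steps are not modelled).

```python
import re
from collections import defaultdict

# Apache-style access line: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3}) (\d+)$')
# Assumed thresholds: the slides give no numbers, tune them for the real site.
MAX_BYTES = 100_000      # rule 1: abnormal packet size (bytes in one request)
LOGIN_FAIL_LIMIT = 5     # rule 2: abnormal login requests (brute force)
GET_LIMIT = 20           # rule 3: abnormal GET request volume per source IP

def flag_activities(lines):
    """Return {ip: set(reasons)} for every source IP that trips a flag rule."""
    gets, login_fails, flags = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than crash the detector
        ip, method, path, status, size = m.groups()
        if int(size) > MAX_BYTES:
            flags[ip].add("abnormal packet size")
        if method == "POST" and path == "/login" and status == "401":
            login_fails[ip] += 1
        if method == "GET":
            gets[ip] += 1
    for ip, n in login_fails.items():
        if n >= LOGIN_FAIL_LIMIT:
            flags[ip].add("abnormal login request (brute force)")
    for ip, n in gets.items():
        if n >= GET_LIMIT:
            flags[ip].add("abnormal GET request")
    return dict(flags)

def hosts_deny_entries(flags):
    """Final step of the flow: one TCP-wrappers style 'ALL: ip' line per flagged IP."""
    return [f"ALL: {ip}" for ip in sorted(flags)]

def _line(ip, method, path, status, size, sec):
    return (f'{ip} - - [10/Oct/2012:13:55:{sec:02d} +0800] '
            f'"{method} {path} HTTP/1.1" {status} {size}')

# Constructed sample traffic: a normal visitor, a GET flooder and a brute-forcer
SAMPLE_LOG = [_line("203.0.113.5", "GET", "/index.html", 200, 2326, 1),
              _line("203.0.113.5", "POST", "/login", 200, 310, 2)]
SAMPLE_LOG += [_line("198.51.100.7", "GET", "/", 200, 512, i % 60) for i in range(25)]
SAMPLE_LOG += [_line("192.0.2.9", "POST", "/login", 401, 120, i) for i in range(6)]
SAMPLE_LOG.append(_line("192.0.2.9", "POST", "/upload", 200, 5_000_000, 7))

if __name__ == "__main__":
    for entry in hosts_deny_entries(flag_activities(SAMPLE_LOG)):
        print(entry)
```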
Solution
Infrastructure Protection – Endpoint Vision
Key Themes
• Security for Mobile Devices: provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone, using a single platform
• Expansion of Security Content: continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices
• Security Intelligence Integration: improved usage of analytics, providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform
Policy Development
• Challenges
  o Define security policies and standards
  o Measure actual security against policy
  o Report violations to policy
  o Correct violations to conform with policy
  o Summarize policy compliance for the organization
Definitions
• Policies
  o High level statements that provide guidance to workers who must make present and future decisions
• Standards
  o Requirement statements that provide specific technical specifications
• Guidelines
  o Optional but recommended specifications
Security Policy (example)
• Access to network resources will be granted through a unique user ID and password
• Passwords should include one non-alpha character and not be found in a dictionary
• Passwords will be 8 characters long
Elements of Policies
• Set the tone of management
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
Policies Should…
Clearly identify and define the information security goals and the goals of the group, company or the whole country.
Policy Lifecycle (diagram, labelled Info Security)
• Cabinet Goals
• IS Goals
• Policy
• Standards, Procedures, Guidelines
• Awareness
• Actions
Collect Background Information
• Obtain existing policies
  o Creighton's
  o Others
• Identify what levels of control are needed
• Identify who should write the policies
Perform Risk Assessment
• Justify the policies with risk assessment
  o Identify the critical functions
  o Identify the critical processes
  o Identify the critical data
  o Assess the vulnerabilities
Create a Policy Review Board
• The Policy Development Process
  o Write the initial “Draft”
  o Send to the Review Board for comments
  o Incorporate comments
  o Resolve issues face-to-face
  o Submit “Draft” policy to Cabinet for approval
Develop Information Security Plan
• Establish goals
• Define roles
• Define responsibilities
• Notify the user community as to the direction
• Establish a basis for compliance, risk assessment, and audit of information security
Develop Security Policies, Standards, and Guidelines
• Policies
  o High level statements that provide guidance to workers who must make present and future decisions
• Standards
  o Requirement statements that provide specific technical specifications
• Guidelines
  o Optional but recommended specifications
Implement Policies and Standards
• Distribute policies.
• Obtain agreement with policies before accessing Creighton systems.
• Implement controls to meet or enforce policies.
Awareness and Training
• Makes users aware of the expected behavior
• Teaches users how & when to secure information
• Reduces losses & theft
• Reduces the need for enforcement
• In government, policies are published in a leading newspaper
Monitor Compliance
• Management is responsible for establishing controls
• Management should REGULARLY review the status of controls
• Enforce “User Contracts” (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal audit reviews
Modify Policies
Policies must be modified due to:
  o New technology
  o New threats
  o New or changed goals
  o Organizational changes
  o Changes in the law
  o Ineffectiveness of the existing policy
Policy Hierarchy (diagram)
• Policies: Governance Policy; Access Control Policy; User ID Policy
• Standards: Access Control Authentication Standard; Password Construction Standard; User ID Naming Standard
• Guidelines: Strong Password Construction Guidelines
Solution
IBM Identity and Access Management Vision
Key Themes
• Standardized IAM and Compliance Management: expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, applications, and infrastructure
• Secure Cloud, Mobile, Social Interaction: enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
• Insider Threat and IAM Governance: continue to develop Privileged Identity Management (PIM) capabilities and enhanced identity and role management
Solution
Application Security Vision
Key Themes
• Coverage for Mobile Applications and New Threats: continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing
• Simplified Interface and Accelerated ROI: new capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
• Security Intelligence Integration: automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
Solution
QRadar integrations (diagram)
• Tivoli Endpoint Manager: endpoint management vulnerabilities enrich QRadar’s vulnerability database
• AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment
• Guardium: database assets, rule logic and database activity information
• Identity and Access Management: identity context for all security domains, with QRadar as the dashboard
• IBM Security Network Intrusion Prevention System: flow data into QRadar turns NIPS devices into activity sensors
• X-Force: correlate new threats based on X-Force IP reputation feeds
• Hundreds of 3rd party information sources
Thank you for listening
Tzar C. Umang, President
Tzar Enterprises
email: [email protected]/tzarumang
twitter.com/definitelytzar