Security in the Skies, a presentation given at the Cloud Security Alliance, Austin Chapter meeting held on March 1, 2012.
SECURITY IN THE SKIES
Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI
SecuRisk Solutions / Express Certifications
mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul@expresscertifications(dot)com
© 2007-2012 - SecuRisk Solutions
Who am I? – The ABC’s
• Author
  • The 7 Qualities of Highly Secure Software (May 2012)
  • Official (ISC)2 Guide to the CSSLP
  • Information Security Management Handbook
• Advisor – Software Assurance, (ISC)2
• Biologist – Shark Researcher
• Christian – HackFormers
• CEO – SecuRisk Solutions & Express Certifications …
• VP – Education, Austin CSA
Awards and Recognition
• 2010 President’s Award
• 2011 Americas Information Security Leadership Award (Practitioner)
In the News – Feb 27, 2012
Source: StratFor Emails Leaked by Wikileaks http://www.myfoxaustin.com
What are we here to learn about?
• Topic: Security in the Skies
  • Concerns, Threats and Controls in Cloud Computing
  • Dark Clouds (Concerns, Threats) and Silver Lining (Controls)
• Agnostic
  • Technology
  • Vendor
• Level: Snorkel / Mid-range / Deep sea
• Tweet (@manopaul) / Blog
What is the Cloud?
CLOUD 3-4-5
• 3 – Service Models
• 4 – Deployment Models / Types
• 5 – Characteristics
IT delivered as a Standardized Service
3 – Cloud Service Models
Software as a Service (SaaS) – Virtual desktops, Data, Apps …
• Use the provider’s applications
• Running on a cloud infrastructure
• No management or control
Platform as a Service (PaaS) – OS, Middleware, Execution Runtime, …
• Consumer deploys to cloud infrastructure
• Consumer created or acquired applications
• Consumer does not manage or control infrastructure
• Some control over deployed apps and app. hosting environment
Infrastructure as a Service (IaaS) – Networking, Storage, Servers, Virtual machines …
• Capability for consumer provisioning of Processing/Storage/Networks/Other resources
• Consumer does not control underlying cloud infrastructure
4 – Cloud Deployment Models / Types
Hybrid
• A composition of two or more cloud types
• Bound together by technology to enable data and application portability
Private
• Organization specific
• Managed by organization or 3rd party
• On/Off premise; Mostly On
Community
• Shared Infrastructure – Related parties
• Managed by organization or 3rd party
• On/Off premise
Public
• Shared Infrastructure – Unrelated parties
• Owned/Managed by service provider
• Off premise
5 – Characteristics
• On-Demand Self Service – Consumer direct, automated provisioning with no human interaction at provider
• Broad Network Access – Capabilities delivered over the network, accessed through standard mechanisms
• Measured Service – Cloud system automatically monitors, optimizes, controls and reports resource use transparently
• Resource Pooling – Provider’s computing resources are pooled and dynamically assigned to serve multiple consumers
• Rapid Elasticity – Capabilities are rapidly and elastically provisioned, some automated, depending on requirements
WHO-ever / WHAT-ever / WHEN-ever / WHERE-ever
Wherein LIES the Control?

Layer            On-Premises    IaaS            PaaS            SaaS
Applications     You manage     You manage      You manage      Other manages
Data             You manage     You manage      You manage      Other manages
Runtime          You manage     You manage      Other manages   Other manages
Middleware       You manage     You manage      Other manages   Other manages
OS               You manage     You manage      Other manages   Other manages
Virtualization   You manage     Other manages   Other manages   Other manages
Servers          You manage     Other manages   Other manages   Other manages
Storage          You manage     Other manages   Other manages   Other manages
Networking       You manage     Other manages   Other manages   Other manages
Opportunity or Crisis?
DARK CLOUDS
Security Threats to Cloud Computing
Top Threats – Lists/Publications
• (ISC)2 (GISWS 2011) – Top 7
  • Unauthorized Disclosure
  • Data Loss/Leakage
  • Weak Access Controls
  • Susceptibility to Cyber Attacks
  • Disruptions
  • Inability to support compliance audit
  • Inability to support forensic investigations
• CSA v1.0 (2010) – 7 deadly sins
  • Abuse and nefarious use of cloud computing
  • Insecure APIs
  • Malicious Insider
  • Shared Technology Vulnerabilities
  • Data Loss/Leakage
  • Account/Service & Traffic Hijacking
  • Unknown Risk Profile
• OWASP (pre-alpha 2011) – Top 10
  • Accountability and Data Ownership
  • User Identity Federation
  • Regulatory Compliance
  • Business Continuity and Resiliency
  • User Privacy and Secondary use of Data
  • Service and Data Integration
  • Multi-tenancy and Physical security
  • Incidence analysis and Forensic Support
  • Infrastructure Security
  • Non-production Environment Exposure
Top Threats to Cloud Computing
Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0
• Data Security / Loss / Leakage / Remanence
• Access Controls / Account, Service & Traffic Hijacking
• Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
• Cyber Forensics / Unknown Risk Profile / Malicious Insiders
• Abuse or Nefarious Use / Shared Technology Issues
SILVER LINING
“there’s a silver lining to every cloud that sails about the heavens if we could only see it”
– Marian or Young Maid’s Fortune, Dublin Magazine, 1840
“Hope is a good thing, maybe the best of things, and no good thing ever dies.”
– The Shawshank Redemption
Dark Clouds / Silver Lining
Data Security / Loss / Leakage / Remanence
• Controls
  • Cryptography Protection (Encryption/Hashing)
  • Cryptographic Agility
  • Secure Data Disposal (Overwriting*)
  • DLP technologies
Dark Clouds / Silver Lining
Access Controls / Account, Service & Traffic Hijacking
• Access Control Lists (ACLs) / RBACs
• Chinese Wall
• Session Management
  • Eavesdropping
  • Redirection
Image Source: (ISC)2 Whitepaper
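The Chinese Wall control named above, worked as an added example that is not from the presentation or the (ISC)2 whitepaper: a Brewer-Nash conflict-of-interest check that a multi-tenant cloud service could apply to its own operators or shared service accounts, with an audit trail of every decision. Tenant names and conflict classes are constructed sample data.

```python
from collections import defaultdict

# Brewer-Nash ("Chinese Wall") policy for a multi-tenant cloud service.
# Tenants that compete sit in the same conflict-of-interest (COI) class.
# Once a subject (operator, support engineer, shared service account) has
# read one tenant's data, it is walled off from every competing tenant in
# that class. Constructed sample data: tenant -> COI class.
CONFLICT_CLASSES = {
    "bank-a": "banking", "bank-b": "banking",
    "oil-x": "oil", "oil-y": "oil",
    "retail-z": "retail",
}


class ChineseWall:
    def __init__(self, coi_classes):
        self.coi = coi_classes
        self.history = defaultdict(set)  # subject -> tenants already read
        self.audit = []                  # (subject, action, tenant, allowed)

    def can_read(self, subject, tenant):
        """Simple security rule: allowed unless the subject has already read
        a different tenant that shares this tenant's COI class."""
        cls = self.coi[tenant]
        return all(seen == tenant or self.coi[seen] != cls
                   for seen in self.history[subject])

    def can_write(self, subject, tenant):
        """*-property: write only if the tenant is readable and the subject
        has read no other tenant, so nothing can cross the wall via the
        subject (e.g. copying bank-a data into oil-x's account)."""
        return self.can_read(subject, tenant) and \
            all(seen == tenant for seen in self.history[subject])

    def read(self, subject, tenant):
        ok = self.can_read(subject, tenant)
        if ok:
            self.history[subject].add(tenant)  # the wall is built on first read
        self.audit.append((subject, "read", tenant, ok))
        return ok

    def write(self, subject, tenant):
        ok = self.can_write(subject, tenant)
        self.audit.append((subject, "write", tenant, ok))
        return ok


if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    print(wall.read("alice", "bank-a"))   # True: no history yet
    print(wall.read("alice", "oil-x"))    # True: different COI class
    print(wall.read("alice", "bank-b"))   # False: competes with bank-a
    print(wall.write("alice", "bank-a"))  # False: alice has also read oil-x
```

Denied decisions land in the audit list alongside allowed ones, which is what the later "Logging and Auditing" slide asks for from a detective control.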
Dark Clouds / Silver Lining
Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
• Vendor lock-in
  • Understand dependency chain of APIs (Vendor lock-in)
  • Perform ROI exercise for proprietary APIs
• Don’t use deprecated/insecure APIs
• Secure Authentication
  • SSO (Weakest Link)
Image Source: CloudAve
Dark Clouds / Silver Lining
Abuse or Nefarious Use / Shared Technology Issues
• Hardening & Sandboxing
  • Platform/Hypervisor Exploits
• Cloud Isolation Technologies
  • Secure Communications
Image Source: apigee.com
Dark Clouds / Silver Lining
Cyber Forensics / Malicious Insiders / Unknown Risk Profile
• Identity Management
  • Provisioning/De-provisioning
• Logging and Auditing
  • Detective and Deterrent
• Trust but verify
  • Don’t Trust AND Verify
Some closing thoughts
References
• Security in the Skies – (ISC)2 Whitepaper
• (ISC)2 Global Information Security Workforce Study (2011)
• CSA Top Threats to Cloud Computing v1.0 (2010)
• 7 Deadly Sins of Cloud Security (2010)
• OWASP Cloud 10 project (pre-alpha)
• ASIS/(ISC)2 Security Congress Cloud Security Panel (2011)
• Gartner/IEEE Publications
THANK YOU
Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI
SecuRisk Solutions / Express Certifications
mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul(at)expresscertifications(dot)com