
Security in the Skies


DESCRIPTION

Security in the Skies, a presentation given at the Cloud Security Alliance, Austin Chapter meeting held on March 1, 2012.


Page 1: Security in the Skies

SECURITY IN THE SKIES

Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

SecuRisk Solutions / Express Certifications

mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul@expresscertifications(dot)com

© 2007-2012 - SecuRisk Solutions

Page 2: Security in the Skies

Who am I? – The ABC’s

• Author
  • The 7 Qualities of Highly Secure Software (May 2012)
  • Official (ISC)2 Guide to the CSSLP
  • Information Security Management Handbook
• Advisor – Software Assurance, (ISC)2
• Biologist – Shark Researcher
• Christian – HackFormers
• CEO – SecuRisk Solutions & Express Certifications …
• VP – Education, Austin CSA


Page 3: Security in the Skies

Awards and Recognition

• 2010 President’s Award
• 2011 Americas Information Security Leadership Award (Practitioner)


Page 4: Security in the Skies

In the News – Feb 27, 2012


Source: StratFor Emails Leaked by Wikileaks http://www.myfoxaustin.com

Page 5: Security in the Skies

What are we here to learn about?

• Topic: Security in the Skies
  • Concerns, Threats and Controls in Cloud Computing
  • Dark Clouds (Concerns, Threats) and Silver Lining (Controls)
• Agnostic
  • Technology
  • Vendor
• Level:
  • Snorkel / Mid-range / Deep sea
• Tweet (@manopaul) / Blog


Page 6: Security in the Skies

What is the Cloud?


Page 7: Security in the Skies

CLOUD 3-4-5

• 3 – Service Models
• 4 – Deployment Models / Types
• 5 – Characteristics

IT delivered as a Standardized Service


Page 8: Security in the Skies

3 – Cloud Service Models

Software as a Service (SaaS) – Virtual desktops, Data, Apps …
  • Use the provider’s applications
  • Running on a cloud infrastructure
  • No management or control

Platform as a Service (PaaS) – OS, Middleware, Execution Runtime, …
  • Consumer deploys consumer-created or acquired applications to cloud infrastructure
  • Consumer does not manage or control infrastructure
  • Some control over deployed apps and app. hosting environment

Infrastructure as a Service (IaaS) – Networking, Storage, Servers, Virtual machines …
  • Capability for consumer provisioning of Processing / Storage / Networks / Other resources
  • Consumer does not control underlying cloud infrastructure

Page 9: Security in the Skies

4 – Cloud Deployment Models / Types

Hybrid
  • A composition of two or more cloud types
  • Bound together by technology to enable data and application portability

Private
  • Organization specific
  • Managed by organization or 3rd party
  • On/Off premise; Mostly On

Community
  • Shared Infrastructure – Related parties
  • Managed by organization or 3rd party
  • On/Off premise

Public
  • Shared Infrastructure – Unrelated parties
  • Owned/Managed by service provider
  • Off premise

Page 10: Security in the Skies

5 – Characteristics

• On-Demand Self Service – Consumer-direct, automated provisioning with no human interaction at the provider
• Broad Network Access – Capabilities delivered over the network, accessed through standard mechanisms
• Measured Service – Cloud system automatically monitors, optimizes, controls and reports resource use transparently
• Resource Pooling – Provider’s computing resources are pooled and dynamically assigned to serve multiple consumers
• Rapid Elasticity – Capabilities are rapidly and elastically provisioned, some automated, depending on requirements

WHO-ever / WHAT-ever / WHEN-ever / WHERE-ever

Page 11: Security in the Skies

Wherein LIES the Control?

On-Premises
  You manage: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking

Infrastructure as a Service
  You manage: Applications, Data, Runtime, Middleware, OS
  Other manages: Virtualization, Servers, Storage, Networking

Platform as a Service
  You manage: Applications, Data
  Other manages: Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking

Software as a Service
  Other manages: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking

Page 12: Security in the Skies

Opportunity or Crisis?


Page 13: Security in the Skies

DARK CLOUDS Security Threats to Cloud Computing


Page 14: Security in the Skies

Top Threats – Lists/Publications

• (ISC)2 (GISWS 2011) – Top 7
  • Unauthorized Disclosure
  • Data Loss/Leakage
  • Weak Access Controls
  • Susceptibility to Cyber Attacks
  • Disruptions
  • Inability to support compliance audit
  • Inability to support forensic investigations
• CSA v1.0 (2010) – 7 deadly sins
  • Abuse and nefarious use of cloud computing
  • Insecure APIs
  • Malicious Insider
  • Shared Technology Vulnerabilities
  • Data Loss/Leakage
  • Account/Service & Traffic Hijacking
  • Unknown Risk Profile
• OWASP (pre-alpha 2011) – Top 10
  • Accountability and Data Ownership
  • User Identity Federation
  • Regulatory Compliance
  • Business Continuity and Resiliency
  • User Privacy and Secondary use of Data
  • Service and Data Integration
  • Multi-tenancy and Physical security
  • Incidence analysis and Forensic Support
  • Infrastructure Security
  • Non-production Environment Exposure

Page 15: Security in the Skies

Top Threats to Cloud Computing

Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0

• Data Security / Loss / Leakage / Remanence
• Access Controls / Account, Service & Traffic Hijacking
• Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
• Cyber Forensics / Unknown Risk Profile / Malicious Insiders
• Abuse or Nefarious Use / Shared Technology Issues


Page 16: Security in the Skies

SILVER LINING

“there’s a silver lining to every cloud that sails about the heavens if we could only see it”
– Marian or Young Maid’s Fortune, Dublin Magazine, 1840

“Hope is a good thing, maybe the best of things, and no good thing ever dies.”
– The Shawshank Redemption


Page 17: Security in the Skies

Dark Clouds / Silver Lining
Data Security / Loss / Leakage / Remanence

• Controls
  • Cryptography Protection (Encryption/Hashing)
  • Cryptographic Agility
  • Secure Data Disposal (Overwriting*)
  • DLP technologies
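Cryptographic agility, one of the controls listed above, means the algorithm identifier travels with the protected data so an algorithm can be retired or rotated without redesigning the stored format. The following added example (not from the presentation) shows that for HMAC integrity tags over stored records; the tag layout, the algorithm registry and its current/legacy/retired policy are assumptions.

```python
"""Cryptographic agility for HMAC integrity tags: the algorithm id travels with the tag."""
import hmac

# Assumed policy registry (not from the presentation): "current" is used for new
# tags, "legacy" still verifies so stored tags can be migrated, "retired" is
# rejected even if the MAC would match, which blocks downgrade to weak hashes.
ALGORITHMS = {
    "hs512": ("sha512", "current"),
    "hs256": ("sha256", "legacy"),
    "hs1": ("sha1", "retired"),
}
CURRENT_ALG = "hs512"
TAG_VERSION = "v1"


def make_tag(key: bytes, data: bytes, alg: str = CURRENT_ALG) -> str:
    """Return 'v1$<alg>$<hex mac>' so a verifier knows which algorithm to use."""
    digest, _status = ALGORITHMS[alg]
    mac = hmac.new(key, data, digest).hexdigest()
    return f"{TAG_VERSION}${alg}${mac}"


def verify_tag(key: bytes, data: bytes, tag: str) -> tuple:
    """Return (valid, needs_rotation); fail closed on anything unexpected."""
    try:
        version, alg, mac = tag.split("$", 2)
    except ValueError:  # malformed tag layout
        return False, False
    if version != TAG_VERSION or alg not in ALGORITHMS:
        return False, False
    digest, status = ALGORITHMS[alg]
    if status == "retired":
        return False, False
    expected = hmac.new(key, data, digest).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, False
    # Valid, but a legacy algorithm means the stored tag should be re-issued.
    return True, status != "current"


def rotate_if_needed(key: bytes, data: bytes, tag: str) -> str:
    """Return the tag to keep in storage: unchanged if current, re-issued if legacy."""
    valid, needs_rotation = verify_tag(key, data, tag)
    if not valid:
        raise ValueError("integrity check failed")
    return make_tag(key, data) if needs_rotation else tag


if __name__ == "__main__":
    key, record = b"constructed-demo-key", b"customer-record-42"  # constructed sample
    old_tag = make_tag(key, record, "hs256")
    print(old_tag, "->", rotate_if_needed(key, record, old_tag))
```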


Page 18: Security in the Skies

Dark Clouds / Silver Lining
Access Controls / Account, Service & Traffic Hijacking

• Access Control Lists (ACLs) / RBACs
• Chinese Wall
• Session Management
  • Eavesdropping
  • Redirection


Image Source: (ISC)2 Whitepaper

Page 19: Security in the Skies

Dark Clouds / Silver Lining
Susceptibility to Cyber Attacks / Insecure Interfaces or APIs

• Vendor lock-in
  • Understand dependency chain of APIs (Vendor lock-in)
  • Perform ROI exercise for proprietary APIs
• Don’t use deprecated/insecure APIs
• Secure Authentication
  • SSO (Weakest Link)

Image Source: CloudAve


Page 20: Security in the Skies

Dark Clouds / Silver Lining
Abuse or Nefarious Use / Shared Technology Issues

• Hardening & Sandboxing
  • Platform/Hypervisor Exploits
• Cloud Isolation Technologies
• Secure Communications

Image Source: apigee.com


Page 21: Security in the Skies

Dark Clouds / Silver Lining
Cyber Forensics / Malicious Insiders / Unknown Risk Profile

• Identity Management
  • Provisioning/De-provisioning
• Logging and Auditing
  • Detective and Deterrent
• Trust but verify
  • Don’t Trust AND Verify


Page 22: Security in the Skies

Some closing thoughts


Page 23: Security in the Skies

References

• Security in the Skies – (ISC)2 Whitepaper
• (ISC)2 Global Information Security Workforce Study (2011)
• CSA Top Threats to Cloud Computing v1.0 (2010)
• 7 Deadly Sins of Cloud Security (2010)
• OWASP Cloud 10 project (pre-alpha)
• ASIS/(ISC)2 Security Congress Cloud Security Panel (2011)
• Gartner/IEEE Publications


Page 24: Security in the Skies

THANK YOU

Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

SecuRisk Solutions / Express Certifications

mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul(at)expresscertifications(dot)com
