Securing the cloud


This presentation is my keynote from the Business Meets IT cloud security seminar from 2 years ago, and it is still relevant! What is cloud security, and what is security in the cloud? I also included some best practices for European companies that are moving to the cloud.

Published in: Technology

  1. SECURING THE CLOUD
     ERWIN GEIRNAERT, CO-FOUNDER ZION SECURITY
  2. 693.000.000 SEARCH RESULTS
     And everybody has to say something about cloud security, including me!
  3. 25 YEARS OF CLOUD
     Domain Name System (DNS)
  4. SECURE CLOUD?
  5. SECURE CLOUD?
  6. WHAT’S IN A NAME
     SECURE CLOUD / CLOUD SECURITY
     • Secure environment
     • Security-as-a-service
     • In an (external) datacenter
     • Multi-tenant
     • SLA
     • Buy online
     • Mail security
     • Web security
     • Web application security
     • Vulnerability scanning
     • Anti-virus
     • Anti-malware
  7. WHAT IS NOT CLOUD
     • Virtual version of hardware appliance
     • Next Generation Hosting
  8. CLOUD SECURITY ALLIANCE
     Security Control & Compliance
  9. SECURE CLOUD REQUIREMENTS
     • Secure datacenter
     • Secure network
     • Secure infrastructure
     • Secure OS
     • Secure application
     • Secure Keep-it-running
     • Secure employees
     • Secure logging
  10. COMPARING CLOUDS
     Which one is the best?
  11. WHAT WE SEE
     • Traditional hosting providers still struggle to secure their classical hosting environment
       • Web site security offering = SSL certificates!
       • Shared hosting is bad for security, but they follow the same approach to set up cloud
     • Hosting providers use other cloud providers' services
       • Without the client's knowledge
       • Without any legally binding contract
       • Without any SLA
       • In a different country
     • Belgian Court has a lot of problems with non-Belgian hosting
       • Inadequate logging of the cloud provider
       • Takes a lot of time to get the information with a court order
       • Most providers don’t give information or too late
     • Insider threat: employees with a company credit card
       • We found a cheap cloud provider in Russia called SpamEngine
  12. WHAT IS NOT THE RIGHT WAY
     The DIY approach is not leveraging the power of a secure cloud:
     • Installing & configuring your virtual firewall
     • Installing & configuring your web application firewall
     • Install your Operating System
     • Patching yourself
     • Monitoring yourself
     • Do your own software installations & upgrades
  13. MALWARE ATTACKS
     • Most cloud-based applications and cloud administration require only username/password
     • Malware like ZeuS/SpyEye that attack homebanking also collect credentials
       • Twitter/Facebook/…
       • Salesforce.com?
       • Amazon AWS?
     • Credentials are sold on the Internet and automatically abused by malware running in the cloud
     • Require from your cloud provider:
       • Strong authentication
       • SSL VPN for remote management
       • IP blocking
       • Logging + logging + logging + logging
  14. SECURE CLOUD INNOVATIONS
  15. SOME THOUGHTS
     • FISA: Foreign Intelligence Surveillance Act
       • Data stored in the US can be inspected and copied
       • Without telling you….
     • Just think about data encryption
       • Where are the keys stored?
       • How are you sure it is really encrypted?
     • Same for China:
       • What is stored in China is copied!
       • A new U.S. intelligence report declares the most active and persistent perpetrator of economic espionage is China
       • http://www.defensenews.com/story.php?i=8160472&&s=TOP
  16. WHAT YOU NEED
     • Moving to the cloud can be a security catalyst for your existing infrastructure and applications!
     • Moving is not copying your virtual machines!!!!!!!!!!!!!!!
     • Stay in the European Union with all your data
     • Log everything to a different cloud provider or on-premise
     • Do not trust the logo on the flashy web site, review the audit reports
     • Monitor the SLA
     • Classify data and locations
  17. ADVANCED CLOUD HACKING
     CIA Drone landed in IRAN - GPS SPOOFING
  18. SECURITY FOR LIFE
     Music for Life 2011 – We do give a shit!
  19. QUESTIONS
     erwin.geirnaert@zionsecurity.com
     @ZIONSECURITY
     www.zionsecurity.com
     www.zionsecured.com
