Governance and Security in Cloud and Mobile Apps

Presented by Michael Scheidell, CISO Security Privateers at the PMI South Florida Day of Excellence.
Common Risks in Desktop, Server, Web, Cloud and Mobile.
Platform Specific Issues
Governance
Cloud Types: Shared, Private, Hybrid
Services to Protect: Authentication, Storage, Processing

Published in: Business, Technology
Transcript of "Governance and Security in Cloud and Mobile Apps"

  1. Governance and Security in Cloud and Mobile Apps
     http://privateers.in/9f
     Michael Scheidell, CISO, Security Privateers™
  2. Bring Your Own Policy
     Michael Scheidell, CISO, Security Privateers
     @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com
     • Corporate InfoSec Consultant
     • Certified CISO
     • Senior Member, IEEE
     • Founded Three South Florida Tech Companies
     • Privacy Expert
     • Member ISSA, IAPP, ISACA, IEEE, FBI InfraGard, PMI, SFTA, CSA
     • Patents in Network Security
     • Finalist, EE Times ACE Innovator of the Year
     © 2013 All Rights Reserved, Security Privateers
  3. Agenda
     • Common Risks: Desktop, Server, Cloud, Mobile
     • Platform Specific Issues: Android, iPhone
     • Governance: Privacy beyond regulations
     • Partly Cloudy with a chance of all hail: Any Device, Anywhere
     • Select Cloud Types: Shared, Private, Hybrid
     • Services to Protect: Authentication, Storage, Processing
  4. Spacely Sprockets: We make our Clients go NUTS(tm)
     (word cloud of business goals) Stocks allocated close to customer, short delivery time, on-line help, service consultants, call center, customer support, supply chain, free upgrade, new features, nice design, better products, viral marketing / users tip each other, sales & marketing, think green in the whole value chain, attract the best sales people, sustainable price, be CO2 neutral, cheap? luxury? average?, build relationships on line / on air / on TV / print
  5. We are NUTS(tm): Scrum process
     Preparation: • Business case & funding • Contractual agreement • Vision • Initial product backlog • Initial release plan • Stakeholder buy-in • Assemble team
     Sprint planning meeting; Daily cycle: • Daily Scrum • Daily Work; Update product backlog; Product increment; Sprint review; Sprint retrospective; Release
     Product Management: • Security / Privacy • Compliance • Legal
     QA -> Production: • Beta Test • Web App Test • Source Code Review
  6. OWASP Top 10 Vulnerabilities (Top 10 - 2013)
     Open Web Application Security Project (OWASP): common vulnerabilities in web, mobile and cloud
     1. SQL Injection
     2. Broken Authentication and Session Management
     3. Cross-Site Scripting (XSS)
     4. Insecure Direct Object References
     5. Security Misconfiguration
     6. Sensitive Data Exposure
     7. Missing Function Level Access Control
     8. Cross-Site Request Forgery (CSRF)
     9. Using Components with Known Vulnerabilities (dependencies?)
     10. Unvalidated Redirects and Forwards
     Portions © OWASP, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  7. New Platform, Old Mistakes: keep doing the same thing hoping for different results
     Found in web, cloud and mobile:
     • SQL Injection
     • Lack of Encryption – Data at Rest, Data in Motion
     • Least Access Privilege – Authentication – Permissions
  8. New Platform, Old Mistakes: Web, Cloud, Mobile Mistakes
     • Data Storage – DB (SQL[ite]) or flat files? – Encrypt or not? – Least Access Privilege
     • Source Files – Java – Configuration Files
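The SQL injection item on slides 7 and 8, as an added example that is not from the presentation: a SQLite-backed note store (the kind of local DB a mobile app keeps) queried the vulnerable way, with input pasted into the SQL text, and the parameterized way. The table, rows and the crafted input are constructed for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory SQLite store standing in for an app's local DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's grocery list"), ("bob", "bob's private note")],
    )
    return conn


def notes_for_user_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The old mistake: untrusted input becomes part of the SQL text, so a
    # quote in the input changes the query instead of being compared as data.
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_user_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Parameter binding: the driver passes the value separately from the
    # statement, so the input can only ever be matched as a string.
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = build_db()
    tricky = "x' OR '1'='1"  # constructed input: looks like a name, acts as SQL
    print(notes_for_user_vulnerable(db, tricky))  # every user's notes come back
    print(notes_for_user_safe(db, tricky))        # [] : no owner by that name
    print(notes_for_user_safe(db, "O'Brien"))     # a legitimate quote is fine
```

A name such as O'Brien breaks the vulnerable query outright, which is usually how the bug is first noticed in testing.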
  9. New Problems: You didn't learn this at FIU or Nova
     1. Android Application Permissions: each application lists the APIs it wants to use, e.g. "camera" (scan, flashlight), Fine Location (GPS) for a flashlight! Use an Android 'Intent' instead (if you want to take a picture).
     2. Rooted / Jailbroken Phones: application permissions mean nothing; full read/write permissions, read passwords.
     3. Platform or User Backups: Google backup uses reversible encryption and backs up your Wifi and application data. Dropbox uses reversible encryption.
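For the Android permissions and backup points above, an added example that is not from the presentation: a small manifest audit in Python that lists what an app requests, flags anything beyond what its stated purpose needs, suggests the Intent alternative for the camera, and notes android:allowBackup, which is what puts app data into the platform backups described in point 3. The manifest and the "needed" set are constructed; the Intent suggestion table is this example's own, not an Android API.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# This example's own suggestion list: a permission and the Intent action that
# lets a system app do the job so the app never needs the grant itself.
INTENT_ALTERNATIVES = {
    "android.permission.CAMERA":
        "android.media.action.IMAGE_CAPTURE (let the camera app take the photo)",
}

# Constructed manifest for a hypothetical flashlight app that asks for far
# more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Every android:name declared in a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml: str, needed: set) -> list:
    """Findings: permissions beyond the app's purpose, plus backup exposure."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in needed:
            continue
        hint = INTENT_ALTERNATIVES.get(perm)
        findings.append(perm + (f" -> prefer Intent {hint}" if hint else " -> not needed"))
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None and app.get(ANDROID_NS + "allowBackup") == "true":
        findings.append("android:allowBackup=true -> app data goes into platform backups")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST, {"android.permission.INTERNET"}):
        print(line)
```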
  10. New Problems: You didn't learn this at FIU or Nova
     4. Encrypt Data in Motion: 17% of applications that use SSL are flawed and susceptible to man-in-the-middle (MITM) attacks (AMX, Diners Club, Paypal, Twitter, Google, Yahoo, Microsoft Live ID). • Use MalloDroid to check implementations.
     5. Source Code Review: • Design in security • Whitelisting vs blacklisting • Automated code review (CheckMarx.com)
     6. Privacy Statements: write a privacy statement, approved by Legal, endorsed by Management. Follow it!
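For the data-in-motion point above, an added example that is neither from the presentation nor MalloDroid itself: a Python check of a TLS client context for the two flaws that make an SSL-using app open to MITM, skipped certificate validation and skipped hostname verification, with a trust-all context built beside a hardened one so the check has something to flag. The finding codes are this example's own.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    # The pattern behind the flawed apps: accept any certificate for any
    # host. Built here only so the audit below has something to flag.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # trust-all: an interposed cert passes
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    # Chain validation against the platform trust store, hostname match,
    # and nothing older than TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Short codes for the misconfigurations a MalloDroid-style review looks for."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-cert-verify")      # trust-all TrustManager equivalent
    if not ctx.check_hostname:
        findings.append("no-hostname-check")   # allow-all hostname verifier equivalent
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same three questions apply to any client stack: is the chain checked, is the name checked, and which protocol versions are still accepted.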
  11. Compliance / Regulations: HIPAA/HITECH/GLBA/SOX/FISMA/FFIEC/FERPA/NIST/ABC/123
     Build in Compliance, Written Policies:
     1. Information Sensitivity Policy
     2. Password Policy
     3. Remote Access Policy
     4. Software Development Policy
     5. Licensing: GPL, aGPL, LGPL
  12. It's getting Cloudy now
     What is the Cloud? Where is the Cloud? The cloud is many things to many people. There is no cloud: someone else's mainframe and NAS. Where is your Data Stored? Where is your Processing Done? Where is the Data Flow? Private, Public, Hybrid.
     • SaaS (Applications): Office365, Salesforce, Google, Microsoft Azure instances
     • PaaS (Windows/LAMP): Amazon EC2, Azure Platforms
     • IaaS (Firewalls, Networks, Storage): Amazon, Azure
  13. It's getting Cloudy now
     • Public Cloud: SaaS – Non regulated Data – Standardized application – Lots of users – Incremental capacity – PaaS: Software development
     • Private Cloud: PaaS – Regulated Data – Strict Security and Control – Large Company – Non Standard/Custom Applications
     • Hybrid Clouds: SaaS+PaaS – PaaS for storage – VPN to SaaS
  14. It's getting Cloudy now: Why is the Cloud? What will you use the Cloud for?
     • Any Device, Anywhere
     • Storage
     • Authentication Services
     • Platform rollout
     • Geographic Redundancy
     • Development and Test
     • Disaster Recovery
     • Web and Mobile Apps
  15. Security: Cloud Security Alliance, Guidance for Critical Areas of Focus in Cloud Computing V3.0
     Risk Analysis:
     • Identify the Asset: • Data • Applications • Functions • Processes
     • Evaluate the Asset Liability: • Asset became widely public • Cloud Provider accessed Asset • Process manipulated by outsider • Function provided wrong results • Data changed • Denial of Service
  16. Compliance and Governance: We can keep you out of jail cheaper than break you out of jail
     Governing in the Cloud:
     1. Enterprise Risk Management
     2. Legal Issues: Contracts and E-Discovery
     3. Compliance and Audit Management
     4. Information Management and Data Security
     5. Interoperability and Portability
  17. Compliance and Governance: Operating in the Cloud
     1. Traditional IS, BCP, DR
     2. Application Security
     3. Encryption and Key Management
     4. Identity and Access Management
     5. Security as a Service
  18. New Platform, Old Mistakes: keep doing the same thing hoping for different results
     • Join ISSA http://www.sfissa.org/
     • Join CSA https://cloudsecurityalliance.org/
     • Join InfraGard https://www.infragard.org/
     • Join OWASP https://www.owasp.org
     • Code Review http://checkmarx.com
     • Training / Conferences / Presentations
  19. Governance and Security in Cloud and Mobile Applications: Where to get Help
     Security Privateers, @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com
     Call to set up an appointment for initial review.
     Policy Gap Analysis: review current policies, compare against best practices and current government regulations.
     • OWASP Training
     • Web App Assessment
     • SDLC Review
     • Cloud Security Consulting
     • Mobile Application testing
