COMPLIANCE AND TRANSPARENCY OF CLOUD
FEATURES vs. SECURITY STANDARDS
YURY CHEMERKIN
DeepIntel 2013

Slide 2. [ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
yury.s@chemerkin.com

Experienced in:
• Reverse engineering & AV software
• Programming & documentation
• Mobile security and MDM
• Cyber security & cloud security
• Compliance & transparency
• Forensics and security writing: Hakin9 / PenTest / eForensics magazines, Groteck Business Media
• Participation at conferences: InfoSecurity Russia, Nullcon, AthCon, CONFidence, PHDays, DEFCON Moscow, Hacktivity, Hackfest, Cybercrime Forum, Cyber Intelligence Europe / Intelligence-Sec, ICITST, CTICon (CyberTimes), ITA, i-Society

Slide 3. I. Opinions & Facts

Slide 4. Cloud Issues

Known issue                   | Known solution / opinion
------------------------------|-----------------------------------------------------
Threats                       | Customization, security solutions
Privacy                       | Crypto anarchism
Compliance                    | CSA, ISO, PCI, SAS 70
Legal                         | Typically US location
Vendor lock-in                | Platform, data, tools lock-in
Open source / open standards  | Top clouds are not open-source
Security                      | Physical clouds more secure than public ones
Abuse                         | Botnets and malware infections / misuse
IT governance                 | Depends on organization needs
Ambiguity of terminology      | Reference to a wide range of services, solutions, etc.

Slide 5. What about Public Clouds? Some known facts about AWS & Azure
• Top clouds are not open source
    - OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort; Azure is not
• Platform lock-in
    - AWS has Import/Export tools to migrate VMs from/to VMware; Azure does not
• Data lock-in
    - Native AWS solutions linked with Cisco routers for upload, download and tunnelling, as well as 3rd-party storage such as SMEStorage (AWS, Azure, Dropbox, Google, etc.), address the issues mentioned above
• Tools lock-in
    - Still waiting for inter-cloud management tools that are industrial-grade and built with compliance in mind
• API lock-in
    - Still waiting for inter-cloud APIs, although inter-OS APIs for PCs, MDM, mobiles, etc. have long been known
• No transparency
    - Weak compliance and transparency due to SAS 70 and NDA relationships between the cloud vendor and third-party auditors and experts
• Abuse
    - Abuse is not a new issue and is everywhere
    - AWS Vulnerability Bulletins serve as a kind of quick response; stay tuned

Slide 6. Clouds: Public vs. Private. Known security issues of public clouds
• "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd CCSW, October 2011
    - A black-box analysis methodology: AWS control interfaces compromised via XSS techniques, HTML injection, MITM
    - [AWS] :: "Reported SOAP Request Parsing Vulnerabilities"
    - Use SSL/HTTPS only, with certificate validation, and API access mechanisms such as REST/Query instead of SOAP
    - Enable MFA access and create IAM accounts with limited access; rotate AWS credentials, enhanced with key pairs and X.509
    - Limit IP access, enhanced with API/SDK & IAM; significant research exists on this as a POC
• "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, October 2012
    - Incorrect behaviour in the SSL certificate validation mechanisms of the AWS SDKs for EC2, ELB and FPS
    - [AWS] :: "Reported SSL Certificate Validation Errors in API Tools and SDKs"
    - Despite that, AWS has updated all SDKs (for all services) to redress it

Slide 7. Clouds: Public vs. Private
• It is generally held that private clouds are the most secure; there is no POC to prove that statement for public clouds
    - [AWS] :: "Xen Security Advisories"
    - There are known Xen attacks (Blue Pill, etc.)
    - No Xen vulnerability has been applied to AWS, Azure or SaaS/PaaS services
    - Very customized clouds
• [CSA] :: "CSA The Notorious Nine: Cloud Computing Top Threats in 2013"
    - Replaced a document published in 2009
    - Such best practices provide only a minimum of security
    - No significant changes since 2009, not even in the examples
• Top Threats examples
    - "1.0. Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys"
    - "7.0. Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys"
    - "4.0. Threat: Insecure Interfaces and APIs"
• Beyond the CSA threats, in reality
    - Cases 1.0 & 7.0 highlight how public clouds, e.g. AWS EC2, are vulnerable
    - Cases 1.0 & 7.0 are totally focused on a private-cloud case (VMware and Xen), while there is no known way to adapt them to AWS
    - Case 4.0 presents issues raised by SSO access, not related to public clouds (except Dropbox, SkyDrive), and addresses the insecurity of APIs

Slide 8. II. CSA Framework

Slide 9. CSA Framework (diagram)
• Cloud Model
• Basic Security Model: Cloud + CSA CMM
• Enhanced Security Model: CSA CAIQ
• Mapping
• Compliance Model

Slide 10. II. NIST Framework

Slide 11. NIST Framework
• The consolidated framework over all NIST documents
• Logically, clearly defined documents, e.g.
    - Categorization of systems
    - Selecting controls
    - FIPS
    - Forensics
    - Logging (SCAP)
    - Etc.
• Complementarity
• Interchangeability
• Expansibility
• Dependence
• Mapping (NIST, ISO only)

Slide 12. NIST Framework
• Complementarity
    - NIST enhanced controls
    - Your own security controls
• Interchangeability
    - Replacing basic controls by enhanced controls
• Expansibility
    - Controls that impact or support the implementation of a particular security control or control enhancement
    - Your own way to improve a framework
• Mapping (NIST, ISO only)
    - NIST -> ISO
    - ISO -> NIST
    - NIST -> Common Criteria (rev4 only)

Slide 13. NIST Framework
• Interchangeability
    - Basic controls aren't applicable in the case of
        - Information systems that need to communicate with other systems across different policy domains
        - APT
        - Insider threats
        - Mobility (mobile location, non-fixed)
        - Single-user operations
    - Replacing basic controls by enhanced controls
• Expansibility
    - Controls that impact or support the implementation of a particular security control or control enhancement
    - Your own way to improve a framework
• Mapping (NIST, ISO only)
    - NIST -> ISO
    - ISO -> NIST
    - NIST -> Common Criteria (rev4 only)

Slide 14. III. Clouds
  15. 15. Clouds Amazon Web Services  Generally IaaS  +SaaS, PaaS Microsoft Azure  Generally PaaS  Recent changes – IaaS BlackBerry Enterprise Service  Separated  Integrated with Office365  SaaS as a MDM solution

Slide 16. BlackBerry Enterprise Service (diagram)
• BES 10, Unified Device Platform
    - BlackBerry Z10/Q10
    - PlayBook
    - BlackBerry 4, 5, 6, 7
    - Android, iOS
    - Unified management
• BES 5
• Office integration
    - Office
    - Office 365
    - Cisco/VoIP

Slide 17. IV. Cloud & Compliance Specifics

Slide 18. Cloud & Compliance Specifics
• There is no one "cloud": there are many models and architectures
• There is no one "standard": there are many ways to build a cloud in alignment with...
• What vision is adopted by cloud vendors? Virtualizing anything that can be virtualized
• What vision is adopted by cloud operators (3rd party)? Data distribution, service distribution, unified management
• What is your way to use and manage the cloud? Clear
• All of that is reflected in the compliance requirements

Slide 19. Cloud & Compliance Specifics
• There is no one "cloud"; there is no one "standard"
    - The goal is to bring transparency to cloud controls and features, especially security controls and features
    - Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities
    - Unifying recommendations for all clouds
    - Up to now, it is the 3rd revision
    - All recommendations are linked with other standards: PCI DSS, ISO, COBIT; NIST, FedRAMP; CSA's own vision of how it must be referenced
• There are many models and architectures; there are many ways to build a cloud in alignment with...
    - Top known cloud vendors have announced they are in compliance with it
    - Some of the reports are getting old by now
    - Customers have to control their environment according to their needs
    - Customers want to know whether it is in compliance, especially with local regulations, and how far
    - Customers want to know whether it makes clouds transparent enough to let them build an appropriate

Slide 20. Cloud & Compliance Specifics: Compliance, Transparency, Elaboration
• Compliance, Transparency
    - CAIQ/CCM provide the equivalent of recommendations across several standards; CAIQ provides more detail on security and privacy, but NIST is more specific
    - CSA recommendations are thin on technical details
        - It lets vendors avoid working out their solutions in detail and/or leave them badly documented
        - It lets them put in a lot of references to 3rd-party reviews under NDA (SOC 1 or SAS 70)
    - Bad idea to let vendors fill in such documents
        - They provide fewer public details
        - They take it to NDA reports
• Elaboration
    - Vendors' general explanations multiplied by general standards recommendations are extremely far from transparency
    - Clouds call for specific levels of audit logging, activity reporting, security controlling and data retention
        - It is often not part of the SLA offered by providers
        - It is outside the recommendations
    - AWS often goes into detail in its architecture documents
    - AWS solutions are very well positioned to comply with old standards and specific local regulations
        - NIST 800-53, or even Russian security standards (although the Russian framework is outside the cloud framework)

Slide 21. Compliance: from the Cloud Vendor's viewpoint (Compliance, Transparency, Elaboration). Difference: AWS vs. Azure

Compared rows (Description): Third Party Audits; Information System Regulatory Mapping; Handling / Labeling / Security Policy; Retention Policy; Secure Disposal; Information Leakage; User Access Policy, MFA; Baseline Requirements; Encryption, Encryption Key Management; Vulnerability / Patch Management; Integrity; Nondisclosure Agreements; Third Party Agreements; User ID Credentials; (Non-)Production Network Security; Segmentation; Mobile Code

Differences (AWS vs. Azure):
• Third Party Audits: as opposed to AWS, Azure does not have a clearly defined statement on whether its customers are able to perform their own vulnerability tests
• Information System Regulatory Mapping: AWS goes into detail to comply with it, which results in differences between the CAIQ and CMM mapping
• Handling / Labeling / Security Policy: AWS details what customers are allowed to do and exactly how, while Azure does not
• Retention Policy: AWS points to the customers' responsibility to manage data, excluding moves between Availability Zones inside one region; Azure ensures validation and processing of it and indicates historical auto-backup of data
• Secure Disposal: not a serious difference; AWS additionally relies on DoD 5220.22, while Azure relies on NIST 800-88 only
• AWS relies on the AMI and EBS services, while Azure relies on Integrity data
• No difference: both have (nondisclosure agreements)
• AWS provides more highly detailed how-to docs than Azure, and allows importing a trusted VM from VMware
• AWS offers encryption features for VMs, storage, DB and networks, while Azure does so for XStore (Azure Storage)
• AWS lets its customers ask for their own pentest, while Azure does not
• Third parties: AWS highlights that it does not leverage any 3rd-party cloud providers to deliver AWS services to customers; Azure points to the procedures and NDA undergone with ISO
• Besides AD (Active Directory), the AWS IAM solution is aligned with both CAIQ and CMM requirements, while Azure refers to AD to perform these actions
• Environments: AWS provides more detailed how-to documents for achieving compliance
• Besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CMM, while Azure points to features built into the infrastructure on the vendor side
• Mobile Code: AWS points to its clients as responsible for meeting such requirements, while Azure points to building solutions tracked for mobile code

Slide 22. Compliance: from CSA's viewpoint. Examination of CSA
• Consumer relationship only
    - Everything except SA-13 "Location-aware technologies may be used to validate connection authentication integrity based on known equipment location"
• Vendor relationship only
    - Requirements include technical and management solutions
• Consumer relationship shared with vendor
    - Includes non-technical solutions only, such as policies, roles, procedures, training
• All requirements cover the SaaS, PaaS and IaaS cloud types
• General requirements only; missing details (cf. DoD)

Slide 23. Compliance: from CSA's viewpoint. Examination of CSA: references to NIST
• Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" refers to
    - AC-2 Account Management
    - AC-3 Access Enforcement
    - AC-4 Information Flow Enforcement
    - AC-6 Least Privilege (the most correct reference)
    - AC-11 Session Lock
• General requirements only: "Security mechanisms shall be implemented to prevent data leakage" in turn misses (no references at all)
    - AC-7 Unsuccessful Login Attempts
    - AC-8 System Use Notification
    - AC-9 Previous Logon (Access) Notification
    - AC-10 Concurrent Session Control

Slide 24. Compliance: from CSA's viewpoint. Examination of CSA: references to ISO
• Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" also refers to ISO
    - A.10.6.2 Security of network services
    - A.10.6.2 refers to NIST in turn
        - CA-3 Information System Connections
        - SA-9 External Information System Services
        - SC-8 Transmission Integrity
        - SC-9 Transmission Confidentiality
• DG-07 should in fact refer to PE-19 Information Leakage
    - It could include the NIST requirement "AC-6 Least Privilege" too
• A few of them are applicable in the case of cloud MDM and should be extended by a different toolkit

Slide 25. Cloud & Compliance Specifics. Example: CSA
• CSA: Data Governance
    - NIST :: access control, media management, etc.
    - Ownership / Stewardship
    - Classification
    - Handling / Labeling / Security Policy
    - Retention Policy
    - Secure Disposal
    - Non-Production Data
    - Information Leakage
    - Risk Assessments
• Cloud :: Azure
    - Azure's vision: distribution of information
    - CSA and ISO are better applicable than NIST
    - NIST is applicable as a collection of custom controls
    - Best way: adopt NIST enhancements together with CSA
    - Need to remap CSA -> NIST rev4
        - Technical / Access Control / Security Attributes
        - Attribute Configuration
        - Permitted Attributes for Specified Information Systems
        - Permitted Values and Ranges for Attributes

Slide 26. Cloud & Compliance Specifics. Example: NIST
• NIST: Access Control
    - Account, Session Management
    - Access / Information Flow Enforcement
    - Least Privilege, Security Attributes
    - Remote / Wireless Access
• Cloud :: AWS
    - AWS's vision is not data distribution
    - NIST is better applicable than CSA
    - NIST is applicable as a collection of custom controls
    - There are many enhancements to include (rev4)
        - Dynamic Account Creation
        - Restrictions on Use of Shared Group Accounts
        - Group Account Requests Approvals/Renewals
        - Account Monitoring - Atypical Usage
        - e.g. :: log-delivery-write for S3

Slide 27. Cloud & Compliance Specifics. Example: CSA / NIST, Cloud :: AWS
• AWS's vision is not data distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint
    - Resource-based policy
    - Attached to the resource
• AWS's vision is not data distribution; however, NIST :: Access Control is applicable from the user-based viewpoint
    - Account-based policy
    - Attached to users
    - Define that policy for MDM users to access internal network resources
    - Combine with a mobile policy
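The two attachment points named on this slide, worked through in code. This is an added example, not material from the deck or from AWS: it is a deliberately simplified model of how a same-account request is evaluated against an identity-based policy (attached to the MDM users) together with a resource-based policy (attached to an S3 bucket). The evaluation order it models (an explicit Deny anywhere wins, otherwise an Allow in either policy grants, otherwise implicit deny) follows AWS's documented logic; support for a single condition key, aws:SourceIp, is this example's own simplification. The account id, bucket name, principals and IP ranges are constructed placeholders.

```python
# Added example: simplified same-account IAM evaluation of an identity-based policy
# (attached to users) plus a resource-based policy (attached to a bucket).
# All names, ARNs and IP ranges are constructed; only aws:SourceIp conditions are
# understood (an assumption of this toy evaluator, not a statement about AWS).
import ipaddress
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Identity-based ("account-based") policy: attached to the MDM users' group, so it
# names no Principal. It grants read access, but only from the corporate range.
MDM_USER_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-mdm-profiles",
                     "arn:aws:s3:::example-mdm-profiles/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

# Resource-based policy: attached to the bucket, so each statement names a Principal.
# (a) grants the MDM server write access without needing any identity policy;
# (b) the "mobile policy": denies everyone object access from outside the range.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/mdm-server"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-mdm-profiles/*"},
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-mdm-profiles/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

EMPTY_POLICY: Dict[str, Any] = {"Version": "2012-10-17", "Statement": []}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM-style wildcards: '*' and '?' may appear anywhere in Action or Resource.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt: Dict[str, Any], principal: str) -> bool:
    if "Principal" not in stmt:
        return True  # identity-based policy: the attached user is the principal
    spec = stmt["Principal"]
    return spec == "*" or _matches(spec.get("AWS", []), principal)


def _condition_holds(condition: Any, source_ip: str) -> bool:
    ip = ipaddress.ip_address(source_ip)
    for operator, pairs in (condition or {}).items():
        for key, ranges in pairs.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError(f"unsupported condition {operator}/{key}")
            in_range = any(ip in ipaddress.ip_network(r) for r in _as_list(ranges))
            if (operator == "IpAddress") != in_range:
                return False
    return True


def evaluate(principal: str, action: str, resource: str, source_ip: str,
             identity_policy: Dict[str, Any], resource_policy: Dict[str, Any]) -> str:
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in (identity_policy, resource_policy):
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal)
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), source_ip)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny always wins
            decision = "allow"
    return decision


if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/alice"
    obj = "arn:aws:s3:::example-mdm-profiles/ios/profile.mobileconfig"
    print(evaluate(alice, "s3:GetObject", obj, "203.0.113.10", MDM_USER_POLICY, BUCKET_POLICY))
    print(evaluate(alice, "s3:GetObject", obj, "198.51.100.7", MDM_USER_POLICY, BUCKET_POLICY))
```

The point the slide makes shows up in the two policies' shapes: the identity policy says what its users may do and names no principal, the bucket policy names its principals and travels with the resource, and the Deny in the bucket policy applies to every principal regardless of what their identity policies allow.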

Slide 28. Compliance and MDM
• CSA Mobile Device Management: key components
    - Device diversity
    - Configuration management
    - Software distribution
    - Device policy compliance & enforcement
    - Enterprise activation
    - Logging
    - Security settings
    - Security wipe, lock
    - IAM
• NIST-124 refers to NIST 800-53 and others
    - Sometimes misses requirements such as locking the device, although it is in NIST 800-53
    - A bit more detail than CSA
    - No statements on permission management
• Make sure you start managing security under uncertain terms, without AI

Slide 29. [ DEVICE MANAGEMENT ] Concurrency over native & additional security features

    Δ = Α ∪ Β ∪ Γ ∪ Υ,   Α ⊂ Β,   Υ ⊆ Β,   Υ ⊂ Α

Δ – set of OS permissions; Α – set of device permissions; Β – set of MDM permissions; Γ – set of missed permissions (lack of controls); Υ – set of rules that explicitly should be applied to gain compliance.

    Η = Ε + Ζ,   Ε ⊃ Α ∪ Β

Η – set of APIs; Ε – set of APIs that interact with sensitive data; Ζ – set of APIs that do not interact with sensitive data.

To get mobile security designed with full granularity, the set Γ should be empty, so that Ε ⊇ Α ∪ Β holds instead of Ε ⊃ Α ∪ Β; so what matters is how close it is to empty. On the other hand, it should be found out whether the assumptions Υ ⊆ Β, Υ ⊂ Α are true and whether it is possible to get ⊆ Α.

The situation is very serious:
• Set of permissions < set of activities
• Efficiency: typical case < 100%; ability to control each API = 100%; more than one permission per API > 100%
• Lack of knowledge about possible attacks; improper granularity
• Layers (diagram): AV, MDM, DLP, VPN; non-app features; MDM features; kernel protection; permissions
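The set model on this slide, worked through on constructed data. This is an added example and not part of the deck: Α, Β and Υ are given as sets of permission names, Ε as a map from sensitive APIs to the permissions that gate them, and Γ is derived as the sensitive APIs no available permission controls. The "efficiency" figure is the one the slide describes (permission checks per API: below 100% when some APIs are ungated, above 100% when some need several). All permission and API names are placeholders, not data from any platform.

```python
# Added example: the slide's permission-coverage model (Α, Β, Γ, Υ, Ε) on constructed
# sample data. Every permission and API name here is a placeholder.
from typing import Dict, FrozenSet, Set

# Α: permissions the device exposes natively
DEVICE_PERMS: FrozenSet[str] = frozenset({"CAMERA", "LOCATION", "CONTACTS", "SMS"})
# Β: permissions/rules an MDM can enforce (Α ⊂ Β, as the slide assumes)
MDM_PERMS: FrozenSet[str] = DEVICE_PERMS | {"PASSWORD_POLICY", "STORAGE_ENCRYPTION", "MICROPHONE"}
# Υ: rules a compliance framework explicitly requires
COMPLIANCE_RULES: FrozenSet[str] = frozenset({"PASSWORD_POLICY", "STORAGE_ENCRYPTION", "CAMERA"})

# Ε: APIs that touch sensitive data -> the permissions that gate each of them.
# An empty set means the API is reachable with no permission at all.
SENSITIVE_APIS: Dict[str, FrozenSet[str]] = {
    "readContacts": frozenset({"CONTACTS"}),
    "sendSms": frozenset({"SMS"}),
    "takePicture": frozenset({"CAMERA"}),
    "recordAudio": frozenset({"MICROPHONE"}),
    "getLastKnownLocation": frozenset({"LOCATION"}),
    "uploadPhoto": frozenset({"CAMERA", "CONTACTS"}),  # one API, two permissions
    "readClipboard": frozenset(),  # ungated: lands in Γ
    "getDeviceId": frozenset(),    # ungated: lands in Γ
}


def missed_controls(apis: Dict[str, FrozenSet[str]], available: FrozenSet[str]) -> Set[str]:
    """Γ: sensitive APIs that none of the available permissions controls."""
    return {api for api, perms in apis.items() if not (perms & available)}


def coverage(apis: Dict[str, FrozenSet[str]], available: FrozenSet[str]) -> float:
    """Share of sensitive APIs controlled by at least one available permission."""
    return 1 - len(missed_controls(apis, available)) / len(apis)


def permission_efficiency(apis: Dict[str, FrozenSet[str]]) -> float:
    """Permission checks per sensitive API: exactly 1.0 when every API has one
    permission, below when some have none, above when some need several."""
    return sum(len(perms) for perms in apis.values()) / len(apis)


def rules_needing_mdm(rules: FrozenSet[str], device: FrozenSet[str],
                      mdm: FrozenSet[str]) -> Set[str]:
    """Υ ⊂ Α check: compliance rules the device cannot enforce natively and that
    must therefore come from the MDM. Raises if Υ ⊆ Β fails, i.e. a required rule
    has no control at all (neither native nor MDM)."""
    unenforceable = rules - mdm
    if unenforceable:
        raise ValueError(f"no control exists for: {sorted(unenforceable)}")
    return set(rules - device)


if __name__ == "__main__":
    print("Γ with device permissions only:", sorted(missed_controls(SENSITIVE_APIS, DEVICE_PERMS)))
    print("Γ with MDM permissions:        ", sorted(missed_controls(SENSITIVE_APIS, MDM_PERMS)))
    print(f"coverage (MDM): {coverage(SENSITIVE_APIS, MDM_PERMS):.0%}")
    print(f"permission efficiency: {permission_efficiency(SENSITIVE_APIS):.1%}")
    print("rules only the MDM can enforce:", sorted(rules_needing_mdm(COMPLIANCE_RULES, DEVICE_PERMS, MDM_PERMS)))
```

On this sample the MDM shrinks Γ from three APIs to two but cannot empty it, because the two remaining APIs have no permission in Β either; that is the "how close to empty" question the slide raises, and no amount of policy can close it without a new control in the platform.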

Slide 30. [ DEVICE MANAGEMENT ] Application-level attack vector
• Goals: mobile resources / aim of attack
    - Device resources
    - Outside-of-device resources
• Attacks: set of actions under the threat
• APIs: resources widely available to coders
• Security features
    - Kernel protection, non-app features
    - Permissions: explicitly configured
    - 3rd party: AV, firewall, VPN, MDM
• Compliance: rules to design mobile security in alignment with compliance to...
• Diagram layers: Goals; AV, MDM, DLP, VPN; non-app features; MDM features; kernel protection; permissions; APIs; attacks

Slide 31. [ BLACKBERRY. PERMISSIONS ]
Permissions exposed by the BB 10 Cascades SDK; the table compares their availability in the BB 10 AIR SDK and on the PlayBook (NDK/AIR):
Background processing; BlackBerry Messenger; Calendar, Contacts; Camera; Device identifying information; Email and PIN messages; GPS location; Internet; Location; Microphone; Narrow swipe up; Notebooks; Notifications; Player; Phone; Push; Shared files; Text messages; Volume
• BB 10 AIR SDK: available (+) for all but one permission (-)
• PlayBook (NDK/AIR): available (+) for most, and for some only via invoke calls

Slide 32. [ iOS. Settings ]
Components (Restrictions :: native applications are marked *, the rest are Restrictions :: 3rd-party applications): Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*

Units and their subcomponents:
• Privacy :: Location: per each 3rd-party app; for system services
• Privacy :: Private Info: Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
• Accounts: disables changes to Mail, Contacts, Calendars, iCloud and Twitter accounts; Find My Friends
• Content Type Restrictions: volume limit; ratings per country and region; music and podcasts; movies, books, apps, TV shows; in-app purchases; require passwords (in-app purchases)
• Game Center: multiplayer games; adding friends
• Manage applications: installing apps; removing apps

Slide 33. [ Android. Permissions ]
The list contains ~150 permissions. I have ever seen that on old BlackBerry devices.

ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY

Slide 34. [ Android. Permission Groups ]
But there are only 30 permission groups. I have ever seen that on old BlackBerry devices too.

ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS, DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK, SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTIONARY, VOICEMAIL, WALLPAPER, WRITE_USER_DICTIONARY

Slide 35. MDM. Extend your device security capabilities: Android (four groups controlled only)
• Camera and video
    - Hide the default camera application
• Password
    - Define password properties: require letters (incl. case), require numbers, require special characters
    - Delete data and applications from the device after N incorrect password attempts
    - Device password: enable auto-lock
    - Limit password age; limit password history; restrict password length; minimum length allowed for the device password
• Encryption
    - Apply encryption rules
    - Encrypt internal device storage
• TouchDown support
    - Microsoft Exchange synchronization
    - Email profiles
    - ActiveSync

Slide 36. MDM. Extend your device security capabilities: iOS (16 groups controlled only)
• Browser: default app, autofill, cookies, JavaScript, popups
• Messaging: default app
• Backup / document / picture / sharing
• Online stores: purchases, password, default store / book / music app
• Camera, video, video conferencing: output, screen capture, default app
• Certificates (untrusted certs); profiles & certs (interactive installation)
• Cloud services
• Password (the same as Android and the new BlackBerry devices)
• Phone and messaging (voice dialing)
• Connectivity: network, wireless, roaming data, voice when roaming
• Social: default app; social apps / gaming / adding friends / multi-player; default social-gaming / social-video apps
• Content: content (incl. explicit) rating for apps / movies / TV shows / regions
• Diagnostics and usage (submission logs)
• Storage and backup: device backup and encryption
• Voice assistant (default app)

Slide 37. MDM. Extend your device security capabilities: BlackBerry (new, 10, QNX) (7 groups controlled only)
Groups: General; Password (the same as Android, iOS); BES management (smartphones, tablets); Software; Security; Email profiles; Wi-Fi profiles; VPN profiles

Controlled settings include:
• Mobile hotspot and tethering; Plans app, AppWorld
• Open work email message links in the personal browser
• Transfer through the work perimeter to the same / another device
• BBM Video access to the work network; video chat app uses the organization's Wi-Fi/VPN network
• Certificates & ciphers & S/MIME; hash & encryption algorithms and key parameters
• Task / memo / calendar / contact / days sync
• Wipe work space without network; restrict development mode
• Voice control & dictation in work & user apps
• Backup and restore (work) & desktop software; PC access to work & personal space (USB, BT)
• Personal space data encryption
• Network access control for work apps; personal apps' access to work contacts
• Share work data during BBM Video screen sharing; work domains; work network usage for personal apps
• Wi-Fi: access point, default gateway, DHCP, IPv6, SSID, IP address, proxy password / port / server / subnet mask
• VPN: proxy, SCEP, auth profile parameters; tokens, IKE, IPsec and other parameters; proxy ports, username, other parameters

Slide 38. MDM. Extend your device security capabilities: BlackBerry (old)
• There are 55 groups controlled in all
• Each group contains from 10 to 30 units, which are controlled too
• Each unit has a lot of flexible parameters instead of a plain 'disable/enable & hide/unhide'
• Each event is controlled by a certain permission, and may be controlled by similar permissions, to be more flexible
• Described on 360 pages in all, four times more than the other documents
• A huge amount of the permissions are MDM & device built-in
• Each unit can't control activity under itself
    - 'Create, read, write/save, send, delete' actions on messages lead to spoofing by requesting a 'Message' permission only
    - Some permissions aren't required (to delete any other app)
    - Some permissions are related to the app a 3rd-party plugin was embedded in, instead of to that plugin

Slide 39. Conclusion
• The best security & permissions are ruled by AWS
• Most cases are not clear with regard to the roles and responsibilities of cloud vendors & customers
    - Swapping of responsibilities may happen, shifting the vendor's job onto the customer's shoulders
    - Referring to independent audit reports under NDA as many times as they can
• CSA's cross-references to other standards add complexity & lack of clarity more than NIST SP 800-53 does
• Approach: apply CSA as the common basis -> select security controls (CSA) -> check scope -> define granularity -> remap to NIST -> NIST enhancements -> improve basic CSA -> combine custom sets

Slide 40. Q&A