Your SlideShare is downloading. ×
Managing Cloud Security Risks in Your Organization
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Managing Cloud Security Risks in Your Organization


Published on

Any Organization in the World need to prepare themselves before they move to the cloud, i.e. cloud security risk assessment. It is all about managing your risks if you accept to move to the cloud and …

Any Organization in the World need to prepare themselves before they move to the cloud, i.e. cloud security risk assessment. It is all about managing your risks if you accept to move to the cloud and understanding the risks and benefits should be essential part of any organization thinking to move to cloud infrastructure.

Published in: Technology
1 Like
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Managing Cloud Security Risks in your organization 23 November 2013 Seminar Kriptografi dan Keamanan Informasi Sekolah Tinggi Sandi Negara Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  • 2. About me Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI Researcher – Information Security Research Group and Lecturer Swiss German University Charles.lims [at] and charles.lim [at] I am currently a doctoral student in University of Indonesia Research Interest Malware Intrusion Detection Vulnerability Analysis Digital Forensics Cloud Security Community Indonesia Honeynet Project - Chapter Lead Academy CSIRT - member Master of Information
  • 3. AGENDA  Cloud Computing  Cloud Security  Cloud Risks  CSA – Cloud Security Alliance  Case  Safe Study – SSH decrypted Cloud – is it possible?  Related Works  Conclusion  References Master of Information 3
  • 4. Cloud Computing – NIST Definition  NIST define 5 essential characteristics, 3 Service models, 4 cloud deployment models  145/SP800-145.pdf Master of Information 4
  • 5. Service Models  IaaS = Infrastructure as a Service  PaaS = Platform as a Service  SaaS = Software as a Service  XaaS = Anything as a Service (not included in NIST) Master of Information 5
  • 6. Cloud Taxonomy Master of Information 6
  • 7. Where are the risks? Master of Information 7
  • 8. Cloud Computing Consideration Master of Information
  • 9. Challenges and benefits Master of Information
  • 10. The Hybrid enterprise private clouds public clouds Extended Virtual Data Center • • • • Notional organizational boundary Dispersal of applications Dispersal of data Dispersal of users Dispersal of endpoint devices Master of Information cloud of users
  • 11. Good Practice is the key Compliance + Audit Certification + Standards Good Governance, Risk and Compliance Industry recognized certification Secured Infrastructure Secured and tested technologies Data Security Data Security Lifecycle Master of Information
  • 12. Cloud Computing – Top Threats/Risks Master of Information
  • 13. Shared Technologies Vulnerabilities Master of Information
  • 14. Data Loss / Leakage Master of Information
  • 15. Malicious Insiders Master of Information
  • 16. Interception or Hijacking of traffic Master of Information
  • 17. Insecure APIs Master of Information
  • 18. Nefarious use of service Master of Information
  • 19. Unknown Risk Profiles Master of Information
  • 20. CSA – Cloud Security Framework Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management G o v e r n i n g Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Operating in the Cloud Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Master of Information t h e C l o u d
  • 21. CSA – Cloud Security Framework Domain Understand Cloud Architecture Governing in the Cloud 1. Governance & Risk Mgt 2. Legal and Electronic Discovery 3. Compliance & Audit 4. Information Lifecycle Mgt 5. Portability & Interoperability Operating in the Cloud 1. Security, Business Continuity and Disaster Recovery 2. Data Center Operations 3. Incident Response 4. Application Security 5. Encryption & Key Mgt 6. Identity & Access Mgt 7. Virtualization Master of Information
  • 22. Domain 2 Domain3 Governance Legal and and Enterprise Electronic Discovery Risk Management Domain 7 Traditional Domain 11 Domain 12 Security, Business Encryption and Identity and Continuity, and Key Access Disaster Recovery Management Management Domain 5 Information Lifecycle Management Domain 6 Portability and Domain Domain 7 11 Domain 12 Domain 9 Traditional Encryption and Key Identity and Access Security, Business Incident Management Management Continuity, and Response, Notificati Disaster Recovery on, and Remediation Interoperability Domain 10 Application Security Domain 13 Virtualization Domain 6 Portability and Interoperability Domain 2 Governance and Enterprise Risk Management Domain 4 Domain 6 Domain 8 Portability Data and Center Operations Interoperability Master of Information Compliance and Audit How Security Gets Integrated
  • 23. CSA – Cloud Assessment Framework Master of Information
  • 24. Sample Assessment Governance • Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture • Know provider’s third parties, BCM/DR, financial viability, employee vetting • • • • Identify data location when possible Plan for provider termination & return of assets Preserve right to audit where possible Reinvest provider cost savings into due diligence Master of Information
  • 25. Sample Assessment Operation • Encrypt data when possible, segregate key mgt from cloud provider • • Adapt secure software development lifecycle • Logging, data exfiltration, granular customer segregation • • Hardened VM images Understand provider’s patching, provisioning, protection Assess provider IdM integration, e.g. SAML, OpenID Master of Information
  • 26. Cloud Control Matrix Tool Controls derived from guidance Rated as applicable to SP-I Customer vs Provider role Mapped to ISO 27001, COBIT, PCI, HIPA A Help bridge the “cloud gap” for IT & IT auditors Master of Information
  • 27. Cloud Adoption - Challenges Market Perception toward cloud Master of Information
  • 28. Case Study – SSH decrypted (VM)  Based  Key on Brian Hay and Kara Nance paper Motivation:  Malware encrypted communication with C & C  Law Enforcement capability to monitor deployed cloud and enterprise VM  Novelty:  Visibility into cryptographically protected data and communication channels  No modifications to VM Master of Information
  • 29. Case Study – SSH decrypted (VM)  Approach:  Identification (Processes of crypto lib and calls made to the lib)  Recovery (input to & output to – crypto functions)  Identification (crypto keys)  Recovery (crypto keys above)  Recovery of plaintext (using recovered keys)  How to  Minimum described in the paper  Keywords  Xen platform, libvirt, sebek techniques Master of Information
  • 30. Case Study – SSH decrypted (VM)  Sebek Installation & Operation   room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996   Limitation  Sebek modules can be detected with rootkit detection tools Master of Information
  • 31. Case Study – SSH decrypted (VM) Master of Information
  • 32. Case Study – SSH decrypted (VM) Master of Information
  • 33. Case Study – SSH decrypted (VM) Master of Information
  • 34. Case Study – SSH decrypted (VM) Master of Information
  • 35. Safe Cloud – is it possible?  Big Question: Is it possible to have a safe cloud? ( Master of Information 35
  • 36. New Development – Cloud Crypto Master of Information 36
  • 37. Related Works  Related Works Lim et. al. , “Risk Analysis and comparative study of Different Cloud Computing Providers In Indonesia," ICCCSN 2012 Amanatullah et. al. "Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective,” ICISS 2013 Master of Information
  • 38. Other Security-related Publications  Related Works Lim et. al. , "Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia," Advanced Science Letters, 2014 Suryajaya et. al. "PRODML Performance Evaluation as SOT Data Exchange Standard,” IC3INA 2013 Master of Information
  • 39. Conclusion is no 100% security  It is all about managing risks  There  It all depends on single, exploitable vulnerability (the weakest link)  Cloud greatest risk is still the insiders  CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance  Uncovering crypto keys in the cloud is possible  important to malware research Master of Information
  • 40. References – Cloud computing risk assessment (  ENISA  Cloud Security Alliance (  Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012. Master of Information
  • 41. Thank You
  • 42. Questions Master of Information 42