Managing Cloud Security Risks in Your Organization


Transcript of "Managing Cloud Security Risks in Your Organization"

  1. Managing Cloud Security Risks in your organization. 23 November 2013, Seminar Kriptografi dan Keamanan Informasi, Sekolah Tinggi Sandi Negara, Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan. Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  2. About me
     • Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
     • Researcher, Information Security Research Group, and Lecturer, Swiss German University
     • Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id; http://people.sgu.ac.id/charleslim
     • I am currently a doctoral student at University of Indonesia
     • Research interests: Malware, Intrusion Detection, Vulnerability Analysis, Digital Forensics, Cloud Security
     • Community: Indonesia Honeynet Project (Chapter Lead); Academy CSIRT (member)
     Master of Information
  3. AGENDA
     • Cloud Computing
     • Cloud Security
     • Cloud Risks
     • CSA – Cloud Security Alliance
     • Case Study – SSH decrypted
     • Safe Cloud – is it possible?
     • Related Works
     • Conclusion
     • References
  4. Cloud Computing – NIST Definition
     • NIST defines 5 essential characteristics, 3 service models and 4 cloud deployment models
     • http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
  5. Service Models
     • IaaS = Infrastructure as a Service
     • PaaS = Platform as a Service
     • SaaS = Software as a Service
     • XaaS = Anything as a Service (not included in NIST)
  6. Cloud Taxonomy
  7. Where are the risks?
  8. Cloud Computing Consideration
  9. Challenges and benefits
  10. The Hybrid enterprise: private clouds, public clouds, Extended Virtual Data Center, cloud of users
     • Notional organizational boundary
     • Dispersal of applications
     • Dispersal of data
     • Dispersal of users
     • Dispersal of endpoint devices
  11. Good Practice is the key
     • Compliance + Audit
     • Certification + Standards
     • Good Governance, Risk and Compliance
     • Industry recognized certification
     • Secured Infrastructure
     • Secured and tested technologies
     • Data Security
     • Data Security Lifecycle
  12. Cloud Computing – Top Threats/Risks
  13. Shared Technologies Vulnerabilities
  14. Data Loss / Leakage
  15. Malicious Insiders
  16. Interception or Hijacking of traffic
  17. Insecure APIs
  18. Nefarious use of service
  19. Unknown Risk Profiles
  20. CSA – Cloud Security Framework
     • Cloud Architecture
     • Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
     • Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
  21. CSA – Cloud Security Framework Domain
     • Understand Cloud Architecture
     • Governing in the Cloud
       1. Governance & Risk Mgt
       2. Legal and Electronic Discovery
       3. Compliance & Audit
       4. Information Lifecycle Mgt
       5. Portability & Interoperability
     • Operating in the Cloud
       1. Security, Business Continuity and Disaster Recovery
       2. Data Center Operations
       3. Incident Response
       4. Application Security
       5. Encryption & Key Mgt
       6. Identity & Access Mgt
       7. Virtualization
  22. How Security Gets Integrated (diagram of the CSA domains)
     • Domain 2: Governance and Enterprise Risk Management
     • Domain 3: Legal and Electronic Discovery
     • Domain 4: Compliance and Audit
     • Domain 5: Information Lifecycle Management
     • Domain 6: Portability and Interoperability
     • Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
     • Domain 8: Data Center Operations
     • Domain 9: Incident Response, Notification, and Remediation
     • Domain 10: Application Security
     • Domain 11: Encryption and Key Management
     • Domain 12: Identity and Access Management
     • Domain 13: Virtualization
  23. CSA – Cloud Assessment Framework
  24. Sample Assessment Governance
     • Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture
     • Know provider's third parties, BCM/DR, financial viability, employee vetting
     • Identify data location when possible
     • Plan for provider termination & return of assets
     • Preserve right to audit where possible
     • Reinvest provider cost savings into due diligence
  25. Sample Assessment Operation
     • Encrypt data when possible, segregate key mgt from cloud provider
     • Adapt secure software development lifecycle
     • Logging, data exfiltration, granular customer segregation
     • Hardened VM images
     • Understand provider's patching, provisioning, protection
     • Assess provider IdM integration, e.g. SAML, OpenID
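The first operational control above, encrypting data and keeping key management separate from the provider, is easiest to see in code. The following Go program is an added example written for this transcript; it is not code from the slides or from the CSA. It assumes a customer-held key-encryption key (KEK) that never leaves the customer, a fresh data-encryption key (DEK) per object, and AES-GCM from the Go standard library. The provider receives only the ciphertext and the DEK wrapped under the KEK, so it can store and serve the object but cannot read it; the object name is bound in as associated data so a ciphertext cannot be silently swapped between objects, and any tampering with the stored bytes is detected on decryption. Function and type names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the cloud provider receives. It contains no
// plaintext and no plaintext key: the DEK is wrapped under the customer's KEK.
type StoredObject struct {
	WrappedDEK []byte // DEK sealed with the KEK (AES-GCM, nonce prefixed)
	Ciphertext []byte // data sealed with the DEK (AES-GCM, nonce prefixed)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext; aad is authenticated only.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM and fails on any modification of sealed or aad.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptForCloud runs on the customer side. kek never leaves the customer;
// a random per-object DEK protects the data and is itself wrapped by kek.
func EncryptForCloud(kek, plaintext []byte, objectName string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	aad := []byte(objectName) // binds ciphertext and wrapped key to this object
	ct, err := sealGCM(dek, plaintext, aad)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the DEK with the customer's KEK, then opens the data.
// A wrong KEK, a different object name or a tampered blob all return an error.
func DecryptFromCloud(kek []byte, obj StoredObject, objectName string) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := openGCM(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; in practice from the customer's HSM/KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	record := []byte("customer record: account 12345") // constructed sample data
	obj, err := EncryptForCloud(kek, record, "records/12345")
	if err != nil {
		panic(err)
	}
	fmt.Println("provider sees plaintext:", bytes.Contains(obj.Ciphertext, record))
	pt, err := DecryptFromCloud(kek, obj, "records/12345")
	fmt.Println("customer decrypts:", err == nil && bytes.Equal(pt, record))
	_, err = DecryptFromCloud(kek, obj, "records/99999")
	fmt.Println("swapped object name rejected:", err != nil)
}
```

The provider only ever holds StoredObject; the assessment question that follows is where the KEK lives (customer HSM or KMS, not the provider's tenancy) and how its use is logged.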
  26. Cloud Control Matrix Tool
     • Controls derived from guidance
     • Rated as applicable to SP-I
     • Customer vs Provider role
     • Mapped to ISO 27001, COBIT, PCI, HIPAA
     • Help bridge the "cloud gap" for IT & IT auditors
  27. Cloud Adoption – Challenges: Market Perception toward cloud
  28. Case Study – SSH decrypted (VM)
     • Based on Brian Hay and Kara Nance paper
     • Key Motivation:
       • Malware encrypted communication with C&C
       • Law Enforcement capability to monitor deployed cloud and enterprise VMs
     • Novelty:
       • Visibility into cryptographically protected data and communication channels
       • No modifications to VM
  29. Case Study – SSH decrypted (VM)
     • Approach:
       • Identification (processes using the crypto lib and calls made to the lib)
       • Recovery (input to & output from the crypto functions)
       • Identification (crypto keys)
       • Recovery (the crypto keys above)
       • Recovery of plaintext (using recovered keys)
     • How to: minimum described in the paper
     • Keywords: Xen platform, libvirt, sebek techniques
  30. Case Study – SSH decrypted (VM)
     • Sebek Installation & Operation
       • http://www.honeynet.org/project/sebek
       • http://www.sans.org/reading-room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996
       • http://vimeo.com/11912850
     • Limitation: Sebek modules can be detected with rootkit detection tools
  31. Case Study – SSH decrypted (VM)
  32. Case Study – SSH decrypted (VM)
  33. Case Study – SSH decrypted (VM)
  34. Case Study – SSH decrypted (VM)
  35. Safe Cloud – is it possible?
     • Big Question: Is it possible to have a safe cloud? (https://www.safeswisscloud.ch)
  36. New Development – Cloud Crypto
     • https://itunes.apple.com/us/app/cloudcapsule/id673662021
  37. Related Works
     • Lim et al., "Risk Analysis and Comparative Study of Different Cloud Computing Providers in Indonesia," ICCCSN 2012
     • Amanatullah et al., "Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective," ICISS 2013
  38. Other Security-related Publications
     • Lim et al., "Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia," Advanced Science Letters, 2014
     • Suryajaya et al., "PRODML Performance Evaluation as SOT Data Exchange Standard," IC3INA 2013
  39. Conclusion
     • There is no 100% security; it is all about managing risks
     • It all depends on a single, exploitable vulnerability (the weakest link)
     • The cloud's greatest risk is still the insiders
     • CSA Risk Assessment helps to bridge the gap between the cloud model and compliance
     • Uncovering crypto keys in the cloud is possible; important to malware research
  40. References
     • ENISA – Cloud computing risk assessment (http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloudcomputing-risk-assessment)
     • Cloud Security Alliance (https://cloudsecurityalliance.org/)
     • Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012.
  41. Thank You
  42. Questions