Security in the Skies

Security in the Skies, a presentation given at the Cloud Security Alliance, Austin Chapter meeting held on March 1, 2012.


  1. SECURITY IN THE SKIES
     Mano ‘dash4rk’ Paul, CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI
     SecuRisk Solutions / Express Certifications
     mano(dot)paul(at)securisksolutions(dot)com
     mano(dot)paul@expresscertifications(dot)com
     © 2007-2012 - SecuRisk Solutions
  2. Who am I? – The ABC’s
     • Author
       • The 7 Qualities of Highly Secure Software (May 2012)
       • Official (ISC)2 Guide to the CSSLP
       • Information Security Management Handbook
     • Advisor – Software Assurance, (ISC)2
     • Biologist – Shark Researcher
     • Christian – HackFormers
     • CEO – SecuRisk Solutions & Express Certifications…
     • VP – Education, Austin CSA
  3. Awards and Recognition
     • 2010 President’s Award
     • 2011 Americas Information Security Leadership Award (Practitioner)
  4. In the News – Feb 27, 2012
     StratFor Emails Leaked by Wikileaks (Source: http://www.myfoxaustin.com)
  5. What are we here to learn about?
     • Topic: Security in the Skies
       • Concerns, Threats and Controls in Cloud Computing
       • Dark Clouds (Concerns, Threats) and Silver Lining (Controls)
     • Agnostic
       • Technology
       • Vendor
     • Level: Snorkel / Mid-range / Deep sea
     • Tweet (@manopaul) / Blog
  6. What is the Cloud?
  7. CLOUD 3-4-5
     • 3 – Service Models
     • 4 – Deployment Models / Types
     • 5 – Characteristics
     IT delivered as a Standardized Service
  8. 3 – Cloud Service Models
     • Infrastructure as a Service: Networking, Storage, Servers, Virtual machines …
       • Capability for consumer provisioning of Processing / Storage / Networks / Other resources
     • Platform as a Service: OS, Middleware, Execution Runtime, …
       • Consumer deploys consumer-created or acquired applications to the cloud infrastructure
       • Consumer does not manage or control the infrastructure
       • Some control over deployed apps and the app. hosting environment
     • Software as a Service: Virtual desktops, Data, Apps …
       • Use the provider’s applications running on a cloud infrastructure
       • No management or control; consumer does not control the underlying cloud infrastructure
  9. 4 – Cloud Deployment Models / Types
     • Private: Organization specific; Managed by organization or 3rd party; On/Off premise, mostly On
     • Community: Shared Infrastructure – Related parties; Managed by organization or 3rd party; On/Off premise
     • Public: Shared Infrastructure – Unrelated parties; Owned/Managed by service provider; Off premise
     • Hybrid: A composition of two or more cloud types; Bound together by technology to enable data and application portability
  10. 5 – Characteristics
     • Resource Pooling (WHO-ever): Provider’s computing resources are pooled and dynamically assigned to serve multiple consumers
     • Rapid Elasticity (WHAT-ever): Capabilities are rapidly and elastically provisioned, some automated, depending on requirements
     • On-Demand Self Service (WHEN-ever): Consumer-direct, automated provisioning with no human interaction at the provider
     • Broad Network Access (WHERE-ever): Capabilities delivered over the network and accessed through standard mechanisms
     • Measured Service: Cloud system automatically monitors, optimizes, controls and reports resource use transparently
  11. Wherein LIES the Control?
     Who manages each layer of the stack, by delivery model (On-Premises / Infrastructure as a Service / Platform as a Service / Software as a Service):

     Layer           On-Premises    IaaS           PaaS           SaaS
     Applications    You manage     You manage     You manage     Other manages
     Data            You manage     You manage     You manage     Other manages
     Runtime         You manage     You manage     Other manages  Other manages
     Middleware      You manage     You manage     Other manages  Other manages
     OS              You manage     You manage     Other manages  Other manages
     Virtualization  You manage     Other manages  Other manages  Other manages
     Servers         You manage     Other manages  Other manages  Other manages
     Storage         You manage     Other manages  Other manages  Other manages
     Networking      You manage     Other manages  Other manages  Other manages
  12. Opportunity or Crisis?
  13. DARK CLOUDS – Security Threats to Cloud Computing
  14. Top Threats – Lists/Publications
     • (ISC)2 (GISWS 2011) – Top 7
       • Unauthorized Disclosure
       • Data Loss/Leakage
       • Weak Access Controls
       • Susceptibility to Cyber Attacks
       • Disruptions
       • Inability to support compliance audit
       • Inability to support forensic investigations
     • OWASP (pre-alpha 2011) – Top 10
       • Accountability and Data Ownership
       • User Identity Federation
       • Regulatory Compliance
       • Business Continuity and Resiliency
       • User Privacy and Secondary use of Data
       • Service and Data Integration
       • Multi-tenancy and Physical security
       • Incidence analysis and Forensic Support
       • Infrastructure Security
       • Non-production Environment Exposure
     • CSA v1.0 (2010) – 7 deadly sins
       • Abuse and nefarious use of cloud computing
       • Insecure APIs
       • Malicious Insider
       • Shared Technology Vulnerabilities
       • Data Loss/Leakage
       • Account/Service & Traffic Hijacking
       • Unknown Risk Profile
  15. Top Threats to Cloud Computing
     • Data Security / Loss / Leakage / Remanence
     • Access Controls / Account, Service & Traffic Hijacking
     • Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
     • Abuse or Nefarious Use / Shared Technology Issues
     • Cyber Forensics / Unknown Risk Profile / Malicious Insiders
     Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0
  16. SILVER LINING
     “there’s a silver lining to every cloud that sails about the heavens if we could only see it” – Marian or Young Maid’s Fortune, Dublin Magazine, 1840
     “Hope is a good thing, maybe the best of things, and no good thing ever dies.” – The Shawshank Redemption
  17. Dark Clouds / Silver Lining – Data Security / Loss / Leakage / Remanence
     Controls:
     • Cryptography Protection (Encryption/Hashing)
     • Cryptographic Agility
     • Secure Data Disposal (Overwriting*)
     • DLP technologies
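Cryptographic agility, one of the controls named on the slide above, means a stored hash or ciphertext carries the identity of the algorithm and parameters that produced it, so the scheme can be replaced without re-collecting the data. The following added example (not from the presentation or from SecuRisk Solutions) shows this for secret hashing with the Python standard library: records are self-describing, a legacy scheme stays registered for verification only, and a successful check under an outdated scheme returns a re-hash under the preferred one. The scheme ids, iteration counts and the `hash_secret` / `verify_and_upgrade` names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Registry of hashing schemes: scheme id -> (PRF digest, iteration count).
# New schemes are added here; old ones stay only so existing records verify.
SCHEMES = {
    "pbkdf2-sha256": ("sha256", 600_000),
    "pbkdf2-sha1": ("sha1", 10_000),  # legacy scheme, verification only
}
PREFERRED = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_secret(secret: str, scheme: str = PREFERRED, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    digest, iterations = SCHEMES[scheme]
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, secret.encode("utf-8"), salt, iterations)
    return "$".join([scheme, str(iterations), _b64(salt), _b64(dk)])


def verify_and_upgrade(secret: str, record: str) -> Tuple[bool, Optional[str]]:
    """Verify `secret` against `record` using the scheme the record names.

    Returns (ok, new_record): new_record is a re-hash under PREFERRED when the
    stored scheme or iteration count is outdated, otherwise None. An unknown
    scheme raises ValueError so a missing registry entry fails closed.
    """
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported hash scheme: {scheme}")
    digest, _ = SCHEMES[scheme]
    iterations = int(iterations)
    salt, stored = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    computed = hashlib.pbkdf2_hmac(digest, secret.encode("utf-8"), salt, iterations)
    ok = hmac.compare_digest(computed, stored)  # constant-time comparison
    outdated = scheme != PREFERRED or iterations < SCHEMES[PREFERRED][1]
    return ok, (hash_secret(secret) if ok and outdated else None)


if __name__ == "__main__":
    legacy = hash_secret("correct horse", scheme="pbkdf2-sha1")  # constructed legacy record
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, upgraded.split("$")[0])  # True pbkdf2-sha256
```

Store the returned `new_record` in place of the old one at login time; once no record names a legacy scheme, delete that scheme from the registry so it can no longer be verified against.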
  18. Dark Clouds / Silver Lining – Access Controls / Account, Service & Traffic Hijacking
     • Access Control Lists (ACLs) / RBACs
     • Chinese Wall
     • Session Management
       • Eavesdropping
       • Redirection
     Image Source: (ISC)2 Whitepaper
  19. Dark Clouds / Silver Lining – Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
     • Vendor lock-in
       • Understand dependency chain of APIs (Vendor lock-in)
       • Perform ROI exercise for proprietary APIs
     • Don’t use deprecated/insecure APIs
     • Secure Authentication
       • SSO (Weakest Link)
     Image Source: CloudAve
  20. Dark Clouds / Silver Lining – Abuse or Nefarious Use / Shared Technology Issues
     • Hardening & Sandboxing
       • Platform/Hypervisor Exploits
     • Cloud Isolation Technologies
     • Secure Communications
     Image Source: apigee.com
  21. Dark Clouds / Silver Lining – Cyber Forensics / Malicious Insiders / Unknown Risk Profile
     • Identity Management
       • Provisioning/De-provisioning
     • Logging and Auditing
       • Detective and Deterrent
     • Trust but verify
       • Don’t Trust AND Verify
  22. Some closing thoughts
  23. References
     • Security in the Skies – (ISC)2 Whitepaper
     • (ISC)2 Global Information Security Workforce Study (2011)
     • CSA Top Threats to Cloud Computing v1.0 (2010)
     • 7 Deadly Sins of Cloud Security (2010)
     • OWASP Cloud 10 project (pre-alpha)
     • ASIS/(ISC)2 Security Congress Cloud Security Panel (2011)
     • Gartner/IEEE Publications
  24. THANK YOU
     Mano ‘dash4rk’ Paul, CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI
     SecuRisk Solutions / Express Certifications
     mano(dot)paul(at)securisksolutions(dot)com
     mano(dot)paul(at)expresscertifications(dot)com
