Cloud security innovation - Cloud Security Alliance East Europe Congress 2013

  1. Moshe Ferber, Entrepreneur and Investor Innovation in Cloud Security
  2. • Moshe Ferber, 37, lives in Israel (+2). • Information security professional for over 15 years. • Managed the security department for Ness Technologies. • Founded Cloud7, Israel-based MSSP (currently owned by Matrix). • Shareholder at Clarisite – Your customer’s eye view • Shareholder at FortyCloud – Make your public cloud private • Member of the board at Macshava Tova - Narrowing societal gaps through technology • Certified instructor for the Cloud Security Alliance • Instructor for the See-Security Cyber Warfare college.
  3. Louis CK on cloud Disclaimer
  4. • CSA research analyzing cloud breakdowns in the last 5 years: o Number of online cloud articles reviewed: 11,491 o Total number of cloud vulnerability incidents: 172 [Bar chart; categories: Insecure Interfaces & APIs, Data Loss & Leakage, Hardware Failure, Others; values shown: 29, 25, 10, 8.5] Full report:
  5. • Transparency and visibility of cloud providers. • Different laws and different jurisdictions. • Incomplete standards. • Data governance. • Lack of true multi-tenant technologies. • Lack of mature identity management tools and methodologies. Source: Jim Reavis, CSA CEO
  6. • Transparency is a major step toward trust. • Legislation and standards are placing more and more responsibilities on the provider and consumer. • Cloud providers now understand that transparency is a business advantage.
  7. • The new EU data protection draft contains new directives: cloud provider and consumer will have to perform risk analysis together and take appropriate measures according to the risk. The cloud consumer must actively monitor the provider. • Federal regulations and standards also call for actively assessing and monitoring the cloud provider's services.
  8. • We lack tools that enable interaction between cloud provider and consumer regarding assessment and audit of services. • We need a framework that will enable consumers and cloud providers to efficiently perform risk assessment, take appropriate controls and continuously monitor them.
  9. • In a world of cloud computing, mobile and the “Internet of Things”, everything is an API. • Cloud automation, cloud chaining, mobile applications and 3rd-party developments are all dependent on APIs. • Enterprises aspire to be open and connected. • Open APIs are considered fertile ground for innovation. • According to CSA research: 29% of cloud breakdowns occur due to insecure interfaces and APIs. Source: open API state of market, John Musser
  10. • APIs are the new frontend for many applications. • The market is shifting from “secured & complicated” SOAP to “unsecured but simple” REST APIs. • We don’t have the right technology yet for securing hundreds and • Innovation is required on encryption, authentication, authorization, data leakage and intrusion prevention. API are the new frontend
  11. • The network is the last layer that is not virtualized yet. • In the next two years we will see the beginning of the software-based data center: virtualization from the network to the applications. • Standards are currently being developed in order to allow SDN and NFV to mature. Better SLA IPv6 Better visibility and management Flexibility No more “sitting ducks” Faster development Insights on performance
  12. July 2012 SEP 2012 NOV 2012 DEC 2012 Feb 2013
  13. • SDN can change the way we think of network security. • SDN currently lacks any eco-system that enables security, monitoring, governance or automation. • Innovation is required to develop technologies that will utilize SDN features for security.
  14. • Encryption is a key factor for cloud computing. • Encryption enables us to create trust and comply with regulations. • New innovations allow us to keep keys in software, and to encrypt data in/out of the cloud. • But we are still lacking… Crypto Shredding Enabling trust in non trusted situation Regulations Logical separation Security Audit
  15. • Better key management. • Elevating encryption as a classification, access control & audit mechanism. • Homomorphic encryption, Nearest Neighbor Data Substitution, bit splitting and data obfuscation will enable us to process encrypted data and safely guard keys. • There is also great potential for tokenization, masking and anonymization services.
  16. • Big Data technologies have the potential to change the world we live in. • Big Data also has great potential to change the security landscape (e.g. e-mail / web / file reputation). • But Big Data currently lacks security methodology, standards and tools.
  17. Source: CLOUD SECURITY ALLIANCE Expanded Top Ten Big Data Security and Privacy Challenges, April 2013 • Big Data requires security innovation across the board. • Threats are coming from unsecured sources and a lack of collection, transportation and storage standards. • NoSQL databases have immature security controls.
  18. Identity is the new perimeter • In the cloud-based world, the traditional perimeter is dead. The only thing that matters is who you are. • We are facing identity challenges in every aspect: privacy, accountability and repudiation, authentication, authorization and more. • The market has not found the appropriate balance between privacy, anonymity and efficiency. • There are many new standards but we still lack mature identity solutions.
  19. • The identity market lacks trust between all players. • Integrating identities: governments, enterprises & identity providers should find their role in the eco-system. • Identity providers should also develop and integrate devices, applications and services. • Authentication: when will we see the end of the password?
  20. Across different cloud providers Rely more on hosts level security Replicates current enterprise tools Ability to adjust when instance moves Identity-based tools rather than network Improves cloud functionality Data is in the center
  21. Procurement process becomes central Cloud brokerages are growing In IaaS you integrate security In SaaS you Outsource it Community and social tools will be a factor for decision Transparency will be critical IT will allow services but not manage them Expect questions about SDLC and Operations
  22. • Cloud Security Alliance research. • Jim Reavis, Cloud Security Alliance CEO. • open API state of market, John Musser • The NIST Definition of Cloud Computing • NIST Cloud Security Architecture (Draft) • Securosis Blog and Research database
  23. • Moshe Ferber • Cloud Security classes schedule can be found at: