Spoke on Securing Data in the Cloud at GISEC on 23rd May 2017. Touched on the trends, perceptions, and various controls to protect data. Finally, discussed various approaches to secure data in the cloud.
Securing Data in the Cloud - GISEC2017
1. Securing Data in the Cloud
By Sohaib Mahmood (CISSP, SABSA, CCSK, CRISC)
Lead Security Consultant
2. Founding Partners
• Alibaba Cloud was established in 2009, with R&D centers and operations in Hangzhou, Beijing and Silicon Valley. Alibaba Cloud is a strategic business unit of Alibaba Group.
• Alibaba Cloud's goal is to create the world's leading cloud computing services platform. Alibaba Cloud is committed to creating a public, open cloud computing services platform.
• Alibaba Cloud provides a cloud platform for 20+ Alibaba business units in addition to serving over 2,300,000 customers.
• Meraas was established to make a positive contribution to the national economy.
• By creating a portfolio of investments in various industry sectors, Meraas seeks to generate long-term wealth enhancement for the economic and social development of Dubai.
• In order to capitalize on opportunities in Dubai and beyond, Meraas is pioneering several initiatives in various macroeconomic sectors including:
  • Retail
  • Leisure & Entertainment
  • Hospitality
  • Food & Beverage
  • Healthcare
  • Residential
  • Technology
4. Cloud Computing Models
01 Cloud SaaS (Software as a Service)
Application and information clouds. Use the provider's applications over a network; cloud provider examples are Google Apps, Salesforce.
02 Cloud PaaS (Platform as a Service)
Development clouds. Deploy customer-created applications to a cloud; cloud provider examples are Windows Azure, Google App Engine.
03 Cloud IaaS (Infrastructure as a Service)
Infrastructure clouds. Rent processing, storage, network capacity; examples are Alibaba Cloud, AWS.
5. Can Clouds be Secure?
"Public cloud workloads can be at least as secure as those in your own data center, likely better."
Neil MacDonald – Gartner Security and Risk Management Summit, London, Sept 2015
6. Cloud Security is a Shared Responsibility
Cloud Service Provider: Security OF the Cloud
• Compute, Storage, Networking, Cloud Infra
Customers: Security and compliance IN the Cloud
• Data Security: Server-side Encryption, Client-side Encryption
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
SaaS
• CSP owns application
• Client owns data and access rights
IaaS/PaaS
• CSP owns network and hypervisors
• Client owns "above the hypervisor"
7. Treacherous 12 - Cloud Computing Top Threats
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
By Cloud Security Alliance
8. Trends in Cloud Data Security & Governance
Perception about Cloud Data Governance
Courtesy: Gemalto Cloud Data Security Report 2016
In 2016, the survey was conducted globally among respondents who had adopted cloud in one form or another.
9. Trends in Cloud Data Security & Governance
Primary Types of Data Stored in the Cloud, 2016 v 2014
10. Trends in Cloud Data Security & Governance
How Data is Protected in the Cloud, 2016 v 2014
11. Trends in Cloud Data Security & Governance
Use of Data De-identification Tools to Secure Data in the Cloud
12. Trends in Cloud Data Security & Governance
How Encryption is Applied, 2016 v 2014
13. Traditional Data States Apply in Clouds too…
Data At Rest
Cloud storage encryption. Different cloud storage types will have different encryption requirements for data at rest.
Data In Motion
When data travels between the cloud consumer environment and the service provider, or WITHIN the cloud service provider environment.
Data In Use
The most critical area of the lot, as it poses privacy, compliance and security challenges. Typical applications are banking applications, advanced data analytics, CRM, etc.
14. Cloud Concerns in Data Context
Oversharing of sensitive data
Administrative Oversight
Compliance & Regulated Data
Data Sovereignty
Cloud Sprawl (Cloud to Cloud Sharing)
15. Data At Rest
There are various encryption controls available, each with pros and cons:
File/Folder Encryption
Full Disk Encryption
Full Virtual Machine Encryption
Special Encryption (DB, Email)
16. Data In Motion
Encryption of data in motion needs to be considered in two places:
• Between the Cloud Service Provider & the consumer environment
• Within the CSP's internal environment
Various controls are available:
TLS/SSL
VPN
Virtual Private Cloud (VPC)
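TLS is only a control for data in motion when the client actually verifies the provider's certificate, checks the hostname and refuses old protocol versions; a quick integration often disables all three. The following is an added example, not code from the slides, using Python's standard `ssl` module: a hardened client context for the consumer-to-CSP leg beside the weak setting it replaces, plus a check a reviewer can run against any context to list what is missing. The `cafile` parameter and the finding strings are this example's own.

```python
import ssl

# Added example (not from the original slides): hardened versus weak TLS client
# settings for traffic between the consumer environment and the CSP.

def make_hardened_client_context(cafile=None):
    """Client context with certificate validation, hostname checking and a
    TLS 1.2 floor. cafile is an optional private CA bundle (assumption: the
    CSP endpoint chains to either the system store or that bundle)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_client_context():
    """The setting a hurried integration often ships with: encryption on the
    wire, but any certificate (and therefore any middlebox) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx):
    """Return the list of weaknesses in a client SSLContext (empty when hardened)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings


if __name__ == "__main__":
    print("hardened:", context_findings(make_hardened_client_context()))
    print("weak:    ", context_findings(make_weak_client_context()))
```

The same three properties are worth checking on the CSP-internal leg (service-to-service calls inside the provider environment), where the slide notes encryption is just as necessary but is more often left to defaults.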
17. Data In Use
Most challenging case because of the nature of cloud and processing applications
Need to satisfy compliance, data residency and sovereignty requirements
Controls Available
Encryption (Format Preserving Encryption)
Tokenization
Masking
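Tokenization and masking are the two data-in-use controls on this slide that need no cryptographic key in the processing application, which is what makes them attractive where format-preserving encryption is too costly. The following is an added example, not code from the slides: a small in-memory token vault that swaps a payment card number for a same-length, digits-only stand-in (the last four digits are kept so existing validation and "card ending in" lookups still work), and a masking function for display. The `TokenVault` class, the Luhn check and the sample card number are this example's own constructions; a real deployment would back the vault with a hardened service, not a dictionary.

```python
import secrets

# Added example (not from the original slides): tokenization and masking of a
# payment card number (PAN). The vault is the only component that ever holds the
# real PAN; applications downstream process the token instead.


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects garbage before it is vaulted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking: irreversibly hide all but the last four digits (receipts, support UI)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Constructed stand-in for a tokenization service (in-memory, not persistent)."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for pan, the same token on every call."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Same length, digits only, last four kept; the prefix is random,
            # so the token carries no information about the real PAN.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the compliance boundary) can reverse a token."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed test card number
    token = vault.tokenize(sample_pan)
    print("token:", token, "masked:", mask_pan(sample_pan))
    print("round trip ok:", vault.detokenize(token) == sample_pan)
```

The contrast with masking is the point: a token can be reversed, but only by the vault, so the application tier that handles it falls outside the scope that holds real PANs; a masked value cannot be reversed by anyone, so it is only fit for display.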
18. Approaches to Data Governance, Security & Privacy
Due diligence: ask your service provider lots of questions
Data Classification
Evolve traditional data controls like DLP & Data Access Governance to protect cloud data, making use of emerging technologies like CASB
Policy Enforcement
Leverage mitigating controls like access controls (MFA) to cater for cloud data
Data De-identification
Compliance Enforcement
User Awareness & Coaching
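Data classification and DLP on this slide, and the PII/PCI concern raised under "Compliance & Regulated Data", come down to one recurring check: does the content a user is about to share or upload contain regulated data? The following is an added example, not code from the slides, of the classification step a DLP or CASB policy would run before enforcing a policy such as "block external sharing of PCI data". It scans constructed sample records for card numbers (digit runs validated with a Luhn check, so random numbers are not flagged) and e-mail addresses, and returns a label set per record. The labels, regexes and sample records are this example's own.

```python
import re

# Added example (not from the original slides): DLP-style classification of
# content before it is shared from or uploaded to a cloud app.

# Constructed sample records; the third contains a digit run that is not a
# valid card number and must not be flagged.
SAMPLE_RECORDS = [
    "Invoice 1043 for jane.doe@example.com, card 4111 1111 1111 1111 exp 09/27",
    "Q3 roadmap: expand retail footprint in Dubai",
    "Order 77 card 1234-5678-9012-3456 shipped",
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the regulated-data labels found in text: 'PCI', 'PII' (hypothetical label names)."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            labels.add("PCI")
    if EMAIL_RE.search(text):
        labels.add("PII")
    return labels


def scan(records) -> list:
    """Classify every record; returns (index, labels) only for records that need a policy decision."""
    return [(i, classify(r)) for i, r in enumerate(records) if classify(r)]


if __name__ == "__main__":
    for index, labels in scan(SAMPLE_RECORDS):
        print(f"record {index}: {sorted(labels)} -> apply sharing policy")
```

The output of `scan` is what a policy engine consumes: records tagged PCI would be routed to the tokenization or masking control before they leave the compliance boundary, records tagged PII to the data-residency rule, and untagged records pass through. A production classifier adds more detectors (national IDs, credentials) and confidence scoring, but the shape stays the same.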
19. What Future Holds?
Mobile Device Accessing Cloud Data
Internet of Things Data
Smart Cities
Cyber incidents (Ransomware) impacting cloud adoption
4 years ago in meetings we were being told the cloud was insecure, very boring.
Let's change this quote around: "If you do it right, the public cloud can be more secure than your own datacentre."
That is the key, that is what today is about – how do you do it right
All of these threats affect data directly or indirectly. Some affect availability, some integrity and some confidentiality.
Oversharing - Users may accidentally share sensitive content such as source code, confidential information, or client records too broadly (e.g., with the whole company or publicly). Users may also re-share content with unexpected consequences, leading to risky exposure and financial liability for the organization.
Administrative Oversight - Due to the challenges of managing data repositories, organizations may inadvertently share data with employees or contractors who have left the company, or discover inherited folder permissions that are inappropriate. Without proper monitoring, such oversights can risk data exposure.
Compliance & Regulated Data - Cloud apps pose a special concern with compliance-regulated data. Are users uploading customer or employee personally identifiable information (PII) or consumer payment card information (PCI) into cloud apps? If so, how is this content being shared and secured? Inappropriate sharing of such content may lead to compliance violations and financial penalties.
Data Sovereignty - Corporations with a global footprint increasingly find themselves grappling with strict data residency and sovereignty challenges that require certain types of data to remain within a defined geographic border. How do organizations ensure use of this restricted data is not violating corporate policies or applicable regulations? Smart Cities example.
Cloud Sprawl - In addition to tracking what users are uploading to or downloading from cloud apps, there are also cloud-to-cloud transactions that may expose corporations to liability. Box and Office 365 example.
Each control and method has pros and cons: processing speed, cost (talk about Format Preserving Encryption, FPE). Many cloud service providers provide basic encryption.
Data in motion and data at rest have been the cornerstones of encryption solutions, but encryption of data in use goes against the basic premise of the first two: the data has to stay protected even while it is being used.