Managing Cloud Security Risks in Your Organization


Published on

Any Organization in the World need to prepare themselves before they move to the cloud, i.e. cloud security risk assessment. It is all about managing your risks if you accept to move to the cloud and understanding the risks and benefits should be essential part of any organization thinking to move to cloud infrastructure.

Published in: Technology
1 Like
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Managing Cloud Security Risks in Your Organization

  1. 1. Managing Cloud Security Risks in your organization 23 November 2013 Seminar Kriptografi dan Keamanan Informasi Sekolah Tinggi Sandi Negara Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  2. 2. About me Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI Researcher – Information Security Research Group and Lecturer Swiss German University Charles.lims [at] and charles.lim [at] I am currently a doctoral student in University of Indonesia Research Interest Malware Intrusion Detection Vulnerability Analysis Digital Forensics Cloud Security Community Indonesia Honeynet Project - Chapter Lead Academy CSIRT - member Master of Information
  3. 3. AGENDA  Cloud Computing  Cloud Security  Cloud Risks  CSA – Cloud Security Alliance  Case  Safe Study – SSH decrypted Cloud – is it possible?  Related Works  Conclusion  References Master of Information 3
  4. 4. Cloud Computing – NIST Definition  NIST define 5 essential characteristics, 3 Service models, 4 cloud deployment models  145/SP800-145.pdf Master of Information 4
  5. 5. Service Models  IaaS = Infrastructure as a Service  PaaS = Platform as a Service  SaaS = Software as a Service  XaaS = Anything as a Service (not included in NIST) Master of Information 5
  6. 6. Cloud Taxonomy Master of Information 6
  7. 7. Where are the risks? Master of Information 7
  8. 8. Cloud Computing Consideration Master of Information
  9. 9. Challenges and benefits Master of Information
  10. 10. The Hybrid enterprise private clouds public clouds Extended Virtual Data Center • • • • Notional organizational boundary Dispersal of applications Dispersal of data Dispersal of users Dispersal of endpoint devices Master of Information cloud of users
  11. 11. Good Practice is the key Compliance + Audit Certification + Standards Good Governance, Risk and Compliance Industry recognized certification Secured Infrastructure Secured and tested technologies Data Security Data Security Lifecycle Master of Information
  12. 12. Cloud Computing – Top Threats/Risks Master of Information
  13. 13. Shared Technologies Vulnerabilities Master of Information
  14. 14. Data Loss / Leakage Master of Information
  15. 15. Malicious Insiders Master of Information
  16. 16. Interception or Hijacking of traffic Master of Information
  17. 17. Insecure APIs Master of Information
  18. 18. Nefarious use of service Master of Information
  19. 19. Unknown Risk Profiles Master of Information
  20. 20. CSA – Cloud Security Framework Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management G o v e r n i n g Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Operating in the Cloud Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Master of Information t h e C l o u d
  21. 21. CSA – Cloud Security Framework Domain Understand Cloud Architecture Governing in the Cloud 1. Governance & Risk Mgt 2. Legal and Electronic Discovery 3. Compliance & Audit 4. Information Lifecycle Mgt 5. Portability & Interoperability Operating in the Cloud 1. Security, Business Continuity and Disaster Recovery 2. Data Center Operations 3. Incident Response 4. Application Security 5. Encryption & Key Mgt 6. Identity & Access Mgt 7. Virtualization Master of Information
  22. 22. Domain 2 Domain3 Governance Legal and and Enterprise Electronic Discovery Risk Management Domain 7 Traditional Domain 11 Domain 12 Security, Business Encryption and Identity and Continuity, and Key Access Disaster Recovery Management Management Domain 5 Information Lifecycle Management Domain 6 Portability and Domain Domain 7 11 Domain 12 Domain 9 Traditional Encryption and Key Identity and Access Security, Business Incident Management Management Continuity, and Response, Notificati Disaster Recovery on, and Remediation Interoperability Domain 10 Application Security Domain 13 Virtualization Domain 6 Portability and Interoperability Domain 2 Governance and Enterprise Risk Management Domain 4 Domain 6 Domain 8 Portability Data and Center Operations Interoperability Master of Information Compliance and Audit How Security Gets Integrated
  23. 23. CSA – Cloud Assessment Framework Master of Information
  24. 24. Sample Assessment Governance • Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture • Know provider’s third parties, BCM/DR, financial viability, employee vetting • • • • Identify data location when possible Plan for provider termination & return of assets Preserve right to audit where possible Reinvest provider cost savings into due diligence Master of Information
  25. 25. Sample Assessment Operation • Encrypt data when possible, segregate key mgt from cloud provider • • Adapt secure software development lifecycle • Logging, data exfiltration, granular customer segregation • • Hardened VM images Understand provider’s patching, provisioning, protection Assess provider IdM integration, e.g. SAML, OpenID Master of Information
  26. 26. Cloud Control Matrix Tool Controls derived from guidance Rated as applicable to SP-I Customer vs Provider role Mapped to ISO 27001, COBIT, PCI, HIPA A Help bridge the “cloud gap” for IT & IT auditors Master of Information
  27. 27. Cloud Adoption - Challenges Market Perception toward cloud Master of Information
  28. 28. Case Study – SSH decrypted (VM)  Based  Key on Brian Hay and Kara Nance paper Motivation:  Malware encrypted communication with C & C  Law Enforcement capability to monitor deployed cloud and enterprise VM  Novelty:  Visibility into cryptographically protected data and communication channels  No modifications to VM Master of Information
  29. 29. Case Study – SSH decrypted (VM)  Approach:  Identification (Processes of crypto lib and calls made to the lib)  Recovery (input to & output to – crypto functions)  Identification (crypto keys)  Recovery (crypto keys above)  Recovery of plaintext (using recovered keys)  How to  Minimum described in the paper  Keywords  Xen platform, libvirt, sebek techniques Master of Information
  30. 30. Case Study – SSH decrypted (VM)  Sebek Installation & Operation   room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996   Limitation  Sebek modules can be detected with rootkit detection tools Master of Information
  31. 31. Case Study – SSH decrypted (VM) Master of Information
  32. 32. Case Study – SSH decrypted (VM) Master of Information
  33. 33. Case Study – SSH decrypted (VM) Master of Information
  34. 34. Case Study – SSH decrypted (VM) Master of Information
  35. 35. Safe Cloud – is it possible?  Big Question: Is it possible to have a safe cloud? ( Master of Information 35
  36. 36. New Development – Cloud Crypto Master of Information 36
  37. 37. Related Works  Related Works Lim et. al. , “Risk Analysis and comparative study of Different Cloud Computing Providers In Indonesia," ICCCSN 2012 Amanatullah et. al. "Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective,” ICISS 2013 Master of Information
  38. 38. Other Security-related Publications  Related Works Lim et. al. , "Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia," Advanced Science Letters, 2014 Suryajaya et. al. "PRODML Performance Evaluation as SOT Data Exchange Standard,” IC3INA 2013 Master of Information
  39. 39. Conclusion is no 100% security  It is all about managing risks  There  It all depends on single, exploitable vulnerability (the weakest link)  Cloud greatest risk is still the insiders  CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance  Uncovering crypto keys in the cloud is possible  important to malware research Master of Information
  40. 40. References – Cloud computing risk assessment (  ENISA  Cloud Security Alliance (  Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012. Master of Information
  41. 41. Thank You
  42. 42. Questions Master of Information 42