SECURITY IN THE SKIES
                                           Mano ‘dash4rk’ Paul
      CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

                          SecuRisk Solutions / Express Certifications
                            mano(dot)paul(at)securisksolutions(dot)com
                          mano(dot)paul(at)expresscertifications(dot)com




              © 2007-2012 - SecuRisk Solutions




Who am I? – The ABC’s
•  Author
   •  The 7 Qualities of Highly Secure Software (May 2012)
   •  Official (ISC)2 Guide to the CSSLP
   •  Information Security Management Handbook
•  Advisor – Software Assurance, (ISC)2
•  Biologist – Shark Researcher
•  Christian – HackFormers
•  CEO – SecuRisk Solutions & Express Certifications
…
•  VP – Education, Austin CSA





Awards and Recognition
•  2010 President’s Award
•  2011 Americas Information Security Leadership Award (Practitioner)








In the News – Feb 27, 2012

Source: StratFor Emails Leaked by Wikileaks (http://www.myfoxaustin.com)




What are we here to learn about?
•  Topic: Security in the Skies
    •  Concerns, Threats and Controls in Cloud Computing
    •  Dark Clouds (Concerns, Threats) and Silver Lining (Controls)
•  Agnostic
   •  Technology
   •  Vendor
•  Level:
   •  Snorkel / Mid-range / Deep sea
•  Tweet (@manopaul) / Blog








What is the Cloud?




CLOUD 3-4-5
•  3 – Service Models
•  4 – Deployment Models / Types
•  5 – Characteristics

IT delivered as a Standardized Service




3 – Cloud Service Models

Infrastructure as a Service (IaaS) – Networking, Storage, Servers, Virtual machines …
•  Capability for consumer provisioning of Processing / Storage / Networks / Other resources
•  Consumer does not control underlying cloud infrastructure

Platform as a Service (PaaS) – OS, Middleware, Execution Runtime, …
•  Consumer deploys to cloud infrastructure
•  Consumer created or acquired applications
•  Consumer does not manage or control infrastructure
•  Some control over deployed apps and app. hosting environment

Software as a Service (SaaS) – Virtual desktops, Data, Apps …
•  Use the provider’s applications
•  Running on a cloud infrastructure
•  No management or control




4 – Cloud Deployment Models / Types

Private cloud
•  Organization specific
•  Managed by organization or 3rd party
•  On/Off premise; Mostly On

Community cloud
•  Shared Infrastructure – Related parties
•  Managed by organization or 3rd party
•  On/Off premise

Public cloud
•  Shared Infrastructure – Unrelated parties
•  Owned/Managed by service provider
•  Off premise

Hybrid cloud
•  A composition of two or more cloud types
•  Bound together by technology to enable data and application portability




5 – Characteristics
•  Resource Pooling (WHO-ever) – The provider’s computing resources are pooled and dynamically assigned to serve multiple consumers.
•  Rapid Elasticity (WHAT-ever) – Capabilities are rapidly and elastically provisioned, in some cases automatically, depending on requirements.
•  On-Demand Self Service (WHEN-ever) – Consumer-directed, automated provisioning with no human interaction at the provider.
•  Broad Network Access (WHERE-ever) – Capabilities are delivered over the network and accessed through standard mechanisms.
•  Measured Service – The cloud system automatically monitors, optimizes, controls and reports resource use transparently.




Wherein LIES the Control?

Who manages each layer under (On-Premises), Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS):

Layer            On-Premises    IaaS             PaaS             SaaS
Applications     You manage     You manage       You manage       Other manages
Data             You manage     You manage       You manage       Other manages
Runtime          You manage     You manage       Other manages    Other manages
Middleware       You manage     You manage       Other manages    Other manages
OS               You manage     You manage       Other manages    Other manages
Virtualization   You manage     Other manages    Other manages    Other manages
Servers          You manage     Other manages    Other manages    Other manages
Storage          You manage     Other manages    Other manages    Other manages
Networking       You manage     Other manages    Other manages    Other manages




Opportunity or Crisis?








DARK CLOUDS
    Security Threats to Cloud Computing








Top Threats – Lists/Publications

•  (ISC)2 (GISWS 2011) – Top 7
    •  Unauthorized Disclosure
    •  Data Loss/Leakage
    •  Weak Access Controls
    •  Susceptibility to Cyber Attacks
    •  Disruptions
    •  Inability to support compliance audit
    •  Inability to support forensic investigations

•  CSA v1.0 (2010) – 7 deadly sins
    •  Abuse and nefarious use of cloud computing
    •  Insecure APIs
    •  Malicious Insider
    •  Shared Technology Vulnerabilities
    •  Data Loss/Leakage
    •  Account/Service & Traffic Hijacking
    •  Unknown Risk Profile

•  OWASP (pre-alpha 2011) – Top 10
    •  Accountability and Data Ownership
    •  User Identity Federation
    •  Regulatory Compliance
    •  Business Continuity and Resiliency
    •  User Privacy and Secondary use of Data
    •  Service and Data Integration
    •  Multi-tenancy and Physical security
    •  Incidence analysis and Forensic Support
    •  Infrastructure Security
    •  Non-production Environment Exposure




Top Threats to Cloud Computing
•  Data Security / Loss / Leakage / Remanence
•  Access Controls / Account, Service & Traffic Hijacking
•  Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
•  Abuse or Nefarious Use / Shared Technology Issues
•  Cyber Forensics / Unknown Risk Profile / Malicious Insiders

Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0








SILVER LINING
 “there’s a silver lining to every cloud that sails about
 the heavens if we could only see it”
        Marian or Young Maid’s Fortune, Dublin Magazine, 1840


 “Hope is a good thing, maybe the best of things,
 and no good thing ever dies.”
                                                     The Shawshank Redemption







Dark Clouds / Silver Lining
          Data Security / Loss / Leakage / Remanence
          Controls


•  Cryptography Protection (Encryption/Hashing)
•  Cryptographic Agility
•  Secure Data Disposal (Overwriting*)
•  DLP technologies








Dark Clouds / Silver Lining
         Access Controls / Account, Service & Traffic Hijacking


•  Access Control Lists (ACLs) / RBACs
•  Chinese Wall
•  Session Management
   •  Eavesdropping
   •  Redirection
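The "Chinese Wall" bullet above refers, on the assumption that the slide means the Brewer-Nash model, to an access rule that binds a subject to one tenant's dataset per conflict-of-interest class once it has been touched. The following is an added example, not code from the slides or from SecuRisk Solutions; all class, subject and dataset names are constructed.

```python
"""Minimal Brewer-Nash ("Chinese Wall") access check for a multi-tenant store.

Assumptions (constructed for this example): every data object belongs to one
company dataset, datasets are grouped into conflict-of-interest (COI) classes,
and a subject may access at most one dataset per COI class.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataObject:
    name: str
    dataset: str      # company whose data this is, e.g. "BankA"
    coi_class: str    # conflict-of-interest class, e.g. "banks"


@dataclass
class ChineseWall:
    # history[subject] = {coi_class: dataset already accessed in that class}
    history: dict[str, dict[str, str]] = field(default_factory=dict)

    def is_allowed(self, subject: str, obj: DataObject) -> bool:
        """Simple-security rule: allowed if the subject has touched no dataset
        in this COI class yet, or has only ever touched this same dataset."""
        seen = self.history.get(subject, {}).get(obj.coi_class)
        return seen is None or seen == obj.dataset

    def access(self, subject: str, obj: DataObject) -> bool:
        """Attempt an access; on success, record the dataset so that later
        requests in the same COI class are bound to it (the wall goes up)."""
        if not self.is_allowed(subject, obj):
            return False
        self.history.setdefault(subject, {})[obj.coi_class] = obj.dataset
        return True


def demo() -> list[bool]:
    """Walk one analyst through competing tenants; returns the decisions."""
    wall = ChineseWall()
    bank_a = DataObject("bankA/ledger.csv", "BankA", "banks")
    bank_b = DataObject("bankB/ledger.csv", "BankB", "banks")
    oil_x = DataObject("oilX/reserves.csv", "OilX", "oil")
    return [
        wall.access("analyst", bank_a),  # True: first touch of class "banks"
        wall.access("analyst", oil_x),   # True: a different COI class
        wall.access("analyst", bank_b),  # False: conflicts with BankA
        wall.access("analyst", bank_a),  # True: same dataset again is fine
        wall.access("auditor", bank_b),  # True: separate subject, own history
    ]


if __name__ == "__main__":
    print(demo())
```

The denied third access is the point of the control: a hijacked or over-privileged account that has already read one tenant's data cannot pivot to a competitor's data in the same class.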




                                                              Image Source: (ISC)2 Whitepaper






Dark Clouds / Silver Lining
        Susceptibility to Cyber Attacks / Insecure Interfaces or APIs


•  Vendor lock-in
   •  Understand dependency chain of APIs (Vendor lock-in)
   •  Perform ROI exercise for proprietary APIs
•  Don’t use deprecated/insecure APIs
•  Secure Authentication
   •  SSO (Weakest Link)




                                                                 Image Source: CloudAve





Dark Clouds / Silver Lining
            Abuse or Nefarious Use / Shared Technology Issues


•  Hardening & Sandboxing
   •  Platform/Hypervisor Exploits
•  Cloud Isolation Technologies
•  Secure Communications




                                                                Image Source: apigee.com








Dark Clouds / Silver Lining
        Cyber Forensics / Malicious Insiders / Unknown Risk Profile


•  Identity Management
    •  Provisioning/De-provisioning
•  Logging and Auditing
   •  Detective and Deterrent
•  Trust but verify
   •  Don’t Trust AND Verify








Some closing thoughts








References
•  Security in the Skies – (ISC)2 Whitepaper
•  (ISC)2 Global Information Security Workforce Study (2011)
•  CSA Top threats to Cloud Computing v1.0 (2010)
•  7 Deadly Sins of Cloud Security (2010)
•  OWASP Cloud 10 project (pre-alpha)
•  ASIS/(ISC)2 Security Congress Cloud Security Panel (2011)
•  Gartner/IEEE Publications








THANK YOU
                                       Mano ‘dash4rk’ Paul
  CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

                   SecuRisk Solutions / Express Certifications
                     mano(dot)paul(at)securisksolutions(dot)com
                   mano(dot)paul(at)expresscertifications(dot)com





Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 

Recently uploaded (20)

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 

Security in the Skies

  • 1. SECURITY IN THE SKIES Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI SecuRisk Solutions / Express Certifications mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul@expresscertifications(dot)com © 2007-2012 - SecuRisk Solutions
  • 2. 2 Who am I? – The ABC’s •  Author •  The 7 Qualities of Highly Secure Software (May 2012) •  Official (ISC)2 Guide to the CSSLPCM •  Information Security Management Handbook •  Advisor – Software Assurance, (ISC)2 •  Biologist – Shark Researcher •  Christian – HackFormers •  CEO – SecuRisk Solutions & Express Certifications … •  VP – Education, Austin CSA © 2007-2012 - SecuRisk Solutions
  • 3. 3 Awards and Recognition 2010 President’s Award 2011 Americas Information Security Leadership Award (Practitioner) © 2007-2012 - SecuRisk Solutions
  • 4. 4 In the News – Feb 27, 2012 Source: StratFor Emails Leaked by Wikileaks http://www.myfoxaustin.com
  • 5. 5 What are we here to learn about? •  Topic: Security in the Skies •  Concerns, Threats and Controls in Cloud Computing •  Dark Clouds (Concerns, Threats) and Silver Lining (Controls) •  Agnostic •  Technology •  Vendor •  Level: •  Snorkel / Mid-range / Deep sea •  Tweet (@manopaul) / Blog © 2007-2012 - SecuRisk Solutions
  • 6. 6 What is the Cloud?
  • 7. 7 CLOUD 3-4-5 3 – Service Models 4 – Deployment Models / Types 5 – Characteristics IT delivered as a Standardized Service © 2007-2012 - SecuRisk Solutions
  • 8. 8 3 – Cloud Service Models
     Infrastructure as a Service (Networking, Storage, Servers, Virtual machines …)
       •  Capability for consumer provisioning of Processing / Storage / Networks / Other resources
       •  Consumer does not control underlying cloud infrastructure
     Platform as a Service (OS, Middleware, Execution Runtime, …)
       •  Consumer deploys consumer-created or acquired applications to cloud infrastructure
       •  Consumer does not manage or control infrastructure
       •  Some control over deployed apps and app. hosting environment
     Software as a Service (Virtual desktops, Data, Apps …)
       •  Use the provider’s applications
       •  Running on a cloud infrastructure
       •  No management or control
  • 9. 9 4 – Cloud Deployment Models / Types
     Private
       •  Organization specific
       •  Managed by organization or 3rd party
       •  On/Off premise; Mostly On
     Community
       •  Shared Infrastructure – Related parties
       •  Managed by organization or 3rd party
       •  On/Off premise
     Public
       •  Shared Infrastructure – Unrelated parties
       •  Owned/Managed by service provider
       •  Off premise
     Hybrid
       •  A composition of two or more cloud types
       •  Bound together by technology to enable data and application portability
  • 10. 10 5 – Characteristics
       •  Resource Pooling (WHO-ever): Provider’s computing resources are pooled and dynamically assigned to serve multiple consumers
       •  Rapid Elasticity (WHAT-ever): Capabilities are rapidly and elastically provisioned, some automated, depending on requirements
       •  On-Demand Self Service (WHEN-ever): Consumer-directed, automated provisioning with no human interaction at the provider
       •  Broad Network Access (WHERE-ever): Capabilities delivered over the network, accessed through standard mechanisms
       •  Measured Service: Cloud system automatically monitors, optimizes, controls and reports resource use transparently
  • 11. 11 Wherein LIES the Control?
                        On-Premises   Infrastructure   Platform        Software
                                      as a Service     as a Service    as a Service
       Applications     You manage    You manage       You manage      Other manages
       Data             You manage    You manage       You manage      Other manages
       Runtime          You manage    You manage       Other manages   Other manages
       Middleware       You manage    You manage       Other manages   Other manages
       OS               You manage    You manage       Other manages   Other manages
       Virtualization   You manage    Other manages    Other manages   Other manages
       Servers          You manage    Other manages    Other manages   Other manages
       Storage          You manage    Other manages    Other manages   Other manages
       Networking       You manage    Other manages    Other manages   Other manages
  • 12. 12 Opportunity or Crisis? © 2007-2012 - SecuRisk Solutions
  • 13. 13 DARK CLOUDS Security Threats to Cloud Computing © 2007-2012 - SecuRisk Solutions
  • 14. 14 Top Threats – Lists/Publications
     (ISC)2 (GISWS 2011) – Top 7
       •  Unauthorized Disclosure
       •  Data Loss/Leakage
       •  Weak Access Controls
       •  Susceptibility to Cyber Attacks
       •  Disruptions
       •  Inability to support compliance audit
       •  Inability to support forensic investigations
     OWASP (pre-alpha 2011) – Top 10
       •  Accountability and Data Ownership
       •  User Identity Federation
       •  Regulatory Compliance
       •  Business Continuity and Resiliency
       •  User Privacy and Secondary use of Data
       •  Service and Data Integration
       •  Multi-tenancy and Physical security
       •  Incidence analysis and Forensic Support
       •  Infrastructure Security
       •  Non-production Environment Exposure
     CSA v1.0 (2010) – 7 deadly sins
       •  Abuse and nefarious use of cloud computing
       •  Insecure APIs
       •  Malicious Insider
       •  Shared Technology Vulnerabilities
       •  Data Loss/Leakage
       •  Account/Service & Traffic Hijacking
       •  Unknown Risk Profile
  • 15. 15 Top Threats to Cloud Computing •  Data Security / Loss / Leakage / Remanence •  Access Controls / Account, Service & Traffic Hijacking •  Susceptibility to Cyber Attacks / Insecure Interfaces or APIs •  Abuse or Nefarious Use / Shared Technology Issues •  Cyber Forensics / Unknown Risk Profile / Malicious Insiders Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0 © 2007-2012 - SecuRisk Solutions
  • 16. 16 SILVER LINING “there’s a silver lining to every cloud that sails about the heavens if we could only see it” Marian or Young Maid’s Fortune, Dublin Magazine, 1840 “Hope is a good thing, maybe the best of things, and no good thing ever dies.” The Shawshank Redemption © 2007-2012 - SecuRisk Solutions
  • 17. 17 Dark Clouds / Silver Lining Data Security / Loss / Leakage / Remanence •  Controls •  Cryptography Protection (Encryption/Hashing) •  Cryptographic Agility •  Secure Data Disposal (Overwriting*) •  DLP technologies © 2007-2012 - SecuRisk Solutions
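The two controls on this slide that are easiest to get wrong in practice are hashing and cryptographic agility. The following is an added example (not from the deck or from (ISC)2) showing what agility means concretely: the scheme identifier travels with every stored hash, verification honours whatever scheme a record carries, and records under a retired scheme are upgraded the next time the secret is in hand. The scheme names and iteration counts are constructed for illustration, not a recommended policy.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Registry of hashing schemes, oldest first. Tagging each record with its
# scheme is what makes later migration possible (cryptographic agility).
# Constructed example: names and iteration counts are illustrative only.
SCHEMES = {
    "pbkdf2-sha1-v1":   ("sha1",   10_000),
    "pbkdf2-sha256-v2": ("sha256", 200_000),
}
CURRENT_SCHEME = "pbkdf2-sha256-v2"


def hash_secret(secret: str, scheme: str = CURRENT_SCHEME,
                salt: Optional[bytes] = None) -> str:
    """Return 'scheme$salt_hex$digest_hex' so the scheme travels with the data."""
    digest_name, iterations = SCHEMES[scheme]
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest_name, secret.encode(), salt, iterations)
    return f"{scheme}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify against whatever scheme the record carries.

    Returns (ok, upgraded_record): upgraded_record is a fresh hash under the
    current scheme when the stored one is outdated, otherwise None.
    """
    scheme, salt_hex, digest_hex = stored.split("$")
    digest_name, iterations = SCHEMES[scheme]
    salt = bytes.fromhex(salt_hex)
    dk = hashlib.pbkdf2_hmac(digest_name, secret.encode(), salt, iterations)
    # Constant-time comparison so timing does not leak digest prefixes.
    if not hmac.compare_digest(dk.hex(), digest_hex):
        return False, None
    if scheme != CURRENT_SCHEME:
        # The plaintext is only available during a successful verification,
        # so this is the moment to rehash under the current scheme.
        return True, hash_secret(secret)
    return True, None


def outdated_records(records: Dict[str, str]) -> List[str]:
    """Audit view: record ids still protected by a non-current scheme."""
    return [rid for rid, rec in records.items()
            if rec.split("$", 1)[0] != CURRENT_SCHEME]
```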
  • 18. 18 Dark Clouds / Silver Lining Access Controls / Account, Service & Traffic Hijacking •  Access Control Lists (ACLs) / RBACs •  Chinese Wall •  Session Management •  Eavesdropping •  Redirection Image Source: (ISC)2 Whitepaper © 2007-2012 - SecuRisk Solutions
  • 19. 19 Dark Clouds / Silver Lining Susceptibility to Cyber Attacks / Insecure Interfaces or APIs •  Vendor lock-in •  Understand dependency chain of APIs (Vendor lock-in) •  Perform ROI exercise for proprietary APIs •  Don’t use deprecated/insecure APIs •  Secure Authentication •  SSO (Weakest Link) Image Source: CloudAve © 2007-2012 - SecuRisk Solutions
  • 20. 20 Dark Clouds / Silver Lining Abuse or Nefarious Use / Shared Technology Issues •  Hardening & Sandboxing •  Platform/Hypervisor Exploits •  Cloud Isolation Technologies •  Secure Communications Image Source: apigee.com © 2007-2012 - SecuRisk Solutions
  • 21. 21 Dark Clouds / Silver Lining Cyber Forensics / Malicious Insiders / Unknown Risk Profile •  Identity Management •  Provisioning/De-provisioning •  Logging and Auditing •  Detective and Deterrent •  Trust but verify •  Don’t Trust AND Verify © 2007-2012 - SecuRisk Solutions
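Slide 21 pairs identity lifecycle management (provisioning/de-provisioning) with logging and auditing as detective controls, and closes with "Don't Trust AND Verify". The following is an added example, not from the deck, of the verify step: a small audit that joins an identity-lifecycle log against a resource-access log to surface access by de-provisioned or never-provisioned principals. Both log formats, their field names and all sample entries are constructed for this illustration.

```python
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List

# Constructed sample logs from a hypothetical cloud tenant (formats assumed).
LIFECYCLE_LOG = """\
ts,event,principal
2012-02-01T09:00:00,provision,alice
2012-02-01T09:00:00,provision,bob
2012-02-20T17:30:00,deprovision,bob
"""
ACCESS_LOG = """\
ts,principal,action,resource
2012-02-15T10:12:00,bob,read,bucket/finance
2012-02-21T08:05:00,bob,read,bucket/finance
2012-02-22T11:40:00,carol,write,bucket/hr
2012-02-22T12:00:00,alice,read,bucket/hr
"""


def _parse(text: str) -> List[dict]:
    return list(csv.DictReader(StringIO(text)))


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def audit_access(lifecycle_csv: str, access_csv: str) -> List[dict]:
    """Return access records that contradict the identity lifecycle."""
    provisioned = set()
    deprovisioned: Dict[str, datetime] = {}
    # Replay lifecycle events in order; a later provision clears an earlier
    # de-provision so re-onboarded principals are not flagged.
    for ev in _parse(lifecycle_csv):
        if ev["event"] == "provision":
            provisioned.add(ev["principal"])
            deprovisioned.pop(ev["principal"], None)
        elif ev["event"] == "deprovision":
            deprovisioned[ev["principal"]] = _ts(ev["ts"])
    findings = []
    for rec in _parse(access_csv):
        principal, when = rec["principal"], _ts(rec["ts"])
        if principal not in provisioned:
            findings.append({**rec, "finding": "principal never provisioned"})
        elif principal in deprovisioned and when > deprovisioned[principal]:
            findings.append({**rec, "finding": "access after de-provisioning"})
    return findings
```

Bob's access on 2012-02-15 is legitimate and stays silent; only his post-de-provisioning read and Carol's access under an account the lifecycle log never saw are reported.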
  • 22. 22 Some closing thoughts © 2007-2012 - SecuRisk Solutions
  • 23. 23 References •  Security in the Skies – (ISC)2 Whitepaper •  (ISC)2 Global Information Security Workforce Study (2011) •  CSA Top threats to Cloud Computing v1.0 (2010) •  7 Deadly Sins of Cloud Security (2010) •  OWASP Cloud 10 project (pre-alpha) •  ASIS/(ISC)2 Security Congress Cloud Security Panel (2011) •  Gartner/IEEE Publications © 2007-2012 - SecuRisk Solutions
  • 24. 24 THANK YOU Mano ‘dash4rk’ Paul CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI SecuRisk Solutions / Express Certifications mano(dot)paul(at)securisksolutions(dot)com mano(dot)paul(at)expresscertifications(dot)com © 2007-2011 - SecuRisk Solutions