Identity theft in the Cloud and remedies


Cloud can provide great flexibility to IT, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt virtual data center (IaaS) or on-line applications (SaaS), you shift the paradigm of security as it was conceived up to now. The presentation will examine the security implications of a Cloud infrastructure and possible remedies with practical examples.

Published in: Technology

  1. Identity theft in the Cloud and remedies. Giuseppe “Gippa” Paternò, Friday 26 October 12
  2. My identity: Giuseppe “Gippa” Paternò
     • Director Digital of GARL, the Swiss bank behind the SecurePass service
     • EMEA Sales Engineer at Canonical, the company behind Ubuntu
     • Security researcher, open source enthusiast, and friend of the “Penguin” since 1995
     • Leisure pilot ... a good excuse to be back at an airport during the weekends :)
     • Non-professional chef (Ramsay, I challenge you :)
     • Radio amateur with a passion for “strange” WiFi: my association holds the world record for a 304 km WiFi link!!
  3. Cloud, a buzzword with different meanings: IaaS, SaaS, PaaS ... what a MesS!
  4. What is meant by “Cloud”
     A set of services, usually “rented” from a service provider or from the internal IT department (in large corporations), that enables:
     • Flexibility: the ability to expand or reduce our IT infrastructure based on business needs
     • Resiliency: high availability of IT services, ensuring business continuity in any event
     • Accessibility: access to services anytime and anywhere on earth with a simple Internet connection
     • Cost optimization: a true pay-as-you-use IT infrastructure, without wasting money
  5. The Cloud: IaaS (Infrastructure as a Service)
     • Renting a virtual infrastructure from a service provider, composed of virtual servers and virtual networks
     • Example: Amazon Web Services, Moresi.Com, etc.
     • Security risk: total control of the IT infrastructure by an attacker, with service disruption or silent data leaking (the control panel is accessible from the Internet)
  6. The Cloud: SaaS (Software as a Service)
     • Renting a given application, usually web-based, from a service provider, with high availability and accessible from anywhere
     • Example: SalesForce.com, Office 365, etc.
     • Security risk: compromising a single identity leads to corporate data leaking to an attacker or competitor
  7. The Cloud: PaaS (Platform as a Service)
     • Renting an “application environment” that hosts YOUR application. Compared to IaaS, PaaS does not focus on the operating system but on “operating” the application environment (app server, languages, frameworks, databases, etc.)
     • Example: Microsoft Azure, Google App Engine, CloudFoundry, etc.
     • Security risk: total control of the application(s) by an attacker, with service disruption (the control panel is accessible from the Internet) and corporate data leaking (theft of users’ identities)
  8. Let’s make things complicated: BYOD
     • Yet another marketing buzzword :)
     • BYOD = Bring Your Own Device
     • Basically the use of a “consumer” device within a corporate environment: iPad/iPhone/Android/...
     • Security risk: a lost or stolen device means access to confidential data. Many apps for iOS/Android embed a “static key” that bypasses the identification process: the key is the same in every installed copy, so extracting it from one device exposes every user of the app.
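The static-key problem on this slide, shown as an added example that is not part of the original deck or of SecurePass: a hypothetical mobile backend that first accepts one key baked into every copy of the app, then replaces it with a per-user, per-device token that is signed by the server, expires, and can be revoked when that one device is reported lost. The key value, server secret, user and device names, and the token format are all assumptions for illustration.

```python
# Added example, not from the original slides: a static app key baked into every
# install versus a per-device token that is signed, expiring and revocable.
# Server secret, key value, users, device names and token format are constructed here.
import base64
import binascii
import hashlib
import hmac
import json
import os

# --- Weak pattern: one "static key" shipped inside the app binary (constructed value).
# It is identical on every device, so it identifies the app, never the user.
STATIC_APP_KEY = "app-build-2012-shared-key"


def check_static_key(presented: str) -> bool:
    """Whoever extracts the key from one lost device passes this check for everyone."""
    return hmac.compare_digest(presented, STATIC_APP_KEY)


# --- Hardened pattern: the server issues a token bound to (user, device) after the
# user has authenticated; the token carries an expiry and the device can be revoked.
SERVER_SECRET = os.urandom(32)          # server-side only, never inside the app
REVOKED_DEVICES: set[str] = set()       # populated when a device is reported lost


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def issue_device_token(user: str, device_id: str, now: int, ttl: int = 3600) -> str:
    """Token = base64(claims) '.' HMAC-SHA256(claims); claims name user, device and expiry."""
    claims = {"u": user, "d": device_id, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)


def verify_device_token(token: str, now: int):
    """Return (claims, "ok") or (None, reason). The signature is checked before any claim is trusted."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None, "expired"
    if claims["d"] in REVOKED_DEVICES:
        return None, "device revoked"
    return claims, "ok"


def revoke_device(device_id: str) -> None:
    """What the helpdesk does when a BYOD tablet is lost: only that device loses access."""
    REVOKED_DEVICES.add(device_id)


if __name__ == "__main__":
    now = 1_000_000
    print("static key accepted from anyone:", check_static_key(STATIC_APP_KEY))
    tok = issue_device_token("alice", "ipad-1", now)
    print("fresh token:", verify_device_token(tok, now + 10)[1])
    revoke_device("ipad-1")
    print("after device lost:", verify_device_token(tok, now + 10)[1])
```

The contrast is the point of the slide: with the static key, a single extracted copy is a credential for the whole user base and there is nothing to revoke short of shipping a new app build; with a per-device token, losing an iPad costs one `revoke_device` call and the exposure window is at most the token lifetime.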
  9. Famous victims of identity theft ... and many others!
  10. Identity theft in numbers
     • 10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
     • 221 billion dollars lost every year due to identity theft (Aberdeen Group)
     • 5840 hours to correct the damage due to identity theft, i.e. 2 years of a working resource (ITRC Aftermath Study, 2004)
     • 35 billion corporate and government records compromised in 2010 (ITRC)
     • 2 is the multiplication factor of the number of breaches from 2009 to 2010: the trend of data breaches due to identity theft is doubling each year
  11. Human factor, an example in aviation
     “An organization can minimize its vulnerability to human error and reduce its risks by implementing human factors best practices [...] It contains guidance material which [...] should help reduce the risks associated with human error and human factors, and improve safety. It [...] concentrates upon risk and error management rather than risk and error elimination.” (EASA, JAR 145, Aviation Human Factors)
  12. Human factor in IT (in)security
     • The human factor is the primary cause of intrusions by hackers, foreign government agencies or competitors. Two major issues:
       • Passwords that are easy to guess or crack
       • Social engineering
     • Hope is not a strategy!
  13. Best practices, why they don’t work
     • Maybe the most adopted is BS 7799 / ISO 17799, which eventually became the ISO 27001/27002 family
     • Most best practices cover physical access, server hardening, network access and segregation, etc.
     • They just don’t make sense anymore in a Cloud environment, where the provider, not you, operates the physical and network layers
     • ... but they can be helpful to select our supplier
     • What still makes sense is access control:
       • secure identification of a given user (identity management)
       • checking and logging who’s doing what (auditing)
       • permissions/rights to access a given piece of data or document (policy management)
  14. Identity theft remedies: this is not a remedy! :-)
  15. Identity theft remedies: ... and neither is this! ;-)
  16. Identity theft remedies
     Security must be simple and transparent to the end user, otherwise it will be circumvented!
     • Strong authentication of the users
     • Identify which country the user is connecting from (GeoIP)
     • Patches, patches and ... patches!
     • Secure application programming
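The first two remedies on this slide, as an added example that is not part of the original deck or of SecurePass: a login policy that verifies an RFC 6238 time-based one-time password (what a smartphone soft token produces), checks the connecting country through a GeoIP lookup, and writes an audit line for every decision, which also covers the “who’s doing what” point of slide 13. It goes one step beyond the slide by refusing a one-time code that has already been consumed, so a sniffed code cannot be replayed within the same time step. The GeoIP table (built on RFC 5737 documentation ranges), the user record, its password, the allowed countries and the log format are constructed assumptions; the OTP secret is the RFC 6238 test-vector key, so the generated codes can be checked against the RFC.

```python
# Added example, not from the original slides: strong authentication (RFC 6238 TOTP)
# plus a GeoIP country check, combined into one audited login decision.
# The GeoIP table, user record, password, allowed countries and log format are constructed.
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (30 s steps by default)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30):
    """Return the time step that matched (allowing +/- window steps of clock skew) or None."""
    base = at // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k), code):
            return base + k
    return None


# Constructed GeoIP table: RFC 5737 documentation ranges, country codes invented.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("203.0.113.0/24"): "IT",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"   # unknown origin never appears in an allow-list, so it is denied below


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw": _pw_hash("correct horse", _SALT),
        "salt": _SALT,
        "secret": b"12345678901234567890",   # RFC 6238 test-vector secret (SHA1)
        "countries": {"CH", "IT"},           # where this user may log in from
        "last_step": -1,                     # highest TOTP step already consumed
    }
}


def authenticate(user: str, password: str, otp: str, ip: str, at: int, audit: list):
    """Policy: known user, allowed country, correct password, fresh and unused OTP.
    Every decision is appended to `audit` so 'who did what' can be checked later."""
    cc = country_of(ip)

    def decide(ok: bool, reason: str):
        audit.append(f"t={at} user={user} ip={ip} country={cc} "
                     f"result={'ALLOW' if ok else 'DENY'} reason={reason}")
        return ok, reason

    rec = USERS.get(user)
    if rec is None:   # a production system would spend the same time here as on a real user
        return decide(False, "unknown user")
    if cc not in rec["countries"]:
        return decide(False, "country not allowed")
    if not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"]):
        return decide(False, "bad password")
    step = verify_totp(rec["secret"], otp, at)
    if step is None:
        return decide(False, "bad otp")
    if step <= rec["last_step"]:
        return decide(False, "otp already used")   # replay of a sniffed code
    rec["last_step"] = step
    return decide(True, "ok")


if __name__ == "__main__":
    log = []
    s = USERS["alice"]["secret"]
    print(authenticate("alice", "correct horse", totp(s, 1_000_000), "198.51.100.7", 1_000_000, log))
    print(authenticate("alice", "correct horse", totp(s, 1_000_000), "192.0.2.9", 1_000_000, log))
    print(*log, sep="\n")
```

The country check runs first because it is cheap and needs no secret; the password and OTP checks both use constant-time comparison. The GeoIP table is deliberately a plain dictionary so the policy can be read without a vendor database; a real deployment would swap `country_of` for a MaxMind-style lookup and keep everything else.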
  17. Intranet vs the Cloud and the trusted third party
     • In a “traditional” world, Microsoft Active Directory usually covers the identity management, auditing and policy roles
     • AD was not conceived to fit a Cloud environment or to be accessed from “outside” the company boundaries (or firewalls)
     • A distributed identity management system is needed: something like Microsoft Active Directory for Cloud environments, able to reduce “human errors” through strong authentication, and operated by a trusted third party
  18. A possible solution: SecurePass
     • SecurePass is a Unified Secure Access platform for Cloud, web applications and security devices (VPNs, firewalls, ...)
     • Strong authentication, with hardware tokens or software tokens on smartphones (iOS/Android/BlackBerry)
     • Identity management, with personnel information
     • Seamless web Single Sign-On, to simplify user access (and avoid circumvention)
     • Based on open protocols: LDAP, RADIUS and CAS
     • Easy to integrate: protect your infrastructure and applications in a few minutes
     • Guaranteed by a Swiss bank
  19. Case Study: Moresi.Com
     • Housing / hosting provider in Switzerland with two data centers, constantly expanding
     • Highly selected customers, including banks and national and international companies
     • Moving the focus from traditional housing / hosting to being a cloud provider (VMware vCloud based)
     • Each customer has access to a “virtual datacenter” that it can orchestrate at will
     • Objective: establish secure access to the virtual datacenters
  21. Case Study: Insurance company
     • World’s second largest multinational insurance company, 48 subsidiaries worldwide, each with its own board of directors, CEO and CFO
     • All CxO-level members access confidential documents on the move from any device (laptop, tablet, smartphone), with a high risk of data leaking
     • Objective: provide secure access to the board of directors’ classified documents and avoid information leaking, through an ad-hoc secure Java-based web application
  22. Case Study: Automotive company
     • One of the top 5 automotive suppliers in the world, with over 120,000 employees
     • Need to solve the security issues of BYOD (Bring Your Own Device) by employees and top managers, in particular tablets and smartphones
     • Objective: provide secure access to corporate resources from BYOD through SSL VPNs and ad-hoc portals
  23. SecurePass Contest 2012
     • Integrate SecurePass and publish a story in a blog or on-line magazine. A good excuse for:
       • testing SecurePass for free
       • learning something new
       • letting your boss or your customers know that you care about security
       • ... and winning something ;-)
     • http://www.secure-pass.net/contest2012
  24. Q&A
     Giuseppe Paternò
     gpaterno@gpaterno.com
     gpaterno@garl.ch
     Web sites: www.gpaterno.com, www.secure-pass.net
     Twitter: @gpaterno