Hogan Kusnadi - Cloud Computing Security

  1. Seminar Honeynet Indonesia 2013
     Cloud Computing Security
     By Hogan Kusnadi, CISSP-ISSAP, SSCP, CISA, CISM
     hoganklim@gmail.com
     18 June 2013
  2. Launch of SNI-ISO 20000 & 27001 (Kominfo & BSN, October 2009)
  3. Rapid Development of ICT (Information Communication Technology)
  4. From LAN, WAN to Cloud Computing
  5. NIST (National Institute of Standards and Technology)
     This cloud model promotes availability and is composed of five essential characteristics:
     – on-demand self-service
     – broad network access
     – resource pooling
     – rapid elasticity
     – measured service
  6. Cloud Computing
     • Software as a Service (SaaS)
     • Platform as a Service (PaaS)
     • Infrastructure as a Service (IaaS)
     • Storage as a Service (SaaS)
     • Communications as a Service (CaaS)
     • Network as a Service (NaaS)
     • Monitoring as a Service (MaaS)
     • Etc.
  7. XaaS (anything as a service)
     • Anything/Everything as a Service (XaaS)
       – The acronym refers to an increasing number of services that are delivered over the Internet rather than provided locally or on-site.
     • XaaS is the essence of cloud computing
  8. User vs Provider
  9. Understanding Risk is Important
  10. Two Sides of Technology
  11. Benefit vs Risk of ICT
      Benefit: Multi Function, Flexible, Easy to use, Lower Cost
      Technologies: Database Application, Web Application, Client Server, Network Integration, Cloud Computing
      Risk (to Confidentiality, Integrity, Availability): Identity Theft, Information Theft, Industrial Espionage, Country Espionage, Denial of Service (DDoS), Data / Information Sovereignty, Sabotage, Cyber Weapon, Cyber War
  12. Website Deface Attack Statistic (chart; source: www.zone-h.org, 18 April 2012)
  13. Data Loss Incidents (2004-2013*) (chart; April 2013)
  14. Cloud Computing and Information Security Incidents
  15. How to Mitigate Risk
  16. ENISA (European Network and Information Security Agency)
  17. How Security Gets Integrated
  18. Data Security Lifecycle
  19. The Notorious Nine: Cloud Computing Top Threats in 2013
      1. Data Breaches
      2. Data Loss
      3. Account Hijacking
      4. Insecure APIs
      5. Denial of Service
      6. Malicious Insiders
      7. Abuse of Cloud Services
      8. Insufficient Due Diligence
      9. Shared Technology Issues
  20. About the Cloud Security Alliance
      • Global, not-for-profit organization
      • Building security best practices for next generation IT
      • Research and Educational Programs
      • Cloud Provider Certification
      • User Certification
      • Awareness and Marketing
      • The globally authoritative source for Trust in the Cloud
      “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  21. CSA Fast Facts
      • Founded in 2009
      • 42,000 individual members, 66 chapters globally
      • 200 corporate and affiliate members
        – Major cloud providers, tech companies, infosec leaders, DoD, Coca-Cola, Bank of America and much more
      • Regional hubs in Seattle USA, Singapore, Heraklion Greece
      • Over 30 research projects in 25 working groups
      • Strategic partnerships with governments, research institutions, professional associations and industry
  22. Growing to serve the Industry
      • 2009
        – CSA launch at RSA 2009 with Security Guidance for Critical Areas of Focus in Cloud Computing
        – 6,000 members
      • 2010
        – Launch Certificate of Cloud Security Knowledge (CCSK)
        – 15,000 members
      • 2011
        – Launch CSA Security, Trust and Assurance Registry (STAR)
        – 27,000 members
      • 2012
        – Launch CSA Mobile and Big Data research to address emerging needs
        – 42,000 members
      (Chart: Membership Growth by region, North America / EMEA / APAC)
  23. Research Portfolio
      Our research includes fundamental projects needed to define and implement trust within the future of information technology
      CSA continues to be aggressive in producing critical research, education and tools
      Sponsorship opportunities
      Selected research projects in following slides
  24. Security as a Service
      • Security as a Service
        – Research for gaining greater understanding for how to deliver security solutions via cloud models.
      • Information Security Industry Re-invented
      • Identify Ten Categories within SecaaS
      • Implementation Guidance for each SecaaS Category
      • Align with international standards and other CSA research
      • Industry Impact
        – Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
  25. GRC Stack
      Family of 4 research projects:
      – Cloud Controls Matrix (CCM)
      – Consensus Assessments Initiative (CAI)
      – Cloud Audit
      – Cloud Trust Protocol (CTP)
      Impact to the Industry:
      – Developed tools for governance, risk and compliance management in the cloud
      – Technical pilots
      – Provider certification through STAR program
      (Diagram: Control Requirements, Provider Assertions; Private, Community & Public Clouds)
  26. Smart Mobile
      • Mobile
        – Securing application stores and other public entities deploying software to mobile devices
        – Analysis of mobile security capabilities and features of key mobile operating systems
        – Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
        – Guidelines for the mobile device security framework and mobile cloud architectures
        – Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
        – Best practices for secure mobile application development
  27. CCSK – User Certification
      Certificate of Cloud Security Knowledge (CCSK)
      – Benchmark of cloud security competency
      – Online web-based examination: www.cloudsecurityalliance.org/certifyme
      – Training partnerships
      – Developing new curriculum for audit, software development and architecture
  28. CSA Conference
      • Only multi-track, multi-day conference focused on cloud security
      • Key venue for new research
      • Primarily attended by enterprise end users
      • 2013 CSA Congress Plans
        – CSA Congress APAC, Singapore, May 15-16
        – CSA Congress EMEA, Europe, September
        – CSA Congress US, Orlando, November
  29. CSA APAC
      • Incorporated and based in Singapore
      • Planned establishment of corporate HQ in Singapore
      • Supported by key Singaporean ministries, led by Infocomm Development Authority
      • Trend Micro as founding corporate office sponsor
      • IDA support for research and standards functions
      • Also private/public partnerships with gov’ts of Thailand and Hong Kong
      • CSA chapters throughout APAC
  30. International Standardization Council
      • Engage international standards bodies on behalf of CSA
      • Propose key CSA research for standardization
      • Liaison relationship with ITU-T
      • Category A liaison with ISO/IEC SC27 & SC38
      • Tracking key SDOs for 2013
        – DMTF
        – IEEE
        – IETF
        – CCSA
        – RAISE