Secure Cloud
Name of the Speaker : Amar Prusty
Company Name : DXC Technology
Place: Bangalore
Confidential – For Training Purposes Only
Speaker Experience
◆ Cloud & Data Center Architect
◆ Worked for Global Clients across Industry Verticals
◆ Been in IT 17+ years
◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC
◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics
◆ Hobbies– Cooking, Cycling, Reading, Travelling
◆ https://www.linkedin.com/in/amar-prusty-07913028/
Education – Partnership – Solutions
Information Security
Office of Budget and Finance
Defining Cloud
Cloud computing is a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of configurable computing
resources that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This cloud model is
composed of five essential characteristics, three service models, and
four deployment models.
Citation: NIST Special Publication (SP) 800-145
– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service
Cloud Service Models
• Infrastructure as a Service (IaaS)
– Standardized, highly automated offering, where compute resources, complemented
by storage and networking capabilities are owned by a service provider and offered
to customers on-demand. Customers are able to self-provision the infrastructure.
• Platform as a Service (PaaS)
– Offering is a broad collection of application infrastructure (middleware) services
including application platform, integration, business process management and
database services.
• Software as a Service (SaaS)
– Software is owned, delivered and managed remotely by a provider. The provider
delivers software based on one set of common code and data definitions that is
consumed by contracted customers on a pay-for-use basis or as a subscription.
Cloud Service Models
[Figure: layered stack – Facilities, Hardware, Connectivity/Network, Abstraction Layer,
Integration, Middleware, Interfaces, Application Programming Interfaces, Presentment,
Data and Metadata, Applications/Software – showing which layers Infrastructure as a
Service, Platform as a Service and Software as a Service each cover]
Cloud Deployment Models
• Public
Cloud infrastructure is available to the general public and owned by an organization
selling cloud services
• Private
Cloud infrastructure for a single organization only; may be managed by the organization
or a 3rd party, on or off premises
• Community
Cloud infrastructure shared by several organizations that have shared concerns; managed
by one of the organizations or a 3rd party
• Hybrid
A combination of two or more cloud types (public, private, community)
Chief Information Officers’ Cloud Concerns
• Security
• Availability
• Performance
• Costs
• Standards
Shared Security Responsibility
[Figure: the stack Facility / Hardware / Virtual Infrastructure / Platform Architecture /
Application, with each layer assigned to the Service Provider or the Consumer for IaaS,
PaaS and SaaS. Typical mapping:]
Layer                    IaaS       PaaS       SaaS
Application              Consumer   Consumer   Provider
Platform Architecture    Consumer   Provider   Provider
Virtual Infrastructure   Provider   Provider   Provider
Hardware                 Provider   Provider   Provider
Facility                 Provider   Provider   Provider
• Service Provider and Consumer roles, related to cloud model, are
inverse of each other: every layer belongs to exactly one side, and moving
from IaaS to PaaS to SaaS shifts responsibility for more layers to the provider.
Data Types and Compliance
• Data, being the key attribute of an information
technology system, is the driving force in
selecting the appropriate level of security.
• Develop detailed data flows.
• If the security controls and approach are not
matched to the characterization of the data, then:
– The system will be more costly and its utility reduced if over-secured.
– The system and data will be vulnerable and could lead to a breach if under-secured.
Risk = (Data Type × Breach Probability) / Data Security Profile
[Figure: classification tiers mapped to Data Security Profiles 1–4]
– Public Data – Classification: Low
– Sensitive Data (Confidential Data and Restricted Data) – Classification: Moderate and High
– Each tier has a Data Security Profile (1–4) with a matching Policies & Procedures Profile (1–4)
– Control baselines shown: Integrity Controls; NIST SP 800-53 Rev. 4; NIST SP 800-53 Rev. 4
plus IRS Pub 1075 and the CJIS Security Policy
– Regulatory drivers shown: Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, IRS Pub 1075, CJIS
– Data Object Security / Data Pedigree = Data Security Profile + Data Owner + Originating
System + Data Integrity Confidence
– Risk Profile: Risk = (Data Type × Breach Probability) / Security Profile
– National security references: DoDM 5200, E.O. 13526
Data Classification Comparison:
Project – Federal Agency – National Security
Direct comparison is difficult because data classification is specific to mission, context, aggregation
and system.
Detailed review of data sets, usage and regulatory compliance yields appropriate classifications.
Data can transition up or down in classification levels based on certain factors.
Sources: regulations, NIST SP 800-53 Rev. 4, FIPS, IRS Pub 1075, agency-specific guidance
[Figure: three classification scales side by side]
Project Data Classifications: Public | Low | Moderate | High
(regulatory drivers shown: Integrity Controls, Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, Pub 1075, CJIS)
Federal Agency Classifications (impact level):
Public – No Adverse Effect | Low – Limited Adverse Effect | Moderate – Serious Adverse Effect |
Moderate+ (CFR Title 28, DOJ Bureau of Prisons) | High – Severe Adverse Effect
(regulatory drivers shown: Integrity Controls, Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, Pub 1075)
National Security / Dept. of Defense Classifications (expected damage from disclosure):
Unclassified – No Damage | For Official Use Only (FOUO) – Limited Damage | Confidential – Damage |
Secret – Serious Damage | Top Secret – Grave Damage
What is Cloud Security?
• There is a lot of noise and distraction about cloud security.
• The truth is that security controls need to be implemented whether you
use:
– Stand-alone servers
– Physical servers in your data center
– Virtualization in your data center
– Cloud provided by a service provider
• There are few differences in identifying which controls are needed; what
changes is who implements and operates them (see Shared Security Responsibility)
• Bottom line is that organizations feel vulnerable since they believe they
lose control
Endpoint Device Security
• Host based Intrusion Detection Systems (HIDS)
• Host based firewalls
• Application whitelisting
• Endpoint encryption
• Trusted platform module
• Mobile device management
• Sandboxing
Cloud Security
• TLS Encryption
• Network Firewalls/Web Application Firewall
• Data Encryption – FIPS 140-2
• Central Logging
• Authentication Layering
• Network Scanning
• Third Party Security Testing
– Vulnerability Assessments
– Penetration Testing
– Security Audit
• Statement on Standards for Attestation Engagements (SSAE) 16
compliant data center (SSAE 16 has since been superseded by SSAE 18)
Architectural Considerations
• Attack Surface.
– The hypervisor is an additional layer of software
between an operating system and hardware
platform. The hypervisor normally supports other
application programming interfaces to conduct
administrative operations, such as launching,
migrating, and terminating virtual machine
instances. This increases the attack surface.
• Complicated Architectures
– Virtual machine environments and their supporting
software are complicated. Implementing
organizational software in PaaS or IaaS creates
additional complications that have to be managed
appropriately
Architectural Considerations
• Virtual Network Protection
– Most virtualization platforms have the ability to
create software-based switches and network
configurations as part of the virtual environment to
allow virtual machines on the same host to
communicate more directly and efficiently. Some
hypervisors’ network monitoring capabilities are not
as robust as physical network tools.
• Virtual Machine Images.
– IaaS cloud providers maintain repositories of virtual
machine images. A virtual machine image includes
the software stack and speeds up the time to
implementation. These are often shared. Shared
virtual images must be validated and carefully
controlled so that unvetted or tampered images do not
introduce problems.
Architectural Considerations
• Client-Side Protection
– Web browsers, a key element for many cloud
computing services, and the various plug-ins and
extensions are notorious for their security
problems. Security awareness is as important
when dealing with a cloud application as any
other alternately implemented application.
• Identity and Access Management
– Identification, authentication, authorization and
accounting are critical to implement, enforce
and monitor on any cloud based applications or
cloud management portals.
Identity and Access Management
• Identity Management includes:
– Self-service
– Registration
– Password management
– Provisioning
• Access Management includes:
– Authentication
– Authorization
– Policy Management
– Federation
– Identity Repository
Identity and Access Management
• Identity repositories provide directory
services for the administration of user
accounts and their attributes.
• Common Directory Services:
– X.500 and LDAP
– Microsoft Active Directory
– Novell eDirectory
– Metadata replication and synchronization
– Directory as a Service
Federated Identity Management
• Provides the policies and processes that manage identity and
trusted access to systems across entities
• Like Kerberos, but for separate domains
• Federation Standards:
– Security Assertion Markup Language (SAML)
– WS-Federation
– OpenID Connect (based on OAuth 2.0)
– OAuth for web and mobile applications
• Federated Identity Providers
– Identity Provider – holds all the identities and generates a
token for known users
– Relying Party – the service provider who consumes these
tokens
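The Identity Provider / Relying Party split described above, as an added example that is not from the original deck: the IdP signs a token for an authenticated user and the Relying Party validates it before trusting the claims. It uses an HMAC-SHA256 (HS256) JWT with a shared secret so it runs on the standard library alone; real OpenID Connect deployments use RS256/ES256 keys published via JWKS, and the issuer, audience and secret below are hypothetical names.

```python
"""Federated token issuance (IdP) and validation (Relying Party), HS256 JWT."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical federation parties (assumptions for this example).
ISSUER = "https://idp.example.com"      # Identity Provider
AUDIENCE = "https://app.example.net"    # Relying Party's client identifier
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_token(subject: str, now: int, ttl: int = 300) -> str:
    """IdP side: sign an ID-token-like JWT for a user it has authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input))


def validate_token(token: str, now: int) -> dict:
    """Relying-party side: check signature, issuer, audience and expiry.
    Raises ValueError on any failure and returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it ('none' / key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(header_b64 + "." + claims_b64), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this relying party")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def relying_party_accepts(token: str, now: int) -> bool:
    try:
        validate_token(token, now)
        return True
    except ValueError:
        return False


def forge_subject(token: str, new_subject: str) -> str:
    """Attacker: rewrite the 'sub' claim while keeping the original signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


def strip_signature(token: str) -> str:
    """Attacker: 'alg: none' downgrade with an empty signature."""
    _, claims_b64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + claims_b64 + "."


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("alice@example.com", t0)
    print("valid:", validate_token(tok, t0)["sub"])
    print("forged accepted:", relying_party_accepts(forge_subject(tok, "admin@example.com"), t0))
    print("alg=none accepted:", relying_party_accepts(strip_signature(tok), t0))
```

The relying party trusts nothing from the token until the signature is verified with its own pinned algorithm, and it checks `iss` and `aud` so that a token minted for another relying party in the same federation cannot be replayed here.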
Security Threats
• Malicious Code
– Ransomware
– Virus
– Worms
– Trojans
– Logic bombs
– Malware
– Botnet
• Malicious Code Countermeasures
– Scanners
– IDS/IPS
– Security testing
– Anti-malware
– Code signing
– Sandboxing
– Appropriate patching
Security Threats
• Malicious Activity
– Social Engineering
– Spoofing
– Phishing
– Spam
– Botnets
• Malicious Activity Countermeasures
– User Awareness Training
– System Hardening
– Patching
– Sandboxing
– Policies and Procedures
Security Threats
• Abuse and Nefarious use
– Hackers continue to leverage technologies to
improve their reach, avoid detection, and
improve the effectiveness of their activities.
– Cloud providers are actively being targeted,
partially because their relatively weak
registration systems facilitate anonymity, and
providers’ fraud detection capabilities are
limited.
• Countermeasures: Patching, intrusion
detection, security awareness training,
background checks
Security Threats
• Insecure interfaces and APIs
– Cloud providers strive to provide security that is
integrated into their service models.
– Consumers of services need to understand the
security implications associated with the usage,
management, orchestration and monitoring of cloud
services.
– Reliance on a weak set of interfaces and APIs
exposes organizations to a variety of security issues
related to confidentiality, integrity, availability and
accountability.
• Countermeasures: Architecture review, security
testing, patching schedules, Service Level
Agreements, legal agreements (e.g., a HIPAA Business Associate Agreement, BAA)
Security Threats
• Malicious insiders
– The impact that malicious insiders can have on an
organization is great because of their level of access
and understanding of data and information
technology assets.
– Theft, reputation damage and loss of productivity are
some examples of how malicious insider can affect
an operation.
– Organizations that adopt cloud services need to
understand the human element and that the
malicious-insider risk extends to the staff of the
cloud provider.
• Countermeasures: Background checks, policies
and procedures, non-repudiation, two-person rule,
security awareness training, least privilege
Security Threats
• Shared technology issues
– Attacks have surfaced in recent years that
target the shared technology inside cloud
computing environments.
– As a result, attackers focus on how to impact
the operations of other cloud customers, and
how to gain unauthorized access to data.
• Countermeasures: Patching, security
testing, monitoring, security awareness
training
Security Threats
• Data loss or leakage
– Data loss or leakage can have a devastating
impact on a business and its impact is directly
relevant to the type of data.
– Compliance violations, legal ramifications
– Loss of core intellectual property could have
competitive and financial implications.
• Countermeasures: Data Loss Prevention
Applications, encryption, security awareness
training, data classification, policies and
procedures, least privilege
Security Threats
• Account or service hijacking
– Account and service hijacking, usually with
stolen credentials, remains a top threat. With
stolen credentials, attackers can often access
critical cloud services, allowing them to
compromise the confidentiality, integrity and
availability of the services and the data.
• Countermeasures: Policies and
procedures, security awareness training,
multifactor authentication, enforced password
life, complexity and reuse rules
Security Threats
• Unknown Risk Profile
– When adopting a cloud service, the features and functionality
may be well advertised, but one must understand the cloud
service security posture/risk profile.
– Understand the controls or compliance alignment
– Make sure you agree with the cloud providers internal security
procedures, configuration hardening, patching, auditing, and
logging
– Do they go through SSAE 16 SOC 2 audits or are they FedRAMP
authorized?
– Under what conditions can you have access to or be given an
extract of logs?
– Can you conduct vulnerability scanning or penetration testing
on “your” infrastructure; and/or will you receive the regular
reports of the results of their scanning and testing.
• Countermeasures: Research, agreements, and governance
Cloud Governance
• Cloud Governance by the Customer is Critical
– Extend organizational practices pertaining to the policies,
procedures, and standards implemented for users.
– Practices pertaining to policies, procedures and standards
implemented for application development and service
provisioning.
– Environment establishment such as development, testing,
staging, training, production and disaster recovery in
alignment with organizational standards.
– Put in place audit mechanisms and tools to ensure
organizational practices are followed such as log review
and reporting.
Cloud Governance
• Cloud Governance by the Customer is Critical
– Cloud Customers need to define cloud strategy before
entering into agreement with CSP
– Organizational assets agreed upon and assessed for
suitability for cloud
– Define suitable business units or functions
– Outline phased approach to cloud journey
– Document exceptions, restrictions, and risks
– List regulatory and compliance components
(addressed either jointly or by the provider)
– List business and system interdependencies.
Cloud Application Security
• Cloud development and applications must take into
consideration service models and deployment models
• Data sensitivity issues in cloud
• RESTful vs SOAP API choice
• Careful with multitenancy
• Appropriate cryptography
• Release management
Cloud Application Security
• On-premises does not always port
• Should follow appropriate Software Development
Lifecycle
• Not all applications are suitable for the cloud
• Users and developers must understand and have
appropriate security awareness
• Document cloud applications thoroughly
• Identify complexities of integration
• Code with the OWASP Top 10 in mind
• Code to ISO/IEC 27034-1 (Information technology –
Security techniques – Application security)
Cloud Application Security
• APIs are a very important part of cloud applications
• Primary access method
• Two of the possible formats for cloud APIs are:
– Representational State Transfer (REST)
• Uses HTTP
• Supports many data formats (e.g., JSON, XML, YAML, etc.)
• Good performance and scalability, uses caching
• Widely used
• Stateless
– Simple Object Access Protocol (SOAP)
• Wraps messages in a SOAP envelope carried over HTTP, FTP, or SMTP
• Only supports XML
• Slower performance, complex scalability, no caching
• Used where REST is not possible
• Can be stateful
Cloud Operations & Maintenance
• It is critical to research the cloud operations and
maintenance of the cloud service provider to
ensure they are operating appropriately for
compliance and risk threshold.
• You cannot assume that because they say they
operate it appropriately they do.
– Ask for patching schedules.
– What type of continuous scanning is done and can
you have a summary report.
• And ensure the following are in place at the provider:
– Fault management
– Problem management
– Equipment management
– Change management
– Release management
– Supplier management
– Prevention management
– Resource staffing
– Architectural/network topology documentation
Cloud Compliance
• Align compliance requirements developed from
regulations, standards, and organization mission
to create a framework for acceptable:
– Risk: Have risk management in place supported by
leadership
– Recovery Time Objective: How long can the system
or components be down?
– Recovery Point Objective: How much data can you
lose before reaching the unacceptable threshold
– Loss: Are there acceptable losses?
– Budget: For losses, fines or hopefully controls
– Controls: Dependent on identified risk and
vulnerabilities.
Cloud Compliance
• Customer chooses where to place data.
– Customer organization needs to understand
cloud computing.
• Cloud providers generally have regions
(e.g., AWS) that are isolated by design
• Data is not replicated to other regions and does
not move unless the customer chooses that
option
• Customers manage access to their data as
well as AWS services and resources
• Customers choose how their data is secured.
Cloud Compliance
Some Key Points
• Make sure you exercise due diligence when selecting a cloud
service provider.
• Make sure the cloud environment supports the regulatory
requirements of your industry and data.
• Conduct data classification to understand the sensitivity of your
data before moving to the cloud.
• Clearly define who owns the data and how it will be “returned” to
you and the timing in the event you cancel your agreement.
• Understand if you are leveraging the cloud in IaaS, PaaS, SaaS or
other model.
• Establish Service Level Agreements (SLAs) to ensure performance
• Engage Cloud specific legal advice before moving to the cloud.
Some Key Points
• Make sure you schedule enough time to
move your application or data center to the
cloud.
• Make sure you budget a sufficient amount.
• Recognize that many organizational policies
and procedures will need to be updated.
• When using data provided by 3rd parties, note
that you may need to notify them and amend
your agreement.
• Do not let the in-house IT skills of the people who
understand the business and your applications erode.
AWS Security Best Practices-CloudTrail
• Enable CloudTrail across all geographic regions and
AWS services to prevent activity monitoring gaps.
• Turn on CloudTrail log file validation so that any
changes made to the log files after they have been
delivered to the S3 bucket are trackable, to ensure log
file integrity.
• Enable access logging for the CloudTrail S3 bucket so that
you can track access requests and identify potentially
unauthorized or unwarranted access attempts.
• Turn on multifactor authentication (MFA) delete on the
CloudTrail S3 bucket, and encrypt all CloudTrail log
files in flight and at rest.
• Attackers who gain access commonly disable CloudTrail and delete
logs: alert on StopLogging, DeleteTrail and UpdateTrail calls and on
deletions in the trail's bucket.
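Two of the checks above in working form, as an added example that is not part of the original deck: a detection that scans a CloudTrail log file for calls that blind or destroy the audit trail, and a check of a delivered log file against the SHA-256 hash that log file validation records in a digest file. The sample records are constructed for the example; the account ID, trail name and bucket name are hypothetical, and the digest-entry shape assumes the hash covers the uncompressed log file content.

```python
"""CloudTrail tamper detection and log-file integrity check on sample data."""
import hashlib
import json

TRAIL_LOG_BUCKETS = {"org-cloudtrail-logs"}  # hypothetical trail destination bucket
# CloudTrail API calls that stop, delete or reconfigure a trail.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# S3 calls that destroy already-delivered logs when aimed at the trail bucket.
LOG_DESTRUCTION_EVENTS = {"DeleteBucket", "DeleteObject",
                          "PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _record(t, source, name, ip, identity, params=None):
    rec = {"eventVersion": "1.05", "eventTime": t, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity}
    if params:
        rec["requestParameters"] = params
    return rec


# Constructed sample log file in CloudTrail's {"Records": [...]} shape.
SAMPLE_LOG = json.dumps({"Records": [
    _record("2019-05-01T10:00:00Z", "cloudtrail.amazonaws.com", "DescribeTrails", "203.0.113.10",
            {"type": "IAMUser", "userName": "alice"}),
    _record("2019-05-01T10:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7",
            {"type": "IAMUser", "userName": "contractor"}, {"name": "org-trail"}),
    _record("2019-05-01T10:06:00Z", "s3.amazonaws.com", "DeleteBucket", "198.51.100.7",
            {"type": "IAMUser", "userName": "contractor"}, {"bucketName": "org-cloudtrail-logs"}),
    _record("2019-05-01T10:10:00Z", "ec2.amazonaws.com", "RunInstances", "203.0.113.10",
            {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}),
]}, indent=1)


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_trail_tampering(log_text: str) -> list:
    """Return (eventTime, eventName, actor, sourceIP, target) for suspicious records."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        name, source = rec.get("eventName"), rec.get("eventSource")
        params = rec.get("requestParameters") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append((rec["eventTime"], name, _actor(rec),
                           rec.get("sourceIPAddress"), params.get("name", "")))
        elif (source == "s3.amazonaws.com" and name in LOG_DESTRUCTION_EVENTS
              and params.get("bucketName") in TRAIL_LOG_BUCKETS):
            alerts.append((rec["eventTime"], name, _actor(rec),
                           rec.get("sourceIPAddress"), params["bucketName"]))
    return alerts


def digest_entry_for(log_bytes: bytes, s3_object: str) -> dict:
    """One 'logFiles' entry as found in a CloudTrail digest file
    (assumption: hex SHA-256 over the uncompressed log content)."""
    return {"s3Object": s3_object, "hashAlgorithm": "SHA-256",
            "hashValue": hashlib.sha256(log_bytes).hexdigest()}


def log_file_matches_digest(log_bytes: bytes, entry: dict) -> bool:
    if entry.get("hashAlgorithm") != "SHA-256":
        raise ValueError("unsupported digest algorithm: %r" % entry.get("hashAlgorithm"))
    return hashlib.sha256(log_bytes).hexdigest() == entry["hashValue"]


def tampered_copy(log_text: str, drop_event: str) -> str:
    """Simulate an attacker editing a delivered log to remove their own tracks."""
    data = json.loads(log_text)
    data["Records"] = [r for r in data["Records"] if r.get("eventName") != drop_event]
    return json.dumps(data, indent=1)


if __name__ == "__main__":
    for alert in find_trail_tampering(SAMPLE_LOG):
        print("ALERT", alert)
    entry = digest_entry_for(SAMPLE_LOG.encode(), "AWSLogs/111122223333/CloudTrail/us-east-1/sample.json")
    print("original intact:", log_file_matches_digest(SAMPLE_LOG.encode(), entry))
    edited = tampered_copy(SAMPLE_LOG, "StopLogging")
    print("edited copy intact:", log_file_matches_digest(edited.encode(), entry))
```

The hash comparison is only half of log file validation: CloudTrail also signs each digest file, and `aws cloudtrail validate-logs` verifies that signature with the public keys returned by `aws cloudtrail list-public-keys`, so an attacker who edits a log file would also have to forge the digest. Note that the StopLogging record is itself in the log, which is why the detection has to run on every delivery and why deleting the trail's bucket must raise an alert on its own.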
AWS Security Best Practices-IAM
• When creating IAM policies, ensure that they’re attached to groups or
roles rather than individual users to minimize the risk of an individual user
getting excessive and unnecessary permissions or privileges by accident.
• Provision access to a resource using IAM roles instead of providing an
individual set of credentials for access to ensure that misplaced or
compromised credentials don’t lead to unauthorized access to the
resource.
• Ensure IAM users are given minimal access privileges to AWS resources
that still allows them to fulfill their job responsibilities.
• As a last line of defense against a compromised account, ensure all IAM
users have multifactor authentication activated for their individual
accounts, and limit the number of IAM users with administrative privileges.
• Rotate IAM access keys regularly and standardize on a selected number of
days for password expiration to ensure that data cannot be accessed with a
potential lost or stolen key.
• Enforce a strong password policy requiring minimum of 14 characters
containing at least one number, one upper case letter, and one symbol.
Apply a password reset policy that prevents users from using a password
they may have used in their last 24 password resets.
• Attackers try to crack or steal IAM credentials to gain full access
AWS Security Best Practices-IAM
• AWS Identity and Access Management
(IAM) lets you define individual user
accounts with permissions across AWS
resources
• AWS Multi-Factor Authentication for
privileged accounts, including options for
hardware-based authenticators
• AWS Directory Service allows you to
integrate and federate with corporate
directories to reduce administrative
overhead and improve end-user experience
AWS Security Best Practices-
Monitoring
• Deep visibility into API calls through AWS
CloudTrail, including who made the call, what was
called, when, and from where
• Log aggregation options, streamlining
investigations and compliance reporting
• Alert notifications through Amazon CloudWatch
when specific events occur or thresholds are
exceeded
• These tools and features give you the visibility you
need to spot issues before they impact the
business and allow you to improve security
posture, and reduce the risk profile, of your
environment.
AWS Security Best Practices-
Configuration
• A security assessment service, Amazon Inspector, that
automatically assesses applications for vulnerabilities or
deviations from best practices, including impacted networks,
OS, and attached storage
• Deployment tools to manage the creation and
decommissioning of AWS resources according to
organization standards
• Inventory and configuration management tools, including
AWS Config, that identify AWS resources and then track and
manage changes to those resources over time
• Template definition and management tools, including AWS
CloudFormation to create standard, preconfigured
environments
• Attackers take advantage of configuration drift
AWS Security Best Practices-KMS
• Flexible key management options, including AWS Key
Management Service, allowing you to choose whether to
have AWS manage the encryption keys or enable you to keep
complete control over your keys
• Encrypted message queues for the transmission of sensitive
data using server-side encryption (SSE) for Amazon SQS
• Dedicated, hardware-based cryptographic key storage using
AWS CloudHSM, allowing you to satisfy compliance
requirements
• In addition, AWS provides APIs for you to integrate
encryption and data protection with any of the services you
develop or deploy in an AWS environment.
AWS Security Best Practices-Infra
• Network firewalls built into Amazon VPC, and web
application firewall capabilities in AWS WAF let you
create private networks, and control access to your
instances and applications
• Customer-controlled encryption in transit with TLS
across all services
• Connectivity options that enable private, or
dedicated, connections from your office or on-
premises environment
• Automatic encryption of all traffic on the AWS global
and regional networks between AWS secured facilities
• Attackers probe exposed infrastructure to gain access
AWS Security Best Practices- DB & S3
• Ensure that no S3 buckets are publicly readable/writable
unless required by the business.
• Turn on Redshift audit logging in order to support auditing
and post-incident forensic investigations for a given database.
• Encrypt data stored in EBS as an added layer of security.
• Encrypt Amazon RDS as an added layer of security.
• Enable the require_ssl parameter in all Redshift clusters to
minimize the risk of man-in-the-middle attacks.
• Restrict network access to RDS instances to decrease the risk of
malicious activities such as brute force attacks, SQL
injection, or DoS attacks.
• Attackers try to gain full access to sensitive data stored in databases
and S3
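A small policy linter, as an added example that is not from the original deck, covering both the IAM list above (least privilege, MFA for privileged actions, no wildcard grants) and the first S3 item (no publicly readable or writable buckets). It evaluates policy documents offline; the sample policies, account ID and bucket names are constructed for the example, and the set of "privileged" services is an assumption for the demo.

```python
"""Lint IAM identity policies and S3 bucket policies for over-broad grants."""
import json

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")
# Services where an allow without MFA is account-critical (assumption for this demo).
PRIVILEGED_SERVICES = {"iam", "sts", "organizations", "kms", "cloudtrail"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(statement: dict) -> bool:
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def lint_identity_policy(policy: dict) -> list:
    """Return human-readable findings for an IAM identity policy document."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants every API")
        for action in actions:
            service, _, verb = action.partition(":")
            if service in PRIVILEGED_SERVICES and not _has_mfa_condition(st):
                findings.append(f"statement {idx}: {action} allowed without an MFA condition")
        writes = [a for a in actions
                  if a == "*" or not a.partition(":")[2].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and writes:
            findings.append(f"statement {idx}: write actions {writes} on Resource '*'")
    return findings


def bucket_policy_is_public(policy: dict) -> bool:
    """True if any Allow statement grants to an anonymous principal
    ('*' or {'AWS': '*'}) without a restricting Condition."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if anonymous and not st.get("Condition"):
            return True
    return False


# Constructed sample policies (not from any real account).
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-data/*"}]}
PRIVATE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}]}

if __name__ == "__main__":
    print(json.dumps(lint_identity_policy(OVERLY_BROAD), indent=1))
    print("hardened findings:", lint_identity_policy(HARDENED))
    print("public bucket:", bucket_policy_is_public(PUBLIC_BUCKET))
    print("private bucket:", bucket_policy_is_public(PRIVATE_BUCKET))
```

In practice the documents fed to these functions come from `aws iam get-policy-version` and `aws s3api get-bucket-policy`; the linter is deliberately conservative, so a statement it flags still needs a human to decide whether the business really requires it.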
AWS Cloud Shared Security [figure]
Cloud IT Security Breaches
Target Targeted
What happened / how it happened
– Hackers used credentials of a 3rd-party vendor to get into Target’s network
– The hackers installed credit-card-number-stealing malware on POS devices in all domestic Target stores
– The credit card numbers started flowing out of Target’s network
– Federal investigators warned Target of a massive data breach
– Target confirmed and eradicated the malware, after 40 million credit card numbers had been stolen
Impact
• Total of $153.9 million was paid towards legal settlements
• CEO and CIO had to resign after the breach
Adobe Creative Cloud Security Breach
What Happened?
In October 2013, Adobe said hackers had stolen nearly 3 million encrypted
customer credit card records, as well as login data for an undetermined
number of Adobe user accounts. In addition to the credit card records,
tens of millions of user accounts across various Adobe online properties
may have been compromised in the break-in.
How it happened?
Weak password requirements made it possible for the hackers to brute
force their way into the Adobe infrastructure
Impact?
• Adobe pays US$1.2M plus settlements to end 2013 breach class action
Sony Cloud Breach
What Happened?
– Hackers stole the credentials of a system administrator, which gave them
broad access to Sony’s computer systems
– After gaining access to the Sony IT infrastructure, the hackers planted
malware in the network to collect data
– The malware used Microsoft Windows management and network file sharing
features to spread, shut down the network, and reboot computers
– The GOP (Guardians of Peace) told Sony it had grabbed private files,
computer source code files for software, and files that held passwords for
Oracle and SQL databases, among other documents
– The GOP grabbed data on movie production schedules, emails, financial
documents and much more, and published much of it
Impact
According to Reuters, the cyber attack on Sony’s movie studio cost the studio as much as
$100 million. Sony had to spend money on computer repairs and replacements. The
company also had to spend money on conducting an investigation into what happened,
and how to take steps to prevent a future attack.
Identification of Requirements
[Figure: requirements identified per service model – IaaS, PaaS, SaaS]
What information to look for in cloud
provider
• Certifications & Standards
• Technologies & Service Roadmap
• Data Security, Data Governance and Business
policies
• Service Dependencies & Partnerships
• Contracts, Commercials & SLAs
• Reliability & Performance
• Migration Support, Vendor Lock in & Exit
Planning
• Business health & Company profile
Controls to look for with a Cloud Service Provider
• Application Security
• Data Integrity and Security
• Audit Assurance & Compliance
• Information System Regulatory Mapping
• Business Continuity Management, Planning and Testing
• Equipment Maintenance
• Impact Analysis
• Customer Access Requirement
• New Development and Acquisition
• Data Security and Information Lifecycle
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resource Management
• Identity and Access Management
• Infrastructure and Virtualization Security
• Security Incident Management, E-Discovery & Cloud Forensics
• Threat and Vulnerability Management
Source: CSA (Cloud Controls Matrix domains)
Why is a SOC 2 Type 2 report important to evaluate
Cloud Providers?
A SOC 2 Type 2 report will not only review the controls in question, but will
also test and report on the operating effectiveness of those controls over the
review period (a Type 1 report covers only the design of the controls at a
point in time). The Trust Services Criteria it covers:
• Security: Unauthorized access to systems
(both physical and logical) is prevented
through controls.
• Confidentiality: Sensitive information labeled
as confidential is protected with adequate
controls (customer data and systems would
likely fall into this category).
• Privacy: Personal information is collected and
managed in accordance with the AICPA
Generally Accepted Privacy Principles.
• Availability: Systems are designed with uptime
and availability in mind, and continuity of
system operations is maintained.
• Processing Integrity: All system processing
activities are accurate, timely, complete
and authorized.
Does Cloud add additional risk?
• Are highly portable devices captured during vulnerability
scans?
• Where is your network perimeter?
• Are consumer devices being used in areas – like health care –
where reliability is critical?
• Do users install device management software on other
computers? Is that another attack vector?
Attacking Cloud
• Default, weak, and hardcoded credentials
• Difficult to update firmware and OS
• Lack of vendor support for repairing
vulnerabilities
• Vulnerable web interfaces (SQL injection, XSS)
• Coding errors (buffer overflow)
• Clear text protocols and unnecessary open ports
• DoS / DDoS
• Physical theft and tampering
Why it Looks so Bad
• Breakers have a long history and robust tools
– Automated network attack tools
– Exploits for most segments of IoT stack
– Physical access and hardware hacking
• Builders are still searching for
– Secure toolkits
– Proven methodologies
– Successful models
• Result:
– Builders cobble together components
– Build very fragile full stack solutions
– No visibility into security or attack surface
– Attackers have a field day
OWASP IoT Top 10 (2014)
• I1: Insecure Web Interface
– Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords …
– Recommendation: When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security …
• I2: Insufficient Authentication/Authorization
– Consideration: Ensure that applications are written to require strong passwords where authentication is needed …
– Recommendation: Refer to the OWASP Authentication Cheat Sheet
• I3: Insecure Network Services
– Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing …
– Recommendation: Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully...
• I4: Lack of Transport Encryption
– Consideration: Ensure all applications are written to make use of encrypted communication between devices…
– Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit…
• I5: Privacy Concerns
– Consideration: Ensure only the minimal amount of personal information is collected from consumers …
– Recommendation: Data can present unintended privacy concerns when aggregated…
• I6: Insecure Cloud Interface
– Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) …
– Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms…
• I7: Insecure Mobile Interface
– Consideration: Ensure that any mobile application coding is written to disallow weak passwords …
– Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …
• I8: Insufficient Security Configurability
– Consideration: Ensure applications are written to include password security options (e.g. enabling 20 character passwords or enabling two-factor authentication)…
– Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements…
• I9: Insecure Software/Firmware
– Consideration: Ensure all applications are written to include update capability and can be updated quickly …
– Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle...
• I10: Poor Physical Security
– Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device…
– Recommendation: Plan on having IoT edge devices fall into malicious hands...
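I3 asks that network-facing code "not respond poorly to buffer overflow, fuzzing" and "handle exceptions gracefully". The following is an added example, not code from the slides: a small length-prefixed device message (the layout is hypothetical, chosen for illustration) parsed two ways, once trusting the length field and once with every length checked and a CRC verified, plus a deterministic mutation fuzzer that classifies each outcome as accepted, rejected cleanly, or crashed. The point is the harness: a hardened parser has exactly one failure mode, and the fuzzer proves it.

```python
# Added example, not part of the slides: a bounded parser for a small
# length-prefixed device message and a deterministic mutation fuzzer that
# checks the parser only ever fails with the one error type it defines.
# The message layout below is hypothetical, chosen for illustration:
#   magic(2) b"IO" | version(1) | type(1) | length(2, big-endian) | payload | crc32(4)
import random
import struct
import zlib

MAX_PAYLOAD = 512            # hard cap, independent of what the length field claims
HEADER = struct.Struct(">2sBBH")
CRC = struct.Struct(">I")


class MalformedMessage(ValueError):
    """The only exception parse_message is allowed to raise."""


def build_message(mtype: int, payload: bytes) -> bytes:
    """Device side: frame a payload (also used to produce the fuzz seed)."""
    head = HEADER.pack(b"IO", 1, mtype, len(payload)) + payload
    return head + CRC.pack(zlib.crc32(head))


def naive_parse(frame: bytes) -> dict:
    """Trusts the length field; fails with struct.error on truncated or oversized input."""
    magic, version, mtype, length = HEADER.unpack(frame[:HEADER.size])
    payload = frame[HEADER.size:HEADER.size + length]
    (crc,) = CRC.unpack(frame[HEADER.size + length:HEADER.size + length + CRC.size])
    return {"type": mtype, "payload": payload,
            "crc_ok": crc == zlib.crc32(frame[:HEADER.size + length])}


def parse_message(frame: bytes) -> dict:
    """Hardened: every length is checked before it is used, and the CRC must match."""
    if len(frame) < HEADER.size + CRC.size:
        raise MalformedMessage("frame shorter than header + crc")
    magic, version, mtype, length = HEADER.unpack(frame[:HEADER.size])
    if magic != b"IO":
        raise MalformedMessage("bad magic")
    if version != 1:
        raise MalformedMessage("unsupported version %d" % version)
    if length > MAX_PAYLOAD:                       # in C this is the overflow / allocation bomb
        raise MalformedMessage("declared length %d exceeds cap" % length)
    if len(frame) != HEADER.size + length + CRC.size:
        raise MalformedMessage("declared length does not match frame size")
    body = frame[:HEADER.size + length]
    (crc,) = CRC.unpack(frame[HEADER.size + length:])
    if crc != zlib.crc32(body):
        raise MalformedMessage("crc mismatch")
    return {"type": mtype, "payload": body[HEADER.size:]}


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutate a valid frame and classify each outcome: accepted, rejected cleanly, or crashed."""
    rng = random.Random(seed)                      # fixed seed: every run is reproducible
    good = build_message(1, b"temp=21.5")
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        frame = bytearray(good)
        op = rng.choice(("flip", "truncate", "extend", "length"))
        if op == "flip":                           # flip one bit anywhere in the frame
            i = rng.randrange(len(frame))
            frame[i] ^= 1 << rng.randrange(8)
        elif op == "truncate":                     # cut the frame short
            del frame[rng.randrange(len(frame)):]
        elif op == "extend":                       # trailing garbage
            frame += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
        else:                                      # arbitrary value in the length field
            struct.pack_into(">H", frame, 4, rng.randrange(65536))
        try:
            parser(bytes(frame))
            counts["accepted"] += 1
        except MalformedMessage:
            counts["rejected"] += 1
        except Exception:                          # anything else is a crash in the parser
            counts["crashed"] += 1
    return counts
```

Run `fuzz(parse_message)` and `fuzz(naive_parse)` side by side: the hardened parser never leaves the "rejected" path, while the naive one crashes as soon as a truncation or an inflated length field arrives, which is exactly the behaviour I3 warns about. In a memory-unsafe language the same inflated length is a buffer overflow rather than an exception, so the cap and the size equality check are the controls that matter.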
Principles of Cloud Security
• Assume a hostile edge
• Test for scale
• Internet of lies
• Exploit autonomy
• Expect isolation
• Protect uniformly
• Encryption is tricky
• System hardening
• Limit what you can
• Lifecycle support
• Data in aggregate is unpredictable
• Plan for the worst
• The long haul
• Attackers target weakness
• Transitive ownership
• N:N Authentication
Cloud Security Considerations
• Are communications encrypted?
• Is storage encrypted?
• How is logging performed?
• Is there an updating mechanism?
• Are there default passwords?
• What are the offline security features?
• Is transitive ownership addressed?
Example Gateway Considerations
• Is encryption interrupted at the gateway (terminated and re-established, leaving data in the clear in between)?
• Are there replay and denial-of-service defensive capabilities?
• Is there local storage? Is it encrypted?
• Is there anomaly detection capability?
• Is there logging and alerting?
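To make the replay, denial-of-service, logging and alerting questions concrete, here is an added example that is not part of the slides: a gateway receive path for device messages. Each device shares a symmetric key with the gateway and stamps every message with a monotonically increasing counter; the tag is HMAC-SHA256 over (device id, counter, body). The gateway throttles each device with a token bucket before doing any cryptography, rejects bad tags and counters it has already accepted, logs every rejection and raises an alert when one device trips a threshold. Device ids, keys, the message shape and the limits are hypothetical values chosen for the example.

```python
# Added example, not part of the slides: gateway-side replay and flood
# protection with rejection logging and a threshold alert. Device ids, keys,
# message shape and limits are constructed for the example.
import hashlib
import hmac
from collections import defaultdict

DEVICE_KEYS = {                          # constructed: provisioned per device, one key each
    "sensor-01": bytes.fromhex("00" * 31 + "01"),
    "sensor-02": bytes.fromhex("00" * 31 + "02"),
}


def tag_for(key: bytes, device_id: str, counter: int, body: bytes) -> str:
    """Bind device id, counter and body together under the device key."""
    msg = device_id.encode() + b"\x00" + counter.to_bytes(8, "big") + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def device_send(device_id: str, counter: int, body: bytes) -> dict:
    """Device side: the counter must be persisted and never reused."""
    return {"dev": device_id, "ctr": counter, "body": body.hex(),
            "tag": tag_for(DEVICE_KEYS[device_id], device_id, counter, body)}


class TokenBucket:
    """Allow `burst` messages at once, then `rate` per second."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, rate: float = 1.0, burst: int = 5, alert_after: int = 5):
        self.last_ctr = {}                                   # highest counter accepted per device
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.rejections = defaultdict(int)
        self.alert_after = alert_after
        self.log, self.alerts = [], []

    def receive(self, msg: dict, now: float) -> str:
        dev = str(msg.get("dev", ""))
        key = DEVICE_KEYS.get(dev)
        if key is None:
            return self._reject(dev, "unknown device", now)
        if not self.buckets[dev].allow(now):                 # cheap check before any crypto
            return self._reject(dev, "rate limit", now)
        try:
            ctr, body, tag = int(msg["ctr"]), bytes.fromhex(msg["body"]), str(msg["tag"])
        except (KeyError, ValueError, TypeError):
            return self._reject(dev, "malformed", now)
        if not hmac.compare_digest(tag_for(key, dev, ctr, body), tag):
            return self._reject(dev, "bad tag", now)         # forged or tampered
        if ctr <= self.last_ctr.get(dev, -1):
            return self._reject(dev, "replay", now)          # this or a later counter already seen
        self.last_ctr[dev] = ctr
        self.log.append(f"{now:.0f} ACCEPT dev={dev} ctr={ctr} body={body!r}")
        return "accepted"

    def _reject(self, dev: str, reason: str, now: float) -> str:
        self.rejections[dev] += 1
        self.log.append(f"{now:.0f} REJECT dev={dev} reason={reason}")
        if self.rejections[dev] == self.alert_after:         # simple threshold alert
            self.alerts.append(f"{now:.0f} ALERT dev={dev} {self.alert_after} rejections")
        return reason


def demo() -> dict:
    """Constructed sequence: legit message, replay, tampering, flood, recovery."""
    gw, now, results = Gateway(), 100.0, []
    m1 = device_send("sensor-01", 1, b"temp=21")
    results.append(gw.receive(m1, now))                      # accepted
    results.append(gw.receive(m1, now))                      # same message again: replay
    m2 = device_send("sensor-01", 2, b"temp=21")
    results.append(gw.receive({**m2, "body": b"temp=99".hex()}, now))  # body changed, tag not
    for ctr in range(2, 12):                                 # 10 messages in the same second
        results.append(gw.receive(device_send("sensor-01", ctr, b"x"), now))
    results.append(gw.receive(device_send("sensor-01", 12, b"x"), now + 100))  # bucket refilled
    return {"results": results, "alerts": gw.alerts, "log": gw.log}
```

Two caveats a reviewer would raise. The bucket is keyed by the claimed device id, which an attacker can spoof to starve a legitimate device, so in practice key it by source address as well; and `last_ctr` must survive a gateway restart, otherwise every reboot reopens the replay window for every captured message. HMAC gives integrity and origin only; the body is still plaintext, so transport encryption (I4) is a separate control.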
Example Cloud Considerations
• Is there a secure web interface?
• Is there data classification and segregation?
• Is there security event reporting?
• How are 3rd party components tracked/updated?
• Is there an audit capability?
• Is there interface segregation?
• Is complex, multifactor authentication allowed?
Email: amarprusty@gmail.com
133

More Related Content

What's hot

Data Center Security
Data Center SecurityData Center Security
Data Center Security
devalnaik
 

What's hot (20)

Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud Security
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 

Similar to Cloud Security

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
Prince Chandu
 

Similar to Cloud Security (20)

talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 
Azure Fundamentals Part 3
Azure Fundamentals Part 3Azure Fundamentals Part 3
Azure Fundamentals Part 3
 
Cloud Security_Module2.ppt
Cloud Security_Module2.pptCloud Security_Module2.ppt
Cloud Security_Module2.ppt
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azure
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdf
 
Subscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, ScalabilitySubscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, Scalability
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 

More from AWS User Group Bengaluru

More from AWS User Group Bengaluru (20)

Demystifying identity on AWS
Demystifying identity on AWSDemystifying identity on AWS
Demystifying identity on AWS
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best Practices
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3
 
Medlife journey with AWS
Medlife journey with AWSMedlife journey with AWS
Medlife journey with AWS
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful career
 
Slack's transition away from a single AWS account
Slack's transition away from a single AWS accountSlack's transition away from a single AWS account
Slack's transition away from a single AWS account
 
Log analytics with ELK stack
Log analytics with ELK stackLog analytics with ELK stack
Log analytics with ELK stack
 
Serverless Culture
Serverless CultureServerless Culture
Serverless Culture
 
Refactoring to serverless
Refactoring to serverlessRefactoring to serverless
Refactoring to serverless
 
Amazon EC2 Spot Instances Workshop
Amazon EC2 Spot Instances WorkshopAmazon EC2 Spot Instances Workshop
Amazon EC2 Spot Instances Workshop
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Medlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit markMedlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit mark
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best Practices
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful career
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3
 
Amazon EC2 Spot Instances
Amazon EC2 Spot InstancesAmazon EC2 Spot Instances
Amazon EC2 Spot Instances
 
Cost Optimization in AWS
Cost Optimization in AWSCost Optimization in AWS
Cost Optimization in AWS
 
Keynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedKeynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practiced
 
Decentralized enterprise architecture using Blockchain & AWS
Decentralized enterprise architecture using Blockchain & AWSDecentralized enterprise architecture using Blockchain & AWS
Decentralized enterprise architecture using Blockchain & AWS
 

Recently uploaded

Recently uploaded (20)

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Buy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdfBuy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 

Cloud Security

  • 1. Secure Cloud Name of the Speaker : Amar Prusty Company Name : DXC Technology Place: Bangalore Confidential – For Training Purposes Only
  • 2. Speaker Experience ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics ◆ Hobbies– Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/ Confidential – For Training Purposes Only
  • 3. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13. Defining Cloud Cloud computing is a model for enabling ubiquitous, convenient, on- demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Citation: Special Publication (NIST SP) - 800-145 – On-demand self-service – Broad network access – Resource pooling – Rapid elasticity – Measured service
  • 14. Cloud Service Models • Infrastructure as a Service (IaaS) – Standardized, highly automated offering, where compute resources, complemented by storage and networking capabilities are owned by a service provider and offered to customers on-demand. Customers are able to self-provision the infrastructure. • Platform as a Service (PaaS) – Offering is a broad collection of application infrastructure (middleware) services including application platform, integration, business process management and database services. • Software as a Service (SaaS) – Software is owned, delivered and managed remotely by a provider. The provider delivers software based on one set of common code and data definitions that is by contracted customers on a pay-for-use basis or as a subscription.
  • 15. Cloud Service Models Facilities Hardware Integration Middleware Interfaces Abstraction Layer Connectivity/Network Presentment Application Programming Interfaces Data Metadata Applications/Software Infrastructure as a Service Platform as a Service Software as a Service
  • 16. Cloud Deployment Models • Public Cloud infrastructure is available to the general public, owned by org selling cloud services • Private Cloud infrastructure for single organization only, may be managed by the organization or a 3rd party, on or off premise • Hybrid Cloud infrastructure shared by several organizations that have shared concerns, managed by org or 3rd party • Community Combinations of clouds types
  • 17. Chief Information Officers’ Cloud Concerns Security Availability Performance Costs Standards
  • 18. Shared Security Responsibility Application Platform Architecture Virtual Infrastructure Hardware Facility Service Provider Consumer I A A S P A A S S A A S I A A S P A A S S A A S • Service Provider and Consumer roles, related to cloud model, are inverse of each other.
  • 19. Data Types and Compliance • Data, being the key attribute of an information technology system, is the driving force in selecting the appropriate level of security. • Develop detail data flows • If security controls and approach is not matched to the characterization of data then: – The system will be more costly and utility reduced if over secured. – The system and data will be vulnerable and could lead to a breach.
  • 20. Risk = (Data Type + Breach Probability)/Data Security Profile Public Data Sensitive Data Public Data Confidential Data Restricted Data Public Data Classification: Low Classification: HighClassification: Moderate Data Security Profile 4 Integrity Controls Privacy Act FISMA HIPAA PCI-DSS FERPA Pub 1075 CJIS Data Security Profile 1 Data Security Profile 3Data Security Profile 2 NIST SP 800-53v4 SP 800-53v4, Pub 1075, CJIS-SP Policies & Procedures Profile 4 Policies & Procedures Profile 3 Policies & Procedures Profile 2 Policies & Procedures Profile 1 Data Object Security Data Security Profile + Data Owner + Originating System + Data Integrity ConfidenceData Pedigree Risk Profile Risk= (Data Type * Breach Probability)/Security Profile
  • 21. DoDM 5200, E.O. 13256 Data Classification Comparison: Project - Federal Agency – National Security Direct comparison is difficult because data classification is specific to mission, context, aggregation and system. Detailed review of data sets, usage and regulatory compliance yields appropriate classifications. Data can transition up or down in classification levels based on certain factors. Regulations, NIST SP 800-53v4, FIPS, PUB 1075, Agency Specific Guidance Classification: For Official Use Only (FOUO) Classification: Secret Classification: Confidential Classification: Unclassified Classification: Top Secret Limited Damage Serious Damage Damage No Damage Grave Damage National Security/Dept. of Defense Classifications Integrity Controls Privacy Act FISMA HIPAA PCI-DSS FERPA Pub 1075 CJIS Classification: Low Classification: Moderate Classification: Public Data Classifications Classification: Low Classification: High Classification: Moderate Classification: Public Limited Adverse Effect Severe Adverse Effect Serious Adverse Effect No Adverse Effect Integrity Controls Privacy Act FISMA HIPAA PCI-DSS FERPA, Pub 1075 CFR Title 28, DOJ-BoPrisons Federal Agency Classifications Moderate +
  • 22. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 23. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 24.
  • 25. What is Cloud Security? • There is a lot of noise and distraction about cloud security. • The truth is that security controls need to be implemented if you use: – Stand alone servers – Physical servers in your data center – Virtualization in your data center – Cloud provided by a service provider • There are few differences when identifying what controls • Bottom line is that organizations feel vulnerability since they believe they lose control
  • 26. Endpoint Device Security • Host based Intrusion Detection Systems (HIDS) • Host based firewalls • Application whitelisting • Endpoint encryption • Trusted platform module • Mobile device management • Sandboxing
  • 27. Cloud Security • TLS Encryption • Network Firewalls/Web Application Firewall • Data Encryption – FIPS 140-2 • Central Logging • Authentication Layering • Network Scanning • Third Party Security Testing – Vulnerability Assessments – Penetration Testing – Security Audit • Statement on Standards for Attestation Engagements (SSAE) 16 Compliant Data Center
  • 28. Architectural Considerations • Attack Surface. – The hypervisor is an additional layer of software between an operating system and hardware platform. The hypervisor normally supports other application programming interfaces to conduct administrative operations, such as launching, migrating, and terminating virtual machine instances. This increases the attack surface. • Complicated Architectures – Virtual machines environments and their supportive software are complicated. Implementing organizational software in PaaS or IaaS creates additional complications that have to managed appropriately
  • 29.
  • 30. Architectural Considerations • Virtual Network Protection – Most virtualization platforms have the ability to create software-based switches and network configurations as part of the virtual environment to allow virtual machines on the same host to communicate more directly and efficiently. Some hypervisors’ network monitoring capabilities are not as robust as physical network tools. • Virtual Machine Images. – IaaS cloud providers maintain repositories of virtual machine images. A virtual machine image includes a the software stack and speeds up the time to implementation. These are often shared. Shared virtual images must be validated and carefully controlled to not implement problems.
  • 31.
  • 32. Architectural Considerations • Client-Side Protection – Web browsers, a key element for many cloud computing services, and the various plug-ins and extensions are notorious for their security problems. Security awareness is as important when dealing with a cloud application as any other alternately implemented application. • Identify and Access Management – Identification, authentication, authorization and accounting are critical to implement, enforce and monitor on any cloud based applications or cloud management portals.
  • 33. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 34. Identity and Access Management • Identity Management includes: – Self-service – Registration – Password management – Provisioning • Access Management includes: – Authentication – Authorization – Policy Management – Federation – Identity Repository
  • 35. Identity and Access Management • Identity repositories provide directory services for the administration of user accounts and their attributes. • Common Directory Services: – X.500 and LDAP – Microsoft Active Directory – Novell eDirectory – Metadata replication and synchronization – Directory as a Service
  • 36. Federated Identity Management • Provides the policies and processes that manage identity and trusted access to systems across entities • Like Kerberos, but for separate domains • Federation Standards: – Security Assertion Markup Language (SAML) – WS-Federation – OpenID Connect (based on OAuth 2.0) – OAuth for web and mobile applications • Federated Identity Providers – Identity Provider – holds all the identities and generates a token for known users – Relying Party – the service provider who consumes these tokens
  • 37.
  • 38.
  • 39. Security Threats • Malicious Code –Ransomware –Virus –Worms –Trojans –Logic bombs –Malware –Botnet • Malicious Code Countermeasures – Scanners – IDS/IPS – Security testing – Anti-malware – Code signing – Sandboxing – Appropriate patching
  • 40.
  • 41.
  • 42.
  • 43.
  • 44. Security Threats • Malicious Activity – Social Engineering –Spoofing –Phishing –Spam –Botnets • Malicious Activity Countermeasures – User Awareness Training – System Hardening – Patching – Sandboxing – Policies and Procedures
  • 45.
  • 46.
  • 47.
  • 48.
  • 49. Security Threats • Abuse and Nefarious use – Hackers continue to leverage technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. – Cloud providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. • Countermeasures: Patching, intrusion detection, security awareness training, background checks
  • 50. Security Threats • Insecure interfaces and APIs – Cloud providers strive to provide security and that it is integrated into their service models. – Consumers of services need to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. – Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. • Countermeasures: Architecture review, security testing, patching schedules, Service Level Agreements, legal agreements (BAA)
  • 51. Security Threats • Malicious insiders – The impact that malicious insiders can have on an organization is great because of their level of access and understanding of data and information technology assets. – Theft, reputation damage and loss of productivity are some examples of how malicious insider can affect an operation. – Organizations that adopt cloud services need to understand the human element and that the responsibility for a malicious insider is relevant for staff of the cloud provider. • Countermeasures: Background checks, policies and procedures, non-repudiation, two man work, security awareness training, least privilege
  • 52. Security Threats • Shared technology issues – Attacks have surfaced in recent years that target the shared technology inside cloud computing environments. – As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data. • Countermeasures: Patching, security testing, monitoring, security awareness training
  • 53. Security Threats • Data loss or leakage – Data loss or leakage can have a devastating impact on a business and its impact is directly relevant to the type of data. – Compliance violations, legal ramifications – Loss of core intellectual property could have competitive and financial implications. • Countermeasures: Data Loss Prevention Applications, encryption, security awareness training, data classification, policies and procedures, least privilege
  • 54. Security Threats • Account or service hijacking – Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical cloud services, allowing them to compromise the confidentiality, integrity and availability of the services and the data. • Countermeasures: Policies and procedures, security awareness training, enforced password life, complexity and reuse
  • 55. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 56. Security Threats • Unknown Risk Profile – When adopting a cloud service, the features and functionality may be well advertised, but one must understand the cloud service security posture/risk profile. – Understand the controls or compliance alignment – Make sure you agree with the cloud providers internal security procedures, configuration hardening, patching, auditing, and logging – Do they go through SSAE16 SOC2 audits or are FEDRamp certified? – Under what conditions can you have access to or be given an extract of logs? – Can you conduct vulnerability scanning or penetration testing on “your” infrastructure; and/or will you receive the regular reports of the results of their scanning and testing. • Countermeasures: Research, agreements, and governance
  • 57.
  • 58.
  • 59.
  • 60. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 61.
  • 62.
  • 63.
  • 64.
  • 65. Cloud Governance • Cloud Governance by the Customer is Critical – Extend organizational practices pertaining to the policies, procedures, and standards implemented for users. – Practices pertaining to policies, procedures and standards implemented for application development and service provisioning. – Environment establishment such as development, testing, staging, training, production and disaster recovery in alignment with organizational standards. – Put in place audit mechanisms and tools to ensure organizational practices are followed such as log review and reporting.
  • 66. Cloud Governance • Cloud Governance by the Customer is Critical – Cloud customers need to define a cloud strategy before entering into an agreement with a CSP – Organizational assets agreed upon and assessed for suitability for the cloud – Define suitable business units or functions – Outline a phased approach to the cloud journey – Document exceptions, restrictions, and risks – List regulatory and compliance components (addressed either jointly or by the provider) – List business and system interdependencies.
  • 67. Cloud Application Security • Cloud development and applications must take the service model and deployment model into consideration • Data sensitivity issues in the cloud • Choose the API style deliberately (RESTful vs SOAP) • Be careful with multitenancy • Appropriate cryptography • Release management
  • 68. Cloud Application Security • On-premises applications do not always port unchanged • Follow an appropriate Software Development Lifecycle • Not all applications are suitable for the cloud • Users and developers must have appropriate security awareness • Document cloud applications thoroughly • Identify the complexities of integration • Code with the current OWASP Top 10 in mind (editions are dated 2013, 2017 and 2021; there is no 2019 edition) • Code to ISO/IEC 27034-1 (Information technology – Security techniques – Application security – Part 1: Overview and concepts)
  • 69. Cloud Application Security • APIs are a very important part of cloud applications and are the primary access method • Two common formats for cloud APIs are: – Representational State Transfer (REST) • Uses HTTP verbs and URLs • Supports many data formats (e.g., JSON, XML, YAML) • Good performance and scalability; responses can be cached • Widely used • Stateless – Simple Object Access Protocol (SOAP) • Wraps every message in an XML SOAP envelope, carried over HTTP, SMTP or other transports • Only supports XML • Slower, harder to scale, no HTTP caching • Used where REST is not an option • Can maintain session state
  • 70. Cloud Operations & Maintenance • Research how the cloud service provider operates and maintains the service, so you can confirm it meets your compliance requirements and risk threshold. • Do not assume that because they say they operate it appropriately, they do. – Ask for patching schedules. – Ask what continuous scanning is done and whether you can have a summary report. • And ensure the following:
  • 71. Cloud Operations & Maintenance • Fault management • Problem management • Equipment management • Change management • Release management • Supplier management • Prevention management • Resource staffing • Architectural/network topology documentation
  • 72. Cloud Compliance • Align compliance requirements developed from regulations, standards, and organization mission to create a framework for acceptable: – Risk: Have risk management in place supported by leadership – Recovery Time Objective: How long can the system or components be down? – Recovery Point Objective: How much data can you lose before reaching the unacceptable threshold – Loss: Are there acceptable losses? – Budget: For losses, fines or hopefully controls – Controls: Dependent on identified risk and vulnerabilities.
  • 73. Cloud Compliance • The customer chooses where to place data. – The customer organization needs to understand cloud computing. • Cloud providers generally have regions (AWS, for example) that are isolated from each other by design • Data is not replicated to, and does not move between, regions unless the customer chooses that option • Customers manage access to their data as well as to AWS services and resources • Customers choose how their data is secured.
  • 75. Some Key Points • Make sure you exercise due diligence when selecting a cloud service provider. • Make sure the cloud environment supports the regulatory requirements of your industry and data. • Conduct data classification to understand the sensitivity of your data before moving to the cloud. • Clearly define who owns the data, how it will be "returned" to you, and the timing, in the event you cancel your agreement. • Understand whether you are using the cloud in the IaaS, PaaS, SaaS or another model. • Establish Service Level Agreements (SLAs) to ensure performance • Engage cloud-specific legal advice before moving to the cloud.
  • 76. Some Key Points • Make sure you schedule enough time to move your application or data center to the cloud. • Make sure you budget a sufficient amount. • Recognize that many organizational policies and procedures will need to be updated. • When using data provided by third parties, note that you may need to notify them and amend your agreement. • Do not let the in-house IT skills of the people who understand the business and your applications erode.
  • 77. AWS Security Best Practices – CloudTrail • Enable CloudTrail across all geographic regions and AWS services to prevent activity-monitoring gaps. • Turn on CloudTrail log file validation so that any change made to a log file after it has been delivered to the S3 bucket is detectable, which preserves log integrity. • Enable access logging for the CloudTrail S3 bucket so that you can track access requests and identify potentially unauthorized access attempts. • Require multi-factor authentication (S3 MFA Delete) for deletions in the CloudTrail S3 bucket, and encrypt all CloudTrail log files in flight and at rest. • Attackers disable CloudTrail and delete logs to cover their tracks, so alert on the StopLogging, DeleteTrail and UpdateTrail API calls and on deletes in the log bucket.
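Two offline checks for the CloudTrail points on this slide, as an added example (not code from the deck or from AWS): one scores a trail description against the hardening list, the other runs over CloudTrail event records and flags the calls an attacker uses to blind the trail or delete its evidence. The dict shapes follow what the AWS API returns (`DescribeTrails` entries and CloudTrail event records), but every trail, user, ARN, bucket and event below is constructed for the example.

```python
"""Offline checks for CloudTrail hardening and tamper detection.

Added example, not code from the original deck.  Input shapes follow the AWS
API (``DescribeTrails`` entries and CloudTrail event records); all values are
constructed, nothing is read from a real account.
"""

# Constructed: two entries in the shape of a describe_trails() response.
SAMPLE_TRAILS = [
    {   # hardened trail
        "Name": "org-trail",
        "S3BucketName": "org-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {   # single-region trail with no digests and no customer-managed key
        "Name": "legacy-trail",
        "S3BucketName": "legacy-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
    },
]

# API calls that blind a trail or destroy the evidence it already delivered.
TAMPER_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteObject", "DeleteObjects",
                         "PutBucketLifecycle",
                         "PutBucketLifecycleConfiguration"},
}

# Constructed CloudTrail records (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
     "requestParameters": None},
    {"eventTime": "2019-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2019-05-01T10:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "org-cloudtrail-logs",
                           "key": "AWSLogs/111122223333/CloudTrail/us-east-1/2019/05/01/a.json.gz"}},
    {"eventTime": "2019-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-server"},
     "requestParameters": {"bucketName": "app-uploads", "key": "tmp/1.png"}},
]


def evaluate_trail(trail):
    """Return the hardening gaps for one trail description (empty = ok)."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("not multi-region: activity in other regions is unlogged")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events (IAM, STS) are not included")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation off: altered log files go unnoticed")
    if not trail.get("KmsKeyId"):
        gaps.append("no customer-managed KMS key on the trail")
    return gaps


def detect_trail_tampering(events, log_buckets):
    """Flag API calls that stop a trail or delete objects from its log buckets."""
    hits = []
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName")
        if name not in TAMPER_CALLS.get(source, ()):
            continue
        params = ev.get("requestParameters") or {}
        # S3 deletes only matter when they touch a bucket that holds trail logs.
        if source == "s3.amazonaws.com" and params.get("bucketName") not in log_buckets:
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "actor": ev.get("userIdentity", {}).get("arn"),
            "call": name,
            "target": params.get("name") or params.get("bucketName"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return hits


if __name__ == "__main__":
    for trail in SAMPLE_TRAILS:
        print(trail["Name"], evaluate_trail(trail) or ["ok"])
    buckets = {t["S3BucketName"] for t in SAMPLE_TRAILS}
    for hit in detect_trail_tampering(SAMPLE_EVENTS, buckets):
        print("TAMPER", hit)
```

On the sample data the legacy trail fails all four checks and the detector reports exactly two events, the StopLogging call and the DeleteObject in the trail's own bucket, both from the same user and source IP; the delete in an unrelated application bucket is ignored. In production the same logic would run on events delivered to CloudWatch Logs or an event bus, with the S3 bucket set taken from the live trail list rather than the constructed one.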
  • 78. AWS Security Best Practices – IAM • When creating IAM policies, attach them to groups or roles rather than to individual users, to minimize the risk of a user accidentally accumulating excessive permissions. • Grant access to a resource through IAM roles (temporary credentials) instead of issuing an individual set of long-lived credentials, so that misplaced or compromised credentials do not lead to unauthorized access. • Give IAM users the minimum privileges that still allow them to fulfil their job responsibilities. • As a last line of defense against a compromised account, ensure all IAM users have multi-factor authentication enabled, and limit the number of IAM users with administrative privileges. • Rotate IAM access keys regularly and standardize on a fixed number of days for password expiration, so that a lost or stolen key or password stops working. • Enforce a strong password policy requiring a minimum of 14 characters including at least one number, one upper-case letter and one symbol, and a reuse policy that prevents users from reusing any of their last 24 passwords. • Attackers try to obtain or brute-force IAM credentials to gain full access.
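The MFA, key-rotation and password-age rules on this slide can be checked against the IAM credential report, which lists every user with their password, MFA and access-key status. The audit below is an added example, not code from the deck or from AWS: the CSV uses the column names of the real report (`aws iam get-credential-report` returns it base64-encoded) but only the columns the audit reads, every user, ARN and timestamp is constructed, and the as-of date is fixed so the result is reproducible.

```python
"""Audit an IAM credential report for missing MFA and stale credentials.

Added example, not code from the original deck.  The CSV below has the column
names of the real credential report but only a subset of its columns; all
users, ARNs and dates are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (subset of the real columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2017-01-10T08:00:00+00:00,not_supported,2019-05-30T11:12:00+00:00,not_supported,true,true,2017-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-02-01T09:00:00+00:00,true,2019-05-31T07:30:00+00:00,2019-04-15T09:00:00+00:00,true,true,2019-05-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-02-01T09:00:00+00:00,true,2019-05-20T16:05:00+00:00,2018-11-01T09:00:00+00:00,false,true,2018-02-01T09:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2018-06-01T09:00:00+00:00,false,no_information,N/A,false,true,2019-04-20T00:00:00+00:00,true,2018-06-01T09:00:00+00:00
"""

AS_OF = datetime(2019, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the example


def _timestamp(value):
    """The report writes N/A, no_information or not_supported when no date exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, as_of=AS_OF,
                            max_key_age_days=90, max_password_age_days=90):
    """Return (user, finding) pairs for accounts that break the rules above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [(n, row[f"access_key_{n}_active"] == "true",
                 _timestamp(row[f"access_key_{n}_last_rotated"]))
                for n in ("1", "2")]
        if user == "<root_account>":
            # Root should never hold API keys; console break-glass only, with MFA.
            if any(active for _, active, _ in keys):
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            changed = _timestamp(row["password_last_changed"])
            if changed and as_of - changed > timedelta(days=max_password_age_days):
                findings.append((user, f"password older than {max_password_age_days} days"))
        for n, active, rotated in keys:
            if active and rotated and as_of - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated in {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:14} {finding}")
```

On the constructed report the audit returns five findings: root with a live access key, three for bob (no MFA, stale password, stale key) and one stale second key on the service user; alice is clean. The password rules themselves (14 characters, number, upper case, symbol, 24-password history) are enforced server-side with `aws iam update-account-password-policy --minimum-password-length 14 --require-numbers --require-uppercase-characters --require-symbols --password-reuse-prevention 24 --max-password-age 90`, so a local check is only needed for reporting, not enforcement.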
  • 79. AWS Security Best Practices-IAM • AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources • AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators • AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience
  • 80. AWS Security Best Practices – Monitoring • Deep visibility into API calls through AWS CloudTrail, including who made the call, what was called, when, and from where • Log aggregation options that streamline investigations and compliance reporting • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded • These tools and features give you the visibility to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
  • 81. AWS Security Best Practices – Configuration • A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including the affected network, OS and attached storage • Deployment tools to manage the creation and decommissioning of AWS resources according to organizational standards • Inventory and configuration management tools, including AWS Config, that identify AWS resources and then track and manage changes to those resources over time • Template definition and management tools, including AWS CloudFormation, to create standard, preconfigured environments • Attackers take advantage of configuration drift, so the live configuration must be continuously compared with the template it was deployed from
  • 82. AWS Security Best Practices-KMS • Flexible key management options, including AWS Key Management Service, allowing you to choose whether to have AWS manage the encryption keys or enable you to keep complete control over your keys • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS • Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements • In addition, AWS provides APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment.
  • 83. AWS Security Best Practices – Infra • Network firewalls built into Amazon VPC (security groups and network ACLs), and web application firewall capabilities in AWS WAF, let you create private networks and control access to your instances and applications • Customer-controlled encryption in transit with TLS across all services • Connectivity options that enable private or dedicated connections from your office or on-premises environment • Automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities • Attackers probe exposed infrastructure (open ports, permissive security groups) to gain access
  • 84. AWS Security Best Practices – DB & S3 • Ensure that no S3 buckets are publicly readable or writable unless required by the business. • Turn on Redshift audit logging to support auditing and post-incident forensic investigation of a given database. • Encrypt data stored in EBS as an added layer of security. • Encrypt Amazon RDS as an added layer of security. • Enable the require_ssl parameter on all Redshift clusters to minimize the risk of man-in-the-middle attacks. • Restrict network access to RDS instances (security groups, no publicly accessible endpoint) to decrease the risk of brute-force attacks, SQL injection or DoS. • Attackers go after the data stores themselves to gain full access to sensitive data in databases and S3
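Whether a bucket is "publicly readable or writable" is decided by its bucket policy and its ACL, so the first S3 point on this slide can be checked from those two documents. The checker below is an added example, not code from the deck or from AWS: the inputs have the shape of `get-bucket-policy` (a JSON policy document) and `get-bucket-acl` output, all three buckets and their policies are constructed, and the public test is a simplification of AWS's own definition (an Allow statement whose principal is everyone and that carries no Condition is treated as public; one with a Condition is reported separately for manual review, since condition keys such as aws:SourceVpce narrow the grant while others do not).

```python
"""Spot publicly exposed S3 buckets from their policy and ACL documents.

Added example, not code from the original deck.  Inputs follow the shape of
get-bucket-policy / get-bucket-acl output; every bucket, policy and grant
below is constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policies.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::marketing-assets/*"}],
})
VPCE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::internal-data",
                                "arn:aws:s3:::internal-data/*"],
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})
ROLE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRole", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-server"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}],
})
# Constructed ACL in get-bucket-acl shape: owner plus a world-readable grant.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _everyone(principal):
    """True for Principal "*" or {"AWS": "*"}: both mean anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy_json):
    """Return (sid, actions, 'public'|'conditional') for Allow-to-everyone statements."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _everyone(stmt.get("Principal")):
            continue
        scope = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid"), _as_list(stmt.get("Action", [])), scope))
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) for grants to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


if __name__ == "__main__":
    for name, policy in [("marketing-assets", PUBLIC_READ_POLICY),
                         ("internal-data", VPCE_ONLY_POLICY),
                         ("app-data", ROLE_ONLY_POLICY)]:
        print(name, public_policy_statements(policy) or "no everyone-principal statements")
    print("acl", public_acl_grants(SAMPLE_ACL))
```

The first policy is reported as public, the VPC-endpoint policy as conditional, the role-scoped one not at all, and the ACL shows the AllUsers READ grant. Rather than policing every bucket this way, enable S3 Block Public Access at the account level (`aws s3control put-public-access-block --account-id ...` with all four settings true); once it is on, public policies and ACLs like these are ignored by S3 regardless of what a bucket owner sets.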
  • 92. AWS Cloud Shared Security
  • 94. Cloud IT Security Breaches
  • 95. Target Targeted • What happened / How it happened – Attackers used the credentials of a third-party vendor to get into Target's network – They installed credit-card-stealing malware on POS devices in all domestic Target stores – Card numbers started flowing out of Target's network – A federal investigator warned Target of a massive data breach – Target confirmed and eradicated the malware, after 40 million credit card numbers had been stolen • Impact – A total of $153.9 million was paid towards legal settlements – The CEO and CIO resigned after the breach
  • 96. Adobe Creative Cloud Security Breach • What happened? – In October 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. In addition to the credit card records, tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. • How it happened – Weak password requirements made it possible for the attacker to brute-force their way into the Adobe infrastructure • Impact – Adobe paid US$1.2M plus settlements to end the 2013 breach class action
  • 97. Sony Cloud Breach • What happened? – Hackers stole the credentials of a system administrator, which gave them broad access to Sony's computer systems – After gaining access to the Sony IT infrastructure, they planted malware in the network to collect data – The malware used Microsoft Windows management and network file-sharing features to spread, shut down the network and reboot computers – The attackers, calling themselves the GOP (Guardians of Peace), told Sony they had taken private files, software source code, and files holding passwords for Oracle and SQL databases, among other documents; they also took data on movie production schedules, emails and financial documents, and published much of it • Impact – According to Reuters, the cyber attack on Sony's movie studio cost the studio as much as $100 million – Sony had to spend money on computer repairs and replacements, and on an investigation into what happened and how to prevent a future attack
  • 99. What information to look for in a cloud provider • Certifications & Standards • Technologies & Service Roadmap • Data Security, Data Governance and Business Policies • Service Dependencies & Partnerships • Contracts, Commercials & SLAs • Reliability & Performance • Migration Support, Vendor Lock-in & Exit Planning • Business Health & Company Profile
  • 100. Controls to look for with a Cloud Service Provider (Source: CSA) • Application Security • Data Integrity and Security • Audit Assurance & Compliance • Information System Regulatory Mapping • Business Continuity Management, Planning and Testing • Equipment Maintenance • Impact Analysis • Customer Access Requirement • New Development and Acquisition • Data Security and Information Lifecycle • Datacenter Security • Encryption and Key Management • Governance and Risk Management • Human Resource Management • Identity and Access Management • Infrastructure and Virtualization Security • Security Incident Management, E-Discovery & Cloud Forensics • Threat and Vulnerability Management
  • 103. Why is a SOC 2 Type 2 report important when evaluating cloud providers? • A Type 1 report only attests that the controls are suitably designed at a point in time; a Type 2 report also tests whether those controls operated effectively over a review period (typically six to twelve months), so it is the one to ask for. The Trust Services criteria it covers: – Security: Unauthorized access to systems (both physical and logical) is prevented through controls. – Confidentiality: Information labeled as confidential is protected with adequate controls (customer data and systems would likely fall into this category). – Privacy: Personal information is collected and managed in accordance with the AICPA Generally Accepted Privacy Principles. – Availability: Systems are designed with uptime and availability in mind, and continuity of system operations is maintained. – Processing Integrity: System processing is complete, valid, accurate, timely and authorized.
  • 107. Does Cloud add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas – like health care – where reliability is critical? • Do users install device management software on other computers? Is that another attack vector?
  • 108. Attacking Cloud • Default, weak, and hard-coded credentials • Difficulty updating firmware and OS • Lack of vendor support for fixing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflows) • Clear-text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering
  • 109. Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of the IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full-stack solutions – No visibility into security or attack surface – Attackers have a field day
  • 111. OWASP Internet of Things (IoT) Top 10 – Category / IoT Security Consideration / Recommendations
– I1: Insecure Web Interface • Ensure that any web interface coding is written to prevent the use of weak passwords … • When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security …
– I2: Insufficient Authentication/Authorization • Ensure that applications are written to require strong passwords where authentication is needed … • Refer to the OWASP Authentication Cheat Sheet
– I3: Insecure Network Services • Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … • Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully …
– I4: Lack of Transport Encryption • Ensure all applications are written to make use of encrypted communication between devices … • Utilize encrypted protocols wherever possible to protect all data in transit …
– I5: Privacy Concerns • Ensure only the minimal amount of personal information is collected from consumers … • Data can present unintended privacy concerns when aggregated …
– I6: Insecure Cloud Interface • Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … • Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms …
– I7: Insecure Mobile Interface • Ensure that any mobile application coding is written to disallow weak passwords … • Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …
– I8: Insufficient Security Configurability • Ensure applications are written to include password security options (e.g. enabling 20-character passwords or enabling two-factor authentication) … • Security can be a value proposition. Design should take into consideration a sliding scale of security requirements …
– I9: Insecure Software/Firmware • Ensure all applications are written to include update capability and can be updated quickly … • Many IoT deployments are either brownfield and/or have an extremely long deployment cycle …
– I10: Poor Physical Security • Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device … • Plan on having IoT edge devices fall into malicious hands …
  • 112. Principles of Cloud Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
  • 113. Cloud Security Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
  • 114. Example Gateway Considerations • Is encryption terminated or interrupted at the gateway? • Are there replay and denial-of-service defences? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
  • 117. Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are third-party components tracked and updated? • Is there an audit capability? • Is there interface segregation? • Is strong, multifactor authentication supported?