HTTPS://CLOUDSECURITYALLIANCE.ORG/
1
Cloud Security Alliance now in Ukraine.
Mission, opportunities and plans
Iurii Garasym
President, Cloud Security Alliance Lviv Chapter
February 10, 2018
Ukraine is cool!
Acknowledgements
Vitalii Yuryev
Nazar Tymoshyk
Sergey Seletsky
Yuriy Khoma
Ivan Horodyskyy
Mykhaylo Kropyva
Denys Kravchenko
Pavlo Bornia
Volodymyr Bielov
Pavlo Ivanishchin
Pavlo Khromchak
Yuriy Lakh
Nazar Garasym
Svitlana Chaplinska
Cloud Computing Model
Cloud Computing Service Models
Trust Issues
● Will my cloud provider be transparent about governance and operational issues?
● Will I be considered compliant?
● Do I know where my data is?
● Is my provider really better at security than me?
● Are the hackers waiting for me in the cloud?
Top Cloud-Related Risks
What is different with the (public) cloud?
What are the new risks?
How can a breach / incident occur differently than on-premises?
● Off-premises: physical security, communications security (remote workload, MITM on SSL/TLS), user errors (certs). Big vs small CSP.
● Shared resources: resource sharing (DDoS on your neighbor / CSP, you, any other in between), logical separation (multitenancy, is VLAN secure?), virtualization – performance vs security
● Automation: scalable attacks (issue cascading), exposed management interfaces (portals and APIs)
● Standardization: templates (the same attacks for all), scalable attacks
● 3rd party operations: transparency, SLAs, NDAs, personnel security, processes, audits, business sustainability etc.
● Exposure (Internet): default visibility of certain attack surfaces (API, authentication…). A FW on premises can hide most of the gaps.
What Could Possibly Go Wrong? #1
● To login – federation – ticket – you are in (critical vulnerability in the SAML implementation)
● Having a credit card you become an O365 tenant
● No authentication / authorization validation (one principal is authenticated, the other one is performing actions)
● By substituting the entity you could be granted access to any O365 tenant
● Bypassing all authentication
● Software bug. It was there for an "unknown amount of time". Becomes known just nowadays
● There are guys who search for 0days – others buy. No disclosure
What Could Possibly Go Wrong? #2
● Another bug
● When you created a document, the default sharing option was set to "public" (security by design vs security by default)
● Confidential documents, passwords and health data have been inadvertently shared by firms using Microsoft's Office 365 service
● The sensitive information was found via a publicly available search engine that is part of Office 365.
● The software giant initially reacted by removing the search box from the main Docs.com page.
● Files were still cached in Google's search results, as well as in Microsoft's own search engine, Bing
What Could Possibly Go Wrong? #3
● Reverse proxy as a service / WAF as a service
● Bug as well
● If you make a request to a website protected by the WAF, it will respond with a random memory dump from another customer's website
● CloudFlare, 1.2 million leaks. If there were session cookies, they could be used to gain access to a user account of an affected website
● And so far, no user passwords, credit card information, health records or customer encryption keys are known to have leaked
● No evidence a malicious hacker found the bug before Google did
What Could Possibly Go Wrong? #4
● A series of bugs and vulnerabilities (critical and moderate) in VMware's ESXi, VMware Workstation, and VMware Fusion products
● Execute any code on any host
● Designed for performance
What Could Possibly Go Wrong? #5
Who currently has 0-day cloud (fabric) exploits?
● ShadowBrokers
● So many exploits and 0days released at one time
● Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.
● It's literally a cyberweapon for hacking into computers … people will be using these attacks for years to come.
CSA Global
• The Cloud Security Alliance (CSA) is a global not-for-profit, vendor-neutral organization, founded in 2009.
• Focused on research and standards for adopting and implementing secure cloud computing. Most are available for free download to anyone. Research and standards are created through work groups, which are open for participation.
• Part of the CSA's mission is to raise awareness of best practices.
• CSA collaborates with industry practitioners, associations, governments, and its corporate and individual members to offer research, education, certification, events and products.
CSA offers the most popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider assurance program of self-assessment, 3rd party audit and continuous monitoring.
CSA launched the industry's first cloud security user certification in 2010, the Certificate of Cloud Security Knowledge (CCSK), the benchmark for professional competency in cloud computing security.
CSA Lviv Chapter
We promote the secure adoption of cloud computing.
Benefits
Learn – Professional Education
• Latest cloud security technology, trends, and solutions
• Industry challenges and work with experts on resolutions
• Stay on top of emerging technologies and their impact on your business
• Build and maintain strong job skills
• Attend CCSK certification and CCM chapter workshops
• Share common challenges and best practices in cloud security with local practitioners and industry experts
• Learn about solutions in the marketplace directly from the providers
• Apply newly learned expertise to your own workplace
Grow a Network
• Create a local community of experts that you can interact with routinely to solve challenges
• Access a large market of skilled security experts across industries
• Grow your career and business opportunities
Increase Influence & Visibility
• Help solve a security issue impacting your organization
• Lead your field through direct support of local research initiatives: gather, analyze, and publish data, trends and research about the field
• Influence security roadmaps
• Contribute to your field
• Educate the market on cloud adoption and security
• Share expertise with others
• Manage cloud security risks vs the tradeoff against company goals / lost business opportunity
• Opportunity for chapter leadership
CSA Lviv Chapter Plans For 2018
● Regular meetups (every 2-3 months) to build the community around the cloud security topic – call for papers / speakers
● Encourage professionals from related fields to participate and contribute (Big Data, Data Science, Healthcare, DevOps, Legal)
● Partnership and relationships with other professional communities, CSPs, universities
● Events – IT Arena full-day security stream
● CSA Lviv Chapter board – call for volunteers (Secretary, Membership Director, Treasurer, Program Director, R&D, Partnership, Sponsorship, Marketing …)
● CCSK self-preparation group (Q2-Q3 2018) – call for participants
● Cloud security consulting – call for volunteers
● Chapter as CCSK training partner – call for volunteers
● STAR Self Assessment for Ukrainian CSPs – call for volunteers
● Workshop on the STAR program and CCM
● Lviv  Ukraine
Top Cloud Security Certifications
Certificate of Cloud Security Knowledge | Cloud Security Alliance | 345 USD
Certified Cloud Security Professional | Cloud Security Alliance and (ISC)2 | 549 USD
Certified Integrator Secure Cloud Services | EXIN | Free (with three foundational certificates as pre-requisites)
CompTIA Cloud+ | CompTIA | 294 USD
Professional Cloud Security Manager | Cloud Credential Council | 300 EUR
Certificate of Cloud Security Knowledge
● CIO.com in 2017 listed CCSK at #2 on the list of the most valuable cloud computing certifications.
● CCSK is a rare and young cert.
● Free preparation materials. 2 attempts.
● No CPE, no recertification, no annual fees or certificate maintenance, no experience requirements, no expiration date. It's vendor independent
● Provides guidance for related technologies such as DevOps, IoT, Mobile and Big Data
● CSA Security Guidance for Critical Areas of Focus in Cloud Computing
● ENISA report Cloud Computing: Benefits, Risks and Recommendations for Information Security
The Salary Survey 75, 2016
CSA Code of Conduct for GDPR
Goal
● Provide CSPs a tool to achieve EU data protection compliance and demonstrate it through certification
● Provide cloud customers with a tool to evaluate the level of CSP data protection compliance
Scope & Methodology
● Deals with the 'b2b' scenario
● Aligned to the GDPR
● Strongly based on WP29 Opinions, ENISA guidelines and ISO Standards
● Considers differences between CSP Controller and CSP Processor
Privacy Code of Conduct: Controls
Cloud Control Matrix
● First ever baseline control framework specifically designed for cloud supply chain risk management
● Provides a framework of 16 control domains
● Controls map to global regulations and security standards
● Participants: AICPA, Microsoft, McKesson, ISACA, Oracle
● Backbone of the Open Certification Framework and STAR
Security, Trust & Assurance Registry
● Launched in 2011
● Improves transparency and assurance in the cloud
● Searchable registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences
● The STAR is a publicly accessible registry that documents the security controls provided by cloud computing offerings
● Helps users to assess the security of cloud providers
● Currently 135+ Cloud Service Providers worldwide have decided to be part of the STAR Program
● That includes companies with either STAR Self Assessment (102) or STAR Certification (30) or STAR Attestation (3)
Security, Trust & Assurance Registry
Research Areas
THANK YOU
Email: csalvivchapter@gmail.com
Facebook: @csalviv
QUESTIONS?
CONTACT CHAPTER SUPPORT WITH
ANY REQUESTS, QUESTIONS,
COMMENTS OR CONCERNS
csalvivchapter@gmail.com
Next CSA Global Chapter Meetings:
14.04.2018