Practical Security Advice for the Cloud
Presented by Chirag Joshi, M.S., CISA, CISM, CRISC, MCTS
Brave New World
https://www.domo.com/learn/data-never-sleeps-5
Agenda
• Cutting through buzzwords, hype and complexities
• Cloud Computing Overview
• Security Risks
• Governance Controls
• Practical Technical Controls
What is Cloud Computing?
Source: Internet
Cloud Architecture Components
Source: NIST SP 500-292
Security Risks
Source: Internet
“If the data breach involves the loss or theft of 100,000 or more customer records, instead of an average cost of $2.37 million it could be as much as $5.32 million. Data breaches involving the theft of high value information could increase from $2.99 million to $4.16 million.”
- From “Data Breach: The Cloud Multiplier Effect” conducted by Ponemon Institute LLC, June 2014
How Risky is the Cloud?
Gartner’s position that I strongly agree with:
• Public clouds are usually a more secure starting point than in-house implementations.
• Public cloud workloads can be more secure than in-house workloads.
• SaaS applications can have security and continuity advantages.
Justification:
• No evidence indicates that cloud providers have performed less securely than end-user organizations.
• Tier 1 cloud providers have far more resources, capabilities and sophisticated controls than most end-user organizations.
• It’s all about understanding that cloud security is a shared responsibility!
How Risky Really is the Cloud?
Practical Cloud Security Risks
● Unauthorized data exposure and leakage
  • Misconfigurations, especially of AWS S3 buckets and EBS snapshots, are becoming a huge concern
● Loss of critical system availability and data
● Legal, Regulatory and Sovereignty non-compliance
● Security events monitoring and Incident Response
● Inadequate Business Continuity and Disaster Recovery planning
● Third and Fourth party security failures
● Governance and Vendor-lock-ins
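The S3 misconfiguration bullet above is the one risk on this list that an organisation can check for itself in minutes, so here is an added example (not from the presentation) of the check. A bucket becomes world-readable in one of two places: its ACL (a grant to the AllUsers or AuthenticatedUsers group) or its bucket policy (an Allow statement whose Principal is "*"). The script evaluates both from JSON in the shape returned by the S3 GetBucketAcl and GetBucketPolicy APIs; the three buckets below are constructed samples, not real ones.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public access.

Added example, not from the presentation. The inputs are constructed samples in
the shape of GetBucketAcl / GetBucketPolicy responses; a real audit would feed
audit_bucket() from those API calls for every bucket in the account.
"""
import json

# Group URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl):
    """Findings for ACL grants to the public groups (READ, WRITE, FULL_CONTROL, ...)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy_json):
    """Findings for Allow statements open to any principal; a Condition is flagged for review."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Condition"):
            findings.append(f"Policy allows {', '.join(actions)} to any principal, restricted by a Condition (review it)")
        else:
            findings.append(f"Policy allows {', '.join(actions)} to any principal with no Condition")
    return findings


def audit_bucket(acl, policy_json):
    """Combine ACL and policy findings; an empty list means nothing public was found."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed sample data (bucket names, IDs and ARNs are made up).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {
    "payroll-exports": {  # world-readable through the ACL
        "acl": {"Owner": {"ID": "owner-id"}, "Grants": [OWNER,
                {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]},
        "policy": None,
    },
    "static-website": {  # world-readable through the bucket policy
        "acl": {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::static-website/*"}]}),
    },
    "internal-backups": {  # scoped to one role: no finding
        "acl": {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
             "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::internal-backups/*"}]}),
    },
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map each bucket name to its list of findings."""
    return {name: audit_bucket(b["acl"], b["policy"]) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["no public access found"])
```

The static-website result is the intended case (a public site) and payroll-exports is the incident pattern from the table that follows; the point of running the check across every bucket is that the two look identical to S3, so only an owner-maintained list of buckets that are meant to be public can tell them apart. The account-level S3 Block Public Access setting, which overrides both ACL grants and wildcard-principal policies, is the complementary preventive control.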
Year / Relevant incidents
2014
• Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.
• News aggregator Feedly and note-taking app Evernote were knocked offline by DDoS attacks in what looked like a series of coordinated cyber-attacks. The intent was to extort money for resuming normal operations.
2015
• The US Internal Revenue Service (IRS) exposed over 700,000 sensitive records via a vulnerable API.
• BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords stolen due to a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000.
2016
• Children in Film, a medium-sized firm using cloud hosting services, had a ransomware infection affecting 4000+ important files. Recovery from backup took several days to complete.
2017
• Between 2.2 million and 4 million Dow Jones customers’ sensitive financial and personal details were exposed due to wrong privacy settings on an AWS S3 bucket.
• Data on 200 million US voters was exposed to the Internet via AWS S3 buckets and could have been used for nefarious purposes.
2018
• An unsecured Amazon S3 storage server exposed thousands of FedEx customer records, including civilian and military ID cards, resumes, bills, and more.
References listed on last slide of the presentation
Cloud Security Alliance’s Treacherous 12
Source: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
1. Data Breaches
2. Insufficient Identity, Credential and Access Mgmt
3. Account Hijacking
4. Insecure Interfaces and APIs
5. System Vulnerabilities
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious use of cloud services
11. Denial of Service
12. Shared Technology Vulnerabilities
Top 11 Cloud Security Risks - ENISA
Source: European Union Agency for Network and Information Security, Cloud Security Guide for SMEs
1. Software Security Vulnerabilities
2. Network Attacks
3. Social Engineering Attacks
4. Management GUI and API compromise
5. Device theft/loss
6. Physical Hazards
7. Overloads
8. Unexpected costs
9. Vendor lock-in
10. Administrative or legal outages
11. Foreign jurisdiction issues
Governance Controls
Cloud Security Considerations
• Understand business requirements: define use cases
• Criticality and sensitivity of information involved:
  • Data classification and corresponding security controls
  • Understand data sovereignty, privacy and records retention impact
• Governance arrangements: clarity of responsibilities, incident management, cost over-runs, BCP/DR – account for archiving to a different provider if the main organization goes out of business or vendor lock-in
• Contracts: data delivery in agreed formats, supply chain risks, right to audit, standard security clauses, data ownership, SLAs
• Adopt a risk-based and data-centric approach
ASD Certified Cloud Services List
Technical Controls
Source: Internet
1. Cloud Access Security Broker (CASB)
Popular Use Cases:
• Understanding and addressing Shadow IT
• Protecting Data uploaded to or created in the cloud
• Secure Cloud Collaboration such as external sharing
• Logging and Auditing visibility
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
CASB – Deployment and Integrations (figure, Source: Gartner)
Deployment modes: API Mode, Forward Proxy Mode, Reverse Proxy Mode
Figure labels: Unsanctioned Cloud Apps, Sanctioned Cloud Apps, Cloud APIs, Reverse Proxy, Forward Proxy, Existing SWG/FW, API Mode, Log Feed, Managed Endpoints, Unmanaged Endpoints
Policy / redirection options: Agent, PAC file, DNS, SSO
CASB functions: DLP, Encrypt, User Activity Logging, Device Mgmt, Identity, Threat Protect
CASB – Gartner Magic Quadrant Nov 2017
2. Data Loss Prevention
https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e?ui=en-US&rs=en-US&ad=US#locations
• Sensitive data discovery
• Protection against unauthorized information disclosure
DLP - Location and Scope of Control
DLP - Rules
DLP - Control in Action
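The three DLP slides above (location and scope, rules, control in action) describe a policy engine whose parts are easy to show in code, so here is an added example that is not from the presentation and not any vendor's product. It has the same shape as a DLP policy: sensitive information types (a regex plus a validation step, so that a ticket number is not mistaken for a card number), rules that fire when the match count for a type reaches a threshold within a scope (internal or external sharing), and the most severe action among the fired rules. Detector names, rule names, thresholds and the four documents are all constructed for the example.

```python
"""Minimal DLP rule engine: discover sensitive data, then apply sharing rules.

Added example, not from the presentation. Sample documents are constructed;
the card numbers are the usual publicly documented test numbers.
"""
import re
from collections import namedtuple

Detector = namedtuple("Detector", "name pattern validate")
Rule = namedtuple("Rule", "name detector min_count scope action")
SEVERITY = {"allow": 0, "audit": 1, "warn": 2, "block": 3}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_valid(m):
    """13-16 digits (spaces/hyphens allowed) that pass Luhn."""
    digits = re.sub(r"[ -]", "", m.group(0))
    return 13 <= len(digits) <= 16 and luhn_ok(digits)


def ssn_valid(m):
    """US SSN structural rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000"


DETECTORS = [
    Detector("credit_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), card_valid),
    Detector("ssn", re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), ssn_valid),
]

# Rules: (name, detector, minimum match count, scope, action). Scope "any" applies
# to every destination; "external" only to content leaving the organisation.
RULES = [
    Rule("credit_card_external", "credit_card", 1, "external", "block"),
    Rule("credit_card_bulk", "credit_card", 10, "any", "warn"),
    Rule("ssn_any", "ssn", 1, "any", "warn"),
]


def discover(text):
    """Return {detector_name: number of validated matches} for one document."""
    counts = {}
    for det in DETECTORS:
        n = sum(1 for m in det.pattern.finditer(text) if det.validate(m))
        if n:
            counts[det.name] = n
    return counts


def evaluate(text, destination, rules=RULES):
    """Apply the rules to a document; returns (action, names of rules that fired)."""
    counts = discover(text)
    fired = [r.name for r in rules
             if counts.get(r.detector, 0) >= r.min_count and r.scope in ("any", destination)]
    action = max((r.action for r in rules if r.name in fired), key=SEVERITY.get, default="allow")
    return action, fired


# Constructed sample documents: (text, destination).
DOCS = [
    ("Invoice: card 4111 1111 1111 1111 charged, thanks", "external"),          # block
    ("Internal QA: cards 4111-1111-1111-1111 and 5500 0000 0000 0004", "internal"),  # below bulk threshold
    ("Ticket #1234 5678 9012 3456 opened", "external"),                         # fails Luhn: not a card
    ("HR file: SSN 123-45-6789 for onboarding", "internal"),                    # warn
]


def run_sample():
    """Evaluate every sample document; returns a list of (action, fired_rules)."""
    return [evaluate(text, dest) for text, dest in DOCS]


if __name__ == "__main__":
    for (text, dest), result in zip(DOCS, run_sample()):
        print(f"{dest:8} {result[0]:5} {result[1]} <- {text}")
```

The validation step is what keeps the false-positive rate down: document 3 contains a 16-digit number that the regex alone would flag, and a DLP policy that blocks on it would quickly be switched off by the people it interrupts. Real products add document fingerprints, exact data matching against an HR or customer export, and per-location scoping (mailbox, SharePoint site, endpoint) on top of this structure.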
3. Information Rights Management
• Persistent protection against unauthorized information access and distribution
• Utilizes a combination of encryption, identity and authorization policies
Example of cloud based IRM utilizing Azure Rights Management
https://docs.microsoft.com/en-us/information-protection/understand-explore/how-does-it-work
IRM – Control in Action
https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection
• How do I get visibility in my cloud environments?
  • CASBs, APIs and potentially security rating tools.
• How do I secure my users?
  • Identity and Access Management (MFA, SSO), Privileged Access Management, adaptive access controls.
• How do I secure and protect my data against threats?
  • DDoS protection including network redundancy, sensitive data monitoring, DLP, encryption at rest and in transit, Information Rights Management, anti-malware scanning, content sandbox and User and Entity Behavior Analytics (UEBA).
• How do I secure my applications/actions?
  • Transport encryption, usage reporting, auditing, logging/alerting.
Practical Advice for Technical Controls
Thinking of AWS or Azure?
• Get Identity and Access Management right – make sure MFA is enabled for all root and privileged accounts!
• Ensure secure configurations for instances
• Encrypt data where practical – cloud-based Key Management Services are quite reliable
• Enable inspection and segmentation of traffic to instances
• Lots of apps in Office 365 and ever-increasing AWS functionality can turn into a scaling nightmare. Establish governance around assessing apps that’ll be released
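The first bullet (MFA on every root and privileged account) is the one item on this list with a machine-checkable answer in AWS: the IAM credential report, which `aws iam generate-credential-report` builds and `aws iam get-credential-report` returns as a base64-encoded CSV with one row per identity and a first row for the account root user. The script below is an added example, not from the presentation, that audits such a report. The CSV is a constructed sample using a subset of the report's real column names (account ID and user names are made up); the checks flag any console-enabled identity without MFA, active access keys on the root user, and console passwords unused for 90 days.

```python
"""Audit an IAM credential report for MFA and root-account hygiene.

Added example, not from the presentation. SAMPLE_REPORT is a constructed CSV in
the column format of the IAM credential report (subset of columns); a real run
would decode the report from get-credential-report and pass it in unchanged.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2016-01-10T09:00:00+00:00,not_supported,2018-05-01T12:00:00+00:00,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2017-03-02T10:00:00+00:00,true,2018-05-20T08:15:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2017-06-14T10:00:00+00:00,true,2018-01-04T17:30:00+00:00,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-09-30T10:00:00+00:00,false,N/A,false,true,false
"""

# Fixed "now" so the sample is reproducible; a real audit uses datetime.now(timezone.utc).
AUDIT_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; non-values are N/A, no_information or not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, stale_after_days=90):
    """Return a list of (user, issue) findings for the report."""
    findings = []
    stale_cutoff = now - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has console access (its password_enabled column reads not_supported).
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        keys_active = any(row[f"access_key_{i}_active"] == "true" for i in (1, 2))

        if console and not mfa:
            findings.append((user, "console access without MFA"))
        if is_root and keys_active:
            findings.append((user, "root has active access keys"))
        last_used = _parse_ts(row["password_last_used"])
        if console and not is_root and last_used is not None and last_used < stale_cutoff:
            findings.append((user, f"password unused for more than {stale_after_days} days"))
    return findings


def run_sample():
    """Audit the constructed sample report at the fixed audit time."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_NOW)


if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```

The root row is the one that matters most: an access key on the root user is exactly what turned the Code Spaces compromise in the incident table into a business-ending event, since nothing short of the account itself could revoke it. Programmatic users such as deploy-bot are not flagged for missing MFA because they have no console password; their keys should be rotated and scoped separately, which the report's `access_key_N_last_rotated` columns support.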
Identity is the New Perimeter and Humans are the New Firewalls
Gartner’s predictions:
● Strategic Planning Assumption: By 2020, 50% of enterprises will require an approved exception to put new workloads in house.
● Strategic Planning Assumption: By 2022, we will stop referring to the exceptional scenario as "cloud computing," and instead will use "local computing" to describe the less common model.
Useful Links and Resources
● https://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm
● http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome
● https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security
● https://www.asd.gov.au/infosec/irap/certified_clouds.htm
● https://cloudsecurityalliance.org/guidance/#_overview
● https://www.nist.gov/publications/nist-cloud-computing-reference-architecture?pub_id=909505
● http://go.netskope.com/rs/netskope/images/Ponemon-DataBreach-CloudMultiplierEffect-June2014.pdf
● http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access.html
References for Incidents
● https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
● https://techcrunch.com/2014/06/11/feedly-evernote-and-others-become-latest-victims-of-ddos-attacks/
● https://threatpost.com/one-year-after-hack-irs-debuts-updated-get-transcript-service/
● https://www.forbes.com/sites/thomasbrewster/2015/07/31/bitdefender-hacked/
● https://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
● https://www.theregister.co.uk/2017/07/18/dow_jones_index_of_customers_not_prices_leaks_from_aws_repo/
● https://www.symantec.com/connect/blogs/casb-rescue-story-data-exposure-aws-s3-buckets
● https://www.techrepublic.com/article/leaked-fedex-customer-data-was-stored-on-amazon-s3-server-with-no-password/