Governance and Security in Cloud and Mobile Apps
http://privateers.in/9f

Michael Scheidell, CISO
Security Priva(eers™
Bring Your Own Policy

Michael Scheidell, CISO
Security Priva(eers
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com

• Corporate InfoSec Consultant
• Certified CISO
• Senior Member, IEEE
• Founded Three South Florida Tech Companies
• Privacy Expert
• Member ISSA, IAPP, ISACA, IEEE, FBI InfraGard, PMI, SFTA, CSA
• Patents in Network Security
• Finalist EE Times ACE Innovator of the year

© 2013 All Rights Reserved

AGENDA

• Common Risks: Desktop, Server, Cloud, Mobile
• Platform Specific Issues: Android, iPhone
• Governance: Privacy, beyond regulations
• Partly Cloudy with a chance of all hail: Any Device, Anywhere
• Select Cloud Types: Shared, Private, Hybrid
• Services to Protect: Authentication, Storage, Processing

Spacely Sprockets
We make our Clients go NUTS(tm)
[Business value-chain diagram: supply chain (stocks allocated close to customer, short delivery time); customer support (on line help, service consultants, call center); sales & marketing (free upgrade, new features, nice design, better products, viral marketing / users tip each other, attract the best sales people); sustainable (think green in the whole value chain, be CO2 neutral); price (cheap? luxury? average?); build relationships (on line, on air, on TV, print)]
We are NUTS(tm)
[Scrum process diagram: Preparation (business case & funding, contractual agreement, vision, initial product backlog, initial release plan, stakeholder buy-in, assemble team) -> sprint planning meeting -> daily cycle (daily scrum, daily work) -> sprint review and sprint retrospective -> product increment -> release; update product backlog]

Product Management
• Security / Privacy
• Compliance
• Legal

QA -> Production
• Beta Test
• Web App Test
• Source Code Review
OWASP Top 10 Vulnerabilities - 2013
Open Web Application Security Project (OWASP)

Common Vulnerabilities: Web, Mobile, Cloud
1. SQL Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities (dependencies?)
10. Unvalidated Redirects and Forwards
Portions © OWASP: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

New Platform, Old Mistakes
Keep doing the same thing hoping for different results

Found in web, cloud and mobile
• SQL Injection
• Lack of Encryption
– Data at Rest, Data in Motion
• Least Access Privilege
– Authentication
– Permissions

New Platform, Old Mistakes
Keep doing the same thing hoping for different results

Web, Cloud, Mobile Mistakes
• Data Storage
– DB (SQL[ite]) or flat files?
– Encrypt or not?
– Least Access Privilege
• Source Files
– Java
– Configuration Files

New Problems
You didn’t learn this at FIU or Nova

1. Android Application Permissions
Each application lists the APIs (permissions) it wants to use, for example:
• “camera” (scan, flashlight)
• Fine Location (GPS), requested by a flashlight app!
Use an Android ‘Intent’ instead (if you want to take a picture), so the app never needs the camera permission itself.

2. Rooted / Jailbroken Phones
Application permissions mean nothing: anything running as root has full read/write access and can read stored passwords.

3. Platform or User Backups
Google backup uses reversible encryption and backs up your Wifi and application data. Dropbox uses reversible encryption.
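As an added illustration of the “use an Intent instead” advice above (this is example code, not from the presentation; the Activity class, request code and handlePhoto helper are hypothetical), an app that obtains a photo by delegating capture to the system camera app, so its own manifest declares no CAMERA permission:

```java
// Manifest contrast (constructed): an over-permissioned "flashlight" app declares
//   <uses-permission android:name="android.permission.CAMERA" />
//   <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
// The Activity below declares neither; the system camera app holds the privilege
// and only the resulting image crosses the trust boundary into this app.
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.graphics.Bitmap;
import android.os.Bundle;
import android.provider.MediaStore;
import android.widget.Toast;

public class LeastPrivilegeCaptureActivity extends Activity {
    // Hypothetical request code used to match the camera app's reply.
    private static final int REQUEST_IMAGE_CAPTURE = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        dispatchTakePictureIntent();
    }

    // Ask whatever camera app the user has installed to take the picture.
    private void dispatchTakePictureIntent() {
        Intent takePicture = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        try {
            startActivityForResult(takePicture, REQUEST_IMAGE_CAPTURE);
        } catch (ActivityNotFoundException e) {
            // No camera app can handle the request; degrade gracefully instead of
            // falling back to requesting the CAMERA permission ourselves.
            Toast.makeText(this, "No camera app available", Toast.LENGTH_SHORT).show();
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_IMAGE_CAPTURE || resultCode != RESULT_OK || data == null) {
            return; // user cancelled, or an unrelated result
        }
        // Without EXTRA_OUTPUT the camera app returns a small thumbnail under "data".
        Bundle extras = data.getExtras();
        Bitmap thumbnail = extras == null ? null : (Bitmap) extras.get("data");
        if (thumbnail != null) {
            handlePhoto(thumbnail);
        }
    }

    // Hypothetical application-specific processing (scan a code, attach to a record).
    private void handlePhoto(Bitmap photo) {
        // ...
    }
}
```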

New Problems
You didn’t learn this at FIU or Nova

4. Encrypt Data in Motion
17% of applications that use SSL are flawed and susceptible to man-in-the-middle (MITM) attacks.
AMX, Diners Club, Paypal, Twitter, Google, Yahoo, Microsoft Live ID
• Use MalloDroid to check implementations

5. Source Code Review
• Design in security
• Whitelisting vs blacklisting
• Automated code review (CheckMarx.com)

6. Privacy Statements
Write a privacy statement, approved by Legal, endorsed by Management. Follow it!
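As an added illustration of the flawed SSL implementations point 4 refers to (example code, not from the presentation; class and method names are hypothetical), the trust-everything pattern that a MalloDroid scan or the source code review in point 5 should flag, beside the default-validating form that should replace it:

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsClientReview {

    // ANTI-PATTERN: the kind of code MalloDroid and a source code review should flag.
    // A trust manager that accepts every certificate chain, combined with a hostname
    // verifier that accepts every name, lets an active attacker on the network present
    // any certificate at all, so the "S" in HTTPS protects nothing.
    static HttpsURLConnection openFlawed(URL url) throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // CORRECT: keep the platform defaults. HttpsURLConnection already validates the
    // certificate chain against the system trust store and checks that the certificate
    // matches the host name; neither needs to be replaced, only left alone.
    static HttpsURLConnection openValidated(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing cleartext URL: " + url);
        }
        return (HttpsURLConnection) url.openConnection();
    }

    // Review checklist for the "Source Code Review" step; each hit is a finding,
    // including ones commented as "only for testing":
    //   - checkServerTrusted with an empty body or one that never throws
    //   - HostnameVerifier.verify that always returns true
    //   - ALLOW_ALL_HOSTNAME_VERIFIER from the bundled Apache HttpClient
}
```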

Compliance / Regulations
HIPAA/HITECH/GLBA/SOX/FISMA/FFIEC/FERPA/NIST/ABC/123

Build in Compliance, Written Policies
1. Information Sensitivity Policy
2. Password Policy
3. Remote Access Policy
4. Software Development Policy
5. Licensing: GPL, aGPL, LGPL

It’s getting Cloudy now

• SaaS (Applications)
– Office365
– Salesforce
– Google
– Microsoft Azure instances
• PaaS (Windows/LAMP)
– Amazon EC2
– Azure Platforms
• IaaS (Firewalls, Networks, Storage)
– Amazon
– Azure

What is the Cloud?
The cloud is many things to many people. There is no cloud. Someone else’s mainframe and NAS.

Where is the Cloud?
Where is your Data Stored? Where is your Processing Done? Where is the Data Flow?
Private, Public, Hybrid
It’s getting Cloudy now

• Public Cloud: SaaS
– Non regulated Data
– Standardized application
– Lots of users
– Incremental capacity
– PaaS: Software development
• Private Cloud: PaaS
– Regulated Data
– Strict Security and Control
– Large Company
– Non Standard/Custom Applications
• Hybrid Clouds: SaaS+PaaS
– PaaS for storage
– VPN to SaaS
It’s getting Cloudy now

Why is the Cloud? What will you use the Cloud for?
• Any Device, Anywhere
• Storage
• Authentication Services
• Platform rollout
• Geographic Redundancy
• Development and Test
• Disaster Recovery
• Web and Mobile Apps
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
Cloud Security Alliance

Risk Analysis
• Identify the Asset
– Data
– Applications
– Functions
– Processes
• Evaluate the Asset Liability
– Asset became widely public
– Cloud Provider Accessed Asset
– Process manipulated by outsider
– Function provided wrong results
– Data changed
– Denial of Service

Compliance and Governance
We can keep you out of jail cheaper than break you out of jail

Governing in the Cloud
1. Enterprise Risk Management
2. Legal Issues: Contracts and E-Discovery
3. Compliance and Audit Management
4. Information Management and Data Security
5. Interoperability and Portability

Compliance and Governance
We can keep you out of jail cheaper than break you out of jail

Operating in the Cloud
1. Traditional IS, BCP, DR
2. Application Security
3. Encryption and Key Management
4. Identity and Access Management
5. Security as a Service

New Platform, Old Mistakes
Keep doing the same thing hoping for different results

• Join ISSA http://www.sfissa.org/
• Join CSA https://cloudsecurityalliance.org/
• Join Infragard https://www.infragard.org/
• Join OWASP https://www.owasp.org
• Code Review http://checkmarx.com
• Training / Conferences / Presentations

Governance and Security in Cloud and Mobile Applications
Where to get Help

Security Priva(eers
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Call to set up an appointment for initial review

Policy Gap Analysis
Review current policies, compare against best practices and current government regulations.

• OWASP Training
• Web App Assessment
• SDLC Review
• Cloud Security Consulting
• Mobile Application testing
