Today, in the Information Security survey course I teach at the University of Wisconsin-Madison, the lecture topics were Cloud Computing Security and Bring Your Own Device (BYOD) Security. Both of these topics are areas in which organizations continue to struggle, relative to identifying appropriate security controls. It is challenging to teach a class in which many of the students do not have an Information Technology background. My goal is to assist them in seeing the big issues that they will face as managers, rather than focus on granular technical details. This presentation is intended to provide a survey view of the background and challenges faced in these two areas.
Cloud Security and Bring Your Own Device (BYOD) Security
1. Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSP
Lecture 11, Cloud Security and BYOD Security
2. Today’s Chocolate Bar
100 Grand
100 Grand Bar (formerly known as $100,000 Bar, spoken as "hundred thousand dollar bar" until the mid 1980s) is a candy bar produced by Nestlé in the United States. The candy bar was created in 1966, and named after a series of successful game shows. It weighs 1.5 ounces (42 grams) and includes chocolate, caramel and crisped rice. The bar contains 190 calories; it is low in cholesterol and sodium, but high in saturated fat and sugar. Its slogan is "That's Rich!"
The mini 100 Grand bars we are eating today in class are 93 calories each!
11/03/16 UNIVERSITY OF WISCONSIN 2
3. Today’s Agenda
• Exam 2, proposed date, November 17, instead of Thanksgiving week.
• Turkey, stuffing, mashed potatoes and pie are more important than an exam!
• However, you may make alternate arrangements if November 17th does not fit well with your schedule. See me after class
• Cloud Security
• BYOD Security
• Written assignment #4 is assigned
• Distribution of list for team project work
4. Why are We Covering Cloud and BYOD Together?
Let’s Discuss the Technical Specifics of What Could Have Happened
5. In My Opinion
• Probably NOT Huma’s primary work computer, but rather, an un-inventoried BYOD, long forgotten about
• Shared OS user account, Huma and Anthony
• Perhaps without password on the OS
• Full email client probably auto-launched in background upon OS login, with cached (memorized) password
6. In My Opinion (Educated Guess)
7. Meanwhile, on Primary Computer, No Sign of Duplicate Remote Email Client Login
8. The Cloud
Cloud computing describes a type of outsourcing of computer services, similar to the way in which electricity supply is outsourced. Users can simply use it. They do not need to worry where the computing resource is from, how it is made, or how it is transported.
A subscription-based service
9. Cloud Security
Cloud Security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
10. Cloud Service Models
Software as a Service
Platform as a Service
Infrastructure as a Service
11. Three Models of Cloud Computing: SaaS
• Software as a Service
• “Consume”
• Web browser provides point of access
• Software management is moved to a third party
• Examples: Salesforce and Google Apps
12. Three Models of Cloud Computing: PaaS
• Platform as a Service
• “Host”
• Hardware is managed externally
• Operating System is managed externally
• Network is managed externally
• The customer builds, installs and manages their specific applications
• Examples: Google App Engine, and Red Hat’s OpenShift
13. Three Models of Cloud Computing: IaaS
• Infrastructure as a Service
• “Build”
• Cloud servers and associated resources are made available
• Customer controls architecture
• Customer controls OS
• Customer controls software applications
• Examples: Navisite and Exoscale
15. Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.
16. Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use.
Technically there may be little or no difference between public and private cloud architecture; however, the security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider.
17. Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources.
18. Provider vs Customer Security Concerns
• Provider must make sure that proper security controls are in place and that their services are being correctly represented. For example, HIPAA compliant from a physical security perspective
• Customer must verify controls are up to standards and ensure that the portions for which they have control are securely managed. For example, how they issue login credentials to systems
19. Suggested Controls For Cloud Security
• Gartner breaks it down into seven areas
• The Cloud Security Alliance has fourteen
• Nicholas Davis has 10 areas
“The nice thing about standards is that there are so many to choose from” (Note the contradiction)
What really matters is that you take a comprehensive approach, no matter how you break it down into varying categories. Take nothing for granted!
20. Cloud Physical Security
1. The location where the hardware and software reside must not be publicly accessible
2. The location where the hardware and software reside must be access controlled in such a manner that all entry and exit attempts, successful or unsuccessful, are logged and auditable
3. The procedure for third party access to the physical facility must be documented and agreed to by the customer
21. Cloud Physical Security
4. All visitors to the secured area where the hardware and software reside must be accompanied by an authorized escort, agreed to by the customer
5. All people accessing the secured area where the hardware and software reside must have and display ID badges at all times
6. The secured area must be monitored and recorded by video camera at all times
22. Employee and Computing Environment Reliability and Integrity
1. The cloud service provider must perform a criminal, work history, education history and credit history background check on all of its employees and produce the results for inspection by the customer
2. The cloud service provider should be able to produce a recent SSAE 16 SOC II report of its facility, for inspection by the customer
23. Employee and Computing Environment Reliability and Integrity
3. The cloud service provider must be able to produce a copy of its latest vulnerability assessment and a list of security risks and gaps which have been addressed as a result of the vulnerability assessment
24. Cloud Data Persistence
1. List all locations where the customer’s data will reside (City, State, Country)
2. Reference any legislation the company adheres to in terms of data transmission across organizational and geographic borders
3. Describe both the on-site and off-site data backups of customer data the company performs
25. Cloud Data Persistence
4. Does a subcontractor store data off-site? If so, please describe.
5. Is the customer’s data encrypted in storage and backup? If so, please describe
6. Describe how the company controls access to backup storage and media
26. Cloud Business Continuity
1. Describe the company’s continuity plan for addressing critical service failures, such as power, heating, cooling, etc.
2. Describe the company’s continuity plan for addressing natural disasters such as fire, tornadoes, flooding, etc.
3. Describe the company’s response plan for information technology or human related security breaches of the facility
27. Cloud Network Monitoring
1. Does the cloud provider log network traffic, file and server access?
2. All log files must be made available to the customer, upon demand
28. Cloud Network Monitoring
3. Logs must record who accessed the system, by what means, and what data, if any, was accessed or changed
4. Security event logs should be captured for all systems which are, or which may potentially be, used for accessing and/or managing customer data
29. Data Encryption and Entity Authentication
1. Describe the specifics of how customer data is encrypted at rest as well as in transit
2. Describe the authentication technologies used to control administrative access to all systems which may have access to customer
30. Cloud Multi Tenancy
1. Is the cloud infrastructure of the service being considered by the customer multi-tenant, or is it dedicated only to the customer’s system? Please describe the controls in place to protect customer data, if the environment is multi-tenant
2. Is the cloud service segmented using virtual machines? If so, please describe the architecture
31. Cloud Service Uptime
1. What is the specified service uptime and availability of the cloud solution being considered by the customer?
2. Does the cloud service have a fail over site? If so, describe its performance specifications/differences in comparison to the primary site
33. Cloud Service Uptime
3. Are the security controls in place at the fail over site different in any way from the security controls in place at the primary site? If so, please describe
4. Does the cloud service provider provide an “active-active” consistent configuration between the primary and fail over site?
34. Policy Consistency Across Organizations
1. Will the cloud service provider adhere to applicable information security policies and procedures of the customer?
2. Are there any customer IT security policies which the cloud provider cannot adhere to? If so, please describe
35. Cloud Service Level Agreement
Please provide a copy of the cloud service provider’s proposed Service Level Agreement (SLA) with the customer
36. Bring Your Own Device
BYOD (bring your own device) is the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also take their own tablets, laptops and USB drives into the workplace.
37. BYOD Security, Flexibility, Security, Violations
• Although the ability to allow staff to work at any time, from anywhere and on any device provides real business benefits, it also brings significant risks.
• To ensure information does not end up in the wrong hands, it’s imperative for companies to put security measures in place.
• According to an IDG survey, more than half of 1,600 senior IT security and technology purchase decision-makers reported serious violations of personal mobile device use.
38. End Node Problem
• BYOD security relates strongly to the end node problem, wherein a device is used to access both sensitive and risky networks/services
• Risk-averse organizations issue devices specifically for Internet use (this is termed Inverse-BYOD)
39. Lost Devices, Sold Devices, Memorized Passwords
• BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses that phone or sells that phone, untrusted parties could retrieve any unsecured data on the phone.
• Another type of security breach occurs when an employee leaves the company: they do not have to give back the device, so company applications and other data may still be present on it
• If passwords are cached (remembered) by the phone, anyone who has access to the device can now access the password protected resources
40. Notable Statistics of Concern
41. Personal Privacy: Drawing the Line
IT Security departments that wish to monitor usage of personal devices must ensure that they only monitor work related activities or activities that access company data or information
42. Malware Infections
Organizations who wish to adopt a BYOD policy must also consider how they will ensure that the devices which connect to the organization’s network infrastructure to access sensitive information will be protected from malware.
43. Patching Many Different Models of BYODs
A BYOD policy must be backed by the systems and processes needed to apply patches for known vulnerabilities to the many different devices that users may choose to use.
44. Mobile Device Management Solutions
Several market solutions and policies have emerged to address BYOD security concerns, including mobile device management (MDM), containerization and app virtualization
• Containerization
• Virtualization
45. MDM May Result in Privacy and Usability Concerns
While MDM provides organizations with the ability to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that lead to resistance in some organizations
46. Phone Number Ownership
A key issue of BYOD which is often overlooked is BYOD's phone number problem, which raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises
47. Lack of BYOD Policy
• Research reveals that only 20% of employees have signed a BYOD policy
• Why not have them agree online, in order to gain network access? Offer them a carrot (network access) to agree.
• Businesses need to get out of the idea of using legacy paper forms for such things
48. BYOD Inventory
Firms need an efficient inventory management system that keeps track of which devices employees are using, where the device is located, whether it is being used, and what software it is equipped with
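An inventory is only useful if it is checked against what the servers actually see. The following Python is an added example (not from the lecture) that reconciles constructed mail-service login records against a constructed device inventory, flagging successful logins from devices the organization does not know about and users whose mail is being fetched from more than one device. This is the server-side view that would surface a forgotten, un-inventoried device with a cached mail password, which the primary computer itself shows no sign of; the log format, user names and device IDs are all constructed for illustration.

```python
"""Reconcile mail-service logins against a device inventory (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: user -> set of device IDs the organization knows about.
INVENTORY = {
    "alice": {"LT-0417"},
    "bob": {"LT-0221", "PH-0990"},
}

# Constructed mail-service login records, one per line:
# <ISO timestamp> <user> <device_id> <client> <result>
SAMPLE_LOG = """\
2016-11-03T08:01:12 alice LT-0417 outlook success
2016-11-03T08:03:40 alice LT-0188 thunderbird success
2016-11-03T08:05:09 bob PH-0990 ios-mail success
2016-11-03T21:17:55 alice LT-0188 thunderbird success
2016-11-03T21:18:02 bob PH-0313 android-mail failure
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, client, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "client": client, "result": result})
    return events


def uninventoried_logins(events, inventory):
    """Successful logins from a device the inventory does not list for that user."""
    return [e for e in events
            if e["result"] == "success"
            and e["device"] not in inventory.get(e["user"], set())]


def users_with_multiple_devices(events):
    """Users whose mail is successfully fetched from more than one device.
    Seen from the server, a second client on a forgotten BYOD looks like this."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["user"]].add(e["device"])
    return {user: sorted(devs) for user, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in uninventoried_logins(evts, INVENTORY):
        print(f"UNINVENTORIED {e['ts'].isoformat()} {e['user']} {e['device']} {e['client']}")
    for user, devs in users_with_multiple_devices(evts).items():
        print(f"MULTI-DEVICE {user}: {', '.join(devs)}")
```

Failed logins are deliberately excluded from both checks, so a single mistyped password from an unknown device does not raise the same alert as a working cached credential on one.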
49. Make Sure the Employees Know
If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation
50. Scalability and Capability of Corporate Networks
Many organizations today lack the network infrastructure needed to handle the large volume of traffic generated when employees start using different devices at the same time
51. Two Scenarios For the Future
Personally Owned, Company Enabled (POCE)
Corporate Owned, Personally Enabled (COPE)
52. Personally Owned, Company Enabled (POCE)
The company will maintain management control and authorize the use of personally owned devices, and shall develop guidelines to define which employees can use their own devices, the types of devices they can use, and which applications and data they can access, process, or store.
53. Corporate Owned, Personally Enabled (COPE)
As part of enterprise mobility, an alternative approach is corporate owned, personally enabled devices (COPE). With this policy the company purchases the devices to provide to their employees; the functionality of a private device is enabled to allow personal usage.
54. Summary
• Both Cloud and BYOD are relatively new to organizations
• Both Cloud and BYOD blur the lines of where an organization’s control over data resides
• Both Cloud and BYOD extend the information assets beyond historic organizational geographic boundaries
• Both Cloud and BYOD are security concerns, in an attempt to maintain Confidentiality, Integrity and Availability