Cloud Security and Bring Your Own Device (BYOD) Security

Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSP
Lecture 11, Cloud Security and BYOD Security

Today’s Chocolate BarToday’s Chocolate Bar
100 Grand100 Grand
100 Grand Bar (formerly known as $100,000 Bar spoken as "hundred
thousand dollar bar" until the mid 1980s) is a candy bar produced by
Nestlé in the United States. The candy bar was created in 1966, and
named after a series of successful game shows. It weighs 1.5 ounces (42
grams) and includes chocolate, caramel and crisped rice. The bar
contains 190 calories; it is low in cholesterol and sodium, but high in
saturated fat and sugar. Its slogan is "That's Rich!“
The mini 100 Grand bars we are eating today in class, are 93 calories
each!
11/03/16 UNIVERSITY OF WISCONSIN 2

Today’s AgendaToday’s Agenda
• Exam 2, proposed date, November 17, instead
of Thanksgiving week.
• Turkey, stuffing, mashed potatoes and pie are
more important than an exam!
• However, you may make alternate
arrangements if November 17th
does not fit
well with your schedule. See me after class
• Cloud Security
• BYOD Security
• Written assignment #4 is assigned
• Distribution of list for team project work

Why are We Covering CloudWhy are We Covering Cloud
and BYOD Together?and BYOD Together?
Let’s Discuss the Technical SpecificsLet’s Discuss the Technical Specifics
of What Could Have Happenedof What Could Have Happened

In My OpinionIn My Opinion
• Probably NOT Huma’s primary computer
work computer, but rather, an un-inventoried
BYOD, long forgotten about
• Shared OS user account, Huma and Anthony
• Perhaps without password on the OS
• Full email client probably auto-launched in
background upon OS login, with cached
(memorized) password

In My OpinionIn My Opinion
(Educated Guess)(Educated Guess)

Meanwhile, on PrimaryMeanwhile, on Primary
Computer, No Sign of DuplicateComputer, No Sign of Duplicate
Remote Email Client LoginRemote Email Client Login

The CloudThe Cloud
Cloud computing describes a type of
outsourcing of computer services, similar to
the way in which electricity supply is
outsourced. Users can simply use it. They
do not need to worry where the computing
resource is from, how it is made, or
transported.
A subscription based service

Cloud SecurityCloud Security
Cloud Security refers to a
broad set of policies,
technologies, and
controls deployed to
protect data,
applications, and the
associated infrastructure
of cloud computing.

Cloud Service ModelsCloud Service Models
Software as a Service
Platform as a Service
Infrastructure as a Service

Three ModelsThree Models
of Cloud Computing SaaSof Cloud Computing SaaS
• Software as a Service
• “Consume”
• Web browser provides point of
access
• Software management is moved
to a third party
• Examples: Salesforce and Google
Apps

of Cloud Computing PaaSof Cloud Computing PaaS
• Platform as a Service
• “Host”
• Hardware is managed externally
• Operating System is managed externally
• Network is managed externally
• The customer builds, installs and manages
their specific applications
• Examples: Google App Engine, and Red
Hat’s OpenShift

of Cloud Computing IaaSof Cloud Computing IaaS
• Infrastructure as a Service
• “Build”
• Cloud servers and associated resources are
made available
• Customer controls architecture
• Customer controls OS
• Customer controls software applications
• Examples: Navisite and Exoscale

Cloud Deployment ModelsCloud Deployment Models
Private
Public
Hybrid

Private CloudPrivate Cloud
Private cloud is cloud
infrastructure operated
solely for a single
organization, whether
managed internally or by a
third-party, and hosted
either internally or
externally

Public CloudPublic Cloud
A cloud is called a "public cloud" when the
services are rendered over a network that is
open for public use.
Technically there may be little or no
difference between public and private cloud
architecture, however, security
consideration may be substantially different
for services (applications, storage, and
other resources) that are made available by
a service provider

Hybrid CloudHybrid Cloud
Hybrid cloud is a composition of two or
more clouds (private, community or
public) that remain distinct entities but are
bound together, offering the benefits of
multiple deployment models. Hybrid cloud
can also mean the ability to connect
collocation, managed and/or dedicated
services with cloud resources.

Provider vs CustomerProvider vs Customer
Security ConcernsSecurity Concerns
• Provider must make sure that proper
security controls are in place and that their
services are being correctly represented.
For example, HIPAA compliant from a
physical security perspective
• Customer must verify controls are up to
standards and ensure that portions for
which they have control, are securely
managed. For example, how they issue
login credentials to systems

Suggested ControlsSuggested Controls
For Cloud SecurityFor Cloud Security
• Gartner breaks it down into seven areas
• The Cloud Security Alliance has fourteen
• Nicholas Davis has 10 areas
“The nice thing about standards is that there are so
many to choose from” (Note the contradiction)
What really matters is that you take a
comprehensive approach, no matter how you
break it down into varying categories. Take
nothing for granted!

CloudCloud
Physical SecurityPhysical Security
1. The location where the hardware and software
resides must not be publicly accessible
2. The location where the hardware and software
reside must be access controlled in such a manner as
to make all entry and exits attempts, successful or
unsuccessful, logged and auditable
3. The procedure for third party access to the
physical facility must be documented and agreed to
by the customer

CloudCloud
Physical SecurityPhysical Security
4. All visitors to the secured area where the
hardware and software reside must be accompanied
by an authorized escort, agreed to by the customer
5. All people accessing the secured area where the
hardware and software reside, must have and
display ID badges at all times
6. The secured area must be monitored and
recorded by video camera at all times

Employee and Computing
Environment Reliability and
Integrity
1. The cloud service provider must perform a
criminal, work history, education history and
credit history background check on all of its
employees and produce the results for
inspection by the customer
2. The cloud service provider should be able
to produce a recent SSAE 16 SOC II report of
its facility, for inspection by the customer

Employee and Computing
Environment Reliability and
Integrity
3. The cloud service provider must be
able to produce a copy of its latest
vulnerability assessment and a list of
security risks and gaps which have
been addressed as a of the vulnerability
assessment

Cloud Data PersistenceCloud Data Persistence
1. List all locations where the customer’s
data will reside (City, State, Country)
2. Reference any legislation the company
adheres to in terms of data transmission
across organizational and geographic borders
3. Describe both the on-site and off-site data
backups of customer data the company
performs

Cloud Data PersistenceCloud Data Persistence
4. Does a subcontractor store data off-site? If
so, please describe.
5. Is the customer’s data encrypted in storage
and backup? If so, please describe
6. Describe how the company controls access
to backup storage and media

CloudCloud
Business ContinuityBusiness Continuity
1. Describe the company’s continuity plan
for addressing critical service failures, such
as power, heating, cooling, etc.
2. Describe the company’s continuity plan
for addressing natural disasters such as fire,
tornadoes, flooding, etc.
3. Describe the company’s response plan for
information technology or human related
security breaches of the facility

Cloud Network MonitoringCloud Network Monitoring
1. Does the cloud provider log network
traffic, file and server access?
2. All log files must be made available to the
customer, upon demand

Cloud Network MonitoringCloud Network Monitoring
3. Logs must record who accessed the
system, by what means, and what if any data
was accessed or changed
4. Security event logs should be captured for
all systems which are or which may
potentially be used for accessing and/or
managing customer data

Data Encryption and EntityData Encryption and Entity
AuthenticationAuthentication
1. Describe the specifics of how customer
data is encrypted at rest as well as in transit
2. Describe the authentication technologies
used to control administrative access to all
systems which may have access to customer

CloudCloud
Multi TenancyMulti Tenancy
1. Is the cloud infrastructure of the service
being considered by the customer multi-
tenant or is it dedicated only to the
customer’s system? Please describe the
controls in place to protect customer data, if
the environment is multi-tenant
2. Is the cloud service segmented using
virtual machines? If so, please describe the
architecture

CloudCloud
Service UptimeService Uptime
1. What is the specified service uptime and
availability of the cloud solution being
considered by the customer?
2. Does the cloud service have a fail over
site? If so, describe its performance
specifications/differences in comparison to
the primary site

CloudCloud
1. What is the specified service
uptime and availability of the cloud
solution being considered by the
customer?
2. Does the cloud service have a fail
over site? If so, describe its
performance
specifications/differences in
comparison to the primary site

CloudCloud
3. Are the security controls in
place at the fail over site different
in any way from the security
controls in place at the primary
site? If so, please describe
4. Does the cloud service provider
provide an “active-active”
consistent configuration between
the primary and fail over site?

Policy ConsistencyPolicy Consistency
Across OrganizationsAcross Organizations
1. Will the cloud service provider adhere to
applicable information security policies and
procedures of the customer?
2. Are there any customer IT security policies
which the cloud provider cannot adhere to? If
so, please describe

CloudCloud
Service Level AgreementService Level Agreement
Please provide a copy of the cloud service
provider’s proposed Service Level
Agreement (SLA) with the customer

Bring Your Own DeviceBring Your Own Device
BYOD (bring your own device) is the
increasing trend toward employee-owned
devices within a business. Smartphones are
the most common example but employees
also take their own tablets, laptops and USB
drives into the workplace.

BYOD Security, Flexibility,BYOD Security, Flexibility,
Security, ViolationsSecurity, Violations
• Although the ability to allow staff to work at any
time from anywhere and on any device provides
real business benefits; it also brings significant
risks.
• To ensure information does not end up in the
wrong hands, it’s imperative for companies to
put security measures in place.
• According to an IDG survey, more than half of
1,600 senior IT security and technology
purchase decision-makers reported serious
violations of personal mobile device use.

End Node ProblemEnd Node Problem
• BYOD security relates strongly to the end
node problem, wherein a device is used to
access both sensitive and risky
networks/services
• Risk-averse organizations issue devices
specifically for Internet use (this is
termed Inverse-BYOD)

Lost Devices, Sold DevicesLost Devices, Sold Devices
Memorized PasswordsMemorized Passwords
• BYOD has resulted in data breaches. For example, if an
employee uses a smartphone to access the company
network and then loses that phone or sells that phone,
untrusted parties could retrieve any unsecured data on
the phone.
• Another type of security breach occurs when an employee
leaves the company, they do not have to give back the
device, so company applications and other data may still
be present on their device
• If passwords are cached (remembered) by the phone,
anyone who has access to the device can now access the
password protected resources

Notable Statistics of ConcernNotable Statistics of Concern

Personal PrivacyPersonal Privacy
Drawing the LineDrawing the Line
IT Security departments that
wish to monitor usage of
personal devices must
ensure that they only
monitor work related
activities or activities that
accesses company data or
information

Malware InfectionsMalware Infections
Organizations who wish to adopt a BYOD
policy must also consider how they will
ensure that the devices which connect to the
organization’s network infrastructure to
access sensitive information will be protected
from malware.

Patching Many DifferentPatching Many Different
Models of BYODsModels of BYODs
BYOD policy must be prepared
to have the necessary systems
and processes in place that will
apply the patches to protect
systems against the known
vulnerabilities to the various
devices that users may choose to
use.

Mobile Device ManagementMobile Device Management
SolutionsSolutions
Several market and policies have emerged
to address BYOD security concerns,
including mobile device management
(MDM), containerization and app
virtualization
•Containerization
•Virtualization

MDM May Result in PrivacyMDM May Result in Privacy
and Usability Concernsand Usability Concerns
While MDM provides organizations with
the ability to control applications and
content on the device, research has revealed
controversy related to employee privacy
and usability issues that lead to resistance
in some organizations

Phone NumberPhone Number
OwnershipOwnership
A key issue of BYOD which is often
overlooked is BYOD's phone number
problem, which raises the question of the
ownership of the phone number. The issue
becomes apparent when employees in sales
or other customer-facing roles leave the
company and take their phone number with
them. Customers calling the number will
then potentially be calling competitors
which can lead to loss of business for BYOD
enterprises

Lack of BYOD PolicyLack of BYOD Policy
• Research reveals that only 20% of
employees have signed a BYOD policy
• Why not have them agree online, in order
to gain network access? Offer them a
carrot (network access) to agree.
• Businesses need to get out of the idea of
using legacy paper forms for such things

BYOD InventoryBYOD Inventory
Firms need an efficient inventory
management system that keeps track of
which devices employees are using, where
the device is located, whether it is being
used, and what software it is equipped with

Make Sure the Employees KnowMake Sure the Employees Know
If sensitive, classified, or criminal data lands
on a U.S. government employee's device, the
device is subject to confiscation

Scalability and CapabilityScalability and Capability
of Corporate Networksof Corporate Networks
Many organizations today lack proper network
infrastructure to handle the large traffic which will
be generated when employees will start using
different devices at the same time

Two Scenarios For the FutureTwo Scenarios For the Future
Personally Owned, Company
Enabled (POCE)
Corporate Owned, Personally
Enabled (COPE)

Personally Owned, Company
Enabled (POCE)
The company will maintain management
control and authorize the use of personally
owned devices and shall develop guidelines
to define which employees can use their
own devices, the types of devices they can
use, and which applications and data they
can access, process, or store.

Corporate Owned, PersonallyCorporate Owned, Personally
Enabled (COPE)Enabled (COPE)
As part of enterprise mobility, an alternative
approach are corporate owned, personally
enabled devices (COPE). With this policy the
company purchases the devices to provide to
their employees; the functionality of a
private device is enabled to allow personal
usage.

SummarySummary
• Both Cloud and BYOD are relatively new to
organizations
• Both Cloud and BYOD blur the lines of where an
organization’s control over data resides
• Both Cloud and BYOD extend the information
assets beyond historic organizational geographic
boundaries
• Both Cloud and BYOD are security concerns, in
an attempt to maintain Confidentiality, Integrity
and Availability

Cloud Security and Bring Your Own Device (BYOD) Security

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Similar to Cloud Security and Bring Your Own Device (BYOD) Security

Similar to Cloud Security and Bring Your Own Device (BYOD) Security (20)

More from Nicholas Davis

More from Nicholas Davis (20)

Recently uploaded

Recently uploaded (20)

Cloud Security and Bring Your Own Device (BYOD) Security