
Cloud security From Infrastructure to People-ware


Understand cloud security at every level, from infrastructure to people-ware, by understanding the threats, hardening your servers and creating policies that guide users in securing themselves.



  1. What is cloud?
     Cloud computing involves computing over a network, where a program or application may run on many connected computers at the same time. It specifically refers to a computing hardware machine, or a group of computing hardware machines commonly referred to as a server, connected through a communication network such as the Internet, an intranet, a local area network (LAN) or a wide area network (WAN). -Wikipedia
  2. The Cloud Pyramid
     • Infrastructure as a Service
     • Platform as a Service
     • Software as a Service
     • Business Process as a Service
  3. IBM X-Force Report 2012
     Figure: Sampling of security incidents by attack type, time and impact. The conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
  4. Coverage and Depth
     Coverage
     • 20,000+ devices under contract
     • 3,700+ managed clients worldwide
     • 13B+ events managed per day
     • 133 monitored countries (MSS)
     • 1,000+ security-related patents
     Depth
     • 14B analyzed web pages & images
     • 40M spam & phishing attacks
     • 64K documented vulnerabilities
     • Billions of intrusion attempts daily
     • Millions of unique malware samples
  5. Security Challenges
     • Virtual and Infrastructure
       o Cloud Mapping
       o Co-residence
       o Side Channeling
     • Data Management Issues
       o Data Integrity
       o Data Provenance
       o Data Remanence
       o Data Availability
     • Users / People-ware
       o Identity
       o Policy Development
  6. 4 Dimensions of Security Challenge
     • People: Hackers, Suppliers, Consultants, Terrorists, Employees, Outsourcers, Customers
     • Data: At rest, In motion, Unstructured, Structured
     • Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications
     • Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
  7. Infrastructure
     • Typical Datacenter (diagram)
  8. Virtualization
     • Typical Architecture vs. Virtual Architecture (diagram)
  9. Virtual Machine Security Challenge
     • Cloud Mapping
       Figure: A plot of the internal IP addresses assigned to instances launched during the initial mapping experiment using Account A.
       Figure: A plot of the internal IP addresses of instances launched in Zone 3 by Account A and, 39 hours later, by Account B. 55 of the Account B IPs were repeats of those assigned to instances for Account A.
  10. Cloud Mapping Mitigation
      • Mapping:
        o Use a randomized scheme to allocate IP addresses
        o Block some scanning tools/activities (nmap, traceroute)
      • Co-residence checks:
        o Prevent identification of dom0/hypervisor
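The first mitigation above, a randomized address allocation scheme, can be checked rather than just asserted. The example below is added here and is not code from the slides or from any cloud provider; it models two toy allocators over a constructed 10.0.0.0/16 pool (an assumption, not a real provider's range). The sequential allocator hands out the lowest free address and so recreates the two effects from slide 9: consecutive launches land on adjacent addresses, and a second account launched after the first account's instances are terminated receives the same addresses again. The randomized allocator draws from the pool with the OS CSPRNG, which removes both effects.

```python
import bisect
import ipaddress
import secrets


class SequentialAllocator:
    """Simplified model of a predictable scheme: always hand out the lowest free address."""

    def __init__(self, network):
        # IPv4Address objects compare numerically, so the list stays in address order
        self.free = sorted(ipaddress.ip_network(network).hosts())
        self.assigned = {}

    def allocate(self, owner):
        if not self.free:
            raise RuntimeError("pool exhausted")
        ip = self.free.pop(0)
        self.assigned[ip] = owner
        return ip

    def release(self, ip):
        del self.assigned[ip]
        bisect.insort(self.free, ip)   # released address goes back into numeric order


class RandomizedAllocator:
    """Mitigation: pick a uniformly random free address using a CSPRNG."""

    def __init__(self, network):
        self.free = list(ipaddress.ip_network(network).hosts())
        self.assigned = {}

    def allocate(self, owner):
        if not self.free:
            raise RuntimeError("pool exhausted")
        # secrets.randbelow uses the OS CSPRNG; random.randrange would be predictable
        idx = secrets.randbelow(len(self.free))
        ip = self.free[idx]
        self.free[idx] = self.free[-1]  # swap-remove keeps allocation O(1)
        self.free.pop()
        self.assigned[ip] = owner
        return ip

    def release(self, ip):
        del self.assigned[ip]
        self.free.append(ip)


def adjacency_ratio(ips):
    """Fraction of consecutive launches whose addresses are numerically adjacent."""
    ints = [int(ip) for ip in ips]
    pairs = list(zip(ints, ints[1:]))
    return sum(1 for a, b in pairs if abs(a - b) == 1) / len(pairs)


def reuse_experiment(allocator, n=50):
    """Account A launches n instances and terminates them; Account B then launches n.

    Returns (adjacency ratio of A's launches, number of B's addresses that repeat A's),
    mirroring the two observations on slide 9.
    """
    a_ips = [allocator.allocate("A") for _ in range(n)]
    for ip in a_ips:
        allocator.release(ip)
    b_ips = [allocator.allocate("B") for _ in range(n)]
    return adjacency_ratio(a_ips), len(set(a_ips) & set(b_ips))


if __name__ == "__main__":
    for cls in (SequentialAllocator, RandomizedAllocator):
        adj, repeats = reuse_experiment(cls("10.0.0.0/16"))
        print(f"{cls.__name__}: adjacency={adj:.2f} repeats={repeats}/50")
```

With the sequential allocator the adjacency ratio is 1.0 and all 50 of Account B's addresses repeat Account A's; with the randomized allocator over a /16 both numbers are close to zero. The same measurement can be run against a real provider's allocations to judge whether its scheme leaks placement information.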
  11. Virtual Machine Security Challenge
      • Co-residence

        Zone      # of victims v   # of probes p   coverage
        Zone 1          1               20           1/1
                       10               20           5/10
                       20               20           7/20
        Zone 2          1               20           0/1
                       10               18           3/10
                       20               19           8/20
        Zone 3          1               20           1/1
                       10               20           2/10
                       20               20           8/20

        Results of launching p probes 5 minutes after the launch of v victims. The rightmost column gives success coverage: the number of victims for which a probe instance was co-resident, over the total number of victims.

        Trial       Account A   Account B   Total
        Midday         2/5         2/5       4/10
        Afternoon      1/5         3/5       4/10
        Night          2/5         2/5       4/10

        The number of victims for which a probe achieved co-residence, for three separate runs of 10 repetitions of launching 1 victim instance and, 5 minutes later, 20 probe instances. Odd-numbered repetitions used Account A; even-numbered repetitions used Account B.
  12. What can co-residence do?
      • Co-residency affords the ability to:
        o Denial of Service
        o Estimate the victim's workload
          • Cache
          • Network traffic
        o Extract cryptographic keys via cache-based side channels
        o Other cross-VM attacks
  13. Co-residence Mitigation
      • Do not allow co-residence at all:
        o Beneficial for cloud users
        o Not efficient for cloud providers
        o N-tier trust model?
      • Information leakage:
        o Prevent cache load attacks?
  14. Virtual Machine Security Challenge
      • Side Channeling
        Figure: Results of executing 100 Prime+Trigger+Probe cache timing measurements for three pairs of m1.small instances, both when concurrently making HTTP GET requests and when not. Instances in Trial 1 and Trial 2 were co-resident on distinct physical machines. Instances in Trial 3 were not co-resident.
  15. Best Example of Side Channel Attack
      Heartbleed
  16. Side Channel Attack Mitigation
      • Create better encryption technology
        o Oblivious
          • Work on large chunks
          • Partition the encryption process into a slow but short part, implemented securely
        o Non-colliding
  17. Data Concerns in the Cloud
      • Data Integrity
        o Cloud Service Provider (CSP) concerns
        o Third Party Auditing (TPA)
        o Encryption and multitenancy
      • Data Provenance
      • Data Remanence
      • Data Availability
        o Elasticity
        o CSP-related downtime
        o Malicious attacks
  18. Data Integrity
      • Cloud Service Provider (CSP) concerns
        o CSP security
          • Data transfer
          • Data at rest
        o CSP data loss
          • Unintentional
          • Intentional
        o Third Party Auditing
          • The auditor
          • Support for dynamic data
  19. Data Integrity
      • Encryption & Multitenancy
        o Multitenancy – storage of data from multiple clients in a single repository
        o Inability to use encryption in order to support indexing
        o Encryption is largely irrelevant if data is analyzed on the cloud, as analysis requires decryption.
  20. Data Provenance & Remanence
      • Data Provenance – calculation accuracy
        o Shared resources mean shared responsibility
        o Difficulty / impossibility in tracking the machines involved
      • Data Remanence – data cleansing
        o “Ghost data” – left behind after deletion
        o No remanence security plan at any major CSP
  21. Availability
      • Cloud Service Provider concern: total downtime (HH:MM:SS) allowed by each availability level

        Availability   Per day      Per month   Per year
        99.999%        00:00:00.4   00:00:26    00:05:15
        99.99%         00:00:08     00:04:22    00:52:35
        99.9%          00:01:26     00:43:49    08:45:56
        99%            00:14:23     07:18:17    87:39:29
  22. Availability + Elasticity
      • Distributed Denial of Service (DDoS) uses port flooding to slow systems or force server resets.
        o External attack models
          • Similar to traditional strikes
          • Cloud usage as attacker
        o Internal attack models
          • Protection responsibility lies on the user
          • The CSP would need to detect it
  23. An Example of DDoS Mitigation
      • As used on the Smarter Philippines website:
        1. Detect GET request
        2. Detect packet activity as to size
        3. Detect activity pattern
        4. Flag activities:
           1. Abnormal packet size
           2. Abnormal login request (brute force)
           3. Abnormal GET request
        5. Route request to reverse attacker's IP; track attacker's IP (routing scheme)
        6. Add attacker's IP to deny host
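The flagging stage of that flow (steps 2 to 4 and 6) can be expressed as a small detector run over web-server logs. The example below is added here and is not the Smarter Philippines code; it assumes a constructed, space-separated log format (`timestamp ip method path status bytes`) and assumed thresholds (30 GETs in 10 seconds, 5 failed logins in 60 seconds, 16 KiB request size). It keeps a sliding window per source address, raises the three flags from slide 23, and emits TCP-wrappers `hosts.deny` style entries for the flagged addresses; the sample log lines are constructed with documentation-only addresses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <ip> <method> <path> <status> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")

GET_LIMIT, GET_WINDOW = 30, 10        # more than 30 GETs inside 10 s  (assumed threshold)
LOGIN_LIMIT, LOGIN_WINDOW = 5, 60     # more than 5 failed logins inside 60 s (assumed)
MAX_BYTES = 16384                     # request larger than 16 KiB is "abnormal size" (assumed)


def parse(line):
    """Return a dict for a well-formed line, None for anything else (malformed lines are skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, size = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "bytes": int(size)}


def _slide(window, ts, seconds):
    """Append ts and drop entries older than the window; return current count."""
    window.append(ts)
    while window and (ts - window[0]).total_seconds() > seconds:
        window.popleft()
    return len(window)


def analyze(lines):
    """Map each source IP to the set of flags raised against it."""
    gets, fails, flags = defaultdict(deque), defaultdict(deque), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["bytes"] > MAX_BYTES:                                   # flag 1
            flags[ip].add("abnormal packet size")
        if rec["method"] == "GET" and _slide(gets[ip], ts, GET_WINDOW) > GET_LIMIT:
            flags[ip].add("abnormal GET rate")                         # flag 3
        if (rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == 401
                and _slide(fails[ip], ts, LOGIN_WINDOW) > LOGIN_LIMIT):
            flags[ip].add("abnormal login requests (brute force)")     # flag 2
    return dict(flags)


def deny_entries(flags):
    """hosts.deny style lines ('ALL: <ip>') for every flagged address, in address order."""
    return [f"ALL: {ip}" for ip in sorted(flags, key=ipaddress.ip_address)]


def build_sample_log():
    """Constructed sample traffic: one benign client and three abusive ones."""
    base = datetime(2014, 5, 1, 10, 0, 0)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i * 30)} 198.51.100.7 GET /index.html 200 512" for i in range(3)]
    lines += [f"{stamp(i * 0.2)} 203.0.113.5 GET /index.html 200 512" for i in range(40)]
    lines += [f"{stamp(i * 5)} 203.0.113.9 POST /login 401 300" for i in range(8)]
    lines += [f"{stamp(7)} 203.0.113.12 GET /upload 200 65000"]
    lines += ["this line is not in the expected format"]
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for ip, reasons in result.items():
        print(ip, sorted(reasons))
    print("\n".join(deny_entries(result)))
```

In production the deny list would be written to a file the server re-reads (or pushed to a firewall rule), and thresholds should be tuned against normal traffic for the site so a busy legitimate client is not flagged.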
  24. Solution Key Themes: Infrastructure Protection – Endpoint Vision
      • Security for Mobile Devices: provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian and Microsoft Windows Phone, using a single platform
      • Expansion of Security Content: continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems and industry best practices
      • Security Intelligence Integration: improved use of analytics, providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform
  25. Knowing the User
  26. Policy Development
      • Challenges
        o Define security policies and standards
        o Measure actual security against policy
        o Report violations of policy
        o Correct violations to conform with policy
        o Summarize policy compliance for the organization
  27. Layers of Information Security – Revisited
  28. Policies
      • Purpose: provide a framework for the management of security across the enterprise
  29. Definitions
      • Policies
        o High-level statements that provide guidance to workers who must make present and future decisions
      • Standards
        o Requirement statements that provide specific technical specifications
      • Guidelines
        o Optional but recommended specifications
  30. Security Policy
      • Access to network resources will be granted through a unique user ID and password.
      • Passwords will be 8 characters long.
      • Passwords should include one non-alpha character and not be found in a dictionary.
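The two password statements on that slide are the kind of standard that can be enforced mechanically at account creation. The example below is added here and is not from the slides or from any named organization; it reads the slide's "8 characters long" as a minimum length (an assumption), uses a small constructed word list in place of a real dictionary, and, going one step beyond the slide, also treats a dictionary word with digits appended (such as "password1") as a dictionary word, which is a common reading of the rule and is labelled as an assumption in the code. It returns the list of standard violations so the caller can refuse the password and tell the user exactly which rule failed.

```python
import string

MIN_LENGTH = 8  # the slide says "8 characters long"; treated here as a minimum (assumption)

# Constructed stand-in for a real dictionary or breached-password list
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}


def check_password(password, dictionary=DICTIONARY):
    """Return the list of standard violations for a candidate password (empty list = accepted)."""
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # "include one non-alpha": at least one character that is not a letter
    if all(ch.isalpha() for ch in password):
        violations.append("contains no non-alphabetic character")

    # "not found in dictionary": compare case-insensitively; the rstrip of trailing
    # digits is an assumption so that "password1" is still caught as "password"
    lowered = password.lower()
    stem = lowered.rstrip(string.digits)
    if lowered in dictionary or (stem and stem in dictionary):
        violations.append("found in dictionary")

    return violations


def is_acceptable(password, dictionary=DICTIONARY):
    """True when the password meets every statement of the standard."""
    return not check_password(password, dictionary)


if __name__ == "__main__":
    for candidate in ("sunshine", "Xy7#", "password1", "Tr0ub4dor&3"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

A real deployment would swap the constructed word list for a large dictionary or a breached-password feed and run the check server-side, since the standard is only enforced if the system that creates the account applies it.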
  31. Elements of Policies
      • Set the tone of management
      • Establish roles and responsibility
      • Define asset classifications
      • Provide direction for decisions
      • Establish the scope of authority
      • Provide a basis for guidelines and procedures
      • Establish accountability
      • Describe appropriate use of assets
      • Establish relationships to legal requirements
  32. Policies Should…
      Clearly identify and define the information security goals and the goals of the group, company or the whole country.
  33. Policy Lifecycle (diagram)
      Diagram elements: Cabinet Goals, IS Goals, Policy, Standards, Procedures, Guidelines, Awareness, Info Security Actions.
  34. Ten Step Approach
  35. Collect Background Information
      • Obtain existing policies
        o Creighton's
        o Others
      • Identify what levels of control are needed
      • Identify who should write the policies
  36. Perform Risk Assessment
      • Justify the policies with a risk assessment
        o Identify the critical functions
        o Identify the critical processes
        o Identify the critical data
        o Assess the vulnerabilities
  37. Create a Policy Review Board
      • The policy development process
        o Write the initial “draft”
        o Send to the Review Board for comments
        o Incorporate comments
        o Resolve issues face-to-face
        o Submit the “draft” policy to the Cabinet for approval
  38. Develop Information Security Plan
      • Establish goals
      • Define roles
      • Define responsibilities
      • Notify the user community as to the direction
      • Establish a basis for compliance, risk assessment and audit of information security
  39. Develop Security Policies, Standards, and Guidelines
      • Policies
        o High-level statements that provide guidance to workers who must make present and future decisions
      • Standards
        o Requirement statements that provide specific technical specifications
      • Guidelines
        o Optional but recommended specifications
  40. Implement Policies and Standards
      • Distribute policies.
      • Obtain agreement with policies before granting access to Creighton systems.
      • Implement controls to meet or enforce policies.
  41. Awareness and Training
      • Makes users aware of the expected behavior
      • Teaches users how and when to secure information
      • Reduces losses & theft
      • Reduces the need for enforcement
      • In government, policies are published in a leading newspaper
  42. Monitor Compliance
      • Management is responsible for establishing controls
      • Management should REGULARLY review the status of controls
      • Enforce “user contracts” (Code of Conduct)
      • Establish effective authorization approval
      • Establish an internal review process
      • Internal audit reviews
  43. Evaluate Policy Effectiveness
      • Evaluate
      • Document
      • Report
  44. Modify Policies
      Policies must be modified due to:
        o New technology
        o New threats
        o New or changed goals
        o Organizational changes
        o Changes in the law
        o Ineffectiveness of the existing policy
  45. Policy Hierarchy (diagram)
      • Policies: Governance Policy → Access Control Policy → User ID Policy
      • Standards: Access Control Authentication Standard, Password Construction Standard, User ID Naming Standard
      • Guidelines: Strong Password Construction Guidelines
  46. Solution Key Themes: IBM Identity and Access Management Vision
      • Standardized IAM and Compliance Management: expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, applications and infrastructure
      • Secure Cloud, Mobile, Social Interaction: enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
      • Insider Threat and IAM Governance: continue to develop Privileged Identity Management (PIM) capabilities and enhanced identity and role management
  47. Solution Key Themes: Application Security Vision
      • Coverage for Mobile Applications and New Threats: continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next-generation dynamic analysis scanning and glass box testing
      • Simplified Interface and Accelerated ROI: new capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease-of-use features
      • Security Intelligence Integration: automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
  48. Solution: feeds into QRadar (diagram)
      • Tivoli Endpoint Manager: endpoint management vulnerabilities enrich QRadar's vulnerability database
      • AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment
      • Guardium: database assets, rule logic and database activity information
      • Identity and Access Management: identity context for all security domains, with QRadar as the dashboard
      • IBM Security Network Intrusion Prevention System: flow data into QRadar turns NIPS devices into activity sensors
      • X-Force: correlate new threats based on X-Force IP reputation feeds
      • Hundreds of 3rd-party information sources
  49. Thank you for listening
      Tzar C. Umang, President, Tzar Enterprises
      email: