8. “If the data breach involves the loss or theft of 100,000 or more customer records, instead of an
average cost of $2.37 million it could be as much as $5.32 million. Data breaches involving the theft of
high value information could increase from $2.99 million to $4.16 million.”
- From “Data Breach: The Cloud Multiplier Effect” conducted by Ponemon Institute LLC, June 2014
How Risky is the Cloud?
9. Gartner’s position that I strongly agree with:
Public clouds are usually a more secure starting point than in-house implementations.
Public cloud workloads can be more secure than in-house workloads.
SaaS applications can have security and continuity advantages.
Justification:
No evidence indicates that Cloud Providers have performed less securely than end-user organizations.
Tier 1 cloud providers have far more resources, capabilities and sophisticated controls than most end-user
organizations.
It’s all about understanding that cloud security is a shared responsibility!
How Risky Really is the Cloud?
10. Practical Cloud Security Risks
● Unauthorized data exposure and leakage
Misconfigurations especially with AWS S3 buckets and EBS snapshots are becoming a huge concern
● Loss of critical system availability and data
● Legal, Regulatory and Sovereignty non-compliance
● Security events monitoring and Incident Response
● Inadequate Business Continuity and Disaster Recovery planning
● Third and Fourth party security failures
● Governance and Vendor-lock-ins
11. YEAR RELEVANT INCIDENTS
2014
• Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor
authentication. All the company’s assets were destroyed, putting it out of business.
• News aggregator, Feedly and note taking app, EverNote were knocked offline by DDoS attack in what looked like a series of
coordinated cyber-attacks. Intent was to extort money for resuming normal operations.
2015
• The US Internal Revenue Service (IRS) exposed over 700,000 sensitive records via a vulnerable API.
• BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords stolen due to a security
vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000.
2016
• A medium-sized firm, Children in Film, using cloud hosting services had a ransomware infection affecting 4000+ important files.
Recovery from backup took several days to complete.
2017
• Between 2.2 million and 4 million Dow Jones customers’ sensitive financial and personal details were exposed due to wrong
privacy settings on an AWS S3 bucket.
• 200 million US voters’ data was exposed to the Internet via AWS S3 buckets and could have been utilized for nefarious
purposes.
2018
• An unsecured Amazon S3 storage server exposed thousands of FedEx customer records, including civilian and military ID cards,
resumes, bills, and more.
References listed on last slide of the presentation
12. European Union Agency for Network and Information Security, Cloud Security Guide for SMEs
https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
Cloud Security Alliance’s Treacherous 12
1. Data Breaches
2. Insufficient Identity, Credential and Access Mgmt
3. Account Hijacking
4. Insecure Interfaces and APIs
5. System Vulnerabilities
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious use of cloud services
11. Denial of Service
12. Shared Technology Vulnerabilities
Top 11 Cloud Security Risks - ENISA
1. Software Security Vulnerabilities
2. Network Attacks
3. Social Engineering Attacks
4. Management GUI and API compromise
5. Device theft/loss
6. Physical Hazards
7. Overloads
8. Unexpected costs
9. Vendor lock-in
10. Administrative or legal outages
11. Foreign jurisdiction issues
14. Cloud Security Considerations
Understand Business requirements: Define use cases
Criticality and Sensitivity of information involved:
Data classification and corresponding security controls
Understand data sovereignty, privacy and records retention impact
Governance arrangements: clarity of responsibilities, incident management, cost over-runs, BCP/DR – account
for archiving to a different provider if the main organization goes out of business or vendor lock-in
Contracts: data delivery in agreed formats, supply chain risks, right to audit, standard security clauses, data
ownership, SLAs
Adopt a risk-based and data-centric approach
17. 1. Cloud Access Security Broker (CASB)
Popular Use Cases:
• Understanding and addressing Shadow IT
• Protecting Data uploaded to or created in the cloud
• Secure Cloud Collaboration such as external sharing
• Logging and Auditing visibility
20. 2. Data Loss Prevention
https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e?ui=en-US&rs=en-US&ad=US#locations
Sensitive data discovery
Protection against unauthorized information disclosure
24. 3. Information Rights Management
Persistent protection against unauthorized information access and distribution
Utilizes a combination of encryption, identity and authorization policies
Example of cloud based IRM utilizing Azure Rights Management
https://docs.microsoft.com/en-us/information-protection/understand-explore/how-does-it-work
25. IRM – Control in Action
https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection
26. • How do I get visibility in my Cloud environments?
CASBs, APIs and potentially security rating tools.
• How do I secure my users?
Identity and Access Management (MFA, SSO), Privileged Access Management, Adaptive
access controls.
• How do I secure and protect my data against threats?
DDoS protection including network redundancy, sensitive data monitoring, DLP, Encryption at rest
and in-transit, Information Rights Management, Anti-malware scanning, content sandbox and User
Entity Behavior Analytics (UEBA).
• How do I secure my applications/actions?
Transport Encryption, Usage reporting, Auditing, logging/alerting.
Practical Advice for Technical Controls
27. Thinking of AWS or Azure?
Get Identity and Access Management Right – Make sure MFA is enabled for all root and privileged
accounts!
Ensure secure configurations for instances
Encrypt data where practical – cloud-based Key Management Services are quite reliable
Enable inspection and segmentation of traffic to instances
The many apps in Office 365 and the ever-increasing AWS functionality can turn into a scaling nightmare:
establish governance around assessing apps before they are released.
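The first rule on this slide (and the Code Spaces incident from 2014) comes down to one check: is MFA active on the root account and on every user who can sign in to the console? As an added example that is not part of the presentation, the following audits an IAM credential report, the CSV that `aws iam get-credential-report` returns after `generate-credential-report`; the sample report is a constructed subset of its columns with a placeholder account id.

```python
import csv
import io

ROOT = "<root_account>"  # literal user name the credential report uses for root


def mfa_findings(report_csv):
    """Return (user, issue) pairs for rows violating the MFA rule.

    Console users are rows with password_enabled == "true"; the root row
    reports password_enabled as "not_supported", so it is handled by name.
    Active root access keys are flagged too: they bypass MFA entirely.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, mfa = row["user"], row["mfa_active"] == "true"
        if user == ROOT:
            if not mfa:
                findings.append((user, "root account without MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
        elif row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console user without MFA"))
    return findings


# Constructed sample: a subset of the real report's columns (DictReader ignores
# the others). Account id 111122223333 is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
"""

if __name__ == "__main__":
    # Live use with boto3: iam = boto3.client("iam"); iam.generate_credential_report();
    # report_csv = iam.get_credential_report()["Content"].decode()
    for user, issue in mfa_findings(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

Users with only access keys (like deploy-bot) are not flagged here because MFA does not apply to key-based API calls; they are covered by key rotation and least-privilege policies rather than this check.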
28. Identity is the New Perimeter and Humans are the New Firewalls
Gartner’s predictions:
● Strategic Planning Assumption: By 2020, 50% of enterprises will require an approved exception to
put new workloads in house.
● Strategic Planning Assumption: By 2022, we will stop referring to the exceptional scenario as "cloud
computing," and instead, will use "local computing" to describe the less common model.