
Managing Cloud Security Risks in Your Organization

Date post:02-Nov-2014
Any organization in the world needs to prepare itself before it moves to the cloud, i.e. carry out a cloud security risk assessment. Moving to the cloud is all about managing your risks, and understanding the risks and benefits should be an essential part of the thinking of any organization planning to move to cloud infrastructure.
  • 1. Managing Cloud Security Risks in Your Organization. 23 November 2013. Seminar Kriptografi dan Keamanan Informasi, Sekolah Tinggi Sandi Negara. Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan. Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  • 2. About me: Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI. Researcher, Information Security Research Group, and Lecturer, Swiss German University. Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id. http://people.sgu.ac.id/charleslim. I am currently a doctoral student at the University of Indonesia. Research Interest: Malware; Intrusion Detection; Vulnerability Analysis; Digital Forensics; Cloud Security. Community: Indonesia Honeynet Project - Chapter Lead; Academy CSIRT - member. Footer: Master of Information
  • 3. Agenda: Cloud Computing; Cloud Security; Cloud Risks; CSA (Cloud Security Alliance); Case Study: SSH decrypted; Safe Cloud, is it possible?; Related Works; Conclusion; References
  • 4. Cloud Computing: NIST Definition. NIST defines 5 essential characteristics, 3 service models, 4 cloud deployment models. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
  • 5. Service Models: IaaS = Infrastructure as a Service; PaaS = Platform as a Service; SaaS = Software as a Service; XaaS = Anything as a Service (not included in NIST)
  • 6. Cloud Taxonomy
  • 7. Where are the risks?
  • 8. Cloud Computing Consideration
  • 9. Challenges and benefits
  • 10. The Hybrid enterprise: private clouds; public clouds; cloud of users; Extended Virtual Data Center; Notional organizational boundary; Dispersal of applications; Dispersal of data; Dispersal of users; Dispersal of endpoint devices
  • 11. Good Practice is the key: Compliance + Audit; Certification + Standards; Good Governance, Risk and Compliance; Industry recognized certification; Secured Infrastructure; Secured and tested technologies; Data Security; Data Security Lifecycle
  • 12. Cloud Computing Top Threats/Risks
  • 13. Shared Technologies Vulnerabilities
  • 14. Data Loss / Leakage
  • 15. Malicious Insiders
  • 16. Interception or Hijacking of traffic
  • 17. Insecure APIs
  • 18. Nefarious use of service
  • 19. Unknown Risk Profiles
  • 20. CSA Cloud Security Framework: Cloud Architecture. Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability. Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
  • 21. CSA Cloud Security Framework Domain: Understand Cloud Architecture. Governing in the Cloud: 1. Governance & Risk Mgt; 2. Legal and Electronic Discovery; 3. Compliance & Audit; 4. Information Lifecycle Mgt; 5. Portability & Interoperability. Operating in the Cloud: 1. Security, Business Continuity and Disaster Recovery; 2. Data Center Operations; 3. Incident Response; 4. Application Security; 5. Encryption & Key Mgt; 6. Identity & Access Mgt; 7. Virtualization
  • 22. How Security Gets Integrated (diagram). Domains shown: Domain 2 Governance and Enterprise Risk Management; Domain 3 Legal and Electronic Discovery; Domain 4 Compliance and Audit; Domain 5 Information Lifecycle Management; Domain 6 Portability and Interoperability; Domain 7 Traditional Security, Business Continuity, and Disaster Recovery; Domain 8 Data Center Operations; Domain 9 Incident Response, Notification, and Remediation; Domain 10 Application Security; Domain 11 Encryption and Key Management; Domain 12 Identity and Access Management; Domain 13 Virtualization
  • 23. CSA Cloud Assessment Framework
  • 24. Sample Assessment: Governance. Best opportunity to secure cloud engagement is before procurement (contracts, SLAs, architecture); Know provider's third parties, BCM/DR, financial viability, employee vetting; Identify data location when possible; Plan for provider termination & return of assets; Preserve right to audit where possible; Reinvest provider cost savings into due diligence
  • 25. Sample Assessment: Operation. Encrypt data when possible, segregate key mgt from cloud provider; Adapt secure software development lifecycle; Logging, data exfiltration, granular customer segregation; Hardened VM images; Understand provider's patching, provisioning, protection; Assess provider IdM integration, e.g. SAML, OpenID
  • 26. Cloud Control Matrix Tool: Controls derived from guidance; Rated as applicable to SP-I; Customer vs Provider role; Mapped to ISO 27001, COBIT, PCI, HIPAA; Help bridge the cloud gap for IT & IT auditors
  • 27. Cloud Adoption - Challenges: Market Perception toward cloud
  • 28. Case Study: SSH decrypted (VM). Based on Brian Hay and Kara Nance paper. Motivation: Malware encrypted communication with C & C; Law Enforcement capability to monitor deployed cloud and enterprise VM. Novelty: Visibility into cryptographically protected data and communication channels; No modifications to VM
  • 29. Case Study: SSH decrypted (VM). Approach: Identification (processes of crypto lib and calls made to the lib); Recovery (input to & output to crypto functions); Identification (crypto keys); Recovery (crypto keys above); Recovery of plaintext (using recovered keys). How to: Minimum described in the paper. Keywords: Xen platform, libvirt, sebek techniques
  • 30. Case Study: SSH decrypted (VM). Sebek Installation & Operation: http://www.honeynet.org/project/sebek ; http://www.sans.org/reading-room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996 ; http://vimeo.com/11912850. Limitation: Sebek modules can be detected with rootkit detection tools
  • 31. Case Study: SSH decrypted (VM)
  • 32. Case Study: SSH decrypted (VM)
  • 33. Case Study: SSH decrypted (VM)
  • 34. Case Study: SSH decrypted (VM)
  • 35. Safe Cloud, is it possible? Big Question: Is it possible to have a safe cloud? (https://www.safeswisscloud.ch)
  • 36. New Development: Cloud Crypto. https://itunes.apple.com/us/app/cloudcapsule/id673662021
  • 37. Related Works: Lim et al., "Risk Analysis and comparative study of Different Cloud Computing Providers In Indonesia," ICCCSN 2012; Amanatullah et al., "Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective," ICISS 2013
  • 38. Other Security-related Publications: Lim et al., "Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia," Advanced Science Letters, 2014; Suryajaya et al., "PRODML Performance Evaluation as SOT Data Exchange Standard," IC3INA 2013
  • 39. Conclusion: There is no 100% security; It is all about managing risks; It all depends on single, exploitable vulnerability (the weakest link); Cloud greatest risk is still the insiders; CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance; Uncovering crypto keys in the cloud is possible, important to malware research
  • 40. References: Cloud computing risk assessment, ENISA (http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloudcomputing-risk-assessment); Cloud Security Alliance (https://cloudsecurityalliance.org/); Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012.
  • 41. Thank You
  • 42. Questions
