myths and realities of cloud data security

Post on 12-Jan-2015

Category:

Technology

DESCRIPTION

Debunking some of the "sound bite" myths around Cloud Data Security. Presentation done for the MinneAnalytics "Life Science Lean-In: Analytics & Big Data in Healthcare & Life Science"

TRANSCRIPT

© 2012

Myths & Realities of Cloud Data Security

Michael J. Krouze
Chief Technology Officer
Charter Solutions, Inc.

Copyright © 2013, Charter Solutions, Inc. 2.

“The first step toward change is awareness. The second step is acceptance.”

- Nathaniel Branden

“All our knowledge has its origins in our perceptions.”

- Leonardo da Vinci

“The thing about quotes on the internet is you can not confirm their validity.”

- Abraham Lincoln

We don’t use the cloud.

• Files are encrypted at rest
• Files are encrypted during transit
• Provide “business” version that allows multiple user access control
• Strict policy and technical access controls that prohibit employee access

• Users can have weak passwords
• Files are ‘synced’ to multiple devices
• API allows programs to access your files (with permission)

• Always use strong passwords
• Encrypt files before you put them there and only share key with the other people who should see that file
• Never give permission for API access

Yes, your organization uses the cloud… you just may not know it.

The cloud simply cannot be secure.

My provider has my security covered.

The cloud isn't safe. If it's on the Internet, it's more vulnerable to hackers.

Private cloud computing is secure by default.

Data stored in the cloud is more vulnerable.

Security is a Shared Responsibility

[Figure: the stack Network, Storage, Server, VM, OS, Services, Application, shown for each deployment model: On-Premise, On-Premise (hosted), IaaS, PaaS, SaaS. Legend: Organization has Control; Organization Shares Control with Vendor; Vendor has Control.]

Industry Groups Targeted

[Bar chart, % of Breaches by industry group: Other; Information; Health Care and Social Assistance; Finance and Insurance; Retail Trade; Accommodation and Food Services.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Who’s Behind Data Breaches?

[Bar chart, % of Breaches by threat agent: Business Partners; Internal Employees; External Agents.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Threat Agent Change Over Time

[Chart, % of Breaches for External, Internal and Partner threat agents across the periods '04-'07, 2008, 2009, 2010 and 2011.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

How Do Breaches Occur?

[Bar chart, % of Breaches by threat action: Privilege Misuse; Social Tactics; Physical Attacks; Malware; Hacking.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Attack Commonalities

97% Avoidable through simple or intermediate controls
96% Were not highly difficult
94% Of all data compromised involved servers
92% Were discovered by a third party
85% Took weeks or more to discover
79% Were targets of opportunity

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Hacking Methods

[Bar chart, % of Breaches by hacking method: Unknown; Abuse of functionality; Remote file inclusion; SQL Injection; Exploit insufficient authentication; Exploit backdoor; Brute force/dictionary attacks; Stolen login credentials; Default/guessable credentials.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Not Just About Data Encryption

[Diagram labels: Application; Database; OS File System; Storage System; Public Network; Private Network. Legend: SSL Encrypted; Encrypted at Rest; Clear Text Data.]

It’s not that the cloud isn’t secure…

It’s that you need to think differently about how to secure it

My datacenter is more secure than the cloud.

A little obvious after the last myth

Security is often taken for granted behind the firewall

Data Breaches by Hosting Location

[Bar chart, % of Breaches by hosting location: Mobile; Co-located; External; Internal.]

Source: 2012 Data Breach Investigations Report (Verizon/USSS)

Your datacenter (on-premise or cloud) is only as secure as you make it!

Both can be equally secure or insecure.

Concluding thoughts…

Understand your data risks & security needs

Establish a set of cloud-specific security processes / policies

Review cloud vendors closely to ensure their sphere of control aligns with your cloud-specific processes / policies

Implement, monitor, react, review, improve

Thank You!

michael.krouze@chartersolutions.com
http://www.linkedin.com/in/mjkrouze

@mjkrouze
