Identity theft in the Cloud and remedies

Identity theft in the Cloud and remedies, Giuseppe “Gippa” Paternò, Friday 26 October 12

Upload: giuseppe-paterno

Post on 15-Jan-2015


DESCRIPTION

Cloud can provide great flexibility to IT, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt a virtual data center (IaaS) or on-line applications (SaaS), you shift the paradigm of security as it was conceived up to now. The presentation will examine the security implications of a Cloud infrastructure and possible remedies with practical examples.

TRANSCRIPT

Page 1: Identity theft in the Cloud and remedies

Identity theft in the Cloud and remedies

Giuseppe “Gippa” Paternò

Friday 26 October 12

Page 2: Identity theft in the Cloud and remedies

My identity: Giuseppe “Gippa” Paternò

• Director Digital of GARL, the Swiss bank behind the SecurePass service

• EMEA Sales Engineer of Canonical, the company behind Ubuntu

• Security researcher, open source enthusiast, and friend of the “Penguin” since 1995

• Leisure pilot ... a good excuse to be back in an airport during the weekends :)

• Non-professional Chef (Ramsay, I challenge you :)

• Radio amateur with a passion for “strange” WiFi: my association holds the world record of a 304 km WiFi link!!

Page 3: Identity theft in the Cloud and remedies

Cloud, a buzzword with different meanings

SaaS, IaaS, PaaS ... what a MesS!

Page 4: Identity theft in the Cloud and remedies

What is meant by “Cloud”

A set of services, usually “rented” from a service provider or internal IT department (for large corporations), that enables:

• Flexibility: the ability to expand or reduce our IT infrastructure based on business needs

• Resiliency: high availability of IT services, ensuring business continuity in any event

• Accessibility: access to services anytime and anywhere on earth with a simple Internet connection

• Cost optimization: you truly have a pay-as-you-use IT infrastructure without wasting money

Page 5: Identity theft in the Cloud and remedies

The Cloud: IaaS

• Renting a virtual infrastructure from a service provider, composed of virtual servers and virtual networks

• Example: Amazon Web Services, Moresi.Com, etc.

• Security risk: total control of the IT infrastructure by an attacker, with service disruption or silent data leaking (the control panel is accessible from the Internet)

IaaS = Infrastructure as a Service

Page 6: Identity theft in the Cloud and remedies

The Cloud: SaaS

• Renting a given application, usually web-based, from a service provider, with high availability and accessible from anywhere

• Example: SalesForce.com, Office 360, etc.

• Security risk: compromising a single identity will lead to leaking of corporate data by an attacker or competitor

SaaS = Software as a Service

Page 7: Identity theft in the Cloud and remedies

The Cloud: PaaS

• Renting an “application environment” that hosts YOUR application. Compared to IaaS, PaaS does not focus on the operating system, but on “operating” the application environment (app server, languages, frameworks, databases, etc.)

• Example: Microsoft Azure, Google App Engine, CloudFoundry, etc.

• Security risk: total control of the application(s) by an attacker, with service disruption (control panel accessible from the Internet) and corporate data leaking (users’ identity theft)

PaaS = Platform as a Service

Page 8: Identity theft in the Cloud and remedies

Let’s make things complicated: BYOD

• Yet another marketing buzzword :)

• BYOD = Bring Your Own Device

• Basically the use of a “consumer” device within a corporate environment: iPad/iPhone/Android/....

• Security risk: a lost or stolen device means access to confidential data. Many apps for iOS/Android have a “static key” that gets rid of the identification process.

Page 9: Identity theft in the Cloud and remedies

Famous victims of identity theft

... and many others!

Page 10: Identity theft in the Cloud and remedies

Identity theft in numbers

10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)

221 billion dollars lost every year due to identity theft (Aberdeen Group)

5840 hours to correct damages due to identity theft, i.e. 2 years of a working resource (ITRC Aftermath Study, 2004)

35 billion corporate and government records compromised in 2010 (ITRC)

2 is the multiplication factor for the number of breaches from 2009 to 2010. The trend of data breaches due to identity theft is doubling each year.

Page 11: Identity theft in the Cloud and remedies

Human factor, an example in aviation

An organization can minimize its vulnerability to human error and reduce its risks by implementing human factors best practices [...] It contains guidance material which [...] should help reduce the risks associated with human error and human factors, and improve safety. It [...] concentrates upon risk and error management rather than risk and error elimination.

(EASA, JAR 145, Aviation Human Factors)


Page 12: Identity theft in the Cloud and remedies

Human factor in IT (in)security

• The human factor is the primary cause of intrusions by hackers, foreign government agencies or competition. Two major issues:

• Passwords that are easy to guess or crack

• Social Engineering

• Hope is not a strategy!

Page 13: Identity theft in the Cloud and remedies

Best practices, why they don’t work

• Maybe the most adopted is BS/ISO 17799, which eventually became ISO 27001

• Most best practices cover physical access, server hardening, network access and segregation, etc.

• They just don’t make sense anymore in a Cloud environment

• ... but they could be helpful to select our supplier

• What still makes sense is the access control:

• secure identification of a given user (identity management)

• check and log who’s doing what (auditing)

• permissions/rights to access a given piece of data or document (policy management)


Page 14: Identity theft in the Cloud and remedies

Identity theft remedies

This is not a remedy!

:-)


Page 15: Identity theft in the Cloud and remedies

Identity theft remedies

... and neither is this!

;-)

Page 16: Identity theft in the Cloud and remedies

Identity theft remedies

Security must be simple and transparent to the end user, otherwise it will be circumvented!

• Strong authentication of the users

• Identify which country the user is connecting from (GeoIP)

• Patches, patches and ... patches!

• Secure application programming
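
A sketch of how the GeoIP and strong-authentication bullets above can work together (an added example, not taken from the original slides): a login from a country outside a user's known set triggers a token prompt instead of being silently accepted, and every decision is kept as an audit record. The prefix table, user names, baseline, events and the `step-up` action name are constructed for illustration; a real deployment would query an actual GeoIP database.

```python
import ipaddress

# Constructed prefix-to-country table standing in for a real GeoIP database.
# Prefixes are RFC 5737 documentation ranges; country codes are illustrative.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "CH"),
    (ipaddress.ip_network("198.51.100.0/24"), "IT"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.128/25"), "BR"),  # more specific than the /24
]

# Constructed per-user baseline of countries and constructed login events:
# (timestamp, user, source IP, password_ok).
BASELINE = {"alice": {"CH", "IT"}, "bob": {"IT"}}
SAMPLE_EVENTS = [
    ("2012-10-26T08:01:00Z", "alice", "192.0.2.10", True),
    ("2012-10-26T08:05:00Z", "alice", "203.0.113.200", True),
    ("2012-10-26T08:06:00Z", "bob", "198.51.100.7", False),
    ("2012-10-26T08:07:00Z", "bob", "10.1.2.3", True),
]

def country_of(ip):
    """Longest-prefix match against GEO_TABLE; "ZZ" means no match."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, cc) for net, cc in GEO_TABLE if addr in net]
    return max(matches)[1] if matches else "ZZ"

def review_logins(events, baseline):
    """Return one (timestamp, user, country, action) audit record per login."""
    records = []
    for ts, user, ip, password_ok in events:
        cc = country_of(ip)
        if not password_ok:
            action = "deny"
        elif cc in baseline.get(user, set()):
            action = "allow"
        else:
            # Unknown or unusual country: require the second factor (token)
            action = "step-up"
        records.append((ts, user, cc, action))
    return records

if __name__ == "__main__":
    for record in review_logins(SAMPLE_EVENTS, BASELINE):
        print(*record)
```

The country check only decides when to ask for the token; it does not replace it, since a source address can be relayed through the user's usual country.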


Page 17: Identity theft in the Cloud and remedies

Intranet vs the Cloud and Trusted third party

• In a “traditional” world, Microsoft Active Directory usually covers the identity management, auditing and policy roles

• AD was not conceived to fit a Cloud environment or to be accessed from “outside” company boundaries (or firewalls)

• A distributed identity management system is needed, one that implements something like Microsoft Active Directory for Cloud environments, is able to reduce “human errors” through strong authentication and is operated by a trusted third party.

Page 18: Identity theft in the Cloud and remedies

A possible solution:

• SecurePass is a Unified Secure Access platform for Cloud, web applications and security devices (VPN, firewalls, ...)

• Strong authentication, with hardware tokens or software tokens on smartphones (iOS/Android/BlackBerry)

• Identity Management, with personnel’s information

• Seamless web Single Sign-On, to simplify user access (and avoid circumventions)

• Based on open protocols: LDAP, RADIUS and CAS

• Easy to integrate: protect your infrastructure and applications in a few minutes.

• Guaranteed by a Swiss bank


Page 19: Identity theft in the Cloud and remedies

Case Study: Moresi.Com

• Swiss housing / hosting provider with two data centers, constantly expanding

• Highly selected customers, including banks and national and international companies

• Moving the focus from traditional housing / hosting to a cloud provider (VMware vCloud based)

• Each customer has access to a "virtual datacenter" that they can orchestrate at will

• Objective: establish a secure access to the virtual datacenters


Page 20: Identity theft in the Cloud and remedies


Page 21: Identity theft in the Cloud and remedies

Case Study: Insurance company

• World’s second largest multinational insurance company, 48 subsidiaries world-wide, each one with its board of directors, CEO, CFO

• All CxO-level members access confidential documents on the move from any device (laptop, tablet, smartphone), with a high risk of data leaking

• Objective: provide secure access to their board of directors’ classified documents and avoid information leaking, through an ad-hoc secure Java-based web application

Page 22: Identity theft in the Cloud and remedies

Case Study: Automotive company

• One of the top 5 automotive suppliers in the world with over 120.000 employees

• Need to solve security issues connected to BYOD (Bring Your Own Device) by employees and top managers, in particular tablets and smartphones

• Objective: provide secure access to corporate resources from BYOD through SSL VPNs and ad-hoc portals

Page 23: Identity theft in the Cloud and remedies

SecurePass Contest 2012

• Integrate SecurePass and publish a story in a blog or on-line magazine. Good excuse for:

• testing SecurePass for free

• learning something new

• letting your boss or your customers know that you care about security

• ... and win something ;-)

• http://www.secure-pass.net/contest2012
