Managing Cloud Security Risks in Your Organization

23 November 2013 Seminar Kriptografi dan Keamanan Informasi Sekolah Tinggi Sandi Negara Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI Managing Cloud Security Risks in your organization

Upload: charles-lim

Post on 02-Nov-2014


DESCRIPTION

Any organization in the world needs to prepare itself before it moves to the cloud, i.e. with a cloud security risk assessment. If you accept the move to the cloud, it is all about managing your risks, and understanding the risks and benefits should be an essential part of the thinking of any organization that plans to move to cloud infrastructure.

TRANSCRIPT

Page 1: Managing Cloud Security Risks in Your Organization

23 November 2013

Seminar Kriptografi dan Keamanan Informasi

Sekolah Tinggi Sandi Negara

Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan

Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

Managing Cloud Security Risks in your organization

Page 2: Managing Cloud Security Risks in Your Organization

Master of Information Technology

About me

Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

Researcher – Information Security Research Group and Lecturer

Swiss German University

Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id

http://people.sgu.ac.id/charleslim

I am currently a doctoral student at the University of Indonesia

Research Interest
• Malware
• Intrusion Detection
• Vulnerability Analysis
• Digital Forensics
• Cloud Security

Community
• Indonesia Honeynet Project - Chapter Lead
• Academy CSIRT - member

Page 3: Managing Cloud Security Risks in Your Organization

AGENDA

• Cloud Computing
• Cloud Security
• Cloud Risks
• CSA – Cloud Security Alliance
• Case Study – SSH decrypted
• Safe Cloud – is it possible?
• Related Works
• Conclusion
• References

Page 4: Managing Cloud Security Risks in Your Organization

Cloud Computing – NIST Definition

NIST defines 5 essential characteristics, 3 service models, and 4 cloud deployment models.

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Page 5: Managing Cloud Security Risks in Your Organization

Service Models

IaaS = Infrastructure as a Service

PaaS = Platform as a Service

SaaS = Software as a Service

XaaS = Anything as a Service (not included in NIST)

Page 6: Managing Cloud Security Risks in Your Organization

Cloud Taxonomy

Page 7: Managing Cloud Security Risks in Your Organization

Where are the risks?

Page 8: Managing Cloud Security Risks in Your Organization

Cloud Computing Consideration

Page 9: Managing Cloud Security Risks in Your Organization

Challenges and benefits

Page 10: Managing Cloud Security Risks in Your Organization

The Hybrid enterprise

[Diagram labels: public clouds; private clouds; cloud of users; Extended Virtual Data Center; notional organizational boundary]

• Dispersal of applications
• Dispersal of data
• Dispersal of users
• Dispersal of endpoint devices

Page 11: Managing Cloud Security Risks in Your Organization

Good Practice is the key

• Compliance + Audit: Good Governance, Risk and Compliance
• Certification + Standards: Industry recognized certification
• Secured Infrastructure: Secured and tested technologies
• Data Security: Data Security Lifecycle

Page 12: Managing Cloud Security Risks in Your Organization

Cloud Computing – Top Threats/Risks

Page 13: Managing Cloud Security Risks in Your Organization

Shared Technologies Vulnerabilities

Page 14: Managing Cloud Security Risks in Your Organization

Data Loss / Leakage

Page 15: Managing Cloud Security Risks in Your Organization

Malicious Insiders

Page 16: Managing Cloud Security Risks in Your Organization

Interception or Hijacking of traffic

Page 17: Managing Cloud Security Risks in Your Organization

Insecure APIs

Page 18: Managing Cloud Security Risks in Your Organization

Nefarious use of service

Page 19: Managing Cloud Security Risks in Your Organization

Unknown Risk Profiles

Page 20: Managing Cloud Security Risks in Your Organization

CSA – Cloud Security Framework

Cloud Architecture

Governing the Cloud
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Page 21: Managing Cloud Security Risks in Your Organization

Governing in the Cloud

1. Governance & Risk Mgt

2. Legal and Electronic Discovery

3. Compliance & Audit

4. Information Lifecycle Mgt

5. Portability & Interoperability

Operating in the Cloud

1. Security, Business Continuity and Disaster Recovery

2. Data Center Operations

3. Incident Response

4. Application Security

5. Encryption & Key Mgt

6. Identity & Access Mgt

7. Virtualization

Understand Cloud Architecture

CSA – Cloud Security Framework Domain

Page 22: Managing Cloud Security Risks in Your Organization

How Security Gets Integrated

• Domain 2 Governance and Enterprise Risk Management
• Domain 3 Legal and Electronic Discovery
• Domain 4 Compliance and Audit
• Domain 5 Information Lifecycle Management
• Domain 6 Portability and Interoperability
• Domain 7 Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8 Data Center Operations
• Domain 9 Incident Response, Notification, and Remediation
• Domain 10 Application Security
• Domain 11 Encryption and Key Management
• Domain 12 Identity and Access Management
• Domain 13 Virtualization

Page 23: Managing Cloud Security Risks in Your Organization

CSA – Cloud Assessment Framework

Page 24: Managing Cloud Security Risks in Your Organization

• Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture

• Know provider’s third parties, BCM/DR, financial viability, employee vetting

• Identify data location when possible

• Plan for provider termination & return of assets

• Preserve right to audit where possible

• Reinvest provider cost savings into due diligence

Sample Assessment Governance

Page 25: Managing Cloud Security Risks in Your Organization

• Encrypt data when possible, segregate key mgt from cloud provider

• Adapt secure software development lifecycle

• Understand provider’s patching, provisioning, protection

• Logging, data exfiltration, granular customer segregation

• Hardened VM images

• Assess provider IdM integration, e.g. SAML, OpenID

Sample Assessment Operation

Page 26: Managing Cloud Security Risks in Your Organization

Controls derived from guidance

Rated as applicable to S-P-I

Customer vs Provider role

Mapped to ISO 27001, COBIT, PCI, HIPAA

Help bridge the “cloud gap” for IT & IT auditors

Cloud Control Matrix Tool

Page 27: Managing Cloud Security Risks in Your Organization

Market Perception toward cloud

Security issues of cloud

Bandwidth Availability (Local providers win)

Government support on Cloud

Sources: Frost & Sullivan Analysis 2010

Cloud Adoption - Challenges

Page 28: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Based on Brian Hay and Kara Nance paper

Key Motivation:
• Malware encrypted communication with C&C
• Law enforcement capability to monitor deployed cloud and enterprise VM

Novelty:
• Visibility into cryptographically protected data and communication channels
• No modifications to VM

Page 29: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Approach:
• Identification (processes of crypto lib and calls made to the lib)
• Recovery (input to & output to – crypto functions)
• Identification (crypto keys)
• Recovery (crypto keys above)
• Recovery of plaintext (using recovered keys)

How to: Minimum described in the paper

Keywords: Xen platform, libvirt, sebek techniques

Page 30: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Sebek Installation & Operation
• http://www.honeynet.org/project/sebek
• http://www.sans.org/reading-room/whitepapers/detection/turning-tables-loadable-kernel-module-rootkits-deployed-honeypot-environment-996
• http://vimeo.com/11912850

Limitation
• Sebek modules can be detected with rootkit detection tools

Page 31: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Page 32: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Page 33: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Page 34: Managing Cloud Security Risks in Your Organization

Case Study – SSH decrypted (VM)

Page 35: Managing Cloud Security Risks in Your Organization

Safe Cloud – is it possible?

Big Question: Is it possible to have a safe cloud? (https://www.safeswisscloud.ch)

Page 36: Managing Cloud Security Risks in Your Organization

New Development – Cloud Crypto

https://itunes.apple.com/us/app/cloudcapsule/id673662021

Page 37: Managing Cloud Security Risks in Your Organization

Related Works

Lim et al., "Risk Analysis and comparative study of Different Cloud Computing Providers In Indonesia," ICCCSN 2012

Amanatullah et al., "Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective," ICISS 2013

Page 38: Managing Cloud Security Risks in Your Organization

Other Security-related Publications

Related Works

Lim et al., "Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia," Advanced Science Letters, 2014

Suryajaya et al., "PRODML Performance Evaluation as SOT Data Exchange Standard," IC3INA 2013

Page 39: Managing Cloud Security Risks in Your Organization

Conclusion

• There is no 100% security
• It is all about managing risks
• It all depends on a single, exploitable vulnerability (the weakest link)
• Cloud's greatest risk is still the insiders
• CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance
• Uncovering crypto keys in the cloud is possible; important to malware research

Page 40: Managing Cloud Security Risks in Your Organization

References

ENISA – Cloud computing risk assessment (http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment)

Cloud Security Alliance (https://cloudsecurityalliance.org/)

Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012.

Page 41: Managing Cloud Security Risks in Your Organization

Thank You

Page 42: Managing Cloud Security Risks in Your Organization

Questions
