www.roedinfosec.com

JENS ROED ANDERSEN, Principal Consultant

"Security in the Cloud – Cloud Computing" (Danish original title: "Sikkerhed i skyen – Cloud Computing")

VIDA seminar, 12 May 2011


AGENDA

• Me, myself & I…
• A helicopter view
• The future is now!
• What is Cloud Computing offering?
• Threat Scenario 2011: FUD (Fear, Uncertainty & Doubt)?
• How can we do it securely (or "you cannot stop a tsunami")?
• A process, not a product!
• Q&A

Me, Myself & I...

• More than 16 years experience from working with IT
• 8 years as Chief Information Security Officer, Arla Foods amba
• Subject Matter Expert on security related to:
  – Cloud computing, production IT/SCADA, outsourcing and Risk Management
• Member of the council for IT Security & Privacy, chairman for Danish IT Association (Aarhus branch)
• International experience from Information Security Forum, Cloud Security Alliance etc.

The world is changing…

• Regulations, requirements
• Evolving Threats
• New Technologies and Solutions
• Diverse Business Needs
• Economic Downturn
• Increased Criminal organizations
• Less Investment
• Money-driven professional criminals
• Increased Zero-Days
• Smarter Malware
• Enhanced Rootkits
• Mobile Malware
• Web 2.0 attack vectors
• Targeted Attacks
• Virtualization
• Software as a Service (SaaS)
• Managed Security Services
• Cloud Computing
• Data Retention
• Personally Identifiable Data Protection
• Privacy
• Digital Evidence
• Monitoring
• Delivering IT Services embedded with Managed Services
• Communication to All
• Differentiated Security
• De-perimeterization
• End-user empowerment
• Multi-Sourcing Environment
• M&A, Investments, Divestments, JV
• Forensics
• SCADA attack vectors (Stuxnet)

Are you coming (or will you be staying behind)?

Food for thought…

Source: Ericsson

Some well-known facts on the paradigm shift since the 1970s

• Mass production → Flexible production
• Closed pyramids → Open networks
• Stable routines → Continuous improvement
• Human Resources → Human Capital
• Fixed plans → Flexible strategies
• Internationalisation → Globalisation
• Three tier markets → Highly segmented markets

A helicopter view on technological development

[Figure: successive technological surges plotted against Time (x-axis) and Degree of diffusion of technological potential (y-axis). Each surge rises from "Uptake" to "maturity" through an Installation period (20-30 years) followed by a Deployment period (20-30 years). A marker reads "We are here". Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex.]

• 1771: The Industrial Revolution (machines, factories and canals)
• 1829: Age of steam, coal, iron and railways
• 1875: Age of steel and heavy engineering (electrical, chemical, civil, naval)
• 1908: Age of automobile, oil, petrochemicals and mass production
• 1971: Age of information technology and telecommunications
• 20??: Age of biotech, nanotech, bioelectronics (and new materials?)

Each surge is broken into two periods

[Figure: one surge running from Big Bang, through a Major technology bubble and its Collapse, to the Next Big Bang. The boundary between the two periods is marked "Turning point ??" and labelled "Recessions – Institutional changes – Role switch". Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex.]

Installation period:
• "Creative destruction"
• Battle between paradigms
• Concentration of investment
• Income polarisation
• Led by financial capital
• From irruption to bubble collapse

Deployment period:
• "Creative construction"
• Widespread application of the new paradigm for innovation and growth in the economy
• Spreading of social benefits
• Led by production capital
• From "golden age" to maturity

The future is NOW!

• Web 2.0/3.0 and Social Software
• Children of the cloud/Digital natives:
  – Mobbability (as opposed to organisation): Organisation and work in large virtual groups
  – Influency (as opposed to accountability): Being able to get away with anything!
  – Protovation (as opposed to innovation): Specific, iterative and very fast product development
  – Open authorship (as opposed to IPR): Open content to outsiders
  – High ping quotient: Ready, set, answer…

What is Cloud Computing really offering?

• Economies of scale in innovation!

The drivers of Cloud Computing

• Rising IT costs
• Dependency and complexity still going up
• CAPEX!
• Supply side: economies of scale
• Demand side: constant fluctuations in demand for IT
• The success of the Internet
• From CAPEX to OPEX

Summary: Economies of scale (at a large factor)

What is Cloud Computing really?

• Advantages:
  – Efficiency
  – Elasticity
  – Innovation
  – Security
• Disadvantages:
  – Vendor lock-in
  – Security
• Infrastructure-as-a-Service (IaaS): Raw processing power!
• Platform-as-a-Service (PaaS): Rent a platform!
• Software-as-a-Service (SaaS): Pre-packaged software solutions delivered in the browser.

What is Cloud Computing really (2)?

LARGE COMPANIES ACTING AS SMALL…

…AND SMALL COMPANIES ACTING AS LARGE

Unified Communication & Collaboration

Communication (Traditional UC):
• Telephone
• Push e-mail
• Call centre
• Teleconference
• Videoconference
• Voicemail

Collaboration (Enterprise 2.0):
• Wikis
• Blog
• Content sharing
• Social software
• Collaboration tools
• Team workspaces

UCC (where the two meet):
• e-mail
• UM
• Webconf.
• IM
• Presence
• Directory

Source: Gartner

The convergence of communication and collaboration

[Figure: Communication and Collaboration converging, plotted from "On premise" to "As-a-Service".]

THE THREAT SCENARIO

And then not…

AND NOW TO SOMETHING COMPLETELY DIFFERENT

Threat Scenario 2010/11: The drivers (Gartner Group)

Growing Risk

Expectations:
• Regulators
• Stakeholders
• Customers, employees & citizens

Technology:
• New Delivery Models: Cloud, SaaS, Outsourcing, Remote Access
• Consumerization: Wireless Devices, Plug&Play Storage, Web Mashups, SaaS

BUDGET

Criminals:
• Malware
• Cybercrime
• Targeted bot using
• Data stealing
• Fraud
• Corporate espionage
• Professional cybercriminals
• Hacktivism/Terror
• CaaS

Summer of 2010: Stuxnet arrives…

Very advanced stuff, but nothing new from a technological point of view:
• USB
• 0-day
• Rootkit
• C&C
• Etc…

• A nuisance?
• A showstopper?
• An add-on to projects raising the costs?

What is technology related security, traditionally?

An insurance…!

• Complex
• Regarded as tech stuff
• But includes almost all of a modern company
• Reveals any lack of governance or top management involvement
• Time-consuming (current reporting and threat analysis)
• Many business execs do not find it business-oriented…

But why?

That will have to change!

2 MEGA-TRENDS:

1. Dependency
2. Complexity

Why do we need change?

Conclusion: Security is not a product you can buy, it is a process you will have to master

The Future?

[Figure: a matrix of Delivery Model (Traditional LAN/WAN, Remote Access, HaaS, SaaS, PaaS, IaaS) against User Profile (Fully Compliant, Digital natives). The quadrants are labelled "History", "Unrealistic", "Problematic" and "The Future?", and a further label reads "Simpler Security Model". Examples named on the slide: Salesforce.com, Google App Engine, Citrix/Terminal Services, VPN, Amazon WS, MS Azure.]

New rules

• More of the same won't do the job (no business case)
• The "audience" is changing
• Perimeter is gradually disappearing
• Platform control (i.e. computer clients) will become more difficult and expensive
• Cybercrime has become big business
• Poor usability = poor security
• Hence the platform must be assumed unsafe

Summary

• Basic rules of Confidentiality, Integrity & Availability are (of course) still the most important thing
• It will be too difficult and hence, too expensive to protect the computer clients
• The Digital Natives will not put up with policies, rules and regulations
• Basically we want to protect the data
• Theoretical concept developed in cooperation with the Alexandra Institute
• Practical implementation possible

Demand for a simpler approach

Primarily: Protect the data

Secure code on an unsecure platform: "If you love somebody…"

Preconditions:
– Control the exceptions (Asset Management)
– Harden Id-management (Authentication, usability, PWs etc.)
– Create and rely on a secure encrypted tunnel

Ignore the perimeter!

Slicing the elephant of security!

Phase 1: Analysis
• Assets/Inventory (what)
• State of inventory (how)
• Risks (how much)

Phase 2: State of security
• Business Impact
• Validation & threats
• Risk Appetite
• Prioritisation

Phase 3: Selection & implementation
• Choice (business case)
• Selection of remediation effort
• Implementation
• Iterative process
• Evaluation (business case)

What should I do?

• Realise that CC is coming (like it or not)!
• Create an innovative culture within your IT organisation and design an architecture for the future, not the past
• Strengthen Governance & process-based Risk Management
• Create a policy/contract "advisory service" for LoB
• Establish Data classification & Asset Management
• Manage the exceptions instead of the rule
• Tighten your controls using Governance, Risk & Control tools and monitor your systems and users continuously
• Bring in the lawyers!

Learnings?

"What brought us here, will not get us there…"

Carl-Henric Svanberg, ex-CEO, Ericsson

?