www.roedinfosec.com 02-06-2015 jens roed andersen principal consultant ”sikkerhed i skyen –...
Post on 18-Dec-2015
www.roedinfosec.com 18-04-23
Jens Roed Andersen, Principal Consultant
”Sikkerhed i skyen – Cloud Computing” (”Security in the Cloud – Cloud Computing”), VIDA seminar, 12 May 2011
AGENDA
• Me, myself & I…
• A helicopter view
• The future is now!
• What is Cloud Computing offering?
• Threat Scenario 2011: FUD (Fear, Uncertainty & Doubt)?
• How can we do it securely (or ”you cannot stop a tsunami”)?
• A process, not a product!
• Q&A
Me, Myself & I...
• More than 16 years of experience working with IT
• 8 years as Chief Information Security Officer, Arla Foods amba
• Subject Matter Expert on security related to:
  – Cloud computing, production IT/SCADA, outsourcing and Risk Management
• Member of the Council for IT Security & Privacy, chairman of the Danish IT Association (Aarhus branch)
• International experience from the Information Security Forum, Cloud Security Alliance etc.
The world is changing…
Four forces at work: Regulations and requirements, Evolving Threats, New Technologies and Solutions, Diverse Business Needs. Among the items on the slide:
• Economic Downturn
• Increased Criminal organizations
• Less Investment
• Money-driven professional criminals
• Increased Zero-Days
• Smarter Malware
• Enhanced Rootkits
• Mobile Malware
• Web 2.0 attack vectors
• Targeted Attacks
• Virtualization
• Software as a Service (SaaS)
• Managed Security Services
• Cloud Computing
• Data Retention
• Personally Identifiable Data Protection
• Privacy
• Digital Evidence
• Monitoring
• Delivering IT Services embedded with Managed Services
• Communication to All
• Differentiated Security
• De-perimeterization
• End-user empowerment
• Multi-Sourcing Environment
• M&A, Investments, Divestments, JV
• Forensics
• SCADA attack vectors (Stuxnet)
Are you coming (or will you be staying behind)?
Some well-known facts on the paradigm shift since the 1970s
Mass production → Flexible production
Closed pyramids → Open networks
Stable routines → Continuous improvement
Human Resources → Human Capital
Fixed plans → Flexible strategies
Internationalisation → Globalisation
Three tier markets → Highly segmented markets
A helicopter view on technological development
1771: The Industrial Revolution (machines, factories and canals)
1829: Age of steam, coal, iron and railways
1875: Age of steel and heavy engineering (electrical, chemical, civil, naval)
1908: Age of automobile, oil, petrochemicals and mass production
1971: Age of information technology and telecommunications
20??: Age of biotech, nanotech, bioelectronics (and new materials?)
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
[Chart: degree of diffusion of technological potential over time, from ”Uptake” to ”maturity”; an Installation period (20-30 years) is followed by a Deployment period (20-30 years). ”We are here” marks the current position.]
Each surge is broken into two periods
Installation period (from Big Bang to Collapse):
• ”Creative destruction”
• Battle between paradigms
• Concentration of investment
• Income polarisation
• Led by financial capital
• From irruption to bubble collapse (major technology bubble)
Turning point ??: Recessions – Institutional changes – Role switch
Deployment period (from Collapse to Next Big Bang):
• ”Creative construction”
• Widespread application of the new paradigm for innovation and growth in the economy
• Spreading of social benefits
• Led by production capital
• From ”golden age” to maturity
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
The future is NOW!
• Web 2.0/3.0 and Social Software
• Children of the cloud/Digital natives:
– Mobbability (as opposed to organisation): Organisation and work in large virtual groups
– Influency (as opposed to accountability): Being able to get away with anything!
– Protovation (as opposed to innovation): Specific, iterative and very fast product development
– Open authorship (as opposed to IPR): Open content to outsiders
– High ping quotient: Ready, set, answer…
The drivers of Cloud Computing
• Rising IT costs
• Dependency and complexity still going up
• CAPEX!
• Supply side: economies of scale
• Demand side: constant fluctuations in demand for IT
• The success of the Internet
• From CAPEX to OPEX
Summary: Economies of scale (by a large factor)
What is Cloud Computing really?
• Advantages: Efficiency, Elasticity, Innovation, Security
• Disadvantages: Vendor lock-in, Security
• Infrastructure-as-a-Service (IaaS): Raw processing power!
• Platform-as-a-Service (PaaS): Rent a platform!
• Software-as-a-Service (SaaS): Pre-packaged software solutions delivered in the browser.
What is Cloud Computing really (2)?
Unified Communication & Collaboration (UCC)
Traditional UC – Communication:
• Telephone
• Push e-mail
• Call centre
• Teleconference
• Videoconference
• Voicemail
UCC (where the two overlap):
• e-mail
• UM
• Webconf.
• IM
• Presence
• Directory
Enterprise 2.0 – Collaboration:
• Wikis
• Blog
• Content sharing
• Social software
• Collaboration tools
• Team workspaces
Source: Gartner
The convergence of communication and collaboration
[Chart: Communication and Collaboration plotted against On premise vs. As-a-Service.]
Threat Scenario 2010/11: The drivers (Gartner Group)
Growing Risk, driven by:
• Expectations: Regulators; Stakeholders; Customers, employees & citizens
• Technology / New Delivery Models: Cloud, SaaS, Outsourcing, Remote Access, Consumerization, Wireless Devices, Plug&Play Storage, Web Mashups
• BUDGET
• Criminals: Malware, Cybercrime, Targeted, Bot Using, Data Stealing, Fraud, Corp Espionage, Pro Cybercriminals, Hacktivism/Terror, CaaS
Summer of 2010: Stuxnet arrives…
Very advanced stuff, but nothing new from a technological point of view:
• USB
• 0-day
• Rootkit
• C&C
• Etc…
• A nuisance?
• A showstopper?
• An add-on to projects raising the costs?
What is technology related security, traditionally?
An insurance….!
• Complex
• Regarded as tech stuff
• But includes almost all of a modern company
• Reveals any lack of governance or top management involvement
• Time-consuming (current reporting and threat analysis)
• Many business execs do not find it business-oriented…
But why?
That will have to change!
Why do we need change?
2 MEGA-TRENDS:
1. Dependency
2. Complexity
Conclusion: Security is not a product you can buy, it is a process you will have to master
[Chart: Delivery Model plotted against User Profile. Delivery models: Traditional LAN/WAN, Remote Access, HaaS, IaaS, PaaS, SaaS. User profiles: Fully Compliant, Digital natives. The quadrants are labelled History, Unrealistic, Problematic and The Future?; the goal is a Simpler Security Model. Examples named on the slide: Citrix, Terminal Services etc.; VPN; Amazon WS; MS Azure; Google App Engine; Salesforce.com.]
New rules
• More of the same won’t do the job (no business case)
• The ”audience” is changing
• Perimeter is gradually disappearing
• Platform control (i.e. computer clients) will become more difficult and expensive
• Cybercrime has become big business
• Poor usability = poor security
• Hence the platform must be assumed unsafe
Summary
• The basic rules of Confidentiality, Integrity & Availability are (of course) still the most important case
• It will be too difficult and hence, too expensive to protect the computer clients
• The Digital Natives will not put up with policies, rules and regulations
• Basically we want to protect the data
• Theoretical concept developed in cooperation with the Alexandra institute
• Practical implementation possible
Demand for a simpler approach
Primarily: Protect the data
Secure code on an insecure platform: ”If you love somebody…”
Preconditions:
- Control the exceptions (Asset Management)
- Harden Id-management (Authentication, usability, PW’s etc.)
- Create and rely on a secure encrypted tunnel
Ignore the perimeter!
Slicing the elephant of security!
Phase 1: Analysis
• Assets/Inventory (what)
• State of inventory (how)
• Risks (how much)
Phase 2: State of security
• Business Impact
• Validation & threats
• Risk Appetite
• Prioritisation
Phase 3: Selection & implementation
• Choice (business case)
• Selection of remediation effort
• Implementation
• Iterative process
• Evaluation (business case)
What should I do?
• Realise that CC (Cloud Computing) is coming (like it or not)!
• Create an innovative culture within your IT organisation and design an architecture for the future, not the past
• Strengthen Governance & process-based Risk Management
• Create a policy/contract ”advisory service” for LoB
• Establish Data classification & Asset Management
• Manage the exceptions instead of the rule
• Tighten your controls using Governance, Risk & Control tools and monitor your systems and users continuously
• Bring in the lawyers!