ITRC Forum 2014 萬 雲 皆 有 險 : 雲 計 算 的 安 全 怎 影 響 你 的 管 理 概 念

Transcription

1 ITRC Forum 2014 萬 雲 皆 有 險 : 雲 計 算 的 安 全 怎 影 響 你 的 管 理 概 念 How Cloud Computing Can Rain on Your IT Management Strategy By Roger Lee Presentation for ITRC Forum Dec 2014 (Thu)

2 Agenda Response to recent Anonymous Operation Hong Kong Challenges with Securing Clouds Traditional Defense and management model fails Cloud Security Defense in Depth What should you do? 4 Key Ways of Management Concepts to Reduce Risk Some Specific Technologies Recommendations to be more secure and efficient management

3 Response to recent Anonymous Operation Hong Kong

4 Anonymous Operation Hong Kong

5 Recent Anonymous Operation Hong Kong DDoS Targeting mostly Government and Political parties. Most attacks do not last more than a few hours. Impacted website are brought offline and some of those (.gov.hk sites) have shown successful mitigation. 5

6 Recent Anonymous Operation Hong Kong Defacement (DNS hijack / admin leakage) Websites got DNS hijacked, or leaked DNS admin account, redirect to youtube link with Anonymous message All were under admin of ONE Hosting provider: 6

7 Recent Anonymous Operation Hong Kong Injection attacks Hackers using known SQL / MySQL injections to insert message to webpages. Admin can easily delete the item, patch it 7

8 Challenges with Securing Clouds 8

9 Challenges with Securing Clouds Elastic Multi-Tenant Application-Centric Elsewhere Leased 9

10 Traditional Defense and management model fails 10

11

12 Fundamental Risk Differences Differences Between Traditional IT and Cloud Computing Risk Ownership When computing assets are owned by your organization, you own the risk When computing assets are purchased as-a-service, uncertain Control Vs Governance Traditional IT: directly manages IT controls around risk tolerance (Control over network, system, and application configuration) Cloud Computing: indirectly manages risk through governance (governance based on transparency, exposed controls, stacked defenses )

13 Fundamental Risk Differences Differences Between Traditional IT and Cloud Computing Perimeter-based Vs Application-based Traditional: network-based defenses Cloud Computing: Application designed with security Controls are rarely customer-exposed laas vendor controls network configuration, security PaaS vendor controls network and server configuration, security SaaS vendor controls all aspects of security including the application

14 Cloud Security Defense in Depth

15 Cloud Security Defense in Depth

16 What should you do? 4 Key Ways of Management Concepts to Reduce Risk

17 4 Key Ways of Management Concepts 1. Architect for the cloud 2. Robust Identity, Access Management 3. Confirm Legal, Compliance obligations, Due diligence ( 應 有 的 注 意, 盡 職 調 查 ) 4. Clear Responsibility

18 (1) Architect for the Cloud New Compute Paradigms From Server to Service Running on top of software virtualization New Applications or services Defense not dependent on the perimeter Self-defending applications and services Rethinking authorization & authentication Resiliency across cloud(s) and traditional environments

19 (1) Architect for the Cloud Existing Applications or Services Does the Security model of the application fit cloud? Considerations for legacy applications or services Security Management of Security through Security Groups Traffic shaping, IPS, monitoring devices must move to virtual platforms Host-based IPS on each VM

20 (1) Architect for the Cloud Security Build Security In Applications Inter-application/service communication Self-defending applications and services Rethinking authorization & authentication Resiliency across cloud and traditional environments

21 (1) Architect for the Cloud Risk Revolves Around Data Data Fundamentals Strong Data Classification practice Data Custodian Data at rest Store only what is necessary, for as little time as possible Encryption Data in use Be usable by intended application or services Data in transit Encrypted in transit

22 (2) Robust Identity, Access Management Cloud Identity Management Federation of identity Governance and monitoring System/Service-level authentication Certainty in machine-machine transactions at scale Management of digital certificates, stores in the cloud Administration of Systems Understanding oversight of privileged administrators and the controls over their access Vetting the people who operates your cloud(s) Understanding hiring process

23 (3) Confirm Legal, Compliance Obligations, Due Diligence Data Sovereignty Must meet laws governing location of citizen s data Can your data be seized without notice? Cloud is borderless, law is not Privacy, security law and regulations vary by region which to comply with? If your data is in a foreign nation, what rights do you have? If your data is international, how is evidence, prosecution handled? Legal liability for security risk-related issues Who is liable in a cloud breach? laas

24 (3) Confirm Legal, Compliance Obligations, Due Diligence Compliance mechanisms Compliant clouds what assurance mechanisms do you have Is auditability allowed, or allowances made for testing Does CSP keep up with latest regulations Vendor due diligence to consider Vendor Security Posture, willingness to share details with customer Open platform (OpenStack) which won t lock you in Security by default, or as add-on Vendor Strategy for handling incidents, outages

25 (4) Clear Responsibility Customer, CSP, or both? How much transparency/intelligence does CSP provide? Do you have visibility into your cloud environment (at least in logging level)? Does CSP monitor intra-cloud, and extra-cloud activity for security issues? Tenant-tenant hacking/intrusions Tenant-Internet hacking, mis-use, intrusions Incidents in the cloud In an incident, who is responsible for Notifications Incident-response Investigations Does CSP have response capability? In the case of DDoS or other flood Are there stops on metering and billing? Is there any proof of capability?

26 Some Specific Technologies Recommendations to be more secure and efficient management

27 Cloud Based Attack Mitigation Low & slow attacks Network flood attacks SSL based attacks Application level attacks Known vulnerabilities Egress traffic attacks ISP ERT with the customer decide to divert the traffic Volumetric On-premises DDoS AMS attack that mitigates blocks the Internet attack pipe Clean traffic DefensePros ERT monitors and controls both cloud and onpremises devices DefensePro AppWall Protected Online Services Defense Messaging Includes traffic baselines Pipe Saturation Alert includes essential information for attack mitigation DefensePipe Scrubbing Center Protected organization Slide 27

28 Content-Aware DLP Solutions Fingerprint: Database Record or Document Detection: Extract Algorithmic Conversion One-way Mathematical Representation 0xB6751 0xB61C1 0x37CB2 0x5BD41 0x190C1 0x x590A9 0xA0001 Fingerprint Storage & Indexing PreciseID Fingerprint Repository 0x59A06 0x66A1A 0x1678A 0x461BD 0x6678A 0x4D181 0xB678A 0x9678A 0xB6751 0xB61C1 0x37CB2 0x5BD41 0x190C1 0x x590A9 0xA0001 Extract x5BD41 0x190C1 0x93005 Real-Time Fingerprint Comparison Outbound Content ( , Web, FTP, Print, etc.) Algorithmic Conversion One-way Mathematical Representation Fingerprint Creation 28

29 Thank You!