Risks and Challenges

Transcription

1 Cloud and Mobile Security: Risks and Challenges Chong Sau Wei (CISM) associates.net General Manager Managed Security Services SCAN Associates Berhad Seminar e Kerajaan Negeri Pulau Pinang 14 Nov 2013

2 Agenda What is Cloud Computing? Cloud Security Risks and Challenges Mobile Security Risks and Challenges Securing Mobile & Cloud Implementations Conclusion References 2

3 What is Cloud Computing? What the H*LL is the cloud? Are we dead by cloud computing? Is Intel dead? There'd be no microprocessors in the cloud? Is Samsung dead? There'd be no memory in the cloud? Is Cisco dead because there's no networking in the cloud? Are we dead because there's no databases in the cloud, no applications in the cloud, no middleware in the cloud? The answer is no. All a cloud is computers in a network. We come in peace. We re the cloud people. We are the peaceful people. It s the democratization of computing 3

4 What is Cloud Computing? The delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network (Internet) [wikipedia] Cloud an old new concept Parallel, distributed and grid computing have been around for a while: Scientists, governments, international organizations, military Urban planning, weather forecasts, economic modelling, etc. Now, cloud computingisa is commodity Who does not use the cloud nowadays? Ready to go services

5 What is Cloud Computing? 5

6 What is Cloud Computing? 6

7 Models of Cloud Services Software as a Service (SaaS): software CRM, , games, virtual desktops Google Apps, Salesforce CRM, Dropbox Platform as a Service (PaaS): computing or solution platform operating systems, databases, web servers Microsoft s Azure, Google s AppEngine. Infrastructure as a Service (IaaS): computers (physical/virtual), storage, firewalls or networks Amazon EC2, Rackspace Cloud

8 Cloud Services Providers

9 Security: Top Cloud Adoption Concerns Source: Oxford Economics Study: Protecting the Cloud

10 Cloud Security: Shared Responsibility On Premise On Premise (hosted) IaaS PaaS SaaS Application Application Application Application Application Services Services Services Services Services OS OS OS OS OS VM VM VM VM VM Server Server Server Server Server Storage Storage Storage Storage Storage Network Network Network Network Network Organization has Control Organization SharesControl with Vendor Vendor has Control

11 Cloud Security Advantages Shifting public data to a external cloud reduces the exposure of the internal sensitive ii data Cloud homogeneity makes security auditing/testing simpler Clouds enable automated security management Rd Redundancy d / Disaster Recovery 11

12 Cloud Security: Top Threats 2013 Based on survey results of industry experts by the Cloud Security Alliance (CSA) Data Breaches Data Loss Account Hijacking Insecure APIs Denial of Service Malicious Insiders Abuse of Cloud Services Insufficient Due Diligence Shared Technology Issues

13 Cloud Security: Breach Methods Hacking Malware Physical Attacks Social Tactics Priviledge Misuse % of Breaches Source: 2012 Data Breach Investigations Report (Verizon/USSS)

14 Threat Evolution Source: 2012 Data Breach Investigations Report (Verizon/USSS)

15 Hacking Methods Default/guessable credentials Stolen login credentials Brute force/dictionary attacks Exploit backdoor Exploit insufficient authentication SQL Injection Remote file inclusion Abuse of functionality Unknown % of Breaches Source: 2012 Data Breach Investigations Report (Verizon/USSS)

16 Some Interesting Observations 97% Avoidable through simple or intermediate controls 96% Were not highly difficult 94% Of all data compromised involved servers 92% Were discovered by a third party 85% Took weeks or more to discover 79% Were targets of opportunity Source: 2012 Data Breach Investigations Report (Verizon/USSS)

17 Cloud Security Challenges Exposure of data to foreign governments and data subpoenas US PRISM program Trusting vendor s security implementations Customer inability to respond to audit findings Obtaining support for investigations Indirect administrator i t accountability Proprietary implementations can t be examined Loss of physical control 17

18 Mobile Security: Value & Risks The world is mobile and cloudy and will be getting more so Mobile applications i can create tremendous values: New classes of applications utilizing mobile capabilities: GPS, camera, etc Innovating applications for employees and citizens Mobile devices and mobile applications can create tremendous risks as well: Sensitive datainevitably stored onthedevice ( , contacts) Connect to a lot of untrusted networks (carrier, Wi Fi) Most developers are new to creating mobile applications and therefore not trained to develop secure mobile applications

19 Mobile Security: Top Threats Type of Threats Threat Level 1 Data loss from lost, stolen or decommissioned devices High 2 Information stealing mobile malware High 3 Unsecured Wi Fi, network access and rogue access High points 4 Unsecured or rogue app marketplaces High 5 Data loss and data leakage through vulnerable apps Medium 6 Vulnerabilities within devices, OS, design and thirdparty apps Medium 7 Insufficient i management tools, capabilities and access Mdi Medium to APIs 8 NFC and proximity based hacking Low

20 Mobile Security Challenges Explosion of mobile devices Mobile Apps Data Management Ownership How to control over the usage of How to keep track and manage the How to protect the data and the devices? installations? critical information from being leaked out? Who should monitor the use of mobile devices?

21 What needs to be secured Device Data Application User Lock Encryption File Protection Rogue Applications Profiling Wipe Data leakages Visibility on Applications Locate Authentication Management policies Controls over Applications Location of the User

22 Security Threats Landscape Security Threats Human Non Human Natural Disaster Malicious Non malicious Hardware Poorly Design, Backdoor Software Malware, Bugs Fire, Flood etc Outsider Hackers, Script Kiddies, Spy Insider Disgruntled staff

23 Securing Cloud & Mobile Implementations Planning for security Secure infrastructure t Enable compliance monitoring Choose the right cloud Establish organizational Protect data service provider/mobile policies and standards management solutions. 3 4 Identify risks and threats (as discussed) Mitigate the risks and threats

24 1. Security Planning 1 Planning for security Consider the followings during planning stage: 1. What are the business priorities? 2. Which workloads do you want to move to the cloud? 3. How sensitive is the data? 4. What cloud delivery model works best? 5. What about compliance? 6. How will the data flow? 7. How will users access data and applications?

25 2. Establish Policies And Standards 2 Establish organizational policies and standards Policies i and standards d is important as guidance and ensuring compliance Adopt international security standards & guidelines such as ISO27001 (ISMS), and industry best practices Establish a Bring Your Own Device (BYOD) policies for mobile devices

26 4. Mitigate the Risks & Threats 4 Mitigate the risks and threats Examples of security controls: 1. Encrypt data that rests or moves in and out of both clouds. 2. Control access by managing identities and manage API control points at the network edge 3. Establish trusted compute pools to secure datacentre infrastructure and protect clients. 4. Build higher assurance into compliance to streamline auditing and increase visibility into the cloud.

27 5. Implement Data Protection 5 Protect data Safeguard data throughout the Cloud by: Accelerate and strengthen encryption usage pervasive encryption Establish secure connections for transferring encrypted data. Reduce data loss through data loss prevention (DLP) policies and implementations

28 6. Securing Infrastructure 6 Secure infrastructure Protect client, edge, and datacentre systems: Secure the clients to ensure that only authorized users can access the cloud and to guard endpoint devices against rootkit and otherlow level level malware attacks. Protect edge systems at the API level where external software interacts with the cloud environment. Create a secure datacentre infrastructure that establishes trust between servers and between servers and clients.

29 7. Enable Compliance Monitoring 7 Enable compliance monitoring Build higher assurance into compliance: Build a trusted pools of servers, which form the foundation for compliance in both public and private clouds. Ensure the continued trustworthy status of the server pools with routine security assessments. Support audit and security management by making assessment results available to policy management, security information and event manager (SIEM), governance, risk management, and compliance solutions.

30 8. Choosing the Provider/Solution 8 Choose the right cloud service provider/mobile management solutions Make security a key aspect of service provider/solution evaluation criteria: Ensure that data and platform security are built into any offering. Seek evidence of data and platform protections (i.e. compliance) for the services/solutions offered Establish measurable, enforceable service level agreements (SLAs) for verification.

31 Conclusion Understand the security advantages, threats and challenges of cloud and mobile technology adoption Understand the legal ramifications Establish organizational security policies Implement security processes Monitoring i for compliance Train the System Administrators and Software Developers Choose the right strategy and solutions for the business objectives 31

32 Conclusion It should take only 20% of your efforts to secure 80% of your infrastructure t Security is never just about technology (hardware/software) or solution deployment alone, but also involves: policies (compliance), processes (assessment & monitoring), awareness, skills and knowledge (people).

33 Recent High Profile Security Breaches

34 Cloud & Mobile Security Reality Check In the era of cloud and mobile computing, prevention is crucial, and we shouldn t lose sight of that goal BUT we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of df defence. Therefore we should stop treating ti it (detection/response) like a backup plan if things go wrong, and start making it a core part of the plan.

35 Terima Kasih. Questions? SCAN Associates Bhd associates.net The first step toward change is awareness. The second step is acceptance. Nth Nathaniel ilbranden

36 Useful References p// / / / htt // i t i / / t / d t b h breachinvestigations report 2012_en_xg.pdf