Enterprise Global Security in an era of Hybrid Cloud and Smart Mobile

Transcription

1 Enterprise Global Security in an era of Hybrid Cloud and Smart Mobile M. Asif Riaz, CISM, CISSP, CEH

2 Agenda Users are demanding access to applications and services from wherever they are, whenever they like, necessitating that organisations facilitate that access in a secure and efficient manner Users to connect via mobile devices from wherever they are, Centralised in-house provisioning and control over on-premise applications is broken. What is needed is one central point of access control and user authentication that provides efficient, one-stop access to the resources that a user needs and also ensures that no sensitive or confidential information is accessed inappropriately.

3 CIOs Objective remains To enable the enterprise to manage computing based on the financial, cultural or operational goals of the enterprise. To turn enterprise computing into a fungible, ubiquitous commodity To understanding the current environment and the relationship between cloud computing, big data smart devices and enterprise goals To avoid pressure points, reduce risk, and optimize resources.

4 Mobile Devices Cloud Big data

5 Deployment Models of Cloud Computing Private Operated solely for an organization May be managed by the organization or a third party May exist on-premise or off-premise Community Shared by several organizations Supports a specific community that has shared mission or interest. May be managed by the organizations or a third party May reside on-premise or off-premise Public Made available to the general public or a large industry group Owned by an organization selling cloud services Hybrid A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

6 Risks and Concerns Reputation, history and sustainability should all be factors to consider. Information handling and classification. Where information actually resides. When information retrieval is required, this may create delays. Third-party access to sensitive information Encrypted and signed data not protected at the time of processing. Secure Multiparty Computation and Homomorphic Encryption Legal advice to ensure that the contract specifies the liabilities for ramifications arising from potential issues. Information may not be immediately located in the event of a disaster. BCP / DRP well documented and tested. Role of provider in terms of backups, incident response and recovery. Recovery time objectives should be stated in the contract.

7 Security Solutions for Cloud Security Mechanisms SaaS PaaS IaaS Identity and Access Management DLP Web Security Security Security Assessment Intrusion Management SIEM Encryption BCP, DRP Network Security

8 Pitfalls and Solutions of BYOD Exposed Data Passwords in the Wild Declining Productivity Compatibility Bandwidth Overuse Device Management Wireless bottlenecks Autonomy overuse Virus infections

9 Important Considerations Balance between user preferences, organizational needs and information security requirements. Clearly defined platform support Stolen, misplaced and disposed devices Mind the transport Implicit authentication Always on and always online Choose applications wisely Determine tolerance for keeping data in the cloud Ensure service opt out Read the fine print SLAs, data ownership, 3 rd party access, withdrawal, backup/restore etc.

10 Impact on Data Center Moving from file repository to provide VDI-based desktops Servers to support Application Virtualisation Firewalling internal servers from hostile devices Common remote access needs to / from heterogeneous platforms Shift from support burden to application-driven focus. Loose control on hardware and software stack

11 Connectivity

12 Categorising the Devices

13 Risk Rating

14 No silver bullet to security Identity and access control systems break down as workers access applications outside enterprise identity management systems. With shadow IT, data that the enterprise would rather see protected is more likely to end up on systems that aren't as secure as they need to be, and visibility is lost into where highly confidential or regulated information is flowing. This obviously increases the chances of a data breach and regulatory fines. It also makes it difficult for the enterprises to optimize the value they're getting from their IT investments.

15 No silver bullet to security how to secure on-premise data center resources how to secure applications that burst to the public cloud how to secure data stored with multiple cloud service providers how to protect the virtualized underpinnings of your public and private clouds finally how to secure mobile devices that connect to your cloud infrastructure Advanced planning and prepare staffs for a bit of technological tweaking of its security policy and gear before the hybrid cloud goes live

16 No silver bullet to security How to set the right level of security on a application-specific, a process-specific or even a data-specific basis Don't lock your policy to your cloud provider have they guarded against having one of their guys being bribed by your competitor to pull down all of your sales data Ask for the proof of 2FA for all server management purposes Encryption and key management

17 Attack Landscape Web-based and network-based attacks Access to surfing history, logins, credit card numbers, passwords, etc., and may even be able to access other parts of the device (such as its calendar, the contact database, etc.). Malware iphoneos.ikee worm, Android.Pjapps threat, which enrolled infected Android devices in a hackercontrolled botnet. Social Engineering Social engineering attacks, such as phishing, Entice a user to install malware on a mobile device.

18 Attack Landscape cont Resource Abuse Spam s from compromised devices and Compromised devices to launch DoS perhaps on the mobile carrier s voice or data network. Data Loss Unintentional or malicious in nature. Office related data getting synced and backed-up on home PC Device stolen or lost.built-in memory cards mis-placed Data Integrity Threats Corrupt or modify data without permission Encrypt the user s data until the user pays a ransom fee Malicious code wipes the data or renders it non-useable, mis-leading

19 Security Principles or Models Traditional Access Control: Pass words and Idle-time screen locking. Application Provenance: Digitally Signed Apps Publisher analyzing the application for security risks before publication, Encryption: To address device loss or theft. Isolation: Limiting an application s ability to access the data / device Permissions-based access control: Allowing access within defined scope blocking the attempts to perform actions that exceed these permissions.

20 Risks or Threats Data leakage: a stolen or lost phone with unprotected memory Improper decommissioning: Improper disposal or transfer to another user Unintentional data disclosure: users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this. Phishing: collects user credentials using fake apps or (sms, ) messages Spyware: It does not include targeted surveillance software. Network spoofing attacks: rogue network access point and users connect to it

21 Risks or Threats cont Surveillance: spying on an individual with a targeted user s smartphone. Diallerware: makes hidden use of premium sms services or numbers. Financial malware: specifically designed for credit card numbers, online banking credentials or subverting online banking or ecommerce transactions. Network congestion: resource overload, network unavailability, DoS

22 Controls or counter-measures Sandboxing and capabilities: Controlled software distribution: Remote application removal: Backup and recovery: Extra authentication options: Extra encryption options: 3 rd party Apps offering encryption for voice calls, on top of the standard encryption provided by mobile network operators. Diversity: in terms of hardware and software, which makes it more difficult to attack a large group of users with one virus.

23 Enterprise Security Initiatives Understand the mobile devices in use by the enterprise, the data passing through these devices and the relative risk to the organization. Obtain a list of mobile devices in use. Security policy exists for mobile devices or not. Defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification. Lists the types of permitted mobile devices List of approved applications by device based on data classification and data loss risk. Defines the authentication method for each mobile device based on the data classification policy. Whether enterprise-issued devices if the device receives enterprise data.

24 Enterprise Security Initiatives Centrally managed asset management system for appropriate devices. Prescribes authentication and encryption storage/transmission (data in transit or at rest) requirements. Risk assessment before a device or cloud service is approved for use and A risk assessment update at least annually to determine that new threats are assessed and new technologies considered for deployment.

25 Enterprise Security Initiatives Risk Assessment Provisioning / De-provisioning of devices and cloud service / provider Access Control Encryption Data Transfer Data Retention Malware Secure Connection Awareness Programs for C-level executives

26 Enterprise Security Initiatives Determine if devices are approved by an authorized manager based on the job function requirements. List of personal devices permitted through the exception policy. Determine if the appropriate justification for the exception and approval is documented. Determine if foreign mobile devices belonging to external personnel (contractors, individual employees, etc.) are permitted to receive enterprise data. Determine what authorizations are required by enterprise management prior to adding the foreign device to the enterprise mobile network. Obtain a list of foreign devices, and for a sample, trace the device to the authorization documents. Determine if there is a process for provisioning and deprovisioning employee smartphones upon hiring, transfer or termination.

27 Enterprise Security Initiatives Obtain a list of recent hires, transfers and terminations. Select a sample from this list, and determine that appropriate procedures were followed, including provisioning, deprovisioning, returning devices, etc. Access Control Determine the access control rules for each mobile device type. Determine if access control rules and access rights are established for each device by job function and applications installed. Determine if mobile devices containing network, infrared or Bluetooth technology have sharing configured according to policy, based on the classification of data stored or in transit to the device. Determine if access can be administered and disabled centrally.

28 Enterprise Security Initiatives Determine if mobile devices having storage, i.e. computers, smartphones, etc., have restrictions as to the applications that can be installed and the data content that can be stored on the devices. Determine if centrally controlled processes restrict data synchronization to mobile devices. Determine if mobile devices require disabling of USB, infrared, esata or firewire ports according to the data classification policy. Encryption Identify encryption technology has been applied to the devices based on the data classification of data at rest or in transit to and from the mobile device. If encryption is required, determine that it is appropriate for the device and data sensitivity and that it cannot be disabled. Determine if the encryption keys are secured and administered centrally.

29 Enterprise Security Initiatives Data Transfer Which data is permitted to be transferred to mobile devices by device type and the required access controls to protect the data. Monitoring procedures in effect to assure only authorized data may be transferred and if the required access controls are in effect. Data Retention Whether Data retention policy exists for applicable mobile devices. Data is destroyed according to policy once the retention period has expired. Retention processes are monitored and enforced.

30 Enterprise Security Initiatives Malware As appropriate, mobile devices are equipped with malware technology. Cannot be disabled, Definition files are updated regularly, Disc drives are routinely scanned, and Compliance with malware detection is centrally monitored and managed. Secure Connection Secure connections required for specific mobile devices based on the data classification policy and the data stored or transmitted to and from the mobile device. Determine if controls are in place to require use of the secure transmission.

31 Enterprise Security Initiatives Mobile Device Awareness Existence of mobile security awareness training programs. Topics within the awareness training are customized for the risks and policies associated with the specific device and its security components. Training programs revised to reflect current technologies and enterprise policies. Awareness training before receiving the device. Participation in training is documented, monitored and reviewed. Select a sample of mobile device assignments, and determine if the mobile device user has received appropriate initial and follow-up training.

32 Presenter: M. Asif Riaz Senior Manager