Some thoughts about cloud computing risks
Andris Soroka
28th of January, 2015, Riga, Latvia
Role of DSS in Cyber-security Development in the Baltics
- Cyber-security awareness raising
- Technology and knowledge transfer
- Cyber security portfolio
- Only trusted advisor to its customers
- Game changer
DSS ITSEC 2014
Today's realities in the world
Escalating attacks:
- Designer malware
- Spear phishing
- Persistence
- Backdoors
- Increasingly sophisticated attack methods
- Disappearing perimeters
- Accelerating security breaches
Increasing complexity:
- Constantly changing infrastructure
- Too many products from multiple vendors; costly to configure and manage
- Inadequate and ineffective tools
Resource constraints:
- Struggling security teams
- Too much data with limited manpower and skills to manage it all
- Managing and monitoring increasing compliance demands
In 2014 to date, roughly 1 in 7 people on the entire planet have been impacted by a data leak. Business has to worry...
Some key facts, statistics globally
- 70% of security executives have cloud and mobile concerns (2013 IBM CISO Survey)
- 614% mobile malware growth in just one year, 2012-2013 (Juniper Mobile Threat Report)
- 85 security tools from 45 vendors (IBM client example): traditional security practices are unsustainable
- 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
Cyber security in the Baltic States: challenges of «C» level executives (business, IT etc.)
- Political (external and internal)
- Technological (risks, threats, fraud, attacks, leaks)
- Economic (budget reality, competition, costs)
- Legal (compliance, regulations etc.)
- Professional (HR, information quantity)
- Psychological (traditions / knowledge / trust)
Shift to Cloud security: good or bad?
Shift to Cloud security
Cloud primarily has the same ITSEC areas
IT Security controls - «to do» list
Business part:
- Business process analysis from a tech perspective
- Assessment and management of cyber security risks
Related technological part:
- Inventory of devices and software
- Secure configuration of everything (end-users, devices)
- Vulnerability assessment and management
- Malware defenses, application security, pen tests
- Wifi security
- Mobile security
- Data security
- Continuous skills training and learning
- Access control and visibility
- Audit, monitoring, analysis, incident response and more
But now everything is connected to the cloud
Shift to Cloud security: concerns...
- Psychology factor. Trust: we don't want to give our data away. Latvia is small...
- Level of maturity of cloud computing. Any new technology needs time to prove itself. Who wants to be a «testing sheep» and risk... and... (50/50)
- Cyber-criminals. Clouds are at risk because cybercriminals choose the best ROI: they attack «watering holes» and... clouds
- Legislation, responsibility, control. International cooperation at a worldwide level is still a huge challenge, but how otherwise can you catch the bad guys and solve problems...
Cloud of course has challenges... ENISA's recent research «Cloud Computing Risk Assessment» describes at least 25 big, known major cloud computing risks and issues...
Shift to Cloud security: the Good
Economy of scale from a security perspective...
- More security for the same money
- Better security experts for the same money
- Reduced costs of IT
- Near instant provisioning
- Service on demand
- Availability from any location
- Redundancy
- No down-time, 24x7x365
- And so on...
Shift to Cloud security: the Risk perspective
- Insiders!!!
- Data risks: location, transit
- Loss of control & governance
- Limited data available from the cloud service provider (logs, location of data, responsibilities, 3rd parties...)
- External penetration tests not allowed
- Usually no forensics tools are available
- Outsourcing is not known or visible
- Audit not allowed, sometimes important to meet compliance criteria
- Lack of compliance with international regulations (EU data protection regulation, ENISA cloud certification, intellectual property rights etc.)
- 3rd party solutions (f.i. encryption software)
- Overbooking or isolation (DDoS attacks, not necessarily aimed at you)
- Lock-in! It is sometimes not so easy to change cloud provider
Some final slides about risks... Deployment Model Risk Profile
Public -> Community -> Private
Likelihood of data security, privacy, and control breach: Higher -> Lower
Some final slides about risks... Service Model Risk Profile
IaaS -> PaaS -> SaaS
Impact of loss of control & security breach: Higher -> Lower
Some final slides... cont. Cloud Risk Ranking Example
Attribute             | High (5)         | Med (3)        | Low (1)
Deployment Model      | Public           | Community      | Private
Service Model         | IaaS             | PaaS           | SaaS
Data Security level   | Secret           | Restricted     | Unclassified
Physical Hosting Site | Undefined        | Int'l Location | Domestic Location
SOX Critical          | Yes              |                | No
Dependent Apps        | Greater than 10  | 4 to 10        | 0 to 3
Recovery Time         | 4 Hours          | 7 Days         | 31 Days
Region Supported      | Europe or Global | US             | All other
Some final slides... cont. Deployment Model Considerations
Deployment model: High = Public, Medium = Community, Low = Private
Public:
- Security and privacy are not a priority
- Service level agreements may not exist
Private:
- Private environments provide adequate security and privacy
- Service level agreements should exist
Some final slides... cont. Service Model Considerations
Service model: High = IaaS, Medium = PaaS, Low = SaaS
IaaS:
- Issues may impact all hosted applications and data
- No control over foundational general controls
PaaS:
- Impact limited to the outsourced platform
SaaS:
- Impact limited to applications and data
Some final slides... cont. Data Security Considerations
Security level: High = Secret, Medium = Restricted, Low = Unclassified
Secret:
- Difficult to enforce security standards when outsourcing
- Difficult to demonstrate compliance with regulations like GLBA
Unclassified:
- Security and privacy are not a concern (good candidate for cloud computing)
Shift to Cloud security: Dependent Applications
Number of apps: High = Greater than 10, Medium = 4 to 9, Low = Less than 3
> 10:
- Implies complexity and greater organizational significance
< 3:
- Implies simplicity and less organizational significance
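The ranking model on the preceding slides, worked through as an added example (this code is not from the slides or from DSS): it scores one candidate workload with the High (5)/Med (3)/Low (1) attribute table and rejects incomplete assessments instead of letting them score low. The slides do not say how the per-attribute scores combine, so summing them and bucketing the average is an assumption, as is reading SOX Critical "Yes" as High and "No" as Low; the dependent-app bands follow the ranking example slide (0 to 3 / 4 to 10 / more than 10).

```python
"""Cloud risk ranking, added as a worked example (not from the slides).
Scores follow the High (5)/Med (3)/Low (1) slide table; summing them and
bucketing the average per attribute is an assumption made here."""

HIGH, MED, LOW = 5, 3, 1

# Attribute -> {option: score}, options as listed on the slide. SOX Critical
# has only two options; "yes" is read as High and "no" as Low (assumption).
ATTRIBUTE_SCORES = {
    "deployment_model": {"public": HIGH, "community": MED, "private": LOW},
    "service_model": {"iaas": HIGH, "paas": MED, "saas": LOW},
    "data_security_level": {"secret": HIGH, "restricted": MED, "unclassified": LOW},
    "physical_hosting_site": {"undefined": HIGH, "international": MED, "domestic": LOW},
    "sox_critical": {"yes": HIGH, "no": LOW},
    "recovery_time": {"4 hours": HIGH, "7 days": MED, "31 days": LOW},
    "region_supported": {"europe or global": HIGH, "us": MED, "all other": LOW},
}

def score_dependent_apps(count: int) -> int:
    """Dependent apps: more than 10 -> High, 4 to 10 -> Med, 0 to 3 -> Low."""
    if count < 0:
        raise ValueError("dependent app count cannot be negative")
    return HIGH if count > 10 else MED if count >= 4 else LOW

def rank_workload(choices: dict, dependent_apps: int) -> tuple:
    """Return (total score, overall rating) for one candidate workload.
    Missing/unknown attributes or options are rejected rather than scored
    Low, so an incomplete assessment cannot come out looking safe."""
    missing = set(ATTRIBUTE_SCORES) - set(choices)
    unknown = set(choices) - set(ATTRIBUTE_SCORES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    total = score_dependent_apps(dependent_apps)
    for attribute, option in choices.items():
        scale = ATTRIBUTE_SCORES[attribute]
        key = option.strip().lower()
        if key not in scale:
            raise ValueError(f"{attribute}: unknown option {option!r}")
        total += scale[key]
    average = total / (len(ATTRIBUTE_SCORES) + 1)  # lies in [1, 5]
    rating = "High" if average >= 4 else "Medium" if average >= 2 else "Low"
    return total, rating

# Constructed sample: a public SaaS brochure site holding unclassified data.
BROCHURE_SITE = {"deployment_model": "public", "service_model": "SaaS",
    "data_security_level": "unclassified", "physical_hosting_site": "domestic",
    "sox_critical": "no", "recovery_time": "31 days", "region_supported": "all other"}
```

Calling `rank_workload(BROCHURE_SITE, 2)` gives a total of 12 and a "Low" rating, while the same site as public IaaS with secret data, undefined hosting, SOX-critical, 4-hour recovery and global reach scores the maximum 40 and "High".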
Conclusion...
Cloud computing is not a new technology. Cloud computing is a new business model. It is a way of delivering computing resources, and it is here to stay. Adopt it as soon as you can and make an even more successful business. Before moving to the cloud, involve professionals to help you understand what part, how, when, where, by whom and why it would be reasonable (by costs, risks, investment measures) to move to the cloud. And which cloud. As a famous Latvian poet once said: «One who'd be able to change would also be able to continue to exist!»
Think security first
www.dss.lv
andris@dss.lv
+371 29162784
Think security first
Credits to ENISA and ISACA papers and presentations, Dr Giles Hogben, Dr Evangelos Ouzounis, Kiran Kumar, Matt McMillon, Donald Gallien and many others