Cloud and Mobile Security - Portal Rasmi Kerajaan Negeri Pulau

Cloud and Mobile Security: Risks and Challenges
Chong Sau Wei (CISM)
chong@scan-associates.net
General Manager
Managed Security Services
SCAN Associates Berhad
Seminar e‐Kerajaan Negeri Pulau Pinang
14 Nov 2013
Agenda
• What is Cloud Computing?
• Cloud Security – Risks and Challenges
• Mobile Security – Risks and Challenges
• Securing Mobile & Cloud Implementations
• Conclusion
• References
What is Cloud Computing?
What the H*LL is the cloud?
Are we dead by cloud computing? Is Intel dead? There'd be no microprocessors in the cloud? Is Samsung dead? There'd be no memory in the cloud? Is Cisco dead because there's no networking in the cloud? Are we dead because there's no databases in the cloud, no applications in the cloud, no middleware in the cloud? The answer is no. All a cloud is computers in a network.
“We come in peace. We’re the cloud people. We are the peaceful people.”
It’s the democratization of computing
What is Cloud Computing?
• The delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network (Internet) [wikipedia]
• Cloud ‐ an old new concept…
– Parallel, distributed and grid computing have been around for a while:
• Scientists, governments, international organizations, military
• Urban planning, weather forecasts, economic modelling, etc.
– Now, cloud computing is a commodity
• Who does not use the cloud nowadays?
– Ready‐to‐go services
Models of Cloud Services
• Software as a Service (SaaS): software – CRM, email, games, virtual desktops
– Google Apps, Salesforce CRM, Dropbox
• Platform as a Service (PaaS): computing or solution platform – operating systems, databases, web servers
– Microsoft’s Azure, Google’s AppEngine
• Infrastructure as a Service (IaaS): computers (physical/virtual), storage, firewalls or networks
– Amazon EC2, Rackspace Cloud
Cloud Services Providers
Security: Top Cloud Adoption Concerns
Source: Oxford Economics Study: Protecting the Cloud
Cloud Security: Shared Responsibility
Chart: deployment models (left to right) On‐Premise, On‐Premise (hosted), IaaS, PaaS, SaaS; stack layers (top to bottom) Application, Services, OS, VM, Server, Storage, Network.
Legend: Organization has Control / Organization Shares Control with Vendor / Vendor has Control
Cloud Security Advantages
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
Cloud Security: Top Threats 2013
• Based on survey results of industry experts by the Cloud Security Alliance (CSA)
– Data Breaches
– Data Loss
– Account Hijacking
– Insecure APIs
– Denial of Service
– Malicious Insiders
– Abuse of Cloud Services
– Insufficient Due Diligence
– Shared Technology Issues
Cloud Security: Breach Methods
Chart (% of breaches): Hacking, Malware, Physical Attacks, Social Tactics, Privilege Misuse
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Threat Evolution
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Hacking Methods
Chart (% of breaches): Default/guessable credentials, Stolen login credentials, Brute force/dictionary attacks, Exploit backdoor, Exploit insufficient authentication, SQL Injection, Remote file inclusion, Abuse of functionality, Unknown
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Some Interesting Observations
• 97% were avoidable through simple or intermediate controls
• 96% were not highly difficult
• 94% of all data compromised involved servers
• 92% were discovered by a third party
• 85% took weeks or more to discover
• 79% were targets of opportunity
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Cloud Security Challenges
• Exposure of data to foreign governments and data subpoenas – US PRISM program
• Trusting vendor’s security implementations
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
Mobile Security: Value & Risks
• The world is mobile and cloudy and will be getting more so…
• Mobile applications can create tremendous value:
– New classes of applications utilizing mobile capabilities: GPS, camera, etc.
– Innovating applications for employees and citizens
• Mobile devices and mobile applications can create tremendous risks as well:
– Sensitive data inevitably stored on the device (email, contacts)
– Connect to a lot of untrusted networks (carrier, Wi‐Fi)
• Most developers are new to creating mobile applications and therefore not trained to develop secure mobile applications
Mobile Security: Top Threats
No. | Type of Threat | Threat Level
1 | Data loss from lost, stolen or decommissioned devices | High
2 | Information‐stealing mobile malware | High
3 | Unsecured Wi‐Fi, network access and rogue access points | High
4 | Unsecured or rogue app marketplaces | High
5 | Data loss and data leakage through vulnerable apps | Medium
6 | Vulnerabilities within devices, OS, design and third‐party apps | Medium
7 | Insufficient management tools, capabilities and access to APIs | Medium
8 | NFC and proximity‐based hacking | Low
Mobile Security Challenges
Explosion of mobile devices
Mobile Apps
• How to control the usage of the devices?
• How to keep track of and manage the installations?
Data Management
• How to protect the data and critical information from being leaked out?
Ownership
• Who should monitor the use of mobile devices?
What needs to be secured
Diagram: Device, Data, Application, Management policies, User; controls shown: Lock, Encryption, Wipe, Locate, File Protection, Data leakages, Rogue Applications, Visibility on Applications, Controls over Applications, Profiling, Authentication, Location of the User
Security Threats Landscape
• Human
– Malicious
• Outsider: Hackers, Script Kiddies, Spy
• Insider: Disgruntled staff
• Non‐Human
– Non‐malicious
• Hardware: Poor design, Backdoor
• Software: Malware, Bugs
• Natural Disaster: Fire, Flood etc.
Securing Cloud & Mobile Implementations
1. Planning for security
2. Establish organizational policies and standards
3. Identify risks and threats (as discussed)
4. Mitigate the risks and threats
5. Protect data
6. Secure infrastructure
7. Enable compliance monitoring
8. Choose the right cloud service provider/mobile management solutions
1. Security Planning
• Consider the following during the planning stage:
1. What are the business priorities?
2. Which workloads do you want to move to the cloud?
3. How sensitive is the data?
4. What cloud delivery model works best?
5. What about compliance?
6. How will the data flow?
7. How will users access data and applications?
2. Establish Policies And Standards
• Policies and standards are important as guidance and for ensuring compliance
• Adopt international security standards & guidelines such as ISO27001 (ISMS), and industry best practices
• Establish Bring‐Your‐Own‐Device (BYOD) policies for mobile devices
4. Mitigate the Risks & Threats
• Examples of security controls:
1. Encrypt data that rests or moves in and out of both clouds.
2. Control access by managing identities and manage API control points at the network edge.
3. Establish trusted compute pools to secure datacentre infrastructure and protect clients.
4. Build higher assurance into compliance to streamline auditing and increase visibility into the cloud.
5. Implement Data Protection
• Safeguard data throughout the Cloud by:
– Accelerating and strengthening encryption usage – pervasive encryption
– Establishing secure connections for transferring encrypted data
– Reducing data loss through data loss prevention (DLP) policies and implementations
6. Securing Infrastructure
• Protect client, edge, and datacentre systems:
– Secure the clients to ensure that only authorized users can access the cloud and to guard endpoint devices against rootkit and other low‐level malware attacks.
– Protect edge systems at the API level where external software interacts with the cloud environment.
– Create a secure datacentre infrastructure that establishes trust between servers and between servers and clients.
7. Enable Compliance Monitoring
• Build higher assurance into compliance:
– Build trusted pools of servers, which form the foundation for compliance in both public and private clouds.
– Ensure the continued trustworthy status of the server pools with routine security assessments.
– Support audit and security management by making assessment results available to policy management, security information and event management (SIEM), governance, risk management, and compliance solutions.
8. Choosing the Provider/Solution
• Make security a key aspect of service provider/solution evaluation criteria:
– Ensure that data and platform security are built into any offering.
– Seek evidence of data and platform protections (i.e. compliance) for the services/solutions offered.
– Establish measurable, enforceable service level agreements (SLAs) for verification.
Conclusion
• Understand the security advantages, threats and challenges of cloud and mobile technology adoption
• Understand the legal ramifications
• Establish organizational security policies
• Implement security processes
• Monitor for compliance
• Train the System Administrators and Software Developers
• Choose the “right” strategy and solutions for the business objectives
Conclusion
• It should take only 20% of your efforts to secure 80% of your infrastructure
• Security is never just about technology (hardware/software) or solution deployment alone, but also involves:
– policies (compliance),
– processes (assessment & monitoring),
– awareness, skills and knowledge (people).
Recent High Profile Security Breaches
Cloud & Mobile Security Reality Check
In the era of cloud and mobile computing, prevention is crucial, and we shouldn’t lose sight of that goal… BUT we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defence.
Therefore we should stop treating it (detection/response) like a backup plan if things go wrong, and start making it a core part of the plan.
Thank you.
Questions?
SCAN Associates Bhd
http://www.scan-associates.net
“The first step toward change is awareness. The second step is acceptance.”
‐ Nathaniel Branden
Useful References
• https://cloudsecurityalliance.org/
• http://www.nist.gov/itl/cloud/
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• https://www.intel.com/cloudsecurity
• http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf