Cloud Security: Critical Threats and Global Initiatives

Presentation transcript:

Cloud Security: Critical Threats and Global Initiatives Jim Reavis, Executive Director July, 2010

What is Cloud Computing?
- Compute as a utility: the third major era of computing (mainframe, PC/client-server, cloud)
- Cloud computing: an on-demand model for the allocation and consumption of computing
- Cloud is enabled by:
  - Moore's Law: costs of compute and storage approaching zero
  - Hyperconnectivity: robust bandwidth from dotcom-era investments
  - Service Oriented Architecture (SOA)
  - Scale: major providers create massive IT capabilities

Top Threats to Cloud Computing
Cloud security risks / threats:
- Shared Technology Vulnerabilities
- Data Loss / Data Leakage
- Malicious Insiders
- Account, Service or Traffic Hijacking
- Insecure APIs
- Nefarious Use of Service
- Unknown Risk Profile

Shared Technology Vulnerabilities
Description: Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities.
Impact: Successful exploitation could affect multiple customers.
Example: Cloudburst, Kostya Kortchinsky (Black Hat 2009). An arbitrary code execution vulnerability was identified in the VMware SVGA II device, a virtualized PCI display adapter; the vulnerable component is present in VMware Workstation, VMware Player, VMware Server and VMware ESX.

Data Loss / Data Leakage
Description: Data compromise due to improper access controls or weak encryption. Poorly secured data is at greater risk because of the multi-tenant architecture.
Impact: Data integrity and confidentiality.
Example: "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds" (UCSD/MIT). Research detailing techniques to ensure that images are deployed on the same physical hardware as a victim, then leveraging cross-VM attacks to identify data leakage.

Malicious Insiders
Description: Employees of the cloud vendor may abuse privileges to access customer data or functionality. Reduced visibility into internal processes may inhibit detection of the breach.
Impact: Data confidentiality and integrity; reputational damage; legal repercussions.
Example: "Google Investigates Insider Threat After China Hack" (eWeek): "Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists."

Interception or Hijacking of Traffic
Description: Intercept and/or redirect traffic destined for the clients or the cloud; steal credentials to eavesdrop on or manipulate account information and services.
Impact: Confidentiality and integrity of data; damage to reputation; legal consequences from malicious use of resources.
Examples: Twitter DNS account compromise; Zeus botnet C&C servers on compromised Amazon EC2 accounts.

Insecure APIs
Description: APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack.
Impact: Data confidentiality and integrity; denial of service.
Example: "P0wning the Programmable Web" (Websense, AusCERT 2009). 80% of tested applications were not using the security available in the APIs (e.g. unencrypted traffic and basic authentication); CSRF, MITM and data leakage attacks were demonstrated.
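The two weaknesses the Websense finding names, unencrypted traffic and basic authentication, are both visible from nothing more than an inventory of which API endpoints a deployment calls and how it authenticates to them. The script below is an added example, not part of the presentation and not the Websense study's tooling: it audits a constructed endpoint inventory (hypothetical example.test hosts) and rates each finding, treating basic authentication over plain HTTP as the worst case because the static credential is exposed on every request.

```python
"""Audit API endpoint definitions for unencrypted transport and HTTP Basic
authentication. The inventory below is constructed for illustration; the
hosts are hypothetical and the rating scheme is this example's own."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    endpoint: str
    issue: str
    severity: str


# Constructed inventory: URL plus the auth scheme the client uses for it.
SAMPLE_INVENTORY = [
    {"url": "http://api.example.test/v1/orders", "auth": "basic"},
    {"url": "https://api.example.test/v1/orders", "auth": "basic"},
    {"url": "https://api.example.test/v1/status", "auth": "none"},
    {"url": "http://feeds.example.test/public/rss", "auth": "none"},
    {"url": "https://api.example.test/v1/pay", "auth": "oauth2"},
]


def audit_endpoint(entry):
    """Return the findings for one inventory entry (empty list if clean)."""
    findings = []
    url = entry["url"]
    scheme = urlparse(url).scheme.lower()
    auth = entry.get("auth", "none").lower()

    if scheme != "https":
        # Anything on the wire can be read or altered in transit; worse when
        # the request also carries a credential.
        sev = "high" if auth != "none" else "medium"
        findings.append(Finding(url, "unencrypted transport", sev))

    if auth == "basic":
        # Basic auth resends the same static credential with every call.
        # Over HTTPS that is a key-management weakness; over HTTP it is
        # outright credential exposure.
        sev = "critical" if scheme != "https" else "medium"
        findings.append(Finding(url, "basic authentication", sev))

    return findings


def audit_inventory(inventory):
    """Audit every entry and return the combined list of findings."""
    out = []
    for entry in inventory:
        out.extend(audit_endpoint(entry))
    return out


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in sorted(results, key=lambda f: f.severity):
        print(f"[{f.severity}] {f.endpoint}: {f.issue}")
    print("summary:", summarize(results))
```

The same audit can be pointed at whatever the deployment actually records (client configuration, a gateway's route table, or a proxy log of outbound calls); the rating is deliberately simple so that the critical row, a credential sent in the clear, is never buried under transport-only findings.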

Nefarious Use of Service
Description: Attackers are drawn to the cloud for the same reasons as legitimate consumers: access to massive processing power at a low cost.
Impact: Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc.
Examples: A current search of MalwareDomainList.com for 'amazonaws.com' returns 21 results. "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws" (ScanSafe blog). "Amazon's EC2 Having Problems With Spam and Malware" (Slashdot).

Unknown Risk Profile
Description: A lack of visibility into security controls could leave cloud consumers exposed to unnecessary risk.
Impact: Significant data breaches could occur, possibly without the knowledge of the cloud consumer.
Example: Heartland Payment Systems was "willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen." http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html

How will Cloud Computing play out?
- Much investment in private clouds for 3-5 years
- Rise of mobile clouds
- Eventual 80/20 rule favoring public clouds
- Cloud assurance ecosystem being built
- Virtual private clouds: a compromise between public and private
- Long legacy of hybrid clouds
- Disruption to markets, IT and security best practices
- Challenges to public policy and critical infrastructure

About the Cloud Security Alliance
- Global, not-for-profit organization
- 10,000+ individual members
- Fast growing: chapters, translations, alliances
- Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
- We believe Cloud Computing has a robust future; we want to make it better
- "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

CSA Research Projects
Go to www.cloudsecurityalliance.org/Research.html for the Research dashboard and Working Group signup.

Released Research
- CSA Guidance for Critical Areas of Focus: popular best practices, V2.1
- CSA Cloud Controls Matrix: security controls framework mapped to existing regulations and standards
- Top Threats: released twice annually
- Identity & Access Management ("Dom12") paper: supporting the Trusted Cloud Initiative

Research & Initiatives in Progress
- Certificate of Cloud Security Knowledge (CCSK): individual competency testing and certificate
- Trusted Cloud Initiative: interoperable IAM, reference models, certification criteria
- CSA Cloud Controls Matrix V2: controls refinement, automation, increased mappings
- Consensus Assessments Initiative: common question sets to measure providers' security capabilities

Research Initiatives being Scoped
- CloudCERT: best practices research for emergency response in the cloud; standardized processes; hosted community cloud
- Security Metrics: library of recommended measurements and surveys
- Cloud Security Use Cases: document real-world lessons learned

Third Party Initiative Participation
- CloudAudit
- Common Assurance Maturity Model (CAMM)
- ENISA eGovernment
- Cloud-Standards.org
- NIST

Schedule
- CSA Summit at Black Hat, July 28-29, Las Vegas
- CSA Congress, Nov 16-17, Orlando
- CSA Summit at RSA 2011 (tentative), San Francisco
- Participating in most major events
- Several chapter launch events
- Other Summits as research requires

Thank you!