Cloud Security: Critical Threats and Global Initiatives


1 Cloud Security: Critical Threats and Global Initiatives
Richard Zhao, Founder and Board Member of CSA-GCC; Chief Strategy Officer, NSFOCUS
Oct , Hangzhou

2 What is Cloud Computing?
Compute as a utility: the third major era of computing, after the mainframe and the PC / client-server eras.
Cloud computing: an on-demand model for the allocation and consumption of computing.
Cloud is enabled by:
- Moore's Law: the cost of compute and storage is approaching zero
- Hyperconnectivity: robust bandwidth left over from the dotcom investments
- Service Oriented Architecture (SOA)
- Scale: major providers create massive IT capabilities

3 Top Threats to Cloud Computing
Cloud Security Risks / Threats:
- Shared Technology Vulnerabilities
- Data Loss / Data Leakage
- Malicious Insiders
- Account, Service or Traffic Hijacking
- Insecure APIs
- Nefarious Use of Service
- Unknown Risk Profile

4 Shared Technology Vulnerabilities
Description: Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities. In a multi-tenant environment one such component is shared by many customers.
Impact: Successful exploitation could affect multiple customers at once, because a single hypervisor or shared component serves all of them.
Example: Cloudburst, Kostya Kortchinsky (Black Hat 2009). An arbitrary code execution vulnerability was identified in the VMware SVGA II device, a virtualized PCI display adapter, allowing a guest to escape to the host. The vulnerable component was present in VMware Workstation, VMware Player, VMware Server and VMware ESX.

5 Data Loss / Data Leakage
Description: Data compromise due to improper access controls or weak encryption. Poorly secured data is at greater risk in a multi-tenant architecture, where other tenants' workloads run on the same physical hosts.
Impact: Data integrity and confidentiality.
Example: "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds" (UCSD/MIT). The research details techniques for placing attacker-controlled instances on the same physical hardware as a victim (co-residence) and then using cross-VM side channels to extract information from the victim.

6 Malicious Insiders
Description: Employees of the cloud vendor may abuse their privileges to access customer data or functionality. Reduced visibility into the provider's internal processes may prevent the customer from detecting the breach.
Impact: Data confidentiality and integrity; reputational damage; legal repercussions.
Example: According to the 2010 Data Breach Investigations Report by Verizon, 48% of data breaches involved insiders. The risk may be greater in a cloud computing environment, where the insider population includes the provider's staff.

7 Interception or Hijacking of Traffic
Description: Intercept and/or redirect traffic destined for the clients or the cloud; steal credentials to eavesdrop on or manipulate account information and services.
Impact: Confidentiality and integrity of data; damage to reputation; legal consequences from malicious use of resources.
Example: the Twitter DNS account compromise; Zeus botnet C&Cs on compromised Amazon EC2 accounts.

8 Insecure APIs
Description: APIs designed to permit access to functionality and data may themselves be vulnerable, or may be used improperly by the applications built on them, exposing those applications to attack.
Impact: Data confidentiality and integrity; denial of service.
Example: "P0wning the Programmable Web" (Websense, AusCERT 2009). 80% of tested applications were not using the security features available in the APIs they consumed (e.g. they sent traffic unencrypted and used basic authentication). CSRF, MITM and data leakage attacks were demonstrated.
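
The slide's point is that the APIs offered the protection and the consuming applications simply did not use it. The following is an added example, not code from the presentation or from any of the providers it names: it shows the kind of request authentication a cloud API typically offers instead of basic authentication over cleartext, namely an HMAC-SHA256 signature over the method, path, timestamp and body hash. The shared secret, paths and request bodies are constructed for the example. The server-side check rejects a body altered in transit (the MITM case) and a captured request replayed outside a short freshness window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// sharedSecret is a constructed example value standing in for an API secret
// provisioned out of band; a real secret is never embedded in source.
var sharedSecret = []byte("example-api-secret-do-not-reuse")

// MaxSkew bounds how old a signed request may be before it is rejected as a replay.
const MaxSkew = 5 * time.Minute

// canonical builds the string both sides sign. Binding method, path, timestamp
// and a hash of the body means an on-path attacker cannot alter any of them
// without invalidating the signature, even if the transport were cleartext.
func canonical(method, path string, ts int64, body []byte) []byte {
	bodyHash := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", method, path, ts, hex.EncodeToString(bodyHash[:])))
}

// SignRequest is the client side: HMAC-SHA256 over the canonical string, hex encoded.
func SignRequest(secret []byte, method, path string, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(method, path, ts, body))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyRequest is the server side. The current time is passed in so the
// freshness check can be exercised deterministically.
func VerifyRequest(secret []byte, method, path, tsHeader string, body []byte, sig string, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp header")
	}
	age := now.Sub(time.Unix(ts, 0))
	if age > MaxSkew || age < -MaxSkew {
		return errors.New("stale or future-dated request (possible replay)")
	}
	expected := SignRequest(secret, method, path, ts, body)
	// hmac.Equal compares in constant time; a plain == would leak timing.
	if !hmac.Equal([]byte(expected), []byte(sig)) {
		return errors.New("bad signature (tampered or forged request)")
	}
	return nil
}

func main() {
	now := time.Now()
	path := "/v1/instances/i-0123"
	body := []byte(`{"action":"resize","size":"xlarge"}`) // constructed request body
	ts := now.Unix()
	sig := SignRequest(sharedSecret, "POST", path, ts, body)
	tsHeader := strconv.FormatInt(ts, 10)

	fmt.Println("genuine request:     ", VerifyRequest(sharedSecret, "POST", path, tsHeader, body, sig, now))
	tampered := []byte(`{"action":"terminate","size":"xlarge"}`)
	fmt.Println("body changed in flight:", VerifyRequest(sharedSecret, "POST", path, tsHeader, tampered, sig, now))
	fmt.Println("replayed an hour later:", VerifyRequest(sharedSecret, "POST", path, tsHeader, body, sig, now.Add(time.Hour)))
}
```

The signature protects integrity and origin, not confidentiality; the request still has to travel over TLS so that the body and the timestamp are not readable on the wire, which is the other half of what the tested applications were omitting.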

9 Nefarious Use of Service
Description: Attackers are drawn to the cloud for the same reasons as legitimate consumers: access to massive processing power at low cost, with weak identity checks at signup.
Impact: Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc.
Examples:
- A current search of MalwareDomainList.com for 'amazonaws.com' returns 21 results.
- "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws" (ScanSafe blog).
- "Amazon's EC2 Having Problems With Spam and Malware" (Slashdot).

10 Unknown Risk Profile
Description: A lack of visibility into the provider's security controls could leave cloud consumers exposed to unnecessary risk.
Impact: Significant data breaches could occur, possibly without the knowledge of the cloud consumer.
Example: Heartland Payment Systems was "willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen."

11 About the Cloud Security Alliance
- Global, not-for-profit organization
- Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
- We believe Cloud Computing has a robust future; we want to make it better.
Mission: "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

12 Membership
- 50+ corporate members
- 12 non-profit affiliations
- 10,500 individual members, growing by 300/week
- Broad geographical distribution
- Working Group activities are performed through the individual membership class

13 CSA Research Projects
Go to www.cloudsecurityalliance.org/Research for the Research dashboard and Working Group signup.

14 Major Research Initiatives at CSA

15 CSA Guidance Research
Popular best practices for securing cloud computing; 13 domains of concern, grouped into governing and operating; the foundation for CSA research.
Domain 1: Cloud Architecture
Governing the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
Operating in the Cloud:
- Security, Business Continuity and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
The CSA Guidance is our flagship research and provides a broad catalog of best practices. Its 13 domains address both broad governance and specific operational issues. The Guidance is the foundation for the other research projects in the following slides that relate to compliance. Guidance downloads exceed 100k: cloudsecurityalliance.org/guidance

16 Securing the Cloud - Governance
- The best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture
- Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Identify data location when possible
- Plan for provider termination and return of assets
- Preserve the right to audit
- Reinvest provider cost savings into due diligence

17 Securing the Cloud - Operating
- Encrypt data when possible; segregate key management from the cloud provider
- Adapt the secure software development lifecycle to the cloud
- Understand the provider's patching, provisioning and protection
- Logging, data exfiltration monitoring, granular customer segregation
- Hardened VM images
- Assess the provider's IdM integration, e.g. SAML, OpenID
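
"Segregate key management from the cloud provider" is the item on this slide that most needs a concrete shape. The following is an added example, not code from the presentation or from the CSA: client-side envelope encryption in which each object is encrypted under a fresh data key (AES-256-GCM), the data key is wrapped under a key-encrypting key (KEK) that the customer holds outside the provider, and only the ciphertext plus the wrapped data key are uploaded. The KEK bytes and the object content are constructed for the example; where the KEK actually lives (an on-premise HSM, a customer-controlled KMS) is an assumption stated in the comments, not something the slide specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets uploaded and what the provider can see. It contains
// neither the plaintext data key nor the customer's KEK.
type Envelope struct {
	WrappedKey []byte // data key encrypted under the customer-held KEK
	Ciphertext []byte // object encrypted under the data key
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the random
// nonce to the output, so a single byte slice carries everything needed to open it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSealed reverses seal; GCM's authentication tag makes any tampering or
// wrong key fail here rather than yield garbage.
func openSealed(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptObject runs on the customer side before upload. A fresh 256-bit data
// key per object limits the blast radius of any single key exposure.
func EncryptObject(kek, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptObject runs on the customer side after download. Unwrapping the data
// key requires the KEK, which never leaves the customer's key store (assumed
// here to be an HSM or customer-controlled KMS, outside the provider).
func DecryptObject(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := openSealed(kek, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openSealed(dataKey, env.Ciphertext)
}

func main() {
	// Constructed customer KEK for the demonstration.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	env, err := EncryptObject(kek, []byte("customer record: account 42, balance 1000")) // constructed object
	if err != nil {
		panic(err)
	}
	// The provider (or an insider, or a co-resident tenant that reads the
	// storage) holds env but not the KEK: the unwrap step fails.
	providerGuess := make([]byte, 32)
	if _, err := DecryptObject(providerGuess, env); err != nil {
		fmt.Println("without the KEK:", err)
	}
	pt, err := DecryptObject(kek, env)
	fmt.Printf("with the KEK: %q (err=%v)\n", pt, err)
}
```

The design choice worth noting is that key wrapping, not just encryption, is what delivers segregation: if the provider's own server-side encryption is used instead, the provider holds the key as well as the data, and the "Malicious Insiders" and "Shared Technology Vulnerabilities" threats from earlier slides apply to both.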

18 CSA Guidance Research - Status
- Version 2.1 released December 2009
- Version 3 planned for mid-2011
- 2010 focus: translations; wiki format; per-domain whitepapers (not official guidance)
(Figure: the 13 Guidance domains, as listed on slide 15.)

19 Top Threats to Cloud Computing
(Repeat of slide 3: the seven top threats.)

20 Top Threats - Status Revisions Process
The Top Threats list will be updated twice per year.
Process:
- Recommended changes will be solicited from CSA participants
- A panel of judges will be established with representation from the security community, solution providers and cloud consumers
- Recommendations will be summarized and sent to the judges for review
- Judges will vote on any recommended changes
- Contact the project team to recommend judges
SecureCloud: ISACA, ENISA, IEEE and CSA

21 Cloud Controls Matrix Tool
- Controls derived from the Guidance
- Each control rated as applicable to SaaS, PaaS and/or IaaS (S-P-I)
- Customer vs. provider role identified for each control
- Mapped to ISO 27001, COBIT, PCI and HIPAA
- Helps bridge the gap between IT and IT auditors

22 CSA Guidance Continuous Improvement
(Figure: the 13 Guidance domains feeding the Controls Matrix.)
The Controls Matrix (CM) is a simple and actionable representation of the broad principles derived from the Guidance.
Continuous improvement: the projects complement each other in a continuous improvement loop.

23 Consensus Assessments Initiative
(Figure: the 13 Guidance domains, Controls Matrix and CAI.)
The Controls Matrix is a framework. The Consensus Assessments Initiative (CAI) is a methodology and solution for testing for the presence of Controls Matrix controls and Guidance best practices in cloud providers.

24 Common Assurance Maturity Model (CAMM)
CAMM is a methodology and solution for creating an independent, maturity-model-based measurement of the maturity of a cloud provider's security program.
Mappings:
- The Controls Matrix will map to CAMM's internal assessment controls
- Providers can use the Controls Matrix "provider-specific" controls to optimize their CAMM assessment scoring

25 CSA Cloud Metrics
(Figure: the 13 Guidance domains, CSA Metrics and their metrics sources.)
- CSA Cloud Metrics is a catalogue of metrics that allows customers and cloud providers to measure their security capabilities
- CSA Cloud Metrics is creating a metric for each control in the Controls Matrix, plus additional metrics inspired by the Guidance
- CSA Cloud Metrics will potentially create surveys and collect metrics data from the industry for benchmarking

26 CSA Greater China Chapter
1. Geographically, promote the use of best practices in China, Hong Kong, Taiwan, etc. to provide security assurance within any Cloud Computing environment, and provide education on the use of Cloud Computing to help secure all other forms of computing.
2. Promote CSA initiatives within worldwide Chinese-speaking security professional communities (see the Chapter website).
3. Contribute to the global CSA with localized industrial requirements and business cases.

27 CSA-GCC Projects in Plan
- Localization of officially released CSA documents, including the CCM, Top Threats, Domain 12 IAM, etc.: organize a team to translate them.
- Security controls recommendations targeted at providers and users in mainland China, HK and TW, referencing the CCM: develop a localized version for the Greater China region, better suited to defining requirements and selecting cloud services.
- Cloud Security Use Cases: collect, study, compile and share the business scenarios, technical solutions and business value of the major cloud service and cloud security providers, as a reference for the industry.
- Co-development with CSA-JC (the Japan chapter) of a cloud audit framework for J-SOX.
- Security contract templates for cloud service providers and users: study the user agreements of the major cloud service and cloud security providers, evaluate their reasonableness, and develop a more standard, general template defining security-related responsibilities and rights, as a reference for the industry.
- Other open project proposals from members.
The Board will vote on the project plan based on opportunity significance, technological maturity, resource availability, etc., and communicate the final plan to the community. More proposals and participation are welcome.

28 Current Work Groups

29 Contact
www.cloudsecurityalliance.org
info@cloudsecurityalliance.org
CSA-GCC general info: visit the website and join the LinkedIn groups to receive regular updates.

30 Thank you!

31 CSA-GCC Board Members
- Aloysius Cheang, Head of Security Services, Cable & Wireless
- Huamin Jin, Director, Security Labs of China Telecom
- Hua Li, Cofounder, GooAnn
- Jordan Pan, Chief Strategy Officer, Venustech
- Richard Zhao, Chief Strategy Officer, NSFOCUS

