Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

“…dare to dream; care to win…”

Venkateswar Reddy MelachervuAssociate Vice President – IT

www.linkedin.com/in/vmelachervu

vmelachervu@gmail.com

Cloud Computing and SafetyLet’s Secure Cloud!

20th July 2013

In God we trust; All others, we virus scan

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards”

- Unknown

Only the Paranoid Survive- Andy Grove, Former Chairman, Intel Inc.

“Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources”

Disclaimer

Agenda

Global Cyber Attacks Stats

What is Computing Security?

Cloud Computing, Models and Security Demystified

New Security Challenges of Cloud Computing

Security Dimensions – The CIA Triad

Scope of Cloud Computing Security

Security Challenge Eco-system

Vulnerabilities, Threats and Exposure Points

Attacks – Modes and Types

The Notorious Nine – Cloud Security Threats

Methods of Defence

Tenets of Security Control

Security Life Cycle

Cloud Security Components and Governance

Tiered Cloud Security Handling Framework

Bottom-line

Take-aways

In 1988 a "worm program“ – Morris Worm -written by a college student - Robert T. Morris, Jr. of Cornell University - shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks

First National Bank of Chicago is the victim of $70-million computer theft

Cyber Crime – The Beginning

Heartland Payment Systems

Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.

March 2008

Incident Few Years Back

2012 Global Cyber Attacks Stats

Revenue loss

Customer data loss and liabilities

Embarrassment to yourself and/or the University

Having to recreate lost data

Identity theft

Data corruption or destruction

Loss of patient, employee, and public trust

Costly reporting requirements and penalties

Disciplinary action (up to expulsion or termination)

Unavailability of vital data

Security Violation Consequences

What’s Computing Security?

Protection of computing systems and the data that they store or access

To prevent theft of or damage to the hardware, Software etc. - Confidentiality

To prevent theft of or damage to the information and to protect privacy –Privacy and Integrity

To prevent disruption of service -Availability/Denial of Service

What Is Computing/IT Security?

Isn’t this just an IT Problem?

Why Do I Need to Learn About Computer Security?

Everyone who uses a computer needs to understand how to keep his or her computer and data secure

IT Security is a not a product, but a process

No major operating system has ever worked perfectly

No OS vendor has dared offer a warranty against malfunctions

It is far easier to build a secure system than to build a correct system

You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out

Securing a system has traditionally been a battle of wits

The problem is people/exploitation - not computers

Why Computers Are Not Secure?

Cloud Computing – NIST Definition

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

Cloud Computing - Business Definition

“A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet”

On demand computational services over web

Spiky compute needs of the scientists

Horizontal and dynamic scaling with no additional cost

Increased throughput

Multi-tenant

Accessed over a network

Only pay for what you use

Shared internally or with other customers

Resources - storage, computing, services, etc.

Internal network or Internet

Similar to Timesharing

Rent IT resources vs. buy

Cloud Computing Demystified

Multi-Tenancy

Cloud Service Layers and Models

SaaSModelsLayers

AutonomousMore Control/ Flexibility

IaaS PaaS

Conventional Data Centre

Cloud Modelled Data Centre

Public, Private, Hybrid Clouds

Cloud ComputingEnablers and Inhibitors

Why Cloud Computing Brings New Security Challenges?

Data, applications, resources are located with provider

User identity management is handled by the cloud provider

User access control rules, security policies and enforcement are managed by the cloud provider

Multi-tenancy

Consumer relies on provider to ensure Data security and privacy

Resource availability

Monitoring and repairing of services/resources

Self-managed or Private Clouds overcome most of the above new threats

Security Dimensions – The CIA Triad

Secured

Hardware

Confidentiality

The need for keeping information secret Protecting proprietary designs from

competitors

Protecting a company’s personnel records

Protecting personal financial/ID info against ID theft

Applies to resource hiding System configuration data

Resources - Systems, Equipment, Services etc.

Integrity

Preventing improper or unauthorized change or access

Data integrity and system integrity

Non-repudiation Example : Digital Cert of the Origin Source

Availability Reliability and system design

To prevent Denial of Service Attacks - The attempts to block the availability of systems or services

System designs usually assume a statistical model to analyze expected patterns of use

Example 1: C vs. I+A

Disconnect computer from Internet to increase confidentiality

Availability suffers, integrity suffers due to lost updates

Example 2: I vs. C+A

Have extensive data checks by different people/systems to increase integrity

Confidentiality suffers as more people see data, availability suffers due to locks on data under verification)

Need to Balance CIA Triad

Scope of Cloud Security

Data Center

LAN/WAN/Wifi/PLMN/

Cloud Eco-system

Security Challenge Eco-system

Environmental

Operational

Hardware Software

HumansData

Network

Vulnerability A weakness in a security system

Threat Circumstances that have a potential to

cause harm

Exposure Points External access points that can be taken

advantage compromising security by most advanced attacker

Attack - materialization of a vulnerability/threat/compromised exposure point or combination)

Attack may be: Successful a.k.a. an exploit - Resulting in

a breach of security, a system penetration, etc.

Unsuccessful - When controls block a threat trying to exploit a vulnerability

Vulnerabilities, Threats, and Exposure Points

Software Deletion Easy to delete needed software by mistake

To prevent this: use configuration management software

Software Modification Worms, Trojan Horses, Viruses, Logic

Bombs, Trapdoors, Information Leaks ...

Software Theft Unauthorized copying

via P2P, etc.

Software Vulnerabilities

Add or remove a hardware device Ex: Snooping, wiretapping

Ex: Modification, alteration of a system

Physical attacks on hardware Accidental or voluntary Theft / destruction

Damage the machine (spilled coffe, mice, realbugs)

Steal the machine

Hardware Vulnerabilities

Network/Web Vulnerabilities

Phishing An evil website pretends to be a trusted website

Example: You type, by mistake, “mibank.com” instead of

“mybank.com”

mibank.com designs the site to look like mybank.com so the user types in their info as usual

BAD! Now an evil person has your info!

SQL Injection

Cross Site Scripting Writing a complex Javascript program that steals

data left by other sites that you have visited in same browsing session

Kinds of Threats

Interception An unauthorized party (human or not) gains

access to an asset

Interruption an asset becomes lost, unavailable, or

unusable

Modification an unauthorized party changes the state of an

Fabrication an unauthorized party counterfeits an asset

Over the Internet

Over LAN

Locally

Offline

Deception

Modes of Attacks

Not all hackers are evil wrongdoers trying to steal your info

Classification 1 Amateurs

Opportunistic attackers (use a password theyfound)

Script kiddies

Hackers - nonmalicious In broad use beyond security community: also

malicious

Crackers – malicious

Career criminals

State-supported spies and information warriors

Classification 2 Recreational hackers / Institutional hackers

Organized criminals / Industrial spies / Terrorists

National intelligence gatherers / Info warriors

Types of Attackers

Common Attacks

Network Attacks Packet sniffing, man-in-the-middle, DNS

hacking

Web attacks Phishing, SQL Injection, Cross Site Scripting

OS, applications and software attacks Virus, Trojan, Worms, Rootkits, Buffer

Overflow

Network Attacks

Packet Sniffing Internet traffic consists of data “packets”, and these

can be “sniffed”

Leads to other attacks such aspassword sniffing, cookie stealing session hijacking, information stealing

Man in the Middle Insert a router in the path between client and server,

and change the packets as they pass through

DNS hijacking Insert malicious routes into DNS tables to send traffic

for genuine sites to malicious sites

Bacterium A specialized form of virus which does not attach to a specific file. Usage

obscure.

Logic bomb Malicious logic that activates when specified conditions are met. Usually

intended to cause denial of service or otherwise damage system resources.

Trapdoor A hidden computer flaw known to an intruder, or a hidden computer

mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms

Trojan horse A computer program that appears to have a useful function, but also has a

hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Malicious SW Attacks

Virus A hidden, self-replicating section of computer software, usually malicious logic,

that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Worm A computer program that can run independently, can propagate a complete

working version of itself onto other hosts on a network, and may consume computer resources destructively.

Malicious SW Attacks

Data Breaches

Data Loss

Account Hijacking

Insecure APIs

Denial of Service

Malicious Insiders

Abuse of Cloud Services

Insufficient Due Diligence

Shared Technology Issues

The Notorious NineCloud Computing Top Threats in 2013

Source : Cloud Security Alliance

Castle in Middle Ages

Location with natural obstacles

Surrounding moat

Drawbridge

Heavy walls

Strong gate

Guards

Computers Today Encryption

Software controls

Hardware controls

Policies and procedures

Multiple controls – physical and computational

System perimeter – defines inside/outside

Pre-emption – attacker scared away

Deterrence – attacker could not overcome defences

Faux environment – attack deflected towards a worthless target

Tenets of Security Defence and Control

Policy vs. Procedure

Policy: What is/what is not allowed

Procedure: How you enforce policy

Policy - must consider Alignment with users’ legal and ethical standards

Probability of use Inconvenient: 200 character password, change

password every week

Periodic reviews A given control usually becomess less effective with time

Need to replace ineffective/inefficient controls with better ones

Advantages of policy and procedural controls

Can replace hardware, software controls

Can be least expensive

Tenets of Security Control

Prevent attack Block attack / Close vulnerability

Deter attack Make attack harder (can’t make

it impossible )

Detect attack During or after

Deflect attack Make another target more

attractive than this target

Recover from attack

Security

Methods of Defence

IT Defense consists of:

Encryption

Software controls

Hardware controls

Policies

Physical controls

Security Life Cycle

Analyze Threats

Policy

Specification

Design

Implementation

Operation and Maintenance

Security Analysis Process

Identify Assets Which assets are we trying to protect?

What properties of these assets must be maintained?

Identify Threats What attacks can be mounted?

What other threats are there (natural disasters, etc.)?

Identify Countermeasures How can we counter those attacks?

Independent Analysis

Cloud Provisioning Services

Cloud Data Storage Services

Cloud Processing Infrastructure

Cloud Support Services

Cloud Network and Perimeter Security

Elastic Elements: Storage, Processing, and Virtual Networks

Cloud Security Components

Organize Threats – STRIDE Model

Spoofing identity

Tampering with data

Repudiation

Information disclosure

Denial of service

Elevation of privilege

Functional Which functions & services in the Cloud have

legal implications for both parties

Jurisdictional Which governments administer laws and

regulations impacting services, stakeholders, data assets

Contractual Terms & conditions

Governance

Identify, implement process, controls to maintain effective governance, risk mgt, compliance

Provider security governance should be assessed for sufficiency, maturity, consistency

Tiered Cloud Security Handling Framework

Physical Infrastructure

Tenant #2

Virtual Infrastructure

Physical Infrastructure

Cloud Provider

Virtual Infrastructure

Tenant #1

Insulate information from cloud providers’

employees

Insulate information from other

tenants

Insulate infrastructure from Malware, Trojans

and cybercriminals

Segregate and control user

access

Control and isolate VM in the

virtual infrastructure

Federate identities with public clouds

Identity federation

Virtual network security

Access Mgmt

Cybercrime intelligence

Strong authentication

Data loss prevention

Encryption & key mgmt

Tokenization

Governance

Anti-malware

Enable end to end view of security events and compliance and control across infrastructures

CCSK - Cloud Security Alliance Certifications

CISSP – (ISC)2

CPTC – Certified Penetration Testing Consultant

CPTE – Certified Penetration Testing Engineer

CompTIA – Security+

CSTA – Certified Security Testing Associate

GPEN – GIAC Certified Penetration Tester

OSCP – Offensive Security Certified Professional

CEH – Certified Ethical Hacker

ECSA – EC-Council Certified Security Analyst

CEPT – Certified Expert Penetration Tester

Security Certifications

Source : http://www.concise-courses.com/security/certifications-list/

Bottom Line

Engage in full risk management process for each case

For small and medium organizations Cloud security may be a big improvement!

Cost savings may be large (economies of scale)

For large organizations Already have large, secure data centers

Main sweet spots: Elastic services

Internet-facing services

Employ countermeasures

Take-Aways

Policy defines security and mechanisms enforce security Confidentiality

Integrity

Availability

Trust and knowing assumptions

Importance of assurance

The human factor

Cloud Computing and SafetyLet’s Secure Cloud!

20th July 2013

Venkateswar Reddy MelachervuAssociate Vice President – IT

www.linkedin.com/in/vmelachervu

vmelachervu@gmail.com

In God we trust; All others, we virus scan

Thank You

“…dare to dream; care to win…”

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

Business

Transcript of Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

Trust in, and value from, Cloud Computing - ISACA VALENCIA

ISACA AND IT GOVERNANCE INSTITUTE 2014 ANNUAL REPORTm.isaca.org/About-ISACA/annual-report/Documents/2014-isaca-annual... · ISACA ® AND IT GOVERNANCE INSTITUTE ® ANNUAL REPORT 2014

ISACA Karachi Chapter · This bimonthly newsletter focuses on ISACA Karachi Chapter’s activities, ... ISACA Virtual Conferences ... BS 25999 Business Continuity Management Standard"

NIST Cloud Computing Reference Architecture - ISACA · deployment, service orchestration, cloud service management, ... NIST SP 500-292 NIST Cloud Computing Reference Architecture

Security Issues in Cloud Computing · Jennifer L Bayuk, LLC . Security Issues in Cloud Computing . For NJ ISACA . April 18, 2013 . By: Jennifer Bayuk . 1

ISACA CISM - isecprep.com

ISACA Cloud Computing Risks

IIIT, Hyderabad Cloud Computing for E-Governancesearch.iiit.ac.in/uploads/CloudComputingForEGovernance.pdf · Cloud computing provides a new service consumption and delivery model

ISACA For Student. Agenda- “Move yourself Forward” About ISACA –Professions served –Certifications available ISACA Student Membership –Student Benefits.

ISACA NL Chapter

VIIT ISACA Student Group · VIIT -ISACA Student Group About ISACA As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally

ISACA/CSA CLOUD COMPUTING - Cloud Security … ISACA CLOUD VISION SERIES WHITE PAPER Due to its exponential growth, cloud computing can no longer be considered an emerging technology,

February – May 2019 ISACA Certification Exam Candidate Guide · ISACA Certification Exam Candidate Guide February – May 2019 Exam Prep by ISACA Exam Prep by ISACA Exam Prep by

ISACA@India Newsletter

Isaca final

ISACA Update - ISACA Central Ohio Chapter

BITS PILANI HYDERABAD CAMPUS LIBRARY (28 … 2803November2019_V1.pdfBITS Pilani, Hyderabad Campus Acc.No : 38167 CallNo : 004.6782 SIN-S Cloud Computing is a textbook designed for

Cloud Computing Legal issues - ISACA · PDF fileCloud Computing Legal issues Patrick Van Eecke ... Microsoft PowerPoint - Patrick Van Eecke ISPA Cloud [Compatibility Mode] Author:

Cloud computing with amazon web services (aws) training hyderabad , chennai, delhi, bangalore india

business_intelligence_overview.ppt - ISACA