Cloud Security by Sanjay Willie

8/3/2019 Cloud Security by Sanjay Willie

1/44

Cloud Security

What you need to know

SanjayW (v1.1)


2/44

Cloud computingWhere were you when cloud

computing took over?


3/44

I was..

on


4/44

Agenda

Cloud The birth of..

Define cloud

The general fears and perceptions

Cloud security considerations Conclusion


5/44

When it existed? It existed long before the term

coined

Typical cloud examples Hosted (a lot of them are free) email Online applications

Office365

Salesforce.com Skype (VoIP) Social media (Youtube, Facebook,

Twitter)

File storage/storage hosting

Microsoft SkyDrive Dropbox

And.and.and


6/44

So this CLOUD ....

Is it repackaging?

Is it truly new?

Is this the future?

How does it differ,security wise..?


7/44

Hype or not?


8/44

Cloud is here to stay..

Its no longer in just a hype

BUT. Theres still a lot of work inprogress

Security is still a pressing thought Cloud computing is elusive..?

Old skool..infrastructure and security wise?

Fear of the unknown?


9/44

Ada udang di sebalik

awan


10/44

Gartners 7 top Cloud Security

Concerns/Considerations..

Privilege user access

Compliance

Data Location

Data Segregation Recovery

Support Long term factor (LTF)


11/44

Network stance Indifferent except

It may be hosted outside your environment

Probably better (quicker) scale factor

Takes away CAPEX quite a bit

It is as you would publish to WWW


12/44

Security on LAN is.. Physical

Network

Application

Legislation Etc


13/44

Security Stance It is (still) as strong as the weakest link

(yet again) It may as well ENHANCE security

Nonetheless, if its public facing raisesRED flag

Takes away CAPEX quite a bit


14/44

Security on LAN is..


15/44

Security on WAN is..(still) Physical

Network Application

Legislation

Etc

What are the factors that makes it different?Exposure/threat vectors


16/44

Security on WAN is..


17/44

Security on Cloud is.. Physical

Network Application

Legislation

Etc

What are the factors that makes it different?Responsibilities, threat vectors, control


18/44

Security on Cloud is..


19/44

Why? Fear ofknown unknowns

Fear ofnewunknowns

Lack of tangibility

Lack of visibilityTransparency of operations

Legislative factors

Policy changes


20/44

To love cloud is to know cloud


21/44

Cloud computing 101..


22/44

Lets break it down Software as a service

Platform as a service Infrastructure as a

service

Each, have their own

problems.. Lets analyze them


23/44

Lets break it down.. Public

Private Community

A combination of the above (hybrid)


24/44

Cloud security band wagon.. You inherit the benefits/problems of the

internet You inherit the benefits/problems of the

provider

You inherit the benefits/problems of therespective country/laws

You inherit the benefits/problems of yourneighbors (co-hosting)


25/44

Software As A Service - Problems You do not know what are they doing

Bad software or APIs Shared model could mean shared domain

security

You cannot dictate the software codes


26/44

Platform As A Service - Problems

Poorly developed middleware

May not work with your appsMay lead to a loophole to a good app sitting

above it

The case of one size do not fit all Flexible may not be good here means

room for errors


27/44

Infra As A Service - Problems Skill sets of programmers and infra guys

are unequal Most flexible. Again, not necessarily good

Possibly inherit the {insert good/bad} fromyour existing network


28/44

The responsibility hierarchy


29/44

Responsibility segregation SaaS Mostly them

PaaS You and moderately them

IaaS You and little them


30/44

A wise man once said..Its okay to believe, just as long

as you know!


31/44

Know!... Using {insert provider here}

Where they are deployedHow they are deployed

Type of built-in controls

Compliance

Where they are consumed?

Need for re-perimeterizationSure, love thy neighbor, not necessarily

trusting them..


32/44

The Models, are the same, theapplication is different..


33/44

Fear not the CLOUD..


34/44

Security and Privacy Considerations


35/44

Technical Factors Information/Data LifeCycle

Confidentiality, Integrity, Availability,Authenticity, Authorization, Authentication,and Non-Repudiation


36/44

Technical Factors Security, DR and BCP

Since cloud is relatively new, legacy securityimplementation should be used

See their network and security devices physically

See their NOC/team hierarchy

This also include legacy DR and BCP

Legacy includes physical security Go visit them


37/44

Technical Factors Data center

With cloud at a boom, come more Data Centers

They may have certification of compliance some sort But still request possibility of audit

Their cloud architecture and offering should be clearly defined

Compartmentalization

Network architecture

Resources redundancy

And. And.And

Customer service


38/44

Technical FactorsApplication security

SDLC Based Apps

Hardening of prebuilt OSes

Inter-host communication policy

Credential storage

Where logs are stored should have similar quality as theactual data itself

Backdoor accounts for support?

Auditing rightsBlackbox testing evasion

Vulnerability assessment


39/44

Technical FactorsEncryption and key management

Should we encrypt? Keep private keys out where possible (use your own)

Exposure of key files risk analysis in case keys cannot beseparated

Ensure the encryption complies to industrialstrengths and standards

Data transmitted should also be encrypted


40/44

Technical FactorsIdentity and access management

Proprietary solutions for provisioning i.e. do not use defaults

Authentication

Consider federation instead of decentralized Consider authentication means provided by the big

boys like LIVE-ID, Yahoo, OpenID etc..

Use VPNs as pre-authentication OATH compliance if you want to write your own..


41/44

Technical FactorsVirtualization

Identify the type, do your research Take advantage of quality VM platforms security and controls

Prebuilt VMs Identify their built in IDS/IPS, antivirus,vulnerability management

Get a compliancy for Secure by Default

Protect admin user/interfaces, use strong authentication

Validate VMs pedigree and integrity of the OS templates

Segment and group security boundaries, dmz servers vsdata servers


42/44

By the way, have we considered.. Legal

Risk Management

Compliance

Information Lifecycle Management

Portability and Interoperability


43/44

Conclusion Adopt cloud technology after much

research Use credible providers

You have the right to question

Do not compromise, instead write thecontracts of what you NEED

Plan, plan plan


44/44

Cloud security

Cloud Security by Sanjay Willie

Documents

Transcript of Cloud Security by Sanjay Willie