Managing Cloud Security Risks in Your Organization

Managing Cloud Security Risks
in your organization

23 November 2013
Seminar Kriptografi dan Keamanan Informasi
Sekolah Tinggi Sandi Negara
Menara 165, JL TB Simatupang Kav 1,
Cilandak, Jakarta Selatan
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

About me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher – Information Security Research Group and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently a doctoral student in University of Indonesia
Research Interest
Malware
Intrusion Detection
Vulnerability Analysis
Digital Forensics
Cloud Security
Community
Indonesia Honeynet Project - Chapter Lead
Academy CSIRT - member
Master of Information

AGENDA
 Cloud

Computing

 Cloud

Security

 Cloud

Risks

 CSA

– Cloud Security Alliance

 Case
 Safe

Study – SSH decrypted

Cloud – is it possible?

 Related

Works

 Conclusion

 References

3

Cloud Computing – NIST Definition
 NIST

define 5 essential characteristics, 3
Service models, 4 cloud deployment models

 http://csrc.nist.gov/publications/nistpubs/800-

145/SP800-145.pdf


4

Service Models
 IaaS

= Infrastructure
as a Service

 PaaS

= Platform as a
Service

 SaaS

= Software as a
Service

 XaaS

= Anything as a
Service (not included
in NIST)


5

Cloud Taxonomy


6

Where are the risks?


7

Cloud Computing Consideration


Challenges and benefits


The Hybrid enterprise

private clouds
public clouds

Extended Virtual Data Center
•
•
•
•

Notional
organizational
boundary

Dispersal of applications
Dispersal of data
Dispersal of users
Dispersal of endpoint devices


cloud of users

Good Practice is the key

Compliance
+ Audit

Certification
+ Standards

Good Governance, Risk and Compliance

Industry recognized certification

Secured
Infrastructure

Secured and tested technologies

Data Security

Data Security Lifecycle


Cloud Computing – Top Threats/Risks


Shared Technologies Vulnerabilities


Data Loss / Leakage


Malicious Insiders


Interception or Hijacking of traffic


Insecure APIs


Nefarious use of service


Unknown Risk Profiles


CSA – Cloud Security Framework
Cloud Architecture
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management

G
o
v
e
r
n
i
n
g

Portability and Interoperability

Security, Bus. Cont,, and Disaster Recovery

Operating in the Cloud

Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization


t
h
e
C
l
o
u
d

CSA – Cloud Security Framework Domain
Understand Cloud Architecture
Governing in the Cloud
1. Governance & Risk Mgt

2. Legal and Electronic
Discovery
3. Compliance & Audit
4. Information Lifecycle
Mgt
5. Portability &
Interoperability

Operating in the Cloud
1. Security, Business
Continuity and Disaster
Recovery
2. Data Center Operations
3. Incident Response
4. Application Security
5. Encryption & Key Mgt
6. Identity & Access Mgt
7. Virtualization


Domain 2
Domain3
Governance
Legal and
and
Enterprise
Electronic
Discovery
Risk
Management
Domain 7
Traditional
Domain 11
Domain 12
Security, Business
Encryption and
Identity and
Continuity, and
Key
Access
Disaster Recovery
Management
Management

Domain 5
Information
Lifecycle
Management

Domain 6
Portability and

Domain
Domain 7
11
Domain 12
Domain 9
Traditional
Encryption and Key
Identity and Access
Security, Business
Incident
Management
Management
Continuity, and
Response, Notificati
Disaster Recovery
on, and Remediation

Interoperability

Domain 10
Application
Security

Domain 13
Virtualization

Domain 6
Portability
and
Interoperability

Domain 2
Governance
and
Enterprise
Risk
Management

Domain 4
Domain 6
Domain 8
Portability

Data and
Center
Operations
Interoperability


Compliance
and Audit

How
Security
Gets
Integrated

CSA – Cloud Assessment Framework


Sample Assessment Governance

• Best opportunity to secure cloud engagement is

before procurement – contracts, SLAs, architecture

• Know provider’s third parties, BCM/DR, financial
viability, employee vetting

•
•
•
•

Identify data location when possible
Plan for provider termination & return of assets
Preserve right to audit where possible
Reinvest provider cost savings into due diligence


Sample Assessment Operation

•

Encrypt data when possible, segregate key mgt from
cloud provider

•
•

Adapt secure software development lifecycle

•

Logging, data exfiltration, granular customer
segregation

•
•

Hardened VM images

Understand provider’s patching, provisioning,
protection

Assess provider IdM integration, e.g. SAML, OpenID


Cloud Control Matrix Tool
Controls derived from
guidance
Rated as applicable to SP-I
Customer vs Provider role
Mapped to ISO
27001, COBIT, PCI, HIPA
A
Help bridge the “cloud
gap” for IT & IT auditors

Cloud Adoption - Challenges
Market Perception toward cloud


Case Study – SSH decrypted (VM)
 Based

 Key

on Brian Hay and Kara Nance paper

Motivation:

 Malware

encrypted communication with C & C

 Law

Enforcement capability to monitor deployed
cloud and enterprise VM

 Novelty:
 Visibility

into cryptographically protected data and
communication channels

 No

modifications to VM


 Approach:
 Identification

(Processes of crypto lib and calls made

to the lib)
 Recovery

(input to & output to – crypto functions)

 Identification

(crypto keys)

 Recovery

(crypto keys above)

 Recovery

of plaintext (using recovered keys)

 How

to

 Minimum

described in the paper

 Keywords
 Xen

platform, libvirt, sebek techniques


 Sebek

Installation & Operation

 http://www.honeynet.org/project/sebek

 http://www.sans.org/reading-

room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996
 http://vimeo.com/11912850

 Limitation
 Sebek

modules can be detected with rootkit detection

tools

Safe Cloud – is it possible?
 Big

Question: Is it possible to have a safe
cloud? (https://www.safeswisscloud.ch)


35

New Development – Cloud Crypto

https://itunes.apple.com/us/app/cloudcapsule/id673662021


36

Related Works
 Related

Works
Lim et. al. ,
“Risk Analysis and comparative study of
Different Cloud Computing Providers
In Indonesia,"
ICCCSN 2012

Amanatullah et. al.
"Toward Cloud Computing Reference
Architecture: Cloud Service Management
Perspective,”
ICISS 2013


Other Security-related Publications
 Related

Works
Lim et. al. ,
"Forensics Analysis of Corporate and Personal Information Remaining
on Hard Disk Drives Sold on the Secondhand Market in Indonesia,"
Advanced Science Letters, 2014

Suryajaya et. al.
"PRODML Performance Evaluation as
SOT Data Exchange Standard,”
IC3INA 2013


Conclusion
is no 100% security  It is all about
managing risks

 There

 It

all depends on single, exploitable
vulnerability (the weakest link)

 Cloud

greatest risk is still the insiders

 CSA

Risk Assessment helps to bridge the gap
between the Cloud model and compliance

 Uncovering

crypto keys in the cloud is
possible  important to malware research


References
– Cloud computing risk assessment
(http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloudcomputing-risk-assessment)

 ENISA

 Cloud

Security Alliance
(https://cloudsecurityalliance.org/)

 Hay,

Brian, and Kara Nance. "Circumventing
cryptography in virtualized environments." In
Malicious and Unwanted Software
(MALWARE), 2012 7th International
Conference on, pp. 32-38. IEEE, 2012.


Questions


42

Managing Cloud Security Risks in Your Organization

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Managing Cloud Security Risks in Your Organization

Similar a Managing Cloud Security Risks in Your Organization (20)

Más de Charles Lim

Más de Charles Lim (10)

Último

Último (20)

Managing Cloud Security Risks in Your Organization