Cloud can give IT great flexibility, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt a virtual data center (IaaS) or on-line applications (SaaS), you shift the security paradigm as it was conceived up to now. The presentation examines the security implications of a Cloud infrastructure and possible remedies, with practical examples.
1. Identity theft in the Cloud and remedies
Giuseppe “Gippa” Paternò
Friday 26 October 12
2. My identity: Giuseppe “Gippa” Paternò
• Director Digital of GARL, the Swiss bank behind the SecurePass service
• EMEA Sales Engineer of Canonical, the company behind Ubuntu
• Security researcher, open source enthusiast, and friend of the “Penguin” since 1995
• Leisure pilot ... a good excuse to be back in an airport during the weekends :)
• Non-professional Chef (Ramsay, I challenge you :)
• Radio amateur with a passion for “strange” WiFi: my association holds the world record of a 304 km WiFi link!!
3. Cloud, a buzzword with different meanings
IaaS, SaaS, PaaS ... what a MesS!
4. What is meant by “Cloud”
A set of services, usually “rented” from a service provider or from the internal IT department (for large corporations), that enables:
• Flexibility: the ability to expand or reduce our IT infrastructure based on business needs
• Resiliency: high availability of IT services, ensuring business continuity in any event
• Accessibility: access to services anytime and anywhere on earth with a simple Internet connection
• Cost optimization: a true pay-as-you-use IT infrastructure, without wasting money
5. The Cloud: IaaS = Infrastructure as a Service
• Renting a virtual infrastructure from a service provider, composed of virtual servers and virtual networks
• Example: Amazon Web Services, Moresi.Com, etc.
• Security risk: total control of the IT infrastructure by an attacker, with service disruption or silent data leaking (the control panel is accessible from the Internet)
6. The Cloud: SaaS = Software as a Service
• Renting a given application, usually web-based, from a service provider, with high availability and accessible from anywhere
• Example: SalesForce.com, Office 365, etc.
• Security risk: compromising a single identity leads to corporate data leaking to an attacker or competitor
7. The Cloud: PaaS = Platform as a Service
• Renting an “application environment” that hosts YOUR application. Compared to IaaS, PaaS does not focus on the operating system but on “operating” the application environment (app server, languages, frameworks, databases, etc.)
• Example: Microsoft Azure, Google App Engine, CloudFoundry, etc.
• Security risk: total control of the application(s) by an attacker, with service disruption (the control panel is accessible from the Internet) and corporate data leaking (users’ identity theft)
8. Let’s make things complicated: BYOD
• Yet another marketing buzzword :)
• BYOD = Bring Your Own Device
• Basically the use of a “consumer” device within a corporate environment: iPad/iPhone/Android/...
• Security risk: a lost or stolen device means access to confidential data. Many apps for iOS/Android embed a “static key” that bypasses the identification process altogether, so whoever holds the device holds the access.
9. Famous victims of identity theft
... and many others!
10. Identity theft in numbers
• 10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
• 221 billion dollars lost every year due to identity theft (Aberdeen Group)
• 5840 hours to correct the damage due to identity theft, i.e. 2 years of a working resource (ITRC Aftermath Study, 2004)
• 35 billion corporate and government records compromised in 2010 (ITRC)
• 2 is the multiplication factor of the number of breaches from 2009 to 2010: the trend of data breaches due to identity theft is doubling each year
11. Human factor, an example in aviation
An organization can minimize its vulnerability to human error and reduce its risks by implementing human factors best practices [...] It contains guidance material which [...] should help reduce the risks associated with human error and human factors, and improve safety. It [...] concentrates upon risk and error management rather than risk and error elimination.
(EASA, JAR 145, Aviation Human Factors)
12. Human factor in IT (in)security
• The human factor is the primary cause of intrusions by hackers, foreign government agencies or the competition. Two major issues:
• Passwords that are easy to guess or crack
• Social engineering
• Hope is not a strategy!
13. Best practices, why they don’t work
• Maybe the most adopted is BS 7799 / ISO 17799, which eventually became the ISO 27001/27002 standards
• Most best practices cover physical access, server hardening, network access and segregation, etc.
• They just don’t make sense anymore in a Cloud environment, where the physical and network layers are no longer under your control
• ... but they can still be helpful to select our supplier
• What still makes sense is access control:
• secure identification of a given user (identity management)
• checking and logging who’s doing what (auditing)
• permissions/rights to access a given piece of data or document (policy management)
16. Identity theft remedies
Security must be simple and transparent to the end user, otherwise it will be circumvented!
• Strong authentication of the users (a second factor, so a guessed or phished password alone is not enough)
• Identify the country the user is connecting from (GeoIP) and compare it with where that user is expected to be
• Patches, patches and ... patches!
• Secure application programming
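As an added example (not from the slides and not SecurePass code), the two access-control remedies above, strong authentication with a software token and a GeoIP country check, combined into one login decision in Python. The token part follows RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC’s published test seed so the codes can be checked against the RFC tables; the GeoIP table, the user record, its salt, the allowed-country policy and the function names are constructed for this example and are assumptions, not anything the slides describe.

```python
# Added example, not code from the slides or from SecurePass: a login
# decision that combines a TOTP software token (RFC 6238) with a GeoIP
# country check. GeoIP table, user record and policy are constructed.
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a GeoIP database (network -> ISO country code).
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "CH"),
    (ipaddress.ip_network("198.51.100.0/24"), "IT"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]


def country_of(ip: str) -> str:
    """Return the ISO country code for an address, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return "??"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record. The token seed is the RFC 6238 test-vector seed,
# chosen so the expected codes can be checked against the RFC's tables.
USERS = {
    "alice": {
        "pw_salt": b"constructed-salt",
        "pw_hash": pw_hash("correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
        "allowed_countries": {"CH", "IT"},
        "last_counter": -1,   # highest time step already accepted (replay guard)
    }
}


def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(pw_hash(password, user["pw_salt"]), user["pw_hash"])


def check_totp(user: dict, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift),
    but never a step at or below the last one used, so a captured code
    cannot be replayed."""
    base = at // TOTP_STEP
    for counter in range(base - window, base + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def login(username: str, password: str, code: str, ip: str, at: int):
    """Return (ok, reason). The reason is for the audit log only; the user
    should see the same generic failure message whichever factor failed."""
    user = USERS.get(username)
    if user is None:
        pw_hash(password, b"dummy-salt")   # same cost for unknown users
        return False, "password"
    if not check_password(user, password):
        return False, "password"
    if country_of(ip) not in user["allowed_countries"]:
        return False, "country"
    if not check_totp(user, code, at):
        return False, "totp"
    return True, "ok"


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test vector: SHA-1 code 94287082 -> 287082.
    print(totp(b"12345678901234567890", 59))
    print(login("alice", "correct horse", "287082", "192.0.2.10", 59))
    print(login("alice", "correct horse", "287082", "192.0.2.10", 59))  # replayed
```

Two details matter in practice. The drift window lets a phone whose clock is one step off still log in, but the `last_counter` guard means a code captured on the wire (or read over someone’s shoulder) is dead as soon as it has been used once. The country check is a signal, not a proof: a real deployment reads a maintained GeoIP database instead of the constructed table, and VPNs or proxies can place a user in the wrong country, so a mismatch is best treated as a reason to demand the second factor or alert, not as a silent lockout.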
17. Intranet vs the Cloud and Trusted third party
• In a “traditional” world, Microsoft Active Directory usually covers the identity management, auditing and policy role
• AD was not conceived to fit a Cloud environment or to be accessed from “outside” company boundaries (or firewalls)
• A distributed identity management system is needed that implements something like Microsoft Active Directory for Cloud environments, reduces “human errors” through strong authentication and is operated by a trusted third party.
18. A possible solution: SecurePass
• SecurePass is a Unified Secure Access platform for Cloud, web applications and security devices (VPN, firewalls, ...)
• Strong authentication, with hardware tokens or software tokens on smartphones (iOS/Android/BlackBerry)
• Identity Management, with personnel’s information
• Seamless web Single Sign-On, to simplify user access (and avoid circumventions)
• Based on open protocols: LDAP, RADIUS and CAS
• Easy to integrate: protect your infrastructure and applications in a few minutes.
• Guaranteed by a Swiss bank
19. Case Study: Moresi.Com
• Housing / hosting provider in Switzerland with two data centers, constantly expanding
• Highly selected customers, including banks and national and international companies
• Moving the focus from traditional housing / hosting to a cloud provider (VMware vCloud based)
• Each customer has access to a “virtual datacenter” that it can orchestrate at will
• Objective: establish secure access to the virtual datacenters
21. Case Study: Insurance company
• World’s second largest multinational insurance company, 48 subsidiaries worldwide, each one with its own board of directors, CEO and CFO
• All CxO level members access confidential documents on the move from any device (laptop, tablet, smartphone), with a high risk of data leaking
• Objective: provide secure access to the board of directors’ classified documents and avoid information leaking, through an ad-hoc secure Java-based web application
22. Case Study: Automotive company
• One of the top 5 automotive suppliers in the world, with over 120,000 employees
• Needs to solve the security issues connected to BYOD (Bring Your Own Device) by employees and top managers, in particular tablets and smartphones
• Objective: provide secure access to corporate resources from BYOD through SSL VPNs and ad-hoc portals
23. SecurePass Contest 2012
• Integrate SecurePass and publish a story in a blog or on-line magazine. A good excuse for:
• testing SecurePass for free
• learning something new
• letting your boss or your customers know that you care about security
• ... and winning something ;-)
• http://www.secure-pass.net/contest2012
24. Q&A
Giuseppe Paternò
gpaterno@gpaterno.com
gpaterno@garl.ch
Web sites:
www.gpaterno.com
www.secure-pass.net
Twitter: @gpaterno