Practical Security Advice for the Cloud
Presented by Chirag Joshi, M.S., CISA, CISM, CRISC, MCTS
Brave New World
https://www.domo.com/learn/data-never-sleeps-5
Agenda
• Cutting through buzzwords, hype and complexities
• Cloud Computing Overview
• Security Risks
• Governance Controls
• Practical Technical Controls
What is Cloud Computing?
Source: Internet
Cloud Architecture Components
Source: NIST SP 500-292
Security Risks
Source: Internet
How Risky is the Cloud?
“If the data breach involves the loss or theft of 100,000 or more customer records, instead of an average cost of $2.37 million it could be as much as $5.32 million. Data breaches involving the theft of high value information could increase from $2.99 million to $4.16 million.”
- From “Data Breach: The Cloud Multiplier Effect” conducted by Ponemon Institute LLC, June 2014
How Risky Really is the Cloud?
Gartner’s position that I strongly agree with:
• Public clouds are usually a more secure starting point than in-house implementations.
• Public cloud workloads can be more secure than in-house workloads.
• SaaS applications can have security and continuity advantages.
Justification:
• No evidence indicates that Cloud Providers have performed less securely than end-user organizations.
• Tier 1 cloud providers have far more resources, capabilities and sophisticated controls than most end-user organizations.
• It’s all about understanding that cloud security is a shared responsibility!
Practical Cloud Security Risks
● Unauthorized data exposure and leakage
  • Misconfigurations, especially with AWS S3 buckets and EBS snapshots, are becoming a huge concern
● Loss of critical system availability and data
● Legal, Regulatory and Sovereignty non-compliance
● Security events monitoring and Incident Response
● Inadequate Business Continuity and Disaster Recovery planning
● Third and Fourth party security failures
● Governance and Vendor-lock-ins
YEAR RELEVANT INCIDENTS
2014
• Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.
• News aggregator Feedly and note-taking app Evernote were knocked offline by DDoS attacks in what looked like a series of coordinated cyber-attacks. The intent was to extort money for resuming normal operations.
2015
• The US Internal Revenue Service (IRS) exposed over 700,000 sensitive records via a vulnerable API.
• BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords stolen due to a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000.
2016
• Children in Film, a medium-sized firm using cloud hosting services, had a ransomware infection on 4000+ of its important files. Recovery from backup took several days to complete.
2017
• Between 2.2 million and 4 million Dow Jones customers’ sensitive financial and personal details were exposed due to wrong privacy settings on an AWS S3 bucket.
• 200 million US voters’ data was exposed to the Internet via AWS S3 buckets and could have been utilized for nefarious purposes.
2018
• An unsecured Amazon S3 storage server exposed thousands of FedEx customer records, including civilian and military ID cards, resumes, bills, and more.
References listed on last slide of the presentation
Cloud Security Alliance’s Treacherous 12
Source: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
1. Data Breaches
2. Insufficient Identity, Credential and Access Mgmt
3. Account Hijacking
4. Insecure Interfaces and APIs
5. System Vulnerabilities
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious use of cloud services
11. Denial of Service
12. Shared Technology Vulnerabilities
Top 11 Cloud Security Risks - ENISA
Source: European Union Agency for Network and Information Security, Cloud Security Guide for SMEs
1. Software Security Vulnerabilities
2. Network Attacks
3. Social Engineering Attacks
4. Management GUI and API compromise
5. Device theft/loss
6. Physical Hazards
7. Overloads
8. Unexpected costs
9. Vendor lock-in
10. Administrative or legal outages
11. Foreign jurisdiction issues
Governance Controls
Cloud Security Considerations
• Understand business requirements: define use cases
• Criticality and sensitivity of information involved:
  • Data classification and corresponding security controls
  • Understand data sovereignty, privacy and records retention impact
• Governance arrangements: clarity of responsibilities, incident management, cost over-runs, BCP/DR – account for archiving to a different provider if the main organization goes out of business or vendor lock-in
• Contracts: data delivery in agreed formats, supply chain risks, right to audit, standard security clauses, data ownership, SLAs
• Adopt a risk-based and data-centric approach
ASD Certified Cloud Services List
Technical Controls
Source: Internet
1. Cloud Access Security Broker (CASB)
Popular Use Cases:
• Understanding and addressing Shadow IT
• Protecting Data uploaded to or created in the cloud
• Secure Cloud Collaboration such as external sharing
• Logging and Auditing visibility
CASB – Deployment and Integrations
Source: Gartner (© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.)
Deployment modes:
• API Mode
• Forward Proxy Mode
• Reverse Proxy Mode
Diagram (not reproduced): managed and unmanaged endpoints reach sanctioned and unsanctioned cloud apps through the CASB, which integrates via forward proxy, reverse proxy, API mode against the cloud APIs, and a log feed from the existing SWG/FW. Traffic is steered to the CASB by agent, PAC file, DNS or SSO. CASB policy functions shown: DLP, encryption, user activity logging, device management, identity and threat protection.
CASB – Gartner Magic Quadrant Nov 2017
2. Data Loss Prevention
• Sensitive data discovery
• Protection against unauthorized information disclosure
https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e?ui=en-US&rs=en-US&ad=US#locations
DLP - Location and Scope of Control
DLP - Rules
DLP - Control in Action
3. Information Rights Management
• Persistent protection against unauthorized information access and distribution
• Utilizes a combination of encryption, identity and authorization policies
Example of cloud-based IRM utilizing Azure Rights Management:
https://docs.microsoft.com/en-us/information-protection/understand-explore/how-does-it-work
IRM – Control in Action
https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection
Practical Advice for Technical Controls
• How do I get visibility in my Cloud environments?
  CASBs, APIs and potentially security rating tools.
• How do I secure my users?
  Identity and Access Management (MFA, SSO), Privileged Access Management, Adaptive access controls.
• How do I secure and protect my data against threats?
  DDoS protection including network redundancy, sensitive data monitoring, DLP, Encryption at rest and in-transit, Information Rights Management, Anti-malware scanning, content sandbox and User Entity Behavior Analytics (UEBA).
• How do I secure my applications/actions?
  Transport Encryption, Usage reporting, Auditing, logging/alerting.
Thinking of AWS or Azure?
• Get Identity and Access Management right – make sure MFA is enabled for all root and privileged accounts!
• Ensure secure configurations for instances
• Encrypt data where practical – cloud-based Key Management Services are quite reliable
• Enable inspection and segmentation of traffic to instances
• Lots of apps in Office 365 and ever-increasing AWS functionality can turn into a scaling nightmare. Establish governance around assessing apps that’ll be released.
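As an added example (not part of the deck or of any AWS tooling), a stdlib-only Python script that checks for the two failures this deck singles out: S3 buckets opened to everyone through a bucket policy or ACL, and root or privileged IAM accounts without MFA. It runs on constructed sample inputs shaped like a bucket policy, a GetBucketAcl response and an IAM credential report; the bucket name, account id, user names and the privileged-user list are made up.

```python
import csv
import io
import json

# S3 ACL grantee groups that mean "anyone on the Internet" / "any AWS account"
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """A bucket-policy Principal of "*" or {"AWS": "*"} matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return Sids of Allow statements any principal can use with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if st.get("Condition"):  # e.g. aws:SourceVpce restricts it: manual review, not auto-flag
            continue
        findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def accounts_without_mfa(credential_report_csv, privileged_users=()):
    """Return root and privileged users that can use the console without MFA.
    The credential report lists root as "<root_account>" with password_enabled
    "not_supported"; root can always log in, so it is checked unconditionally."""
    findings = []
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if not (is_root or user in privileged_users):
            continue
        console_capable = is_root or row.get("password_enabled") == "true"
        if console_capable and row.get("mfa_active") != "true":
            findings.append(user)
    return findings


# --- Constructed sample inputs (made-up bucket, account id and users) ---
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "AdminRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})

SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"},
]}

# Subset of the real credential report columns, constructed for the example
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
svc-backup,arn:aws:iam::123456789012:user/svc-backup,false,false,true
"""
PRIVILEGED_USERS = ("alice", "bob")  # e.g. members of an admin group (constructed)


def audit(policy_json=SAMPLE_POLICY, acl=SAMPLE_ACL,
          report=SAMPLE_CREDENTIAL_REPORT, privileged=PRIVILEGED_USERS):
    """Run all three checks and return the findings as one dict."""
    return {
        "public_policy_statements": public_policy_statements(policy_json),
        "public_acl_grants": public_acl_grants(acl),
        "accounts_without_mfa": accounts_without_mfa(report, privileged),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits or 'OK'}")
```

Against real accounts the same functions can be fed the output of GetBucketPolicy, GetBucketAcl and GetCredentialReport; statements with a Condition are deliberately left for manual review rather than auto-flagged.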
Identity is the New Perimeter and Humans are the New Firewalls
Gartner’s predictions:
● Strategic Planning Assumption: By 2020, 50% of enterprises will require an approved exception to
put new workloads in house.
● Strategic Planning Assumption: By 2022, we will stop referring to the exceptional scenario as "cloud
computing," and instead, will use "local computing" to describe the less common model.
Useful Links and Resources
● https://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm
● http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome
● https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security
● https://www.asd.gov.au/infosec/irap/certified_clouds.htm
● https://cloudsecurityalliance.org/guidance/#_overview
● https://www.nist.gov/publications/nist-cloud-computing-reference-architecture?pub_id=909505
● http://go.netskope.com/rs/netskope/images/Ponemon-DataBreach-CloudMultiplierEffect-June2014.pdf
● http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access.html
References for Incidents
● https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
● https://techcrunch.com/2014/06/11/feedly-evernote-and-others-become-latest-victims-of-ddos-attacks/
● https://threatpost.com/one-year-after-hack-irs-debuts-updated-get-transcript-service/
● https://www.forbes.com/sites/thomasbrewster/2015/07/31/bitdefender-hacked/
● https://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
● https://www.theregister.co.uk/2017/07/18/dow_jones_index_of_customers_not_prices_leaks_from_aws_repo/
● https://www.symantec.com/connect/blogs/casb-rescue-story-data-exposure-aws-s3-buckets
● https://www.techrepublic.com/article/leaked-fedex-customer-data-was-stored-on-amazon-s3-server-with-no-password/

More Related Content

What's hot

Information and Identity Protection - Data Loss Prevention, Encryption, User ...
Information and Identity Protection - Data Loss Prevention, Encryption, User ...Information and Identity Protection - Data Loss Prevention, Encryption, User ...
Information and Identity Protection - Data Loss Prevention, Encryption, User ...
Symantec APJ
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Michael Noel
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime WhitepaperCloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime Whitepaper
Martin Ruubel
 
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime WhitepaperKSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
Martin Ruubel
 

What's hot (20)

6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data security
 
Information and Identity Protection - Data Loss Prevention, Encryption, User ...
Information and Identity Protection - Data Loss Prevention, Encryption, User ...Information and Identity Protection - Data Loss Prevention, Encryption, User ...
Information and Identity Protection - Data Loss Prevention, Encryption, User ...
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...
 
Power Saturday 2019 E1 - Office 365 security
Power Saturday 2019 E1 - Office 365 securityPower Saturday 2019 E1 - Office 365 security
Power Saturday 2019 E1 - Office 365 security
 
Arbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat AnalyticsArbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat Analytics
 
Emma Aubert | Information Protection
Emma Aubert | Information ProtectionEmma Aubert | Information Protection
Emma Aubert | Information Protection
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Nicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security CenterNicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security Center
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective StrategiesData Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective Strategies
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime WhitepaperCloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime Whitepaper
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices
 
Harald Leitenmüller | DSGVO - globaler, zeitgemäßer Datenschutzstandard für M...
Harald Leitenmüller | DSGVO - globaler, zeitgemäßer Datenschutzstandard für M...Harald Leitenmüller | DSGVO - globaler, zeitgemäßer Datenschutzstandard für M...
Harald Leitenmüller | DSGVO - globaler, zeitgemäßer Datenschutzstandard für M...
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime WhitepaperKSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...
MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...
MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
 

Similar to Practical Security for the Cloud

Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
Valencell, Inc.
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloud
Ulf Mattsson
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
Amazon Web Services
 

Similar to Practical Security for the Cloud (20)

Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Securing the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and BeyondSecuring the Skies: Navigating Cloud Security Challenges and Beyond
Securing the Skies: Navigating Cloud Security Challenges and Beyond
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
 
Global Security Certification for Governments
Global Security Certification for GovernmentsGlobal Security Certification for Governments
Global Security Certification for Governments
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
 
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdfUNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
Cloud computing risks
Cloud computing risksCloud computing risks
Cloud computing risks
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloud
 
A017130104
A017130104A017130104
A017130104
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud Computing
 
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNetAWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Practical Security for the Cloud

  • 1. Practical Security Advice for the CloudPresented by Chirag Joshi, M.S., CISA, CISM, CRISC, MCTS
  • 3. Agenda  Cutting through buzzwords, hype and complexities  Cloud Computing Overview  Security Risks  Governance Controls  Practical Technical Controls
  • 4. What is Cloud Computing?
  • 8. “If the data breach involves the loss or theft of 100,000 or more customer records, instead of an average cost of $2.37 million it could be as much as $5.32 million. Data breaches involving the theft of high value information could increase from $2.99 million to $4.16 million - From “Data Breach: The Cloud Multiplier Effect” conducted by Ponemon Institute LLC, June 2014 How Risky is the Cloud?
  • 9. Gartner’s position that I strongly agree with:  Public clouds are usually a more secure starting point than in-house implementations.  Public cloud workloads can be more secure than in-house workloads.  SaaS applications can have security and continuity advantages. Justification:  No evidence indicates that Cloud Providers have performed less securely than end-user organizations.  Tier 1 cloud providers have far more resources, capabilities and sophistated controls than most end-user organizations.  It’s all about understanding that cloud security is a shared responsibility! How Risky Really is the Cloud?
  • 10. Practical Cloud Security Risks ● Unauthorized data exposure and leakage  Misconfigurations especially with AWS S3 buckets and EBS snapshots are becoming a huge concern ● Loss of critical system availability and data ● Legal, Regulatory and Sovereignty non-compliance ● Security events monitoring and Incident Response ● Inadequate Business Continuity and Disaster Recovery planning ● Third and Fourth party security failures ● Governance and Vendor-lock-ins
  • 11. YEAR RELEVANT INCIDENTS 2014 • Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business. • News aggregator, Feedly and note taking app, EverNote were knocked offline by DDoS attack in what looked like a series of coordinated cyber-attacks. Intent was to extort money for resuming normal operations. 2015 • the US Internal Revenue Service (IRS) exposed over 700,000 sensitive records via a vulnerable API. • BitDefender, an antivirus firm, had an undisclosed number of customer usernames and passwords stolen due to a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000. 2016 • a medium-sized firm Children in film using cloud hosting services, had a ransomware infection on its 4000+ important files. Recovery from backup took several days to be completed. 2017 • Between 2.2 million to 4 million Dow Jones customers’ sensitive financial and personal details were exposed due to wrong privacy settings on AWS S3 bucket. • 200 million US voters data was exposed to the Internet via AWS S3 buckets and could have been utilized for nefarious purposes. 2018 • An unsecured Amazon S3 storage server exposed thousands of FedEx customer records, including civilian and military ID cards, resumes, bills, and more. References listed on last slide of the presentation
  • 12. European Union Agency for Network and Information Security, Cloud Security Guide for SMEs https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf Top 11 Cloud Security Risks - ENISA 1. Data Breaches 2. Insufficient Identity, Credential and Access Mgmt 3. Account Hijacking 4. Insecure Interfaces and APIs 5. System Vulnerabilities 6. Malicious Insiders 7. Advanced Persistent Threats 8. Data Loss 9. Insufficient Due Diligence 10.Abuse and Nefarious use of cloud services 11.Denial of Service 12.Shared Technology Vulnerabilities Cloud Security Alliance’s Treacherous 12 1. Software Security Vulnerabilities 2. Network Attacks 3. Social Engineering Attacks 4. Management GUI and API compromise 5. Device theft/loss 6. Physical Hazards 7. Overloads 8. Unexpected costs 9. Vendor lock-in 10.Administrative or legal outages 11.Foreign jurisdiction issues
  • 14. Cloud Security Considerations  Understand Business requirements: Define use cases  Criticality and Sensitivity of information involved:  Data classification and corresponding security controls  Understand data sovereignty, privacy and records retention impact  Governance arrangements: clarity of responsibilities, incident management, cost over-runs, BCP/DR – account for archiving to a different provider if the main organization goes out of business or vendor lock-in  Contracts: data delivery in agreed formats, supply chain risks, right to audit, standard security clauses, data ownership, SLAs  Adopt a risk-based and data-centric approach
  • 15. ASD Certified Cloud Services List
  • 17. 1. Cloud Access Security Broker (CASB) Popular Use Cases: • Understanding and addressing Shadow IT • Protecting Data uploaded to or created in the cloud • Secure Cloud Collaboration such as external sharing • Logging and Auditing visibility
  • 18. 6 © 2017 Gartner, Inc. and/or its affiliates. All rights reserved.  API Mode  Forward Proxy Mode  Reverse Proxy Mode Unsanctioned Cloud Apps Sanctioned Cloud Apps Cloud APIs Reverse Proxy Forward Proxy Existing SWG/FW API Mode Log Feed Managed Endpoints Unmanaged Endpoints 1 2 3 4 Policy  Agent  PAC file  DNS  SSO CASB DLP Encrypt User Activity Logging Device Mgmt Identity Threat Protect Source: Gartner CASB – Deployment and Integrations
  • 19. CASB – Gartner Magic Quadrant Nov 2017
  • 20. 2. Data Loss Prevention (https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e?ui=en-US&rs=en-US&ad=US#locations)
     Sensitive data discovery
     Protection against unauthorized information disclosure
  • 21. DLP - Location and Scope of Control
  • 23. DLP - Control in Action
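The two DLP functions named on slide 20 (sensitive data discovery, then a policy decision that prevents disclosure) in working form, as an added example that is not part of the deck or of any vendor's product. It scans a handful of constructed sample documents for payment card numbers (candidate digit runs confirmed with the Luhn check, so that look-alike tracking numbers are not flagged) and US SSN-shaped values, masks what it finds so the report itself does not leak the data, and applies a constructed "block sharing at one or more findings" threshold:

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for files discovered in a cloud file store.
SAMPLE_DOCS = {
    "invoice.txt": "Bill to card 4111 1111 1111 1111, contact billing@example.com",
    "notes.txt": "Order ref 4111 1111 1111 1112 is a tracking number, not a card",
    "hr.txt": "Employee SSN 123-45-6789 on file",
}


@dataclass(frozen=True)
class Finding:
    doc: str
    kind: str
    masked: str   # value with everything but the last four characters masked
    offset: int   # character offset of the match inside the document


# 13-19 digit runs with optional space/dash separators: candidate card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the finding is safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(doc: str, text: str) -> list:
    """Discovery step: return masked findings for every sensitive value in one document."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(doc, "credit_card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(doc, "ssn", mask(m.group()), m.start()))
    return findings


def scan_documents(docs: dict = None) -> dict:
    """Run discovery over every document; maps document name to its findings."""
    docs = SAMPLE_DOCS if docs is None else docs
    return {doc: scan_text(doc, text) for doc, text in docs.items()}


def sharing_decision(findings: list, block_at: int = 1) -> str:
    """Protection step: a constructed policy that blocks external sharing once
    a document carries block_at or more sensitive values."""
    return "block" if len(findings) >= block_at else "allow"


if __name__ == "__main__":
    for doc, found in scan_documents().items():
        print(doc, sharing_decision(found), [(f.kind, f.masked) for f in found])
```

The threshold in sharing_decision is the tunable part: real DLP policies typically require several matches before blocking, and pair a block with a user notification, so the count and the action are where a policy author spends their time.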
  • 24. 3. Information Rights Management
     Persistent protection against unauthorized information access and distribution
     Utilizes a combination of encryption, identity and authorization policies
    Example of cloud based IRM utilizing Azure Rights Management: https://docs.microsoft.com/en-us/information-protection/understand-explore/how-does-it-work
  • 25. IRM – Control in Action https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection
  • 26. Practical Advice for Technical Controls
    • How do I get visibility in my Cloud environments?
       CASBs, APIs and potentially security rating tools.
    • How do I secure my users?
       Identity and Access Management (MFA, SSO), Privileged Access Management, Adaptive access controls.
    • How do I secure and protect my data against threats?
       DDoS protection including network redundancy, sensitive data monitoring, DLP, Encryption at rest and in-transit, Information Rights Management, Anti-malware scanning, content sandbox and User Entity Behavior Analytics (UEBA).
    • How do I secure my applications/actions?
       Transport Encryption, Usage reporting, Auditing, logging/alerting.
  • 27. Thinking of AWS or Azure?
     Get Identity and Access Management Right – Make sure MFA is enabled for all root and privileged accounts!
     Ensure secure configurations for instances
     Encrypt data where practical – cloud-based Key Management Services are quite reliable
     Enable inspection and segmentation of traffic to instances
     Lots of apps in Office 365 and ever increasing AWS functionalities can turn into a scaling nightmare. Establish governance around assessing apps that’ll be released
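The first, second and fourth points on slide 27, plus the S3 misconfiguration concern raised earlier in the deck, as checks a reviewer can run against exported account data. This is an added example, not the presenter's code or any AWS tooling: the inputs are constructed samples (a cut-down IAM credential report with a subset of its real columns, a bucket policy document, and a security group in the shape of describe-security-groups output), the set of privileged users is assumed rather than looked up, and the account id and group id are placeholders:

```python
import csv
import io
import json

# Constructed subset of the IAM credential report columns (the real report has more).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""

# Assumed: users holding administrative policies (in practice read from the IAM API).
PRIVILEGED_USERS = {"alice", "bob"}

# Constructed bucket policy: one statement is open to everyone, one is scoped to a role.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed security group in the shape of describe-security-groups output.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
ADMIN_PORTS = (22, 3389)
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def find_mfa_gaps(report_csv: str, privileged: set) -> list:
    """Root and privileged users that can sign in interactively without MFA."""
    gaps = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        interactive = is_root or row["password_enabled"] == "true"
        if interactive and (is_root or row["user"] in privileged) and row["mfa_active"] != "true":
            gaps.append(row["user"])
    return gaps


def root_has_access_keys(report_csv: str) -> bool:
    """Root should never hold long-lived access keys; flag if any are active."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row["access_key_1_active"] == "true"
    return False


def _is_anonymous(principal) -> bool:
    # Principal "*" or {"AWS": "*"} means every AWS account and anonymous users.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json: str) -> list:
    """Sids of unconditional Allow statements that grant access to everyone."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_anonymous(s["Principal"]) and "Condition" not in s]


def open_admin_ports(sg: dict) -> list:
    """(port, cidr) pairs where SSH or RDP is reachable from the whole internet."""
    hits = []
    for perm in sg["IpPermissions"]:
        all_ports = perm["IpProtocol"] == "-1"
        lo = 0 if all_ports else perm.get("FromPort", 0)
        hi = 65535 if all_ports else perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in ADMIN_PORTS:
            for cidr in cidrs:
                if lo <= port <= hi and cidr in ANY_CIDR:
                    hits.append((port, cidr))
    return hits


def audit() -> dict:
    """Run every check over the sample inputs; empty lists and False mean clean."""
    return {
        "mfa_gaps": find_mfa_gaps(CREDENTIAL_REPORT, PRIVILEGED_USERS),
        "root_access_keys": root_has_access_keys(CREDENTIAL_REPORT),
        "public_bucket_statements": public_statements(BUCKET_POLICY),
        "open_admin_ports": open_admin_ports(SECURITY_GROUP),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Each function takes the exported document rather than calling AWS, so the same checks can run in a pipeline over credential reports, bucket policies and security groups pulled by whatever tooling the team already has; a non-empty list or True is a finding to fix, and a bucket that needs anonymous read for static hosting should carry the matching Condition or a separate, deliberately reviewed exception.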
  • 28. Identity is the New Perimeter and Humans are the New Firewalls
    Gartner’s predictions:
      ● Strategic Planning Assumption: By 2020, 50% of enterprises will require an approved exception to put new workloads in house.
      ● Strategic Planning Assumption: By 2022, we will stop referring to the exceptional scenario as "cloud computing," and instead, will use "local computing" to describe the less common model.
  • 29. Useful Links and Resources
    ● https://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm
    ● http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome
    ● https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security
    ● https://www.asd.gov.au/infosec/irap/certified_clouds.htm
    ● https://cloudsecurityalliance.org/guidance/#_overview
    ● https://www.nist.gov/publications/nist-cloud-computing-reference-architecture?pub_id=909505
    ● http://go.netskope.com/rs/netskope/images/Ponemon-DataBreach-CloudMultiplierEffect-June2014.pdf
    ● http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access.html
  • 30. References for Incidents
    ● https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
    ● https://techcrunch.com/2014/06/11/feedly-evernote-and-others-become-latest-victims-of-ddos-attacks/
    ● https://threatpost.com/one-year-after-hack-irs-debuts-updated-get-transcript-service/
    ● https://www.forbes.com/sites/thomasbrewster/2015/07/31/bitdefender-hacked/
    ● https://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
    ● https://www.theregister.co.uk/2017/07/18/dow_jones_index_of_customers_not_prices_leaks_from_aws_repo/
    ● https://www.symantec.com/connect/blogs/casb-rescue-story-data-exposure-aws-s3-buckets
    ● https://www.techrepublic.com/article/leaked-fedex-customer-data-was-stored-on-amazon-s3-server-with-no-password/