The document discusses various topics related to Internet of Things (IoT) and cloud security. It notes that IoT can be viewed as a network of networks connecting things, people and data. It also addresses the importance of security in cloud computing and IoT, given the sensitivity of the data and infrastructure involved. The document outlines some of the key risks to cloud security, including loss of control, lack of trust and issues arising from multi-tenancy in third-party managed clouds.
12. www.rapidstart.com.sg www.globalstf.org
12
WHAT IS IOT?
• THE INTERNET OF THINGS (IOT) IS THE NETWORK OF PHYSICAL OBJECTS ACCESSED
THROUGH THE INTERNET, AS DEFINED BY TECHNOLOGY ANALYSTS AND VISIONARIES.
• THESE OBJECTS CONTAIN EMBEDDED TECHNOLOGY TO INTERACT WITH INTERNAL
STATES OR THE EXTERNAL ENVIRONMENT.
• THEY ARE BASICALLY UNIQUELY IDENTIFIABLE OBJECTS AND THEIR VIRTUAL
REPRESENTATIONS IN AN INTERNET-LIKE STRUCTURE.
PRIVACY & SECURITY
• IOT RAISES IMPORTANT QUESTIONS AND INTRODUCES NEW CHALLENGES FOR THE
SECURITY OF SYSTEMS AND PROCESSES AND THE PRIVACY OF INDIVIDUALS.
• SOME IOT APPLICATIONS ARE TIGHTLY LINKED TO SENSITIVE INFRASTRUCTURES AND
STRATEGIC SERVICES SUCH AS THE DISTRIBUTION OF WATER AND ELECTRICITY AND THE
SURVEILLANCE OF ASSETS.
• OTHER APPLICATIONS HANDLE SENSITIVE INFORMATION ABOUT PEOPLE, SUCH AS
THEIR LOCATION AND MOVEMENTS, OR THEIR HEALTH AND PURCHASING
PREFERENCES.
• CONFIDENCE IN AND ACCEPTANCE OF IOT WILL DEPEND ON THE PROTECTION IT
PROVIDES TO PEOPLE’S PRIVACY AND THE LEVELS OF SECURITY IT GUARANTEES TO
SYSTEMS AND PROCESSES.
POLICIES & LEGISLATION
• INTERNAL POLICIES AND STATE LEGAL AND REGULATORY ISSUES ARE EXTREMELY IMPORTANT
WHEN BUILDING IOT SYSTEMS THAT HAVE SECURITY IMPLICATIONS.
• TO VERIFY THAT A SERVICE PROVIDER HAS STRONG POLICIES AND PRACTICES THAT
ADDRESS LEGAL AND REGULATORY ISSUES, EACH CUSTOMER MUST HAVE ITS LEGAL
AND REGULATORY EXPERTS INSPECT THE PROVIDER’S POLICIES AND PRACTICES TO
ENSURE THEIR ADEQUACY.
• THE ISSUES TO BE CONSIDERED IN THIS REGARD INCLUDE DATA SECURITY AND EXPORT,
COMPLIANCE, AUDITING, DATA RETENTION AND DESTRUCTION, AND LEGAL DISCOVERY.
• IN THE AREAS OF DATA RETENTION AND DELETION, TRUSTED STORAGE AND TRUSTED
PLATFORM MODULE ACCESS TECHNIQUES CAN PLAY A KEY ROLE IN LIMITING ACCESS
TO SENSITIVE AND CRITICAL DATA.
DATA
• IF DATA QUALITY IS NOT GOOD, THEN NO MATTER WHAT CUTTING-EDGE ANALYTICAL
LANDSCAPE AND STATE-OF-THE-ART TECHNOLOGY YOU HAVE, IT WILL BE “GARBAGE IN,
GARBAGE OUT”.
• SO BEFORE THE DATA ANALYTICS IS DONE, YOU SHOULD ESTABLISH A PLACE WHERE ALL THE
DATA ARE CLEANSED, HARMONIZED AND OF GOOD QUALITY.
• IT SOUNDS VERY SIMPLE, BUT IT IS THE MOST DIFFICULT THING, AND MOST
ORGANIZATIONS SPEND A LOT OF MONEY AND RESOURCES TO GET THIS RIGHT.
INSIGHT VS. HINDSIGHT
[Figure: analytics maturity ladder, plotted against the axes ROI and Enterprise Performance.
Stages: Raw data -> Data cleansing & classification -> Reports & OLAP -> Descriptive modeling -> Predictive modeling -> Optimization.
Corresponding progression: Data -> Information -> Knowledge -> Intelligence.
Questions answered at each stage: What happened (hindsight)? Why did it happen (scenario modeling & root cause analysis)? What will happen? What is the best that could happen? How can I act on this insight?]
WHY SECURITY?
A survey commissioned by Microsoft on ‘Cloud computing
among business leaders and the general population’ states that:
58% of the general population and 86% of senior business leaders
are excited about the potential of cloud computing.
But, more than 90% of these same people are concerned about
the security, access and privacy of their own data in the cloud.
Source: Microsoft
WHY IS CLOUD SECURITY IMPORTANT
Increasing Usage of Cloud Services in Non-traditional Sectors
Growing Adoption of Cloud Services in Government Departments
Rise in Cloud Service-specific Attacks
Growing Usage of Cloud Services for Critical Data Storage
Rise in Employee Mobility
CLOUD COMPUTING PROBLEMS
Most security problems stem from:
Loss of control
Lack of trust
Multi-tenancy
These problems exist mainly in 3rd-party management models.
Self-managed clouds still have security issues, but not related to the above.
TRENDS ASSOCIATED WITH CLOUD SECURITY
Increasing Partnerships between CSPs and Security Solution Providers Expected
Increasing Emergence of Cloud Service-specific Security Solution Providers
Identity Management and Encryption to Remain the Top Cloud Security Solutions Offered
Increasing Availability of Cloud Security Solutions for Small and Medium-sized Businesses (SMBs)
Emergence of Strong Cloud Security Standards and Guidelines
SONY’S ATTACK
The Sony Pictures Entertainment hack was a release of confidential data
belonging to Sony Pictures Entertainment on November 24, 2014
On September 1, 2015, plaintiffs and Sony reached an agreement in principle
to settle all of the claims of the putative class against SPE (Sony Pictures
Entertainment)
VERIZON CLOUD OUTAGE
Verizon (VZ) shut down its cloud infrastructure-as-a-service (IaaS) for roughly
40 hours in January 2015.
While a cloud provider's worst fear is a prolonged outage, Verizon
Communications stunned customers by scheduling to take its cloud offline
for some 40 hours over the weekend to implement a comprehensive system
maintenance project.
One reason for the upgrade of its cloud infrastructure, ironically, was to
prevent future outages.
While many customers were peeved that their provider intentionally cut their
cloud service, some took solace in knowing Verizon spent those 40 hours
adding seamless upgrade capabilities that would enable future upgrades to
be executed on live systems without disruptions, or even the need to
reboot servers.
GOOGLE COMPUTE ENGINE OUTAGE
Multiple zones of Google's IaaS offering went down just before midnight of
Feb 18th, 2015. After about an hour of downtime, service for most affected
customers returned around 1 a.m. the next morning.
While some connectivity issues lasted almost three hours, there were roughly
40 minutes during which most outbound data packets sent by Google
Compute Engine virtual machines were simply being lost.
Google said the problem was "unacceptable" and apologized to users who
were affected.
AOL OUTAGE
On February 19, 2015, apparently some people were actually affected when
AOL’s email service suffered a widespread outage beginning around 4 a.m.
Eastern.
The problem, which started in the U.K. and spread to the U.S., made it
impossible for many AOL users to log in to their accounts.
While the AOL jokes come easy, there were real complaints online from
people still using the vintage email addresses. AOL said a network issue was
at fault.
AMAZON OUTAGE #1
In April 2011, Amazon EC2 went offline due to a network configuration
problem.
Companies such as Foursquare, Quora, Reddit were offline for 12-48 hrs.
Companies that had invested in multiple availability zones were less affected
(e.g. Netflix).
Amazon provided 10 days credit to the companies as compensation.
AMAZON OUTAGE #2
In August 2011, a lightning strike in Dublin caused a datacenter blackout for
24-48 hrs.
Due to the sudden failure, data in many servers was in an inconsistent state.
EBS (Elastic Block Storage) services were affected; but EC2 remained online so
this did not count as downtime under the SLA.
These incidents raised serious doubts about the future of cloud.
LESSONS LEARNED
Manage risks and prepare for failure just as you would with traditional IT.
Utilize multiple availability zones and multiple regions.
Design the SLAs carefully.
Do not take your provider’s assurances for granted.
Design for the cloud computing model and supplement the resilience of the
cloud provider.
SECURITY AT DIFFERENT LEVELS
We need security at the following levels:
Server Access Security
Internet Access Security
Database Access Security
Data Privacy Security
Program Access Security
WE NEED TO ANSWER THE FOLLOWING QUESTIONS
What is data security at the physical layer?
What is data security at the network layer?
What about investigation support?
How safe is data from natural disasters?
How trustworthy is the service provider's encryption scheme?
CSA ENTERPRISE ARCHITECTURE
The Trusted Cloud Initiative Reference Architecture is both a methodology
and a set of tools that enables security architects and risk management
professionals to leverage a common set of solutions.
These solutions fulfill a set of common requirements that risk managers must
assess regarding the operational status of internal IT security and cloud
provider controls.
“No foreign nation, no hacker, should be able to shut down our networks, steal our
trade secrets, or invade the privacy of American families, especially our kids. We
are making sure our government integrates intelligence to combat cyber threats,
just as we have done to combat terrorism, and tonight, I urge this Congress to
finally pass the legislation we need to better meet the evolving threat of cyber-attacks,
combat identity theft, and protect our children’s information. If we don’t
act, we’ll leave our nation and our economy vulnerable. If we do, we can continue
to protect the technologies that have unleashed untold opportunities for people
around the globe”
Date (2014)   Company                    Number of records exposed   Types of records
25 Jan        Michaels                   2,600,000                   Payment cards
6 Feb         Home Depot                 20,000                      Employee info
14 Mar        Sally Beauty Supply        25,000                      Credit/debit card
17 Apr        Aaron Brothers             400,000                     Payment cards
22 Apr        Iowa State University      48,729                      Student social security numbers
30 May        Home Depot                 30,000                      Credit/debit card
22 Jul        Goodwill Industries        868,000                     Payment systems
18 Aug        Community Health Systems   4,500,000                   Patient data
21 Aug        United Postal Service      105,000                     Credit/debit card
28 Aug        JP Morgan Chase            1,000,000                   Financial information
2 Sep         Home Depot                 56,000,000                  Credit/debit card
2 Sep         Viator/Trip Advisor        880,000                     Payment cards
25 Sep        Central Dermatology        76,258                      Patient data
7 Nov         Home Depot                 53,000,000                  Email addresses
10 Nov        US Postal Service          800,000                     Personal data
18 Nov        Staples                    1,200,000                   Credit/debit card
SOME DEFINITIONS
According to the U.S. Dept of Commerce:
n. cybersecurity: See “information security”
n. information security: The protection of information against
unauthorized disclosure, transfer, modification, or destruction, whether
accidental or intentional.
SOME DEFINITIONS
According to H.R. 4246 “Cyber Security Information Act”:
cybersecurity: “The vulnerability of any computing system, software
program, or critical infrastructure to, or their ability to resist, intentional
interference, compromise, or incapacitation through the misuse of, or by
unauthorized means of, the Internet, public or private telecommunications
systems or other similar conduct that violates Federal, State, or international
law, that harms interstate commerce of the United States, or that threatens
public health or safety.”
SOME DEFINITIONS
According to S. 1901 “Cybersecurity Research and Education Act of 2002”:
cybersecurity: “information assurance, including scientific, technical, management, or any other relevant
disciplines required to ensure computer and network security, including, but not limited to, a discipline
related to the following functions:
(A) Secure System and network administration and operations.
(B) Systems security engineering.
(C) Information assurance systems and product acquisition.
(D) Cryptography.
(E) Threat and vulnerability assessment, including risk management.
(F) Web security.
(G) Operations of computer emergency response teams.
(H) Cybersecurity training, education, and management.
(I) Computer forensics.
(J) Defensive information operations.
SOME DEFINITIONS
According to S. 1900 “Cyberterrorism Preparedness Act of 2002 ”:
cybersecurity: “information assurance, including information security,
information technology disaster recovery, and information privacy.”
ONE WAY TO THINK ABOUT IT
cybersecurity = security of information systems and networks with the goal of protecting operations and assets
Callout: security in the face of attacks, accidents and failures
ONE WAY TO THINK ABOUT IT
cybersecurity = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets
Callout: availability, integrity and secrecy
ONE WAY TO THINK ABOUT IT
cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets
(Still a work in progress.)
IN CONTEXT
corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation’s operations and assets
national cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation’s operations and assets
INCREASING DEPENDENCE
We are increasingly dependent on the Internet:
Directly
    Communication (Email, IM, VoIP)
    Commerce (business, banking, e-commerce, etc.)
    Control systems (public utilities, etc.)
    Information and entertainment
    Sensitive data stored on the Internet
Indirectly
    Business, education and government have permanently replaced physical/manual processes with Internet-based processes
Source: CalTech
CYBERSECURITY ROADBLOCKS
Not enough metrics to measure security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive disconnect?
Businesses will pay to meet business imperatives
Who’s going to pay to meet national security imperatives?
IOT - EVERYTHING CAN BE HACKED!
Any device with an operating system can be hacked, be it a thermostat, TV or even a toilet.
In recent years, consumers have generally been wise enough to protect their computers from cybercriminals and harmful software.
But their household electronics are woefully unprepared for the next wave of cyber attacks.
Consumers are inviting a whole new wave of security risks into their homes without even realizing it.
RISKS ARE CONTEXT-AWARE AND SITUATIONAL
The identification of privacy, data protection and security risks depends on the context and the purpose of the objects under consideration (e.g. health, geolocation).
The more individuals are involved in the process, the more difficult the risks become to identify and assess.
For example, in Smart Home and Smart Grid applications, how can principles of privacy and data protection, such as informed consent and data minimization, survive in an automated and open environment?
TRACEABILITY, PROFILING OR UNLAWFUL PROCESSING
The increased collection of data may raise issues of
authentication and trust in the objects.
By using information collected about and from multiple
objects related to a single person, that person may become
more easily identifiable and better known.
INDIVIDUAL’S PRIVACY VIOLATION
A natural characteristic of the IoT environment is the prevalence of devices that have the potential to collect a multiplicity of data types and huge amounts of data from users in the cloud.
This leads to automatic identification of persons, as well as their habits, interests, locations etc.
In combination with data available from other services or sources, data mining activities might even create new knowledge about individuals that would not be revealed by separately examining the underlying datasets.
Example: the implementation of contactless credit cards, from which the name and card number can be read without any authentication. With this data it is possible for attackers to purchase goods using the identity and bank account of the card holder.
LOSS OF USER CONTROL
One of the main goals of IoT is to give some autonomy to objects and to enable automated decisions in the cloud.
This leads to a loss of control, with serious impact on many aspects of individuals' everyday lives.
IoT will help elderly or disabled people to stay longer at home and in control of their own lives, but their control over certain “fine-grained decisions” might become limited.
Decisions taken automatically by devices or applications, based on this huge set of sensed data, might not be transparent to the data subjects and therefore create a sense of loss of control.
REPURPOSING OF DATA
Due to the explosion in the amount of data in cloud-based IoT environments, the data will also be used for additional purposes other than those originally specified.
Repurposing of data can be in the cards even before data collection begins.
This is not only a violation of the individual's right to privacy, but may also affect wider social and public acceptance.
HEALTH RELATED IMPLICATIONS
High dependence on cloud and big data technologies in eHealth creates significant security and privacy risks.
There are risks with respect to patient identification and the reliability of collected information.
The information gathered from the cloud system/database used in a health application could also reveal that a person suffers from specific diseases, and this could be used for physically attacking that person.
WHAT IS CYBER CRIME?
Crime committed using a computer and the Internet, such as stealing a person’s identity, illegal imports, or distributing malicious programs.
Cybercrime is simply crime in which the computer is used as the object or subject of the crime.
TYPES OF CYBER ATTACKS
Financial fraud: 11%
Sabotage of data/networks: 17%
Theft of proprietary information: 20%
System penetration from the outside: 25%
Denial of service: 27%
Unauthorized access by insiders: 71%
Employee abuse of internet privileges: 79%
Viruses: 85%
Source: FBI
CYBER CRIME
“ If you experienced computer system intrusions by someone from outside
your organization, indicate the type of activity performed by the intruder.”
Manipulate data integrity 6.8%
Installed a sniffer 6.6%
Stole password files 5.6%
Probing/scanning systems 14.6%
Trojan logons 5.8%
IP spoofing 4.8%
Introduced virus 10.6%
Denied use of services 6.3%
Source: FBI
SAFETY TIPS AGAINST CYBER CRIME
Use antivirus software
Install firewalls
Uninstall unnecessary software
Maintain backup
Check security settings
Stay anonymous - choose a genderless screen name
Never give your full name or address to strangers
SAFETY TIPS AGAINST CYBER CRIME (CONTINUED)
Learn ‘Netiquette' - follow it and expect it from others
Don't respond to harassing or negative messages (flames)
Get out of uncomfortable or hostile situations quickly
Save offending messages
Learn more about Internet privacy