Any organization in the world needs to prepare itself before moving to the cloud, i.e. by performing a cloud security risk assessment. It is all about managing your risks if you decide to move to the cloud, and understanding the risks and benefits should be an essential part of the thinking of any organization considering a move to cloud infrastructure.
Managing Cloud Security Risks in Your Organization
1. Managing Cloud Security Risks in your organization
23 November 2013
Seminar Kriptografi dan Keamanan Informasi (Cryptography and Information Security Seminar)
Sekolah Tinggi Sandi Negara
Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan
Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
2. About me
Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
• Researcher – Information Security Research Group, and Lecturer, Swiss German University
• Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
• http://people.sgu.ac.id/charleslim
• I am currently a doctoral student in University of Indonesia
Research Interest
• Malware
• Intrusion Detection
• Vulnerability Analysis
• Digital Forensics
• Cloud Security
Community
• Indonesia Honeynet Project - Chapter Lead
• Academy CSIRT - member
Master of Information
3. AGENDA
• Cloud Computing
• Cloud Security
• Cloud Risks
• CSA – Cloud Security Alliance
• Case Study – SSH decrypted
• Safe Cloud – is it possible?
• Related Works
• Conclusion
• References
4. Cloud Computing – NIST Definition
NIST defines 5 essential characteristics, 3 service models and 4 cloud deployment models
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5. Service Models
• IaaS = Infrastructure as a Service
• PaaS = Platform as a Service
• SaaS = Software as a Service
• XaaS = Anything as a Service (not included in NIST)
10. The Hybrid enterprise
(Figure: private clouds and public clouds forming an Extended Virtual Data Center that crosses the notional organizational boundary, serving a cloud of users)
• Dispersal of applications
• Dispersal of data
• Dispersal of users
• Dispersal of endpoint devices
11. Good Practice is the key
• Compliance + Audit: Good Governance, Risk and Compliance
• Certification + Standards: Industry recognized certification
• Secured Infrastructure: Secured and tested technologies
• Data Security: Data Security Lifecycle
20. CSA – Cloud Security Framework
Cloud Architecture
Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
21. CSA – Cloud Security Framework Domain
Understand Cloud Architecture
Governing in the Cloud
1. Governance & Risk Mgt
2. Legal and Electronic Discovery
3. Compliance & Audit
4. Information Lifecycle Mgt
5. Portability & Interoperability
Operating in the Cloud
1. Security, Business Continuity and Disaster Recovery
2. Data Center Operations
3. Incident Response
4. Application Security
5. Encryption & Key Mgt
6. Identity & Access Mgt
7. Virtualization
22. How Security Gets Integrated
(Figure: the CSA guidance domains arranged around the cloud architecture)
• Domain 2 – Governance and Enterprise Risk Management
• Domain 3 – Legal and Electronic Discovery
• Domain 4 – Compliance and Audit
• Domain 5 – Information Lifecycle Management
• Domain 6 – Portability and Interoperability
• Domain 7 – Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8 – Data Center Operations
• Domain 9 – Incident Response, Notification, and Remediation
• Domain 10 – Application Security
• Domain 11 – Encryption and Key Management
• Domain 12 – Identity and Access Management
• Domain 13 – Virtualization
23. CSA – Cloud Assessment Framework
24. Sample Assessment Governance
• Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture
• Know provider’s third parties, BCM/DR, financial viability, employee vetting
• Identify data location when possible
• Plan for provider termination & return of assets
• Preserve right to audit where possible
• Reinvest provider cost savings into due diligence
25. Sample Assessment Operation
• Encrypt data when possible, segregate key mgt from cloud provider
• Adapt secure software development lifecycle
• Logging, data exfiltration, granular customer segregation
• Hardened VM images
• Understand provider’s patching, provisioning, protection
• Assess provider IdM integration, e.g. SAML, OpenID
26. Cloud Control Matrix Tool
• Controls derived from guidance
• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
• Customer vs Provider role
• Mapped to ISO 27001, COBIT, PCI, HIPAA
• Helps bridge the “cloud gap” for IT & IT auditors
27. Cloud Adoption - Challenges
Market perception toward cloud
28. Case Study – SSH decrypted (VM)
Based on the Brian Hay and Kara Nance paper
Motivation:
• Malware encrypted communication with C & C
• Law Enforcement capability to monitor deployed cloud and enterprise VMs
Novelty:
• Visibility into cryptographically protected data and communication channels
• No modifications to the VM
29. Case Study – SSH decrypted (VM)
Approach:
• Identification (processes using the crypto lib and calls made to the lib)
• Recovery (input to & output of the crypto functions)
• Identification (crypto keys)
• Recovery (crypto keys above)
• Recovery of plaintext (using recovered keys)
How to: only the minimum is described in the paper
Keywords: Xen platform, libvirt, sebek techniques
30. Case Study – SSH decrypted (VM)
Sebek Installation & Operation
• http://www.honeynet.org/project/sebek
• http://www.sans.org/reading-room/whitepapers/detection/turning-tables-loadablekernel-module-rootkits-deployed-honeypotenvironment-996
• http://vimeo.com/11912850
Limitation
• Sebek modules can be detected with rootkit detection tools
31. Case Study – SSH decrypted (VM)
32. Case Study – SSH decrypted (VM)
33. Case Study – SSH decrypted (VM)
34. Case Study – SSH decrypted (VM)
35. Safe Cloud – is it possible?
Big question: Is it possible to have a safe cloud? (https://www.safeswisscloud.ch)
36. New Development – Cloud Crypto
https://itunes.apple.com/us/app/cloudcapsule/id673662021
37. Related Works
• Lim et al., “Risk Analysis and comparative study of Different Cloud Computing Providers In Indonesia,” ICCCSN 2012
• Amanatullah et al., “Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective,” ICISS 2013
38. Other Security-related Publications
• Lim et al., “Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia,” Advanced Science Letters, 2014
• Suryajaya et al., “PRODML Performance Evaluation as SOT Data Exchange Standard,” IC3INA 2013
39. Conclusion
• There is no 100% security; it is all about managing risks
• It all depends on a single, exploitable vulnerability (the weakest link)
• The cloud’s greatest risk is still the insiders
• CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance
• Uncovering crypto keys in the cloud is possible; this is important to malware research
40. References
• ENISA – Cloud computing risk assessment (http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloudcomputing-risk-assessment)
• Cloud Security Alliance (https://cloudsecurityalliance.org/)
• Hay, Brian, and Kara Nance. “Circumventing cryptography in virtualized environments.” In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012.