This presentation discuss how the Israeli banks should cope with the Israeli central bank cloud regulations. In the slide we examine different articles inside the cloud regulation and discuss the challenges and controls to be used.

1. Cloud Security
For financial sector
Moshe Ferber,
CCSK, CCSP
Onlinecloudsec.com
When the winds of change blow, some people
build walls and others build windmills.
- Chinese Proverb

2. #whoami
 Information security professional for over 20 years
 Founder, partner and investor at various cyber initiatives and startups
 Popular industry speaker & lecturer (DefCon, BlackHat, Infosec and more)
 Founding committee member for ISC2 CCSP certification.
 CCSK Certification lecturer for the Cloud Security Alliance.
 Member of the board at Macshava Tova – Narrowing societal gaps
 Chairman of the Board, Cloud Security Alliance, Israeli Chapter

3. About the Cloud Security Alliance
 Global, not-for-profit organization
 Building security best practices for next generation IT
 Research and Educational Programs
 Cloud providers & security professionals Certifications
 Awareness and Marketing
 The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing”
CSA Israel:
Community of
security
professional
promoting
responsible
cloud adoption.

4. Cloud Computing
What the CIO think
about it?
How the CFO
see it?
How the End-User
feel regarding it?
And how the CISO
treat it?

5. Everyday Examples
“Moving to cloud will
expose our data to foreign
government”
“I got a virtualized
servers, so I already in the
cloud”
“I don’t trust the vendors”
“What about compliance?”
“Our regulator forbid
us from moving to the
cloud”
“Cloud lacks the visibility
we need”
“We use hosting, so
we are already in the
cloud.”
“We will loose control
over our assets”
“And What about the
NSA…?” “Cloud services are
not mature enough”

6. Cloud Services are very different in nature
SaaS
PaaS
IaaS
Private Hybrid Public

7. The shared responsibility model
Physical Security
Network & Data Center
Security
Hypervisors Security
Virtual Machines & OS
security
Data layer & development
platform
Application
Identity Management
DATA
Audit & Monitoring
IaaS PaaS SaaS
Consumer
responsibility
Provider
responsibility

8. Cloud
Focused
(Heavy use)
Cloud
Adopters
(2-3 apps in the cloud)
Cloud
Curious
(First projects)
Private
Cloud
(public Cloud avoiders)
National
Infrastructure
Cloud challenges varies depending on the market sector
Startups
Energy
SMB
Hi Tech
Government
Health
Military
Telecom
providers
Homeland &
Military industries
Utility
Retail
BanksFinancial
Services
Industry

9. The CISO Challenge
How to build secure
application
How to correctly
evaluate your provider
IaaS/PaaS SaaS

10. Step 1: Build your cloud security policy

11. Building a cloud strategy
Guidelines for
which
data/app can
migrate
Threats &
Risks to
consider
Evaluating
the provider
maturity and
operational
procedures.
Additional
controls that
should be
implemented
in the service.

12. Cloud Policy: what should move to cloud?
Public
Cloud
Integrity Availability
On
premise
Confidentiality
• Data exposed to public
• Applications that are currently neglected
• Test/Dev environments
• Mobile App backend
• Hardware/infrastructure intensive
application
Focus on how & where to move

13. Analyze the application
Identity
• Who are the
identities.
Number &
nature
Interfaces
• Are there
interfaces to
the
organization?
Data
• Laws &
regulations
• Sensitivity
level

14. Dealing with threats/risks

15. The most common threats
Data
breaches
Government
warrant
Malicious
insider
Unintentional
disclosure
Hacking
Account
hijacking
Loss of data
Unexpected
expanses
C, I, A
Reputation
Loss of
availability
Provider
outbreak
Communication
outbreak
Account
lockout/ Lock in
DDOS

16. Attack vectors
Cloud
Attack
Vectors
Provider
Administration
Management
Console
Multi tenancy &
Virtualization
Automation
& API
Chain of
supply
Side Channel
Attack
Insecure
Instances

17. The Challenge: Evaluating the providers

18. The Challenge: Evaluating the providers
• Could you do an audit?
• Should you do an audit?
In many cases you have to settle for 3rd party
attestation.

19. Compliance with BOI regulation
Encryption
• Encrypting data
at the cloud
provider (who
has the keys)?
Identity
Management
• Who control the
user store?
• Who is
responsible for
authentication?
Governance &
Audit
• Who does
what?
• Suspicious
events
detection
CASB - Cloud Access Security Brokers

20. Challenges - encryption
Data at motion:
• Usually users traffic is
encrypted. But what about
machine2machine interfaces?
Data at rest:
• Different encryption for
different purposes.
• Who got the key?
Storage encryption
OS Volume encryption
DB encryption (TDE)
File & Application level

21. Challenges – encryption (cont)
How to build in encryption
with your keys
Use of encryption
gateways
IaaS/PaaS SaaS

22. Challenges – identity management
Service
providerBank AD
• Identity federation is key
technology for controlling
user identities and
authentication.
• Federation is about use-
cases. Each use-case got
a matching federation
technology.

23. Challenges – Governance & Audit
Who does what?
Where my users
login from?
Who got public
files?
Who got credit
cards number in
their files
What kind of
cloud services
my users deploy?

24. Additional Challenges – portability
• In the cloud, sometimes the best control is to make
sure you are able to pack your data and go.

25. Questions?

26. To wrap Things Up
Join CSA Israel Facebook &
LinkedIn Forums in order
to stay updated regarding
latest technologies and
community meetups.
 Cloud can present an opportunity for the CISO.
 Trust your providers wisely. Make sure you are
monitoring them carefully and be prepare to move if
needed.
 Adopt different policies for IaaS / PaaS / SaaS

27. KEEP IN TOUCH
Cloud Security Course Schedule can be find at:
http://www.onlinecloudsec.com/course-schedule