4. Cloud Issues
Known Issues
Threats
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Known Solutions/Opinions
Customization , security solutions
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-source
Physical clouds more secured than Public
Botnets and Malware Infections/Misuse
Depends on organization needs
Reference to wide services, solutions, etc.
5. What is about Public Clouds
Some known facts about AWS & Azure
Top clouds are not OpenSource
OpenStack is APIs compatible with Amazon EC2
and Amazon S3 and thus client applications written
for AWS can be used with OpenStack with minimal
porting effort, while Azure is not
Platform lock-in
There are Import/Export tools to migrate from/to
VMware, while Azure doesn’t have
Data Lock-in
Native AWS solutions linked with Cisco routers to
upload, download and tunneling as well as 3rd party
storage like SMEStorage (AWS, Azure, Dropbox,
Google, etc.)
in order to issues mentioned above
Tools Lock-in
Longing for an inter-cloud managing tools that are
industrial and built with compliance
APIs Lock-In
Longing for inter-cloud APIs, however there were
known inter-OS APIs for PC, MDM, Mobiles, etc.
No Transparency
Weak compliance and transparency due to SAS 70
and NDA relationships between cloud vendor and
third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick
response and stay tuned
6. Clouds: Public vs. Private
Known security issues of Public Clouds
"All Your Clouds are Belong to us – Security Analysis of
Cloud Management Interfaces", 3rd CCSW, October 2011
A black box analysis methodology of AWS control
interfaces compromised via the XSS techniques,
HTML injections, MITM
[AWS] :: “Reported SOAP Request Parsing Vulnerabilities”
Utilizing the SSL/HTTPS only with certificate
validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM
accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
and significant researches on it as a POC
“The most dangerous code in the world: validating SSL
certificates in non-browser software”, 19th ACM
Conference on Computer and Communications Security,
October 2012
Incorrect behavior in the SSL certificate validation
mechanisms of AWS SDK for EC2, ELB, and FPS
[AWS] :: “Reported SSL Certificate Validation Errors in API
Tools and SDKs”
Despite of that, AWS has updated all SDK (for all
services) to redress it
7. Clouds: Public vs. Private
It is generally known, that private clouds are most secure There is no a POC to prove a statement on public clouds
[AWS] :: “Xen Security Advisories”
There are known XEN attacks (Blue Pills, etc.)
No one XEN vulnerability was not applied to the
AWS, Azure or SaaS/PaaS services
Very customized clouds
[CSA] :: “CSA The Notorious Nine Cloud Computing Top
Threats in 2013”
Replaced a document published in 2009
Such best practices provides a least security
No significant changes since 2009, even examples
Top Threats Examples
“1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys”,
“7.0. Threat: Abuse of Cloud Services // Cross-VM
Side Channels and Their Use to Extract private
Keys”
“4.0. Threat: Insecurity Interfaces and APIs”
Besides of Reality of CSA Threats
1.0 & 7.0 cases highlight how the public clouds
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focused on a private
cloud case (VMware and XEN), while there is no a
known way to adopt it to AWS.
4.0 case presents issues raised by a SSO access
not related to public clouds (except Dropbox,
SkyDrive) and addressed to insecurity of APIs.
14. NIST Framework
The consolidated framework over all NIST documents
Logically clearly defined documents, e.g.
Categorization systems
Selecting control
FIPS
Forensics
Logging (SCAP)
Etc.
Complementarity
Interchangeability
Expansibility
Dependence
Mapping (NIST, ISO only)
15. NIST Framework
Complementarity
NIST Enhance Control
Your own security control
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
16. NIST Framework
Interchangeability
Basic controls aren’t applicable in case of
Information systems need to communicate with other systems across different policy
APT
Insiders Threats
Mobility (mobile location, non-fixed)
Single-User operations
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
23. Cloud & Compliance Specific
There is no one “cloud”
There are many models and architectures
There is no one “standard”
There are many ways to built cloud in
alignment to…
What vision is adopted by cloud vendors?
Virtualizing of anything able to be virtualized
What vision is adopted by cloud operators
(3rd party)?
Data distribution, service distribution, unified
management
What is your way to use and manage cloud?
Clear
All of that reflected in the
compliance requirements
24. Cloud & Compliance Specific
There is no one “cloud”
There is no one “standard”
The Goal is bringing a transparency of cloud controls and
features, especially security controls and features
Such documents have a claim to be up-to-date with
expert-level understanding of significant threats and
vulnerabilities
Unifying recommendations for all clouds
Up to now, it is the 3rd revision
All recommendations are linked with other standards
PCI DSS, ISO, COBIT
NIST, FEDRAMP
CSA’ own vision how it must be referred
There are many models and architectures
There are many ways to built cloud in alignment to…
Top known cloud vendors announced they are in
compliance with it
Some of reports are getting old by now
Customers have to control their environment by their
needs
Customers want to know whether it is in compliance in,
especially local regulations and how far
Customers want to know whether it makes clouds quite
transparency to let to build an appropriate
25. Cloud & Compliance Specific
Compliance,
Transparency,
CAIQ/CCM provides equivalent of recommendations over
several standards, CAIQ provides more details on security
and privacy but NIST more specific
CSA recommendations are pure with technical details
It helps vendors not to have their solutions worked
out in details and/or badly documented
It helps them to put a lot of references on 3rd party
reviewers under NDA (SOC 1 or SAS 70)
Bad idea to let vendors fills such documents
They provide fewer public details
They take it to NDA reports
Elaboration
Vendors general explanations multiplied by general
standards recommendations are extremely far away from
transparency
Clouds call for specific levels of audit logging, activity
reporting, security controlling and data retention
It is often not a part of SLA offered by providers
It is outside recommendations
AWS often falls in details with their architecture documents
AWS solutions are very well to be in compliance with old
standards and specific local regulations
NIST 800-53, or even Russian security standards
(however the Russian framework is out of cloud
framework)
26. Description
Third Party Audits
DIFFERENCE (AWS vs. AZURE)
As opposed to AWS, Azure does not have a clearly defined statement whether their customers able to perform their own
vulnerability test
Compliance: from Cloud Vendor’s viewpoint
Information
System
Regulatory AWS falls in details to comply it that results of differences between CAIQ and CMM
Mapping
Handling / Labeling / Security Policy
AWS falls in details what customers are allowed to do and how exactly while Azure does not
Retention Policy
AWS points to the customers’ responsibility to manage data, exclude moving between Availability Zones inside one region; Azure
ensures on validation and processing with it, and indicate about data historical auto-backup
Compliance,
Transparency,
Elaboration
Secure Disposal
Not seriously, AWS relies on DoD 5220.22 additionally while Azure does NIST 800-88 only
Information Leakage
Policy, User Access, MFA
Baseline Requirements
Encryption,
Encryption
Key
Management
Vulnerability / Patch Management
AWS relies on AMI and EBS services, while Azure does on Integrity data
No both have
Nondisclosure Agreements,
Party Agreements
User ID Credentials
(Non)Production
Network Security
Segmentation
Mobile Code
AWS provides more high detailed how-to docs than Azure, allows to import trusted VM from VMware, Azure
AWS offers encryption features for VM, storage, DB, networks while Azure does for XStore (Azure Storage)
AWS provides their customers to ask for their own pentest while Azure does not
Third AWS highlights that they does not leverage any 3rd party cloud providers to deliver AWS services to the customers. Azure points to
the procedures, NDA undergone with ISO
Besides the AD (Active Directory) AWS IAM solution are alignment with both CAIQ, CMM requirements while Azure addresses to
the AD to perform these actions
environments, AWS provides more details how-to documents to having a compliance
Besides vendor features, AWS provides quite similar mechanism in alignment CAIQ & CMM, while Azure points to features built in
infrastructure on a vendor side
AWS points their clients to be responsible to meet such requirements, while Azure points to build solutions tracked for mobile code
27. Compliance: from CSA’s viewpoint
Examinationof CSA
Consumer Relationship only
Everything except SA-13 “Location-aware technologies may be used to validate connection
authentication integrity based on known equipment location”
Vendor Relationship only
Requirements include technical and management solutions
Consumer Relationship shared with Vendor
Include non-technical solutions only
Such policies, roles, procedures, training
All requirements cover SaaS, PaaS, IaaS cloud types
General requirements only
Missing details (like DoD)
28. Compliance: from CSA’s viewpoint
Examinationof CSA
References NIST
Data Governance - Information Leakage (DG-07).
Security mechanisms shall be implemented to prevent data leakage refer
AC-2
Account Management
AC-3
Access Enforcement
AC-4
Information Flow Enforcement
AC-6
Least Privilege (the most correct reference)
AC-11
Session Lock General requirements only
Security mechanisms shall be implemented to prevent data leakage missed in turn (no references at all)
AC-7
Unsuccessful Login Attempts
AC-8
System Use Notification
AC-9
Previous Logon (Access) Notification
AC-10
Concurrent Session Control
29. Compliance: from CSA’s viewpoint
Examinationof CSA
References ISO
Data Governance - Information Leakage (DG-07).
Security mechanisms shall be implemented to prevent data leakage also refers to ISO
A.10.6.2 Security of network services
A.10.6.2 refers to NIST in turn
CA-3
Information System Connections
SA-9
External Information System Services
SC-8
Transmission Integrity
SC-9
Transmission Confidentiality
DG-07 should refer to PE-19 Information Leakage in fact
It could include the NIST requirement “AC-6. Least Privilege” too
A few of them applicable in case of Cloud MDM and should be extended by different toolkit
30. Cloud & Compliance Specifics. Example
CSA
Data Governance
NIST :: access control, media
management, etc.
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Cloud :: Azure
Azure’s vision - Distribution of information
CSA , ISO is better applicable than NIST
NIST is applicable as a custom controls’ collection
Best way is adopt NIST enhancements with CSA
Need to remap CSA->NIST rev4
Technical / Access Control / Security
Attributes
Attribute Configuration
Permitted Attributes for Specified
InfoSystems
Permitted Values and Ranges for Attributes
31. Cloud & Compliance Specifics. Example
NIST
Access Control
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
Cloud :: AWS
AWS’s Vision is not Data Distribution
NIST is better applicable than CSA
NIST is applicable as a custom controls’ collection
There are many enhancements to include (rev4)
Dynamic Account Creation
Restrictions on Use of Shared Groups Accounts
Group Account Requests
Appovals/Renewals
Account Monitoring - Atypical Usage
e.g. :: log-delivery-write for S3
32. Cloud & Compliance Specifics. Example
CSA / NIST
AWS’s Vision is not Data Distribution, however
CSA :: Data Governance is applicable from the
resource-based viewpoint
Resource based policy Attached to
resource
AWS’s Vision is not Data Distribution, however
NIST :: Access Control is applicable from the userbased viewpoint
Account based policy Attached to users
define that policy for MDM users to
access internal network resources
Combine with a mobile policy
Cloud :: AWS
33. COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make you sure to start managing security under
uncertain terms without AI
NIST-124
Refers to NIST-800-53 and other
Sometimes missed requirements such as
locking device, however it is in NIST-800-53
A bit details than CSA
No statements on permission management
Make you sure to start managing security under
uncertain terms without AI
34. [ DEVICE MANAGEMENT ]
Concurrencyover native & additional security features
𝚫 = 𝚨 ∪ 𝚩 ∪ 𝚪 ∪ 𝚼 , 𝚨 ⊂ 𝚩, 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀
𝛥 – set of OS permissions, 𝛢 – set of device permissions, 𝛣 – set
of MDM permissions, 𝛤 – set of missed permissions (lack of
controls), 𝜰 – set of rules are explicitly should be applied to gain
a compliance
𝚮 = 𝚬+ 𝚭, 𝚬 ⊃ 𝚨∪ 𝚩
𝛨 – set of APIs , 𝛦 – set of APIs that interact with sensitive data,
𝛧 – set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set 𝛤
should be empty set to get 𝚬 ⊇ 𝚨 ∪ 𝚩 instead of 𝚬 ⊃ 𝚨 ∪ 𝚩, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions 𝚼 ⊆ 𝚩, 𝚼 ⊂ 𝐀 are true and if it is
possible to get ⊆ 𝐀.
The situationis very serious
Set of permissions < Set of activities efficiency is
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >100%
lack of knowledge about possible attacks
improper granularity
AV, MDM, DLP,
VPN
Non-app features
MDM features
Kernel protection
Permissions
35. [ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’SVECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS – SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION , NON-APP FEATURES
PERMISSIONS - EXPLICITLY CONFIGURED
3RD PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY
IN ALIGNMENT WITH COMPLIANCE TO…
Goals
AV, MDM,
DLP, VPN
Non-app
features
MDM features
Kernel
protection
Permissions
APIs
Attacks
APIs
36. [ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK
Background processing
BlackBerry Messenger
Calendar, Contacts
Camera
Device identifying information
Email and PIN messages
GPS location
Internet
Location
Microphone
Narrow swipe up
Notebooks
Notifications
Player
Phone
Push
Shared files
Text messages
Volume
BB 10 AIR SDK
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
PB (NDK/AIR)
+
via invoke calls
+
+
via invoke calls
+
+
+
+
+
+
+
+
37. [ iOS. Settings ]
Component
Unit
Safari
Camera, FaceTime
iTunes Store, iBookstore
Siri
Manage applications*
Manage applications*
Explicit Language (Siri)
Privacy*, Accounts*
Content Type Restrictions*
Restrictions :: Native application
Restrictions :: 3rd application
Unit subcomponents
Privacy :: Location
Privacy :: Private Info
Accounts
Content Type Restrictions
Game Center
Manage applications
Per each 3rd party app
For system services
Contacts, Calendar, Reminders, Photos
Bluetooth Sharing
Twitter, Facebook
Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts
Find My Friends
Volume limit
Ratings per country and region
Music and podcasts
Movies, Books, Apps, TV shows
In-app purchases
Require Passwords (in-app purchases)
Multiplayer Games
Adding Friends (Game Center)
Installing Apps
Removing Apps
38. [ Android. Permissions ]
List contains~150 permissions
I have ever seen that on old BlackBerry devices
ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION,
OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC
RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS
ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM
TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_
,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH,
ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE,
PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE
SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION
ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_
ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P
,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P
MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT
ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK
ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S
TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET
GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T
ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA
,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE
OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_
TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR
VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL
PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN
ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C
PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_
MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_
REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET
PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY,
OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_
TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC
BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA
CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE
TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI
MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO
R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L
STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN
NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M
OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_
GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W
ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C
SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS,
RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY,
LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE
READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET
TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN
ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
39. [ Android. Permission Groups ]
But there only 30 permissions groups
ACCOUNTS
AFFECTS_BATTERY
APP_INFO
AUDIO_SETTINGS
BLUETOOTH_NETWORK
BOOKMARKS
CALENDAR
CAMERA
COST_MONEY
DEVELOPMENT_TOOLS
DEVICE_ALARMS
DISPLAY
HARDWARE_CONTROLS
I have ever seen that on old BlackBerry devices too
LOCATION
MESSAGES
MICROPHONE
NETWORK
PERSONAL_INFO
PHONE_CALLS
SCREENLOCK
SOCIAL_INFO
STATUS_BAR
STORAGE
SYNC_SETTINGS
SYSTEM_CLOCK
SYSTEM_TOOLS
USER_DICTIONARY
VOICEMAIL
WALLPAPER
WRITE_USER_DICTIONARY
40. MDM . Extend your device security capabilities
Android
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
CONTROLLED FOUR GROUPS ONLY
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
41. MDM . Extend your device security capabilities
iOS
BROWSER
CONTROLLED 16 GROUPSONLY
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
MESSAGING (DEFAULT APP)
CLOUD SERVICES
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
PROFILE & CERTs (INTERACTIVE INSTALLATION)
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
CONTENT
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
STORAGE AND BACKUP
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
42. MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx)
CONTROLLED 7 GROUPSONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
43. MDM . Extend your device security capabilities
Blackberry (old)
THERE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEAD OF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS
Huge amount of permissions are MDM & device built-in
EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3RD PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
44. CONCLUSION
The best Security & Permissions ruled by AWS
Most cases are not clear in according to the roles
and responsibilities of cloud vendors & customers
May happen swapping responsibilities and shifting
the vendor job on to customer shoulders
Referring to independent audits reports under
NDA as many times as they can
CSA put the cross references to other standards
that impact on complexity & lack of clarity more
than NIST SP800-53
Apply
CSA as
common
Select
Security
Controls
CSA
Check
Scope
Define
Granularity
Remap
to NIST
NIST
enhanc.
Improve
basic
CSA
Combine
custom
sets
![[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
EXPERIENCED IN :
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, DeepIntel/DeepSec,
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
yury.s@chemerkin.com](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)