Cloud Insecurity?
Myths of Cloud Security Debunked
Bil Harmer
Strategist, Office of the CISO
Cloud – Why all the Misunderstanding?
"Cloud computing, by its very nature, is uniquely vulnerable to the
risks of myths. It is all about capabilities delivered as a service,
with a clear boundary between the provider of the service and
the consumer. From a consumer perspective, 'in the cloud' means
where the magic happens, where the implementation details are
supposed to be hidden. So it should be no surprise that such an
environment is rife with myths and misunderstandings."
- David Mitchell Smith, VP and Gartner Fellow
Myth 1: We don’t really use the cloud
• Shadow IT is an unstoppable force for most enterprises
• Visibility is a challenge, much less control
• Consumerization of IT has pushed personal cloud apps to the enterprise
• Traditional enterprise apps are moving to the cloud (Office365)
• Saying ‘no’ is no longer viable. IT must shift from ‘Block or Allow’ to ‘Manage and Monitor’.
• Learn from your network data to better understand employee behavior and work to implement solutions that maintain productivity by permitting the use of desired resources in a manner that doesn't expose the company to
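As an added illustration of the ‘Manage and Monitor’ point above (example code, not from the original deck): a small Python analysis over constructed proxy-log lines that finds cloud destinations outside a hypothetical sanctioned-app catalogue and decides, per destination, whether to allow, allow-and-log, monitor, or review uploads. The log format, the hostnames and APP_CATALOGUE are assumptions made for the example.

```python
"""Shadow-IT visibility from proxy logs.

Everything here (the log format, the app catalogue and the sample lines)
is constructed for this example; it is not code or data from the deck.
"""
from dataclasses import dataclass, field

# Constructed catalogue of known cloud destinations (placeholder hostnames).
# status: "sanctioned" (IT-approved), "tolerated" (allowed with monitoring).
# Anything not listed is "unknown": discovered from traffic, needs review.
APP_CATALOGUE = {
    "mail.sanctioned-suite.example": ("sanctioned", "productivity"),
    "docs.sanctioned-suite.example": ("sanctioned", "productivity"),
    "notes.personal-notes.example": ("tolerated", "productivity"),
    "up.personal-share.example": ("unknown", "file-sharing"),
}

# Constructed proxy log: timestamp user method host bytes_out bytes_in
SAMPLE_LOG = """\
2016-03-01T09:01:10Z alice GET mail.sanctioned-suite.example 512 20480
2016-03-01T09:02:45Z alice POST up.personal-share.example 5242880 300
2016-03-01T09:05:00Z bob GET docs.sanctioned-suite.example 300 8192
2016-03-01T09:07:30Z bob POST up.personal-share.example 1048576 300
2016-03-01T09:09:12Z carol POST notes.personal-notes.example 20480 512
2016-03-01T09:11:40Z dave POST up.personal-share.example 10485760 300
2016-03-01T09:12:00Z dave GET unlisted.example 200 4096
"""


@dataclass
class AppUsage:
    status: str
    category: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # uploads are what a data-exposure review cares about


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, method, host, b_out, b_in = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(b_out), "bytes_in": int(b_in)}


def summarise(log_text):
    """Aggregate requests, distinct users and uploaded bytes per destination."""
    usage = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        status, category = APP_CATALOGUE.get(rec["host"],
                                             ("unknown", "uncategorised"))
        app = usage.setdefault(rec["host"], AppUsage(status, category))
        app.users.add(rec["user"])
        app.requests += 1
        app.bytes_out += rec["bytes_out"]
    return usage


def decide(app, upload_review_bytes=1_000_000):
    """Manage-and-monitor decision instead of a binary block-or-allow."""
    if app.status == "sanctioned":
        return "allow"
    if app.status == "tolerated":
        return "allow-and-log"
    if app.bytes_out >= upload_review_bytes:
        return "review-uploads"  # unknown destination receiving bulk uploads
    return "monitor"


def shadow_it_report(log_text):
    """Return {host: (action, distinct_users, bytes_uploaded)} for every
    destination that is not already sanctioned."""
    return {host: (decide(app), len(app.users), app.bytes_out)
            for host, app in summarise(log_text).items()
            if app.status != "sanctioned"}


if __name__ == "__main__":
    for host, (action, n_users, b_out) in shadow_it_report(SAMPLE_LOG).items():
        print(f"{host:34} {action:15} users={n_users} uploaded={b_out}")
```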
Myth 2: I lose control of my data when it goes to the cloud
• Control should not be tied to platform or location
• Data residency and retention can and should be under enterprise control when necessary
• Data portability should be a requirement, as data should remain under corporate ownership and remain accessible
• Data storage practices must conform to regulatory compliance measures
• Determine the level of control over data that is required, regardless of solution, and identify cloud vendors that can meet your needs
Myth 3: Cloud is less secure than on-premise solutions
• The vast majority of recent data breaches involve data stored on local systems
• Location has little to do with security – people, process and technology will determine security regardless of location
• Cloud providers benefit from economies of scale when securing data
• "Cloud computing is perceived as less secure. This is more of a trust issue than based on any reasonable analysis of actual security capabilities. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-
Myth 4: I’m at the mercy of cloud vendors for patching
• Software/hardware vendors must also provide patches…but it’s your responsibility to apply them
• Open source libraries commonly used in security appliances
• Patching can be costly and time consuming
• Functionality upgrades also force patching
• Cloud vendors have incentive to expedite patching efforts
Slide callouts: Ghost, FREAK, POODLE, Shellshock, Heartbleed, VENOM
Myth 5: Appliances provide greater control over scalability/performance
• Appliances require planning for anticipated demand, while the cloud permits paying for actual consumption
• Cloud elasticity places the burden of resource planning with the vendor
• Sudden growth (acquisitions, mergers, etc.) does not necessitate major architectural changes
• Appliance scalability will be impacted by features utilized
• Appliances can only protect what they can see
• Scaling appliances can add complexity to the overall architecture (i.e. load balancers, reporting engines, log aggregators, etc.)
[Diagram: HQ, Regional Office, Acquisition, Remote Employees, Cloud]
Myth 6: Cloud security is more difficult to manage
• Policies and reporting for numerous locations and remote employees can be managed via a single, web-based console
• The heavy lifting required for data consolidation is handled by the vendor
• Data portability ensures that the cloud isn’t a silo and interacts with alternate security workflows
• Patching and upgrades are handled by the cloud vendor
• Adding new capabilities is a matter of enabling features as opposed to rearchitecting
• Customers can focus on leveraging as opposed to maintaining solutions
Myth 7: Cloud resources are more exposed to attack
• This myth ignores insider threats
• Even custom enterprise applications are typically Internet facing to accommodate remote users
• Local solutions are less likely to implement strong data security and monitoring
• Enterprises often implement split tunnel VPNs to permit access to internal applications, exposing them to additional threats
• Cloud infrastructure is typically far more resilient in the face of a DDoS attack
• Economies of scale allow cloud vendors to invest in security people/processes/technologies
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
• Hypervisor vulnerabilities are rare and successful attacks are even more so
• Management interface should be isolated from customer resources
• Customer data should be properly encrypted/encoded to further limit privacy threats – this is far less likely in a proprietary, on-premise app
Myth 9: Cloud vendors lack transparency
• Consumers of cloud security must demand transparency through online resources (e.g. trust.salesforce.com), SLAs, open policies/procedures and third party attestation
• It is the responsibility of the consumer to ensure that the cloud vendor provides an overall security posture that meets/exceeds the on-premise security posture
• Compliance does not equal security – it forms a baseline, but is not an endgame – customers must ask the right questions
• Not all clouds are equal
Myth 10: Appliances are more reliable than the cloud
• Most enterprises are not in the business of enterprise security or developing/maintaining IT solutions, which remain cost centers
• Cloud security vendors benefit from economies of scale and can afford to invest in world class security, development and operations teams and resources
• Cloud vendors live and die by their reputation
• How many appliances offer reliability/uptime SLAs?
Questions?
Free Security Health Check
Risk free evaluation of your security
infrastructure
Go to: http://securitypreview.zscaler.com/
Bil Harmer
Strategist, Office of the CISO
@wilharm3
bharmer@zscaler.com
Ed McCabe - Putting the Intelligence back in Threat Intelligence
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
 
Jim Libersky: Cyber Security - Super Bowl 50
Jim Libersky: Cyber Security - Super Bowl 50Jim Libersky: Cyber Security - Super Bowl 50
Jim Libersky: Cyber Security - Super Bowl 50
 
Jim Wojno: Incident Response - No Pain, No Gain!
Jim Wojno: Incident Response - No Pain, No Gain!Jim Wojno: Incident Response - No Pain, No Gain!
Jim Wojno: Incident Response - No Pain, No Gain!
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
 
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...
 

Último

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Último (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Bil Harmer - Myths of Cloud Security Debunked!

1. Cloud Insecurity? Myths of Cloud Security Debunked
Bil Harmer, Strategist, Office of the CISO

2. Cloud – Why all the Misunderstanding?
"Cloud computing, by its very nature, is uniquely vulnerable to the risks of myths. It is all about capabilities delivered as a service, with a clear boundary between the provider of the service and the consumer. From a consumer perspective, 'in the cloud' means where the magic happens, where the implementation details are supposed to be hidden. So it should be no surprise that such an environment is rife with myths and misunderstandings." - David Mitchell Smith, VP and Gartner Fellow

3. Myth 1: We don't really use the cloud
• Shadow IT is an unstoppable force for most enterprises
• Visibility is a challenge, much less control
• Consumerization of IT has pushed personal cloud apps to the enterprise
• Traditional enterprise apps are moving to the cloud (Office365)
• Saying 'no' is no longer viable. IT must shift from 'Block or Allow' to 'Manage and Monitor'.
• Learn from your network data to better understand employee behavior and work to implement solutions that maintain productivity by permitting the use of desired resources in a manner that doesn't expose the company to

4. Myth 2: I lose control of my data when it goes to the cloud
• Control should not be tied to platform or location
• Data residency and retention can and should be under enterprise control when necessary
• Data portability should be a requirement, as data should remain under corporate ownership and remain accessible
• Data storage practices must conform to regulatory compliance measures
• Determine the level of control over data that is required, regardless of solution, and identify cloud vendors that can meet your needs

5. Myth 3: Cloud is less secure than on-premise solutions
• Vast majority of recent data breaches involve data stored on local systems
• Location has little to do with security – people, process and technology will determine security regardless of location
• Cloud providers benefit from economies of scale when securing data
• "Cloud computing is perceived as less secure. This is more of a trust issue than based on any reasonable analysis of actual security capabilities. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-

6. Myth 4: I'm at the mercy of cloud vendors for patching
• Software/hardware vendors must also provide patches…but it's your responsibility to apply them
• Open source libraries are commonly used in security appliances
• Patching can be costly and time consuming
• Functionality upgrades also force patching
• Cloud vendors have an incentive to expedite patching efforts
Vulnerabilities pictured on the slide: Ghost, FREAK, POODLE, Shellshock, Heartbleed, VENOM

7. Myth 5: Appliances provide greater control over scalability/performance
• Appliances require planning for anticipated demand, while the cloud permits paying for actual consumption
• Cloud elasticity places the burden of resource planning with the vendor
• Sudden growth (acquisitions, mergers, etc.) does not necessitate major architectural changes
• Appliance scalability will be impacted by the features utilized
• Appliances can only protect what they can see
• Scaling appliances can add complexity to the overall architecture (load balancers, reporting engines, log aggregators, etc.)
Diagram labels: HQ, Regional Office, Acquisition, Remote Employees, Cloud

8. Myth 6: Cloud security is more difficult to manage
• Policies and reporting for numerous locations and remote employees can be managed via a single, web-based console
• The heavy lifting required for data consolidation is handled by the vendor
• Data portability ensures that the cloud isn't a silo and interacts with alternate security workflows
• Patching and upgrades are handled by the cloud vendor
• Adding new capabilities is a matter of enabling features as opposed to rearchitecting
• Customers can focus on leveraging as opposed to maintaining solutions

9. Myth 7: Cloud resources are more exposed to attack
• This myth ignores insider threats
• Even custom enterprise applications are typically Internet facing to accommodate remote users
• Local solutions are less likely to implement strong data security and monitoring
• Enterprises often implement split-tunnel VPNs to permit access to internal applications, exposing additional threats
• Cloud infrastructure is typically far more resilient in the face of a DDoS attack
• Economies of scale allow cloud vendors to invest in security people/processes/technologies

10. Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
• Hypervisor vulnerabilities are rare and successful attacks are even more so
• The management interface should be isolated from customer resources
• Customer data should be properly encrypted/encoded to further limit privacy threats – this is far less likely in a proprietary, on-premise app

11. Myth 9: Cloud vendors lack transparency
• Consumers of cloud security must demand transparency through online resources (e.g. trust.salesforce.com), SLAs, open policies/procedures and third-party attestation
• It is the responsibility of the consumer to ensure that the cloud vendor provides an overall security posture that meets/exceeds the on-premise security posture
• Compliance does not equal security – it forms a baseline, but is not an endgame – customers must ask the right questions
• Not all clouds are equal

12. Myth 10: Appliances are more reliable than the cloud
• Most enterprises are not in the business of enterprise security or developing/maintaining IT solutions, which remain cost centers
• Cloud security vendors benefit from economies of scale and can afford to invest in world-class security, development and operations teams and resources
• Cloud vendors live and die by their reputation
• How many appliances offer reliability/uptime SLAs?

13. Questions?
Free Security Health Check: risk-free evaluation of your security infrastructure. Go to: http://securitypreview.zscaler.com/
Bil Harmer, Strategist, Office of the CISO, @wilharm3, bharmer@zscaler.com
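Slide 3 (Myth 1) argues that visibility into shadow IT comes from your own network data, and the speaker notes list the apps that typically show up (Box, Dropbox, OneDrive, Office365, Google Apps, Salesforce, GitHub). The script below is an added example, not part of the deck and not a Zscaler tool: it classifies web-proxy log lines against a hostname map, aggregates users and bytes sent per app, and reports the apps IT has not sanctioned. The log format, the hostname suffixes, the sanctioned list and the sample lines are all constructed assumptions for this illustration.

```python
"""Shadow-IT discovery from web-proxy logs (added example, not from the deck).

Constructed log format, one request per line, space separated:
    <timestamp> <user> <method> <host> <bytes_sent> <bytes_received>
bytes_sent is the request body size, i.e. data leaving the enterprise.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Cloud apps grouped as in the speaker notes (file storage, productivity,
# sales, development).  The hostname suffixes are assumptions for this example.
CLOUD_APPS = {
    "Box": ("box.com",),
    "Dropbox": ("dropbox.com", "dropboxusercontent.com"),
    "OneDrive": ("onedrive.live.com", "1drv.ms"),
    "Office365": ("office365.com", "office.com", "sharepoint.com"),
    "Google Apps": ("docs.google.com", "drive.google.com", "mail.google.com"),
    "Salesforce": ("salesforce.com", "force.com"),
    "GitHub": ("github.com", "githubusercontent.com"),
}

# Hypothetical list of apps IT has approved; anything else found is shadow IT.
SANCTIONED = {"Office365", "Salesforce"}


def classify_host(host: str) -> Optional[str]:
    """Map a hostname to a known cloud app by domain suffix, or None."""
    host = host.lower().rstrip(".")
    for app, suffixes in CLOUD_APPS.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return app
    return None


def summarize(log_lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate users, request count and bytes sent per recognised cloud app."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort the report
        _ts, user, _method, host, bytes_out, _bytes_in = fields
        app = classify_host(host)
        if app is None:
            continue  # not a cloud app we track (general web browsing)
        entry = report[app]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(bytes_out)
    for app, entry in report.items():
        entry["sanctioned"] = app in SANCTIONED
    return dict(report)


def shadow_it(report: Dict[str, dict]) -> List[str]:
    """Unsanctioned apps in use, heaviest uploaders first."""
    return sorted((app for app, e in report.items() if not e["sanctioned"]),
                  key=lambda app: report[app]["bytes_out"], reverse=True)


# Constructed sample traffic for the demo; not a real capture.
SAMPLE_LOG = """
# constructed sample, not real traffic
2016-03-01T09:01:02Z alice POST www.dropbox.com 52428800 512
2016-03-01T09:02:10Z alice GET outlook.office365.com 0 8192
2016-03-01T09:05:44Z bob POST content.dropbox.com 10485760 300
2016-03-01T09:07:01Z bob PUT api.github.com 2048 900
2016-03-01T09:09:30Z carol GET na1.salesforce.com 0 40000
2016-03-01T09:11:12Z carol POST upload.box.com 5242880 256
2016-03-01T09:12:00Z dave GET www.example.com 0 1500
2016-03-01T09:13:00Z garbage line
""".strip().splitlines()

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for app in shadow_it(rep):
        e = rep[app]
        print(f"{app:12s} users={len(e['users'])} requests={e['requests']} "
              f"uploaded={e['bytes_out'] // 1024} KiB")
```

Sorting by bytes sent rather than by request count is deliberate: the slide's concern is data leaving the enterprise, and a handful of large uploads to an unsanctioned file-sharing app matters more than many small reads. On real proxy logs, replace the hostname map with your vendor's application catalogue and feed the report into the "manage and monitor" process rather than a block list.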

Editor's Notes

1. Why are there so many myths about the cloud? Marketing. Everything today is called "cloud". Marketing takes away the "how" something works and focuses on the benefits. Example: flying an airplane. All the things needed to actually make sure the flight is good? We don't care. We just want to get from point A to point B. We can do our own due diligence and check facts, but once you establish that, you just want the service.

2. Shadow IT has become an unstoppable force. You don't need IT to get this going; it runs on HTTP/HTTPS. Visibility is the first thing you need:
• File storage – Box, Dropbox, OneDrive
• Productivity – Office365, Google Apps
• Sales – Salesforce
• Development – GitHub
It is important for the CISO to understand what's being used and know what cloud-based apps are in place. Caution against a dictatorial response. Need to move away from being the office of "yes / no" and get to "yes, and here's how": Manage and Monitor. Controls and processes to help enable applications that support the users and do not substantially expand or alter the existing risk profile. Gartner projects IaaS to reach a compound annual growth rate of 29.1%. Cloud analytics to grow from $7.5B in 2015 to $23.1B in 2020. According to Skyhigh's Cloud Adoption and Risk Report, the average company is using 923 cloud services. Elastica found that, on average, 2,037 files per user are resident on cloud file-sharing solutions.

3. Contrast Office with Office365: a client-based versus a cloud-based app. You still have control over your data. Location should not define your level of control. Interoperability, or some form of standard data export, should be part of the tool in order to ensure portability. Regulatory requirements can be a deal breaker.

4. All have suffered in the last 24 months:
• RAM-scraping malware – Target, Home Depot, Michael's
• Stolen admin credentials – JP Morgan, OPM
• Trusted partner – Target (Fazio), OPM (KeyPoint)
• Known vulnerability – Home Depot
• "We sell hammers" – Home Depot
One benefit of the cloud is economies of scale. Cloud vendors can invest in much better security, a higher level of security, because they are in the business of securing data.

5. Patching is your responsibility. Patches may not be available.
• SSL: Heartbleed – OpenSSL heartbeat information leakage
• 2048-bit SSL – NIST mandated that all SSL certs issued after Jan. 1, 2014 offer no less than 2,048-bit encryption. Impact: intensive processing cycles; a four-fold increase in the load on the existing Web Security Appliance; a noticeable decrease in network performance (four-fold performance hit); requires additional hardware appliances
• POODLE – Padding Oracle On Downgraded Legacy Encryption – a MitM can obtain plaintext from the intercepted TLS
• FREAK – Factoring RSA Export Keys – degrades the strength of the encryption used in SSL/TLS connections
• VM: VENOM – Virtualized Environment Neglected Operations Manipulation – QEMU vulnerability in the Floppy Disk Controller (FDC) that allows a local guest user on affected virtualized platforms to escape from the virtual environment and execute code on the host
• Bash: Shellshock – GNU Bash environment command injection
• Ghost – remote code execution in glibc, a heap-based buffer overflow

6. Cloud elasticity is one of the big benefits. Yes, you can scale on-premise solutions by purchasing more and/or larger appliances, but doing so can be costly and complex. Plan for anticipated demand versus pay for actual consumption; peak times versus usage. In the cloud you only pay for what you use. Growth on-prem may need re-architecture: load balancers, rerouting. That includes loaded costs, people and process to manage it. Growth of a company, remote locations and home users. Appliance vendors don't just sell one thing.

7. The myth is driven by not having used the solutions. I would argue the exact opposite is true. Appliances are typically running in multiple locations, run by multiple people, and it's your responsibility to get all that information back into one place to manage. As a cloud consumer you have one pane of glass into your data. Caution: ensure that the cloud doesn't become a silo. Data portability needs to be addressed: how do you get that data out so it can be included in alternate security workflows? Again, you don't have to manage the patching and maintenance of the solution. Expanding capabilities on-prem: add a box. SSL decrypt? Add another box. Sandbox? Add another box. Cloud: pay a license and have it turned on. The burden is on the vendor, not you, because they manage the solution. Re-iterate: it allows you to shift from managing and maintaining solutions to leveraging them.

8. Driven by the fact that it's in the cloud. "If it's on-prem I can control who accesses it. You must have a bigger attack surface because you're on the Internet, right?" The Verizon data breach report shows insider threat as the highest risk. On-prem is likely to have less security and no encryption. OPM breach: data was not encrypted. Typically, to address today's workforce demands, the application gets exposed either through a web app or through a VPN or other remote access. VPNs can create their own problems. They typically run split tunnels, which puts the user ON the local LAN with full LAN access, not typically restricted by port, protocol and address. Cloud vendors can better invest in security because of the economies of scale: larger security teams, robust infrastructure, because this is what they do.

9. Multi-tenancy gives us the elasticity. Cost savings because we use everything (CPU, storage, networks), as multiple customers use the same physical resources. Theoretically you could break through the logical segmentation and see your neighbor's information. Hypervisor attacks are rare; no example that I can remember. More typically we are seeing attacks through more pedestrian ways: admins with shared or compromised credentials, exploits for known vulns sent in spear-phishing attacks. If we are going to focus resources based on the probability of attacks, this is not how they would get in. The other option would be to gain access to one tenant account and try to jump to another tenant, potentially going through the management layer. It should be separate and managed appropriately. This is where you as a consumer need to ask questions and validate what a vendor does. This is how trust gets established! What do you do? BGCs? Who can see my data? Is the data encrypted?

10. There are many ways to gain transparency. Just plugging an appliance into the wall doesn't give you transparency: no access to source code, etc. Location doesn't equate to transparency. Online resources like trust.salesforce.com show you everything about their clouds. We have our own version, trust.zscaler.com: see the status, outages, common vulns (has it affected us, have we done anything about it?). We want to be very open; this is how we establish trust. We want customers to know that a node went down even if they didn't notice. SLAs also help: $$$ repercussions. Vendors should be open about policies and procedures: BGCs, ISO/SOC attestation. What do you have and what can you show me? Do not assume that because they are an established vendor you don't have to ask these questions. You cannot outsource RESPONSIBILITY! Certifications are the baseline. How would you expect the solution to be run in your environment? Use the cert as the baseline (it may answer 80%, but you need to ask the rest). You may need to have right-to-audit included in your contract, or other conditions that help ensure you have transparency. The environment must be equal to or better than what you would have had in-house.

11. Most enterprises are not in the business of building IT teams or security teams. They are cost centers; there are no unlimited $$$. Cloud brings economies of scale. A cloud vendor offline for 15 minutes is devastating; it shows up on the front page of the paper. A cloud vendor breached, and the trust evaporates immediately. They have no choice but to invest heavily in their security teams. Cloud vendors live and die by their reputations. Security researchers aren't cheap (trust me, talent is scarce); a security vendor can afford to have that in their HR budget. If an appliance goes down, one of the best and most expensive SLAs you can get is replacement hardware in 4 hours. Imagine a cloud vendor down for 4 hours. The only other option is to run enough capacity to allow something to fail without your user population seeing it. That also becomes very expensive, and again we're back to the economies of scale. When was the last time you built an in-house solution and your IT team gave you an SLA?
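Slide 6 (Myth 4) and its note describe Heartbleed only as "OpenSSL heartbeat information leakage" and make the point that applying the patch is the appliance owner's job. The toy model below is an added example, not OpenSSL's code and not from the deck: it shows why the unpatched responder leaks memory (it trusts the peer's declared payload length) next to the one-line bounds check that the fix introduced. The neighbouring "process memory" is a constructed byte string for the demo, and the function names are this example's own.

```python
"""Heartbleed as a toy model: the missing length check and its fix.

Added example, not OpenSSL source.  A TLS heartbeat message is laid out as
    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
The unpatched responder copied payload_length bytes back to the peer without
checking that many bytes were actually received, so a short message with a
large declared length echoed whatever followed it in process memory.  The
patched responder discards any message whose declared length does not fit
inside the record it arrived in.
"""
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16
HEADER = struct.calcsize("!BH")  # type + length = 3 bytes


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; declared_len lets the sender lie about the size."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING


def vulnerable_respond(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-fix behaviour: echo declared_len bytes starting at the payload, even
    past the end of the record.  The heap is modelled as the record followed by
    whatever else the process happened to hold in memory."""
    _hb_type, declared_len = struct.unpack("!BH", record[:HEADER])
    heap = record + memory_after_record
    echoed = heap[HEADER:HEADER + declared_len]  # over-read when declared_len > real payload
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * PADDING


def fixed_respond(record: bytes, memory_after_record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: silently drop the message unless header + declared
    payload + padding all fit inside the bytes actually received."""
    if len(record) < HEADER + PADDING:
        return None  # too short to even carry a zero-length payload
    _hb_type, declared_len = struct.unpack("!BH", record[:HEADER])
    if HEADER + declared_len + PADDING > len(record):
        return None  # declared length lies about the record: discard
    echoed = record[HEADER:HEADER + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * PADDING


def leaked_bytes(response: bytes, real_payload: bytes) -> bytes:
    """Everything echoed beyond the real payload and its padding came from memory
    the peer was never supposed to see."""
    body = response[HEADER:-PADDING]
    return body[len(real_payload) + PADDING:]


# Constructed "neighbouring heap" contents for the demo; not a real capture.
PROCESS_MEMORY = (b"GET /account HTTP/1.1\r\nCookie: session=8f3a1c77deadbeef\r\n"
                  b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n" + b"\x00" * 200)
REAL_PAYLOAD = b"ping"


def demo() -> Tuple[bytes, bool]:
    """Return (bytes leaked by the unpatched responder, whether the patched one dropped it)."""
    benign = build_heartbeat(REAL_PAYLOAD)
    evil = build_heartbeat(REAL_PAYLOAD, declared_len=0xFFFF)  # 4 real bytes, 65535 claimed
    # Both versions answer a well-formed request identically; the fix is invisible to honest peers.
    assert vulnerable_respond(benign, PROCESS_MEMORY) == fixed_respond(benign, PROCESS_MEMORY)
    leak = leaked_bytes(vulnerable_respond(evil, PROCESS_MEMORY), REAL_PAYLOAD)
    dropped = fixed_respond(evil, PROCESS_MEMORY) is None
    return leak, dropped


if __name__ == "__main__":
    leak, dropped = demo()
    print("unpatched responder leaked %d bytes, starting: %r" % (len(leak), leak[:60]))
    print("patched responder dropped the request:", dropped)
```

The point for the appliance owner is in the last two functions: the fix is a bounds check a few bytes long, but it only protects you once the binary on your box carries it. That is the slide's argument that the vendor shipping a patch and you applying it are two different events, and the gap between them is exposure time.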