13. www.rapidstart.com.sg www.globalstf.org
WHY IS CLOUD SECURITY IMPORTANT
Increasing Usage of Cloud Services in Non-traditional Sectors
Growing Adoption of Cloud Services in Government Departments
Rise in Cloud Service-specific Attacks
Growing Usage of Cloud Services for Critical Data Storage
Rise in Employee Mobility
WHY SECURITY?
A survey commissioned by Microsoft on ‘Cloud computing
among business leaders and the general population’ states that:
58% of the general population and 86% of senior business leaders
are excited about the potential of cloud computing.
But, more than 90% of these same people are concerned about
the security, access and privacy of their own data in the cloud.
Source: Microsoft
WHAT IS CLOUD SECURITY?
Cloud: Agility, Self-service, Scale, Automation
Security: Gate-keeper, Standards, Control, Centralized
Cloud security is the set of security principles applied to protect the data,
applications and infrastructure associated with cloud computing.
CLOUD COMPUTING PROBLEMS
Most security problems stem from:
Loss of control
Lack of trust
Multi-tenancy
These problems exist mainly in 3rd party management
models
Self-managed clouds still have security issues, but not
related to the above
DEFINING SECURITY IN CLOUD
Confidentiality
Integrity
Audited code, access control and distributed systems
Availability/Assurance
Accountability
Identity, authentication & access control
Resilience
Redundancy, diversification, forensic capacity
Source: NIST
SONY’S ATTACK
The Sony Pictures Entertainment hack was a release of confidential data
belonging to Sony Pictures Entertainment on November 24, 2014.
On September 1, 2015, plaintiffs and Sony reached an agreement in principle
to settle all of the claims of the putative class against SPE (Sony Pictures
Entertainment).
VERIZON CLOUD OUTAGE
Verizon (VZ) shut down its cloud infrastructure-as-a-service (IaaS) for roughly
40 hours in January 2015.
While a cloud provider's worst fear is a prolonged outage, Verizon
Communications stunned customers by scheduling to take its cloud offline
for some 40 hours over the weekend to implement a comprehensive system
maintenance project.
One reason for the upgrade of its cloud infrastructure, ironically, was to
prevent future outages.
While many customers were peeved their provider intentionally cut their
cloud service, some took solace knowing Verizon spent those 40 hours
adding seamless upgrade capabilities that would enable future upgrades to
be executed on live systems without disruptions, or even the need to
reboot servers.
GOOGLE COMPUTE ENGINE OUTAGE
Multiple zones of Google's IaaS offering went down just before midnight of
Feb 18th, 2015. After about an hour of downtime, service for most affected
customers returned around 1 a.m. the next morning.
While some connectivity issues lasted almost three hours, there were roughly
40 minutes during which most outbound data packets being sent by Google
Compute Engine virtual machines were ending up in the wind.
Google said the problem was "unacceptable" and apologized to users who
were affected.
AOL OUTAGE
On February 19, 2015, apparently some people were actually affected when
AOL’s email service suffered a widespread outage beginning around 4 a.m.
Eastern.
The problem, which started in the U.K. and spread to the U.S., made it
impossible for many AOL users to log in to their accounts.
While the AOL jokes come easy, there were real complaints online from
people still using the vintage email addresses. AOL said a network issue was
at fault.
AMAZON OUTAGE #1
In April 2011, Amazon EC2 went offline due to a network configuration
problem.
Companies such as Foursquare, Quora and Reddit were offline for 12-48 hrs.
Companies that had invested in multiple availability zones were less affected
(e.g. Netflix).
Amazon provided 10 days credit to the companies as compensation.
AMAZON OUTAGE #2
In August 2011, a lightning strike in Dublin caused a datacenter blackout for
24-48 hrs.
Due to the sudden failure, data in many servers was in an inconsistent state.
EBS (Elastic Block Storage) services were affected; but EC2 remained online so
this did not count as downtime under the SLA.
These incidents raised serious doubts about the future of cloud.
LESSONS LEARNED
Manage risks and prepare for failure just as you would with traditional IT.
Utilize multiple availability zones and multiple regions.
Design the SLAs carefully.
Do not take your provider’s assurances for granted.
Design for the cloud computing model and supplement the resilience of the
cloud provider.
TRENDS ASSOCIATED WITH CLOUD SECURITY
Increasing Partnerships between CSPs and Security Solution Providers Expected
Increasing Emergence of Cloud Service-specific Security Solution Providers
Identity Management and Encryption to Remain the Top Cloud Security Solutions Offered
Increasing Availability of Cloud Security Solutions for Small and Medium-sized Businesses (SMBs)
Emergence of Strong Cloud Security Standards and Guidelines
CSA ENTERPRISE ARCHITECTURE
The Trusted Cloud Initiative Reference Architecture is both a methodology
and a set of tools that enables security architects and risk management
professionals to leverage a common set of solutions.
These solutions fulfill a set of common requirements that risk managers must
assess regarding the operational status of internal IT security and cloud
provider controls.
COMMERCIAL VENDOR SOLUTIONS
Trend Micro SecureCloud
AppRiver SaaS-based e-mail and Web security tools
Awareness Technologies
Barracuda Web Security Flex
CloudPassage Halo SVM and Halo Firewall
M86 Security - Secure Web Service Hybrid
Panda Cloud Protection
SafeNet's Trusted Cloud Fabric
Symantec.cloud Services
TREND MICRO - SECURITY AS A SERVICE
Cloud-hosted security solutions from Trend Micro
With cloud-based security, you eliminate the cost and hassle of provisioning, managing, and
scaling security hardware and software. And you ensure fast, consistent delivery of the
newest security technologies and updates, helping you stay compliant and reduce risk.
Key Features:
Hosted Email Security
Intrusion Detection and Prevention
Firewall
Anti-Malware
Web Reputation
Log Inspection
Integrity Monitoring
Deep Security as a Service
SYMANTEC PROTECTED CLOUDS
Symantec protects the cloud and gives you the confidence you need
in your cloud initiatives – whether you are directly consuming cloud
services, building your own cloud, or extending your IT operations to
include other clouds.
Key Features:
Symantec™ Email Security.cloud
Symantec™ Email Encryption.cloud
Symantec™ Instant Messaging Security.cloud
Symantec Enterprise Vault.cloud™
Symantec™ Email Continuity.cloud
Symantec Backup Exec.cloud™
CLOUDPASSAGE HALO SVM AND HALO FIREWALL
The industry's first server security and compliance products purpose-built for
elastic cloud environments. These products deliver fast, easy and highly accurate
server exposure assessment, configuration compliance monitoring and network
access control - automating the three most fundamental practices for securing
servers in public and hybrid clouds.
Key Features:
Configuration security monitoring
Multi-factor Authentication
Software Vulnerability Assessment
Workload Firewall Management
Server Access Management
File Integrity Monitoring
Event Logging & Alerting
BARRACUDA WEB SECURITY FLEX
Cloud-Based Web Content Filtering and Malware Protection
As a cloud-based service, Barracuda Web Security Service provides a
convenient option to deploy Barracuda's powerful web security
technology for organizations looking to leverage the scalability and
flexibility of the cloud. Ideal for safeguarding users on and off the
network, the solution unites award-winning spyware, malware, and virus
protection with a powerful policy and reporting engine.
Key Features:
Spyware and Virus Protection
Barracuda Central
Application Control
“No foreign nation, no hacker, should be able to shut down our networks, steal our
trade secrets, or invade the privacy of American families, especially our kids. We
are making sure our government integrates intelligence to combat cyber threats,
just as we have done to combat terrorism, and tonight, I urge this Congress to
finally pass the legislation we need to better meet the evolving threat of cyber-
attacks, combat identity theft, and protect our children’s information. If we don’t
act, we’ll leave our nation and our economy vulnerable. If we do, we can continue
to protect the technologies that have unleashed untold opportunities for people
around the globe”
| Date (2014) | Company | Number of records exposed | Types of records |
|---|---|---|---|
| 25 Jan | Michael’s | 2,600,000 | Payment cards |
| 6 Feb | Home Depot | 20,000 | Employee info |
| 14 Mar | Sally Beauty Supply | 25,000 | Credit/debit card |
| 17 Apr | Aaron Brothers | 400,000 | Payment cards |
| 22 Apr | Iowa State University | 48,729 | Student social security numbers |
| 30 May | Home Depot | 30,000 | Credit/debit card |
| 22 Jul | Goodwill Industries | 868,000 | Payment systems |
| 18 Aug | Community Health Systems | 4,500,000 | Patient data |
| 21 Aug | United Postal Service | 105,000 | Credit/debit card |
| 28 Aug | JP Morgan Chase | 1,000,000 | Financial information |
| 2 Sep | Home Depot | 56,000,000 | Credit/debit card |
| 2 Sep | Viator/Trip Advisor | 880,000 | Payment cards |
| 25 Sep | Central Dermatology | 76,258 | Patient data |
| 7 Nov | Home Depot | 53,000,000 | Email addresses |
| 10 Nov | US Postal Service | 800,000 | Personal data |
| 18 Nov | Staples | 1,200,000 | Credit/debit card |
ONE WAY TO THINK ABOUT IT
cybersecurity = security of information systems and
networks with the goal of protecting operations and
assets
security in the face of attacks, accidents and failures
ONE WAY TO THINK ABOUT IT
cybersecurity = security of information systems and
networks in the face of attacks, accidents and failures with
the goal of protecting operations and assets
availability, integrity and secrecy
IN CONTEXT
corporate cybersecurity = availability, integrity and secrecy
of information systems and networks in the face of attacks,
accidents and failures with the goal of protecting a
corporation’s operations and assets
national cybersecurity = availability, integrity and secrecy of
the information systems and networks in the face of attacks,
accidents and failures with the goal of protecting a nation’s
operations and assets
INCREASING DEPENDENCE
We are increasingly dependent on the Internet:
Directly
Communication (Email, IM, VoIP)
Commerce (business, banking, e-commerce, etc)
Control systems (public utilities, etc)
Information and entertainment
Sensitive data stored on the Internet
Indirectly
Biz, Edu, Gov have permanently replaced physical/manual
processes with Internet-based processes
Source: CalTech
CYBERSECURITY ROADBLOCKS
Not enough metrics to measure security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive disconnect?
Businesses will pay to meet business imperatives
Who’s going to pay to meet national security imperatives?
IOT - EVERYTHING CAN BE HACKED!
Any device with an operating system can
be hacked, be it a thermostat, TV or even
a toilet.
In recent years, consumers have generally
been wise enough to protect their
computers from cybercriminals and
harmful software.
But their household electronics are
woefully unprepared for the next wave of
cyber attacks.
Consumers are inviting a whole new wave
of security risks into their homes without
even realizing it.
RISKS ARE CONTEXT-AWARE AND SITUATIONAL
The identification of privacy, data protection and security
risks depends on the context and the purpose of the objects
that are considered (e.g. health, geolocation).
The more individuals are involved in the process, the more
difficult these risks become to identify and assess.
For example, in Smart Home and Smart Grid applications,
the question is how to ensure that principles of privacy and
data protection, like informed consent and data minimization,
can survive in an automated and open environment.
TRACEABILITY, PROFILING OR UNLAWFUL PROCESSING
The increased collection of data may raise issues of
authentication and trust in the objects.
By using information collected about and from multiple
objects related to a single person, that person may become
more easily identifiable and better known.
HEALTH RELATED IMPLICATIONS
High dependence on cloud and big data technologies in eHealth creates
significant security and privacy risks.
There are risks with respect to patient identification and reliability of
collected information.
The information gathered from the cloud system/database used in a health
application could also reveal that the person suffers from specific diseases
and this could be used for physically attacking this person.