Information Security, STKI Summit 2012, Shahar Geiger Maor
1. Trends In Information Security
STKI Summit 2012
Shahar Geiger Maor, VP & Senior Analyst
"Tell me and I'll forget. Show me and I may remember. Involve me and I'll understand."
2. Agenda
(Word cloud: Endpoints, Networking, Security, DC, Cloud, Post, Voice, MDM, PC, Video, Cyber)
Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
3. Presentation Visualization
(Diagram: MDM, Networking, Security, Collaboration)
4. End-To-End Security Project
(Diagram of the security layers)
• Web Security: WAF, Secure Browsing Gateway
• Application Security
• Data Security: DLP, Information Laundering
• Network Security: Firewalls, IPS, NAC
Source: Taldor
5. TEAMS Project (A3)
Source: Malam-Team
6. The New Training Center, IDF
Source: Bynet
7. Presentation Visualization: Security
(Diagram: MDM, Networking, Security, Collaboration)
8. STKI Index 2011: Top Security Queries
• Mobile Sec., 25%
• Access/Authentication, 13%
• DB/DC Sec., 11%
• GRC, 9%
• Network Sec., 8%
• Sec. Policy, 6%
• Data Sec., 6%
• SIEM/SOC, 4%
• SIs/Vendors/Products, 4%
• Endpoint Sec., 4%
• Fraud, 3%
• "Cyber", 2%
• Market/Trends, 2%
• Application Sec., 2%
• GW Sec., 1%
• Miscellaneous, 1%
9. Presentation Visualization: Cyber
(Diagram: MDM, Networking, Security, Collaboration)
10. New Buzz…
12. The Cyber Triangle
(Triangle diagram; vertices: Cyber Warfare, Cyber Terror, Cyber Crime; assets along the sides: Private Information, Command & Control Systems, Business Information)
Source: ILITA, STKI modifications
13. The Cyber Triangle: Regulations
(The same triangle with the regulators and standards that apply to each side: Director of Security of the Defense Establishment, National Information Security Authority, Israeli Law, Information and Technology Authority, Bank of Israel, Ministry of Finance, SOX, ISO/IEC 27001, PCI-DSS; assets: Private Information, Command & Control Systems, Business Information)
Source: ILITA, STKI modifications
14. Generic Cyber Attacks
1. Individuals/Groups
2. Criminal/Nationalistic background
3. Lots of intervals
4. Lots of targets
5. Common tools
15. Distributed Denial Of Service (DDOS)
1. Targets websites, internet lines etc.
2. Legitimate traffic
3. Many different sources
4. From all over the world
5. Perfect timing
16. DDOS Mitigation: Israeli Market Positioning 1Q12
(Positioning chart; axes: Local Support vs. Market Presence; quadrant labels: Player, Worldwide Leader)
Vendors plotted: Radware, Arbor Networks, F5, Imperva, Foresight, Akamai
Vendors to watch: Andrisoft, Cloudshield, Correro, GenieNRM, IntruGuard, Narus, RioRey, Prolexic
17. Advanced and Persistent Threat (APT)
1. Group / Org. / State
2. Ideological / Nationalistic background
3. Multi-layered attack
4. Targeted
5. Variety of tools
6. Impossible to detect in real time (???)
18. Iranian Intelligence Wants To Be Your Friend on LinkedIn
Source: http://www.guym.co.il/
19. Cyber Preparedness???
(Bar chart: country-by-country stress tests, scale 0 to 4.5; countries shown: Italy, Mexico, Spain, USA, Poland, Denmark, Estonia, India, China, Sweden, Romania, Russia, France, Brazil, The Netherlands, Austria, Japan, Germany, United Kingdom, Israel, Finland, Australia, Canada)
Source: http://www.securitydefenceagenda.org/
21. Bureaucracies live forever....
(Chain of pictures: the Space Shuttle's booster rockets → the US standard railroad gauge → Roman war chariots → the rear ends of two war horses)
22. Israeli National Cyber Command (INCC)
Established: 07.08.2011
Goal:
• To lead the nation's cyber strategy
• To establish a cyber defense policy
• To promote new initiatives and technologies in the cyber security domains
Means:
• Government budget
• Industry/academic knowledge sharing
23. On the INCC's Agenda
• Mapping the national critical infrastructure
• Gap analysis for national critical infrastructure security controls
• Certifications: for vendors, for SIs, for consultants
• Authorizations: for businesses, institutes and any other entity that keeps private/public information
• Proactive defense by establishing professional forums
• Promotion of academic and industry research
• Promotion of specific fields of expertise (e.g. SCADA security)
• Establishment of a national security lab
• Education and public awareness
24. Five Aspects of Government Intervention
1. Multi-system and system complexity: resource pooling and knowledge sharing
2. Joint venture: cyber defense is a "game for large players"
3. National as well as international co-operation
4. Governmental incentives and programs (e.g. MAGNET, Yozma initiative)
5. Regulation
…This is the planned State-Level Cyber Security Approach
25. An Example of State-Level Cyber Security: IPv6
http://www.ccdcoe.org/publications/books/Strategic_Cyber_Security_K_Geers.PDF
28. Spotting the Unknown: Finding the "God Particle" of Security
(Image: one possible signature of a Higgs boson from the Large Hadron Collider (LHC) at CERN)
http://commons.wikimedia.org/wiki/LHC
29. Big Data: Information Diet
• The modern human animal spends upwards of 11 hours out of every 24 in a state of constant consumption of information from the net:
• we have grown obese on sugar, fat, and flour
• we become gluttons for texts, instant messages, emails, RSS feeds, downloads, videos, status updates, and tweets.
• Just as too much junk food can lead to obesity, too much junk information can lead to cluelessness
• Big Data "should" help a company understand this information glut and is essential in order to be smart, productive, and sane.
30. Spotting the Unknown: Big Data At Your Service
(Diagram: SIEM, Applications, Data Warehouse, Business Process Management, Business Intelligence)
Detect, analyze and respond to phenomena based on large volumes of structured and unstructured information
Source: IBM
31. Spotting the Unknown: The Sandbox Approach
Source: http://www.fireeye.com/
32. But…"The Contact Line Will Always be Breached"
(Images: the Maginot Line and the Bar-Lev Line)
http://en.wikipedia.org/wiki/File:Maginotline_organization.gif
http://en.wikipedia.org/wiki/File:1973_sinai_war_maps.jpg
33. "Real-Time Forensic": NetWitness
http://visualize.netwitness.com/Default.aspx?name=investigation
34. "Real-Time Forensic": HBGary
http://hbgary.com/attachments/ad-datasheet.pdf
35. STKI Cyber Security Survey
This survey consists of two different parts:
• First part: CISOs and Infra managers from dozens of leading organizations.
• Second part: the insights of 9 leading security consultants who cover most of the IT market in Israel.
Important notes:
• This survey refers to incidents during 2009-2011.
• Unreasonable results were removed.
• Results may have been subjected to wrong interpretation by the respondents, and some of the incidents may have been "dropped".
36. Thank You Very Much For Your Contribution!
37. Number Of Security Incidents: Users' Perspective
Average number of significant security incidents* in the past 3 years
(Bar chart, 0% to 50%; series: "Cyber sector"**, "Soft Cyber sector"***; categories: No Incidents, 1 Incident, 2-5 Incidents, 5-10 Incidents, More Than 10 Incidents)
Market average: 2 incidents
*"Significant security incident": one that caused direct loss in working hours and/or money
**"Cyber sector": large finance orgs., Infra, Telco, Gov, Defense…
***"Soft cyber sector": all the others
38. Number Of Security Incidents: Consultants' Perspective
Average number of significant security incidents during 2011
(Bar chart, 0% to 80%; series: Defense & Gov., Finance, Infra & Telecom, Rest of Industry; categories: No Incidents, 1 Incident, 2-5 Incidents, 5-10 Incidents, More Than 10 Incidents)
39. What Kind Of Incidents? Users' Perspective
What was the nature of security incidents in the last 3 years?
(Bar chart; values listed in the slide's legend order: Cyber sector, Soft Cyber sector)
• Inside factor (malicious, accidental, technical error): 64% / 20%
• Known vulnerabilities/threats: 41% / 55%
• No answer: 40% / 13%
• Vulnerabilities/threats were unknown at the time: 39% / 12%
• We still don't know: 16% / 0%
"Cyber sector": large finance orgs., Infra, Telco, Gov, Defense…
"Soft cyber sector": all the others
40. What Kind Of Incidents? Consultants' Perspective
What was the nature of security incidents in 2011?
(Pie charts per sector; categories: Known vulnerabilities/threats; Vulnerabilities/threats were unknown at the time; Inside factor (malicious, accidental, technical error); We still don't know. Slice values are not recoverable per category from the extracted text.)
41. Once Again, The Human Factor. DLP Justification?
Have you encountered any malicious or non-malicious activity by employees in the last 3 years?
(Bar chart; values listed in the slide's legend order: Cyber sector, Soft Cyber sector)
• No: 17% / 0%
• Yes, malicious: 23% / 33%
• Yes, non-malicious: 70% / 88%
"Cyber sector": large finance orgs., Infra, Telco, Gov, Defense…
"Soft cyber sector": all the others
42. Targeted Attacks: Users' Perspective
Have you witnessed any targeted attacks in the last 3 years?
(Bar chart; series: Soft Cyber sector, Cyber sector; categories: DOS/DDOS, Phishing, App/web attacks, Malicious code, No. Per-bar values are not recoverable from the extracted text.)
"Cyber sector": large finance orgs., Infra, Telco, Gov, Defense…
"Soft cyber sector": all the others
43. Targeted Attacks: Consultants' Perspective
Have you witnessed any targeted attacks toward one of your clients in 2011? (Not including Phishing and DOS attacks)
• Yes, App/web attacks: 89%
• Yes, malicious code: 56%
• No: 11%
44. Loss of Working Hours
Approximately how many working hours did your organization lose due to significant security incidents in the last 3 years?
(Two pie charts)
• Cyber sector: Less than 50: 20%; More than 51: 50%; Don't know: 30%
• Soft cyber sector: Less than 50: 55%; More than 51: 33%; Don't know: 12%
"Cyber sector": large finance orgs., Infra, Telco, Gov, Defense…
"Soft cyber sector": all the others
45. Impact on Revenue
How much money (% of total revenue, per org. on average) has been lost due to security incidents in the last three years?
(Bar chart; series: Consultants, Users; categories: Less than 1%, 1%-5%, 5%-10%, More than 10%, Don't know. Per-bar values are not recoverable from the extracted text.)
46. Evolving to Combat Advanced Persistent Threats
Total Visibility Across the Enterprise:
• Host-Based Visibility
• Network-Based Visibility
• Log Aggregation: Internal DNS Server Logs, DHCP Logs, Enhanced Microsoft Windows Event Audit Logs, Border Firewall Logs with Ingress/Egress TCP Header Information, External Webmail Access Logs, Internal Web Proxy Logs, VPN Logs, Netflow Logs, Full Packet Capture Logs
• HIDS/HIPS
Actionable Threat Intelligence:
• Indicators of Compromise
http://www.mandiant.com/news_events/forms/m-trends_tech2011
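The reason DHCP logs sit next to DNS, proxy and firewall logs in that list is attribution: an indicator hit keyed only by client IP lands on whichever workstation held that address at the time. The following is an added example, not code from the slides or from Mandiant; it sweeps placeholder indicators over constructed log lines in an invented key=value format and resolves every hit to a host through the DHCP lease history, so a host that appears in several independent sources can be triaged first.

```python
from collections import defaultdict
from datetime import datetime

# Placeholder indicators, constructed for this example (not real IoCs).
IOC_DOMAINS = {"update-check.example.net"}
IOC_IPS = {"203.0.113.7"}

# Constructed sample logs in an invented "timestamp key=value ..." format.
# 10.0.0.21 changes hands at 12:00, which is what makes the DHCP log matter.
DHCP_LOG = """\
2012-03-01T08:00:00 ip=10.0.0.21 host=WS-ACCT-04
2012-03-01T08:05:00 ip=10.0.0.22 host=WS-HR-11
2012-03-01T12:00:00 ip=10.0.0.21 host=WS-ENG-09
"""
DNS_LOG = """\
2012-03-01T09:10:00 client=10.0.0.21 query=update-check.example.net
2012-03-01T09:11:00 client=10.0.0.22 query=intranet.example.com
"""
PROXY_LOG = """\
2012-03-01T09:10:05 client=10.0.0.21 url=http://update-check.example.net/cfg
2012-03-01T13:30:00 client=10.0.0.21 url=http://intranet.example.com/
"""
FW_LOG = """\
2012-03-01T09:10:06 src=10.0.0.21 dst=203.0.113.7 dport=443 action=allow
2012-03-01T13:31:00 src=10.0.0.21 dst=203.0.113.7 dport=443 action=allow
"""


def parse_kv(line):
    """Split 'ts k=v k=v ...' into (datetime, {k: v})."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts), fields


def load_leases(text):
    """Lease history as a time-sorted list of (start, ip, host)."""
    leases = []
    for line in text.splitlines():
        ts, f = parse_kv(line)
        leases.append((ts, f["ip"], f["host"]))
    return sorted(leases)


def host_for(leases, ip, at):
    """Host holding `ip` at time `at`: the latest lease that started before it."""
    host = None
    for start, lease_ip, lease_host in leases:
        if lease_ip == ip and start <= at:
            host = lease_host
    return host  # None when no lease covers that time


def sweep(dhcp, dns, proxy, fw):
    """Match each source against the IoCs; return {host: {source: [hits]}}."""
    leases = load_leases(dhcp)
    hits = defaultdict(lambda: defaultdict(list))

    def record(source, ip, ts, detail):
        host = host_for(leases, ip, ts) or "unresolved:" + ip
        hits[host][source].append((ts.isoformat(), detail))

    for line in dns.splitlines():
        ts, f = parse_kv(line)
        if f["query"] in IOC_DOMAINS:
            record("dns", f["client"], ts, f["query"])
    for line in proxy.splitlines():
        ts, f = parse_kv(line)
        if f["url"].split("/")[2] in IOC_DOMAINS:  # host part of the URL
            record("proxy", f["client"], ts, f["url"])
    for line in fw.splitlines():
        ts, f = parse_kv(line)
        if f["dst"] in IOC_IPS:
            record("firewall", f["src"], ts, f["dst"] + ":" + f["dport"])
    return hits


def prioritise(hits):
    """Hosts seen in the most independent sources first (ties by name)."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    result = sweep(DHCP_LOG, DNS_LOG, PROXY_LOG, FW_LOG)
    for host in prioritise(result):
        print(host, {src: len(v) for src, v in result[host].items()})
```

With the sample data the 09:10 DNS, proxy and firewall hits all resolve to WS-ACCT-04, while the 13:31 firewall hit resolves to WS-ENG-09, which held the same address after the noon lease; keyed by IP alone both would have been blamed on one machine.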
47. Security Fundamentals Come First!
After establishing a rigid and continuous security policy, check out this diagram:
(Diagram: "Establishing Cyber Security Policy" at the top, with "Cyber Command Center?" marked as a new component; building blocks: Security education and awareness; Computer Emergency Response Team; Internet policy; Access policy; System policy; Standards; Access management; Configuration management; Operating systems; System design; Strong authentication; Patch management; SDLC; Mobile devices; Testing; Encryption(?); System hardening)
48. Introducing: Cyber Command Center
(Wheel diagram of the center's building blocks: Mission; Duties & responsibilities; Methodology; Tools; Reporting; Research and Intelligence; Knowledge Sharing; Cooperation with nation CC; Drill & simulation; Legal aspects; Key Success Criteria)
Source: Sharon Mashhadi
49. Presentation Visualization: MDM
(Diagram: MDM, Networking, Security, Collaboration)
50. Mobile Device Management…
Source: Bent Objects
51. Critical Capabilities for Mobile Device Management
• Policy Enforcement
• Security and Compliance
• Device Diversity
• Containerization
• Inventory Management
• Software Distribution
• Administration and Reporting
• IT Service Management
• Network Service Management
• Delivery Model
http://www.gartner.com/technology/streamReprints.do?id=1-16U0UOL&ct=110801&st=sg
52. The Israeli Point of View
In your opinion, what are the Critical Capabilities for a MDM solution?
(Pie chart; visible slices 16%, 13%, 12%, 8%, 6%; slice labels are not recoverable from the extracted text)
Source: STKI
53. Mail/Calendar Sync?
Does your organization's policy allow for mobile devices to be synchronized to mail/calendar?
• Of course!: 87%
• Not yet: 13%
Source: STKI
54. (Don't) Bring Your Own Device (Not yet)
Does your organization's policy allow for private mobile devices to be synchronized to mail/calendar?
• No!: 54%
• Yes (Policy): 33%
• Yes (to all...): 13%
Source: STKI
55. MDM Strategy
What's your mobile device management and security strategy?
(Pie chart with slices 53%, 21%, 13%, 8%, 5%; the slice-to-answer mapping is not recoverable from the extracted text)
Answer options:
• Conducting a POC/evaluation of solutions
• Using an existing (non-specific) security methodology/solutions
• It's considered high priority, but no actions were made yet
• Already implementing a specific MDM/security solution
• MDM/security is considered low priority at the moment
Source: STKI
56. Data Leakage From Mobile Devices
How are you planning to tackle data leakage from mobile devices (multiple answers)?
• Our MDM solution should be the answer: 43%
• We're using/will be using compensating security controls: 40%
• Higher security awareness: 37%
• We do not deal with it: 30%
Source: STKI
57. Market Status: Waiting For "Something" To Happen
~17,000 MDM licenses have been sold in the Israeli market so far… (STKI estimation, Feb 2012)
58. MDM Insights
- There is no single end-to-end solution
- Decision-maker's position determines type of solution
(Matrix: CxOs / Special Purpose vs. Employees on one axis, Pure Security vs. MDM on the other)
59. Mobile Security
(Vendors placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM matrix)
• AGAT - Active Sync Protector
• Checkpoint - Pointsec Mobile Security
• Juniper - Junos Pulse Mobile Security Suite
• LetMobile
• Trend Micro - Mobile Security
60. Mobile Security Management: Israeli Market Positioning 1Q12
(Positioning chart; axes: Local Support vs. Market Presence; quadrant labels: Player, Worldwide Leader)
Vendors plotted: AGAT, Checkpoint, Juniper, LetMobile, Trend Micro
61. Mobile Device Management
(Vendors placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM matrix)
• AirWatch
• BoxTone
• FancyFone - FAMOC
• Fiberlink - MaaS360
• Matrix - MMIS
• McAfee - Enterprise Mobility Management
• MobileIron
• Symantec - Mobile Management
• ZenPrise - Mobile Manager
62. Mobile Device Management: Israeli Market Positioning 1Q12
(Positioning chart; axes: Local Support vs. Market Presence; quadrant labels: Player, Worldwide Leader)
Vendors plotted: Mobile Iron, AirWatch, FancyFone, McAfee, Fiberlink, Matrix, Zenprise, Symantec, BoxTone
63. Mobile Containerization
(Vendors placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM matrix)
• DME - Excitor
• Good Technologies
• Sybase - Afaria
64. Mobile Container Management: Israeli Market Positioning 1Q12
(Positioning chart; axes: Local Support vs. Market Presence; quadrant labels: Player, Worldwide Leader)
Vendors plotted: Good Technologies, Excitor, Sybase
65. Mobile Remote Control
(Vendors placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM matrix)
• Callup - Xcontrol
• Communitake
• Mformation
• SOTI
66. Mobile Remote Control: Israeli Market Positioning 1Q12
(Positioning chart; axes: Local Support vs. Market Presence; quadrant labels: Player, Worldwide Leader)
Vendors plotted: Mformation, Communitake, Xcontrol, SOTI
67. Presentation Visualization: Cloud Security
(Diagram: MDM, Networking, Security, Collaboration)
68. Cloud Flavors
Source: Changewave, a service of 451 Group
69. Super Hybrid Clouds: can IT handle it?
IT's challenge becomes:
• integration
• identity management
• data translation between the core and multitenant public cloud
• orchestration for processes connecting private and public clouds
70. Cloud Security is still A Major Concern
Source: Changewave, a service of 451 Group
71. Cloud Standards and Test Bed Groups
• Cloud Security Alliance (CSA)
• Distributed Management Task Force (DMTF)
• Storage Networking Industry Association (SNIA)
• Open Grid Forum (OGF)
• Open Cloud Consortium (OCC)
• Organization for the Advancement of Structured Information Standards (OASIS)
• TM Forum
• Internet Engineering Task Force (IETF)
• International Telecommunications Union (ITU)
• European Telecommunications Standards Institute (ETSI)
• Object Management Group (OMG)
http://cloud-standards.org/wiki/index.php?title=Main_Page
72. Cloud Security Standards: Current Status
(Diagram of the standards and bodies around "Cloud Security": ISO 27001; SSAE 16 (SAS 70); FedRAMP; ILITA (Israel); IAM (access & federation); FISMA ATO; CSA; FIPS 140-2)
73. ISO 27001 (2005)
There is no particular focus on "cloud computing". (Reddit, HootSuite, Quora and Foursquare have suffered outages even though AWS is ISO 27001 certified.)
ISO 27001 relates to some cloud security issues:
• A.6.2.1 - Identification of risks related to external parties
• A.6.2.3 - Addressing security in third party agreements
• A.10.5.1 - Information back-up
• A.11 - Access control
• A.7.2.1 - Classification
So, what's the point of being ISO 27001 certified? Lower risk. ISO 27001 certification guarantees that the certified entity has undertaken a comprehensive approach to resolve major risks.
74. SOC 1 / SSAE 16 / ISAE 3402
SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization (SAS70).
ISAE 3402: SSAE 16 was built upon the ISAE 3402 framework.
SOC 1: A SOC 1 Report (Service Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities' internal control over financial reporting. The SOC 1 Report is what you would have previously considered to be the standard SAS70, complete with Type I and Type II reports, but falls under the SSAE 16 guidance.
http://www.ssae-16.com/
75. SOC 1 / SSAE 16 / ISAE 3402
Who Needs an SSAE 16 (SOC 1) Audit?
If your Company (the 'Service Organization') performs outsourced services that affect the financial statements of another Company (the 'User Organization'), you will more than likely be asked to provide an SSAE 16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:
* Payroll Processing
* Loan Servicing
* Data Center / Co-Location / Network Monitoring Services
* Software as a Service (SaaS)
* Medical Claims Processors
http://www.ssae-16.com/
76. FIPS 140-2 Certification: For CSP Trust
1. Federal Information Processing Standard (FIPS) Publication 140-2
2. Specifies the security requirements of cryptographic modules used to protect sensitive information
3. Notice: there are four security levels under FIPS 140-2
http://www.gore.com/en_xx/products/electronic/anti-tamper/security-standards.html
77. PCI DSS: Vital For Cloud Service Providers
PCI DSS was set up by the major credit card companies to try and improve the Information Security of financial transactions related to credit and debit cards. It essentially pushes the responsibility of looking after card data onto merchants who may store, process and transmit this type of data.
(Diagram of the PCI DSS goals)
• Protect Cardholder Data
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Maintain a Vulnerability Management Program
http://phoenix-consultancy.com/pci_dss.html
78. Access Control And Federation
http://blogs.forrester.com/eve_maler/12-03-12-a_new_venn_of_access_control_for_the_api_economy
79. Cloud Security Alliance
(Join the Israeli chapter here: http://www.linkedin.com/groups?gid=3050440&trk=hb_side_g)
• Security Guidance for Critical Areas of Focus in Cloud Computing (Released November 14, 2011)
• Innovation Initiative - created to foster secure innovation in information technology (Released February 24, 2012)
• GRC Stack - a toolkit to assess both private and public clouds against industry established best practices, standards and critical compliance requirements
• Consensus Assessments Initiative - research tools to perform consistent measurements of cloud providers (Released September 1, 2011)
• Cloud Controls Matrix (CCM) - Released August 26, 2011
• Cloud Metrics - metrics designed for the Cloud Controls Matrix and CSA Guidance
• CloudTrust Protocol (See next slides…)
https://cloudsecurityalliance.org/research/
80. Cloud Trust Protocol (CTP): Transparency as a Service
Responding to all elements of transparency: SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …
(Diagram of the CTP flows between: the Enterprise, with its TaaS Dashboard and Cloud Trust Response Manager (CRM); the CSC Trusted Cloud Community; a Private Trusted Cloud; and the Cloud Trust Agent. Outcomes shown: using reclaimed visibility into the cloud to confirm security and create digital trust; downstream compliance processing.)
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp , & CSA
81. Digital Trust and Value Creation
http://assets1.csc.com/financial_services/downloads/DigitalTrustForLifeReport.pdf
82. Federal Information Security Management Act (FISMA, 2002)
FISMA ATO for CSP (Low, Moderate, High)
• Part of NIST's Computer Security Division
• Issues an authorization to operate for cloud service providers
• It doesn't require certification of products or services. It sets security requirements for federal IT systems.
U.S. Government Cloud Computing Technology Roadmap (http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf)
Its aim is: "…to make it substantially easier to buy, sell, interconnect and use cloud environments in the government".
83. Federal Risk and Authorization Management Program
FedRAMP is the result of close collaboration with cybersecurity and cloud experts from:
(Logos of the participating organizations)
84. Federal Risk and Authorization Management Program (FedRAMP)
• Established on December 8, 2011
• The FedRAMP security controls are based on the NIST SP 800-53 R3 / 53A controls
• Establishes US Federal policy for the protection of Federal information in cloud services
• Describes the key components and its operational capabilities
• Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining the program
• Defines the requirements for Executive departments and agencies using the program in the acquisition of cloud services
85. How Will Cloud Services Be Prioritized For FedRAMP Review?
• "FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide".
• FedRAMP will prioritize Secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services.
(1) Cloud systems with existing Federal agency authority-to-operates (ATOs) get first priority
(2) Cloud systems without an existing Federal agency ATO get second priority
86. FedRAMP – Deliverables For Cloud Computing Service Providers
A. Develop a Plan of Action & Milestones (POA&M)
B. Assemble the Security Authorization Package (SAP)
C. Determine Risk
D. Determine the Acceptability of Risk
E. Obtain the Security Authorization Decision (yes/no)
87. FedRAMP - Third Party Assessment Organizations (3PAOs)
• Perform initial and periodic assessments of CSP systems per FedRAMP requirements
• Provide evidence of compliance and play an ongoing role in ensuring CSPs continue to meet requirements
• FedRAMP provisional authorizations must include an assessment by an accredited 3PAO, to ensure a consistent assessment process
• Independent assessors of whether a cloud service provider has met the 297 agreed-upon FedRAMP security controls (604 pages), so that it can obtain an authority to operate (ATO)
• A company cannot act as both 3PAO and cloud service provider (CSP) on the same contracts (MOU, etc.)
88. Cloud Guidelines in Israel By ILITA (Start: 19.5.2012)
1. Preliminary check of the legitimacy of the outsourcing
2. Meticulous definition of the purpose and use of the outsourced data
3. Alignment of security and privacy controls with existing regulations and standards (ISO 27001, 357, 257)
4. Transparency and compliance with privacy laws
5. Defining the means of privacy enforcement and monitoring
6. Ensuring data deletion at the end of the contract
http://www.justice.gov.il/MOJHeb/ILITA/News/mikurhuts.htm
89. Decrease The Risk Of Cloud Computing
• Do a thorough check on the potential provider: not only its performance record, but also the background of its management, whether it has implemented information security and business continuity policies and procedures, its financial stability, legal risks, etc.
• Write very specific security clauses into your agreement with the provider, with the biggest emphasis on the issues that raised the highest concerns during risk assessment.
• Keep a backup copy of your information locally. Although a cloud computing provider will (probably) run regular backups, it is always a good idea to have direct control of your information (e.g. banking regulators in some countries require local banks to keep a backup copy inside the country specifically because of this risk).
• Develop a strategy for returning the information processing/archiving to your company (re-insourcing) in case of problems with your cloud computing provider: you should know exactly which steps are needed, and which resources.
• An exit strategy might also be to have an alternative cloud computing provider standing by, ready to step in if your existing partner performs badly.
• Perform regular checks of your provider to find out whether it is complying with the security clauses in the agreement.
Source: http://blog.iso27001standard.com/#
90. Market Data
Source: http://xkcd.com/657/large/
91. Information Security Staffing
One security staff member per how many of the following (25th percentile / 50th percentile / 75th percentile / Average):
Employees:          500 / 1167 / 1600 / 1582
IT staff:            33 /   42 /   61 /   55
Desktops:           397 /  750 / 1172 /  951
Endpoints:          522 / 1130 / 1779 / 1314
Windows servers:    119 /  200 /  270 /  194
Source: STKI
92. Security Consultants -Israeli Market View 1Q12 (Partial List)
*DataSec, **Oasis-Tech
Source: STKI
93. Security System Integrators -Israeli Market View 1Q12 (Partial List)
*Netcom, **Spider, ***We, ^Oasis-Tech, ^^Decimus
Source: STKI
94. Networking Budget ~ 10% of IT OpEx
Source: The Corporate Executive Board Company
95. Constant Staffing Mix Within IT
Source: The Corporate Executive Board Company
96. Positioning Methodology
Israeli vendor rating: market positioning is focused on the enterprise sector (not SMB)
X axis: market penetration (sales + installed base + client perspective)
Y axis: localization, support, local R&D center, number and quality of SIs, etc.
Worldwide leaders are marked based on global positioning
Vendors to watch: Israeli market newcomers
STKI positioning represents the current Israeli market and not necessarily what we recommend to our clients
97. xxx - Israeli Market Positioning 1Q12 (chart template)
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Placeholder vendors shown: Vendor A, Vendor B
98. Data Leakage Prevention - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Websense, Symantec, Verdasys, Fidelis, GTB, McAfee, CA, Safend, Checkpoint, EMC
99. Database Protection - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: McAfee, GreenSQL, Imperva, Brillix, Informatica, Oracle, IBM, Safenet, SAP, Fortinet
100. Network Encryption - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Safenet, Fortinet, Thales, Cisco
101. Enterprise Network Firewall - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Checkpoint, PaloAlto, Fortinet, Juniper, Microsoft, Cisco, HP, McAfee, F5, SonicWall, Barracuda
102. Secure Remote Access - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Juniper, Checkpoint, Cisco, F5, Citrix, Microsoft, Fortinet, SonicWall
103. Intrusion Prevention Systems - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: McAfee, IBM, Checkpoint, Juniper, Radware, PaloAlto, Barracuda, Fortinet, Cisco, HP, SourceFire, SonicWall
104. Network Access Control - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Access Layers, Cisco, ForeScout, Juniper, Checkpoint, McAfee (Insightix), HP, Wise-Mon, Symantec, Microsoft, Enterasys
105. Secure Web Gateway - Israeli Market Positioning 1Q12
[Positioning chart: x axis Market Presence, y axis Local Support; legend: Player, Worldwide Leader]
Vendors shown: Websense, BlueCoat, McAfee, Cisco, Symantec, Safenet, Clearswift, Zscaler, Fortinet, SonicWall, Trend Micro, Microsoft, PineApp, Barracuda