3. Yusuf Hadiwinata Sutandar
Linux Geek, Opensource Enthusiast, Security Hobbies
RHCT, RHCSAv5-v7, RHCEv5-v7, RHCVA, RHCI, RHCX, RHCSA-RHOS, RHCJA, CEI, CEH, CHFI, CND, EDRP, CCNA, MCTCNA, Security+, Network+, VCA, vExpert 2017-2018
VP Operation & Services – PT Biznet Gio Nusantara
Introduction
Disclaimer: All the information on these slides has passed Legal & Compliance review at PT Biznet GIO Nusantara, or the resources are publicly accessible on the Internet.
4. What is Cloud Security
“Cloud security is a discipline of cyber security dedicated to securing cloud computing systems.”
“This includes keeping data private and safe across online-based infrastructure, applications, and platforms. Securing these systems involves the efforts of cloud providers and the clients that use them, whether an individual, small to medium business, or enterprise uses.”
“It’s shared between the cloud provider and the customer. There are basically three categories of responsibilities in the Shared Responsibility Model”
5. At its Core, Cloud Security is Composed of the Following Categories
• Data security
• Identity and access management (IAM)
• Governance (policies on threat prevention, detection, and mitigation)
• Data retention (DR) and business continuity (BC) planning
• Legal compliance
7. Shared Responsibility Varies by Provider and Service Type
In a traditional data center model, the company is responsible for security across the entire operating environment, including applications, physical servers, user controls, and even physical building security. In a cloud environment, the cloud provider offers valuable relief to customer teams by taking on a share of many operational burdens, including security.
8. Regulation and Compliance On Cloud Security
Security-Centric Frameworks
• ISO 27001 : 2013
• ISO 27017 : 2015
• ISO 27018 : 2019
• ISO 27701 : 2019
Industry & Location-Specific Regulations
• Credit Card Payments: PCI DSS / PA DSS
• Healthcare: HIPAA
• Singapore: MAS-TRM
• Malaysia: BNM-RMiT
• Australia: APRA Prudential Practice Guide CPG 234
• EU: GDPR
Other Frameworks
• NIST Cybersecurity Framework
• CIS Controls
• CSA STAR - Cloud Security Alliance (CSA) Security Trust And Risk Assurance (STAR)
9. Biznet GIO Well-Architected Lenses
The framework provides a foundation for building and improving Biznet GIO Cloud deployments using four key principles:
• Operational excellence - Guidance on how to make design choices in the cloud to improve your operational efficiency. These include approaches for automating the build process, implementing monitoring, and disaster recovery planning.
• Security, privacy and compliance - Guidance on the various security controls you can choose, along with a list of products and features best suited to support the security needs of your deployments.
• Reliability - How to build reliable and highly available solutions. Recommendations include defining reliability goals, improving the Biznet GIO approach to observability (including monitoring), establishing an incident management function, and techniques to measure and reduce the operational burden on Biznet GIO teams.
• Performance Cost Optimization - Suggestions on various available tools to tune your applications for a better end-user experience and analyze the cost of operation on Biznet GIO Cloud, while maintaining an acceptable level of service.
10. Biznet GIO Well-Architected Lenses
How Biznet GIO Chooses the Framework
• Discover: Use the framework as a discovery guide for Biznet GIO Cloud Platform offerings and learn how the various pieces fit together to build solutions.
• Evaluate: Use the design questions outlined in each section to guide the thought process while thinking about Biznet GIO system design.
• Review: If you’re already on Biznet GIO Cloud, use the recommendations section to verify that you are following best practices, or as a pulse check to review before deploying to production.
12. PCI Data Security Standard
Goal: Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Source PCI-DSS
18. Install and Maintain Multi-Zone Firewall
← WAF Protection Internal: internal WAF protection to mitigate attacks from the internal network
← DDoS + WAF Protection: Layer 4/7 DDoS protection to scrub DDoS attacks
← WAF Protection: additional WAF protection using a different attack database
Study Case Asiangames2018 - Copyright Yusuf Hadiwinata
19. Examine Data-flow Diagram and Interview Personnel to Verify the Diagram
"Data-flow diagrams identify the location of all data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices."
Source OpenIO
22. Hardening Standard
Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)
• ISSAF (Information Systems Security Assessment Framework)
30. BGP Hijacking Prevention and Notification
• Any of BGN's prefixes loses visibility
• Any of BGN's prefixes is hijacked
• BGN's AS is announcing RPKI-invalid prefixes (e.g., not matching the ROA prefix length)
• BGN's AS is announcing prefixes not covered by ROAs
• ROAs covering your prefixes are no longer reachable (e.g., TA malfunction)
• A ROA involving any of BGN's prefixes or ASes was deleted/added/edited
• BGN's AS is announcing a new prefix that was never announced before
• One of the AS paths used to reach a BGN prefix matches a specific condition defined by you
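As an added example (not from the slides or from Biznet GIO's own tooling), here is the origin-validation and prefix logic behind several of these alert conditions in Python: RFC 6811 validation of an announcement against a set of ROAs, plus detection of a hijacked prefix, a prefix not covered by any ROA, a prefix never announced before, and a prefix that has lost visibility. The AS number, prefixes and routing-table entries are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data using documentation ranges (AS64500, 203.0.113.0/24, ...).
OUR_ASN = 64500
OUR_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24", "2001:db8::/32"]
ROAS = [("203.0.113.0/24", 24, 64500), ("198.51.100.0/24", 24, 64500),
        ("2001:db8::/32", 48, 64500)]       # (prefix, max length, authorised origin AS)
SEEN = [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64500), ("198.51.100.0/24", 64500),
        ("198.51.100.0/24", 64501), ("192.0.2.0/24", 64500)]   # (prefix, origin AS) observed


def covers(prefix, ann):
    """True when prefix covers the announced network ann (same address family only)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return ann.version == net.version and ann.subnet_of(net)


def rpki_state(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    ann = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if not covers(roa_prefix, ann):
            continue
        covered = True
        if roa_asn == origin_asn and ann.prefixlen <= max_len:
            return "valid"
    # covered by a ROA but wrong origin AS or more specific than max length -> invalid
    return "invalid" if covered else "not-found"


def check_announcements(our_asn, our_prefixes, seen, roas, baseline):
    """Alerts for the slide's conditions; baseline = prefixes our AS announced before."""
    alerts, visible = [], set()
    for prefix, origin in seen:
        ann = ipaddress.ip_network(prefix, strict=False)
        for mine in our_prefixes:
            if covers(mine, ann):
                if origin != our_asn:
                    alerts.append(f"{prefix} hijacked: originated by AS{origin}")
                else:
                    visible.add(mine)
        if origin != our_asn:
            continue  # RPKI/ROA/new-prefix checks apply to our own announcements only
        state = rpki_state(prefix, origin, roas)
        if state == "invalid":
            alerts.append(f"{prefix}: our AS announces an RPKI-invalid prefix")
        elif state == "not-found":
            alerts.append(f"{prefix}: announced by our AS but not covered by any ROA")
        if prefix not in baseline:
            alerts.append(f"{prefix}: new prefix never announced before")
    for mine in our_prefixes:
        if mine not in visible:
            alerts.append(f"{mine} lost visibility: not seen in the routing table")
    return alerts


def demo():
    return check_announcements(OUR_ASN, OUR_PREFIXES, SEEN, ROAS, set(OUR_PREFIXES))
```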
31. Securing the World Routing
The CDN and Cloud Programme Actions
1. Prevent propagation of incorrect routing information
2. Prevent traffic with illegitimate source IP addresses
3. Facilitate global operational communication and coordination
4. Facilitate validation of routing information on a global scale
5. Encourage MANRS adoption
6. Provide monitoring and debugging tools to the peering partners
https://www.manrs.org/cdn-cloud-providers/
32. Securing the World Routing
Implement RPKI On Network
https://www.manrs.org/about/testimonial/testimonial-from-pt-biznet-gio-nusantara/
34. Importance of Database Security and Integrity
Database security is more than just important: it is essential to any company with any online component. Sufficient database security prevents data being lost or compromised, which may have serious ramifications for the company both in terms of finances and reputation.
37. Inventory Data Sources
• Discover, classify and prioritize the databases containing your valuable information, whether cloud based or on-premise
• Discover, track and manage your SQL Server inventory
• Manage known databases on your network and in the cloud; discover unknown databases outside the scope of current compliance controls
39. Continuous Testing
• Define and manage security standards and compliance policies to be used to assess database security posture
• Schedule or run ad-hoc job-based assessments to quantify cloud based or on-premise database adherence to selected policies
40. Eliminate Vulnerabilities
• Fix potentially harmful password configurations, table access grants, user roles and other vulnerable areas identified in assessment of database assets.
• Conduct regular and continuous assessments to identify issues and ensure that they are remediated in a timely manner.
41. Enforce Least Privileges
• Ensure employees and applications have only the rights needed to do their jobs
• Understand who has access to what data and how they’ve been granted that access
Key Point: Analyze membership of powerful server roles and groups such as administrators, systems administrators, and security administrators to ensure the level of access is warranted. From a group, see the list of group members and select a member for further analysis. From a user, see the group memberships and drill upwards to view inherited permissions.
42. Monitor for Anomalies
• Inspect database access and activities for policy violations and attempted attacks
• Audit actions of known privileged users as well as administrative activity
44. Protecting The Data
• Deploy policy-based Activity Monitoring to create an easily managed set of actionable security and compliance alerts.
• Transparent Data Encryption (TDE) to protect sensitive data
• Database Firewall acts as the first line of defense for databases, helping prevent internal and external attacks from reaching the database
45. Data Leak Monitoring for Data Leak Prevention
Log and monitor all user activity related to data access or sensitive documents.
46. Respond to Incident
Audit and respond to suspicious activity and policy violations in real time:
• Send an alert to IT Security to prompt further investigation.
• Notify the SIEM system to correlate database activity with web application logs.
• Initiate a malware scan to remove any injected code.
• Lock out the user’s account to prevent further attempts to access sensitive data.
48. Example Access Flow to Critical Infrastructure
[Diagram: Admin from Internet → VPN Gateway (DMZ, encrypted connection) → 2FA Authenticator → Directory Service & Audit → Privileged Access Management or Jump/Step Server → Server Farm]
Record desktop user activity, file transfer, and command history
Send logs to a centralized log server and analyze them on the SIEM
Alert and Notification
7.1 Limit access to system components and critical data to only those individuals whose job requires such access.
49. Role Based Access Control (RBAC)
7.1.1 Define access needs for each role, including:
• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Source DNStuff
50. Attribute Based Access Control (ABAC)
ABAC is implemented to reduce risks due to unauthorized access, as it can control security and access on a more fine-grained basis.
7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
This access control system must include the following:
Source DNStuff
54. SIEM Alerting and Notification
Many breaches occur over days or months before being detected. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed.
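As an added example (not from the slides), an automated log review in Python over constructed database audit records that applies the “deny all unless specifically allowed” rule of 7.2 (slide 50) and produces the responses of slide 46: repeated failed logins lock the account, and reads outside a user's assigned roles are escalated to the SIEM and IT Security. The users, roles, objects, log format and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: "<timestamp> <user> <action> <object> <outcome>".
AUDIT_LOG = [
    "2024-03-01T02:00:01 alice LOGIN - FAIL",
    "2024-03-01T02:00:05 alice LOGIN - FAIL",
    "2024-03-01T02:00:09 alice LOGIN - FAIL",
    "2024-03-01T02:00:12 alice LOGIN - FAIL",
    "2024-03-01T02:00:14 alice LOGIN - FAIL",
    "2024-03-01T02:00:20 alice LOGIN - OK",
    "2024-03-01T02:01:00 alice SELECT cardholder.pan OK",
    "2024-03-01T09:15:00 bob SELECT cardholder.pan OK",
    "2024-03-01T09:16:00 bob SELECT cardholder.expiry OK",
]
# Need-to-know policy (7.2): a role lists the objects it may touch; anything not
# listed is denied, so a user with no role has no access at all.
ROLE_OBJECTS = {"payments_ops": {"cardholder.pan", "cardholder.expiry"},
                "sales": {"sales.tickets"}}
USER_ROLES = {"alice": {"sales"}, "bob": {"payments_ops"}}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)


def parse(line):
    ts, user, action, obj, outcome = line.split()
    return datetime.fromisoformat(ts), user, action, obj, outcome


def permitted(user, obj):
    """Deny-all default: allowed only if one of the user's roles lists the object."""
    return any(obj in ROLE_OBJECTS.get(role, set()) for role in USER_ROLES.get(user, set()))


def review(lines):
    """Automated log review: returns (alerts, response actions) for the slide's rules."""
    alerts, actions = [], []
    failures = defaultdict(list)  # user -> timestamps of failed logins inside the window
    for ts, user, action, obj, outcome in map(parse, lines):
        if action == "LOGIN" and outcome == "FAIL":
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(f"{ts.isoformat()} {user}: {len(recent)} failed logins in {FAIL_WINDOW}")
                actions.append(f"lock account {user}")  # stop further attempts
        elif action in ("SELECT", "UPDATE", "DELETE") and not permitted(user, obj):
            alerts.append(f"{ts.isoformat()} {user}: {action} on {obj} outside assigned roles")
            actions.append(f"notify SIEM and IT Security: {user} {obj}")
    return alerts, actions


def demo():
    return review(AUDIT_LOG)
```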
64. Example Policies that Need to Be Provided and Maintained
• Access Control Policy
• Application Security Sample report
• Change Management Process
• Clean Desk Policy
• Connected Entities
• Corporate Roles & Responsibilities
• Development Policy
• Disaster Recovery Process
• Document Generation
• Electronic Communication Policy
• Email Policy
• Incident Response Process
• Information Security Policy
• Internal Audit Procedure
• Internal Audit Report
• Malicious Code Policy
• Network Security Policy
• Operational Procedure
• Physical Access Policy
• Risk Assessment Methodology
• SOP Asset Management
• SOP Development
• SOP for SOP
65. Implement Risk-Assessment Process
The main objective of Risk Assessment is to estimate the Risks that affect the current Biznet GIO assets. This is done by:
1. Identifying Biznet GIO Assets, and defining their value as per the requirements of Confidentiality, Integrity and Availability.
2. Identifying the Vulnerabilities in the system and their value.
3. Identifying the Threats that can exploit these Vulnerabilities.
4. Estimating the probability of a Threat.
5. Calculating the Risk and then sorting them as per their relative significance.
6. Interpreting the results.
66. Risk-Assessment Threat Matrix Example
No | Threat Events | Source
1 | Natural Causes (Flood, Fire, Animals, etc.) | External
2 | Cyber Crime (DDoS, Flooding, Abuse Usage etc.) | External
3 | Social Engineering (Impersonation, Shoulder Surfing) | External
4 | Vendor Failure (ISP failure, Disgruntled Vendor, etc.) | External
5 | Theft (Theft of Data, Theft of Hardware, Hacking etc.) | External
6 | Change of Regulation | External
7 | Unauthorized Access (copying, manipulation of data, etc.) | Internal
8 | Loss/deletion of data (Loss Integrity, data deletion, human error etc.) | Internal
9 | Hardware Failure (UPS, Cable, Disk, Power, etc.) | Internal
10 | Software Failure (bug, virus, OS, etc) | Internal
68. Risk Calculation Matrix Example
No | Asset | Description of Asset | Type of Threat | Risk Owner | Confidentiality | Integrity | Availability | Asset Value
1 | Resource | Internal Issue | Natural Causes; Vendor Failure; Theft; Hardware Failure; Software Failure | Top Management | 3 | 2 | 2 | 7
2 | Human Aspects | Internal Issue | Social Engineering; Change of Regulation | Top Management | 3 | 2 | 3 | 8
3 | Managements | Internal Issue | Social Engineering; Change of Regulation | Top Management | 3 | 2 | 3 | 8
69. Risk Treatment Plan Example
No | Process/Function | Asset | Potential Failure | Severity Level | Mitigation
1 | Marketing | Marketing's Asset | Deletion of data | Low | Use data recovery in the cloud, disciplinary process
2 | Marketing | Marketing's Asset | Unauthorized copying | Low | Disciplinary Process, destroy the copy
3 | Sales | Customer related (list, tickets, etc.) | Sabotage, Tampering | Medium | Gather the evidence and report to authority
4 | Sales | Customer related (list, tickets, etc.) | Deletion of data | Low | Use data recovery in the cloud
5 | Sales | Customer related (list, tickets, etc.) | Unauthorized copying | Medium | Disciplinary Process, destroy the copy
6 | Sales | Sales's confidential Asset (contract, report, etc.) | Unauthorized copying | Medium | Disciplinary Process, destroy the copy
71. NIST Cloud Computing Forensic Science Challenges
Various process models have been developed for digital forensics, including the following distinctive steps and attributes:
1. Search authority. Legal authority is required to conduct a search and/or seizure of data.
2. Chain of custody. In legal contexts, chronological documentation of access and handling of evidentiary items is required to avoid allegations of evidence tampering or misconduct.
3. Imaging/hashing function. When items containing potential digital evidence are found, each should be carefully duplicated and then hashed to validate the integrity of the copy.
4. Validated tools. When possible, tools used for forensics should be validated to ensure reliability and correctness.
5. Analysis. Forensic analysis is the execution of investigative and analytical techniques to examine, analyze, and interpret the evidentiary artifacts retrieved.
72. NIST Cloud Computing Forensic Science Challenges
Identification stage challenges
1. Access to evidence in logs
2. Physical inaccessibility
3. Volatile data
4. Client side identification
5. Dependence on cloud service provider - trust
Preservation/Collection stage challenges
1. Integrity and stability - multi-tenancy and privacy
2. Imaging
3. Bandwidth limitation
4. Multi-jurisdiction distribution - collaboration
5. Dependence on cloud service provider - trust
Examination/Analysis stage challenges
1. Lack of forensic tools
2. Volume of data
3. Encryption
4. Time synchronization - reconstruction
5. Unification of log formats
73. Cloud Forensics Tips
Disk Imaging and Acquisition tips
1. Rsync – raw copy of the virtualization disk image (e.g. qcow, vmdk, etc.)
2. Use the Clone or Snapshot features on the cloud provider portal to clone the instance
3. Use the Suspend or Pause features on the cloud provider portal to maintain integrity
4. Take note of the software and version for future investigation in the lab
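As an added example (not from the slides), the hashing and chain-of-custody side of these tips in Python: the raw copy is hashed as it is read, the copy is re-hashed after it has been flushed to disk, and a JSON record of who acquired what, when, and with which software is appended to a custody log (slide 71, steps 2 and 3; tip 4 above). The image file and examiner name are constructed; whichever tool produces the copy (rsync or a portal snapshot), the verification step is the same.

```python
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream 1 MiB at a time so large images never sit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(src, dst, examiner, tool="raw stream copy (this script)"):
    """Raw-copy src to dst, hash both sides and return a custody record.
    Raises RuntimeError if the copy does not hash identically to the source."""
    src_hash = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(block)  # hash the source bytes as they are read
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # the copy must be on disk before it is re-hashed
    expected, actual = src_hash.hexdigest(), sha256_file(dst)
    if expected != actual:
        raise RuntimeError(f"copy of {src} failed verification: {expected} != {actual}")
    return {"acquired_at": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
            "source": src, "copy": dst, "size_bytes": os.path.getsize(dst),
            "sha256": actual, "tool": tool,  # software noted for later lab work (tip 4)
            "runtime": f"Python {platform.python_version()} on {platform.platform()}"}


def write_custody_record(record, path):
    """Append one JSON line per acquisition: the chronological handling log (step 2)."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def demo():
    """Constructed sample: a small fake qcow2-like file, acquired and verified."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "vm-disk.qcow2")  # constructed, not a real image
        with open(src, "wb") as f:
            f.write(b"QFI\xfb" + bytes(range(256)) * 64)  # qcow2 magic + filler bytes
        record = acquire_image(src, src + ".copy", "examiner-1")
        write_custody_record(record, os.path.join(tmp, "custody.jsonl"))
        return record, sha256_file(src)
```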
76. MULTIPLE AVAILABILITY ZONES & CLOUD CONNECTIVITY
Connectivity: 10 Gbps Local, 1 Gbps International, redundant with the same backup link capacity from different providers
✓ Scalability & High Availability
✓ Business Continuity Planning
✓ Disaster Recovery Center
✓ Hybrid Cloud
Data Center 1: Technovillage, Cimanggis, JAWA BARAT
Data Center 2: MidPlaza, Sudirman, JAKARTA
Data Center 3: BANTEN
Inclusive Inter-DC Link for up to 10 Gbps
77. PRIVACY COMMITMENT AND SECURITY
SOC 2 Type 2 - Service Organization Control
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems….
Type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
The First Local Cloud Service Provider with 3 Security Certifications
78. BIZNETGIO SERVICE ADVANTAGES
24 Hours Local Support
Managed Service Response Time < 15 minutes
Uptime SLA 99.9%
Unlimited Network Traffic: Bandwidth up to 10 Gbps, No Traffic Quota
Design, Implement to Day to day Operations
79. Investigation Process on Biznet GIO
[Diagram: Mailing/e-Mail Search Warrant to Biznet GIO Address → Biznet GIO CEO → Biznet Legal PIC and NDA Signing → Subject Matter Expert / Domain Expert / Security Expert → Evidence Collection]
80. “In today’s world, people put most everything on computers/cloud. We need the forensics capability to go in and retrieve that information off the company’s networks.” - Earl Devaney
For any inquiry related to security: security@biznetgio.com