Risks and Challenges

Academic year: 2021

Cloud and Mobile Security: Risks and Challenges

Chong Sau Wei (CISM)
chong@scan‐associates.net
General Manager, Managed Security Services, SCAN Associates Berhad

Seminar e‐Kerajaan Negeri Pulau Pinang (Penang State e-Government Seminar)


What is Cloud Computing?

The delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network (Internet) [wikipedia]

Cloud ‐ an old new concept…

Parallel, distributed and grid computing have been around for a while:
• Scientists, governments, international organizations, military
• Urban planning, weather forecasts, economic modelling, etc.

Now, cloud computing is a commodity
• Who does not use the cloud nowadays?


Models of Cloud Services

Software as a Service (SaaS): software
• CRM, email, games, virtual desktops
• Google Apps, Salesforce CRM, Dropbox

Platform as a Service (PaaS): computing or solution platform
• operating systems, databases, web servers
• Microsoft’s Azure, Google’s AppEngine

Infrastructure as a Service (IaaS): computers (physical/virtual), storage, firewalls or networks


Security: Top Cloud Adoption Concerns


Cloud Security: Shared Responsibility

Deployment models compared (columns of the slide): On‐Premise, On‐Premise (hosted), IaaS, PaaS, SaaS
Stack layers shown for each model (rows of the slide): Application, Application Services, VM OS, Storage Server, Network

Organization shares control with vendor


Threat Evolution


Some Interesting Observations

• 97% avoidable through simple or intermediate controls
• 96% were not highly difficult
• 94% of all data compromised involved servers
• 92% were discovered by a third party
• 85% took weeks or more to discover
• 79% were targets of opportunity


Cloud Security Challenges

Exposure of data to foreign governments and data subpoenas – US PRISM program
Trusting vendor’s security implementations


Mobile Security: Value & Risks

The world is mobile and cloudy and will be getting more so…

Mobile applications can create tremendous values:
– New classes of applications utilizing mobile capabilities: GPS, camera, etc.
– Innovating applications for employees and citizens

Mobile devices and mobile applications can create tremendous risks as well:
– Sensitive data inevitably stored on the device (email, contacts)
– Connect to a lot of untrusted networks (carrier, Wi‐Fi)

Most developers are new to creating mobile


Mobile Security: Top Threats

Type of Threats (Threat Level)
1. Data loss from lost, stolen or decommissioned devices (High)
2. Information‐stealing mobile malware (High)
3. Unsecured Wi‐Fi, network access and rogue access points (High)
4. Unsecured or rogue app marketplaces (High)


Mobile Security Challenges

• Explosion of mobile devices: How to control the usage of the devices?
• Mobile Apps: How to keep track of and manage the installations?
• Data Management: How to protect the data and critical information from being leaked out?
• Ownership: Who should monitor the use of mobile devices?


What needs to be secured 

Device

Data

Application

User


Security Threats Landscape

Security Threats
• Human
  – Malicious: Malware
  – Non‐malicious: Poorly Design, Bugs
• Non‐Human: Hardware, Software
• Natural Disaster: Fire, Flood etc


Securing Cloud & Mobile Implementations

Steps shown on the slide include: 6. Secure infrastructure; Enable compliance


2. Establish Policies And Standards

Establish organizational policies and standards
Policies and standards are important as guidance and for ensuring compliance
Adopt international security standards & guidelines such as ISO27001 (ISMS), and industry best practices


4. Mitigate the Risks & Threats

Examples of security controls:
1. Encrypt data that rests or moves in and out of both clouds.
2. Control access by managing identities and manage API control points at the network edge.
3. Establish trusted compute pools to secure datacentre infrastructure and protect clients.
4. Build higher assurance into compliance to


6. Securing Infrastructure

Protect client, edge, and datacentre systems:
– Secure the clients to ensure that only authorized users can access the cloud and to guard endpoint devices against rootkit and other low‐level malware attacks.
– Protect edge systems at the API level where external software interacts with the cloud environment.
– Create a secure datacentre infrastructure that establishes trust between servers and between servers and clients.


Conclusion

Understand the security advantages, threats and challenges of cloud and mobile technology adoption
Understand the legal ramifications


Cloud & Mobile Security Reality Check
