SHOULD WE FEAR THE CLOUD?

It may be the key to security

EBOOK


TABLE OF CONTENTS

CHAPTER 1 INTRODUCTION: IS CLOUD OUR GREATEST SECURITY RISK OR OPPORTUNITY?
CHAPTER 2 TODAY’S TOP 5 SECURITY THREATS
CHAPTER 3 NEXT-GENERATION CLOUD SECURITY
CHAPTER 4 A NEW SECURITY PARADIGM
CHAPTER 5 INNOVATIVE SECURITY APPROACHES
CHAPTER 6 PUT THESE APPROACHES TO WORK

CHAPTER 1

INTRODUCTION: IS CLOUD OUR GREATEST SECURITY RISK OR OPPORTUNITY?

It’s a fear that many organizations have—a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common.

(4)

IS CLOUD OUR GREATEST SECURITY RISK OR

OPPORTUNITY?

IS THE CLOUD INSECURE? OR ARE WE?

WHAT IS THE REAL COST OF A DATA BREACH?

It’s a fear that many organizations have—

a major breach of security where sensitive customer data is compromised and the business faces not only serious liability but also loss of brand value. It could happen as an attack on a traditional data center, or it could happen as an attack on the cloud. However, the first is a more realistic scenario. While data breaches can happen on the cloud, attacks on traditional data centers are more common.

Introduction: Is cloud our greatest security risk or opportunity?

CHAPTER 1

The financial cost of a data breach is rising. The average total cost of a data breach has increased 15 percent in the past year—to USD3.5 million.1

Data breaches often cause a loss of customers—and this abnormal churn rate is particularly acute in the pharmaceutical, financial services and healthcare industries.2

IS THE CLOUD INSECURE? OR ARE WE?

Of 250 senior IT and business decision makers interviewed in the United Kingdom, only 2 percent said they’d experienced a cloud-related security breach.3


3 The Cloud Industry Forum, “Cloud FUD fails to match up with experiences, says CIF,” press release, September 2014.


When you’re planning to move to the cloud and manage a hybrid environment, security is a top concern. But cloud is not necessarily less secure than a traditional environment. In fact, it may be possible to deliver even greater security in a hybrid cloud environment because it offers new and advanced opportunities.

In this ebook, you’ll discover how hackers are using traditional tactics in new ways to attack the cloud. You’ll also find out how the cloud can help you increase security with innovative approaches designed to detect threats long before they threaten your enterprise.


Our cloud security fears may have more basis in the changing threat landscape—the botnets, advanced persistent threats and dynamic polymorphic malware of our world—than in cloud technology itself.

In fact, there’s nothing fundamental in the cloud that makes it any more vulnerable than a traditional environment. With each new innovation in computing, hackers have exploited new vulnerabilities to launch attacks, and the cloud is simply their newest target.

As more workloads move to the cloud, more data follows, and hackers go where the data is. Right now, they’re using traditional tactics in new ways to infiltrate a new environment.

CHAPTER 2

TODAY’S TOP 5 SECURITY THREATS

Five top security threats: old threats, new environment

THE TOP 5 CLOUD THREATS

01 Data breaches
02 Data loss
03 Service traffic hijacking
04 Insecure interface and APIs
05 Denial-of-service attacks

We’ve compiled a list of the five top current cloud threats and provided tips on how to protect against each.

01 DATA BREACHES

Your cloud provider may not alert you if your servers are breached

Hackers are using sophisticated tactics to steal data in the cloud just as they do in other environments, but they’re coming up against sophisticated, cloud-based security approaches. One way thieves steal data is by targeting data that is encrypted for only one part of its cloud journey. However, this can be prevented if data is encrypted throughout its cloud journey until it’s been processed by the authorized application.

Respond quickly

You have to respond quickly to a data breach—speed and skill are critical, and every minute counts. Yet because breach protection laws vary by state and country, your cloud provider may not be required to alert you to a security threat. To limit disruption to your operations, data leakage, compliance complications and damage to your corporate reputation, you need a data breach response plan that will quickly assess the source of the problem and immediately begin mitigating further damage.

One possible solution is a plan that deploys a unified data breach response system, in conjunction with consultants, to minimize the effect of a security incident and prevent data breaches in the future. This system should be monitoring your IT environment 24x7.

02 DATA LOSS

Data may be accidentally deleted

Given that companies can go out of business after a major data loss, the threat is understandably a big fear in most industries. In the cloud, the potential causes of data loss can be more expansive than in a traditional environment, where hardware or system malfunction is often the culprit.

Data loss in the cloud may be caused by cloud service provider error, accidental deletion of virtual machines, file corruption and internal virtual disk corruption, among others.

Focus on endpoint security

To prevent this, you need a data loss prevention solution that focuses on improving endpoint security. The solution you choose should protect sensitive data at every point, whether it’s being accessed, stored or transmitted on your endpoint devices.

A solution that prevents data access when a device is lost or stolen, encrypts e-mail and instant messages, and blocks unauthorized and abusive behavior will give you significant protection.

03 SERVICE TRAFFIC HIJACKING

Your services can be compromised

A few years ago, a cross-site scripting (XSS) bug gave hackers a free pass to one website’s credentials, using the trust the company had gained to hurt its own customers. In the cloud, hackers can create chaos, manipulating data and redirecting customers to illicit sites.

A primary reason for XSS attacks like this is that developers trust users. Developers may think that users will never perform malicious actions so they create applications without filtering user input to block them. Another reason for the frequency of these kinds of attacks is that they have so many variants. Sometimes, an application that properly tries to filter any malicious scripts gets confused and allows a script, opening the door to hijacking.

The solution: contextual output encoding or escaping

The primary defense against XSS is contextual output encoding or escaping.

Several escaping schemes can be used depending on where the untrusted string needs to be placed within an HTML document, including HTML entity encoding, JavaScript escaping, Cascading Style Sheets (CSS) escaping and URL (or percent) encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.

Because encoding can be tricky, a security encoding library is recommended.
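To make the contextual encoding described above concrete, here is an added example written for this page (not code from the ebook or from IBM): one encoder per destination context, and a small render function that places the same untrusted value into HTML content, a JavaScript string, a URL query value and a CSS string, each through the matching encoder. The function names, the context keys and the sample input are this example's own assumptions; it covers the plain-text case the ebook describes, not rich data.

```python
import html
from urllib.parse import quote

# Constructed sample of untrusted user input for the demonstration.
UNTRUSTED = '<b onmouseover="x">hi</b> & "bye"'


def encode_html(s: str) -> str:
    """HTML entity encoding: for element content and quoted attribute values."""
    return html.escape(s, quote=True)


def _js_char(c: str) -> str:
    cp = ord(c)
    if c.isascii() and c.isalnum():
        return c
    if cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
        cp -= 0x10000
        return "\\u{:04x}\\u{:04x}".format(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u{:04x}".format(cp)


def encode_js(s: str) -> str:
    """JavaScript escaping: for data inside a quoted JS string literal.
    Every non-alphanumeric character becomes \\uXXXX, so neither a quote
    nor a literal </script> can terminate the string or the script block."""
    return "".join(_js_char(c) for c in s)


def encode_css(s: str) -> str:
    """CSS escaping: for data inside a quoted CSS string. Hex escape plus a
    terminating space, so a following hex digit is not absorbed into it."""
    return "".join(c if c.isascii() and c.isalnum() else "\\{:x} ".format(ord(c)) for c in s)


def encode_url(s: str) -> str:
    """URL (percent) encoding: for data placed in a query-string value."""
    return quote(s, safe="")


ENCODERS = {"html": encode_html, "js": encode_js, "css": encode_css, "url": encode_url}


def encode_for_context(s: str, context: str) -> str:
    """Pick the encoder by *where* the untrusted string lands. An unknown
    context is an error, never a silent pass-through."""
    try:
        return ENCODERS[context](s)
    except KeyError:
        raise ValueError(f"no encoder for context {context!r}") from None


def render_profile(display_name: str) -> str:
    """A fragment that places one untrusted value into four contexts,
    each via the encoder for that context."""
    return (
        f'<p title="{encode_for_context(display_name, "html")}">'
        f'{encode_for_context(display_name, "html")}</p>\n'
        f'<script>var displayName = "{encode_for_context(display_name, "js")}";</script>\n'
        f'<a href="/search?q={encode_for_context(display_name, "url")}">search</a>\n'
        f'<style>.tag::after {{ content: "{encode_for_context(display_name, "css")}"; }}</style>'
    )


if __name__ == "__main__":
    print(render_profile(UNTRUSTED))
```

The point the ebook makes about a library applies here too: the encoders are deliberately strict (everything but ASCII letters and digits is escaped), which is what makes them easy to get right; a hand-written allowlist of "dangerous characters" is where mistakes creep in.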

04 INSECURE INTERFACE AND APIs

Malicious access on the cloud

If interfaces and application programming interfaces (APIs) aren’t secure, cloud services won’t be either. Here are just some of the security breakdowns that can happen: malicious or unidentified access, improper authorizations, and reusable passwords.

You need a secure provider

Access to cloud services needs to be secure on the static and dynamic front, and that eventually boils down to choosing a secure cloud service provider. A provider should continuously capture—and provide the full chain of provenance for—access to any cloud service, starting with hardware root of trust for the runtime environment.

The secure access itself can be established through multilevel security (MLS), including mandatory access control (MAC).
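As an added example of what multilevel security with mandatory access control means for an API gateway (example code written for this page, not the ebook's or IBM's), the following models labels as a sensitivity level plus need-to-know compartments and applies the Bell-LaPadula rules: no read up, no write down. The level names, the resources and the requests are constructed for the demonstration; the gate also refuses unidentified callers before it compares labels, which is the "unidentified access" breakdown named above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordered sensitivity levels; names and ordering are this example's own.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """An MLS label: a sensitivity level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least as sensitive, and covering
        every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject: Label, obj: Label, op: str) -> bool:
    """Mandatory access control in the Bell-LaPadula style.
    read : only if the subject dominates the object (no read up)
    write: only if the object dominates the subject (no write down), so a
           SECRET process cannot leak into a CONFIDENTIAL store."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def authorize_api_call(request: Dict, objects: Dict[str, Label]) -> str:
    """Gate one API request. Labels come from policy, never from the caller,
    which is what makes the control mandatory rather than discretionary."""
    subject = request.get("subject")
    if subject is None:
        return "deny: unauthenticated"
    target = objects.get(request["object"])
    if target is None:
        return "deny: unknown object"
    return "allow" if mac_decision(subject, target, request["op"]) else "deny: mandatory policy"


# Constructed labelled resources for the demonstration.
OBJECTS = {
    "public-docs": Label("UNCLASSIFIED"),
    "customer-db": Label("CONFIDENTIAL", frozenset({"FIN"})),
    "hr-records": Label("SECRET", frozenset({"HR"})),
    "audit-log": Label("SECRET", frozenset({"FIN", "HR"})),
}


def run_demo() -> List[str]:
    analyst = Label("SECRET", frozenset({"FIN"}))
    requests = [
        {"subject": analyst, "object": "customer-db", "op": "read"},   # read down: allow
        {"subject": analyst, "object": "hr-records", "op": "read"},    # lacks HR compartment: deny
        {"subject": analyst, "object": "customer-db", "op": "write"},  # write down: deny
        {"subject": analyst, "object": "audit-log", "op": "write"},    # write up: allow
        {"subject": None, "object": "public-docs", "op": "read"},      # unidentified caller: deny
    ]
    return [authorize_api_call(r, OBJECTS) for r in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note the third request: the analyst is cleared to read the customer database but is refused when writing to it, because a write from a higher level into a lower one is exactly the channel through which data would leak.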

05 DENIAL-OF-SERVICE ATTACKS

The black cloud market

It’s not uncommon for cloud service providers to be compromised by distributed denial-of-service (DDoS) attacks that eat up customers’ time, resources and processing power. In the cloud, virtual machines are hijacked as zombies and used to launch the attacks. Hackers also run a “black cloud market” that offers DDoS as a service. One key to preventing these attacks is comprehensive workload monitoring.

Your best defense: intercept and circumvent

As soon as an attack happens, the outgoing DDoS and the incoming DDoS need to be intercepted and circumvented. This means providing continuous monitoring of the cloud environment and issuing early warnings for those bare metal systems and virtual machines that have been hijacked as zombies. A cloud service provider should also block the outgoing DDoS attack that might be launched by these hijacked machines (and suspend them after they have been detected).

CHAPTER 3

NEXT-GENERATION SECURITY FROM THE CLOUD

Even though hackers are using traditional methods to attack the cloud, traditional security methods aren’t likely to stop the attacks. In the past, some cloud providers have applied static, perimeter-based controls, such as firewalls and intrusion protection systems (IPSs), with additional layers of defense, assuming that multiple


But this is the traditional security model, which may no longer provide the highest security possible because it is marred by three key vulnerabilities:

• Numerous security controls can lead to a fragmented security posture, overhead in security management and a never-ending stream of alerts.

• Security attacks are sophisticated and can more easily leapfrog the current generation of static security controls.

• Attackers are able to quickly exploit platform shifts, such as software-defined environments, to their advantage.

CHAPTER 4

A NEW SECURITY PARADIGM

To truly combat today’s threats, you need security measures that eliminate these shortcomings. As you move high-value, industry-specific workloads to the cloud, you need to build in the right security from the start. Keeping track of who is accessing data governed by regulations will not only be critical for regulatory compliance but also for providing the security assurances you and your clients expect.


New exposures

Public clouds also have certain exposures that new security approaches need to take into account. These can raise security concerns:

• “Black box” sharing in clouds can reduce visibility and control and increase the risk of unauthorized access and disclosures.

• Limited compatibility with existing enterprise security infrastructure may limit adoption for mission-critical applications.

• Limited experience and low assurance can raise doubts over cloud reliability (operational availability, long-term perspective).

• Privacy and accountability regulations may prevent cloud adoption for certain data and in certain geographies.

CHAPTER 5

INNOVATIVE SECURITY APPROACHES

Three new and advanced security approaches can help you fortify your cloud environments against traditional and new security threats.

Together, fine-grained contextual security, provenance and the honey pot can provide greater visibility; track data, location and access; and support regulatory compliance.

FINE-GRAINED CONTEXTUAL SECURITY

Get a 360-degree view of your cloud threat landscape

Because many cloud security breaches may be the result of poorly monitored workloads, fine-grained contextual security, which is designed to provide a 360-degree view of the cloud workload and threat landscape, is critical to protecting your data in the cloud. Think of it as perimeter defense for the virtual environment.

How it works

Monitor and distill. Here, virtually all aspects of workloads are instrumented, including data, applications and business processes, to monitor and collect security-related data. These observations build a 360-degree view of the cloud workload.

Correlate and predict. The security posture is predicted based on this 360-degree view, the current threat environment, the service level agreements (SLAs) governing the cloud workload and assessment of response alternatives. Here, you use techniques such as data mining, machine learning and cognitive computing to aid security administrators with automated methods to build models, track normal behavior and flag anomalous activity.

Adapt and preempt. In this phase, security controls are inserted by leveraging the agility of software-defined compute, storage and networks to increase the workload of the attacker. This approach can raise the defender’s stakes in the security arms race.
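The three phases above, and the DDoS tip in chapter 2 about early warnings for hijacked virtual machines and suspending them once detected, describe the same loop: learn each workload's normal behaviour, flag deviations, act. The following is an added example written for this page (not the ebook's or IBM's code) that runs that loop over constructed outbound packets-per-second readings. The VM names, readings and thresholds are this example's own assumptions; the flat-history VM shows why a spread floor is needed before a z-score is trusted.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed outbound packets-per-second samples: a window of "normal"
# readings per VM (phase 1, monitor and distil), then one current reading.
BASELINE: Dict[str, List[float]] = {
    "vm-a": [100, 110, 95, 105, 100, 98],
    "vm-b": [200, 210, 190, 205, 195, 200],
    "vm-c": [50, 50, 50, 50, 50, 50],
}
CURRENT: Dict[str, float] = {"vm-a": 108, "vm-b": 9000, "vm-c": 55}


def build_baseline(samples: Dict[str, List[float]], min_std: float = 1.0) -> Dict[str, Tuple[float, float]]:
    """Distil each VM's history into (mean, spread). The floor on the spread
    stops a perfectly flat history from turning a one-packet wobble into an
    infinite z-score."""
    return {vm: (statistics.mean(v), max(statistics.pstdev(v), min_std)) for vm, v in samples.items()}


def classify(observed: float, mean: float, std: float,
             z_threshold: float = 4.0, min_ratio: float = 2.0) -> str:
    """Phase 2, correlate and predict: how far is this reading from normal?
    ok      -> within the learned band
    warn    -> statistically unusual but not a large absolute jump: early warning
    suspend -> far outside the band AND a multiple of normal volume: treat as
               a hijacked zombie and stop its outgoing traffic"""
    z = (observed - mean) / std
    if z < z_threshold:
        return "ok"
    if observed < min_ratio * mean:
        return "warn"
    return "suspend"


def flag_zombies(baseline: Dict[str, Tuple[float, float]], current: Dict[str, float], **thresholds) -> Dict[str, str]:
    """Phase 3, adapt and preempt: map each VM to the action to take."""
    return {vm: classify(obs, *baseline[vm], **thresholds) for vm, obs in current.items()}


def run_demo() -> Dict[str, str]:
    return flag_zombies(build_baseline(BASELINE), CURRENT)


if __name__ == "__main__":
    for vm, action in run_demo().items():
        print(f"{vm}: {action}")
```

In this run vm-b's reading is dozens of standard deviations above its baseline and forty-five times its normal volume, so it is marked for suspension; vm-c's reading is only five packets above a perfectly flat history, which the z-score alone would call extreme, so the ratio check demotes it to an early warning for an administrator to look at.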

How you can benefit

• Gives you the security of communication across domains, knowing it can be trusted and fully logged and audited

• Facilitates fast workload migration with minimal disruption

• Enables you to react to SLA violations; identify long-term activities caused by low-and-slow threats; and isolate infrequent, unanticipated device activity

PROVENANCE

Close the loop on compliance threats

Provenance, a term borrowed from fine art, describes how an object came to be in its present state. For example, the provenance of the Mona Lisa establishes who painted it at what time, when it was scratched and restored, and which museums have held it. In technology, provenance is metadata that represents the ancestry of an application and shows where it was developed, when it was patched or updated, and who has used it for what purpose. It can also be the metadata for a piece of data in terms of when it was created as well as when, how, where and by whom it was altered.

How it works

Provenance links log and audit data from all over the map to provide the complete history of an event. It tracks the data and processes that travel through your cloud so you can know the how, what, where, when, who and why of virtually any threat event.
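As an added example of provenance metadata that links events into a complete, tamper-evident history (example code written for this page, not the ebook's or IBM's), each record below carries who, what, when and where for an application or a piece of data, plus the hash of the record before it. Editing any past record, with or without recomputing its own hash, breaks the chain at a verifiable position. The record fields, the sample events and the timestamps are constructed for the demonstration.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(record: Dict) -> str:
    """Hash of the record's own fields (everything except the stored hash),
    over a canonical JSON form so key order cannot change the result."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(chain: List[Dict], ts: str, actor: str, action: str, obj: str, location: str) -> Dict:
    """Add one provenance record: who did what, to which object, when and where,
    chained to the previous record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "ts": ts, "actor": actor, "action": action,
           "object": obj, "location": location, "prev_hash": prev}
    rec["hash"] = _digest(rec)
    chain.append(rec)
    return rec


def verify_chain(chain: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) if intact, else (False, index of
    the first record whose content or linkage does not check out)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev or rec["hash"] != _digest(rec):
            return False, i
        expected_prev = rec["hash"]
    return True, None


def lineage(chain: List[Dict], obj: str) -> List[Tuple[str, str, str, str]]:
    """The ancestry of one object: (when, who, what, where) in order."""
    return [(r["ts"], r["actor"], r["action"], r["location"]) for r in chain if r["object"] == obj]


def build_sample_chain() -> List[Dict]:
    # Constructed events for the demonstration.
    chain: List[Dict] = []
    append_event(chain, "2014-11-03T09:00:00Z", "ci-bot", "build", "billing-app:1.4", "build-farm")
    append_event(chain, "2014-11-03T10:15:00Z", "deployer", "deploy", "billing-app:1.4", "eu-west-prod")
    append_event(chain, "2014-11-03T10:20:00Z", "billing-app:1.4", "read", "customer-db", "eu-west-prod")
    append_event(chain, "2014-11-04T08:00:00Z", "ops-admin", "patch", "billing-app:1.4", "eu-west-prod")
    return chain


def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Two after-the-fact edits to record 1 and what verification says about each."""
    good = build_sample_chain()
    edited = copy.deepcopy(good)
    edited[1]["actor"] = "someone-else"              # content no longer matches its hash
    rehashed = copy.deepcopy(good)
    rehashed[1]["actor"] = "someone-else"
    rehashed[1]["hash"] = _digest(rehashed[1])       # record 1 is self-consistent again...
    return {"intact": verify_chain(good),            # ...but record 2's prev_hash now disagrees
            "edited": verify_chain(edited),
            "rehashed": verify_chain(rehashed)}


if __name__ == "__main__":
    chain = build_sample_chain()
    print(lineage(chain, "billing-app:1.4"))
    print(tamper_demo())
```

Verification pinpoints the break rather than only reporting failure, which is what lets an auditor say where on the data journey the record stopped being trustworthy.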

How you can benefit

• Empowers you to isolate the correct contextual information and tune out potential interference from adjacent workloads that have nothing to do with your workload

• Helps you manage and facilitate compliance because it gives you a clear, complete and fully authenticated audit trail

• In an environment where security regulations and standards change across states and countries, it can help you determine where your security is breaking down and where it’s holding up on the data journey

HONEY POT

A decoy that tricks hackers

The honey pot is a decoy, a fake computing environment expressly set up for trapping hackers and new or unconventional hacking methods. It gives hackers a playground (that they believe is real) where they can unleash their threats, and reveal their methods and identities, before they reach your real computing environment. The result is effectively quarantined malware along with the less tangible satisfaction (and amusement) that comes from outwitting smug hackers.

How it works

The honey pot reroutes traffic to a decoy within a well-controlled and quarantined environment. It then generates a detailed report designed to reveal the identity of the target, files, hackers and threat. Attacks delivered by email or in unexpected and unconventional ways (such as through a heating, ventilation and air-conditioning [HVAC] system) should never reach the network with a honey pot defense.

How you can benefit

• Gives you the peace of mind of knowing that malware should be quarantined before it reaches your infrastructure

• Makes you less vulnerable to unconventional hacking methods because this approach spots attacks that other approaches might not

• Helps you speed up threat analysis with precise information in an easy format

CHAPTER 6

HOW TO PUT THESE APPROACHES TO WORK FOR YOUR ENTERPRISE

When you’re trying to determine which security approach is right for your enterprise, you’ll likely be better off taking a value-at-risk approach, considering the value of the information and the value of the infrastructure. Assessment also needs to be conducted in terms of threat level.

To take advantage of these new approaches, you may also need to add new tools and skills, including:

• Risk and value assessment methodology and skills

• Provenance generation and capturing, integration, and fusion

• Proactive probing and monitoring; deep introspection; and behavior modeling of system, user and workload

• Leveraging your software-defined environment to dynamically configure, quarantine and define


For more information

Go to Steps to Cloud Expertise for more information on other cloud topics and to start your journey.

ibm.com/cloud/expertise


© Copyright IBM Corporation 2014

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
November 2014

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
