ITRC Forum 2014 萬 雲 皆 有 險 : 雲 計 算 的 安 全 怎 影 響 你 的 管 理 概 念

ITRC Forum 2014

萬雲皆有險

:

雲計算的安全怎影響你的管理概念

How Cloud Computing Can Rain on Your IT Management Strategy By Roger Lee

Presentation for ITRC Forum 2014 11 Dec 2014 (Thu)

Agenda



Response to recent Anonymous Operation Hong

Kong



Challenges with Securing Clouds



Traditional Defense and management model fails



Cloud Security Defense in Depth



What should you do? 4 Key Ways of Management

Concepts to Reduce Risk



Some Specific Technologies Recommendations to

Response to recent Anonymous

Operation Hong Kong

DDoS

•

Targeting mostly Government and Political parties.

•

Most attacks do not last more than a few hours. Impacted

website are brought offline and some of those (.gov.hk sites)

have shown successful mitigation.

Recent Anonymous Operation Hong Kong

Defacement (DNS hijack / admin leakage)

•

Websites got DNS hijacked, or leaked DNS admin account,

redirect to youtube link with Anonymous message

•

All were under admin of ONE Hosting provider:

http://2pitech.com/

Recent Anonymous Operation Hong Kong

Injection attacks

•

Hackers using known SQL / MySQL injections to insert

message to webpages.

•

Admin can easily delete the item, patch it

Recent Anonymous Operation Hong Kong

Challenges with Securing Clouds



_Elastic



Multi-Tenant



_{Application-Centric}



Elsewhere



_Leased

Challenges with Securing Clouds

Traditional Defense and management

model fails

Fundamental Risk Differences

•

Differences Between Traditional IT and Cloud Computing



Risk ‘Ownership’

_{When computing assets are owned by your}

organization, you own the risk

_{When computing assets are purchased as-a-service,}

uncertain



_{Control Vs Governance}

_{Traditional IT: directly manages IT controls around}

risk tolerance (Control over network, system, and application configuration)

_{Cloud Computing: indirectly manages risk through}

governance (governance based on transparency, exposed controls, “stacked defenses”)

Fundamental Risk Differences

•

Differences Between Traditional IT and Cloud Computing



Perimeter-based Vs Application-based

Traditional: network-based defenses

Cloud Computing: Application designed with security



_{Controls are rarely customer-exposed}

_{laaS – vendor controls network configuration,}

security

_{PaaS – vendor controls network and server}

configuration, security

_{SaaS – vendor controls all aspects of security}

What should you do?

4 Key Ways of Management Concepts to

Reduce Risk

4 Key Ways of Management Concepts

1. Architect for the cloud

2. Robust Identity, Access Management

3. Confirm Legal, Compliance obligations, Due

diligence

(1) Architect for the Cloud

•

New Compute Paradigms

•

From Server to Service

•

Running on top of software virtualization

•

New Applications or services

•

Defense not dependent on the perimeter

•

Self-defending applications and services

•

Rethinking authorization & authentication

•

Resiliency across cloud(s) and traditional

(1) Architect for the Cloud

•

Existing Applications or Services



Does the Security model of the application fit cloud?



Considerations for legacy applications or services

•

Security



_{Management of Security through ‘Security Groups’}



Traffic shaping, IPS, monitoring devices must move to

virtual platforms

(1) Architect for the Cloud

•

Security



‘Build Security In’ Applications



Inter-application/service communication



_{Self-defending applications and services}



_{Rethinking authorization & authentication}

(1) Architect for the Cloud

•

Risk Revolves Around Data



Data Fundamentals

•

Strong Data Classification practice

•

Data Custodian



Data at rest

•

Store only what is necessary, for as little time as possible

•

Encryption



Data in use

•

Be usable by intended application or services



_{Data in transit}

(2) Robust Identity, Access Management

•

Cloud Identity Management

•

Federation of identity

•

Governance and monitoring

•

System/Service-level authentication

•

Certainty in machine-machine transactions at scale

•

Management of digital certificates, stores in the cloud

•

Administration of Systems – Understanding oversight

of privileged administrators and the controls over

their access

•

Vetting the people who operates your cloud(s) –

(3) Confirm Legal, Compliance Obligations,

Due Diligence

•

Data Sovereignty

 _{Must meet laws governing ‘location’ of citizen’s data}  _{Can your data be seized without notice?}

•

Cloud is borderless, law is not

 _{Privacy, security law and regulations vary by region – which to comply}

with?

 _{If your data is in a foreign nation, what rights do you have?}

 _{If your data is international, how is evidence, prosecution handled?}

•

Legal liability for security risk-related issues

 _{Who is liable in a cloud breach?}  _laaS

(3) Confirm Legal, Compliance Obligations,

Due Diligence

•

Compliance mechanisms

 _{‘Compliant clouds’ – what assurance mechanisms do you have}  _{Is auditability allowed, or allowances made for testing}

 _{Does CSP keep up with latest regulations}

•

Vendor due diligence to consider

 _{Vendor Security Posture, willingness to share details with customer}  _{Open platform (OpenStack) which won’t lock you in}

 _{Security by default, or as add-on}

(4) Clear Responsibility

• Customer, CSP, or both?

• How much transparency/intelligence does CSP provide?

 Do you have visibility into your cloud environment (at least in logging level)?  Does CSP monitor intra-cloud, and extra-cloud activity for security issues?

 _{Tenant-tenant hacking/intrusions}

 _{Tenant-Internet hacking, mis-use, intrusions}

• Incidents in the cloud

 _{In an incident, who is responsible for…}

 Notifications

 _{Incident-response}  _{Investigations}

 Does CSP have response capability?

 _{In the case of DDoS or other flood}

 _{Are there stops on metering and billing?}  Is there any proof of capability?

Some Specific Technologies

Recommendations to be more secure and

efficient management

Cloud Based Attack Mitigation

Slide 27

Protected Online Services DefensePro AppWall Protected organization DefensePipe Scrubbing Center DefensePros Defense Messaging

Includes traffic baselines

ISP

Volumetric DDoS attack that blocks the Internet

pipe

ERT with the customer decide to divert the traffic

Clean traffic

Pipe Saturation Alert

includes essential information for attack

mitigation On-premises AMS

mitigates the attack

SSL based attacks Application level attacks

Low & slow attacks Network flood attacks

Known vulnerabilities Egress traffic attacks

ERT monitors and controls both cloud and on-premises devices

28

Content-Aware DLP Solutions

Outbound Content (E-mail, Web, FTP,

Print, etc.) 0x9678A 0x59A06 Detection: Extract Algorithmic Conversion 01011100 11010011 00001011 00 100100 One-way Mathematical Representation 0x1678A 0x461BD 0x66A1A 0x6678A 0x4D181 0xB678A 010111001 101001100 00101100 100100 1000111 011101010 110101101 10011 0111101 Database Record or

Document

Algorithmic

Conversion Mathematical One-way Representation Fingerprint: 0xB6751 0xB61C1 0x37CB2 0x5BD41 0x190C1 0x93005 0x590A9

0xA0001 _0xB6751 0xB61C1 0x37CB2 0x5BD41 0x190C1 0x93005 0x590A9 0xA0001 Extract Fingerprint Storage & Indexing 0x5BD41 0x190C1 0x93005 Fingerprint Creation Real-Time Fingerprint Comparison PreciseID Fingerprint Repository