We live in interesting times, at least from a computer technology point of view. In the last couple of years we have changed the way our backend systems function (Cloud Computing) and the way we consume our front-end interfaces (Mobility, the Internet of Things). It is safe to say that the technology changes we are now experiencing will revolutionize the way we consume technology.
But the described changes are being held back, mostly because of information security. The root cause of the slow adoption of cloud among enterprises is trust. Challenges around transparency, compliance, standardization and immature technologies are causing a lack of trust between cloud stakeholders. And this lack of trust is the number one obstacle facing cloud computing.
So it is time for innovation. There is great demand for new, innovative solutions that will fuel the engines of the industry. Cloud Computing technologies can be innovative and groundbreaking; this has been proved before. Today there are many areas where innovative solutions can change the way we think about and provide security.
In the presentation we will discuss the future of technologies like Identity Management, Encryption, API security and Big Data platforms and evaluate where we should improve the current technologies.
Regarding encryption - we know that current technologies limit our options to safeguard keys in virtual environments and that we don’t have solutions for using encryption as a method to increase real multi-tenancy, audit and access controls, for all data types. Encryption technology must improve at all levels, starting from key management and file-level encryption (IRM solutions), and other new technologies such as homomorphic encryption should be developed further to be effective.
2. • Moshe Ferber, 37, lives in Israel (+2).
• Information security professional for over 15 years.
• Managed the security department for Ness Technologies.
• Founded Cloud7, Israel based MSSP (currently owned by Matrix).
• Shareholder at Clarisite – Your customer’s eye view
• Shareholder at FortyCloud – Make your public cloud private
• Member of the board at Macshava Tova - Narrowing societal gaps
through technology
• Certified instructor for the Cloud Security Alliance
• Instructor for the See-Security Cyber Warfare college.
5. •A CSA research analyzing Cloud breakdowns in the
last 5 years:
o Number of Online Cloud articles reviewed: 11,491
o Total Number of Cloud Vulnerability Incidents: 172
[Bar chart, vertical axis 0 to 35. Data labels, in order: 29, 25, 10, 8.5. Categories, in order: Insecure Interfaces & APIs, Data Loss & Leakage, Hardware Failure, Others.]
Full report: https://cloudsecurityalliance.org/csa-news/white-paper-cloud-vulnerability-released/
6.
7. • Transparency and visibility of Cloud Providers.
• Different laws and different jurisdictions.
• Incomplete standards.
• Data Governance.
• Lack of true multi tenant technologies
• Lack of mature Identity Management tools and
methodologies.
Source: Jim Reavis, CSA CEO
8.
9. • Transparency is a major step toward trust.
• Legislation and standards are placing more and more
responsibilities on the provider and consumer.
• Cloud Providers now understand that transparency is
business advantage.
10. • The new EU data protection draft contains new directives:
o Cloud provider and consumer will have to perform risk analysis together and take appropriate measures according to the risk.
o The cloud consumer must actively monitor the provider.
• Federal regulations and standards also call for actively
assessing and monitoring the cloud provider's services.
11. • We lack tools that enable interaction between cloud provider
and consumer regarding assessment and audit of services.
• We need a framework that will enable consumers and cloud
providers to efficiently perform risk assessment, take
appropriate controls and continuously monitor them.
12. • In a world of Cloud Computing, mobile and the “Internet of
Things” – Everything is API
• Cloud automation, cloud chaining, mobile applications and 3rd
party developments are all dependent on APIs.
• Enterprises aspire to be open and connected.
• Open APIs are considered fertile ground for innovation.
• According to CSA research: 29% of cloud breakdowns occur
due to insecure interfaces and API.
Source: open API state of market, John Musser
13.
14. • APIs are the new frontend for many applications.
• The market is shifting from “secured & complicated”
SOAP to “unsecured but simple” REST APIs.
• We don’t have the right technology yet for securing
hundreds and
• Innovation is required on encryption, authentication,
authorization, data leakage and intrusion prevention.
API are the new
frontend
15. • The network is the last layer that is not virtualized yet.
• In the next two years we will see the beginning of the software-
based data center – virtualization from the network to the
applications.
• Standards are currently being developed in order to allow
SDN and NFV to mature.
• Better SLA
• IPv6
• Better visibility and management
• Flexibility
• No more “sitting ducks”
• Faster development
• Insights on performance
18. • SDN can change the way we think of network security.
• SDN currently lacks any eco-system that enables security,
monitoring, governance or automation.
• Innovation is required to develop technologies that will
utilize SDN features for security.
19. • Encryption is a key factor for cloud computing.
• Encryption enables us to create trust and comply with
regulations.
• New innovations allow us to keep keys in software, and to
encrypt data in/out of the cloud.
• But we are still lacking…
Diagram labels:
• Crypto shredding
• Enabling trust in non-trusted situations
• Regulations
• Logical separation
• Security audit
20. • Better key management
• Elevating encryption as a classification, access control &
audit mechanism.
• Homomorphic encryption, Nearest Neighbor Data
Substitution, bit splitting and data obfuscation will enable
us to process encrypted data and safely guard keys.
• There is also great potential for tokenization, masking and
anonymization services.
21. • Big Data technologies have the potential to change the world we
live in.
• Big Data also has great potential to change the security landscape
(e.g. e-mail / web / file reputation).
• But Big Data currently lacks security methodology, standards
and tools.
22. Source: CLOUD SECURITY ALLIANCE Expanded Top Ten Big Data Security and Privacy
Challenges, April 2013
• Big Data requires security innovation across the board.
• Threats are coming from unsecured sources and the lack of collection,
transportation and storage standards.
• NoSQL databases have immature security controls.
23. Identity is the new perimeter
• In the cloud-based world, the traditional perimeter is
dead. The only thing that matters is who you are.
• We are facing identity challenges in every aspect –
privacy, accountability and repudiation, authentication,
authorization and more.
• The market has not found the appropriate balance between
privacy, anonymity and efficiency.
• There are many new standards but we still lack mature
identity solutions.
24. • The identity market lacks trust between all players.
• Integrating identities – governments, enterprises & identity
providers should find their role in the eco-system.
• Identity providers should also develop and integrate
devices, applications and services.
• Authentication – when will we see the end of the password?
25. • Across different cloud providers
• Rely more on host-level security
• Replicates current enterprise tools
• Ability to adjust when instance moves
• Identity-based tools rather than network
• Improves cloud functionality
• Data is in the center
26. • Procurement process becomes central
• Cloud brokerages are growing
• In IaaS you integrate security
• In SaaS you outsource it
• Community and social tools will be a factor for decision
• Transparency will be critical
• IT will allow services but not manage them
• Expect questions about SDLC and Operations
27.
28. • Cloud Security Alliance research.
• Jim Reavis, Cloud Security Alliance CEO.
• open API state of market, John Musser
• The NIST Definition of Cloud Computing
• NIST Cloud Security Architecture (Draft)
• Securosis Blog and Research database
29. • Moshe Ferber
• moshe@onlinecloudsec.com
• www.onlinecloudsec.com
• http://il.linkedin.com/in/MosheFerber
The Cloud Security classes schedule can be found at:
http://www.onlinecloudsec.com/course-schedule