SECURITY IN THE SKIES
Mano ‘dash4rk’ Paul
CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

SecuRisk Solutions / Express Certifications
mano(dot)paul(at)securisksolutions(dot)com
mano(dot)paul@expresscertifications(dot)com

© 2007-2012 - SecuRisk Solutions

Who am I? – The ABC’s
•  Author
   •  The 7 Qualities of Highly Secure Software (May 2012)
   •  Official (ISC)2 Guide to the CSSLPCM
   •  Information Security Management Handbook
•  Advisor – Software Assurance, (ISC)2
•  Biologist – Shark Researcher
•  Christian – HackFormers
•  CEO – SecuRisk Solutions & Express Certifications
…
•  VP – Education, Austin CSA

Awards and Recognition
•  2010 President’s Award
•  2011 Americas Information Security Leadership Award (Practitioner)

In the News – Feb 27, 2012
Source: StratFor Emails Leaked by Wikileaks (http://www.myfoxaustin.com)

What are we here to learn about?
•  Topic: Security in the Skies
    •  Concerns, Threats and Controls in Cloud Computing
    •  Dark Clouds (Concerns, Threats) and Silver Lining (Controls)
•  Agnostic
   •  Technology
   •  Vendor
•  Level:
   •  Snorkel / Mid-range / Deep sea
•  Tweet (@manopaul) / Blog

What is the Cloud?

CLOUD 3-4-5
•  3 – Service Models
•  4 – Deployment Models / Types
•  5 – Characteristics

IT delivered as a Standardized Service

3 – Cloud Service Models

Infrastructure as a Service (Networking, Storage, Servers, Virtual machines …)
•  Capability for consumer provisioning of Processing / Storage / Networks / Other resources
•  Consumer does not control underlying cloud infrastructure

Platform as a Service (OS, Middleware, Execution Runtime, …)
•  Consumer deploys to cloud infrastructure
•  Consumer created or acquired applications
•  Consumer does not manage or control infrastructure
•  Some control over deployed apps and app. hosting environment

Software as a Service (Virtual desktops, Data, Apps …)
•  Use the provider’s applications
•  Running on a cloud infrastructure
•  No management or control

4 – Cloud Deployment Models / Types

Private cloud
  •  Organization specific
  •  Managed by organization or 3rd party
  •  On/Off premise; Mostly On

Community cloud
  •  Shared Infrastructure – Related parties
  •  Managed by organization or 3rd party
  •  On/Off premise

Public cloud
  •  Shared Infrastructure – Unrelated parties
  •  Owned/Managed by service provider
  •  Off premise

Hybrid cloud
  •  A composition of two or more cloud types
  •  Bound together by technology to enable data and application portability

5 – Characteristics

Resource Pooling (WHO-ever)
Provider’s computing resources are pooled and dynamically assigned to serve multiple consumers.

Rapid Elasticity (WHAT-ever)
Capabilities are rapidly and elastically provisioned, some automated, depending on requirements.

On-Demand Self Service (WHEN-ever)
Consumer-directed, automated provisioning with no human interaction at the provider.

Broad Network Access (WHERE-ever)
Capabilities delivered over the network and accessed through standard mechanisms.

Measured Service
Cloud system automatically monitors, optimizes, controls and reports resource use transparently.

Wherein LIES the Control?

Layer            On-Premises   Infrastructure   Platform        Software
                               as a Service     as a Service    as a Service
Applications     You manage    You manage       You manage      Other manages
Data             You manage    You manage       You manage      Other manages
Runtime          You manage    You manage       Other manages   Other manages
Middleware       You manage    You manage       Other manages   Other manages
OS               You manage    You manage       Other manages   Other manages
Virtualization   You manage    Other manages    Other manages   Other manages
Servers          You manage    Other manages    Other manages   Other manages
Storage          You manage    Other manages    Other manages   Other manages
Networking       You manage    Other manages    Other manages   Other manages

Opportunity or Crisis?

DARK CLOUDS
Security Threats to Cloud Computing

Top Threats – Lists/Publications
•  (ISC)2 (GISWS 2011) – Top 7
   •  Unauthorized Disclosure
   •  Data Loss/Leakage
   •  Weak Access Controls
   •  Susceptibility to Cyber Attacks
   •  Disruptions
   •  Inability to support compliance audit
   •  Inability to support forensic investigations
•  CSA v1.0 (2010) – 7 deadly sins
   •  Abuse and nefarious use of cloud computing
   •  Insecure APIs
   •  Malicious Insider
   •  Shared Technology Vulnerabilities
   •  Data Loss/Leakage
   •  Account/Service & Traffic Hijacking
   •  Unknown Risk Profile
•  OWASP (pre-alpha 2011) – Top 10
   •  Accountability and Data Ownership
   •  User Identity Federation
   •  Regulatory Compliance
   •  Business Continuity and Resiliency
   •  User Privacy and Secondary use of Data
   •  Service and Data Integration
   •  Multi-tenancy and Physical security
   •  Incidence analysis and Forensic Support
   •  Infrastructure Security
   •  Non-production Environment Exposure

Top Threats to Cloud Computing
•  Data Security / Loss / Leakage / Remanence
•  Access Controls / Account, Service & Traffic Hijacking
•  Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
•  Abuse or Nefarious Use / Shared Technology Issues
•  Cyber Forensics / Unknown Risk Profile / Malicious Insiders

Source: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0

SILVER LINING
“there’s a silver lining to every cloud that sails about the heavens if we could only see it”
(Marian or Young Maid’s Fortune, Dublin Magazine, 1840)

“Hope is a good thing, maybe the best of things, and no good thing ever dies.”
(The Shawshank Redemption)

Dark Clouds / Silver Lining
Data Security / Loss / Leakage / Remanence – Controls

•  Cryptography Protection (Encryption/Hashing)
•  Cryptographic Agility
•  Secure Data Disposal (Overwriting*)
•  DLP technologies

Dark Clouds / Silver Lining
Access Controls / Account, Service & Traffic Hijacking


•  Access Control Lists (ACLs) / RBACs
•  Chinese Wall
•  Session Management
   •  Eavesdropping
   •  Redirection

                                                              Image Source: (ISC)2 Whitepaper
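The Chinese Wall (Brewer-Nash) model listed above as an access control, worked through as an added example that is not part of the original deck: once a subject has read one tenant's data inside a conflict-of-interest class, every competing tenant in that class is walled off, and writes are restricted so the subject cannot copy what it has read into another tenant's data. The company names, conflict-of-interest classes and the analyst subject are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataObject:
    """One piece of tenant data: which company dataset (CD) it belongs to and
    which conflict-of-interest (COI) class that company sits in."""
    name: str
    company: str            # company dataset, e.g. "BankA" (constructed label)
    coi_class: str          # conflict-of-interest class, e.g. "banks"
    sanitised: bool = False  # sanitised/public data sits outside the wall


@dataclass
class Subject:
    """A user or service; history holds the (coi_class, company) pairs it has read."""
    name: str
    history: set = field(default_factory=set)


class ChineseWall:
    """Brewer-Nash policy: reading one company's data in a COI class walls off
    every other company in that same class for this subject."""

    @staticmethod
    def can_read(subject: Subject, obj: DataObject) -> bool:
        if obj.sanitised:
            return True
        # Simple security rule: deny if a competitor in the same COI class has
        # already been read; allow the same company or an untouched class.
        return not any(coi == obj.coi_class and company != obj.company
                       for coi, company in subject.history)

    def read(self, subject: Subject, obj: DataObject) -> None:
        """Grant the read and record it: the wall is built from history."""
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject.name} may not read {obj.name}: "
                                  f"conflict in class {obj.coi_class!r}")
        if not obj.sanitised:
            subject.history.add((obj.coi_class, obj.company))

    @staticmethod
    def can_write(subject: Subject, obj: DataObject) -> bool:
        """*-property: a write to obj is allowed only if the subject can read obj
        and every unsanitised object it has read belongs to obj's company;
        otherwise company A's data could be copied into company B's files."""
        if not ChineseWall.can_read(subject, obj):
            return False
        return all(company == obj.company for _, company in subject.history)


def walkthrough() -> dict:
    """Constructed scenario; returns each policy decision by name."""
    wall = ChineseWall()
    bank_a = DataObject("BankA ledger", "BankA", "banks")
    bank_b = DataObject("BankB ledger", "BankB", "banks")
    oil_x = DataObject("OilX wells", "OilX", "oil")
    report = DataObject("BankB annual report", "BankB", "banks", sanitised=True)

    analyst = Subject("analyst")
    wall.read(analyst, bank_a)  # first bank in the class: allowed and recorded
    results = {
        "bank_b_after_bank_a": wall.can_read(analyst, bank_b),   # competitor: denied
        "oil_x_other_class": wall.can_read(analyst, oil_x),      # other class: allowed
        "sanitised_bank_b": wall.can_read(analyst, report),      # public data: allowed
        "write_bank_a_clean": wall.can_write(analyst, bank_a),   # only BankA read so far
    }
    wall.read(analyst, oil_x)
    # Having also read OilX, a write into BankA could carry OilX data across.
    results["write_bank_a_after_oil"] = wall.can_write(analyst, bank_a)
    return results


if __name__ == "__main__":
    for decision, allowed in walkthrough().items():
        print(f"{decision:24s} -> {'allowed' if allowed else 'denied'}")
```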

Dark Clouds / Silver Lining
Susceptibility to Cyber Attacks / Insecure Interfaces or APIs


•  Vendor lock-in
   •  Understand dependency chain of APIs (Vendor lock-in)
   •  Perform ROI exercise for proprietary APIs
•  Don’t use deprecated/insecure APIs
•  Secure Authentication
   •  SSO (Weakest Link)

                                                                 Image Source: CloudAve

Dark Clouds / Silver Lining
Abuse or Nefarious Use / Shared Technology Issues


•  Hardening & Sandboxing
   •  Platform/Hypervisor Exploits
•  Cloud Isolation Technologies
•  Secure Communications

                                                                Image Source: apigee.com

Dark Clouds / Silver Lining
Cyber Forensics / Malicious Insiders / Unknown Risk Profile


•  Identity Management
    •  Provisioning/De-provisioning
•  Logging and Auditing
   •  Detective and Deterrent
•  Trust but verify
   •  Don’t Trust AND Verify

Some closing thoughts

References
•  Security in the Skies – (ISC)2 Whitepaper
•  (ISC)2 Global Information Security Workforce Study (2011)
•  CSA Top threats to Cloud Computing v1.0 (2010)
•  7 Deadly Sins of Cloud Security (2010)
•  OWASP Cloud 10 project (pre-alpha)
•  ASIS/(ISC)2 Security Congress Cloud Security Panel (2011)
•  Gartner/IEEE Publications

THANK YOU
Mano ‘dash4rk’ Paul
CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA, AMBCI

SecuRisk Solutions / Express Certifications
mano(dot)paul(at)securisksolutions(dot)com
mano(dot)paul(at)expresscertifications(dot)com

© 2007-2011 - SecuRisk Solutions
