Understand cloud security at every level, from infrastructure to people-ware, by understanding threats, hardening your servers and creating policies that guide users in securing themselves.
Tzar Umang, IT Director at HIVE - Highly Innovative and Valuable Evolution, Inc.
2. What is cloud?
Cloud computing involves computing over a network, where a program or application may run on many connected computers at the same time. It specifically refers to a computing hardware machine or group of computing hardware machines, commonly referred to as a server, connected through a communication network such as the Internet, an intranet, a local area network (LAN) or wide area network (WAN).
-Wikipedia
5. IBM X-Force Report
2012 Sampling of Security Incidents by Attack Type, Time and Impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses
6. Coverage
• 20,000+ devices under contract
• 3,700+ managed clients worldwide
• 13B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents
Depth
• 14B analyzed web pages & images
• 40M spam & phishing attacks
• 64K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples
7. Security Challenges
• Virtual and Infrastructure
o Cloud Mapping
o Co-residence
o Side Channeling
• Data Management Issues
o Data Integrity
o Data Provenance
o Data Remanence
o Data Availability
• Users / People-ware
o Identity
o Policy Development
11. Virtual Machine Security Challenge
• Cloud Mapping
Figure: A plot of the internal IP addresses assigned to instances launched during the initial mapping experiment using Account A.
Figure: A plot of the internal IP addresses of instances launched in Zone 3 by Account A and, 39 hours later, by Account B. 55 of the Account B IPs were repeats of those assigned to instances for Account A.
12. Cloud Mapping Mitigation
• Mapping:
o Use a randomized scheme to allocate IP addresses
o Block some scanning tools/activities (nmap, traceroute)
• Co-residence checks:
o Prevent identification of dom0/hypervisor
13. Virtual Machine Security Challenge
• Co-residence
Zone     # of victims v   # of probes p   coverage
Zone 1   1                20              1/1
         10               20              5/10
         20               20              7/20
Zone 2   1                20              0/1
         10               18              3/10
         20               19              8/20
Zone 3   1                20              1/1
         10               20              2/10
         20               20              8/20
Results of launching p probes 5 minutes after the launch of v victims. The rightmost column specifies success coverage: the number of victims for which a probe instance was co-resident over the total number of victims.
Trial       Account A   Account B   Total
Midday      2/5         2/5         4/10
Afternoon   1/5         3/5         4/10
Night       2/5         2/5         4/10
The number of victims for which a probe achieved co-residence for three separate runs of 10 repetitions of launching 1 victim instance and, 5 minutes later, 20 probe instances. Odd-numbered repetitions used Account A; even-numbered repetitions used Account B.
14. What can co-residence do?
• Co-residency affords the ability to:
o Denial of Service
o Estimate victim's workload
• Cache
• Network Traffic
o Extract cryptographic keys via cache-based side channels
o Other cross-VM attacks
15. Co-residence Mitigation
• Do not allow co-residence at all:
o Beneficial for cloud users
o Not efficient for cloud providers
o N-tier trust model?
• Information leakage:
o Prevent cache load attacks?
16. Virtual Machine Security Challenge
• Side Channeling
Figure: Results of executing 100 Prime+Trigger+Probe cache timing measurements for three pairs of m1.small instances, both when concurrently making HTTP GET requests and when not. Instances in Trial 1 and Trial 2 were co-resident on distinct physical machines. Instances in Trial 3 were not co-resident.
18. Side Channel Attack Mitigation
• Create better encryption technology
o Oblivious
• Work on large chunks
• Partition the encryption process into:
• A slow but short part: implemented securely
o Non-Colliding
19. Data Concerns in the Cloud
• Data Integrity
o Cloud Service Provider (CSP) Concerns
o Third Party Auditing (TPA)
o Encryption and Multitenancy
• Data Provenance
• Data Remanence
• Data Availability
o Elasticity
o CSP Related Downtime
o Malicious Attacks
20. Data Integrity
• Cloud Service Provider (CSP) Concerns
o CSP Security
• Data Transfer
• Data-at-Rest
o CSP Data Loss
• Unintentional
• Intentional
o Third Party Auditing
• The Auditor
• Support for Dynamic Data
21. Data Integrity
• Encryption & Multitenancy
o Multitenancy – Storage of data from multiple clients in a single repository
o Inability to use encryption in order to support indexing
o Encryption largely irrelevant if data is analyzed on the cloud, as analysis requires decryption.
22. Data Provenance & Remanence
• Data Provenance – Calculation Accuracy
o Shared resources mean shared responsibility
o Difficulty / Impossibility in tracking involved machines
• Data Remanence – Data Cleansing
o “Ghost Data” – Left behind after deletion
o No remanence security plan for any major CSP
23. Availability
• Cloud Service Provider Concern
Total Downtime (HH:MM:SS)
Availability   Per Day       Per Month   Per Year
99.999%        00:00:00.4    00:00:26    00:05:15
99.99%         00:00:08      00:04:22    00:52:35
99.9%          00:01:26      00:43:49    08:45:56
99%            00:14:23      07:18:17    87:39:29
24. Availability + Elasticity
• Distributed Denial of Service (DDoS) uses port flooding to slow systems or force server resets.
o External Attack Models
• Similar to Traditional Strikes
• Cloud Usage as Attacker
o Internal Attack Models
• Protection Responsibility Lies on the User
• CSP Would Need to Detect
25. An Example of DDoS Mitigation
• As used on Smarter Philippines Website (smarterph.com)
• Detect GET request
• Detect packet activity as to size
• Detect activity pattern
• Flag activities:
1. Abnormal packet size
2. Abnormal login request (brute force)
3. Abnormal GET request
• Track attacker's IP
• Route request to 127.0.0.1 (reverse attacker's IP routing scheme)
• Add attacker's IP to deny host
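The detection flow on this slide, written out as an added example in Python. This is not the smarterph.com implementation (the slide does not show its code); it is an illustration of the same steps: parse web-server access-log lines, flag the three abnormal activities the slide names (abnormal packet size, abnormal login requests, abnormal GET requests) per client address, and emit the flagged addresses as hosts.deny entries, which is one way to realise the "add attacker's IP to deny host" step. The log format, the thresholds, the login path and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-style access log line: client IP, timestamp, request line, status
# and a size field. Treating the last field as the request size is an
# assumption about the log format (CLF normally logs the response size).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>\S+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed thresholds: tune them to the site's measured baseline before use.
MAX_REQUEST_SIZE = 1_000_000   # bytes; larger requests count as "abnormal packet size"
MAX_LOGIN_FAILURES = 5         # failed POST /login per window -> brute force
MAX_GET_RATE = 30              # GET requests per window -> GET flood
WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def _exceeds_rate(times, limit, window):
    """True if more than `limit` timestamps fall inside any sliding window."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def flag_activities(lines):
    """Map each suspicious client IP to the set of abnormal activities observed."""
    gets = defaultdict(list)
    login_failures = defaultdict(list)
    flags = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["size"] > MAX_REQUEST_SIZE:
            flags[ip].add("abnormal packet size")
        if rec["method"] == "GET":
            gets[ip].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] in (401, 403):
            login_failures[ip].append(rec["ts"])
    for ip, times in login_failures.items():
        if _exceeds_rate(times, MAX_LOGIN_FAILURES, WINDOW):
            flags[ip].add("abnormal login request (brute force)")
    for ip, times in gets.items():
        if _exceeds_rate(times, MAX_GET_RATE, WINDOW):
            flags[ip].add("abnormal GET request")
    return dict(flags)


def deny_list(flags):
    """Render flagged IPs as /etc/hosts.deny entries (TCP Wrappers syntax)."""
    return [f"ALL: {ip}" for ip in sorted(flags)]


def sample_log():
    """Constructed access-log lines: one normal client and three abusive ones."""
    base = datetime(2013, 6, 1, 12, 0, 0)

    def line(ip, offset, method, path, status, size):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts} +0800] "{method} {path} HTTP/1.1" {status} {size}'

    lines = [line("198.51.100.7", i * 20, "GET", "/", 200, 512) for i in range(3)]
    lines += [line("203.0.113.5", i, "POST", "/login", 401, 300) for i in range(8)]
    lines += [line("203.0.113.9", i // 8, "GET", "/", 200, 512) for i in range(40)]
    lines.append(line("203.0.113.21", 30, "POST", "/upload", 200, 5_000_000))
    return lines


if __name__ == "__main__":
    found = flag_activities(sample_log())
    for ip, reasons in sorted(found.items()):
        print(ip, "->", ", ".join(sorted(reasons)))
    print("\n".join(deny_list(found)))
```

Only the "deny host" step is produced here; re-routing the attacker to 127.0.0.1 is a network-layer action outside the log analysis. Before feeding the deny list to a blocker, keep an allowlist for known proxies and NAT gateways, since a single shared address can exceed the GET threshold through legitimate traffic alone.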
26. Solution
Infrastructure Protection – Endpoint Vision
Key Themes
• Security for Mobile Devices: Provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone - using a single platform
• Expansion of Security Content: Continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices
• Security Intelligence Integration: Improved usage of analytics - providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform
28. Policy Development
• Challenges
o Define security policies and standards
o Measure actual security against policy
o Report violations to policy
o Correct violations to conform with policy
o Summarize policy compliance for the organization
31. Definitions
• Policies
o High-level statements that provide guidance to workers who must make present and future decisions
• Standards
o Requirement statements that provide specific technical specifications
• Guidelines
o Optional but recommended specifications
32. Security Policy
• Access to network resources will be granted through a unique user ID and password.
• Passwords should include one non-alpha character and not be found in a dictionary.
• Passwords will be 8 characters long.
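The three policy statements on this slide turned into an enforceable standard, as an added Python example (not code from the original deck). It checks a candidate password against the length, non-alpha and dictionary rules, refuses duplicate user IDs, and grants access only when the unique ID and the password both verify. The dictionary is a constructed stand-in for a real word list, the "8 characters long" rule is read here as a minimum length, and the PBKDF2 iteration count is a constructed choice.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8   # "Passwords will be 8 characters long", read as a minimum (assumption)

# Constructed stand-in for a real word list (e.g. a cracklib dictionary file).
DICTIONARY = {"password", "welcome", "summer", "philippines", "letmein"}


def password_violations(password, dictionary=DICTIONARY):
    """Return the policy statements a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(ch not in string.ascii_letters for ch in password):
        problems.append("must include at least one non-alpha character")
    # Compare case-insensitively, and also with leading/trailing digits and
    # punctuation stripped, so that "Password1!" is still caught as a dictionary word.
    core = password.lower().strip(string.digits + string.punctuation)
    if password.lower() in dictionary or core in dictionary:
        problems.append("must not be a dictionary word")
    return problems


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is a constructed choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class UserDirectory:
    """Grants access only through a unique user ID and a policy-compliant password."""

    def __init__(self):
        self._users = {}   # user_id -> (salt, password hash); the password itself is never stored
        # Dummy record so that a lookup of an unknown ID costs the same as a real one,
        # which avoids revealing which user IDs exist through response timing.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def provision(self, user_id, password):
        """Create an account, enforcing the 'unique user ID' and password standards."""
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} already exists; user IDs must be unique")
        problems = password_violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(password, salt))
        return True

    def grant_access(self, user_id, password):
        """Access is granted only when the ID exists and the password verifies."""
        salt, stored = self._users.get(user_id, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(stored, _hash(password, salt))
        return ok and user_id in self._users


if __name__ == "__main__":
    directory = UserDirectory()
    for uid, pw in [("alice", "Password1!"), ("alice", "Tr0ub4dor&3"), ("bob", "abcdefgh")]:
        try:
            directory.provision(uid, pw)
            print(f"{uid}: provisioned")
        except ValueError as err:
            print(f"{uid}: {err}")
    print("alice login:", directory.grant_access("alice", "Tr0ub4dor&3"))
```

The violations are returned as a list rather than a single boolean so the standard can be reported back to the user in the policy's own words, which is what "measure actual security against policy" and "report violations" later in the deck call for.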
33. Elements of Policies
• Set the tone of Management
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
34. Policies Should…
Clearly identify and define the information security goals and the goals of the group, company or the whole country
37. Collect Background Information
• Obtain existing policies
o Creighton's
o Others
• Identify what levels of control are needed
• Identify who should write the policies
38. Perform Risk Assessment
• Justify the Policies with Risk Assessment
o Identify the critical functions
o Identify the critical processes
o Identify the critical data
o Assess the vulnerabilities
39. Create a Policy Review Board
• The Policy Development Process
o Write the initial “Draft”
o Send to the Review Board for Comments
o Incorporate Comments
o Resolve Issues Face-to-Face
o Submit “Draft” Policy to Cabinet for Approval
40. Develop Information Security Plan
• Establish goals
• Define roles
• Define responsibilities
• Notify the User community as to the direction
• Establish a basis for compliance, risk assessment, and audit of information security
41. Develop Security Policies, Standards, and Guidelines
• Policies
o High-level statements that provide guidance to workers who must make present and future decisions
• Standards
o Requirement statements that provide specific technical specifications
• Guidelines
o Optional but recommended specifications
42. Implement Policies and Standards
• Distribute Policies.
• Obtain agreement with policies before accessing Creighton Systems.
• Implement controls to meet or enforce policies.
43. Awareness and Training
• Makes users aware of the expected behavior
• Teaches users How & When to secure information
• Reduces losses & theft
• Reduces the need for enforcement
• In government, policies are published in a leading newspaper
44. Monitor Compliance
• Management is responsible for establishing controls
• Management should REGULARLY review the status of controls
• Enforce “User Contracts” (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal Audit Reviews
46. Modify Policies
Policies must be modified due to:
o New Technology
o New Threats
o New or changed goals
o Organizational changes
o Changes in the Law
o Ineffectiveness of the existing Policy
48. Solution
IBM Identity and Access Management Vision
Key Themes
• Standardized IAM and Compliance Management: Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, apps, and infrastructure
• Secure Cloud, Mobile, Social Interaction: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
• Insider Threat and IAM Governance: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management
49. Solution
Application Security Vision
Key Themes
• Coverage for Mobile applications and new threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing
• Simplified interface and accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
• Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
50. Solution
• Tivoli Endpoint Manager: Endpoint Management vulnerabilities enrich QRadar's vulnerability database
• AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment
• IBM Security Network Intrusion Prevention System: Flow data into QRadar turns NIPS devices into activity sensors
• Identity and Access Management: Identity context for all security domains w/ QRadar as the dashboard
• Guardium: Database assets, rule logic and database activity information
• Correlate new threats based on X-Force IP reputation feeds
• Hundreds of 3rd party information sources
51. Thank you for listening
Tzar C. Umang
President
Tzar Enterprises
email: tzarumang@gmail.com
fb.com/tzarumang
twitter.com/definitelytzar
Editor's Notes
Attacker model
– Cloud infrastructure provider is trustworthy
– Cloud insiders are trustworthy
– Attacker is a malicious third party who can legitimately use the cloud provider as a client
Assets
– Confidentiality-aware services run on cloud
– Availability of services run on cloud
Nmap, hping, wget for network probing
• Amazon EC2's own DNS to map DNS names to IPs
Co-residence: Check to determine if a given VM is placed in the same physical machine as another VM
• Network based check:
– Match Dom0 IP addresses, check packet RTT, close IP addresses (within 7, since each machine has 8 VMs at most)
– Traceroute provides Dom0 of target
– No false positives found during experiments
Brute force scheme
– Idea: figure out target's availability zone and type
– Launch many probe instances in the same area
– Success rate: 8.4%
Smarter strategy: utilize locality
– Idea: VM instances launched right after target are likely to be co-resident with the target
– Paper claims 40% success rate
Side channel:
Any information not captured by the abstract "standard" model.
A side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others such as differential power analysis are effective as black-box attacks. Many powerful side channel attacks are based on statistical methods pioneered by Paul Kocher.