Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

dare to dream; care to win
Venkateswar Reddy Melachervu 2013. All rights reserved.
Venkateswar Reddy MelachervuAssociate Vice President IT
www.linkedin.com/in/vmelachervu
[email protected]
Cloud Computing and SafetyLets Secure Cloud!
20th July 2013
In God we trust; All others, we virus scan

2010. All rights reserved.
Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards
- Unknown
Only the Paranoid Survive- Andy Grove, Former Chairman, Intel Inc.

Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources
Disclaimer

Agenda
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks Modes and Types
The Notorious Nine Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways

In 1988 a "worm program Morris Worm -written by a college student - Robert T. Morris, Jr. of Cornell University - shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks
First National Bank of Chicago is the victim of $70-million computer theft
Cyber Crime The Beginning

Heartland Payment Systems
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.
March 2008
Incident Few Years Back

2012 Global Cyber Attacks Stats

Revenue loss
Customer data loss and liabilities
Embarrassment to yourself and/or the University
Having to recreate lost data
Identity theft
Data corruption or destruction
Loss of patient, employee, and public trust
Costly reporting requirements and penalties
Disciplinary action (up to expulsion or termination)
Unavailability of vital data
Security Violation Consequences

Whats Computing Security?

Protection of computing systems and the data that they store or access
To prevent theft of or damage to the hardware, Software etc. - Confidentiality
To prevent theft of or damage to the information and to protect privacy Privacy and Integrity
To prevent disruption of service -Availability/Denial of Service
What Is Computing/IT Security?

Isnt this just an IT Problem?
Why Do I Need to Learn About Computer Security?
Everyone who uses a computer needs to understand how to keep his or her computer and data secure
IT Security is a not a product, but a process

No major operating system has ever worked perfectly
No OS vendor has dared offer a warranty against malfunctions
It is far easier to build a secure system than to build a correct system
You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out
Securing a system has traditionally been a battle of wits
The problem is people/exploitation - not computers
Why Computers Are Not Secure?

Cloud Computing NIST Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
13

Cloud Computing - Business Definition
A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet

On demand computational services over web
Spiky compute needs of the scientists
Horizontal and dynamic scaling with no additional cost
Increased throughput
Multi-tenant
Accessed over a network
Only pay for what you use
Shared internally or with other customers
Resources - storage, computing, services, etc.
Internal network or Internet
Similar to Timesharing
Rent IT resources vs. buy
Cloud Computing Demystified

Multi-Tenancy
16

Cloud Service Layers and Models
17
IaaS
PaaS
SaaSModelsLayers
AutonomousMore Control/ Flexibility
IaaS PaaS

Conventional Data Centre

Cloud Modelled Data Centre

Public, Private, Hybrid Clouds
20

Cloud ComputingEnablers and Inhibitors

Why Cloud Computing Brings New Security Challenges?
Data, applications, resources are located with provider
User identity management is handled by the cloud provider
User access control rules, security policies and enforcement are managed by the cloud provider
Multi-tenancy
Consumer relies on provider to ensure Data security and privacy
Resource availability
Monitoring and repairing of services/resources
Self-managed or Private Clouds overcome most of the above new threats
22

Security Dimensions The CIA Triad
Secured
Hardware

Confidentiality
The need for keeping information secret Protecting proprietary designs from
competitors
Protecting a companys personnel records
Protecting personal financial/ID info against ID theft
Applies to resource hiding System configuration data
Resources - Systems, Equipment, Services etc.

Integrity
Preventing improper or unauthorized change or access
Data integrity and system integrity
Non-repudiation Example : Digital Cert of the Origin Source

Availability Reliability and system design
To prevent Denial of Service Attacks - The attempts to block the availability of systems or services
System designs usually assume a statistical model to analyze expected patterns of use

Example 1: C vs. I+A
Disconnect computer from Internet to increase confidentiality
Availability suffers, integrity suffers due to lost updates
Example 2: I vs. C+A
Have extensive data checks by different people/systems to increase integrity
Confidentiality suffers as more people see data, availability suffers due to locks on data under verification)
Need to Balance CIA Triad

Scope of Cloud Security
Cloud
Data Center
LAN/WAN/Wifi/PLMN/
PAN
LAN/WAN/Wifi/PLMN/
PAN
Cloud Eco-system
C
I
A C

Security Challenge Eco-system
Ph
ysi
cal L
og
ical
Environmental
Operational
Hardware Software
HumansData
Network

Vulnerability A weakness in a security system
Threat Circumstances that have a potential to
cause harm
Exposure Points External access points that can be taken
advantage compromising security by most advanced attacker
Attack - materialization of a vulnerability/threat/compromised exposure point or combination)
Attack may be: Successful a.k.a. an exploit - Resulting in
a breach of security, a system penetration, etc.
Unsuccessful - When controls block a threat trying to exploit a vulnerability
Vulnerabilities, Threats, and Exposure Points

Software Deletion Easy to delete needed software by mistake
To prevent this: use configuration management software
Software Modification Worms, Trojan Horses, Viruses, Logic
Bombs, Trapdoors, Information Leaks ...
Software Theft Unauthorized copying
via P2P, etc.
Software Vulnerabilities

Add or remove a hardware device Ex: Snooping, wiretapping
Ex: Modification, alteration of a system
Physical attacks on hardware Accidental or voluntary Theft / destruction
Damage the machine (spilled coffe, mice, realbugs)
Steal the machine
Hardware Vulnerabilities

Network/Web Vulnerabilities
Phishing An evil website pretends to be a trusted website
Example: You type, by mistake, mibank.com instead of
mybank.com
mibank.com designs the site to look like mybank.com so the user types in their info as usual
BAD! Now an evil person has your info!
SQL Injection
Cross Site Scripting Writing a complex Javascript program that steals
data left by other sites that you have visited in same browsing session

Kinds of Threats
Interception An unauthorized party (human or not) gains
access to an asset
Interruption an asset becomes lost, unavailable, or
unusable
Modification an unauthorized party changes the state of an
asset
Fabrication an unauthorized party counterfeits an asset

Over the Internet
Over LAN
Locally
Offline
Theft
Deception
Modes of Attacks

Not all hackers are evil wrongdoers trying to steal your info
Classification 1 Amateurs
Opportunistic attackers (use a password theyfound)
Script kiddies
Hackers - nonmalicious In broad use beyond security community: also
malicious
Crackers malicious
Career criminals
State-supported spies and information warriors
Classification 2 Recreational hackers / Institutional hackers
Organized criminals / Industrial spies / Terrorists
National intelligence gatherers / Info warriors
Types of Attackers

Common Attacks
Network Attacks Packet sniffing, man-in-the-middle, DNS
hacking
Web attacks Phishing, SQL Injection, Cross Site Scripting
OS, applications and software attacks Virus, Trojan, Worms, Rootkits, Buffer
Overflow

Network Attacks
Packet Sniffing Internet traffic consists of data packets, and these
can be sniffed
Leads to other attacks such aspassword sniffing, cookie stealing session hijacking, information stealing
Man in the Middle Insert a router in the path between client and server,
and change the packets as they pass through
DNS hijacking Insert malicious routes into DNS tables to send traffic
for genuine sites to malicious sites

Bacterium A specialized form of virus which does not attach to a specific file. Usage
obscure.
Logic bomb Malicious logic that activates when specified conditions are met. Usually
intended to cause denial of service or otherwise damage system resources.
Trapdoor A hidden computer flaw known to an intruder, or a hidden computer
mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms
Trojan horse A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Malicious SW Attacks

Virus A hidden, self-replicating section of computer software, usually malicious logic,
that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Worm A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume computer resources destructively.
Malicious SW Attacks

Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
The Notorious NineCloud Computing Top Threats in 2013
Source : Cloud Security Alliance

Castle in Middle Ages Location with natural
obstacles
Surrounding moat
Drawbridge
Heavy walls
Strong gate
Tower
Guards
Computers Today Encryption
Software controls
Hardware controls
Policies and procedures
Multiple controls physical and computational
System perimeter defines inside/outside
Pre-emption attacker scared away
Deterrence attacker could not overcome defences
Faux environment attack deflected towards a worthless target
Tenets of Security Defence and Control

Policy vs. Procedure
Policy: What is/what is not allowed
Procedure: How you enforce policy
Policy - must consider Alignment with users legal and ethical standards
Probability of use Inconvenient: 200 character password, change
password every week
Periodic reviews A given control usually becomess less effective with time
Need to replace ineffective/inefficient controls with better ones
Advantages of policy and procedural controls
Can replace hardware, software controls
Can be least expensive
Tenets of Security Control

Prevent attack Block attack / Close vulnerability
Deter attack Make attack harder (cant make
it impossible )
Detect attack During or after
Deflect attack Make another target more
attractive than this target
Recover from attack
Security
Methods of Defence
IT Defense consists of:
Encryption
Software controls
Hardware controls
Policies
Physical controls

Security Life Cycle
Analyze Threats
Policy
Specification
Design
Implementation
Operation and Maintenance
Go
ve
rna
nce

Security Analysis Process
Identify Assets Which assets are we trying to protect?
What properties of these assets must be maintained?
Identify Threats What attacks can be mounted?
What other threats are there (natural disasters, etc.)?
Identify Countermeasures How can we counter those attacks?
Independent Analysis
46

Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks
Cloud Security Components

Organize Threats STRIDE Model
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
48

Legal
Functional Which functions & services in the Cloud have
legal implications for both parties
Jurisdictional Which governments administer laws and
regulations impacting services, stakeholders, data assets
Contractual Terms & conditions
49

Governance
Identify, implement process, controls to maintain effective governance, risk mgt, compliance
Provider security governance should be assessed for sufficiency, maturity, consistency
50

Tiered Cloud Security Handling Framework
Physical Infrastructure
Tenant #2
APP
OS
APP
OS
Virtual Infrastructure
Physical Infrastructure
Cloud Provider
APP
OS
APP
OS
Virtual Infrastructure
Tenant #1
Insulate information from cloud providers
employees
Insulate information from other
tenants
Insulate infrastructure from Malware, Trojans
and cybercriminals
Segregate and control user
access
Control and isolate VM in the
virtual infrastructure
Federate identities with public clouds
Identity federation
Virtual network security
Access Mgmt
Cybercrime intelligence
Strong authentication
Data loss prevention
Encryption & key mgmt
Tokenization
Governance
Anti-malware
Enable end to end view of security events and compliance and control across infrastructures

CCSK - Cloud Security Alliance Certifications
CISSP (ISC)2
CPTC Certified Penetration Testing Consultant
CPTE Certified Penetration Testing Engineer
CompTIA Security+
CSTA Certified Security Testing Associate
GPEN GIAC Certified Penetration Tester
OSCP Offensive Security Certified Professional
CEH Certified Ethical Hacker
ECSA EC-Council Certified Security Analyst
CEPT Certified Expert Penetration Tester
Security Certifications
Source : http://www.concise-courses.com/security/certifications-list/

Bottom Line
Engage in full risk management process for each case
For small and medium organizations Cloud security may be a big improvement!
Cost savings may be large (economies of scale)
For large organizations Already have large, secure data centers
Main sweet spots: Elastic services
Internet-facing services
Employ countermeasures
53

Take-Aways
Policy defines security and mechanisms enforce security Confidentiality
Integrity
Availability
Trust and knowing assumptions
Importance of assurance
The human factor

Venkateswar Reddy Melachervu 2013. All rights reserved.
Cloud Computing and SafetyLets Secure Cloud!
20th July 2013
Venkateswar Reddy MelachervuAssociate Vice President IT
www.linkedin.com/in/vmelachervu
[email protected]
In God we trust; All others, we virus scan
Thank You
dare to dream; care to win

Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

safetylets

unauthorized

secure system

security challenges

prevent theft

cloud computing

rights reserved

vmelachervuvmelachervugmail

Text of Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

NIST Cloud Computing Reference Architecture - ISACA · deployment, service orchestration, cloud service management, ... NIST SP 500-292 NIST Cloud Computing Reference Architecture

Isaca final

ISACA Kenya Chapter Annual Conference 2019/Conference Presentations/ISACA... · ISACA Kenya Chapter Annual Conference. Now in its 50th anniversary year, ISACA is a global association

Cloud Computing – An Auditor’s Perspective - ISACA · Cloud Computing – An Auditor’s Perspective 2. ... Not limited to basic hosting of websites ... Cloud computing has tangible

Feature - ISACA

BITS PILANI HYDERABAD CAMPUS LIBRARY (28 … 2803November2019_V1.pdfBITS Pilani, Hyderabad Campus Acc.No : 38167 CallNo : 004.6782 SIN-S Cloud Computing is a textbook designed for

Isaca Crisc

VIIT ISACA Student Group · VIIT -ISACA Student Group About ISACA As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally

Introduction to - isaca-kc.org Meetings/ISACA... · 9/8/2010 · Introduction to COBIT Presentation for the ISACA Kansas City Chapter 10/12/2008. ISACA Kansas City Chapter Presentation

Von ISACA für ISACA · PDF file2 Von ISACA für ISACA Fachvorträge für alle Mitglieder Bietet CMMI einen Mehrwert zu CobiT ? Oliver Wildenstein Fachgruppe CobiT-CMMI 11. März 2011

ISACA Update - ISACA Central Ohio Chapter

Estandares ISACA

ISACA – Buenos Aires Chapter – ISACA - Presentación de … · 2020. 10. 14. · El logo de ISACA IBEROAMERICA es una marca de ISACA, objeto de uso bajo licencia El logotipo de

Security Issues in Cloud Computing · Jennifer L Bayuk, LLC . Security Issues in Cloud Computing . For NJ ISACA . April 18, 2013 . By: Jennifer Bayuk . 1

Cloud computing with amazon web services (aws) training hyderabad , chennai, delhi, bangalore india

WELCOME TO ISACA - Isaca Romaisacaroma.it/pdf/150416-17/Intro to ISACA April 2015 - CILLI - nc.pdf · WELCOME TO ISACA 2015 Claudio CILLI, CISA, ... local business community and the

Symbiosis Among Cryptography, Coding Theory, Distributed Algorithms and Quantum Computing Kannan Srinathan IIIT Hyderabad

Apache Spark - Lightning Fast Cluster Computing - Hyderabad Scalability Meetup

February – May 2019 ISACA Certification Exam Candidate Guide · ISACA Certification Exam Candidate Guide February – May 2019 Exam Prep by ISACA Exam Prep by ISACA Exam Prep by

ISACA Cloud Computing Risks

ISACA Karachi The Enlighten Online · The Enlighten Online March – April 2008 Edition ... ISACA Member Benefits This workshop has been endorsed by ISACA. ISACA offered 7 CPE hours

business_intelligence_overview.ppt - ISACA

AOrel-ISACA Security v 1 - CSA CEE Summit · 2018. 2. 22. · ISACA CSX Security Considerations for Cloud Computing Andrej Orel Marand d.o.o. & ISACA Slovenia Chapter. ... functions

© Centre for Development of Advanced Computing, Hyderabad

ISACA AND IT GOVERNANCE INSTITUTE 2014 ANNUAL REPORTm.isaca.org/About-ISACA/annual-report/Documents/2014-isaca-annual... · ISACA ® AND IT GOVERNANCE INSTITUTE ® ANNUAL REPORT 2014

Cybersecurity isaca

Isaca presentation

GUEST LECTURE ON “CLOUD COMPUTING · (Approved by AICTE, Affiliated to JNTU, Hyderabad) KANDLAKOYA (V), MEDCHAL ROAD, HYDERABAD-501401 DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

432 9-9-10 Cloud Computing Discussion - IsACA NTX

Программы сертификации ISACA/цикл мастер-классов по программам сертификации ISACA