SECURING THE CLOUD ERWIN GEIRNAERT CO-FOUNDER ZION SECURITY

Securing the cloud

And everybody has to say something about cloud security, including me!

693.000.000 SEARCH RESULTS

Domain Name System (DNS)

25 YEARS OF CLOUD

SECURE CLOUD?

WHAT’S IN A NAME

SECURE CLOUD

• Secure environment

• In an (external) datacenter

• Multi-tenant

• SLA

• Buy online

CLOUD SECURITY

• Security-as-a-service

• Mail security

• Web security

• Web application security

• Vulnerability scanning

• Anti-virus

• Anti-malware

WHAT IS NOT CLOUD

• Virtual version of hardware appliance

• Next Generation Hosting

Security Control & Compliance

CLOUD SECURITY ALLIANCE

SECURE CLOUD REQUIREMENTS

• Secure datacenter

• Secure network

• Secure infrastructure

• Secure OS

• Secure application

• Secure Keep-it-running

• Secure employees

• Secure logging

Which one is the best?

COMPARING CLOUDS

WHAT WE SEE

• Traditional hosting providers still struggle to secure their classical hosting environment

• Web site security offering = SSL certificates!

• Shared hosting is bad for security, but providers follow the same approach to set up their cloud

• Hosting providers use other cloud providers' services

• Without the client's knowledge

• Without any legally binding contract

• Without any SLA

• In a different country

• Belgian Court has a lot of problems with non-Belgian hosting

• Inadequate logging by the cloud provider

• Takes a lot of time to get the information with a court order

• Most providers don’t give information, or give it too late

• Insider threat: employees with a company credit card

• We found a cheap cloud provider in Russia called SpamEngine

WHAT IS NOT THE RIGHT WAY

The DIY approach is not leveraging the power of a secure cloud:

• Installing & configuring your virtual firewall

• Installing & configuring your web application firewall

• Install your Operating System

• Patching yourself

• Monitoring yourself

• Do your own software installations & upgrades

MALWARE ATTACKS

• Most cloud-based applications and cloud administration require only username/password

• Malware like ZeuS/SpyEye that attacks home banking also collects credentials

• Twitter/Facebook/…

• Salesforce.com?

• Amazon AWS?

• Credentials are sold on the Internet and automatically abused by malware running in the cloud

• Require from your cloud provider:

• Strong authentication

• SSL VPN for remote management

• IP blocking

• Logging + logging + logging + logging

SECURE CLOUD INNOVATIONS

SOME THOUGHTS

• FISA: Foreign Intelligence Surveillance Act

• Data stored in the US can be inspected and copied

• Without telling you…

• Just think about data encryption

• Where are the keys stored?

• How are you sure it is really encrypted?

• Same for China:

• What is stored in China is copied!

• A new U.S. intelligence report declares the most active and persistent perpetrator of economic espionage is China

• http://www.defensenews.com/story.php?i=8160472&&s=TOP

WHAT YOU NEED

• Moving to the cloud can be a security catalyst for your existing infrastructure and applications!

• Moving is not copying your virtual machines!!!!!!!!!!!!!!!

• Stay in the European Union with all your data

• Log everything to a different cloud provider or on-premise

• Do not trust the logo on the flashy web site, review the audit reports

• Monitor the SLA

• Classify data and locations

CIA Drone landed in IRAN - GPS SPOOFING

ADVANCED CLOUD HACKING

Music for Life 2011 – We do give a shit!

SECURITY FOR LIFE

QUESTIONS

[email protected]

@ZIONSECURITY

www.zionsecurity.com

www.zionsecured.com