
VULNERABILITY SCANNING Cloud Security Policies… Andy Prow Managing Director Aura Information Security Cloud Security Summit 23-24 th May 2011.


1 VULNERABILITY SCANNING – Cloud Security Policies…
Andy Prow, Managing Director, Aura Information Security
Cloud Security Summit, 23-24th May 2011

2 My Interest…
Security Consultants
– Pen-testing, security training, policies, risk assessments
– Wellington, Auckland, Sydney, London
– Electra Local Business of the Year
– Deloitte APAC Technology Fast 500
RedEye Managed Vulnerability Scanning
– Rapid 7 Partners
– PCI ASV
Andy Prow - Cloud Services and Security Summit - 23/24 May 2011

3 What’s up in the…
SaaS – Software as a Service
– Xero
– SalesForce.com
– Workflow Max
PaaS – Platform as a Service
– Azure
– MobileMe
– Google Apps – Mail/Docs
IaaS – Infrastructure as a Service
– Amazon EC2
– Rackspace
– Fronde
– OneNet

4 What’s up in the Clouds?
Hosted Apps
– Exchange
– SharePoint
– Google Docs
– Office365
Data
– Dropbox
– FTP Services
Services
– Web Servers

5 What’s up in the Clouds?
Cloud Providers
– Microsoft Azure (US)
– Amazon EC2 (US, UK)
– Rackspace (US, UK, Asia)
– Fronde (NZ)
– Iconz (NZ)
– OneNet (NZ)
– Google (US)

6 What’s up in the Clouds?
Hypervisors
– VMware vSphere 4.1
– Microsoft Hyper-V
– Citrix XenServer
Cloud Framework
– Custom framework code
– Exploitable from within?
– Documented?
– Any patching?
Load Balancing
Transport
Delivery Software

7 The Good
Benefits
– You don’t have to manage the infrastructure
– Economies of scale + skills
– Patching
– Monitoring
– Instant scaling
– Failover, HA and DR
– Better cost management/forecasting

8 The Bad
Issues / risks
– Someone else has the keys
– Reliant on their backup
– Reliant on their patching
– Reliant on their monitoring
– Access to backups
– Sovereignty of data
– Ownership of data
– Accessing backups
– Intellectual Property Rights
– Uptime and scheduled outages

9 The Ugly
21 April 2011 – PCMag
Amazon Cloud Outage Takes Down Reddit, Quora, More
“While many North American consumers slept through a large part of the outage, which started early on Thursday, Web users on other continents experienced the downtime during peak business hours…

10 The Ugly
15 September 2010 – CNN
Google Engineer Fired for Violating Internal Privacy Policies
“Google has acknowledged that it fired an employee in July for allegedly accessing user accounts without authorization. David Barksdale, a Site Reliability Engineer, allegedly accessed Gmail and Google Voice accounts…… Google is "significantly increasing" log auditing to make sure privacy policies are being followed. Law enforcement authorities were not contacted about the incidents because one of the families has asked to remain anonymous. Barksdale is not the first Google engineer who was fired for privacy policy violations.”

11 Who’s in the Clouds?
Examples of major cloud adopters
– NZ Post – Google Apps hosted by Fronde NZ
– Microsoft – use Azure services
– Intergen – they have a cloud Exchange box
– Viber – uses Amazon cloud servers
– eBay – first Azure platform customer
– NASA – major Azure platform user
– Xero – Rackspace

12 Other Cloud Users…
14 May 2011 – forhacsec.com
Amazon cloud used to mount Sony PSN attack
“The hackers who breached the security of Sony’s PlayStation network and gained access to sensitive data for 77 million subscribers used Amazon’s web services cloud to launch the attack, Bloomberg News reported.”

13 Other Cloud Services…
– 400 CPU cluster
– 135m in 20 mins
– WPA and Zip files

14 Key Risks
– Loss of Governance
– Lock-In
– Isolation Failure
– Compliance Risks
– Management Interface Compromise
– Data Protection
– Insecure or Incomplete Data Deletion
– Malicious Insider

15 Now they’re split
You | Provider
Depends on services being hosted
Relevant to your business
– Critical processes
– Data classifications
– User access
– Compliance

16 Relevant to your business
– Critical processes
– Data classifications
– User access
– Compliance

17 How can you assess
– Your business risks
– Planned cloud services
– Map services to risks = security requirements
– Your checklist – are you ready?
– Vendor checklist = shortlist
– Vendor selection
– Ongoing management

18 Checklist for YOU
– Have you mapped your critical business processes?
– Have you mapped IT and systems to these processes?
– Have you considered the impact to you, your staff and your customers of:
  – Unauthorised data access
  – Lack of access to the live system
  – Loss of historical data

19 Checklist for YOU
– Do you need your own backups?
– Do you need to fully audit user access?
– What’s your authentication mechanism? SSO? 2FA?
– Same for provider admins?

20 Checklist for Provider
– Are they compliant with any standards?
– Where are they physically located?
– Do they have to inform you of data relocation?
– Do they have back-end admin access?
– What’s their HR and staff management policy?
– Can you review their policies?

21 Checklist for Provider
– When was their last security audit? Can you see confirmation?
– When was their last pen-test? Can you perform one of your own?
– Do they have ongoing monitoring in place?
  – SIEM
  – Vuln scanning
  – Hosted malware detection

22 Amazon Certs
– PCI DSS Level 1
– ISO
– SAS 70 Type II
– HIPAA
Identity and Access Management
– Multi-Factor Auth
– Key Rotation
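Slide 22 names IAM, multi-factor auth and key rotation as provider features, and slide 19 asks whether 2FA is enforced for everyone, admins included. Listing a feature is not the same as checking it is in use, so here is the check a practitioner would run against their own account. This is an added example, not code from the original slides or from Aura: it parses the AWS IAM credential report (produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`, which returns the CSV base64-encoded) and flags every console login without MFA and every active access key older than a rotation window. The column layout follows the AWS credential report format; the account ID, user names, timestamps, assessment date and the 90-day window are all constructed for the example.

```python
"""Audit an AWS IAM credential report for the controls slide 22 lists:
MFA on every console login and rotation of long-lived access keys.

Added example, not part of the original presentation. The CSV columns follow
the AWS IAM credential report; the rows below are constructed sample data.
"""
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: the root account plus three IAM users.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2010-01-01T00:00:00+00:00,not_supported,2011-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2010-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2011-01-10T00:00:00+00:00,true,2011-05-22T09:30:00+00:00,2011-04-30T00:00:00+00:00,2011-07-29T00:00:00+00:00,true,true,2011-04-30T00:00:00+00:00,2011-05-22T09:31:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2010-06-01T00:00:00+00:00,true,2011-05-21T17:00:00+00:00,2010-06-01T00:00:00+00:00,N/A,false,true,2010-06-01T00:00:00+00:00,2011-05-21T17:05:00+00:00,us-east-1,s3,true,2010-09-01T00:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2011-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2011-03-01T00:00:00+00:00,2011-05-23T01:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed assessment date (the summit date) and rotation window.
ASSESSMENT_TIME = datetime(2011, 5, 24, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90


def decode_report(content_b64):
    """get-credential-report returns the CSV base64-encoded in its Content field."""
    return base64.b64decode(content_b64).decode("utf-8")


def parse_timestamp(value):
    """Aware datetime for an ISO-8601 cell; None for N/A, not_supported, no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples.

    no-mfa       console login (any user with a password, and always root) without MFA
    stale-key-N  active access key N last rotated more than max_key_age_days ago
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root shows password_enabled=not_supported but always has a console
        # login, so it is the "provider admin" case slide 19 asks about.
        needs_mfa = user == "<root_account>" or row["password_enabled"] == "true"
        if needs_mfa and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"stale-key-{n}"))
    return findings


def run_sample_audit():
    """Round-trip the sample through base64, as the real API delivers it, then audit."""
    content_b64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")
    return audit_credential_report(decode_report(content_b64), ASSESSMENT_TIME)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{finding:12} {user}")
```

Against the sample, root and bob are flagged for missing MFA, root's key and both of bob's keys are past the 90-day window, alice is clean, and deploy-bot (no console password, key 84 days old) is clean but close to the threshold. To run it for real, replace `SAMPLE_REPORT` with the `Content` field of the `get-credential-report` output and `ASSESSMENT_TIME` with the current UTC time; a user flagged `no-mfa` who is also an admin is exactly the gap the checklist question is probing.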

23 Standard Security Policies
– Identity and Access Management
– Acceptable Usage
– Data Retention
– Physical access
– Change Management / Patch Management
– Information Access
– HR – staff vetting, entry and exit

24 Cloud Security Policies
– Identity and Access Management of customer data
– Acceptable Usage of customer data
– Data Retention and Deletion
– Physical access by provider and their suppliers
– Change Management / Patch Management
– Information Access – data mining
– HR – staff vetting, entry and exit – misuse disclosure

25 Cloud Security Policies
Hosting of Illegal Services
– Hacking activities from your platform
– Illegal business – stolen goods trading – CC traders
Storage of Illegal Content
– Objectionable
– Copyright
Service and Data Ransom…

26 Data Privacy Policy
“We may disclose information about you if we determine that for national security, law enforcement, or other issues of public importance that disclosure of information is necessary.”

27 Data Privacy Policy
“We take reasonable precaution to protect Personal Information from misuse, loss and unauthorized access. Although we cannot guarantee that Personal Information will not be subject to unauthorized access, we have physical, electronic, and procedural safeguards to protect the Personal Information. Personal Information is stored on our servers and protected by secured networks to which access is limited to a few authorized employees and personnel. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.”

28 Data Privacy Policy
“In the event that we go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of our assets, Personal Information will likely be among the assets transferred.”

29 Data Privacy Policy
“From time to time, we may revise this Policy. We reserve the right to update or modify this Policy, or any other of our policies or practices, at any time with or without notice. We will post the revised Policy on the Site, so that users can always be aware of what information we collect, how the information is used and under what circumstances such information may be disclosed. You agree to review the Policy periodically so that you are aware of any modifications. Your continued use of the Site indicates your assent to any changes and signifies your agreement to the terms of our Policy. If you do not agree with these terms, you should not use the Site, the Viber App, or any of the other Services”

30 Incident Management
– RedEye – vuln scanner
– Endace Probe – packet capture
– Dejavu – full session reconstruction
Joint solution enables:
– Ongoing (daily) vuln scanning
– Data capture of vulnerable systems
– Ability to discern risk of attack to measurable breach

31 Cyber Security Innovation Foundation
Independent, not for profit, focused, industry-led governance
Public-Private Partnership
– Industry and industry bodies
– Government
– Universities and technical institutes
Funding
– Membership tiers and industry funding of specific research projects
– MSI funding for a 24x7 Cyber Security Innovation Centre (CSIC) for tertiary & commercial research
– Self-funding after 4 years

32 Cyber Security Innovation Foundation
The objectives of the Cyber Security Innovation Foundation are:
– Act as a focus for cyber security initiatives
– Co-ordinate and promote the development of cyber security skills
– Provide research facilities for tertiary, government, and enterprise
– Provide security monitoring for tertiary, CRI, Poly-Tech and schools
– Conduct specific research on behalf of government and industry
– Provide networking opportunities in the security industry
– Act as a secure middle-man in sensitive transactions

33 Questions…
Andy Prow, Managing Director, Aura Information Security
Skype: andyprow

