Experts in IT-Security and Software Engineering...Data encryption, especially IRM Monitoring Third...

1

[email protected]

V1.3b © 2012 by keyon (www.keyon.ch)

Experts in IT-Security and Software Engineering

About Keyon

2

Cloud Security –

The Notorious Nine

Cloud Computing Top Threats in 2013

https://cloudsecurityalliance.org/

Threats, risks and how to classify them

Cloud Computing Top Threats in 2013

Survey Results 2012


3

1.0 Top Threat: Data Breaches (Confidentiality)


The organization’s sensitive data falls into the hands of their competitors

or any foreign party.

Measures:

Accept the risk and trust to the cloud service provider

Data encryption, especially IRM

https://cloudsecurityalliance.org/topthreats/

Information Rights Management (IRM)

4


Information Rights Management (IRM)

With Information Rights Management, confidential data and e-mails

can be efficientely protected from unauthorized access.

In contrast to other protection technologies, the protection is tightly

bound to the data, which results in continual protection, transparent for

the user, independent of the location of the file and of other security

mechanisms in place.

Restriction of access to business data for IT-Administators

Dynamic and flexible

Substitution rules

Provides a time-restricted insight

Restricted e-mail forwarding

Restricted screenshots and copy-paste functionality


The ultimate goal of IRM is to prevent leakage of confidential information

Protection applies solely on the client side.

Protect information, no matter where is stored, no matter where it goes

CloudOrganization

Client Storage

Any Application

AD-RMS

Application / Storage

MS Exchange

5


Fully integrated

Fully integrated in Microsoft Office Suite and many third party products

(even on mobile devices)

Supports Office Files and any other files types

File- and Folder encryption

Server-side and client-side data protection

Bulk encryption / decryption services

Compliance accelerators (e.g. archival of plain email messages if

required)

Template driven

HR Template

Management Template

Finance Template

Organization (except IT)Template


IRM for Enterprises, on the Way and in the Cloud

Office Integration

6



Do not forward feature



PDF support

7



Office Integration




8


Corporate and non corporate access

Provide access to non corporate users using Windows Live ID

Provide access to trusted partners with AD-RMS trust relationship

Organization A Organization B

RMS Database

PC Client(Domain User)

ADRMS Server

Domain Controller

Active Directory

RMS Database ADRMS Server

Domain Controller

Active Directory

(3) GetUseLicense(RACPub)

RA

C{P

ub

,Pri

v}, C

LC

UseLicense

TRUST

(2)

Get

RA

C

2.0 Top Threat: Data Loss (Availability)

2.0 Top Threat: Data Loss (Availability)

For both consumers and businesses, the prospect of permanently losing

one’s data is terrifying.

Data stored in the cloud can be lost due to several reasons:

Accidental deletion by the cloud service provider;

Physical catastrophe such as a fire or earthquake;

In case of encrypted data: loss of encryption key


Measures:

Accept the risk and trust to the cloud service

provider

Local and / or distributed backup

9

3.0 Top Threat: Account or Service Traffic Hijacking

3.0 Top Threat: Account or Service Traffic Hijacking

Attack methods such as phishing still achieve results. Credentials and

passwords are often reused, which amplifies the impact of such attacks.

With stolen credentials, attackers can often access critical areas of

deployed cloud computing services, allowing them to compromise the

confidentiality, integrity and availability of those services.


Measures:


provider

Prohibit the sharing of account credentials between

users and services

Leverage strong two-factor authentication

techniques where possible

Monitoring

Identity and Access Management

10

IAM - General


Identities are managed locally inside the organization

Access right are managed

locally and provisioned to the cloud service provider

in the environment of the cloud service provider

CloudOrganization

Client Cloud Service 1

AD / LDAP

Cloud Application n

WES / AuthCloud Service

Any Auth Protocol

IDP

SAML

Auth Own Application n

IAAS, PAAS Management


Level 2 Authentication according ETSI

11

Central Signature

IAM – Level 2 Authentication according ETSI

On August 1st, 2011, the revised digital signature decree (VZertES) as

well as the technical and administrative regulations (TAV ZertES) went

into effect, which, in addition to smartcards, offer a central digital

signature service for the creation of qualified electronic signatures.

Similar, so-called «trustworthy services» are currently being

standardized at the level of an EU Regulation.

Central Signature Server - Architecture


Workflow / Application true-Sign

Signature Server

true-Sign

Remote

HSM

CSP

Service Provider Customer

12

Central Signature Server – Registration

Personal registration, similar to the

process used with conventional

SuisseIDs.

Instead a Smartcard, the user gets the

PIN Letter only (and the means for the

2-Factor Authentication)

Creation of digital signatures

Workflow / Application

true-Sign

Remote

HSM

CSP

true-Sign

Signature Server

Central Signature Server – Security

2-Factor authentication – Mapping of

signature keys (SuisseID)



true-Sign

Remote

HSM

true-Sign

Signature Server

CSP

Service Provider Customer

13

Central Signature Server – Security

2-Factor Authentication – Mapping to

signature keys (SuisseID)

End-to-End PIN Security



true-Sign

Remote

HSM

true-Sign

Signature Server

CSP

Signature creation process – Mobile Use

Through dedicated applications over web services

On mobile devices without smartcard / USB port


14

4.0 Top Threat: Insecure Interfaces and APIs

4.0 Top Threat: Insecure Interfaces and APIs

Cloud computing providers expose a set of software interfaces or APIs

that customers use to manage and interact with cloud services.

Provisioning, management, orchestration, and monitoring are all

performed using these interfaces (cloud service provider’s responsibility).


Measures:


provider

User Access Restriction/Authorization (cloud

service provider’s responsibility)

Application Security (customer’s responsibility)

5.0 Top Threat: Denial of Service (Availability)

5.0 Top Threat: Denial of Service (Availability)

By forcing the victim cloud service to consume inordinate amounts of

finite system resources such as processor power, memory, disk space or

network bandwidth, the attacker(s) causes an intolerable system

slowdown and leaves all of the legitimate service users confused and

angry as to why the service isn’t responding.


Measures:


provider

Application Security / Entry Services (cloud service

provider’s responsibility)

15

6.0 Top Threat: Malicious Insiders (Information disclosure)


A malicious insider (or public agency) can have access to potentially

sensitive information. From IaaS to PaaS and SaaS, the malicious insider

has increasing levels of access to more critical systems, and eventually to

data. Systems that depend solely on the cloud service provider (CSP) for

security are at great risk here.

Even if encryption is implemented, if the keys are not kept with the

customer and are only available at data-usage time, the system is still

vulnerable to malicious insider attack.


Measures:


provider


Monitoring

Third Party Audits


13.3033 – Interpellation

How can Swiss citizens’ personal data in the hands of American

enterprises be protected?

http://www.parlament.ch/d/suche/seiten/geschaefte.aspx?gesch_id=20133033

http://www.srf.ch/news/schweiz/bundesrat-mahnt-zu-vorsicht-in-der-cloud

16

7.0 Top Threat: Abuse of Cloud Services

7.0 Top Threat: Abuse of Cloud Services

Almost any customer can rent tens of thousands of servers from a cloud

computing provider. However, not everyone wants to use this power for

good. He might use that array of cloud servers to stage a DDoS attack,

serve malware or crack encryption keys.


Measures:

This threat is more of an issue for cloud service

providers than cloud consumers

8.0 Top Threat: Insufficient Due Diligence


Cloud computing has brought with it a gold rush of sorts, with many

organizations rushing into the promise of cost reductions, operational

efficiencies and improved security. While these can be realistic goals for

organizations that have the resources to adopt cloud technologies

properly, too many enterprises jump into the cloud without understanding

the full scope of the undertaking.


Organizations moving to the cloud must have capable

resources, and perform extensive internal and CSP

due-diligence to understand the risks.

Measures:


provider

Rating of cloud service providers

Comprehensive process model to rate the security

of systems and processes (security-equivalence)

17

Cloud Strategy

Rating of cloud service providers


Cloud Strategy - Offensichtlich

Reduction of business and acquisition costs

Consolidation and harmonization of the IT-Infrastructure

Shorter integration time of applications

Optimization of IT-Processes through outsorcing of system- and

application-management daily tasks and focus on IT core

competences

Increase of security and reliability through the adoption of standard

solutions and specialists

Mobile working

18


Cloud Strategy

Committee for evaluation and coordination of the cloud activities

Legal and regulatory specifications

Exit- and migartion stategie

SLA and liability

Systems and data which need to be protected should not be placed in

the cloud

Exclusive knowledge and compentences should not be outsourced to

the cloud

Periodical check of the cloud service provider

Consideration of the BSI security recommendations for cloud

computing providers

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktep

apier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile

9.0 Top Threat: Shared Technology Vulnerabilities

9.0 Top Threat: Shared Technology Vulnerabilities

Cloud service providers deliver their services in a scalable way by sharing

infrastructure, platforms, and applications.

A defensive in-depth strategy is recommended and should include

compute, storage, network, application and user security enforcement,

and monitoring. The key is that a single vulnerability or misconfiguration

can lead to a compromise across an entire provider’s cloud.


Measures:


provider


Monitoring

Third Party Audits

19

Summary

There are many organizational, technical and legal measures that can be

implemented for the use Cloud-Services in a secure manner.

I’m looking forward to the panel discussion

Experts in IT-Security and Software Engineering...Data encryption, especially IRM Monitoring Third...

Documents

Transcript of Experts in IT-Security and Software Engineering...Data encryption, especially IRM Monitoring Third...