V1.3b © 2012 by keyon (www.keyon.ch)
Experts in IT-Security and Software Engineering
About Keyon
Cloud Security – The Notorious Nine
Cloud Computing Top Threats in 2013
Threats, risks and how to classify them (Survey Results 2012)
https://cloudsecurityalliance.org/
1.0 Top Threat: Data Breaches (Confidentiality)
The organization's sensitive data falls into the hands of its competitors
or any other third party.
Measures:
Accept the risk and trust the cloud service provider
Data encryption, especially Information Rights Management (IRM)
https://cloudsecurityalliance.org/topthreats/
1.0 Top Threat: Data Breaches (Confidentiality)
Information Rights Management (IRM)
With Information Rights Management, confidential data and e-mails
can be efficiently protected from unauthorized access.
In contrast to other protection technologies, the protection is tightly
bound to the data itself. The result is continuous protection that is
transparent for the user and independent of the location of the file and
of the other security mechanisms in place.
Restriction of access to business data for IT administrators
Dynamic and flexible
Substitution rules
Provides time-restricted insight
Restricted e-mail forwarding
Restricted screenshots and copy-paste functionality
(Forwarding, screenshot and copy-paste restrictions are enforced by the
IRM-aware client application: they stop careless leakage, but not a user
who photographs the screen or works from a compromised endpoint.)
The ultimate goal of IRM is to prevent leakage of confidential information
Protection is applied and enforced on the client side; the AD-RMS server
only issues the licenses.
Protect information, no matter where it is stored, no matter where it goes
[Diagram: Organization (Client, Storage, Any Application, AD-RMS, MS Exchange) and Cloud (Application / Storage); the protected data stays protected in both]
1.0 Top Threat: Data Breaches (Confidentiality)
Fully integrated
Fully integrated in the Microsoft Office Suite and many third-party products
(even on mobile devices)
Supports Office files and any other file types
File and folder encryption
Server-side and client-side data protection
Bulk encryption / decryption services
Compliance accelerators (e.g. archival of plain e-mail messages if
required)
Template driven
HR Template
Management Template
Finance Template
Organization (except IT) Template
1.0 Top Threat: Data Breaches (Confidentiality)
IRM for Enterprises, on the Way and in the Cloud
[Screenshots: Office Integration; Do not forward feature; PDF support]
https://cloudsecurityalliance.org/
1.0 Top Threat: Data Breaches (Confidentiality)
Corporate and non-corporate access
Provide access to non-corporate users using Windows Live ID
Provide access to trusted partners with an AD-RMS trust relationship
[Diagram: Organization A and Organization B, each with Active Directory, Domain Controller, ADRMS Server and RMS Database, connected by a TRUST relationship. The PC client (domain user) (2) obtains its Rights Account Certificate RAC{Pub,Priv} and Client Licensor Certificate (CLC) from its own ADRMS server, then (3) calls GetUseLicense(RACPub) and receives the UseLicense from the trusting partner's ADRMS server]
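The following Go program is an added illustration of the IRM model described on these slides (the AD-RMS flow with RAC, publishing license and GetUseLicense); it is not keyon's or Microsoft's code, and AD-RMS itself uses different formats (XrML licenses signed by the CLC, a server licensor certificate). The names Protect, GetUseLicense, Consume and Scenario, the principals alice@hr and bob@it-admin, the clock and the sample document are constructed for the example. It shows what the slides claim: the protection travels with the file because the content key is wrapped to the licensing server, a storage administrator holding a copy of the file cannot obtain a use license, and a time-restricted license stops working after expiry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// ProtectedDoc is what travels with the file: the publishing license (Rights,
// ExpiresAt, WrappedKey) bound to the AES-GCM nonce||ciphertext. The content key
// is wrapped to the licensing server, so a storage admin or cloud operator who
// copies the file cannot read it. (AD-RMS also signs the license; omitted here.)
type ProtectedDoc struct {
	Rights     map[string]string // principal -> granted right, e.g. "view"
	ExpiresAt  time.Time
	WrappedKey []byte // AES-256 content key, RSA-OAEP to the server's public key
	Box        []byte
}

func newGCM(ck []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ck)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on the publishing client; publishing needs no round trip to the server.
func Protect(server *rsa.PublicKey, plaintext []byte, rights map[string]string, expires time.Time) (*ProtectedDoc, error) {
	buf := make([]byte, 32+12) // fresh content key || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	ck, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(ck)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, ck, nil)
	if err != nil {
		return nil, err
	}
	box := append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)
	return &ProtectedDoc{Rights: rights, ExpiresAt: expires, WrappedKey: wrapped, Box: box}, nil
}

// GetUseLicense is the licensing server's policy decision (step 3 in the
// diagram): only a named principal, before expiry, gets the content key
// re-wrapped to the public key of its Rights Account Certificate (RAC).
func GetUseLicense(server *rsa.PrivateKey, doc *ProtectedDoc, principal string, racPub *rsa.PublicKey, now time.Time) ([]byte, error) {
	if _, ok := doc.Rights[principal]; !ok || now.After(doc.ExpiresAt) {
		return nil, fmt.Errorf("no use license for %s at %s", principal, now.Format(time.RFC3339))
	}
	ck, err := rsa.DecryptOAEP(sha256.New(), nil, server, doc.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, racPub, ck, nil)
}

// Consume runs on the consuming client: unwrap with the RAC private key, decrypt.
func Consume(doc *ProtectedDoc, useLicense []byte, racPriv *rsa.PrivateKey) ([]byte, error) {
	ck, err := rsa.DecryptOAEP(sha256.New(), nil, racPriv, useLicense, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(ck)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Box[:12], doc.Box[12:], nil)
}

// Scenario: an HR template grants only alice@hr. The storage admin can copy the
// file but gets no license; after the 24 h window even alice is refused.
func Scenario() (hrText string, adminErr, expiredErr error) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	var keys [3]*rsa.PrivateKey // licensing server, alice's RAC, bob's RAC
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		check(err)
		keys[i] = k
	}
	server, alice, admin := keys[0], keys[1], keys[2]
	now := time.Date(2013, 6, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	doc, err := Protect(&server.PublicKey, []byte("Q2 salary review - confidential"),
		map[string]string{"alice@hr": "view"}, now.Add(24*time.Hour))
	check(err)
	ul, err := GetUseLicense(server, doc, "alice@hr", &alice.PublicKey, now)
	check(err)
	pt, err := Consume(doc, ul, alice)
	check(err)
	_, adminErr = GetUseLicense(server, doc, "bob@it-admin", &admin.PublicKey, now)
	_, expiredErr = GetUseLicense(server, doc, "alice@hr", &alice.PublicKey, now.Add(48*time.Hour))
	return string(pt), adminErr, expiredErr
}

func main() { fmt.Println(Scenario()) }
```

The design point to take from it: the cloud storage on the right-hand side of the diagram only ever holds Box and a wrapped key it cannot open, so a breach of that storage yields ciphertext, while the policy decision stays with the licensing server the organization controls. That is also why the slide on malicious insiders later returns to IRM: the content key is never held by the storage provider.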
2.0 Top Threat: Data Loss (Availability)
For both consumers and businesses, the prospect of permanently losing
one's data is terrifying.
Data stored in the cloud can be lost for several reasons:
Accidental deletion by the cloud service provider
Physical catastrophe such as a fire or earthquake
In the case of encrypted data: loss of the encryption key
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service provider
Local and / or distributed backup of the data and of the encryption keys
3.0 Top Threat: Account or Service Traffic Hijacking
Attack methods such as phishing still achieve results. Credentials and
passwords are often reused, which amplifies the impact of such attacks.
With stolen credentials, attackers can often access critical areas of
deployed cloud computing services, allowing them to compromise the
confidentiality, integrity and availability of those services.
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service provider
Prohibit the sharing of account credentials between users and services
Leverage strong two-factor authentication techniques where possible
Monitoring
Identity and Access Management
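As an added example (not from the original slides), the following Go program implements the RFC 6238 TOTP second factor that most "strong two-factor authentication" offerings use, together with the server-side check a verifier needs: a small clock-drift window and a record of the last accepted time step, so that a code phished from the user cannot be presented a second time. The secret and the timestamps are the reference values from RFC 6238; Verifier and Scenario are names chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	step   = 30 // seconds per time step (RFC 6238 default)
	digits = 6  // code length the Verifier expects
)

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation
// to a 31-bit integer, reduced to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime)/step, digits)
}

// Verifier is the service side. It tolerates one step of clock drift in each
// direction but never accepts a time step at or below the last one it
// accepted, so a code captured by phishing cannot be replayed in its window.
type Verifier struct {
	secret   []byte
	lastStep uint64
}

// Verify checks code against the previous, current and next time step.
func (v *Verifier) Verify(code string, now time.Time) bool {
	cur := uint64(now.Unix()) / step
	for _, c := range []uint64{cur - 1, cur, cur + 1} {
		if c <= v.lastStep {
			continue // already used, or older than the last accepted step
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(v.secret, c, digits)), []byte(code)) == 1 {
			v.lastStep = c
			return true
		}
	}
	return false
}

// Scenario: the legitimate login succeeds, the same (phished) code presented
// again ten seconds later is refused, and a code from two steps ago is refused.
func Scenario() (first, replay, stale bool) {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret
	v := &Verifier{secret: secret}
	now := time.Unix(1111111111, 0) // a reference timestamp from RFC 6238
	code := TOTP(secret, now.Unix(), digits)
	first = v.Verify(code, now)
	replay = v.Verify(code, now.Add(10*time.Second))
	stale = v.Verify(TOTP(secret, now.Unix()-2*step, digits), now.Add(10*time.Second))
	return first, replay, stale
}

func main() {
	secret := []byte("12345678901234567890")
	fmt.Println("TOTP at T=59 (8 digits):", TOTP(secret, 59, 8)) // RFC 6238: 94287082
	fmt.Println(Scenario())
}
```

Two caveats for practitioners: the replay check only narrows the window, since a real-time phishing proxy can still relay a fresh code within the 30 seconds it is valid, which is why phishing-resistant factors (FIDO U2F / WebAuthn) are stronger; and the shared secret must be stored as carefully as a password database, because whoever reads it can generate every future code.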
IAM - General
Identity and Access Management
Identities are managed locally inside the organization
Access rights are managed either
locally and provisioned to the cloud service provider, or
in the environment of the cloud service provider
[Diagram: Organization (Client, AD / LDAP, IDP, WES / Auth Cloud Service, own applications) and Cloud (Cloud Service 1 ... n, Cloud Application n, IaaS / PaaS management); the client authenticates with any auth protocol and the IDP federates to the cloud services via SAML]
Identity and Access Management
Level 2 Authentication according to ETSI
Central Signature
IAM – Level 2 Authentication according to ETSI
On August 1st, 2011, the revised digital signature ordinance (VZertES) as
well as the technical and administrative regulations (TAV ZertES) came
into effect, which, in addition to smartcards, allow a central digital
signature service for the creation of qualified electronic signatures.
Similar, so-called «trust services» are currently being
standardized at the level of an EU Regulation.
Central Signature Server - Architecture
[Diagram: Workflow / Application and true-Sign Remote on the customer side; true-Sign Signature Server and HSM on the service provider (CSP) side]
Central Signature Server – Registration
Personal registration, similar to the process used with conventional
SuisseIDs.
Instead of a smartcard, the user receives only the PIN letter (and the
means for the 2-factor authentication).
Creation of digital signatures
[Diagram: Workflow / Application → true-Sign Remote (customer) → true-Sign Signature Server → HSM (service provider / CSP)]
Central Signature Server – Security
2-factor authentication – mapping to signature keys (SuisseID)
End-to-end PIN security (from the user's device to the HSM)
Signature creation process – Mobile Use
Through dedicated applications over web services
On mobile devices without smartcard / USB port
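To make "mapping to signature keys" and "end-to-end PIN security" concrete, here is an added Go program that is not the true-Sign product's code. It models a signing HSM behind a signature server the way the slides describe it: the PIN is sealed on the user's device to a key only the HSM holds and is bound to the hash it authorizes, so the operator of the signature server in the middle can neither read the PIN nor reuse it on another document, and the key slot locks after three wrong PINs. HSM, Enroll, SealPIN, Sign and Scenario, the slot ID slot-0042, the PIN 837291 and the documents are constructed for the example; the 2-factor login that maps the user to a slot is assumed to have happened before Sign is called, and P-256 ECDSA stands in for whatever algorithm a qualified signature service actually uses.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const maxFailures = 3 // wrong PINs before the key slot locks

// slot is one user's signing key inside the HSM together with its PIN verifier.
// For a 6-digit PIN the lockout counter, not the hash, is the real protection.
type slot struct {
	key      *ecdsa.PrivateKey
	pinHash  [32]byte
	failures int
}

// HSM holds the transport key that PIN envelopes are sealed to and the user
// slots. The signature server in front of it never sees PINs or private keys.
type HSM struct {
	transport *rsa.PrivateKey
	slots     map[string]*slot // slot ID (mapped from the authenticated identity) -> key
}

// Enroll runs at registration: the key is generated inside the HSM and bound
// to the PIN from the user's PIN letter.
func (h *HSM) Enroll(slotID, pin string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	h.slots[slotID] = &slot{key: key, pinHash: sha256.Sum256([]byte(pin))}
	return &key.PublicKey, nil
}

// SealPIN runs on the user's device (true-Sign Remote or a mobile app): the PIN
// is bound to the hash it authorizes and encrypted to the HSM alone.
// Envelope plaintext: pin || 0x00 || sha256(document).
func SealPIN(hsmPub *rsa.PublicKey, pin string, docHash [32]byte) ([]byte, error) {
	env := append([]byte(pin+"\x00"), docHash[:]...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, hsmPub, env, nil)
}

// Sign runs inside the HSM. The signature server supplies only the slot ID it
// mapped from the user's 2-factor session, the opaque envelope and the hash to
// sign; it can neither learn the PIN nor reuse it for another document.
func (h *HSM) Sign(slotID string, envelope []byte, docHash [32]byte) ([]byte, error) {
	s, ok := h.slots[slotID]
	if !ok || s.failures >= maxFailures {
		return nil, fmt.Errorf("key slot %s unknown or locked", slotID)
	}
	env, err := rsa.DecryptOAEP(sha256.New(), nil, h.transport, envelope, nil)
	if err != nil {
		return nil, err
	}
	sep := bytes.IndexByte(env, 0)
	if sep < 0 || len(env) != sep+1+len(docHash) {
		return nil, fmt.Errorf("malformed PIN envelope")
	}
	want := sha256.Sum256(env[:sep])
	if subtle.ConstantTimeCompare(want[:], s.pinHash[:]) != 1 {
		s.failures++
		return nil, fmt.Errorf("wrong PIN (%d of %d attempts used)", s.failures, maxFailures)
	}
	if !bytes.Equal(env[sep+1:], docHash[:]) {
		return nil, fmt.Errorf("PIN was authorized for a different document")
	}
	s.failures = 0
	return ecdsa.SignASN1(rand.Reader, s.key, docHash[:])
}

// Scenario: Alice signs her contract. An operator who captured her envelope
// cannot sign another document with it, and three wrong PINs lock the slot
// even against the genuine envelope.
func Scenario() (valid bool, swapErr, lockErr error) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	tk, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	hsm := &HSM{transport: tk, slots: map[string]*slot{}}
	alicePub, err := hsm.Enroll("slot-0042", "837291") // constructed slot ID and PIN
	check(err)
	contract := sha256.Sum256([]byte("Employment contract v3 - Alice")) // constructed document
	env, err := SealPIN(&tk.PublicKey, "837291", contract)
	check(err)
	sig, err := hsm.Sign("slot-0042", env, contract)
	check(err)
	valid = ecdsa.VerifyASN1(alicePub, contract[:], sig)
	loan := sha256.Sum256([]byte("Loan agreement - Alice"))
	_, swapErr = hsm.Sign("slot-0042", env, loan)
	for i := 0; i < maxFailures; i++ {
		bad, err := SealPIN(&tk.PublicKey, "000000", contract)
		check(err)
		hsm.Sign("slot-0042", bad, contract)
	}
	_, lockErr = hsm.Sign("slot-0042", env, contract)
	return valid, swapErr, lockErr
}

func main() { fmt.Println(Scenario()) }
```

Binding the PIN to the document hash is what turns "the server never sees the PIN" into a security property: without it, a compromised signature server could hold back a captured envelope and present it with a hash of its own choosing. The lockout counter has to live in the HSM for the same reason; a counter kept by the signature server could be reset by whoever controls that server.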
4.0 Top Threat: Insecure Interfaces and APIs
Cloud computing providers expose a set of software interfaces or APIs
that customers use to manage and interact with cloud services.
Provisioning, management, orchestration, and monitoring are all
performed using these interfaces (cloud service provider’s responsibility).
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service
provider
User Access Restriction/Authorization (cloud
service provider’s responsibility)
Application Security (customer’s responsibility)
5.0 Top Threat: Denial of Service (Availability)
By forcing the victim cloud service to consume inordinate amounts of
finite system resources such as processor power, memory, disk space or
network bandwidth, the attacker(s) causes an intolerable system
slowdown and leaves all of the legitimate service users confused and
angry as to why the service isn’t responding.
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service
provider
Application Security / Entry Services (cloud service
provider’s responsibility)
6.0 Top Threat: Malicious Insiders (Information disclosure)
A malicious insider (or public agency) can have access to potentially
sensitive information. From IaaS to PaaS and SaaS, the malicious insider
has increasing levels of access to more critical systems, and eventually to
data. Systems that depend solely on the cloud service provider (CSP) for
security are at great risk here.
Even if encryption is implemented, if the keys are not kept with the
customer and are only available at data-usage time, the system is still
vulnerable to malicious insider attack.
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service
provider
Data encryption, especially IRM
Monitoring
Third Party Audits
6.0 Top Threat: Malicious Insiders (Information disclosure)
13.3033 – Interpellation
How can Swiss citizens’ personal data in the hands of American
enterprises be protected?
http://www.parlament.ch/d/suche/seiten/geschaefte.aspx?gesch_id=20133033
http://www.srf.ch/news/schweiz/bundesrat-mahnt-zu-vorsicht-in-der-cloud
7.0 Top Threat: Abuse of Cloud Services
Almost any customer can rent tens of thousands of servers from a cloud
computing provider. However, not everyone wants to use this power for
good. Such a customer might use that array of cloud servers to stage a DDoS attack,
serve malware or crack encryption keys.
https://cloudsecurityalliance.org/topthreats/
Measures:
This threat is more of an issue for cloud service
providers than cloud consumers
8.0 Top Threat: Insufficient Due Diligence
Cloud computing has brought with it a gold rush of sorts, with many
organizations rushing into the promise of cost reductions, operational
efficiencies and improved security. While these can be realistic goals for
organizations that have the resources to adopt cloud technologies
properly, too many enterprises jump into the cloud without understanding
the full scope of the undertaking.
https://cloudsecurityalliance.org/topthreats/
Organizations moving to the cloud must have capable
resources, and perform extensive internal and CSP
due-diligence to understand the risks.
Measures:
Accept the risk and trust the cloud service
provider
Rating of cloud service providers
Comprehensive process model to rate the security
of systems and processes (security-equivalence)
8.0 Top Threat: Insufficient Due Diligence
Cloud Strategy
Rating of cloud service providers
Cloud Strategy - Obvious benefits
Reduction of business and acquisition costs
Consolidation and harmonization of the IT infrastructure
Shorter integration time of applications
Optimization of IT processes through outsourcing of daily system and
application management tasks and focus on IT core competences
Increase of security and reliability through the adoption of standard
solutions and specialists
Mobile working
8.0 Top Threat: Insufficient Due Diligence
Cloud Strategy
Committee for evaluation and coordination of the cloud activities
Legal and regulatory specifications
Exit and migration strategy
SLA and liability
Systems and data requiring a high level of protection should not be placed
in the cloud
Exclusive knowledge and competences should not be outsourced to
the cloud
Periodic review of the cloud service provider
Consideration of the BSI security recommendations for cloud
computing providers
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf?__blob=publicationFile
9.0 Top Threat: Shared Technology Vulnerabilities
Cloud service providers deliver their services in a scalable way by sharing
infrastructure, platforms, and applications.
A defense-in-depth strategy is recommended and should include
compute, storage, network, application and user security enforcement,
and monitoring. The key is that a single vulnerability or misconfiguration
can lead to a compromise across an entire provider’s cloud.
https://cloudsecurityalliance.org/topthreats/
Measures:
Accept the risk and trust the cloud service
provider
Data encryption, especially IRM
Monitoring
Third Party Audits
Summary
There are many organizational, technical and legal measures that can be
implemented to use cloud services in a secure manner.
I’m looking forward to the panel discussion