Transcript of (Pdf) yury chemerkin intelligence_sec_2013

Page 1: (Pdf) yury chemerkin intelligence_sec_2013

COMPLIANCE AND TRANSPARENCY OF CLOUD FEATURES vs. SECURITY STANDARDS

YURY CHEMERKIN

Cyber Intelligence Europe 2013

Page 2:

EXPERIENCED IN:

REVERSE ENGINEERING & AV

SOFTWARE PROGRAMMING & DOCUMENTATION

MOBILE SECURITY AND MDM

CYBER SECURITY & CLOUD SECURITY

COMPLIANCE & TRANSPARENCY

FORENSICS AND SECURITY WRITING

HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA

PARTICIPATION AT CONFERENCES

INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,

DEFCONMOSCOW, HACTIVITY, HACKFEST

CYBERCRIME FORUM, DeepIntel/DeepSec,

ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY

[ YURY CHEMERKIN ]

www.linkedin.com/in/yurychemerkin http://sto-strategy.com [email protected]

Page 3:

I. Opinions & Facts

Page 4:

Cloud Issues: Known Issues / Known Solutions and Opinions

Issue areas: Threats; Privacy; Compliance; Legal; Vendor lock-in; Open source / open standards; Security; Abuse; IT governance

Known issues and opinions:

Ambiguity of terminology

Customization, security solutions

Crypto anarchism

CSA, ISO, PCI, SAS 70

Typically US location

Platform, data, tools lock-in

Top clouds are not open-source

Physical (private) clouds are held to be more secure than public ones

Botnets and malware infections/misuse

Depends on organization needs

Reference to wide services, solutions, etc.

Page 5:

Public clouds: some known facts about AWS and Azure relating to the issues above

Top clouds are not open source

OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not compatible.

Platform lock-in

There are import/export tools to migrate from/to VMware, while Azure has none.

Data lock-in

Native AWS solutions linked with Cisco routers for upload, download and tunneling, as well as 3rd-party storage such as SMEStorage (AWS, Azure, Dropbox, Google, etc.).

Tools lock-in

Longing for inter-cloud management tools that are industrial-grade and built with compliance in mind.

API lock-in

Longing for inter-cloud APIs; however, inter-OS APIs have long been known for PCs, MDM, mobiles, etc.

No transparency

Weak compliance and transparency due to SAS 70 and NDA relationships between the cloud vendor and third-party auditors and experts.

Abuse

Abuse is not a new issue and is everywhere.

AWS Vulnerability Bulletins serve as a kind of quick response; stay tuned.

Page 6:

Clouds: Public vs. Private. Known security issues of public clouds and significant research on them as a PoC

"All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd CCSW, October 2011

A black-box analysis methodology in which AWS control interfaces were compromised via XSS techniques, HTML injection and MITM

[AWS] :: "Reported SOAP Request Parsing Vulnerabilities"

Mitigations: use SSL/HTTPS only, with certificate validation, and use API access mechanisms like REST/Query instead of SOAP

Activate MFA and create IAM accounts with limited access; rotate AWS credentials, enhanced with key pairs and X.509 certificates

Limit access by IP address, enhanced with the API/SDK and IAM

"The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, October 2012

Incorrect behavior in the SSL certificate validation of the AWS SDKs for EC2, ELB and FPS

[AWS] :: "Reported SSL Certificate Validation Errors in API Tools and SDKs"

AWS has since upd
ated all SDKs (for all services) to fix it
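The SOAP request parsing problem behind the CCSW 2011 paper and the AWS bulletin above is a mismatch between the element a signature verifier checks and the element the application then executes (signature wrapping). The Python below is an example added to this transcript to show that mismatch and the fix; it is not code from the paper, from AWS or from the original slides. It uses a toy SOAP-like envelope, an HMAC with a constructed shared secret in place of the X.509 signature EC2 used, and skips XML canonicalisation; element, attribute and operation names are assumed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared secret. Real EC2 SOAP requests carried an X.509 signature;
# HMAC stands in for it so the example runs offline.
SECRET = b"demo-shared-secret"


def canon(elem):
    # Simplified canonicalisation: serialise just the referenced subtree.
    # Real XML-DSig uses Exclusive C14N; the wrapping problem is the same.
    return ET.tostring(elem, encoding="utf-8")


def sign(elem):
    return hmac.new(SECRET, canon(elem), hashlib.sha256).hexdigest()


def build_signed_request(action, ref_id="op1"):
    """Legitimate request: the operation in Body carries an Id and the Header
    Signature references that Id (toy equivalent of a ds:Reference URI)."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body")
    op = ET.SubElement(body, action, Id=ref_id)
    sig = ET.SubElement(header, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + ref_id)
    ET.SubElement(sig, "SignatureValue").text = sign(op)
    return ET.tostring(env, encoding="unicode")


def wrap_attack(xml_text, new_action):
    """Signature wrapping: keep the signed element intact (so its signature
    still verifies) but move it out of Body, and put an unsigned operation
    where the application will look for the one to execute."""
    env = ET.fromstring(xml_text)
    header, body = env.find("Header"), env.find("Body")
    signed_op = body[0]
    body.remove(signed_op)
    wrapper = ET.SubElement(header, "Wrapper")
    wrapper.append(signed_op)          # the Id attribute travels with it
    ET.SubElement(body, new_action)    # no Id, never signed
    return ET.tostring(env, encoding="unicode")


def find_by_id(env, ref_id):
    # Document-wide Id lookup, as getElementById-style resolvers do.
    for e in env.iter():
        if e.get("Id") == ref_id:
            return e
    return None


def verify_signature(env):
    """Resolve the Reference, recompute the signature over that element and
    return the element that was actually verified."""
    sig = env.find("Header/Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    target = find_by_id(env, ref_id)
    given = sig.find("SignatureValue").text
    if target is None or given is None or not hmac.compare_digest(sign(target), given):
        raise ValueError("bad signature")
    return target


def process_naive(xml_text):
    """Verifier and business logic locate the operation independently."""
    env = ET.fromstring(xml_text)
    verify_signature(env)              # verifies *some* element with that Id
    return env.find("Body")[0].tag     # ... but executes whatever Body holds


def process_hardened(xml_text):
    """The element that passed verification must be the element executed."""
    env = ET.fromstring(xml_text)
    signed = verify_signature(env)
    executed = env.find("Body")[0]
    if signed is not executed:
        raise ValueError("signed element is not the element being processed")
    return executed.tag


def hardened_rejects(xml_text):
    try:
        process_hardened(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit = build_signed_request("DescribeInstances")
    forged = wrap_attack(legit, "RunInstances")
    print("naive, legit    :", process_naive(legit))
    print("naive, forged   :", process_naive(forged))   # RunInstances runs
    print("hardened, legit :", process_hardened(legit))
    print("hardened, forged: rejected =", hardened_rejects(forged))
```

The hardened check is the same discipline the slide's REST/Query advice buys for free: with a signed query string there is only one place the signed parameters can live, so verifier and executor cannot disagree about which operation was authorised.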

Page 7:

Clouds: Public vs. Private

[AWS] :: "Xen Security Advisories"

There are known Xen attacks (Blue Pill, etc.)

No Xen vulnerability has been shown to apply to AWS, Azure or SaaS/PaaS services; these are very customized clouds

[CSA] :: "CSA The Notorious Nine: Cloud Computing Top Threats in 2013"

Replaced a document published in 2009

Such best practices provide only a minimum level of security

No significant changes since 2009, not even in the examples

Top Threats Examples:

"1.0 Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys"

"7.0 Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys"

"4.0 Threat: Insecure Interfaces and APIs"

Besides the reality of CSA threats:

CSA's 1.0 and 7.0 cases highlight how public clouds, e.g. AWS EC2, are vulnerable

The 1.0 and 7.0 cases are totally focused on a private-cloud case (VMware and Xen), and there is no known way to adapt them to AWS

The 4.0 case presents issues raised by SSO access, not related to public clouds (except Dropbox, SkyDrive), and is addressed to the insecurity of APIs

It is generally held that private clouds are the most secure; there is no PoC that proves this statement against public clouds

Page 8:

II. CSA Framework

Page 9:

CSA Framework: layered model

• Compliance Model

• Enhanced Security Model

• Basic Security Model

• Cloud Model

Diagram labels: Cloud, CSA CAIQ, Mapping, CSA CCM

Page 10:

Page 11:

Page 12:

II. NIST Framework

Page 13:

Page 14:

NIST Framework

The consolidated framework over all NIST documents: logically, clearly defined documents, e.g.

Categorizing systems

Selecting controls

FIPS

Forensics

Logging (SCAP)

Etc.

Properties: Complementarity, Interchangeability, Expansibility, Dependence, Mapping (NIST, ISO only)

Page 15:

NIST Framework

Complementarity: NIST control enhancements; your own security controls

Interchangeability: replacing basic controls by enhanced controls

Expansibility: controls that impact or support the implementation of a particular security control or control enhancement; your own way to improve the framework

Mapping (NIST, ISO only): NIST -> ISO; ISO -> NIST; NIST -> Common Criteria (rev4 only)

Page 16:

NIST Framework: Interchangeability

Basic controls aren't applicable in the case of:

Information systems that need to communicate with other systems across different policies

APT

Insider threats

Mobility (mobile location, non-fixed)

Single-user operations

Interchangeability: replacing basic controls by enhanced controls

Page 17:

III. Clouds

Page 18:

Clouds

Amazon Web Services: generally IaaS, plus SaaS and PaaS

Microsoft Azure: generally PaaS; recent changes add IaaS

BlackBerry Enterprise Service: separated; integrated with Office 365; SaaS as an MDM solution

Page 19:

Page 20:

Page 21:

BES 10 and BES 5

• Office integration: Office, Office365, Cisco/VoIP

• Unified Device Platform (Unified Management): Android, iOS, BlackBerry Z10/Q10, PlayBook (BES 10); BlackBerry 4, 5, 6, 7 (BES 5)

Page 22:

IV. Cloud & Compliance Specific

Page 23:

Cloud & Compliance Specifics

There is no one "cloud"; there is no one "standard"

What vision is adopted by cloud vendors? What vision is adopted by cloud operators (3rd parties)? What is your way to use and manage the cloud?

There are many models and architectures; there are many ways to build a cloud in alignment to…

Virtualizing anything that can be virtualized

Data distribution, service distribution, unified management

All of that should be reflected in clear compliance requirements

Page 24:

Cloud & Compliance Specifics

The goal is to bring transparency to cloud controls and features, especially security controls and features

Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities

Unifying recommendations for all clouds

Up to now, it is the 3rd revision

All recommendations are linked with other standards: PCI DSS, ISO, COBIT, NIST, FedRAMP

CSA's own vision of how it must be referred to

Top known cloud vendors have announced they are in compliance with it; some of the reports are getting old by now

Customers have to control their environment according to their needs

Customers want to know whether it is in compliance, especially with local regulations, and how far

Customers want to know whether it makes clouds transparent enough to let them build an appropriate

Page 25:

Cloud & Compliance Specifics: Compliance, Transparency, Elaboration

CAIQ/CCM provide an equivalent of the recommendations of several standards; CAIQ provides more details on security and privacy, but NIST is more specific

CSA recommendations are poor in technical details

It helps vendors not to have their solutions worked out in detail and/or to leave them badly documented

It helps them put a lot of references to 3rd-party reviews under NDA (SOC 1 or SAS 70)

It is a bad idea to let vendors fill in such documents: they provide fewer public details and take it to NDA reports

Vendors' general explanations multiplied by general standards' recommendations are extremely far from transparency

Clouds call for specific levels of audit logging, activity reporting, security controlling and data retention; this is often not part of the SLA offered by providers, and it is outside the recommendations

AWS often goes into detail with its architecture documents

AWS solutions are very well placed to comply with old standards and specific local regulations: NIST 800-53, or even Russian security standards (however, the Russian framework lies outside any cloud framework)

Page 26:

Compliance: from the Cloud Vendor's viewpoint (Compliance, Transparency, Elaboration)

Difference (AWS vs. Azure), by control area:

Third Party Audits: As opposed to AWS, Azure does not have a clearly defined statement on whether customers are able to perform their own vulnerability tests

Information System Regulatory Mapping: AWS goes into detail to comply with it, which results in differences between CAIQ and CCM

Handling / Labeling / Security Policy: AWS details what customers are allowed to do and how exactly, while Azure does not

Retention Policy: AWS points to the customers' responsibility to manage data, excluding moves between Availability Zones inside one region; Azure assures validation and processing of it, and indicates historical auto-backup of data

Secure Disposal: No serious difference; AWS additionally relies on DoD 5220.22-M, while Azure relies on NIST 800-88 only

Information Leakage: AWS relies on AMI and EBS services, while Azure relies on data integrity

Policy, User Access, MFA: No difference; both have it

Baseline Requirements: AWS provides more detailed how-to docs than Azure and allows importing trusted VMs from VMware, which Azure does not

Encryption, Encryption Key Management: AWS offers encryption features for VMs, storage, DB and networks, while Azure does so for XStore (Azure Storage)

Vulnerability / Patch Management: AWS lets customers request their own pentest, while Azure does not

Nondisclosure Agreements, Third Party Agreements: AWS highlights that it does not leverage any 3rd-party cloud providers to deliver AWS services to customers; Azure points to procedures and NDAs undergone with ISO

User ID Credentials: Besides AD (Active Directory), the AWS IAM solution is aligned with both CAIQ and CCM requirements, while Azure addresses AD to perform these actions

(Non-)Production Environments, Network Security: AWS provides more detailed how-to documents for achieving compliance

Segmentation: Besides vendor features, AWS provides quite similar mechanisms aligned with CAIQ and CCM, while Azure points to features built into the infrastructure on the vendor side

Mobile Code: AWS points its clients to be responsible for meeting such requirements, while Azure points to built-in solutions that track mobile code

Page 27:

Compliance: from CSA's viewpoint. Examination of CSA

Consumer relationship only: everything except SA-13 ("Location-aware technologies may be used to validate connection authentication integrity based on known equipment location")

Vendor relationship only: requirements include technical and management solutions

Consumer relationship shared with vendor: includes non-technical solutions only, such as policies, roles, procedures, training

All requirements cover the SaaS, PaaS and IaaS cloud types; general requirements only; missing details (like DoD)

Examination of CSA

Page 28:

Compliance: from CSA's viewpoint. Examination of CSA references to NIST

Data Governance – Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" refers to

AC-2 Account Management

AC-3 Access Enforcement

AC-4 Information Flow Enforcement

AC-6 Least Privilege (the most correct reference)

AC-11 Session Lock

General requirements only

"Security mechanisms shall be implemented to prevent data leakage" misses in turn (no references at all):

AC-7 Unsuccessful Login Attempts

AC-8 System Use Notification

AC-9 Previous Logon (Access) Notification

AC-10 Concurrent Session Control

Page 29:

Compliance: from CSA's viewpoint. Examination of CSA references to ISO

Data Governance – Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" also refers to ISO

A.10.6.2 Security of network services

A.10.6.2 refers to NIST in turn:

CA-3 Information System Connections

SA-9 External Information System Services

SC-8 Transmission Integrity

SC-9 Transmission Confidentiality

DG-07 should in fact refer to PE-19 Information Leakage

It could include the NIST requirement "AC-6 Least Privilege" too

A few of them are applicable in the case of cloud MDM and should be extended with a different toolkit

Page 30:

Cloud & Compliance Specifics. Example: CSA Cloud :: Azure

Data Governance (NIST :: access control, media management, etc.)

Ownership / Stewardship

Classification

Handling / Labeling / Security Policy

Retention Policy

Secure Disposal

Non-Production Data

Information Leakage

Risk Assessments

Azure's vision: distribution of information

CSA and ISO are better applicable than NIST

NIST is applicable as a custom collection of controls

The best way is to adopt NIST enhancements with CSA

Need to remap CSA -> NIST rev4

Technical / Access Control / Security Attributes:

Attribute Configuration

Permitted Attributes for Specified Information Systems

Permitted Values and Ranges for Attributes

Page 31:

Cloud & Compliance Specifics. Example: NIST Cloud :: AWS

Access Control

Account, Session Management

Access / Information Flow Enforcement

Least Privilege, Security Attributes

Remote / Wireless Access

AWS's vision is not data distribution

NIST is better applicable than CSA

NIST is applicable as a custom collection of controls

There are many enhancements to include (rev4):

Dynamic Account Creation

Restrictions on Use of Shared Groups / Accounts

Group Account Requests Approvals/Renewals

Account Monitoring – Atypical Usage

e.g. :: log-delivery-write for S3

Page 32:

Cloud & Compliance Specifics. Example: CSA / NIST Cloud :: AWS

AWS's vision is not data distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint: a resource-based policy, attached to the resource

AWS's vision is not data distribution; however, NIST :: Access Control is applicable from the user-based viewpoint: an account-based policy, attached to users

Define that policy for MDM users to access internal network resources; combine it with a mobile policy
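The two viewpoints above, a resource-based policy attached to the bucket and an account-based policy attached to the user, meet in AWS's evaluation logic, and the MFA and source-IP restrictions recommended on page 6 can be expressed in either. The Python below is a simplified model of that evaluation added for this transcript; it is not AWS code, and the account ID, user names and bucket name are constructed. It goes a step beyond the slide by showing why the explicit denies belong on the resource policy when both kinds are in play.

```python
import fnmatch
import ipaddress

CORP_NET = "198.51.100.0/24"                      # assumed corporate egress range
ALICE = "arn:aws:iam::111122223333:user/alice"    # constructed MDM user
BOB = "arn:aws:iam::111122223333:user/bob"        # constructed non-MDM user
BUCKET = "arn:aws:s3:::mdm-internal"              # constructed bucket

# Identity-based policy (NIST access-control viewpoint): attached to the MDM
# users, with the MFA condition the slides recommend.
MDM_USER_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

# Resource-based policy (CSA data-governance viewpoint): attached to the bucket.
# The denies live here: within one account an Allow in a resource policy is
# sufficient by itself and would bypass the identity policy's MFA condition.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ALICE]},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_NET}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

IDENTITY_POLICIES = {ALICE: [MDM_USER_POLICY]}   # user -> attached policies
RESOURCE_POLICIES = [BUCKET_POLICY]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    """Subset of IAM condition operators: Bool, IpAddress, NotIpAddress.
    A missing context key makes the condition false, as in IAM."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(have) in ipaddress.ip_network(c)
                             for c in _as_list(want))
                if inside != (op == "IpAddress"):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + op)
    return True


def _principal_ok(stmt, principal):
    p = stmt.get("Principal")
    if p == "*":
        return True
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return principal in _as_list(p)


def _applies(stmt, action, resource, ctx, principal=None):
    if principal is not None and not _principal_ok(stmt, principal):
        return False
    return (_match_any(stmt["Action"], action)
            and _match_any(stmt["Resource"], resource)
            and _condition_ok(stmt.get("Condition"), ctx))


def evaluate(principal, action, resource, ctx, identity_policies, resource_policies):
    """Simplified same-account IAM logic: an explicit Deny anywhere wins,
    then any Allow from either policy type, otherwise implicit deny."""
    effects = []
    for pol in identity_policies.get(principal, []):
        effects += [s["Effect"] for s in pol["Statement"]
                    if _applies(s, action, resource, ctx)]
    for pol in resource_policies:
        effects += [s["Effect"] for s in pol["Statement"]
                    if _applies(s, action, resource, ctx, principal)]
    if "Deny" in effects:
        return "explicit deny"
    if "Allow" in effects:
        return "allow"
    return "implicit deny"


def check(principal, action, key, source_ip, mfa):
    ctx = {"aws:SourceIp": source_ip, "aws:MultiFactorAuthPresent": mfa}
    return evaluate(principal, action, BUCKET + "/" + key, ctx,
                    IDENTITY_POLICIES, RESOURCE_POLICIES)


if __name__ == "__main__":
    print(check(ALICE, "s3:GetObject", "profiles/ios.xml", "198.51.100.7", True))
    print(check(ALICE, "s3:GetObject", "profiles/ios.xml", "198.51.100.7", False))
    print(check(ALICE, "s3:GetObject", "profiles/ios.xml", "203.0.113.9", True))
    print(check(ALICE, "s3:PutObject", "profiles/ios.xml", "198.51.100.7", True))
    print(check(BOB, "s3:GetObject", "profiles/ios.xml", "198.51.100.7", True))
```

Remove the two Deny statements from the bucket policy and re-run the second case: the bucket's own Allow grants alice the object without MFA, which is the responsibility-swapping trap the conclusion warns about, expressed in policy form.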

Page 33:

COMPLIANCE AND MDM

CSA Mobile Device Management: Key Components

Device diversity; configuration management; software distribution; device policy compliance & enforcement; enterprise activation; logging; security settings; security wipe, lock; IAM

Make sure you start managing security under uncertain terms without AI

NIST SP 800-124

Refers to NIST SP 800-53 and others

Sometimes misses requirements such as locking the device; however, it is in NIST SP 800-53

A bit more detailed than CSA; no statements on permission management

Page 34:

[ DEVICE MANAGEMENT ]

$\Delta = A \cup B \cup \Gamma \cup \Upsilon, \quad A \subset B, \quad \Upsilon \subseteq B, \quad \Upsilon \subset A$

$\Delta$ – set of OS permissions, $A$ – set of device permissions, $B$ – set of MDM permissions, $\Gamma$ – set of missed permissions (lack of controls), $\Upsilon$ – set of rules that explicitly should be applied to gain compliance

$H = E + Z, \quad E \supset A \cup B$

$H$ – set of APIs, $E$ – set of APIs that interact with sensitive data, $Z$ – set of APIs that do not interact with sensitive data

To get mobile security designed with full granularity, the set $\Gamma$ should be empty, so as to get $E \supseteq A \cup B$ instead of $E \supset A \cup B$; what matters is how close it is to empty. On the other hand, it should be found out whether the assumptions $\Upsilon \subseteq B$, $\Upsilon \subset A$ are true and whether it is possible to get $\subseteq A$.

Efficiency:

Set of permissions < set of activities: the typical case, < 100%

Ability to control each API: = 100%

More than one permission per API: > 100%

Lack of knowledge about possible attacks; improper granularity

Concurrency over native & additional security features: the situation is very serious

MDM features: AV, MDM, DLP, VPN; non-app features; permissions; kernel protection

Page 35:

[ DEVICE MANAGEMENT ] Application-level attack vector

GOALS – mobile resources / aim of attack: device resources; outside-of-device resources

ATTACKS – set of actions under the threat

APIs – resources widely available to coders

SECURITY FEATURES – kernel protection, non-app features; permissions (explicitly configured); 3rd party: AV, firewall, VPN, MDM

COMPLIANCE – rules to design mobile security in alignment with compliance to…

Diagram: Goals <- Attacks <- APIs <- Permissions, Kernel protection, Non-app features, MDM features (AV, MDM, DLP, VPN)

Page 36:

[ BLACKBERRY. PERMISSIONS ]

Permission | BB 10 Cascades SDK | BB 10 AIR SDK / PB (NDK/AIR)
Background processing | + | +
BlackBerry Messenger | - | -
Calendar, Contacts | + | via invoke calls
Camera | + | +
Device identifying information | + | +
Email and PIN messages | + | via invoke calls
GPS location | + | +
Internet | + | +
Location | + | -
Microphone | + | +
Narrow swipe up | - | +
Notebooks | + | -
Notifications | + | +
Player | - | +
Phone | + | -
Push | + | -
Shared files | + | +
Text messages | + | -
Volume | - | +

Page 37:

[ iOS. Settings ]

Component / Unit:

Restrictions :: Native applications: Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*

Restrictions :: 3rd-party applications: Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*

Unit subcomponents (*):

Privacy :: Location: per each 3rd-party app; for system services

Privacy :: Private Info: Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook

Accounts: disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends; Volume limit

Content Type Restrictions: ratings per country and region; music and podcasts; movies, books, apps, TV shows; in-app purchases; Require Passwords (in-app purchases); Game Center: multiplayer games, adding friends

Manage applications: installing apps; removing apps

Page 38:

[ Android. Permissions ]

ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY

The list contains ~150 permissions; I have only ever seen that on old BlackBerry devices

Page 39:

ACCOUNTS

AFFECTS_BATTERY

APP_INFO

AUDIO_SETTINGS

BLUETOOTH_NETWORK

BOOKMARKS

CALENDAR

CAMERA

COST_MONEY

DEVELOPMENT_TOOLS

DEVICE_ALARMS

DISPLAY

HARDWARE_CONTROLS

LOCATION

MESSAGES

MICROPHONE

NETWORK

PERSONAL_INFO

PHONE_CALLS

SCREENLOCK

SOCIAL_INFO

STATUS_BAR

STORAGE

SYNC_SETTINGS

SYSTEM_CLOCK

SYSTEM_TOOLS

USER_DICTIONARY

VOICEMAIL

WALLPAPER

WRITE_USER_DICTIONARY

[ Android. Permission Groups ]

But there are only 30 permission groups; I have seen that on old BlackBerry devices too

Page 40:

MDM. Extend your device security capabilities: Android, four groups controlled only

CAMERA AND VIDEO: hide the default camera application

PASSWORD: define password properties (require letters, incl. case; require numbers; require special characters); delete data and applications from the device after incorrect password attempts; device password; enable auto-lock; limit password age; limit password history; restrict password length; minimum length allowed for the device password

ENCRYPTION: apply encryption rules; encrypt internal device storage

EMAIL PROFILES: TouchDown support; Microsoft Exchange synchronization; ActiveSync
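An added worked instance of the set model from page 34, computed over a slice of the Android permissions and permission groups listed on pages 38 through 40. The Python below is not from the slides; the group assignment, the device-side switch set A and the compliance rule set Υ are constructed assumptions, while the permission each listed framework API requires is platform fact. It reports Γ, tests the slide's three assumed relations, classifies each sensitive API into the slide's under-100%, 100% and over-100% cases, and checks the E ⊇ A ∪ B condition in terms of the permissions E demands.

```python
from fractions import Fraction

# Δ: a slice of the Android permissions on the slide, keyed to a permission
# group. The group assignment is constructed for illustration.
OS_PERMISSIONS = {
    "CAMERA": "CAMERA",
    "ACCESS_FINE_LOCATION": "LOCATION", "ACCESS_COARSE_LOCATION": "LOCATION",
    "READ_SMS": "MESSAGES", "SEND_SMS": "MESSAGES",
    "RECORD_AUDIO": "MICROPHONE",
    "READ_CONTACTS": "PERSONAL_INFO", "READ_CALENDAR": "PERSONAL_INFO",
    "READ_PHONE_STATE": "PHONE_CALLS", "CALL_PHONE": "PHONE_CALLS",
    "INTERNET": "NETWORK", "ACCESS_WIFI_STATE": "NETWORK",
    "ACCESS_NETWORK_STATE": "NETWORK",
    "BLUETOOTH": "BLUETOOTH_NETWORK", "BLUETOOTH_ADMIN": "BLUETOOTH_NETWORK",
    "READ_EXTERNAL_STORAGE": "STORAGE", "WRITE_EXTERNAL_STORAGE": "STORAGE",
    "VIBRATE": "HARDWARE_CONTROLS",
}
# B is derived from the groups the Android MDM profile reaches; of the four on
# the slide only "camera" is a permission group (password/encryption/email are not).
MDM_GROUPS = {"CAMERA"}
# A: assumption that the only per-device switch the user has is location.
DEVICE_PERMS = {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}
# Υ: permissions a (constructed) compliance policy insists on controlling.
COMPLIANCE_RULES = {"CAMERA", "ACCESS_FINE_LOCATION", "READ_SMS"}

# H: framework APIs and the permissions each requires (platform fact; the
# selection of APIs is ours).
APIS = {
    "Camera.open": {"CAMERA"},
    "LocationManager.getLastKnownLocation": {"ACCESS_FINE_LOCATION"},
    "SmsManager.sendTextMessage": {"SEND_SMS"},
    "MediaRecorder.start": {"RECORD_AUDIO"},
    "TelephonyManager.getDeviceId": {"READ_PHONE_STATE"},
    "BluetoothAdapter.startDiscovery": {"BLUETOOTH", "BLUETOOTH_ADMIN"},
    "ClipboardManager.getText": set(),        # no permission guards it
    "Vibrator.vibrate": {"VIBRATE"},
    "ConnectivityManager.getActiveNetworkInfo": {"ACCESS_NETWORK_STATE"},
}
# E: the subset that touches sensitive data; Z is the rest.
SENSITIVE_APIS = {
    "Camera.open", "LocationManager.getLastKnownLocation",
    "SmsManager.sendTextMessage", "MediaRecorder.start",
    "TelephonyManager.getDeviceId", "BluetoothAdapter.startDiscovery",
    "ClipboardManager.getText",
}


def mdm_perms(os_perms, mdm_groups):
    """B: OS permissions that fall into an MDM-controlled group."""
    return {p for p, g in os_perms.items() if g in mdm_groups}


def gap(os_perms, device_perms, mdm):
    """Γ: permissions nobody controls, i.e. Δ minus (A ∪ B)."""
    return set(os_perms) - device_perms - mdm


def check_assumptions(A, B, U):
    """The slide's assumed relations; each may fail on a real platform."""
    return {"A_subset_B": A < B, "U_subseteq_B": U <= B, "U_subset_A": U < A}


def classify(apis, sensitive):
    """Permissions per sensitive API: the slide's <100% (none guards it),
    =100% (exactly one) and >100% (more than one) cases."""
    return {a: ("none" if not apis[a] else "one" if len(apis[a]) == 1 else "many")
            for a in sensitive}


def controllability(apis, sensitive, controlled):
    """Share of sensitive APIs whose every required permission is under
    device or MDM control; an API guarded by no permission cannot be."""
    reachable = [a for a in sensitive if apis[a] and apis[a] <= controlled]
    return Fraction(len(reachable), len(sensitive))


def sensitive_perms(apis, sensitive):
    """Permissions demanded by E, used to test the slide's E ⊇ A ∪ B."""
    return set().union(*(apis[a] for a in sensitive))


if __name__ == "__main__":
    B = mdm_perms(OS_PERMISSIONS, MDM_GROUPS)
    G = gap(OS_PERMISSIONS, DEVICE_PERMS, B)
    print("B =", sorted(B))
    print("Γ holds", len(G), "of", len(OS_PERMISSIONS), "permissions")
    print(check_assumptions(DEVICE_PERMS, B, COMPLIANCE_RULES))
    print(classify(APIS, SENSITIVE_APIS))
    print("controllable sensitive APIs:", controllability(APIS, SENSITIVE_APIS, DEVICE_PERMS | B))
    print("E covers A ∪ B:", (DEVICE_PERMS | B) <= sensitive_perms(APIS, SENSITIVE_APIS))
```

On this instance all three assumed relations fail and only two of seven sensitive APIs are controllable, which is the "improper granularity" case on the slide: the MDM profile reaches a group rather than the permissions the APIs actually demand, and one sensitive API is guarded by no permission at all.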

Page 41:

MDM. Extend your device security capabilities: iOS, 16 groups controlled only

BROWSER: default app; autofill, cookies, JavaScript, popups

CAMERA, VIDEO, VIDEO CONF: output, screen capture, default app

CERTIFICATES (untrusted certs)

CLOUD SERVICES: backup / document / picture / sharing

CONNECTIVITY: network, wireless, roaming; data, voice when roaming

CONTENT: content (incl. explicit); rating for apps / movies / TV shows / regions

DIAGNOSTICS AND USAGE (submission logs)

MESSAGING (default app)

ONLINE STORE: online stores, purchases, password; default store / book / music app

PASSWORD (the same as with Android and new BlackBerry devices)

PHONE AND MESSAGING (voice dialing)

PROFILE & CERTs (interactive installation)

SOCIAL (default app): social apps / gaming / adding friends / multi-player; default social-gaming / social-video apps

STORAGE AND BACKUP: device backup and encryption

VOICE ASSISTANT (default app)

Page 42:

MDM. Extend your device security capabilities: BlackBerry (new, 10, QNX), 7 groups controlled only

GENERAL: mobile hotspot and tethering; Plans app, App World; password (the same as with Android, iOS)

BES MANAGEMENT (smartphones, tablets)

SOFTWARE: open work email message links in the personal browser; transfer through the work perimeter to the same/another device; BBM Video access to the work network; video chat app uses the organization's Wi-Fi/VPN network

SECURITY: wipe work space without network, restrict developer mode; voice control & dictation in work & user apps; backup and restore (work) & desktop software; PC access to work & personal space (USB, BT); personal space data encryption; network access control for work apps; personal apps' access to work contacts; share work data during BBM Video screen sharing; work domains, work network usage for personal apps

EMAIL PROFILES: certificates & ciphers & S/MIME; hash & encryption algorithms and key parameters; task/memo/calendar/contact/days sync

WI-FI PROFILES: access point, default gateway, DHCP, IPv6, SSID, IP address; proxy password/port/server/subnet mask

VPN PROFILES: proxy, SCEP, auth profile params; tokens, IKE, IPsec, other params; proxy ports, username, other params

Page 43:

MDM. Extend your device security capabilities: BlackBerry (old), a huge amount of permissions, MDM and device built-in

55 groups are controlled in all; each group contains from 10 to 30 units, which are controlled too

Each unit has a lot of flexible parameters instead of a plain 'disable/enable & hide/unhide'

Each event is controlled by a certain permission and may be controlled by similar permissions to be more flexible

Described in 360 pages in all, four times more than the other documents

But: a unit can't control activity under itself

'Create, read, write/save, send, delete' actions on messages lead to spoofing by requesting a 'message' permission only

Some permissions aren't required (to delete any other app)

Some permissions are related to the app in which a 3rd-party plugin was embedded, instead of to that plugin

Page 44:

CONCLUSION

The best security & permissions are those ruled by AWS

Most cases are not clear as to the roles and responsibilities of cloud vendors & customers

Swapping responsibilities and shifting the vendor's job onto the customer's shoulders may happen

Vendors refer to independent audit reports under NDA as many times as they can

CSA put cross-references to other standards that add complexity & lack of clarity, more than NIST SP 800-53

Select security controls: check scope (CSA) -> define granularity -> apply CSA as common -> remap to NIST -> improve basic CSA with NIST enhancements -> combine custom sets