Into the Cloud & Other Horror Stories Michael F. Angelo - CISSP, CRISC

Into the Cloud & Other Horror Stories - CSA Congress · 1. Data Breaches 2. Insufficient Identity, Credential and Access Management 3. Insecure Interfaces and APIs 4. System Vulnerabilities


Page 1

Into the Cloud & Other Horror Stories

Michael F. Angelo - CISSP, CRISC

Page 2

About Me…
• Doing formalized Threat Modeling
  • over 15 years
  • thousands of models
• Doing Threat and Security Analysis
  • over 30 years
• Doing security in some way, shape and form
  • forever

Page 3

Agenda
• How we got here
• Threats and models
• Short Term Solutions
• The World is Changing

Page 4

How we got here

Need to optimize expenditures (reduce cost while increasing performance of technology).

Page 5

Enter the Cloud
• 90% of organizations are using a cloud service
• Cloud services include Office 365 or G Suite
• AWS, Google Cloud and Azure

Page 6

More Cloud Stats
• Yahoo – 1 billion
• Equifax – 143 million
• LinkedIn – 167 million accounts
• Dropbox – 68 million accounts
• Home Depot – 56 million credit cards
• Verizon – 14 million customer records
• Accenture, Time Warner Cable, Uber

Page 7

Threats: Cloud Stats (EU Breaches)
• Greenwich University
• Cambridge Analytica
• APT15 targets UK military contractor
• Uber users compromised
• Equifax – 694 UK (14 million names / dates of birth, UK)
• Cash Converters
• London Bridge Plastic Surgery clinic
• Deloitte
• CEX/WeBuy
• Wonga

Page 8

Oopsss…

Page 9

Threats and Models - Technology / Usage

(Security Cycle diagram; labels: New Tech, Feature, Bug Fix, Perf, Threat)

Page 10

Threat Cycle

(diagram; labels: Threat, Mitigation, New threat, New mitigation, repeated over three rounds, with Usage Change between the rounds)

Page 11

Threats to Cloud - CSA Top 12
1. Data Breaches
2. Insufficient Identity, Credential and Access Management
3. Insecure Interfaces and APIs
4. System Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Vulnerabilities

https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
https://www.csoonline.com/article/3043030/security/12-top-cloud-security-threats-for-2018.html

Page 12

TM: Storage as a Service
• Users put files on Cloud Service
• Administrators, operators, and hackers could access files
• Solution: Encrypt files before upload
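The "encrypt before upload" mitigation on this slide, shown as an added example that is not part of the presentation: a Go program that seals a file with AES-256-GCM under a key the tenant keeps outside the storage provider, so a provider administrator, operator or intruder who reads the stored object sees only ciphertext. The blob layout (nonce, ciphertext, tag), the use of the object name as associated data, and the function names, object name and sample content are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Added example, not from the presentation. Blob layout (an assumption of this example):
//   nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte authentication tag
// The key never leaves the tenant; only the blob is handed to the storage provider.

// SealFile encrypts plaintext under key before it is uploaded. objectName is bound as
// associated data, so a blob copied or renamed to another key in the bucket will not
// open under that other name. Returns nonce||ciphertext||tag.
func SealFile(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst; passing nonce as dst yields nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenFile is the download side: it rejects truncated blobs, wrong keys, wrong object
// names and any modified byte, because GCM authenticates before releasing plaintext.
func OpenFile(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:ns], blob[ns:]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// newGCM builds the AEAD and enforces a 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey draws a fresh 256-bit key; in practice it would come from the tenant's own KMS/HSM,
// never from (or stored alongside) the cloud object it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file content and object name.
	plaintext := []byte("Q3 revenue forecast: CONFIDENTIAL")
	name := "finance/q3-forecast.txt"

	blob, err := SealFile(key, plaintext, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded blob (%d bytes), first 16 bytes: %s\n", len(blob), hex.EncodeToString(blob[:16]))

	// What the provider's admin or an intruder can do with the stored object: nothing
	// useful without the key.
	if _, err := OpenFile(make([]byte, 32), blob, name); err != nil {
		fmt.Println("open with wrong key:", err)
	}
	// Moving the object to another name in the bucket also fails, as the name is authenticated.
	if _, err := OpenFile(key, blob, "finance/old.txt"); err != nil {
		fmt.Println("open under other name:", err)
	}
	got, err := OpenFile(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("tenant with key reads:", string(got))
}
```

The point of doing this client-side is that the provider's administrators and operators (and anyone who obtains the stored objects) never hold the key; the residual risks are then key management and the metadata the provider still sees (object names, sizes, access times).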

Page 13

TM: Company Just Moved to the Cloud
• Where is my cloud?
• Can my cloud migrate?
• Where can it migrate?
• Who has access to my cloud?

Page 14

TM: Company in the Cloud

Page 15

TM: Software as a Service
• Software downloaded to your environment.

(diagram labels: Request Software, Software)

Page 16

TM: Software as a Service
• Software started up
• Send Data

(diagram labels: Send Data, Visualize)

Page 17

TM: Truisms
• After 12 years, 95% of all cloud issues can be taken care of with basics (see CSA guidelines)
• Don’t forget basic configuration!!
• Each cloud implementation has its own risks
• Risks must be weighed vs potential harm to company

Page 18

Short Term
• When looking at the Cloud, ask questions
  • What do you mean by the Cloud?
  • How do we set it up?
  • What type of cloud?
  • How is it partitioned? Am I sharing the cloud?
  • Where is my [cloud, data, processing] located?
  • Where can it [cloud, data, processing] migrate?
  • Who is responsible for protecting it, and how?
  • Who is in control?
• What are the risks?
  • Customer Data / Proprietary Information

Page 19

The World is Changing - Cloud IoT
• What could go wrong?

Page 20

The World is Changing
• Would you put data in the cloud?
• GDPR
  • Requires you to protect Employee & Customer PII
• Cloud Act (US)
  • Requires US entities to hand over data on government order

Page 21

Getting there from here…

(diagram labels: There, here)

Page 22

The Last Slide
• Remember
  • Security trumps privacy
  • Better, faster, cheaper trumps security. Until someone gets caught
  • Security incidents are not free
• Don’t be afraid to ask:
  • What can go wrong and how can it be mitigated
• Finally,
  • If you can’t mitigate it, think twice about doing it

Page 23

I Lied..

Page 24

Thank You
Michael F. Angelo

[email protected], [email protected], @mfa0007

For more background, search for "Michael F. Angelo" AND Security