Into the Cloud & Other Horror Stories
Michael F. Angelo - CISSP, CRISC
About Me…
• Doing formalized Threat Modeling: over 15 years, thousands of models
• Doing Threat and Security Analysis: over 30 years
• Doing security in some way, shape and form: forever
Agenda
• How we got here
• Threats and models
• Short Term Solutions
• The World is Changing
How we got here
Need to optimize expenditures (reduce cost while increasing performance of technology).
Enter the Cloud
• 90% of organizations are using a cloud service
• Cloud services include Office 365 or G Suite
• AWS, Google Cloud and Azure
More Cloud Stats (breaches)
• Yahoo – 1 billion accounts
• Equifax – 143 million
• LinkedIn – 167 million accounts
• Dropbox – 68 million accounts
• Home Depot – 56 million credit cards
• Verizon – 14 million customer records
• Accenture, Time Warner Cable, Uber
Threats Cloud Stats (EU Breaches)
• Greenwich University
• Cambridge Analytica
• APT15 targets UK military contractor
• Uber users compromised
• Equifax – 694 UK (14 million names / dates of birth, UK)
• Cash Converters
• London Bridge Plastic Surgery clinic
• Deloitte
• CEX/WeBuy
• Wongo
Oopsss…
Security Cycle (diagram): New Tech → Feature → Bug Fix → Perf → Bug Fix → Perf → Bug Fix → Threat → …
Threats and Models - Technology / Usage
Threat Cycle (diagram): Threat → mitigation → New threat → new mitigation → … ; each Usage Change restarts the loop: Threat → Mitigation → New threat → New mitigation → Usage change → …
Threats to Cloud - CSA Top 12
1. Data Breaches
2. Insufficient Identity, Credential and Access Management
3. Insecure Interfaces and APIs
4. System Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Vulnerabilities
https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
https://www.csoonline.com/article/3043030/security/12-top-cloud-security-threats-for-2018.html
TM - Storage as a Service
• Users put files on Cloud Service
• Administrators, operators, and hackers could access files
• Solution: Encrypt files before upload
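The mitigation above is client-side encryption: the key never leaves the user's environment, so the provider's administrators, operators and anyone who compromises the service see only sealed blobs. The following is an added example written for this page (not code from the talk or from any cloud provider) showing what "encrypt before upload" has to cover to actually close the threat. It uses AES-256-GCM from the Go standard library and binds each blob to its object name as associated data, so a provider-side operator who modifies a stored object or serves one object in place of another is caught on download. The object names, the sample file contents and the in-memory `fakeCloudStore` are constructed for the demo; where the key comes from (a KMS/HSM, or a password-derived key) is left to the client and is the part that decides whether the mitigation holds.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptForUpload seals plaintext with AES-256-GCM and binds it to objectName
// as associated data, so a blob cannot be silently swapped for another object.
// Output layout: nonce || ciphertext || 16-byte GCM tag. Only this goes to the cloud.
func EncryptForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptAfterDownload opens a blob fetched from the provider. Any change made
// by an administrator, operator or attacker at the provider fails the GCM
// authentication check and is reported as an error instead of bad data.
func DecryptAfterDownload(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// newGCM builds the AEAD; the key is held by the client only (assumption: it is
// supplied by a KMS or derived from a user secret, never stored with the data).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// fakeCloudStore stands in for the storage service. Whoever administers it can
// read and rewrite every stored value, which is exactly the threat being modelled.
type fakeCloudStore map[string][]byte

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := fakeCloudStore{}
	secret := []byte("constructed sample: Q3 forecast, not yet public") // constructed file contents
	name := "finance/q3-forecast.docx"                                  // constructed object name

	blob, err := EncryptForUpload(key, secret, name)
	if err != nil {
		panic(err)
	}
	store[name] = blob
	fmt.Println("provider can see plaintext:", bytes.Contains(store[name], secret))

	// Honest download by the owner.
	pt, err := DecryptAfterDownload(key, store[name], name)
	fmt.Println("owner recovers file:", err == nil && bytes.Equal(pt, secret))

	// A malicious operator flips one byte of the stored object.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptAfterDownload(key, tampered, name)
	fmt.Println("tampering detected:", err != nil)

	// The operator serves this blob under a different object name (swap attack).
	_, err = DecryptAfterDownload(key, blob, "finance/q3-forecast-OLD.docx")
	fmt.Println("object swap detected:", err != nil)
}
```

Note what this does and does not buy: confidentiality and integrity of each object against the provider, but not availability (the provider can still delete or withhold blobs), and not protection against a lost key, which makes the data unrecoverable. Metadata such as object names and sizes is still visible to the provider unless it is padded or encrypted separately.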
TM: Company just moved to cloud
• Where is my cloud?
• Can my cloud migrate?
• Where can it migrate?
• Who has access to my cloud?
TM: Company in the Cloud
TM: Software as a Service
• Software downloaded to your environment (diagram: Request Software → Software)
• Software started up
• Send Data (diagram: Send Data → Visualize)
TM: Truisms
• After 12 years, 95% of all cloud issues can be taken care of with basics (see CSA guidelines)
• Don’t forget basic configuration!!
• Each cloud implementation has its own risks
• Risks must be weighed vs potential harm to company
Short Term
• When looking at the Cloud, ask questions
• What do you mean by the Cloud?
• How do we set it up?
• What type of cloud?
• How is it partitioned / Am I sharing the cloud?
• Where is my [cloud, data, processing] located?
• Where can it [cloud, data, processing] migrate?
• Who is responsible for protecting it and how?
• Who is in control?
• What are the risks?
• Customer Data / Proprietary Information
The World is Changing - Cloud IoT
• What could go wrong?
The World is Changing
• Would you put data in the cloud?
• GDPR: requires you to protect Employee & Customer PII
• Cloud Act (US): requires US entities to hand over data on government order
Getting there from here… (diagram: here → There)
The Last Slide
• Remember
• Security trumps privacy
• Better, faster, cheaper trumps security. Until someone gets caught
• Security incidents are not free
• Don’t be afraid to ask: What can go wrong and how can it be mitigated?
• Finally, if you can’t mitigate it, think twice about doing it
I Lied..
Thank You
Michael F. Angelo
[email protected], [email protected], @mfa0007
For more background, search for "Michael F. Angelo" AND Security