23 November 2013
Seminar on Cryptography and Information Security
Sekolah Tinggi Sandi Negara
Menara 165, JL TB Simatupang Kav 1, Cilandak, Jakarta Selatan
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Managing Cloud Security Risks in your organization
Master of Information Technology
About me
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Researcher – Information Security Research Group and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
I am currently a doctoral student in University of Indonesia
Research Interest
• Malware
• Intrusion Detection
• Vulnerability Analysis
• Digital Forensics
• Cloud Security
Community
• Indonesia Honeynet Project - Chapter Lead
• Academy CSIRT - member
AGENDA
• Cloud Computing
• Cloud Security
• Cloud Risks
• CSA – Cloud Security Alliance
• Case Study – SSH decrypted
• Safe Cloud – is it possible?
• Related Works
• Conclusion
• References
Cloud Computing – NIST Definition
NIST defines 5 essential characteristics, 3 service models, 4 cloud deployment models
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Service Models
IaaS = Infrastructure as a Service
PaaS = Platform as a Service
SaaS = Software as a Service
XaaS = Anything as a Service (not included in NIST)
Cloud Taxonomy
Where are the risks?
Cloud Computing Consideration
Challenges and benefits
public clouds
Extended Virtual Data Center
private clouds
cloud of users
Notional organizational boundary
• Dispersal of applications
• Dispersal of data
• Dispersal of users
• Dispersal of endpoint devices
The Hybrid enterprise
• Compliance + Audit: Good Governance, Risk and Compliance
• Certification + Standards: Industry recognized certification
• Secured Infrastructure: Secured and tested technologies
• Data Security: Data Security Lifecycle
Good Practice is the key
Cloud Computing – Top Threats/Risks
Shared Technologies Vulnerabilities
Data Loss / Leakage
Malicious Insiders
Interception or Hijacking of traffic
Insecure APIs
Nefarious use of service
Unknown Risk Profiles
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Bus. Cont., and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud Architecture
Operating in the Cloud
Governing the Cloud
CSA – Cloud Security Framework
Governing in the Cloud
1. Governance & Risk Mgt
2. Legal and Electronic Discovery
3. Compliance & Audit
4. Information Lifecycle Mgt
5. Portability & Interoperability
Operating in the Cloud
1. Security, Business Continuity and Disaster Recovery
2. Data Center Operations
3. Incident Response
4. Application Security
5. Encryption & Key Mgt
6. Identity & Access Mgt
7. Virtualization
Understand Cloud Architecture
CSA – Cloud Security Framework Domain
How Security Gets Integrated
• Domain 2 Governance and Enterprise Risk Management
• Domain 3 Legal and Electronic Discovery
• Domain 4 Compliance and Audit
• Domain 5 Information Lifecycle Management
• Domain 6 Portability and Interoperability
• Domain 7 Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8 Data Center Operations
• Domain 9 Incident Response, Notification, and Remediation
• Domain 10 Application Security
• Domain 11 Encryption and Key Management
• Domain 12 Identity and Access Management
• Domain 13 Virtualization
CSA – Cloud Assessment Framework
• Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture
• Know provider’s third parties, BCM/DR, financial viability, employee vetting
• Identify data location when possible
• Plan for provider termination & return of assets
• Preserve right to audit where possible
• Reinvest provider cost savings into due diligence
Sample Assessment Governance
• Encrypt data when possible, segregate key mgt from cloud provider
• Adapt secure software development lifecycle
• Understand provider’s patching, provisioning, protection
• Logging, data exfiltration, granular customer segregation
• Hardened VM images
• Assess provider IdM integration, e.g. SAML, OpenID
Sample Assessment Operation
Controls derived from guidance
Rated as applicable to S-P-I
Customer vs Provider role
Mapped to ISO 27001, COBIT, PCI, HIPAA
Help bridge the “cloud gap” for IT & IT auditors
Cloud Control Matrix Tool
Market Perception toward cloud
Security issues of cloud
Bandwidth Availability (Local providers win)
Government support on Cloud
Sources: Frost & Sullivan Analysis 2010
Cloud Adoption - Challenges
Case Study – SSH decrypted (VM)
Based on Brian Hay and Kara Nance paper
Key Motivation:
• Malware encrypted communication with C & C
• Law Enforcement capability to monitor deployed cloud and enterprise VM
Novelty:
• Visibility into cryptographically protected data and communication channels
• No modifications to VM
Case Study – SSH decrypted (VM)
Approach:
• Identification (processes of crypto lib and calls made to the lib)
• Recovery (input to & output from crypto functions)
• Identification (crypto keys)
• Recovery (crypto keys above)
• Recovery of plaintext (using recovered keys)
How to: Minimum described in the paper
Keywords: Xen platform, libvirt, Sebek techniques
Case Study – SSH decrypted (VM)
Sebek Installation & Operation
• http://www.honeynet.org/project/sebek
• http://www.sans.org/reading-room/whitepapers/detection/turning-tables-loadable-kernel-module-rootkits-deployed-honeypot-environment-996
• http://vimeo.com/11912850
Limitation
• Sebek modules can be detected with rootkit detection tools
Safe Cloud – is it possible?
Big Question: Is it possible to have a safe cloud? (https://www.safeswisscloud.ch)
New Development – Cloud Crypto
https://itunes.apple.com/us/app/cloudcapsule/id673662021
Related Works
• Lim et al., “Risk Analysis and Comparative Study of Different Cloud Computing Providers in Indonesia,” ICCCSN 2012
• Amanatullah et al., “Toward Cloud Computing Reference Architecture: Cloud Service Management Perspective,” ICISS 2013
Other Security-related Publications
• Lim et al., “Forensics Analysis of Corporate and Personal Information Remaining on Hard Disk Drives Sold on the Secondhand Market in Indonesia,” Advanced Science Letters, 2014
• Suryajaya et al., “PRODML Performance Evaluation as SOT Data Exchange Standard,” IC3INA 2013
Conclusion
• There is no 100% security
• It is all about managing risks
• It all depends on a single, exploitable vulnerability (the weakest link)
• The cloud's greatest risk is still the insiders
• CSA Risk Assessment helps to bridge the gap between the Cloud model and compliance
• Uncovering crypto keys in the cloud is possible, and important to malware research
References
ENISA – Cloud computing risk assessment (http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment)
Cloud Security Alliance (https://cloudsecurityalliance.org/)
Hay, Brian, and Kara Nance. "Circumventing cryptography in virtualized environments." In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pp. 32-38. IEEE, 2012.
Thank You
Questions