Silver Lining in Dark Clouds

SILVER LINING IN DARK CLOUDS
Mano ‘dash4rk’ Paul
SecuRisk Solutions
mano(dot)paul(at)securisksolutions(dot)com
© 2007-2011 - SecuRisk Solutions
Who am I? – The ABC’s
• Author
• Official (ISC)2 Guide to the CSSLP
• Information Security Management Handbook
• Advisor – Software Assurance, (ISC)2
• Biologist – Shark Researcher
• Christian – Hidden Treasures
• CEO – SecuRisk Solutions & Express Certifications
…
• VP – Capitol of Texas ISSA chapter
Awards and Recognition
2010 (ISC)2 President’s Award
2011 Americas Information Security Leadership Award (Practitioner)
What are we here to talk about?
“There's a silver lining to every cloud that sails about the heavens if we could only see it.”
The Dublin Magazine, Volume 1, 1840
In review of Marian: or, a Young Maid's Fortunes
Security in Cloud Computing
• Security in the Skies with Dark Clouds and Silver Lining
CLOUD 3-4-5
3 – IaaS, PaaS, SaaS
4 – Private, Community, Public, Hybrid
5 – On-Demand Self Service, Broad Network Access, Measured Service, Rapid Elasticity, Resource Pooling
IT delivered as a Standardized Service
Opportunity or Crisis?
DARK CLOUDS
Security Threats to Cloud Computing
Top App Sec Threats to Cloud Computing
Data Security / Loss / Leakage / Remanence
Access Controls / Account or Service Hijacking
Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
Abuse or Nefarious Use / Shared Technology Issues
Cyber Forensics / Unknown Risk Profile / Malicious Insiders
Sources: (ISC)2 Global Information Security Workforce Study; CSA Top Threats to Cloud Computing v1.0
SILVER LINING
“Hope is a good thing, maybe
the best of things, and no good
thing ever dies.”
The Shawshank Redemption
Dark Clouds / Silver Lining
Data Security / Loss / Leakage / Remanence
Controls
• Cryptography Protection (Encryption/Hashing)
• Data Classification
• Cryptography Agility
• Secure Data Disposal (Overwriting*)
• DLP technologies
Dark Clouds / Silver Lining
Access Controls / Account or Service Hijacking
• Access Control Lists (ACLs) / RBAC
• Chinese Wall
• Session Management
Dark Clouds / Silver Lining
Susceptibility to Cyber Attacks / Insecure Interfaces or APIs
• Understand dependency chain of APIs
• Deprecate Insecure APIs
• Perform ROI exercise for proprietary APIs
Image Source: CloudAve
Dark Clouds / Silver Lining
Abuse or Nefarious Use / Shared Technology Issues
• Strong Authentication
• SSO (Weakest Link)
• Secure Communications
• Hardening
• Sandboxing
Image Source: apigee.com
Dark Clouds / Silver Lining
Cyber Forensics / Malicious Insiders / Unknown Risk Profile
• Auditing / Logging
• Trust but verify
• Identity Management
Some closing thoughts
References
• Security in the Skies – (ISC)2 Whitepaper
• (ISC)2 Global Information Security Workforce Study
• CSA Top threats to Cloud Computing v1.0
THANK YOU
Mano ‘dash4rk’ Paul
SecuRisk Solutions
mano(dot)paul(at)securisksolutions(dot)com