Hogan Kusnadi - Cloud Computing Security
TRANSCRIPT
Seminar Honeynet Indonesia 2013
Cloud Computing Security
By Hogan Kusnadi
CISSP-ISSAP, SSCP, CISA, CISM
18 June 2013
NIST
National Institute of Standards and Technology
This cloud model promotes availability and is composed of five essential characteristics:
– on-demand self-service
– broad network access
– resource pooling
– rapid elasticity
– measured service
Cloud Computing
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Storage as a service (SaaS)
• Communications as a service (CaaS)
• Network as a service (NaaS)
• Monitoring as a service (MaaS)
• Etc
XaaS (anything as a service)
• Anything/Everything as a service (XaaS)
– The acronym refers to an increasing number of services that are delivered over the Internet rather than provided locally or on-site.
• XaaS is the essence of cloud computing
Benefit vs Risk of ICT
Benefit:
– Multi Function
– Flexible
– Easy to use
– Lower Cost
ICT generations:
– Database Application
– Web Application
– Client Server
– Network Integration
– Cloud Computing
Risk:
– Identity Theft
– Information Theft
– Industrial Espionage
– Country Espionage
– Denial of Service (DDoS)
– Data / Information Sovereignty
– Sabotage, Cyber Weapon, Cyber War
Security objectives at risk: Confidentiality, Integrity, Availability
Website Deface Attack Statistic (source: www.zone-h.org, 18 April 2012)
The Notorious Nine: Cloud Computing Top Threats in 2013
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification
• User Certification
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA Fast Facts
• Founded in 2009
• 42,000 individual members, 66 chapters globally
• 200 corporate and affiliate members
– Major cloud providers, tech companies, infosec leaders, DoD, Coca-Cola, Bank of America and much more
• Regional hubs in Seattle USA, Singapore, Heraklion Greece
• Over 30 research projects in 25 working groups
• Strategic partnerships with governments, research institutions, professional associations and industry
Growing to serve the Industry
• 2009
– CSA launch at RSA 2009 with Security Guidance for Critical Areas of Focus in Cloud Computing
– 6,000 members
• 2010
– Launch Certificate of Cloud Security Knowledge (CCSK)
– 15,000 members
• 2011
– Launch CSA Security, Trust and Assurance Registry (STAR)
– 27,000 members
• 2012
– Launch CSA Mobile and Big Data research to address emerging needs
– 42,000 members
[Chart: Membership Growth by region (North America, EMEA, APAC), scale 0 to 50,000]
www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance
Research Portfolio
Our research includes fundamental projects needed to define and implement trust within the future of information technology.
CSA continues to be aggressive in producing critical research, education and tools.
Sponsorship opportunities.
Selected research projects in following slides.
Security as a Service
• Security as a Service
– Research for gaining greater understanding for how to deliver security solutions via cloud models.
• Information Security Industry Re-invented
• Identify Ten Categories within SecaaS
• Implementation Guidance for each SecaaS Category
• Align with international standards and other CSA research
• Industry Impact
– Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
GRC Stack
Family of 4 research projects:
– Cloud Controls Matrix (CCM)
– Consensus Assessments Initiative (CAI)
– Cloud Audit
– Cloud Trust Protocol (CTP)
Impact to the Industry:
– Developed tools for governance, risk and compliance management in the cloud
– Technical pilots
– Provider certification through STAR program
[Diagram: Control Requirements and Provider Assertions across Private, Community & Public Clouds]
Smart Mobile
• Mobile
– Securing application stores and other public entities deploying software to mobile devices
– Analysis of mobile security capabilities and features of key mobile operating systems
– Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
– Guidelines for the mobile device security framework and mobile cloud architectures
– Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
– Best practices for secure mobile application development
CCSK – User Certification
Certificate of Cloud Security Knowledge (CCSK)
Benchmark of cloud security competency
Online web-based examination
www.cloudsecurityalliance.org/certifyme
Training partnerships
Developing new curriculum for audit, software development and architecture
CSA Conference
• Only multi-track, multi-day conference focused on cloud security
• Key venue for new research
• Primarily attended by enterprise end users
• 2013 CSA Congress Plans
– CSA Congress APAC, Singapore, May 15-16
– CSA Congress EMEA, Europe, September
– CSA Congress US, Orlando, November
CSA APAC
• Incorporated and based in Singapore
• Planned establishment of corporate HQ in Singapore
• Supported by key Singaporean ministries, led by Infocomm Development Authority
• Trend Micro as founding corporate office sponsor
• IDA support for research and standards functions
• Also private/public partnerships with gov’ts of Thailand and Hong Kong
• CSA chapters throughout APAC
International Standardization Council
• Engage international standards bodies on behalf of CSA
• Propose key CSA research for standardization
• Liaison relationship with ITU-T
• Category A liaison with ISO/IEC SC27 & SC38
• Tracking key SDOs for 2013
– DMTF
– IEEE
– IETF
– CCSA
– RAISE