CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing
The Trustworthy Computing Initiative had its 10-year anniversary in 2012. It encompasses four pillars: Security, Privacy, Reliability and Business Practices.
Managing risk at all layers;
– If I move to a CSP that has the same level of security as me, and I am saving money, then I am being efficient
– If I move to a CSP that has better security than me, then I am mitigating risk
Help adopters understand why!
– Adoption rests on clear and simple ROI
Microsoft ‘Cloud Security Readiness Tool’
Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.
This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.
The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate that industry, and from there to the specific regulations and controls you will need to meet.
Considerations to aid adoption;
– Consult guidance from organisations such as the CSA
– Require that the provider has obtained third-party certifications and audits such as ISO/IEC 27001:2005
– Ensure clear understanding of security and compliance roles and responsibilities for delivered services
– Know the value of your data and the security and compliance obligations you need to meet
– Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.
This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.
Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro
How might organisations learn from elite hackers?
– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)
– A new piece of malware is created every second
– Trend Micro evaluations find over 90% of enterprise networks contain active malware!
Targeted attacks are becoming increasingly common. Attackers take time to gain intelligence about you and your networks.
Offence Informs Defence: The Kill Chain;
5. Command and Control
Advanced Malware examples include;
– IXESHE – the attackers behind this advanced malware use compromised hosts inside organisations' networks to control other systems.
– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)
We need to conduct more tests and assessments of our environments using the same tooling the attackers use: Zeus, the BlackHole exploit kit, Metasploit, SpyEye etc.
Tactical trends in Hacking;
– Professionalism and Commoditisation of Exploit Kits
– Man in the Browser attacks becoming more common
– Android framework for exploitation (BYOD = BYOM, Bring Your Own Malware)
– Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)
– Mobile malware proliferation
– Application attacks
– Botnets migrating from IRC to HTTP
– Attacks against Macs
Cloud security issues / considerations;
– Server and VM integrity (virtualisation attacks, inter-VM attacks, "instant-on" gaps where a VM resumed from a snapshot is missing patches and signature updates)
– Network and Intrusion management and monitoring in a cloud / virtual environment
Custom attacks need intelligent and custom defences. We must recognise that APTs are persistent by definition and part of ongoing campaigns, not one-off incidents.
Risk management in 2012;
– Has the cyber security posture of all third parties been audited?
– Is access to all sensitive systems governed by 2-factor authentication?
– Does a log inspection programme exist? How frequently are the logs reviewed?
– Does file integrity monitoring exist?
– Can vulnerabilities be virtually patched?
– Is MDM (mobile device management) software utilised?
– Do you utilise DLP?
– Can you migrate your layered security into the cloud environment?
– Do you maintain multi-level, rule-based event correlation?
– Do you have access to global intelligence and information sharing?
There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them. The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.
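Two of the checklist items above, "does a log inspection programme exist?" and "do you maintain multi-level, rule-based event correlation?", are easier to reason about with a concrete instance in front of you. The following is an added example, not code from the talk or from Trend Micro: a small two-level correlator run over constructed syslog-style lines. Level 1 rules turn raw events into alerts (a burst of failed logins from one source, then a successful login from that same source); a level 2 rule combines a level 1 alert with an unrelated event class (a file-integrity change) to raise a higher-severity finding. The log format, thresholds and windows are assumptions chosen for the example.

```python
"""Two-level, rule-based event correlation over constructed log lines (added example)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind src user detail")

# Constructed sample lines in an assumed syslog-like format; not real data.
SAMPLE_LOGS = """\
2012-11-07T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000
2012-11-07T09:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 51002
2012-11-07T09:00:06 sshd[1203]: Failed password for admin from 203.0.113.7 port 51004
2012-11-07T09:00:20 sshd[1204]: Accepted password for admin from 203.0.113.7 port 51009
2012-11-07T09:03:05 fim: /etc/passwd modified
2012-11-07T09:10:00 sshd[1300]: Failed password for bob from 198.51.100.4 port 40000
2012-11-07T09:10:30 sshd[1301]: Accepted password for bob from 198.51.100.4 port 40001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FIM_RE = re.compile(r"^(?P<path>\S+) modified")


def parse_line(line):
    """Normalise one raw line into an Event, or None if no rule cares about it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, prog, msg = datetime.fromisoformat(m.group("ts")), m.group("prog"), m.group("msg")
    if prog == "sshd":
        a = AUTH_RE.match(msg)
        if a:
            kind = "auth_fail" if a.group("result") == "Failed" else "auth_ok"
            return Event(ts, kind, a.group("src"), a.group("user"), "")
    elif prog == "fim":
        f = FIM_RE.match(msg)
        if f:
            return Event(ts, "file_modified", None, None, f.group("path"))
    return None


def level1_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Level 1, rule A: `threshold` failed logins from one source inside `window`."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e.kind != "auth_fail":
            continue
        q = by_src[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            alerts.append(Event(e.ts, "bruteforce", e.src, e.user, f"{len(q)} failures"))
            q.clear()                        # fire once per burst, not once per line
    return alerts


def level1_bruteforce_success(events, bruteforce_alerts, window=timedelta(seconds=120)):
    """Level 1, rule B: a successful login from a source that just triggered rule A."""
    alerts = []
    for e in events:
        if e.kind != "auth_ok":
            continue
        if any(b.src == e.src and b.ts <= e.ts <= b.ts + window for b in bruteforce_alerts):
            alerts.append(Event(e.ts, "bruteforce_success", e.src, e.user, ""))
    return alerts


def level2_compromise(events, success_alerts, window=timedelta(minutes=10)):
    """Level 2: rule B alert followed by a file-integrity change -> probable compromise."""
    alerts = []
    for s in success_alerts:
        touched = [e.detail for e in events
                   if e.kind == "file_modified" and s.ts <= e.ts <= s.ts + window]
        if touched:
            alerts.append(Event(s.ts, "probable_compromise", s.src, s.user, ",".join(touched)))
    return alerts


def correlate(log_text):
    """Run all levels over a block of log text; returns alerts keyed by rule name."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    events.sort(key=lambda e: e.ts)
    bf = level1_bruteforce(events)
    bfs = level1_bruteforce_success(events, bf)
    return {"bruteforce": bf, "bruteforce_success": bfs,
            "probable_compromise": level2_compromise(events, bfs)}


if __name__ == "__main__":
    for rule, alerts in correlate(SAMPLE_LOGS).items():
        for a in alerts:
            print(f"{a.ts.isoformat()} {rule:20} src={a.src} user={a.user} {a.detail}")
```

The point of the second level is that neither input on its own is worth paging anyone for: a password-guessing burst against an Internet-facing host is background noise, and a change to /etc/passwd is routine administration. The same two events within a few minutes of each other, tied to the same source, are the thing a log review should surface. On the sample data bob's single failure and later success raise nothing at any level.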
Aligning Your Cloud Security with the Business: A 12-Step Framework
This talk was actually very light, but I thought I would share the 12 points they covered, as the points around creating business cases and defining value in business rather than IT terms are worthwhile;
Implementing data centric security in the cloud;
Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance
- Define business relevance of each data set being moved to the cloud
- Classify each data set based on business impact – must be business driven, not IT
- Inventory data – both technical discovery and consultation with data owners. DLP was mentioned as one of the best ways to discover and maintain data inventories.
- Destroy (or archive offline) any unnecessary data
- Inventory users – into user roles / role types (can do other things as well like geography)
- Associate data access with business processes, users, roles
- Determine standard control requirements for each data set
- Determine feasible controls for each cloud environment, e.g. you can implement far fewer of your own controls in a SaaS environment than in IaaS, so the provider's controls and your contract carry more of the weight
- For each data set, identify acceptable platform based on the required controls and security level of the data
- Ensure only users that need access to data have access to it, and that this access is at the appropriate level
- Identify and Implement appropriate controls across each cloud environment
- Validate and monitor control effectiveness
So to summarise the presentation;
Start with the business context, not the security controls
Classify based on the business value, not the IT value!