Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months.  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

In terms of organisation and content this one falls somewhere between the Service Technology Symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content was also pretty good; a few too many vendor product-focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts.  I am getting these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow-up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

– What do you do if you have a security incident in a faraway country?  Your law enforcement / government has no jurisdiction.  eBay has directly indicted over 3000 people globally due to its security / incident response and investigation teams.

– Have to create capabilities to share vital information globally

– Computation is changing

  • Exponential data growth and big data

– Adversary is professional, global and collaborative

  • We are all fighting alone

– Threat continues to increase

– Business environment is changing

– Change the way you think!

  • Can we make attack data anonymous enough that it can be shared in a meaningful way to help others and improve overall understanding and security?

– Look at things like CloudCERT

Computing is changing:

– Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc.

– Driven by cost savings and the need to be competitive in a global marketplace

– Virtualisation – Mobile – BYOD (explosion of devices)

– Increasing reliance on the browser

  • Secure browser ‘App’ vs. URL (apps vs. things like HTML5)
  • Do we start building apps / browsers dedicated to specific critical / risky tasks such as banking, or online shopping with card details?  This would stop XSS.

Exponential data growth – Big data

– In 2010 humanity’s data passed 1 zettabyte (a 1 with 21 zeros after it).

– Estimated volume in 2015 – 7.9ZB

– Number of servers expected to grow by 10x over the next 10 years.

Threat escalation:

  • Malware: 26M in 2011 – 2.166M/month – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legacy apps you use be around?

– Mobile

  • First attacks on the O/S
  • First mobile drive-by downloads
  • Malicious programs in app stores
  • First mass Android worm

– Attacks built in the cloud are invisible and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this?  To prevent attacks CSPs would need some visibility of what you are doing.  Would you want this?

Business Environment Changes

– Drive to innovate

  • Scrums and agile initiatives change the way we work
  • Security needs to work in a more agile way

– Rapid delivery of features and functions

  • Build securely – not build and then test

– Impact of intense, global competition

– SMBs are the foundation of US recovery but need help

– Blurring of home/personal and work

Six Irrefutable Laws of Information Security:

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for cloud security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear.

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get.  This again highlights the point that you will be hacked.

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

– Global perspective

  • Not national
  • Not government

– Global information sharing

  • Sources
  • Solutions

– Intelligence-based security

  • Strategy and budget

– We MUST eliminate the obstacles!

Global Information Sharing

– We have been trying for decades

– How do we establish trust?

  • Methods to make data anonymous
  • Attack data sharing

– Who shares?

  • Needs of SMBs

– Role of governments (pass treaties around data sharing and cross-boundary working)

– Benefits go far beyond incident response

Incident response in the Cloud:

– Where is your data?  (Does it ever get moved due to problems, bursting within the CSP’s infrastructure etc.?  Need very clear contracts.)

– Consider the model you use – IaaS / PaaS / SaaS – and what this means

– Network control

– Log correlation and analysis – where are these, who owns them, who can access them?

– Roles and responsibilities

– Access to event data, images etc.  When will you find out about issues and breaches?

– Application functioning in the cloud – consider the impacts of applications running in shared and / or very horizontally scalable environments.

– Virtualisation benefits and issues

– Capabilities and limitations of your provider

Get Involved!

– CSA and CloudCERT

  • Role critical
  • Participation
  • Partnerships

– Government initiatives

  • US
  • EU

– Private initiatives

Breaches can impact all of us; finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) on security, which covers various areas including understanding the world and providing a reasonable level of protection (inc. BYOD, the need to be agile etc.)

Summary:

– Remove obstacles

– Build subject matter expertise

– Global sharing is critical to success

  • Who will attack you, using what methods, in 2013?
  • Where should you spend your time / money?
  • Intelligence-based security

– Security sophistication must keep pace with attack sophistication!

K

An Awarding Week!

I had planned a wrap-up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week.  A combination of some University coursework due Monday and some great news has meant little time for writing (well, non-university writing anyway).  There will still be a wrap-up for the RSA, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40,000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself I thought I would include the emails I was sent confirming the award, as they probably cover it better than I could:

The first was from Luciano (J.R.) Santos, the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was an information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.  Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.

We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

Best Regards,

Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director –

Thank you all for your efforts.  To narrow this list down to 6 globally was a major chore and you should be proud. Volunteerism for the common good is among the highest callings in our industry, and the CSA family appreciates your outstanding contributions.  Please let us know if there is anything that CSA can do for you.  As we continue to grow, we look forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award; it really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

For those of you going to the CSA congress I look forward to seeing / meeting you in a couple of weeks; for everyone else, watch this space for the RSA conference wrap-up and further writings on security and architecture.

K