Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months..  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

It terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content we also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts.  In order to get these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

–          What do you do if you have a security incident in a faraway country?  Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.

–          Have to create capabilities to share vital information globally

–          Computation is changing

  • Exponential data growth and big data

–          Adversary is professional, Global and Collaborative

  • We are all fighting alone

–          Threat continues to increase

–          Business environment is changing

–          Change the way you think!

  • Can we make attack data anonymous enough that is can be shared in a meaningful way to help others and improve overall understanding and security

–           Look at things like CloudCert

Computing is changing;

–          Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc..

–          Driven by cost savings and need to be competitive in a global marketplace

–          Virtualisation – Mobile – BYOD (explosion of devices)

–          Increasing reliance on Browser

  • Secure Browser ‘App’ vs. URL  (Apps vs. things like HTML5)
  • Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc.  This would stop XSS.

Exponential data growth – Big data

–          In 2010 humanities data passed 1 zettabyte – (1 with 21 zeros after it).

–          Estimated volume in 2015 – 7.9ZB

–          Number of servers expected to grow by 10* over the next 10 years.

Threat escalation;

  • Malware 26M in 2011 – 2.166M/mo. – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legay apps you use be around?

–          Mobile

  • First attacks on O/S
  • First mobile drive by downloads
  • Malicious programs in App stores
  • First mass Android worm

–          Attacks built in the Cloud are invisible, and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing..  Would you want this?

Business Environment Changes

–          Drive to innovate

  • Scrums, agile computing initiatives change the way we work
  • Security needs to work in a more agile way

–          Rapid delivery of features and functions

  • Build securely – not build and test

–          Impact of Intense, Global competition

–          SMBs are the foundation of US recovery but need help

–          Blurring of home/personal and work

Six Irrefutable Laws of information Security;

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get..  Again highlights the point that you will be hacked..

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

–          Global perspective

  • Not National
  • Not Government

–          Global Information Sharing

  • Sources
  • Solutions

–          Intelligence based security

  • Strategy and Budget

–          We MUST eliminate the obstacles!

Global Information Sharing

–          We have been trying for decades

–          How do we establish trust

  • Methods to make data anonymous
  • Attack data sharing

–          Who shares?

  • Needs of SMBs

–          Role of Governments (pass treaties around data sharing and cross boundary working)

–          Benefits go far beyond incident response

Incident response in the Cloud;

–          Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

–          Consider model you use – IaaS / PaaS / SaaS and what this means

–          Network control

–          Log correlation and analysis – where are these, who owns them, who can access them..

–          Roles and responsibilities

–          Access to event data, images etc.  When will you find out about issues and breaches?

–          Application functioning in the cloud – consider impacts of applications running is shared and / or very horizontally scalable environments.

–          Virtualisation benefits and issues

–          Capabilities and limitations of your provider

Get Involved!

–          CSA and Cloud CERT

  • Role critical
  • Participation
  • Partnerships

–          Government initiatives

  • US
  • EU

–          Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including –  understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)

Summary;

–          Remove Obstacles

–          Build subject matter expertise

–          Global sharing is critical to success

  • Who will attack you, using what methods in 2013?
  • Where should you spend your time / money?
  • Intelligence based security

–          Security sophistication must keep pace with attack sophistication!

K