Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so I will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months.  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

In terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content was also pretty good, with a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts.  I am getting these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

–          What do you do if you have a security incident in a faraway country?  Your law enforcement / government has no jurisdiction.  eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.

–          Have to create capabilities to share vital information globally

–          Computation is changing

  • Exponential data growth and big data

–          Adversary is professional, Global and Collaborative

  • We are all fighting alone

–          Threat continues to increase

–          Business environment is changing

–          Change the way you think!

  • Can we make attack data anonymous enough that it can be shared in a meaningful way to help others and improve overall understanding and security?

–           Look at things like CloudCert

Computing is changing;

–          Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc..

–          Driven by cost savings and need to be competitive in a global marketplace

–          Virtualisation – Mobile – BYOD (explosion of devices)

–          Increasing reliance on Browser

  • Secure Browser ‘App’ vs. URL  (Apps vs. things like HTML5)
  • Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc.  This would stop XSS.

Exponential data growth – Big data

–          In 2010 humanity’s data passed 1 zettabyte (1 with 21 zeros after it).

–          Estimated volume in 2015 – 7.9ZB

–          Number of servers expected to grow by 10x over the next 10 years.

Threat escalation;

  • Malware 26M in 2011 – 2.166M/mo. – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legacy apps you use be around?

–          Mobile

  • First attacks on O/S
  • First mobile drive by downloads
  • Malicious programs in App stores
  • First mass Android worm

–          Attacks built in the Cloud are invisible, and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing.  Would you want this?

Business Environment Changes

–          Drive to innovate

  • Scrums, agile computing initiatives change the way we work
  • Security needs to work in a more agile way

–          Rapid delivery of features and functions

  • Build securely – not build and test

–          Impact of Intense, Global competition

–          SMBs are the foundation of US recovery but need help

–          Blurring of home/personal and work

Six Irrefutable Laws of information Security;

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear.

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get.  Again this highlights the point that you will be hacked.

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

–          Global perspective

  • Not National
  • Not Government

–          Global Information Sharing

  • Sources
  • Solutions

–          Intelligence based security

  • Strategy and Budget

–          We MUST eliminate the obstacles!

Global Information Sharing

–          We have been trying for decades

–          How do we establish trust

  • Methods to make data anonymous
  • Attack data sharing

–          Who shares?

  • Needs of SMBs

–          Role of Governments (pass treaties around data sharing and cross boundary working)

–          Benefits go far beyond incident response

Incident response in the Cloud;

–          Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

–          Consider model you use – IaaS / PaaS / SaaS and what this means

–          Network control

–          Log correlation and analysis – where are these, who owns them, who can access them?

–          Roles and responsibilities

–          Access to event data, images etc.  When will you find out about issues and breaches?

–          Application functioning in the cloud – consider the impacts of applications running in shared and / or very horizontally scalable environments.

–          Virtualisation benefits and issues

–          Capabilities and limitations of your provider

Get Involved!

–          CSA and Cloud CERT

  • Role critical
  • Participation
  • Partnerships

–          Government initiatives

  • US
  • EU

–          Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) on security, which covers various areas including understanding the world and providing a reasonable level of protection (inc. BYOD, the need to be agile etc.)

Summary;

–          Remove Obstacles

–          Build subject matter expertise

–          Global sharing is critical to success

  • Who will attack you, using what methods in 2013?
  • Where should you spend your time / money?
  • Intelligence based security

–          Security sophistication must keep pace with attack sophistication!

K

Cloud computing is complex.

Recently came across an excellent article around the complexity of cloud here;

http://blog.theloosecouple.com/2012/01/10/cloud-complexity-its-a-wrench/

If you just use / consume cloud computing the concept seems simple enough, and on the surface it is.  However if you are implementing a cloud type service whether a huge public cloud or a smaller private cloud the work involved is considerably more complex.

The cloud concept is to deliver IT services as a utility, much like power or other utilities.  From a consumer viewpoint this makes the consumption of the services a simple idea.  The provision of these services in a reliable, location independent, scalable manner is far from simple.  Many larger businesses are either implementing or at least considering the idea of a private cloud; if you are in this camp, or are just interested in the complexities of implementing cloud computing, then this article makes a great read!

K

PCI-DSS Virtualisation Guidance

In what was obviously a response to my recent blog post stating more detailed guidance would be helpful (yes I am that influential!) the ‘PCI Security Standards Council Virtualisation Special Interest Group’ have just released the ‘PCI DSS Virtualisation Guidelines’ Information Supplement.

This can be found here;

https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

This is a welcome addition to the PCI-DSS as it makes the requirements for handling card data in a virtual environment much clearer.  The use of the recommendations in this document along with the reference architecture linked to in my previous post will provide a solid basis for designing a PCI-DSS compliant virtual environment.

The document itself is in 3 main sections.  These comprise;

– ‘Virtualisation Overview’ which outlines the various components of a virtual environment such as hosts, hypervisor, guests etc. and under what circumstances they become in scope of the PCI-DSS

– ‘Risks for Virtualised Environments’ outlines the key risks associated with keeping data safe in a virtual environment including the increased attack surface of having a hypervisor, multiple functions per system, in-memory data potentially being saved to disk, guests of different trust levels on the same host etc. along with procedural issues such as a potential lack of separation of duties.

– ‘Recommendations’; This section is the meat of the document and will be of main interest to most of the audience as it details the PCI’s recommended actions and best practices to meet the DSS requirements.  This is split into 4 sections;

– General –
Covering broad topics such as evaluating risk, understanding the standard, restricting physical access, defence in depth, hardening etc.  There is also a recommendation to review other guidance such as that from NIST (National Institute of Standards and Technology), SANS (SysAdmin, Audit, Network, Security) etc. – this is generally good advice for any situation where a solid understanding of how to secure a system is required.

– Recommendations for Mixed Mode Environments –

This is a key section for most businesses as the reality for most of us is that being able to run a mixed mode environment (where guests in scope of PCI-DSS and guests not hosting card data are able to reside on the same hosts and virtual environment via acceptable logical separation) is the best option in order to gain the maximum benefits from virtualisation.  This section is rather shorter than expected, with little detail other than many warnings about how difficult true separation can be.  On a bright note it does clearly say that as long as separation of PCI-DSS guests and non-PCI-DSS guests can be configured, and I would imagine audited, then this mode of operating is permitted.  Thus by separating the virtual networks and segregating the guests into separate resource pools, along with the use of virtual IPS appliances and likely some sort of auditing (e.g. a netflow monitoring tool), it should be very possible to meet the DSS requirements in a mixed mode virtual environment.
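As an added illustration of the "configured and audited" point above (my own example, not from the PCI guidance), here is a small audit script that checks a constructed VM inventory for the two separations the section relies on: in-scope guests must not share a virtual network or a resource pool with out-of-scope guests. The inventory format, guest names and network names are all hypothetical.

```python
"""Audit a (constructed) virtual-machine inventory for PCI-DSS mixed-mode
segregation. A finding is any in-scope guest that shares a virtual network
or a resource pool with an out-of-scope guest. Hypothetical data format."""
from collections import defaultdict

# Constructed sample inventory (hypothetical names). Guests on the same host
# are fine in mixed mode; sharing a network or pool across scopes is not.
INVENTORY = [
    {"name": "cde-web-01", "host": "esx01", "pool": "rp-cde",
     "networks": {"vlan-cde-dmz"}, "in_scope": True},
    {"name": "cde-db-01", "host": "esx01", "pool": "rp-cde",
     "networks": {"vlan-cde-db"}, "in_scope": True},
    {"name": "intranet-01", "host": "esx01", "pool": "rp-corp",
     "networks": {"vlan-corp"}, "in_scope": False},
    # Out-of-scope guest wrongly attached to a CDE network: a finding.
    {"name": "rogue-jump", "host": "esx02", "pool": "rp-corp",
     "networks": {"vlan-corp", "vlan-cde-db"}, "in_scope": False},
    # In-scope guest left in the corporate resource pool: a finding.
    {"name": "cde-app-02", "host": "esx02", "pool": "rp-corp",
     "networks": {"vlan-cde-dmz"}, "in_scope": True},
]


def segregation_findings(inventory):
    """Return sorted (kind, shared_resource, in_scope_guest, out_of_scope_guest)."""
    by_network, by_pool = defaultdict(list), defaultdict(list)
    for guest in inventory:
        by_pool[guest["pool"]].append(guest)
        for net in guest["networks"]:
            by_network[net].append(guest)
    findings = []
    for kind, groups in (("network", by_network), ("pool", by_pool)):
        for resource, guests in groups.items():
            cde = [g["name"] for g in guests if g["in_scope"]]
            other = [g["name"] for g in guests if not g["in_scope"]]
            findings.extend((kind, resource, a, b) for a in cde for b in other)
    return sorted(findings)


def mixed_mode_hosts(inventory):
    """Hosts carrying both scopes: permitted, but these are the ones to audit."""
    scopes = defaultdict(set)
    for guest in inventory:
        scopes[guest["host"]].add(guest["in_scope"])
    return sorted(h for h, s in scopes.items() if s == {True, False})


if __name__ == "__main__":
    print("mixed-mode hosts:", mixed_mode_hosts(INVENTORY))
    for finding in segregation_findings(INVENTORY):
        print("FINDING: %s %r shared by %s (in scope) and %s" % finding)
```

In a real environment the inventory would come from the hypervisor management API, and the same check is worth running on a schedule so that a guest quietly moved into the wrong pool or port group shows up as an audit finding.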

– Recommendations for Cloud Computing Environments –

This section outlines various cloud scenarios such as Public / Private / Hybrid along with the different service offerings such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service).  Overall it is highlighted that in many cloud scenarios it may not be possible to meet PCI-DSS requirements due to the complexities around understanding where the data resides at all times and multi tenancy etc.

– Guidance for Assessing Risks in Virtual Environments –

This is a brief section outlining areas to consider when performing a risk assessment; these are fairly standard and include defining the environment and identifying threats and vulnerabilities.

Overall this is a useful step forward for the PCI-DSS as it clearly shows that the PCI are moving with the times and understanding that the use of virtual environments can indeed be secure provided it is well managed, correctly configured and audited.

If you want to make use of virtualisation for the benefits of consolidation, resilience and management etc. and your environment handles card data this along with the aforementioned reference architecture should be high on your reading list.

K