Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  It encompasses Security, Privacy, Reliability and Business Practices.

Managing risk at all layers.

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that the provider has obtained third party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible, e.g. through STAR (suppliers such as Amazon and Microsoft are already registered here).

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.


Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?


–          52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance


3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations’ networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware))

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          Is MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly sophisticated and we need to work hard not just to keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012’ are well worth bearing in mind when thinking about your risk management process / strategy.


Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered, as the points around creating business cases and defining value in business rather than IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance


  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative.  DLP was mentioned as one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!




RSA Conference Europe 2012 Keynotes; day one part two

Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself

For many years IT was standardising on systems from the client to the server room.  Now we have BYOD, cloud etc.  IT is becoming more diverse with many more devices and data stored across multiple locations and hosting environments.

What does this mean for IT security?  What model do we need?

Historically IT security has been defence only and point / issue based – you get viruses so install AV, etc.

We need to look more holistically and look at how we defend against multi flanked attacks and advanced persistent threats.  Also consider how we can use the attack against the attacker or to catch the attacker (think Aikido).

What do we mean by multi flanked?  Attacks are now increasingly using multiple, seemingly independent attacks, many of which are just diversions so we miss the real attack.  When we are busy or focusing on a specific task we often miss obvious things.  Look up ‘how many times did the white team pass the ball’ for an example of this!

Phishing attacks are also getting much more advanced and sophisticated; these are now one of the primary ways attackers gain a foothold.

An example of this was a recent attack on a bank that used a phishing email to gain access to a bank.  The gang then launched a DDoS attack on the bank, while the bank was rushing around trying to keep their site up and prevent the attack being successful.  The gang then used the malware installed via the phishing email to steal bank and ATM details.  They then passed these to their monetising team who created ATM cards, distributed these to hired people who all went to ATMs, and withdrew cash.  This attack walked away with $9M in a couple of hours.

The attackers also do things like ensure they use cards in ways that look legitimate and at times customers (the legitimate card holders) are less likely to spot the use quickly.

How do these gangs create these massive data centres of compute power yet remain invisible to legal organisations such as Interpol, the FBI etc.?  Sophisticated organisations sell ‘bulletproof’ solutions hosted in one country, managed in another, sold in yet another, etc.  This is a real market where actual marketing is used, and there is great competition and price pressure – it is a lot cheaper than you think!

There is also the ‘democratisation’ of cyber warfare tools – this follows neatly from the previous talk – increasingly complex and advanced tools are available more and more readily.

On the other side of this is the huge increase in what we are trying to protect – we have more and more complex systems and ever growing data volumes.  The volume of data stored is likely to increase by 40 times from today’s levels by 2020!

What does this mean for the security industry?

We need to improve our intelligence;

–          What do they want?

–          What are our key information assets?

–          Out of all of our data which is critical, and which is ‘garbage’?

–          What is happening in your organisation?

–          How are the criminals working and what attacks are they using?

–          Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?

–          Who are the actors in the campaign?

Our intelligence and security need to be more agile – we need to improve our understanding of what is happening and the unknowns and unexpected things we discover.  Is our security agile enough to change to deal with these new and unexpected things?

Brief comment on having powerful defences and AV (well, this is Symantec).  Good point on reputation based computing – if we have never seen this file before, should we trust it?


Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption

Microsoft Security Intelligence Report release 13 is available for download as of today, and is available here;

A great overview of the report can be found here;

Microsoft has also released some very helpful, open source, security tools;

–          Attack Surface analyser

–          Anti-cross site scripting library

Microsoft recently commissioned a cloud computing survey.  This was carried out by an independent survey company so vendor neutral around current barriers and benefits.  The full results can be found here;

Unsurprisingly, perceived security risks are still the top barrier; however, of those who have adopted the cloud, 54% stated they have improved security, along with 47% who managed to make cost savings on their overall security spend.  The perception and reality currently do not appear to align.  How do we address these barriers?

Improve transparency;

–          Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)

–          Drive and support industry standards

–          Commit to transparency in cloud offerings

Microsoft has just released a cloud security readiness tool that can be found here;

This is a survey tool that will allow you to assess both the security of your current environment and your readiness for cloud adoption / migration.  This is a free tool that will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use.  To ensure vendor neutrality this links in with and is based on the CSA Cloud Controls Matrix.

The output of this survey is a report for your organisation which understands controls relevant to your industry and regional location.

Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.

Overall this talk was lighter than the others and fairly Microsoft focused, but had some good points and highlighted some useful tools.

Note, at the time of writing the ‘aka.’ links are giving 404 errors; I have emailed Microsoft and asked for this to be resolved.


Keynote 5 – Herbert Thompson – Program committee chairman, RSA conference – Securing the human: Our industry’s greatest challenge

In security we set up situations in which people are bound to fail, especially if they are not security savvy or paranoid.

–          Links in emails – how do we know which are real and which are malicious?

–          What do we do about site certificate errors?

–          What do we do when a site wants us to download a file?

Security currently treats everyone the same regardless of knowledge or talent.  One size does not fit all.  Think of car insurance; you have to answer many questions, and the outcome is an insurance quote tailored to your risk profile.

We need to be the people that help the business understand the risk; enable them to make decisions and embrace change with a full understanding of the risks of doing so.

Very light talk, but great point around understanding and managing risk appropriately.


Malware everywhere, even on Apples..

Various sources have been reporting on the recent Java hole that enabled malicious individuals to infect upwards of 600,000 Apple Macs that were running the latest, fully patched version of the O/S.

This Java vulnerability was actually known about some time last year and has been patched on other systems.  Apple, in its continued, and frankly misguided, belief that its systems are safe and don’t need protection like anti-virus software, chose not to patch the hole until hundreds of thousands of its customers had been infected.

The reality is that all consumer computer systems have vulnerabilities and it should be the expected duty of vendors to patch these as quickly as possible to protect their customers and their privacy.

We have all knocked companies like Microsoft for the amount of vulnerabilities and attacks that have occurred against their software, but the reality is that over the last few years Microsoft has made huge progress in producing more secure software, patching in a very timely manner, providing free tools like anti-virus, and working with law enforcement to bring down criminal bot nets.

Apple has avoided many exploits being created as it has historically been such a niche player.  Why create an exploit for a few machines when you can create one for orders of magnitude more?  As Apple has become more successful and there has been an increased uptake of its products in offices, it has become a more interesting and valuable target for criminals to try and exploit any vulnerabilities.

It is time for Apple to pull its socks up from a security standpoint, and to become both more proactive and transparent in how it deals with issues and helps protect its customers.

For those of us using any operating system it’s yet another reminder that we should keep our systems patched and run software to protect us from viruses etc.  Oh, and not to trust vendors when they tell us their systems are safe and don’t need further protection.

Some detail and commentary on this issue can be found here at the links below;


Homomorphic Encryption – Saviour of the cloud? Ready for prime time?

Homomorphic encryption has been around for a while (in fact it has been debated for around 30 years), but most cryptosystems that are homomorphic are only partially homomorphic, thus limiting their use in enabling real world distributed, including cloud based, systems.

I’ll start by briefly describing what the term homomorphic means when used to describe a cryptosystem.  A cryptosystem is homomorphic if a mathematical operation can be performed on the encrypted data to produce an encrypted output that, when decrypted, gives the same result as if the operation had been performed on the plaintext.

I’m sure you can see how this removes one of the main barriers to the adoption of cloud computing.  An efficient, proven and thoroughly tested homomorphic encryption system would potentially revolutionise the view of cloud computing security.  Currently it is easy to send data to and from the cloud in a secure encrypted manner; however, if any computation is to be carried out on this data it has to be unencrypted at some point.  When the data is unencrypted in the cloud, the risk that employees of the cloud provider, and potentially other customers, could access the data becomes a real concern.  It is this risk that is one of the key road blocks to companies moving their data to the cloud.

Additionally, some legal / regulatory rules prevent certain unencrypted data types, such as personally identifiable information (PII), leaving countries / regions such as the EU.  A system that enabled data to remain encrypted would potentially get around these regulatory issues and allow data to be housed in the cloud (many cloud providers have data centres located in various global locations and can’t guarantee where data will reside.  In fact this is one of the benefits of the cloud – the high level of redundancy and resilience provided by multiple data centres in geographically diverse locations).

Some existing algorithms are partially homomorphic; this means that they are homomorphic with regard to one or maybe a couple of operations.  For example, the RSA algorithm is homomorphic with regard to multiplication.
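To make the RSA point concrete, here is a small Python illustration I have added (it is not from the talk or any of the papers mentioned): a party holding only the public key multiplies two ciphertexts, and the key holder decrypts the product; the same trick tried with addition produces garbage, which is exactly what “partially homomorphic” means.  The primes p = 61 and q = 53 are toy values chosen for readability; unpadded textbook RSA like this is not secure for real use.

```python
# Added example: RSA's multiplicative homomorphism with toy parameters.
# Textbook (unpadded) RSA is insecure in practice; the tiny constructed
# primes below exist only to make the algebra visible.

def rsa_keygen(p, q, e=17):
    """Return (public, private) textbook RSA keys from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def cloud_multiply(pub, c1, c2):
    """What an untrusted host can do with only the public key:
    E(m1) * E(m2) mod n == (m1 * m2)^e mod n == E(m1 * m2)."""
    n, _ = pub
    return (c1 * c2) % n

def cloud_add(pub, c1, c2):
    """The analogous attempt for addition; RSA offers no such identity."""
    n, _ = pub
    return (c1 + c2) % n

# Constructed toy key: p = 61, q = 53 gives n = 3233, e = 17, d = 2753.
PUB, PRIV = rsa_keygen(61, 53)

def product_via_ciphertexts(m1, m2, pub=PUB, priv=PRIV):
    """Client encrypts, the 'cloud' multiplies blind, the client decrypts.
    The result equals m1 * m2 as long as the product stays below n."""
    c = cloud_multiply(pub, encrypt(pub, m1), encrypt(pub, m2))
    return decrypt(priv, c)

def sum_via_ciphertexts(m1, m2, pub=PUB, priv=PRIV):
    """Same flow with addition: the decrypted value is not m1 + m2."""
    c = cloud_add(pub, encrypt(pub, m1), encrypt(pub, m2))
    return decrypt(priv, c)

if __name__ == "__main__":
    print("7 * 12 via ciphertexts:", product_via_ciphertexts(7, 12))  # 84
    print("7 + 12 via ciphertexts:", sum_via_ciphertexts(7, 12), "(not 19)")
```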

IBM published some research in this area in 2009, proposing fully homomorphic systems; these are linked to from here;

Currently fully homomorphic systems are too new and not yet practical enough to be implemented for production systems.  For any cryptographic algorithm to be recommended it requires considerably more time to be peer reviewed and tested by security and encryption researchers, to allow a reasonable level of assurance that there are no attacks that could be used to decrypt the data.  In terms of the practicality of currently proposed homomorphic encryption systems, the complexity of the system grows enormously as the number of operations you need to perform on the encrypted data increases.  This leads to a massive increase in the computational power required to run the system; this is a non-trivial increase that will not be solved by Moore’s law anytime in the near future.

So homomorphic encryption has now been proven to be possible which is a huge step forwards, and the work done by people like Craig Gentry and the guys at IBM and MIT must be hugely applauded.

Microsoft researchers published a paper in May of this year (2011) titled ‘Can Homomorphic Encryption be Practical’ that can be found here;

This provides an overview of a proposed partially homomorphic implementation along with thoughts on how it could be made fully homomorphic and how the efficiency could be improved.  The page also contains some useful links to cloud and lattice based cryptography.

However the reality is that we need several more years for a broader range of cryptographers to examine the cryptosystem to be assured it is secure, and for further work to go into making the system much more efficient.

These are definitely interesting times, and over the next few years I would hope to see homomorphic cryptosystems removing some of today’s key barriers to the adoption of cloud computing services!