
Seminar Honeynet Indonesia 2013

Cloud Computing Security

By Hogan Kusnadi

CISSP-ISSAP, SSCP, CISA, CISM

[email protected]

18 June 2013

Launch of SNI-ISO 20000 & 27001

Kominfo & BSN, October 2009

Rapid Development of ICT (Information and Communication Technology)

From LAN, WAN to Cloud Computing

NIST

National Institute of Standards and Technology

This cloud model promotes availability and is composed of five essential characteristics:

– on-demand self-service

– broad network access

– resource pooling

– rapid elasticity

– measured service

Cloud Computing

• Software as a Service (SaaS)

• Platform as a Service (PaaS)

• Infrastructure as a Service (IaaS)

• Storage as a service (SaaS)

• Communications as a Service (CaaS)

• Network as a Service (NaaS)

• Monitoring as a Service (MaaS)

• etc.

XaaS (Anything as a Service)

• Anything/Everything as a Service (XaaS)

– The acronym refers to an increasing number of services that are delivered over the Internet rather than provided locally or on-site.

• XaaS is the essence of cloud computing

User vs Provider

Understanding Risk is Important

Two Sides of Technology: Benefit vs Risk of ICT

Benefit: Multi Function; Flexible; Easy to use; Lower Cost

Technology evolution: Database Application; Web Application; Client Server; Network Integration; Cloud Computing

Risk: Identity Theft; Information Theft; Industrial Espionage; Country Espionage; Denial of Service (DDoS); Data / Information Sovereignty; Sabotage, Cyber Weapon, Cyber War

Risk to Confidentiality, Integrity and Availability

Website Defacement Attack Statistics (source: www.zone-h.org, 18 April 2012)

Data Loss Incidents (2004-2013*, as of April 2013)

Cloud Computing and Information Security Incidents

How to Mitigate Risk

ENISA (European Network and Information Security Agency)

How Security Gets Integrated

Data Security Lifecycle

The Notorious Nine: Cloud Computing Top Threats in 2013

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse of Cloud Services

8. Insufficient Due Diligence

9. Shared Technology Issues

About the Cloud Security Alliance

• Global, not-for-profit organization

• Building security best practices for next generation IT

• Research and Educational Programs

• Cloud Provider Certification

• User Certification

• Awareness and Marketing

• The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CSA Fast Facts

• Founded in 2009

• 42,000 individual members, 66 chapters globally

• 200 corporate and affiliate members

– Major cloud providers, tech companies, infosec leaders, DoD, Coca-Cola, Bank of America and many more

• Regional hubs in Seattle (USA), Singapore, Heraklion (Greece)

• Over 30 research projects in 25 working groups

• Strategic partnerships with governments, research institutions, professional associations and industry

Growing to serve the Industry

• 2009

– CSA launch at RSA 2009 with Security Guidance for Critical Areas of Focus in Cloud Computing

– 6,000 members

• 2010

– Launch Certificate of Cloud Security Knowledge (CCSK)

– 15,000 members

• 2011

– Launch CSA Security, Trust and Assurance Registry (STAR)

– 27,000 members

• 2012

– Launch CSA Mobile and Big Data research to address emerging needs

– 42,000 members

Membership Growth (chart by region: North America, EMEA, APAC; scale 0 to 50,000 members)

www.cloudsecurityalliance.org – Copyright © 2011 Cloud Security Alliance

Research Portfolio

Our research includes fundamental projects needed to define and implement trust within the future of information technology.

CSA continues to be aggressive in producing critical research, education and tools.

Sponsorship opportunities

Selected research projects in the following slides


Security as a Service

• Security as a Service

– Research for gaining a greater understanding of how to deliver security solutions via cloud models

• Information Security Industry Re-invented

• Identify Ten Categories within SecaaS

• Implementation Guidance for each SecaaS Category

• Align with international standards and other CSA research

• Industry Impact

– Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3

GRC Stack

Family of 4 research projects:

– Cloud Controls Matrix (CCM)

– Consensus Assessments Initiative (CAI)

– Cloud Audit

– Cloud Trust Protocol (CTP)

Impact to the Industry

– Developed tools for governance, risk and compliance management in the cloud

– Technical pilots

– Provider certification through STAR program

Control Requirements, Provider Assertions, Private, Community & Public Clouds

Smart Mobile

• Mobile

– Securing application stores and other public entities deploying software to mobile devices

– Analysis of mobile security capabilities and features of key mobile operating systems

– Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

– Guidelines for the mobile device security framework and mobile cloud architectures

– Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

– Best practices for secure mobile application development

CCSK – User Certification

Certificate of Cloud Security Knowledge (CCSK)

Benchmark of cloud security competency

Online web-based examination

www.cloudsecurityalliance.org/certifyme

Training partnerships

Developing new curriculum for audit, software development and architecture

CSA Conference

• Only multi-track, multi-day conference focused on cloud security

• Key venue for new research

• Primarily attended by enterprise end users

• 2013 CSA Congress Plans

– CSA Congress APAC, Singapore, May 15-16

– CSA Congress EMEA, Europe, September

– CSA Congress US, Orlando, November

CSA APAC

• Incorporated and based in Singapore

• Planned establishment of corporate HQ in Singapore

• Supported by key Singaporean ministries, led by Infocomm Development Authority

• Trend Micro as founding corporate office sponsor

• IDA support for research and standards functions

• Also private/public partnerships with gov’ts of Thailand and Hong Kong

• CSA chapters throughout APAC


International Standardization Council

• Engage international standards bodies on behalf of CSA

• Propose key CSA research for standardization

• Liaison relationship with ITU-T

• Category A liaison with ISO/IEC SC27 & SC38

• Tracking key SDOs for 2013

– DMTF

– IEEE

– IETF

– CCSA

– RAISE