securing the cloud
TRANSCRIPT
WHAT’S IN A NAME
SECURE CLOUD
• Secure environment
• In an (external) datacenter
• Multi-tenant
• SLA
• Buy online
CLOUD SECURITY
• Security-as-a-service
• Mail security
• Web security
• Web application security
• Vulnerability scanning
• Anti-virus
• Anti-malware
SECURE CLOUD REQUIREMENTS
• Secure datacenter
• Secure network
• Secure infrastructure
• Secure OS
• Secure application
• Secure Keep-it-running
• Secure employees
• Secure logging
WHAT WE SEE
• Traditional hosting providers still struggle to secure their classical hosting environment
• Web site security offering = SSL certificates!
• Shared hosting is bad for security, but providers follow the same approach to set up cloud
• Hosting providers use other cloud providers’ services
• Without the client’s knowledge
• Without any legally binding contract
• Without any SLA
• In a different country
• Belgian Court has a lot of problems with non-Belgian hosting
• Inadequate logging by the cloud provider
• It takes a lot of time to get the information with a court order
• Most providers don’t give information, or give it too late
• Insider threat: employees with a company credit card
• We found a cheap cloud provider in Russia called SpamEngine
WHAT IS NOT THE RIGHT WAY
The DIY approach is not leveraging the power of a secure cloud:
• Installing & configuring your virtual firewall
• Installing & configuring your web application firewall
• Install your Operating System
• Patching yourself
• Monitoring yourself
• Do your own software installations & upgrades
MALWARE ATTACKS
• Most cloud-based applications and cloud administration require only username/password
• Malware like ZeuS/SpyEye that attacks home banking also collects credentials
• Twitter/Facebook/…
• Salesforce.com?
• Amazon AWS?
• Credentials are sold on the Internet and automatically abused by malware running in the cloud
• Require from your cloud provider:
• Strong authentication
• SSL VPN for remote management
• IP blocking
• Logging + logging + logging + logging
SOME THOUGHTS
• FISA: Foreign Intelligence Surveillance Act
• Data stored in the US can be inspected and copied
• Without telling you….
• Just think about data encryption
• Where are the keys stored?
• How are you sure it is really encrypted?
• Same for China:
• What is stored in China is copied!
• A new U.S. intelligence report declares the most active and persistent perpetrator of economic espionage is China
• http://www.defensenews.com/story.php?i=8160472&&s=TOP
WHAT YOU NEED
• Moving to the cloud can be a security catalyst for your existing infrastructure and applications!
• Moving is not copying your virtual machines!!!!!!!!!!!!!!!
• Stay in the European Union with all your data
• Log everything to a different cloud provider or on-premise
• Do not trust the logo on the flashy web site, review the audit reports
• Monitor the SLA
• Classify data and locations