![Page 1: Cloud Security – Implementation Reality · Cloud Security – Implementation Reality . Hoo Chuan Wei CISSP, CISA, CFE, BCCE Technical Advisor, (ISC)2 APAC Executive Security Advisor,](https://reader033.vdocument.in/reader033/viewer/2022042810/5f9c181b934df13d0b5d293d/html5/thumbnails/1.jpg)
Cloud Security – Implementation Reality
Hoo Chuan Wei CISSP, CISA, CFE, BCCE Technical Advisor, (ISC)2 APAC Executive Security Advisor, IBM Security
#CLOUDSEC
Cloud is HERE to STAY
2
SETTING THE SCENE
ISC2
This ?...Clarity
• A new paradigm (secure if built correctly)
• Cost saving
• Business differentiator
• Following the trend…
• Security
  • Last thing on anyone’s mind
Good thing you have these experts around
• Wake up call
• Highlight the other side of the coin
• Get REAL!!! (certifications)
3
WHERE ARE THE SECURITY FOLKS
Guidance
• What standard do we adopt/follow?
• Don’t reinvent the wheel (unless your cloud is not a cloud), adopt the existing…
  • CSA STAR (Security, Trust and Assurance Registry) Certification
  • Singapore Standard 584 Multi-Tier Cloud Security (MTCS)
4
WHERE DO WE START
Why the need for Guidance?
• Provides the fundamental framework to build a “SECURE CLOUD”
  • Systems security
  • Process security
  • People security
5
WHERE DO WE START
Responsive Security
• Trigger points
• Detective controls
• Correlation
• BCM/ITDRP
6
INFORMATION SECURITY MANAGEMENT
[Figure: Knowledge/Attitude matrix. Attitude Bar (Don’t Care / Care) against Knowledge Bar (Don’t Know / Know).]
              Don’t Know   Know
  Care        Paranoid     Wise
  Don’t Care  Naive        Apathetic
Control posture labels shown on the figure: Responsive Control, Irrelevant Control, No control, No control – taking risk.
SPOF (Single Point Of Failure)
• Hypervisor security is a SPOF.
  • Not proven but can imagine the potential impact
• Hypervisor administrative/privileged access
  • Managed as break-glass scenario.
  • Traditional security
  • 2FA?
7
POSSIBLE CONSIDERATIONS
Vulnerability/Patch Management
• When and how
  • Not a straightforward exercise
  • Application dependency
  • Quarterly Maintenance Window (QMW)
• Governance support
• Grouping of applications
  • Based on RTO & RPO
8
POSSIBLE CONSIDERATIONS
Standard Operating Environment (SOE)
• Virtual machine (VM) sprawl.
  • Any problem will be magnified in the virtual environment – more complex.
• SOE
  • Set the security controls/boundary
  • Set the configuration
  • Control-based approach
9
POSSIBLE CONSIDERATIONS
Many players and layers
• Complex security environment
  • Physical layer (multiple sites, same controls?)
  • Network layer (SDN, NFV, etc.)
• Enterprise security architect
  • Individual (risk of silos of expertise)
  • Group
  • Understanding the risk context consistently?
• Ideally, have an enterprise security architect who can piece it all together (technology partner).
10
POSSIBLE CONSIDERATIONS
Double-edged sword
• Virtualization layer
  • Cloud can be used to attack others
  • Cloud itself can be attacked.
  • Going to be the next attackers’ front
• Management interfaces are often the weakest link – internal threat more likely.
  • Proposed to implement 2FA to deter/control access from external and internal (Traditional security)
11
POSSIBLE CONSIDERATIONS
Example: An attacker that compromises a web-based management interface can compromise all hosts on that server.
How real is this DDoS?
• Internal DDoS Concern
  • Virtual systems are also vulnerable to DDoS attacks – Serious and very real!
  • It will disrupt service by consuming resources.
  • Traditional mitigating solution might not work here
• Mitigating controls – Traditional security
  • Hardening
  • Access control
  • Data control
  • Incident response
12
POSSIBLE CONSIDERATIONS
Configuration Management Database
• Dynamic environment.
  • Do you have the updated inventory to start with?
  • Business requests to create, suspend and move VMs around – how to control?
  • Change Management (Traditional security)
• SOE
  • Particularly useful in cloud computing
  • Respective hardening guide (Traditional security)
13
POSSIBLE CONSIDERATIONS
IT Audit concerns
• New technology compliance
  • Audited using traditional security controls? Yes and No
  • Back to school for auditors
• Un-scanned, unpatched VMs become active in the network without anyone’s knowledge.
• CMDB failure – Change management is critical
• Security Acceptance Test (SAT) and Operation Acceptance Test (OAT) are the respective gates to address any unauthorized change.
14
SECURITY & COMPLIANCE
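The CMDB and IT audit concerns on the two slides above (an inventory that lags the real environment, VMs that go live without a scan or a change record, VMs the CMDB believes are suspended) reduce to one control: reconcile what change management says exists against what the hypervisor actually reports, and treat every difference as a finding. The following is an added example, not part of the presentation: a Python reconciliation over a CMDB export and a hypervisor inventory. The CSV layout, VM ids, SOE baseline names and the 30-day scan-age policy are constructed assumptions.

```python
"""Reconcile a CMDB export against the VMs the hypervisor reports as running.

Added example, not from the presentation. The CMDB CSV layout, the observed
inventory shape, VM ids, SOE baseline names and the scan-age threshold are all
constructed assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed CMDB export: what change management believes exists.
CMDB_CSV = """vm_id,hostname,owner,last_scan,baseline,state
vm-0001,web-01,payments,2015-05-20,SOE-2015Q1,active
vm-0002,web-02,payments,2015-05-20,SOE-2015Q1,active
vm-0003,db-01,payments,2015-02-01,SOE-2014Q4,active
vm-0004,batch-01,finance,2015-05-18,SOE-2015Q1,suspended
"""

# Constructed hypervisor inventory: what is actually powered on right now.
# vm-0002 is absent (CMDB says active), vm-0004 is running although the CMDB
# says suspended, and vm-0099 has no CMDB record at all.
OBSERVED_RUNNING = [
    {"vm_id": "vm-0001", "hostname": "web-01", "baseline": "SOE-2015Q1"},
    {"vm_id": "vm-0003", "hostname": "db-01", "baseline": "SOE-2014Q4"},
    {"vm_id": "vm-0004", "hostname": "batch-01", "baseline": "SOE-2015Q1"},
    {"vm_id": "vm-0099", "hostname": "test-tmp", "baseline": "none"},
]

CURRENT_SOE = "SOE-2015Q1"          # assumed current hardening baseline
MAX_SCAN_AGE = timedelta(days=30)   # assumed policy: rescan at least monthly


def parse_cmdb(text):
    """Index CMDB rows by vm_id."""
    return {row["vm_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(cmdb, observed, today, current_soe=CURRENT_SOE, max_scan_age=MAX_SCAN_AGE):
    """Return (vm_id, finding_code, detail) for every gap between CMDB and reality."""
    findings = []
    seen = set()
    for vm in observed:
        vm_id = vm["vm_id"]
        seen.add(vm_id)
        rec = cmdb.get(vm_id)
        if rec is None:
            # The audit slide's case: a VM nobody recorded is live on the network.
            findings.append((vm_id, "UNKNOWN_VM", "running but absent from CMDB"))
            continue
        if rec["state"] != "active":
            findings.append((vm_id, "STATE_MISMATCH",
                             f"CMDB state {rec['state']!r} but VM is running"))
        if today - date.fromisoformat(rec["last_scan"]) > max_scan_age:
            findings.append((vm_id, "STALE_SCAN", f"last scan {rec['last_scan']}"))
        if vm["baseline"] != current_soe:
            findings.append((vm_id, "OFF_BASELINE",
                             f"built from {vm['baseline']}, SOE is {current_soe}"))
    # Second pass: records the CMDB believes are live but nothing reports running.
    for vm_id, rec in cmdb.items():
        if rec["state"] == "active" and vm_id not in seen:
            findings.append((vm_id, "MISSING_VM", "CMDB says active but not observed running"))
    return findings


def run_example():
    """Run the reconciliation on the constructed data with a fixed 'today'."""
    return reconcile(parse_cmdb(CMDB_CSV), OBSERVED_RUNNING, date(2015, 6, 1))


if __name__ == "__main__":
    for vm_id, code, detail in run_example():
        print(f"{code:<15} {vm_id}  {detail}")
```

Run as a script it prints five findings: vm-0003 is both overdue for a scan and built from a superseded SOE, vm-0004 is running against a suspended record, vm-0099 is unknown to the CMDB, and vm-0002 is recorded as active but not running. Scheduling this after every provisioning batch is the "change management gate" in executable form; an UNKNOWN_VM finding is exactly the unscanned, unrecorded VM the audit slide warns about.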
DevOps approach
• Reality – multiple changes in 24 hours
• How to ensure proper SAT/OAT is in place before release?
• DevOps is a software development method that emphasizes communication, collaboration, integration and automation. (SAT and OAT combined)
• Cooperation between software developers, Security and IT professionals is key
• This is going to be difficult but achievable.
15
RELEASE MANAGEMENT
16
OPERATIONAL FRAMEWORK - RESPONSIVE
[Figure: operational readiness over time. Axes: Time (x, marked T + 0, T + 1, T + 2, T + n) and Operational Readiness (y). Labels on the curve: Incident, Maturity, Detective controls, Audit findings, Corrective controls.]
Responsive security = Correlation + Early Warning + BCM/ITDRP
Adopt Responsive Security
• Trigger points
• Detective controls
• Correlation
17
SOLUTION
[Figure: the Knowledge/Attitude matrix from slide 6 (Paranoid / Wise / Naive / Apathetic; Responsive Control, Irrelevant Control, No control, No control – taking risk), repeated.]
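Slides 16 and 17 define responsive security as detective controls feeding a correlation step that produces an early warning, with trigger points deciding when a warning is justified. As an added illustration (not the presenter's material), the Python below correlates detective-control events per asset inside a time window and fires only when all of a trigger point's required signals co-occur, so a single noisy signal stays quiet. The log line format, source and signal names, asset ids and the trigger definitions are constructed for the example.

```python
"""Correlate detective-control events into an early warning per asset.

Added example, not from the presentation. The log line format, source and
signal names, asset ids and the trigger definitions are constructed; in a real
deployment they would map onto SIEM, hypervisor audit log, CMDB and
vulnerability-scanner feeds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source> <asset> <signal> [key=value ...]"
SAMPLE_LOG = """\
2015-06-01T08:00:05 hypervisor vm-0099 vm_created host=host-07
2015-06-01T08:00:09 cmdb vm-0099 no_record
2015-06-01T08:01:30 scanner vm-0099 never_scanned
2015-06-01T08:02:10 firewall vm-0099 outbound_new_dest dst=203.0.113.9
2015-06-01T09:30:00 hypervisor vm-0100 vm_created host=host-07
2015-06-01T09:30:04 cmdb vm-0100 record_ok
2015-06-01T09:31:00 scanner vm-0100 scan_clean
"""

# Trigger points (constructed): a warning fires only when every required signal
# is seen for the same asset inside the window. Single signals alone stay quiet.
TRIGGERS = {
    "unmanaged_vm_active": {
        "required": {"vm_created", "no_record"},
        "window": timedelta(minutes=10),
        "severity": "high",
    },
    "unscanned_vm_talking_out": {
        "required": {"never_scanned", "outbound_new_dest"},
        "window": timedelta(minutes=5),
        "severity": "critical",
    },
}


def parse_events(text):
    """Parse log lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, asset, signal, *attrs = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "source": source,
            "asset": asset,
            "signal": signal,
            "attrs": dict(a.split("=", 1) for a in attrs),
        })
    return sorted(events, key=lambda e: e["time"])


def correlate(events, triggers=TRIGGERS):
    """Slide a window over each asset's events; emit one warning per trigger."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e["asset"]].append(e)

    warnings = []
    for asset, evs in by_asset.items():
        for name, rule in triggers.items():
            for i, start in enumerate(evs):
                end = start["time"] + rule["window"]
                in_window = [e for e in evs[i:] if e["time"] <= end]
                matched = [e for e in in_window if e["signal"] in rule["required"]]
                if {e["signal"] for e in matched} >= rule["required"]:
                    warnings.append({
                        "asset": asset,
                        "trigger": name,
                        "severity": rule["severity"],
                        # Fires when the last required signal arrives: the early
                        # warning precedes any incident ticket or audit finding.
                        "fired_at": max(e["time"] for e in matched),
                        "sources": sorted({e["source"] for e in matched}),
                    })
                    break  # one warning per asset per trigger is enough
    return warnings


def run_example():
    """Correlate the constructed log and return the warnings."""
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for w in run_example():
        print(w["fired_at"].isoformat(), w["severity"].upper(), w["asset"],
              w["trigger"], ",".join(w["sources"]))
```

On the sample log, vm-0099 raises both trigger points (the second one within about two minutes of the VM appearing) while vm-0100, which was recorded and scanned, raises none. The window and the required-signal set are the two knobs a security operations team tunes: widen the window and more real events correlate, but so do coincidences; add a required signal and the warning becomes more certain but later. That trade-off is the "T + 0 to T + n" axis on the slide 16 figure.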
Trusted advisor
• Look out for a technology partner who invests in R&D, understands the implications and relevancy of having a relevant technology.
• Understands IT and Information security.
18
SOLUTION - TECHNOLOGY PARTNERSHIP
Hoo Chuan Wei CISSP, CISA, CFE, BCCE Technical Advisor, ISC2 APAC Executive Security Advisor, IBM Security
#CLOUDSEC