5/13/2014
Security and the Cloud
Joshua Fialkoff, TestVault
About Me
● 18 years of programming and product management for the web
● Master’s in computer engineering
● Brain computer interfacing research
● Technology consulting
● TestVault
Joshua Fialkoff // TestVault // (212) 369-1263 // [email protected]
Disclaimer
a cloud-based data management system
Why are you here?
Use the web smarter
Overview
● What is the “cloud”?
● Cloud alternatives
● Cloud vs. cloud activity
● Pros and cons
● Cloud security
● Home/stand-alone security
● Questions
What is the “Cloud”
● Simply, the Internet
● Technically:
o Distributed
o Generally, off-site
o Generally, publicly accessible
“My cloud is private”
● There is no private on the internet.
● What is a private internet resource?
o Password protection
o Firewall
o Obfuscation
o Encryption
What are the alternatives?
● Stand-alone, but...
o cloud synchronization
o cloud storage
o other cloud access
o cloud accessible
o if you can access the internet, the internet can access you.
● Cloud vs. Cloud Activity
Recognizing Cloud Activity
● Downloading lab results
● Electronic tax filing
● Report publishing
● Calendar synchronization across devices
● Emailing
● Others?
Cloud Pros and Cons
● Pros
o accessible from anywhere
o and by any device
o easy to share data
o data safety
o no limit on resources
o no resources to maintain
o managed by security experts
● Cons
o transmitted data
o centralized data
o requires an internet connection
o subject to outages
o publicly accessible
o often sharing server space
Cloud security (outline)
● Anatomy of a cloud transaction
● Security measures
o Encryption
o Firewalls
o Physical security
o Policy
Cloud transaction
1. I ask for a web page
2. Look up address for server
3. Send request info
4. Received by application server
5. Process request
6. Send response
Cloud security: Encryption
● HTTPS
o public/private key
● Data encryption
o 2-way
● Password encryption
o ideally 1-way
Encryption: Public/Private Key
1. Exchange public keys
2. Sender encrypts message with recipient’s public key.
3. Recipient receives data and decrypts with private key.
Encryption: Data Encryption
1. Encrypt data with a key stored somewhere else.
2. Decrypt data with that same key when you need the data.
Encryption: Password Encryption
1. When password is set, encrypt it with a 1-way encryption algorithm
2. When logging in, encrypt user’s input with same algorithm
3. Compare result from 2 to result from 1
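The three steps above as an added example (not code from the original slides): the "1-way encryption" is implemented here with PBKDF2-HMAC-SHA256, a salted key-derivation function from Python's standard library, and contrasted with an unsalted fast hash. The record format, iteration count, function names and sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"   # assumed record label for this example
ITERATIONS = 600_000          # assumed work factor; tune for your hardware


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: one-way, but equal passwords give equal output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_password(password: str) -> str:
    """Step 1: store only a salted, slow, one-way derivation of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(candidate: str, record: str) -> bool:
    """Steps 2 and 3: re-derive with the stored salt, then compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        derived = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record: fail closed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    alice = set_password("correct horse battery staple")
    bob = set_password("correct horse battery staple")
    print(check_password("correct horse battery staple", alice))
    print(check_password("wrong guess", alice))
    print(alice == bob)  # salts differ, so the stored records differ
    print(weak_hash("hunter2") == weak_hash("hunter2"))
```

Because each record carries its own random salt, two users with the same password get different stored values, which the unsalted hash cannot offer.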
Cloud transaction
1. I ask for a web page
2. Look up address for server
3. Send request info
4. Received by application server
5. Process request
6. Send response
Cloud security (outline)
● Anatomy of a cloud transaction
● Security measures
o Encryption
o Firewalls
o Physical security
o Policy
Cloud security: Firewalls
● Network
● Application
Firewalls: Network
● Where is the information coming from?
● What is the destination?
● Stateful
Firewalls: Application
● Protocol (e.g., http) specific
● Virus protection
● Website restriction
Cloud security (outline)
● Anatomy of a cloud transaction
● Security measures
o Firewalls
o Encryption
o Physical security
o Policy
Cloud security: Physical
● Key-card/biometric restricted entry
● Security personnel
● Video surveillance
● Alarm system
● Fire detection and suppression systems
Cloud security (outline)
● Anatomy of a cloud transaction
● Security measures
o Firewalls
o Encryption
o Physical security
o Policy
Cloud security: Policy
● Risk management
● Employee background checking
● Access logging
● Employee departure
● Safeguarding passwords
● Log monitoring
Overview
● What is the “cloud”?
● Cloud alternatives
● Cloud vs. cloud activity
● Pros and cons
● Cloud security
● Home/stand-alone security
● Questions
What protects a stand-alone system?
● Obfuscation
● Little to gain (generally)
● Service provider firewall
● Home firewall
● Operating system firewall
● Restricted access
● Encryption?
Overview
● What is the “cloud”?
● Cloud alternatives
● Cloud vs. cloud activity
● Pros and cons
● Cloud security
● Home/stand-alone security
● Questions
Thank You
Joshua Fialkoff // TestVault
Email: [email protected]
Phone: (212) 369-1263
LinkedIn: http://goo.gl/QTXW6U