redefining security in the cloud

DOGFOODCON ‘16 REDEFINING SECURITY IN A CLOUD-CENTRIC FUTURE

Upload: mike-spaulding

Post on 16-Apr-2017


TRANSCRIPT

DOGFOODCON ‘16 REDEFINING SECURITY IN A CLOUD-CENTRIC FUTURE

MIKE SPAULDING - DOGFOODCON - 2016

DISCLAIMER

My opinions, commentary, and discussion today are my own, not my employer(s)

My tweets are my own. If they offend you, then you probably shouldn’t follow me.

I will not discuss anything about my employer(s) in any detail or extent

HOW THE CLOUD WORKS

It’s simple: It really is someone else’s hard drive.

The hard drive sits in multiple countries and is shared by lots of people

You are placing your trust in the third party to do its job: keep your data separate from other people’s data.

Security is either sold softly (i.e. ‘we’ve got you covered’) or it is a hard sell (i.e. ‘buy this feature and this one to feel safe’)

UNDERSTANDING YOUR CLOUD

It is estimated that most large companies are leveraging between 600 - 1000 SaaS Applications on a daily basis.

Cloud Apps (SaaS): • SalesForce • ServiceNow • Office365 • Kronos

Owner: Business Relationship Manager

Cloud Infrastructure (IaaS): • Rackspace • MSFT Azure • IBM SmartCloud • SoftLayer • Amazon AWS

Owner: Historically Legacy Infrastructure Teams

Platforms (PaaS): • MSFT Azure • IBM BlueMix • Cloud Foundry • Google AppEngine

Owner: Sometimes Developers, other times it is Infrastructure

CLOUD SECURITY RESPONSIBILITY

The stack, top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking

The slide repeats this stack four times, once per delivery model: Local/On Premise (Your Data Center), Infrastructure (IaaS), Platform Apps (PaaS), Cloud Apps (SaaS)

Each layer is marked as Your Co., Vendor, or Shared Responsible Party & Accountability. Moving from on premise to SaaS, the vendor takes over more of the stack at each step: on premise you own every layer; with IaaS the vendor runs Virtualization, Servers, Storage and Networking while you keep Applications, Data, Runtime, Middleware and the O/S; with PaaS you keep only Applications and Data; with SaaS the vendor runs the whole stack, with the Application layer shared (see the SaaS responsibility clarification slide).

EXAMPLE: COMPARING YOUR CLOUD WITH PIZZA

UNDERSTANDING YOUR DATA IN THE CLOUD

Information Sharing (SaaS): • DropBox • Box • iCloud • Facebook

Owner: Business Relationship Mgr.

Data Types: • PII • PHI • PCI • IP

Security Requirements: • Authentication • Authorization • Confidentiality • Audit • Non-Repudiation

Technical Requirements: • Two-Factor Authentication • Business Intelligence • Encryption • Data Loss Prevention • Verification Services

Business Requirements: • Rights Management (Expiration Dates) • Limited Distribution (Ability to limit Users) • Ability to Audit Activities

Solutions: • Company Modified PaaS • Company Modified SaaS • Hybrid Cloud

Accountability: • Business Owner • Technical Owner • Process Owner

Stakeholders: • Legal & Procurement • Information Security • Architecture • Infrastructure

SAAS RESPONSIBILITY CLARIFICATION

Cloud Apps (SaaS) stack: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking

Cloud Apps have a shared responsibility at the Application layer: you are accountable for the user access functions, but overall app support (dev, MX, and MGMT) resides with the provider.

Administrative Tasks (Your Co.): • User Management • SOX • User Behavior Monitoring • Authentication • Authorization • Audit

Technical Tasks (Vendor): • Application Development • Application Upgrades • Application Management • Support

Legend: Your Co. / Vendor / Shared Responsible Party & Accountability

MULTITENANCY: HOW THEY MAKE THE CLOUD CHEAPER

A software architecture in which a single instance of software runs on a server and serves multiple tenants (or, in our situation, the sharing of a common cloud resource).

Risks: • Data Leakage • Insecure Configuration • Crossover from other Tenants

Benefits: • Lower Costs

Mitigation Strategy: • Isolated Resources • Security as a Foundation

API SECURITY (OR HOW MOST LARGE CLOUD HACKS HAPPEN)

These are application programming interfaces (APIs) used to build applications in the cloud computing market. Cloud APIs allow software to request data and computations from one or more services through a direct or indirect interface.

Risks: • Account or Service Hijacking • Insecure APIs • Known Vulnerabilities • Lack of Control

Benefits: • Customizable Services • Integration with Internal Systems

Mitigation Strategies: • Evaluate the type and strength of the API security features • Security as a foundation

CLOUD PORTABILITY

Cloud Portability and Continuity of Operations is a set of policies and procedures that help to assure that your services continue.

Risks: • Denial of Service • Vendor Lock-In • Un-Exportable Services

Benefits: • Peace of Mind • Structured Approach to BCP/DR

Mitigation Strategies: • Develop a Business Continuity Plan • Develop an Exit Strategy

CLOUD RELIABILITY

Cloud architecture is more complex and abstract than traditional on-premises computing architectures.

Risks: • Denial of Service • Risk is outside of your control • Skills Atrophy

Benefits: • Higher Level of Service at a Lower Cost • Redundancy, Load Balancing, Network Security

Mitigation Strategies: • Hybrid Cloud Option • Documentation

DATA ENCRYPTION

Protecting your data both at rest and in-transit.

Risks: • Vendor Lock-In • Un-Retrievable Data • Proprietary Tooling

Benefits: • Minimized Potential for Data Loss • Structured Approach for Data Management

Mitigation Strategies: • Establish an Independent Key Management Service • Develop a Data Security Strategy/Standard
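What "an independent key management service" buys you is easiest to see in code. The following is an added example, not code from the talk: it models envelope encryption in which the cloud provider (CloudStorage, a constructed stand-in) only ever stores ciphertext plus a data key that has been wrapped by a key-encryption key (KEK) held in a KMS you control (IndependentKMS, also a stand-in). The cipher itself (seal/open_) is a toy encrypt-then-MAC scheme built from HMAC-SHA256 so the example runs with the standard library alone; production code would use AES-GCM from a vetted library and an HSM-backed KMS. The example goes one step beyond the slide by showing revocation: deleting the KEK at the KMS leaves the provider holding every byte of your data and still unable to read it, which is the lever that addresses the vendor lock-in and un-retrievable data risks listed above.

```python
"""Envelope encryption with a customer-controlled KMS (constructed example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: concatenate HMAC(key, nonce || counter) blocks, truncate.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD stand-in for AES-GCM: returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()  # domain-separated subkeys
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises ValueError if the tag does not verify."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: ciphertext altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class IndependentKMS:
    """Customer-controlled KMS: KEKs never leave it, it only wraps and unwraps data keys."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "kek-" + os.urandom(4).hex()
        self._keks[key_id] = os.urandom(32)
        return key_id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return seal(self._keks[key_id], dek)

    def unwrap(self, key_id: str, wrapped_dek: bytes) -> bytes:
        if key_id not in self._keks:
            raise PermissionError(f"{key_id} is revoked or unknown")
        return open_(self._keks[key_id], wrapped_dek)

    def revoke(self, key_id: str) -> None:
        self._keks.pop(key_id, None)  # crypto-shredding: everything under this KEK is now unreadable


class CloudStorage:
    """Provider side: stores opaque blobs and never sees a KEK or any plaintext."""

    def __init__(self) -> None:
        self.objects: dict[str, dict] = {}

    def put(self, name: str, ciphertext: bytes, wrapped_dek: bytes, key_id: str) -> None:
        self.objects[name] = {"ciphertext": ciphertext, "wrapped_dek": wrapped_dek, "key_id": key_id}

    def get(self, name: str) -> dict:
        return self.objects[name]


def upload(kms: IndependentKMS, storage: CloudStorage, key_id: str, name: str, plaintext: bytes) -> None:
    dek = os.urandom(32)  # fresh data encryption key per object
    storage.put(name, seal(dek, plaintext), kms.wrap(key_id, dek), key_id)


def download(kms: IndependentKMS, storage: CloudStorage, name: str) -> bytes:
    obj = storage.get(name)
    dek = kms.unwrap(obj["key_id"], obj["wrapped_dek"])
    return open_(dek, obj["ciphertext"])


def demo() -> dict:
    """Upload, inspect what the provider holds, revoke the KEK; return what was observed."""
    kms, storage = IndependentKMS(), CloudStorage()
    key_id = kms.create_key()
    record = b"Alice,alice@example.invalid,DE"  # constructed sample PII row
    upload(kms, storage, key_id, "customers.csv", record)
    roundtrip_ok = download(kms, storage, "customers.csv") == record
    stored = storage.get("customers.csv")
    provider_sees_plaintext = b"Alice" in stored["ciphertext"] or b"Alice" in stored["wrapped_dek"]
    kms.revoke(key_id)
    try:
        download(kms, storage, "customers.csv")
        readable_after_revoke = True
    except PermissionError:
        readable_after_revoke = False
    return {"roundtrip_ok": roundtrip_ok, "provider_sees_plaintext": provider_sees_plaintext,
            "readable_after_revoke": readable_after_revoke}


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is the split of duties: the provider's storage API never takes a KEK as a parameter, so there is no code path by which the vendor, a co-tenant, or a subpoena served on the vendor alone can turn stored blobs back into data. Rotating or destroying the KEK is then a single call on your side rather than a migration off the vendor's proprietary tooling.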

SECURITY AS A SERVICE (CASB)

Cloud providers are beginning to offer security capabilities as a service. These services are both traditional (AAA) and non-traditional (cloud-to-cloud security).

Risks: • Improperly Positioned Services • Skills Atrophy • Proprietary Tooling

Benefits: • Higher Security Capability with a lower barrier • Ability to have a single security context across multiple vendors

Mitigation Strategies: • Security as a Foundation • Security Auditing

TRADITIONAL SECURITY MIGRATED TO THE CLOUD

Leveraging virtualized software, many traditional security vendors have brought cloud-based firewalls, IPS, reverse proxies, web application firewalls, and malware detection tools into many of the most popular cloud services.

Risks: • Improperly Positioned Services • False Sense of Security

Benefits: • Easier transition to cloud services for current staff • Ability to understand/visualize security posture

Mitigation Strategies: • Security as a Foundation • Security Fundamentals

INTERNATIONAL PRIVACY/COMPLIANCE RISKS

The Data in the cloud is still YOUR DATA. Liability of the data is not transferred away, ultimately, YOU ARE responsible for how the data is handled.

Risks: • EU / non-US resident data co-mingled • Data residing within countries which do not have treaties with the EU, Canada, etc.

Mitigation Strategies: • Ensure that location-specific services are enabled and that specific data centers are used to meet international privacy compliance (make sure that German data stays on German servers) • Leverage data centers that can handle both US and EU data privacy requirements, such as Canadian servers.

LEGALLY YOURS

REMEMBER: It is your data, how you use it is at your discretion.

No cloud provider will ever sign on as being 100% liable for your data, and you must prove how they failed.

You will only get your portion of your money back (think of something like tires or a mattress). The warranty is limited to unused services only.

The model of the cloud is built on shared services, so no self-respecting cloud provider will sign away their rights to you. Liability is limited, and at most they go out of business and walk away from the mess. You will own the mess, not them.

YOUR DATA IS YOUR RESPONSIBILITY!

SO WHERE DO WE GO FROM HERE?

Everything is moving to the cloud - it is really hard to find an industry that has no cloud presence. Don’t fight the kool aid now!

Containerization and portability will be the next big wave for enterprises in the cloud.

Although infrastructure in the cloud is becoming very mainstream, we have yet to see the cloud ‘killer’ app. If we look at things like Facebook, SalesForce, or Box, what we find is that they made it easier for a large number of people to do something that would previously have been more complex or cumbersome.

Automation is already hitting the cloud, but we have not truly embraced it.

Machine learning will make coding in the cloud even easier for the less technical and sharing data will be almost too easy or simple.

THE SINGLE, BIGGEST QUESTION TO ASK YOUR CLOUD VENDOR

Where does your security end and my security begin?

THANK YOU

I appreciate your time today during this session.

If you need to reach me, try here:

https://www.linkedin.com/in/therealfatherofmaddog

@fatherofmaddog

Columbus BSides Security Conference - January 16th, 2017

Due to my work/personal schedule, I cannot work for you (at least right now). Maybe some time down the road. Who knows.

I need to thank - John Sanders (Ent. Architect/CIO), the guys at Secure Idea, and the person that created Pizza as a Service - Albert Barron.