Bil Harmer - Myths of Cloud Security Debunked!

Editor's Notes

• #3: Why are there so many myths about the Cloud? Marketing. Everything today is called cloud. Take away “how” something works and focuses on the benefits. Example: flying an airplane. All the things needed to actually make sure the flight is good. We don’t care. We just want to get from point A to point B. We can do our own due diligence, check facts but once you establish that you just want the service.
• #4: Shadow IT has become an unstoppable force. Don’t need IT to get this going Runs on HTTP/HTTPS Visibility is the first thing they need. File storage – Box, Dropbox, OneDrive + Productivity – Office365, Google Apps + Sales – Salesforce + Development – GitHub Important for CISO to understand what’s being used and know what cloud based apps are in place. Caution against dictatorial response. Need to move away from being the office of “yes / no” and get to an “yes and here’s how” Manage and Monitor Controls and processes to help enable applications that support the users and to not substantially expand or alter the existing risk profile Gartner projects IaaS to reach an annual compound growth rate of 29.1% Cloud Analytics to grow from $7.5B in 2015 to $23.1B in 2020 According to Skyhigh’s Cloud Adoption and Risk Report the average company is using 923 Cloud services. Elastica found that, on average, 2,037 files per user are resident on cloud file sharing solutions
• #5: Contrast Office to Office365 client based to cloud base app. Still have control over your data. Location should not be defining your level of control Interoperability or some form of standard data export should be part of the tool in order to ensure portability. Regulatory requirements can be a deal breaker.
• #6: All have suffered in the last 24 months RAM scraping malware – Target, Home Depot, Michael's Stolen admin credentials – JP Morgan, OPM Trusted partner – Target (Fazio), OPM (Keypoint) Known Vulnerability – Home Depot “We sell hammers” – Home Depot One benefit of the cloud is the economies of scale. Cloud vendors can invest in much better security, higher level of security because they are in the business of securing data.
• #7: Patching is your responsibility Patches may not be available SSL Heartbleed – OpenSSL heartbeat information leakage 2048 bit SSL NIST mandated that all SSL certs issued after Jan. 1, 2014 offer no less than 2,048 bit encryption Impact Intensive processing cycles. A four fold increase in the load on the existing Web Security Appliance A noticeable decrease in network performance (4 fold performance hit) Requires additional hardware appliances POODLE - Padding Oracle On Downgraded Legacy Encryption – MiTM allows obtaining plain text from the intercepted TLS FREAK - Factoring RSA Export Keys - degrade the strength of the encryption used in SSL/TLS connections - VM VENOM – Virtualized Environment Neglected Operation Manipulation - QEMU vuln.in Floppy Disk Controller (FDC), allows a local guest user in affected virtualized platforms to escape from the virtual environment and execute code on the host BASH Shellshock - GNU Bash environment command injection Ghost - Ghost remote code execution in glibc – heap based BO
• #8: Cloud elasticity. One of the big benefits Yes, you can scale on-premise solutions by purchasing more and/or larger appliances, but doing so can be costly and complex. Plan for anticipated demand versus plan for actual consumption Peaks times versus usage Cloud you only pay for what you use. Growth on prem may need re-architecture, Loadbalancers, rerouting. Includes loaded costs, people, process to manage. Growth of a company, or remote locations and home users. Appliance vendors don’t just sell one thing.
• #9: Myth is driven by not having used the solutions. I would argue the exact opposite is true. Appliances are typically running in multiple locations, run by multiple people and it’s your responsibility to get all that information back into one place to manage. As a consumer you have one pane of glass into your data. Caution Ensure that that cloud doesn’t become a silo. Data Portability needs to be addressed. How do you get that data out so it can be included with alternate security workflows. Again you don’t have to manage the patching and maintenance of the solution Expanding capabilities: Add a box. What SSL Decrypt? Add another box, Sandbox? Add another box. Cloud – pay a license and have it turned on. Burden is on the vendor not you because they manage the solution Re-iterate: It allows you to shift from managing and maintaining to leveraging them.
• #10: Driven by the fact that it’s in the in cloud. If it’s on prem I can control who accesses it. You have to a have a bigger attack surface because you’re on the internet? Right? Verizon data breach report shows insider threat as the highest risk Onprem likely to have less security and no encryption. OPM Breach - Data was not encrypted Typically to address today;s workforce demands it gets exposed either through a web app or through a VPN or other remote access. VPN’s can create it’s own problems. Typically run split-tunnels and it puts the user ON the local LAN with full LAN access. Not typically restricted by port, protocol and address. Cloud vendors can better invest in security because of the economies of scale. Larger security teams, robust infrastructure because this is what they do
• #11: Multi-tenacy gives us the elasticity. Cost savings because we use everything, CPU, Storage, networks because multiple customers using the same physical resources. Theoretically you could break through the logical segmentation and see your neighbor's information. Hypervisor attacks are rare. No example that I can remember. More typically we are seeing attacks through more pedestrian ways. Admins with shared or compromised credentials, Known vulns are sent in spear phishing attacks If we are going to focus resources based on probability of attacks this not how they would get in. The other option would be to gain access to one tenant account and try to jump to another tenant. Potentially going through the management layer. It should be separate and managed appropriately. This is where a you as a consumer need to ask questions, need to validate what a vendor does. This is how trust gets established! What do you do? BGC’s? Who can see my data? Is the data encrypted?
• #12: Many ways to gain transparency. Just plugging an appliance into the wall doesn’t give you transparency. No access to source code etc. Location doesn’t equate to transparency. Online resources like trust.salesforce.com. Shows you everything about their clouds. We have our own version trust.zscaler.com See the status, outages, common vulns has it effected us, have we done anything about it? We want to be very open. This is how we establish trust. We want them to know that a node went down, they didn’t notice be want them to know. SLA’s also help. $$$ repercussions. Should be open about policies and procedures. BCG’s, ISO/SOC attestation. What do you have and what can you show me. Do not make the assumption because they are an established vendor you don’t have to ask these questions You cannot outsource RESPONSIBILITY! Certifications are the baseline. How would you expect the solution to be run in your environment? Use the cert as the baseline (could answer 80% but u need to ask the rest) You may need to have right to audit included in your contract or other conditions that help ensure you have transparency The environemnt must be equal or better to what you would have had in house.
• #13: Most enterprises are not in the business of building IT team or Security teams. They are cost centers. No unlimited $$$ Cloud bring economies of scale. A cloud vendor offline for 15 mins is devastating it is showing up on the front page of the paper.. A cloud vendor breached and the trust evaporates immediately No choice but to invest heavily in their security teams Cloud vendors live and die by their reputations. Security researchers aren’t cheap, trust me, there is scarce shortage of talent. A security vendor can afford to have that in their HR budget. If an appliance goes down one of the best and most expensive SLA you can get is replacement hardware in 4 hours. Imagine a Cloud vendor down for 4 hours. The only other option is to run enough capacity to allow something to fail without your user population seeing it. That also becomes very expensive. And again we’re back to the economies of scale. When was the last time you built an in-house solution and your IT team gave you an SLA?