Into the Cloud & Other Horror Stories. Michael F. Angelo - CISSP, CRISC

Transcription

1 Into the Cloud & Other Horror Stories Michael F. Angelo - CISSP, CRISC

2 About Me Doing formalized Threat Modeling over 15 years thousands of models Doing Threat and Security Analysis over 30 years Doing security in some way shape and form forever

3 Agenda How we got here Threats and models Short Term Solutions The World is Changing

4 How we got here Need to optimize expenditures (reduce cost while increasing performance of technology).

5 Enter the Cloud 90% of organizations are using a cloud service Cloud services include Office 365 or G suite AWS, Google Cloud and Azure

6 More Cloud Stats Yahoo 1 Billion Equifax 143 Million LinkedIn 167 million accounts Dropbox 68 million accounts Home Depot 56 million credit cards Verizon 14 million customer records Accenture, Time Warner Cable, Uber

7 Threats Cloud Stats (EU Breaches) Greenwich University Cambridge Analytica APT15 target UK military contractor Uber users compromised Equifax UK (14 million names / data of Birth UK) Cash Converters London Bridge Plastic Surgery clinic Deloitte CEX/WeBuy Wongo

8 Oopsss

9 Threats and Models - Technology / Usage New Tech Bug Fix Perf Bug Fix Feature Bug Fix Perf Threat Security Cycle

10 Threat Cycle Threat Usage change mitigation New mitigation New threat New threat new mitigation Mitigation Threat Threat mitigation Usage Change New threat new mitigation

11 Threats to Cloud - CSA Top Data Breaches 2. Insufficient Identity, Credential and Access Management 3. Insecure Interfaces and APIs 4. System Vulnerabilities 5. Account Hijacking 6. Malicious Insiders 7. Advanced Persistent Threats 8. Data Loss 9. Insufficient Due Diligence 10.Abuse and Nefarious Use of Cloud Services 11.Denial of Service 12.Shared Technology Vulnerabilities

12 TM - Storage as a Service Users put files on Cloud Service Administrators, operators, and hackers could access files Solution: Encrypt files before upload J

13 TM: Company Just moved to cloud Where is my cloud? Can my cloud migrate? Where can it migrate? Who has access to my cloud?

14 TM: Company in the Cloud

15 TM: Software as a Service Request Software Software Software downloaded to your environment.

16 TM: Software as a Service Send Data Visualize Software started up Send Data

17 TM: Truisms After 12 years, 95% of all cloud issues can be taken care of with basics (see CSA guidelines) Don t forget basic configuration!! Each cloud implementation has its own risks Risks must be weighed vs potential harm to company

18 Short Term When looking at the Cloud ask Questions What do you mean by the Cloud? How do we set it up? What type of cloud? How is it Partitioned / Am I sharing the cloud? Where is my [cloud,data,processing] located Where can it [cloud,data,processing] migrate Who is responsible for protecting it and how Who is in control What are the risks? Customer Data / Proprietary Information

19 The World is Changing - Cloud IoT What could go wrong?

20 The World is Changing Would you put data in the cloud? GDPR Requires you to protect Employee & Customer PII Cloud Act (US) Requires US Entities to hand over on government order

21 Getting there from here here There

22 The Last Slide Remember Security trumps privacy Better, faster, cheaper trumps security. Until some one gets caught Security incidents are not free Don t be afraid to ask: What can go wrong and how can it be mitigated Finally, If you can t mitigate it, think twice about doing it

23 I Lied..

24 Thank You Michael F. Angelo @mfa0007 more background look at "Michael F.Angelo" AND Security