Security of End User based Cloud Services Sang Young


Security of End User based Cloud Services Sang Young Chairman, Mobile SIG Professional Information Security Association sang.young@pisa.org.hk

Cloud Services you can choose: Social Media, Business Applications, Productivity Applications, Email, Agile Infrastructure, Website Hosting, Mobile Enablement, Storage, Centralized. Reference: http://cloud.cio.gov

Graphic source: http://upload.wikimedia.org/wikipedia/commons/thumb/b/b5/cloud_computing.svg/848px-cloud_computing.svg.png

Cloud Services Characteristics: zero capital investment; zero maintenance cost; on-demand self-service; rapid elasticity and scalability; ubiquitous network access.

Well-known Cloud Services: Dropbox, Evernote, Google services, Microsoft Office 365, Apple iCloud, etc.

Threats in Using Cloud Services: client tool; authentication; data transmission; data storage; availability.

Cloud Service Clients: web browser; customized client (Windows, Mac OS X, Linux, etc.), e.g. the Dropbox and Evernote desktop clients; mobile apps.

Security depends on the Web Browser: operating system security patch level (Microsoft Windows, Mac OS X, Linux); user privilege on the PC (Administrators, Power Users, Users); which browser (Chrome, Firefox, IE, Safari); browser version and security patch level; browser configuration.

Security depends on Customized Clients: operating system patch level; user privilege on the PC; client configuration; vulnerabilities in the cloud service client itself, e.g. the issue of %APPDATA%\Dropbox\config.db in Dropbox (the file held a host identifier that authenticated the client without a password, so copying it to another machine gave access to the account); e.g. the weakness that let hackers steal usernames and passwords from Evernote.

Mobile Apps Security depends on: platform (iOS vs Android); whether the device is jailbroken or rooted; any vulnerabilities in the apps themselves, e.g. Dropbox for Android allowed other apps to access its content database, letting an attacker upload your files to a public location.

Authentication: authentication methods; password-based authentication alone may become insufficient; the evil of "Save Password" and automatic login: how securely are the credentials stored on the client computer?

Data Transmission: protection in data transmission; communication encryption: HTTPS (check the web browser's address bar and certificate when using a cloud service); how about the client application? how about the mobile apps? (you cannot see whether they validate the server certificate).

Security Controls: encryption: what type of encryption? how are the keys managed (and who holds them)? Data Storage: is encryption at rest enabled?

Communication Availability: the reliability of your network connection (dial-up, broadband, Wi-Fi, GPRS/EDGE/3G/HSDPA/HSPA+/LTE/LTE-A); bandwidth considerations; latency considerations.

Service Provider Availability: technical problems (network outage, servers down, storage system down, service malfunction); information security incident; provider goes out of business. Can you migrate your accounting data from one provider to another? (hint: there is no standard data format in the cloud computing world)

Availability incidents in cloud-based infrastructure: Feb 2009: Gmail outage for 2.5 hours; Mar 2009: Microsoft Azure outage for a day; Jun 2009: Amazon EC2 outage for 4 hours; Apr 2011: Amazon EC2 outage for 3 hours.

Availability of Microsoft Office 365: Sep 2011: an outage that included Microsoft Office 365, Hotmail, SkyDrive and Live Services.

Availability of Apple iCloud: Nov 2011: the Apple iCloud service was not available for some users.

Security Incidents of Cloud Services: Oct 2009: T-Mobile lost all customer Sidekick data; Apr 2011: Epsilon, customer data were stolen by hackers; Jun 2011: Dropbox allowed any password to be used to access any user account (for about four hours).

Security Incidents of Cloud Services: Nov 2013: Instagram, the photo sharing service, had an outage; Facebook had a partial outage that affected timeline and page contents; WhatsApp: a change of daylight saving time crashed the platform. More incidents at: http://cloutage.org

Cloud Incident Categories: AutoFail, DataLoss, Hack, Outage, Vulnerability.

Countermeasures, Authentication: use two-step verification, so that a stolen or guessed password alone is not enough to log in.

Data Transmission Countermeasures: use an encrypted channel (e.g. secure Wi-Fi only, or a VPN on networks you do not trust); HTTPS, with the server certificate actually validated by the client.
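The question raised earlier (does the client application or mobile app validate the server's certificate?) and the HTTPS countermeasure above come down to how the client's TLS context is configured. The following added example (not code from the slides or from any real client) shows the weak configuration that client apps often ship with next to the hardened one, plus a small audit function that reports the difference; all names are this example's own.

```python
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """The context a cloud-service client should use: system CA store, certificate
    required, hostname checked, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The anti-pattern: a client that 'fixes' a certificate error by turning
    verification off. It still speaks HTTPS, but any on-path attacker (for
    instance on open Wi-Fi) can present its own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (minimum_version below TLS 1.2)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("weak:    ", audit_context(make_weak_context()))
```

The hardened context is what you pass to `http.client.HTTPSConnection(host, context=ctx)` in your own client code. For a closed-source desktop client or mobile app you cannot audit this way, the equivalent check is whether it refuses to talk through an interception proxy that presents an untrusted certificate; an app that keeps working is not validating.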

Data Leakage Countermeasures: encrypt before upload (e.g. password-protect a file using Zip; note that the legacy ZipCrypto scheme is weak, so use a tool that offers AES-256 such as 7-Zip, or a dedicated encryption tool). The provider then stores only ciphertext and never sees the key.
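The "Security Controls" slide asks what type of encryption is used and how keys are managed, and the countermeasure above is to encrypt before uploading so the answer to both questions is under your control. The following added example (not code from the slides) is a minimal encrypt-before-upload tool: the key is derived from a passphrase with scrypt and never leaves the machine, the file is encrypted with AES-256-CBC, and an HMAC-SHA256 tag is checked before anything is decrypted, so a tampered download or a wrong passphrase fails cleanly. It assumes the `openssl` command-line tool is on PATH for the AES operation; the container layout, the `EBU1` tag and all function names are this example's own.

```python
import hashlib
import hmac
import os
import subprocess
from typing import Tuple

# Constructed container layout for this example ("encrypt before upload", v1):
#   MAGIC(4) | salt(16) | iv(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32)
MAGIC = b"EBU1"
SALT_LEN, IV_LEN, TAG_LEN = 16, 16, 32
HEADER_LEN = len(MAGIC) + SALT_LEN + IV_LEN


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """scrypt stretches the passphrase (memory-hard, so offline guessing is slow);
    the 64-byte output is split so the cipher key and the MAC key are independent."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def _aes256cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Assumes the `openssl` CLI is on PATH; raw key and IV are passed via -K/-iv."""
    cmd = ["openssl", "enc", "-aes-256-cbc", "-K", key.hex(), "-iv", iv.hex()]
    if decrypt:
        cmd.append("-d")
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC: the tag covers the header too, so salt/IV swaps are detected."""
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = MAGIC + salt + iv + _aes256cbc(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong passphrase or a
    tampered byte fails here, never as a padding or decryption error."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an EBU1 container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    iv = body[len(MAGIC) + SALT_LEN:HEADER_LEN]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong passphrase or file tampered with")
    return _aes256cbc(enc_key, iv, body[HEADER_LEN:], decrypt=True)


if __name__ == "__main__":
    # Constructed sample file contents; in practice read the file to upload.
    sealed = seal(b"Q3 accounts: revenue 1,204,000; payroll 377,500", "correct horse battery staple")
    with open("accounts.ebu1", "wb") as f:    # this is what goes to the cloud
        f.write(sealed)
    print(open_sealed(sealed, "correct horse battery staple"))
```

Two design choices matter here. A random salt per file means the same passphrase gives different keys for every upload, so the provider cannot tell that two blobs share a passphrase; and the tag is checked before decryption, which is what a "password-protected Zip" does not give you. Key management reduces to one question: where is the passphrase kept? If it is only in your head or a local password manager, the provider genuinely cannot read the data; if it is also stored with the provider, the encryption protects against nobody but an outsider.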

Leverage Security Controls: they differ among cloud service providers. Providers give you security functions and features; they do not configure them for you. You take primary responsibility for securing your own data and accounts.

AWS Checklist published by Amazon: http://media.amazonwebservices.com/aws_auditing_security_checklist.pdf

Conclusion: cloud services are still in the stone age. Encrypt your data, if possible, before uploading it to the cloud service provider. Encrypt your communication traffic (HTTPS / VPN). Keep a local copy of your data for backup purposes. Have a contingency plan for an Internet connection outage and for suspension of the provider's service. Consider the reputation of providers. Keep your cloud service clients up to date. Use strong passwords and turn on two-step verification.

About PISA: a not-for-profit organization for local information security professionals, focused on developing the local information security market with a global presence in the industry.

Mission: to facilitate knowledge and information sharing among PISA members; to promote the highest quality of technical and ethical standards in the information security profession; to promote best practices in information security control; to promote security awareness in the IT industry and the general public in Hong Kong.

Contact PISA: web site: http://www.pisa.org.hk; membership information: http://www.pisa.org.hk/membership/member.htm