YURY CHEMERKIN
International Conference on Information Society (i-Society 2013)
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.chemerkin@gmail.com
Experienced in: Reverse Engineering & AV, Software Programming & Documentation, Mobile Security and MDM, Cyber Security & Cloud Security, Compliance & Transparency and Security
Writing: Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
Participation at conferences: InfoSecurityRussia, NullCon, AthCon, CONFidence, PHDAYS, CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec, ICITST, CyberTimes, ITA
Cloud Issues
Known Issues and Known Solutions (issue: solution)
Threats: Customization and best practices
Privacy: Crypto anarchism
Compliance: CSA, ISO, PCI, SAS 70
Legal: Typically US location
Vendor lock-in: Platform, data and tools lock-in
Open source / Open standards: Top clouds are not open-source
Security: Physical clouds are more secure than public ones
Abuse: Botnets and malware infections
IT governance: Depends on organization needs
Ambiguity of terminology: References to a wide range of services, solutions, etc.
What to do
Full rights and access to data
Isolation of data from other customers' data
Data encryption in transit, in memory and in storage (at rest)
Availability for recovery
Ability to securely destroy data when it is no longer needed
Who has access to data?
Data access that is logged and monitored regularly
Are there processes and notifications in place for incidents (including breaches) that affect data?
Appropriate security and configuration controls for data protection
Patching for the latest vulnerabilities and exploits?
Abuse
Abuse is not a new issue and is everywhere
AWS Vulnerability Bulletins serve as a kind of quick response; stay tuned
[Elcomsoft] :: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
Serious performance problems regardless of where the trusted/untrusted control agents are
Overloading the virtual OS by analyzing CPU commands and system calls
The overload is multiplied by known issues, best demonstrated in the GPU case (Elcomsoft, GPU cracking)
Vendors' general explanations, multiplied by general standards recommendations, are extremely far from transparency
Clouds call for specific levels of audit logging, activity reporting, security control and data retention
This is often not part of the SLA offered by providers, and it lies outside the recommendations
AWS often goes into detail in its architecture documents
AWS solutions are well placed to comply with old standards and specific local regulations such as Russian law
This helps vendors pass compliance more easily
It lets them avoid working out their solutions in detail and/or leave them badly documented
It lets them make many references to third-party reviewers under NDA (SOC 1 or SAS 70)
It is a bad idea to let vendors fill in such documents
They provide fewer public details and move them into NDA reports
It additionally requires using the CLI and API/SDK to reduce third-party solutions and to implement national crypto
It offers a pentest opportunity
DIFF (AWS vs. AZURE)
Information System Regulatory: AWS goes into detail on how to comply with it, which results in differences between the CAIQ and CMM mappings
Handling / Labeling / Security Policy: AWS details what customers are allowed to do and exactly how, while Azure does not
As opposed to AWS, Azure does not have a clearly defined statement on whether its customers are able to perform their own vulnerability tests
Retention Policy: AWS points to the customer's responsibility to manage data, excluding moves between Availability Zones inside one region; Azure ensures validation and processing of it and indicates historical auto-backup of data
Further topics compared: Secure Disposal; Information Leakage Policy; User Access, MFA; Baseline Requirements; Encryption, Encryption Key Management; Vulnerability / Patch Management; Nondisclosure Agreements, Third Party Agreements; User ID Credentials; (Non)Production Environments; Network Security Segmentation; Mobile Code
Nondisclosure / Third Party Agreements: AWS highlights that it does not leverage any third-party cloud providers to deliver AWS services to customers; Azure points to its procedures and the NDA undergone with ISO
User ID Credentials: besides AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CMM requirements, while Azure relies on AD to perform these actions
(Non)Production Environments: AWS provides more detailed how-to documents for achieving compliance
Network Security Segmentation: besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CMM, while Azure points to features built into the infrastructure on the vendor side
Mobile Code: AWS points its clients to be responsible for meeting such requirements, while Azure points to building solutions that track mobile code
[Table: control-by-control mapping for AWS without CE and with CE, rated for Compliance, Transparency and Elaboration with the values Y, None, prebuilt, poss., t.internal and p.internal (partly with references to control enhancement numbers). Controls covered, named as in NIST SP 800-53: Access Control Policy and Procedures; Account Management; Access Enforcement; Use of External Information Systems; Auditable Events; Audit Review, Analysis, and Reporting; Protection of Audit Information; Security Function Isolation; Denial of Service Protection; Boundary Protection; Architecture & Provisioning for Name/Address Resolution Service; Honeypots; OS Independent Applications; Protection of Data at Rest. Per-cell values not recoverable from extraction.]
[Chart: percentage values per control group; values not recoverable from extraction.]
[Chart: mobile permissions comparison, iOS vs. Android, by quantity of groups and total permissions; values not recoverable from extraction.]
CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY
The best handling of security & permissions among the clouds is by AWS
Most cases are not clear with regard to the roles and responsibilities of cloud vendors and their customers; some of these cases are not even clear on the type of background: technical or non-technical
CSA adds cross-references to other standards, such as NIST SP800-53, which increases complexity and the lack of clarity
NIST is more detailed and well documented, with cross-references, and AWS matches NIST more closely
Q&A
THANK YOU