Security & Risk Management Summit 2016. DGI Byen, 3 November 2016.
Supporting IT security in cloud solutions. Peter Sindt, Technical Team Manager. 3 November 2016.
What is Cloud Computing?
What is Cloud Computing? Common views: Cloud == Internet; it is just outsourcing; it is virtualization; hype and marketing; nothing new. Or: a completely new service model; *aaS = as a Service; on-demand / pay-as-you-go; flexible and scalable; an abstract notion of resources.
NIST - Definition of Cloud Computing: "Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."
http://www.nist.gov/itl/cloud/ http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
IT infrastructure evolution. Past: servers are standalone; limited mobility. Present: partly virtualization; partly mobile. Future: Cloud Computing; Mobile Enterprise.
Software as a Service (SaaS): Uses the provider's applications over the network. Examples: webmail, Salesforce, Google Docs. The user has no access to the underlying cloud infrastructure. Stack: Management; Virtual Machines; Hypervisor; Servers; Automation; Storage. Your data: your problem.
Platform as a Service (PaaS): The user's applications run on a cloud infrastructure. Examples: Google App Engine, Windows Azure and VMforce. Requires that the applications are developed with tools supported by the vendor. The user only has access to administer their own applications. Stack: Management; Virtual Machines; Hypervisor; Servers; Storage; Automation. Your application: your problem.
Infrastructure as a Service (IaaS): Access to processor, storage and network. The ability to allocate and manage all resources yourself; the user can run arbitrary operating systems and applications. Examples: Amazon Web Services and Microsoft Azure. The user has no access to the underlying cloud infrastructure, but has control over their own resources. Stack: Management; Virtual Machines; Hypervisor; Servers; Storage; Automation. Your servers: your problem.
Service models: shared responsibility. Columns: Private (On-Premise); Infrastructure (as a Service); Platform (as a Service); Software (as a Service). Layers in each column: Access control; Applications; Data; Security & Integration; Databases; Servers; Virtualization; Server HW; Storage; Networking. Legend: Managed by you; Managed by vendor.
Cloud solutions and technology. Platform as a Service (PaaS). Cloud security. Software as a Service (SaaS).
Out of sight, out of mind: 45%+ of Internet traffic is encrypted; 50% of attacks will use encryption to bypass controls by 2017; 80%+ of organisations with firewalls, IPS, or UTM do not decrypt SSL traffic. Source: NSS Labs. Source: Symantec. LetsEncrypt.org makes SSL free & easier to use.
Signatures are no longer enough: Network Breach Detection Systems help but miss traffic between off-network devices and SaaS services. 90% of malware is used only once. MS Office files with malware are used in 60% of targeted attacks.
Why do you need more security for Office 365? Exchange Online is designed and SLA-backed to catch 100% of known malware. But 90% of malware infects only 1 device. Only 10% of malware is known. Every customer needs a strategy to deal with unknown malware. If you bought a new home with a smoke detector guaranteed to detect 10% of fires, would you supplement it?
Who is responsible for security in Office 365? Microsoft is responsible for securing the infrastructure around Office 365. But you are responsible for your users and for the data shared via Office 365. Microsoft does not guarantee that your infrastructure is protected against unknown malware. We recommend that you consider whether the built-in security features in O365 meet your requirements and match your company's risk appetite.
Trend Micro Cloud Security: Trend Micro Cloud Security is a new product which protects Office 365 email and file sharing. Advanced Threat Detection: finds zero-day and hidden threats; sandbox file analysis in the cloud; web reputation for URLs in email/files. Data Loss Prevention (DLP): discovery and visibility into confidential data usage; DLP enforcement for cloud file sharing; 240 customizable templates. Direct cloud-to-cloud integration using vendor APIs. No user changes, email rerouting, or web proxy.
Trend Micro Cloud Security architecture: APIs over https; DLP, URL scan, malware scan / file risk assessment (Microsoft Azure datacenters); https; sandbox analysis: <2% of files (Trend Micro datacenters). All communications encrypted. No email/files stored. Quarantines located in customers' accounts for Office 365, Box, Dropbox, Google Drive.
How will you allow access to Office 365? Secure access to the cloud is a cornerstone of a secure solution. Are username and password enough? 2-factor authentication? Different access requirements for different users? Should the same framework be used both on-premise and in the cloud?
Adaptive access control: Require different login methods based on defined parameters: When does the user log in? From where does the user log in? From which device does the user log in?
Multi-Factor Authentication is already part of Office 365. It is limited to a code via SMS, or a phone call. It only works with Office 365.
Cloud authentication
Enterprise authentication: 2-factor authentication. Should it apply to everyone or only to the administrator? Token, grid card, certificate or SMS?
Trend Micro Deep Security: Intrusion Prevention; Anti-malware; Host Firewall; Web Reputation; Integrity Monitoring; Log Inspection.
MobileIron Access: Control Mobile Devices for Safe Cloud Access. Cloud service access control: can enable access control to enterprise cloud services such as Box, Google Apps for Work, Office 365 and Salesforce. Distribute Office 365 apps securely: configure the native email and PIM apps on mobile devices so they can connect to Office 365; securely distribute Office 365 apps to mobile devices through the MobileIron Apps@Work enterprise app store. Protect Office 365 data-at-rest on the device: enforce operating system containerization controls such as data separation, Open In restrictions, and selective wipe to protect Office 365 data on the mobile device.
Check Point vSEC: Advanced Cloud Security. Enable a Check Point Virtual Gateway in the Azure Cloud. Select desired protection levels.
The challenge of shadow data in cloud applications. Cloud Access Security Broker (CASB) solutions: monitor cloud services across solutions; discover shadow IT; detect dangerous user behaviour; monitoring and log analysis; DLP protection; cloud policies. The new EU personal data regulation: the duty to inform also applies to cloud.
Blue Coat Cloud Data Protection. Diagram labels: User Experience; Info Stored & Processed in the Cloud; Authorized Users; Blue Coat Cloud Data Protection Platform(s); Non-authorized Users; Direct Connection to Salesforce.com. Encrypt or tokenize data with strongest techniques. Preserve native cloud application functionality.
Hybrid web security: Hybrid integration with Blue Coat Cloud Services to secure mobile users, laptops, mobile devices, I, Android.
Zscaler: Your security stack as a cloud service. Zscaler built a perimeter around the Internet so you don't need to put a perimeter around every office. Single policy console: define policies by user, group, location; policy follows the user. Connect, Control, Secure: nothing bad comes in, nothing good leaks. Exploits, malware, APT, botnets. Global, real-time reporting: gain visibility into all of the applications, users, threats, and botnet-infected machines. Diagram labels: Internet and Cloud Apps; Zscaler; Mobile employee; HQ; Remote offices; Tunnel - GRE/IPsec. Simply configure the router or endpoint device to forward traffic to Zscaler.
CSA Top Threats for 2016 (ranked in order of severity per survey results): 1. Data Breaches; 2. Weak Identity, Credential and Access Management; 3. Insecure APIs; 4. System and Application Vulnerabilities; 5. Account Hijacking; 6. Malicious Insiders; 7. Advanced Persistent Threats (APTs); 8. Data Loss; 9. Insufficient Due Diligence; 10. Abuse and Nefarious Use of Cloud Services; 11. Denial of Service; 12. Shared Technology Issues. Follow-up to earlier research artifacts. Top Threats research plays a crucial role in the CSA research ecosystem. The report provides organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.
Is the cloud safe to use? Maybe. Who is responsible for your IT security in the cloud? Can you achieve the desired security, and how? Who can and may access your data? How important is it for you to know where your data is located? Can you comply with applicable compliance requirements? Familiarize yourself thoroughly with the challenges and limitations of each individual solution. Cloud is not a silver bullet in itself. Remember that your company is itself responsible for protecting data against unintended use and sharing. Be prepared! IT security breaches happen, so have a plan for incident response. Dubex A/S can help prepare a risk assessment before you migrate to a cloud service.
What can you do when you get home? On Monday: consider whether you have the necessary security and visibility for securing cloud and mobile users. Next week: ensure that the risk assessment covers the specific solutions in use, including SSL and the use of cloud applications and functions. Next month: find out whether the mechanisms described in the risk assessment reflect the technical solution, and implement solutions where they are missing.
Thank you! Peter Sindt, psi@dubex.dk