The Cloud Security Alliance held its 2013 Congress here in Edinburgh – and I had the privilege of attending the pre-conference symposium on 24 September which focussed on the specific risks that exist within the public and private sectors in the UK. The event aimed to integrate activities and to outline the opportunities and risks that exist within Cloud infrastructures.
This is a quick and dirty blog post that summarises my notes, so bear with me. These are my notes – and may reflect my misunderstanding of what the speaker was saying. If something sounds wrong, it’ll be my mistake.
I’ll just run through the speakers in turn. If I’ve got anything wrong – please tell me and I’ll make the fixes! Or post a comment…
Cloud: the future, risks and training
First up was Bill Buchanan (@billatnapier), Professor of Computing at Edinburgh Napier University.
Bill introduced the day by talking about the evolution of the cloud from standalone technology, and the new security issues it raises. He praised the strength of the IS sector in Scotland.
He sees issues arising from the emerging ecology of mobile, cloud, personal cloud, identity provision devices and services – and the big data resources that these create. Companies have to be aware of the risks involved – and how they would be managed and balanced against requirements: new cloud-based risks include exposure to international criminals and also hacktivism (for controversial companies).
However, security training is still weak – as often is engagement from industry and law enforcement bodies, often due to lack of access to resources. This is why Edinburgh Napier University is looking at creating a community cloud which can allow sharing of application licenses for training in cloud security – and which would also allow remote training. Funding for Edinburgh Napier to provide this is coming – more announcements soon.
During questions, discussion turned to ethics: to Bill, part of developing the students is to change attitudes from the idea of being a “hacker”, to an awareness of the need to work within clear boundaries.
Security: are we in the cloud
DI Eamonn Keane of Police Scotland explained that the police are working in the context of difficulties obtaining evidence to support criminal prosecutions – for blackmail or robbery. Two recent great examples of the need for this are the Santander and Barclays cyber-raids.
It’s important to be clear about the distinction between cybercrime – crime focussed on the technology, i.e. manipulating equipment or systems – and cyber-enabled crimes, which use technology to assist what have always been crimes such as robbery and blackmail – and child abuse. In an environment of shrinking budgets, there’s competition for resources with colleagues dealing with ongoing conventional law and order issues – such as street crime.
A big challenge for policing is organised crime – this is no longer (just) local drug dealers but international fraud or attacks. Cloud is relevant here: Cybercrime as a Service is starting to emerge. There is also still a feeling that the police are playing catch-up with the new generation of digital natives (a “lost generation”) in teaching them the values that help them navigate the online world safely and lawfully.
On the other hand, from the point of view of the police, it is not all bad: Facebook can provide key information to help investigations. And (importantly) big companies are now starting to work with the police.
Police Scotland is working with Edinburgh Napier University and other bodies to encourage employability and soft skills – eg running Cyber Security Challenge in Scotland; apart from anything else, this helps promote Scotland PLC.
Cloud security and privacy
Alan Jewsbury focussed on the areas that had not yet been covered. He started by discussing the implications of the trust of third parties that’s inherent in Cloud services – these networks of interactions create new areas of uncertainty and risk.
One (probably the most sensible?) business response is to operate in an “assumed state of compromise” – the question is then, how is this managed and the risks contained. Both technical and business processes have to be considered.
A key stat: half of organisations with externally hosted services believe these are critical – and still need to be controlled. But instead of having direct access to the system, management now has to be through a contract – which means businesses don’t have direct management of the controls over their key information assets and have to resort to legal/administrative processes.
Clearly, information security can’t be an excuse to block or stop development but at the same time, risk management is needed and should cover the four areas of commercial risks, information security risks, governance risks and (this is new) risks from the transition of data to/from the home network.
This often implies a blurred line and loss of control. There is a lot of unstructured, uncontrolled (and shared) data out there in an organisation – never mind in the cloud. How to manage uncontrolled cloud sprawl? How to manage the legal issues?
A different approach to assurance is needed – and it needs to work for SMEs as well as the corporates. (I guess more risk-based).
Update 7 October:
- Alan has now sent us a PDF of his presentation which can be downloaded: Alan Jewsbury – Cloud security and privacy.
- Another useful resource: the PwC Global Information Security Survey 2014
Cloud security – exploring the risks associated with use of the Cloud
- Availability (can you connect, are you at risk of DoS/blackmail)
- Access (who has it but shouldn’t, eg to maliciously create chargeable activity)
- Location, jurisdiction and legal issues (Interesting aside: do Americans appreciate the legal implications of transferring data from EU to the USA?)
- Ensuring destruction of old data.
As an example of the issues that can arise, David discussed a model of a private cloud service that automatically scales up to use Amazon EC2. Although easy to write, this sort of application doesn’t take into account risks with data or app being served – such as confidentiality or EU Data Protection/Safe Harbor issues.
Another good example of the sorts of issues that cloud services raise: Dropbox has very recently been demonstrated to be scanning all uploaded Word documents; this is only for producing document thumbnails, they say, but the implications are obvious. It is possible to encrypt files (eg using BoxCryptor) but businesses should also be aware of the implications of their file-naming conventions. (This is similar to Gmail being read by Google for advertising purposes – Google bans encrypted content from its free services.)
For me, the highlight of the talk was David demonstrating the result of a scan of GitHub for private keys (they found 216000!) – and then using them (potentially) to access AWS servers: malicious exploitations could range from bring up/tear down scripts to create huge fees for the target to (worse). GitHub could also be exploited by backdooring the development code through unauthorised submissions.
Update 4 October: David Stubley has blogged on contents of his talk on the 7Elements site here.
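As a defender’s counterpart to David’s GitHub finding, here is an added example (my own, not 7Elements’ tooling or anything from the talk) of a small pre-commit style scanner that flags AWS access key IDs, AWS secret keys and PEM private keys in text before it is pushed. The detector names, the sample config file (using AWS’s published example credentials) and the redaction helper are my constructions, and the secret-key pattern is a heuristic.

```python
import re
from dataclasses import dataclass

# Detector names are my own; the patterns follow publicly documented
# formats (AWS access key IDs are 20 chars beginning with AKIA; PEM
# private keys open with a BEGIN ... PRIVATE KEY header). The secret
# access key pattern is a heuristic: a "secret...key" label followed
# by a 40-character base64-style token.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[_ -]?(?:access[_ -]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str   # never log the full secret, only its edges

def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"

def find_secrets(text: str) -> list:
    """Scan text line by line and return one Finding per matched secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(line_no, kind, redact(secret)))
    return findings

def is_clean(text: str) -> bool:
    """True when nothing that looks like a credential was found."""
    return not find_secrets(text)

# Constructed sample of a mis-committed config file; the key values are
# the placeholder credentials from AWS's own documentation, not real keys.
SAMPLE = """\
# constructed sample config (example values only)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
region = eu-west-1
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...constructed...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Wired into a pre-commit hook, a non-empty result from find_secrets() is enough to block the commit and prompt a key rotation.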
Insider threat detection authentication and other novel applications of computer usage data
He started by talking about the fallout from Snowden’s NSA leaks. From the NSA’s corporate perspective, Snowden was a security-cleared consultant working as a contractor for Booz Allen, an outsourced company. He was given sysadmin rights and broke the trust placed in him. Similarly, Bradley/Chelsea Manning had misused access to diplomatic cables as a result of the post-2011 Total Information Awareness decision and the removal of controls over access to data.
I would argue that leaks and whistleblowers are inevitable (eventually) in organisations that operate in an ethics- and compliance-free environment (both leaks were motivated by a desire to highlight illegal activity). But this wasn’t the point John was trying to make. John sees whistleblowers in terms of “insider threats”, not ethical or governance failures. But back to the plot:
Anyway, some stats: two thirds of security failures are due to insiders; around half of the failures are accidental – but half are malicious – and it takes an average of 416 days to find the breach (2010, US Secret Service).
So what to do to find these malicious insiders (in a US context at least)? Polygraph is not the answer – people can be trained to fool it – and it’s fooled by stimulants like caffeine! Tech solutions like log analysis don’t work either, except for post-hoc forensics investigation into what went wrong.
Polygraph tests are very expensive (4 hours long) so in effect used once only: once you’re employed. Background checks are generally not repeated, even at risk points (such as promotion).
Howie’s answer: the ADMIT project which monitors a user’s mousing behaviour while answering an online quiz – which gives companies benefits in reduced costs and risks from employees.
A possibly more interesting extension of the idea is as a continuous authentication tool: a user’s interaction with a computer can uniquely identify individuals – detection takes about 1 week before the level of certainty is high enough. The tool can also pick up deviations from normal behaviour, though John admitted it is difficult to distinguish stealing data from coming out of a bad meeting. There are medical opportunities too: for instance, it is possible to pick up early stages of a motor-neuron disease or diabetic insulin shock.
In questions, John confirmed that this technology is seen as similar to polygraphs, so raising no new ethical questions. I’m not so sure.
IPv6 security in the cloud
Neil Anderson of Farrpoint (@NeilTAnderson) talked about a long-brewing issue (it’s up there with climate change). Although most operating systems are now IPv6 aware, the internet is still (after almost 20 years!) in the early days of the migration, with individual nodes moving to IPv6 based on their business requirements. At some point though, IPv4 will cease to be the default, and cloud infrastructures need to be prepared for this.
Growth of IPv6 in the UK is very low – especially in comparison to Germany, France and the USA. This is down to lack of (UK) government support and low interest by service providers. The result is that it’s difficult to get native IPv6 connectivity – even for large consumers like the Scottish Government, which has been trying to procure an IPv6-based WAN. Instead of moving to IPv6, ISPs are moving to carrier grade NAT, which allows thousands of users to share a single IPv4 address – unfortunately it can appear like a DoS attack to the serving.
Cloud providers such as Amazon don’t support IPv6 either. People are nervous because the internet is now business critical and vendors are afraid of failure.
Security toolsets are now being developed for IPv6, which has support for IPSec and related security standards. Meanwhile, IPv4 tunnelling has a (security) performance impact, as data needs to be inspected twice.
There is one positive IPv6 cloud-related story: it’s possible to use virtual networks to test management of IPv6 configurations.
Confession: if I skipped over some of the more technical points Neil was making, put that down to my ignorance of TCP/IP.
Update 26 September: Farrpoint have now posted their own version of this here.
PDF of the presentation: Neil Anderson – IPv6 Enabled Clouds – Security Considerations and Opportunities
Looking beyond the silver lining: a pragmatic look at cloud security
The final talk was by Rafe Pilling of Dell SecureWorks. I had run out of typing mojo by this time, but some points:
- One impact of the integration of cloud services is the disappearance of the network perimeter: as organisations outsource the ownership and operation of hardware and software stacks they need to place primary focus on securing and protecting their data. This means moving from a hard shell / soft centre (armadillo) model to a soft shell / hard centre (avocado) model.
- Consider the Cloud a less than benign place and think about how your data is and should be protected. That is, cloud adoption places even greater emphasis on risk assessment, auditing, secure development and security testing to allow organisations to gain assurance that their data is safe.
- Incident response and digital forensics can be significantly more challenging with Cloud providers in the mix and this should be thought out and explored before an incident arises
- Bad guys use Cloud as much as enterprises. Cloud provides a whole range of opportunities from Cyber-crime business models to Cyber-espionage and Intellectual Property theft.
- By compromising corporate email accounts, bad guys can gain access to a range of Cloud SaaS offerings using password resets. The light touch on the victim organisation’s infrastructure means there is a very limited opportunity to detect this before it is too late.
- Bad guys use SaaS models for exploit hosting and delivery, malware distribution, web traffic delivery, botnets, spam distribution and DDoS attacks.
- Prevention means focusing on the vulnerabilities and exposures in how the enterprise uses cloud services: being aware of blind spots and taking steps to collaborate with cloud providers to ensure security is addressed at all layers of the stack.
Rafe pointed out that Amazon sets a good example for security testing of cloud services: it allows use of most tools other than DoS or other resource exhausting tests. It just needs a simple form to be completed in advance.
PDF of presentation: Rafe Pilling – Clouds beyond silver lining
This section was updated with content from Rafe on 4 October.
Every talk had something new or challenging for me to consider. I came away from the seminar with two major thoughts:
First: there is clearly a need for a whole new set of ways of thinking about the risks that confront organisations in the transition to and from the cloud. Everyone has their own framework… students will need to be able to navigate the language and concepts involved.
Second: the importance of ethics – not just for individuals (students transforming into responsible professionals) but at the corporate level – creating an organisation with a secure environment implies that the stakeholders have to share common positive (ethical) values.
I hope the main congress is as interesting. I wish I had the free time to attend!
Update 4 October: The related IIDI news item has some further links.