Cloud Security and Bring Your Own Device (BYOD) Security

Information Security 365/765, Fall Semester, 2016 Course Instructor, Nicholas Davis, CISA, CISSP Lecture 11, Cloud Security and BYOD

Transcript of Cloud Security and Bring Your Own Device (BYOD) Security

Page 1: Cloud Security and Bring Your Own Device (BYOD) Security

Information Security 365/765, Fall Semester, 2016

Course Instructor, Nicholas Davis, CISA, CISSP

Lecture 11, Cloud Security and BYOD Security

Page 2: Today's Chocolate Bar: 100 Grand

100 Grand Bar (formerly known as the $100,000 Bar, spoken as "hundred thousand dollar bar", until the mid 1980s) is a candy bar produced by Nestlé in the United States. The candy bar was created in 1966, and named after a series of successful game shows. It weighs 1.5 ounces (42 grams) and includes chocolate, caramel and crisped rice. The bar contains 190 calories; it is low in cholesterol and sodium, but high in saturated fat and sugar. Its slogan is "That's Rich!"

The mini 100 Grand bars we are eating today in class are 93 calories each!

05/01/23 UNIVERSITY OF WISCONSIN 2

Page 3: Today's Agenda

• Exam 2, proposed date, November 17, instead of Thanksgiving week.
• Turkey, stuffing, mashed potatoes and pie are more important than an exam!
• However, you may make alternate arrangements if November 17th does not fit well with your schedule. See me after class.
• Cloud Security
• BYOD Security
• Written assignment #4 is assigned
• Distribution of list for team project work

Page 4: Why are We Covering Cloud and BYOD Together?

Let's Discuss the Technical Specifics of What Could Have Happened

Page 5: In My Opinion

• Probably NOT Huma's primary work computer, but rather an un-inventoried BYOD, long forgotten about
• Shared OS user account, Huma and Anthony
• Perhaps without a password on the OS
• Full email client probably auto-launched in the background upon OS login, with a cached (memorized) password

Page 6: In My Opinion (Educated Guess)

Page 7: Meanwhile, on Primary Computer, No Sign of Duplicate Remote Email Client Login

Page 8: The Cloud

Cloud computing describes a type of outsourcing of computer services, similar to the way in which electricity supply is outsourced. Users can simply use it. They do not need to worry about where the computing resource comes from, how it is made, or how it is transported.

A subscription based service

Page 9: Cloud Security

Cloud Security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

Page 10: Cloud Service Models

• Software as a Service
• Platform as a Service
• Infrastructure as a Service

Page 11: Three Models of Cloud Computing: SaaS

• Software as a Service
• "Consume"
• Web browser provides point of access
• Software management is moved to a third party
• Examples: Salesforce and Google Apps

Page 12: Three Models of Cloud Computing: PaaS

• Platform as a Service
• "Host"
• Hardware is managed externally
• Operating System is managed externally
• Network is managed externally
• The customer builds, installs and manages their specific applications
• Examples: Google App Engine, and Red Hat's OpenShift

Page 13: Three Models of Cloud Computing: IaaS

• Infrastructure as a Service
• "Build"
• Cloud servers and associated resources are made available
• Customer controls architecture
• Customer controls OS
• Customer controls software applications
• Examples: Navisite and Exoscale

Page 14: Cloud Deployment Models

• Private
• Public
• Hybrid

Page 15: Private Cloud

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.

Page 16: Public Cloud

A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, the security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider.

Page 17: Hybrid Cloud

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources.

Page 18: Provider vs Customer Security Concerns

• Provider must make sure that proper security controls are in place and that their services are being correctly represented. For example, HIPAA compliant from a physical security perspective.

• Customer must verify that controls are up to standards and ensure that the portions for which they have control are securely managed. For example, how they issue login credentials to systems.

Page 19: Suggested Controls For Cloud Security

• Gartner breaks it down into seven areas
• The Cloud Security Alliance has fourteen
• Nicholas Davis has 10 areas

"The nice thing about standards is that there are so many to choose from" (Note the contradiction)

What really matters is that you take a comprehensive approach, no matter how you break it down into varying categories. Take nothing for granted!

Page 20: Cloud Physical Security

1. The location where the hardware and software reside must not be publicly accessible
2. The location where the hardware and software reside must be access controlled in such a manner that all entry and exit attempts, successful or unsuccessful, are logged and auditable
3. The procedure for third party access to the physical facility must be documented and agreed to by the customer

Page 21: Cloud Physical Security

4. All visitors to the secured area where the hardware and software reside must be accompanied by an authorized escort, agreed to by the customer
5. All people accessing the secured area where the hardware and software reside must have and display ID badges at all times
6. The secured area must be monitored and recorded by video camera at all times

Page 22: Employee and Computing Environment Reliability and Integrity

1. The cloud service provider must perform a criminal, work history, education history and credit history background check on all of its employees and produce the results for inspection by the customer
2. The cloud service provider should be able to produce a recent SSAE 16 SOC II report of its facility, for inspection by the customer

Page 23: Employee and Computing Environment Reliability and Integrity

3. The cloud service provider must be able to produce a copy of its latest vulnerability assessment and a list of the security risks and gaps which have been addressed as a result of the vulnerability assessment

Page 24: Cloud Data Persistence

1. List all locations where the customer's data will reside (City, State, Country)
2. Reference any legislation the company adheres to in terms of data transmission across organizational and geographic borders
3. Describe both the on-site and off-site data backups of customer data the company performs

Page 25: Cloud Data Persistence

4. Does a subcontractor store data off-site? If so, please describe.
5. Is the customer's data encrypted in storage and backup? If so, please describe.
6. Describe how the company controls access to backup storage and media

Page 26: Cloud Business Continuity

1. Describe the company's continuity plan for addressing critical service failures, such as power, heating, cooling, etc.
2. Describe the company's continuity plan for addressing natural disasters such as fire, tornadoes, flooding, etc.
3. Describe the company's response plan for information technology or human related security breaches of the facility

Page 27: Cloud Network Monitoring

1. Does the cloud provider log network traffic, file and server access?
2. All log files must be made available to the customer, upon demand

Page 28: Cloud Network Monitoring

3. Logs must record who accessed the system, by what means, and what, if any, data was accessed or changed
4. Security event logs should be captured for all systems which are, or which may potentially be, used for accessing and/or managing customer data
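When a provider hands over logs on demand (item 2), the customer still has to check that they satisfy items 3 and 4. The following is an added example, not part of the lecture, that audits a handful of constructed JSON log lines for the who / by-what-means / what-data fields and checks that every system in a constructed list of customer-data systems actually appears as a log source; the field names and system names are assumptions for the example.

```python
import json
from typing import Dict, List, Set

# Constructed sample log lines, as a provider might deliver them on demand.
# Field names (source, actor, method, resource, action, outcome) are assumptions
# for this example; real providers use their own schemas.
SAMPLE_LOG_LINES = [
    '{"ts": "2016-11-10T14:02:11Z", "source": "db-01", "actor": "svc-backup", '
    '"method": "ssh-key", "resource": "/backups/customer.tar", "action": "read", "outcome": "success"}',
    '{"ts": "2016-11-10T14:05:40Z", "source": "web-02", "actor": "admin.jane", '
    '"method": "console+mfa", "resource": "customer_table", "action": "update", "outcome": "success"}',
    # Empty actor: the log says something happened but not who did it.
    '{"ts": "2016-11-10T14:07:02Z", "source": "db-01", "actor": "", '
    '"method": "password", "resource": "customer_table", "action": "read", "outcome": "success"}',
    # Missing access method and outcome.
    '{"ts": "2016-11-10T14:09:15Z", "source": "web-02", "actor": "admin.bob", '
    '"resource": "customer_table", "action": "delete"}',
    # Corrupt line; an audit should report it rather than silently skip it.
    'not json at all',
]

# Constructed inventory of systems that are, or may potentially be, used to
# access or manage customer data (checklist item 4).
CUSTOMER_DATA_SYSTEMS: Set[str] = {"db-01", "web-02", "backup-01"}

# Checklist item 3: who accessed, by what means, what data, and what happened to it.
REQUIRED_FIELDS = ("actor", "method", "resource", "action", "outcome")


def record_gaps(rec: Dict[str, object]) -> List[str]:
    """Return the item-3 fields that are absent or empty in one parsed record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def audit_logs(lines: List[str], systems: Set[str]) -> Dict[str, object]:
    """Audit provider log lines against checklist items 3 and 4.

    Returns which lines are incomplete (and why) and which customer-data
    systems produced no log records at all in the batch.
    """
    incomplete: Dict[int, List[str]] = {}
    seen_sources: Set[str] = set()
    for lineno, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            incomplete[lineno] = ["unparseable"]
            continue
        seen_sources.add(str(rec.get("source", "")))
        gaps = record_gaps(rec)
        if gaps:
            incomplete[lineno] = gaps
    # Item 4: a system that never shows up as a source is a logging gap, not proof of no access.
    silent = sorted(systems - seen_sources)
    return {"incomplete_lines": incomplete, "silent_systems": silent}


if __name__ == "__main__":
    result = audit_logs(SAMPLE_LOG_LINES, CUSTOMER_DATA_SYSTEMS)
    for lineno, gaps in result["incomplete_lines"].items():
        print(f"line {lineno}: missing {', '.join(gaps)}")
    print("systems with no log records:", result["silent_systems"])
```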

Page 29: Data Encryption and Entity Authentication

1. Describe the specifics of how customer data is encrypted at rest as well as in transit
2. Describe the authentication technologies used to control administrative access to all systems which may have access to customer

Page 30: Cloud Multi Tenancy

1. Is the cloud infrastructure of the service being considered by the customer multi-tenant, or is it dedicated only to the customer's system? Please describe the controls in place to protect customer data, if the environment is multi-tenant
2. Is the cloud service segmented using virtual machines? If so, please describe the architecture

Page 31: Cloud Service Uptime

1. What is the specified service uptime and availability of the cloud solution being considered by the customer?
2. Does the cloud service have a fail over site? If so, describe its performance specifications/differences in comparison to the primary site


Page 33: Cloud Service Uptime

3. Are the security controls in place at the fail over site different in any way from the security controls in place at the primary site? If so, please describe
4. Does the cloud service provider provide an "active-active" consistent configuration between the primary and fail over site?

Page 34: Policy Consistency Across Organizations

1. Will the cloud service provider adhere to applicable information security policies and procedures of the customer?
2. Are there any customer IT security policies which the cloud provider cannot adhere to? If so, please describe

Page 35: Cloud Service Level Agreement

Please provide a copy of the cloud service provider's proposed Service Level Agreement (SLA) with the customer

Page 36: Bring Your Own Device

BYOD (bring your own device) is the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also take their own tablets, laptops and USB drives into the workplace.

Page 37: BYOD Security, Flexibility, Security, Violations

• Although the ability to allow staff to work at any time, from anywhere and on any device provides real business benefits, it also brings significant risks.

• To ensure information does not end up in the wrong hands, it is imperative for companies to put security measures in place.

• According to an IDG survey, more than half of 1,600 senior IT security and technology purchase decision-makers reported serious violations of personal mobile device use.

Page 38: End Node Problem

• BYOD security relates strongly to the end node problem, wherein a device is used to access both sensitive and risky networks/services

• Risk-averse organizations issue devices specifically for Internet use (this is termed Inverse-BYOD)

Page 39: Lost Devices, Sold Devices, Memorized Passwords

• BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses or sells that phone, untrusted parties could retrieve any unsecured data on the phone.

• Another type of security breach occurs when an employee leaves the company: they do not have to give back the device, so company applications and other data may still be present on it.

• If passwords are cached (remembered) by the phone, anyone who has access to the device can now access the password protected resources.

Page 40: Notable Statistics of Concern

Page 41: Personal Privacy: Drawing the Line

IT Security departments that wish to monitor usage of personal devices must ensure that they only monitor work related activities, or activities that access company data or information.

Page 42: Malware Infections

Organizations that wish to adopt a BYOD policy must also consider how they will ensure that the devices which connect to the organization's network infrastructure to access sensitive information will be protected from malware.

Page 43: Patching Many Different Models of BYODs

An organization with a BYOD policy must have the necessary systems and processes in place to apply patches against known vulnerabilities to the various devices that users may choose to use.

Page 44: Mobile Device Management Solutions

Several market offerings and policies have emerged to address BYOD security concerns, including mobile device management (MDM), containerization and app virtualization.

• Containerization
• Virtualization

Page 45: MDM May Result in Privacy and Usability Concerns

While MDM provides organizations with the ability to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that lead to resistance in some organizations.

Page 46: Phone Number Ownership

A key issue of BYOD which is often overlooked is BYOD's phone number problem, which raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises.

Page 47: Lack of BYOD Policy

• Research reveals that only 20% of employees have signed a BYOD policy

• Why not have them agree online, in order to gain network access? Offer them a carrot (network access) to agree.

• Businesses need to get out of the idea of using legacy paper forms for such things

Page 48: BYOD Inventory

Firms need an efficient inventory management system that keeps track of which devices employees are using, where each device is located, whether it is being used, and what software it is equipped with.
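Pages 43, 47 and 48 together describe one control: network access is the carrot, and a device gets it only if it is in the inventory, its owner has accepted the current BYOD policy online, and it is patched to the minimum the organization supports. The block below is an added example, not from the lecture, of that access gate; the policy version, minimum OS versions, device records and owner names are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed: the policy version every owner must have accepted online (page 47).
CURRENT_POLICY_VERSION = "2016-11"
# Constructed minimum patched OS version per platform (page 43); real values come
# from the organization's patch process.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"ios": (10, 1), "android": (7, 0), "windows": (10, 0)}


@dataclass
class Device:
    """One inventory record: what the device is, whose it is, where it is, what it runs (page 48)."""
    device_id: str
    owner: str
    platform: str
    os_version: Tuple[int, ...]
    last_seen_location: str
    installed_software: List[str] = field(default_factory=list)


@dataclass
class Inventory:
    devices: Dict[str, Device] = field(default_factory=dict)
    policy_accepted: Dict[str, str] = field(default_factory=dict)  # owner -> version accepted

    def register(self, device: Device) -> None:
        self.devices[device.device_id] = device

    def accept_policy(self, owner: str, version: str) -> None:
        self.policy_accepted[owner] = version


def access_decision(inv: Inventory, device_id: str, owner: str) -> List[str]:
    """Return the reasons to deny network access; an empty list means allow."""
    dev = inv.devices.get(device_id)
    if dev is None:
        # The un-inventoried, long-forgotten BYOD from page 5 never gets this far.
        return ["device not in inventory"]
    reasons: List[str] = []
    if dev.owner != owner:
        reasons.append("device registered to a different owner")
    if inv.policy_accepted.get(owner) != CURRENT_POLICY_VERSION:
        reasons.append("current BYOD policy not accepted")
    minimum = MIN_OS_VERSION.get(dev.platform)
    if minimum is None:
        reasons.append("unsupported platform")
    elif dev.os_version < minimum:
        reasons.append("OS below minimum patched version")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one compliant device, one stale one, one unknown one."""
    inv = Inventory()
    inv.register(Device("phone-a1", "alice", "ios", (10, 1), "Madison, WI", ["mail", "vpn"]))
    inv.register(Device("tab-b2", "bob", "android", (6, 0), "Milwaukee, WI", ["mail"]))
    inv.accept_policy("alice", CURRENT_POLICY_VERSION)
    inv.accept_policy("bob", "2015-08")  # signed an older version on paper
    return {
        "alice": access_decision(inv, "phone-a1", "alice"),
        "bob": access_decision(inv, "tab-b2", "bob"),
        "unknown": access_decision(inv, "laptop-zz", "carol"),
    }


if __name__ == "__main__":
    for who, reasons in demo().items():
        print(who, "->", "ALLOW" if not reasons else "DENY: " + "; ".join(reasons))
```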

Page 49: Make Sure the Employees Know

If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation.

Page 50: Scalability and Capability of Corporate Networks

Many organizations today lack the network infrastructure needed to handle the large volume of traffic generated once employees start using several different devices at the same time.

Page 51: Two Scenarios For the Future

• Personally Owned, Company Enabled (POCE)
• Corporate Owned, Personally Enabled (COPE)

Page 52: Personally Owned, Company Enabled (POCE)

The company will maintain management control and authorize the use of personally owned devices, and shall develop guidelines to define which employees can use their own devices, the types of devices they can use, and which applications and data they can access, process, or store.

Page 53: Corporate Owned, Personally Enabled (COPE)

As part of enterprise mobility, an alternative approach is corporate owned, personally enabled devices (COPE). With this policy the company purchases the devices to provide to their employees; the functionality of a private device is enabled to allow personal usage.

Page 54: Summary

• Both Cloud and BYOD are relatively new to organizations

• Both Cloud and BYOD blur the lines of where an organization's control over data resides

• Both Cloud and BYOD extend the information assets beyond historic organizational geographic boundaries

• Both Cloud and BYOD are security concerns, in an attempt to maintain Confidentiality, Integrity and Availability
