Cloud Security by CK

Post on 28-Nov-2014


Transcript of Cloud Security by CK

Cloud Security Concerns

By Chaiyakorn Apiwathanokul

C3O, S-Generation Co., Ltd.

• CSO ASEAN Award 2010 by International Data Group (IDG)

• 2010 Asia-Pacific Information Security Leadership Achievements (ISLA) by (ISC)2

• Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544)

Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)

Title: Chief Executive Officer

Company: S-GENERATION Company Limited, S-FORENSICS Company Limited

Certificates: CISSP, CSSLP, IRCA:ISMS (ISO27001), SANS:GCFA

• Contribute to Thailand Cyber Crime Act B.E.2550

• Workgroup for CA service standard development

• Committee of national standard adoption of ISO27001/ISO27002

• Committee of Thailand Information Security Association (TISA)

• Committee of Cybersecurity workforce development, Division of Skill Development, Ministry of Labour

• Advisor to Department of Special Investigation (DSI)

• Advisor to Cybersecurity Monitoring Center, Ministry of Defense (MOD)

chaiyakorna@hotmail.com

CLOUD! What is it like?

What do you think of when it comes to CLOUD?

Now!

Cheaper Cost Efficiency

Resiliency High Availability

Elasticity On-Demand

Quick Deployment

Out-sourcing

Then what stops you?

GO!!! or NO GO?

What to worry about?

Surveys Show

SECURITY & PRIVACY

#1 Concern

Top Threats to Cloud Computing

Survey Results Update 2012

Top Threats to Cloud Computing

1. Abuse & Nefarious Use of Cloud Computing

2. Insecure Interfaces & APIs

3. Malicious Insiders

4. Shared Technology Issues

5. Data Loss or Leakage

6. Account or Service Hijacking

7. Unknown Risk Profile

© 2012 S-Generation Co., Ltd.

ENISA Cloud Risks

1. Loss of governance

2. Lock-in

3. Isolation failure

4. Compliance risks

5. Management interface compromise

6. Data protection

7. Insecure or incomplete data deletion

8. Malicious insider

NIST SP800-144

Key Security and Privacy Issues

1 Governance

2 Compliance

3 Trust

4 Architecture

5 Identity and Access Management

6 Software Isolation

7 Data Protection

8 Availability

9 Incident Response

Certificate of Cloud Security Knowledge

• First certification on cloud computing security

• Most prestigious cloud computing certification

• Measures mastery of CSA guidance and ENISA cloud risks whitepaper

• Understand cloud issues

• Look for the CCSKs at cloud providers, consulting partners

• Online web-based examination

• www.cloudsecurityalliance.org/certifyme

13 Domains of CCSK

0.5 Lifecycle considerations “Information”

Stages shown in the diagram: Create, Store, Destroy, Process, Use, Transmit

0.5 Lifecycle considerations “Information System”

Stages shown in the diagram: Conceive, Implement, Use, Specify, Design, Develop, Test, Maintain, Dispose

Domain 5: Information Management & Data Security

5.6 Data Security

5.6.1 Detecting and Preventing Data Migrations to The Cloud

5.6.2 Protecting Data Moving to (And Within) The Cloud

5.6.3 Protecting Data in The Cloud

5.6.4 Data Loss Prevention

5.6.5 Database and File Activity Monitoring

5.6.6 Application Security

5.6.7 Privacy Preserving Storage

5.6.8 Digital Rights Management (DRM)

Back to the Basics

• Classify everything

– Data

– Network

– Platform

– App

– Provider

– Personnel involved

• Owner, who, R&R

• Custodian, who, R&R

Conclusion

• Cloud is here to stay

• Cloud helps reduce capital and operational cost

• Cost of data breach is in question

• It’s not about go or no-go, it’s about how to go effectively

• We are not living in a business (only) world

• There are underground economies, cyber criminals, terrorism, and state intelligence

• Secure development and secure operation

• Does cloud computing help make your operation more secure?

– Operation - maybe

– Data security framework - ?

http://www. thailand.org

Happy New Year to ICTSEC

• Free web security health check

1 scan 1 report

• Promotion code:

ICTSEC@EGAT

• Contact:

– Tel. 02-613-0500

– Mail. sales@s-generation.com

– http://www.EZWebSec.com

Start at 5,000 THB/month

Thank You

Please visit http://www.S-GENERATION.com for more information

Please visit http://www.S-FORENSICS.com for more information