
Thanks, everybody, for letting me speak today. This is my first time here. I'm going to change things up a little bit; my talk will be a little more conceptual and hopefully more entertaining, so we'll see how that goes. A little bit about myself: I have infosec career experience spanning 20 years. I've worked for Fortune 50 companies, I've worked for companies that had 10 employees, and I've been in large IT organizations as an internal team member. I've also been an external consultant, and I have multi-discipline security skills across the areas of technical infrastructure design, implementation, assessment, governance, risk, and compliance. So my goals for this session: I want to share some information that might be of interest to you, hopefully you'll learn something new, and maybe we'll have some fun along the way as well.

So, SMAC. What is it? Is this it? I might feel like that, but SMAC is something else. Now, show of hands: who here has heard of SMAC in relation to cloud before? Anybody? Got one over here, one over there. Okay. Gartner calls this the "nexus of forces." What the hell does that mean? "Nexus of forces" doesn't mean anything to me, but SMAC is social, mobile, analytics, and cloud. That means something. So how big is SMAC? Well, it's pretty damn big; it's four-galaxies-in-a-universe big. How important is it? Well, about a year ago the CEO of Microsoft decided he needed to change their go-to-market strategy. The previous CEO was calling their new look and feel "devices and services," anybody remember that? And now he said no, that's not good enough, it needs to be cloud first and mobile first. Cloud and mobile: two parts of SMAC. Not sure how you get both of those to be first, but I get the idea.

So let's break it down a little bit. These are my definitions of these four areas. Social media is represented by any number of public internet sites that facilitate personal interaction with a potentially unlimited audience. So who here has heard of Flitterin? That's right, I haven't heard of it either, because it doesn't exist. It could exist, because it's the mash-up of Facebook, LinkedIn, and Twitter, and just like this guy, you know, you can do a whole bunch of things at one time on Flitterin, all in one place. And really, when you come down to it, the social part of SMAC is all about the "me's": you've got "like me" (and I have to read this here, it's a little small), "listen to me," "arm me," "watch me," "find me." So all the me's are part of the social part of SMAC. Every one of you is a "me," and every one of you has different personas, so it covers a lot of bases.

Mobile: anytime, anywhere, any device digital endpoint interactions on a potentially unlimited scale. So here's something that keeps people up at night: we've got the people walking up to the BYOD vending machine, and then they go to IT and say "hook me up," and so there's a tendency to try and lock it down, but that really doesn't work.

Analytics, also referred to as big data, alludes to the mash-up of data from a variety of sources that enables extended data mining that would produce comprehensive information not otherwise possible. Think about big data; it's pretty scary. You don't really know what you're going to get when you start mashing up data. What once was data that is not attributed to anybody or any person all of a sudden becomes PHI or PII, and again, it can be very scary stuff. Not only that, if you take a tool like Hadoop, which is the poster child for analytics, it takes unique skills, it's expensive, and the expectations for the outcomes are maybe a little too high. But guess what, we're going there.

Cloud: this is a reference for the classic internet-based third-party resources that are generally engaged at arm's length with a self-service model. And, just as absurd as this may seem, cloud is the answer to everything. That is the perception in many cases, that it's the answer for every problem that exists, so regardless of how ridiculous that is, you better embrace it, because this could be you.

Okay, so here's a quick overview of the SMAC forces working together, how they relate to each other. Down in the bottom right we have the cloud, which provides capacity to the mobile users and to the analytics back ends. The mobile devices provide social activity to the social network, and in turn the social network provides social marketing back to the mobile user. And analytics is the back-end engine for all of this: it provides feedback for the voice of the customer, and the mobile activity is also another source of information into the analytics engine as well.

So why does SMAC matter? Well, business is changing to a more collaborative, customer-centric environment aligned with progressive business strategies, so that means that SMAC forces will play a strategic role in meeting that change, and new and emerging initiatives will likely leverage SMAC to get there. But most importantly, customers and consumers will demand it to be there. So how will it change the information tech landscape? Well, new and unforeseen security trends will emerge due to the contemporary variables that develop because of the new facets of those four things interacting with each other. Because of that, traditional security controls will fail to keep pace, and impacts to IT security product selection and budgeting will be significant in order to keep up.

So this wheel, moving around from northeast to southwest, is basically representing the notion that as you move around the wheel your governance control diminishes. As you go from analytics, where you can possibly have a lot of control through things like classification of data and data tagging and DLP and DRM, when you move to cloud you move a little bit further away from control; you can certify your vendors through procurement processes. As you move to social it starts to get a little more dicey as to who does what, when, and how, and as you get out to mobile, now you're talking about any device. Somebody's at home with their Xbox and they need to do something at work, and you know all bets are off on the platform. So again, in the square in the middle, we talked about, for social, you can work on increasing your assurance levels; for mobile, there are ways of addressing device and application management, and you can do things like binding your mobile devices to your social identities to try and retain a little more visibility and control.

So what to do? In most cases, as in life, it becomes a question of balance. Anybody recognize this image here? It happens to be an album cover; it happens to be the Moody Blues from the early '70s. I just happen to like the philosophy of "a question of balance," but it's definitely applicable here. And you know, the thing about security is, I take a different approach, I think, to most people: I think of security first as an enabler. So really the mission here is to enable business on a secure and resilient foundation, rather than security being the moat, or, you know, the protection. I want to look at it as something that you can use to launch further beyond where you are today.

So what are some examples of proactive activities that can reduce SMAC risk? In the social realm it comes down mostly to identity, I believe, and so identity assurance levels become a trust point for utilizing this element. Some examples out there in the world today are NSTIC, which is a government/private-sector advocacy consortium that was formed in 2011 for a trust framework for federation and an ecosystem for IDs. FIDO is another example, Fast Identity Online; it's a 2013 industry consortium with a specification for a full range of multi-factor authentication, and I just read this week that NSTIC joined the FIDO Alliance, so I thought that was a fairly significant event in that particular realm. In the mobile realm, as I mentioned, device and application management are effective methods for increasing the value and reducing the risk of mobile devices; also, binding the mobile device to an assured persona ID, aka device pinning, can take trust to a higher level. That's what I was referring to in the previous slide. Analytics: again, we talked about data-centric technologies and controls to provide tools to minimize exposure and uncertainty and damage. Examples are data classification, DLP, DRM, all tied to relevant access controls. And in the cloud space, supplier certification, making sure that the cloud vendors have a good program in place, and a cloud governance platform. That's a name that I coined myself; remember that, we'll be talking about that in a minute or two. The CGP can provide the visibility and data control over a cloud service that the vendor may not be able to provide otherwise.

So let's do a quick shallow dive into what cloud computing is. There are five essential characteristics. The first one is on-demand service. The second one is broad network access, and again, anytime, anywhere, anyplace, any device. Resource pooling: so resources are not dedicated to any one particular task; they're used on demand as needed. There's rapid elasticity: so I have 5 or 10 servers and I have a big event, I can ramp up to 100 servers very quickly by just pushing a few configuration buttons and be on my way. And finally, it's a measured service, so that I only pay for what I use. So this is the NIST model of cloud computing, and on the top layer those are the five characteristics that I just covered. In the middle we have the service delivery models: software as a service, platform as a service, infrastructure as a service. And then at the bottom we have deployment models: we've got public, private, hybrid, and community. So just for the sake of argument, what are the examples of service delivery models? Well, salesforce.com is the poster child for software as a service, Amazon AWS is the platform as a service that everybody knows about, Verizon Terremark is the infrastructure as a service. And then if we look at the deployment models, we've got public, that would be AWS again as an example; private would be an enterprise cloud; hybrid would be the combination of the AWS and the enterprise cloud; and a community would be a customized public cloud subset.

Okay, so this is a graph that to me is sort of a spectrum as you go left to right here. The yellow represents the subscribing tenant identity, or the enterprise, and the blue is the vendor, the cloud service provider. So on the right-hand side we see software as a service, and we see that the vendor has complete control over everything and the organization has very little control in most cases. As you move across to the left, platform as a service, you start to share a little bit of responsibility and visibility and control; infrastructure, you give up a little, you gain a little bit more; when you get over to the far right, now you have complete control because you're within the enterprise environment. The point here is that the boundaries matter, and where you make the compromise to give up control and visibility will matter in the end. And as the previous speaker mentioned in his talk, the cloud vendors usually will not take responsibility for your data, so when you're over on the far right-hand side it's up to you to take action that they're not going to. So just for industry trends, the drumbeat of cloud computing just keeps getting stronger, and here's a graph that's a little bit dated but it's still trending true: IT spending on cloud is going to triple between 2011 and 2017. So it's really an unstoppable force.

So, cloud governance platform. I talked about this a little bit earlier; I'm going to deep dive into it a little further now. A cloud governance platform is a tool that you can leverage from a third-party vendor that would sit in between your application in the cloud and your users. It could either be on premise or in the cloud itself, and it gives you control, analysis, and discovery over the usual suspects, which are the items over in the right-hand cloud there, with Box and Office 365 and Salesforce and so on. So whether your users are at home, in your enterprise, mobile, whatever, this platform is going to give you visibility that you didn't have otherwise. Mobile users, even if they don't come through your enterprise, you can still have visibility and control over their activities. And again, Gartner has another term for this; they call it a cloud access security broker, a little too wordy for me, but there you go. So the part about the mobile user, that's pretty significant, because otherwise, with your mobile users running the box.com app on their smartphone, you lose complete visibility. Without a cloud governance platform, whether or not you have tools in your enterprise, it's pretty much gone out the door.

So let's talk about two use cases for cloud data control and visibility strategic initiatives: a cloud governance platform for box.com and a cloud governance platform for salesforce.com. In an enterprise setting for Box, typically what happens is you may invoke a SAML assertion, a single sign-on to Box from your enterprise, and you basically tell your users, okay, there it is, go ahead and use Box. And for me, the real value add in Box is collaboration. The fact that you can just drop files in the Box cloud is okay, but the fact that you can collaborate on those files with other people, especially third parties outside of your organization, is really where the value is. Well, without a cloud governance platform you really don't know much about what's going on out there in the Box cloud, but with a cloud governance platform, here's an example of 12 file events that you will have real-time monitoring and logging of, all these activities that occur. And what's really most important here for me are these two in the right-hand column: share and invite collaborator. So now you have more visibility about what's actually going on, so you can tell your users, okay, we're going to allow you to share regulated data with third parties, but only with the parties that we have quality-assured through our own kind of governance function to make sure that they're HIPAA compliant or PCI compliant or whatever. If you don't do that, we're going to know about it, we're going to get alerts, we're going to take action on those things.

So this particular kind of platform can actually either be in line or it can be offline, meaning that it's off to the side, and through an API it's looking at the Box file activities without even being in line with the user, to give you back that control and visibility and feedback. So what additional features can I leverage with those 12 functions? I can do policy-based pre-cloud-storage encryption if I like, so that I don't have to trust box.com to handle my data any particular way, because I'm encrypting it myself. I can invoke DLP independent of the cloud service, and I can optionally integrate it with my own existing enterprise DLP policy engines. I can retain enterprise-based granular access controls completely independent of what the cloud vendor provides. And again, a big win here is the mobile device coverage for BYOD and extra-enterprise-sourced devices as well. So somebody fires up the browser on their Xbox, then they go to Box, they have credentials to get in; you're still able to monitor what they're doing through that kind of a session, even though they're not on your enterprise, they're not even on a sanctioned piece of equipment.

So what features can we leverage in order to support sharing of PHI and PII regulated data with third parties? We can have live audit log and event access monitoring; we can do real-time DLP anomaly detection and instant notification; again, we can have coverage for native mobile and/or desktop clients; and we can also do something interesting like a scheduled scan for discovering interesting content. So even if you put up a policy that says here's the rules of engagement, here's the things you're allowed to do, even if you're not looking for specific things in those policies, you can define regex queries and other kinds of unstructured data queries into the data in the entire store to understand what other kinds of activities are going on within that environment. So here's an example of a log file from the DLP engine that occurred in Box, and in the third column from the right we see the anomaly value. So we have a couple credit cards, some Social Security numbers, a HIPAA member ID, and we will immediately see the user that was involved in that particular event, some other attributes, time and date stamp that occurred. This is our actionable information if there's a policy violation, for example.

Okay, moving on to the Salesforce cloud governance platform. Here's the model for Salesforce. The thing that's key to this particular architecture is the fact that it is specifically in line, so we're doing a little DNS manipulation here: we're doing crm.abc.com on the right-hand side; on the left-hand side we're actually going to abc.salesforce.com, the real URL. But more to the point, of the encryption that is being invoked within the cloud vendor, the keys, the session keys, the store for those keys is being handled on the enterprise, over there on the right-hand side. The vault key server is on premise; it could be any particular kind of key server, it doesn't have to come from the cloud governance platform vendor. Through the KMIP protocol, Key Management Interoperability Protocol, the premise key agent can query the key server for session keys, push them out to the cloud, and even the cloud vendor is not really going to have knowledge of those keys and how they're derived. So now you still maintain control of that data, and all the data that gets stored in Salesforce is still under your domain and control. So in this particular case we have a transparent in-line proxy with an API interface to salesforce.com providing field-level encryption and DLP scanning according to your enterprise policies.

This slide here is actually a little bit overlapping with the previous discussion. In the graph on the upper half, if you go across the horizontal axis you're looking at preserving functionality in your encryption selection type; if you go across the vertical axis you're talking about the encryption strength. So we've got seven different kinds of encryption techniques here to be able to protect your data, in order to strike a balance between preserving functionality of that data, such as searching and indexing, those kinds of things, and the encryption strength that you would be able to effect. And then the bottom half is basically some academic papers, probably from the same realm as the previous speaker, and the heavy mathematics and those theories that go into those papers; but the product of that research are these seven different encryption types. So this particular slide here is a screen grab from a tool that you might use to configure the encryption types for your salesforce.com application. It's a little fuzzy, but the first column represents the name of the field; the second column is the API name, so every time that particular field is in a particular application or record you're identifying it by the API name rather than just the field name; the third column represents the occurrences of that API within the application; and then the fourth column represents the type of encryption, of those seven types, that you want to apply to that particular piece of data, in order to strike that balance again between functionality and encryption strength.

So, final word: cloud computing is just going to keep exploding. It's something that you really can't push off to the side; it's going to be there, it's going to come at you from every which way. And that's all I have. Any questions?

I blinded them with science.
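As an added example after the talk (my own code, not the speaker's slides or any vendor's product), this is the shape of the Box use case described above: the share and invite-collaborator events are checked against the quality-assured third-party list, uploaded content gets a regex-plus-validation DLP pass that yields the anomaly value, and an ad-hoc regex query over the whole store stands in for the scheduled scan. The event records, the approved-domain list and the anomaly scoring are all constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed Box-style file events (sample data, not a real Box export).
EVENTS = [
    {"ts": "2015-03-02T09:15:00Z", "user": "alice@abc.example", "event": "upload",
     "file": "claims_q1.csv", "content": "member 4111 1111 1111 1111 billed 2015-01-07"},
    {"ts": "2015-03-02T09:16:10Z", "user": "alice@abc.example", "event": "invite_collaborator",
     "file": "claims_q1.csv", "collaborator": "auditor@assured-partner.example"},
    {"ts": "2015-03-02T09:17:42Z", "user": "bob@abc.example", "event": "share",
     "file": "roster.xlsx", "collaborator": "friend@unknown-vendor.example"},
    {"ts": "2015-03-02T09:20:05Z", "user": "bob@abc.example", "event": "upload",
     "file": "roster.xlsx", "content": "SSN 123-45-6789, SSN 987-65-4320; card 1234-5678-9012-3456"},
]
APPROVED_DOMAINS = {"assured-partner.example"}  # quality-assured third parties (constructed)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

@dataclass
class Alert:
    ts: str
    user: str
    file: str
    reason: str
    anomaly: int = 0  # confirmed regulated-data hits in the event (our own scoring, an assumption)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def dlp_findings(text: str) -> list[str]:
    """Regex candidates, then validation, so the anomaly value counts real hits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("credit_card")
    for area, group, serial in SSN_RE.findall(text):
        a = int(area)  # SSA never issues area 000, 666 or 900-999, group 00 or serial 0000
        if a not in (0, 666) and a < 900 and int(group) and int(serial):
            hits.append("ssn")
    return hits

def scan_events(events: list[dict], approved_domains: set[str]) -> list[Alert]:
    """Real-time pass: collaborator policy on share/invite, DLP on uploaded content."""
    alerts = []
    for e in events:
        if e["event"] in ("share", "invite_collaborator"):
            domain = e["collaborator"].rsplit("@", 1)[-1].lower()
            if domain not in approved_domains:
                alerts.append(Alert(e["ts"], e["user"], e["file"], f"unapproved_collaborator:{domain}"))
        if "content" in e and (hits := dlp_findings(e["content"])):
            alerts.append(Alert(e["ts"], e["user"], e["file"], "dlp:" + ",".join(sorted(set(hits))), len(hits)))
    return alerts

def scheduled_scan(events: list[dict], pattern: str) -> list[str]:
    """Ad-hoc regex query over everything in the store (the talk's scheduled scan)."""
    return sorted({e["file"] for e in events if "content" in e and re.search(pattern, e["content"])})
```

Running `scan_events(EVENTS, APPROVED_DOMAINS)` flags Alice's card upload, Bob's share to an unapproved domain, and Bob's SSN upload, while the Luhn and SSA checks drop the malformed card number and the 987 area SSN so they never inflate the anomaly value.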