YURY_CHEMERKIN_DeepIntel_2013_Conference.pdf
YuryChemerkin
14 views
45 slides
Jul 18, 2024
Slide 1 of 45
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
About This Presentation
This presentation discusses cloud security compliance and transparency issues. It covers topics like cloud taxonomy, security standards like CSA and NIST, and comparisons between different cloud providers' approaches to compliance.
Slide Content
COMPLIANCE AND TRANSPARENCY OF CLOUD
FEATURES vs. SECURITY STANDARDS
YURY CHEMERKIN
DeepIntel2013
FEATURES vs. SECURITY STANDARDS
YURY CHEMERKIN
DeepIntel2013
EXPERIENCED IN :
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC,
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkinhttp://[email protected]
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC,
ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkinhttp://[email protected]
I. Opinions & Facts
Threats
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Customization , security solutions
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-source
Physical clouds more secured than Public
Botnets and Malware Infections/Misuse
Depends on organization needs
Reference to wide services, solutions, etc.
Cloud Issues
Known Issues Known Solutions/Opinions
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Customization , security solutions
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-source
Physical clouds more secured than Public
Botnets and Malware Infections/Misuse
Depends on organization needs
Reference to wide services, solutions, etc.
Cloud Issues
Known Issues Known Solutions/Opinions
TopcloudsarenotOpenSource
OpenStackisAPIscompatiblewithAmazonEC2
andAmazonS3andthusclientapplicationswritten
forAWScanbeusedwithOpenStackwithminimal
portingeffort,whileAzureisnot
Platformlock-in
ThereareImport/Exporttoolstomigratefrom/to
VMware,whileAzuredoesn’thave
DataLock-in
NativeAWSsolutionslinkedwithCiscoroutersto
upload,downloadandtunnelingaswellas3
rd
party
storagelikeSMEStorage(AWS,Azure,Dropbox,
Google,etc.)
ToolsLock-in
Longingforaninter-cloudmanagingtoolsthatare
industrialandbuiltwithcompliance
APIsLock-In
Longing for inter-cloud APIs, however there were
known inter-OS APIs for PC, MDM, Mobiles, etc.
NoTransparency
Weak compliance and transparency due to SAS 70
and NDA relationships between cloud vendor and
third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick
response and stay tuned
What is about Public Clouds
Some known facts about AWS & Azurein order to issues mentioned above
OpenStackisAPIscompatiblewithAmazonEC2
andAmazonS3andthusclientapplicationswritten
forAWScanbeusedwithOpenStackwithminimal
portingeffort,whileAzureisnot
Platformlock-in
ThereareImport/Exporttoolstomigratefrom/to
VMware,whileAzuredoesn’thave
DataLock-in
NativeAWSsolutionslinkedwithCiscoroutersto
upload,downloadandtunnelingaswellas3
rd
party
storagelikeSMEStorage(AWS,Azure,Dropbox,
Google,etc.)
ToolsLock-in
Longingforaninter-cloudmanagingtoolsthatare
industrialandbuiltwithcompliance
APIsLock-In
Longing for inter-cloud APIs, however there were
known inter-OS APIs for PC, MDM, Mobiles, etc.
NoTransparency
Weak compliance and transparency due to SAS 70
and NDA relationships between cloud vendor and
third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick
response and stay tuned
What is about Public Clouds
Some known facts about AWS & Azurein order to issues mentioned above
"AllYourCloudsareBelongtous–SecurityAnalysisof
CloudManagementInterfaces",3rdCCSW,October2011
A black box analysis methodology of AWS control
interfaces compromised via the XSS techniques,
HTML injections, MITM
[AWS]::“ReportedSOAPRequestParsingVulnerabilities”
Utilizing the SSL/HTTPS only with certificate
validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM
accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
“Themostdangerouscodeintheworld:validatingSSL
certificatesinnon-browsersoftware”,19thACM
ConferenceonComputerandCommunicationsSecurity,
October2012
Incorrect behavior in the SSL certificate validation
mechanisms of AWS SDK for EC2, ELB, and FPS
[AWS]::“ReportedSSLCertificateValidationErrorsinAPI
ToolsandSDKs”
Despite of that, AWS has updated all SDK (for all
services) to redress it
Clouds: Public vs. Private
Known security issues of Public Cloudsand significant researches on it as a POC
CloudManagementInterfaces",3rdCCSW,October2011
A black box analysis methodology of AWS control
interfaces compromised via the XSS techniques,
HTML injections, MITM
[AWS]::“ReportedSOAPRequestParsingVulnerabilities”
Utilizing the SSL/HTTPS only with certificate
validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM
accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
“Themostdangerouscodeintheworld:validatingSSL
certificatesinnon-browsersoftware”,19thACM
ConferenceonComputerandCommunicationsSecurity,
October2012
Incorrect behavior in the SSL certificate validation
mechanisms of AWS SDK for EC2, ELB, and FPS
[AWS]::“ReportedSSLCertificateValidationErrorsinAPI
ToolsandSDKs”
Despite of that, AWS has updated all SDK (for all
services) to redress it
Clouds: Public vs. Private
Known security issues of Public Cloudsand significant researches on it as a POC
[AWS]::“XenSecurityAdvisories”
There are known XEN attacks (Blue Pills, etc.)
No one XEN vulnerability was not applied to the
AWS, Azure or SaaS/PaaSservices
Very customized clouds
[CSA]::“CSATheNotoriousNineCloudComputingTop
Threatsin2013”
Replaced a document published in 2009
Such best practices provides a least security
No significant changes since 2009, even examples
TopThreatsExamples
“1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys”,
“7.0. Threat: Abuse of Cloud Services // Cross-VM
Side Channels and Their Use to Extract private
Keys”
“4.0. Threat: Insecurity Interfaces and APIs”
BesidesofRealityofCSAThreats
1.0 & 7.0 cases highlight how the public clouds
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focused on a private
cloud case (VMware and XEN), while there is no a
known way to adopt it to AWS.
4.0 case presents issues raised by a SSO access
not related to public clouds (except Dropbox,
SkyDrive) and addressed to insecurity of APIs.
Clouds: Public vs. Private
It is generally known, that private clouds are most secureThere is no a POC to prove a statement on public clouds
There are known XEN attacks (Blue Pills, etc.)
No one XEN vulnerability was not applied to the
AWS, Azure or SaaS/PaaSservices
Very customized clouds
[CSA]::“CSATheNotoriousNineCloudComputingTop
Threatsin2013”
Replaced a document published in 2009
Such best practices provides a least security
No significant changes since 2009, even examples
TopThreatsExamples
“1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys”,
“7.0. Threat: Abuse of Cloud Services // Cross-VM
Side Channels and Their Use to Extract private
Keys”
“4.0. Threat: Insecurity Interfaces and APIs”
BesidesofRealityofCSAThreats
1.0 & 7.0 cases highlight how the public clouds
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focused on a private
cloud case (VMware and XEN), while there is no a
known way to adopt it to AWS.
4.0 case presents issues raised by a SSO access
not related to public clouds (except Dropbox,
SkyDrive) and addressed to insecurity of APIs.
Clouds: Public vs. Private
It is generally known, that private clouds are most secureThere is no a POC to prove a statement on public clouds
II. CSA Framework
•Compliance
Model
•Enhanced
Security
Model
•Basic
Security
Model
•Cloud
Model
Cloud
CSA
CAIQ
Mapping
CSA
CMM
Model
•Enhanced
Security
Model
•Basic
Security
Model
•Cloud
Model
Cloud
CSA
CAIQ
Mapping
CSA
CMM
II. NIST Framework
The consolidated framework over all NIST documents
Logically clearly defined documents, e.g.
Categorization systems
Selecting control
FIPS
Forensics
Logging (SCAP)
Etc.
Complementarity
Interchangeability
Expansibility
Dependence
Mapping (NIST, ISO only)
NIST Framework
Logically clearly defined documents, e.g.
Categorization systems
Selecting control
FIPS
Forensics
Logging (SCAP)
Etc.
Complementarity
Interchangeability
Expansibility
Dependence
Mapping (NIST, ISO only)
NIST Framework
Complementarity
NIST Enhance Control
Your own security control
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
NIST Enhance Control
Your own security control
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
Basic controls aren’t applicable in case of
Information systems need to communicate with other systems across different policy
APT
Insiders Threats
Mobility (mobile location, non-fixed)
Single-User operations
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
Interchangeability
Information systems need to communicate with other systems across different policy
APT
Insiders Threats
Mobility (mobile location, non-fixed)
Single-User operations
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
Interchangeability
III. Clouds
Amazon Web Services
Generally IaaS
+SaaS, PaaS
Microsoft Azure
Generally PaaS
Recent changes –IaaS
BlackBerry Enterprise Service
Separated
Integrated with Office365
SaaS as a MDM solution
Clouds
Generally IaaS
+SaaS, PaaS
Microsoft Azure
Generally PaaS
Recent changes –IaaS
BlackBerry Enterprise Service
Separated
Integrated with Office365
SaaS as a MDM solution
Clouds
•Office
•Office365
•Cisco/VoIP
•Android, iOS
•Unified
Management
•BlackBerry
4,5,6,7
•BlackBerry
Z10/Q10,
•Playbook
BES 10 BES 5
Office
integration
Unified
Device
Platform
•Office365
•Cisco/VoIP
•Android, iOS
•Unified
Management
•BlackBerry
4,5,6,7
•BlackBerry
Z10/Q10,
•Playbook
BES 10 BES 5
Office
integration
Unified
Device
Platform
IV. Cloud & Compliance Specific
There is no one “cloud”
There is no one “standard”
What vision is adopted by cloud vendors?
What vision is adopted by cloud operators
(3
rd
party)?
What is your way to use and manage cloud?
All of that reflected in the
There are many models and architectures
There are many ways to built cloud in
alignment to…
Virtualizing of anything able to be virtualized
Data distribution, service distribution, unified
management
Clear
compliance requirements
Cloud & Compliance Specific
There is no one “standard”
What vision is adopted by cloud vendors?
What vision is adopted by cloud operators
(3
rd
party)?
What is your way to use and manage cloud?
All of that reflected in the
There are many models and architectures
There are many ways to built cloud in
alignment to…
Virtualizing of anything able to be virtualized
Data distribution, service distribution, unified
management
Clear
compliance requirements
Cloud & Compliance Specific
TheGoalisbringingatransparencyofcloudcontrolsand
features,especiallysecuritycontrolsandfeatures
Suchdocumentshaveaclaimtobeup-to-datewith
expert-levelunderstandingofsignificantthreatsand
vulnerabilities
Unifyingrecommendationsforallclouds
Uptonow,itisthe3
rd
revision
Allrecommendationsarelinkedwithotherstandards
PCI DSS, ISO, COBIT
NIST, FEDRAMP
CSA’ own vision how it must be referred
Topknowncloudvendorsannouncedtheyarein
compliancewithit
Someofreportsaregettingoldbynow
Customershavetocontroltheirenvironmentbytheir
needs
Customerswanttoknowwhetheritisincompliancein,
especiallylocalregulationsandhowfar
Customerswanttoknowwhetheritmakescloudsquite
transparencytolettobuildanappropriate
Cloud & Compliance Specific
There is no one “cloud”
There is no one “standard”
There are many models and architectures
There are many ways to built cloud in alignment to…
features,especiallysecuritycontrolsandfeatures
Suchdocumentshaveaclaimtobeup-to-datewith
expert-levelunderstandingofsignificantthreatsand
vulnerabilities
Unifyingrecommendationsforallclouds
Uptonow,itisthe3
rd
revision
Allrecommendationsarelinkedwithotherstandards
PCI DSS, ISO, COBIT
NIST, FEDRAMP
CSA’ own vision how it must be referred
Topknowncloudvendorsannouncedtheyarein
compliancewithit
Someofreportsaregettingoldbynow
Customershavetocontroltheirenvironmentbytheir
needs
Customerswanttoknowwhetheritisincompliancein,
especiallylocalregulationsandhowfar
Customerswanttoknowwhetheritmakescloudsquite
transparencytolettobuildanappropriate
Cloud & Compliance Specific
There is no one “cloud”
There is no one “standard”
There are many models and architectures
There are many ways to built cloud in alignment to…
CAIQ/CCMprovidesequivalentofrecommendationsover
severalstandards,CAIQprovidesmoredetailsonsecurity
andprivacybutNISTmorespecific
CSArecommendationsarepurewithtechnicaldetails
It helps vendors not to have their solutions worked
out in details and/or badly documented
It helps them to put a lot of references on 3
rd
party
reviewers under NDA (SOC 1 or SAS 70)
Badideatoletvendorsfillssuchdocuments
They provide fewer public details
They take it to NDA reports
Vendorsgeneralexplanationsmultipliedbygeneral
standardsrecommendationsareextremelyfarawayfrom
transparency
Cloudscallforspecificlevelsofauditlogging,activity
reporting,securitycontrollinganddataretention
It is often not a part of SLA offered by providers
It is outside recommendations
AWSoftenfallsindetailswiththeirarchitecturedocuments
AWSsolutionsareverywelltobeincompliancewithold
standardsandspecificlocalregulations
NIST 800-53, or even Russian security standards
(however the Russian framework is out of cloud
framework)
Cloud & Compliance Specific
Compliance, Transparency, Elaboration
severalstandards,CAIQprovidesmoredetailsonsecurity
andprivacybutNISTmorespecific
CSArecommendationsarepurewithtechnicaldetails
It helps vendors not to have their solutions worked
out in details and/or badly documented
It helps them to put a lot of references on 3
rd
party
reviewers under NDA (SOC 1 or SAS 70)
Badideatoletvendorsfillssuchdocuments
They provide fewer public details
They take it to NDA reports
Vendorsgeneralexplanationsmultipliedbygeneral
standardsrecommendationsareextremelyfarawayfrom
transparency
Cloudscallforspecificlevelsofauditlogging,activity
reporting,securitycontrollinganddataretention
It is often not a part of SLA offered by providers
It is outside recommendations
AWSoftenfallsindetailswiththeirarchitecturedocuments
AWSsolutionsareverywelltobeincompliancewithold
standardsandspecificlocalregulations
NIST 800-53, or even Russian security standards
(however the Russian framework is out of cloud
framework)
Cloud & Compliance Specific
Compliance, Transparency, Elaboration
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
Description DIFFERENCE(AWS vs. AZURE)
ThirdPartyAudits AsopposedtoAWS,Azuredoesnothaveaclearlydefinedstatementwhethertheircustomersabletoperformtheirown
vulnerabilitytest
InformationSystemRegulatory
Mapping
AWSfallsindetailstocomplyitthatresultsofdifferencesbetweenCAIQandCMM
Handling/Labeling/SecurityPolicyAWSfallsindetailswhatcustomersareallowedtodoandhowexactlywhileAzuredoesnot
RetentionPolicy AWSpointstothecustomers’responsibilitytomanagedata,excludemovingbetweenAvailabilityZonesinsideoneregion;Azure
ensuresonvalidationandprocessingwithit,andindicateaboutdatahistoricalauto-backup
SecureDisposal Notseriously,AWSreliesonDoD5220.22additionallywhileAzuredoesNIST800-88only
InformationLeakage AWSreliesonAMIandEBSservices,whileAzuredoesonIntegritydata
Policy,UserAccess,MFA Nobothhave
BaselineRequirements AWSprovidesmorehighdetailedhow-todocsthanAzure,allowstoimporttrustedVMfromVMware,Azure
Encryption,Encryption Key
Management
AWSoffersencryptionfeaturesforVM,storage,DB,networkswhileAzuredoesforXStore(AzureStorage)
Vulnerability/PatchManagement AWSprovidestheircustomerstoaskfortheirownpentestwhileAzuredoesnot
NondisclosureAgreements,Third
PartyAgreements
AWShighlightsthattheydoesnotleverageany3
rd
partycloudproviderstodeliverAWSservicestothecustomers.Azurepointsto
theprocedures,NDAundergonewithISO
UserIDCredentials BesidestheAD(ActiveDirectory)AWSIAMsolutionarealignmentwithbothCAIQ,CMMrequirementswhileAzureaddressesto
theADtoperformtheseactions
(Non)Production environments,
NetworkSecurity
AWSprovidesmoredetailshow-todocumentstohavingacompliance
Segmentation Besidesvendorfeatures,AWSprovidesquitesimilarmechanisminalignmentCAIQ&CMM,whileAzurepointstofeaturesbuiltin
infrastructureonavendorside
MobileCode AWSpointstheirclientstoberesponsibletomeetsuchrequirements,whileAzurepointstobuildsolutionstrackedformobilecode
Compliance, Transparency, Elaboration
Description DIFFERENCE(AWS vs. AZURE)
ThirdPartyAudits AsopposedtoAWS,Azuredoesnothaveaclearlydefinedstatementwhethertheircustomersabletoperformtheirown
vulnerabilitytest
InformationSystemRegulatory
Mapping
AWSfallsindetailstocomplyitthatresultsofdifferencesbetweenCAIQandCMM
Handling/Labeling/SecurityPolicyAWSfallsindetailswhatcustomersareallowedtodoandhowexactlywhileAzuredoesnot
RetentionPolicy AWSpointstothecustomers’responsibilitytomanagedata,excludemovingbetweenAvailabilityZonesinsideoneregion;Azure
ensuresonvalidationandprocessingwithit,andindicateaboutdatahistoricalauto-backup
SecureDisposal Notseriously,AWSreliesonDoD5220.22additionallywhileAzuredoesNIST800-88only
InformationLeakage AWSreliesonAMIandEBSservices,whileAzuredoesonIntegritydata
Policy,UserAccess,MFA Nobothhave
BaselineRequirements AWSprovidesmorehighdetailedhow-todocsthanAzure,allowstoimporttrustedVMfromVMware,Azure
Encryption,Encryption Key
Management
AWSoffersencryptionfeaturesforVM,storage,DB,networkswhileAzuredoesforXStore(AzureStorage)
Vulnerability/PatchManagement AWSprovidestheircustomerstoaskfortheirownpentestwhileAzuredoesnot
NondisclosureAgreements,Third
PartyAgreements
AWShighlightsthattheydoesnotleverageany3
rd
partycloudproviderstodeliverAWSservicestothecustomers.Azurepointsto
theprocedures,NDAundergonewithISO
UserIDCredentials BesidestheAD(ActiveDirectory)AWSIAMsolutionarealignmentwithbothCAIQ,CMMrequirementswhileAzureaddressesto
theADtoperformtheseactions
(Non)Production environments,
NetworkSecurity
AWSprovidesmoredetailshow-todocumentstohavingacompliance
Segmentation Besidesvendorfeatures,AWSprovidesquitesimilarmechanisminalignmentCAIQ&CMM,whileAzurepointstofeaturesbuiltin
infrastructureonavendorside
MobileCode AWSpointstheirclientstoberesponsibletomeetsuchrequirements,whileAzurepointstobuildsolutionstrackedformobilecode
ConsumerRelationshiponly
Everything except SA-13 “Location-aware technologies may be used to validate connection
authentication integrity based on known equipment location”
VendorRelationshiponly
Requirements include technical and management solutions
ConsumerRelationshipsharedwithVendor
Include non-technical solutions only
Such policies, roles, procedures, training
AllrequirementscoverSaaS,PaaS,IaaScloudtypes
Generalrequirementsonly
Missingdetails(likeDoD)
Compliance: from CSA’s viewpoint
Examination of CSA
Everything except SA-13 “Location-aware technologies may be used to validate connection
authentication integrity based on known equipment location”
VendorRelationshiponly
Requirements include technical and management solutions
ConsumerRelationshipsharedwithVendor
Include non-technical solutions only
Such policies, roles, procedures, training
AllrequirementscoverSaaS,PaaS,IaaScloudtypes
Generalrequirementsonly
Missingdetails(likeDoD)
Compliance: from CSA’s viewpoint
Examination of CSA
DataGovernance-InformationLeakage(DG-07).
Security mechanisms shall be implemented to prevent data leakage refer
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-6 Least Privilege (the most correct reference)
AC-11 Session Lock General requirements only
Security mechanisms shall be implemented to prevent data leakagemissed in turn (no references at all)
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
Compliance: from CSA’s viewpoint
Examination of CSA References NIST
Security mechanisms shall be implemented to prevent data leakage refer
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-6 Least Privilege (the most correct reference)
AC-11 Session Lock General requirements only
Security mechanisms shall be implemented to prevent data leakagemissed in turn (no references at all)
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
Compliance: from CSA’s viewpoint
Examination of CSA References NIST
DataGovernance-InformationLeakage(DG-07).
Security mechanisms shall be implemented to prevent data leakage also refers to ISO
A.10.6.2Security of network services
A.10.6.2 refers to NIST in turn
CA-3 Information System Connections
SA-9 External Information System Services
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
DG-07 should refer to PE-19 Information Leakage in fact
It could include the NIST requirement “AC-6. Least Privilege” too
A few of them applicable in case of Cloud MDM and should be extended by different toolkit
Compliance: from CSA’s viewpoint
Examination of CSA References ISO
Security mechanisms shall be implemented to prevent data leakage also refers to ISO
A.10.6.2Security of network services
A.10.6.2 refers to NIST in turn
CA-3 Information System Connections
SA-9 External Information System Services
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
DG-07 should refer to PE-19 Information Leakage in fact
It could include the NIST requirement “AC-6. Least Privilege” too
A few of them applicable in case of Cloud MDM and should be extended by different toolkit
Compliance: from CSA’s viewpoint
Examination of CSA References ISO
DataGovernance
NIST :: access control, media
management, etc.
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Azure’svision-Distributionofinformation
CSA , ISO is better applicable than NIST
NIST is applicable as a custom controls’ collection
Best way is adopt NIST enhancements with CSA
Need to remap CSA->NIST rev4
Technical / Access Control / Security
Attributes
Attribute Configuration
Permitted Attributes for Specified
InfoSystems
Permitted Values and Ranges for Attributes
Cloud & Compliance Specifics. Example
CSA Cloud :: Azure
NIST :: access control, media
management, etc.
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Azure’svision-Distributionofinformation
CSA , ISO is better applicable than NIST
NIST is applicable as a custom controls’ collection
Best way is adopt NIST enhancements with CSA
Need to remap CSA->NIST rev4
Technical / Access Control / Security
Attributes
Attribute Configuration
Permitted Attributes for Specified
InfoSystems
Permitted Values and Ranges for Attributes
Cloud & Compliance Specifics. Example
CSA Cloud :: Azure
AccessControl
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
AWS’sVisionisnotDataDistribution
NIST is better applicable than CSA
NIST is applicable as a custom controls’ collection
There are many enhancements to include (rev4)
Dynamic Account Creation
Restrictions on Use of Shared Groups -
Accounts
Group Account Requests
Appovals/Renewals
Account Monitoring -Atypical Usage
e.g. :: log-delivery-write for S3
Cloud & Compliance Specifics. Example
NIST Cloud :: AWS
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
AWS’sVisionisnotDataDistribution
NIST is better applicable than CSA
NIST is applicable as a custom controls’ collection
There are many enhancements to include (rev4)
Dynamic Account Creation
Restrictions on Use of Shared Groups -
Accounts
Group Account Requests
Appovals/Renewals
Account Monitoring -Atypical Usage
e.g. :: log-delivery-write for S3
Cloud & Compliance Specifics. Example
NIST Cloud :: AWS
AWS’sVisionisnotDataDistribution,however
CSA::DataGovernanceisapplicablefromthe
resource-basedviewpoint
Resource based policy Attached to
resource
AWS’sVisionisnotDataDistribution,however
NIST::AccessControlisapplicablefromtheuser-
basedviewpoint
Account based policy Attached to users
define that policy for MDM users to
access internal network resources
Combine with a mobile policy
Cloud & Compliance Specifics. Example
CSA / NIST Cloud :: AWS
CSA::DataGovernanceisapplicablefromthe
resource-basedviewpoint
Resource based policy Attached to
resource
AWS’sVisionisnotDataDistribution,however
NIST::AccessControlisapplicablefromtheuser-
basedviewpoint
Account based policy Attached to users
define that policy for MDM users to
access internal network resources
Combine with a mobile policy
Cloud & Compliance Specifics. Example
CSA / NIST Cloud :: AWS
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make you sure to start managing security under
uncertain terms without AI
Refers to NIST-800-53 and other
Sometimes missed requirements such as
locking device, however it is in NIST-800-53
A bit details than CSA
No statements on permission management
Make you sure to start managing security under
uncertain termswithout AI
COMPLIANCE AND MDM
CSA Mobile Device Management: Key ComponentsNIST-124
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make you sure to start managing security under
uncertain terms without AI
Refers to NIST-800-53 and other
Sometimes missed requirements such as
locking device, however it is in NIST-800-53
A bit details than CSA
No statements on permission management
Make you sure to start managing security under
uncertain termswithout AI
COMPLIANCE AND MDM
CSA Mobile Device Management: Key ComponentsNIST-124
�=�∪�∪�∪??????, �⊂�, ??????⊆�, ??????⊂??????
�–set of OS permissions, �–set of device permissions, �–set
of MDM permissions, �–set of missed permissions (lack of
controls), ??????–set of rules are explicitly should be applied to gain
a compliance
�=�+�, �⊃�∪�
�–set of APIs , �–set of APIs that interact with sensitive data,
�–set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set�
should be empty set to get �⊇�∪�instead of �⊃�∪�, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions ??????⊆�, ??????⊂??????are true and if it is
possible to get ⊆??????.
Set of permissions < Set of activities efficiency is
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >100%
lack of knowledge about possible attacks
improper granularity
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security featuresThe situation is very serious MDM features
AV, MDM, DLP,
VPN
Non-app features
Permissions
Kernel protection
�–set of OS permissions, �–set of device permissions, �–set
of MDM permissions, �–set of missed permissions (lack of
controls), ??????–set of rules are explicitly should be applied to gain
a compliance
�=�+�, �⊃�∪�
�–set of APIs , �–set of APIs that interact with sensitive data,
�–set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the set�
should be empty set to get �⊇�∪�instead of �⊃�∪�, so
the matter how is it closer to empty. On another hand it should
find out whether assumptions ??????⊆�, ??????⊂??????are true and if it is
possible to get ⊆??????.
Set of permissions < Set of activities efficiency is
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >100%
lack of knowledge about possible attacks
improper granularity
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security featuresThe situation is very serious MDM features
AV, MDM, DLP,
VPN
Non-app features
Permissions
Kernel protection
GOALS -MOBILE RESOURCES / AIM OF ATTACK
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS –SET OF ACTIONS UNDER THE THREAT
APIs -RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION , NON-APP FEATURES
PERMISSIONS -EXPLICITLY CONFIGURED
3
RD
PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE -RULES TO DESIGN A MOBILE SECURITY
IN ALIGNMENT WITH COMPLIANCE TO…
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’S VECTORAV, MDM,
DLP, VPN
Goals
Attacks
APIs
APIs
Permissions
Kernel
protection
Non-app
features
MDM features
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS –SET OF ACTIONS UNDER THE THREAT
APIs -RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION , NON-APP FEATURES
PERMISSIONS -EXPLICITLY CONFIGURED
3
RD
PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE -RULES TO DESIGN A MOBILE SECURITY
IN ALIGNMENT WITH COMPLIANCE TO…
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK’S VECTORAV, MDM,
DLP, VPN
Goals
Attacks
APIs
APIs
Permissions
Kernel
protection
Non-app
features
MDM features
[ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK BB 10 AIR SDK PB (NDK/AIR)
Background processing + +
BlackBerry Messenger - -
Calendar, Contacts + via invoke calls
Camera + +
Device identifying information + +
Email and PIN messages + via invoke calls
GPS location + +
Internet + +
Location + -
Microphone + +
Narrow swipe up - +
Notebooks + -
Notifications + +
Player - +
Phone + -
Push + -
Shared files + +
Text messages + -
Volume - +
BB 10 Cascades SDK BB 10 AIR SDK PB (NDK/AIR)
Background processing + +
BlackBerry Messenger - -
Calendar, Contacts + via invoke calls
Camera + +
Device identifying information + +
Email and PIN messages + via invoke calls
GPS location + +
Internet + +
Location + -
Microphone + +
Narrow swipe up - +
Notebooks + -
Notifications + +
Player - +
Phone + -
Push + -
Shared files + +
Text messages + -
Volume - +
[ iOS. Settings ]
Component Unit
Restrictions :: Native application
Safari
Camera, FaceTime
iTunes Store, iBookstore
Siri
Manage applications*
Restrictions :: 3
rd
application
Manage applications*
Explicit Language (Siri)
Privacy*, Accounts*
Content Type Restrictions*
Unit subcomponents
Privacy :: Location
Per each 3
rd
party app
For system services
Privacy :: Private Info
Contacts, Calendar, Reminders, Photos
Bluetooth Sharing
Twitter, Facebook
Accounts
Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts
Find My Friends
Volume limit
Content Type Restrictions
Ratings per country and region
Music and podcasts
Movies, Books, Apps, TV shows
In-app purchases
Require Passwords (in-app purchases)
Game Center
Multiplayer Games
Adding Friends (Game Center)
Manage applications
Installing Apps
Removing Apps
Component Unit
Restrictions :: Native application
Safari
Camera, FaceTime
iTunes Store, iBookstore
Siri
Manage applications*
Restrictions :: 3
rd
application
Manage applications*
Explicit Language (Siri)
Privacy*, Accounts*
Content Type Restrictions*
Unit subcomponents
Privacy :: Location
Per each 3
rd
party app
For system services
Privacy :: Private Info
Contacts, Calendar, Reminders, Photos
Bluetooth Sharing
Twitter, Facebook
Accounts
Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts
Find My Friends
Volume limit
Content Type Restrictions
Ratings per country and region
Music and podcasts
Movies, Books, Apps, TV shows
In-app purchases
Require Passwords (in-app purchases)
Game Center
Multiplayer Games
Adding Friends (Game Center)
Manage applications
Installing Apps
Removing Apps
ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION,
ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM
ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE,
ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_
MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT
TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET
,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE
VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL
PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_
PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY,
BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA
MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO
NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M
ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C
LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE
TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN
OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC
TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_
PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE
ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P
ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK
GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T
OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_
PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN
MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_
OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_
CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE
R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L
OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_
SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS,
READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET
ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS
,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH,
SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION
,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P
ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S
ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA
TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR
ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C
REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET
TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC
TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI
STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN
GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W
RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY,
[ Android. Permissions ]
List contains ~150 permissionsI have ever seen that on old BlackBerry devices
ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM
ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE,
ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_
MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT
TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET
,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE
VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL
PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_
PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY,
BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA
MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO
NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M
ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C
LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE
TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN
OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC
TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_
PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE
ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P
ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK
GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T
OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_
PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN
MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_
OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_
CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE
R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L
OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_
SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS,
READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET
ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS
,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH,
SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION
,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P
ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S
ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA
TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR
ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C
REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET
TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC
TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI
STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN
GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W
RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY,
[ Android. Permissions ]
List contains ~150 permissionsI have ever seen that on old BlackBerry devices
ACCOUNTS
AFFECTS_BATTERY
APP_INFO
AUDIO_SETTINGS
BLUETOOTH_NETWORK
BOOKMARKS
CALENDAR
CAMERA
COST_MONEY
DEVELOPMENT_TOOLS
DEVICE_ALARMS
DISPLAY
HARDWARE_CONTROLS
LOCATION
MESSAGES
MICROPHONE
NETWORK
PERSONAL_INFO
PHONE_CALLS
SCREENLOCK
SOCIAL_INFO
STATUS_BAR
STORAGE
SYNC_SETTINGS
SYSTEM_CLOCK
SYSTEM_TOOLS
USER_DICTIONARY
VOICEMAIL
WALLPAPER
WRITE_USER_DICTIONARY
[ Android. Permission Groups ]
But there only 30 permissions groupsI have ever seen that on old BlackBerry devices too
AFFECTS_BATTERY
APP_INFO
AUDIO_SETTINGS
BLUETOOTH_NETWORK
BOOKMARKS
CALENDAR
CAMERA
COST_MONEY
DEVELOPMENT_TOOLS
DEVICE_ALARMS
DISPLAY
HARDWARE_CONTROLS
LOCATION
MESSAGES
MICROPHONE
NETWORK
PERSONAL_INFO
PHONE_CALLS
SCREENLOCK
SOCIAL_INFO
STATUS_BAR
STORAGE
SYNC_SETTINGS
SYSTEM_CLOCK
SYSTEM_TOOLS
USER_DICTIONARY
VOICEMAIL
WALLPAPER
WRITE_USER_DICTIONARY
[ Android. Permission Groups ]
But there only 30 permissions groupsI have ever seen that on old BlackBerry devices too
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
MDM . Extend your device security capabilities
Android CONTROLLED FOUR GROUPS ONLY
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE
DEVICE AFTER
INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH FOR THE DEVICE
PASSWORD THAT IS ALLOWED
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
MDM . Extend your device security capabilities
Android CONTROLLED FOUR GROUPS ONLY
BROWSER
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF
OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES
BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
CONTENT
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
MESSAGING (DEFAULT APP)
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM . Extend your device security capabilities
iOS CONTROLLED 16 GROUPS ONLY
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF
OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES
BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
CONTENT
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
MESSAGING (DEFAULT APP)
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM . Extend your device security capabilities
iOS CONTROLLED 16 GROUPS ONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
EMAIL PROFILES
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx) CONTROLLED 7 GROUPS ONLY
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
EMAIL PROFILES
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx) CONTROLLED 7 GROUPS ONLY
THERE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINSFROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEADOF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS
EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3
RD
PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
MDM . Extend your device security capabilities
Blackberry (old) Huge amount of permissions are MDM & device built-in
EACH GROUP CONTAINSFROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs
INSTEADOF A WAY ‘DISABLE/ENABLED &
HIDE/UNHIDE’
EACH EVENT IS
CONTROLLED BY CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR
PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME
MORE THAN OTHER DOCUMENTS
EACH UNIT CAN’T CONTROL ACTIVITY UNDER
ITSELF
‘CREATE, READ, WRITE/SAVE, SEND,
DELETE’ ACTIONS IN REGARDS TO
MESSAGES LEAD TO SPOOFING BY
REQUESTING A ‘MESSAGE’ PERMISSION
ONLY
SOME PERMISSIONS AREN’T REQUIRED (TO
DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO APP,
WHICH 3
RD
PARTY PLUGIN WAS EMBEDDED
IN, INSTEAD OF THAT PLUGIN
MDM . Extend your device security capabilities
Blackberry (old) Huge amount of permissions are MDM & device built-in
The best Security & Permissions ruled by AWS
Most cases are not clear in according to the roles
and responsibilities of cloud vendors & customers
May happen swapping responsibilities and shifting
the vendor job on to customer shoulders
Referring to independent audits reports under
NDA as many times as they can
CSA put the cross references to other standards
that impact on complexity & lack of clarity more
than NIST SP800-53
CONCLUSION
Select
Security
Controls
Check
Scope
CSA
Define
Granularity
Apply
CSA as
common
Remap
to NIST
Improve
basic
CSA
NIST
enhanc.
Combine
custom
sets
Most cases are not clear in according to the roles
and responsibilities of cloud vendors & customers
May happen swapping responsibilities and shifting
the vendor job on to customer shoulders
Referring to independent audits reports under
NDA as many times as they can
CSA put the cross references to other standards
that impact on complexity & lack of clarity more
than NIST SP800-53
CONCLUSION
Select
Security
Controls
Check
Scope
CSA
Define
Granularity
Apply
CSA as
common
Remap
to NIST
Improve
basic
CSA
NIST
enhanc.
Combine
custom
sets
Q & A
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 14
- Slides 45
- Age 502 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
45 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
24 views