YURY_CHEMERKIN__I-Society_2013_Conference.pdf
YuryChemerkin
26 views
16 slides
Jul 19, 2024
Slide 1 of 16
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
About This Presentation
This PDF is a paper presented by Yury Chemerkin at the International Conference on Information Society (i-Society 2013). It addresses the challenges of security compliance in cloud environments. The paper discusses various threats, privacy issues, compliance requirements, and the complexities of man...
Slide Content
Limitations of Security Standards against Public Clouds
YURY CHEMERKIN
International Conference on Information Society (i-Society 2013)
YURY CHEMERKIN
International Conference on Information Society (i-Society 2013)
Experienced in :
Reverse Engineering& AV
Software Programming& Documentation
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing
Hakin9 Magazine, PenTestMagazine, eForensicsMagazine,
GroteckBusiness Media
Participation at conferences
InfoSecurityRussia, NullCon, AthCon, CONFidence, PHDAYS
CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec
ICITST, CyberTimes, ITA
[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkinhttp://[email protected]
Reverse Engineering& AV
Software Programming& Documentation
Mobile Security and MDM
Cyber Security & Cloud Security
Compliance & Transparency
and Security Writing
Hakin9 Magazine, PenTestMagazine, eForensicsMagazine,
GroteckBusiness Media
Participation at conferences
InfoSecurityRussia, NullCon, AthCon, CONFidence, PHDAYS
CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec
ICITST, CyberTimes, ITA
[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkinhttp://[email protected]
Threats
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Customization and best practices
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-source
Physical clouds more secured than Public
Botnets and Malware Infections
Depends on organization needs
Reference to wide services, solutions, etc.
Cloud Issues
Known Issues Known Solutions
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Customization and best practices
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-source
Physical clouds more secured than Public
Botnets and Malware Infections
Depends on organization needs
Reference to wide services, solutions, etc.
Cloud Issues
Known Issues Known Solutions
Common Security Recommendations for clouds
Object What to do
Data Ownership Full rights and access to data
Data Segmentation An isolation data from other customers’ data
Data Encryption A data encryption in transit/memory/storage, at rest
Backup/Recovery An availability for recovery
Data Destruction An Ability to securely destroy when no longer needed
Access Control Who has access to data?
Log Management A data access that logged and monitored regularly
Incident Response Are there processes and notifications in place for incidents
(including breaches) that affect data?
Security Controls An appropriate security and configuration control to data
protection
Patch Management Patching for the latest vulnerabilities and exploits?
Object What to do
Data Ownership Full rights and access to data
Data Segmentation An isolation data from other customers’ data
Data Encryption A data encryption in transit/memory/storage, at rest
Backup/Recovery An availability for recovery
Data Destruction An Ability to securely destroy when no longer needed
Access Control Who has access to data?
Log Management A data access that logged and monitored regularly
Incident Response Are there processes and notifications in place for incidents
(including breaches) that affect data?
Security Controls An appropriate security and configuration control to data
protection
Patch Management Patching for the latest vulnerabilities and exploits?
TopcloudsarenotOpenSource
OpenStackisAPIscompatiblewithAmazonEC2
andAmazonS3andthusclientapplicationswritten
forAWScanbeusedwithOpenStackwithminimal
portingeffort,whileAzureisnot
Platformlock-in
BesideofOpenStack,thereareImport/Exporttools
tomigratefrom/toVMware,whileAzureisnot
DataLock-in
NativeAWSsolutionslinkedwithCiscoroutersto
upload,downloadandtunnelingaswellas3
rd
party
storagelikeSMEStorage(AWS,Azure,Dropbox,
Google,etc.),whileAzureisnot
ToolsLock-in
Longingforaninter-cloudmanagingtoolsthatare
industrialandbuiltwithcompliance
APIsLock-In
Longing for inter-cloud APIs, however there were
known inter-OS APIs for PC, MDM, Mobiles, etc.
NoTransparency
Weak compliance and transparency due to SAS 70
and NDA relationships between cloud vendor and
third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick
response and stay tuned
What is about Public Clouds
Some known facts about AWS & Azurein order to issues mentioned above
OpenStackisAPIscompatiblewithAmazonEC2
andAmazonS3andthusclientapplicationswritten
forAWScanbeusedwithOpenStackwithminimal
portingeffort,whileAzureisnot
Platformlock-in
BesideofOpenStack,thereareImport/Exporttools
tomigratefrom/toVMware,whileAzureisnot
DataLock-in
NativeAWSsolutionslinkedwithCiscoroutersto
upload,downloadandtunnelingaswellas3
rd
party
storagelikeSMEStorage(AWS,Azure,Dropbox,
Google,etc.),whileAzureisnot
ToolsLock-in
Longingforaninter-cloudmanagingtoolsthatare
industrialandbuiltwithcompliance
APIsLock-In
Longing for inter-cloud APIs, however there were
known inter-OS APIs for PC, MDM, Mobiles, etc.
NoTransparency
Weak compliance and transparency due to SAS 70
and NDA relationships between cloud vendor and
third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick
response and stay tuned
What is about Public Clouds
Some known facts about AWS & Azurein order to issues mentioned above
"AllYourCloudsareBelongtous–SecurityAnalysisof
CloudManagementInterfaces",3rdCCSW,October2011
A black box analysis methodology of AWS control
interfaces compromised via the XSS techniques,
HTML injections, MITM
[AWS]::“ReportedSOAPRequestParsingVulnerabilities”
Utilizing the SSL/HTTPS only with certificate
validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM
accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
“Themostdangerouscodeintheworld:validatingSSL
certificatesinnon-browsersoftware”,19thACM
ConferenceonComputerandCommunicationsSecurity,
October2012
Incorrect behavior in the SSL certificate validation
mechanisms of AWS SDK for EC2, ELB, and FPS
[AWS]::“ReportedSSLCertificateValidationErrorsinAPI
ToolsandSDKs”
Despite of that, AWS has updated all SDK (for all
services) to redress it
Clouds: Public against Private
Known security issues of Public Cloudsand significant researches on it as a POC
CloudManagementInterfaces",3rdCCSW,October2011
A black box analysis methodology of AWS control
interfaces compromised via the XSS techniques,
HTML injections, MITM
[AWS]::“ReportedSOAPRequestParsingVulnerabilities”
Utilizing the SSL/HTTPS only with certificate
validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM
accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
“Themostdangerouscodeintheworld:validatingSSL
certificatesinnon-browsersoftware”,19thACM
ConferenceonComputerandCommunicationsSecurity,
October2012
Incorrect behavior in the SSL certificate validation
mechanisms of AWS SDK for EC2, ELB, and FPS
[AWS]::“ReportedSSLCertificateValidationErrorsinAPI
ToolsandSDKs”
Despite of that, AWS has updated all SDK (for all
services) to redress it
Clouds: Public against Private
Known security issues of Public Cloudsand significant researches on it as a POC
[Intel]::“TheEssentialIntelligentClient”
Applied are known for VMware
Ability to control clouds due the Intel
AMT commands or else is applied for
VMware
There were not known successful
implementations for AWS, Azure, GAE or
other clouds.
[Elcomsoft]::“CrackingPasswordsintheCloud:
BreakingPGPonEC2withEDPR”
Serious performance problems regardless
of where the trusted/untrusted control
agents are
Overloading the virtual OS with analyzing
CPU commands and system calls
Overloading is multiplied by known issues
the best of all demonstrated in case of
GPU (Elcomsoft, GPU Cracking)
Clouds: Public against Private
Longing for managing CPU, Memory and other closed resources
Applied are known for VMware
Ability to control clouds due the Intel
AMT commands or else is applied for
VMware
There were not known successful
implementations for AWS, Azure, GAE or
other clouds.
[Elcomsoft]::“CrackingPasswordsintheCloud:
BreakingPGPonEC2withEDPR”
Serious performance problems regardless
of where the trusted/untrusted control
agents are
Overloading the virtual OS with analyzing
CPU commands and system calls
Overloading is multiplied by known issues
the best of all demonstrated in case of
GPU (Elcomsoft, GPU Cracking)
Clouds: Public against Private
Longing for managing CPU, Memory and other closed resources
[AWS]::“XenSecurityAdvisories”
There are known XEN attacks (Blue Pills, etc.)
No one XEN vulnerability was not applied to the
AWS services
Very customized clouds
[CSA]::“CSATheNotoriousNineCloudComputingTop
Threatsin2013”
Replaced a document published in 2009
Such best practices provides a least security
No significant changes since 2009, even examples
TopThreatsExamples
“1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys”,
“7.0. Threat: Abuse of Cloud Services // Cross-VM
Side Channels and Their Use to Extract private
Keys”
“4.0. Threat: Insecurity Interfaces and APIs”
BesidesofRealityofCSAThreats
1.0 & 7.0 cases highlight how the public clouds
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focused on a private
cloud case (VMware and XEN), while there is no a
known way to adopt it to AWS.
4.0 case presents issues raised by a SSO access
not related to public clouds (except Dropbox,
SkyDrive) and addressed to insecurity of APIs.
Clouds: Public against Private
It is generally known, that private clouds are most secureThere is no a POC to prove a statement on public clouds
There are known XEN attacks (Blue Pills, etc.)
No one XEN vulnerability was not applied to the
AWS services
Very customized clouds
[CSA]::“CSATheNotoriousNineCloudComputingTop
Threatsin2013”
Replaced a document published in 2009
Such best practices provides a least security
No significant changes since 2009, even examples
TopThreatsExamples
“1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys”,
“7.0. Threat: Abuse of Cloud Services // Cross-VM
Side Channels and Their Use to Extract private
Keys”
“4.0. Threat: Insecurity Interfaces and APIs”
BesidesofRealityofCSAThreats
1.0 & 7.0 cases highlight how the public clouds
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focused on a private
cloud case (VMware and XEN), while there is no a
known way to adopt it to AWS.
4.0 case presents issues raised by a SSO access
not related to public clouds (except Dropbox,
SkyDrive) and addressed to insecurity of APIs.
Clouds: Public against Private
It is generally known, that private clouds are most secureThere is no a POC to prove a statement on public clouds
TheGoalisbringingatransparencyofcloudcontrolsand
features,especiallysecuritycontrolsandfeatures
Suchdocumentshaveaclaimtobeup-to-datewith
expert-levelunderstandingofsignificantthreatsand
vulnerabilities
Unifyingrecommendationsforallclouds
Uptonow,itisathirdrevision
Allrecommendationsarelinkedwithotherstandards
PCI DSS
ISO
NIST
COBIT
FEDRAMP
Topknowncloudvendorsannouncedtheyarein
compliancewithit
Someofreportsaregettingoldbynow
Customershavetocontroltheirenvironmentbytheir
needs
Customerswanttoknowwhetheritisincompliancein,
especiallylocalregulationsandhowfar
Customerswanttoknowwhetheritmakescloudsquite
transparencytolettobuildanappropriate
Compliance: from CSA’s viewpoint
On CSA side On vendors and customers side
features,especiallysecuritycontrolsandfeatures
Suchdocumentshaveaclaimtobeup-to-datewith
expert-levelunderstandingofsignificantthreatsand
vulnerabilities
Unifyingrecommendationsforallclouds
Uptonow,itisathirdrevision
Allrecommendationsarelinkedwithotherstandards
PCI DSS
ISO
NIST
COBIT
FEDRAMP
Topknowncloudvendorsannouncedtheyarein
compliancewithit
Someofreportsaregettingoldbynow
Customershavetocontroltheirenvironmentbytheir
needs
Customerswanttoknowwhetheritisincompliancein,
especiallylocalregulationsandhowfar
Customerswanttoknowwhetheritmakescloudsquite
transparencytolettobuildanappropriate
Compliance: from CSA’s viewpoint
On CSA side On vendors and customers side
CAIQ/CCMprovidesequivalentofrecommendationsover
severalstandards,CAIQprovidesmoredetailsonsecurity
andprivacybutNISTmorespecific
CSArecommendationsarepurewithtechnicaldetails
It helps vendors to pass a compliance easier
It helps not to have their solutions worked out in
details and/or badly documented
It helps to makes a lot of references on 3
rd
party
reviewers under NDA (SOC 1 or SAS 70)
Badideatoletvendorsfillssuchdocuments
They provide fewer public details
They take it to NDA reports
Vendorsgeneralexplanationsmultipliedbygeneral
standardsrecommendationsareextremelyfarawayfrom
transparency
Cloudscallforspecificlevelsofauditlogging,activity
reporting,securitycontrollinganddataretention
It is often not a part of SLA offered by providers
It is outside recommendations
AWSoftenfallsindetailswiththeirarchitecturedocuments
AWSsolutionsareverywelltobeincompliancewithold
standardsandspecificlocalregulationssuchasRussianLaw
It additionally need to use CLI, API/SDK to reduce
third party solutions and implement national crypto
It offers a PenTestopportunity
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
severalstandards,CAIQprovidesmoredetailsonsecurity
andprivacybutNISTmorespecific
CSArecommendationsarepurewithtechnicaldetails
It helps vendors to pass a compliance easier
It helps not to have their solutions worked out in
details and/or badly documented
It helps to makes a lot of references on 3
rd
party
reviewers under NDA (SOC 1 or SAS 70)
Badideatoletvendorsfillssuchdocuments
They provide fewer public details
They take it to NDA reports
Vendorsgeneralexplanationsmultipliedbygeneral
standardsrecommendationsareextremelyfarawayfrom
transparency
Cloudscallforspecificlevelsofauditlogging,activity
reporting,securitycontrollinganddataretention
It is often not a part of SLA offered by providers
It is outside recommendations
AWSoftenfallsindetailswiththeirarchitecturedocuments
AWSsolutionsareverywelltobeincompliancewithold
standardsandspecificlocalregulationssuchasRussianLaw
It additionally need to use CLI, API/SDK to reduce
third party solutions and implement national crypto
It offers a PenTestopportunity
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
Description DIFF (AWS vs. AZURE)
ThirdPartyAudits AsopposedtoAWS,Azuredoesnothaveaclearlydefinedstatementwhethertheircustomersabletoperformtheirown
vulnerabilitytest
InformationSystemRegulatory
Mapping
AWSfallsindetailstocomplyitthatresultsofdifferencesbetweenCAIQandCMM
Handling/Labeling/SecurityPolicyAWSfallsindetailswhatcustomersareallowedtodoandhowexactlywhileAzuredoesnot
RetentionPolicy AWSpointstothecustomers’responsibilitytomanagedata,excludemovingbetweenAvailabilityZonesinsideoneregion;Azure
ensuresonvalidationandprocessingwithit,andindicateaboutdatahistoricalauto-backup
SecureDisposal Noserious,AWSreliesonDoD5220.22additionallywhileAzuredoesNIST800-88only
InformationLeakage AWSreliesonAMIandEBSservices,whileAzuredoesonIntegritydata
Policy,UserAccess,MFA Nobothhave
BaselineRequirements AWSprovidesmorehighdetailedhow-todocsthanAzure,allowstoimporttrustedVMfromVMware,Azure
Encryption,Encryption Key
Management
AWSoffersencryptionfeaturesforVM,storage,DB,networkswhileAzuredoesforXStore(AzureStorage)
Vulnerability/PatchManagement AWSprovidestheircustomerstoaskfortheirownpentestwhileAzuredoesnot
NondisclosureAgreements,Third
PartyAgreements
AWShighlightsthattheydoesnotleverageany3
rd
partycloudproviderstodeliverAWSservicestothecustomers.Azurepointsto
theprocedures,NDAundergonewithISO
UserIDCredentials BesidestheAD(ActiveDirectory)AWSIAMsolutionarealignmentwithbothCAIQ,CMMrequirementswhileAzureaddressesto
theADtoperformtheseactions
(Non)Production environments,
NetworkSecurity
AWSprovidesmoredetailshow-todocumentstohavingacompliance
Segmentation Besidesvendorfeatures,AWSprovidesquitesimilarmechanisminalignmentCAIQ&CMM,whileAzurepointstofeaturesbuiltin
infrastructureonavendorside
MobileCode AWSpointstheirclientstoberesponsibletomeetsuchrequirements,whileAzurepointstobuildsolutionstrackedformobilecode
Compliance, Transparency, Elaboration
Description DIFF (AWS vs. AZURE)
ThirdPartyAudits AsopposedtoAWS,Azuredoesnothaveaclearlydefinedstatementwhethertheircustomersabletoperformtheirown
vulnerabilitytest
InformationSystemRegulatory
Mapping
AWSfallsindetailstocomplyitthatresultsofdifferencesbetweenCAIQandCMM
Handling/Labeling/SecurityPolicyAWSfallsindetailswhatcustomersareallowedtodoandhowexactlywhileAzuredoesnot
RetentionPolicy AWSpointstothecustomers’responsibilitytomanagedata,excludemovingbetweenAvailabilityZonesinsideoneregion;Azure
ensuresonvalidationandprocessingwithit,andindicateaboutdatahistoricalauto-backup
SecureDisposal Noserious,AWSreliesonDoD5220.22additionallywhileAzuredoesNIST800-88only
InformationLeakage AWSreliesonAMIandEBSservices,whileAzuredoesonIntegritydata
Policy,UserAccess,MFA Nobothhave
BaselineRequirements AWSprovidesmorehighdetailedhow-todocsthanAzure,allowstoimporttrustedVMfromVMware,Azure
Encryption,Encryption Key
Management
AWSoffersencryptionfeaturesforVM,storage,DB,networkswhileAzuredoesforXStore(AzureStorage)
Vulnerability/PatchManagement AWSprovidestheircustomerstoaskfortheirownpentestwhileAzuredoesnot
NondisclosureAgreements,Third
PartyAgreements
AWShighlightsthattheydoesnotleverageany3
rd
partycloudproviderstodeliverAWSservicestothecustomers.Azurepointsto
theprocedures,NDAundergonewithISO
UserIDCredentials BesidestheAD(ActiveDirectory)AWSIAMsolutionarealignmentwithbothCAIQ,CMMrequirementswhileAzureaddressesto
theADtoperformtheseactions
(Non)Production environments,
NetworkSecurity
AWSprovidesmoredetailshow-todocumentstohavingacompliance
Segmentation Besidesvendorfeatures,AWSprovidesquitesimilarmechanisminalignmentCAIQ&CMM,whileAzurepointstofeaturesbuiltin
infrastructureonavendorside
MobileCode AWSpointstheirclientstoberesponsibletomeetsuchrequirements,whileAzurepointstobuildsolutionstrackedformobilecode
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
NAME
w/o CE w CE
AWS Azure AWS Azure
AccessControlPolicyandProceduresY Y None None
AccountManagement Y Yexc.g Y:1,4,6,7;prebuilt:2,5a-b;poss.3,5c,5d Y:1-4,5a,6,7;N/A:5b-d
AccessEnforcement
Y Y Y:1,2;prebuilt:3-6 Yexc.3(partially)
InformationFlowEnforcement Y Y prebuilt:1-8,10-17;N/A:9 Yexc.N/A:12-15
LeastPrivilege Y Y Y Y
SecurityAttributes
prebuilt
prebuiltexc.
N/A:5
None None
UseofExternalInformationSystemsY Y Y Y
AuditableEvents Y Y None None
AuditReview,Analysis,andReporting
Y Y p.internal t.internal
ProtectionofAuditInformation Y Y poss. poss.
SecurityFunctionIsolation
t.internalt.internalt.internal t.internal
DenialofServiceProtection
p.internalp.internalp.internal p.internal
BoundaryProtection
prebuiltprebuilt
prebuilt:1-6,11exc.poss.4c;prebuilt:7,8,9,
12,15,16;prebuilt:10exc.N/A:iii,
t.internal:v;p.internal:13,14,17
prebuilt:1-6,11;
N/A:3-4,8,10,17;
poss.7,9,12,15;
p.internal:13,14,17
Architecture&Provisioningfor
Name/AddressResolutionService
prebuiltt.internalprebuilt t.internal
Honeypots poss. poss. None None
OSIndependentApplications poss. poss. None None
ProtectionofdataatRest poss. poss. None None
VirtualizationTechniques
t.internalt.internalt.internal t.internal
Compliance, Transparency, Elaboration
NAME
w/o CE w CE
AWS Azure AWS Azure
AccessControlPolicyandProceduresY Y None None
AccountManagement Y Yexc.g Y:1,4,6,7;prebuilt:2,5a-b;poss.3,5c,5d Y:1-4,5a,6,7;N/A:5b-d
AccessEnforcement
Y Y Y:1,2;prebuilt:3-6 Yexc.3(partially)
InformationFlowEnforcement Y Y prebuilt:1-8,10-17;N/A:9 Yexc.N/A:12-15
LeastPrivilege Y Y Y Y
SecurityAttributes
prebuilt
prebuiltexc.
N/A:5
None None
UseofExternalInformationSystemsY Y Y Y
AuditableEvents Y Y None None
AuditReview,Analysis,andReporting
Y Y p.internal t.internal
ProtectionofAuditInformation Y Y poss. poss.
SecurityFunctionIsolation
t.internalt.internalt.internal t.internal
DenialofServiceProtection
p.internalp.internalp.internal p.internal
BoundaryProtection
prebuiltprebuilt
prebuilt:1-6,11exc.poss.4c;prebuilt:7,8,9,
12,15,16;prebuilt:10exc.N/A:iii,
t.internal:v;p.internal:13,14,17
prebuilt:1-6,11;
N/A:3-4,8,10,17;
poss.7,9,12,15;
p.internal:13,14,17
Architecture&Provisioningfor
Name/AddressResolutionService
prebuiltt.internalprebuilt t.internal
Honeypots poss. poss. None None
OSIndependentApplications poss. poss. None None
ProtectionofdataatRest poss. poss. None None
VirtualizationTechniques
t.internalt.internalt.internal t.internal
Out of paper example (MDM) : Efficiency of activities
16,67
19,05
60,00
5,88
14,29
5,56
16,67
66,67
11,76
66,67
25,00
50,00
25,0025,00
50,00
33,33
50,00
250,00
7,14
16,67
3,45
12,50
5,08
14,29
3,37
6,25
8,70
4,26
66,67
9,09
66,67
5,26
2,17
88,89
4,17
8,00
250,00
3,70
0,00
50,00
100,00
150,00
200,00
250,00
% m+a activity vs perm% m+a derived activity vs perm
16,67
19,05
60,00
5,88
14,29
5,56
16,67
66,67
11,76
66,67
25,00
50,00
25,0025,00
50,00
33,33
50,00
250,00
7,14
16,67
3,45
12,50
5,08
14,29
3,37
6,25
8,70
4,26
66,67
9,09
66,67
5,26
2,17
88,89
4,17
8,00
250,00
3,70
0,00
50,00
100,00
150,00
200,00
250,00
% m+a activity vs perm% m+a derived activity vs perm
Out of paper example (MDM) : Efficiency of activities
BlackBerry Old iOS BlackBerry QNX Android
Quantity of Groups 55 16 7 4
Average perm per group 20 5 7 4
Efficiency 80,00 38,46 31,82 10,26
Totall permissions 1100 80 49 16
55
16
7 4
20
5 7 4
80,00
38,46
31,82
10,26
1100
80
49
16
0
200
400
600
800
1000
1200
0
10
20
30
40
50
60
70
80
90
100
Quantity of Groups Average perm per group Efficiency Totall permissions
BlackBerry Old iOS BlackBerry QNX Android
Quantity of Groups 55 16 7 4
Average perm per group 20 5 7 4
Efficiency 80,00 38,46 31,82 10,26
Totall permissions 1100 80 49 16
55
16
7 4
20
5 7 4
80,00
38,46
31,82
10,26
1100
80
49
16
0
200
400
600
800
1000
1200
0
10
20
30
40
50
60
70
80
90
100
Quantity of Groups Average perm per group Efficiency Totall permissions
The best Security & Permissions ruled by AWS among other clouds
Most cases are not clear in according to the roles and responsibilities of cloud vendors and their customers
Some of such cases are not clear on background type: technical or non-technical
Swapping responsibilities and shifting the vendor job on to customer shoulders
Referring to independent audits reports under NDA as many times as they can
All recommendations should be enhanced by independent analysis expert in certain areas
CSA put the cross references to other standards that impact on complexity & lack of clarity like NIST SP800-53
NIST is more details and well documented with cross references and AWS matches to the NIST more
CONCLUSION
THE VENDOR SECURITY VISIONHAS NOTHING WITH REALITYAGGRAVATED BY SIMPLICITY
Most cases are not clear in according to the roles and responsibilities of cloud vendors and their customers
Some of such cases are not clear on background type: technical or non-technical
Swapping responsibilities and shifting the vendor job on to customer shoulders
Referring to independent audits reports under NDA as many times as they can
All recommendations should be enhanced by independent analysis expert in certain areas
CSA put the cross references to other standards that impact on complexity & lack of clarity like NIST SP800-53
NIST is more details and well documented with cross references and AWS matches to the NIST more
CONCLUSION
THE VENDOR SECURITY VISIONHAS NOTHING WITH REALITYAGGRAVATED BY SIMPLICITY
Q&A THANK YOU
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 26
- Slides 16
- Age 521 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
85 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
79 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
76 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
62 views
21
Know for Certain
DaveSinNM
36 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
41 views