ORLANDO, Fla. -- Organizations engaging a cloud-based service need to consider how robust the provider's data protection mechanisms are, and should demand a minimum level of security before signing a contract, according to a noted security expert.
Risk mitigation must be part of the contract negotiations, said Tom Kellermann, vice president of cybersecurity at Trend Micro Inc. Kellermann urges enterprises to consult the 20 Critical Security Controls originally outlined by the National Security Agency (NSA) and now updated by the newly created Consortium for Cybersecurity Action (CCA).
"If I was a business person actually negotiating these deals I would never move forward without those basic, bare bones minimums," Kellermann said in a recent interview with SearchSecurity.com conducted at the 2012 Cloud Security Alliance Congress. "To sustain the cloud and the future of the Internet, you have to look at it not from a resiliency perspective, but from a straight up defense-in-depth perspective. It's not just about uptime."
Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, said the 20 Critical Controls list is based on information gathered from forensics experts and penetration testers, who see the vulnerabilities and configuration weaknesses that persist in many environments and the attack patterns cybercriminals consistently use. The 20 controls address application security, wireless weaknesses and data protection. They also address network monitoring, access control and incident response.
In this interview, Kellermann explains how the controls should be addressed in cloud environments and how a defense-in-depth strategy must incorporate attacker methodology.
How difficult will it be to provide data security in the cloud as adoption of cloud-based services and hosting increases?
Tom Kellermann: There's a land rush going on for this cloud phenomenon. As you create these centralized, consolidated data sources, like a watering hole in South Africa, the crocodiles and lions are still there, but you are creating these slower cows that go drink from that water. The predators are getting more bang for the buck by targeting these fat cows. To sustain the cloud and the future of the Internet, you have to look at it not from a resiliency perspective, but from a straight up defense-in-depth perspective. It's not just about uptime. I think the Cloud Security Alliance has a huge role to play starting with helping people write contracts with a standard template that will allow them to deal with a cloud provider that is being difficult in that they won't allow you to impose your standards of cybersecurity in their environment. It's highly problematic.
What should be among the standard security controls to protect critical data in the cloud?
Kellermann: It's not like when you buy a house or buy a car. You really don't have the upper hand as a consumer in a cloud environment to purchase the type of environment that you want. The assumption is being made that you are cheap and trying to save costs. I don't know whether or not that is just the arrogance of the community, but you have to empower your general counsel to be able to ask the right questions and write contracts based on risk management. The bare bones basics of cloud security go beyond antivirus and firewalls: intrusion protection systems, file integrity monitoring and virtual patching. Encryption should be used, but you should manage your own keys. If the [cloud provider] gets popped and it's managing the keys, then the hacker has the keys to the kingdom. Most important is monitoring logs. If I was a business person actually negotiating these deals I would never move forward without those basic, bare bones minimums. I would also want to conduct a penetration test of the environment prior to migrating the data there. I would want the [cloud provider] to manage any critical attack paths or vulnerabilities that are identified.
You have said that there are some cloud providers that are serious about helping enterprises create a "walled garden." Can you explain what they are doing?
Kellermann: The hardest thing for the hacker is to get the data out in real time. It's also not just the data, but the credentials. Most sophisticated networks have two-factor authentication and time-based credential systems to access sensitive stuff, so you have to be there in real time to hand those credentials off, pass the hash and steal the data. So it's about creating more mechanisms to make it more difficult to get data out of the system. In modern architecture, it's like how you build a better prison. Especially when you think about Inter-VM attacks and how those are flourishing now. Hypervisor attacks are rising in interest. We're not paying enough respect to the underground and the shadow economy itself and the tactics that are being utilized when we try to develop defense-in-depth security. If you look at the underground supply and demand curves on Safari, it's $75,000 for a zero-day for Safari. It's $80,000 for a Windows 8 zero-day. A VMware hypervisor zero-day vulnerability in the underground is about $90,000.
Some experts say that the issue of attribution is a serious problem that hasn't yet been solved. Do you agree?
Kellermann: No. It's not anymore. The holy grail of cyber right now is attribution. It's going to be all about leveraging global threat intelligence to correlate with cyber kill chains that may or may not have manifested themselves within your network or your partner networks. Your partner networks are like the shallow end of the pool and your network is the deep end, so you can't ignore your partner networks. If you have a large enough presence in the world you can see telltale patterns in the kill chain. Of the stages of the kill chain, there's a maintenance stage used by attackers. They patch the holes that they exploit and clean the boxes that they compromise because they don't want other hackers having a presence. How they propagate, how they exfiltrate, how they maintain the system, how they conduct reconnaissance on you, remain the same. But there is a modus operandi associated with an actor. Eastern Europeans like to use custom crafted attack code that has a specialized purpose. They like to use their own hosting and bullet proof hosting. Whereas the East Asians like to use code that has worked before and they don't necessarily care if the hosting is there. These types of distinctions can now be made and understood in the wild, as well as how that code was developed and who developed it, coupled with the command and control itself.