cloud privacy and security (Risk Assessment)

profileSangeeth08
ITC568_201860_Wk4_RiskManagement.pptx

ITC568 Cloud Privacy and Security

Risk assessment models and techniques

Week 4

Dr Peter White

Evaluate risks for data privacy and security

Analyse the legal, ethical & business concerns for data privacy and security

Evaluate risk management techniques

Agenda

© Peter White, 2017

2

Risk management is defined as:

“The identification, assessment and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events” Hubbard, D. W. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. Somerset, NJ: John Wiley & Sons.

It can also be summed up as:

Being smart about taking chances

© Peter White, 2017

3

Risk management

Risk Management

© Peter White, 2017

4

Realistically, InfoSec is all about Risk Management:

You are applying some controls, or security measures, to reduce the risk of a threat occurring in your environment

Risk - The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring (NIST, 2010)

So, to be realistic about what controls or measure to apply, you need to be aware of what risk you face

You also need to be aware that applying controls can also create new risks:

Strong and imposing gates can also be a weak point

if the invaders have the right equipment, or find a way

to bypass them

A chokepoint can also be a single point of failure

Risk management is not just about assessing risk

It includes policies on:

The level of acceptable risk

Controls to minimise the risk

It also includes communication about the risk

© Peter White, 2017

5

Approaches

Risk Management is comprised of:

Risk Identification,

Risk Analysis,

Risk Evaluation,

Risk Treatment, and

Monitoring and Review

ISO/IEC 31010:2009 discusses a number of ways that we implement the identification, analysis, evaluation and monitoring of risks

© Peter White, 2017

6

A Basic Approach to Risk Management

Standards Australia. (2009). AS/NZS ISO 31000:2009 Risk management - Principles and guidelines Sydney: Standards Australia.

Risk Identification

Need to understand all the risks to the enterprise

Iterative process that could take up to 3 years, or more, to achieve!

Develop knowledge of threats to enterprise

Natural causes - storms, etc.

Man made threats

Technical & technology threats

Supply threats - water, sewer, electricity, communications, etc. 

Identify the mitigation controls and recovery processes for each identified case of:

Natural causes

Man made threats

Technical and Technology threats

Supply threats

© Peter White, 2017

7

Basic Risk Assessment - Identification

Risk Analysis:

Asset inventory:

What are the assets?

What has to be protected?

Asset valuation

Identify protection priority (sensitivity value or other measure?)

Vulnerability analysis

What are the inherent weaknesses in our assets

Threat analysis:

What can hurt our assets

© Peter White, 2017

8

Basic Risk Assessment – Analysis

Risk Evaluation:

Evaluate likelihood and impact

Quantify the risk to the assets.

Evaluate possible preventative response and recovery controls:

What we do to stop the threats?

how do we reduce the impact of a threat if it occurs?

Cost evaluation and justification

What is the cost of the control vs benefit derived

Create risk assessment report

© Peter White, 2017

9

Basic Risk Assessment – Evaluation

Risk Management is:

The actions taken to manage the threats prudently

Management approves controls that are developed in the Risk Assessment:

The controls are based on Management’s tolerance for risk, their budget and other pressures;

The aim of the Risk Management treatment is to:

Mitigate, transfer or avoid risk

Controls are implemented and integrated:

Administrative, technical and physical controls

Controls are used to Prevent, Deter, Delay, Detect, Assess, Respond, Recover from Risk

It is essential that users are trained to use any new controls

Controls must be utilised, monitored, maintained and refined over time

Controls are evaluated for effectiveness over time using agreed metrics

The implemented Risk Management program becomes the new “normal” state of the enterprise security posture

© Peter White, 2017

10

Basic Risk Management – Treatment

Start with the standard TRA based on ISO/IEC 31000 Risk Management, then consider some cloud specific risks:

Compliance requirements

Shared roles and responsibilities in a cloud environment

Responsibility for assets

Access control

Segregation in shared computing environments

VM hardening

Changes to operational procedures

Changes to operational security

Logging and monitoring

Virtual network security management

Cryptography

Incident management

Endpoint security

Cloud Threat and Risk Assessment – ISO/IEC 27017: 2015

© Peter White, 2017

11

Data storage

Type of data

Mission critical data

Customer data

Identifiable

Transactional

Public access data

Ephemeral data (short lived)

Level of confidentiality required – classification?

Are access controls imposed on the data?

© Peter White, 2017

12

Data issues - Storage

How & what data is being collected?

Customers

Requested Personally Identifiable Information (PII)

Requested non-identifiable information?

Can that be confirmed as non-identifiable?

How?

Can it become identifiable id it is aggregated?

Anonymous information

Unsolicited personal information

Corporate data

What data is requested from customers?

Crowd sourced data

Unsolicited data

Marketing data (website tracking, etc)

Can that data identify individual customers/users?

© Peter White, 2017

13

Data issues - Collection

Data may not intrinsically be regarded as private or in need of security

But, if data is aggregated:

Could that aggregation identify persons, issues or potential security problems?

Can the aggregated data be de-identified in such a way as to preclude subsequent identification?

Would the data mining of apparently unassociated data sets lead to identification of people?

© Peter White, 2017

14

Data issues - Aggregation

Does transactional data require privacy and security controls?

Consider:

Sales transactions from an online retailer

Financial transactions through a bank’s website

Record/licence transactions with a Government Agency – e.g. Renew your car registration

Complete a survey from an retailer/supplier that you deal with

© Peter White, 2017

15

Data issues – Transactional data

There may be a number of legal issues that come into play with data in the cloud.

We will look at these in the next two topics in more detail, but you will need to consider:

Business continuity and disaster recovery plans

Data location and retrieval

Legal and regulatory environment

Information governance and management

Privacy

Security

Licensing

© Peter White, 2017

16

Data issues - Legal

How are you going to secure your data in the Cloud?

Where will it be located?

How will it be stored?

Will it be encrypted?

At rest?

In transit?

How will it be securely updated?

How will it be securely delivered?

What about backups and archiving?

© Peter White, 2017

17

Data issues- Security

Who has access to your data in the cloud?

Internal access:

Who can access it?

Is the access appropriate?

What can they do it?

Who has elevated privilege access? Why?

Who loads/updates/deletes/backup/archives data? When?

External access:

Who can access it?

Is they access appropriate?

Is it through a secure channel?

What can they do with the data?

© Peter White, 2017

18

Data issues - Access

An alternative approach to risk assessment is to assess risk using attack vectors:

Source – the threat agent

Vector – method of operation

Vulnerability - the weakness that can be exploited

Target - the aim of the attack

Impact - Confidentiality, Integrity, Availability

Defence - how to close or defend the weakness

© Peter White, 2017

19

Attack Risk Assessment

This approach is based on the OWASP approach (https:// www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) and uses the following factors:

Threat Agents:

Skill level

Motive

Opportunity

Size

Vulnerability

Ease of discovery

Ease of exploit

Awareness

Intrusion detection

© Peter White, 2017

20

Attack Risk Assessment

Technical impact

Loss of confidentiality

Loss of integrity

Loss of availability

Loss of accountability

Business impact

Financial damage

Reputational damage

Non-compliance

Privacy violation

© Peter White, 2017

21

Attack Risk Assessment

© Peter White, 2017

22

Assessing severity

From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

© Peter White, 2017

23

Assessing risk

From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

Read:

Juliadotter, N., Choo, K.. (2015). CATRA: Conceptual cloud attack taxonomy and risk assessment framework. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 3)

Nidd, M., Ivanova, M., Probst, C., Tanner,A. (2015). Tool-based risk assessment of cloud infrastructures as socio-technical systems. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 22)

National Institute of Standards and Technology. (2016). Risk Management Framework. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework / 

Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance. Retrieved from http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

Office of Finance and Services. (2014). OFS ICT Cloud Service Guidelines. Sydney: Office of Finance and Services, Department of Treasury. Retrieved from http://arp.nsw.gov.au/sites/default/files/Cloud%20Services%20Policy%20and%20Guidelines.pdf

OWASP, (2013). OWASP Risk Rating Methodology, Open Web Application Security Project, viewed 17 May 2017), https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

© Peter White, 2017

24

Tasks