cloud privacy and security (Risk Assessment)
ITC568 Cloud Privacy and Security
Risk assessment models and techniques
Week 4
Dr Peter White
Evaluate risks for data privacy and security
Analyse the legal, ethical & business concerns for data privacy and security
Evaluate risk management techniques
Agenda
© Peter White, 2017
2
Risk management is defined as:
“The identification, assessment and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events” Hubbard, D. W. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. Somerset, NJ: John Wiley & Sons.
It can also be summed up as:
Being smart about taking chances
© Peter White, 2017
3
Risk management
Risk Management
© Peter White, 2017
4
Realistically, InfoSec is all about Risk Management:
You are applying some controls, or security measures, to reduce the risk of a threat occurring in your environment
Risk - The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring (NIST, 2010)
So, to be realistic about what controls or measure to apply, you need to be aware of what risk you face
You also need to be aware that applying controls can also create new risks:
Strong and imposing gates can also be a weak point
if the invaders have the right equipment, or find a way
to bypass them
A chokepoint can also be a single point of failure
Risk management is not just about assessing risk
It includes policies on:
The level of acceptable risk
Controls to minimise the risk
It also includes communication about the risk
© Peter White, 2017
5
Approaches
Risk Management is comprised of:
Risk Identification,
Risk Analysis,
Risk Evaluation,
Risk Treatment, and
Monitoring and Review
ISO/IEC 31010:2009 discusses a number of ways that we implement the identification, analysis, evaluation and monitoring of risks
© Peter White, 2017
6
A Basic Approach to Risk Management
Standards Australia. (2009). AS/NZS ISO 31000:2009 Risk management - Principles and guidelines Sydney: Standards Australia.
Risk Identification
Need to understand all the risks to the enterprise
Iterative process that could take up to 3 years, or more, to achieve!
Develop knowledge of threats to enterprise
Natural causes - storms, etc.
Man made threats
Technical & technology threats
Supply threats - water, sewer, electricity, communications, etc.
Identify the mitigation controls and recovery processes for each identified case of:
Natural causes
Man made threats
Technical and Technology threats
Supply threats
© Peter White, 2017
7
Basic Risk Assessment - Identification
Risk Analysis:
Asset inventory:
What are the assets?
What has to be protected?
Asset valuation
Identify protection priority (sensitivity value or other measure?)
Vulnerability analysis
What are the inherent weaknesses in our assets
Threat analysis:
What can hurt our assets
© Peter White, 2017
8
Basic Risk Assessment – Analysis
Risk Evaluation:
Evaluate likelihood and impact
Quantify the risk to the assets.
Evaluate possible preventative response and recovery controls:
What we do to stop the threats?
how do we reduce the impact of a threat if it occurs?
Cost evaluation and justification
What is the cost of the control vs benefit derived
Create risk assessment report
© Peter White, 2017
9
Basic Risk Assessment – Evaluation
Risk Management is:
The actions taken to manage the threats prudently
Management approves controls that are developed in the Risk Assessment:
The controls are based on Management’s tolerance for risk, their budget and other pressures;
The aim of the Risk Management treatment is to:
Mitigate, transfer or avoid risk
Controls are implemented and integrated:
Administrative, technical and physical controls
Controls are used to Prevent, Deter, Delay, Detect, Assess, Respond, Recover from Risk
It is essential that users are trained to use any new controls
Controls must be utilised, monitored, maintained and refined over time
Controls are evaluated for effectiveness over time using agreed metrics
The implemented Risk Management program becomes the new “normal” state of the enterprise security posture
© Peter White, 2017
10
Basic Risk Management – Treatment
Start with the standard TRA based on ISO/IEC 31000 Risk Management, then consider some cloud specific risks:
Compliance requirements
Shared roles and responsibilities in a cloud environment
Responsibility for assets
Access control
Segregation in shared computing environments
VM hardening
Changes to operational procedures
Changes to operational security
Logging and monitoring
Virtual network security management
Cryptography
Incident management
Endpoint security
Cloud Threat and Risk Assessment – ISO/IEC 27017: 2015
© Peter White, 2017
11
Data storage
Type of data
Mission critical data
Customer data
Identifiable
Transactional
Public access data
Ephemeral data (short lived)
Level of confidentiality required – classification?
Are access controls imposed on the data?
© Peter White, 2017
12
Data issues - Storage
How & what data is being collected?
Customers
Requested Personally Identifiable Information (PII)
Requested non-identifiable information?
Can that be confirmed as non-identifiable?
How?
Can it become identifiable id it is aggregated?
Anonymous information
Unsolicited personal information
Corporate data
What data is requested from customers?
Crowd sourced data
Unsolicited data
Marketing data (website tracking, etc)
Can that data identify individual customers/users?
© Peter White, 2017
13
Data issues - Collection
Data may not intrinsically be regarded as private or in need of security
But, if data is aggregated:
Could that aggregation identify persons, issues or potential security problems?
Can the aggregated data be de-identified in such a way as to preclude subsequent identification?
Would the data mining of apparently unassociated data sets lead to identification of people?
© Peter White, 2017
14
Data issues - Aggregation
Does transactional data require privacy and security controls?
Consider:
Sales transactions from an online retailer
Financial transactions through a bank’s website
Record/licence transactions with a Government Agency – e.g. Renew your car registration
Complete a survey from an retailer/supplier that you deal with
© Peter White, 2017
15
Data issues – Transactional data
There may be a number of legal issues that come into play with data in the cloud.
We will look at these in the next two topics in more detail, but you will need to consider:
Business continuity and disaster recovery plans
Data location and retrieval
Legal and regulatory environment
Information governance and management
Privacy
Security
Licensing
© Peter White, 2017
16
Data issues - Legal
How are you going to secure your data in the Cloud?
Where will it be located?
How will it be stored?
Will it be encrypted?
At rest?
In transit?
How will it be securely updated?
How will it be securely delivered?
What about backups and archiving?
© Peter White, 2017
17
Data issues- Security
Who has access to your data in the cloud?
Internal access:
Who can access it?
Is the access appropriate?
What can they do it?
Who has elevated privilege access? Why?
Who loads/updates/deletes/backup/archives data? When?
External access:
Who can access it?
Is they access appropriate?
Is it through a secure channel?
What can they do with the data?
© Peter White, 2017
18
Data issues - Access
An alternative approach to risk assessment is to assess risk using attack vectors:
Source – the threat agent
Vector – method of operation
Vulnerability - the weakness that can be exploited
Target - the aim of the attack
Impact - Confidentiality, Integrity, Availability
Defence - how to close or defend the weakness
© Peter White, 2017
19
Attack Risk Assessment
This approach is based on the OWASP approach (https:// www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) and uses the following factors:
Threat Agents:
Skill level
Motive
Opportunity
Size
Vulnerability
Ease of discovery
Ease of exploit
Awareness
Intrusion detection
© Peter White, 2017
20
Attack Risk Assessment
Technical impact
Loss of confidentiality
Loss of integrity
Loss of availability
Loss of accountability
Business impact
Financial damage
Reputational damage
Non-compliance
Privacy violation
© Peter White, 2017
21
Attack Risk Assessment
© Peter White, 2017
22
Assessing severity
From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
© Peter White, 2017
23
Assessing risk
From: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Read:
Juliadotter, N., Choo, K.. (2015). CATRA: Conceptual cloud attack taxonomy and risk assessment framework. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 3)
Nidd, M., Ivanova, M., Probst, C., Tanner,A. (2015). Tool-based risk assessment of cloud infrastructures as socio-technical systems. In Ko, R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress. (Chapter 22)
National Institute of Standards and Technology. (2016). Risk Management Framework. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework /
Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance. Retrieved from http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
Office of Finance and Services. (2014). OFS ICT Cloud Service Guidelines. Sydney: Office of Finance and Services, Department of Treasury. Retrieved from http://arp.nsw.gov.au/sites/default/files/Cloud%20Services%20Policy%20and%20Guidelines.pdf
OWASP, (2013). OWASP Risk Rating Methodology, Open Web Application Security Project, viewed 17 May 2017), https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
© Peter White, 2017
24
Tasks