[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.chemerkin@gmail.com
Experienced in: Reverse Engineering & AV, Software Programming & Documentation, Mobile Security and MDM, Cyber Security & Cloud Security, Compliance & Transparency and Security
Writing: Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
Participation at conferences: InfoSecurityRussia, NullCon, AthCon, CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec, ICITST, CyberTimes, EBW
Cloud Issues
Known Issues                  | Known Solutions
Threats                       | Customization and best practices
Privacy                       | Cryptoanarchism
Compliance                    | CSA, ISO, PCI, SAS 70
Legal                         | US Location
Vendor lock-in                | Platform, Data, Tools Lock-In
Open source / Open standards  | Top clouds are not open-source
Security                      | Physical clouds more secured than Public
Abuse                         | Botnets and Malware Infections
IT governance                 | Depends on organization needs
Ambiguity of terminology      | Reference to wide services, solutions, etc.
Native AWS solutions linked with Cisco routers for upload, download and tunneling, as well as 3rd-party storage such as SMEStorage (AWS, Azure, Dropbox, Google, etc.)
[Elcomsoft] :: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
Serious performance problems regardless of where the trusted/untrusted control agents are located
The ability to control clouds via Intel AMT commands or similar mechanisms applies to VMware; there are no known successful implementations for AWS, Azure, GAE or other clouds.
Overloading the virtual OS by analysing CPU instructions and system calls; the overload is multiplied by known issues, best demonstrated in the GPU case (Elcomsoft, GPU cracking)
CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVATED BY SIMPLICITY
AWS offers the best Security & Permissions model among the clouds compared
In most cases the roles and responsibilities of cloud vendors and their customers are not clear
Some of these cases are not even clear about their background type: technical or non-technical. Responsibilities are swapped and the vendor's job is shifted onto the customer's shoulders.
Vendors refer to independent audit reports under NDA as often as they can
All recommendations should be enhanced by independent analysis by experts in specific areas. CSA cross-references other standards, such as NIST SP 800-53, which adds complexity and reduces clarity.
NIST is more detailed and better documented, with cross references, and AWS matches NIST more closely
Q&A
THANK YOU