
COMPLIANCE AND TRANSPARENCY OF CLOUD FEATURES vs. SECURITY STANDARDS

YURY CHEMERKIN
Cyber Intelligence Europe 2013
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.s@chemerkin.com

EXPERIENCED IN:
- REVERSE ENGINEERING & AV
- SOFTWARE PROGRAMMING & DOCUMENTATION
- MOBILE SECURITY AND MDM
- CYBER SECURITY & CLOUD SECURITY
- COMPLIANCE & TRANSPARENCY
- FORENSICS AND SECURITY WRITING
  - HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES:
- INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCONMOSCOW, HACKTIVITY, HACKFEST
- CYBERCRIME FORUM, DeepIntel/DeepSec, ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
I. Opinions & Facts
Cloud Issues
Known issue: known solutions / opinions
- Threats: customization, security solutions
- Privacy: crypto-anarchism
- Compliance: CSA, ISO, PCI, SAS 70
- Legal: typically US location
- Vendor lock-in: platform, data and tools lock-in
- Open source / open standards: top clouds are not open source
- Security: physical (private) clouds are regarded as more secure than public ones
- Abuse: botnets and malware infections / misuse
- IT governance: depends on organization needs
- Ambiguity of terminology: "cloud" refers to a wide range of services, solutions, etc.
What about Public Clouds
Some known facts about AWS & Azure relating to the issues mentioned above
- Top clouds are not open source
  - OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort; Azure is not
- Platform lock-in
  - AWS has Import/Export tools to migrate VMs from/to VMware; Azure does not
- Data lock-in
  - Native AWS solutions linked with Cisco routers for upload, download and tunneling, as well as 3rd-party storage brokers like SMEStorage (AWS, Azure, Dropbox, Google, etc.)
- AWS Security Bulletins serve as a kind of quick response channel; stay tuned
- Tools lock-in
  - Longing for inter-cloud management tools that are industrial-grade and built with compliance in mind
- API lock-in
  - Longing for inter-cloud APIs; by contrast, there are established cross-OS APIs for PC, MDM, mobiles, etc.
- No transparency
  - Weak compliance and transparency due to SAS 70 and NDA relationships between the cloud vendor and third-party auditors and experts
- Abuse
  - Abuse is not a new issue and is everywhere
Clouds: Public vs. Private
Known security issues of public clouds and significant research on them, as PoC
- "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM CCSW, October 2011
  - A black-box analysis methodology for the AWS control interfaces, compromised via XSS techniques, HTML injection, MITM and SOAP request parsing flaws
  - [AWS] :: "Reported SOAP Request Parsing Vulnerabilities"
  - Mitigations: use SSL/HTTPS only, with certificate validation, and prefer the REST/Query API access mechanisms over SOAP
  - Activate MFA and create IAM accounts with limited access; rotate AWS credentials, enhanced with key pairs and X.509 certificates
  - Limit access by source IP, enforced through the API/SDK and IAM
- "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, October 2012
  - Incorrect behaviour in the SSL certificate validation of the AWS SDKs for EC2, ELB and FPS
  - [AWS] :: "Reported SSL Certificate Validation Errors in API Tools and SDKs"
  - Since then, AWS has updated all SDKs (for all services) to fix it
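The SOAP request parsing issue above is XML signature wrapping, the class of flaw the CCSW 2011 paper demonstrated against the EC2 SOAP interface. The following is an added example, not code from the slides or from AWS: it models a signed SOAP request with an HMAC standing in for XML-DSig (the key, the Id value and the operation names are constructed), a verifier that resolves the signed Id anywhere in the document, and a hardened verifier that requires the signed element to be the very Body the application executes.

```python
"""Added example: simplified model of XML signature wrapping against a SOAP control interface.
Not code from the slides or from AWS. Real requests use XML-DSig; here the signature is an
HMAC over the serialized element whose Id the <Signature> references, which is all that is
needed to show the parsing mistake."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"s": SOAP}
KEY = b"constructed-demo-signing-key"  # constructed stand-in for the customer's secret


def canonical(elem):
    """Stand-in for XML canonicalization: ElementTree's serialization of the subtree."""
    return ET.tostring(elem, encoding="utf-8")


def digest(elem, key):
    return hmac.new(key, canonical(elem), hashlib.sha256).hexdigest()


def build_signed_request(action, key=KEY, **params):
    """Customer side: one operation in the Body, signed via a Header element that
    references the Body by Id. Returns the envelope as the server would re-parse it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", Id="body-1")
    ET.SubElement(body, action, **params)
    sig = ET.SubElement(header, "Signature", Ref="body-1")
    sig.set("Value", digest(body, key))
    return ET.fromstring(ET.tostring(env))


def wrap(envelope):
    """Attacker holding one captured signed request: move the signed Body (Id and content
    intact) under a Header wrapper and add a fresh Body with an operation of their choice."""
    env = copy.deepcopy(envelope)
    header = env.find("s:Header", NS)
    signed_body = env.find("s:Body", NS)
    env.remove(signed_body)
    ET.SubElement(header, "Wrapper").append(signed_body)
    new_body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(new_body, "CreateKeyPair", KeyName="attacker")
    return env


def operation(envelope):
    """What the application executes: the first child of Envelope/Body."""
    return envelope.find("s:Body", NS)[0].tag


def verify_naive(envelope, key=KEY):
    """Flawed verifier: resolves the referenced Id anywhere in the document, so the moved
    Body still verifies while the new Body is what gets executed."""
    sig = envelope.find("s:Header/Signature", NS)
    referenced = envelope.find(f".//*[@Id='{sig.get('Ref')}']")
    return referenced is not None and hmac.compare_digest(digest(referenced, key), sig.get("Value"))


def verify_strict(envelope, key=KEY):
    """Hardened verifier: the signed element must be the Body that will be executed,
    and its Id must occur exactly once in the document."""
    sig = envelope.find("s:Header/Signature", NS)
    body = envelope.find("s:Body", NS)
    with_id = envelope.findall(f".//*[@Id='{sig.get('Ref')}']")
    if len(with_id) != 1 or with_id[0] is not body:
        return False
    return hmac.compare_digest(digest(body, key), sig.get("Value"))


if __name__ == "__main__":
    req = build_signed_request("RunInstances", ImageId="ami-constructed")
    evil = wrap(req)
    for name, env in (("original", req), ("wrapped", evil)):
        print(name, operation(env), "naive:", verify_naive(env), "strict:", verify_strict(env))
```

The wrapped message passes the naive check because the verifier and the application resolve "the Body" differently; the REST/Query API with request signing over the whole request, which the slide recommends over SOAP, has no such two-step resolution.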
Clouds: Public vs. Private
It is commonly held that private clouds are the most secure; there is no PoC proving the corresponding claim about public clouds
- [AWS] :: "Xen Security Advisories"
  - There are known attacks on hypervisors such as Xen (Blue Pill etc.)
  - None of the Xen vulnerabilities has been shown to apply to AWS, Azure or SaaS/PaaS services
  - Besides, these are very customized clouds
- [CSA] :: "The Notorious Nine: Cloud Computing Top Threats in 2013"
  - Replaced the document published in 2009
  - Such best practices provide only a baseline level of security
  - No significant changes since 2009, not even the examples
  - Top threats examples
    - "1.0 Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys"
    - "7.0 Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys"
    - "4.0 Threat: Insecure Interfaces and APIs"
- Reality of the CSA threats
  - Cases 1.0 & 7.0 are meant to highlight how public clouds, e.g. AWS EC2, are vulnerable
  - Cases 1.0 & 7.0 are entirely focused on a private-cloud setting (VMware and Xen), and there is no known way to adapt them to AWS
  - Case 4.0 presents issues raised by SSO access, not related to public clouds (except Dropbox, SkyDrive), and addresses the insecurity of APIs
II. CSA Framework
[Figure: Cloud Model -> Basic Security Model -> CSA CAIQ -> CSA CCM mapping -> Enhanced Security Model -> Compliance Model]
II. NIST Framework
NIST Framework
- The consolidated framework over all NIST documents
- Logically clearly defined documents, e.g.
  - Categorization of systems
  - Selecting controls
  - FIPS
  - Forensics
  - Logging (SCAP)
  - Etc.
- Complementarity
- Interchangeability
- Expansibility
- Dependence
- Mapping (NIST, ISO only)
NIST Framework
Complementarity
- NIST control enhancements
- Your own security controls
Interchangeability
- Replacing basic controls by enhanced controls
Expansibility
- Controls that impact or support the implementation of a particular security control or control enhancement
- Your own way to improve the framework
Mapping (NIST, ISO only)
- NIST -> ISO
- ISO -> NIST
- NIST -> Common Criteria (rev4 only)
NIST Framework
Interchangeability
- Basic controls aren't applicable in the case of
  - Information systems that need to communicate with other systems across different policy domains
  - APT
  - Insider threats
  - Mobility (mobile location, non-fixed)
  - Single-user operations
- Replacing basic controls by enhanced controls
III. Clouds
Clouds
Amazon Web Services
- Generally IaaS
- Plus SaaS, PaaS
Microsoft Azure
- Generally PaaS
- Recent changes: IaaS
BlackBerry Enterprise Service
- Separate offering
- Integrated with Office 365
- SaaS as an MDM solution
[Figure: BES 10 (BlackBerry Z10/Q10, PlayBook; Android, iOS; unified management) and BES 5 (BlackBerry OS 4, 5, 6, 7; Office, Office 365, Cisco/VoIP), joined through a unified device platform and Office integration]
IV. Cloud & Compliance Specific
Cloud & Compliance Specific
- There is no one "cloud": there are many models and architectures
- There is no one "standard": there are many ways to build a cloud in alignment to...
- What vision is adopted by cloud vendors? Virtualizing anything that can be virtualized
- What vision is adopted by cloud operators (3rd party)? Data distribution, service distribution, unified management
- What is your way to use and manage the cloud? Clear ☺
- All of that is reflected in the compliance requirements
Cloud & Compliance Specific
There is no one "cloud": there are many models and architectures
There is no one "standard": there are many ways to build a cloud in alignment to...
- The goal is to bring transparency to cloud controls and features, especially security controls and features
- Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities
- Unifying recommendations for all clouds
- Up to now, it is the 3rd revision
- All recommendations are linked to other standards
  - PCI DSS, ISO, COBIT
  - NIST, FedRAMP
  - CSA's own vision of how it must be referenced
- Top known cloud vendors have announced they comply with it
- Some of the reports are getting old by now
- Customers have to control their environment according to their needs
- Customers want to know whether it is in compliance, especially with local regulations, and how far
- Customers want to know whether it makes clouds transparent enough to let them build an appropriate …
Cloud & Compliance Specific
Compliance, Transparency, Elaboration
- CAIQ/CCM provide the equivalent of recommendations across several standards; CAIQ provides more detail on security and privacy, but NIST is more specific
- CSA recommendations are poor in technical detail
  - This lets vendors avoid working their solutions out in detail and/or leaves them badly documented
  - It lets them put in a lot of references to 3rd-party reviewers under NDA (SOC 1 or SAS 70)
- Bad idea to let vendors fill in such documents
  - They provide fewer public details
  - They push it into NDA reports
- Vendors' general explanations multiplied by general standards' recommendations are extremely far from transparency
- Clouds call for specific levels of audit logging, activity reporting, security control and data retention
  - This is often not part of the SLA offered by providers
  - It is outside the recommendations
- AWS often goes into detail in its architecture documents
  - AWS solutions are very likely to comply with old standards and specific local regulations
  - NIST 800-53, or even Russian security standards (however, the Russian framework is outside the cloud framework)
Compliance: from the Cloud Vendor's viewpoint
Compliance, Transparency, Elaboration

Description | Difference (AWS vs. Azure)
Third Party Audits | Unlike AWS, Azure has no clearly defined statement on whether customers are able to perform their own vulnerability tests
Information System Regulatory Mapping | AWS goes into detail on how it complies, which results in differences between the CAIQ and CCM answers
Handling / Labeling / Security Policy | AWS details what customers are allowed to do and exactly how; Azure does not
Retention Policy | AWS points to the customers' responsibility to manage data, except for data movement between Availability Zones inside one region; Azure ensures validation and processing of it and mentions automatic historical backup of data
Secure Disposal | Not significant: AWS additionally relies on DoD 5220.22-M, while Azure relies on NIST 800-88 only
Information Leakage | AWS relies on the AMI and EBS services, while Azure relies on data integrity
Policy, User Access, MFA | No difference; both have it
Baseline Requirements | AWS provides more highly detailed how-to docs than Azure and allows importing trusted VMs from VMware; Azure does not
Encryption, Encryption Key Management | AWS offers encryption features for VMs, storage, DB and networks, while Azure does so for XStore (Azure Storage) only
Vulnerability / Patch Management | AWS lets its customers request their own pentests, while Azure does not
Nondisclosure Agreements, Third Party Agreements | AWS highlights that it does not leverage any 3rd-party cloud providers to deliver AWS services to customers; Azure points to its procedures and the NDAs undergone with ISO
User ID Credentials | Besides AD (Active Directory), the AWS IAM solution is aligned with both CAIQ and CCM requirements, while Azure refers to AD to perform these actions
(Non)Production Environments, Network Security | AWS provides more detailed how-to documents for achieving compliance
Segmentation | Besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CCM, while Azure points to features built into the infrastructure on the vendor side
Mobile Code | AWS points its clients to be responsible for meeting such requirements, while Azure points to building solutions that track mobile code
Compliance: from CSA's viewpoint
Examination of CSA
- Consumer relationship only
  - Everything except SA-13: "Location-aware technologies may be used to validate connection authentication integrity based on known equipment location"
- Vendor relationship only
  - Requirements include technical and management solutions
- Consumer relationship shared with vendor
  - Includes non-technical solutions only
  - Such as policies, roles, procedures, training
- All requirements cover the SaaS, PaaS and IaaS cloud types
- General requirements only
- Missing details (like those in DoD documents)
Compliance: from CSA's viewpoint
Examination of CSA references to NIST
Data Governance - Information Leakage (DG-07)
- "Security mechanisms shall be implemented to prevent data leakage" refers to
  - AC-2 Account Management
  - AC-3 Access Enforcement
  - AC-4 Information Flow Enforcement
  - AC-6 Least Privilege (the most correct reference)
  - AC-11 Session Lock
  - General requirements only
- "Security mechanisms shall be implemented to prevent data leakage" skips in turn (no references at all)
  - AC-7 Unsuccessful Login Attempts
  - AC-8 System Use Notification
  - AC-9 Previous Logon (Access) Notification
  - AC-10 Concurrent Session Control
Compliance: from CSA's viewpoint
Examination of CSA references to ISO
Data Governance - Information Leakage (DG-07)
- "Security mechanisms shall be implemented to prevent data leakage" also refers to ISO
  - A.10.6.2 Security of network services
  - A.10.6.2 refers to NIST in turn
    - CA-3 Information System Connections
    - SA-9 External Information System Services
    - SC-8 Transmission Integrity
    - SC-9 Transmission Confidentiality
- DG-07 should in fact refer to PE-19 Information Leakage
  - It could include the NIST requirement "AC-6 Least Privilege" too
- Few of them are applicable in the case of cloud MDM, and they should be extended with a different toolkit
Cloud & Compliance Specifics. Example
CSA Cloud :: Azure
- Data Governance (NIST: access control, media management, etc.)
  - Ownership / Stewardship
  - Classification
  - Handling / Labeling / Security Policy
  - Retention Policy
  - Secure Disposal
  - Non-Production Data
  - Information Leakage
  - Risk Assessments
- Azure's vision: distribution of information
  - CSA and ISO are better applicable than NIST
  - NIST is applicable as a custom collection of controls
  - The best way is to adopt NIST enhancements together with CSA
  - Need to remap CSA -> NIST rev4
    - Technical / Access Control / Security Attributes
      - Attribute Configuration
      - Permitted Attributes for Specified Information Systems
      - Permitted Values and Ranges for Attributes
Cloud & Compliance Specifics. Example
NIST Cloud :: AWS
- Access Control
  - Account, Session Management
  - Access / Information Flow Enforcement
  - Least Privilege, Security Attributes
  - Remote / Wireless Access
- AWS's vision is not data distribution
  - NIST is better applicable than CSA
  - NIST is applicable as a custom collection of controls
  - There are many enhancements to include (rev4)
    - Dynamic Account Creation
    - Restrictions on Use of Shared Groups / Accounts
    - Group Account Requests, Approvals / Renewals
    - Account Monitoring - Atypical Usage
      - e.g. :: log-delivery-write for S3
Cloud & Compliance Specifics. Example
CSA / NIST Cloud :: AWS
AWS's vision is not data distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint
- Resource-based policy -> attached to the resource
AWS's vision is not data distribution; however, NIST :: Access Control is applicable from the user-based viewpoint
- Account-based (identity-based) policy -> attached to users
  - Define that policy for MDM users to access internal network resources
  - Combine it with a mobile policy
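To make the resource-based vs. user-based distinction concrete, and to show the MFA and source-IP conditions recommended on the "Clouds: Public vs. Private" slide, here is an added example (not code from the slides or from AWS) that models how AWS evaluates an identity-based policy attached to the MDM users together with a bucket policy attached to the resource. The bucket name and the corporate CIDR are constructed; the evaluator implements only the subset of the real logic it comments on (explicit Deny wins, then any Allow, otherwise implicit Deny; Bool and IpAddress/NotIpAddress operators only).

```python
"""Added example, not from the slides or from AWS: simplified model of same-account S3 request
evaluation against an identity-based policy (attached to the IAM user) and a resource-based
policy (attached to the bucket). Bucket name and CIDR are constructed for the example."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::corp-mdm-config"  # constructed

# Identity-based policy for the MDM users: read-only, and only with MFA present.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Resource-based policy on the bucket: nothing from outside the corporate address range.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style matching: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                # A missing key never satisfies Bool (no ...IfExists variant modelled).
                if actual is None or str(actual).lower() != str(wanted).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                inside = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(wanted))
                # NotIpAddress is satisfied when the key is absent, as in AWS.
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _applies(stmt, action, resource, ctx):
    return (_matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(action, resource, ctx, identity_policy=USER_POLICY, resource_policy=BUCKET_POLICY):
    """Return 'Allow' or 'Deny' for a same-account request with the given request context."""
    applicable = [s for s in identity_policy["Statement"] + resource_policy["Statement"]
                  if _applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"   # an explicit Deny in either policy overrides everything
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"  # same account: an Allow from either policy is enough
    return "Deny"       # implicit deny: nothing granted the request


if __name__ == "__main__":
    obj = BUCKET + "/policy.json"
    print(evaluate("s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}))
    print(evaluate("s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.10"}))
    print(evaluate("s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}))
```

The two policies cover the two viewpoints on the slide: the bucket policy is the data-governance control on the resource, the user policy is the access control on the account; only a request that satisfies both reaches the object. Note the caveat in the code on NotIpAddress: a request context with no aws:SourceIp (for instance a call made by a service on the user's behalf) also hits the Deny.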
COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components vs. NIST SP 800-124
- CSA key components
  - Device diversity
  - Configuration management
  - Software distribution
  - Device policy compliance & enforcement
  - Enterprise activation
  - Logging
  - Security settings
  - Security wipe, lock
  - IAM
- NIST SP 800-124
  - Refers to NIST SP 800-53 and others
  - Some requirements are sometimes missed, such as locking the device; however, it is in NIST SP 800-53
  - A bit more detailed than CSA
  - No statements on permission management
- Make sure you start managing security under uncertain terms without AI ☺
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security features. The situation is very serious ☺

Δ = Α ∪ Β ∪ Γ ∪ Υ, where Α ⊂ Β, Υ ⊆ Β, Υ ⊂ Α
- Δ: set of OS permissions
- Α: set of device permissions
- Β: set of MDM permissions
- Γ: set of missed permissions (lack of controls)
- Υ: set of rules that explicitly should be applied to gain compliance

Η = Ε + Ζ, where Ε ⊃ Α ∪ Β
- Η: set of APIs
- Ε: set of APIs that interact with sensitive data
- Ζ: set of APIs that do not interact with sensitive data

To get a mobile security design with full granularity, the set Γ should be empty, giving Ε ⊇ Α ∪ Β instead of Ε ⊃ Α ∪ Β; so what matters is how close it is to empty. On the other hand, one should find out whether the assumptions Υ ⊆ Β and Υ ⊂ Α are true, and whether it is possible to get ⊆ Α.

Set of permissions < set of activities -> efficiency is
- typical case: < 100%
- ability to control each API: = 100%
- more than one permission per API: > 100%
- lack of knowledge about possible attacks
- improper granularity

[Figure: layers from the outside in: AV, MDM, DLP, VPN (non-app features); MDM features; kernel protection; permissions]
[ DEVICE MANAGEMENT ]
APPLICATION-LEVEL ATTACK VECTOR
- GOALS - MOBILE RESOURCES / AIM OF ATTACK
  - DEVICE RESOURCES
  - OUTSIDE-OF-DEVICE RESOURCES
- ATTACKS - SET OF ACTIONS UNDER THE THREAT
- APIs - RESOURCES WIDELY AVAILABLE TO CODERS
- SECURITY FEATURES
  - KERNEL PROTECTION, NON-APP FEATURES
  - PERMISSIONS - EXPLICITLY CONFIGURED
  - 3RD PARTY
    - AV, FIREWALL, VPN, MDM APIs
- COMPLIANCE - RULES TO DESIGN MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO…
[Figure: layers from the goals outward: goals; AV, MDM, DLP, VPN (non-app features); MDM features; kernel protection; permissions; APIs; attacks]
[ BLACKBERRY. PERMISSIONS ]
Permission                     | BB 10 (Cascades SDK / AIR SDK) | PlayBook (NDK/AIR)
Background processing          | +                              | +
BlackBerry Messenger           | -                              | -
Calendar, Contacts             | +                              | via invoke calls
Camera                         | +                              | +
Device identifying information | +                              | +
Email and PIN messages         | +                              | via invoke calls
GPS location                   | +                              | +
Internet                       | +                              | +
Location                       | +                              | -
Microphone                     | +                              | +
Narrow swipe up                | -                              | +
Notebooks                      | +                              | -
Notifications                  | +                              | +
Player                         | -                              | +
Phone                          | +                              | -
Push                           | +                              | -
Shared files                   | +                              | +
Text messages                  | +                              | -
Volume                         | -                              | +
[ iOS. Settings ]
Component | Units (* = detailed in its own row below)
Restrictions :: Native applications | Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri (Explicit Language); Manage applications*
Restrictions :: 3rd-party applications | Manage applications*; Privacy*; Accounts*; Content Type Restrictions*
Privacy :: Location | Per 3rd-party app; For system services
Privacy :: Private Info | Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts | Disables changes to Mail, Contacts, Calendars, iCloud and Twitter accounts; Find My Friends
Volume limit | Volume limit
Content Type Restrictions | Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases); Multiplayer Games; Game Center; Adding Friends (Game Center)
Manage applications | Installing Apps; Removing Apps
[ Android. Permissions ]
The list contains ~150 permissions. I have seen the same on old BlackBerry devices.

ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE,
ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER,
BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA,
CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES,
DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK,
GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES,
MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS,
READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY,
REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS,
SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS,
SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK,
WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY
[ Android. Permission Groups ]
But there are only 30 permission groups. I have seen that on old BlackBerry devices too.

ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS,
DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK,
SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTIONARY, VOICEMAIL, WALLPAPER, WRITE_USER_DICTIONARY
MDM. Extend your device security capabilities
Android: CONTROLLED, FOUR GROUPS ONLY
- CAMERA AND VIDEO
  - HIDE THE DEFAULT CAMERA APPLICATION
- PASSWORD
  - DEFINE PASSWORD PROPERTIES
    - REQUIRE LETTERS (incl. case)
    - REQUIRE NUMBERS
    - REQUIRE SPECIAL CHARACTERS
  - DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
  - DEVICE PASSWORD
  - ENABLE AUTO-LOCK
  - LIMIT PASSWORD AGE
  - LIMIT PASSWORD HISTORY
  - RESTRICT PASSWORD LENGTH (MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED)
- ENCRYPTION
  - APPLY ENCRYPTION RULES
  - ENCRYPT INTERNAL DEVICE STORAGE
- TOUCHDOWN SUPPORT
  - MICROSOFT EXCHANGE SYNCHRONIZATION
  - EMAIL PROFILES
  - ACTIVESYNC
MDM. Extend your device security capabilities
iOS: CONTROLLED, 16 GROUPS ONLY
- BROWSER
  - DEFAULT APP
  - AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
- CAMERA, VIDEO, VIDEO CONF
  - OUTPUT, SCREEN CAPTURE, DEFAULT APP
- CERTIFICATES (UNTRUSTED CERTs)
- CLOUD SERVICES
  - BACKUP / DOCUMENT / PICTURE / SHARING
- CONNECTIVITY
  - NETWORK, WIRELESS, ROAMING
  - DATA, VOICE WHEN ROAMING
- CONTENT
  - CONTENT (incl. EXPLICIT)
  - RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
- DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
- MESSAGING (DEFAULT APP)
- BACKUP / DOCUMENT PICTURE / SHARING
- ONLINE STORE
  - ONLINE STORES, PURCHASES, PASSWORD
  - DEFAULT STORE / BOOK / MUSIC APP
- PASSWORD (THE SAME AS ANDROID AND NEW BLACKBERRY DEVICES)
- PHONE AND MESSAGING (VOICE DIALING)
- PROFILE & CERTs (INTERACTIVE INSTALLATION)
- SOCIAL (DEFAULT APP)
  - SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
  - DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
- STORAGE AND BACKUP
  - DEVICE BACKUP AND ENCRYPTION
- VOICE ASSISTANT (DEFAULT APP)
MDM. Extend your device security capabilities
BlackBerry (new, 10, QNX): CONTROLLED, 7 GROUPS ONLY
- GENERAL
  - PERSONAL APPS ACCESS TO WORK CONTACTS
  - SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
  - WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
- SOFTWARE
  - OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER
  - TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
  - BBM VIDEO ACCESS TO WORK NETWORK
  - VIDEO CHAT APP USES ORGANIZATION'S WI-FI/VPN NETWORK
- SECURITY
  - WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
  - VOICE CONTROL & DICTATION IN WORK & USER APPS
  - BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
  - PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
  - PERSONAL SPACE DATA ENCRYPTION
- NETWORK ACCESS CONTROL FOR WORK APPS
  - MOBILE HOTSPOT AND TETHERING
  - PLANS APP, APPWORLD
- PASSWORD (THE SAME AS ANDROID, iOS)
- EMAIL PROFILES
  - BES MANAGEMENT (SMARTPHONES, TABLETS)
  - CERTIFICATES & CIPHERS & S/MIME
  - HASH & ENCRYPTION ALGS AND KEY PARAMS
  - TASK/ME
MO/CALENDAR/CONTACT/DAYS SYNC
- WI-FI PROFILES
  - ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
  - PROXY PASSWORD/PORT/SERVER/SUBNET MASK
- VPN PROFILES
  - PROXY, SCEP, AUTH PROFILE PARAMS
  - TOKENS, IKE, IPSEC, OTHER PARAMS
  - PROXY PORTS, USERNAME, OTHER PARAMS
MDM. Extend your device security capabilities
BlackBerry (old): a huge number of permissions are MDM- and device-built-in
- THERE ARE 55 GROUPS CONTROLLED IN ALL
- EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
- EACH UNIT HAS MANY FLEXIBLE PARAMETERS INSTEAD OF A PLAIN 'DISABLE/ENABLE & HIDE/UNHIDE'
- EACH EVENT IS
  - CONTROLLED BY A CERTAIN PERMISSION
  - ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS, TO BE MORE FLEXIBLE
- DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN OTHER DOCUMENTS
- EACH UNIT CAN'T CONTROL ACTIVITY UNDER ITSELF
  - 'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS ON MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
- SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
- SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD-PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
CONCLUSION
- The best security & permissions are those ruled by AWS
- Most cases are not clear as to the roles and responsibilities of cloud vendors & customers
- Responsibilities may get swapped, shifting the vendor's job onto the customer's shoulders
- Vendors refer to independent audit reports under NDA as many times as they can
- CSA's cross-references to other standards add to complexity & lack of clarity more than NIST SP 800-53 does
[Figure: Select security controls -> CSA: check scope, define granularity -> NIST: remap to NIST enhancements -> Apply CSA as basic, improve common CSA, combine custom sets]
Q&A