SECURITY COMPLIANCE CHALLENGES ON CLOUDS

YURY CHEMERKIN
ITA 2013

[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
EXPERIENCED IN :
REVERSE ENGINEERING & AV SOFTWARE PROGRAMMING & DOCUMENTATION MOBILE SECURITY AND MDM CYBER SECURITY & CLOUD SECURITY COMPLIANCE & TRANSPARENCY FORENSICS AND SECURITY WRITING HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA PARTICIPATION AT CONFERENCES INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCONMOSCOW, HACTIVITY, HACKFEST CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, ICITST, CTICON (CYBERTIMES), DeepIntel/DeepSec, I-SOCIETY

http://sto-strategy.com

yury.s@chemerkin.com

I. Opinions & Facts

Cloud Issues
Known Issues
Threats Privacy Compliance Legal Vendor lock-in Open source / Open standards Security Abuse IT governance Ambiguity of terminology

Known Solutions/Opinions
Customization , security solutions Crypto anarchism CSA, ISO, PCI, SAS 70 Typically US Location Platform, Data, Tools Lock-In Top clouds are not open-source Physical clouds more secured than Public Botnets and Malware Infections/Misuse Depends on organization needs Reference to wide services, solutions, etc.

What is about Public Clouds

Some known facts about AWS & Azure
Top clouds are not OpenSource
OpenStack is APIs compatible with Amazon EC2 and Amazon S3 and thus client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not Platform lock-in There are Import/Export tools to migrate from/to VMware, while Azure doesnt have Data Lock-in Native AWS solutions linked with Cisco routers to upload, download and tunneling as well as 3rd party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.)

in order to issues mentioned above

Tools Lock-in
Longing for an inter-cloud managing tools that are industrial and built with compliance APIs Lock-In Longing for inter-cloud APIs, however there were known inter-OS APIs for PC, MDM, Mobiles, etc. No Transparency Weak compliance and transparency due to SAS 70 and NDA relationships between cloud vendor and third party auditors and experts

Abuse Abusing is not a new issue and is everywhere AWS Vulnerability Bulletins as a kind of quick response and stay tuned

Clouds: Public vs. Private

Known security issues of Public Clouds
"All Your Clouds are Belong to us Security Analysis of Cloud Management Interfaces", 3rd CCSW, October 2011 A black box analysis methodology of AWS control interfaces compromised via the XSS techniques, HTML injections, MITM [AWS] :: Reported SOAP Request Parsing Vulnerabilities Utilizing the SSL/HTTPS only with certificate validation and utilizing API access mechanisms like REST/Query instead of SOAP Activating access via MFA and creating IAM accounts limited in access, AWS credentials rotation enhanced with Key pairs and X.509 Limiting IP access enhanced with API/SDK & IAM

and significant researches on it as a POC

The most dangerous code in the world: validating SSL certificates in non-browser software, 19th ACM Conference on Computer and Communications Security, October 2012 Incorrect behavior in the SSL certificate validation mechanisms of AWS SDK for EC2, ELB, and FPS [AWS] :: Reported SSL Certificate Validation Errors in API Tools and SDKs Despite of that, AWS has updated all SDK (for all services) to redress it

Clouds: Public vs. Private

It is generally known, that private clouds are most secure There is no a POC to prove a statement on public clouds
[AWS] :: Xen Security Advisories There are known XEN attacks (Blue Pills, etc.) No one XEN vulnerability was not applied to the AWS, Azure or SaaS/PaaS services Very customized clouds [CSA] :: CSA The Notorious Nine Cloud Computing Top Threats in 2013 Replaced a document published in 2009 Such best practices provides a least security No significant changes since 2009, even examples Top Threats Examples 1.0. Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract private Keys, 7.0. Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract private Keys 4.0. Threat: Insecurity Interfaces and APIs Besides of Reality of CSA Threats 1.0 & 7.0 cases highlight how the public clouds e.g. AWS EC2 are vulnerable 1.0 & 7.0 cases are totally focused on a private cloud case (VMware and XEN), while there is no a known way to adopt it to AWS. 4.0 case presents issues raised by a SSO access not related to public clouds (except Dropbox, SkyDrive) and addressed to insecurity of APIs.

II. CSA Framework

 Cloud Model

Basic Security Model

Cloud

CSA CAIQ

CSA CMM
Enhanced Security Model

Mapping
Compliance Model

II. NIST Framework

NIST Framework
The consolidated framework over all NIST documents Logically clearly defined documents, e.g. Categorization systems Selecting control FIPS Forensics Logging (SCAP) Etc. Complementarity Interchangeability Expansibility Dependence Mapping (NIST, ISO only)

NIST Framework
Complementarity NIST Enhance Control Your own security control Interchangeability Replacing basic controls by enhanced controls Expansibility impact or support the implementation of a particular security control or control enhancement Your own way to improve a framework Mapping (NIST, ISO only) NIST->ISO ISO->NIST NIST->Common Criteria (rev4 only)

NIST Framework
Interchangeability
Basic controls arent applicable in case of Information systems need to communicate with other systems across different policy APT Insiders Threats Mobility (mobile location, non-fixed) Single-User operations Interchangeability Replacing basic controls by enhanced controls Expansibility impact or support the implementation of a particular security control or control enhancement Your own way to improve a framework Mapping (NIST, ISO only) NIST->ISO ISO->NIST NIST->Common Criteria (rev4 only)

III. Clouds

Clouds
Amazon Web Services Generally IaaS +SaaS, PaaS Microsoft Azure Generally PaaS Recent changes IaaS BlackBerry Enterprise Service Separated Integrated with Office365 SaaS as a MDM solution

 BlackBerry Z10/Q10, Playbook

BlackBerry 4,5,6,7

BES 10

BES 5

Unified Device Platform

Android, iOS Unified Management

Office integration
Office Office365 Cisco/VoIP

IV. Cloud & Compliance Specific

Cloud & Compliance Specific

There is no one cloud
There is no one standard

There are many models and architectures

There are many ways to built cloud in alignment to

What vision is adopted by cloud vendors?

What vision is adopted by cloud operators (3rd party)?

Virtualizing of anything able to be virtualized

Data distribution, service distribution, unified management

What is your way to use and manage cloud?

All of that reflected in the

Clear
compliance requirements

Cloud & Compliance Specific

There is no one cloud There is no one standard
The Goal is bringing a transparency of cloud controls and features, especially security controls and features Such documents have a claim to be up-to-date with expert-level understanding of significant threats and vulnerabilities Unifying recommendations for all clouds Up to now, it is the 3rd revision All recommendations are linked with other standards PCI DSS, ISO, COBIT NIST, FEDRAMP CSA own vision how it must be referred

There are many models and architectures There are many ways to built cloud in alignment to
Top known cloud vendors announced they are in compliance with it Some of reports are getting old by now Customers have to control their environment by their needs Customers want to know whether it is in compliance in, especially local regulations and how far Customers want to know whether it makes clouds quite transparency to let to build an appropriate

Cloud & Compliance Specific

Compliance, Transparency, Elaboration
CAIQ/CCM provides equivalent of recommendations over several standards, CAIQ provides more details on security and privacy but NIST more specific
CSA recommendations are pure with technical details

Vendors general explanations multiplied by general standards recommendations are extremely far away from transparency Clouds call for specific levels of audit logging, activity reporting, security controlling and data retention It is often not a part of SLA offered by providers It is outside recommendations AWS often falls in details with their architecture documents AWS solutions are very well to be in compliance with old standards and specific local regulations NIST 800-53, or even Russian security standards (however the Russian framework is out of cloud framework)

It helps vendors not to have their solutions worked out in details and/or badly documented It helps them to put a lot of references on 3rd party reviewers under NDA (SOC 1 or SAS 70) Bad idea to let vendors fills such documents They provide fewer public details They take it to NDA reports

Description Third Party Audits

Information System Regulatory AWS falls in details to comply it that results of differences between CAIQ and CMM Mapping Handling / Labeling / Security Policy AWS falls in details what customers are allowed to do and how exactly while Azure does not

Compliance: from Cloud Vendors viewpoint

Compliance, Transparency, Elaboration
Not seriously, AWS relies on DoD 5220.22 additionally while Azure does NIST 800-88 only AWS relies on AMI and EBS services, while Azure does on Integrity data No both have AWS provides more high detailed how-to docs than Azure, allows to import trusted VM from VMware, Azure AWS offers encryption features for VM, storage, DB, networks while Azure does for XStore (Azure Storage) AWS provides their customers to ask for their own pentest while Azure does not

DIFFERENCE (AWS vs. AZURE) As opposed to AWS, Azure does not have a clearly defined statement whether their customers able to perform their own vulnerability test

Retention Policy

AWS points to the customers responsibility to manage data, exclude moving between Availability Zones inside one region; Azure ensures on validation and processing with it, and indicate about data historical auto-backup

Secure Disposal Information Leakage Policy, User Access, MFA Baseline Requirements Encryption, Encryption Key Management Vulnerability / Patch Management Nondisclosure Agreements, Party Agreements User ID Credentials (Non)Production Network Security Segmentation Mobile Code

Third AWS highlights that they does not leverage any 3rd party cloud providers to deliver AWS services to the customers. Azure points to the procedures, NDA undergone with ISO Besides the AD (Active Directory) AWS IAM solution are alignment with both CAIQ, CMM requirements while Azure addresses to the AD to perform these actions

environments, AWS provides more details how-to documents to having a compliance Besides vendor features, AWS provides quite similar mechanism in alignment CAIQ & CMM, while Azure points to features built in infrastructure on a vendor side AWS points their clients to be responsible to meet such requirements, while Azure points to build solutions tracked for mobile code

Compliance: from CSAs viewpoint

Examinationof CSA
Consumer Relationship only Everything except SA-13 Location-aware technologies may be used to validate connection authentication integrity based on known equipment location Vendor Relationship only Requirements include technical and management solutions Consumer Relationship shared with Vendor Include non-technical solutions only Such policies, roles, procedures, training All requirements cover SaaS, PaaS, IaaS cloud types General requirements only Missing details (like DoD)

Compliance: from CSAs viewpoint

Examinationof CSA References NIST
Data Governance - Information Leakage (DG-07). Security mechanisms shall be implemented to prevent data leakage refer AC-2 Account Management AC-3 Access Enforcement AC-4 Information Flow Enforcement AC-6 Least Privilege (the most correct reference) AC-11 Session Lock General requirements only Security mechanisms shall be implemented to prevent data leakage missed in turn (no references at all) AC-7 Unsuccessful Login Attempts AC-8 System Use Notification AC-9 Previous Logon (Access) Notification AC-10 Concurrent Session Control

Compliance: from CSAs viewpoint

Examinationof CSA References ISO
Data Governance - Information Leakage (DG-07). Security mechanisms shall be implemented to prevent data leakage also refers to ISO A.10.6.2 Security of network services A.10.6.2 refers to NIST in turn CA-3 Information System Connections SA-9 External Information System Services SC-8 Transmission Integrity SC-9 Transmission Confidentiality DG-07 should refer to PE-19 Information Leakage in fact It could include the NIST requirement AC-6. Least Privilege too A few of them applicable in case of Cloud MDM and should be extended by different toolkit

Cloud & Compliance Specifics. Example

CSA
Data Governance NIST :: access control, media management, etc. Ownership / Stewardship Classification Handling / Labeling / Security Policy Retention Policy Secure Disposal Non-Production Data Information Leakage Risk Assessments

Cloud :: Azure
Azures vision - Distribution of information CSA , ISO is better applicable than NIST NIST is applicable as a custom controls collection Best way is adopt NIST enhancements with CSA Need to remap CSA->NIST rev4 Technical / Access Control / Security Attributes Attribute Configuration Permitted Attributes for Specified InfoSystems Permitted Values and Ranges for Attributes

Cloud & Compliance Specifics. Example

NIST
Access Control Account, Session Management Access / Information Flow Enforcement Least Privilege, Security Attributes Remote / Wireless Access

Cloud :: AWS
AWSs Vision is not Data Distribution NIST is better applicable than CSA NIST is applicable as a custom controls collection There are many enhancements to include (rev4) Dynamic Account Creation Restrictions on Use of Shared Groups Accounts Group Account Requests Appovals/Renewals Account Monitoring - Atypical Usage e.g. :: log-delivery-write for S3

Cloud & Compliance Specifics. Example

CSA / NIST
AWSs Vision is not Data Distribution, however CSA :: Data Governance is applicable from the resource-based viewpoint Resource based policy Attached to resource AWSs Vision is not Data Distribution, however NIST :: Access Control is applicable from the userbased viewpoint Account based policy Attached to users define that policy for MDM users to access internal network resources Combine with a mobile policy

Cloud :: AWS

COMPLIANCE AND MDM

CSA Mobile Device Management: Key Components
Device diversity Configuration management Software Distribution Device policy compliance & enforcement Enterprise Activation Logging Security Settings Security Wipe, Lock IAM Make you sure to start managing security under uncertain terms without AI

NIST-124
Refers to NIST-800-53 and other Sometimes missed requirements such as locking device, however it is in NIST-800-53 A bit details than CSA No statements on permission management
Make you sure to start managing security under uncertain terms without AI

[ DEVICE MANAGEMENT ]
Concurrencyover native & additional security features
= , , , set of OS permissions, set of device permissions, set of MDM permissions, set of missed permissions (lack of controls), set of rules are explicitly should be applied to gain a compliance = + , set of APIs , set of APIs that interact with sensitive data, set of APIs that do not interact with sensitive data To get a mobile security designed with full granularity the set should be empty set to get instead of , so the matter how is it closer to empty. On another hand it should find out whether assumptions , are true and if it is possible to get .

The situationis very serious

Set of permissions < Set of activities efficiency is typical case < 100%, ability to control each API = 100% More than 1 permission per APIs >100%
lack of knowledge about possible attacks improper granularity
AV, MDM, DLP, VPN
MDM features

Non-app features

Kernel protection Permissions

[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACKSVECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK DEVICE RESOURCES OUTSIDE-OF-DEVICE RESOURCES ATTACKS SET OF ACTIONS UNDER THE THREAT APIs - RESOURCES WIDELY AVAILABLE TO CODERS SECURITY FEATURES KERNEL PROTECTION , NON-APP FEATURES PERMISSIONS - EXPLICITLY CONFIGURED 3RD PARTY AV, FIREWALL, VPN, MDM COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO

Goals AV, MDM, DLP, VPN Non-app features

MDM features

Kernel protection

Permissions APIs APIs

Attacks

[ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK Background processing BlackBerry Messenger Calendar, Contacts Camera Device identifying information Email and PIN messages GPS location Internet Location Microphone Narrow swipe up Notebooks Notifications Player Phone Push Shared files Text messages Volume BB 10 AIR SDK + + + + + + + + + + + + + + + PB (NDK/AIR) + via invoke calls + + via invoke calls + + + + + + + +

[ iOS. Settings ]
Component Restrictions :: Native application Restrictions :: 3rd application Unit subcomponents Privacy :: Location Per each 3rd party app For system services Contacts, Calendar, Reminders, Photos Bluetooth Sharing Twitter, Facebook Disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts Find My Friends Volume limit Ratings per country and region Music and podcasts Movies, Books, Apps, TV shows In-app purchases Require Passwords (in-app purchases) Multiplayer Games Adding Friends (Game Center) Installing Apps Removing Apps Unit Safari Camera, FaceTime iTunes Store, iBookstore Siri Manage applications* Manage applications* Explicit Language (Siri) Privacy*, Accounts* Content Type Restrictions*

Privacy :: Private Info

Accounts

Content Type Restrictions

Game Center
Manage applications

[ Android. Permissions ]
List contains~150 permissions
ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION,
ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_ MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT

I have ever seen that on old BlackBerry devices

OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC
TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_ PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK

RD_AUDIO,REORDER_TASKS,RESTART_PACKAGES,SEND_SMS
,SET_ACTIVITY_WATCHER,SET_ALARM,SET_ALWAYS_FINISH, SET_ANIMATION_SCALE,SET_DEBUG_APP,SET_ORIENTATION ,SET_POINTER_SPEED,SET_PREFERRED_APPLICATIONS,SET_P ROCESS_LIMIT,SET_TIME,SET_TIME_ZONE,SET_WALLPAPER,S

TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET
,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_ PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY, BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN

GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T
OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_ PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_ OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_ CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_ SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS, READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO

ET_WALLPAPER_HINTS,SIGNAL_PERSISTENT_PROCESSES,STA
TUS_BAR,SUBSCRIBED_FEEDS_READ,SUBSCRIBED_FEEDS_WR ITE,SYSTEM_ALERT_WINDOW,UPDATE_DEVICE_STATS,USE_C REDENTIALS,USE_SIP,VIBRATE,WAKE_LOCK,WRITE_APN_SET TINGS,WRITE_CALENDAR,WRITE_CALL_LOG,WRITE_CONTAC TS,WRITE_EXTERNAL_STORAGE,WRITE_GSERVICES,WRITE_HI STORY_BOOKMARKS,WRITE_PROFILE,WRITE_SECURE_SETTIN GS,WRITE_SETTINGS,WRITE_SMS,WRITE_SOCIAL_STREAM,W RITE_SYNC_SETTINGS,WRITE_USER_DICTIONARY,

[ Android. Permission Groups ]

But there only 30 permissions groups
ACCOUNTS AFFECTS_BATTERY APP_INFO AUDIO_SETTINGS BLUETOOTH_NETWORK BOOKMARKS CALENDAR CAMERA COST_MONEY DEVELOPMENT_TOOLS DEVICE_ALARMS DISPLAY HARDWARE_CONTROLS LOCATION MESSAGES MICROPHONE NETWORK PERSONAL_INFO PHONE_CALLS SCREENLOCK SOCIAL_INFO STATUS_BAR STORAGE SYNC_SETTINGS SYSTEM_CLOCK SYSTEM_TOOLS

I have ever seen that on old BlackBerry devices too

USER_DICTIONARY VOICEMAIL WALLPAPER WRITE_USER_DICTIONARY

MDM . Extend your device security capabilities

Android
CAMERA AND VIDEO HIDE THE DEFAULT CAMERA APPLICATION PASSWORD DEFINE PASSWORD PROPERTIES REQUIRE LETTERS (incl. case) REQUIRE NUMBERS REQUIRE SPECIAL CHARACTERS DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS DEVICE PASSWORD ENABLE AUTO-LOCK

CONTROLLED FOUR GROUPS ONLY

LIMIT PASSWORD AGE LIMIT PASSWORD HISTORY RESTRICT PASSWORD LENGTH MINIMUM LENGTH FOR THE DEVICE PASSWORD THAT IS ALLOWED ENCRYPTION APPLY ENCRYPTION RULES ENCRYPT INTERNAL DEVICE STORAGE TOUCHDOWN SUPPORT MICROSOFT EXCHANGE SYNCHRONIZATION EMAIL PROFILES ACTIVESYNC

MDM . Extend your device security capabilities

iOS
BROWSER
DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS OUTPUT, SCREEN CAPTURE, DEFAULT APP

CONTROLLED 16 GROUPSONLY

MESSAGING (DEFAULT APP)

BACKUP / DOCUMENT PICTURE / SHARING ONLINE STORES , PURCHASES, PASSWORD DEFAULT STORE / BOOK / MUSIC APP ONLINE STORE

CAMERA, VIDEO, VIDEO CONF CERTIFICATES (UNTRUSTED CERTs) CLOUD SERVICES BACKUP / DOCUMENT / PICTURE / SHARING NETWORK, WIRELESS, ROAMING DATA, VOICE WHEN ROAMING CONTENT (incl. EXPLICIT) RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS CONNECTIVITY

MESSAGING (DEFAULT APP) PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES) PHONE AND MESSAGING (VOICE DIALING) PROFILE & CERTs (INTERACTIVE INSTALLATION) SOCIAL (DEFAULT APP) SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS DEVICE BACKUP AND ENCRYPTION

CONTENT

STORAGE AND BACKUP VOICE ASSISTANT (DEFAULT APP)

DIAGNOSTICS AND USAGE (SUBMISSION LOGS)

MDM . Extend your device security capabilities

BlackBerry (new, 10, qnx)
GENERAL
MOBILE HOTSPOT AND TETHERING PLANS APP, APPWORLD

CONTROLLED 7 GROUPSONLY

PASSWORD (THE SAME WITH ANDROID, iOS) BES MANAGEMENT (SMARTPHONES, TABLETS) SOFTWARE OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER TRANSFER THOUGH WORK PERIMETER TO SAME/ANOTHER DEVICE BBM VIDEO ACCESS TO WORK NETWORK VIDEO CHAT APP USES ORGANIZATIONS WI-FI/VPN NETWORK WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE VOICE CONTROL & DICTATION IN WORK & USER APPS BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE PC ACCESS TO WORK & PERSONAL SPACE (USB, BT) PERSONAL SPACE DATA ENCRYPTION

NETWORK ACCESS CONTROL FOR WORK APPS PERSONAL APPS ACCESS TO WORK CONTACTS SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
CERTIFICATES & CIPHERS & S/MIME HASH & ENCRYPTION ALGS AND KEY PARAMS TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS PROXY PASSWORD/PORT/SERVER/SUBNET MASK

EMAIL PROFILES

WI-FI PROFILES

SECURITY

VPN PROFILES

PROXY, SCEP, AUTH PROFILE PARAMS TOKENS, IKE, IPSEC OTHER PARAMS PROXY PORTS, USERNAME, OTHER PARAMS

MDM . Extend your device security capabilities

Blackberry (old)
THERE 55 GROUPS CONTROLLED IN ALL EACH GROUP CONTAINS FROM 10 TO 30 UNITS ARE CONTROLLED TOO EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A WAY DISABLE/ENABLED & HIDE/UNHIDE EACH EVENT IS CONTROLLED BY CERTAIN PERMISSION ALLOWED TO CONTROL BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE DESCRIBED 360 PAGES IN ALL THAT IN FOUR TIME MORE THAN OTHER DOCUMENTS

Huge amount of permissions are MDM & device built-in

EACH UNIT CANT CONTROL ACTIVITY UNDER ITSELF CREATE, READ, WRITE/SAVE, SEND, DELETE ACTIONS IN REGARDS TO MESSAGES LEAD TO SPOOFING BY REQUESTING A MESSAGE PERMISSION ONLY SOME PERMISSIONS ARENT REQUIRED (TO DELETE ANY OTHER APP) SOME PERMISSIONS ARE RELATED TO APP, WHICH 3RD PARTY PLUGIN WAS EMBEDDED IN, INSTEAD OF THAT PLUGIN

CONCLUSION
The best Security & Permissions ruled by AWS Most cases are not clear in according to the roles and responsibilities of cloud vendors & customers May happen swapping responsibilities and shifting the vendor job on to customer shoulders Referring to independent audits reports under NDA as many times as they can CSA put the cross references to other standards that impact on complexity & lack of clarity more than NIST SP800-53
Select Security Controls

CSA

Check Scope

Define Granularity

Remap to NIST

NIST enhanc.

Apply CSA as common

Improve basic CSA

Combine custom sets

Q&A