OWASP Cloud Top 10 A brief history of... Security Risks

Slides:



Advertisements
Similar presentations
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Advertisements

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works
Security+ Guide to Network Security Fundamentals
Introduction to Cloud Computing and Secure Cloud Computing
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Session 3 – Information Security Policies
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
Chapter 7 Database Auditing Models
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.
No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+
SEC835 Database and Web application security Information Security Architecture.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
CLOUD AND SECURITY: A LEGISLATOR'S PERSPECTIVE 6/7/2013.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Security considerations for mobile devices in GoRTT
CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
Cloud Computing Project By:Jessica, Fadiah, and Bill.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Information Security IBK3IBV01 College 2 Paul J. Cornelisse.
Strategic Agenda We want to be connected to the internet……… We may even want to host our own web site……… We must have a secure network! What are the.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Contingency Management Indiana University of Pennsylvania John P. Draganosky.
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
Principles Identified - UK DfT -
Review of IT General Controls
Cloud Faxing for Law Firms
OWASP Cloud Top 10 A brief history of... Security Risks
EAST AFRICAN DATA HANDLERS DATA SECURITY/MOBILITY
The time to address enterprise mobility is now
Chapter 6: Securing the Cloud
Stop Those Prying Eyes Getting to Your Data
Avenues International Inc.
By: Raza Usmani SaaS, PaaS & TaaS By: Raza Usmani
ISSeG Integrated Site Security for Grids WP2 - Methodology
VIRTUALIZATION & CLOUD COMPUTING
Providing Access to Your Data: Handling sensitive data
Data and Applications Security Developments and Directions
Deployment Planning Services
Federated IdM Across Heterogeneous Clouding Environment
ServiceNow Implementation Knowledge Management
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
AWS COURSE DEMO BY PROFESSIONAL-GURU. Amazon History Ladder & Offering.
Chapter 3: IRS and FTC Data Security Rules
Cloud Testing Shilpi Chugh.
I have many checklists: how do I get started with cyber security?
Cyber Issues Facing Medical Practice Managers
SECURITY MECHANISM & E-COMMERCE
CONFIDENTIALITY, INTEGRITY, LEGAL INTERCEPTION
Data Security for Microsoft Azure
IT INFRASTRUCTURES Business-Driven Technologies
IS4680 Security Auditing for Compliance
Druva inSync: A 360° Endpoint and Cloud App Data Protection and Information Management Solution Powered by Azure for the Modern Mobile Workforce MICROSOFT.
Dell Data Protection | Rapid Recovery: Simple, Quick, Configurable, and Affordable Cloud-Based Backup, Retention, and Archiving Powered by Microsoft Azure.
Cloud Consulting Services and Solutions
IS4680 Security Auditing for Compliance
Microsoft Virtual Academy
Cloud Computing for Wireless Networks
Presentation transcript:

OWASP Cloud Top 10 A brief history of... Security Risks OWASP Training Paris, 26th April 2011 OWASP Cloud Top 10 A brief history of... Security Risks Ludovic Petit SFR Chapter Leader OWASP France OWASP Global Connections Committee Ludovic.Petit@owasp.org

About me Group Fraud & Information Security Adviser at SFR (Vodafone Group) Chapter Leader & Founding member OWASP France Member OWASP Global Connections Committee Translator of the OWASP Top Ten (All versions) Contributions & Reviews OWASP Secure Coding Practices - Quick Reference Guide OWASP Mobile Security Project OWASP Cloud Top10 Project

Agenda Motivation(s) Cloud Top 10 Security Risks Summary & Conclusion Q&A

Motivation(s) Develop and maintain Top 10 Risks with Cloud Serve as a Quick List of Top Risks with Cloud adoption Provide Guidelines on Mitigating the Risks Building Trust in the Cloud Data Protection in Large Scale Cross-Organizational Systems Most Security Risks still remain the same Failure is NOT an Option! So, would you like to Cloud with me? Let’s begin…

Cloud Top 10 Risks R1. Accountability & Data Risk R2. User Identity Federation R3. Legal & Regulatory Compliance R4. Business Continuity & Resiliency R5. User Privacy & Secondary Usage of Data R6. Service & Data Integration R7. Multi-tenancy & Physical Security R8. Incidence Analysis & Forensics R9. Infrastructure Security R10. Non-production Environment Exposure

R1. Accountability & Data Risk A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate. One must ensure about the guarantee of recovering Data: Once the data entrusted to a third operator, what are the guarantees that you will recover your information? What about the backups performed by the operator of Cloud?

R2. User Identity Federation It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting Cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides.

R3. Legal & Regulatory Compliance Complex to demonstrate Regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For instance, European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws.

R4. Business Continuity & Resilency Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity. About Service Continuity and QoS, one have to ensure about the contractual solutions proposed by the Operator of Cloud, the Service Level Agreement as well

R5. User Privacy & Secondary Usage of Data User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users. You need to ensure with your Cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs, etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination.

R6. Service & Data Integration Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a Cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission.

R7. Multi-tenancy & Physical Security Multi-tenancy in Cloud means sharing of resources and services among multiple clients (CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security (confidentiality, integrity, availability) of the other tenants.

R8. Incidence Analysis & Forensics In the event of a security incident, applications and services hosted at a Cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery.

R9. Infrastructure Security All infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, Systems and Networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues. Although the fine details of the items above must be regarded as highly sensitive information, it is reasonable to expect a customer to want to see at least the high-level details. The Provider must be willing to provide this.

R10. Non-production Environment Exposure An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a Cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft.

Summary & Conclusion

Summary Cloud computing is a new way of delivering computing resources, not a new technology. Computing services (ranging from data storage and processing to software, such as email handling) are now available instantly, commitment-free and on-demand. This checklist should provide a means for customers to Assess the risk of adopting Cloud Services Compare different Cloud provider offerings Obtain assurance from selected Cloud providers Reduce the assurance burden on Cloud providers

The OWASP Cloud Top 10 Project https://www.owasp.org/index.php/Projects/OWASP_Cloud_%E2%80%90_10_Project Want to contribute or provide feedback? Ludovic.Petit@owasp.org Project Leader: Vinay Bansal vinaykbansal@gmail.com

Q&A