1 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Protecting Data From The Web Tier
Mike Fleck, CEO, CipherPoint Software, Inc.
mfleck@cipherpoint.com, @CipherPointSW, 888-657-5355
3-22-2012

2 OWASP Agenda
- Why does this matter?
- Drivers for data protection
- Shifting application architectures
- Common data encryption challenges
- Why Infosec struggles to keep up
- Why protect data from the web tier
- A web tier data protection architecture
- Questions

3 OWASP Why Does This Matter?
- Shift in thinking about security control effectiveness: from network, to application, to data
- Auditors recognize the value of encrypting data "higher in the stack"
- Applications are moving to a 3-tier web architecture
- Cloud data protection = encrypting at the web tier
- The web tier affords a unique place from which to apply data encryption and access controls to application data and unstructured content

4 OWASP Data Protection Drivers
- Compliance: PCI DSS, HIPAA/HITECH, GLBA, state breach laws
- Native platform controls are generally inadequate to secure against insider threats, including IT admins
- Given the current threat climate with APTs and determined attackers, stored data needs that last line of defense
"69% said that complying with data protection and privacy regulations was the main driver behind use of encryption" (Ponemon 2010 Enterprise Encryption Study)

5 OWASP Enforcing "Need to Know", "Least Privileges"
- PCI DSS
  - 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities. Audit procedure: confirm that access rights for privileged user IDs are restricted to least privileges necessary to perform job responsibilities.
- HIPAA/HITECH
  - HIPAA requires access control to limit access to those with a valid need to know; encryption is an addressable requirement
- GLBA
  - Access control is required to limit access to authorized individuals; encryption for NPI is required

6 OWASP PCI Assessment Failings (chart; not captured in the transcript)

7 OWASP Most Challenging Compliance Requirements (chart; not captured in the transcript)

8 OWASP Sources of Compliance & Security Pain (chart; not captured in the transcript)

9 OWASP Sea Change in Security Control Placement
Graph: http://movetheworld.files.wordpress.com/2008/01/evolution-of-security-controls-graph-only.png

10 OWASP App Architecture, Delivery Models Changing
- Architecture: client-server -> 3-tier, web-based apps
- Delivery: on-premise IT -> cloud

11 OWASP Today's Data Encryption Challenges
- Effective threat protection requires a higher-level insertion point
  - Low-level insertion (FDE, BitLocker) only protects against media loss or theft: anyone the running system trusts, including its admins, sees plaintext
  - Application-level insertion gives the best threat protection, but is not commonly offered by app vendors and is hard to DIY and get right
- Key management
  - "It's 2am on a Saturday, we have to restore an encrypted file from 2008, where the @#!&% is the encryption key?"
  - Silo'ed or centralized
  - Making it easy: operationalizing compliance requirements for key rotation, key lifecycle, information lifecycle

12 OWASP More Key Management (chart; not captured in the transcript)

13 OWASP Data Encryption & Access Control Challenges for Web Apps & SaaS Delivery
- Where can/should we insert?
- How do we afford protection for data stored in cloud/SaaS?
- How can enterprises retain control of keys for data stored in cloud/SaaS services?
- How do we keep IT admins at cloud service providers from viewing sensitive data?

14 OWASP Policy Enforcement @ Web Front End
Diagram: End users -> Front-end (web) servers -> Application servers -> Database server. The policy enforcement points (PEPs) sit on the web front end (WFE). The web server admin, shared services admin and database admin have a "need to manage" but not a "need to know".

15 OWASP Visibility @ WFE for Security Decisions
- Who: Cipherpoint\csmith
- Where: https://www.covert.com/HR/payroll
- What:

16 OWASP Security Control Possibilities
- Selectively encrypt information for specific users or URI destinations
  - Unstructured files
  - Fields in web forms
- Apply access controls for user groups
  - Enforce need to know for IT admins
- Apply sophisticated access controls for authorized users
  - Time of day, excessive file downloads, strange download locations, etc.
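The following is an added example, not part of the original slides and not CipherPoint's product code, of what a WFE policy enforcement point (slides 14 to 16) can do with the who/where/what it sees, and of the versioned keyring that answers the "where is the 2008 key" problem from slide 11. The policy table, the group names, the office-hours window and the download limit are hypothetical, keyed on the URI shown on slide 15. The cipher is a stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the file runs offline; a real deployment would use AES-GCM from a vetted library and fetch keys from a KMS or HSM that the web-tier admin cannot read.

```python
"""Toy web-front-end policy enforcement point (PEP) with a versioned keyring.
Illustrative only: HMAC-CTR stands in for AES-GCM, os.urandom stands in for a KMS."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class Keyring:
    """Rotation adds a key but never deletes one, so a blob written under an
    old version can still be opened during a restore years later."""

    def __init__(self):
        self.keys = {}          # version -> 32-byte master key
        self.current = 0

    def rotate(self):
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        return self.current

    def subkeys(self, version):
        master = self.keys[version]   # KeyError here is the 2am "where is the key?" call
        return (hmac.new(master, b"enc", hashlib.sha256).digest(),
                hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(keyring, plaintext):
    """Return version || nonce || ciphertext || tag. Storing the key version in the
    blob is what lets decrypt() find the right key after any number of rotations."""
    version = keyring.current
    enc_key, mac_key = keyring.subkeys(version)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = version.to_bytes(4, "big") + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(keyring, blob):
    version = int.from_bytes(blob[:4], "big")
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    enc_key, mac_key = keyring.subkeys(version)
    if not hmac.compare_digest(hmac.new(mac_key, header + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, header[4:], len(ct))))


@dataclass
class Request:
    """What the WFE can see: who is asking, where they are going, what they carry."""
    user: str
    groups: frozenset
    method: str            # POST = write toward the app tier, GET = read back to the user
    url: str
    fields: dict           # form fields (POST) or stored fields being returned (GET)
    hour: int              # local hour of the request, 0-23
    downloads_last_hour: int


# Hypothetical policy for the URI prefix from slide 15: only HR may reach it, only
# in office hours, only at a sane download rate, and these fields never leave the
# web tier in the clear.
POLICY = {
    "https://www.covert.com/HR/": {
        "groups": {"HR"},
        "hours": (7, 19),
        "max_downloads": 50,
        "encrypt_fields": {"ssn", "salary"},
    },
}


def decide(req):
    """Return (verdict, rule). URIs with no rule pass through untouched."""
    for prefix, rule in POLICY.items():
        if req.url.startswith(prefix):
            if not req.groups & rule["groups"]:
                return "deny:need-to-know", rule      # a DBA has need to manage, not need to know
            lo, hi = rule["hours"]
            if not lo <= req.hour < hi:
                return "deny:time-of-day", rule
            if req.downloads_last_hour > rule["max_downloads"]:
                return "deny:excessive-downloads", rule
            return "allow", rule
    return "allow", None


def enforce(req, keyring):
    """Encrypt protected fields on the way in, decrypt them on the way out.
    Returns (verdict, fields as forwarded); a denied request forwards nothing."""
    verdict, rule = decide(req)
    if verdict != "allow":
        return verdict, {}
    if rule is None:
        return verdict, dict(req.fields)
    out = {}
    for name, value in req.fields.items():
        if name not in rule["encrypt_fields"]:
            out[name] = value
        elif req.method == "POST":
            out[name] = encrypt(keyring, value.encode())
        else:
            out[name] = decrypt(keyring, value).decode()
    return verdict, out
```

Because the application and database tiers only ever receive the output of `enforce()` for a POST, the web server admin, shared services admin and database admin from slide 14 see ciphertext plus a key version, and the key material itself lives outside their reach. Rotation changes only what new writes use; nothing stored earlier has to be re-encrypted before it can be restored.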

17 OWASP WFE Encryption & Access Control
- Previously you had to either convince your app vendor to add this capability, or DIY
- In either case, the odds are poor for:
  - getting key management right, and
  - making the encryption easy to use and easy to manage
- Ubiquitous web application architectures open up encryption & access control platform possibilities at the WFE

18 OWASP Use Cases
- Web-based collaboration portals, on premise, e.g. SharePoint, ECM systems
  - Sensitive information protection such as HR data, IP, business plans
  - Compliance-regulated data, e.g. PII, NPI, ePHI
- Where outsiders are the new insider threat:
  - Cloud collaboration platforms, Google Docs, Box.net, et al.
  - Any SaaS application...

19 OWASP About CipherPoint
- Incorporated 2010
- 1st provider of transparent content encryption for Microsoft SharePoint
  - Insider threat protection
  - Separation of duties
  - Mass market pricing
- Building a cloud collaboration security platform

20 OWASP Questions?
