mr. desmond cloud security_format
AGENDA
• Cloud Computing Defined
• Software as a service
• Platform as a service
• Infrastructure as a service
Cloud Computing
• What is it not?
• Virtualization
• Remote Backup
• Most of the stuff called cloud computing
Cloud Computing
• Generally means:
• Lots of general purpose hosts
• Central Management
• Distributed data storage
• Ability to move application from system to system
• Low touch provisioning system
• Soft Failover/redundancy
Cloud Computing
• All technology and policy assessment must be based on:
• Specific deployment model
• Specific implementation
• Anybody who talks about “Cloud Computing Security” in general is selling you something
Software as a Service
• Authentication
• Audit
• Taking Back Control
Software as a Service (stack diagram, top to bottom)
• Application
• Application Server, Middleware, Database
• Operating System
• Hypervisor
• Networking, CPU, Storage, Backup
• Datacenter (Power, Cooling, Physical Security)
Cloudy Authentication
• Recent Twitter incidents reinforce an important point:
• “No matter how low an opinion you have of your users, they will figure out a way to disappoint you”
Authentication and Credentials
• What controls do we lose when using SaaS?
• Physical and logical network barriers
• Endpoint restrictions and management
• Non-password auth
• Fine grained credential quality controls
• Password reset process
• Real time anomaly detection
Authentication and Credentials
• Most IT departments believe in some of these:
• Many people doubt usefulness of perimeter
• Hackers aren’t unicorns
Account Quality
• Some services mix consumer accounts with “datacenter admin”
Audit and Logging
• Most SaaS vendors do not provide the level of audit logs necessary to recover from a serious breach
• What do I need to know?
• Who logged in?
• When?
• From where?
• What administrative actions were taken?
• What documents/data were accessed?
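SaaS Audit Comparison
| Service     | Login Events | Admin Events | Data Read | Data Write | SSO |
|-------------|--------------|--------------|-----------|------------|-----|
| Google Apps | No           | No           | No        | Yes        | Yes |
| Office Live | No           | No           | No        | Yes        | No  |
| Salesforce  | Yes          | No           | No        | Yes        | Yes |
• Missing from all these guys: per record/document read records
• Salesforce has much more centralized data access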
Google Apps Audit Logs
• Google provides users with some self-service history
• Admin can see last logged in time
• Google claims information available via DocList API
Salesforce Audit
• SF.com provides detailed login, admin event logs
• Write logging available in Force.com DB, not read
Credential Alternatives
• Some providers offer mechanisms to return login control to you
• Google offers SAML integration:
Why take back authentication?
• Doesn’t it defeat some of the benefits of the cloud?
• Yes.
• But it allows you to:
• Use alternative cred scheme (token, cert)
• Completely control password policies
• Implement internal password reset
• Perform anomaly detection on login attempts
• Place the portal behind VPN
• Access control
• Endpoint management
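
Once login events pass through a portal you control, the "who, when, from where" records become input for anomaly detection. The sketch below is an added example, not part of the original slides; the event tuples, the thresholds and the /24 grouping (IPv4 only) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

FAIL_THRESHOLD = 3                     # assumed policy values
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample events (when, who, from where, outcome), in time order.
EVENTS = [
    ("2024-03-01T08:59:10", "alice", "198.51.100.23", "success"),
    ("2024-03-01T09:02:00", "bob", "198.51.100.40", "success"),
    ("2024-03-02T02:14:01", "bob", "203.0.113.77", "failure"),
    ("2024-03-02T02:14:09", "bob", "203.0.113.77", "failure"),
    ("2024-03-02T02:14:20", "bob", "203.0.113.77", "failure"),
    ("2024-03-02T02:14:31", "bob", "203.0.113.77", "success"),
    ("2024-03-02T09:00:00", "alice", "198.51.100.99", "success"),
]


def detect(events):
    """Return alerts as (timestamp, user, rule) tuples."""
    known_nets = defaultdict(set)       # user -> /24 networks with a prior success
    recent_fails = defaultdict(deque)   # (user, ip) -> failure times inside the window
    alerts = []
    for ts, user, ip, result in events:
        when = datetime.fromisoformat(ts)
        fails = recent_fails[(user, ip)]
        while fails and when - fails[0] > FAIL_WINDOW:
            fails.popleft()             # forget failures older than the window
        if result == "failure":
            fails.append(when)
            continue
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ts, user, "success after repeated failures"))
        fails.clear()
        net = ip_network(f"{ip}/24", strict=False)
        # Only alert once the user has a baseline of at least one known network.
        if known_nets[user] and net not in known_nets[user]:
            alerts.append((ts, user, "login from new network"))
        known_nets[user].add(net)
    return alerts
```

On the constructed events, only bob's 02:14:31 login is flagged, once by each rule; alice's move within the same /24 is not.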
SaaS Auth Bottom Line
• Recommendations:
• Strong policies on quality and rotation
• Employee education is key
• Never re-use credentials
• Anti-Phishing techniques
• Use off-site SSO if available
• Consider additional restrictions using VPN
• Map to what protections you had pre-cloud
Legal Concerns: Liability
• As you would expect, Cloud EULAs promise nothing
• What happens in case of...
• Breach
• Data loss
• Disaster
• Business event
• You can’t expect these folks to take on financial liability, but it would be nice if they would promise to help
Legal Concerns: Self-Testing
• Most of the EULAs specifically disallow malicious traffic
• Important part of IT security, sometimes required
• Amazon assured us that they are OK with pen-testing with the owner’s permission
• Salesforce, Google allow app-level pen-testing of hosted apps
Legal Concern: Search and Seizure
• Does using Cloud Services decrease your protection from search of your data by:
• Law Enforcement?
• Civil Plaintiffs?
• The answer seems to be YES.
Legal Concern: Search and Seizure
• “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Legal Concern: Search and Seizure
• Apparently “persons, houses, papers, and effects” does not include “hard drives in Google’s DC”
• Several statutory protections, but mostly only protect “communications”
• Are your Salesforce data “communications”?
Legal Concern: Search and Seizure
• What do you lose in the Cloud?
• Protection of a Warrant
• Signed by Magistrate
• Requires “probable cause”
• Guarantee of notice
• Ability to fight seizure beforehand
• “Storing data yourself, on your own computers — without relying on the cloud — is the most legally secure way to handle your private information, generally requiring a warrant and prior notice. The government asserts that it can subpoena your data from cloud computing providers, with no prior notice to you.”
Google’s Response
• “Google complies with valid legal process. Google requests that all third-party legal process be directed at the customer, not at Google, and we provide our customers with the tools and/or data required to respond to process directly. If Google directly receives legal process concerning customer or end-user data, it is Google policy to inform the customer of said process, unless legally prevented from doing so. We are committed to protecting user privacy when faced with law enforcement requests. We have a track record of advocating on behalf of user privacy in the face of such requests (including U.S. Dept. of Justice subpoenas). We scrutinize requests carefully to ensure that they adhere to both the letter and the spirit of the law before complying.”
Platform as a Service
• Developers are the Essential Audience
• The Contenders
• Attack Surface Case Study
Platform as a Service (stack diagram, top to bottom)
• Application
• Application Server, Middleware, Database
• Operating System
• Hypervisor
• Networking, CPU, Storage, Backup
• Datacenter (Power, Cooling, Physical Security)
The Contenders
Attack Surface Cases
• Questions to consider:
• Secure out of the box?
• Is it {hard/easy} to get {right/wrong}?
• How could it be better?
• Selected cases:
• CSRF
• XSS
• SQL Injection
Cross-Site Request Forgery
• Subtle, often misunderstood.
• Can be mitigated almost transparently.
• Frameworks can tie forms to sessions.
• Just remember to confine modifications to POSTs.
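
What "tie forms to sessions" and "confine modifications to POSTs" amount to on the server side, as an added example that is not from the original slides and is not any framework's actual code: the helper names, the `csrf_token` field name and the in-memory `SERVER_KEY` are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)    # assumed per-deployment secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, nonce: str) -> bytes:
    # The MAC covers the session ID, so a token is only valid for the session it was issued to.
    msg = session_id.encode() + b"\x00" + nonce.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_csrf_token(session_id: str) -> str:
    """Value the framework would place in a hidden form field."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce).decode()


def token_matches_session(session_id: str, token: str) -> bool:
    nonce, sep, mac_hex = token.partition(".")
    if not sep:
        return False
    # Constant-time comparison of the recomputed MAC with the submitted one.
    return hmac.compare_digest(_mac(session_id, nonce), mac_hex.encode())


def authorize(method, session_id, form, changes_state):
    """Return (HTTP status, reason) for a hypothetical request handler."""
    if method in SAFE_METHODS:
        if changes_state:
            # Modifications are confined to POST; a GET that changes state is refused.
            return 405, "modification attempted on a safe method"
        return 200, "ok"
    if not token_matches_session(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or not tied to this session"
    return 200, "ok"
```

A token issued for one session is rejected when replayed with another session's cookie, which is the property a cross-site form submission cannot satisfy.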
GAE CSRF Prevention
• Not easily found in documentation.
• ... nor the discussion groups.
• Django mitigates CSRF with configuration.
• App must be configured to use Django in lieu of default framework.
Infrastructure as a Service
• IaaS Concerns
• Linux RNG on IaaS
Infrastructure as a Service (stack diagram, top to bottom)
• Application
• Application Server, Middleware, Database
• Operating System
• Hypervisor
• Networking, CPU, Storage, Backup
• Datacenter (Power, Cooling, Physical Security)
IaaS Background
• IaaS is not just virtualization
• Shorter lived instances
• Non-persistent local storage
• Software optimized for cloud lifecycle
• Often includes helper services like storage
IaaS Concerns
• Flaws in Hypervisor
• Well researched area, still many bugs to uncover
• Virtualization bugs are important, but not the last word in IaaS issues
• Services
• Administrative interfaces can have vulnerabilities
• Not always accessed over TLS
• Audit logs are still poor
• Networking
• “Cheap” IaaS providers = no network segmentation
• Amazon has an ipfilters-like rule set
• Generally harder to build secure network
IaaS Concerns – OS Assumptions
• Operating systems aren’t built to be cloned at block level
• A lot of unique or secret data
• Private keys (SSH, SSL, Kerberos)
• Identifiers (Windows Machine GUID, hostname)
• Salted password hashes
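
One consequence of block-level cloning is that instances started from the same image present the same SSH host key. The check below is an added example, not part of the original slides: it groups an inventory in the `host keytype base64-key` form printed by `ssh-keyscan` by key fingerprint and reports keys seen on more than one host. The hosts and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_lines):
    """Map (key type, fingerprint) -> hosts, for keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue                    # skip blanks and ssh-keyscan banner comments
        host, keytype, blob = fields[:3]
        hosts_by_key[(keytype, fingerprint(blob))].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def _fake_blob(label: str) -> str:
    # Constructed stand-in for a real public key blob.
    return base64.b64encode(f"constructed host key {label}".encode()).decode()


# Constructed inventory: two instances still carry the image's key, one regenerated it.
SAMPLE = [
    "# 10.0.0.11:22 SSH-2.0-OpenSSH",
    f"10.0.0.11 ssh-ed25519 {_fake_blob('golden-image')}",
    f"10.0.0.12 ssh-ed25519 {_fake_blob('golden-image')}",
    f"10.0.0.13 ssh-ed25519 {_fake_blob('regenerated')}",
]
```

Any group this returns marks instances whose host keys should be regenerated at first boot rather than inherited from the image.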