Cloud Security:Threats & Mitgations

Similar documents
Security Issues in Cloud Computing

D. L. Corbet & Assoc., LLC

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Where every interaction matters.

FileCloud Security FAQ

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Adobe Systems Incorporated

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

From the Bottom to the Top: The Evolution of Application Monitoring

Web Application Vulnerability Testing with Nessus

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Passing PCI Compliance How to Address the Application Security Mandates

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

SERENA SOFTWARE Serena Service Manager Security

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Web Application Penetration Testing

What is Web Security? Motivation

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web application security

How to complete the Secure Internet Site Declaration (SISD) form

Barracuda Web Site Firewall Ensures PCI DSS Compliance

OWASP Top Ten Tools and Tactics

05.0 Application Development

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Codes of Connection for Devices Connected to Newcastle University ICT Network

Sitefinity Security and Best Practices

PCI DSS 3.0 Compliance

OWASP AND APPLICATION SECURITY

PCI Compliance Updates

Web App Security Audit Services

Magento Security and Vulnerabilities. Roman Stepanov

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Network Access Control and Cloud Security

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Web Application Report

(WAPT) Web Application Penetration Testing

Attacks from the Inside

Web Application Security Assessment and Vulnerability Mitigation Tests

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Essential IT Security Testing

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

DiamondStream Data Security Policy Summary

Supplier Information Security Addendum for GE Restricted Data

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Using Free Tools To Test Web Application Security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Overview of the Penetration Test Implementation and Service. Peter Kanters

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

PCI Compliance for Cloud Applications

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

College Training Program

How To Protect Your Cloud Computing Resources From Attack

Web Plus Security Features and Recommendations

CONTENTS. Security Policy

Cloud Computing Governance & Security. Security Risks in the Cloud

Web Application Firewall on SonicWALL SSL VPN

Cloud-Security: Show-Stopper or Enabling Technology?

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Guide to Vulnerability Management for Small Companies

Hacking the WordpressEcosystem

Web Application Report

Managing Cloud Computing Risk

Data Protection: From PKI to Virtualization & Cloud

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Network Access Control and Cloud Security

Protecting Your Organisation from Targeted Cyber Intrusion

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Global Partner Management Notice

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Rational AppScan & Ounce Products

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Guidelines for Web applications protection with dedicated Web Application Firewall

Ethical Hacking as a Professional Penetration Testing Technique

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Auditing Web Applications

Pentests more than just using the proper tools

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Transcription:

Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1

What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer 2

What Security Physical security controls implemented at and for physical facilities (offices, datacenters) Network security controls implemented for network (firewall, anti-ddos, auth controls) System security controls implemented for the IT systems (anti-virus, active directory) Application security controls implemented for business applications (AAA, API Security, release management) Maturity, effectiveness & completeness of security controls implemented 3

First Step Towards Cloud Security Your assets on the cloud - Data, Applications & Processes Evaluate all assets in terms of Confidentiality What if the asset becomes publicly accessible? What if the cloud provider employee accessed your asset? Integrity What if the process was manipulated by an outsider? What if the process failed to provide expected results? What if the data got unexpectedly changed? Availability What if the asset were unavailable for a period of time? 4

Cloud Service Models IAAS Provider secures the physical infrastructure (server locations) Provider may give basic firewall like protection for running instances Consumer implements additional Network, System and Application security controls Zero application like features, enormous extensibility PAAS Provider takes care of securing the infrastructure (server locations, servers, network, OS and storage) Consumer implements Application security controls Intended to enable developers to build their apps on top of the platform SAAS Provider implements the Network, System & Application security Service levels, security, liability expectations are contractually enforced Most integrated functionality And hence, Least consumer extensibility 5

Lets Begin the Debate The first Threat: Unknown Risk Profile Applies To: IaaS PaaS SaaS 6

Well, Yeah! But we have to start somewhere: Educate ourselves Read the Contract Carefully! Disagree when you are not comfortable Ask the provider for Disclosure of applicable logs and data. Get Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). Setup best possible Monitoring and alerting on necessary information TOOLS: NAGIOS, AIDE 7

Abuse and Nefarious Use of Cloud Computing Applies To: IaaS PaaS SaaS 8

I choose my friends wisely! Look for providers with Stricter initial registration and validation processes. Check levels of credit card fraud monitoring and coordination used by the provider Is the provider capable of running a Comprehensive introspection of customer network traffic Monitor public blacklists for one s own network blocks. 9

Insecure Interfaces and APIs Applies To: IaaS PaaS SaaS 10

Yeah, thats a tough one! Analyze the security model of cloud provider's interfaces. Ensure strong authentication and access controls are implemented in concert with encrypted transmission. Understand the Dependency Chain associated with the API. 11

Malicious Insiders Applies To: IaaS PaaS SaaS 12

You can trust no one! Enforce strict supply chain management and conduct a comprehensive supplier assessment. Specify human resource requirements as part of legal contracts. Require transparency into overall information security and management practices, as well as compliance reporting. Determine security breach notification processes 13

Shared Technology Issues Applies To: IaaS PaaS SaaS 14

Get your own Bag! Implement security best practices for installation/ configuration. Monitor environment for unauthorized changes/ activity. Promote strong authentication and access control for administrative access and operations. Enforce service level agreements for patching and vulnerability remediation. Conduct vulnerability scanning and configuration audits 15

Data Loss or Leakage Applies To: IaaS PaaS SaaS 16

I know its Confidential Implement strong API access control. Encrypt and protect integrity of data in transit. Analyze data protection at both design and run time. Implement strong key generation, storage and management, and destruction practices. Contractually demand providers wipe persistent media before it is released into the pool. Contractually specify provider backup and retention strategies. 17

Account or Service Hijacking Applies To: IaaS PaaS SaaS 18

Do I really know you? Prohibit the sharing of account credentials between users and services. Leverage strong two-factor authentication techniques where possible. Employ proactive monitoring to detect unauthorized activity. Understand cloud provider security policies and SLAs. 19

What do we do now? 20

Lets Brace Ourselves Basic Security Install libpam for enforcing stricter password scheme Defined a policy for groups and users Disable root login Don't share user logins Assign user privileges based on requirements Minimize the login accounts that have root access Enable user action logging (**) Don't run webserver and database as root user Restrict SSH access by groups or users Allow SSH login using identity keys only Change default SSH port 21

Server / OS Hardening Chkrootkit Checks for root kits installed, if any SNORT - Intrusion Detection AIDE - File Integrity Checking, can alert you if any file is changed on the machine psad Port Scan Attack Detection Well! Bastille Best Firewall configuration tool NAGIOS Open source remote monitoring of the server and all important services running on it Keep a Reference Machine Image 22

Apache web server Hardening Download server binary from trusted sources only and verify download integrity Disable modules that are not required Change the default webserver user and group Follow appropriate security forums & apply security patches ASAP 23

Application Security -Authentication Authentication must be on HTTPS Choose strong authentication scheme, especially if you are going to provide an API access Prefer Basic authentication over HTTPS as against Digest authentication. Maintain a strong password policy Implement captcha or response slow down when multiple failed login attempts are detected 24

Application Security the rest Educate yourself on application security, learn to use a http intercepting proxy WebScarab/Burp Top Ten Vulnerabilities according to the OWASP Project Remember these are just the TOP TEN Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF), Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, Unvalidated Redirects and Forwards 25

What happens next?" "I'm not sure, exactly. But this world is ours now. It's what we make of it." - 9 (2009) 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information