Example requests from a Cisco Business User:
"We want to use SalesForce.com to host our next Cisco customer application."
".. Amazon EC2 (Cloud) to host Eng. Lab testing."
".. Facebook/MySpace to collaborate with the company's customer."
Outline
Cloud Industry Adoption Trend
Cloud Taxonomy
OWASP Cloud Top 10
Cloud Security Risks
Risk Mitigations
Q&A
Cisco Public
[Chart: Cloud Industry Adoption Trend: 58.6 (2009), 68.3 (2010), 148.8 (2014). Source: Gartner]
Cloud Taxonomy
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Deployment Models: Public, Private, Hybrid, Community
Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling
OWASP Cloud Top 10
Inputs: ISC2, CSA, IDC, NIST, Industry Experience, Publications, News
R1: Accountability
In a traditional data center, the owning organization is accountable for security at all layers: Application, Web/App/DB server, Computing, Network, Storage.
[Diagram: for IaaS, PaaS and SaaS, which of the layers (Application, Web/App/DB server, Computing, Network, Storage) the Cloud Consumer remains accountable for; * few exceptions]
Mitigation
Security Risks
1. Managing Identities across multiple providers
2. Less control over user lifecycle (offboarding)
3. User experience
[Diagram: Enterprise users accessing multiple cloud providers]
Mitigations
1. Federated Identity
2. OAuth for backend integrations
3. Tighter user provisioning controls
[Diagram: SAML Identity Federation]
[Diagram: data spread across data centers DC1, DC2, DC3]
Lack of transparency in the underlying implementations makes it difficult for data owners to demonstrate compliance (SOX/HIPAA etc.).
The European Union (EU) has very strict privacy laws, and hence data stored in the US may not comply with those EU laws (the US Patriot Act allows federal agencies limitless powers to access any corporate data, etc.).
Mitigation
Privacy of my data - Address, Email, .. (Personally Identifiable Information)
[Diagram: End Users and Providers]
De-identification of personal Information
Encrypted storage
[Diagram: Branch Office and End Users connecting through Cloud Brokers/Proxies to the Private Cloud / Internal Data Center (Internal Databases) and to Cloud Provider 2 (Service / App 1, 2, 5, 6)]
Data in Transit
Data at Rest
[Diagram: Web Tier, Database Tier, Backups, Admin and reach back to Enterprise, with data flows numbered 1 to 6]
Security Risks
Inadequate Logical Separations
Co-mingled Tenant Data
Malicious or Ignorant Tenants
Shared Service: single point of failures
Uncoordinated Change Controls and Misconfigs
Performance Risks
* http://chenxiwang.wordpress.com/2009/11/02/mits-attack-on-amazon-ec2-an-academic-exercise/
** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/
International differences in relevant regulations
[Diagram: Private Cloud / Internal Data Center (Internal Databases) and Public Cloud (Cloud Provider 1, Cloud Provider 2; Service / App 1, 2, 5, 6), connected through Cloud Brokers and Proxies]
Comprehensive logging without compromising Performance
Dedicated Forensic VM Images
Active Unused Ports
Default Passwords
Default Configurations
[Diagram: Prod and Non-Prod environments]
Security flaws
Data copied to non-prod from its production equivalent
Typical non-prod environments use generic authentication credentials
Mitigation
[Diagram: Prod and Non-Prod environments]
Photo - http://fineartamerica.com/featured/peaceful-sleep-ron-white.html