Rationalization and Defense in Depth - Two Steps Closer to the Clouds

As presented by Dave Chappelle at Oracle Technology Network Architect Day in Phoenix, AZ on December 14, 2011.

Transcript

  • 1. OTN Architect Day Security Breakout Session. Dave Chappelle, 14 December 2011
  • 2. Rationalization and Defense in Depth - Two Steps Closer to the Clouds (OTN Architect Day 2011)
  • 3. Perimeter Security
    Diagram: Client → Firewall → DMZ (Web Server, acting as app proxy) → Firewall → Protected Zone(s) (Application Server, Message Queue, Mainframe Application, databases). The outer firewall blocks all network traffic except for specific ports; the inner firewall blocks all network traffic except from the proxy. Zones, left to right: Unprotected Zone, Perimeter, Protected Zone(s).
    • Can establish multiple perimeters
    • Each perimeter can be more restrictive
    • Perimeters can be at varying degrees of granularity
    • Alone, often involves a lot of implied trust
    • Modern environments don't have such a clearly defined perimeter
  • 4. Defense in Depth
    Photo: "Krak des Chevaliers", Syria
    • Military defensive strategy to secure a position using multiple defense mechanisms
    • Less emphasis is placed on a single perimeter wall
    • Several barriers and different types of fortifications
    • Objective is to win the battle by attrition. The attacker may overcome some barriers but can't sustain the attack for such a long period of time.
  • 5. Defense in Depth
    Layers (innermost first) and the controls at each:
    • Data: Database Security (online storage & backups); Content Security, Information Rights Management; Message Level Security
    • Application: Federation (SSO, Identity Propagation, Trust, …); Authentication, Authorization, Auditing (AAA); Security Assurance (coding practices)
    • Host: Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection), …
    • Internal Network: Transport Layer Security (encryption, identity)
    • Perimeter: Firewalls, network address translation, denial of service prevention, message parsing and validation, …
    • Physical: Fences, walls, guards, locks, keys, badges, …
    • Policies, Procedures, & Awareness: Data Classification, Password Strengths, Code Reviews, Usage Policies, …
    Cross-cutting all layers: Governance, Risk Management, & Compliance; Identity & Access Management
  • 6. Defense in Depth: Greater Control
    Diagram: many enforcement points across the layers (Data; Application / Service; Host; Internal Network; Perimeter; Physical), all governed by a consistent set of policies & procedures.
  • 7. Security Silos
    Diagram: the End User, Security Administrator, and Security Auditor each deal with the Support, Finance, and Sales applications separately.
    • Application silos with their own standalone security architecture
    • Integration is hard enough without security!
    • End users have many logins & passwords
    • Administration is time-consuming and error-prone
    • Auditing is inaccurate and/or impossible
  • 8. Security Framework
    Diagram: the End User, Security Administrator, and Security Auditor reach the Support, Finance, and Sales applications through one shared Security Framework.
    • Security is part of the foundation, not an inconvenient afterthought
    • Users have one identity and a set of roles & attributes that govern access
    • Administration is operator-centric, not system-centric
    • Auditing is possible and realistic
  • 9. Security Framework High Level Architecture
    Diagram: Business Logic sits on Information Processing, which sits on Information Management; each layer exposes Security Services through Security Interfaces to the Enterprise Security Framework (Shared Security Services, Enterprise Security Information, Security Management & Administration). Side labels: Design & Development; Administration.
    • Information Processing: Infrastructure Platforms (Application Servers, Information Management Systems, etc.): provide a secure run-time environment; offer security services to business logic; allow solution-level security administration
    • Information Management: provide a secure data persistence environment; offer security features to protect data; allow db-level security administration
    • Security Framework: Shared Security Services: provide shared security services; manage security data for the enterprise; allow enterprise-level security administration
    • Security Interfaces: provide consistent access to security services; embrace open, common industry standards
  • 10. Support for Architecture Principles
    Architecture Principles:
    • Provides Security as a Service
    • Supports Defense in Depth
    • Supports Least Privilege
    • Supports Information Confidentiality, Integrity, & Availability
    • Provides Secure Management of Security Information
    • Provides Active Threat Detection and Analysis
    • Provides Secure Audit Trail
    • Provides Cross-Domain Identity Federation
  • 11. Space Between the Clouds
    Diagram: the defense-in-depth layers (Data; Application / Service; Host; Internal Network; Perimeter; Physical; Policies & Procedures) drawn across Your Organization, two Private Clouds, and a Public Cloud (Cloud Provider), with SaaS, PaaS, and IaaS marking how much of the stack the provider owns. The gaps between them: Technology Integration; Id & Access Mgmt; GRC Planning & Reconciliation.
  • 12. SaaS I&AM Patterns
    Diagram of four patterns (Providers A-D) between the In-House (Private) IT Environment and the SaaS provider. Elements shown: Identity Management, Authentication, Authorization, and Access Policy Management on each side; user id & attributes provisioned to the provider via SPML; user id asserted to the provider via SAML; an STS on the in-house side issuing tokens via SAML, WS-Trust, and WS-Federation.
  • 13. Common Attacks & Cloud Computing
    • Common Attacks: What types of attacks happen most frequently?
    • Defense Strategies: How would you normally protect your IT resources?
    • Cloud Scenario: What might be different about a Cloud environment?
  • 14. Common Threat Summarization
    • 2011 Data Breach Investigations Report (DBIR): Verizon Investigative Response Team + US Secret Service (financial & cyber fraud) + Dutch National High Tech Crime Unit
      • 2010: 761 incidents, ~4 million records compromised
      • 7 years: >1700 incidents, >900 million records compromised
    • Verizon Enterprise Risk & Incident Sharing (VERIS) Framework
      • Agent: Whose actions affected the asset
      • Action: What actions affected the asset
      • Asset: Which assets were affected
      • Attribute: How the asset was affected
  • 15. Threat Agents - External
    Threat agents (% of breaches / % of records): 1. External Agents 91% / 99%; 2. Internal 16% / 1%; 3. Partner <1% / <1%
    External agents: 58% Organized Criminal Groups; 40% Unaffiliated individuals; 2% Former Employees; 1% Competitors
    "[External Agents] created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets."
    Threat actions (% of breaches / % of records): 1. Malware 49% / 79%; 2. Hacking 50% / 89%; 3. Misuse 17% / 1%
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
  • 16. Hacking (50% of breaches, 89% of records)
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
    Hacking varieties (% of breaches / % of records; bracketed number = the defensive strategy below that addresses it):
    • Backdoor or command/control channel 73% / 45% [1]
    • Default or guessable credentials 67% / 30% [2]
    • Brute force & dictionary attacks 52% / 34% [2]
    • Footprinting & fingerprinting 49% / 19% [1]
    • Use of stolen login credentials 21% / 21% [2]
    • SQL Injection 14% / 24% [3]
    • Insufficient authentication 10% / 21% [4]
    • Abuse of functionality 10% / 19%
    • Buffer overflow 9% / 15% [3]
    71% via remote access services (RDP, PCAnywhere, Go2Assist, LogMeIn, NetViewer, ssh, telnet, rsh, …)
    Defensive Strategy:
    1. Limit network/port/protocol access
    2. Strengthen & change passwords
    3. Protect applications from SQL injection & buffer overflows
    4. Require authentication
    Cloud Implications:
    • Remote access may be required for public cloud maintenance & troubleshooting
    • Cloud provider may control authentication & password requirements
    • Cloud provider may control code base
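The third defensive strategy on this slide, protecting applications from SQL injection, comes down to never letting user input be parsed as SQL syntax. The Python below is an added example and is not part of the presentation: it builds an in-memory SQLite table with constructed sample rows (the usernames and placeholder hashes are made up), then runs the same login check as a string-built query and as a parameterised query, so the tautology and comment-out payloads can be seen defeating only the first.

```python
"""Added example (not from the slides): SQL injection in a string-built login
query versus a parameterised query, against an in-memory SQLite database."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample users table (hashes are placeholders, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the SQL by string substitution: input is parsed as SQL syntax,
    so a quote in `username` ends the literal and a `--` comments out the rest."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Binds input as parameters: the driver passes it as data, so the same
    payload is compared as a literal username and matches nothing."""
    query = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def compare(payload_user: str, payload_hash: str) -> dict:
    """Run one (username, password_hash) pair through both versions."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, payload_user, payload_hash),
        "hardened": login_hardened(conn, payload_user, payload_hash),
    }


if __name__ == "__main__":
    print("valid credentials:  ", compare("alice", "hash-alice"))
    print("comment-out payload:", compare("alice' --", "wrong"))
    print("tautology payload:  ", compare("x' OR 1=1 --", "wrong"))
```

The hardened version changes nothing about what the query means for legitimate input; it only changes who interprets the input. Note that the `sqlite3` module refuses stacked statements, so a `'; DROP TABLE users; --` payload raises an error here rather than executing, which is a property of this driver and not a defence to rely on with other databases.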
  • 17. Malware (49% of breaches, 79% of records)
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
    Infection vectors (% of breaches; bracketed number = the defensive strategy below that addresses it):
    • Installed / Injected by remote attacker 81% [1]
    • Email 4% [2, 3]
    • Web / Internet auto-executed ("drive-by" infection) 3% [2, 3]
    • Web / Internet user-executed (download) 3% [2, 3]
    • Designed to: open back doors, perform key logging, RAM scraping, network scanning, data capture & send, …
    • 80% installed by attacker following breach of system
    • Almost 100% caused by external agents
    Defensive Strategy:
    1. Protect systems from hacking
    2. Maintain system patches, virus protection, security settings, firewalls
    3. Internet Usage Policies & Awareness
    4. Consider Internet-facing devices to be suspect & limit access accordingly
    Cloud Implications:
    • Efficacy of cloud provider's security measures will factor into risk
      • How are hacking threats handled?
      • How are Internet-facing devices secured and isolated?
      • How are they audited for compliance?
  • 18. Perimeters & Internal Networks
    • Limit exposure to the Internet
    • Turn off unnecessary ports & protocols
    • Limit exposure to management interfaces
    • Don't plug in devices that may be contaminated
    • Data Loss Prevention
    • VPN
      • Site to site
      • User to site
    • Cloud as a DMZ
    • Multi-tenancy
      • A hacker's launch point?
    (Diagram: Firewall)
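Slide 16 attributed 52% of hacking breaches to brute force and dictionary attacks and 71% of them to remote access services, and this slide asks for management interfaces to be exposed as little as possible; whatever must stay exposed should at least be watched for that pattern. The Python below is an added example, not from the presentation: a small detector run over constructed sshd-style log lines (the line format, timestamps, usernames and addresses are made up for the example) that flags a source with a run of failed logins inside a short window, lists the usernames it tried, and reports whether a login was accepted after the streak began, the failure-then-success shape that points at a guessed or default password rather than a typo.

```python
"""Added example (not from the slides): brute-force detection over constructed
sshd-style authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, shaped like OpenSSH auth messages; not real data.
SAMPLE_LOG = """\
2011-12-14T09:00:01 sshd[2001]: Failed password for root from 203.0.113.7 port 51234 ssh2
2011-12-14T09:00:03 sshd[2002]: Failed password for admin from 203.0.113.7 port 51235 ssh2
2011-12-14T09:00:05 sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
2011-12-14T09:00:07 sshd[2004]: Failed password for root from 203.0.113.7 port 51237 ssh2
2011-12-14T09:00:09 sshd[2005]: Failed password for root from 203.0.113.7 port 51238 ssh2
2011-12-14T09:00:12 sshd[2006]: Accepted password for root from 203.0.113.7 port 51239 ssh2
2011-12-14T09:05:00 sshd[2010]: Failed password for dave from 192.0.2.10 port 40001 ssh2
2011-12-14T09:30:00 sshd[2011]: Accepted publickey for dave from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text: str) -> list:
    """Return (timestamp, result, user, source_ip) tuples; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Flag each source IP with at least `threshold` failed logins inside any
    interval of length `window`. For a flagged source also report the usernames
    tried and whether a login was accepted after the failure streak began."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [ts for ts, result, _ in evs if result == "Failed"]
        for i, start in enumerate(fails):
            end = i
            while end < len(fails) and fails[end] - start <= window:
                end += 1
            if end - i >= threshold:
                alerts[src] = {
                    "failures_in_window": end - i,
                    "users_tried": sorted({u for _, result, u in evs if result == "Failed"}),
                    "success_after": any(result == "Accepted" and ts >= start for ts, result, _ in evs),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, detail in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, detail)
```

The threshold and window are the tuning knobs: a slow dictionary attack spread over hours stays under a one-minute window, so production rules usually keep a second, longer window with a higher count, and the `success_after` flag is the one worth paging on.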
  • 19. Threat Agents - Internal
    Threat agents (% of breaches / % of records): 1. External Agents 91% / 99%; 2. Internal 16% / 1%; 3. Partner <1% / <1%
    Internal agents: 85% Regular Employee / End User; 22% Finance / Accounting Staff; 11% Executive / Upper Mgmt; 9% Helpdesk, SA, DBA, Developer
    • Not as scalable as external agents
    • 9% of incidents involve a combination of external and internal agents
    • Fewer records but greater impact
    Threat actions (% of breaches / % of records): 1. Malware 49% / 79%; 2. Hacking 50% / 89%; 3. Misuse 17% / 1%
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
  • 20. Misuse (17% of breaches, 1% of records)
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
    Misuse varieties (% of breaches):
    • Embezzlement, skimming, & related fraud 75%
    • Abuse of system access / privileges 49%
    • Use of unapproved hardware / devices 39%
    • Abuse of private knowledge 7%
    Defensive Strategy:
    1. SoD, Principle of Least Privilege, Access Control measures
    2. Auditing & Review
    3. Deprovisioning users
    4. Data Loss Prevention solutions
    Cloud Implications:
    • Cloud provider maintains some level of identity and access management
    • Auditing & review up to cloud provider
    • DLP up to cloud provider
    • Abuse of privilege not "provider-dependent"
    From the DBIR: "…employees aren't normally escalating their privileges in order to steal data because they don't need to. They simply take advantage of whatever standard user privileges were granted to them by their organizations." "…regular employees typically seek 'cashable' forms of information like payment card data, bank account numbers, and personal information."
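The first three defensive measures on this slide (segregation of duties with least privilege, auditing & review, and deprovisioning) can be exercised mechanically against an entitlement export, which is what an access review is. The Python below is an added example, not from the presentation: it runs one review pass over a constructed HR roster and entitlement list (all account names, departments and privilege strings are made up for the example) and reports toxic privilege combinations, leavers who still hold access, accounts with no owner in HR, and privileges beyond what a department's role is expected to need.

```python
"""Added example (not from the slides): an access-review pass for SoD, least
privilege and deprovisioning over constructed sample data."""

# Constructed sample HR roster and entitlement export (not real).
HR_ROSTER = {
    "alice": {"status": "active", "department": "Finance"},
    "bob": {"status": "active", "department": "Sales"},
    "carol": {"status": "terminated", "department": "Finance"},
    "dan": {"status": "active", "department": "IT"},
}

ENTITLEMENTS = {
    "alice": {"ap.create_vendor", "ap.approve_payment", "gl.read"},
    "bob": {"crm.read", "crm.write"},
    "carol": {"gl.read"},
    "dan": {"db.dba", "hr.read", "crm.write"},
    "svc_report": {"gl.read"},
}

# Privilege pairs that no single person may hold together (segregation of duties).
SOD_CONFLICTS = [("ap.create_vendor", "ap.approve_payment")]

# Privileges a department's role may be granted at all; anything beyond is reviewed.
DEPARTMENT_BASELINE = {
    "Finance": {"ap.create_vendor", "ap.approve_payment", "gl.read"},
    "Sales": {"crm.read", "crm.write"},
    "IT": {"db.dba"},
}


def review_access(roster: dict, entitlements: dict, sod_conflicts: list, baseline: dict) -> dict:
    """One review pass over an entitlement export. Returns findings per category,
    in account order so the output is stable between runs."""
    findings = {"sod_violations": [], "deprovision": [], "orphaned": [], "excess_privilege": []}
    for account, privs in sorted(entitlements.items()):
        person = roster.get(account)
        if person is None:
            # No owner in HR: nobody is accountable for what this account does.
            findings["orphaned"].append(account)
            continue
        if person["status"] != "active":
            # Leaver still entitled: deprovisioning did not happen.
            findings["deprovision"].append(account)
            continue
        for a, b in sod_conflicts:
            if a in privs and b in privs:
                findings["sod_violations"].append((account, a, b))
        extra = privs - baseline.get(person["department"], set())
        if extra:
            findings["excess_privilege"].append((account, sorted(extra)))
    return findings


if __name__ == "__main__":
    for category, items in review_access(HR_ROSTER, ENTITLEMENTS, SOD_CONFLICTS, DEPARTMENT_BASELINE).items():
        print(category, items)
```

The baseline check is deliberately separate from the SoD check: a department may legitimately be allowed both halves of a toxic pair across different people, so the baseline says what a role may hold and the SoD list says what one person may not hold at once. The same pass works against a SaaS provider's entitlement export, which is the point of the cloud implication that abuse of privilege is not provider-dependent.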
  • 21. Threat Agents - Partner
    Threat agents (% of breaches / % of records): 1. External Agents 91% / 99%; 2. Internal 16% / 1%; 3. Partner <1% / <1%
    Source: Verizon 2011 Data Breach Investigations Report (DBIR)
    • Includes vendors, suppliers, hosting providers, outsourced IT support
    • Direct involvement has been on the decline
    • Responsible involvement has not declined
    • Attacks often involve a compromised remote access connection
    • Poor governance, lax security, too much trust
    • "Out-of-sight, out-of-mind" condition
    Cloud Implications:
    • Provider's enforcement of Least Privilege and Segregation of Duties
    • Provider's contracts, policies, controls, governance, & auditing
    • Secure communications channels & active threat detection
    • You can't delegate accountability
  • 22. Administrative & Management Control
    • Cloud control vs. your control
      • Where are the lines drawn?
      • Segregation of Duties, Least Privilege
    • How do you measure your provider's success?
      • How will you know if your risk is greater than expected?
    • Audit & Review
      • What (objectives), by whom, how often
    • Motility of Data
      • How to ensure data remnants are destroyed (digital shredding)
  • 23. (Some of) The Good…
    • Cloud providers have a deep vested interest in security
      • Must prove themselves to the market
      • Often much greater investment and attention to detail than traditional IT
    • Cloud homogeneity makes security auditing/testing simpler
    • Shifting public data to an external cloud reduces the exposure of the internal sensitive data
    • Data held by an unbiased party
    Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  • 24. …The Bad…
    • Multi-tenancy; need for isolation management
    • High value target for hackers
    • Fragmentation; creation of more silos
    • Data dispersal and international privacy laws
      • EU Data Protection Directive and U.S. Safe Harbor program
      • Exposure of data to foreign government and data subpoenas
      • Data retention issues
    Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  • 25. …& The Ugly
    • Proprietary implementations
    • Audit & compliance
    • Availability
    • Relying on a vendor to stay in business
    • Equipment seizure (e.g. FBI - DigitalOne AG 2011)
    Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  • 26. Recommendations
    • Institute Defense in Depth
      • Good general strategy to protect highly distributed systems (SOA, BPM, Cloud, etc.)
      • Protect the whole environment, not just the perimeter
    • Rationalize & Consolidate
      • Standardized frameworks, services, & technologies
      • Holistic management, visibility, & control
    • Mind The Gap(s)
      • Technology: Secure integration
      • Identity & Access Management
      • Policies, Procedures, Audits, Attestation, GRC
    Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies