Cloud and security, the mys(t)ery revealed! - Raf Cox
Windows Azure and Office 365 are great cloud platforms for hosting both your internal and external applications. Because they are managed by Microsoft, a number of security and protection services come as part of the service.
What security measures do you still need to focus on yourself? How do you keep your applications and cloud infrastructure secure?

Presentation Transcript

  • 1. Cloud and security, the mys(t)ery revealed. Raf Cox, Managing Partner
  • 2. Overview
    - Introduction
    - Types of cloud
    - Control versus security responsibility
    - Threats in the cloud
    - Some best practices for securing your cloud
  • 3. Industry cloud models
    - Infrastructure as a Service (IaaS): host
    - Platform as a Service (PaaS): build
    - Software as a Service (SaaS): consume
    - Cross-cutting services: directory, access control, multi-factor authN, rights management
  • 4. Cloud security concerns
    - Where is my data located?
    - Is the Microsoft cloud “secure”?
    - Who can see my data?
    - How do you make sure my company data follows “the rules”?
    - What happens if…
    (“Cloudy with a chance of Rain”, The Economist)
  • 5. Cloud security model: less customer control, more trust in the provider
    Who controls each layer (Customer or Microsoft):
    Layer        On-Premises   IaaS        PaaS        SaaS
    Data         Customer      Customer    Customer    Customer
    Application  Customer      Customer    Customer    Microsoft
    Host         Customer      Customer    Microsoft   Microsoft
    Network      Customer      Microsoft   Microsoft   Microsoft
    Physical     Customer      Microsoft   Microsoft   Microsoft
  • 6. Threats in the cloud: physical
    [Diagram reused on slides 6 to 13: physical layer, network and hypervisor; Tenant 1 and Tenant 2, each with VM, storage, site and AD; internal Azure management; Azure management for Tenant 1 (corporate network) and for Tenant 1 (customers; external employees)]
    Responsibility?
  • 7. Threats in the cloud: network
    Examples: DNS attack (spoofing); network flooding
    Responsibility?
  • 8. Threats in the cloud: management
    Examples: management workstations compromised; admin account/certificate compromised
    Responsibility?
  • 9. Threats in the cloud: privacy
    Example: local authorities at the datacenter location accessing your data
    Responsibility?
  • 10. Threats in the cloud: admin misuse
    Responsibility?
  • 11. Threats in the cloud: VM escape
    Responsibility?
  • 12. Threats in the cloud: exploiting unpatched vulnerabilities
    Responsibility?
  • 13. Threats in the cloud: outgoing attacks
    Responsibility?
  • 14. Defense in depth approach: Windows Azure security layers
    Layer        Defenses
    Data         Strong storage keys for access control; SSL support for data transfers between all parties
    Application  Front-end .NET framework code running under partial trust; Windows account with least privileges
    Host         Stripped-down version of the Windows Server 2008 OS; host boundaries enforced by an external hypervisor; host firewall limiting traffic to VMs
    Network      VLANs and packet filters in routers
    Physical     World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes
  • 15. Physical security
    - Physical data center: SSAE 16/ISAE 3402 attestation and ISO 27001 certified
    - Motion sensors
    - 24x7 protected access
    - Biometric-controlled access systems
    - Video camera surveillance
    - Security breach alarms
  • 16. Defenses inherited by Windows Azure platform applications (by STRIDE threat)
    - Spoofing: Certificate Services; Shared Access Signatures; HTTPS
    - Tampering / Disclosure: VM switch hardening; side-channel protections; VLANs; top-of-rack switches; custom packet filtering
    - Repudiation: Monitoring Diagnostics Service
    - Information Disclosure: HTTPS; Shared Access Signatures
    - Denial of Service: configurable scale-out
    - Elevation of Privilege: Partial Trust Runtime; hypervisor custom sandboxing; Virtual Service Accounts
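Slides 14 and 16 (and the "Certs & storage keys" item on slide 17) rest on one mechanism: whoever holds the storage key can sign a time-limited grant, and the service recomputes the signature before honouring it. The block below is an added Python illustration of that issue-and-verify exchange; it is not code from the presentation or from Microsoft, and its string-to-sign is a deliberate simplification of the real, versioned Azure SAS layout. The keys, resource name and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed demo keys (base64 of fixed bytes); a real storage key is a random secret.
STORAGE_KEY = base64.b64encode(b"\x01" * 64).decode()
ROTATED_KEY = base64.b64encode(b"\x02" * 64).decode()


def _string_to_sign(resource, permissions, expiry):
    """Canonical form covered by the signature (simplified; the real SAS
    format has more, versioned fields). Every field a client could tamper
    with has to be in here, or the signature does not protect it."""
    return "\n".join([permissions, str(expiry), resource])


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_sas(key_b64, resource, permissions, ttl_seconds, now=None):
    """Issuer side: the key holder mints a query string granting
    `permissions` on `resource` until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    sig = _sign(key_b64, _string_to_sign(resource, permissions, expiry))
    return urlencode({"sp": permissions, "se": expiry, "sig": sig})


def check_sas(key_b64, resource, query, requested_permission, now=None):
    """Service side: recompute the MAC from the presented fields and the
    current key, then check expiry and the requested permission.
    Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    q = parse_qs(query, keep_blank_values=True)
    try:
        sp, se, sig = q["sp"][0], int(q["se"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(key_b64, _string_to_sign(resource, sp, se))
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if now >= se:
        return False, "expired"
    if requested_permission not in sp:
        return False, "permission not granted"
    return True, "ok"


if __name__ == "__main__":
    grant = issue_sas(STORAGE_KEY, "/reports/q3.pdf", "r", 3600, now=1000)
    print(grant)
    print(check_sas(STORAGE_KEY, "/reports/q3.pdf", grant, "r", now=2000))
    print(check_sas(STORAGE_KEY, "/reports/q3.pdf", grant, "w", now=2000))
    print(check_sas(ROTATED_KEY, "/reports/q3.pdf", grant, "r", now=2000))
```

Two points the slides only hint at: the signature must cover the resource and the permissions, otherwise a read grant on one blob can be replayed against another or upgraded to write; and rotating the storage key invalidates every outstanding grant at once, which is the only revocation you get with a bearer signature, so keys belong in the list of "secure management" assets on slide 17.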
  • 17. Your responsibilities in the cloud (cumulative per model)
    - All models (SaaS, PaaS, IaaS): secure authentication (multi-factor authN); secure management (limit the number of admins!); access control; data encryption
    - PaaS and IaaS, in addition: application security (SDL, least privilege, pen-testing); secure configuration (framework level); network access control (<ipsecurity>)
    - IaaS only, in addition: patching!; network access control (endpoint ACLs); OS hardening; site-to-site or point-to-site VPNs; certs & storage keys; OS-level authentication
  • 18. Azure/O365 multi-factor authentication
    - Microsoft provides a multi-factor authentication solution (phonefactor.net)
    - Multiple authentication methods: SMS (OTP or push notification); automated call; multi-factor authentication app (Windows Phone, Android & iOS)
    - Cost: per user or per authentication
    http://technet.microsoft.com/library/en-us/dn249471
  • 19. Azure/O365 multifactor authentication
  • 20. Azure/O365 network security
    - IaaS: set up a site-to-site VPN; set up a point-to-site VPN; configure endpoints; set ACLs on endpoints (1 NIC only!)
    - PaaS: configure access through the <ipsecurity> element in web.config
    - SaaS: no configuration possible
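For the PaaS row above, the policy the IIS <ipSecurity> element enforces is an address allow-list with a default decision for everything unlisted. The block below is an added Python example, not code from the presentation: it implements the same decision (first matching rule wins, otherwise allowUnlisted), renders the equivalent web.config fragment from one rule list so the two cannot drift apart, and shows the one check the element cannot do for you, namely deciding which address to trust when a proxy header is present. The networks are constructed (documentation ranges), and the request environment is a constructed WSGI-style dict.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed allow-list (CIDR, allowed). 203.0.113.0/24 is documentation space.
RULES = [
    ("10.0.0.0/8", True),       # corporate network reached over the VPN
    ("203.0.113.0/24", True),   # office egress range
]
ALLOW_UNLISTED = False          # the equivalent of <ipSecurity allowUnlisted="false">


def is_allowed(remote_addr, rules=RULES, allow_unlisted=ALLOW_UNLISTED):
    """First rule whose network contains the address decides; otherwise the
    allowUnlisted default applies. Unparseable addresses are denied."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for cidr, allowed in rules:
        net = ipaddress.ip_network(cidr, strict=True)
        if ip.version == net.version and ip in net:
            return allowed
    return allow_unlisted


def client_ip(environ, trusted_proxies=()):
    """The address to feed into is_allowed. X-Forwarded-For is attacker-
    controlled unless the TCP peer is a proxy you operate, so it is only
    honoured when REMOTE_ADDR falls inside one of trusted_proxies."""
    peer = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded and peer and any(
        ipaddress.ip_address(peer) in ipaddress.ip_network(p) for p in trusted_proxies
    ):
        return forwarded.split(",")[0].strip()
    return peer


def ip_security_xml(rules=RULES, allow_unlisted=ALLOW_UNLISTED):
    """Render the same policy as the IIS <ipSecurity> element, which lives
    under <system.webServer><security> in web.config."""
    sec = ET.Element("ipSecurity", allowUnlisted=str(allow_unlisted).lower())
    for cidr, allowed in rules:
        net = ipaddress.ip_network(cidr, strict=True)
        ET.SubElement(sec, "add", ipAddress=str(net.network_address),
                      subnetMask=str(net.netmask), allowed=str(allowed).lower())
    return ET.tostring(sec, encoding="unicode")


if __name__ == "__main__":
    print(ip_security_xml())
    for addr in ("10.20.30.40", "198.51.100.9"):
        print(addr, "allowed" if is_allowed(addr) else "denied")
```

Two caveats when you move the rendered fragment into a web role: the IIS "IP and Domain Restrictions" module is not part of the default web role image and has to be installed from a startup task before the element takes effect, and an allow-list keyed on source address protects the management and intranet surface of an application, not its public one, so it complements rather than replaces the authentication items on slide 17.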
  • 21. Application Security threats
  • 22. Application mitigations
    - The .NET framework provides numerous mitigating features: request validation; header checking; anti-XSS encoders; anti-forgery tokens; strong session management; …
    - Some features are not enabled by default or require some configuration
    - One has to use them correctly and at the proper moment
    - Know the impact of certain settings
    - Not every vulnerability can be covered by the .NET framework: rely on 3rd-party libraries; rely on own development
    - Test your applications!
  • 23. Call to action
    - Is the Microsoft Cloud a good choice? Review: http://azure.microsoft.com/en-us/support/trust-center/ and http://office.microsoft.com/en-001/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
    - Check certifications
    - Microsoft will not solve everything for you!
    - Make the right choice: IaaS, PaaS or SaaS
  • 24. How can The Security Factory help?
    - Development security: secure development (SDLC) and training; application security testing
    - Environment security: security, authentication & authorization for cloud applications (assessments, architecture, design, testing); protect your internal network; leverage existing investments; infrastructure security testing
    - People security: security awareness; social engineering testing
    www.theSecurityFactory.be
  • 25. Contact us: Raf Cox, The Security Factory, Veldkant, 2550 Kontich; raf.cox@cronos.be; www.theSecurityFactory.be
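Slide 22's point that the built-in mitigations must be used "correctly and at the proper moment" is easiest to see with request validation and the encoders side by side. The block below is an added Python example, not code from the presentation and not the .NET implementation: it approximates the best-known ASP.NET request-validation rule (reject "<" followed by a letter, "/", "!" or "?", and "&#" entities; an assumption, the real check has more cases), renders one user value into an HTML attribute and a JavaScript string with and without context-specific encoding, and uses constructed payloads that request validation lets through. The JavaScript encoder mirrors the whitelist approach of the AntiXSS encoders (everything but ASCII letters and digits escaped), which is also an assumption about their exact output.

```python
import html
import re

# Approximation of the ASP.NET request-validation rule (assumption: the real
# implementation has additional cases).
_REQUEST_VALIDATION = re.compile(r"<[A-Za-z/!?]|&#")


def passes_request_validation(value):
    """True when the input would NOT be rejected by the approximated rule."""
    return _REQUEST_VALIDATION.search(value) is None


def html_attribute_encode(value):
    """For a value placed inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def js_string_encode(value):
    """For a value placed inside a JavaScript string literal: every character
    that is not an ASCII letter or digit becomes a \\xHH or \\uHHHH escape,
    so neither quote character nor </script> can survive."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


# Constructed page fragment: the same value lands in two different contexts.
TEMPLATE = '<input name="q" value="{attr}"><script>var q = \'{js}\';</script>'


def render_unencoded(user_input):
    """Vulnerable: relies on request validation alone and inlines the raw value."""
    return TEMPLATE.format(attr=user_input, js=user_input)


def render_encoded(user_input):
    """Hardened: encodes each copy for the context it is written into."""
    return TEMPLATE.format(attr=html_attribute_encode(user_input),
                           js=js_string_encode(user_input))


if __name__ == "__main__":
    # Constructed payloads: neither contains "<" or "&#", so both pass validation.
    for payload in ['" onmouseover="alert(1)', "';alert(1);//"]:
        print(payload, "passes validation:", passes_request_validation(payload))
        print("  unencoded:", render_unencoded(payload))
        print("  encoded:  ", render_encoded(payload))
```

Request validation is a blocklist aimed at tag injection in HTML body context; the attribute and JavaScript payloads above never contain "<", so the only thing that stops them is encoding chosen for the exact context, which is why the slide separately lists the encoders and warns that the framework does not cover every vulnerability.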