932

Vinay Bansal Lead Security Architect, Web and Application Security Cisco Systems iFront Internet Conference 2009 2010 2011 Security in Web 2.0, Social Web and Cloud 2012

Objective at iFront Today Growth in Social Web, Web 2.0, Collaboration Thinking: Information Centric Security Cisco Stories How Cloud Computing is changing IT Emerging Trend : Borderless Enterprise

Growth in Social Web, Web 2.0, Collaboration

Thinking: Information Centric Security

Cisco Stories

How Cloud Computing is changing IT

Emerging Trend : Borderless Enterprise

Who am I Lead Security Architect for Cisco’s Web and Application Architecture Team (Infosec) 16+ years architecting, developing and securing IT systems MS in Computer Sciences – Duke University What do I help protect at Cisco …

Lead Security Architect for Cisco’s Web and Application Architecture Team (Infosec)

16+ years architecting, developing and securing IT systems

MS in Computer Sciences – Duke University

What do I help protect at Cisco …

Cisco IT and Supported Web Applications Total Users: Customers (500k+), Partners (20k+) Employees and Vendors (~90 k) Business Revenue: 95%+ Cisco Revenue People: Cisco IT (10,000) Employees = 3,000 Contractors (Vendors/Temp) = 7,000 Applications : 1500 Internal/External Web Applications (~50% external) 280 ASPs (Application Service Providers) Web Infrastructures Cisco.com (CCO) and CEC (Intranet) 1300+ Enterprise DB instances Attacks: Millions per day

Total Users:

Customers (500k+), Partners (20k+)

Employees and Vendors (~90 k)

Business Revenue:

95%+ Cisco Revenue

People: Cisco IT (10,000)

Employees = 3,000

Contractors (Vendors/Temp) = 7,000

Applications :

1500 Internal/External Web Applications (~50% external)

280 ASPs (Application Service Providers)

Web Infrastructures

Cisco.com (CCO) and CEC (Intranet)

1300+ Enterprise DB instances

Attacks:

Millions per day

What is Social Web, Web 2.0 and Collaboration?

What is Web 2.0? Buzzword - !! Social, Participation, Collaboration “ Aggregation of Improvements in Web Application space in last few years…” “ .. Applications that harness network effects to get better the more people use them.” -Tim O’Reilly*

Buzzword - !!

Social, Participation, Collaboration

“ Aggregation of Improvements in Web Application space in last few years…”

“ .. Applications that harness network effects to get better the more people use them.” -Tim O’Reilly*

Web 2.0 - User Generated Data Who is providing the majority of content for these popular Web sites? - Users

Rich User Experience Interactive Personalized Simple Quick User Focused … . Usability and Interface beyond traditional Web-pages

Interactive

Personalized

Simple

Quick

User Focused

… .

Harnessing Collective Intelligence Architecture of participation Application that gets better with more people using it

Social Web Connecting People

Let’s twist these connections Users End Points Enablers Providers Data

Information Centric Security Users Data 1. Identify User, Authentication 2. Access to which data, Authorization 3. Secure Data Transfer : Encryption 4. Data Center Security 5. Data on Client : Client End Point Security

User’s Security Concerns (Social Sites) Privacy of my data Credit Cards Address, Email,.. (Personally Identifiable Information) Personal Details (email, phosts, IMs,….) Authentication Credentials (userids, passwords) End Device Security No Trojans, Unwanted programs Data Ownership (perception) Forums, Wikis, Blogs Users

Privacy of my data

Credit Cards

Address, Email,.. (Personally Identifiable Information)

Personal Details (email, phosts, IMs,….)

Authentication Credentials (userids, passwords)

End Device Security

No Trojans, Unwanted programs

Data Ownership (perception)

Forums, Wikis, Blogs

Application Provider’s Security Priorities Stability , Business Continuity Protection of their Intellectual property Compliance to Regulations What they really want to do Push out the liabilities to user via Privacy and Acceptable Use Policy Build Additional Services on users behavior (targeted advertisements) e.g. Google Email, banner adv. Track User behavior , usage pattern Keep their social applications more open

Stability , Business Continuity

Protection of their Intellectual property

Compliance to Regulations

What they really want to do

Push out the liabilities to user via Privacy and Acceptable Use Policy

Build Additional Services on users behavior (targeted advertisements) e.g. Google Email, banner adv.

Track User behavior , usage pattern

Keep their social applications more open

Regulations protecting end users Privacy Intellectual Property Business Continuity Regulatory Compliance HIPPA – Health PCI – Credit Cards EU Directive - …. Users Providers

Digital Rights and Data Privacy Challenges Openness/Social Collaboration contradicts privacy? Digital Rights Management ( DRM ) who “owns” the data? how do you protect your intellectual property? Collective content creation difficult to assign data ownership Global Web (Data Access anywhere from anywhere ) - privacy laws/regulations vary

Openness/Social Collaboration

contradicts privacy?

Digital Rights Management ( DRM )

who “owns” the data?

how do you protect your intellectual property?

Collective content creation

difficult to assign data ownership

Global Web (Data Access anywhere from anywhere )

- privacy laws/regulations vary

Malware Spread via Web 2.0/ Social Web Drive by Installs (via Web Browsers) Increasing concern for malware infections Google Research : Malicious URLs 0.3% to 1.3% in 8 months Malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust . Multiple redirects on sites Advertising space on page changes multiple hands Browser or plug-in vulnerabilities exploited Browser is the platform Growing Challenge for Enterprises and users

Drive by Installs (via Web Browsers)

Increasing concern for malware infections

Google Research : Malicious URLs 0.3% to 1.3% in 8 months

Malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust .

Multiple redirects on sites

Advertising space on page changes multiple hands

Browser or plug-in vulnerabilities exploited

Browser is the platform

Cisco Story - 1 Threat 1: Employees using public Social Web E.g. Yammer, Facebook, MySpace Provide internal Collaborative Resources (within enterprise) C-vision (internal YouTube) Ciscopedia (Wikipedia) Internal Wiki/Forums/Blogs Directory 3.0 (Connections, Communities) Cisco Telepresence WebEx Connect …

Threat 1: Employees using public Social Web

E.g. Yammer, Facebook, MySpace

Provide internal Collaborative Resources (within enterprise)

C-vision (internal YouTube)

Ciscopedia (Wikipedia)

Internal Wiki/Forums/Blogs

Directory 3.0 (Connections, Communities)

Cisco Telepresence

WebEx Connect

…

Cisco Story – 1 .. Cont. Clear guidelines on expected behavior (external Social Web) Identifying yourself Handling Confidential Information Copyrighted Content Using common sense Awareness /Training Videos Executive Messaging

Clear guidelines on expected behavior (external Social Web)

Identifying yourself

Handling Confidential Information

Copyrighted Content

Using common sense

Awareness /Training

Videos

Executive Messaging

Cisco Story - 2 Threat 2: Web Browsing Initiated Malware Monitoring Outgoing Web Traffic Ironport’s Web Security Appliance Browsers and plug-ins patching (priority)

Threat 2: Web Browsing Initiated Malware

Monitoring Outgoing Web Traffic

Ironport’s Web Security Appliance

Browsers and plug-ins patching (priority)

Cisco Story - 3 SDLC Secure Coding Training Application Vulnerability Assessment (AVA) Architecture Review Application Firewall Threat 3: How to continually improve Application Security? Tying Application Security Practice with Software Development Life Cycle (SDLC)

Cloud Computing and Security Challenges

Cloud Computing? IT resources and services abstracted from the underlying infrastructure elasticity of resources utility model of consumption and allocation

IT resources and services

abstracted from the underlying infrastructure

elasticity of resources

utility model of consumption and allocation

Cloud : A big shift for IT “ Does IT Matter ?” , Nicholas G Carr floated this “ Bombshell ” idea in 2004 Cloud commoditizing IT infrastructure and services Could mean death for individual IT departments in small to medium enterprises Public Cloud Private Cloud

“ Does IT Matter ?” , Nicholas G Carr floated this “ Bombshell ” idea in 2004

Cloud commoditizing IT infrastructure and services

Could mean death for individual IT departments in small to medium enterprises

Types of Clouds Software as a Service (SaaS) Platform as a Service (SaaS) Infrastructure as a Service (SaaS)

Cloud Computing : Security Risks …1 Data move outside the Enterprise Cloud vendor custodian of data Encryption (Key Management) Backups of data (Multi – tenant) Alternate/Secondary use of data 2. Shared Infrastructure - Assume ( Logical security = Physical Security )

Data move outside the Enterprise

Cloud vendor custodian of data

Encryption (Key Management)

Backups of data (Multi – tenant)

Alternate/Secondary use of data

2. Shared Infrastructure

- Assume ( Logical security = Physical Security )

Cloud Computing : Security Risks …2 3. Regulations and Cross Country laws - Cloud vendors spread their data/operation geographically 4. Security Breach - Responsibility to investigate - Monitoring, logs 5 . SLAs - High Penalty for security incident 6. Strong Federated Authentication

3. Regulations and Cross Country laws

- Cloud vendors spread their data/operation geographically

4. Security Breach

- Responsibility to investigate

- Monitoring, logs

5 . SLAs

- High Penalty for security incident

6. Strong Federated Authentication

Cloud Computing : Security Risks …3 7. Software Licensing Issues - Enterprise licenses , how do they apply in cloud 8. Reliance on ongoing security audits of the vendor Third party risk assessments Keep check on security practices, internal policies, standards 9. Security dependence on developers convenience vs. security development environments accessible on the Internet

7. Software Licensing Issues

- Enterprise licenses , how do they apply in cloud

8. Reliance on ongoing security audits of the vendor

Third party risk assessments

Keep check on security practices, internal policies, standards

9. Security dependence on developers

convenience vs. security

development environments accessible on the Internet

Emerging Trend : Borderless Enterprises

Borderless Enterprise Enterprise Virtualization Communication & Collaboration Remote Desktop (RDE) VNC & Term Server VMWare App/Svc Resiliency Mobile Device Evolution Platform Option Expansion Ubiquitous Connectivity (WiFi, VPN) Global Workforce Sharing & IP Telephony Platforms Web 2.0 Real-time & Customized Interaction Emerging Business Models “ Any Device, Anywhere” 2001-7 2008 2011 * 2010 2009

Drivers for Borderless Enterprise *Single Source of Truth **Born in 1980’s - early 90s

Borderless Enterprise : Security Risks Services Data Assets “ Trusted” Internal Externalizing Trend Externalized Services Company Owned User Owned

Emergence of End Point Reputation based Security Inside Enterprise External Enterprise Virus Scanner Local Firewall Disk Encryption Which data/services accessed Enterprise End User Public/Kiosk Location Behavior Device Ownership Local Policy Simple Userid/Pwd

Inside Enterprise

External Enterprise

Virus Scanner

Local Firewall

Disk Encryption

Which data/services accessed

Enterprise

End User

Public/Kiosk

Cisco: Achieving Borderless Enterprise Think - Information Centric Security Concept: (App/NW Hardening -> Information Hardening) How to classify information More Reliance on End Point Security Each device capable of protecting itself Granular Identity Management Device Identity Dynamic shifts in identity and access (Federation) Dynamic Traffic Inspection and Control Capabilities Non intrusive monitoring Security Bar raised for Intranet/ Internal Systems Shifting Security Zones (Physical  Logical)

Think - Information Centric Security

Concept: (App/NW Hardening -> Information Hardening)

How to classify information

More Reliance on End Point Security

Each device capable of protecting itself

Granular Identity Management

Device Identity

Dynamic shifts in identity and access (Federation)

Dynamic Traffic Inspection and Control Capabilities

Non intrusive monitoring

Security Bar raised for Intranet/ Internal Systems

Shifting Security Zones

(Physical  Logical)

Summarizing and Looking Forward Web 2.0, Social Web, Collaboration … Security Challenges Think … Information Centric Security Cloud Computing ….. A big shift for IT Borderless Enterprise … Enterprise Data Everywhere

Web 2.0, Social Web, Collaboration … Security Challenges

Think … Information Centric Security

Cloud Computing ….. A big shift for IT

Borderless Enterprise … Enterprise Data Everywhere

“ Our adversaries only have to be right once .”

Contact Information Vinay Bansal Information Security Architect Corporate Security Programs Organization Cisco Systems, Inc. (vinay.bansal@cisco.com)

Vinay Bansal

Information Security Architect

Corporate Security Programs Organization

Cisco Systems, Inc.

(vinay.bansal@cisco.com)