What Is "Secure"?

Security is too often discussed in terms of what it prevents rather than what it assures. Too much trust in narrowly focused technology, combined with too much fear of the unknown in areas like adoption of the cloud, combine to make many enterprise and other IT systems unnecessarily expensive and inadequately trustworthy.

Published in: Technology

Transcript

  1. What is “Secure”? “If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography.” – Bruce Schneier, 1998
  2. The Nouns and Verbs of Security
     • Preserve integrity, availability & access
     • Permit authentication and authorization
     • Assure confidentiality & control
     • Promote awareness and accountability
     • Perform inspection; maintain protection; afford detection; enable reaction; build on reflection
  4. The Nouns and Verbs of Security
     • If all you want is data protection, put it on tape and store it in a Kansas cavern
     • The point of security is to maximize the risk-adjusted value of the asset: money in a bank, not under a mattress
     • Infosec is therefore a process, not a product; a mode of travel, not a destination
  5. “Secure” against what?
  6. “Who” Matters So Much More than “Where”
     "There are five common factors that lead to the compromise of database information":
     • ignorance
     • poor password management
     • rampant account sharing
     • unfettered access to data
     • excessive portability of data
     (DarkReading.com, October 2009)
  7. Clouds Can Be Usefully Secure
  8. Single-Tenant vs. Multi-Tenant Clouds
     In a multi-tenant environment, all applications run under a common trust model: more manageable, more consistent, more subject to rigorous scrutiny by trained specialists (internal & customer).
     Single tenancy entails creation of multiple software stacks, whether real or virtual: each layer in each stack represents a distinct opportunity for misconfiguration or other sources of security risk.
     [Diagram: the multi-tenant side shows one shared infrastructure hosting the app alongside other apps; the single-tenant side shows App 1, App 2 and App 3 each on its own stack of Server OS, Database, App Server, Storage and Network.]
  9. Every Act an Invocation: Granular Privilege
  10. Bottom-Up Design to be “Shared and Secure”
     • Password security policies
     • Rich Sharing Rules
     • User Profiles
     • SSO/2-factor solutions
     Request flow: Login… Authenticate… Apply Data Security Rules… View Filtered Content
  11. Governance: More Eyes, More Agendas
     • Expanding legislation, regulation, mainstream mind share
     • Rising standard of due diligence
     • Desktop/laptop systems carry far too much “state”
       – More data than people actually use
       – Far too much data that the user may easily lose
       – More than one version of what should be one shared truth
     • Cloud’s solutions:
       – Logical view of exactly one database
       – Profile definitions manage privilege sets
       – Activity logs precisely record actions
  12. Strong Session Management: Common Controls + Customer Choices
     • Every row in the database contains an ORG_ID, a unique encoded string
     • Session tokens: a user-unique, non-predictable long random value generated for each session, combined with a routing “hint” and a checksum, base64 encoded; the token contains no user-identifiable information
     • Session timeout: 15 mins to 8 hrs
     • Lock sessions to IP to prevent hijacking and replay attacks
     • SSLv3/TLS used to prevent token capture / session hijacking (SSLv3 has since been deprecated by RFC 7568; only TLS should be offered today)
     • Session logout: explicitly expire and destroy the session
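The token format and the session checks listed on slide 12, worked through as an added example. This is illustrative code written for this page, not Salesforce's implementation. The slide does not say which checksum is used, how long the random part is, or how the IP lock and idle timeout are enforced, so the 8-byte HMAC-SHA-256 checksum, the 32-byte random value, the length-prefixed routing hint, the in-memory SessionStore, the injectable clock and the sample ORG_ID values and rows are all assumptions made here.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical server-side key for the token checksum; the slide only says "checksum",
# so a keyed HMAC truncated to 8 bytes is assumed so forged tokens fail before any lookup.
CHECKSUM_KEY = os.urandom(32)
RANDOM_LEN = 32          # long, non-predictable random value (256 bits)
CHECKSUM_LEN = 8
MIN_TIMEOUT = 15 * 60    # 15 minutes: the slide's floor
MAX_TIMEOUT = 8 * 3600   # 8 hours: the slide's ceiling


def _checksum(body: bytes) -> bytes:
    return hmac.new(CHECKSUM_KEY, body, hashlib.sha256).digest()[:CHECKSUM_LEN]


def make_token(routing_hint: str) -> str:
    """random || len(hint) || hint || checksum, URL-safe base64; nothing identifies the user."""
    hint = routing_hint.encode("ascii")
    if not 0 < len(hint) < 256:
        raise ValueError("routing hint must be 1..255 bytes")
    body = secrets.token_bytes(RANDOM_LEN) + bytes([len(hint)]) + hint
    return base64.urlsafe_b64encode(body + _checksum(body)).decode("ascii")


def parse_token(token: str) -> Optional[str]:
    """Return the routing hint if well formed and the checksum verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:           # binascii.Error (bad padding) is a ValueError
        return None
    if len(raw) < RANDOM_LEN + 2 + CHECKSUM_LEN:
        return None
    body, given = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    if not hmac.compare_digest(_checksum(body), given):   # constant-time compare
        return None
    hint_len = body[RANDOM_LEN]
    if len(body) != RANDOM_LEN + 1 + hint_len:
        return None
    return body[RANDOM_LEN + 1:].decode("ascii")


@dataclass
class Session:
    user_id: str
    org_id: str        # every row the user may see carries this ORG_ID
    client_ip: str     # session is locked to the address that created it
    timeout: int       # idle timeout in seconds, a per-customer choice
    last_seen: float


class SessionStore:
    """Server-side session table keyed by the opaque token (assumed in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, org_id: str, client_ip: str,
              timeout: int = MIN_TIMEOUT, routing_hint: str = "na1") -> str:
        if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
            raise ValueError("timeout must be between 15 minutes and 8 hours")
        token = make_token(routing_hint)
        self._sessions[token] = Session(user_id, org_id, client_ip, timeout, self._clock())
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[Session]:
        """Checksum, idle timeout and IP lock; any failure is a plain None to the caller."""
        if parse_token(token) is None:
            return None                  # malformed or tampered token
        sess = self._sessions.get(token)
        if sess is None:
            return None                  # unknown, logged out or already expired
        now = self._clock()
        if now - sess.last_seen > sess.timeout:
            del self._sessions[token]    # expire server side, not just in the browser
            return None
        if sess.client_ip != client_ip:
            return None                  # replayed from another address
        sess.last_seen = now
        return sess

    def logout(self, token: str) -> bool:
        """Explicitly expire and destroy the session."""
        return self._sessions.pop(token, None) is not None


def visible_rows(sess: Session, rows: List[dict]) -> List[dict]:
    """ORG_ID tenant filter over constructed rows (dicts with an ORG_ID key)."""
    return [r for r in rows if r.get("ORG_ID") == sess.org_id]
```

The order of checks in resolve matters: the checksum is verified before the session table is touched, so a token with one altered character costs the server an HMAC and nothing else, and every rejection returns the same None so the caller cannot tell an expired session from a forged one. The IP lock is kept as a hard rule here because that is what the slide describes; in practice it is the "customer choice" of the title, since it logs out legitimate users whose address changes mid-session.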
  13. World-Class Defense in Depth
     Platform Security:
     • SSL data encryption
     • Optional strict password policies
     • SAS 70 Type II & SysTrust Certification
     • Security certifications from Fortune 50 financial services customers
     • May 2008: ISO 27001 Certification
     Network Security:
     • Fault tolerant external firewall
     • Intrusion detection systems
     • Best practices secure systems mgmt
     • 3rd party vulnerability assessments
     Facility Security:
     • 24x365 on site security
     • Biometric readers, man traps
     • Anonymous exterior
     • Silent alarm
     • CCTV
     • Motion detection
     • N+1 infrastructure
     “There are some strong technical security arguments in favor of Cloud Computing… (Craig Balding, Fortune 500 security practitioner)
  14. Peter Coffee VP for Strategic Research pcoffee@salesforce.com facebook.com/peter.coffee twitter.com/petercoffee
