W jaki sposób projektowanie aplikacji wpływa na bezpieczeństwo? Zasady projektowania aplikacji krytycznych ze względu na charakter przetrzymywanych danych. Omówienie ciekawszych przypadków wdrożenia lub nie securyty designu.
11. 31% 69%
Time from Earliest Evidence of Compromise to Discovery of Compromise: 205 days (median)
Based on: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
12.
13. Identity and access
management
responsibility
Cloud Customer
Cloud Provider
Based on: https://www.microsoft.com/en-us/download/confirmation.aspx?id=50742
Responsibility On-Prem IaaS PaaS SaaS
Data classification
and accountability
Client & end-point
protection
Identity & access
management
Application level controls
Network controls
Host Security
Physical Security
24. Laptop 1
Smartphone
NSG NSG NSG
HTTP(s)
443 port SQL 1443
AzureAccessLayer
HTTP/HTTPS
80 /443 port
A
H
U/D
Re set
B1
B8
Load
Carry out
ENB
Pre load Count er
HTTP/HTTPS
80 /443 port
25. Laptop 1
Smartphone
NSG NSG NSG
HTTP(s)
443 port
SQL 1443
AzureAccessLayer
HTTP/HTTPS
80 /443 port
A
H
U/D
Re set
B1
B8
Load
Car ry out
ENB
Pre load Count er
HTTP/HTTPS
80 /443 port
SQL 1443
HTTP/HTTPS
80 /443 port
NSG
HTTP(s)
80/443 port
26. Laptop 1
Smartphone
NSG NSG NSG
HTTP(s)
443 port
SQL 1443
AzureAccessLayer
HTTP/HTTPS
80 /443 port
A
H
U/D
Re set
B1
B8
Load
Carry out
ENB
Pre load Count er
HTTP/HTTPS
80 /443 port
HTTP/HTTPS
80 /443 port
NSG
HTTP(s)
80/443 port
NSG
SQL 1443
What has been lost?
What information has been exfiltrated?
What was the vulnerability that led to the breach?
What was done to maintain access in the event that the breach was discovered?
What needs to be done to eliminate the vulnerability that allowed for entry?
What needs to be done to clean up any backdoor entry points that may have been installed?
Longest Presence: 2,982 days
R1 - Accountability and Data OwnershipA traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate. (Pankaj, Vinay) One must ensure about the guarantee of recovering Data: Once the data entrusted to a third operator, what are the guarantees that you will recover your information? What about the backups performed by the operator of Cloud? (Ludovic)R2 - User Identity FederationIt is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay, Pankaj)R3 - Regulatory Compliance- Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar, Ove)R4 - Business Continuity and ResiliencyBusiness Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity. (Pankaj, Shankar). About Service Continuity and QoS, one have to ensure about the contractual solutions proposed by the Operator of Cloud, and the Service Level Agreement as well. (Ludovic)R5 - User Privacy and Secondary Usage of DataUser's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay, Ove)R6 - Service and Data IntegrationOrganizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar, Ove)R7 - Multi Tenancy and Physical SecurityMulti-tenancy in cloud means sharing of resources and services among multiple clients(CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants. (Vinay, Pankaj)R8 - Incidence Analysis and Forensic SupportIn the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar, Ove)R9 - Infrastructure SecurityAll infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, systems and networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues. (Ove, Shankar)Although the fine details of the items above must be regarded as highly sensitive information, it is reasonable to expect a customer to want to see at least the high-level details. The Provider must be willing to provide this.
R10 - Non Production Environment ExposureAn IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft. (Pankaj, Ove)
The figure shows how customers and providers share the identity and access management responsibility for both Office 365 (a SaaS offering) and Azure (an IaaS/PaaS offering). It also shows how customers and providers share the application-level controls and network controls for Azure, but that these responsibilities fall completely in the domain of the provider for SaaS services such as Office 365.
- The customer is completely responsible for all aspects of operations when solutions are deployed on-premises.
With IaaS, the lower levels of the stack (physical hosts or servers) and host security are managed by the platform vendor. The customer is still responsible for securing and managing the operating system, network configuration, applications, identity, clients, and data. For the developer, an obvious benefit with IaaS is that it reduces the developer requirement to configure physical computers.
With PaaS, everything from network connectivity through the runtime or identity service may be provided and managed by the platform vendor. PaaS offerings further reduce the developer burden by additionally supporting the platform runtime and related application services. With PaaS, the developer can almost immediately begin creating the business logic for an application.
With SaaS, a vendor provides the application and abstracts customers from all of the underlying components. Nonetheless, the customer continues to be responsible to ensure that data is classified correctly and that user devices are secured and protected when connected to the service
Secure booting: When power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures. In much the same way that a person signs a check or a legal document, a digital signature attached to the software image and verified by the device ensures that only the software that has been authorized to run on that device, and signed by the entity that authorized it, will be loaded. The foundation of trust has been established, but the device still needs protection from various run-time threats and malicious intentions. 2. Access control: Next, different forms of resource and access control are applied. Mandatory or role-based access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs. If any component is compromised, access control ensures that the intruder has as minimal access to other parts of the system as possible. Device-based access control mechanisms are analogous to network-based access control systems such as Microsoft® Active Directory®: even if someone managed to steal corporate credentials to gain access to a network, compromised information would be limited to only those areas of the network authorized by those particular credentials. The principle of least privilege dictates that only the minimal access required to perform a function should be authorized in order to minimize the effectiveness of any breach of security. 3. Device authentication: When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data. Deeply embedded devices often do not have users sitting behind keyboards, waiting to input the credentials required to access the network. How, then, can we ensure that those devices are identified correctly prior to authorization? Just as user authentication allows a user to access a corporate network based on user name and password, machine authentication allows a device to access a network based on a similar set of credentials stored in a secure storage area. 4. Firewalling and IPS: The device also needs a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device. Why is a host-based firewall or IPS required if network-based appliances are in place? Deeply embedded devices have unique protocols, distinct from enterprise IT protocols. For instance, the smart energy grid has its own set of protocols governing how devices talk to each other. That is why industry-specific protocol filtering and deep packet inspection capabilities are needed to identify malicious payloads hiding in non-IT protocols. The device needn’t concern itself with filtering higher-level, common Internet traffic—the network appliances should take care of that—but it does need to filter the specific data destined to terminate on that device in a way that makes optimal use of the limited computational resources available. 5. Updates and patches: Once the device is in operation, it will start receiving hot patches and software updates. Operators need to roll out patches, and devices need to authenticate them, in a way that does not consume bandwidth or impair the functional safety of the device. It’s one thing when Microsoft sends updates to Windows® users and ties up their laptops for 15 minutes. It’s quite another when thousands of devices in the field are performing critical functions or services and are dependent on security patches to protect against the inevitable vulnerability that escapes into the wild. Software updates and security patches must be delivered in a way that conserves the limited bandwidth and intermittent connectivity of an embedded device and absolutely eliminates the possibility of compromising functional safety
Establish Design Requirements
Addressing security and privacy concerns early helps minimize the risk of schedule disruptions and reduce a project's expense.
Validating all design specifications against a functional specification involves accurate and complete design specifications, including minimal cryptographic design requirements and a specification review.
Perform Attack Surface Analysis/Reduction
Reducing the opportunities for attackers to exploit a potential weak spot or vulnerability requires thoroughly analyzing overall attack surface and includes disabling or restricting access to system services, applying the principle of least privilege, and employing layered defenses wherever possible.
Use Threat Modeling
Applying a structured approach to threat scenarios during design helps a team more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.