A professional approach to data security in the cloud

DESCRIPTION

Data don't lie. Cloud-based computing is ramping up in everyday usage and encounters widespread acceptance. There are actually several factors that determine the success of SaaS, IaaS and PaaS, all connected to business enablement:
- Platform independence
- Price competitiveness, especially in times of cost optimization
- Technological innovation
- Greater implementation agility in a complete license lifecycle management

Whether you have already embraced this revolution and are considering moving forward to a private cloud, or you are an early adopter that is going to gradually transition from on-premise to cloud-based solutions, hacking attempts are likely to knock on your door. Do you have the expertise to recognize them in time, and possibly prevent them before they affect the security of your data and that of your customers?

Wibu-Systems is ready to reveal a number of frequent scenarios software publishers might find themselves in. From an analytical perspective but in simple language we will navigate you from theory to practice through:
- The most common reasons that drive hacking
- The architectural weaknesses of a cloud system
- The security measures you should be sure to put in place

The professional services from Wibu-Systems will assist you in assessing your requirements and specifications, with special attention to the security aspect of your cloud-based solution.

TRANSCRIPT
Page 1: Secure Operation of a Cloud Solution
Rüdiger Kügler, Security Expert | WIBU-SYSTEMS AG
30.01.2014
Page 2: What is the cloud?
Page 3: The theory
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Webspace
Page 4: CLOUD SOLUTIONS IN PRACTICE
Page 5: Salesforce
- "No Software"
Page 6: Amazon Cloud Drive
- Webspace for images
Page 7: Blu-ray Ripper / MMOs
Page 8: ArchiCAD
- Private Cloud (similar to a Terminal Server)
Page 9: REQUIREMENTS – PERSPECTIVE OF A SOFTWARE VENDOR
Page 10: The ISV offers SaaS
- The vendor installs and operates the solution
- (Mostly) browser-based access
- Special solutions for the cloud
- Challenges:
  - Licensing models (rental, in-app purchase, pay-per-use, …)
  - Users' identification
  - Security of the solution
Page 11: Mixed solutions
- Native client + computing power from the vendor in the cloud
- For the user: "under the hood"
- Internet connection required
- Challenges:
  - What needs to be computed in the cloud?
  - Licensing models (purchase cost = once, cloud = recurring costs)
Page 12: User operates the Private Cloud
- Original vendor's software
- The user installs it autonomously in the cloud (Private Cloud)
- Challenges:
  - Licensing (the PC is more powerful = fewer PCs = fewer licenses)
  - Copy protection (dongle? binding to the PC?)
Page 13: HOW TO IMPLEMENT A SAAS SOLUTION ON THE SERVER?
Page 14: PHP / Script code
- Apache Httpd → PHP

Page 15: Java
- Application Server (Tomcat) → Java VM

Page 16: .NET
- IIS → ASP.NET (DLL)
Page 17: WHY HACKING A CLOUD SOLUTION?
Page 18: Just for fun
- "You have been hacked!"
Page 19: Credit card details
(Image: mock credit card)
Page 20: Passwords
- Banking
- Hotels
- Sony PSN
Page 21: Data and formulae
- Medical records
- Customer's data
- Turnover data
- Cola recipe: 100 g sugar, 100 ml water, ???
Page 22: Sabotage
- PLC + OPC UA
Page 23: HOW TO HACK A CLOUD SOLUTION?
Page 24: Exploit
- Program failure
Page 25: Exploit
- Exploiting a vulnerability
- Usually a buffer overflow
- Starting the code with the application's rights (web server!?)
- Payload can be modified
- Zero-day exploit
Page 26: SQL Injection

```php
// Vulnerable login check as shown on the slide: user and password are
// concatenated straight into the SQL text (kept as presented).
$query = "SELECT user, password FROM users WHERE user = '" . $user . "' AND password = '" . $password . "'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
if ($count > 0)
{
    print("Erfolgreich eingeloggt"); // "Successfully logged in"
}
```
Page 27: SQL Injection
Call: [email protected]&password=secret
=> Successful login
Call: [email protected]&password=wrong
=> Failure
Page 32: SQL Injection
Injection: [email protected]&password=wrong' OR 'a'='a
=> Successful login, even if the password is incorrect
Page 33: SQL Injection
- Tamper with WHERE clauses
- Including new commands (";"): INSERT, DROP
- Spying out data ("UNION")
- …
Page 34: Cross-Site Scripting
- Inject code into another page
- Texts as parameters
- JavaScript files as parameters
Page 36: Somewhere else!
Page 37: HOW TO MAKE IT SECURE?
Page 38: Escape SQL
- PHP: mysql_real_escape_string
- Manual check
- Binding parameters
- Protection against SQL injection
Page 39: Passwords
- Never save them in clear text
- "Encryption" (hash value) with a random salt value
- Hash (Salt + Password)
- Save hash and salt
- Hash = employee cannot read the password
- Salt = security against rainbow tables and identical passwords
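The scheme on this page, Hash(Salt + Password) with the salt stored next to the hash, written out as an added example (not code from the slides), followed by PHP's built-in password_hash(), which adds a slow work factor the slide's plain SHA-256 does not have. Function names and the 16-byte salt length are assumptions of this example.

```php
<?php
// Added example: salted hashing as described on the slide, plus password_hash().
declare(strict_types=1);

// Store: random 16-byte salt, SHA-256 over salt || password, both hex-encoded.
// The salt is unique per user, so two users with the same password get
// different hashes (the slide's "identical passwords" point).
function store_password(string $password): array
{
    $salt = random_bytes(16);
    $hash = hash('sha256', $salt . $password, true);
    return ['salt' => bin2hex($salt), 'hash' => bin2hex($hash)];
}

// Verify: recompute with the stored salt and compare in constant time, so the
// comparison itself leaks nothing about how many bytes matched.
function check_password(array $record, string $password): bool
{
    $hash = hash('sha256', hex2bin($record['salt']) . $password, true);
    return hash_equals(hex2bin($record['hash']), $hash);
}

$rec1 = store_password('secret');   // constructed sample password
$rec2 = store_password('secret');
printf("different hashes for the same password: %s\n", $rec1['hash'] !== $rec2['hash'] ? 'yes' : 'no');
printf("correct password accepted: %s\n", check_password($rec1, 'secret') ? 'yes' : 'no');
printf("wrong password rejected:   %s\n", check_password($rec1, 'wrong') ? 'yes' : 'no');

// Recommended today: password_hash() picks the algorithm (bcrypt by default),
// generates and embeds the salt itself and applies a cost factor that slows
// brute force; password_verify() does the constant-time comparison.
$stored = password_hash('secret', PASSWORD_DEFAULT);
printf("password_verify, correct: %s\n", password_verify('secret', $stored) ? 'yes' : 'no');
printf("password_verify, wrong:   %s\n", password_verify('wrong', $stored) ? 'yes' : 'no');
```

A plain salted SHA-256 stops rainbow tables but is fast to brute-force; the slow hash from password_hash() is what closes that gap.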
Page 40: Updates
- Always update the operating system as soon as new patches are available
- Always update the server (Apache, IIS, Tomcat, …) as soon as new patches are available
- Protection against known exploits
Page 41: Name and Version (weak: the response header reveals server name, version and modules)
ServerTokens Full
ServerSignature On

Page 42: Name and Version (hardened: the response header reveals only "Apache")
ServerTokens Prod
ServerSignature Off
Page 43: No phpinfo()
Page 44: System Error Messages
display_errors = On

```
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wwwroot\dmz\demo\en\test.php on line 54
Call Stack:
0.9981 349568 1. {main}() C:\wwwroot\dmz\demo\en\test.php:0
1.0081 537128 2. mysql_num_rows()
```
Page 45: System Error Messages
display_errors = Off
Page 46: File extensions
- Index.php
- Index.html
- Index.asp
- Index.jsp
- Should the extensions be hidden?
Page 47: Data configuration

Page 48: Data configuration
- Don't store configuration data inside the web root
- Be careful with file extensions!!!
Page 49: Avoid GET

```
127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/[email protected]&password=secret HTTP/1.1" 200 1371
127.0.0.1 - - [04/Nov/2013:08:34:50 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 -
127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/[email protected]&password=secure HTTP/1.1" 200 1381
```
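A defender's check for the problem this page shows, added here as an example (not code from the slides): it scans Apache combined-format access-log lines for credentials arriving as GET parameters and reports each hit with the value withheld, so the report itself does not repeat the secret. The three log lines, the script name login.php and the list of sensitive parameter names are constructed for this example.

```php
<?php
// Added example: find credentials passed in GET query strings in an access log.
declare(strict_types=1);

// Parameter names that should never travel in a URL (constructed list).
const SENSITIVE_KEYS = ['password', 'passwd', 'pwd', 'token', 'secret'];

// Returns one [line number, method, path, key] entry per sensitive key found
// in the query string of a GET/HEAD request. Values are never returned.
function find_credentials_in_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // The quoted request field: "METHOD /path?query HTTP/1.x"
        if (!preg_match('/"(GET|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[2]);
        if ($url === false || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);   // decodes %40 etc. for us
        foreach (array_keys($params) as $key) {
            if (in_array(strtolower((string) $key), SENSITIVE_KEYS, true)) {
                $hits[] = [$i + 1, $m[1], $url['path'] ?? '/', (string) $key];
            }
        }
    }
    return $hits;
}

// Constructed sample log: one GET login, one POST login, one harmless GET.
$log = [
    '127.0.0.1 - - [04/Nov/2013:08:30:19 +0100] "GET /demo/en/login.php?user=alice%40example.com&password=secret HTTP/1.1" 200 1371',
    '127.0.0.1 - - [04/Nov/2013:08:31:02 +0100] "POST /demo/en/login.php HTTP/1.1" 200 1371',
    '127.0.0.1 - - [04/Nov/2013:08:35:26 +0100] "GET /demo/en/index.php?page=start HTTP/1.1" 200 1381',
];

foreach (find_credentials_in_log($log) as [$no, $method, $path, $key]) {
    printf("line %d: %s %s carries '%s' in the query string (value withheld)\n", $no, $method, $path, $key);
}
```

Only the first line is reported; the POST login keeps the password in the request body, which the access log does not record.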
Page 50: User's rights
- Which rights does the web server have (IIS, Apache, own server, …)?
- In case of an exploit, the attacker obtains the same rights!
- Rights in the database: web user = generic user
- Does not need CREATE / DROP / ALTER / …
Page 51: Validate the inputs
- Black list: what is prohibited
- Better: white list: verify the inputs' validity
- Prevention: SQL injection / cross-site scripting
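One added example (not code from the slides) covering both "Binding parameters" from page 38 and the white-list check from this page: the login query from page 26 is rebuilt with PDO parameter binding, the user field must pass an e-mail white list first, and the page-32 payload is run against both the concatenated and the bound version. It uses an in-memory SQLite database via pdo_sqlite so it runs without a MySQL server; the table contents and the function names are assumptions of this example.

```php
<?php
// Added example: white-list validation plus parameter binding for the login query.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL)');
// Constructed test account. Clear-text storage is kept only so that the query
// matches the slide; production code stores a salted hash instead.
$db->exec("INSERT INTO users VALUES ('alice@example.com', 'secret')");

// White list (page 51): the user field must be a syntactically valid e-mail
// address before it is allowed anywhere near the database.
function valid_user(string $user): bool
{
    return filter_var($user, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable form, as on page 26: the parameters are concatenated into the SQL.
function login_concat(PDO $db, string $user, string $password): bool
{
    $query = "SELECT user, password FROM users WHERE user = '" . $user
           . "' AND password = '" . $password . "'";
    return $db->query($query)->fetch() !== false;
}

// Hardened form (page 38, "Binding parameters"): the SQL text is fixed and the
// values are sent separately, so a quote in the input is just a character.
function login_bound(PDO $db, string $user, string $password): bool
{
    if (!valid_user($user)) {
        return false;
    }
    $stmt = $db->prepare('SELECT user FROM users WHERE user = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $password]);
    return $stmt->fetch() !== false;
}

$payload = "wrong' OR 'a'='a";   // the injection shown on page 32
foreach ([['concatenated', 'login_concat'], ['bound', 'login_bound']] as [$label, $fn]) {
    printf("%-12s correct password: %s\n", $label, $fn($db, 'alice@example.com', 'secret') ? 'login' : 'denied');
    printf("%-12s injected value:   %s\n", $label, $fn($db, 'alice@example.com', $payload) ? 'login' : 'denied');
}
```

The concatenated version logs the injected value in, the bound version denies it; the white list additionally rejects a user field that is not an e-mail address before any query runs.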
Page 52: ADVANCED OPTIONS
Page 53: Diversity
(Diagram) Web server in DMZ: Apache Httpd (PHP) → Protected area: Apache Tomcat (Java) → DB
Page 54: Certificates – Server certificate
(Diagram) Apache Httpd (PHP): Key + Certificate

Page 55: Certificates – Client certificate
(Diagram) Apache Httpd (PHP): Key + Certificate; client: Key + Certificate; Certificate
Page 56: Client Certificate for lc-admin.codemeter.com

Page 57: Access only through certificate
Page 58: Monitoring
- Availability monitoring
- Security monitoring
Page 59: SUMMARY
Page 60: In short
- Save passwords encrypted (salted hash)
- Validate inputs
- Install updates as soon as available
- Do not display error messages (log only)
- Reveal nothing about the system
- Minimize rights as much as possible
- The web root is only for the web root
Page 61: WHAT CAN WIBU DO FOR YOU?
Page 62: License Central
What the secure operation of CodeMeter License Central means for you:
- Creation, management and distribution of licenses
- Secure architecture
- Constant monitoring
- Professional support
- Updates of the operating system and the application
Page 63: CodeMeter as a Token
- Save private keys and certificates in CmDongle: PKCS#11 compliant, CSSI middleware
- Save private keys in CmDongle: lean, proprietary solution
- RSA and ECC: use of international standards
Page 64: Protection against Reverse Engineering
- AxProtector for .NET
- AxProtector for Java
- CmActLicense: bound to IP address, or no binding
Page 65: Unified Solution: CodeMeter
- Licensing, protection and security
- Authentication for SaaS: certificate-based, lean solution
- License models for all use cases: usage based, feature based, time based, concurrent sessions, single user, …
- Encryption of data
- Single solution for managing licenses and services
Page 66: Professional Service
- Specifications
- Implementation
- Security audits
Page 67: Thank you
Germany +49-721-931720
USA +1-425-7756900
China +86-21-55661790
Worldwide http://www.wibu.com [email protected]