rationalization and defense in depth - two steps closer to the clouds
Post on 12-Jan-2015
OTN Architect Day Security Breakout Session
Dave Chappelle
14 December 2011
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
OTN Architect Day 2011
Perimeter Security
(Diagram: a client in the unprotected zone; an outer firewall; a DMZ holding the web server (app proxy); an inner firewall; and the protected zone(s) holding the application server, DB, message queue, and a mainframe application with its own DB. Outer firewall: all network traffic blocked except for specific ports. Inner firewall: all network traffic blocked except from the proxy.)
• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity
• Alone, often involves a lot of implied trust
• Modern environments don't have such a clearly defined perimeter
Defense in Depth
• Military defensive strategy to secure a position using multiple defense mechanisms.
• Less emphasis is placed on a single perimeter wall
• Several barriers and different types of fortifications
• Objective is to win the battle by attrition. The attacker may overcome some barriers but can't sustain the attack for such a long period of time.
(Picture: Krak des Chevaliers, Syria)
Defense in Depth
Layers, from the outside in, with the kinds of controls the slide lists for each (Identity & Access Management and Governance, Risk Management, & Compliance run across all layers):
• Policies, Procedures, & Awareness: Data Classification, Password Strengths, Code Reviews, Usage Policies, …
• Physical: Fences, walls, guards, locks, keys, badges, …
• Perimeter: Firewalls, network address translation, denial of service prevention, message parsing and validation, …
• Internal Network: Transport Layer Security (encryption, identity)
• Host: Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection), …
• Application: Security Assurance (coding practices); Authentication, Authorization, Auditing (AAA); Federation (SSO, Identity Propagation, Trust, …); Message Level Security
• Data: Content Security, Information Rights Management; Database Security (online storage & backups)
Defense in Depth: Greater Control
Layers: Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application / Service, Data
• Consistent set of policies & procedures
• Many enforcement points
Security Silos
(Diagram: Finance, Sales, and Support applications, each with its own security; the end user, the security administrator, and the security auditor each have to deal with every one of them separately.)
• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible
Security Framework
(Diagram: the same Finance, Sales, and Support applications, now sharing one security framework through which the end user, the security administrator, and the security auditor interact with all of them.)
• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration is operator-centric, not system-centric
• Auditing is possible and realistic
Security Framework High Level Architecture
Information Processing:
• Provide a secure run-time environment
• Offer security services to business logic
• Allow solution-level security administration
Information Management:
• Provide a secure data persistence env.
• Offer security features to protect data
• Allow db-level security administration
Security Framework:
• Provide shared security services
• Manage security data for the enterprise
• Allow enterprise-level security administration
Security Interfaces:
• Provide consistent access to security services
• Embrace open, common industry standards
(Diagram: Infrastructure Platforms (Application Servers, Information Management Systems, etc.) sit on top of the Enterprise Security Framework, which consists of Shared Security Services, Security Management & Administration, and Enterprise Security Information, exposed through Security Interfaces. Information Management Security Services support the design & administration of Information; Information Processing Security Services support the development & administration of Business Logic.)
Support for Architecture Principles
• Provides Security as a Service
• Supports Defense in Depth
• Supports Least Privilege
• Supports Information Confidentiality, Integrity, & Availability
• Provides Secure Management of Security Information
• Provides Active Threat Detection and Analysis
• Provides Secure Audit Trail
• Provides Cross-Domain Identity Federation
Space Between the Clouds
(Diagram: the defense-in-depth layers (Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application / Service, Data) drawn once for your organization's private cloud and once for the cloud provider's public cloud (IaaS, PaaS, SaaS). The space between the two has to be covered by GRC, Id & Access Mgmt, Technology Integration, and Planning & Reconciliation.)
SaaS I&AM Patterns
(Diagram: the in-house (private) IT environment provides Authentication, Authorization, Access Policy Management, and Identity Management; four SaaS providers, A through D, split those functions with it differently. The four patterns shown:)
• Provider keeps Authorization and Access Policy Management; the in-house environment authenticates the user and sends a SAML assertion carrying the user id & attributes.
• Provider keeps Authorization, Access Policy Management, and its own Identity Management; identities are synchronized via SPML and the user is asserted via SAML carrying the user id.
• Provider runs Authentication, Authorization, Access Policy Management, and Identity Management itself.
• Provider is reached through a Security Token Service (STS) using SAML, WS-Trust, and WS-Federation.
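The first pattern above hands the SaaS provider a SAML assertion with the user id & attributes, so the provider's relying party has to check that assertion before trusting it. The following is an added example (not from the slides or any Oracle product) of those checks over a constructed assertion; the IdP and SP entity ids are hypothetical, and it assumes the XML signature has already been verified by the SAML library.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the IdP and SP entity ids are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2011-12-14T10:00:00Z">
  <saml:Issuer>https://idp.example-org.internal/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example-org.internal</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-12-14T10:00:00Z" NotOnOrAfter="2011-12-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saas-provider-a.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>finance-viewer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_time(s):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuers, our_entity_id, now):
    """Return (ok, reason, identity); identity holds the subject and attributes when ok.
    Assumes the XML signature was already verified by the SAML library."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:                  # only our own IdP may assert users
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    if now < saml_time(cond.get("NotBefore")) or now >= saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None   # replay or clock skew
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if our_entity_id not in audiences:                 # token minted for another provider
        return False, "assertion not addressed to this SP", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for att in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[att.get("Name")] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    return True, "ok", {"subject": subject, "attrs": attrs}
```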
Common Attacks & Cloud Computing
• Common Attacks: What types of attacks happen most frequently?
• Defense Strategies: How would you normally protect your IT resources?
• Cloud Scenario: What might be different about a Cloud environment?
Common Threat Summarization
• 2011 Data Breach Investigations Report (DBIR): Verizon Investigative Response Team + US Secret Service (financial & cyber fraud) + Dutch National High Tech Crime Unit
• 2010: 761 incidents, ~ 4 million records compromised
• 7 years: > 1700 incidents, > 900 million records compromised
Verizon Enterprise Risk & Incident Sharing (VERIS) Framework
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected
Threat Agents: External
Threat Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%
External agents: 58% Organized Criminal Groups; 40% Unaffiliated individuals; 2% Former Employees; 1% Competitors
"[External Agents] created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets."
Actions (% of breaches / % of records):
1. Malware 49% / 79%
2. Hacking 50% / 89%
3. Misuse 17% / 1%
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
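The "% of breaches / % of records" pairs in the agent and action tables are what you get when incident records are rolled up along the VERIS Agent and Action axes; because one incident can involve several agents or actions, the shares within an axis add up to more than 100%. The following is an added example (not from the slides or the DBIR) that performs that roll-up over a constructed, hypothetical set of incidents.

```python
from collections import defaultdict

# Constructed incidents (hypothetical, not DBIR data). An incident may involve several
# agents and several actions, so the shares within one axis can sum to more than 100%.
INCIDENTS = [
    {"agents": {"external"}, "actions": {"hacking", "malware"}, "records": 900_000},
    {"agents": {"external"}, "actions": {"hacking"}, "records": 50_000},
    {"agents": {"internal"}, "actions": {"misuse"}, "records": 200},
    {"agents": {"external", "internal"}, "actions": {"misuse", "malware"}, "records": 1_000},
    {"agents": {"partner"}, "actions": {"hacking"}, "records": 100},
]

def summarize(incidents, axis):
    """Return {category: (pct_of_breaches, pct_of_records)} for axis 'agents' or 'actions'.
    Breach share counts incidents; record share weights each incident by records lost."""
    n = len(incidents)
    total_records = sum(i["records"] for i in incidents)
    breaches = defaultdict(int)
    records = defaultdict(int)
    for inc in incidents:
        for cat in inc[axis]:
            breaches[cat] += 1
            records[cat] += inc["records"]
    return {cat: (round(100 * breaches[cat] / n), round(100 * records[cat] / total_records))
            for cat in breaches}

def ranked(summary):
    """Categories ordered by share of breaches, then share of records (as the DBIR tables list them)."""
    return sorted(summary, key=lambda c: summary[c], reverse=True)

def combined_share(incidents):
    """Share of incidents in which external and internal agents acted together
    (the figure the Internal slide reports as 9% for the DBIR data set)."""
    both = sum(1 for i in incidents if {"external", "internal"} <= i["agents"])
    return round(100 * both / len(incidents))
```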
Hacking (50% of breaches, 89% of records)
Hacking varieties (% of breaches / % of records; the slide tags each variety with the number of the defensive strategy that addresses it):
• Backdoor or command/control channel 73% / 45%
• Default or guessable credentials 67% / 30%
• Brute force & dictionary attacks 52% / 34%
• Footprinting & fingerprinting 49% / 19%
• Use of stolen login credentials 21% / 21%
• SQL Injection 14% / 24%
• Insufficient authentication 10% / 21%
• Abuse of functionality 10% / 19%
• Buffer overflow 9% / 15%
71% via remote access services (RDP, PCAnywhere, GoToAssist, LogMeIn, NetViewer, ssh, telnet, rsh, …)
Defensive Strategy:
1. Limit network/port/protocol access
2. Strengthen & change passwords
3. Protect applications from SQL injection & buffer overflows
4. Require authentication
Cloud Implications:
• Remote access may be required for public cloud maintenance & troubleshooting
• Cloud provider may control authentication & password requirements
• Cloud provider may control code base
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
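Three of the top hacking varieties above (default or guessable credentials, brute force & dictionary attacks, and stolen credentials) show up on a remote access service such as ssh as a burst of failed logins, sometimes followed by a success from the same source. The following is an added example (not from the slides) of detection logic for that pattern, run over constructed sshd log lines in the auth.log format; the host name and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical host and addresses).
SAMPLE_LOG = """\
Dec 14 10:00:01 dmz-proxy sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Dec 14 10:00:02 dmz-proxy sshd[2003]: Failed password for root from 203.0.113.7 port 50212 ssh2
Dec 14 10:00:03 dmz-proxy sshd[2005]: Failed password for invalid user oracle from 203.0.113.7 port 50213 ssh2
Dec 14 10:00:04 dmz-proxy sshd[2007]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Dec 14 10:00:05 dmz-proxy sshd[2009]: Failed password for invalid user guest from 203.0.113.7 port 50215 ssh2
Dec 14 10:00:09 dmz-proxy sshd[2011]: Accepted password for oracle from 203.0.113.7 port 50216 ssh2
Dec 14 10:01:00 dmz-proxy sshd[2020]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Dec 14 10:01:07 dmz-proxy sshd[2022]: Accepted publickey for alice from 198.51.100.4 port 40101 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")

def parse(log_text, year=2011):
    """Turn auth.log lines into (timestamp, outcome, user, source_ip); syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, threshold=5, window_s=60, success_after=3):
    """Flag a source with >= threshold failures inside window_s seconds (brute force /
    dictionary attack), and a success from a source that already had success_after
    failures (a guessed, default or stolen credential that worked)."""
    fails = defaultdict(list)
    alerts = []
    for ts, outcome, user, ip in events:
        if outcome == "Failed":
            fails[ip].append(ts)
            recent = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) == threshold:          # fire once when the threshold is crossed
                alerts.append(("brute_force", ip, None))
        elif len(fails[ip]) >= success_after:
            alerts.append(("success_after_failures", ip, user))
    return alerts
```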
Malware (49% of breaches, 79% of records)
• Designed to: open back doors, perform key logging, RAM scraping, network scanning, data capture & send, …
• 80% installed by attacker following breach of system
• Almost 100% caused by external agents
Infection vector:
• Installed / Injected by remote attacker 81%
• Email 4%
• Web / Internet auto-executed ("drive-by" infection) 3%
• Web / Internet user-executed (download) 3%
Defensive Strategy:
1. Protect systems from hacking
2. Maintain system patches, virus protection, security settings, firewalls
3. Internet Usage Policies & Awareness
4. Consider Internet-facing devices to be suspect & limit access accordingly
Cloud Implications:
• Efficacy of cloud provider's security measures will factor into risk:
  • How are hacking threats handled?
  • How are Internet-facing devices secured and isolated?
  • How are they audited for compliance?
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
Perimeters & Internal Networks
• Limit exposure to the Internet
• Turn off unnecessary ports & protocols
• Limit exposure to management interfaces
• Don't plug in devices that may be contaminated
• Data Loss Prevention
• VPN
  • Site to site
  • User to site
• Cloud as a DMZ
• Multi-tenancy
  • A hacker's launch point?
Threat Agents: Internal
Threat Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%
Internal agents: 85% Regular Employee / End User; 22% Finance / Accounting Staff; 11% Executive / Upper Mgmt; 9% Helpdesk, SA, DBA, Developer
• Not as scalable as external agents
• 9% of incidents involve a combination of external and internal agents
• Fewer records but greater impact
Actions (% of breaches / % of records):
1. Malware 49% / 79%
2. Hacking 50% / 89%
3. Misuse 17% / 1%
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
Misuse (17% of breaches, 1% of records)
Misuse varieties:
• Embezzlement, skimming, & related fraud 75%
• Abuse of system access / privileges 49%
• Use of unapproved hardware / devices 39%
• Abuse of private knowledge 7%
Defensive Strategy:
1. SoD, Principle of Least Privilege Access Control measures
2. Auditing & Review
3. Deprovisioning users
4. Data Loss Prevention solutions
Cloud Implications:
• Cloud provider maintains some level of identity and access management
• Auditing & review up to cloud provider
• DLP up to cloud provider
• Abuse of privilege not "provider-dependent"
• "…employees aren't normally escalating their privileges in order to steal data because they don't need to. They simply take advantage of whatever standard user privileges were granted to them by their organizations."
• "…regular employees typically seek "cashable" forms of information like payment card data, bank account numbers, and personal information."
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
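Since misuse runs on the standard privileges users were already granted, the defensive strategies above (SoD and least privilege, auditing & review, deprovisioning) come down to periodically comparing who holds which roles against who should, and who still uses them. The following is an added example (not from the slides) of such an access review over a constructed directory export; the role names, SoD conflict pairs, and users are hypothetical.

```python
from datetime import date

# Hypothetical role pairs that one person must never hold together (typical Finance SoD).
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
}

# Constructed directory export: user -> termination date (None if active), last login, roles held.
USERS = {
    "alice": {"terminated": None, "last_login": date(2011, 12, 10),
              "roles": {"vendor.create", "payment.approve"}},
    "bob":   {"terminated": date(2011, 11, 1), "last_login": date(2011, 11, 20),
              "roles": {"journal.post"}},
    "carol": {"terminated": None, "last_login": date(2011, 6, 1),
              "roles": {"report.view", "dba.admin"}},
    "dave":  {"terminated": None, "last_login": date(2011, 12, 13), "roles": {"report.view"}},
}
# Constructed audit-log summary: roles each user actually exercised in the review period.
USED_ROLES = {"alice": {"vendor.create", "payment.approve"},
              "carol": {"report.view"}, "dave": {"report.view"}}

def review_access(users, used_roles, today, dormant_days=90):
    """Return (user, finding, details) triples for the review to act on."""
    findings = []
    for name, u in sorted(users.items()):
        roles = u["roles"]
        if u["terminated"] and u["terminated"] < today:
            if roles:                                   # deprovisioning did not happen
                findings.append((name, "terminated_user_still_has_roles", sorted(roles)))
            if u["last_login"] > u["terminated"]:       # and the account was used afterwards
                findings.append((name, "login_after_termination", []))
        for pair in SOD_CONFLICTS:                      # segregation of duties
            if pair <= roles:
                findings.append((name, "sod_conflict", sorted(pair)))
        unused = roles - used_roles.get(name, set())    # least privilege: granted but never used
        if unused:
            findings.append((name, "unused_roles", sorted(unused)))
        if not u["terminated"] and (today - u["last_login"]).days > dormant_days:
            findings.append((name, "dormant_account", []))
    return findings
```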
Threat Agents: Partner
Threat Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%
• Includes vendors, suppliers, hosting providers, outsourced IT support
• Direct involvement has been on the decline
• Responsible involvement has not declined
• Attacks often involve compromised remote access connection
• Poor governance, lax security, too much trust
• "Out of sight, out of mind" condition
Cloud Implications:
• Provider's enforcement of Least Privilege and Segregation of Duties
• Provider's contracts, policies, controls, governance, & auditing
• Secure communications channels & active threat detection
• You can't delegate accountability
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
Administrative & Management Control
• Cloud control vs. your control
  • Where are the lines drawn?
  • Segregation of Duties, Least Privilege
• How do you measure your provider's success?
  • How will you know if your risk is greater than expected?
• Audit & Review
  • What (objectives), by whom, how often
• Motility of Data
  • How to ensure data remnants are destroyed (digital shredding)
(Some of) The Good…
• Cloud providers have a deep vested interest in security
  • Must prove themselves to the market
  • Often much greater investment and attention to detail than traditional IT
• Cloud homogeneity makes security auditing/testing simpler
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Data held by an unbiased party
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
…The Bad…
• Multi-tenancy; need for isolation management
• High value target for hackers
• Fragmentation; creation of more silos
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
  • Exposure of data to foreign government and data subpoenas
  • Data retention issues
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
…& The Ugly
• Proprietary implementations
• Audit & compliance
• Availability
  • Relying on a vendor to stay in business
  • Equipment seizure (e.g. FBI - DigitalOne AG 2011)
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Recommendations
Institute Defense in Depth
• Good general strategy to protect highly distributed
systems (SOA, BPM, Cloud, etc.)
• Protect the whole environment, not just the perimeter
Rationalize & Consolidate
• Standardized frameworks, services, & technologies
• Holistic management, visibility, & control
Mind The Gap(s)
• Technology: Secure integration
• Identity & Access Management
• Policies, Procedures, Audits, Attestation, GRC
Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies