rationalization and defense in depth - two steps closer to the clouds
DESCRIPTION
As presented by Dave Chappelle at Oracle Technology Network Architect Day in Phoenix, AZ on December 14, 2011.
TRANSCRIPT
![Page 1: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/1.jpg)
OTN Architect Day Security Breakout Session
Dave Chappelle
14 December 2011
![Page 2: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/2.jpg)
Rationalization and
Defense in Depth -
Two Steps Closer to
the Clouds
OTN Architect Day 2011
![Page 3: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/3.jpg)
Perimeter Security
Diagram: Client (Unprotected Zone) → Firewall → Web Server (app proxy) in the DMZ → Firewall → Protected Zone(s) holding the Application Server, DB, Message Queue, Mainframe Application and its DB.
Outer firewall: all network traffic blocked except for specific ports.
Inner firewall: all network traffic blocked except from the proxy.
• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity
• Alone, often involves a lot of implied trust
• Modern environments don’t have such a clearly defined perimeter
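The two firewalls on this slide are easy to draw and easy to get wrong in practice. As an added example (not part of the presentation), the policy below encodes the outer and inner perimeter as code and checks a set of constructed flow records against it; the zone addresses, the proxy address, the port numbers and the sample flows are all assumptions made for illustration.

```python
"""Added example (not from the slides): checking observed network flows
against the two-perimeter design on this slide. Zone names, addresses, ports
and the sample flow records are constructed for illustration."""
import ipaddress

# Assumed address plan: one /24 per zone; anything else is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "protected": ipaddress.ip_network("10.2.0.0/24"),
}
PROXY = ipaddress.ip_address("10.1.0.10")  # the web server / app proxy in the DMZ

OUTER_ALLOWED_PORTS = {443}   # outer firewall: Internet -> DMZ, specific ports only
INNER_ALLOWED_PORTS = {8080}  # inner firewall: DMZ -> protected, proxy only


def zone_of(addr):
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def permitted(src, dst, dport):
    """Apply the two perimeters to one flow (src -> dst:dport)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone == "dmz" and src_zone == "internet":
        return dport in OUTER_ALLOWED_PORTS
    if dst_zone == "protected" and src_zone != "protected":
        return src == PROXY and dport in INNER_ALLOWED_PORTS
    # Same-zone and outbound traffic is not filtered at all: that is the
    # "implied trust" the slide warns about.
    return True


# Constructed flow records: "src dst dport", one per line.
SAMPLE_FLOWS = """\
203.0.113.5 10.1.0.10 443
203.0.113.5 10.1.0.10 22
10.1.0.10 10.2.0.20 8080
10.1.0.99 10.2.0.20 8080
203.0.113.7 10.2.0.30 1521
10.2.0.20 10.2.0.30 1521
"""


def audit(flow_text):
    """Return the flow lines that the two perimeters should have blocked."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if not permitted(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)):
            violations.append(line)
    return violations


if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("should have been blocked:", line)
```

Note the last sample flow: application server to database inside the protected zone passes unconditionally. If the proxy or the application server is compromised, nothing in this design stops the attacker from reaching the database, which is why the following slides add perimeters inside the perimeter.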
![Page 4: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/4.jpg)
Defense in Depth
• Military defensive strategy to secure
a position using multiple defense
mechanisms.
• Less emphasis is placed on a single
perimeter wall
• Several barriers and different types
of fortifications
• Objective is to win the battle by
attrition. The attacker may overcome
some barriers but can’t sustain the
attack for such a long period of time.
Image: Krak des Chevaliers, Syria
![Page 5: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/5.jpg)
Defense in Depth
Layers, from outermost to innermost, with the controls that belong to each:
Policies, Procedures, & Awareness: Data Classification, Password Strengths, Code Reviews, Usage Policies, …
Physical: Fences, walls, guards, locks, keys, badges, …
Perimeter: Firewalls, network address translation, denial of service prevention, message parsing and validation, ...
Internal Network: Transport Layer Security (encryption, identity)
Host: Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection), …
Application: Security Assurance (coding practices); Authentication, Authorization, Auditing (AAA); Federation (SSO, Identity Propagation, Trust, …); Message Level Security
Data: Content Security, Information Rights Management; Database Security (online storage & backups)
Cross-cutting all layers: Identity & Access Management; Governance, Risk Management, & Compliance
![Page 6: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/6.jpg)
Defense in Depth: Greater Control
Policies & Procedures
Physical
Perimeter
Internal Network
Host
Application / Service
Data
Consistent set of policies & procedures
Many enforcement points
![Page 7: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/7.jpg)
Security Silos
Diagram: three application silos (Finance, Sales, Support), each with its own security; the End User, the Security Administrator and the Security Auditor each have to deal with all three separately.
• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible
![Page 8: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/8.jpg)
Security Framework
Diagram: the same three applications (Finance, Sales, Support) now sit on one shared Security Framework, which is the single point of contact for the End User, the Security Administrator and the Security Auditor.
• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration operator-centric, not system-centric
• Auditing is possible and realistic
![Page 9: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/9.jpg)
Security Framework High Level Architecture
Diagram: Infrastructure Platforms (Application Servers, Information Management Systems, etc.) host Information Processing (Business Logic plus Security Services, with Development & Administration) and Information Management (Information plus Security Services, with Design & Administration). Both reach the Enterprise Security Framework (Shared Security Services, Security Management & Administration, Enterprise Security Information) through Security Interfaces.
Information Processing:
• Provide a secure run-time environment
• Offer security services to business logic
• Allow solution-level security administration
Information Management:
• Provide a secure data persistence env.
• Offer security features to protect data
• Allow db-level security administration
Security Framework:
• Provide shared security services
• Manage security data for the enterprise
• Allow enterprise-level security administration
Security Interfaces:
• Provide consistent access to security services
• Embrace open, common industry standards
![Page 10: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/10.jpg)
Support for Architecture Principles
Architecture Principles
Provides Security as a Service
Supports Defense in Depth
Supports Least Privilege
Supports Information Confidentiality, Integrity, & Availability
Provides Secure Management of Security Information
Provides Active Threat Detection and Analysis
Provides Secure Audit Trail
Provides Cross-Domain Identity Federation
![Page 11: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/11.jpg)
Space Between the Clouds
Diagram: the defense-in-depth layers (Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application / Service, Data) drawn twice, once for Your Organization (Private Cloud) and once for the Cloud Provider (Public Cloud or hosted Private Cloud, delivered as IaaS, PaaS or SaaS). The space between the two stacks has to be bridged by:
• GRC
• Id & Access Mgmt
• Technology Integration
• Planning & Reconciliation
![Page 12: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/12.jpg)
SaaS I&AM Patterns
Diagram: the In-House (Private) IT Environment holds Authentication, Authorization, Access Policy Management and Identity Management, and connects to four SaaS providers in four different ways:
• Provider A: Authorization and Access Policy Management at the provider; SAML carries the user id & attributes from the in-house environment.
• Provider B: Authorization, Access Policy Management and Identity Management at the provider; SPML provisions identities and SAML carries the user id.
• Provider C: Authorization, Access Policy Management, Authentication and Identity Management all at the provider, with no federation protocol between the two.
• Provider D: access brokered through an STS using SAML, WS-Trust and WS-Federation.
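Whichever of the four patterns is used, the provider side has to validate what the in-house identity environment asserts before it applies its own authorization. The code below is an added example (not from the presentation) of that validation. Real SAML assertions are XML documents signed with XML-DSig under the IdP's certificate; here the assertion is JSON signed with HMAC-SHA256 under a key the two parties are assumed to share, which keeps the part that matters, the checks for signature, issuer, audience, validity window and one-time use, readable in a few lines. The issuer and provider names, the key and the timestamps are made up.

```python
"""Added example (not from the slides): the IdP-to-provider exchange behind
the SAML patterns above, reduced to the checks a service provider must make.
HMAC over JSON stands in for XML-DSig over a SAML assertion; names, key and
timestamps are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"assumed-shared-signing-key"
IDP = "https://idp.example.internal"   # in-house identity management
SP = "https://provider-a.example"      # SaaS provider doing its own authorization


class InvalidAssertion(Exception):
    pass


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload, key):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_assertion(subject, attributes, now, ttl=300, key=SHARED_KEY):
    """IdP side: state who the user is and which attributes the SP may rely on."""
    body = {
        "id": secrets.token_hex(8),   # unique per assertion; lets the SP spot replays
        "issuer": IDP,
        "audience": SP,
        "subject": subject,
        "attributes": attributes,     # e.g. roles the SP maps onto its own access policy
        "nbf": now,
        "exp": now + ttl,
    }
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return payload + "." + _sign(payload, key)


def verify_assertion(token, now, seen_ids, key=SHARED_KEY, audience=SP):
    """SP side. Each check mirrors a SAML processing rule; the signature is
    verified before anything in the payload is trusted."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise InvalidAssertion("malformed token")
    if not hmac.compare_digest(sig, _sign(payload, key)):
        raise InvalidAssertion("bad signature")
    body = json.loads(_unb64(payload))
    if body["issuer"] != IDP:
        raise InvalidAssertion("unknown issuer")
    if body["audience"] != audience:
        raise InvalidAssertion("assertion meant for another provider")
    if not body["nbf"] <= now < body["exp"]:
        raise InvalidAssertion("outside validity window")
    if body["id"] in seen_ids:
        raise InvalidAssertion("replayed assertion")
    seen_ids.add(body["id"])
    return body["subject"], body["attributes"]


def rejection_reason(token, now, seen_ids, **kw):
    """None if the SP would accept the assertion, otherwise why it refused."""
    try:
        verify_assertion(token, now, seen_ids, **kw)
        return None
    except InvalidAssertion as exc:
        return str(exc)
```

The audience check is the one most often skipped: without it an assertion issued for Provider A can be replayed against Provider B, which is exactly the cross-provider confusion the "Space Between the Clouds" slide is about. The `seen_ids` set stands in for whatever replay cache the provider keeps for the lifetime of the validity window.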
![Page 13: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/13.jpg)
Common Attacks & Cloud Computing
Common Attacks: What types of attacks happen most frequently?
Defense Strategies: How would you normally protect your IT resources?
Cloud Scenario: What might be different about a Cloud environment?
![Page 14: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/14.jpg)
Common Threat Summarization
• 2011 Data Breach Investigations Report (DBIR)
Verizon Investigative Response Team +
US Secret Service (financial & cyber fraud) +
Dutch National High Tech Crime Unit
• 2010: 761 incidents, ~ 4 million records compromised
• 7 years: > 1700 incidents, > 900 million records compromised
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected
Verizon Enterprise Risk & Incident Sharing
(VERIS) Framework
![Page 15: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/15.jpg)
Threat Agents (% of breaches / % of records)
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%
External agents:
• 58% Organized Criminal Groups
• 40% Unaffiliated individuals
• 2% Former Employees
• 1% Competitors
“[External Agents] created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.”
Threat Actions (% of breaches / % of records)
1. Malware: 49% / 79%
2. Hacking: 50% / 89%
3. Misuse: 17% / 1%
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
![Page 16: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/16.jpg)
Hacking (50% of breaches, 89% of records)
Hacking techniques (% of breaches / % of records):
• Backdoor or command/control channel: 73% / 45%
• Default or guessable credentials: 67% / 30%
• Brute force & dictionary attacks: 52% / 34%
• Footprinting & fingerprinting: 49% / 19%
• Use of stolen login credentials: 21% / 21%
• SQL Injection: 14% / 24%
• Insufficient authentication: 10% / 21%
• Abuse of functionality: 10% / 19%
• Buffer overflow: 9% / 15%
71% via remote access services (RDP, PCAnywhere, Go2Assist, LogMeIn, NetViewer, ssh, telnet, rsh, …)
Defensive Strategy (the slide keys each technique above to one of these):
1. Limit network/port/protocol access
2. Strengthen & change passwords
3. Protect applications from SQL injection & buffer overflows
4. Require authentication
Cloud Implications:
• Remote access may be required for public cloud maintenance & troubleshooting
• Cloud provider may control authentication & password requirements
• Cloud provider may control code base
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
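Two of the four defensive strategies, protecting applications from SQL injection and requiring authentication, meet in the login path, and it is worth seeing why hashing passwords alone is not enough when the lookup query itself is injectable. The following is an added example (not from the presentation): a deliberately vulnerable login beside a hardened one, run against an in-memory SQLite database with constructed users; table layout, user names, passwords and the PBKDF2 work factor are assumptions.

```python
"""Added example (not from the slides): the "protect applications from SQL
injection" and "require authentication" items, as a vulnerable login beside
a hardened one. Runs against an in-memory SQLite database holding constructed
sample users; table layout, names, passwords and work factor are assumptions."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2 so the table never holds clear-text passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db():
    """Constructed sample data: two ordinary users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, *hash_password(pw)))
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately unsafe: the user name is spliced into the SQL text."""
    row = conn.execute(
        f"SELECT salt, digest FROM users WHERE name = '{name}'"
    ).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hash_password(password, salt)[1] == digest


def login_hardened(conn, name, password):
    """Parameterised query plus constant-time comparison of the digests."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def forged_login_name(attacker_password):
    """What an attacker submits as the 'user name': a UNION that appends a
    credential row of their own making, so the vulnerable login accepts a
    password that exists in no table. The all-zero salt is the attacker's choice."""
    salt = bytes(16)
    _, digest = hash_password(attacker_password, salt)
    return f"nobody' UNION SELECT X'{salt.hex()}', X'{digest.hex()}' -- "


if __name__ == "__main__":
    db = make_db()
    forged = forged_login_name("owned")
    print("vulnerable login with forged name:", login_vulnerable(db, forged, "owned"))
    print("hardened login with forged name:  ", login_hardened(db, forged, "owned"))
```

The injected name never has to guess anyone's password: the UNION supplies the salt and digest the attacker already knows, so the comparison passes. Parameterising the query removes that avenue entirely; the constant-time compare closes the smaller timing side channel on the digest check.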
![Page 17: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/17.jpg)
Malware (49% of breaches, 79% of records)
• Designed to: open back doors, perform key logging, RAM scraping, network scanning, data capture & send, …
• 80% installed by attacker following breach of system
• Almost 100% caused by external agents
Infection vector (% of malware breaches):
• Installed / injected by remote attacker: 81%
• Email: 4%
• Web / Internet auto-executed (“drive-by” infection): 3%
• Web / Internet user-executed (download): 3%
Defensive Strategy:
1. Protect systems from hacking
2. Maintain system patches, virus protection, security settings, firewalls
3. Internet Usage Policies & Awareness
4. Consider Internet-facing devices to be suspect & limit access accordingly
Cloud Implications:
• Efficacy of cloud provider’s security measures will factor into risk:
  • How are hacking threats handled?
  • How are Internet-facing devices secured and isolated?
  • How are they audited for compliance?
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
![Page 18: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/18.jpg)
Perimeters & Internal Networks
• Limit exposure to the Internet
• Turn off unnecessary ports & protocols
• Limit exposure to management interfaces
• Don’t plug in devices that may be contaminated
• Data Loss Prevention
• VPN
  • Site to site
  • User to site
• Cloud as a DMZ
• Multi-tenancy
  • A hacker’s launch point?
![Page 19: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/19.jpg)
Threat Agents (% of breaches / % of records)
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%
Internal agents:
• 85% Regular Employee / End User
• 22% Finance / Accounting Staff
• 11% Executive / Upper Mgmt
• 9% Helpdesk, SA, DBA, Developer
• Not as scalable as external agents
• 9% of incidents involve a combination of external and internal agents
• Fewer records but greater impact
Threat Actions (% of breaches / % of records)
1. Malware: 49% / 79%
2. Hacking: 50% / 89%
3. Misuse: 17% / 1%
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
![Page 20: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/20.jpg)
Misuse (17% of breaches, 1% of records)
Misuse varieties (% of misuse breaches):
• Embezzlement, skimming, & related fraud: 75%
• Abuse of system access / privileges: 49%
• Use of unapproved hardware / devices: 39%
• Abuse of private knowledge: 7%
• “…employees aren’t normally escalating their privileges in order to steal data because they don’t need to. They simply take advantage of whatever standard user privileges were granted to them by their organizations.”
• “…regular employees typically seek “cashable” forms of information like payment card data, bank account numbers, and personal information.”
Defensive Strategy:
1. SoD, Principle of Least Privilege Access Control measures
2. Auditing & Review
3. Deprovisioning users
4. Data Loss Prevention solutions
Cloud Implications:
• Cloud provider maintains some level of identity and access management
• Auditing & review up to cloud provider
• DLP up to cloud provider
• Abuse of privilege not “provider-dependent”
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
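The "Security Framework" slide earlier made the case for one identity per user with roles and attributes that govern access; this slide lists what that identity has to be used for: least privilege, segregation of duties, review and deprovisioning. The code below is an added example (not from the presentation) that puts the two together in one small policy engine. The role names, the permissions they grant, the finance department rule and the SoD conflict (an invoice clerk must not also be an approver) are assumptions chosen to mirror the finance example on the silo slides.

```python
"""Added example (not from the slides): one identity carrying roles and
attributes (the "Security Framework" slide) used to enforce the least
privilege, segregation of duties, review and deprovisioning measures listed
under "Misuse". Role names, permissions and the SoD rule are assumptions."""
from dataclasses import dataclass, field

# Role -> permissions it grants (assumed).
ROLE_PERMISSIONS = {
    "ap.clerk": {"invoice:create", "invoice:read"},
    "ap.approver": {"invoice:approve", "invoice:read"},
    "support.agent": {"ticket:read", "ticket:update"},
}

# Toxic combinations nobody may hold at once (assumed SoD rule: the person
# who enters an invoice must not be able to approve it).
SOD_CONFLICTS = [frozenset({"ap.clerk", "ap.approver"})]

# Attribute conditions layered on top of roles (assumed): approving needs Finance.
ATTRIBUTE_RULES = {
    "invoice:approve": lambda attrs: attrs.get("department") == "finance",
}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    active: bool = True


def sod_violations(identity):
    return [c for c in SOD_CONFLICTS if c <= identity.roles]


def assign_role(identity, role):
    """Refuse an assignment that would create a toxic combination."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role}")
    if any(c <= identity.roles | {role} for c in SOD_CONFLICTS):
        return False
    identity.roles.add(role)
    return True


def permissions(identity):
    """Least privilege: only what the active roles grant, nothing by default."""
    if not identity.active:
        return set()
    granted = set()
    for role in identity.roles:
        granted |= ROLE_PERMISSIONS[role]
    return granted


def authorize(identity, permission, audit_log):
    """Decide and record; the record is what makes later review possible."""
    rule = ATTRIBUTE_RULES.get(permission, lambda attrs: True)
    allowed = permission in permissions(identity) and rule(identity.attributes)
    audit_log.append((identity.user_id, permission, "ALLOW" if allowed else "DENY"))
    return allowed


def deprovision(identity):
    """A leaver keeps the identity record (for audit) but no access."""
    identity.active = False
    identity.roles.clear()


def review(identities):
    """Periodic access review: flag SoD conflicts and inactive users with roles."""
    findings = []
    for ident in identities:
        for conflict in sod_violations(ident):
            findings.append((ident.user_id, "sod", sorted(conflict)))
        if not ident.active and ident.roles:
            findings.append((ident.user_id, "leaver-with-roles", sorted(ident.roles)))
    return findings
```

Two details matter in practice. `assign_role` prevents new toxic combinations, but identities migrated from the old silos can arrive already holding both roles, which is why `review` checks the stored state rather than trusting the assignment path. And `deprovision` clears roles instead of deleting the record, so the audit trail still names the user after they have gone; the DBIR quote above is a reminder that misuse is done with standard privileges, which only review and timely deprovisioning take away.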
![Page 21: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/21.jpg)
Threat Agents (% of breaches / % of records)
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%
Partner agents:
• Includes vendors, suppliers, hosting providers, outsourced IT support
• Direct involvement has been on the decline
• Responsible involvement has not declined
• Attacks often involve a compromised remote access connection
• Poor governance, lax security, too much trust
• “Out-of-sight, out-of-mind” condition
Cloud Implications:
• Provider’s enforcement of Least Privilege and Segregation of Duties
• Provider’s contracts, policies, controls, governance, & auditing
• Secure communications channels & active threat detection
• You can’t delegate accountability
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
![Page 22: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/22.jpg)
Administrative & Management Control
• Cloud control vs. your control
• Where are the lines drawn?
• Segregation of Duties, Least Privilege
• How do you measure your provider’s success?
• How will you know if your risk is greater than expected?
• Audit & Review
• What (objectives), by whom, how often
• Motility of Data
• How to ensure data remnants are destroyed (digital shredding)
![Page 23: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/23.jpg)
(Some of) The Good…
• Cloud providers have a deep vested interest in
security
• Must prove themselves to the market
• Often much greater investment and attention to detail than
traditional IT
• Cloud homogeneity makes security auditing/testing
simpler
• Shifting public data to an external cloud
reduces the exposure of the internal
sensitive data
• Data held by an unbiased party
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
![Page 24: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/24.jpg)
…The Bad…
• Multi-tenancy; need for isolation management
• High value target for hackers
• Fragmentation; creation of more silos
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
• Exposure of data to foreign government and data subpoenas
• Data retention issues
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
![Page 25: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/25.jpg)
…& The Ugly
• Proprietary implementations
• Audit & compliance
• Availability
• Relying on a vendor to stay in business
• Equipment seizure (e.g. FBI - DigitalOne AG 2011)
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
![Page 26: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/26.jpg)
Recommendations
Institute Defense in Depth
• Good general strategy to protect highly distributed
systems (SOA, BPM, Cloud, etc.)
• Protect the whole environment, not just the perimeter
Rationalize & Consolidate
• Standardized frameworks, services, & technologies
• Holistic management, visibility, & control
Mind The Gap(s)
• Technology: Secure integration
• Identity & Access Management
• Policies, Procedures, Audits, Attestation, GRC
Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies
![Page 27: Rationalization and Defense in Depth - Two Steps Closer to the Clouds](https://reader034.vdocuments.us/reader034/viewer/2022051611/54b350b64a795912288b45a9/html5/thumbnails/27.jpg)