2. Rationalization and Defense in Depth - Two Steps Closer to the Clouds
OTN Architect Day 2011
3. Perimeter Security

[Figure: a Client in the Unprotected Zone passes through a Firewall into the DMZ, which holds the Web Server (app proxy); a second Firewall separates the DMZ from the Perimeter Protected Zone(s), which hold the Application Server, Message Queue and Mainframe Application with their DBs. Outer firewall: all network traffic blocked except for specific ports. Inner firewall: all network traffic blocked except from the proxy.]

Strengths:
• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity

Weaknesses:
• Alone, often involves a lot of implied trust
• Modern environments don’t have such a clearly defined perimeter
4. Defense in Depth

[Photo: Krak des Chevaliers, Syria]

• Military defensive strategy to secure a position using multiple defense mechanisms
• Less emphasis is placed on a single perimeter wall
• Several barriers and different types of fortifications
• Objective is to win the battle by attrition: the attacker may overcome some barriers but can’t sustain the attack for such a long period of time
5. Defense in Depth

Layers and the controls at each:
• Data: Database Security (online storage & backups); Content Security, Information Rights Management; Message Level Security
• Application: Federation (SSO, Identity Propagation, Trust, …); Authentication, Authorization, Auditing (AAA); Security Assurance (coding practices)
• Host: Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection), …
• Internal Network: Transport Layer Security (encryption, identity)
• Perimeter: Firewalls, network address translation, denial of service prevention, message parsing and validation, …
• Physical: Fences, walls, guards, locks, keys, badges, …
• Policies, Procedures, & Awareness: Data Classification, Password Strengths, Code Reviews, Usage Policies, …

Cutting across all layers: Governance, Risk Management, & Compliance; Identity & Access Management
6. Defense in Depth: Greater Control

Many enforcement points, one per layer:
• Data
• Application / Service
• Host
• Internal Network
• Perimeter
• Physical
• Policies & Procedures

Consistent set of policies & procedures across all of them
7. Security Silos

[Figure: three application silos (Support, Finance, Sales), each with its own security; the End User, Security Administrator and Security Auditor must each deal with every silo separately.]

• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible
8. Security Framework Support

[Figure: the same Support, Finance and Sales applications now share one Security Framework, through which the End User, Security Administrator and Security Auditor interact.]

• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration is operator-centric, not system-centric
• Auditing is possible and realistic
9. Security Framework High Level Architecture

[Figure: layered stack. Business Logic on top, with Design & Development and Administration alongside. Beneath it the Infrastructure Platforms (Application Servers, Information Management Systems, etc.), split into Information Processing and Information Management, each with its own Security Services. These sit on Security Interfaces, which front the Enterprise Security Framework: Shared Security Services, Enterprise Security Information, and Security Management & Administration.]

Information Processing:
• Provide a secure run-time environment
• Offer security services to business logic
• Allow solution-level security administration

Information Management:
• Provide a secure data persistence environment
• Offer security features to protect data
• Allow db-level security administration

Security Framework:
• Provide shared security services
• Manage security data for the enterprise
• Allow enterprise-level security administration

Security Interfaces:
• Provide consistent access to security services
• Embrace open, common industry standards
10. Support for Architecture Principles

Architecture Principles:
• Provides Security as a Service
• Supports Defense in Depth
• Supports Least Privilege
• Supports Information Confidentiality, Integrity, & Availability
• Provides Secure Management of Security Information
• Provides Active Threat Detection and Analysis
• Provides Secure Audit Trail
• Provides Cross-Domain Identity Federation
11. Space Between the Clouds

[Figure: the defense-in-depth layers (Data, Application / Service, Host, Internal Network, Perimeter, Physical, Policies & Procedures) drawn across Your Organization’s Private Cloud and the Cloud Provider’s Private and Public Clouds, with SaaS aligned to the Data layer, PaaS to Application / Service and IaaS to Host. The space between the clouds is bridged by Technology Integration, Identity & Access Management, and GRC Planning & Reconciliation.]
12. SaaS I&AM Patterns

[Figure: four integration patterns, A to D, between the In-House (Private) IT Environment and SaaS providers. In-house: Identity Management, Access Policy Management, Authentication, Authorization, and an STS. Provider side: Authentication, Authorization, Identity Management and Access Policy Management, in a different combination for each pattern. Exchanges shown: SAML carrying user id & attributes; SPML carrying the user id (provisioning); SAML alone; and SAML, WS-Trust, WS-Federation via the STS.]
13. Common Attacks & Cloud Computing

• Common Attacks: What types of attacks happen most frequently?
• Defense Strategies: How would you normally protect your IT resources?
• Cloud Scenario: What might be different about a Cloud environment?
14. Common Threat Summarization

• 2011 Data Breach Investigations Report (DBIR): Verizon Investigative Response Team + US Secret Service (financial & cyber fraud) + Dutch National High Tech Crime Unit
• 2010: 761 incidents, ~4 million records compromised
• 7 years: >1700 incidents, >900 million records compromised

Verizon Enterprise Risk & Incident Sharing (VERIS) Framework:
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected
15. Threat Agents - External

Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%

External agents:
• 58% Organized Criminal Groups
• 40% Unaffiliated individuals
• 2% Former Employees
• 1% Competitors

“[External Agents] created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.”

Actions (% of breaches / % of records):
1. Malware 49% / 79%
2. Hacking 50% / 89%
3. Misuse 17% / 1%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)
16. Hacking (50% of breaches, 89% of records)
Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Hacking variety (% of breaches / % of records; the number in brackets is the defensive strategy below that addresses it):
• Backdoor or command/control channel 73% / 45% [1]
• Default or guessable credentials 67% / 30% [2]
• Brute force & dictionary attacks 52% / 34% [2]
• Footprinting & fingerprinting 49% / 19% [1]
• Use of stolen login credentials 21% / 21% [2]
• SQL Injection 14% / 24% [3]
• Insufficient authentication 10% / 21% [4]
• Abuse of functionality 10% / 19%
• Buffer overflow 9% / 15% [3]

71% via remote access services (RDP, PCAnywhere, Go2Assist, LogMeIn, NetViewer, ssh, telnet, rsh, …)

Defensive Strategy:
1. Limit network/port/protocol access
2. Strengthen & change passwords
3. Protect applications from SQL injection & buffer overflows
4. Require authentication

Cloud Implications:
• Remote access may be required for public cloud maintenance & troubleshooting
• Cloud provider may control authentication & password requirements
• Cloud provider may control code base
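The two credential-related varieties and SQL injection together account for most of the hacking rows above. The following is an added example, not code from the OTN deck: a login routine written the way those findings warn against, beside a hardened one, plus a scan for accounts still on vendor defaults (strategy 2). Everything in it is constructed for illustration: the in-memory SQLite `users` table, the sample accounts, and the short default-credential list.

```python
"""Added example (not from the OTN deck): SQL injection and default
credentials, vulnerable and hardened side by side. All data is constructed."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000

# Constructed list of vendor defaults that footprinting attackers try first.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "password"), ("sa", "")]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed sample accounts. The `plain` column exists only so the
    legacy query below has something to compare; the hardened path never reads it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, plain TEXT, salt BLOB, digest BLOB)")
    for name, password in [("admin", "admin"), ("alice", "c0rrect-horse-battery")]:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, password, salt, digest))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Legacy style: string-built SQL and plaintext comparison in the database.
    A username of  admin' --  comments the password clause out entirely, and a
    password of  ' OR '1'='1  makes the WHERE clause true for every row."""
    query = f"SELECT name FROM users WHERE name = '{username}' AND plain = '{password}'"
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup (strategy 3); the hash comparison is constant time."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def accounts_on_default_credentials(conn: sqlite3.Connection) -> List[str]:
    """Strategy 2: flag accounts whose stored hash still matches a known default."""
    flagged = []
    for name, salt, stored in conn.execute("SELECT name, salt, digest FROM users ORDER BY name"):
        for default_user, default_pw in DEFAULT_CREDENTIALS:
            if default_user == name and hmac.compare_digest(stored, hash_password(default_pw, salt)[1]):
                flagged.append(name)
    return flagged
```

The hardened path fixes both rows at once: the bound parameter keeps attacker input out of the SQL grammar, and comparing salted hashes means a dumped table does not hand the attacker working passwords to reuse elsewhere (the “use of stolen login credentials” row).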
17. Malware (49% of breaches, 79% of records)
Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Infection vector (% of breaches; the numbers in brackets are the defensive strategies below that address it):
• Installed / injected by remote attacker 81% [1]
• Email 4% [2, 3]
• Web / Internet auto-executed (“drive-by” infection) 3% [2, 3]
• Web / Internet user-executed (download) 3% [2, 3]

• Designed to: open back doors, perform key logging, RAM scraping, network scanning, data capture & send, …
• 80% installed by attacker following breach of system
• Almost 100% caused by external agents

Defensive Strategy:
1. Protect systems from hacking
2. Maintain system patches, virus protection, security settings, firewalls
3. Internet Usage Policies & Awareness
4. Consider Internet-facing devices to be suspect & limit access accordingly

Cloud Implications:
• Efficacy of cloud provider’s security measures will factor into risk:
  • How are hacking threats handled?
  • How are Internet-facing devices secured and isolated?
  • How are they audited for compliance?
18. Perimeters & Internal Networks

• Limit exposure to the Internet
• Turn off unnecessary ports & protocols
• Limit exposure to management interfaces
• Don’t plug in devices that may be contaminated
• Data Loss Prevention
• VPN
  • Site to site
  • User to site
• Cloud as a DMZ
• Multi-tenancy
  • A hacker’s launch point?
19. Threat Agents - Internal

Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%

Internal agents:
• 85% Regular Employee / End User
• 22% Finance / Accounting Staff
• 11% Executive / Upper Mgmt
• 9% Helpdesk, SA, DBA, Developer

• Not as scalable as external agents
• 9% of incidents involve a combination of external and internal agents
• Fewer records but greater impact

Actions (% of breaches / % of records):
1. Malware 49% / 79%
2. Hacking 50% / 89%
3. Misuse 17% / 1%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)
20. Misuse (17% of breaches, 1% of records)
Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Misuse variety (% of misuse breaches):
• Embezzlement, skimming, & related fraud 75%
• Abuse of system access / privileges 49%
• Use of unapproved hardware / devices 39%
• Abuse of private knowledge 7%

Defensive Strategy:
1. SoD, Principle of Least Privilege access control measures
2. Auditing & Review
3. Deprovisioning users
4. Data Loss Prevention solutions

Cloud Implications:
• Cloud provider maintains some level of identity and access management
• Auditing & review up to cloud provider
• DLP up to cloud provider
• Abuse of privilege not “provider-dependent”

“…employees aren’t normally escalating their privileges in order to steal data because they don’t need to. They simply take advantage of whatever standard user privileges were granted to them by their organizations.”

“…regular employees typically seek “cashable” forms of information like payment card data, bank account numbers, and personal information.”
21. Threat Agents - Partner

Agents (% of breaches / % of records):
1. External 91% / 99%
2. Internal 16% / 1%
3. Partner <1% / <1%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)

• Includes vendors, suppliers, hosting providers, outsourced IT support
• Direct involvement has been on the decline
• Responsible involvement has not declined
• Attacks often involve a compromised remote access connection
• Poor governance, lax security, too much trust
• “Out of sight, out of mind” condition

Cloud Implications:
• Provider’s enforcement of Least Privilege and Segregation of Duties
• Provider’s contracts, policies, controls, governance, & auditing
• Secure communications channels & active threat detection
• You can’t delegate accountability
22. Administrative & Management Control

• Cloud control vs. your control
  • Where are the lines drawn?
  • Segregation of Duties, Least Privilege
• How do you measure your provider’s success?
  • How will you know if your risk is greater than expected?
• Audit & Review
  • What (objectives), by whom, how often
• Motility of Data
  • How to ensure data remnants are destroyed (digital shredding)
23. (Some of) The Good…

• Cloud providers have a deep vested interest in security
  • Must prove themselves to the market
  • Often much greater investment and attention to detail than traditional IT
• Cloud homogeneity makes security auditing/testing simpler
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Data held by an unbiased party

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
24. …The Bad…

• Multi-tenancy; need for isolation management
• High value target for hackers
• Fragmentation; creation of more silos
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
  • Exposure of data to foreign government and data subpoenas
  • Data retention issues

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
25. …& The Ugly

• Proprietary implementations
• Audit & compliance
• Availability
  • Relying on a vendor to stay in business
  • Equipment seizure (e.g. FBI - DigitalOne AG 2011)

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
26. Recommendations

Institute Defense in Depth
• Good general strategy to protect highly distributed systems (SOA, BPM, Cloud, etc.)
• Protect the whole environment, not just the perimeter

Rationalize & Consolidate
• Standardized frameworks, services, & technologies
• Holistic management, visibility, & control

Mind The Gap(s)
• Technology: Secure integration
• Identity & Access Management
• Policies, Procedures, Audits, Attestation, GRC
Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies