The document discusses the importance of server security and highlights key cloud security risks. It begins by establishing that servers are critical for storing customer data and content. The main sections cover the role of servers, cloud computing models, and the top 4 OWASP cloud security risks: accountability and data risks, issues with managing user identities across providers, challenges with regulatory compliance given data locations, and ensuring business continuity during outages. The document emphasizes that both data owners and cloud providers share responsibility for security and compliance.
3. What’s to talk about?
● The role of a server
● Cloud Computing
● OWASP Top 10 Cloud Security Risks
● Future of hosting
4. The role of a server
● Serving customers with web/app content
● Data
- Personal information
- Finance details
● Storage
Types of servers
● Cloud
● Datacenter
● On Prem
● Physical computer
● Household kit
5. Cloud Computing
So what is cloud hosting?
● On-demand self-service
● Broad network access
● Resource pooling
● Rapid elasticity
● Measured service
Service models
● Infrastructure as a service (IaaS)
● Platform as a service (PaaS)
● Software as a service (SaaS)
(National Institute of Standards and Technology)
7. R1: Accountability and Data Risk
What can be done?
1. Understand how the cloud provider secures that data, and how they detect and report compromises.
2. Know the geographical location of your data.
3. Know the situations in which a third party or government can seize the data.
4. Verify that the provider destroys your data when it is deleted.
5. Check the provider's SLA and T&Cs on where the responsibility lies if the provider is breached.
July 15th 2009
Twitter disclosed that a hacker accessed a substantial amount of company data stored on Google Apps.
What was the cause?
Hacker hijacked an employee's official email account that had a weak password.
OWASP Cloud Security Project
8. R2: Islands of User Identities
Risks:
● Managing identities across multiple providers
● Less control over user lifecycle (off-boarding)
● User experience
Mitigations
● Federated Identity
● OAuth for backend integrations
● Tighter user provisioning controls
9. R3: Regulatory Compliance
You or your customers are responsible for the security and compliance with regulatory laws.
Risks:
● Data that is perceived to be secure in one country may not be perceived to be secure in another country/region
● Lack of transparency in the underlying implementations makes it difficult for data owners to demonstrate compliance (SOX, HIPAA, etc.)
● Lack of consistent standards and requirements for global regulatory compliance: data governance can no longer be viewed from a point-to-point data flow perspective but rather a multi-point to multi-point one.
● The European Union (EU) has very strict privacy laws, hence data stored in the US may not comply with those EU laws (the US Patriot Act allows federal agencies limitless powers to access any corporate data, etc.)
10. R4: Business Continuity and Resiliency
March 2009
Microsoft Azure suffered an outage over a weekend.
Risks:
● Lack of the know-how and capabilities needed.
● The cloud provider may be acquired by a consumer's competitor.
● Monetary losses due to outages
Mitigations:
● Ensure customers' Recovery Time Objectives (RTOs) are fully understood.
● Confirm that the cloud provider has an existing Business Continuity Policy.
● Check whether the cloud provider has active management support and a periodic review of the Business Continuity Program.
● Verify whether the cloud provider's Business Continuity Program is certified and/or mapped to internationally recognized standards such as BS 25999.
11. Future of hosting
● Serverless
● Containers (Docker/Kubernetes)
● NoSQL
● Migration from on prem to Cloud
● Automation
OWASP has created a list of the top 10 cloud security risks; let's go through some of them now.
In traditional storage methods, with the complete control of the data center, an organization can protect their data on their own both physically and logically. When it comes to cloud computing, several organizations are opting for the public clouds for their business, where the cloud service provider has the control over the data, not the data owners.
If an organization is moving its services and applications from one cloud provider to another, it should have proper control over its user credentials. Instead of allowing each cloud provider to maintain identities, which causes authentication overhead for users, organizations are using user identity federation. The approach involves SAML (Security Assertion Markup Language), an open standard that allows single sign-on across multiple cloud service providers. It eliminates the multiple identities allocated to an individual user.
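Federation (the R2 mitigations above and this note) only removes the identity islands if the relying party actually validates what the identity provider asserts. As an added example that is not part of the slides or the OWASP project, the service-provider-side checks on a SAML 2.0 assertion: issuer, validity window, audience and signature presence. The idp/sp.example.org names and the sample assertion are constructed; verifying the XML signature itself needs an xmldsig library and is left out.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_ts(value):
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z"
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Return a list of findings; an empty list means the assertion passes these checks."""
    now, findings = parse_ts(now_iso), []
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        findings.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_ts(nb):
            findings.append("not yet valid")
        if na is None:
            findings.append("no expiry")
        elif now >= parse_ts(na):
            findings.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append("audience mismatch")
    if root.find("ds:Signature", NS) is None:
        findings.append("unsigned")  # presence only; a real SP must verify the XML-DSig against the IdP key
    return findings

# Constructed sample assertion; idp/sp.example.org are hypothetical names, not real endpoints
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    # Within the 5-minute window and addressed to us: expect no findings
    print(validate_assertion(SAMPLE, "https://idp.example.org", "https://sp.example.org", "2024-01-01T12:01:00Z"))
```

A replayed assertion (past NotOnOrAfter) or one minted for a different service provider fails the window or audience check even when the issuer is the legitimate identity provider.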
Data that is perceived to be secure in one country may not be perceived to be secure in another due to different regulatory laws across countries or regions. For example, the European Union has very strict privacy laws, hence data stored in the US may not comply with those EU laws.
Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In the case of an organization that uses the cloud, the responsibility for business continuity gets delegated to the cloud provider. This creates the risk that the organization does not have appropriate business continuity. (Pankaj, Shankar). Regarding Service Continuity and QoS, one has to verify the contractual solutions proposed by the cloud operator, and the Service Level Agreement as well.
Real-world incident: On July 15, 2009, Twitter disclosed that a hacker accessed a substantial amount of company data stored on Google Apps by first hijacking a Twitter employee's official e-mail account. Though the breach had more to do with weak passwords and password resets, the incident has nevertheless drawn fresh attention to broader security and privacy concerns related to cloud computing.
Real-world incident: Windows Azure, Microsoft's cloud computing platform, suffered an outage over a weekend in March, 2009. If your organization was using this service, how would the outage have affected the organization's ability to conduct business? Microsoft would own the responsibility to fix the issue and not the IT team of your organization.