Your servers are just as important as your code
•Descargar como PPTX, PDF•
0 recomendaciones•367 vistas
The document discusses the importance of server security and highlights key cloud security risks. It begins by establishing that servers are critical for storing customer data and content. The main sections cover the role of servers, cloud computing models, and the top 4 OWASP cloud security risks: accountability and data risks, issues with managing user identities across providers, challenges with regulatory compliance given data locations, and ensuring business continuity during outages. The document emphasizes that both data owners and cloud providers share responsibility for security and compliance.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Your servers are just as important as your code
Similar a Your servers are just as important as your code (20)
Último
Último (20)
Your servers are just as important as your code
- 1. Your only as strong as your weakest link Why your servers are just as important as your code
- 2. Edward Ogden https://www.linkedin.com/in/edward-ogden-705b84a8 ● Devops engineer ● SysAdmin (Site Reliability Engineer) ● Web Development ● IT Support
- 3. What’s to talk about? ● The role of a server ● Cloud Computing ● OWASP Top 10 Cloud Security Risk ● Future of hosting
- 4. The role of a server ● Serving customers with web/app content ● Data - Personal information - Finance details ● Storage Types of servers ● Cloud ● Datacenter ● On Prem ● Psychical computer ● Household kit
- 5. Cloud Computing So what is cloud hosting? ● On-demand self-service ● Broad network access ● Resource pooling ● Rapid elasticity ● Measured service Service models ● Infrastructure as a service (IaaS) ● Platform as a service (PaaS) ● Software as a service (SaaS) (National Institute of Standards and Technology)
- 6. OWASP Top 10 Cloud Security Risk (Source OWASP)
- 7. R1:Accountability and Data Risk What can be done? 1. Understand how the cloud provider secures that data, and how they detect and report compromises. 2. Geographical location of your data. 3. Know the situations in which a third party or government can seize the data. 4. Verify that the provider destroys your data when its deleted. 5. Check the providers SLA and T&C’s on where the responsibility lays if the provider is breached. July 15th 2009 Twitter disclosed that a hacker accessed a substantial amount of company data stored on Google Apps. What was the cause? Hacker hijacked an employee's official email account that had a weak password. OWASP Cloud Security Project
- 8. R2: Islands of User Identities Risks: ● Managing identities across multiple providers ● Less control over user lifecycle (off-boarding) ● User experience Mitigations ● Federated Identity ● OAuth for backend integrations ● Tighter user provisioning controls OWASP Cloud Security Project
- 9. R3: Regulatory Compliance You or your customers are responsible for the security and compliance with regulatory laws. Risks: ● Data that is perceived to be secure in one country may not be perceived secure in another country/region ● Lack of transparency in the underlying implementations makes it difficult for data owners to demonstrate compliance( SOX/HIPAA etc.) ● Lack of consistent standards and requirements for global regulatory compliance –data governance can no longer be viewed from a point-to-point data flow perspective but rather a multi-point to multi- point. ● European Union (EU) has very strict privacy laws and hence data stored in US may not comply with those EU laws (US Patriot Act allows federal agencies limitless powers to access any corporate data etc) OWASP Cloud Security Project
- 10. R4: Business Continuity and Resiliency March 2009 Microsoft Azure suffered an outage over a weekend. Risks: ● Lack of know-how and capabilities needed. ● Cloud provider may be acquired by a consumers competitor. ● Monetary losses due o outages Mitigations: ● Ensure customers Recovery Time Objectives (RTOs) are fully understood. ● Confirm that the cloud provider has an existing Business Continuity Policy. ● Check if the cloud provider has an active management support and a periodic review of the Business Continuity Program. ● Verify whether the cloud provider's Business Continuity Program is certified and/or mapped to internationally recognized standards such as BS 25999. OWASP Cloud Security Project
- 11. Future of hosting ● Serverless ● Containers (Docker/Kubernetes) ● NoSQL ● Migration from on prem to Cloud ● Automation
Notas del editor
- OWASP has created a list of the top 10 cloud security risks, lets go through some of them now. In traditional storage methods, with the complete control of the data center, an organization can protect their data on their own both physically and logically. When it comes to cloud computing, several organizations are opting for the public clouds for their business, where the cloud service provider has the control over the data, not the data owners. If an organization is moving their services and application from one cloud provider to another, they should have proper control over their user credentials. Instead of allowing the cloud providers to maintain identities causing authentication overhead to users, organizations are using user identity federation. The approach involves SAML (Security Assertion Markup Language), an open source protocol that allows single sign-on across multiple cloud service providers. It eliminates multiple identities allocated to an individual user. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity. (Pankaj, Shankar). About Service Continuity and QoS, one have to ensure about the contractual solutions proposed by the Operator of Cloud, and the Service Level Agreement as well.
- Real-world incident: On July 15, 2009, Twitter disclosed that a hacker accessed a substantial amount of company data stored on Google Apps by first hijacking a Twitter employee's official e-mail account. Through the breach had more to do with weak passwords and password resets, the incident has nevertheless drawn fresh attention to broader security and privacy concerns related to cloud computing.
- Real-world incident: Windows Azure, Microsoft's cloud computing platform, suffered an outage over a weekend in March, 2009. If your organization was using this service, how would the outage have affected the organization's ability to conduct business? Microsoft would own the responsibility to fix the issue and not the IT team of your organization.