Cloud Computing Security Session Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
Cloud Computing Security Session II • Presentation Overview • General Security Overview • Business Continuity / Disaster Recovery (BCP / DR) • Physical Security • Human Resource Management • Authentication, Authorization & Accounting (AAA) • Identity & Access Management (IAM) • Encryption
Cloud Computing Security Session II • BCP / DR • Recovery Time Objective (RTO) • Recovery Point Objective (RPO) • Business Impact Assessment (BIA)
Cloud Computing Security Session II • Physical Security • Building Access Controls • Data Center / Privileged Access Controls • Fire Suppression • Visitor Access Logs • Surveillance
Cloud Computing Security Session II • Human Resource Management • Separation / Segregation of Duties • Defined Roles and Responsibilities • Criminal Background Checks • Credit Checks • Disciplinary Records
Cloud Computing Security Session II • AAA • Logging • Monitoring • Incident Response
Cloud Computing Security Session II • IAM • Single Sign-On (SSO) • Allows a user to authenticate once and gain access to multiple systems / apps • Reduces password fatigue • Caveat: one compromised SSO credential or session now opens every connected system, so the identity provider needs strong (multi-factor) authentication, short session lifetimes and its own logging • Implementations • Externally • One-Time Password (OTP) / Tokenization • Federated Identity / Tokenization • Smart Card • Remote Authentication Dial-In User Service (RADIUS) • Internally • Kerberos • Lightweight Directory Access Protocol (LDAP)
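The One-Time Password (OTP) item on the slide above is the one piece of this list that fits in a few dozen lines, so here is an added example (not from the original deck): HOTP (RFC 4226) and TOTP (RFC 6238) in Go, standard library only, with the server-side check that an identity provider or RADIUS back end would run against a submitted code. The function names, the 30-second step, the one-step skew window and the demo secret (the RFC test-vector key, constructed input) are my assumptions, not anything from the presentation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"strconv"
	"time"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code)
}

// totp is RFC 6238: HOTP with the counter derived from Unix time / step.
func totp(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(t.Unix())/uint64(step.Seconds()), digits)
}

// verifyTOTP is the server side. It accepts the current step and one step on
// either side (client/server clock skew is the usual failure mode) and compares
// in constant time. The loop never returns early on a match, so elapsed time
// does not reveal which slot matched. A production verifier must also record
// the accepted counter so the same code cannot be replayed within the window.
func verifyTOTP(secret []byte, candidate string, now time.Time, step time.Duration, digits int) bool {
	counter := now.Unix() / int64(step.Seconds())
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		want := hotp(secret, uint64(counter+delta), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(candidate)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 4226 / RFC 6238 test-vector secret (constructed input, not a real key).
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("HOTP counter %d: %s\n", c, hotp(secret, c, 6))
	}
	fmt.Println("TOTP at t=59s:", totp(secret, time.Unix(59, 0), 30*time.Second, 8))
	fmt.Println("accepted one step late:", verifyTOTP(secret, "94287082", time.Unix(89, 0), 30*time.Second, 8))
	fmt.Println("accepted three steps late:", verifyTOTP(secret, "94287082", time.Unix(150, 0), 30*time.Second, 8))
}
```

With the RFC test key the program prints the published vectors (755224, 287082, 359152 for counters 0 to 2; 94287082 at t = 59 s), accepts the t = 59 s code one step later and rejects it three steps later. The secret must be stored and provisioned like any other credential; an attacker who reads it from the server can generate every future code.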
Cloud Computing Security Session II • IAM Technologies • Federated Identity • OpenID • OAuth (delegated authorization; not by itself an authentication protocol) • Security Assertion Markup Language (SAML) • WS-Trust (Web Services Trust Language) • Representational State Transfer (REST) • Active Directory Federation Services (ADFS) • Microsoft Federation Gateway (MFG)
Cloud Computing Security Session II • IAM Technologies • Kerberos • Created at MIT • (Mostly) Internal Network Authentication • Implementations • Linux • Windows Active Directory (AD)
Cloud Computing Security Session II • Encryption • Data at Rest (DAR) • Data in Use (DIU) • Data in Motion (DIM)
Cloud Computing Security Session II • DAR • Full Disk Encryption • Object / Volume Encryption • Database Table, Column or Field Encryption
Cloud Computing Security Session II • DIU • Email Message Encryption • File Encryption
Cloud Computing Security Session II • DIM • Public Key Infrastructure (PKI)
Cloud Computing Security Session II • PKI • Certificate-based authentication: an alternative to (or a factor in) two-factor (2F) authentication • Public Key End Point • Analogy -- Yellow Pages: the directory maps a person to a telephone number; a certificate binds an identity to a public key • Information Security (InfoSec) Triad • CIA: Confidentiality, Integrity & Availability • PKI: C & I (plus authentication of the key holder) • Deployments • HTTPS (HTTP & SSL / TLS), SSL VPN, SSH, SFTP • S/MIME • WLAN (802.1X, EAP-TTLS) • IPSec (VPN)
Cloud Computing Security Session II • Crypto Terms • Encryption • Takes input data and a secret key and outputs data that appears to bear no relation to the input; the key reverses the transformation. • Hashing • Takes input data of any length and outputs a fixed-size digest; for a sound hash it is computationally infeasible to find two inputs with the same digest or an input for a given digest. A bare hash does not authenticate data (anyone can recompute it); HMAC adds a key for that. • Symmetric Key • Same key to encrypt / decrypt data – the receiver is known and already shares the secret • Asymmetric Key • Different keys (public / private) to encrypt / decrypt data – the receiver need not share a secret in advance, only publish a public key
Cloud Computing Security Session II • Crypto Examples • Symmetric Key • Deployment: IPSec (AH, ESP), Database, Tape, DRM • Asymmetric Key • Deployment: HTTPS (HTTP & SSL / TLS), WLAN, IPSec (IKE), S/MIME, SSH, SFTP • Hash Functions • MD5, SHA-1, SHA-2, SHA-3 (MD5 and SHA-1 have practical collision attacks; use SHA-2 or SHA-3 for signatures and integrity) • HMAC: keyed construction over any of these for message authentication • Encryption • Symmetric Algorithms: AES, Twofish, Serpent, DES, Triple DES (TDES) (DES falls to brute force and TDES is deprecated; AES is the default choice) • Asymmetric Algorithms: Diffie-Hellman (key agreement), RSA, ECC (ECDH / ECDSA), DSA (signatures only), ElGamal
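The four terms and the algorithm families on the two slides above are easier to see side by side in code. The following is an added example, not part of the original presentation: Go standard-library calls for a hash (SHA-256), a keyed hash (HMAC-SHA256), a symmetric cipher (AES-256-GCM) and an asymmetric cipher (RSA-OAEP), each with the failure case the term implies (wrong key, modified message, modified ciphertext). Function names and the demo key and message are assumptions and constructed input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sha256Hex: a hash maps input of any length to a fixed-size digest (32 bytes
// for SHA-256). It is one-way and collision-resistant but not secret: anyone
// can recompute it, so a bare hash does not authenticate data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// hmacTag / hmacVerify: HMAC keys the hash so that only a holder of the key
// can produce or check the tag. hmac.Equal compares in constant time.
func hmacTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func hmacVerify(key, data, tag []byte) bool {
	return hmac.Equal(hmacTag(key, data), tag)
}

// symEncrypt / symDecrypt: AES-256-GCM. The same 32-byte key encrypts and
// decrypts, so both parties must already share it. GCM also authenticates
// the ciphertext: a modified ciphertext fails to open rather than yielding garbage.
func symEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func symDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// newRSAKey wraps key generation; 2048 bits is the current minimum.
func newRSAKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// asymEncrypt / asymDecrypt: RSA-OAEP. Anyone holding the public key can
// encrypt for the receiver; only the private key decrypts. No prior shared
// secret is needed, which is why this family bootstraps TLS, SSH and S/MIME.
func asymEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func asymDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys come from a KMS or KDF
	msg := []byte("attack at dawn")
	fmt.Println("SHA-256:", sha256Hex(msg))
	fmt.Println("HMAC ok with right key:", hmacVerify(key, msg, hmacTag(key, msg)))
	sealed, _ := symEncrypt(key, msg)
	opened, _ := symDecrypt(key, sealed)
	fmt.Printf("AES-GCM round trip: %q\n", opened)
	sealed[len(sealed)-1] ^= 1
	_, err := symDecrypt(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
	priv, _ := newRSAKey(2048)
	ct, _ := asymEncrypt(&priv.PublicKey, msg)
	pt, _ := asymDecrypt(priv, ct)
	fmt.Printf("RSA-OAEP round trip: %q\n", pt)
}
```

In practice the two families are combined: the asymmetric step carries or agrees a fresh symmetric key, and the bulk data is protected with AES and a MAC (or an AEAD mode such as GCM), which is the pattern behind every deployment in the asymmetric list above.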
Cloud Computing Security Session II • [Figure: Ciphertext]
Cloud Computing Security Session II • PKI Technical Components • Certificate / Registration Authority (CA / RA) Server • RA vets the requester; CA issues X.509 certificates (PKIX) • Generates CRLs • Hosts the CA signing private key (the most sensitive asset in the PKI: keep it in an HSM, and keep the root offline) • PKI Clients • Outlook • Browsers: Safari, IE, Firefox • Wireless NIC (802.1X supplicant) • Revocation Server OR OCSP Server • Revocation Server hosts CRLs; an OCSP responder answers per-certificate status queries instead of the client downloading the whole list • More on OCSP later
Cloud Computing Security Session II • Digital Signature • Code Signing • Digital Certificate • X.509
Questions? • Contact • Email: steve@ncontrol-llc.com • Twitter: @markes1, @csadelval2011 • LI: http://www.linkedin.com/in/smarkey