Cloud Computing Security Session Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
Cloud Computing Security Session III • Presentation Overview • Cloud Application Security (AppSec) Overview • Virtualization Security Overview
Cloud Computing Security Session III • Cloud AppSec Overview • Why AppSec in the Cloud? • Open Web Application Security Project (OWASP) • Top 10 AppSec Vulnerabilities • Cloud = New AppSec Attack Vectors • Secure Coding • Tools, Tips & Tricks
Cloud Computing Security Session III • Why AppSec in the Cloud? • As of 2009: • 62% of Breaches Dealt with AppSec Vulns • 90% of Hacker Tools Focused on Apps
Cloud Computing Security Session III • OWASP Top 10
Cloud Computing Security Session III • Cloud = New AppSec Attack Vectors • Cloud Service Provider (CSP) Provided • Application Programming Interfaces (APIs) • Service-Oriented Architecture (SOA) / Web Services • Distributed Database Systems (DDS) • SQL Injection • Authentication / Authorization • Encryption • Public Storage • Insecure Direct Object References
Cloud Computing Security Session III • Secure Coding • Software Assurance • Security Development Lifecycle (SDL / C) Source: Microsoft
Cloud Computing Security Session III • Top Ten Best Practices for Secure Software Source: ISC2
Cloud Computing Security Session III • Tools, Tips & Tricks • Tools • Firewalls • Cloud Vulnerability Scanners • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)
Cloud Computing Security Session III • Tools • Firewalls • Web Application Firewalls (WAF) • XML Firewalls • Database Firewalls (DBF) • Cloud Vulnerability Scanners • CSP Specific • CloudInspect • Generic • AppScan
Cloud Computing Security Session III • Firewalls • WAFs Source: Imperva
Cloud Computing Security Session III • XML Firewalls Source: SANS
Cloud Computing Security Session III • DBFs Source: Oracle
Cloud Computing Security Session III • Cloud Vulnerability Scanners • CloudInspect • McAfee’s Database Security Scanner (DSS)
Cloud Computing Security Session III • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)
Cloud Computing Security Session III • Virtualization Security Overview • Infrastructure • Threats / Attack Vectors • Tools, Tips & Tricks
Cloud Computing Security Session III • Virtual Infrastructure • Hypervisors / Virtual Machine Monitors (VMMs) • Virtual Local Area Networks (VLANs) • Virtual Routing & Switching • Virtual Firewalls • Virtual Desktop Infrastructure (VDI)
Type I Hypervisor Source: Virtuatopia
Citrix Xen Source: Virtuatopia Source: Citrix
VMware ESX/i Source: VMware
AWS Proprietary Hypervisor Source: Amazon
Type II Hypervisor Source: Virtuatopia
Microsoft Hyper-V Source: Microsoft
Cloud Computing Security Session III • VLANs • Virtual Routing & Switching
Cloud Computing Security Session III Source: VPN-Cubed
Cloud Computing Security Session III • Virtual Firewalls • Bridged Virtual Firewalls • Hypervisor Virtual Firewalls
Cloud Computing Security Session III Source: FireRack
Cloud Computing Security Session III • VDI Source: VMware
Cloud Computing Security Session III • Virtual Threats / Attack Vectors • VM Specific • Rootkits • Improper Change / Configuration Management
Cloud Computing Security Session III • VM Specific Threats / Attack Vectors • Hopping – One VM to Another • Sprawl – Unmanaged • Escape – Escapes to the Hypervisor (via Rootkit) • Theft – Data Loss • Hyperjacking – Rogue Hypervisor
Cloud Computing Security Session III • Rootkit Threats / Attack Vectors • What is a Rootkit?
Cloud Computing Security Session III • Improper Virtual Change / Configuration Management • Access Controls
Cloud Computing Security Session III • Virtual Security Tools, Tips & Tricks • Tools • VM Management / Monitoring • Tips & Tricks • Cloud Security Alliance (CSA) Research • Virtual Audits • VM Risk Mitigation Strategies
Cloud Computing Security Session III • VM Management / Monitoring • VMware • vCenter (Protect Essentials Plus) • vShield • Microsoft System Center Virtual Machine Manager (SCVMM) • Savvis Secure VM • Reflex Virtualization Management Center (VMC) • Cisco • Virtual Security Gateway • Virtual Network Management Center
Cloud Computing Security Session III • VM Risk Mitigation Strategies • Grouping – Segmenting VMs • Generalization – Base Configuration • Aspect-Oriented Management – Tiering • Automation – Streamlined Provisioning • Air Gapping – Siloed Networks / VLANs
Questions? • Contact • Email: steve@ncontrol-llc.com • Twitter: @markes1, @csadelval2011 • LI: http://www.linkedin.com/in/smarkey