Cloud Computing Security Session

Cloud Computing Security Session Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

Cloud Computing Security Session III • Presentation Overview • Cloud Application Security (AppSec) Overview • Virtualization Security Overview

Cloud Computing Security Session III • Cloud AppSec Overview • Why AppSec in the Cloud? • Open Web Application Security Project (OWASP) • Top 10 AppSec Vulnerabilities • Cloud = New AppSec Attack Vectors • Secure Coding • Tools, Tips & Tricks

Cloud Computing Security Session III • Why AppSec in the Cloud? • As of 2009: • 62% of Breaches Dealt with AppSec Vulns • 90% of Hacker Tools Focused on Apps

Cloud Computing Security Session III • OWASP Top 10

Cloud Computing Security Session III • Cloud = New AppSec Attack Vectors • Cloud Service Provider (CSPs) Provided • Application Programming Interfaces (APIs) • Svce-Oriented Arch (SOA) / Web Services • Distributed Database Systems (DDS) • SQL Injection • Authentication / Authorization • Encryption • Public Storage • Insecure Direct Object References

Cloud Computing Security Session III • Secure Coding • Software Assurance • Security Development Lifecycle (SDL / C) Source: Microsoft

Cloud Computing Security Session III • Top Ten Best Practices for Secure Software Source: ISC2

Cloud Computing Security Session III • Tools, Tips & Tricks • Tools • Firewalls • Cloud Vulnerability Scanners • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)

Cloud Computing Security Session III • Tools • Firewalls • Web Application Firewalls (WAF) • XML Firewalls • Database Firewalls (DBF) • Cloud Vulnerability Scanners • CSP Specific • CloudInspect • Generic • AppScan

Cloud Computing Security Session III • Firewalls • WAFs Source: Imperva

Cloud Computing Security Session III • XML Firewalls Source: SANS

Cloud Computing Security Session III • DBFs Source: Oracle

Cloud Computing Security Session III • Cloud Vulnerability Scanners • CloudInspect • McAfee’s Database Security Scanner (DSS)

Cloud Computing Security Session III

Cloud Computing Security Session III • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)

Cloud Computing Security Session III • Virtualization Security Overview • Infrastructure • Threats / Attack Vectors • Tools, Tips & Tricks

Cloud Computing Security Session III • Virtual Infrastructure • Hypervisors / Virtual Machine Monitors (VMMs) • Virtual Local Area Networks (VLANs) • Virtual Routing & Switching • Virtual Firewalls • Virtual Desktop Infrastructure (VDI)

Type I Hypervisor Source: Virtuatopia

Citrix Xen Source: Virtuatopia Source: Citrix

VMware ESX/i Source: VMware

AWS Proprietary Hypervisor Source: Amazon

Type II Hypervisor Source: Virtuatopia

Microsoft Hyper-V Source: Microsoft

Cloud Computing Security Session III • VLANs • Virtual Routing & Switching

Cloud Computing Security Session III Source: VPN-Cubed

Source: VPN-Cubed

Source: Amazon

Source: Rackspace

Cloud Computing Security Session III • Virtual Firewalls • Bridged Virtual Firewalls • Hypervisor Virtual Firewalls

Cloud Computing Security Session III Source: FireRack

Cloud Computing Security Session III

Cloud Computing Security Session III • VDI Source: VMware

Cloud Computing Security Session III • Virtual Threats / Attack Vectors • VM Specific • Rootkits • Improper Change / Configuration Management

Cloud Computing Security Session III • VM Specific Threats / Attack Vectors • Hopping – One VM to Another • Sprawl – Unmanaged • Escape – Escapes to the Hypervisor (via Rootkit) • Theft – Data Loss • Hyperjacking – Rogue Hypervisor

Cloud Computing Security Session III • Rootkit Threats / Attack Vectors • What is a Rootkit?

Cloud Computing Security Session III • Improper Virtual Change / Configuration Mgmt • Access Controls

Cloud Computing Security Session III • Virtual Security Tools, Tips & Tricks • Tools • VM Management / Monitoring • Tips & Tricks • Cloud Security Alliance (CSA) Research • Virtual Audits • VM Risk Mitigation Strategies

Cloud Computing Security Session III • VM Management / Monitoring • VMware • vCenter (Protect Essentials Plus) • vShield • Microsoft System Ctr Virtual Machine Mgr (SCVMM) • Savvis Secure VM • Reflex Virtualization Management Center (VMC) • Cisco • Virtual Security Gateway • Virtual Network Management Center

Cloud Computing Security Session III • VM Risk Mitigation Strategies • Grouping – Segmenting VMs • Generalization – Base Configuration • Aspect-Oriented Management – Tiering • Automation – Streamlined Provisioning • Air Gapping – Silod Networks / VLANs

Questions? • Contact • Email: steve@ncontrol-llc.com • Twitter: @markes1, @csadelval2011 • LI: http://www.linkedin.com/in/smarkey

Cloud Computing Security Session

Cloud Computing Security Session

Presentation Transcript

Cloud Computing Security Considerations

Cloud Computing Security

Cloud Computing Security

Cloud Computing Security

Security in Cloud Computing

Security in Cloud Computing

Cloud Computing Security

Cloud Computing Infrastructure Security

Session 3 : Cloud Computing

Security of Cloud Computing

CLOUD COMPUTING SECURITY

Cloud Computing Security

Cloud Computing Security Session

Cloud Computing Security

Cloud Computing - Security

Cloud Computing Security Research

Cloud Computing Security Considerations

Security in Cloud Computing

Cloud Computing Security Knowledge

Cloud Computing Security - Cloud Security Controls

Cloud Computing Security | Cloud Security | Audit Checklist

Cloud Computing Security Considerations