1 / 44

Cloud Computing Security Session

Cloud Computing Security Session. Steven C. Markey , MSIS, PMP, CISSP , CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal). Cloud Computing Security Session III. Presentation Overview

mairi
Télécharger la présentation

Cloud Computing Security Session

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cloud Computing Security Session Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

  2. Cloud Computing Security Session III • Presentation Overview • Cloud Application Security (AppSec) Overview • Virtualization Security Overview

  3. Cloud Computing Security Session III • Cloud AppSec Overview • Why AppSec in the Cloud? • Open Web Application Security Project (OWASP) • Top 10 AppSec Vulnerabilities • Cloud = New AppSec Attack Vectors • Secure Coding • Tools, Tips & Tricks

  4. Cloud Computing Security Session III • Why AppSec in the Cloud? • As of 2009: • 62% of Breaches Dealt with AppSec Vulns • 90% of Hacker Tools Focused on Apps

  5. Cloud Computing Security Session III • OWASP Top 10

  6. Cloud Computing Security Session III • Cloud = New AppSec Attack Vectors • Cloud Service Provider (CSPs) Provided • Application Programming Interfaces (APIs) • Svce-Oriented Arch (SOA) / Web Services • Distributed Database Systems (DDS) • SQL Injection • Authentication / Authorization • Encryption • Public Storage • Insecure Direct Object References

  7. Cloud Computing Security Session III • Secure Coding • Software Assurance • Security Development Lifecycle (SDL / C) Source: Microsoft

  8. Cloud Computing Security Session III • Top Ten Best Practices for Secure Software Source: ISC2

  9. Cloud Computing Security Session III • Tools, Tips & Tricks • Tools • Firewalls • Cloud Vulnerability Scanners • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)

  10. Cloud Computing Security Session III • Tools • Firewalls • Web Application Firewalls (WAF) • XML Firewalls • Database Firewalls (DBF) • Cloud Vulnerability Scanners • CSP Specific • CloudInspect • Generic • AppScan

  11. Cloud Computing Security Session III • Firewalls • WAFs Source: Imperva

  12. Cloud Computing Security Session III • XML Firewalls Source: SANS

  13. Cloud Computing Security Session III • DBFs Source: Oracle

  14. Cloud Computing Security Session III • Cloud Vulnerability Scanners • CloudInspect • McAfee’s Database Security Scanner (DSS)

  15. Cloud Computing Security Session III

  16. Cloud Computing Security Session III

  17. Cloud Computing Security Session III • Tips & Tricks • Code Reviews / Audits • Coding Conventions • Outsource • Security as a Service (SaaS) • Monitoring as a Service (MaaS)

  18. Cloud Computing Security Session III • Virtualization Security Overview • Infrastructure • Threats / Attack Vectors • Tools, Tips & Tricks

  19. Cloud Computing Security Session III • Virtual Infrastructure • Hypervisors / Virtual Machine Monitors (VMMs) • Virtual Local Area Networks (VLANs) • Virtual Routing & Switching • Virtual Firewalls • Virtual Desktop Infrastructure (VDI)

  20. Type I Hypervisor Source: Virtuatopia

  21. Citrix Xen Source: Virtuatopia Source: Citrix

  22. VMware ESX/i Source: VMware

  23. AWS Proprietary Hypervisor Source: Amazon

  24. Type II Hypervisor Source: Virtuatopia

  25. Microsoft Hyper-V Source: Microsoft

  26. Cloud Computing Security Session III • VLANs • Virtual Routing & Switching

  27. Cloud Computing Security Session III Source: VPN-Cubed

  28. Source: VPN-Cubed

  29. Source: VPN-Cubed

  30. Source: Amazon

  31. Source: Rackspace

  32. Cloud Computing Security Session III • Virtual Firewalls • Bridged Virtual Firewalls • Hypervisor Virtual Firewalls

  33. Cloud Computing Security Session III Source: FireRack

  34. Cloud Computing Security Session III

  35. Cloud Computing Security Session III • VDI Source: VMware

  36. Cloud Computing Security Session III • Virtual Threats / Attack Vectors • VM Specific • Rootkits • Improper Change / Configuration Management

  37. Cloud Computing Security Session III • VM Specific Threats / Attack Vectors • Hopping – One VM to Another • Sprawl – Unmanaged • Escape – Escapes to the Hypervisor (via Rootkit) • Theft – Data Loss • Hyperjacking – Rogue Hypervisor

  38. Cloud Computing Security Session III • Rootkit Threats / Attack Vectors • What is a Rootkit?

  39. Cloud Computing Security Session III • Improper Virtual Change / Configuration Mgmt • Access Controls

  40. Cloud Computing Security Session III • Virtual Security Tools, Tips & Tricks • Tools • VM Management / Monitoring • Tips & Tricks • Cloud Security Alliance (CSA) Research • Virtual Audits • VM Risk Mitigation Strategies

  41. Cloud Computing Security Session III • VM Management / Monitoring • VMware • vCenter (Protect Essentials Plus) • vShield • Microsoft System Ctr Virtual Machine Mgr (SCVMM) • Savvis Secure VM • Reflex Virtualization Management Center (VMC) • Cisco • Virtual Security Gateway • Virtual Network Management Center

  42. Cloud Computing Security Session III • VM Risk Mitigation Strategies • Grouping – Segmenting VMs • Generalization – Base Configuration • Aspect-Oriented Management – Tiering • Automation – Streamlined Provisioning • Air Gapping – Silod Networks / VLANs

  43. Questions? • Contact • Email: steve@ncontrol-llc.com • Twitter: @markes1, @csadelval2011 • LI: http://www.linkedin.com/in/smarkey

More Related