Professional Documents
Culture Documents
Cloud Top10 Security Risks PDF
Cloud Top10 Security Risks PDF
com
Cisco
Business .. Google docs to share
.. Facebook/MySpace Cisco documents within
User
to collaborate with team.
companys customer.
Cloud Taxonomy
Risk Mitigations
Q&A
Cisco Public 4
Cloud Industry Adoption Trend
(Source Gartner)
Cisco Public 5
Cloud Taxonomy
Service Models Deployment Models
Software as a Public
Service (SaaS)
Private
Platform as a
Service (PaaS)
Hybrid
Infrastructure as a
Service (IaaS) Community
Cisco Public 7
Cloud Top 10 - Approach
Easily Executable
Most Damaging
Incidence Frequency
ISC2
CSA Industry
Experience
Publications
IDC
NIST News
OWASP
Cloud Top 10
Cisco Public 8
Cloud Top 10 Risks
R1: Accountability & Data Risk
Application
Organization fully accountable
for security at all layers
Web/App/DB server
Computing
Network
Storage
Accountable
Accountable Storage
Application
Web/App/DB server
PaaS Computing
Network
Storage
Application
Web/App/DB server
IaaS Computing
Network
* Few exceptions Storage
Cisco Public 11
R1: Data Risk
How sensitive is the data?
Informal blogs
Twitter posts
Public news
Newsgroup messages
Health records
Criminal records
Credit history
Payroll
Security Risks
1. Managing
Identities across
multiple providers
2. Less control over
user lifecycle (off-
boarding)
3. User experience
Enterprise
Cisco Public 14
R2: Mitigation: User Identity Federation
Mitigations
SAML 1. Federated Identity
2. OAuth for backend
integrations
3. Tighter user
provisioning
controls
Identity Federation
Cisco Public 15
R3: Regulatory Compliance
Data that is perceived to be secure in one Lack of transparency in
country may not be perceived the underlying
secure in another country/region implementations makes it
difficult for data owners to
Key:
demonstrate compliance(
DC2
SOX/HIPAA etc.)
DC1 DC3
European Union (EU) has very strict privacy laws and hence data stored
in US may not comply with those EU laws (US Patriot Act allows federal
agencies limitless powers to access any corporate data etc)
Cisco Public 16
R3: Regulatory Compliance Mitigation Strategy
Cisco Public 18
18
R4: Business Continuity & Resiliency
Mitigation
Cisco Public 19
19
R5: User Privacy & Secondary Usage of Data
Users vs. Providers (Priorities)
Cisco Public 21
R5: Mitigations: User Privacy & Secondary Usage of
Data
Policy Enactment
-Privacy and Acceptable Usage
- Consent (Opt In / Opt Out)
- Policy on Secondary Usage
De-identification of personal
Information
Encrypted storage
Public Cloud
Cloud Provider 1 Cloud Provider 2
Proxy Proxy
Cloud Broker
Service / App 1 Service / App 2 Service / App 5 Service / App 6
Cisco Public 23
R6: Service & Data Integration Mitigation Strategy
Data in Transit
Data at Rest
Cisco Public 24
24
R7: Risks: Multi-tenancy and Physical Security
Security Risks
1. Inadequate
Logical
Separations
2. Co-mingled
Tenant Data
3. Malicious or
Ignorant Tenants
4. Shared Service-
single point of
Backups
failures
5. Uncoordinated
Admin Change Controls
and Misconfigs
Reach back to 6. Performance
Enterprise Risks
Cisco Public 26
R7: Attacks and Incidences
* http://chenxiwang.wordpress.com/2009/11/02/mits-attack-on-amazon-ec2-an-academic-exercise/
** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/
Cisco Public 27
R7: Mitigations: Multi-tenancy and Physical
Security
Architecting for Multi-Tenancy
Transparency/Audit-
ability of
Administrative Access
Regular Third
Party Assessments
Virtual Private
Cloud (VPC)
Cisco Public 28
R8: Incidence Analysis & Forensic Support
Complex integration and dynamics in cloud computing present significant
challenges to timely diagnosis and resolution of incidents such as:
Malware detection and
Immediate intrusion response to mitigate the impact
Proxy Proxy
Cloud Broker
Service / App 1 Service / App 2 Service / App 5 Service / App 6
Cisco Public 29
R8: Incidence Analysis & Forensic Support
Mitigation Strategy
Comprehensive logging
Cisco Public 30
30
R9: Infrastructure Security
Malicious parties are actively scanning the internet for
Active
Unused Ports
Data
Default
Passwords
Default
Configurations
Cisco Public 31
R9: Infrastructure Security - Mitigations
Cisco Public
Hardening Networks, OS, Apps
32
R10: Non-Production Environment Exposure
Non-Production Environments are
used for design, development, and test activities internally within an
organization
Prod Non-Prod
Security flaws
Typical non-prod Data copied to non-prod from
environment use generic its production equivalent
authentication credentials
Non-Prod
Photo - http://fineartamerica.com/featured/peaceful-sleep-ron-white.html
Cisco Public 35
Cisco Public 36
R5: Incidence: User Privacy & Secondary Usage of
Data
Cisco Public 37