CTO Roundtable
O’Reilly Definition - What is Web 2.0?
• Scalable services, not packaged software
• Harnessing collective intelligence through an “architecture of participation”
• “Open Source” => users as co-developers
• Leveraging the long tail => customer self-service
• Rich user experience => rich client
Web 2.0 - A Practical Definition
The Emerging Web: Social Networks, Skype, P2P Networks, Blogs, Wikis, SaaS, Mashups, IM, LinkedIn, BitTorrent, YouTube, Salesforce
The Web 2.0 Security Problem
Web 2.0 Security Implications
• Consumerization of IT => Unregulated Corporate IT
• Rich Client Side Scripting => Emerging Attack Vectors
• Web 2.0 plus Mobility => Loss of Perimeter Control
Web 2.0 Security - “IT Consumerization”
“[Consumer IT] is the most significant trend affecting information technology (IT) during the next 10 years…Consumer IT will affect every enterprise…Attempts by enterprises to deny this are doomed to failure”
David Mitchell Smith, Gartner Fellow
Gartner press release, October 2005
IT Consumerization - Unregulated Applications
• Velocity of Application Deployment & Usage
– “Rogue IT” proliferation
• Use of Common Ports or Hopping Ports Makes Policy Enforcement Difficult.
– Example: Skype
• Encrypted Traffic Obfuscates Attacks
– What are attackers doing in the encrypted transport?
IT Consumerization - P2P Liability Issue
• Data Theft with P2P File Sharing Tools like Limewire, Kazaa or BearShare.
• Increasing Corporate Compliance Issue around P2P File Sharing.
• FTC Issued Warning on P2P tools
IT Consumerization - Covert Communications
• Unmonitored Covert Communication Channels
– Web mail unmonitored by many security organizations
– IM is informal communication channel
• Tools to Bypass Policy Enforcement
– Meebo
– Anonymizers
Web 2.0 - Emerging Attack Vectors
• Web 2.0 is about rich clients
– AJAX programming
• AJAX Increases Attack Surface
– Dynamic script execution leads to malicious script injection
– Poisoning of JavaScript serialization objects
– Cross domain requests lead to XSRF (Cross Site Request Forgery)
Emerging Attack Vectors
• New Channels for Launching Attacks
– RSS Injection
– Social networks like MySpace, Facebook
• Example: Samy Worm
– Circa October 2005
– AJAX script executed
– Added Samy to visitor’s friends list w/ message
Emerging Attack Vectors - Phishing Revival
• Next Generation Phishing
– Ajax Enabled
• Next Generation Targets - SaaS Applications?
– Salesforce
Web 2.0 Meets Mobility
Web 2.0 Application Model + Ubiquitous Mobile Access => Loss of Perimeter Control
The Traditional Enterprise
Diagram labels: Internet; Remote Access; Attacker; Firewall; DMZ; Corporate Web Server; Mail Server; Intranet; Network Segment 1 … Network Segment N; Customer Database; Finance/HR Servers; Corporate End Users
The Emerging Enterprise Today
Diagram labels: Internet; Ubiquitous Access; Untrusted Web 2.0; SalesForce.com; Firewall; DMZ; Corporate Web Server; Finance/HR Servers; Collaboration Server; Intranet; Network Segment 1 … Network Segment N; Corporate End-Users; Trojans; Bots; Spyware; Anonymizers
The Dissolving Enterprise Perimeter - Security Implications
Diagram labels: Internet; Remote Corporate End Users; Untrusted Web 2.0; SalesForce.com; Corporate Network; Firewall; DMZ
Implications shown: Data Theft, Productivity Loss, Drive by Downloads, Unauthorized P2P Tools, Bandwidth Stealing, Non-compliant Comm., Client Scripting Attacks, Benign Misuse
Implication categories: COMPLIANCE, EMERGING ATTACKS, DATA LEAKAGE, INEFFICIENCIES
Different Options
• Custom Security Architecture
– Remote web traffic rerouted back into Enterprise
– Specialized web gateway combined with standard FW, IPS, AV
• De-perimeterize by Design
– Jericho Forum
– Protect end points, not the network
CloudMZ - Securing the Emerging Enterprise
Diagram labels: Internet; Ubiquitous Access; Web 2.0; SalesForce.com; CloudMZ; Corporate Access; Intranet; Network Segment 1 … Network Segment N; Corporate Web Server; Finance/HR Servers; Mail Server
CloudMZ:
– Enforce web 2.0 usage policy
– Discover hidden usage patterns
– Secure SaaS mobility backdoor
Summary
• Perimeter Security is on the Brink of a Disruptive Shift
• Pure Play Security SaaS is the New Emerging Architecture
• Seeking Beta Customers…secure your emerging web experience