Securing Databases in the Cloud
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance Delaware Valley Chapter (CSA-DelVal)
Presentation Overview
- Cloud Overview
- Database Overview
- Big Data Overview
- Cloud-Based DB Solutions
- Securing Cloud-Based DB Solutions
  - Vulnerabilities Found in Cloud-Based Offerings
  - Securing Your Relational Cloud-Based Offerings
  - Securing Your Non-Relational Cloud-Based Offerings
- Privacy & Data Protection for Cloud-Based DBs
- Case Study: MySQL & SimpleDB in the Cloud
Source: NIST
Service Delivery Models (Source: Swain Techs)
Source: Matthew Gardiner, Computer Associates
Database Overview
- Database Management Systems
  - Relational Database Management Systems (RDBMS)
  - Object-Oriented Database Management Systems (OODBMS)
  - Non-Relational, Distributed DB Mgmt Systems (NRDBMS): Not only Structured Query Language (NoSQL)
- Online Transaction Processing (OLTP)
- Real-time Data Warehousing
  - Online Analytical Processing (OLAP)
  - Operational Data Stores (ODS)
  - Enterprise Data Warehouse (EDW)
Database Overview (Continued)
- Online Analytical Processing (OLAP)
  - Business Intelligence (BI)
    - Data Mining
    - Reporting
    - OLAP
Database Overview: OLAP (Continued)
- Business Intelligence (BI) (Continued)
  - OLAP (Continued)
    - Relational OLAP (ROLAP)
    - Multi-Dimensional OLAP (MOLAP)
    - Hybrid OLAP (HOLAP)
Data flow diagrams:
- OLTP -> ODS -> EDW (Data Marts) -> BI (Data Mining)
- OLTP -> ODS -> EDW (Data Marts) -> BI (Reporting)
- OLTP -> ODS -> EDW (Data Marts) -> BI (OLAP)
Big Data Overview
- Aggregated Data From the Following Sources:
  - Traditional
  - Sensory
  - Social
  - Aggregators
- Predominantly: NRDBMS
  - Column Family Stores: Cassandra (FB), BigTable (Google), HBase (Apache)
  - Key-Value Stores: App Engine DataStore (Google), DynamoDB & SimpleDB (AWS)
  - Document Databases: CouchDB, MongoDB
  - Graph Databases: Neo4J
Big Data Overview (Continued)
- Serial Processing
  - Hadoop
    - Hadoop Distributed File System (HDFS)
    - Hive DW
    - Pig Querying Language
  - Riak
- Parallel Processing
  - HadoopDB
- Analytics
  - Google MapReduce
  - Apache MapReduce
  - Splunk (for Security Information / Event Management [SIEM])
Source: Cloudera
Source: Wikispaces
Source: Google
Source: Cloudera
Cloud-Based Database Solutions: PaaS / DBaaS
- Force.com
- Intuit QuickBase
- Amazon Web Services (AWS)
  - Relational Database Service (RDS): Oracle 11g / MySQL
  - DynamoDB
  - SimpleDB
- Google App Engine Datastore
- Oracle Public Cloud (11g)

Cloud-Based Database Solutions: IaaS
- Build MySQL, Microsoft SQL Server, or Oracle 11g Instance
- Leverage Compute Node & Storage Node Effectively
  - AWS Elastic Compute Cloud (EC2) / AWS Elastic Block Store (EBS)
  - OpenStack Compute (Nova) / OpenStack Storage (Swift)
Vulnerabilities Found in Cloud-Based DB Solutions: General Cloud Service
- Middleware Vulnerabilities
  - Open / Java Database Connectivity (ODBC / JDBC) Attacks
- Database Vulnerabilities
  - Improper (Logical) Access Controls
  - Change / Configuration Management
  - Backups
  - Multi-Tenancy
- Virtualization Vulnerabilities
  - Insecure Hypervisor / Management Backplane
  - Hyperjacking: Rogue Hypervisor
  - Virtual Machine (VM) Theft: Data Loss
  - VM Hopping: One VM to Another
  - VM Sprawl: Unmanaged (Legacy) VMs
  - VM Escape: One VM to Another

Vulnerabilities Found in Cloud-Based DB Solutions: General Cloud Service (Continued)
- Internal (Cloud Service Provider) Attack Vectors:
  - Legacy Accounts: Automate Provisioning / De-Provisioning
  - Lack of Segregation / Separation of Duties
  - Lightweight Directory Access Protocol (LDAP) Injection
- Application Vulnerabilities:
  - SQL Injection
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (XSRF)

Vulnerabilities Found in Cloud-Based DB Solutions: IaaS
- Infrastructure:
  - Improper Physical Access Controls
  - Change / Configuration Management
  - Physical Separation of Compute & Storage Nodes: Performance Degradation
  - Backups: VM Backup Location / Jurisdiction; Data File Backup Location / Jurisdiction
- Operating System (OS):
  - Improper (Logical) & Physical Access Controls
  - Change / Configuration Management
Source: Flickr
Securing Relational Cloud-Based DB Solutions: PaaS / DBaaS
- SIEM
- Logical Segregation / Separation of Duties (DBA, Developer)
- Enforce Logical Access Controls
- Virtual Firewalls
- Encryption
  - Enforce Compliance Encryption Requirements for Data
  - Public Key Infrastructure (PKI): Remote & Application Access
  - Key Management
- User Rights Management (URM)
- Identity & Access Management (IAM)
Source: Chris Brenton
Source: FireRack
Source: Chris Brenton
Source: Chappell & Associates
Securing Relational Cloud-Based DB Solutions: PaaS / DBaaS (Continued)
- Backups & Disaster Recovery
  - Physically / Geographically Separate
  - Build RTO & RPO Into SLA
  - Regularly Test (Semi-Annually)
- Application & Middleware-level Security
  - Web Application Firewalls (WAF) / Proxy
  - XML Firewalls
  - Security Development Lifecycle (SDL)
    - Static Application Security Testing (SAST)
    - Dynamic Application Security Testing (DAST)
Source: Imperva
Source: SANS
Source: Microsoft
Securing Relational Cloud-Based DB Solutions: PaaS / DBaaS (Continued)
AWS RDS Oracle 11g & Java / Apache Tomcat EC2 Scenario:
- Setup VPC: Public & Private via NAT w/ IPSec VPN
- Setup App Security Group
- Build Public App Instance on EC2 w/ Java & Apache Tomcat
- Setup DB Security Group w/ App Security Group Added
- Build Private AWS RDS Oracle 11g DB
- Leverage PL/SQL Audit Triggers for Compliance
- Leverage CloudWatch for App & DB Instances
- Leverage Prepared Statements & Error / Exception Handling
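An added illustration of the last step above (prepared statements plus error / exception handling); this is not code from the presentation. The scenario pairs a Java / Tomcat app with Oracle over JDBC, so SQLite stands in here as an offline substitute, and the table, rows and test input are constructed.

```python
import logging
import sqlite3

# Added example, not from the presentation. SQLite stands in for the Oracle / JDBC
# pairing of the scenario; the binding principle is the same for PreparedStatement.
logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("app")

INJECTION = "x' OR '1'='1"  # constructed input a tester would use to probe the app


def make_db():
    """Constructed sample table of patient records (in-memory, for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patient (name, mrn) VALUES (?, ?)",
                     [("alice", "MRN-001"), ("bob", "MRN-002"), ("carol", "MRN-003")])
    return conn


def broken_db():
    """Constructed connection with no patient table, to exercise the error path."""
    return sqlite3.connect(":memory:")


def find_patient_unsafe(conn, name):
    """Vulnerable form: concatenation lets the input rewrite the WHERE clause."""
    sql = "SELECT name, mrn FROM patient WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_patient(conn, name):
    """Hardened form: a prepared statement binds the value; it never becomes SQL."""
    return conn.execute("SELECT name, mrn FROM patient WHERE name = ?", (name,)).fetchall()


def lookup(conn, name):
    """Application entry point: DB errors are logged server-side and replaced by a
    generic message, so the client never sees table names or SQL fragments."""
    try:
        return {"ok": True, "rows": find_patient(conn, name)}
    except sqlite3.Error as exc:
        log.error("patient lookup failed: %s", exc)   # full detail stays in the log
        return {"ok": False, "error": "lookup failed"}  # sanitized for the client
```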
Securing Relational Cloud-Based DB Solutions: IaaS Server / Infrastructure
- Physical Access Controls
- Hypervisor / Management Backplane
  - Grouping: Segmenting VMs
  - Generalization: Leveraging a Template
  - Aspect-Oriented Management: Tiering
  - Automation: Provisioning
  - Air Gapping: Siloed Virtual Networks (VLANs)

Securing Relational Cloud-Based DB Solutions: IaaS OS
- OS Firewalls (Windows)
- Patching / Configuration Management (Chef / Puppet)
- PKI Encryption: Key Management
- Logical Access Controls
- Anti-Virus (AV)
- Authentication, Authorization & Accounting (AAA): IAM
- Vulnerability Assessment Scanning
  - Amazon Elastic Compute Cloud (EC2) Instance: CloudInspect
Source: CORE
Securing Relational Cloud-Based DB Solutions: IaaS Database
- Backups
- URM
- Segregation / Separation of Duties
- Vulnerability Scanning
  - McAfee Database Security Scanner (DSS) for MS SQL Azure
- Database Activity Monitoring (DAM)
- Database Firewall
- IAM
[Diagram: Internet and AWS Cloud with EBS volumes and EBS snapshots. Source: Amazon]
Source: McAfee
Source: Application Security
Source: Oracle
Securing Relational Cloud-Based DB Solutions: IaaS Database
LAMP Stack & phpMyAdmin Scenario:
- Setup VPC: Public & Private via NAT
- Setup App Security Group
- Build Public App Instance on EC2 w/ LAP & phpMyAdmin
- Setup DB Security Group w/ App Security Group Added
- Build Private MySQL DB Instance on EC2 w/ Encrypted EBS
- Leverage CloudWatch for App & DB Instances
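Both EC2 scenarios (the RDS Oracle / Tomcat one earlier and the LAMP / phpMyAdmin one above) hinge on the DB security group admitting only the app security group on the database port. The following added check is not from the presentation: it audits a set of ingress rules against that design. The dict shape of a rule, the group names and the rule sets are constructed assumptions, not AWS API output.

```python
import ipaddress

# Added example, not from the presentation. Security groups are modelled as plain
# dicts rather than read from the AWS API so the check runs offline.


def is_public_cidr(source):
    """True when a CIDR source exposes the port to the whole internet."""
    if source.startswith("sg:"):          # assumed notation for "another security group"
        return False
    net = ipaddress.ip_network(source, strict=False)
    return net.prefixlen == 0             # 0.0.0.0/0 or ::/0


def audit_db_group(rules, db_group, app_group, db_ports):
    """Return findings for the DB group; an empty list means the design holds:
    every ingress rule targets a DB port and comes only from the app group."""
    findings = []
    for r in (x for x in rules if x["group"] == db_group):
        where = f"{db_group} {r['proto']}/{r['from']}-{r['to']} from {r['source']}"
        if is_public_cidr(r["source"]):
            findings.append(f"internet-exposed: {where}")
        if r["source"] != f"sg:{app_group}":
            findings.append(f"source is not the app group: {where}")
        if not (r["from"] == r["to"] and r["from"] in db_ports):
            findings.append(f"non-DB port open: {where}")
    return findings


# Constructed sample: the weak design opens MySQL and SSH on the DB host to the world...
WEAK = [
    {"group": "app-sg", "proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
    {"group": "db-sg", "proto": "tcp", "from": 3306, "to": 3306, "source": "0.0.0.0/0"},
    {"group": "db-sg", "proto": "tcp", "from": 22, "to": 22, "source": "0.0.0.0/0"},
]
# ...while the corrected design admits only the app group, and only on the DB port.
FIXED = [
    {"group": "app-sg", "proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
    {"group": "db-sg", "proto": "tcp", "from": 3306, "to": 3306, "source": "sg:app-sg"},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_db_group(rules, "db-sg", "app-sg", {3306, 1521}) or ["ok"])
```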
Securing Relational Cloud-Based DB Solutions: IaaS Storage
- PKI Encryption: Key Management
- Logical Access Controls
  - RBAC Groups (OpenStack Swift)
- Authentication, Authorization & Accounting (AAA): IAM
- Monitoring
- Information Governance: Lifecycle
Securing Relational Cloud-Based DB Solutions: IaaS Database IAM
- Federated Identity
  - Security Assertion Markup Language (SAML)
  - Open Authorization (OAuth)
  - Representational State Transfer (REST)
  - AWS IAM
  - Windows Azure Access Control Service (ACS)
  - Web Services Trust Language (WS-Trust)
  - Active Directory Federation Services (ADFS)
  - Microsoft Federation Gateway (MFG)
Source: OASIS
Source: Intuit
Source: OASIS
Source: Apache
Source: OASIS
Source: Microsoft
Source: Chappell & Associates
Source: Microsoft
Securing Relational Cloud-Based DB Solutions: IaaS Application & Middleware
- WAF / Proxy
- XML Firewall
- SDL
  - SAST
  - DAST
Securing NRDBMS Cloud-Based DB Solutions
- General
  - Focus on Application / Middleware-Level Security
    - SQL Injections Are Still Possible
  - Leverage Application IAM for NRDBMS URM
  - Leverage Application & System Logging for AAA
  - Segregation of Duties
    - Read / Write Namespaces
    - Read-Only Namespaces
- Specific
  - Document: Consistency Assurance
  - Key / Value: Ensure Referential Integrity
Privacy & Data Protection for Cloud-Based DBs
- Jurisdictions*
  - Regional: EU DPA
  - National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
  - Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
- Data Flow & Jurisdictional Adherence
- Data Sharing with Third Parties
  - Pseudonymization / De-Identification
  - Consent & Notices
  - Contract Clauses
  - Model Contracts
- Privacy Best Practices
  - Generally Accepted Privacy Principles (GAPP)
* Not all inclusive.
Case Study: MySQL & SimpleDB in the Cloud
- Background
  - SMB Healthcare Service Provider (HIPAA Business Associate) Providing Services for Larger HIPAA Covered Entities
  - Fall 2011 Project
- Drivers
  - Cost Savings
  - HIPAA / HITECH Compliance
  - More Cost Effective & Simplistic BCP / DRP Planning
  - Parse Out Non-Protected Health Information (PHI)

Case Study: MySQL & SimpleDB in the Cloud (Continued)
- Technologies
  - AWS: EC2, EBS, Simple Storage Service (S3), SimpleDB
  - Linux (Ubuntu AMI), Apache, MySQL, & PHP (LAMP) Stack
  - OpenLDAP
  - Splunk
- Limitations
  - Skill-Sets (AWS EC2, SimpleDB)
  - Risk Posture
  - Vendor Management

Case Study: MySQL & SimpleDB in the Cloud (Continued)
- Risks
  - Vendor Lock-In: AWS EC2 and / or SimpleDB
  - Legal Concerns: Lack of Bargaining Power; Service Level Agreements (SLAs)
  - Data Security & Privacy Concerns: Geographic Jurisdiction
  - Business Continuity / Availability: DataCom Circuits
  - Variable Costs: Data Transfer

Case Study: MySQL & SimpleDB in the Cloud (Continued)
- Lessons Learned
  - Cloud Strategy / Roadmap Matters
  - Availability Issues w/ SimpleDB
  - Learning Curve: SimpleDB
  - Elastic Block Store (EBS): Not as Cost Effective as First Thought
  - Backups & S3
- Next Steps
  - Leveraging NoSQL for More Log Data
  - Enhanced use of Splunk for SIEM
  - Splunk to the Cloud (on AWS EC2)
Presentation Take-Aways
- Databases in the Cloud are Here to Stay
- Secure Cloud-Based DBs Through Defense-in-Depth
  - Application / Database
  - Middleware
  - OS
  - (Virtual) Infrastructure
- Stay Abreast of New Technologies / Services
  - Big Data
  - Federated Identities
Questions?
Contact
- Email: [email protected]
- markes1
- LI: http://www.linkedin.com/in/smarkey
- CSA-DelVal: http://www.csadelval.org/
Notes:
- Veracode, Acunetix
- modsecurity
- ZED Proxy
- http://qugstart.com/blog/amazon-web-services/how-to-set-up-db-server-on-amazon-ec2-with-data-stored-on-ebs-drive-formatted-with-xfs/
Here's the procedure I decided on. It involves symlinking MySQL config files and data directories onto the EBS volume. Another trick I used, because I needed to migrate about 20 GiBs of data to get started, was that I initially set up an X-tra large instance, with 10 GiBs RAM to handle the data import. After the data was migrated and imported to my database, I simply terminated my X-Large instance and spun up a small instance connected to the same EBS volume! All the databases were preserved nicely and I did not have to waste money paying for an X-Large instance anymore. This exemplifies the value of thinking in the cloud mindset, where you can spin up and down servers in a matter of seconds! Hope this article helps someone else out there!