
Rationalization and Defense in Depth - Two Steps Closer to the Clouds


DESCRIPTION

As presented by Dave Chappelle at Oracle Technology Network Architect Day in Phoenix, AZ on December 14, 2011.


Page 1: Rationalization and Defense in Depth - Two Steps Closer to the Clouds


OTN Architect Day Security Breakout Session

Dave Chappelle

14 December 2011

Page 2: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Rationalization and Defense in Depth - Two Steps Closer to the Clouds

OTN Architect Day 2011

Page 3: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Perimeter Security

Diagram: Client → Firewall → Web Server (app proxy) → Firewall → Application Server → DB, Message Queue, Mainframe Application, DB. The client sits in the Unprotected Zone, the web server in the Perimeter (DMZ), and the application server with its back-end systems in the Protected Zone(s).

Outer firewall: all network traffic blocked except for specific ports.
Inner firewall: all network traffic blocked except from the proxy.

• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity
• Alone, often involves a lot of implied trust
• Modern environments don’t have such a clearly defined perimeter

Page 4: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Defense in Depth

• Military defensive strategy to secure a position using multiple defense mechanisms.
• Less emphasis is placed on a single perimeter wall
• Several barriers and different types of fortifications
• Objective is to win the battle by attrition. The attacker may overcome some barriers but can’t sustain the attack for such a long period of time.

Illustration: Krak des Chevaliers, Syria

Page 5: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Defense in Depth

Layers, from the outermost in to the data they protect, with the example controls the slide lists at each layer:

• Policies, Procedures, & Awareness: Data Classification, Password Strengths, Code Reviews, Usage Policies, …
• Physical: Fences, walls, guards, locks, keys, badges, …
• Perimeter: Firewalls, network address translation, denial of service prevention, message parsing and validation, …
• Internal Network: Transport Layer Security (encryption, identity)
• Host: Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection), …
• Application: Security Assurance (coding practices); Authentication, Authorization, Auditing (AAA); Federation (SSO, Identity Propagation, Trust, …); Message Level Security
• Data: Content Security, Information Rights Management; Database Security (online storage & backups)

Spanning all layers: Identity & Access Management; Governance, Risk Management, & Compliance

Page 6: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Defense in Depth: Greater Control

Policies & Procedures

Physical

Perimeter

Internal Network

Host

Application / Service

Data

Consistent set of policies & procedures

Many enforcement points


Page 7: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Security Silos

Diagram: Finance, Sales, and Support applications, each with its own security; an End User, a Security Administrator, and a Security Auditor must deal with each of them separately.

• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible

Page 8: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Security Framework

Diagram: the same Finance, Sales, and Support applications now share one Security Framework, through which the End User, Security Administrator, and Security Auditor interact with all of them.

• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration operator-centric, not system-centric
• Auditing is possible and realistic

Page 9: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Security Framework High Level Architecture

Information Processing:

• Provide a secure run-time environment

• Offer security services to business logic

• Allow solution-level security administration

Information Management:

• Provide a secure data persistence env.

• Offer security features to protect data

• Allow db-level security administration

Security Framework:

• Provide shared security services

• Manage security data for the enterprise

• Allow enterprise-level security administration

Security Interfaces:

• Provide consistent access to security services

• Embrace open, common industry standards

Diagram: Infrastructure Platforms (Application Servers, Information Management Systems, etc.) host Business Logic, Information Processing Security Services, and Information Management Security Services, with Information as the protected asset. Beneath them, the Enterprise Security Framework provides Shared Security Services, Security Management & Administration, and Enterprise Security Information, exposed through Security Interfaces. Side labels: Design & Administration; Development & Administration.

Page 10: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Support for Architecture Principles

Architecture Principles

Provides Security as a Service

Supports Defense in Depth

Supports Least Privilege

Supports Information Confidentiality, Integrity, & Availability

Provides Secure Management of Security Information

Provides Active Threat Detection and Analysis

Provides Secure Audit Trail

Provides Cross-Domain Identity Federation


Page 11: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Space Between the Clouds

Diagram: the defense-in-depth layers (Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application / Service, Data) drawn twice: once for Your Organization (Private Cloud) and once for the Cloud Provider (Public Cloud, Private Cloud; IaaS, PaaS, SaaS). Bridging the gap between the two: GRC; Id & Access Mgmt; Technology Integration; Planning & Reconciliation.

Page 12: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

SaaS I&AM Patterns

Diagram: an In-House (Private) IT Environment (Authentication, Authorization, Access Policy Management, Identity Management) integrated with SaaS Providers A, B, C, and D. The patterns shown at the providers:

• Provider holds Authorization and Access Policy Management; a SAML assertion from the in-house environment carries the user id & attributes.
• Provider holds Authorization, Access Policy Management, and Identity Management; accounts are provisioned over SPML, and a SAML assertion carries the User Id.
• Provider holds Authorization, Access Policy Management, Authentication, and Identity Management, fronted by an STS speaking SAML, WS-Trust, and WS-Federation.
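Whichever of the patterns above is used, the SaaS provider's service-provider side has to check the SAML assertion before trusting the user id and attributes it carries. The following is an added example, not code from the deck or from Oracle: it performs the assertion checks (ID-based replay cache, NotBefore/NotOnOrAfter with clock skew, AudienceRestriction, NameID and attribute extraction) on a constructed, unsigned assertion. XML signature verification against the IdP certificate is assumed to have happened before this code runs (it needs an xmlsec library); the audience URL, issuer, clock values and attribute names are assumptions made for the example.

```python
"""Added example (not from the OTN Architect Day deck): the service-provider side
checks a SaaS provider makes on a SAML 2.0 assertion in the federation patterns
above, AFTER the XML signature has been verified against the IdP certificate.
Signature verification needs an xmlsec library and is assumed done before this
code runs; the assertion, audience and clock values below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_AUDIENCE = "https://saas-a.example.net"   # this SP's entityID (constructed)


def _utc(text):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, audience, now, seen_ids, skew=timedelta(minutes=2)):
    """Return (name_id, attributes) or raise ValueError. seen_ids is the replay cache."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML["saml"]:
        raise ValueError("not a SAML assertion")
    assertion_id = root.get("ID")
    if not assertion_id:
        raise ValueError("assertion has no ID")
    if assertion_id in seen_ids:
        raise ValueError("replayed assertion " + assertion_id)

    cond = root.find("saml:Conditions", SAML)
    if cond is None:
        raise ValueError("no Conditions element")
    if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML) if a.text]
    if audience not in audiences:
        raise ValueError("assertion not intended for " + audience)

    name_id = root.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        attributes[attr.get("Name")] = [v.text for v in
                                        attr.findall("saml:AttributeValue", SAML) if v.text]
    seen_ids.add(assertion_id)           # record only after every check passed
    return name_id.text.strip(), attributes


# Constructed, unsigned assertion in the shape an IdP would issue for the first pattern.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c3e1f0a2-constructed-id" Version="2.0" IssueInstant="2011-12-14T17:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-12-14T17:00:00Z" NotOnOrAfter="2011-12-14T17:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saas-a.example.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def run_checks():
    """One accepted assertion, then three rejections: replay, wrong audience, expired."""
    now = datetime(2011, 12, 14, 17, 1, tzinfo=timezone.utc)
    seen = set()
    name_id, attrs = validate_assertion(SAMPLE_ASSERTION, SP_AUDIENCE, now, seen)
    rejections = {}
    attempts = {
        "replay": (SAMPLE_ASSERTION, SP_AUDIENCE, now, seen),
        "wrong_audience": (SAMPLE_ASSERTION, "https://saas-b.example.net", now, set()),
        "expired": (SAMPLE_ASSERTION, SP_AUDIENCE, now + timedelta(hours=1), set()),
    }
    for label, args in attempts.items():
        try:
            validate_assertion(*args)
            rejections[label] = None
        except ValueError as exc:
            rejections[label] = str(exc)
    return name_id, attrs, rejections


if __name__ == "__main__":
    print(run_checks())
```

The order of the checks matters: the replay cache is consulted before any other work and updated only after the assertion has passed every check, so a rejected assertion cannot poison the cache. In production, parse untrusted XML with a hardened parser such as defusedxml, and verify the signature before calling anything like `validate_assertion`; an unsigned assertion that passes these checks proves nothing.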

Page 13: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Common Attacks & Cloud Computing

Common Attacks: What types of attacks happen most frequently?

Defense Strategies: How would you normally protect your IT resources?

Cloud Scenario: What might be different about a Cloud environment?

Page 14: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Common Threat Summarization

• 2011 Data Breach Investigations Report (DBIR): Verizon Investigative Response Team + US Secret Service (financial & cyber fraud) + Dutch National High Tech Crime Unit
• 2010: 761 incidents, ~ 4 million records compromised
• 7 years: > 1700 incidents, > 900 million records compromised

Verizon Enterprise Risk & Incident Sharing (VERIS) Framework:
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected

Page 15: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Threat Agents - External

Agents (% of breaches / % of records):
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%

External agents: 58% Organized Criminal Groups; 40% Unaffiliated individuals; 2% Former Employees; 1% Competitors

“[External Agents] created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.”

Actions (% of breaches / % of records):
1. Malware: 49% / 79%
2. Hacking: 50% / 89%
3. Misuse: 17% / 1%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Page 16: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Hacking (50% of breaches, 89% of records)

Defensive Strategy:
1. Limit network/port/protocol access
2. Strengthen & change passwords
3. Protect applications from SQL injection & buffer overflows
4. Require authentication

Cloud Implications:
• Remote access may be required for public cloud maintenance & troubleshooting
• Cloud provider may control authentication & password requirements
• Cloud provider may control code base

Types of hacking (% of hacking breaches / % of records):
• Backdoor or command/control channel: 73% / 45%
• Default or guessable credentials: 67% / 30%
• Brute force & dictionary attacks: 52% / 34%
• Footprinting & fingerprinting: 49% / 19%
• Use of stolen login credentials: 21% / 21%
• SQL Injection: 14% / 24%
• Insufficient authentication: 10% / 21%
• Abuse of functionality: 10% / 19%
• Buffer overflow: 9% / 15%

71% via remote access services (RDP, PCAnywhere, Go2Assist, LogMein, NetViewer, ssh, telnet, rsh, …)

Source: Verizon 2011 Data Breach Investigations Report (DBIR)
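Defensive strategy 3 above, "protect applications from SQL injection", comes down to never letting user input become SQL syntax. The following is an added example, not code from the deck: a login check written the vulnerable way (string formatting) next to the parameterized fix, run against an in-memory SQLite database. The table, the account and the password hash scheme are constructed for the example; the payload is the classic quote-and-comment injection that the vulnerable version accepts and the hardened version treats as an ordinary, non-matching username.

```python
"""Added example, not part of the deck: the SQL injection entry on the Hacking
slide, shown as a vulnerable login query beside the parameterized fix. Runs
against an in-memory SQLite database; the account data is constructed."""
import hashlib
import sqlite3


def _hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    # Constructed sample account. Plain SHA-256 keeps the example stdlib-only; a real
    # system should store a salted, slow hash (PBKDF2, bcrypt, scrypt) instead.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: user input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Bound parameters: the driver passes values separately from the statement text,
    so quotes and comment markers in the input are just characters to compare."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def run_demo():
    """Same payload against both versions. The leading quote closes the string literal,
    OR 1=1 makes the WHERE clause true, and -- comments out the password check."""
    conn = build_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_accepts_injection": login_vulnerable(conn, payload, "wrong"),
        "hardened_accepts_injection": login_hardened(conn, payload, "wrong"),
        "vulnerable_accepts_real_login": login_vulnerable(conn, "alice", "correct horse"),
        "hardened_accepts_real_login": login_hardened(conn, "alice", "correct horse"),
        "hardened_rejects_bad_password": not login_hardened(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print("%-32s %s" % (check, result))
```

The point the slide makes about cloud applies here unchanged: when the provider controls the code base, whether queries are parameterized is something you have to ask about (or test for) rather than something you can fix yourself.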

Page 17: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Malware (49% of breaches, 79% of records)

• Designed to: open back doors, perform key logging, RAM scraping, network scanning, data capture & send, …
• 80% installed by attacker following breach of system
• Almost 100% caused by external agents

Defensive Strategy:
1. Protect systems from hacking
2. Maintain system patches, virus protection, security settings, firewalls
3. Internet Usage Policies & Awareness
4. Consider Internet-facing devices to be suspect & limit access accordingly

Cloud Implications:
• Efficacy of cloud provider’s security measures will factor into risk:
  • How are hacking threats handled?
  • How are Internet-facing devices secured and isolated?
  • How are they audited for compliance?

Malware infection vectors (share of malware breaches):
• Installed / Injected by remote attacker: 81%
• Email: 4%
• Web / Internet auto-executed (“drive-by” infection): 3%
• Web / Internet user-executed (download): 3%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Page 18: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Perimeters & Internal Networks

• Limit exposure to the Internet
• Turn off unnecessary ports & protocols
• Limit exposure to management interfaces
• Don’t plug in devices that may be contaminated
• Data Loss Prevention
• VPN
  • Site to site
  • User to site
• Cloud as a DMZ
  • Multi-tenancy
  • A hacker’s launch point?
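"Limit exposure to management interfaces" is the preventive control; the Hacking slide's finding that 71% of intrusions arrived over remote access services, led by default credentials and brute force, is the reason to also watch the interfaces that must stay exposed. The following is an added example, not code from the deck: a detector that reads OpenSSH-style syslog lines, groups failed logins by source address, alerts when a source exceeds a failure threshold inside a time window, and flags the case a responder cares about most, a successful login from the same source after the failures. The log lines, hostnames, addresses, threshold and window are constructed for the example.

```python
"""Added example, not from the deck: detecting brute-force / dictionary attacks
against an Internet-exposed management interface (sshd here), the remote-access
route the DBIR figures on the Hacking slide attribute most intrusions to.
Log lines are constructed in the OpenSSH syslog format; the threshold and
window are this example's assumptions, not values from the deck."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _ts(text, year=2011):
    """Syslog timestamps carry no year; the example pins one so lines can be ordered."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for sources with >= threshold failures inside window.
    A success from the same source after the failures began is reported separately,
    since that is the pattern of a guessed or default credential rather than noise."""
    failures = defaultdict(list)     # ip -> [(timestamp, user)]
    successes = defaultdict(list)    # ip -> [(timestamp, user)]
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append((_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED.match(line)
        if m:
            successes[m["ip"]].append((_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window: any run of `threshold` failures whose span fits in `window`.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts[ip] = {
                    "failures": len(events),
                    "distinct_users": len({u for _, u in events}),
                    "success_after_failures": [u for t, u in successes.get(ip, [])
                                               if t >= events[i][0]],
                }
                break
    return alerts


# Constructed sample: one dictionary attack that ends in a successful root login,
# and one legitimate user who mistyped a password once and then used a key.
SAMPLE_LOG = """\
Dec 14 09:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 14 09:00:03 web01 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Dec 14 09:00:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec 14 09:00:08 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51050 ssh2
Dec 14 09:00:11 web01 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51063 ssh2
Dec 14 09:00:14 web01 sshd[2111]: Failed password for root from 203.0.113.7 port 51072 ssh2
Dec 14 09:00:20 web01 sshd[2113]: Accepted password for root from 203.0.113.7 port 51080 ssh2
Dec 14 09:02:40 web01 sshd[2120]: Failed password for jdoe from 198.51.100.4 port 40110 ssh2
Dec 14 09:02:48 web01 sshd[2122]: Accepted publickey for jdoe from 198.51.100.4 port 40112 ssh2: RSA SHA256:constructed
""".splitlines()


def run_detection():
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, summary in run_detection().items():
        print(ip, summary)
```

The single failure from 198.51.100.4 never reaches the threshold, so it produces no alert; the attacking source does, and the `success_after_failures` entry is what turns a noisy brute-force alert into an incident. The same logic applies to the other remote access services the slide names once their authentication events are parsed.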

Page 19: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Threat Agents - Internal

Agents (% of breaches / % of records):
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%

Internal agents: 85% Regular Employee / End User; 22% Finance / Accounting Staff; 11% Executive / Upper Mgmt; 9% Helpdesk, SA, DBA, Developer

• Not as scalable as external agents
• 9% of incidents involve a combination of external and internal agents
• Fewer records but greater impact

Actions (% of breaches / % of records):
1. Malware: 49% / 79%
2. Hacking: 50% / 89%
3. Misuse: 17% / 1%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Page 20: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Misuse (17% of breaches, 1% of records)

Defensive Strategy:
1. SoD, Principle of Least Privilege Access Control measures
2. Auditing & Review
3. Deprovisioning users
4. Data Loss Prevention solutions

Cloud Implications:
• Cloud provider maintains some level of identity and access management
• Auditing & review up to cloud provider
• DLP up to cloud provider
• Abuse of privilege not “provider-dependent”

• “…employees aren’t normally escalating their privileges in order to steal data because they don’t need to. They simply take advantage of whatever standard user privileges were granted to them by their organizations.”
• “…regular employees typically seek “cashable” forms of information like payment card data, bank account numbers, and personal information.”

Types of misuse (share of misuse breaches):
• Embezzlement, skimming, & related fraud: 75%
• Abuse of system access / privileges: 49%
• Use of unapproved hardware / devices: 39%
• Abuse of private knowledge: 7%

Source: Verizon 2011 Data Breach Investigations Report (DBIR)
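The quoted finding that insiders use the standard privileges they were granted is why strategies 1 to 3 above are enforcement problems rather than detection problems: the authorization decision itself has to apply least privilege, refuse toxic combinations of duties, and stop the moment an account is deprovisioned, while leaving an audit trail for the review in strategy 2. The following is an added example, not code from the deck or from any Oracle product: a small policy engine for an accounts-payable flow in which the same identity may not both create and approve a payment. The roles, permissions, users and payment objects are constructed for the example.

```python
"""Added example, not part of the deck: one authorization check that applies the
Misuse slide's countermeasures together: least privilege through roles,
segregation of duties (SoD) between creating and approving a payment, immediate
effect of deprovisioning, and an audit record for every decision. Roles,
permissions and users are constructed for the example."""
from dataclasses import dataclass

ROLE_PERMISSIONS = {
    "ap_clerk": {"payment:create", "payment:view"},
    "ap_approver": {"payment:approve", "payment:view"},
    "auditor": {"payment:view", "audit:read"},
}
# Permission pairs that no single identity should hold (toxic combinations).
SOD_CONFLICTS = {("payment:create", "payment:approve")}


@dataclass
class User:
    name: str
    roles: set
    active: bool = True          # False once the account is deprovisioned


@dataclass
class Payment:
    pid: str
    created_by: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def permissions_for(user):
    """Union of the permissions granted by the user's roles; nothing is implicit."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def toxic_combinations(user):
    """SoD review finding: conflicting permission pairs one identity holds via its roles."""
    perms = permissions_for(user)
    return sorted(pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms)


class PolicyEngine:
    def __init__(self):
        self.audit_log = []      # (user, permission, object, allowed, reason)

    def check(self, user, permission, payment=None):
        decision = self._decide(user, permission, payment)
        self.audit_log.append((user.name, permission, payment.pid if payment else None,
                               decision.allowed, decision.reason))
        return decision

    @staticmethod
    def _decide(user, permission, payment):
        if not user.active:
            return Decision(False, "account deprovisioned")
        if permission not in permissions_for(user):
            return Decision(False, "permission not granted by any role")
        # Dynamic SoD: even a user mis-assigned both roles cannot approve what they created.
        if permission == "payment:approve" and payment is not None and payment.created_by == user.name:
            return Decision(False, "SoD violation: creator may not approve own payment")
        return Decision(True, "ok")


def run_demo():
    engine = PolicyEngine()
    clerk = User("bob", {"ap_clerk"})
    approver = User("carol", {"ap_approver"})
    both = User("dan", {"ap_clerk", "ap_approver"})      # mis-assigned: holds a toxic combination
    leaver = User("erin", {"ap_approver"}, active=False)  # deprovisioned approver
    p1 = Payment("P-1001", created_by="bob")
    p2 = Payment("P-1002", created_by="dan")
    return {
        "clerk_approves_own": engine.check(clerk, "payment:approve", p1).allowed,
        "approver_approves": engine.check(approver, "payment:approve", p1).allowed,
        "both_approves_own": engine.check(both, "payment:approve", p2).allowed,
        "both_approves_other": engine.check(both, "payment:approve", p1).allowed,
        "leaver_approves": engine.check(leaver, "payment:approve", p1).allowed,
        "toxic_for_dan": toxic_combinations(both),
        "audit_entries": len(engine.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two layers of SoD are shown on purpose: `toxic_combinations` is the review-time check that finds a user who should never have been given both roles, and the `created_by` test inside `_decide` is the run-time check that still holds the line if the role assignment slipped through. The audit log records denials as well as grants, which is what makes the "Auditing & Review" strategy workable: a pattern of denied approval attempts by a clerk is itself a misuse indicator.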

Page 21: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Threat Agents - Partner

Agents (% of breaches / % of records):
1. External: 91% / 99%
2. Internal: 16% / 1%
3. Partner: <1% / <1%

• Includes vendors, suppliers, hosting providers, outsourced IT support
• Direct involvement has been on the decline
• Responsible involvement has not declined
• Attacks often involve compromised remote access connection
• Poor governance, lax security, too much trust
• “Out-of-sight, Out-of-mind” condition

Cloud Implications:
• Provider’s enforcement of Least Privilege and Segregation of Duties
• Provider’s contracts, policies, controls, governance, & auditing
• Secure communications channels & active threat detection
• You can’t delegate accountability

Source: Verizon 2011 Data Breach Investigations Report (DBIR)

Page 22: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Administrative & Management Control

• Cloud control vs. your control

• Where are the lines drawn?

• Segregation of Duties, Least Privilege

• How do you measure your provider’s success?

• How will you know if your risk is greater than expected?

• Audit & Review

• What (objectives), by whom, how often

• Motility of Data

• How to ensure data remnants are destroyed (digital shredding)


Page 23: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

(Some of) The Good…

• Cloud providers have a deep vested interest in security
  • Must prove themselves to the market
  • Often much greater investment and attention to detail than traditional IT
• Cloud homogeneity makes security auditing/testing simpler
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Data held by an unbiased party

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 24: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

…The Bad…

• Multi-tenancy; need for isolation management

• High value target for hackers

• Fragmentation; creation of more silos

• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
• Exposure of data to foreign government and data subpoenas
• Data retention issues

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 26: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Recommendations

Institute Defense in Depth

• Good general strategy to protect highly distributed systems (SOA, BPM, Cloud, etc.)

• Protect the whole environment, not just the perimeter

Rationalize & Consolidate

• Standardized frameworks, services, & technologies

• Holistic management, visibility, & control

Mind The Gap(s)

• Technology: Secure integration

• Identity & Access Management

• Policies, Procedures, Audits, Attestation, GRC

Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies
