I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
Similaire à I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options
Similaire à I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options (20)
Take control of your SAP testing with UiPath Test Suite
I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options
2. • Moshe Ferber, 37, lives in Modiin (+2).
• Information security professional for over 15 years.
• Managed the security department for Ness Technologies.
• Founded Cloud7, Israel based MSSP (currently owned by Matrix).
• Shareholder at Clarisite
• Shareholder at FortyCloud
• Member of the board at Macshava Tova
• Certified instructor for the Cloud Security Alliance
2
10. 11
• The lower down the stack the cloud service
provider stops, the more security capabilities
and management consumers are responsible for
implementing and managing themselves.
SaaSIaaS PaaS
Security Responsibility
ProviderCustomer
16. • Make sure that you and your customers speak the same
language.
• Transparency, planning and taking risks are key success
factors for this process.
• Standards are great way for establishing common ground
for discussion.
• Contracts and SLA will define the partnership.
18. Taken from: Ponemon Institute: security of cloud computing
users study 2013
Research show that many organization don’t understand the shared
responsibilities between customer and provider in cloud computing.
21. • Adjust your contracts to reflect the nature of the
cloud (This is not a software licensing agreement).
• Do not over complicate.
• Provide security policy statement.
• Specify how you help customer to avoid Vendor
lock-in and unexpected termination.
22. • Responsible for actions of his providers.
• Compliance in the service.
• Answer to subpoena and e-discovery
• Data loss / recovery.
• Conform with specification.
• Fix break down.
• SLA: uptime, downtime notice &POC.
• Indemnity
Location of
services
Contract
jurisdiction
Standard of
care
Applicable
legislation
Treaties
23. •ISO 27001 – Adopted by the cloud industry . Although
no real reference to cloud (ISO 27017 is planned,but
still a draft).
•SSAE16 – Got some level of cloud details… Need to
verify the scope.
•FIPS140-2 - Standard for encryption on sensitive data.
•PCI –Many resources on adapting PCI on cloud
environment. Including PCI cloud guidelines.
•ENISA– guide for cloud security recommendations.
•ILITA (Israel) - guidelines for outsourcing computer
data including cloud reference.
24. •CSA – Responsible for CSA STAR Level 1,2,3. Which is
ISO27001 / SOC with additional controls from CCM.
•FedRAMP – Defining the federal policy regarding the
use of cloud services within the federal government.
Based on NIST guidelines.
27. Design to security
Integrate security into
software life cycle
Plan your security
testing
Threat modeling
(including cloud
threats)
Access controls
Coding standard
(Based on relevant
Regulation)
Code review
SDLC Checkpoint
Cloud provider
API’s
Static analysis
Dynamic analysis
Vulnerability
scanning
Penetration test
28. • SDLC in the cloud requires us to integrate the cloud provider and
consumer into the process.
• Security referent should be present on each development team.
• Threat modeling should include cloud specific threats.
• SDLC can be any standard in the market, as long as you
remember to adjust responsibilities.
Architecture &
Design
Development Test Production
IaaS
Cloud
Consumer
Cloud
Consumer
Shared Shared
PaaS Shared
Cloud
Consumer
Shared Shared
SaaS Shared
Cloud
Provider
Cloud
Provider
Cloud
Provider
29. Identity is the perimeter
Identity Lifecycle
Access control
Authentication
• Cloud consumers prefer to extend their Identities
to the cloud instead of creating new ones.
• Identity Providers are a growing service.
• SCIM – marked as the new standard for provisioning
(replacing SPML).
• XACML is growing standard regarding access
management.
• Best practices separate between Policy Decision
Point and Policy enforcement Point.
• The challenge is to leverage customer current
authentication mechanism.
• Identity Federation is growing market.
• SAML, Open ID and Oauth can help SaaS provider to
meet customers requirements.
30. • Dynamic and Static analysis should be integrated to
the SDLC.
• Penetration test and vulnerability scans are a must in
some standards and regulations, and should be done
periodically.
• Scan results and pen test should be available to
customers.
• Customers should have the ability to coordinate
scans and penetration tests.
31. • Vulnerability management as a service a very popular. Just make sure
they are Cloud API aware
• Code review and Web Application Firewall can also used as a service.
• New standards such as SAML, SCIM and XACML can assist.
37. • Customers will expect:
Clear Security Policy.
Change management process.
DR / BC procedures.
Backup and Restore procedure and testing.
Notice on maintenance & service time.
Clear information channel regarding malfunctions.
SLA for coordinating audits / VA / Pen tests.
Visibility into the operations.
38. 42
• not just complianceLog Monitoring
• Availability and more.
Performance
Monitoring
• tie to alerting
Monitoring for
Malicious use
• analytics helpful here
Monitoring for
Compromise
• access control, authorized
use
Monitoring for
policy violations
39. • Define what is “Incident” with your customers.
• The nature of cloud makes likelihood of some kinds of incident
goes up, others goes down.
• Consider attacks targeted at the Cloud infrastructure provider
and how that affects your systems
• Legislative and Regulatory régimes may have different
requirements for incident management.
• Plan your containment policy in cases where attack is focused
on specific customer.
• Provide your customer with POC and make sure you got
communication channels to address them.
Preparation
Detection &
Analysis
Containment
Eradication
& Recovery
40. 44
• COBIT / ITIL can make a good framework for building correct
operations standards.
• Twitter turned to be great tool for information distribution.
• NIST SP800-61 is great start for incident management.
42. • US privacy laws are made from federal legislation, and state
level regulation.
• The 4th amendment is the basic pillar for privacy in US, and is
not valid for cloud services.
• The FISA, Patriot act and protect America act grant US
government right to force Cloud provider to deliver customer
data.
• US laws require provide planning capability to respond to
requests for legal holds on documents (FRCP)
46
43. • EU privacy laws prohibit transfer of EU data outside of the EU
unless it will receive the same level of protection.
• US based companies enjoyed Safe Harbor agreement for
processing EU data.
• On July 2, 2012 – Working Party 29 issued an opinion stating
that safe harbor controls are not sufficient for cloud
computing.
47
44. 48
Data
• Make sure
that data
in the
cloud is
secured
along all
data
lifecycle.
Application
• Make sure
application
meets the
standards
and risks.
Users
• Make sure
that users
lifecycle
matches
standards
and risks.
45. Create
Destroy
Store
Share Archive
Use
Classify
Assign Rights
Content Discovery
Access Controls
Encryption
Rights Management
Activity Monitoring
and Enforcement
Rights Management
Logical Controls
Application Security
DLP
Encryption (SSL/HTTPS)
Logical Controls
Application Security
Encryption
Asset Management
Crypto-Shredding
Secure Deletion
Content Discovery
49
46. 50
Identity
Management
• Lifecycle
management
may require
identity
propagation
and/or
synchronization
• Identity
provisioning
• User profile
management
Access
Management
• Authentication
– process can
occur on Cloud
Consumer side
or Cloud
Provider side
• Authorization –
process can
occur on Cloud
Consumer side,
and always
occurs on the
Cloud Provider
side
Federation
• Managing
relationships
and policies
Compliance
• Dealing with
regulations and
audits
48. 52
1.What provisioning standards do you
support today?
2.Do you support SPML? What version? If
so, do you have a schema?
3.Do you offer web services for
automated provisioning (bulk or
single)?
49. 53
4. Do you offer on the fly (just-in-time)provisioning,
where by users are provisioned using a pre-assigned
token but activated at the time of online registration?
5. What language support do you offer for clients of
provisioning web services? Examples include Java,
.NET, Ruby on Rails, PHP, etc.
6. Do you support provisioning via transient
federation(SAML)?
7. What logging of provisioning requests is performed,
and how is it protected from tampering? What
reconciliation mechanisms are available?
Notes de l'éditeur
The first of the essential characteristics is “Broad Network Access,” which basically means the computing resources are available through pretty much any mechanism desired. These may include:
Standard clients, like mobile phones, laptops and desktop computers, both internal and external to your corporate network.
Traditional software services, like applications and middleware. Since the cloud provides similar capabilities to what a company would build themselves, any cloud-resident resources would need to be accessible from computing resources (both internal and external) to the organization.
There shouldn’t be any restrictions in terms of access via cloud-based software services either.
One of the first areas of confusion for “the cloud” is to understand how cloud services and virtualization relate to each other. And in the media grinder, the terms tend to be used synonymously, which is both factually and intrinsically incorrect. So let’s try to define virtualization and draw some specific distinctions between each:
According to Wikipedia, “virtualization, in computing, is the creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.” [1]”
We say that virtualization is the platform for the cloud. Meaning that cloud service models would not be possible to build without the ability to virtualize everything (network, operating systems, storage, etc.) involved in providing a computing platform. Although it’s transparent to the customers that deploy cloud architectures, every cloud service provider makes heavy use of virtualization technology at all levels of their computing architecture to deliver the scalability and flexibility required to derive economies of scale.
On the other hand, the cloud is also used by most customers as a platform for virtualization. By that we mean the easiest way for many customers to leverage the power of virtualization is to use a cloud service. Thus the customer doesn’t have to deal with deploying their own environment of computers running hypervisors and supporting a variety of guest operating systems, and offering block storage accessible by a specific API or a certain computing platform for some of their key enterprise applications. All of these capabilities can be exposed using a cloud service (as opposed to building it themselves).
Thus, not only does the cloud heavily utilize virtualization, it’s provides an ability for customers to quickly start achieving the value of virtualization, without having to virtualize their existing architecture. Yes, it’s kind of recursive, but the point here is that cloud and virtualization are attached at the hip, but they are not the same.
In terms of what you buy when you look at cloud services, the types of offerings tend to broken up into three different levels. We’ll go through each distinction in some detail.
These offerings tend to be describe as the SPI stack. S for Software as a Service. P for Platform as a Service. And I for Infrastructure as a Service. Now the cloud stack is clearly evolving and we are seeing a lot of overlap and less clear distinction between the layers of the stack. So first, let’s get a feel for the standard definitions of each layer in the stack and then we can use some examples to show the blurring that is happening now.
The statement says it all. The lower in the stack the provider stops, the more the customer has to do. So IaaS stops low in the stack, thus the customers are responsible to secure the systems and applications. PaaS is in the middle and may offer some level of security within the platform, but the customer would still be required to make the API calls within the application.
SaaS is a bit of a different animal because the provider is responsible for the entire solution (from cradle to grave). Thus the onus is upon them to protect any information within their service. As you can imagine, data security is very important to the SaaS providers, since a breach or failure could result in the proverbial “run on the bank” and put the entire business in danger.
Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. This tends to be what most organizations view as the “cloud.” Basically a big set of computers in the sky that can be spun up or decommissioned instantly to support almost any kind of applications.
Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off- premises. Any infrastructure you are responsible for managing can be termed a “private cloud.” Thus your existing data center, given some of the essential characteristics of cloud infrastructure (brad network access, rapid elasticity, etc.) is sort of a private cloud. Of course, there is a lot of work to be done to turn a traditional existing data center into a private cloud facility, but it’s definitely a direction many organizations are moving towards.
Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). There are many affinity groups (organized by vertical, geography, size, etc.) that tend to have very similar computing requirements. A community cloud can bring leverage and economies of scale to these environment, driving down the cost of delivering the IT service and likely increasing capabilities. The community cloud may be managed by the organizations or a third party and may exist on-premises or off-premises.
Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). Why have one, when you can have two for twice the price? OK, that may be a little facetious, but hybrid models are real and provide both a shorter term migration plan (so you can support your existing data centers/private cloud, while moving some or all of your infrastructure to another cloud platform).
The statement says it all. The lower in the stack the provider stops, the more the customer has to do. So IaaS stops low in the stack, thus the customers are responsible to secure the systems and applications. PaaS is in the middle and may offer some level of security within the platform, but the customer would still be required to make the API calls within the application.
SaaS is a bit of a different animal because the provider is responsible for the entire solution (from cradle to grave). Thus the onus is upon them to protect any information within their service. As you can imagine, data security is very important to the SaaS providers, since a breach or failure could result in the proverbial “run on the bank” and put the entire business in danger.
STRIDE is a threat model that is widely used at Microsoft and across the industry. It provides six types of threats
For now, we will do a brief summary of the threats to give you an idea of what a Threat Model is
Spoofing occurs when an attacker assumes the identity of subject (like user or client), object (like a server, web application or database), or account. Phishing is an example of Spoofing where an attacker fools the user by spoofing a legitimate site like an online bank and tricks the user into sending their username and password to a site the attacker controls. Its also possible for an attacker to spoof the identity of the user directly
Tampering occurs when message or data is altered by the attacker
Repudiation occurs when the attacker repudiates an authentic event such as claiming that an ATM machine did not give any money when in fact the attacker did receive money from the ATM
Information may be disclosed in number of ways, information can be sniffed off of a network communication channel, such as through packet sniffing unencrypted networks. Attackers may actively try to gather information through injecting SQL commands to the database.
Denial of Service (also sometimes called “Denial of business”) means an attacker can swamp the system to deny access to legitimate users.
Elevation of privilege occurs when an attacker finds a way to bypass access control that limits their privileges. An attacker may try to elevate privilege by using a normal account to run commands that are administrator only
This is a brief overview of one threat model, we will now look at how countermeasures can be identified based on the threats.
The value of threat modeling is to assist the problem of building security in, specifically the threat model gives a concrete set of requirements and location of the countermeasure in the system.
For the six threats in STRIDE that we briefly introduced, each will be mitigated by a different countermeasure.
The following list is illustrative not exhaustive, the purpose is to see that each threat will likely yield different security mechanisms
Spoofing threats such as when an attacker impersonates a users, client or server, may be mitigated by authentication mechanisms which verify the authenticity of the subjects, objects and users.
Tampering threats such as altering data may be mitigated by signing and hashing data to verify the integrity of the data
Repudiating legitimate transactions may be mitigated through audit log that produce evidence of the transaction
Information disclosure can occur in many ways, in the example of sniffing information off the wire threats, encryption can mitigate this attack.
Denial of service is mitigated through availability services like clustering, and fail over
Elevation of privilege is mitigated through authorization checking to see if the user has the correct rights to access the system.
This table is a good example of the value of threat modeling, it shows that security is not one thing or one mechanism. Rather security can be defined as a set of mechanisms that cope with certain threats. Depending on which threats the system designers are trying to mitigate the threat model will yield different guidance for which mechanisms are necessary.
Monitoring applications is a multi-faceted job. The CSA Guidance lists five distinct types of monitoring. The most fundamental being – Monitoring your logs! Not just storing them and never looking at them, aka Compliance “zombie ware.” No one looks or cares, but they are recording
The other four types of monitoring services can be seen as to how much a priori knowledge is assumed. Performance and policy violation monitoring means defining a set of goals up front and then reviewing logs for those types of events and thresholds
Monitoring for malicious use and compromise is more subtle and relies on careful inspection looking for outliers
To achieve these goals the monitoring system should ensure that the log messages are able to be parsed automatically and that the log messages are actionable
We will walk through each of these
Since we don’t necessarily know what the infrastructure is, where it is located, who has access we need to account for data security as data moves into and through the cloud
Goal is to reorient your security program to protect the information, not merely the network and places where it's stored.
We define these 6 phases (Define – Store – Use – Share – Archival - and Destruction)
Briefly introduce what each means. You can introduce the technologies that support each phase later.
You want to review for Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation.
Stress the goal is to define how data is protected at each phase.
Looking at how you apply security in the cloud – ask yourself how you would do it – this should illuminate security issues and overall risks with the service
Federation defines the contract between the Cloud consumer and Cloud provider at a deeper level, this is typically done through standards like SAML.
Compliance activities must review and report on both the identity provisioning and review as well as the runtime access management configuration
Overview of some of the key standards:
SAML provides a wire level protocol that enables movement of attributes and SSO sessions from the Cloud Consumer to the Cloud Provider
OAuth tokens can be used to authorize to the application.
Both SAML and OAuth tokens can be digitally signed and hashed for protection, this is important because the user sessions and application access moves from domain to domain (Consumer & provider), so the tokens must be robust to deal with tampering and other attacks while still being able to move the identity data around in the system
Provisioning must occur on both Cloud Consumer and Cloud Provider, this can create synchronization challenges
If you are a cloud provider, these are the mechanisms you need to support for your customers:
How do you provision? Do you support customer managed provisioning, some sort of synchronization, or do users have to provision within your service? Forcing users to provision within your system without integration into their environment may be too limiting.
Note that SPML is included due to its prominence in the Guidance, but is somewhat stalled at this time. Instructors- be careful and remind students that SPML is on the exam, but not usually a real-world option (we will fix this for the 3.- Guidance).
Automated provisioning via SAML or another mechanism is very valuable to customers. Think about it, they merely have to extend existing processes.
Some other things to consider:
Just in time tokens are useful for activating accounts, especially for SaaS, when you want to offer self-provisioning.
What languages do users need to code their provisioning web services in? Ideally with something like SAML you are language-agnostic.
Logging is key- especially if there is any sort of self provisioning or compliance requirements.