What Is "Secure"?
“If you think cryptography can solve your problem, then you
don't understand your problem and you don't understand
cryptography.” – Bruce Schneier, 1998
The Nouns and Verbs of Security
Preserve integrity, availability & access
Permit authentication and authorization
Assure confidentiality & control
Promote awareness and accountability
Perform inspection; maintain protection;
afford detection; enable reaction; build on
reflection
The Nouns and Verbs of Security
If all you want is data protection, put it on
tape and store it in a Kansas cavern
The point of security is to maximize the
risk-adjusted value of the asset: money in
a bank, not under a mattress
Infosec is therefore a process, not a
product; a mode of travel, not a destination
“Secure” against what?
“Who” Matters So Much More than “Where”
"There are five common factors that lead to the compromise of database information":
• ignorance
• poor password management
• rampant account sharing
• unfettered access to data
• excessive portability of data
DarkReading.com, October 2009
Clouds Can Be Usefully Secure
Single-Tenant vs. Multi-Tenant Clouds
In a multi-tenant environment, all
applications run under a common trust
model: more manageable, more consistent,
more subject to rigorous scrutiny by trained
specialists (internal & customer)
[Diagram: one shared infrastructure stack, hosting other apps alongside your own]
Single tenancy entails creation of multiple
software stacks, whether real or virtual:
each layer in each stack represents a
distinct opportunity for misconfiguration or
other sources of security risk
[Diagram: three single-tenant stacks (App 1, App 2, App 3), each with its own Server, OS, Database, App Server, Storage and Network layers]
Every Act an Invocation: Granular Privilege
Password security policies
Rich Sharing Rules
User Profiles
SSO/2-factor solutions
Login… Authenticate… Apply Data Security Rules… View Filtered Content
Bottom-Up Design to be “Shared and Secure”
Expanding legislation, regulation, mainstream mind share
Rising standard of due diligence
Desktop/laptop systems carry far too much “state”
– More data than people actually use
– Far too much data that user may easily lose
– More than one version of what should be one shared truth
Cloud’s Solutions:
– Logical view of exactly one database
– Profile definitions manage privilege sets
– Activity logs precisely record actions
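The "Login… Authenticate… Apply Data Security Rules… View Filtered Content" pipeline and the "profile definitions manage privilege sets" / "activity logs precisely record actions" items, as an added example (not code from the presentation or from the presenter's vendor): every row carries an ORG_ID, the user's profile fixes the privilege set, sharing rules decide which rows are reachable, and every invocation is logged whether or not it returned anything. The profile names, the sharing rules and the sample table are constructed for illustration.

```python
# Added example, not code from the presentation: a toy model of
# "Login... Authenticate... Apply Data Security Rules... View Filtered Content".
# Every row carries an ORG_ID, a user's profile fixes the privilege set (allowed
# operations), sharing rules decide which rows are visible, and every invocation
# is recorded in an activity log. All names, rules and data are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass(frozen=True)
class Record:
    org_id: str    # tenant key stamped on every row
    rec_id: str
    owner: str     # user who owns the row
    region: str
    amount: int

@dataclass(frozen=True)
class User:
    name: str
    org_id: str    # tenant the user belongs to
    profile: str   # name of the profile that defines the privilege set

# Profile definitions manage privilege sets: which operations are allowed at all.
PROFILES: Dict[str, Set[str]] = {
    "standard": {"read"},
    "manager": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

# Sharing rules decide which rows a user may reach; any matching rule grants access.
SharingRule = Callable[[User, Record], bool]
SHARING_RULES: List[SharingRule] = [
    lambda u, r: r.owner == u.name,                              # owners see their own rows
    lambda u, r: u.profile == "manager" and r.region == "EMEA",  # hypothetical regional rule
    lambda u, r: u.profile == "admin",                           # admins see every row in their org
]

ACTIVITY_LOG: List[dict] = []   # one entry per invocation, successful or not

def authorize(user: User, action: str, record: Record) -> bool:
    """One check point for every act: tenant boundary, then profile, then sharing rules."""
    if record.org_id != user.org_id:            # never cross the ORG_ID boundary
        return False
    if action not in PROFILES.get(user.profile, set()):
        return False
    return any(rule(user, record) for rule in SHARING_RULES)

def query(user: User, action: str, table: List[Record]) -> List[Record]:
    """Return only the rows the user may act on, and log the invocation either way."""
    visible = [r for r in table if authorize(user, action, r)]
    ACTIVITY_LOG.append({"user": user.name, "org": user.org_id,
                         "action": action, "rows": [r.rec_id for r in visible]})
    return visible

# Constructed sample data: two tenants sharing one logical table.
TABLE = [
    Record("orgA", "a1", "alice",   "EMEA", 100),
    Record("orgA", "a2", "bob",     "APAC", 200),
    Record("orgA", "a3", "carol",   "EMEA", 300),
    Record("orgB", "b1", "mallory", "EMEA", 400),
]
ALICE   = User("alice",   "orgA", "standard")
BOB     = User("bob",     "orgA", "manager")
MALLORY = User("mallory", "orgB", "admin")

def visible_ids(user: User, action: str) -> List[str]:
    """Convenience wrapper: the record ids the user gets back for one invocation."""
    return [r.rec_id for r in query(user, action, TABLE)]

if __name__ == "__main__":
    for u, a in [(ALICE, "read"), (ALICE, "update"), (BOB, "read"), (MALLORY, "read")]:
        print(u.name, a, visible_ids(u, a))
    print(ACTIVITY_LOG)
```

The order of the checks in `authorize` is the point: the tenant boundary is tested before any profile or sharing logic runs, so an "admin" profile in one org can never match a sharing rule against another org's rows, and the log records the denied invocation (empty row list) just as it records the granted one.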
Governance: More Eyes, More Agendas
Strong Session Management
• Every row in the database contains an ORG_ID – unique encoded string
• Session Tokens – user unique, non-predictable long random value generated for each session, combined with a routing “hint” and checksum, base64 encoded; contains no user-identifiable information
• Session Timeout – 15 mins to 8 hrs
• Lock Sessions to IP – prevents hijacking and replay attacks
• SSLv3/TLS used to prevent token capture / session hijacking
• Session Logout – explicitly expire and destroy the session
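The session-token scheme described above, as an added example (not the vendor's implementation): a long random value plus a routing hint and a checksum, base64-encoded, with the user identity kept only in the server-side store, a timeout clamped to the 15 minute to 8 hour range, an IP lock, and an explicit logout that destroys the session. The keyed checksum, the field sizes and the in-memory store are assumptions. One caveat on the slide's transport line: SSLv3 has since been deprecated (RFC 7568), so a current deployment would require TLS 1.2 or later to protect the token in transit.

```python
# Added example, not the vendor's implementation: session tokens shaped as the
# slide describes (long random value + routing hint + checksum, base64, no
# user-identifiable content), with a 15 min to 8 hr timeout, IP lock and explicit
# logout. The keyed checksum, field sizes and the in-memory store are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

MIN_TTL, MAX_TTL = 15 * 60, 8 * 3600          # slide: "15 Mins to 8 Hrs"
CHECKSUM_KEY = secrets.token_bytes(32)        # assumption: per-deployment secret
SESSIONS: Dict[str, dict] = {}                # server-side state keyed by token

def mint_token(routing_hint: int) -> str:
    """32 random bytes || 2-byte routing hint || 8-byte keyed checksum, base64url."""
    body = secrets.token_bytes(32) + struct.pack(">H", routing_hint)
    mac = hmac.new(CHECKSUM_KEY, body, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(body + mac).decode("ascii")

def parse_token(token: str) -> Optional[int]:
    """Return the routing hint if the checksum verifies, else None (reject before any lookup)."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    if len(raw) != 42:
        return None
    body, mac = raw[:34], raw[34:]
    expected = hmac.new(CHECKSUM_KEY, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, mac):
        return None
    return struct.unpack(">H", body[32:])[0]

def login(user_id: str, client_ip: str, routing_hint: int,
          ttl: int = MIN_TTL, now: Optional[float] = None) -> str:
    """Create a session; the user id lives only in the server-side store, never in the token."""
    now = time.time() if now is None else now
    ttl = max(MIN_TTL, min(ttl, MAX_TTL))      # clamp to the allowed timeout range
    token = mint_token(routing_hint)
    SESSIONS[token] = {"user": user_id, "ip": client_ip, "expires": now + ttl}
    return token

def validate(token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a live session presented from the bound IP, else None."""
    now = time.time() if now is None else now
    if parse_token(token) is None:             # mangled or forged token
        return None
    session = SESSIONS.get(token)
    if session is None:                        # unknown or already logged out
        return None
    if now >= session["expires"]:              # timed out: destroy it
        SESSIONS.pop(token, None)
        return None
    if session["ip"] != client_ip:             # lock sessions to IP: replay from elsewhere fails
        return None
    return session["user"]

def logout(token: str) -> bool:
    """Explicitly expire and destroy the session; True if one existed."""
    return SESSIONS.pop(token, None) is not None

if __name__ == "__main__":
    t = login("user-42", "10.0.0.5", routing_hint=7)
    print(t, parse_token(t), validate(t, "10.0.0.5"), validate(t, "10.0.0.9"))
    print(logout(t), validate(t, "10.0.0.5"))
```

The checksum lets a front end discard mangled or forged tokens (and read the routing hint) before touching the session store, but it is not what makes the token unguessable: that comes from the 32 random bytes. The IP lock rejects a replayed token from another address, and a timed-out session is removed on first use rather than left to linger.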
World-Class Defense in Depth
Common Controls + Customer Choices
Platform Security
• SSL data encryption
• Optional strict password policies
• SAS 70 Type II & SysTrust Certification
• Security certifications from Fortune 50 financial services customers
• May 2008: ISO 27001 Certification
Network Security
• Fault tolerant external firewall
• Intrusion detection systems
• Best practices secure systems mgmt
• 3rd party vulnerability assessments
Facility Security
• 24x365 on site security
• Biometric readers, man traps
• Anonymous exterior
• Silent alarm
• CCTV
• Motion detection
• N+1 infrastructure
“There are some strong technical security arguments in favor of Cloud Computing…” (Craig Balding, Fortune 500 security practitioner)
Peter Coffee, VP for Strategic Research
facebook.com/peter.coffee
twitter.com/petercoffee