Chap 6 cloud security

  1. Chapter 6 Cloud Security By Prof. Raj Sarode
  2. Cloud Security Fundamentals • There are a lot of myths about cloud security that need to be clarified. Many people think that as soon as they hand something to the cloud, they no longer have to worry about security compliance. That is not correct. If you are a business, your clients look to you for security. Whether you go to the cloud or run it internally on your own private infrastructure does not change who owns compliance and security; there needs to be a very clear demarcation line of responsibility. • A second myth deals in black and white: either the cloud is insecure by default or the cloud is secure by default. Neither is correct. It depends on the controls. You are not reinventing or eliminating any controls; you are moving where the controls reside and changing who owns them. The cloud is by default neither insecure nor secure; at the end of the day it comes down to how everything is implemented and how the data flows.
  3. Cloud Security Fundamentals • "Data is encrypted all the time." It depends, and this is a big myth. Some cloud service providers encrypt your data; some do not. You need to find out and understand how your data is handled, and in particular whether the service provider holds the key or not. It depends on the cloud model. Whether you use box.com, Dropbox or Salesforce, it depends on the processing they perform on your data and on whether your data is really encrypted or not. • "It's my data, I'll get it back when I need it." Not necessarily: it depends on where the data has been residing, and there are country-specific laws you need to know and understand in order to get your data back. • Cloud security considerations, whether compliance, identity and access management, service integrity, endpoint integrity, information protection or IP-specific protection, all need to be taken into account no matter how you use the cloud and for what reasons.
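The "does the provider hold the key" question on this slide has a concrete engineering answer: encrypt on the customer side before anything is uploaded, so the provider stores ciphertext only. The Go program below is an added example for this deck, not code from the slides or from any provider; the Provider type is a hypothetical stand-in for an object store (real providers have their own SDKs), and the key handling, object names and the sample record are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider is a hypothetical stand-in for a cloud object store: it keeps the
// bytes it is given and is never handed a key. Not any vendor's real API.
type Provider struct{ objects map[string][]byte }

func NewProvider() *Provider { return &Provider{objects: map[string][]byte{}} }

func (p *Provider) Put(name string, blob []byte) { p.objects[name] = append([]byte(nil), blob...) }

func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.objects[name]; return b, ok }

// Customer holds the only copy of the data-encryption key.
type Customer struct{ key []byte }

func NewCustomer() (*Customer, error) {
	k := make([]byte, 32) // AES-256 key, generated and kept on the customer side
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Customer{key: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM. The object name goes in as additional
// authenticated data, so a blob copied under another name will not open.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag. The nonce is public; the key is not.
	return append(nonce, aead.Seal(nil, nonce, plaintext, []byte(name))...), nil
}

// Open reverses Seal and fails on a wrong key, a modified blob or a mismatched name.
func Open(key, blob []byte, name string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

func (c *Customer) Upload(p *Provider, name string, plaintext []byte) error {
	blob, err := Seal(c.key, plaintext, name)
	if err != nil {
		return err
	}
	p.Put(name, blob)
	return nil
}

func (c *Customer) Download(p *Provider, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, fmt.Errorf("no object %q", name)
	}
	return Open(c.key, blob, name)
}

// ProviderCanRead checks the slide's question against what the provider
// actually stores: does the plaintext appear anywhere in the stored bytes?
func ProviderCanRead(p *Provider, name string, plaintext []byte) bool {
	blob, ok := p.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	p := NewProvider()
	c, err := NewCustomer()
	if err != nil {
		panic(err)
	}
	record := []byte("employee=alice,salary=91000") // constructed sample record
	if err := c.Upload(p, "payroll.csv", record); err != nil {
		panic(err)
	}
	back, err := c.Download(p, "payroll.csv")
	fmt.Println("provider can read plaintext:", ProviderCanRead(p, "payroll.csv", record))
	fmt.Println("customer round trip ok:", err == nil && bytes.Equal(back, record))
}
```

Run it with `go run`: the provider ends up holding bytes that do not contain the plaintext, while the customer round-trips the record. Because the object name is bound as GCM additional data, copying a blob to a different name or flipping a bit in it makes Open return an error instead of wrong data. Whether a real provider supports this model (client-side encryption with customer-managed keys) is exactly the question the slide says to ask before trusting "your data is encrypted".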
  4. Cloud Security Fundamentals • Cloud Security: the security and risk management mechanisms and operational processes supporting the cloud computing IT model. • As a consumer of a cloud platform, application or service, it is the customer's responsibility to understand the inner workings of the cloud model and its inherent risks, together with the applicable available controls. This includes understanding not only the services being provided but also the back-end processes, including governance, physical security, network security and other critical controls. • The Cloud Security Alliance (CSA) maintains an active body of work titled the Cloud Controls Matrix (CCM), currently in version 3.0.1 (https://cloudsecurityalliance.org/research/ccm/), which provides an excellent way to understand the common security controls available for cloud services.
  5. Vulnerability Assessment Tool For Cloud
  6. Vulnerability Assessment Tool For Cloud • Clouds provide a powerful computing platform that enables individuals and organizations to perform a variety of tasks, such as using online storage space, adopting business applications, developing customized software and creating a "realistic" network environment. • Vulnerability management tools help information security teams stay ahead of the rising tide of security issues in their organizations. • They combine state-of-the-art vulnerability detection with prioritization algorithms that help organizations identify the issues requiring immediate attention, so they can focus their efforts on the vulnerabilities most likely to result in a breach.
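To make the "prioritization algorithms" point concrete, here is an added Go example (not from the deck and not any product's scoring) that parses a constructed scanner export and ranks findings by a context-aware score rather than by raw CVSS alone. The column names, the weights in Priority and the tier thresholds are assumptions chosen for illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// Finding is one row of a scanner export. The column set is a hypothetical
// example for this page, not the format of any specific product.
type Finding struct {
	Asset            string
	Title            string
	CVSS             float64 // CVSS base score, 0.0 to 10.0
	InternetFacing   bool    // reachable from the Internet
	ExploitPublic    bool    // a public, working exploit is known
	AssetCriticality int     // 1 (lab) to 5 (business critical), from the asset inventory
	AgeDays          int     // days since first detected
}

// SampleExport is a constructed export used as offline input.
const SampleExport = `asset,title,cvss,internet_facing,exploit_public,asset_criticality,age_days
web-01,"Remote code execution, image upload handler",9.8,true,true,4,3
db-02,Outdated TLS configuration,5.3,false,false,5,60
lab-07,Local privilege escalation,7.8,false,true,1,10
web-01,Missing security headers,3.1,true,false,4,200
`

// ParseFindings reads the export and rejects rows with out-of-range values,
// so a malformed export fails loudly instead of silently ranking wrong.
func ParseFindings(r io.Reader) ([]Finding, error) {
	rows, err := csv.NewReader(r).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Finding
	for i, row := range rows {
		if i == 0 {
			continue // header
		}
		cvss, err1 := strconv.ParseFloat(row[2], 64)
		inet, err2 := strconv.ParseBool(row[3])
		expl, err3 := strconv.ParseBool(row[4])
		crit, err4 := strconv.Atoi(row[5])
		age, err5 := strconv.Atoi(row[6])
		for _, e := range []error{err1, err2, err3, err4, err5} {
			if e != nil {
				return nil, fmt.Errorf("row %d: %w", i, e)
			}
		}
		if cvss < 0 || cvss > 10 || crit < 1 || crit > 5 || age < 0 {
			return nil, fmt.Errorf("row %d: value out of range", i)
		}
		out = append(out, Finding{row[0], row[1], cvss, inet, expl, crit, age})
	}
	return out, nil
}

// Priority turns severity plus context into a 0-100 score. The weights are
// illustrative assumptions; a real program tunes them to its own risk appetite.
func Priority(f Finding) float64 {
	s := f.CVSS * 10
	if f.InternetFacing {
		s *= 1.3
	}
	if f.ExploitPublic {
		s *= 1.4
	}
	s *= 0.6 + 0.1*float64(f.AssetCriticality) // 0.7 for a lab box, 1.1 for crown jewels
	if f.AgeDays > 30 {
		s *= 1.1 // overdue findings drift upward rather than being forgotten
	}
	if s > 100 {
		s = 100
	}
	return s
}

// Tier maps a score onto the SLA bucket the team actually works from.
func Tier(score float64) string {
	switch {
	case score >= 80:
		return "immediate"
	case score >= 50:
		return "scheduled"
	default:
		return "backlog"
	}
}

// Rank returns a copy of the findings ordered by descending priority.
func Rank(fs []Finding) []Finding {
	out := append([]Finding(nil), fs...)
	sort.SliceStable(out, func(i, j int) bool { return Priority(out[i]) > Priority(out[j]) })
	return out
}

func main() {
	fs, err := ParseFindings(strings.NewReader(SampleExport))
	if err != nil {
		panic(err)
	}
	for _, f := range Rank(fs) {
		p := Priority(f)
		fmt.Printf("%-9s %6.2f  %-7s %s\n", Tier(p), p, f.Asset, f.Title)
	}
}
```

The output order is the lesson: the lab host's privilege escalation with a public exploit (76.44) ranks above the production database's TLS weakness (64.13), and the Internet-facing RCE pins to the top at 100 regardless of age, while the headers finding lands in the backlog despite being 200 days old. A real program would take exposure and asset criticality from an inventory or CMDB rather than from the scanner export, and would revisit the weights against its own incident history.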
  7. Vulnerability Assessment Life Cycle
  8. Vulnerability Management Product Features • Quality and speed of updates • Compatibility with your environment • Support for cloud services • Compliance • Prioritization • Active and passive detection • Authenticated and unauthenticated scanning • Remediation guidance • Vendor support
  9. List Of Vulnerability Tools
     Name | Owner | Licence | Platforms
     Acunetix WVS | Acunetix | Commercial / Free (Limited Capability) | Windows
     AppScan | IBM | Commercial | Windows
     App Scanner | Trustwave | Commercial | Windows
     AppSpider | Rapid7 | Commercial | Windows
     AVDS | Beyond Security | Commercial / Free (Limited Capability) | N/A
     BlueClosure BC Detect | BlueClosure | Commercial, 2 weeks trial | Most platforms supported
     Burp Suite | PortSwigger | Commercial / Free (Limited Capability) | Most platforms supported
     Contrast | Contrast Security | Commercial / Free (Limited Capability) | SaaS or On-Premises
     GamaScan | GamaSec | Commercial | Windows
     Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML
     Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh
     GoLismero | GoLismero Team | GPLv2.0 | Windows, Linux and Macintosh
     IKare | ITrust | Commercial | N/A
     Indusface Web Application Scanning | Indusface | Commercial | SaaS
     N-Stealth | N-Stalker | Commercial | Windows
     Netsparker | MavitunaSecurity | Commercial | Windows
     Nexpose | Rapid7 | Commercial / Free (Limited Capability) | Windows/Linux
     Nikto | CIRT | Open Source | Unix/Linux
     ParosPro | MileSCAN | Commercial | Windows
     Proxy.app | Websecurify | Commercial | Macintosh
     QualysGuard | Qualys | Commercial | N/A
     Retina | BeyondTrust | Commercial | Windows
  10. List Of Vulnerability Tools (continued)
     Name | Owner | Licence | Platforms
     Securus | Orvant, Inc | Commercial | N/A
     Sentinel | WhiteHat Security | Commercial | N/A
     SOATest | Parasoft | Commercial | Windows / Linux / Solaris
     Tinfoil Security | Tinfoil Security, Inc. | Commercial / Free (Limited Capability) | SaaS or On-Premises
     Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS
     Vega | Subgraph | Open Source | Windows, Linux and Macintosh
     Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh
     WebApp360 | TripWire | Commercial | Windows
     WebInspect | HP | Commercial | Windows
     WebReaver | Websecurify | Commercial | Macintosh
     WebScanService | German Web Security | Commercial | N/A
     Websecurify Suite | Websecurify | Commercial / Free (Limited Capability) | Windows, Linux, Macintosh
     Wikto | Sensepost | Open Source | Windows
     w3af | w3af.org | GPLv2.0 | Linux and Mac
     Xenotix XSS Exploit Framework | OWASP | Open Source | Windows
     Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux and Macintosh
  11. Privacy and Security in Cloud • Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies and controls deployed to protect the data, applications and associated infrastructure of cloud computing. It is a sub-domain of computer security, network security and, more broadly, information security. • Well-known security issues such as data loss, phishing and botnets (malware running remotely on a collection of machines) pose serious threats to an organization's data and software. • Moreover, the multi-tenancy model and the pooled computing resources of cloud computing have introduced new security challenges that require novel techniques to tackle. • For example, attackers can use the cloud to organize a botnet, as the cloud often provides more reliable infrastructure services at a relatively lower price from which to launch an attack.
  12. Cloud Security Architecture
  13. Cloud Security Architecture
  14. Identity Management & Access Control • Business demands on identity management and access control are changing rapidly, which requires the adoption of emerging technologies. • Identity Management: your online identity is established when you register. During registration, some attributes are collected and stored in a database. The registration process can differ considerably depending on what kind of digital identity you will be issued. • An identity and access management (IAM) system is a framework of business processes that facilitates the management of electronic identities. • Access Control: once the user's identity is established, can the user access the service? Wrong. Authentication != Authorization (!= means "not equal"). After authentication there has to be an access control decision. • The decision is based on the information available about the user; this is where the attributes come into play. • If the authentication process can deliver the required set of attributes to the access control decision point, that point can evaluate the attributes against policy and make the yes/no decision.
  15. Identity Management & Access Control • The difference between identity management and access management is thus: • Identity Management is about managing the attributes related to the user. • Access Management is about evaluating those attributes against policies and making yes/no decisions.
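The pipeline described on slides 14 and 15 (authentication delivers attributes; a decision point evaluates them against policy; the answer is yes or no) as an added Go example, not code from the deck. The attribute names, the rule set and the ledger resource are constructed for the illustration; the two properties worth copying are the default deny and the explicit "attribute not supplied" reason.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attributes are the claims the authentication step delivers about a subject,
// or the properties an inventory records about a resource.
type Attributes map[string]string

// Request is one access decision: who, doing what, to which resource.
type Request struct {
	Subject  Attributes
	Action   string
	Resource Attributes
}

// Rule grants an action when every required subject attribute matches. A value
// of the form "resource.<key>" is compared against the resource's attribute.
type Rule struct {
	Name     string
	Actions  []string
	Requires map[string]string
}

type Decision struct {
	Allow  bool
	Reason string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches reports whether the rule is satisfied. When it fails only because the
// subject lacks attributes, those names are returned so the caller can say that
// authentication did not deliver them (a mismatch on any attribute returns none).
func (r Rule) matches(req Request) (ok bool, missing []string) {
	if !contains(r.Actions, req.Action) {
		return false, nil
	}
	mismatch := false
	for attr, want := range r.Requires {
		if strings.HasPrefix(want, "resource.") {
			want = req.Resource[strings.TrimPrefix(want, "resource.")]
		}
		got, present := req.Subject[attr]
		switch {
		case !present:
			missing = append(missing, attr)
		case got != want:
			mismatch = true
		}
	}
	if mismatch {
		return false, nil
	}
	sort.Strings(missing)
	return len(missing) == 0, missing
}

// Evaluate is the policy decision point: default deny, first satisfied rule allows.
func Evaluate(rules []Rule, req Request) Decision {
	seen := map[string]bool{}
	for _, r := range rules {
		ok, missing := r.matches(req)
		if ok {
			return Decision{true, "allowed by rule " + r.Name}
		}
		for _, m := range missing {
			seen[m] = true
		}
	}
	if len(seen) > 0 {
		var names []string
		for m := range seen {
			names = append(names, m)
		}
		sort.Strings(names)
		return Decision{false, "denied: authentication did not supply attributes: " + strings.Join(names, ", ")}
	}
	return Decision{false, "denied: no rule matched (default deny)"}
}

// Policy is a constructed rule set for the example.
var Policy = []Rule{
	{"owner-read-write", []string{"read", "write"}, map[string]string{"user_id": "resource.owner"}},
	{"finance-read", []string{"read"}, map[string]string{"department": "finance", "mfa": "true"}},
	{"admin-all", []string{"read", "write", "delete"}, map[string]string{"role": "admin", "mfa": "true"}},
}

func main() {
	ledger := Attributes{"owner": "u2", "classification": "financial"} // constructed resource
	cases := []Request{
		{Attributes{"user_id": "u1", "department": "finance", "mfa": "true"}, "read", ledger},
		{Attributes{"user_id": "u2", "department": "eng"}, "write", ledger},
		{Attributes{"user_id": "u3", "role": "admin"}, "delete", ledger}, // authenticated admin, no mfa claim
		{Attributes{"user_id": "u4", "department": "eng", "mfa": "true", "role": "user"}, "read", ledger},
	}
	for _, c := range cases {
		d := Evaluate(Policy, c)
		fmt.Printf("%-6s user_id=%s -> allow=%v (%s)\n", c.Action, c.Subject["user_id"], d.Allow, d.Reason)
	}
}
```

The third case is the one the slide warns about: the subject is authenticated and even carries role=admin, but the authentication step never delivered an mfa attribute, so the answer is no and the reason says which attribute the identity side failed to supply. An action that no rule mentions is likewise denied without any special handling, which is what makes the default deny worth keeping.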
  16. Cloud computing security challenges • Cloud computing security challenges fall into three broad categories: • Data Protection: securing your data both at rest and in transit. • User Authentication: limiting access to data and monitoring who accesses it. • Disaster and Data Breach: contingency planning. • Further challenges beyond these categories: • Advanced Attacks & Cyber Conflicts • Service Provider Visibility • Translating Enterprise Requirements into the Cloud
  17. Thank You