AWS Security White Paper

September 5th, 2008 | by Jian Zhen | No Comments


Jeff Barr from Amazon just posted an AWS Security White Paper that’s “intended to answer customer questions such as ‘How does AWS help me ensure my data is secure?’”

This document provides an overview of security as it pertains to the following areas relevant to AWS:

  • Certifications and Accreditations
  • Physical Security
  • Backups
  • Amazon Elastic Compute Cloud (EC2) Security
  • Amazon Simple Storage Service (S3) Security
  • Amazon SimpleDB Security

Will BGP and DNS Exploits Affect the Future of Cloud Computing?

August 28th, 2008 | by Jian Zhen | No Comments

Recently we seem to be hearing about more and more security exploits aimed at core Internet protocols. In July, Dan Kaminsky revealed a critical cache-poisoning flaw in the DNS protocol.

A couple of days ago “[t]wo security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.” See Revealed: The Internet’s Biggest Security Hole | Threat Level from Wired.com for more detailed reporting.

According to Wired.com,

“The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.”

. . .

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.

The clever trick the researchers have pulled off is to

“use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.”

All these core protocol exploits have a direct impact on cloud computing, since by its nature cloud computing means the computing happens out there on the Internet somewhere. According to the article,

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.
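To make the quoted mechanism concrete, here is an added example that is not part of the original post or the Wired article. It simulates path-vector route propagation with BGP’s AS_PATH loop detection and longest-prefix-match forwarding over a constructed six-AS topology; the private ASNs, the peering links, the prefixes and the attacker’s static return route are all assumptions made for illustration. It compares three cases: no attack, a naive hijack of a more-specific /24, and the same hijack with the transit ASes on the attacker’s return path prepended to the forged AS_PATH so that those ASes reject the announcement and keep delivering to the real origin.

```python
import ipaddress
from collections import deque

# Constructed topology with private ASNs (an assumption for illustration,
# not any real network). Keys are ASNs, values are directly peered ASNs.
VICTIM, X, Y, ATTACKER, Z, CLIENT = 65001, 65002, 65003, 65004, 65005, 65006
TOPOLOGY = {
    VICTIM:   [X],                 # originates 10.0.0.0/16
    X:        [VICTIM, Y, Z],      # victim's upstream
    Y:        [X, ATTACKER],       # transit between X and the attacker
    ATTACKER: [Y, CLIENT],         # announces the more-specific 10.0.0.0/24
    Z:        [X, CLIENT],         # transit on the client's normal path
    CLIENT:   [ATTACKER, Z],       # whose traffic to the victim we follow
}
LEGIT_PREFIX, HIJACK_PREFIX = "10.0.0.0/16", "10.0.0.0/24"
TARGET_IP = "10.0.0.5"


def propagate(topology, announcements):
    """Simplified path-vector propagation. Each AS keeps one route per prefix,
    preferring the shortest AS_PATH, and rejects any announcement whose
    AS_PATH already contains its own ASN (BGP loop detection). AS_PATH is
    listed left-to-right from the announcing AS to the origin.
    Returns rib[asn][prefix] = (as_path, next_hop_asn); a next hop of None
    means the prefix is originated locally."""
    rib = {asn: {} for asn in topology}
    queue = deque()
    for origin, prefix, as_path in announcements:
        rib[origin][prefix] = (as_path, None)
        for nbr in topology[origin]:
            queue.append((nbr, origin, prefix, as_path))
    while queue:
        asn, sender, prefix, as_path = queue.popleft()
        if asn in as_path:
            continue                      # loop detected: announcement rejected
        current = rib[asn].get(prefix)
        if current is not None and len(current[0]) <= len(as_path):
            continue                      # existing route is no worse: keep it
        rib[asn][prefix] = (as_path, sender)
        for nbr in topology[asn]:
            if nbr != sender:
                queue.append((nbr, asn, prefix, [asn] + as_path))
    return rib


def lookup(rib, asn, dst_ip):
    """Longest-prefix match in one AS's table: returns (prefix, next_hop)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(p), nh) for p, (_, nh) in rib[asn].items()
                  if ip in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, nh = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), nh


def trace(rib, src, dst_ip, overrides=None):
    """Forward hop by hop. `overrides` maps an ASN to a fixed next hop used
    instead of its table (the attacker's static route back toward the victim).
    Returns (hops, outcome) with outcome in delivered/blackholed/loop/dropped."""
    overrides = overrides or {}
    hops = [src]
    while True:
        here = hops[-1]
        if here in overrides:
            nxt = overrides[here]
        else:
            match = lookup(rib, here, dst_ip)
            if match is None:
                return hops, "dropped"
            nxt = match[1]
            if nxt is None:               # prefix originated here: end of path
                return hops, "delivered" if here == VICTIM else "blackholed"
        if nxt in hops:
            return hops + [nxt], "loop"
        hops.append(nxt)


def run(forged_path=None):
    """Return (hops, outcome, poisoned) for CLIENT -> TARGET_IP. `forged_path`
    is the AS_PATH the attacker attaches to its /24; None means no attack.
    `poisoned` lists the ASes (other than the attacker) that accepted the /24."""
    announcements = [(VICTIM, LEGIT_PREFIX, [VICTIM])]
    overrides = {}
    if forged_path is not None:
        announcements.append((ATTACKER, HIJACK_PREFIX, forged_path))
        overrides[ATTACKER] = Y           # attacker hands intercepted traffic toward the victim via Y
    rib = propagate(TOPOLOGY, announcements)
    hops, outcome = trace(rib, CLIENT, TARGET_IP, overrides)
    poisoned = sorted(a for a in rib if HIJACK_PREFIX in rib[a] and a != ATTACKER)
    return hops, outcome, poisoned


if __name__ == "__main__":
    print("no attack:        ", run())
    print("naive hijack:     ", run([ATTACKER, VICTIM]))
    print("prepended hijack: ", run([ATTACKER, Y, X, VICTIM]))
```

Running it prints three (hops, outcome, poisoned) tuples. In the naive case every AS between the attacker and the victim accepts the /24, so the attacker’s own forwarding toward the victim loops straight back to it; with Y and X prepended to the forged path, only the client and its upstream are poisoned and the intercepted traffic is delivered. The simulation omits routing policy, MEDs and prefix filtering; an upstream that filters a customer’s announcements by prefix and origin AS would stop the hijack at the attacker’s first hop.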

Response to “Assessing the Security Benefits of Cloud Computing”

August 27th, 2008 | by Jian Zhen | 2 Comments

Craig Balding from Cloud Security wrote an interesting piece on the security benefits of cloud computing back in July (which I only just got around to reading). Craig qualified the post as being about the potential security benefits of cloud computing.

After reading through it, I felt compelled to respond, even though it’s been over a month since the post went up. Craig mentioned he wouldn’t talk about the “flip” side of these benefits in his post, so I figure I will do that. :) I have only quoted the headers from Craig’s article, so please refer to the original article for all the details.

Overall, Craig has made a good list of potential benefits. However, we really need to distinguish the benefits of virtualization from those of cloud computing. Many of the benefits listed here are really benefits of virtualization and not of cloud computing. When I read the title, I was hoping to read about how the cloud could be more secure than enterprise environments. I think this list is a mix of that and of how enterprises could use the cloud for some security use cases. That’s fine, but mixing them together can be misleading.

1. Centralised Data

  • Reduced Data Leakage

    As Craig said, “this is the benefit I hear most from Cloud providers”. Unfortunately I have to disagree with Craig here. In my view, the cloud providers are dead wrong about this one. Many of the cloud providers talk about stolen laptops or backup tapes as the biggest threat of data leakage, and they are right about that. However, having enterprise data stored in the cloud doesn’t reduce these risks one bit. Travelers will continue to copy data to their laptops because they need to access it while on the road. Old habits die hard. Enterprises will continue to back up data to tapes because they can’t simply rely on cloud providers to back up their data. These things will still happen no matter where the data is stored.

    In fact, there will likely be an increased chance of data leakage by using cloud computing, because now the cloud providers will have to somehow back up their data too (maybe on tape!!)

  • Monitoring benefits

    Most enterprises, probably including the one Craig works for, have centralized file servers, content management systems, etc. However, we continue to see problems with data leakage. Having data stored in clouds is not all that different from storing it on centralized corporate file servers. Centralized storage and monitoring is not an advantage of clouds; enterprises have had centralized storage/archiving solutions for years.

    In my opinion, cloud storage makes it even tougher to monitor data leakage. Think about the tools available to monitor enterprise file servers. Many of them monitor all types of access: read, write, via CIFS/NFS/etc., via the local system. How do you do all of that in the cloud? Take S3: the only thing S3 provides you is HTTP access logs. You have no way of knowing who else viewed your files if it was done locally on the provider’s side, for example.
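To show what that HTTP-level visibility does and does not give you, here is an added example that is not from the original post or from Craig’s article. It parses S3 server access log lines in the documented field layout (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, status, error code, bytes sent, object size, total time, turnaround time, referrer, user agent) and answers two questions: who read a given key, and which successful reads came from an anonymous or unknown requester or from outside an expected source network. The log lines, canonical user IDs, bucket name, request IDs and network ranges are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Field layout of an S3 server access log line. Trailing fields that later
# versions of the format append are ignored because match() only anchors
# the start of the line.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Constructed sample log lines (not real data): the bucket owner uploads a
# file and reads it back, an anonymous client on the public Internet reads
# it and is then denied on a second key, and a known partner account reads it.
LOG_SAMPLE = """\
ownerid01 corp-archive [03/Sep/2008:14:02:11 +0000] 10.1.2.3 ownerid01 A1B2C3D4E5F6G7H8 REST.PUT.OBJECT q3/board-minutes.pdf "PUT /corp-archive/q3/board-minutes.pdf HTTP/1.1" 200 - - 248320 91 40 "-" "s3cmd/0.9" -
ownerid01 corp-archive [03/Sep/2008:14:05:47 +0000] 10.1.2.9 ownerid01 B2C3D4E5F6G7H8I9 REST.GET.OBJECT q3/board-minutes.pdf "GET /corp-archive/q3/board-minutes.pdf HTTP/1.1" 200 - 248320 248320 88 12 "-" "s3cmd/0.9" -
ownerid01 corp-archive [03/Sep/2008:16:31:05 +0000] 198.51.100.77 - C3D4E5F6G7H8I9J0 REST.GET.OBJECT q3/board-minutes.pdf "GET /corp-archive/q3/board-minutes.pdf HTTP/1.1" 200 - 248320 248320 130 15 "-" "Mozilla/5.0" -
ownerid01 corp-archive [03/Sep/2008:16:31:20 +0000] 198.51.100.77 - D4E5F6G7H8I9J0K1 REST.GET.OBJECT q3/salary-review.xls "GET /corp-archive/q3/salary-review.xls HTTP/1.1" 403 AccessDenied - 61440 9 3 "-" "Mozilla/5.0" -
ownerid01 corp-archive [04/Sep/2008:09:12:33 +0000] 203.0.113.5 partnerid7 E5F6G7H8I9J0K1L2 REST.GET.OBJECT q3/board-minutes.pdf "GET /corp-archive/q3/board-minutes.pdf HTTP/1.1" 200 - 248320 248320 101 14 "-" "aws-sdk-java/1.0" -
"""

# Assumed allowlists: canonical user IDs we expect to see, and the source
# networks they normally come from (corporate egress and one partner).
KNOWN_REQUESTERS = {"ownerid01", "partnerid7"}
TRUSTED_NETWORKS = ["10.1.0.0/16", "203.0.113.0/24"]


def parse_line(line):
    """Return one log record as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(lines):
    return [r for r in (parse_line(line) for line in lines) if r]


def successful_reads(records):
    """Object GETs that returned a 2xx status (the only ones that leaked bytes)."""
    return [r for r in records
            if r["operation"] == "REST.GET.OBJECT" and r["status"].startswith("2")]


def readers_by_key(lines):
    """Answer 'who has read this object?' from the log alone."""
    readers = defaultdict(set)
    for r in successful_reads(parse_log(lines)):
        readers[r["key"]].add(r["requester"])
    return {k: sorted(v) for k, v in readers.items()}


def denied_by_ip(lines):
    """Count non-2xx object GETs per source IP: failed probes are worth seeing too."""
    return Counter(r["ip"] for r in parse_log(lines)
                   if r["operation"] == "REST.GET.OBJECT" and not r["status"].startswith("2"))


def audit(lines, known_requesters, trusted_networks):
    """Flag successful reads by an anonymous or unknown requester or from an
    untrusted source network. A successful anonymous read also tells you the
    object's ACL allows public access."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for r in successful_reads(parse_log(lines)):
        reasons = []
        if r["requester"] == "-":
            reasons.append("anonymous read succeeded: object is world-readable")
        elif r["requester"] not in known_requesters:
            reasons.append("unknown requester " + r["requester"])
        if not any(ipaddress.ip_address(r["ip"]) in n for n in nets):
            reasons.append("source " + r["ip"] + " outside trusted networks")
        if reasons:
            findings.append({"time": r["time"].isoformat(), "key": r["key"],
                             "requester": r["requester"], "ip": r["ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    lines = LOG_SAMPLE.splitlines()
    print(readers_by_key(lines))
    print(denied_by_ip(lines))
    for f in audit(lines, KNOWN_REQUESTERS, TRUSTED_NETWORKS):
        print(f)
```

On the sample, the one finding is the anonymous GET from 198.51.100.77 that succeeded, which is exactly the signal only the provider’s log can give you: the object was readable without credentials. What the log cannot show is the gap the paragraph above points at: any access that does not pass through the S3 HTTP front end leaves no line here at all.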

2. Incident Response / Forensics

  • Forensic readiness

    To a certain extent this benefit is real. However, it’s not a cloud-only benefit. You get the same benefit by simply virtualizing your own infrastructure. VMware allows you to easily clone an image so that you can perform whatever analysis is needed on the clone instead of the original virtual machine. Same with Xen.

    However, think about the cases where forensics requires a physical hard disk scan because the attacker has “rm”-ed the “bad stuff” such as audit trails or a rootkit. You now have NO WAY of getting at that in a virtualized environment. Granted, this is probably an issue with any network/SAN attached storage.

  • Decrease evidence acquisition time

    Same as above, it’s not a cloud-exclusive benefit. It’s simply a benefit of virtualization. The only real benefit of the cloud, as mentioned by Craig, is not having to “find” storage. Though I would say that’s the least of your worries if there’s a real attack that happened.

  • Eliminate or reduce service downtime

    First, if the server/VM is truly “0wn3d”, I am not sure you want to keep that system up and running. You may want to bring a good copy of the VM up and run that instead. (or just go back to a previous good snapshot.)

    Second, with the cloud, you don’t even have a CHOICE of using a physical acquisition toolkit. So I am not so sure that’s a benefit. :)

  • Decrease evidence transfer time

    Again, not a real benefit of the cloud. First, bit-by-bit copies of a VM in the cloud still take time, just as they would in the physical world. Second, this benefit can also be realized with an internal VM infrastructure; it is not cloud-exclusive.

  • Eliminate forensic image verification time

    Ok, so this is a minor benefit, but not a security benefit of the cloud. It’s more about the performance and scalability of the cloud.

  • Decrease time to access protected documents

    Both this and the next benefit are really about the elasticity and scalability of the clouds and not security.

3. Password assurance testing (aka cracking)

  • Decrease password cracking time

    Same as above, this is about the benefits of elasticity and scalability, not security.

  • Keep cracking activities to dedicated machines

    Same as above, this is about the benefits of elasticity and scalability, not security.

4. Logging

  • ‘Unlimited’, pay per drink storage
  • Improve log indexing and search
  • Getting compliant with Extended logging

Ok, this is about the utility and scalability of the cloud. Not a cloud security benefit. It’s about using the cloud for security tasks.

5. Improve the state of security software (performance)

  • Drive vendors to create more efficient security software

    I believe this is true for even software on dedicated machines. Not cloud-exclusive.

6. Secure builds

  • Pre-hardened, change control builds

    This I agree with. Having pre-built images that are secure from the start is a HUGE benefit. Though it’s a benefit of virtualization and virtual machines, not cloud-exclusive.

  • Reduce exposure through patching offline

    I don’t understand this one. Once the VM is running in production, I can imagine taking that down to do patching. You would have to manage the patching process like any other machine, no?

    Image templates, on the other hand, can be updated with patches so that new machines start out pre-patched.

  • Easier to test impact of security changes

    Again I agree. However, it’s still the benefit of virtualization, not necessarily cloud-exclusive.

7. Security Testing

  • Reduce cost of testing security:

    Agreed. It’s a side benefit of economies of scale.

Challenges of Enterprise Cloud Computing

August 23rd, 2008 | by Jian Zhen | 1 Comment

Today, enterprise use of cloud computing is still in its infancy (heck, the whole cloud computing space is in its infancy). Most enterprises use cloud computing for testing, development and other peripheral tasks; few, if any, are using the cloud for production. This is fairly similar to the virtualization space, where early use of the technology was for testing and development. Ten years later, we are seeing more and more enterprises adopt virtualization for production use, and virtualization has become mainstream.

In the past month or so I have talked to a lot of people in the cloud computing and virtualization space. Many of these folks are working at/on startups that solve one of the many challenges of enterprise cloud computing. What are these challenges? I have tried to summarize them here (in no particular order).

Data Governance

I’ve written extensively about the need for data governance in previous posts. In essence, enterprises have a ton of sensitive data that requires access monitoring and protection. Data (and the information generated from it) is the lifeblood of many enterprises, and loss of control over it will not be acceptable. Whole markets (read: DLP) have been created to protect enterprise data and information. On top of all that, enterprises must comply with many regulations that require data governance. By moving data into the cloud, enterprises, for now, lose some of their capability to govern their own data set. They have to rely on the service providers to guarantee the safety of their data.

I hate to invoke the ILM acronym but much of data governance is about

  • Creation and Receipt
  • Distribution
  • Use
  • Maintenance
  • Disposition

So who’s tackling this problem? As far as I know, nobody is, and nobody really can except for the service providers themselves. It is really up to service providers such as Amazon, Google and Salesforce to provide guarantees that customer data is safe and that access to it is restricted and protected.

Manageability

There are some great IaaS/PaaS offerings out there, including Amazon’s web services (S3, EC2, EBS, etc.), Google’s App Engine, Salesforce’s Force.com, Joyent, etc. However, most of these are raw infrastructures and platforms that do not have great management capabilities. This is not unusual. Throughout computing history, raw capabilities have generally appeared on the market first, and management of those raw capabilities becomes the differentiator once competition heats up. Just look at the blade server and virtualization spaces; these are great examples of that trend. The hypervisor was the key technology that enabled enterprise virtualization; however, that piece is now being given away (see VMware’s ESXi) and management capabilities have become the main differentiator.

Cloud computing is no different. An example of missing management capabilities for cloud infrastructures is auto-scaling. Amazon EC2 claims to be elastic; however, it really means that it has the potential to be elastic. Amazon EC2 will not automatically scale your application as your server becomes heavily loaded. It is still up to the developer to manage that scalability problem.

So who’s tackling this problem? Many startups have recognized the need for management early on and have built management capabilities on top of the existing cloud infrastructure/platforms. RightScale is one of the early pioneers in this space. Their solution solves many of the management issues such as auto-scaling and load balancing.

Monitoring

Monitoring, whether it is for performance or availability, is critical to any IT shop. We are not talking about just how much CPU or memory the machines are using. We are talking about performance of transactions, disk IO and others. CPU and memory usage are misleading most of the time in virtual environments. The only real measurement is how long your transactions take and how much latency there is. According to High Availability’s article on latency:

Amazon found every 100ms of latency cost them 1% in sales. Google found an extra .5 seconds in search page generation time dropped traffic by 20%. A broker could lose $4 million in revenues per millisecond if their electronic trading platform is 5 milliseconds behind the competition.

So who’s tackling this problem? Hyperic’s CloudStatus is one of the first to recognize this issue and develop a solution for it. They started with monitoring of Amazon’s web services, then recently added monitoring for Google App Engine. In addition, RightScale’s solution can also provide monitoring for the virtual machines under its management.

Reliability and Availability

I won’t beat the dead “Gmail down, EC2 down, etc. down” horse here. But the truth of the matter is that enterprises today cannot reasonably rely on the cloud infrastructures/platforms to run their business. There are almost no SLAs provided by the cloud providers today. Even Jeff Barr from Amazon said that AWS only provides an SLA for their S3 service. I haven’t researched the SLA issue so I am not sure how true that is. But if it’s true, I think this will be one of the biggest factors, if not the biggest factor, in enterprise adoption. Can you imagine enterprises signing cloud computing contracts without clearly defined SLAs? It’s like hosting their business-critical infrastructure in a data center that doesn’t have a clearly defined SLA.

We all know that SLAs really don’t buy you much. In most cases, enterprises get refunded for the amount of time that the network was down. No SLA will cover business loss. However, as one of the CSOs I met said, it’s about risk transfer. As long as there’s a defined SLA on paper, when the network/site goes down, they can go after somebody. If there’s no SLA, it will be the CIO/CSO’s head that’s on the chopping block.

So who’s tackling this problem? Well, again, no one is today as far as I know. Maybe some startup will come up with clever idea to provide SLA as a third party vendor (read: cloud insurance.) Or maybe the cloud providers will grow/wake up and actually do something to encourage the enterprise adoption.

Virtualization Security

Security is a huge area that encompasses many different things, including the standard enterprise security policies on access control, activity monitoring, patch management, etc. On top of that, virtualization security is something that most enterprises are just starting to grasp but don’t fully understand. Many IT people still believe that the hypervisor and virtual machines are safe. Recent presentations at Black Hat have demonstrated that we shouldn’t sleep so tight at night. As IT shops get more educated on virtualization security issues, it will become one of the factors they consider when they move into the cloud. Access control and monitoring of the virtual infrastructure will be top of mind.

So who’s tackling this problem? There are quite a few startups like Reflex, Blue Lane and Catbird that are creating privileged virtual appliances (VAs) that claim to protect the virtual machines running on VMware’s ESX servers. However, make sure you do your research on the performance of these solutions before adopting one of them. Other startups (unnamed) are creating interesting solutions for protecting the virtual infrastructure itself, e.g., how do you protect and monitor access to the ESX servers? How do you control and monitor the movement of virtual machines using live migration or VMotion?

Cloud computing is here to stay. It will be the next big wave and will be adopted by enterprises. However, the industry as a whole needs to answer some of these challenges and ease the enterprises’ concerns.

Other interesting reads for Enterprise Cloud Computing are:

Response to “10 Reasons Enterprises Aren’t Ready to Trust the Cloud”

July 1st, 2008 | by Jian Zhen | 5 Comments

Stacey Higginbotham over at GigaOM wrote an interesting piece on 10 Reasons Enterprises Aren’t Ready to Trust the Cloud. Even though I agree that some of these points are valid reasons why enterprises are hesitant about moving into the cloud, I have to wonder whether Stacey meant to be provocative (read: flame bait) with the piece. Also, the piece seems to be quite opinionated and lacks support in many cases. Let’s drill down on it a bit.

1. It’s not secure.

I have written extensively on this blog (here and here) regarding the security concerns of SaaS and cloud computing. However, saying that the cloud is not secure is definitely a stretch. I would like to see some supporting evidence on this. The only major “security breach” I’ve seen is probably the Salesforce case.

In addition, none of the regulations or industry mandates, including HIPAA, GLBA, SOX, PCI, FISMA, etc., says anything about not allowing data to be outside of the corporate firewalls. In fact, many of the enterprises in the affected industries are already outsourcing some of their critical data. For example, financial companies use credit card processing services such as ViewPointe. There are also plenty of hospitals using external services. PCI also has a specific section on hosting providers. Again, no regulation or mandate explicitly states that data cannot leave the corporate firewalls.

What CIOs/CSOs care mostly about is that cloud (application or platform) providers must meet their security requirements, there’s transparency in the security and operational practices, and that they can audit the provider or review the appropriate audit reports from the provider. The issue comes down to trust.

2. It can’t be logged.

Again, this is really about auditability, especially for compliance. This is definitely an area that’s lacking and cloud providers would be wise to do more in this area. Again, I wrote about that here: 4. Access Audit - Who has accessed my data and where’s my access logs?

3. It’s not platform agnostic.

Seriously though, is this really an issue? We are still in the world of multiple OS platforms, including different variants of Linux, Microsoft Windows, Mac OS X, Sun Solaris, IBM AIX, HP UX, etc etc etc. Is platform agnostic really that critical? Just like in the on-premise world, enterprises would be wise to evaluate the cloud platforms they plan to use based on a predefined set of requirements. Also, is supporting multiple cloud platforms really a concern that will prevent enterprise adoption?

4. Reliability is still an issue.

Again, I agree that reliability is a concern. However, that’s a concern regardless of what you decide. You have to worry about reliability if you choose to go with your own data center or the cloud. You have to worry about reliability if you choose to partner with a data center provider to host your gear. You have to worry about reliability if you choose to go into the cloud. Heck, you have to worry about reliability even if you just host your gear in your own IT network.

Stacey said “Even inside an enterprise, data centers or servers go down, but generally the communication around such outages is better and in many cases, fail-over options exist.” I am sorry, but by definition, the cloud platforms usually have these capabilities built-in already. A single server or multiple servers failing is usually not going to affect your cloud applications or platforms.

I believe the real issue is service level agreement. Are the cloud providers providing adequate SLAs and do the CIOs feel comfortable with the SLA that they are getting?

5. Portability isn’t seamless.

No disagreement here. Currently there’s not an enterprise version of the data portability standard. That can turn many enterprises away if they have no way of retrieving/migrating their data if they choose to go with another provider.

6. It’s not environmentally sustainable.

Again, a good issue to raise. However, I would like to see some evidence to show that creating and maintaining your own data center is more efficient than going into the cloud. There will always be excess capacity in order to handle spikes, regardless whether you build your own data center or go into the cloud.

7. Cloud computing still has to exist on physical servers.

No disagreement that data locality is an important consideration when moving into the cloud. I wrote about it in a previous blog. However, that just means enterprises should be aware of this issue and make sure that’s part of their requirement for evaluating the cloud vendors. This however does not mean enterprises won’t adopt because of this concern.

8. The need for speed still reigns at some firms.

The increase in bandwidth to home and offices is one of the main reasons why clouds are hot these days. However, I agree with Stacey that speed is definitely a concern for certain types of applications. At CloudCamp, during Jeff Barr’s AWS feedback session, the first hot topic that came up was how do people move a HUGE amount of data into the cloud and back. People talked about shipping hard drives as a solution to this type of problem.

However, this is not going to be an issue for most enterprises in the US, UK and other countries with adequate bandwidth. Take for example applications such as Salesforce.com CRM, NetSuite, and many others: these applications do not require transferring large amounts of data back and forth, so they are ideal for delivery via the web.

So again, a valid concern, but not a show stopper.

9. Large companies already have an internal cloud.

Again, I would like to hear more evidence from Stacey to back this up. I agree that most enterprises already have IT infrastructure in place, but most of these infrastructures are not considered clouds. What I hear in my conversations with enterprises, including the discussion at CloudCamp, is that enterprise IT groups are stretched thin and can’t respond fast enough to business requirements. When the business requires certain applications to do its job, IT has to go provision hardware, software, space, etc., and that process can take months. Going with the cloud allows them to react quickly to business requirements and makes it a win-win situation.

Even if enterprises have their own internal clouds, does that mean they shouldn’t consider external clouds? Enterprises should, and will, always weigh the costs/benefits to determine what’s the right solution for them.

10. Bureaucracy will cause the transition to take longer than building replacement housing in New Orleans.

Agreed. In big companies that’s always going to be the case. No one is suggesting that all enterprises will move into the cloud overnight. Many enterprises are just starting to experiment with the cloud to see what can and cannot be done. This is healthy and it’s the right approach. A good example is the New York Times using Amazon EC2 to convert millions of articles and TIFF images into PDF files.

Again, enterprises are adopting the cloud, just cautiously.

CIO.com: The Truth About Software as a Service (SaaS)

June 29th, 2008 | by Jian Zhen | No Comments

CIO.com has an interesting article on The Truth About Software as a Service (SaaS). It highlighted the fact that most CIOs are still quite cautious when it comes to adopting SaaS.

Here’s when SaaS doesn’t make sense:

  • If the application is a competitive differentiator, because everyone will get the same application;
  • If heavy customization is required;
  • If high availability is required; (this mainly reflects the fact that SaaS providers don’t currently guarantee any SLAs, not that SaaS providers don’t know how to keep their systems up. Surprisingly, as the article states, 85% of SaaS apps have no SLAs.)
  • If many points of complex integrations are required.

Other areas of concerns include Service level agreement and Security.

However, there are definitely advantages to SaaS, including:

  • Faster deployment time
  • Lack of up-front licensing and infrastructure cost
  • Ability to address vanilla business processes
  • Easier access to current technology
  • Fewer bugs
  • Potentially lower costs for the enterprise

The article also showed a chart on SaaS adoption by application and vertical market.

Read related articles on why management costs need to be part of SaaS ROI calculations and three approaches for on-demand computing.

CloudCamp: Cloud Definition, SLAs, Security and Others

June 25th, 2008 | by Jian Zhen | No Comments

Reuven Cohen, Dave Nielsen, Sam Charrington and a group of awesome volunteers organized a very successful CloudCamp event last night. This was organized in 3.5 weeks, which is an amazing feat. The event probably attracted 200-300 people. You can see some of the pictures of the event on flickr. The format was an unconference. There were 20+ sessions proposed and they were all very interesting. The topics range from cloud computing definition to transactions processing.

Here are some of the topics that I gathered based on the sessions I attended and people I’ve talked to.

The definition is very cloudy!

There’s no agreement on the definition of Cloud Computing. Reuven Cohen held a very popular session on “What is Cloud Computing?” There were at least 40 people in a room that was supposed to hold only 20. There was a wide variety of definitions, going from Reuven’s very open definition (internet-centric software) to another person’s very restrictive definition (cloud computing must use web services, XML, SOAP, etc.).

There were also discussions (and disagreements) on whether Google App Engine is considered a cloud or not. Interestingly enough, some of the people there didn’t consider GAE a cloud. In one of the sessions, someone put an even more restrictive constraint on cloud computing. He said that a cloud MUST run any existing application without modification. So by his definition, GAE would not be a cloud. I am definitely in the camp that says GAE is a cloud.

Some interesting questions were asked as well, such as the question from a Microsoft guy: “Does the operating system still matter if the application is running in the cloud?” My answer to that was that it depends on the type of application. If it’s a web-centric application that has a web front end, uses a database for storage, and doesn’t use any low-level file IO, then there’s really no need to know what the OS is. In that case, the OS doesn’t matter.

The term that’s used most to describe cloud computing is elasticity: the ability to quickly provision and de-provision computing resources on demand. Almost everyone I’ve talked to or listened to agrees to that. Some of the enterprise attendees also noted this as one of the biggest benefits of the cloud. When business units come to IT with new application requirements, IT now has a way to quickly spin up resources without having to wait weeks or months to procure equipment. The other thing that everyone agrees on is the utility model: the ability to pay for what you use.

Service level agreements

This topic was heavily discussed in the “No Cure for Cancer: Manage the Expectations of Cloud Computing” session. To summarize, there are almost no SLAs provided by the cloud providers today. Even Jeff Barr from Amazon said that AWS only provides an SLA for their S3 service. I haven’t researched the SLA issue so I am not sure how true that is. But if it’s true, I think this will be one of the biggest factors, if not the biggest factor, in enterprise adoption. Can you imagine enterprises signing cloud computing contracts without clearly defined SLAs? It’s like hosting their business-critical infrastructure in a data center that doesn’t have a clearly defined SLA.

We all know that SLAs really don’t buy you much. In most cases, enterprises get refunded for the amount of time that the network was down. No SLA will cover business loss. However, as one of the CSOs I met said, it’s about risk transfer. As long as there’s a defined SLA on paper, when the network/site goes down, they can go after somebody. If there’s no SLA, it will be the CIO/CSO’s head that’s on the chopping block.

Security

Another topic that was discussed in Sam Charrington’s “How Cloud Impacts Enterprise Computing” session is security in the cloud. When Sam asked the group what factors prevent enterprises from adopting the cloud, Ben Charian from ServiceCloud emphatically said “security.” He argued that clouds must be certified or audited against standards or frameworks such as PCI. I’ve written about cloud security requirements here and here so I won’t elaborate on this topic. Needless to say, I am in total agreement with Ben. What I didn’t agree with Ben on is the need to rewrite these frameworks or standards specifically for the cloud. I believe many of the controls, such as identity management and segregation of duties, are the same in the cloud or out of it.

Other observations and interesting tidbits

  • As enterprises use more cloud resources, there will be a point where it may make sense to bring things back in house rather than continuing to use the cloud.
  • The cloud computing discussions focused mainly on infrastructure/platform-in-the-cloud. Applications-in-the-cloud, or SaaS, was hardly discussed. I get the feeling that most of the attendees don’t consider SaaS to be cloud computing; rather, it’s applications running on top of (or in) the clouds.
  • Cloud computing spending is opex instead of capex, allowing business units to make their own decisions.
  • Make sure you partner with someone you trust who will work with you on deploying to the cloud.

Cloud-computing thread: Issues of data in the cloud

June 19th, 2008 | by Jian Zhen | No Comments

Another very interesting and popular discussion thread in the cloud-computing Google group on the Issues of data in the cloud.

There are really two main topics in the discussion:

  • Security and privacy issues around data in the cloud, on which I have some detailed write-ups here and here
  • Moving the data into the cloud or moving the programs to the data

Tough Security Questions for SaaS Providers - Part 2

June 18th, 2008 | by Jian Zhen | 4 Comments | Tags: , , |

This is part 2 of the tough security questions for SaaS providers. In part 1 of the series, we asked the following questions:

1. Data Locality - Where’s my data?
2. Data Segregation - How is my data segregated with other customers, potentially my competitors?
3. Data Access - Who can access my data in your company?
4. Access Audit - Who has accessed my data and where’s my access logs?

We are continuing this discussion with the following questions in part 2.

5. How are the users authenticated and authorized?
6. Web Application Security - How secure is the SaaS provider’s web application?
7. Data Breaches - How do you protect my data from insider breaches?
8. PCI DSS - Are you compliant with PCI DSS?

5. How are the users authenticated and authorized?

Companies have spent hundreds of man-years and millions of dollars trying to set up single-sign-on systems inside the corporate firewall. Most companies, if not all, store their employee information in some type of LDAP server. In the case of SMB companies, the segment with the highest SaaS adoption rate, Active Directory seems to be the most popular tool for managing users. In many cases, companies have designed their IT infrastructure so that all authentication, including VPN, web proxy, file server, and others, goes through this single infrastructure. The process of employee onboarding and termination is much easier this way.

Just as companies start to have some success, the advent of the SaaS model changes the scenario again. With SaaS, the software is hosted outside of the corporate firewall. Many times user credentials are stored in the SaaS providers’ databases and are not part of the corporate IT infrastructure. This means SaaS customers must remember to remove/disable accounts as employees leave the company and create/enable accounts as new employees come on board. In essence, having multiple SaaS products will increase IT management overhead.

SaaS customers will start asking questions on identity and access integration, and providers would be wise to design such features in early on. For example, SaaS providers can delegate the authentication process to the customer’s internal LDAP/AD server so that companies retain control over the management of users.
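Until a provider delegates authentication to the customer’s directory, the customer is left reconciling the SaaS user list against its own LDAP/AD export by hand. The script below is an added illustration of that reconciliation check (it is not code from any SaaS product or from this post); the directory export, the SaaS user list and the addresses in them are constructed sample data, and the field names (`active`, `last_login`) are assumptions about what a provider’s admin export would contain.

```python
"""Reconcile a SaaS application's local accounts against the corporate directory.

Added illustration. DIRECTORY stands in for an LDAP/AD export keyed by
userPrincipalName; SAAS_USERS stands in for the provider's user list. Both are
constructed sample data, not from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed directory export: address -> account enabled?
DIRECTORY: Dict[str, bool] = {
    "alice@example.com": True,
    "bob@example.com": False,      # disabled by HR on termination
    "carol@example.com": True,     # new hire, not yet provisioned in the SaaS app
}

# Constructed SaaS user list (assumed export format: email, active flag, last login)
SAAS_USERS: List[Dict] = [
    {"email": "alice@example.com", "active": True,  "last_login": date(2008, 6, 10)},
    {"email": "bob@example.com",   "active": True,  "last_login": date(2008, 5, 1)},
    {"email": "dave@example.com",  "active": True,  "last_login": date(2008, 6, 12)},  # unknown to the directory
    {"email": "carol@example.com", "active": False, "last_login": None},
]


@dataclass(frozen=True)
class Finding:
    email: str
    action: str    # "disable", "provision" or "review"
    reason: str


def reconcile(directory: Dict[str, bool], saas_users: List[Dict], today: date,
              stale_days: int = 90) -> List[Finding]:
    """Return the account changes needed to make the SaaS app match the directory.

    Orphaned and terminated accounts are flagged for disabling, active employees
    without SaaS access are flagged for provisioning, and active accounts with no
    recent login are flagged for review.
    """
    findings: List[Finding] = []
    for u in saas_users:
        email = u["email"].lower()
        enabled: Optional[bool] = directory.get(email)   # None: no directory account at all
        last_login: Optional[date] = u.get("last_login")
        if u["active"] and enabled is None:
            findings.append(Finding(email, "disable", "no matching directory account (orphan)"))
        elif u["active"] and enabled is False:
            findings.append(Finding(email, "disable", "directory account is disabled"))
        elif not u["active"] and enabled:
            findings.append(Finding(email, "provision", "active employee without SaaS access"))
        elif u["active"] and last_login and (today - last_login).days > stale_days:
            findings.append(Finding(email, "review", f"no login in {stale_days} days"))
    return findings


if __name__ == "__main__":
    for f in reconcile(DIRECTORY, SAAS_USERS, date(2008, 6, 18)):
        print(f"{f.action:9s} {f.email:22s} {f.reason}")
```

The directory is treated as the source of truth: any active SaaS account that the directory does not know about, or knows as disabled, is a deprovisioning miss. Running this on a schedule (or on every HR termination event) is the manual stand-in for the delegated authentication the paragraph recommends.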

6. Web Application Security - How secure is the SaaS provider’s web application?

One of the “must-have” requirements for a SaaS application is that it has to be used and managed over the web (in a browser). This creates an interesting scenario. In the on-premises scenario, when a vulnerability is found, at least you have your firewall protecting the application, so you may get a bit more time to patch it (assuming the application vendor provides the patch in a timely fashion). However, in the SaaS world, there is no such luxury. Any vulnerability identified can potentially have a detrimental impact on all of the customers. Even leading security companies aren’t immune to security holes in their web applications.

Web application security is quite a hot topic these days and it’s discussed by many security researchers such as rmogull and RSnake. Here’s an interesting article on “What web application security really is”.

Verizon Business recently released their Verizon Business 2008 Data Breach Investigations Report. Of all the breaches, 59% involved hacking, with the following breakdown:

  • Application/Service layer - 39%
  • OS/Platform layer - 23%
  • Exploit known vulnerability - 18%
  • Exploit unknown vulnerability - 5%
  • Use of back door - 15%

Attacks targeting applications, software, and services were by far the most common technique, representing 39 percent of all hacking activity leading to data compromise. This follows a trend in recent years of attacks moving up the stack. Far from passé, operating system, platform, and server-level attacks accounted for a sizable portion of breaches. Eighteen percent of hacks exploited a specific known vulnerability while 5 percent exploited unknown vulnerabilities for which a patch was not available at the time of the attack. Evidence of re-entry via backdoors, which enable prolonged access to and control of compromised systems, was found in 15 percent of hacking-related breaches. The attractiveness of this to criminals desiring large quantities of information is obvious.

Currently there’s really no mandate or requirement for SaaS providers to provide detailed security analysis of the SaaS application. However, it would be wise for the SaaS providers to start considering something similar to what PCI DSS has required of the merchants:

  1. 6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
    1. 6.5.1 Unvalidated input
    2. 6.5.2 Broken access control (for example, malicious use of user IDs)
    3. 6.5.3 Broken authentication and session management (use of account credentials and session cookies)
    4. 6.5.4 Cross-site scripting (XSS) attacks
    5. 6.5.5 Buffer overflows
    6. 6.5.6 Injection flaws (for example, structured query language (SQL) injection)
    7. 6.5.7 Improper error handling
    8. 6.5.8 Insecure storage
    9. 6.5.9 Denial of service
    10. 6.5.10 Insecure configuration management
  2. 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
    • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
    • Installing an application layer firewall in front of web-facing applications.
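Three of the 6.5 items (6.5.1 unvalidated input, 6.5.4 cross-site scripting and 6.5.6 injection flaws) are the ones a code review of a multi-tenant SaaS application most often turns up, so here is an added illustration of each as the vulnerable pattern beside its hardened form. It is not code from the PCI DSS, from OWASP or from any SaaS product; the `users` table, the tenant names and the hostile display name are constructed sample data, and SQLite stands in for whatever database the application uses.

```python
"""Vulnerable and hardened forms of PCI DSS 6.5.1, 6.5.4 and 6.5.6.

Added illustration with an in-memory SQLite table of constructed sample data.
"""
import html
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed multi-tenant user table; one display name contains markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (tenant TEXT, username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("acme", "alice", "Alice A."),
        ("acme", "bob", "Bob B."),
        ("globex", "carol", "Carol <script>alert(1)</script>"),
    ])
    return conn


# --- 6.5.6 Injection flaws -------------------------------------------------
def lookup_vulnerable(conn: sqlite3.Connection, tenant: str, username: str) -> List[str]:
    """String concatenation: the caller's input becomes part of the query text,
    so a crafted username can change the WHERE clause and cross the tenant boundary."""
    sql = f"SELECT username FROM users WHERE tenant = '{tenant}' AND username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, tenant: str, username: str) -> List[str]:
    """Bound parameters: the database engine treats the values strictly as data."""
    sql = "SELECT username FROM users WHERE tenant = ? AND username = ?"
    return [row[0] for row in conn.execute(sql, (tenant, username))]


# --- 6.5.1 Unvalidated input -----------------------------------------------
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")


def validate_username(value: object) -> str:
    """Allow-list validation: accept only the expected alphabet and length,
    reject everything else before it reaches the query or the page."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


# --- 6.5.4 Cross-site scripting --------------------------------------------
def render_greeting_vulnerable(display_name: str) -> str:
    """Stored data is interpolated straight into HTML, so markup in it is executed."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    """Escape at the point of output; the stored value is shown, never interpreted."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "acme", "alice"))            # ['alice']
    print(render_greeting_safe("Carol <script>alert(1)</script>"))
```

Validation and parameterisation are complementary, not alternatives: the allow-list rejects malformed input early and gives a clean error (6.5.7), while the bound parameters protect the query even for fields whose legitimate values cannot be so tightly constrained. Output escaping belongs at render time because the hostile value may have entered through an entirely different path (an import, an API, another tenant).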

Additional sources of information, provided as a starting point for more on web application security, include:

  • OWASP Top Ten
  • OWASP Countermeasures Reference
  • OWASP Application Security FAQ
  • Build Security In (Dept. of Homeland Security, National Cyber Security Division)
  • Web Application Vulnerability Scanners (National Institute of Standards and Technology)
  • Web Application Firewall Evaluation Criteria (Web Application Security Consortium)

Trey Ford of Security Spin Control has a fairly good explanation of the recently released PCI information supplement on requirement 6.6.

SC Magazine also has an article on Deconstructing PCI 6.6 for the management folks.

7. Data Breaches - How do you protect my data from insider breaches?

In the Verizon Business breach report blog, Verizon Business stated that

While criminals more often came from external sources, and insider attacks result in the greatest losses, criminals at, or via partner connections actually represent the greatest risk. This is due to our risk equation: Threat X Impact = Risk

  • External criminals pose the greatest threat (73%), but achieve the least impact (30,000 compromised records), resulting in a Pseudo Risk Score of 21,900
  • Insiders pose the least threat (18%), and achieve the greatest impact (375,000 compromised records), resulting in a Pseudo Risk Score of 67,500
  • Partners are middle in both (39% and 187,500), resulting in a Pseudo Risk Score of 73,125

Many SaaS advocates claim that SaaS providers can do a better job at protecting the customers’ data. Unfortunately, just because the data is now in the cloud, it does not reduce the risk of insider breaches. Insiders still have access to the data; they are just accessing it a different way. Even with the data in the cloud, the responsibility for segregation of duties and access authorization still falls on the customers, not the SaaS or cloud computing providers. So yes, it may reduce the chance of insiders getting direct access to, say, a database, but it does not in any way reduce the risk of insider breaches. In fact, it may even increase the possibility, as you now have to take into consideration the cloud or SaaS providers’ employees. They have access to a lot more information, and a single incident could expose information from many customers.

SaaS providers should be prepared to answer questions on what tools and processes are utilized to ensure segregation of duties and protect from insider breaches. Remember, in the case of the multi-billion dollar insider incident at Société Générale, IT management had implemented all of the controls recommended by auditors, but nobody was monitoring them. So it’s extremely critical to be able to show the processes around these security controls.

8. PCI DSS - Are you compliant with PCI DSS?

PCI DSS has a specific section for hosting providers (including SaaS providers):

Requirement A.1: Hosting providers protect cardholder data environment

As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that hosting providers must protect each entity’s hosted environment and data. Therefore, hosting providers must give special consideration to the following:

A.1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, as in A.1.1 through A.1.4:

  1. A.1.1 Ensure that each entity only has access to own cardholder data environment
  2. A.1.2 Restrict each entity’s access and privileges to own cardholder data environment only
  3. A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10
  4. A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not necessarily guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.

Simply put, SaaS providers must be compliant with PCI DSS in order to host merchants that must comply with PCI DSS.
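Questions 7 and 8 come together in code: the provider has to confine each entity to its own environment (A.1.1, A.1.2), keep a per-entity audit trail (A.1.3), hold its own staff to a segregation-of-duties rule, and then actually review what the trail shows, which is the step that was missing at Société Générale. The following is an added illustration of that pattern, not the PCI DSS’s or any real hosting provider’s implementation; the tenants, the staff principal, the change tickets and the records are all constructed sample data, and the “approved ticket from someone other than the requester” rule is an assumed policy.

```python
"""Per-entity isolation, per-entity audit trail and a review of the trail.

Added illustration. Tenants, principals, tickets and records are constructed
sample data; the ticket-approval rule is an assumed segregation-of-duties policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: Optional[str]   # the entity a customer user belongs to; None for provider staff
    role: str               # "user" for customers, "dba"/"support" for provider staff


@dataclass(frozen=True)
class AuditEvent:
    tenant: str             # environment touched; A.1.3 wants the trail unique per entity
    actor: str
    actor_tenant: Optional[str]
    action: str
    allowed: bool
    ticket: Optional[str]


# Constructed change tickets. Staff access is valid only with a ticket for that
# tenant, raised by the person accessing and approved by somebody else.
APPROVED_TICKETS: Dict[str, Dict[str, str]] = {
    "CHG-1001": {"requester": "dba-sam", "approver": "mgr-lee", "tenant": "acme"},
    "CHG-1002": {"requester": "dba-sam", "approver": "dba-sam", "tenant": "globex"},  # self-approved
}


class TenantStore:
    """Holds each entity's hosted data and records every access decision."""

    def __init__(self) -> None:
        self.data: Dict[str, Dict[str, str]] = {           # constructed sample records
            "acme": {"card_token": "tok_acme_1"},
            "globex": {"card_token": "tok_globex_1"},
        }
        self.audit: List[AuditEvent] = []

    def read(self, who: Principal, tenant: str, ticket: Optional[str] = None) -> Dict[str, str]:
        allowed = self._authorize(who, tenant, ticket)
        # Record the decision whether or not it succeeded; denials are the interesting part.
        self.audit.append(AuditEvent(tenant, who.name, who.tenant, "read", allowed, ticket))
        if not allowed:
            raise PermissionError(f"{who.name} may not read {tenant}")
        return self.data[tenant]

    def _authorize(self, who: Principal, tenant: str, ticket: Optional[str]) -> bool:
        if who.tenant is not None:
            return who.tenant == tenant                     # A.1.1/A.1.2: own environment only
        t = APPROVED_TICKETS.get(ticket or "")
        return (t is not None and t["tenant"] == tenant
                and t["requester"] == who.name and t["approver"] != who.name)


def audit_trail(store: TenantStore, tenant: str) -> List[AuditEvent]:
    """A.1.3: the trail handed to an entity contains only events on its own environment."""
    return [e for e in store.audit if e.tenant == tenant]


def review_findings(store: TenantStore) -> List[Tuple[str, AuditEvent]]:
    """The monitoring step: every denial, plus every successful provider-staff access,
    goes to a human reviewer instead of sitting unread in the log."""
    findings: List[Tuple[str, AuditEvent]] = []
    for e in store.audit:
        if not e.allowed:
            findings.append(("denied", e))
        elif e.actor_tenant is None:
            findings.append(("staff-access", e))
    return findings


def run_scenario() -> TenantStore:
    """Constructed sequence of accesses exercising each rule."""
    store = TenantStore()
    alice = Principal("alice", "acme", "user")
    sam = Principal("dba-sam", None, "dba")
    store.read(alice, "acme")                               # allowed: own environment
    for who, tenant, ticket in [(alice, "globex", None),    # cross-tenant read
                                (sam, "acme", None),        # staff without a ticket
                                (sam, "globex", "CHG-1002")]:  # self-approved ticket
        try:
            store.read(who, tenant, ticket)
        except PermissionError:
            pass                                            # denied, and recorded as such
    store.read(sam, "acme", "CHG-1001")                     # allowed: approved by mgr-lee
    return store


if __name__ == "__main__":
    for reason, event in review_findings(run_scenario()):
        print(f"{reason:12s} {event.actor:8s} -> {event.tenant:6s} ticket={event.ticket}")
```

The point of `review_findings` is that the control produces work for a person: a self-approved ticket or a cross-tenant read is not just refused, it shows up on a list someone is accountable for reading. A provider that can show this list, and who reviews it, has an answer to question 7; one that can only show the policy document does not.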

We will continue with our tough security questions in part 3 of this series.

Mike Kavis on Cloud Computing

June 15th, 2008 | by Jian Zhen | 3 Comments | Tags: , , |

Mike Kavis, aka madgreek65, did an interesting 7-minute video blog on the topic of cloud computing in which he explains his view of it and the risks. He then followed up with a blog post on The future is in the Clouds.

In the video blog, Mike tried to explain why customers shouldn’t have to worry about the loss of data control and security. First of all, as Mike said, “these companies invested in billions of dollars in infrastructures and security and have armies of security professionals.” Therefore, these companies will have greater control and better governance and do a much better job at protecting customers’ data than the customers can. Second, since “most security breaches are inside jobs”, cloud computing will “greatly reduce the risk” of such breaches. There will still be some, but the risks are reduced. Third, companies are already putting their data out there, including payroll, accounting, and CRM. Since this is already being done, we just need to “shift the way we think” because “this is the wave of the future” and it’s the “next game changer.”

I have to disagree on all three points. First, not all “cloud computing” companies that have sprung up can and will invest billions of dollars in infrastructure and security. If you just look at Amazon or Google, yes, maybe. However, there are plenty of cloud computing startups that have no such budget, and they have the same problem as every startup when it comes to deciding whether to invest in infrastructure or security (i.e., infrastructure wins, security loses). So a blanket statement like that doesn’t make any sense. Even in the case of Amazon and Google, just because they can have more security professionals, it doesn’t mean customers should just trust them and not worry about security and data privacy.

Second, on the topic of insider breaches, just because the data is now in the cloud, it does not reduce the risk of insider breaches. Insiders still have access to the data; they are just accessing it a different way. Even with the data in the cloud, the responsibility for segregation of duties and access authorization still falls on the customers, not the SaaS or cloud computing providers. So yes, it may reduce the chance of insiders getting direct access to, say, a database, but it does not in any way reduce the risk of insider breaches. In fact, I will argue that it may even increase the possibility, as you now have to take into consideration the cloud or SaaS providers’ employees. They have access to a lot more information, and a single incident could expose information from many customers.

Third, the argument that because companies are doing it already and are already putting their payroll, accounting, and CRM information in the cloud, customers should just shift the way they think also doesn’t sit well with me. Just because others are doing it doesn’t mean it’s the right thing to do. Customers shouldn’t just throw away their security policies and adopt a new way without evaluating the risks.

So am I advocating that companies not adopt cloud computing and SaaS? Absolutely not. What I am advocating is that companies evaluate the potential risks and understand the business impacts before jumping into the “wave of the future.” Don’t just trust the cloud or SaaS providers to take care of security. At the end of the day, it’s the customer, not the provider, that signs off on the SOX report and goes to jail (or is fined) if the audits fail.

I am working on a series on “Tough security questions for SaaS providers”. It should serve as a good set of questions to ask when evaluating cloud or SaaS providers.