OWASP - User contributions [en]

Cloud-10 Infrastructure Security

2010-05-24T13:23:23Z

Ove Hansen: /* R9:Infrastructure Security */

== R9:Infrastructure Security ==

The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications.

 

Security Risks

 

#Default configurations of systems and network devices. A system, application or network device "fresh out of the box" is likely to be running old versions of its software, and not be up-to-date with regards to security updates. Furthermore, standard configurations, passwords, exploits etc. are well known and the details of those circulate freely on the Internet, and will mean these systems are much more likely to become compromised.
#All services, even active, unused ones, may contain security related bugs that potentially can be exploited, and malicious parties are actively scanning the Internet. Running such services even though one isn't actually using it for any purposes, will therefore needlessly increase the likelyhood of an organizations infrastructure becoming the target of an exploit.
#Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
#Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture.
#Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
#All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.

 

 

Countermeasures

 

#
#Hardening of operating systems, applications and configurations. The purpose of this is to reduce the risk of an exploit via a vulnerable system service, application, unused or insecure default accounts etc. There are many approaches to this, and
#Tiering of the solution architecture. A tiered solution architecture will mean that a system directly exposed to for example the Internet is less likely to be used by a perpetrator as a hop-off point deeper into the organization's infrastructure. "Flat" networks where for example an Internet-facing system can talk directly a backend database server should be looked at with scrutiny.
#Isolation of infrastructure components, for example through the use of network ACLs, to reduce the
#Role-based administrative access and restricted administrative privileges. Any organization should try to restrict administrative access to resources to people who "need to know", and to ensure that roles are well defined. For example, if database administrators, system administrators and network administrators have clearly defined and delineated roles, the risk of an incident via an individual maliciously using his privileges, or makes an accidental mistake, will be reduced.
#Regular vulnerability assessments. Every organization should do regular risk assessments of their infrastructure, as well as vulnerability assessments of code they develop. Where customer/client/partner information is involved, the organizations must expect that the other parties have an interest in knowing how their data is protected, and only independent assessments/audits are likely to be accepted as trustworthy.

 

References

#Center for Internet Security (CISecurity) http://www.cisecurity.org/
#SANS Institute - Reading Room: http://www.sans.org/reading_room/

__NOTOC__ <headertabs />

[[Category:OWASP_Cloud_‐_10_Project]]

Cloud-10 Infrastructure Security

2010-05-24T13:03:14Z

Ove Hansen: /* R9:Infrastructure Security */

== R9:Infrastructure Security ==

The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications.

 

Security Risks

 

#Default configurations of systems and network devices
#All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
#Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
#Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
#Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
#All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.

 

 

Countermeasures

 

#
#Hardening of operating systems, applications and configurations. The purpose of this is to reduce the risk of an exploit via a vulnerable system service, application, unused or insecure default accounts etc. There are many approaches to this, and
#Tiering of the solution architecture. A tiered solution architecture will mean that a system directly exposed to for example the Internet is less likely to be used by a perpetrator as a hop-off point deeper into the organization's infrastructure. "Flat" networks where for example an Internet-facing system can talk directly a backend database server should be looked at with scrutiny.
#Isolation of infrastructure components, for example through the use of network ACLs, to reduce the
#Role-based administrative access and restricted administrative privileges. Any organization should try to restrict administrative access to resources to people who "need to know", and to ensure that roles are well defined. For example, if database administrators, system administrators and network administrators have clearly defined and delineated roles, the risk of an incident via an individual maliciously using his privileges, or makes an accidental mistake, will be reduced.
#Regular vulnerability assessments. Every organization should do regular risk assessments of their infrastructure, as well as vulnerability assessments of code they develop. Where customer/client/partner information is involved, the organizations must expect that the other parties have an interest in knowing how their data is protected, and only independent assessments/audits are likely to be accepted as trustworthy.

 

References

#Center for Internet Security (CISecurity) http://www.cisecurity.org/
#SANS Institute - Reading Room: http://www.sans.org/reading_room/

__NOTOC__ <headertabs />

[[Category:OWASP_Cloud_‐_10_Project]]

Cloud-10 Infrastructure Security

2010-05-17T14:31:14Z

Ove Hansen:

Cloud-10 Infrastructure Security

2010-05-17T14:22:38Z

Ove Hansen: /* R9:Infrastructure Security */

== R9:Infrastructure Security ==

Security Risks

 

#Default configurations of systems and network devices
#All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
#Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
#Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
#Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
#All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.

Countermeasures

##Hardening of operating systems, applications and configurations
#Tiering of the solution architecture
#Containment
#Role-based administrative access, restricted administrative privileges
#Regular vulnerability assessments

__NOTOC__ <headertabs />

[[Category:OWASP_Cloud_‐_10_Project]]

Category:OWASP Cloud ‐ 10 Project

2010-04-19T11:30:47Z

Ove Hansen: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud* Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

* Most of the risks are based on the assumption that Cloud is a public or a hybrid cloud

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Multi-tenancy in cloud means sharing of resources and services among multiple clients(CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants.

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| All infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, systems and networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues.

Although the fine details of the items above must be regarded as highly sensitive information, it is reasonable to expect a customer to want to see at least the high-level details. The Provider must be willing to provide this.
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft.
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

# Writeup to be finished by April 5th (All)
# Provide feedback by April 19th
# Incorporate all the comments feedback by 26th April
# Publish the first (beta) list of "OWASP Cloud-10" (April 3rd 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]
 [[User:Ove Hansen|Ove Hansen]]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2010-04-19T11:24:42Z

Ove Hansen: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud* Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

* Most of the risks are based on the assumption that Cloud is a public or a hybrid cloud

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Multi-tenancy in cloud means sharing of resources and services among multiple clients(CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants.

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| All infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, systems and networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues.
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft.
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

# Writeup to be finished by April 5th (All)
# Provide feedback by April 19th
# Incorporate all the comments feedback by 26th April
# Publish the first (beta) list of "OWASP Cloud-10" (April 3rd 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]
 [[User:Ove Hansen|Ove Hansen]]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]