OWASP - User contributions [en]

Cloud-10 Nonproduction Environment Exposure

2010-02-16T03:14:32Z

Pankaj Telang:

An IT organization that develops software applications internally
employs a set of non-production environments for design, development,
and test activities. The non-production environments are generally not
secured to the same extent as the production environment. This is to
ease and facilitate the development and test cycles. Such
non-production environments are not only accessed by the employees of
the organization, but also by the outsourced vendors. In a non-cloud
environment, the non-production environments are in the data-center of
the organization, and are under complete ownership of the organization.
Therefore, the organization can appropriately control the access of these
environments.

If an organization chooses to use a cloud provider for a
non-production environment, then the organization loses control over
them. Since cloud is publicly accessible, there is a high risk that an
unauthorized user may get access to the non-production environment. A
malicious user may alter the environment in such a way that it becomes
unusable. Or even worse, a malicious user may completely delete the
environment.

A non-production environment may use generic authentication
credentials. The passwords used in non-production environment may not
conform to the standard password policy of the organization. In such a
case, unauthorized access becomes very easy.

An organization may create a non-production environment by copying
data from its production equivalent. In such a case, an unauthorized
user can steal the sensitive production data. Examples of such data
are credit card and social security numbers.

To mitigate non-production environment exposure risk, an organization
should consider the following:

1. Ensure that the credentials used for accessing non-production environments
are strong, and conform to the same standards as the production environment.

2. The data in the non-production environment is not a copy of the data in
the production environment.

Cloud-10 Nonproduction Environment Exposure

2010-02-16T03:09:28Z

Pankaj Telang:

Category:OWASP Cloud ‐ 10 Project

2010-02-16T02:55:22Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft.
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Nonproduction Environment Exposure

2010-02-16T02:44:05Z

Pankaj Telang:

An IT organization that develops software applications internally
employs a set of non-production environments for design, development,
and test activities. The non-production environments are generally not
secured to the same extent as the production environment. This is to
ease and facilitate the development and test cycles. Such
non-production environments are not only accessed by the employees of
the organization, but also by the outsourced vendors. In a non-cloud
environment, the non-production environments are in the data-center of
the organization, and are under complete ownership of the organization.
Therefore, the organization can control the access of these
environments.

If an organization chooses to use a cloud provider for a
non-production environment, then the organization loses control over
them. Since cloud is publicly accessible, there is a high risk that an
unauthorized user may get access to the non-production environment. A
malicious user may alter the environment in such a way that it becomes
unusable. Or even worse, a malicious user may completely delete the
environment.

A non-production environment may use generic authentication
credentials. The passwords used in non-production environment may not
conform to the standard password policy of the organization. In such a
case, unauthorized access becomes very easy.

An organization may create a non-production environment by copying
data from its production equivalent. In such a case, an unauthorized
user can steal the sensitive production data. Examples of such data
are credit card and social security numbers.

Cloud-10 Accountability and Data Ownership

2010-02-15T22:31:59Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

==R1:Accountability and Data Ownership==
[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>
A traditional data center of an organization is under complete control
of that organization. The organization logically and physically
protects the data it owns. For economical reasons, an organization
may choose to use a public cloud for hosting its business services. In
this case, the organization loses control of its data. This poses
critical security risks that the organization needs to carefully
consider and mitigate.

The severity of risks depends on the sensitivity of the data stored in
the cloud. Informal blogs, twitter posts, public news, and newsgroup
messages are examples of less sensitive data. The risk of hosting
such data in the cloud is low. On the contrary, data such as
health-related records, criminal records, credit history, and payroll
information is highly sensitive business data. There are serious
business and legal ramifications if such data is compromised.
Therefore, the risk of hosting such data in the cloud is very high.

Since data in the cloud is physically in control of the cloud
provider, the foremost risk is that of ensuring confidentiality of the
stored data. Encryption can be employed to ensure confidentiality. If
the cloud provider uses multi-tenancy architecture, then separate
encryption keys, one per cloud consumer, should be employed.

A cloud provider may physically store a consumer's data in various
countries. Such architecture poses several risks. For example, a
country has its own legal system, and the cloud provider operating in
that country is bound to that system. The laws of a country may force
a cloud provider to permit legal officials to access the data, and any
encryption keys, stored in that country's geographical boundary. The
physical location of data can additionally have economic
ramifications. For example, the tax rules vary based on the country
in which sales orders are processed. A cloud consumer may not be able
to benefit economically by processing orders in a country that offers
lowest tax rates, since the cloud provider may store orders data in
any country.

A cloud provider may store the consumer's data in its premises, or
employ an Infrastructure-As-A-Provider (IAAS) for data storage. The
provider may use multi-tenancy architecture which collocates data of
multiple cloud consumers in one physical storage. This architecture
may lack appropriate controls to ensure that a cloud consumer can
access only its own data, and not the data of other consumers. If the
cloud consumers are competitors in their business domain, then such
such lack of control can pose serious business risks for the
consumers.

Upon a request to delete some data, a cloud provider may only
nominally delete it, and leave traces that can be used to reconstruct
the original data. Such reconstructed data can be stolen, and
misused, posing a significant risk to the cloud consumer.

To mitigate various data related risks, an organization that uses a
cloud for conducting business should do the following:

1. Understand how the cloud provider secures the data and how the
provider detects and reports a compromise.

2. Know the geographical location of the data storage, and ensure
that the provider will not store data in a restricted country.

3. Know the situations in which a third party or a government
can sieze the data from the provider. The provider should provide
advanced notification of such event.

4. Ensure that the cloud provider appropriately protects data based on
the data classification as specified by the consumer, and to address
the concerns of privacy laws such as HIPPA.

5. The provider by default denies all access to the consumer's data.
The consumer organization can explicitly grant access with specific
privilege to desired parties.

6. The provider encrypts the data at rest, and the data in transit.

7. The provider logically isolates the data of multiple consumers in
such a way so as to prevent any unauthorized access, modification, or
deletion of the data.

8. Understand how the cloud provider manages ecnryption for multiple
consumers. Instead of a single encryption key for all consumers, the
provider should use (atleast) one key per consumer.

9. Verify that the provider destroys deleted data in such a way that
it cannot be later recreated.

10. In case of a data breach, make the cloud provider pay certain
penalty.

Real-world incident: On July 15, 2009, Twitter disclosed that a hacker
accessed a substantial amount of company data stored on Google Apps by
first hijacking a Twitter employee's official e-mail account. Though
the breach had more to do with weak passwords and password resets, the
incident has nevertheless drawn fresh attention to broader security
and privacy concerns related to cloud computing.

Cloud-10 Accountability and Data Ownership

2010-02-15T22:31:22Z

Pankaj Telang:

==R1:Accountability and Data Ownership==
[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

A traditional data center of an organization is under complete control
of that organization. The organization logically and physically
protects the data it owns. For economical reasons, an organization
may choose to use a public cloud for hosting its business services. In
this case, the organization loses control of its data. This poses
critical security risks that the organization needs to carefully
consider and mitigate.

The severity of risks depends on the sensitivity of the data stored in
the cloud. Informal blogs, twitter posts, public news, and newsgroup
messages are examples of less sensitive data. The risk of hosting
such data in the cloud is low. On the contrary, data such as
health-related records, criminal records, credit history, and payroll
information is highly sensitive business data. There are serious
business and legal ramifications if such data is compromised.
Therefore, the risk of hosting such data in the cloud is very high.

Since data in the cloud is physically in control of the cloud
provider, the foremost risk is that of ensuring confidentiality of the
stored data. Encryption can be employed to ensure confidentiality. If
the cloud provider uses multi-tenancy architecture, then separate
encryption keys, one per cloud consumer, should be employed.

A cloud provider may physically store a consumer's data in various
countries. Such architecture poses several risks. For example, a
country has its own legal system, and the cloud provider operating in
that country is bound to that system. The laws of a country may force
a cloud provider to permit legal officials to access the data, and any
encryption keys, stored in that country's geographical boundary. The
physical location of data can additionally have economic
ramifications. For example, the tax rules vary based on the country
in which sales orders are processed. A cloud consumer may not be able
to benefit economically by processing orders in a country that offers
lowest tax rates, since the cloud provider may store orders data in
any country.

A cloud provider may store the consumer's data in its premises, or
employ an Infrastructure-As-A-Provider (IAAS) for data storage. The
provider may use multi-tenancy architecture which collocates data of
multiple cloud consumers in one physical storage. This architecture
may lack appropriate controls to ensure that a cloud consumer can
access only its own data, and not the data of other consumers. If the
cloud consumers are competitors in their business domain, then such
such lack of control can pose serious business risks for the
consumers.

Upon a request to delete some data, a cloud provider may only
nominally delete it, and leave traces that can be used to reconstruct
the original data. Such reconstructed data can be stolen, and
misused, posing a significant risk to the cloud consumer.

To mitigate various data related risks, an organization that uses a
cloud for conducting business should do the following:

1. Understand how the cloud provider secures the data and how the
provider detects and reports a compromise.

2. Know the geographical location of the data storage, and ensure
that the provider will not store data in a restricted country.

3. Know the situations in which a third party or a government
can sieze the data from the provider. The provider should provide
advanced notification of such event.

4. Ensure that the cloud provider appropriately protects data based on
the data classification as specified by the consumer, and to address
the concerns of privacy laws such as HIPPA.

5. The provider by default denies all access to the consumer's data.
The consumer organization can explicitly grant access with specific
privilege to desired parties.

6. The provider encrypts the data at rest, and the data in transit.

7. The provider logically isolates the data of multiple consumers in
such a way so as to prevent any unauthorized access, modification, or
deletion of the data.

8. Understand how the cloud provider manages ecnryption for multiple
consumers. Instead of a single encryption key for all consumers, the
provider should use (atleast) one key per consumer.

9. Verify that the provider destroys deleted data in such a way that
it cannot be later recreated.

10. In case of a data breach, make the cloud provider pay certain
penalty.

Real-world incident: On July 15, 2009, Twitter disclosed that a hacker
accessed a substantial amount of company data stored on Google Apps by
first hijacking a Twitter employee's official e-mail account. Though
the breach had more to do with weak passwords and password resets, the
incident has nevertheless drawn fresh attention to broader security
and privacy concerns related to cloud computing.

Cloud-10 Accountability and Data Ownership

2010-02-15T17:04:52Z

Pankaj Telang:

Category:OWASP Cloud ‐ 10 Project

2010-02-15T16:50:29Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2010-02-15T16:48:57Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2010-02-15T16:48:15Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization
performs to ensure that the business can be conducted in a disaster
situation. In case of an organization that uses cloud, the
responsibility of business continuity gets delegated to the cloud
provider. This creates a risk to the organization of not having
appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2010-02-15T16:46:31Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| - Traditionally, Business Continuity is an activity an IT
organization performs to ensure that business can be conducted in a
disaster situation. In case of an organization that uses cloud, the
responsibility of business continuity gets delegated to the cloud
provider. This creates a risk to the organization of not having
appropriate business continuity.
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2010-02-15T16:42:13Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Nonproduction Environment Exposure

2010-02-15T16:41:30Z

Pankaj Telang: Created page with 'Nonproduction Environment Exposure'

Nonproduction Environment Exposure

Cloud-10 Business Continuity and Resiliency

2010-02-15T16:37:11Z

Pankaj Telang:

Business Continuity is the activity an organization performs to ensure
that critical business functions are available to the customers,
suppliers, regulators, and other entities that must have access to
those functions. These activities include many daily chores such as
project management, system backups, change control, and help
desk. Resiliency is the property of a system to adapt itself to the
consequences of a catastrophic failure caused by natural or man-made
events.

The business continuity is the responsibility of an organization that
operates in a non-cloud environment. The planning and execution of
business continuity is owned by the organization. Since the
organization owns the entire IT infrastructure, it has the knowledge
and the resources needed to develop an effective business continuity
plan.

In case of an organization using a cloud, the responsibility of
business continuity gets delegated to the cloud provider. The
organization loses control over how business continuity is planned for
and executed. This creates a risk to the organization of not having
appropriate business continuity in the case of a disaster. To mitigate
this risk, the organization using a cloud should do the following:

1. Ensure customer Recovery Time Objectives (RTOs) are fully
understood and defined in contractual relationships.

2. Confirm that the cloud provider has an existing Business Continuity
Policy approved by the provider’s board of directors.

3. Check if the cloud provider has an active management support and a
periodic review of the Business Continuity Program.

4. Verify whether the cloud provider's Business Continuity Program is
certified and/or mapped to internationally recognized standards such
as BS 25999.

Instead of a risk, if an organization itself lacks a business
continuity strategy, and decides to use a cloud provider that has a
well defined business continuity strategy, the organization benefits
from the use of the cloud.

Real-world incident: Windows Azure, Microsoft's cloud computing
platform, suffered an outage over a weekend in March, 2009. If your
organization was using this service, how would the outage have
affected the organization's ability to conduct business? Microsoft
would own the responsibility to fix the issue and not the IT team of
your organization.

Cloud-10 Business Continuity and Resiliency

2010-02-15T16:36:07Z

Pankaj Telang:

Business Continuity is the activity an organization performs to ensure
that critical business functions are available to the customers,
suppliers, regulators, and other entities that must have access to
those functions. These activities include many daily chores such as
project management, system backups, change control, and help
desk. Resiliency is the property of a system to adapt itself to the
consequences of a catastrophic failure caused by natural or man-made
events.

The business continuity is the responsibility of an organization that
operates in a non-cloud environment. The planning and execution of
business continuity is owned by the organization. Since the
organization owns the entire IT infrastructure, it has the knowledge
and the resources needed to develop an effective business continuity
plan.

In case of an organization using a cloud, the responsibility of
business continuity gets delegated to the cloud provider. The
organization loses control over how business continuity is planned for
and executed. This creates a risk to the organization of not having
appropriate business continuity in the case of a disaster. To mitigate
this risk, the organization using a cloud should do the following:

1. Ensure customer Recovery Time Objectives (RTOs) are fully
understood and defined in contractual relationships.

2. Confirm that the cloud provider has an existing Business Continuity
Policy approved by the provider’s board of directors.

3. Check if the cloud provider has an active management support and a
periodic review of the Business Continuity Program.

4. Verify whether the cloud provider's Business Continuity Program is
certified and/or mapped to internationally recognized standards such
as BS 25999.

Instead of a risk, if an organization itself lacks a business
continuity strategy, and decides to use a cloud provider that has a
well defined business continuity strategy, the organization benefits
from the use of the cloud.

Example: Windows Azure, Microsoft's cloud computing platform, suffered
an outage over a weekend in March, 2009. If your organization was
using this service, how would the outage have affected the
organization's ability to conduct business? Microsoft would own the
responsibility to fix the issue and not the IT team of your
organization.

Cloud-10 Business Continuity and Resiliency

2010-02-15T16:26:36Z

Pankaj Telang:

Business Continuity is the activity an
organization performs to ensure that critical business functions
are available to the customers, suppliers, regulators, and other
entities that must have access to those functions. These
activities include many daily chores such as project management,
system backups, change control, and help desk. Resiliency is the
property of a system to adapt itself to the consequences of a
catastrophic failure caused by natural or man-made events.



The business continuity is the responsibility of an organization
that operates in a non-cloud environment. The planning and
execution of business continuity is owned by the
organization. Since the organization owns the entire IT
infrastructure, it has the knowledge and the resources needed to
develop an effective business continuity plan.

In case of an organization using a cloud, the responsibility of
business continuity gets delegated to the cloud provider. The
organization loses control over how business continuity is
planned for and executed. This creates a risk to the organization
of not having appropriate business continuity in the case of a
disaster. To mitigate this risk, the organization using a cloud should
do the following:

Ensure customer Recovery Time Objectives (RTOs) are fully
understood and defined in contractual relationships.

Confirm that the cloud provider has an existing Business Continuity Policy
approved by the provider’s board of directors.

Check if the cloud provider has an active management support and a periodic review
of the Business Continuity Program.

Verify whether the cloud provider's Business Continuity Program is certified and/or mapped to
internationally recognized standards such as BS 25999.

Instead of a risk, if an organization itself lacks a business continuity strategy,
and decides to use a cloud provider that has a well defined
business continuity strategy, the organization benefits from the
use of the cloud.

Example: Windows Azure, Microsoft's cloud computing platform, suffered an
outage over a weekend in March, 2009. If your organization was using
this service, how would the outage have affected the organization's
ability to conduct business? Microsoft would own the responsibility to fix
the issue and not the IT team of your organization.

Cloud-10 Business Continuity and Resiliency

2010-02-15T16:03:30Z

Pankaj Telang:

Business Continuity is the activity an
organization performs to ensure that critical business functions
are available to the customers, suppliers, regulators, and other
entities that must have access to those functions. These
activities include many daily chores such as project management,
system backups, change control, and help desk. Resiliency is the
property of a system to adapt itself to the consequences of a
catastrophic failure caused by natural or man-made events.



The business continuity is the responsibility of an organization
that operates in a non-cloud environment. The planning and
execution of business continuity is owned by the
organization. Since the organization owns the entire IT
infrastructure, it has the knowledge and the resources needed to
develop an effective business continuity plan.



In case of an organization using a cloud, the responsibility of
business continuity gets delegated to the cloud provider. The
organization loses control over how business continuity is
planned for and executed. This creates a risk to the organization
of not having appropriate business continuity in the case of a
disaster.

If an organization itself lacks a business continuity strategy,
and decides to use a cloud provider that has a well defined
business continuity strategy, the organization benefits from the
use of the cloud.

Category:OWASP Cloud ‐ 10 Project

2010-02-15T14:46:20Z

Pankaj Telang: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Business Continuity and Resiliency

2010-02-15T14:39:02Z

Pankaj Telang:

As per Wikipedia, Business Continuity is the activity an
organization performs to ensure that critical business functions
are available to the customers, suppliers, regulators, and other
entities that must have access to those functions. These
activities include many daily chores such as project management,
system backups, change control, and help desk. Resiliency is the
property of a system to adapt itself to the consequences of a
catastrophic failure caused by natural or man-made events.



The business continuity is the responsibility of an organization
that operates in a non-cloud environment. The planning and
execution of business continuity is owned by the
organization. Since the organization owns the entire IT
infrastructure, it has the knowledge and the resources needed to
develop an effective business continuity plan.



In case of an organization using a cloud, the responsibility of
business continuity gets delegated to the cloud provider. The
organization loses control over how business continuity is
planned for and executed. This creates a risk to the organization
of not having appropriate business continuity in the case of a
disaster.

If an organization itself lacks a business continuity strategy,
and decides to use a cloud provider that has a well defined
business continuity strategy, the organization benefits from the
use of the cloud.

Cloud-10 Business Continuity and Resiliency

2010-02-15T14:37:56Z

Pankaj Telang:

Cloud-10 Business Continuity and Resiliency

2010-01-29T15:49:32Z

Pankaj Telang: Created page with 'Due to the lack of physical control over infrastructure in many Cloud Computing deployments; Service Level Agreements, contract requirements, and provider documentation play a la…'

Due to the lack of physical control over infrastructure in many Cloud Computing
deployments; Service Level Agreements, contract requirements, and provider
documentation play a larger role in risk management than with traditional, enterpriseowned
infrastructure.

Cloud-10 Accountability and Data Ownership

2009-11-17T21:08:37Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

Cloud-10 Accountability and Data Ownership

2009-11-17T21:06:43Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

Cloud-10 Accountability and Data Ownership

2009-11-16T19:50:20Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

Cloud-10 Accountability and Data Ownership

2009-11-16T19:50:05Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

Cloud-10 Accountability and Data Ownership

2009-11-16T14:18:04Z

Pankaj Telang: /* R1:Accountability and Data Ownership */

==R1:Accountability and Data Ownership==

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

An internal cloud or a data center of an autonomous organization is
under complete control of that organization. The organization is
accountable and owns data in an internal cloud. Unlike internal cloud,
for economical reasons, an organization may choose to use a public
cloud for hosting business services. In the public cloud, the
accountability and data ownership gets delegated to the cloud
provider.

Tim Mather, et.al. (cite Cloud Security & Privacy) categorize data
risks of a public cloud in the following categories:

Data-in-transit risk: The data of a cloud consumer traverses to and
from the cloud provider over the public internet. The data can be
stolen or tampered in-transit. This poses confidentiality and
integrity risks.

Data-at-rest risk: The cloud provider may store the data in its
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
storage. The provider may use multi-tenancy architecture which
collocates data of multiple cloud consumers in one physical
storage. This poses the risks of physical security of the data,
unauthorized data access, and lack of auditability.

Data processing: A cloud consumer may use a cloud for data processing.
Data processing necessitates the data to be un-encrypted during the
duration of the processing. There is a risk of data getting stolen.

Data location: For audit and compliance purposes, the specific
location of data can be important. A cloud provider may have a
geographically distributed storage architecture which conflicts
with the regulatory requirements.

Data remanence: Upon a deletion request, a cloud provider may
may nominally erase data. The remanant data can be accessed and
stolen.