OWASP - User contributions [en]

Category:OWASP Cloud ‐ 10 Project

2011-09-13T19:23:16Z

Shankar Babu Chebrolu:

Category:OWASP Cloud ‐ 10 Project

2011-09-13T19:18:58Z

Shankar Babu Chebrolu:

Cloud-10 Service and Data Integration

2011-01-13T12:44:40Z

Shankar Babu Chebrolu:

==R6: Service and Data Integration ==

Gartner published extensive research on cloud services intermediaries called cloud services brokerages, which would enhance and enrich cloud services in terms of performance etc and help improve cloud adoption.

Cloud consumers that are planning to adopt cloud and cloud services brokerages must make sure that their proprietary data is adequately protected as it traverses through the internet between the end user and the cloud data center(s). Cloud computing models increase the risks associated with interception of data in transit, eventhough these risks are not unique to cloud. Cloud providers must ensure that they use SSL and/or tighter encryption protocols to secure data in transit.
Increasingly complex integration and the dynamics in cloud computing present significant challenges to timely diagnosis and resolution of incidents such as malware detection and immediate intrusion response to mitigate the impact (Gupta, 2009; Christodorescu, Sailer, Schales, Sgandurra & Zamboni, 2009).

References:

Babcock, C. (2009, September). Hybrid Clouds. InformationWeek,(1240), 15-19. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1865633581).

Byrne, T. (2009, April). Clouding Over. EContent, 32(3), 37. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1675328451).
de Assuncao, M. D., di Costanzo, A., & Buyya, R. (2009). Evaluating the cost-benefit of using cloud computing to extend the capacity of clusters. Paper presented at the HPDC '09: Proceedings of the 18th ACM International Symposium on High Performance Distributed Computing, Garching, Germany. 141-150.

Hoover, J. (2009, April). GE Puts The Cloud Model To The Test. InformationWeek,(1226), 32-33. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1682898981).

Gupta, R., Prasad, K. H., Luan, L., Rosu, D., & Ward, C. (2009). Multi-dimensional knowledge integration for efficient incident management in a services cloud. Paper presented at the SCC '09: Proceedings of the 2009 IEEE International Conference on Services Computing, 57-64

Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: A short paper. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA. 97-102

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Category:OWASP Cloud ‐ 10 Project

2010-10-31T19:01:02Z

Shankar Babu Chebrolu:

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

According to Gartner, by 2012, 20% of businesses will adopt cloud services and own no IT assets. Goal of the project is to maintain a list of top 10 security risks faced with the Cloud* Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

* Most of the risks are based on the assumption that Cloud is a public or a hybrid cloud

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

Also refer the recent presentation - http://www.owasp.org/images/4/47/Cloud-Top10-Security-Risks.pdf

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate. (Pankaj, Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay, Pankaj)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar, Ove)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity. (Pankaj, Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Multi-tenancy in cloud means sharing of resources and services among multiple clients(CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants. (Vinay, Pankaj)

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| All infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, systems and networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues. (Ove, Shankar)

Although the fine details of the items above must be regarded as highly sensitive information, it is reasonable to expect a customer to want to see at least the high-level details. The Provider must be willing to provide this.
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft. (Pankaj, Ove)
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

# Writeup to be finished by April 5th (All)
# Provide feedback by April 19th
# Incorporate all the comments feedback by 26th April
# Publish the first (beta) list of "OWASP Cloud-10" (April 3rd 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Dr. Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]
 [[User:Ove Hansen|Ove Hansen]]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

User:Shankar Babu Chebrolu

2010-10-31T19:00:11Z

Shankar Babu Chebrolu:

Dr. Shankar Babu Chebrolu, CISSP is an IT Security Architect responsible for securing web based applications in Customer Value Chain Management at Cisco Systems, working closely with Cisco Supply Chain partners, Application Service Providers, Solution Vendors and Corporate Security Programs Organization (CSPO). He has worked at Cisco for about 10 years. Shankar Babu Chebrolu has been a speaker at a number of professional conferences including Siebel Customer World 2005, Oracle Open World 2006, Oracle Applications User Group 2007, CA World 2007, Triangle InfoseCon 2008 and 2010, ISSA-Raleigh Chapter 20009 presenting in his areas of expertise: securing web applications and integrating third party security models within Cisco Enterprise. Shankar earned his PhD in Information Technology from Capella University, Minneapolis and earned his Master's Degree in Computer Science & Engineering from Indian Institute of Technology (IIT), Mumbai, India.

Industry:ENISA Cloud Computing Common Assurance Metrics

2010-05-27T19:09:25Z

Shankar Babu Chebrolu:

__NOTOC__

Return to [[Global Industry Committee]]

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|'''ACTIVITY IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Activity Name'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|'''ENISA Common Assurance Maturity Model'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Short Description'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|Collaborate with ENISA on their Cloud Computing Common Assurance Metrics project during 2010
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Related Projects '''
| colspan="3" style="width:75%; background:#cccccc" align="left"|[[:Category:OWASP Cloud ‐ 10 Project]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Primary''' Shankar Babu Chebrolu Vinay Bansal Colin Watson
| style="width:25%; background:#cccccc" align="center"|'''Secondary''' TBC
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' Use [https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Cloud 10 Project Mailing List]
|}

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|'''ACTIVITY SPECIFICS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* Contribute to ENISA's project as contributors or reviewers
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* Q1 2010 - Agree Scope
** 05 Feb 2010 - Receive CAM Briefing Pack
** 12 Feb 2010 - Respond to ENISA about participation
** 16 Feb 2010 - OWASP Conference call with OWASP participants (CW/SC/VB/DC)
** 19 Feb 2010 - ENISA initial project conference call
** 15 Mar 2010 - Initial meeting in Barcelona at [http://www.cloudsecurityalliance.org/sc2010.html SecureCloud 2010]
* Q2 2010 - Develop Framework
** 04 May Sub-domain "development" assigned to OWASP team
** 21 May 2010 - Framework meeting in London
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Status'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* In Progress
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Resources'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|[http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment ENISA Report on Cloud Computing]
[http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework?searchterm=cloud ENISA Information Assurance Framework]
[http://www.cloudsecurityalliance.org/cm.html Cloud Security Alliance Cloud Controls Matrix]
|-
|}

Return to [[Global Industry Committee]]

Category:OWASP Cloud ‐ 10 Project

2010-05-03T13:57:00Z

Shankar Babu Chebrolu: /* Goal */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

According to Gartner, by 2012, 20% of businesses will adopt cloud services and own no IT assets. Goal of the project is to maintain a list of top 10 security risks faced with the Cloud* Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

* Most of the risks are based on the assumption that Cloud is a public or a hybrid cloud

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. An organization that chooses to use a public cloud for hosting its business service loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate. (Pankaj, Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay, Pankaj)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar, Ove)
|-
| [http://www.owasp.org/index.php/Cloud-10_Business_Continuity_and_Resiliency R4 - Business Continuity and Resiliency]
| Business Continuity is an activity an IT organization performs to ensure that the business can be conducted in a disaster situation. In case of an organization that uses cloud, the responsibility of business continuity gets delegated to the cloud provider. This creates a risk to the organization of not having appropriate business continuity. (Pankaj, Shankar)
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Multi-tenancy in cloud means sharing of resources and services among multiple clients(CPU, networking, storage/databases, application stack). It increases dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants. (Vinay, Pankaj)

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar, Ove)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| All infrastructure must be hardened and configured securely, and the hardening/configuration baselines should be based on Industry Best Practices. Applications, systems and networks must be architected and configured with tiering and security zones, and access must be configured to only allow required network and application protocols. Administrative access must be role-based, and granted on a need-to-know basis. Regular risk assessments must be done, preferably by an independent party. A policy and process must be in place for patching/security updates, and can based on risk/threat assessments of new security issues. (Ove, Shankar)

Although the fine details of the items above must be regarded as highly sensitive information, it is reasonable to expect a customer to want to see at least the high-level details. The Provider must be willing to provide this.
|-
| [http://www.owasp.org/index.php/Cloud-10_Nonproduction_Environment_Exposure R10 - Non Production Environment Exposure]
| An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. The non-production environments are generally not secured to the same extent as the production environment. If an organization uses a cloud provider for such non-production environment, then there is a high risk of unauthorized access, information modification, and information theft. (Pankaj, Ove)
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

# Writeup to be finished by April 5th (All)
# Provide feedback by April 19th
# Incorporate all the comments feedback by 26th April
# Publish the first (beta) list of "OWASP Cloud-10" (April 3rd 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]
 [[User:Ove Hansen|Ove Hansen]]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Service and Data Integration

2010-04-12T14:09:06Z

Shankar Babu Chebrolu: /* R6: Service and Data Integration */

==R6: Service and Data Integration ==

Companies that are planning to adopt cloud must make sure that their proprietary data is adequately protected as it traverses through the internet between the end user and the cloud data center(s). Cloud computing models increase the risks associated with interception of data in transit, eventhough these risks are not unique to cloud. Cloud providers must ensure that they use SSL and/or tighter encryption protocols to secure data in transit.
Increasingly complex integration and the dynamics in cloud computing present significant challenges to timely diagnosis and resolution of incidents such as malware detection and immediate intrusion response to mitigate the impact (Gupta, 2009; Christodorescu, Sailer, Schales, Sgandurra & Zamboni, 2009).

References:

Babcock, C. (2009, September). Hybrid Clouds. InformationWeek,(1240), 15-19. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1865633581).

Byrne, T. (2009, April). Clouding Over. EContent, 32(3), 37. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1675328451).
de Assuncao, M. D., di Costanzo, A., & Buyya, R. (2009). Evaluating the cost-benefit of using cloud computing to extend the capacity of clusters. Paper presented at the HPDC '09: Proceedings of the 18th ACM International Symposium on High Performance Distributed Computing, Garching, Germany. 141-150.

Hoover, J. (2009, April). GE Puts The Cloud Model To The Test. InformationWeek,(1226), 32-33. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1682898981).

Gupta, R., Prasad, K. H., Luan, L., Rosu, D., & Ward, C. (2009). Multi-dimensional knowledge integration for efficient incident management in a services cloud. Paper presented at the SCC '09: Proceedings of the 2009 IEEE International Conference on Services Computing, 57-64

Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: A short paper. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA. 97-102

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Cloud-10 Service and Data Integration

2010-04-12T13:49:44Z

Shankar Babu Chebrolu: /* R6: Service and Data Integration */

==R6: Service and Data Integration ==

Companies that are planning to adopt cloud must make sure that their proprietary data is adequately protected as it traverses through the internet between the end user and the cloud data center(s). Cloud computing models increase the risks associated with interception of data in transit, eventhough these risks are not unique to cloud. Cloud providers must ensure that they use SSL and/or tighter encryption protocols to secure data in transit.
Increasingly complex integration and the dynamics in cloud computing present significant challenges to timely diagnosis and resolution of incidents such as malware detection and immediate intrusion response to mitigate the impact (Gupta, 2009; Christodorescu, Sailer, Schales, Sgandurra & Zamboni, 2009).

References:

Babcock, C. (2009, September). Hybrid Clouds. InformationWeek,(1240), 15-19. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1865633581).

Byrne, T. (2009, April). Clouding Over. EContent, 32(3), 37. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1675328451).
de Assuncao, M. D., di Costanzo, A., & Buyya, R. (2009). Evaluating the cost-benefit of using cloud computing to extend the capacity of clusters. Paper presented at the HPDC '09: Proceedings of the 18th ACM International Symposium on High Performance Distributed Computing, Garching, Germany. 141-150. Retrieved from http://doi.acm.org.library.capella.edu/10.1145/1551609.1551635

Hoover, J. (2009, April). GE Puts The Cloud Model To The Test. InformationWeek,(1226), 32-33. Retrieved December 20, 2009, from ABI/INFORM Global. (Document ID: 1682898981).

Gupta, R., Prasad, K. H., Luan, L., Rosu, D., & Ward, C. (2009). Multi-dimensional knowledge integration for efficient incident management in a services cloud. Paper presented at the SCC '09: Proceedings of the 2009 IEEE International Conference on Services Computing, 57-64

Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: A short paper. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA. 97-102

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Cloud-10 Regulatory Compliance

2010-04-12T13:46:54Z

Shankar Babu Chebrolu: /* R3: Regulatory Compliance */

==R3: Regulatory Compliance ==

Customers are ultimately responsible for the security and compliance with regulatory laws (e.g., SOX, HIPAA etc) of their own applications that are hosted in cloud. Data stewards and application owners must plan to put timely audits in place to ensure proper controls in the applications and infrastructure that is hosted at a cloud provider. Companies that are planning to adopt cloud (SaaS, Iaas, Paas etc) must ensure that their cloud provider understand the respective roles and responsbilities (RACI etc) in helping out customers in maintaining required compliance with the appropriate regulatory laws and standards (government and commercial).
IT managers are likely to push back on cloud adoption due to the fear of losing control of their resources to outside cloud providers who can change the underlying technology or implementation or both without customer’s consent which may have implications on regulatory compliance due to lack of transparency (Sullivan, 2009; Chow et al., 2009). IT organizations should analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements and by making sure that the data protection, availability and key management expectations are well defined into the service level agreements (Getgen, 2009).

References:

Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).

Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).

Gartner: Seven Cloud-Computing Security Risks. http://www.cio.com/article/423713/Gartner_Seven_Cloud_Computing_Security_Risks?page=1&taxonomyId=1419

Google: Cloud computing more secure than traditional IT. http://www.computerweekly.com/Articles/2009/07/21/236982/cloud-computing-more-secure-than-traditional-it-says.htm

Top five cloud computing security issues. http://www.computerweekly.com/Articles/2009/04/24/235782/top-five-cloud-computing-security-issues.htm

Cloud Security Alliance. http://www.cloudsecurityalliance.org/csaguide.pdf

O'Sullivan, D. (2009). The internet cloud with a silver lining. The British Journal of Administrative Management.

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., & Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA

Getgen, K. (2009, October). 2009 Encryption and key management industry benchmark report. Trust Catalyst white paper on Risk Management for data protection.

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Category:OWASP Cloud ‐ 10 Project

2010-01-29T15:43:52Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-located on the same hardware and storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 
Risk Criteria:

#Easily Executable
#Most Damaging
#Incidence Frequency (Known)

== Alpha Release ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (Dec 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Jan 2010)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (Jan-Feb 2010)

== Beta Release ==

#Publish the first (beta) list of "OWASP Cloud-10" (April 2010)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Service and Data Integration

2009-12-22T21:27:45Z

Shankar Babu Chebrolu: /* R6: Service and Data Integration */

Cloud-10 Service and Data Integration

2009-12-22T21:27:15Z

Shankar Babu Chebrolu: /* R6: Service and Data Integration */

Cloud-10 Regulatory Compliance

2009-12-22T21:10:49Z

Shankar Babu Chebrolu: /* R3: Regulatory Compliance */

Category:OWASP Cloud ‐ 10 Project

2009-11-30T01:54:49Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-mingled on the same storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-30T01:53:19Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration] Organizations must be sure that their proprietary data is adequately protected as it is transferred between the end user and the cloud data center. While interception of data in transit should be of concern to every organization, the risk is much greater for organizations utilizing a cloud computing model, where data is transmitted over the Internet. Unsecured data is susceptible to interception and compromise during transmission. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-mingled on the same storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-28T21:32:28Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-mingled on the same storage devices and hence a concern for law enforcing agencies for forensic recovery. (Shankar)

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-28T21:21:26Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
|In the event of a security incident, applications and services hosted at a cloud provider are difficult to investigate as logging may be distributed across multiple hosts and data centers which could be located in various countries and hence governed by different laws. Also, along with log files, data belonging to multiple customers may be co-mingled on the same storage devices and hence a concern for law enforcing agencies for forensic recovery.
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']]
 [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]]
 [[User:Pankaj Telang|Pankaj Telang]]
 [http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

User:Shankar Babu Chebrolu

2009-11-16T15:08:01Z

Shankar Babu Chebrolu:

Shankar Babu Chebrolu,CISSP is an IT Security Architect responsible for securing web based applications in Customer Value Chain Management at Cisco Systems, working closely with Cisco Supply Chain partners, Application Service Providers, Solution Vendors and Corporate Security Programs Organization (CSPO). He has worked at Cisco for about 9 years. Shankar Babu Chebrolu has been a speaker at conferences including Siebel Customer World, Oracle Open World, Oracle Applications User Group, CA World, Triangle InfoseCon, ISSA-Raleigh presenting in his areas of expertise: securing web applications and integrating third party security models within Cisco Enterprise. Shankar holds a Master's Degree in Computer Science from Indian Institute of Technology (IIT), Mumbai, India.

User:Shankar Babu Chebrolu

2009-11-16T15:07:21Z

Shankar Babu Chebrolu:

Shankar Babu Chebrolu,CISSP is an IT Security Architect responsible for securing web based applications in Customer Value Chain Management at Cisco Systems, working closely with Cisco Supply Chain partners, Application Service Providers, Solution Vendors and Corporate Security Programs Organization (CSPO). He has worked at Cisco for about 9 years. Shankar Babu Chebrolu has been a speaker at conferences including Siebel Customer World, Oracle Open World, Oracle Applications User Group, CA World, Triangle InfoseCon, ISSA presenting in his areas of expertise: securing web applications and integrating third party security models within Cisco Enterprise. Shankar holds a Master's Degree in Computer Science from Indian Institute of Technology (IIT), Mumbai, India.

Cloud-10 Regulatory Compliance

2009-11-16T14:39:23Z

Shankar Babu Chebrolu: Created page with '==R3: Regulatory Compliance == Category:OWASP Cloud ‐ 10 Project __NOTOC__ <headertabs/>'

==R3: Regulatory Compliance ==

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Category:OWASP Cloud ‐ 10 Project

2009-11-16T14:38:19Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| [http://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance R3 - Regulatory Compliance]
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Incidence Analysis and Forensic Support

2009-11-16T14:19:40Z

Shankar Babu Chebrolu: Created page with '==R8: Incidence Analysis and Forensic Support == Category:OWASP Cloud ‐ 10 Project __NOTOC__ <headertabs/>'

==R8: Incidence Analysis and Forensic Support ==

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Cloud-10 Service and Data Integration

2009-11-16T14:18:24Z

Shankar Babu Chebrolu: Created page with '==R6: Service and Data Integration == Category:OWASP Cloud ‐ 10 Project __NOTOC__ <headertabs/>'

==R6: Service and Data Integration ==

[[Category:OWASP Cloud ‐ 10 Project]]

__NOTOC__
<headertabs/>

Category:OWASP Cloud ‐ 10 Project

2009-11-16T14:15:33Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| [http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership R1 - Accountability and Data Ownership]
| Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Identity_Federation R2 - User Identity Federation]
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| R3 - Regulatory Compliance
| - Complex to Demonstrate regulatory compliance. Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)
|-
| R4 - Business Continuity and Resiliency
| - Pankaj
|-
| [http://www.owasp.org/index.php/Cloud-10_User_Privacy_and_Secondary_Usage_of_Data R5 - User Privacy and Secondary Usage of Data]
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay) - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)

|-
| [http://www.owasp.org/index.php/Cloud-10_Service_and_Data_Integration R6 - Service and Data Integration]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security R7 - Multi Tenancy and Physical Security]
| Vinay

|-
| [http://www.owasp.org/index.php/Cloud-10_Incidence_Analysis_and_Forensic_Support R8 - Incidence Analysis and Forensic Support]
| Shankar

|-
| [http://www.owasp.org/index.php/Cloud-10_Infrastructure_Security R9 - Infrastructure Security]
| -Vinay
|-
| R10 - Non Production Environment Exposure
| - Pankaj
|-
|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

* exposure to non-prod and internal environments
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Taxonomy ====

== Terms ==

== Diagrams ==

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-09T14:48:05Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| R1 - Accountability and Data Ownership in Cloud
| Pankaj
|-
| R2 - Federating User Identity
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| R3 - Privacy of Users
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay)
|-
| R4 - Secure service integration among cloud providers and consumers
| Shankar
|-
| R5 - Secondary Usage of Data by Cloud Providers
| - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)
|-
| R6 - Complex to Demonstrate Regulatory Compliance
| - Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., European Union has very strict privacy laws and hence data stored in US may not comply with those EU laws. (Shankar)

|-
| R7 - Risk of Not having Right Level of Insurance and Accountability in SLAs (Control ?? - Service Availability Risk)
| - Pankaj
|-
| R8 - Incident analysis and forensic support
| - Shankar
|-
| R9 - Business Continuity and Resiliency
| - Pankaj
|-
| R10 - Controlling exposure to non-prod and internal environments
| - Vinay
|-
| R11 - Multi Tenancy and Physical Security
| - Shankar

|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

*Service Availability Risk
*Multi-Tenancy
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-09T14:39:22Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| R1 - Accountability and Data Ownership in Cloud
| Pankaj
|-
| R2 - Federating User Identity
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| R3 - Privacy of Users
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay)
|-
| R4 - Secure service integration among cloud providers and consumers
| Shankar
|-
| R5 - Secondary Usage of Data by Cloud Providers
| - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)
|-
| R6 - Complex to Demonstrate Regulatory Compliance
| - Data that is perceived to be secure in one country may not be perceived secure in another due to different regulatory laws across countries or regions. For eg., Europen Union has very strict privacy laws. (Shankar)

|-
| R7 - Risk of Not having Right Level of Insurance and Accountability in SLAs (Control ?? - Service Availability Risk)
| - Pankaj
|-
| R8 - Incident analysis and forensic support
| - Shankar
|-
| R9 - Business Continuity and Resiliency
| - Pankaj
|-
| R10 - Controlling exposure to non-prod and internal environments
| - Vinay
|-
| R11 - Multi Tenancy and Physical Security
| - Shankar

|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

*Service Availability Risk
*Multi-Tenancy
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Category:OWASP Cloud ‐ 10 Project

2009-11-09T14:33:36Z

Shankar Babu Chebrolu: /* Initial pre-alpha list of OWASP Cloud Top 10 Security Risks */

==== Main ====

== Cloud Top 10 Security Risks ==

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud Top 10 Security Risks ==

{| cellpadding="2" border="1"
|-
| R1 - Accountability and Data Ownership in Cloud
| Pankaj
|-
| R2 - Federating User Identity
| It is very important for the enterprises to keep control over user identities as they move services and applications to the different cloud providers. Rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication (e.g. SAML) that works across the cloud providers. User experience is enhanced when he/she does not manage multiple userids and credentials. This allows easier back-end data integrations between cloud provides. (Vinay)
|-
| R3 - Privacy of Users
| User's personal data gets stored in the cloud as users start using social web sites. Most of the social sites are vague about how they will handle users personal data. Additionally most of the social sites go with the default share all (least restrictive) setup for the user. E.g. via LinkedIn, Twitter, Facebook it is very easy to deduct personal details of the users (Vinay)
|-
| R4 - Secure service integration among cloud providers and consumers
| Shankar
|-
| R5 - Secondary Usage of Data by Cloud Providers
| - Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. It includes data that can be mined directly from user data by providers or indirectly based on user behavior (clicks, incoming outgoing URLs etc.). Many social application providers mine user data for secondary usage e.g. directed advertising. No wonder when many of us use their personal gmail/hotmail or yahoo account to tell a friend your vacation plans and immediately you start seeing advertisements on hotels/flights near your destination. (Vinay)
|-
| R6 - Complex to Demonstrate Regulatory Compliance
| - Data that is perceived to be secure in one country may not be perceived secure in another country or region. For eg., Europen Union has very strict privacy laws. (Shankar)

|-
| R7 - Risk of Not having Right Level of Insurance and Accountability in SLAs (Control ?? - Service Availability Risk)
| - Pankaj
|-
| R8 - Incident analysis and forensic support
| - Shankar
|-
| R9 - Business Continuity and Resiliency
| - Pankaj
|-
| R10 - Controlling exposure to non-prod and internal environments
| - Vinay
|-
| R11 - Multi Tenancy and Physical Security
| - Shankar

|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

*Service Availability Risk
*Multi-Tenancy
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

Approach:

Criteria:
a) Easily Executable
b) Most Damaging
c) Incidence Frequency (Known)

Top 10

Normalize Verbiage
Describe

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud-10 Risks with SaaS

2009-08-17T13:38:25Z

Shankar Babu Chebrolu: Added 4 references

Potential security risks and loss of IT control topped the list of perceived barriers to SaaS adoption (Anthes, 2009). "On a list of 24 possible IT project priorities for 2009, a survey respondents ranks SaaS at No.23".

5 Risks:

1. Data Security
One company data co-mingled with other businesses' data (e.g: Salesforce.com)

2. Lack of federated identity management
Due to multiple identities of employees at multiple SaaS providers, an employee's access cannot be shut off automatically, following termination of an employee.

3. Lack of strong service level agreements (SLAs) and contracts that hold people accountable should something happen.

4. Lack of interoperability among vendors (Vendor Lock-in)
Puts companies at risk if SaaS provider goes out of business or acquired by a competitor. Switching costs could be high.

5. Web Application and Infrastructure Vulnerabilities

References:

Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).

Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).

Gartner: Seven Cloud-Computing Security Risks. http://www.cio.com/article/423713/Gartner_Seven_Cloud_Computing_Security_Risks?page=1&taxonomyId=1419

Google: Cloud computing more secure than traditional IT. http://www.computerweekly.com/Articles/2009/07/21/236982/cloud-computing-more-secure-than-traditional-it-says.htm

Top five cloud computing security issues. http://www.computerweekly.com/Articles/2009/04/24/235782/top-five-cloud-computing-security-issues.htm

Cloud Security Alliance. http://www.cloudsecurityalliance.org/guidance/csaguide.pdf

[[Category:OWASP Cloud ‐ 10 Project]]

Cloud-10 Risks with SaaS

2009-08-09T12:26:32Z

Shankar Babu Chebrolu:

Cloud-10 Risks with SaaS

2009-08-09T12:17:43Z

Shankar Babu Chebrolu:

Potential security risks and loss of IT control topped the list of perceived barriers to SaaS adoption (Anthes, 2009). "On a list of 24 possible IT project priorities for 2009, a survey respondents ranks SaaS at No.23".

5 Risks:

1. Data Security

2. Lack of federated identity management
Due to multiple identities of employees at multiple SaaS providers, an employee's access cannot be shut off automatically, following termination of an employee.

3. Lack of strong service level agreements (SLAs) and contracts that hold people accountable should something happen.

4. Lack of interoperability among vendors (Vendor Lock-in)

References:

Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).

Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).

[[Category:OWASP Cloud ‐ 10 Project]]

Cloud-10 Risks with SaaS

2009-08-09T11:53:15Z

Shankar Babu Chebrolu:

Potential security risks and loss of IT control topped the list of perceived barriers to SaaS adoption (Anthes, 2009). "On a list of 24 possible IT project priorities for 2009, a survey respondents ranks SaaS at No.23".

5 Security Risks:

1. Data Security
2. Lack of federated identity management
3.

References:

Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).

Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).

[[Category:OWASP Cloud ‐ 10 Project]]

Cloud-10 Risks with SaaS

2009-07-27T14:13:15Z

Shankar Babu Chebrolu:

Placeholder

[[Category:OWASP Cloud ‐ 10 Project]]

Cloud-10 Risks with SaaS

2009-07-27T14:11:14Z

Shankar Babu Chebrolu: Created page with 'Placeholder'

Placeholder

User:Shankar Babu Chebrolu

2009-07-27T13:23:57Z

Shankar Babu Chebrolu:

Shankar Babu Chebrolu (CISSP, GIAC) is an IT Security Architect responsible for securing web based applications in Customer Value Chain Management at Cisco Systems, working closely with Cisco Supply Chain partners, Application Service Providers, Solution Vendors and Corporate Security Programs Organization (CSPO). He has worked at Cisco for about 9 years. Shankar Babu Chebrolu has been a speaker at conferences including Siebel Customer World, Oracle Open World, Oracle Applications User Group, CA World, Triangle InfoseCon presenting in his areas of expertise: securing web applications and integrating third party security models within Cisco Enterprise. Shankar holds a Master's Degree in Computer Science from Indian Institute of Technology (IIT), Mumbai, India and he is currently pursuing his PhD in Information Technology at Capella University.