Rationalization and Defense in Depth - Two Steps Closer to the Clouds


Description

As presented by Dave Chappelle at Oracle Technology Network Architect Day in Toronto, April 21, 2011.

Transcript of Rationalization and Defense in Depth - Two Steps Closer to the Clouds

Page 1: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

OTN Architect Day Security Breakout Session

Dave Chappelle

21 April 2011

Page 2: Rationalization and Defense in Depth - Two Steps Closer to the Clouds

OTN Architect Day 2011

Page 3: Perimeter Security

Diagram: a Client in the Unprotected Zone reaches a Firewall, behind which sits the DMZ with a Web Server (app proxy); a second Firewall separates the DMZ from the Perimeter Protected Zone(s), which hold the Application Server, DB, Message Queue, and a Mainframe Application with its own DB. The outer firewall is labelled "All network traffic blocked except for specific ports"; the inner firewall "All network traffic blocked except from the proxy."

• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity
• Alone, often involves a lot of implied trust
• Modern environments don’t have such a clearly defined perimeter

Page 4: Defense in Depth

• Military defensive strategy to secure a position using multiple defense mechanisms.
• Usually multiple perimeters, each with their own fortifications
• Objective is to win the battle by attrition. The attacker may overcome some barriers but can’t sustain the attack for such a long period of time.
• Less emphasis is placed on a single perimeter wall

Photo: "Krak des Chevaliers", Syria

Page 5: Several Layers of Defense

Diagram: concentric layers, from the outside in: Policies, Procedures, & Awareness; Physical; Perimeter; Internal Network; Host; Application; Data.

Each layer introduces additional security measures.

Each layer can contain multiple levels of control.

Page 6: Defense in Depth: Greater Control

Layers: Policies & Procedures; Physical; Perimeter; Internal Network; Host; Application / Service; Data.

Consistent set of policies & procedures

Many enforcement points
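As an added illustration of pages 3 to 6 (this is not code from the deck), the Python below models a request passing through several of the layers shown: policies, perimeter, internal network, application and data. Every layer is a separate enforcement point evaluated under one consistent policy set, the chain fails closed, and each decision is recorded so an auditor can see which layer allowed or refused what. The port allowlist, proxy address, ACL, clearance levels and sample requests are constructed for the example. Evaluating the perimeter alone is included to show the "implied trust" point from page 3: a request that never passed through the DMZ proxy is accepted by the perimeter check but refused by the internal network layer.

```python
"""Defense in depth as a chain of enforcement points (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: str      # originating client
    src_ip: str         # immediate upstream hop as seen by the application host
    dst_port: int       # port the request arrived on
    user: str           # authenticated principal, "" if anonymous
    roles: frozenset    # roles granted to the principal
    action: str         # "read" or "write"
    resource: str       # logical resource name
    clearance: int      # principal's clearance level
    data_label: int     # classification label of the data touched


Decision = Tuple[bool, str]                        # (allowed, reason)
Layer = Tuple[str, Callable[[Request], Decision]]

# Constructed policy data, not taken from the deck.
PERIMETER_OPEN_PORTS = {443}                       # outer firewall: specific ports only
DMZ_PROXY_IPS = {"10.0.1.10"}                      # inner firewall: only the DMZ proxy
APP_ACL = {                                        # resource -> action -> roles
    "finance/payroll": {"read": {"finance", "auditor"}, "write": {"finance"}},
    "sales/leads": {"read": {"sales"}, "write": {"sales"}},
}


def policy_layer(req: Request) -> Decision:
    if not req.user:
        return False, "policy: anonymous access is not permitted"
    return True, "policy: principal is authenticated"


def perimeter_layer(req: Request) -> Decision:
    if req.dst_port not in PERIMETER_OPEN_PORTS:
        return False, f"perimeter: port {req.dst_port} is not open"
    return True, f"perimeter: port {req.dst_port} is open"


def internal_network_layer(req: Request) -> Decision:
    if req.src_ip not in DMZ_PROXY_IPS:
        return False, f"internal network: {req.src_ip} is not the DMZ proxy"
    return True, "internal network: request arrived via the DMZ proxy"


def application_layer(req: Request) -> Decision:
    allowed = APP_ACL.get(req.resource, {}).get(req.action, set())
    if req.roles.isdisjoint(allowed):
        return False, f"application: no role grants {req.action} on {req.resource}"
    return True, f"application: role grants {req.action} on {req.resource}"


def data_layer(req: Request) -> Decision:
    if req.clearance < req.data_label:
        return False, f"data: clearance {req.clearance} is below label {req.data_label}"
    return True, "data: clearance satisfies the classification label"


LAYERS: List[Layer] = [
    ("policies & procedures", policy_layer),
    ("perimeter", perimeter_layer),
    ("internal network", internal_network_layer),
    ("application", application_layer),
    ("data", data_layer),
]


def evaluate(req: Request, layers: List[Layer] = LAYERS):
    """Fail closed: every layer must allow. The trail is the audit record of each decision."""
    trail = []
    for name, check in layers:
        ok, reason = check(req)
        trail.append((name, ok, reason))
        if not ok:
            return False, trail
    return True, trail


def perimeter_only(req: Request):
    """What a single-perimeter design sees: the outer firewall and nothing else."""
    return evaluate(req, [("perimeter", perimeter_layer)])


# Constructed sample requests.
VIA_PROXY = Request("198.51.100.7", "10.0.1.10", 443, "alice",
                    frozenset({"finance"}), "read", "finance/payroll", 3, 2)
BYPASS_PROXY = Request("198.51.100.7", "10.0.5.23", 443, "alice",
                       frozenset({"finance"}), "read", "finance/payroll", 3, 2)
LOW_CLEARANCE = Request("198.51.100.7", "10.0.1.10", 443, "carol",
                        frozenset({"auditor"}), "read", "finance/payroll", 1, 2)

if __name__ == "__main__":
    for label, req in [("via proxy", VIA_PROXY), ("bypass proxy", BYPASS_PROXY),
                       ("low clearance", LOW_CLEARANCE)]:
        allowed, trail = evaluate(req)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
        for name, ok, reason in trail:
            print(f"  [{name}] {'ok  ' if ok else 'FAIL'} {reason}")
```

The trail is the part worth keeping in a real system: when the same policy set is enforced at many points, the audit record tells you which layer actually stopped a request, which is what makes the "many enforcement points" approach checkable rather than just hopeful.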

Page 7: Security Silos

Diagram: three application silos (Finance, Sales, Support), each with its own security. An End User, a Security Administrator and a Security Auditor each have to deal with every silo separately (the slide marks the first two with "!" and the auditor with "?").

• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible

Page 8: Security Framework

Diagram: the same Finance, Sales and Support applications now share one Security Framework, through which the End User, Security Administrator and Security Auditor interact.

• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration operator-centric, not system-centric
• Auditing is possible and realistic

Page 9: Security Framework High Level Architecture

Solution Platforms:
• Provide a secure run-time environment
• Offer security services to business logic
• Allow solution-level security admin

Database Platforms:
• Provide confidentiality, integrity, and availability for information management
• Allow db-level security administration

Security Framework:
• Provide shared security services
• Manage security data for the enterprise
• Allow enterprise-level security admin

Security Interfaces:
• Provide consistent access to security services
• Embrace open, common industry standards

Diagram: Enterprise Security Framework. At the top, the Business Solution Platforms (Applications, Business Processes, Services, Databases, etc.) consist of the Solution Platform (Business Logic, Security Services, Development & Administration) and Data Management (Information, Security Services, Design & Administration). Beneath them the Security Framework provides Shared Security Services, Security Management & Administration, and Enterprise Security Information, exposed through the Security Interfaces.

Page 10: Platform Security Plug-in Framework

Diagram: a Client sends Inbound Requests to a Container-Based Computing Platform. Inside the container, the Protected Resources (Business Logic, Web Pages) are fronted by the Container Security Services (Authentication, Authorization, Auditing, Encryption, Credential Mapping, Role Mapping, …), which reach the Security Providers through Standard Security APIs & Libraries.

• Container enforces security on behalf of the protected resources
• Access to security services via standard APIs & libraries
• Plug-in framework allows one to configure multiple providers for each security service
• Providers may be selected and configured based on the needs of the solution
• Providers can be included with the platform or custom written for a specific purpose
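The following is an added example, not code from the deck or from any vendor's container, of the plug-in pattern on page 10: one authentication service, several providers behind it, each configured with a control flag. The flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) are borrowed from JAAS login-module configuration, which is the convention Java container platforms use for stacking authentication providers; the password store, the account-status provider and the two chains are constructed. The second chain is there to show why provider order and flags need review as carefully as the providers themselves: marking the password provider SUFFICIENT ahead of a REQUIRED status provider means a disabled account is never checked, and a wrong password is forgiven whenever the status provider succeeds.

```python
"""Container-side authentication service with pluggable providers (added example)."""
import hashlib
import hmac
import os
from enum import Enum
from typing import List, Tuple


class Flag(Enum):
    REQUIRED = "required"      # must succeed; the chain continues either way
    REQUISITE = "requisite"    # must succeed; a failure stops the chain at once
    SUFFICIENT = "sufficient"  # a success stops the chain unless an earlier REQUIRED/REQUISITE failed
    OPTIONAL = "optional"      # only counts when no REQUIRED/REQUISITE provider is configured


ITERATIONS = 10_000  # kept low for the example; real deployments use far more


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordProvider:
    """Verifies a password against a salted PBKDF2 hash (constructed user store)."""
    name = "password"

    def __init__(self, credentials):
        # plaintext is accepted only here, to build the store; only salt + hash are kept
        self._store = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, _derive(pw, salt))

    def authenticate(self, user: str, password: str) -> bool:
        entry = self._store.get(user)
        if entry is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(password, salt), expected)


class AccountStatusProvider:
    """Refuses disabled or locked-out accounts regardless of the password offered."""
    name = "account-status"
    LOCKOUT_THRESHOLD = 5

    def __init__(self, status):
        self._status = status  # {user: {"enabled": bool, "failed_attempts": int}}

    def authenticate(self, user: str, password: str) -> bool:
        s = self._status.get(user)
        return bool(s and s["enabled"] and s["failed_attempts"] < self.LOCKOUT_THRESHOLD)


class AuthenticationService:
    """The container's authentication service: a configured chain of (provider, flag)."""

    def __init__(self, chain: List[Tuple[object, Flag]]):
        self.chain = chain

    def authenticate(self, user: str, password: str):
        """Returns (success, audit_trail) using JAAS-style control-flag semantics."""
        trail = []
        mandatory_failed = False
        any_success = False
        has_mandatory = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f in self.chain)
        for provider, flag in self.chain:
            ok = provider.authenticate(user, password)
            trail.append((provider.name, flag.value, ok))
            if ok:
                any_success = True
                if flag is Flag.SUFFICIENT and not mandatory_failed:
                    break                      # short-circuit: later providers never run
            elif flag is Flag.REQUISITE:
                mandatory_failed = True
                break                          # stop immediately
            elif flag is Flag.REQUIRED:
                mandatory_failed = True        # keep going, but the outcome is already failure
        if mandatory_failed:
            return False, trail
        return (True if has_mandatory else any_success), trail


# Constructed users: bob's account has been disabled by an administrator.
PASSWORDS = PasswordProvider({"alice": "correct horse battery staple", "bob": "hunter2"})
STATUS = AccountStatusProvider({
    "alice": {"enabled": True, "failed_attempts": 0},
    "bob": {"enabled": False, "failed_attempts": 0},
})

# Status is checked first and is REQUISITE, so a disabled account stops the chain.
SAFE_CHAIN = AuthenticationService([(STATUS, Flag.REQUISITE), (PASSWORDS, Flag.REQUIRED)])
# Misconfigured: a SUFFICIENT password success skips the status provider entirely.
SHORT_CIRCUIT_CHAIN = AuthenticationService([(PASSWORDS, Flag.SUFFICIENT), (STATUS, Flag.REQUIRED)])

if __name__ == "__main__":
    for label, chain in [("safe", SAFE_CHAIN), ("short-circuit", SHORT_CIRCUIT_CHAIN)]:
        for user, pw in [("alice", "correct horse battery staple"), ("bob", "hunter2")]:
            ok, trail = chain.authenticate(user, pw)
            print(f"{label:14} {user:6} -> {ok}  {trail}")
```

The audit trail returned with each decision is what the auditor on page 8 needs: it shows which providers actually ran, which is the only way to notice that a provider configured as REQUIRED was never reached.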

Page 11: Database Platform Security

Diagram: the Data Management platform, with Security Services and Design & Administration surrounding the Information store.

Information
• Transactional
• Historical
• Unstructured
• Audit
• Security

Administrative
• Access Control
• SoD Rules & Controls
• Realms
• Auditing

Encryption
• Network
• Persistence
• Backup
• Dev & Test Masking

Access Control
• Multi-Factor AuthN
• Label Security
• Table Policies
• Connection Id

Auditing
• Central collection & control
• Local online archive

Firewall
• SQL inspection & rejection
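An added example (not the deck's code, nor any vendor's product) of the "SQL inspection & rejection" item above: a database firewall that learns the shape of the statements the application is known to issue and rejects anything whose shape it has not seen, which makes it an allowlist rather than a signature list. The normaliser, the learned statements and the sample traffic are constructed; a real product tokenises SQL properly rather than using regular expressions, and usually runs in an alert-only mode first while the allowlist is tuned.

```python
"""Allowlist-based SQL inspection (added example with constructed statements)."""
import re
from typing import Set, Tuple

# Simplified normaliser: a real database firewall tokenises SQL with a proper parser.
_STRING = re.compile(r"'(?:[^']|'')*'")             # single-quoted literal, '' escapes a quote
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)  # line and block comments
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")           # integer or decimal literal
_OPERATOR = re.compile(r"\s*([=<>,()])\s*")          # uniform spacing around punctuation
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', layout differences vanish."""
    s = _STRING.sub("?", sql)        # literals first, so their contents are never interpreted
    s = _COMMENT.sub(" ", s)
    s = _NUMBER.sub("?", s)
    s = _OPERATOR.sub(r" \1 ", s)
    s = _WS.sub(" ", s).strip()
    return s.rstrip(";").strip().lower()


def learn(statements) -> Set[str]:
    """Learning mode: record the shapes of statements the application is known to issue."""
    return {fingerprint(stmt) for stmt in statements}


def inspect(sql: str, allowlist: Set[str], mode: str = "block") -> Tuple[str, str]:
    """Return ("allow" | "reject" | "alert", fingerprint).

    Unknown shapes are rejected in block mode; alert mode only reports them, which is
    how a freshly learned allowlist is normally validated before enforcement is turned on.
    """
    fp = fingerprint(sql)
    if fp in allowlist:
        return "allow", fp
    return ("reject" if mode == "block" else "alert"), fp


# Constructed: statements captured from the application during learning mode.
KNOWN_STATEMENTS = [
    "SELECT name, balance FROM accounts WHERE id = 1001",
    "UPDATE accounts SET balance = 250.00 WHERE id = 1001",
    "INSERT INTO audit_log (actor, action) VALUES ('alice', 'login')",
]
ALLOWLIST = learn(KNOWN_STATEMENTS)

# Constructed: traffic seen once enforcement is on.
SAMPLE_TRAFFIC = [
    "select name,balance from accounts where id=7 -- ticket 12",   # same shape, different layout
    "SELECT name, balance FROM accounts WHERE id = 42 OR 1=1",     # extra predicate changes the shape
    "SELECT * FROM accounts",                                      # harmless-looking, but never learned
]

if __name__ == "__main__":
    for sql in SAMPLE_TRAFFIC:
        verdict, fp = inspect(sql, ALLOWLIST)
        print(f"{verdict:6} {fp}")
```

Because the decision is made on statement shape, an unexpected predicate or an unlearned query is refused even though nothing in it matches a known bad pattern; the cost is that every legitimate new statement the application starts issuing has to be learned first, which is why the alert mode matters.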

Page 12: Security Framework

Services: Federation, Authentication, Authorization, WSS Policy, Key Mgmt, Self Service, SSO, Attribute, Audit

Security Information: Users & Identity, Federated Identities, Groups & Roles, Access Policies, WSS Policies, Audit Logs, Certs & Keys

Administration & Management:

Identity Management
• UIs & APIs
• Approval Workflows
• Provisioning Workflows
• System Integration

Directory Management
• Synchronization
• Virtualization
• Change Detection & Alerts
• Reconciliation

Governance
• Attestation
• Risk Analysis
• Reporting
• Auditing

Key Management

Authentication Policy Management

Access Policy Management

Role Management

Page 13: SOA Scenario

Diagram: a Policy Manager governs the WSS (web services security) agents across the environment. Inside the enterprise, a Service Consumer on one App Server (WSS Agent, Platform Security, Id, CM) calls a Service Provider on another App Server (WSS Agent, Platform Security, Id, AAA). An External Consumer outside the DMZ/Firewalls reaches a WSS Gateway, behind which a Mediation component (with its own WSS Agent and Platform Security) fronts a Legacy Service Provider. A Security Token Service and the shared AuthN Service, AuthZ Service and Audit Service, backed by a DB, complete the picture.

Page 14: Jumping to Cloud

Before You Leap…

Page 15: (Some of) The Good…

• Cloud providers have a deep vested interest in security
  • Must prove themselves to the market
  • Often much greater investment and attention to detail than traditional IT
• Cloud homogeneity makes security auditing/testing simpler
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Data held by an unbiased party

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 16: …The Bad…

• Multi-tenancy; need for isolation management
• High value target for hackers
• Fragmentation; creation of more silos
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
  • Exposure of data to foreign government and data subpoenas
  • Data retention issues

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 18: Recommendations

1. Assess your risks
2. Classify your information
3. Define policies and procedures
4. Maintain most sensitive data in house
5. Don’t outsource your security management
6. Follow a security architecture / roadmap
7. Include patterns for cloud computing
8. Choose a secure platform

Page 19: Takeaways (Cloud or not)

Deploy Defense in Depth
• Good general strategy to protect highly distributed systems (SOA, BPM, Cloud, etc.)
• Limit your risks

Consolidate your resources
• Standardized frameworks, services, & technologies
• Implement processes & policies

Plan Ahead
• Classification strategy: know your systems & data
• Cloud strategy: know your options & vendors
• Risk management: choose wisely & CYA

Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies

Page 20: Rationalization and Defense in Depth - Two Steps Closer to the Clouds