rationalization and defense in depth - two steps closer to the cloud

OTN Architect Day Security Breakout Session, Dave Chappelle, 24 October 2011

Upload: bob-rhubart

Post on 04-Dec-2014


DESCRIPTION

Security represents one of the biggest concerns about cloud computing. In this session we’ll get past the FUD with a real-world look at some key issues. We’ll discuss the infrastructure necessary to support rationalization and security services, explore architecture for defense in depth, and deal frankly with the good, the bad, and the ugly in Cloud security. (As presented by Dave Chappelle at OTN Architect Day in Chicago, October 24, 2011.)

TRANSCRIPT

Page 1: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

OTN Architect Day Security Breakout Session

Dave Chappelle

24 October 2011

Page 2: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Rationalization and Defense in Depth - Two Steps Closer to the Clouds

OTN Architect Day 2011

Page 3: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Perimeter Security

[Diagram: Client in the Unprotected Zone -> Firewall -> Web Server (app proxy) in the DMZ -> Firewall -> Protected Zone(s) holding Application Server, DB, Message Queue, and a Mainframe Application with its own DB. Outer firewall: all network traffic blocked except for specific ports. Inner firewall: all network traffic blocked except from the proxy.]

• Can establish multiple perimeters
• Each perimeter can be more restrictive
• Perimeters can be at varying degrees of granularity
• Alone, often involves a lot of implied trust
• Modern environments don’t have such a clearly defined perimeter

Page 4: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Defense in Depth

• Military defensive strategy to secure a position using multiple defense mechanisms.
• Less emphasis is placed on a single perimeter wall
• Several barriers and different types of fortifications
• Objective is to win the battle by attrition. The attacker may overcome some barriers but can’t sustain the attack for such a long period of time.

[Photo: "Krak des Chevaliers", Syria]

Page 5: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Several Layers of Defense

[Diagram: concentric layers, outermost to innermost: Policies, Procedures, & Awareness; Physical; Perimeter; Internal Network; Host; Application; Data]

Each layer introduces additional security measures

Each layer can contain multiple levels of control

Page 6: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Defense in Depth: Greater Control

[Diagram: the same layers, Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application / Service, Data, each with its own enforcement point]

Consistent set of policies & procedures

Many enforcement points
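Perimeter alone versus many enforcement points, as an added Python example (not from the presentation): one request is judged first by the perimeter only, then by every layer on the slide that applies to a network request (perimeter, host, application, data). It shows what the slide means by implied trust: once the proxy in the DMZ is in an attacker's hands, the perimeter model lets it through because the inner firewall trusts the proxy, while the application and data layers still refuse. Zone and host names, ports, roles, clearances and labels are assumptions made for the example.

```python
"""Perimeter-only versus defense-in-depth policy evaluation.

Added example, not from the slides. Models the two-firewall perimeter and the
layers behind it (host, application, data) as independent checks on one
request. Zones, host names, ports, roles, clearances and labels are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Request:
    src_zone: str                    # "internet", "dmz" or "internal"
    src_host: str
    dst_host: str
    dst_port: int
    principal: Optional[str] = None  # authenticated user; None when unauthenticated
    data_label: str = "public"       # classification of the data the request touches


ZONE_OF = {"client": "internet", "proxy-1": "dmz", "app-1": "internal", "db-1": "internal"}

# Perimeter layer, the slide's two firewalls: the outer one admits only specific
# ports into the DMZ, the inner one admits only connections from the proxy.
OUTER_ALLOW = {("proxy-1", 443)}              # (dst_host, dst_port) reachable from the internet
INNER_ALLOW = {("proxy-1", "app-1", 8443)}    # (src_host, dst_host, dst_port) from DMZ inward

# Inner layers: host firewall, application authN/authZ, data labels.
HOST_LISTEN = {"proxy-1": {443}, "app-1": {8443}, "db-1": {1521}}
APP_REQUIRED_ROLE = {"app-1": "finance", "db-1": "dba"}   # role needed to use the service
ROLES = {"alice": {"finance"}, "bob": {"sales"}, "svc-app": {"dba"}}
CLEARANCE = {"alice": 2, "bob": 1, "svc-app": 2}          # highest label a principal may read
LABEL_LEVEL = {"public": 0, "internal": 1, "confidential": 2}


def perimeter_layer(req: Request) -> bool:
    if req.src_zone == "internet":
        return (req.dst_host, req.dst_port) in OUTER_ALLOW
    if req.src_zone == "dmz" and ZONE_OF[req.dst_host] == "internal":
        return (req.src_host, req.dst_host, req.dst_port) in INNER_ALLOW
    return True   # internal-to-internal: no perimeter control at all, i.e. implied trust


def host_layer(req: Request) -> bool:
    return req.dst_port in HOST_LISTEN.get(req.dst_host, set())


def application_layer(req: Request) -> bool:
    needed = APP_REQUIRED_ROLE.get(req.dst_host)
    if needed is None:
        return True
    return req.principal is not None and needed in ROLES.get(req.principal, set())


def data_layer(req: Request) -> bool:
    clearance = CLEARANCE.get(req.principal, 0) if req.principal else 0
    return LABEL_LEVEL[req.data_label] <= clearance


def perimeter_only(req: Request) -> bool:
    """The 'perimeter alone' model: one decision point, then trust."""
    return perimeter_layer(req)


def defense_in_depth(req: Request) -> Dict[str, bool]:
    """Every layer is its own enforcement point; the request passes only if all agree."""
    verdicts = {
        "perimeter": perimeter_layer(req),
        "host": host_layer(req),
        "application": application_layer(req),
        "data": data_layer(req),
    }
    verdicts["allowed"] = all(verdicts.values())
    return verdicts


if __name__ == "__main__":
    # The DMZ proxy has been taken over; the attacker connects inward with no user session.
    hijacked = Request("dmz", "proxy-1", "app-1", 8443, principal=None, data_label="confidential")
    print("perimeter only  :", perimeter_only(hijacked))     # the inner firewall trusts the proxy
    print("defense in depth:", defense_in_depth(hijacked))   # application and data layers refuse
```

The point of the `defense_in_depth` verdict dictionary is that each layer is evaluated regardless of the others: a compromised perimeter does not short-circuit the application or data check, which is exactly the property a single perimeter cannot give.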

Page 7: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Security Silos

[Diagram: Finance, Sales and Support applications, each with its own security; an End User, a Security Administrator and a Security Auditor each facing all three separately]

• Application silos with their own standalone security architecture
• Integration is hard enough without security
• End users have many logins & passwords
• Administration is time-consuming and error-prone
• Auditing is inaccurate and/or impossible

Page 8: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Security Framework

[Diagram: Finance, Sales and Support applications sharing one Security Framework; End User, Security Administrator and Security Auditor each interact with the framework rather than with each application]

• Security is part of the foundation, not an inconvenient afterthought
• Users have one identity and a set of roles & attributes that govern access
• Administration operator-centric, not system-centric
• Auditing is possible and realistic

Page 9: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Enterprise Security Framework

Security Framework High Level Architecture

[Diagram: Information Processing (Business Logic over Security Services, with Development & Administration alongside) and Information Management (Information over Security Services, with Design & Administration alongside) both rest on the Security Framework, which supplies Shared Security Services, Security Management & Administration and Enterprise Security Information through a layer of Security Interfaces.]

Information Processing:
• Provides a secure run-time environment
• Offers security services to business logic
• Allows solution-level security admin

Information Management:
• Provides confidentiality, integrity, and availability for information management
• Allows db-level security administration

Security Framework:
• Provides shared security services
• Manages security data for the enterprise
• Allows enterprise-level security admin

Security Interfaces:
• Provide consistent access to security services
• Embrace open, common industry standards

Page 10: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Platform Security Plug-in Framework

[Diagram: Client sends Inbound Requests to the Container, which fronts the Protected Resources (Business Logic, Web Pages). The Container reaches the Security Services (Authentication, Authorization, Auditing, Encryption, Credential Mapping, Role Mapping, …) through Standard Security APIs & Libraries; each service is backed by one or more Security Providers.]

Container-Based Computing Platform

• Container enforces security on behalf of the protected resources
• Access to security services via standard APIs & libraries
• Plug-in framework allows one to configure multiple providers for each security service
• Providers may be selected and configured based on the needs of the solution
• Providers can be included with the platform or custom written for a specific purpose
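The container and plug-in model on this slide, and the "one identity, roles & attributes govern access" point of the Security Framework slide, as an added Python example (not from the presentation or from any particular platform): every security service is a list of providers with one standard call shape, and the container runs them on every request so the business logic never handles credentials. Two authentication providers share one service (first to vouch wins), two authorization providers share another (all must agree), and one of them is the kind of small custom provider the slide describes. Provider implementations, users, the API key, roles and the `ledger` resource are assumptions for illustration.

```python
"""Container-enforced security with pluggable providers.

Added example, not from the slides. Each security service (authentication,
role mapping, authorization, audit) is a list of providers with one standard
call signature; the container, not the business logic, runs them on every
request. Provider implementations, users, the API key, roles and the 'ledger'
resource are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    name: str
    roles: Set[str]


Authenticator = Callable[[dict], Optional[str]]          # credentials -> principal or None
RoleMapper = Callable[[str], Set[str]]                   # principal -> roles
Authorizer = Callable[[Subject, str, str], bool]         # (subject, resource, action) -> permit?
Auditor = Callable[[dict], None]                         # event -> recorded somewhere


def password_authenticator(users: Dict[str, str]) -> Authenticator:
    """Platform-supplied provider: salted PBKDF2 hashes kept in memory."""
    def derive(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in users.items():                       # plaintext only to seed the demo store
        salt = os.urandom(16)
        store[user] = (salt, derive(pw, salt))

    def authenticate(credentials: dict) -> Optional[str]:
        user, pw = credentials.get("user"), credentials.get("password")
        if user not in store or pw is None:
            return None
        salt, digest = store[user]
        return user if hmac.compare_digest(derive(pw, salt), digest) else None
    return authenticate


def api_key_authenticator(keys: Dict[str, str]) -> Authenticator:
    """Second provider for the same service: service accounts present an API key."""
    by_hash = {hashlib.sha256(k.encode()).digest(): p for k, p in keys.items()}

    def authenticate(credentials: dict) -> Optional[str]:
        key = credentials.get("api_key")
        return None if key is None else by_hash.get(hashlib.sha256(key.encode()).digest())
    return authenticate


def static_role_mapper(roles: Dict[str, Set[str]]) -> RoleMapper:
    """Role-mapping provider (a directory group lookup in real deployments)."""
    return lambda principal: set(roles.get(principal, set()))


def rbac_authorizer(grants: Dict[str, Set[Tuple[str, str]]]) -> Authorizer:
    """Authorization provider: role -> permitted (resource, action) pairs."""
    return lambda subject, resource, action: any(
        (resource, action) in grants.get(r, set()) for r in subject.roles)


def change_freeze_authorizer(frozen: bool) -> Authorizer:
    """Custom provider written for one purpose: no writes while a freeze is on."""
    return lambda subject, resource, action: not (frozen and action == "write")


class SecurityContainer:
    """Enforces security on behalf of the protected resource."""

    def __init__(self, authenticators: List[Authenticator], role_mappers: List[RoleMapper],
                 authorizers: List[Authorizer], auditors: List[Auditor]):
        self.authenticators, self.role_mappers = authenticators, role_mappers
        self.authorizers, self.auditors = authorizers, auditors

    def _audit(self, **event) -> None:
        for auditor in self.auditors:
            auditor(dict(event))

    def invoke(self, credentials: dict, resource: str, action: str, business_logic: Callable):
        principal = None
        for provider in self.authenticators:             # first provider that vouches wins
            principal = provider(credentials)
            if principal:
                break
        if principal is None:
            self._audit(outcome="denied", reason="authentication", resource=resource, action=action)
            raise PermissionError("authentication failed")
        subject = Subject(principal, set().union(*(m(principal) for m in self.role_mappers)))
        if not all(z(subject, resource, action) for z in self.authorizers):  # all must agree
            self._audit(outcome="denied", reason="authorization", principal=principal,
                        resource=resource, action=action)
            raise PermissionError("access denied")
        self._audit(outcome="allowed", principal=principal, resource=resource, action=action)
        return business_logic(subject)                   # business logic never sees credentials


def build_demo(frozen: bool = False) -> Tuple[SecurityContainer, List[dict]]:
    """Wire providers the way a deployment descriptor would; returns container and audit log."""
    log: List[dict] = []
    container = SecurityContainer(
        authenticators=[password_authenticator({"alice": "correct horse battery"}),
                        api_key_authenticator({"k-report-001": "svc-report"})],
        role_mappers=[static_role_mapper({"alice": {"finance"}, "svc-report": {"reader"}})],
        authorizers=[rbac_authorizer({"finance": {("ledger", "read"), ("ledger", "write")},
                                      "reader": {("ledger", "read")}}),
                     change_freeze_authorizer(frozen)],
        auditors=[log.append])
    return container, log
```

Swapping the password provider for a directory-backed one, or adding a second auditor that ships events to a central store, changes only `build_demo`; the protected resource and the container's `invoke` stay the same, which is the separation the slide is after.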

Page 11: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Database Platform Security

[Diagram: Information Management, with Security Services alongside Design & Administration, over the Information tier]

Information
• Transactional
• Historical
• Unstructured
• Audit
• Security

Administrative
• Access Control
• SoD Rules & Controls
• Realms
• Auditing

Encryption & Masking
• Network
• Persistence
• Backup
• Dev & Test Masking

Access Control
• Multi-Factor AuthN
• Label Security
• Table Policies
• Connection Id

Auditing & Availability
• Central collection & control
• Local online archive

Firewall
• SQL inspection & rejection
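Two items from this slide, "SQL inspection & rejection" and "Dev & Test Masking", as an added Python example (not from the presentation or from any vendor's product). The firewall reduces each statement to a fingerprint (literals replaced, comments and whitespace dropped, case folded) and, in block mode, rejects any statement whose fingerprint was not learned from the known-good application workload; an injected tautology, a stacked statement or a UNION changes the shape and is refused even though every literal value would have been accepted. The masking function gives a deterministic pseudonym so test data still joins across tables without carrying real addresses. The known-good statements, sample queries and masking key are constructed for the example.

```python
"""Database firewall: SQL inspection & rejection, plus dev/test masking.

Added example, not from the slides. The statement allowlist, the sample
statements and the masking key are constructed for illustration.
"""
import hashlib
import hmac
import re

_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_$.]*)
  | (?P<op><>|<=|>=|!=|\|\||:=|.)
""", re.VERBOSE | re.DOTALL)


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', comments and
    whitespace disappear, keywords and identifiers are upper-cased. Bind
    placeholders ('?') therefore fingerprint the same as literal values."""
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("ws", "comment"):
            continue
        if kind in ("string", "number"):
            parts.append("?")
        else:
            parts.append(m.group().upper() if kind == "word" else m.group())
    return " ".join(parts)


class SqlFirewall:
    """Sits between application and database. Statements whose fingerprint was
    not learned from the known-good workload are rejected in 'block' mode and
    only logged in 'monitor' mode."""

    def __init__(self, known_good, mode: str = "block"):
        self.allow = {fingerprint(s) for s in known_good}
        self.mode = mode
        self.log = []

    def inspect(self, sql: str, client: str) -> bool:
        fp = fingerprint(sql)
        ok = fp in self.allow
        self.log.append({"client": client, "fingerprint": fp, "allowed": ok or self.mode == "monitor"})
        if not ok and self.mode == "block":
            raise PermissionError(f"rejected statement from {client}: {fp}")
        return ok


def mask_email(email: str, key: bytes) -> str:
    """Dev & test masking: a deterministic pseudonym so joins across tables
    still work, while the real address never leaves production. The key stays
    in production only (assumed here as a constant for the example)."""
    local, _, _domain = email.partition("@")
    tag = hmac.new(key, local.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"user-{tag}@example.test"


# Known-good workload, as captured from the application during a learning phase (constructed).
KNOWN_GOOD = [
    "SELECT id, name, email FROM customers WHERE id = ?",
    "UPDATE customers SET email = ? WHERE id = ?",
    "SELECT COUNT(*) FROM orders WHERE customer_id = ? AND placed_on >= ?",
]

if __name__ == "__main__":
    fw = SqlFirewall(KNOWN_GOOD)
    fw.inspect("select id, name, email from customers where id = 42", "app-1")
    try:
        fw.inspect("SELECT id, name, email FROM customers WHERE id = 42 OR 1=1", "app-1")
    except PermissionError as err:
        print(err)
```

Run the firewall in monitor mode first against production traffic; every `allowed: True` entry in the log with a fingerprint outside the allowlist is either a statement the learning phase missed or an attack, and both need a human before switching to block mode.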

Page 12: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Security Framework

Services: Federation, Authentication, Authorization, WSS Policy, Key Mgmt, Self Service, SSO, Attribute, Audit

Security Information: Users & Identity, Federated Identities, Groups & Roles, Access Policies, WSS Policies, Audit Logs, Certs & Keys

Administration & Management:

Identity Management
• UIs & APIs
• Approval Workflows
• Provisioning Workflows
• System Integration

Directory Management
• Synchronization
• Virtualization
• Change Detection & Alerts
• Reconciliation

Governance
• Attestation
• Risk Analysis
• Reporting
• Auditing

Key Management

Authentication Policy Management

Access Policy Management

Role Management
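The Reconciliation item under Directory Management and the Attestation item under Governance, as an added Python example (not from the presentation or any identity product): the authoritative identity source is compared with the accounts actually present in one target application to surface orphan accounts, leavers still enabled, roles granted outside the approval workflow, and active people with no account; the same data is then grouped by owning manager for an attestation campaign. The identities, accounts, roles and managers are a constructed sample.

```python
"""Directory reconciliation and attestation.

Added example, not from the slides: compares the authoritative identity source
(the HR feed or enterprise identity store) with the accounts actually present
in one target system, and produces the exceptions an administrator must act on
plus the items each manager must attest. Identities, accounts, roles and
managers below are a constructed sample.
"""
from typing import Dict, List

# Authoritative source: who should exist, whether still active, who owns the
# identity, and which roles the approval workflow actually granted.
SOURCE: Dict[str, dict] = {
    "alice": {"status": "active", "manager": "carol", "approved_roles": {"finance_ro"}},
    "bob": {"status": "active", "manager": "carol", "approved_roles": {"sales_rw"}},
    "dave": {"status": "terminated", "manager": "erin", "approved_roles": set()},
    "frank": {"status": "active", "manager": "erin", "approved_roles": {"support_ro"}},
}

# Accounts read back from the target application (constructed sample).
TARGET: List[dict] = [
    {"login": "alice", "enabled": True, "roles": {"finance_ro", "finance_admin"}},  # extra role
    {"login": "bob", "enabled": True, "roles": {"sales_rw"}},
    {"login": "dave", "enabled": True, "roles": {"finance_admin"}},                 # leaver still enabled
    {"login": "svc_backup", "enabled": True, "roles": {"dba"}},                     # no owner in source
]


def reconcile(source: Dict[str, dict], target: List[dict]) -> Dict[str, list]:
    """Return the exception classes that reconciliation should raise as alerts."""
    report = {"orphans": [], "leavers_enabled": [], "entitlement_drift": [], "missing": []}
    logins = set()
    for acct in target:
        login = acct["login"]
        logins.add(login)
        ident = source.get(login)
        if ident is None:
            report["orphans"].append(login)                 # account nobody owns
            continue
        if ident["status"] != "active":
            if acct["enabled"]:
                report["leavers_enabled"].append(login)     # deprovisioning failed
            continue
        extra = acct["roles"] - ident["approved_roles"]
        if extra:
            report["entitlement_drift"].append((login, sorted(extra)))  # granted outside workflow
    for uid, ident in source.items():
        if ident["status"] == "active" and uid not in logins:
            report["missing"].append(uid)                   # provisioning never completed
    return report


def attestation_items(source: Dict[str, dict], target: List[dict]) -> Dict[str, list]:
    """Group live accounts by owning manager so each can certify (or revoke) them."""
    by_manager: Dict[str, list] = {}
    for acct in target:
        ident = source.get(acct["login"])
        owner = ident["manager"] if ident else "UNOWNED"
        by_manager.setdefault(owner, []).append((acct["login"], sorted(acct["roles"])))
    return by_manager


if __name__ == "__main__":
    for kind, items in reconcile(SOURCE, TARGET).items():
        print(f"{kind:18} {items}")
    for manager, items in attestation_items(SOURCE, TARGET).items():
        print(f"attest by {manager}: {items}")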

Page 13: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

SOA Scenario

[Diagram labels: Policy Manager; App Server (Service Consumer, WSS Agent, Platform Security, Id CM); App Server (Service Provider, WSS Agent, Platform Security, Id AAA); DMZ Firewalls; WSS Gateway; External Consumer; Legacy Service Provider; Security Token Service; Mediation (WSS Agent, Platform Security); AuthN Service; AuthZ Service; Audit Service; DB]

Page 14: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Jumping to Cloud

Before You Leap…

Page 15: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

(Some of) The Good…

• Cloud providers have a deep vested interest in security
  • Must prove themselves to the market
  • Often much greater investment and attention to detail than traditional IT
• Cloud homogeneity makes security auditing/testing simpler
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Data held by an unbiased party

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 16: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

…The Bad…

• Multi-tenancy; need for isolation management
• High value target for hackers
• Fragmentation; creation of more silos
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
• Exposure of data to foreign government and data subpoenas
• Data retention issues

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Page 18: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

SaaS Patterns

[Diagram labels, grouped per provider as extracted: Provider A (Authentication, Authorization, Access Policy Management, Identity Management); Provider B (Authorization, Access Policy Management; SAML carrying user id & attributes); Provider C (Authorization, Access Policy Management, Identity Management; SPML, and SAML carrying user id); Provider D (Authorization, Access Policy Management, Authentication, Identity Management; STS with SAML, WS-Trust, WS-Federation)]
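The token flow behind the Security Token Service in the SOA scenario slide and the SAML / WS-Trust patterns on this slide, as an added Python example (not from the presentation): the STS issues an assertion carrying the user id and attributes for one named audience, and each provider validates signature, issuer, audience, validity window and replay before it authorizes from the asserted attributes alone, with no identity store of its own (the "user id & attributes" pattern). Real SAML assertions are signed XML with asymmetric keys; this stand-in uses compact JSON and an HMAC key shared between the STS and each provider, and the issuer name, users, attributes and access policies are assumptions for the example.

```python
"""Federated access through a security token service.

Added example, not from the slides: a simplified, JSON-based stand-in for the
SAML / WS-Trust exchange in the SOA and SaaS pattern slides. The STS issues an
assertion carrying the user id and attributes for one named audience; each
provider validates signature, issuer, audience, validity window and replay
before authorizing from the asserted attributes alone. Real SAML assertions
are signed XML with asymmetric keys; the HMAC keys shared between the STS and
each provider, the users, attributes and policies here are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Issues assertions for users its own AuthN service has already authenticated (assumed)."""

    def __init__(self, issuer: str, audience_keys: Dict[str, bytes], attributes: Dict[str, dict]):
        self.issuer, self._keys, self._attrs = issuer, audience_keys, attributes

    def issue(self, user: str, audience: str, now: int, lifetime: int = 300) -> str:
        if audience not in self._keys:
            raise ValueError(f"no trust relationship with {audience}")
        assertion = {"iss": self.issuer, "sub": user, "aud": audience, "iat": now,
                     "exp": now + lifetime, "jti": secrets.token_hex(8),
                     "attrs": self._attrs.get(user, {})}
        payload = _b64(json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._keys[audience], payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"


class ServiceProvider:
    """A SaaS provider (or the WSS gateway in front of one) that trusts a single STS."""

    def __init__(self, name: str, trusted_issuer: str, key: bytes, policy: Dict[str, Set[str]]):
        self.name, self.issuer, self._key, self._policy = name, trusted_issuer, key, policy
        self._seen: Set[str] = set()          # assertion ids already consumed

    def accept(self, token: str, now: int) -> dict:
        payload, _, sig = token.partition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):   # verify before parsing anything
            raise ValueError("signature invalid")
        assertion = json.loads(_unb64(payload))
        if assertion["iss"] != self.issuer:
            raise ValueError("untrusted issuer")
        if assertion["aud"] != self.name:
            raise ValueError("assertion issued for another provider")
        if not assertion["iat"] <= now < assertion["exp"]:
            raise ValueError("outside validity window")
        if assertion["jti"] in self._seen:
            raise ValueError("replayed assertion")
        self._seen.add(assertion["jti"])
        return assertion

    def authorize(self, assertion: dict, action: str) -> bool:
        """Local access policy keyed on asserted attributes; no local identity store."""
        return any(action in self._policy.get(role, set())
                   for role in assertion["attrs"].get("roles", []))


def build_demo():
    """One STS trusted by two providers, each with its own key and its own access policy."""
    issuer = "https://sts.example.test"
    key_b, key_c = secrets.token_bytes(32), secrets.token_bytes(32)
    sts = SecurityTokenService(issuer, {"provider-b": key_b, "provider-c": key_c},
                               {"alice": {"roles": ["finance"], "dept": "FIN"}})
    prov_b = ServiceProvider("provider-b", issuer, key_b, {"finance": {"read_ledger", "post_journal"}})
    prov_c = ServiceProvider("provider-c", issuer, key_c, {"finance": {"read_reports"}})
    return sts, prov_b, prov_c
```

The order of checks in `accept` matters: the signature is verified before the payload is parsed, so a forged assertion never reaches the JSON parser or the policy, and the replay set is consulted last so that a rejected assertion does not consume its id.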

Page 19: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Recommendations

1. Assess your risks

2. Classify your information

3. Define policies and procedures

4. Maintain most sensitive data in house

5. Don’t outsource your security management

6. Follow a security architecture / roadmap

7. Design patterns for cloud computing

8. Choose a secure platform


Page 20: Rationalization and Defense in Depth - Two Steps Closer to the Cloud

Takeaways (Cloud or not)

Deploy Defense in Depth
• Good general strategy to protect highly distributed systems (SOA, BPM, Cloud, etc.)
• Limit your risks

Rationalize & Consolidate
• Standardized frameworks, services, & technologies
• Implement processes & policies

Plan Ahead
• Classification strategy: know your systems & data
• Cloud strategy: know your options & vendors
• Risk management: choose wisely & CYA

Visit the ITSO Reference Library at www.oracle.com/goto/itstrategies

Page 21: Rationalization and Defense in Depth - Two Steps Closer to the Cloud