Securing the Cloud


Post on 16-Apr-2017


  • Securing the Cloud: Authentication Perspective


  • Moving to the Cloud is like...

    Moving your data from your own personal safe to a safety deposit box in a bank.

    Access to your safety-deposit box is controlled by the bank, not you.

    In most cases all you need to supply is the right name and the right password.

    The cloud is a public place.

    Everyone's experience of cloud applications is pretty much the same.

    If I know how to access my account, chances are I know how to access yours.


  • The Cloud

    - Is a very public place
    - Everyone knows where your front door is
    - Everyone knows what your username is
    - Just one password away from access!
    - In The Cloud, all access is Remote Access (remote from the application at least)


  • It is not Rocket science

    - I know that Dell use Salesforce CRM (source: Salesforce.com)
    - I know that Michael Dell is CEO (source: Wikipedia)
    - I know the format of Dell emails is firstname.lastname@dell.com (source: my inbox)
    - Just one password away from access?????

    Just an example.

    But all three facts are true. Whether Dell use email addresses for Salesforce, and whether Michael Dell has an account or not, is not clear.

    But the principle is the same: are we just one password away from Dell's entire CRM data?

    Of course this is another element of the public nature of the cloud. Cloud applications such as Facebook, Twitter, etc. mean there is much more information available about people in the cloud.


  • Passwords in public places are not safe

    - How many different strong passwords can a user safely remember? NOT ENOUGH!
    - Recent straw poll: users accessed at least 20 different password-protected services!

    Passwords and The Cloud

    Of course we all use the cloud in some way, if not in our corporate life then in our personal life.

    Password reuse becomes inevitable.

  • Analysis of the 32 million passwords exposed in Jan 2010 in the breach of social media application developer RockYou - whose applications can be used on Facebook and Myspace - revealed the top 10 most commonly used passwords were (source: www.cxo.eu.com):

    1st: 123456
    2nd: 12345
    3rd: 123456789
    4th: password
    5th: iloveyou
    6th: princess
    7th: rockyou
    8th: 1234567
    9th: 12345678
    10th: abc123

    Strong Passwords ???

    Don't forget: for many attacks the strength of the password is no defence.

    Weakness of passwords is well documented.

    But the point is that these passwords were obtained from a cloud service.

    Swivel Secure Ltd. - version maytr05.1.01

  • Password Reuse

    - Password Reuse is inevitable
    - Cloud breaches (PSN, Sega, Facebook etc.) have knock-on impacts
    - Your corporate data may only be as secure as the least secure Cloud service being used by your employees
    - Can we rely on people separating their corporate and social identities? No!

    So if you use cloud services for your corporate data, chances are your corporate users will also reuse credentials.

    Therefore their credentials are potentially only as safe as the weakest link in the chain.

  • Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials

    (Source: http://www.bbc.co.uk/news/technology-13829690)

    The SEGA breach was perhaps the first acknowledgement from a cloud service provider that the fact that they lost your credentials not only affected your SEGA data but many other potential accounts as well.

    When you trust a cloud service with your username and password, you are not only trusting them with your data in relation to that service but possibly others as well.

  • Authentication and the Cloud

    Using Cloud services can mean:

    - You delegate authentication policies to the Cloud provider
    - You create multiple control points for user access, if you use multiple Cloud services or a mix of Cloud and non-Cloud services
    - Forgetting to remove access from ex-employees is a common cause of loss of commercial data.
    - You rely on username/password

    A key issue is that using cloud services means you delegate the service and access control to the cloud provider, as well as the service itself.

    You are trusting the cloud service with more than just the service.

    This creates multiple control points.

    It means authentication policy is defined by the cloud provider.


  • Authentication and the Cloud

    The need for strong authentication for (e.g. VPN) remote access is well understood.

    Customers purchase Remote Access solutions and an Authentication solution.

    The same authentication solution is ideally used across all remote access services.


  • Approach

    - Separate Authentication from the Cloud Service
    - Use a single Authentication service for all services, Cloud and non-Cloud
    - Keep control over your access policies
    - Apply appropriate authentication
    - If I have access rights to data because I am an employee of an organisation, then that organisation should control my access

    Reclaim or retain control over access.


  • New Authentication Model

    Not a new idea, but now becoming possible.

    [Diagram: Traditional Approach vs Federated Approach. Traditional: the Enterprise creates/deletes accounts at the service; the user sends user-name and credentials to the service, which checks the credentials. Federated: the Enterprise configures the service; the user requests access and is redirected to the Enterprise, where user-name and credentials are presented. "If anyone wants to access my data, send them to me!"]

    Traditionally authentication was done at the back-end, within the DMZ.

    The user submits credentials and they are checked behind the scenes.

    New standards are enabling new models, whereby authentication is done in front.

    The standards are not new in themselves, but what is new is the fact that service providers are implementing them, which means vendors like ourselves can build solutions around them.

    Federation is another overloaded term, but I want to highlight a specific meaning.

  • Phone Home Model

    - Enterprise owns the identity
    - Single point of control
    - Cloud services do not store credentials
    - Cloud services do not set authentication policies
    - Multi-factor where required
    - Risk-based authentication
    - User needs one set of credentials

    [Diagram: Cloud Applications, VPN Access and Intranet all authenticating against a Core Authentication Platform]

    This federation model means that to access data that you have rights to because you are an employee of a company, the service must verify your identity and rights with that company.

    This means the cloud service is no longer responsible for authentication or for storing credentials.

    And the same credential and authentication service can be used for internal and cloud access.
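    As an added example (not code from the presentation or from Swivel Secure), the phone-home model of the last three slides in Python: the cloud service keeps no credentials and no policy, redirects the user to the enterprise, and admits only a signed assertion coming back. The HMAC key, the user records, the fixed one-time code and the `phone_home_login` round trip are constructed stand-ins for a SAML trust relationship.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo data: the enterprise directory with per-user policy (a real
# directory would hold salted password hashes) and the assertion-signing key,
# shared with the cloud service out of band in place of a SAML trust setup.
SIGNING_KEY = b"constructed-demo-key"
DIRECTORY = {
    "alice": {"password": "correct horse", "mfa_required": True, "active": True},
    "bob": {"password": "hunter2", "mfa_required": False, "active": False},  # ex-employee
}
DEMO_OTP = "123456"  # stands in for a real second factor

class EnterpriseIdP:
    """Single point of control: owns identities, credentials and policy."""
    def __init__(self, key, directory):
        self.key, self.directory = key, directory
    def authenticate(self, username, password, otp=None, sp_id=None):
        user = self.directory.get(username)
        if user is None or not user["active"]:
            return None  # deactivating a user here removes access to every service
        if not hmac.compare_digest(user["password"], password):
            return None
        if user["mfa_required"] and otp != DEMO_OTP:
            return None  # second factor demanded by enterprise policy, not the service
        claims = {"sub": username, "aud": sp_id, "exp": int(time.time()) + 300,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True)
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

class CloudService:
    """Stores no credentials and sets no policy; only checks enterprise assertions."""
    def __init__(self, sp_id, key):
        self.sp_id, self.key = sp_id, key
    def request_access(self):  # the "send them to me" redirect
        return {"redirect_to": "enterprise_idp", "sp_id": self.sp_id}
    def accept(self, assertion):
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered assertion
        claims = json.loads(body)
        if claims["aud"] != self.sp_id or claims["exp"] < time.time():
            return None  # issued for another service, or expired
        return claims["sub"]

def phone_home_login(service, idp, username, password, otp=None):
    # Service redirects to the enterprise; enterprise vouches; service admits.
    hop = service.request_access()
    assertion = idp.authenticate(username, password, otp, sp_id=hop["sp_id"])
    return service.accept(assertion) if assertion else None
```

    Disabling "bob" at the enterprise, or adding a second factor for "alice", changes access to every service at once, with nothing to update at the cloud side.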

  • The phone home model is like...

    When a user wants to access your safety deposit box, the bank sends them to you.

    The person confirms their identity to YOU in the manner you decide.

    You tell the bank that they can access the data.


  • Swivel and Office 365

    [Diagram: Internet, ADFS Proxy, Active Directory, ADFS Server, filter, ADFS Request / Response]

    System can be configured so users already on the LAN need not authenticate again to Office 365.

    Developments will allow the same for other SAML-based cloud services.


  • Swivel and Office 365


  • Swivel and Office 365 (Demo)

    - Forms Based Authentication
    - Customisable
    - Additional credential only required if user has a PINsafe account (optional)
    - Some users could have 2FA mandatory


  • Questions
