Security in Web 2.0, Social Web and Cloud

Posted on 17-Jan-2015


DESCRIPTION

Presentation "Security in Web 2.0, Social Web and Cloud" given by Vinay Bansal at the iFront conference on 9 June 2009 in Belgrade.

TRANSCRIPT

Cisco Public, Vinay Bansal, 1


Security in Web 2.0, Social Web and Cloud

Vinay Bansal

Lead Security Architect, Web and Application Security

Cisco Systems

iFront Internet Conference, 2009


Objective at iFront Today

Growth in Social Web, Web 2.0, Collaboration

Thinking: Information Centric Security

Cisco Stories

How Cloud Computing is changing IT

Emerging Trend : Borderless Enterprise


Who am I

Lead Security Architect for Cisco’s Web and Application Architecture Team (Infosec)

16+ years architecting, developing and securing IT systems

MS in Computer Sciences – Duke University

What do I help protect at Cisco…


Cisco IT and Supported Web Applications

Total Users:

– Customers (500k+), Partners (20k+)

– Employees and Vendors (~90k)

Business Revenue:

– 95%+ of Cisco revenue

People: Cisco IT (10,000)

– Employees = 3,000

– Contractors (Vendors/Temp) = 7,000

Applications:

– 1500 Internal/External Web Applications (~50% external)

– 280 ASPs (Application Service Providers)

Web Infrastructures:

– Cisco.com (CCO) and CEC (Intranet)

– 1300+ Enterprise DB instances

Attacks:

– Millions per day


What is Social Web, Web 2.0 and Collaboration?


What is Web 2.0?

Buzzword! Social, Participation, Collaboration

“Aggregation of improvements in the Web application space in the last few years…”

“.. Applications that harness network effects to get better the more people use them.” – Tim O’Reilly*


Web 2.0 - User Generated Data

Who is providing the majority of content for these popular Web sites? - Users


Rich User Experience

• Interactive • Personalized • Simple • Quick • User Focused • …

Usability and Interface beyond traditional Web-pages


Harnessing Collective Intelligence

Architecture of participation

Application that gets better with more people using it


Connecting People

Social Web


Let’s twist these connections

Users

End Points

Enablers

Providers

Data


Information Centric Security

Users

Data

1. Identify User: Authentication

2. Access to which data: Authorization

3. Secure Data Transfer : Encryption

4. Data Center Security

5. Data on Client : Client End Point Security
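The five steps above form a data-centric decision pipeline: the decision is made about a piece of information, not about a network zone. The following added example (not code from the talk) implements the first three steps for a single request, in Python: authentication strength, authorization against the record's classification, and the transfer requirement derived from that classification. The classification labels, the MFA rule, and all sample users, records and channels are assumptions made for illustration.

```python
"""Information-centric access decision (added example, not from the talk).

Steps 1-3 of the slide for one request: who the user is (authentication),
which data they may reach (authorization), and whether the transfer channel
is adequate for that data (encryption). Everything is decided from the
record's classification label. Labels, rules and sample values are assumed.
"""
from dataclasses import dataclass, field

# Classification lattice, lowest to highest sensitivity (assumed labels).
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class User:
    name: str
    clearance: str                 # highest classification the user may read
    mfa: bool = False              # step 1: how strongly the user was identified
    groups: set = field(default_factory=set)


@dataclass
class Record:
    owner_group: str               # group that owns the data
    classification: str            # one of LEVELS


@dataclass
class Channel:
    encrypted: bool                # TLS or equivalent on the transfer path


def rank(level: str) -> int:
    """Position in the lattice; higher means more sensitive."""
    return LEVELS.index(level)


def decide(user: User, record: Record, channel: Channel) -> tuple:
    """Return (allowed, reason). Checks run in the slide's order: authn, authz, transfer."""
    # 1. Identify user: confidential data and above requires MFA (assumed policy).
    if rank(record.classification) >= rank("confidential") and not user.mfa:
        return False, "mfa required for %s data" % record.classification
    # 2. Authorization: clearance must dominate the record's classification,
    #    and restricted data is additionally limited to the owning group.
    if rank(user.clearance) < rank(record.classification):
        return False, "clearance %s below %s" % (user.clearance, record.classification)
    if record.classification == "restricted" and record.owner_group not in user.groups:
        return False, "not a member of %s" % record.owner_group
    # 3. Secure transfer: anything above public must travel encrypted.
    if record.classification != "public" and not channel.encrypted:
        return False, "encrypted channel required"
    return True, "ok"


if __name__ == "__main__":
    alice = User("alice", "confidential", mfa=True, groups={"finance"})
    print(decide(alice, Record("finance", "confidential"), Channel(True)))
    print(decide(alice, Record("finance", "confidential"), Channel(False)))
    print(decide(alice, Record("hr", "restricted"), Channel(True)))
```

The same record gets a different answer on an unencrypted channel or without MFA, which is the point of classifying information rather than hardening the network around it.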


User’s Security Concerns (Social Sites)

Privacy of my data

– Credit Cards

– Address, Email, … (Personally Identifiable Information)

– Personal Details (email, photos, IMs, …)

– Authentication Credentials (userids, passwords)

End Device Security

– No Trojans, unwanted programs

Data Ownership (perception)

– Forums, Wikis, Blogs


Application Provider’s Security Priorities

Stability, Business Continuity

Protection of their Intellectual property

Compliance with Regulations

What they really want to do

– Push out the liabilities to users via Privacy and Acceptable Use Policy

– Build additional services on users’ behavior (targeted advertisements), e.g. Google Email, banner adv.

– Track user behavior, usage patterns

– Keep their social applications more open


Regulations protecting end users

Users: Privacy

Providers: Intellectual Property, Business Continuity, Regulatory Compliance

HIPAA – Health; PCI – Credit Cards; EU Directive – …


Digital Rights and Data Privacy Challenges

Openness/Social Collaboration – contradicts privacy?

Digital Rights Management (DRM)

– who “owns” the data?

– how do you protect your intellectual property?

Collective content creation – difficult to assign data ownership

Global Web (data access anywhere from anywhere) – privacy laws/regulations vary


Malware Spread via Web 2.0/ Social Web

Drive-by Installs (via Web Browsers)

– Increasing concern for malware infections

– Google Research: Malicious URLs 0.3% to 1.3% in 8 months

Malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust.

Multiple redirects on sites

– Advertising space on a page changes hands multiple times

Browser or plug-in vulnerabilities exploited

– The browser is the platform

Growing challenge for enterprises and users


Cisco Story - 1

Threat 1: Employees using public Social Web

– E.g. Yammer, Facebook, MySpace

Provide internal collaborative resources (within the enterprise)

– C-vision (internal YouTube)

– Ciscopedia (Wikipedia)

– Internal Wiki/Forums/Blogs

– Directory 3.0 (Connections, Communities)

– Cisco Telepresence

– WebEx Connect

– …


Cisco Story – 1 (cont.)

Clear guidelines on expected behavior (external Social Web)

– Identifying yourself

– Handling Confidential Information

– Copyrighted Content

– Using common sense

Awareness/Training

– Videos

– Executive Messaging


Cisco Story - 2

Threat 2: Web Browsing Initiated Malware

Monitoring Outgoing Web Traffic

– Ironport’s Web Security Appliance

Patching browsers and plug-ins (priority)
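The redirect-chain pattern described under "Malware Spread via Web 2.0/Social Web" (advertising space changing hands several times before a drive-by install) and the outgoing-traffic monitoring of Story 2 are two sides of one detection. The following added example (not code from the talk or from any Cisco product) reconstructs each client's redirect chains from a constructed, simplified web-proxy log and flags chains that pass through many hosts or end at an executable download. The log format (time, client, status, URL, Location header or "-"), the hop threshold and the extension list are assumptions.

```python
"""Redirect-chain review over a web-proxy log (added example, not from the talk).

Drive-by installs often arrive through several redirects as advertising space
changes hands, so an outgoing-traffic monitor can rebuild each client's chains
and flag the ones that fit that pattern. The log format is a constructed,
simplified one:  time  client  status  url  location-header-or-dash
"""
from urllib.parse import urlsplit

# Constructed sample log: client 10.1.1.5 follows a four-request redirect chain
# that ends at an executable; client 10.1.1.9 sees an ordinary http->https hop.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 200 http://news.example/index.html -
10:00:02 10.1.1.5 302 http://ads.example/serve?id=1 http://adx.example/r/77
10:00:02 10.1.1.5 302 http://adx.example/r/77 http://track.example/go
10:00:03 10.1.1.5 302 http://track.example/go http://cdn-files.example/update.exe
10:00:03 10.1.1.5 200 http://cdn-files.example/update.exe -
10:00:05 10.1.1.9 301 http://example.com/ https://www.example.com/
10:00:05 10.1.1.9 200 https://www.example.com/ -
"""

# File extensions treated as executable downloads (assumed list).
EXEC_EXT = (".exe", ".msi", ".scr", ".jar")


def parse(log: str) -> list:
    """Split each line into a dict; '-' means the response had no Location header."""
    rows = []
    for line in log.splitlines():
        ts, client, status, url, location = line.split()
        rows.append({"ts": ts, "client": client, "status": int(status),
                     "url": url, "location": None if location == "-" else location})
    return rows


def redirect_chains(rows: list) -> list:
    """Group each client's requests into chains: a run of 3xx hops where the next
    request matches the previous Location, plus the final landing request.
    A chain the client never completes is dropped when an unrelated request follows."""
    chains, in_progress = [], {}
    for r in rows:
        chain = in_progress.get(r["client"])
        if chain and chain[-1]["location"] == r["url"]:
            chain.append(r)                       # request follows the redirect
        else:
            chain = [r]                           # start a fresh chain
            in_progress[r["client"]] = chain
        if 300 <= r["status"] < 400 and r["location"]:
            continue                              # redirect: chain stays open
        if len(chain) > 1:
            chains.append(chain)                  # landed: record the full chain
        in_progress.pop(r["client"], None)
    return chains


def flag(chain: list, max_hops: int = 2) -> list:
    """Reasons a chain deserves a look; an empty list means nothing notable."""
    reasons = []
    hops = len(chain) - 1
    hosts = {urlsplit(r["url"]).hostname for r in chain}
    if hops > max_hops and len(hosts) > max_hops:
        reasons.append("%d hops across %d hosts" % (hops, len(hosts)))
    if urlsplit(chain[-1]["url"]).path.lower().endswith(EXEC_EXT):
        reasons.append("chain lands on an executable download")
    return reasons


def review(log: str, max_hops: int = 2) -> list:
    """Return (client, landing url, reasons) for every flagged chain in the log."""
    findings = []
    for chain in redirect_chains(parse(log)):
        reasons = flag(chain, max_hops)
        if reasons:
            findings.append((chain[0]["client"], chain[-1]["url"], reasons))
    return findings


if __name__ == "__main__":
    for client, landing, reasons in review(SAMPLE_LOG):
        print(client, landing, "; ".join(reasons))
```

The ordinary http-to-https redirect is not reported: one hop between two hosts of the same site is normal, which is why both the hop count and the number of distinct hosts have to exceed the threshold before a chain is flagged.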


Cisco Story - 3

Threat 3: How to continually improve Application Security?

Tying Application Security Practice with the Software Development Life Cycle (SDLC):

– Secure Coding Training

– Application Vulnerability Assessment (AVA)

– Architecture Review

– Application Firewall


Cloud Computing and Security Challenges


Cloud Computing?

IT resources and services

– abstracted from the underlying infrastructure

– elasticity of resources

– utility model of consumption and allocation


Cloud : A big shift for IT

“Does IT Matter?”: Nicholas G. Carr floated this “bombshell” idea in 2004

Cloud commoditizing IT infrastructure and services

Could mean death for individual IT departments in small to medium enterprises

Public Cloud

Private Cloud


Types of Clouds

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)


Cloud Computing : Security Risks …1

1. Data moves outside the Enterprise – Cloud vendor is custodian of the data

– Encryption (Key Management)

– Backups of data (Multi-tenant)

– Alternate/Secondary use of data

2. Shared Infrastructure

– Assume (Logical security = Physical Security)
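Risk 1 above hinges on who holds the keys. The following added example (not code from the talk or from any Cisco product) shows envelope encryption, the usual pattern for keeping the key-encryption key inside the enterprise while the cloud provider stores only ciphertext and a wrapped data key, so that the provider's backups and any secondary use of the data expose nothing readable; it also shows why rotating the enterprise key does not require re-encrypting data held by the provider. Only the Python standard library is assumed, so HMAC-SHA256 in counter mode with a separate HMAC tag stands in for a real AEAD such as AES-GCM; the class and function names are the example's own.

```python
"""Envelope encryption with an enterprise-held key (added example, not from the talk).

The provider stores (wrapped data key, ciphertext). The key-encryption key (KEK)
that unwraps the data key never leaves the enterprise, so whatever the provider
backs up or reuses is opaque. Only the standard library is assumed: HMAC-SHA256
in counter mode plus an HMAC tag stands in for an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: XOR data with PRF(enc_key, nonce || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ct)


class EnterpriseKMS:
    """Holds the KEK inside the enterprise. Only wrapped data keys leave it."""

    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)


def upload(kms: EnterpriseKMS, plaintext: bytes) -> tuple:
    """What the cloud stores: (wrapped data key, ciphertext). The plain data key
    exists only transiently here and is never sent to the provider."""
    data_key = os.urandom(32)
    return kms.wrap(data_key), seal(data_key, plaintext)


def download(kms: EnterpriseKMS, wrapped_key: bytes, ciphertext: bytes) -> bytes:
    """Unwrap the data key at the enterprise, then decrypt what the cloud returned."""
    return unseal(kms.unwrap(wrapped_key), ciphertext)


def rotate_kek(old: EnterpriseKMS, new: EnterpriseKMS, wrapped_key: bytes) -> bytes:
    """KEK rotation re-wraps only the small data key; stored ciphertext is untouched."""
    return new.wrap(old.unwrap(wrapped_key))


if __name__ == "__main__":
    kms = EnterpriseKMS()
    wrapped, stored = upload(kms, b"customer record 42")   # constructed sample data
    print(download(kms, wrapped, stored))
```

A multi-tenant backup that captures both stored objects is useless without the KEK, and the tag check turns a modified ciphertext into a hard failure rather than silently garbled data.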


Cloud Computing : Security Risks …2

3. Regulations and Cross Country laws

- Cloud vendors spread their data/operation geographically

4. Security Breach

- Responsibility to investigate

- Monitoring, logs

5. SLAs

- High Penalty for security incident

6. Strong Federated Authentication


Cloud Computing : Security Risks …3

7. Software Licensing Issues

– Enterprise licenses: how do they apply in the cloud?

8. Reliance on ongoing security audits of the vendor

– Third party risk assessments

– Keep check on security practices, internal policies, standards

9. Security dependence on developers – convenience vs. security

– development environments accessible on the Internet


Emerging Trend : Borderless Enterprises


Borderless Enterprise (timeline figure, 2001-7, 2008, 2009, 2010, 2011*)

Labels from the figure:

– Enterprise Virtualization

– Communication & Collaboration

– Remote Desktop (RDE)

– VNC & Term Server

– VMWare

– App/Svc Resiliency

– Mobile Device Evolution

– Platform Option Expansion

– Ubiquitous Connectivity (WiFi, VPN)

– Global Workforce

– Sharing & IP

– Telephony Platforms

– Web 2.0

– Real-time & Customized Interaction

– Emerging Business Models

– “Any Device, Anywhere”


Drivers for Borderless Enterprise

* Single Source of Truth; ** Born in the 1980’s – early 90s


Borderless Enterprise : Security Risks

Figure: Services, Data and Assets shift along an externalizing trend, from “Trusted” Internal to Externalized Services, and from Company Owned to User Owned.


Emergence of End Point Reputation based Security

Figure: end point reputation is built from Location (Inside Enterprise / External), Behavior, Device Ownership (Enterprise / End User / Public/Kiosk), Local Policy (Virus Scanner, Local Firewall, Disk Encryption) and Simple Userid/Pwd, and determines which data/services are accessed.
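The figure above lists the signals an end point's reputation is built from. The following added example (not code from the talk or from any Cisco product) turns those signals into a numeric reputation and maps it onto the classes of data the device may reach, so a company-owned, encrypted, MFA-authenticated laptop inside the enterprise and a public kiosk get different answers for the same request. The weights, thresholds, attribute names and the failed-login signal used for "behavior" are assumptions chosen for illustration.

```python
"""End point reputation: access tier derived from device signals (added example).

Attributes follow the slide's figure: location, behavior, device ownership,
local policy (virus scanner, local firewall, disk encryption) and the strength
of the user's authentication. Weights and thresholds are assumed.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    location: str            # "inside" or "external"
    ownership: str           # "enterprise", "end_user" or "public_kiosk"
    virus_scanner: bool
    local_firewall: bool
    disk_encryption: bool    # protects data at rest on the client
    auth: str                # "password" (simple userid/pwd) or "mfa"
    recent_failed_logins: int = 0   # behavior signal (assumed): failures in last hour


def reputation(ep: Endpoint) -> int:
    """Score 0..10 from the signals on the slide; the weights are assumptions."""
    score = {"enterprise": 4, "end_user": 2, "public_kiosk": 0}[ep.ownership]
    score += 1 if ep.location == "inside" else 0
    score += 1 if ep.virus_scanner else 0
    score += 1 if ep.local_firewall else 0
    score += 1 if ep.disk_encryption else 0
    score += 2 if ep.auth == "mfa" else 0
    if ep.recent_failed_logins >= 5:
        score -= 3               # suspicious behavior lowers trust regardless of device
    return max(0, min(10, score))


# Minimum reputation required to reach each data class (assumed thresholds),
# ordered from least to most sensitive.
REQUIRED = {"public": 0, "internal": 4, "confidential": 7, "restricted": 9}


def accessible(ep: Endpoint) -> list:
    """Data classes this end point may reach, least to most sensitive."""
    r = reputation(ep)
    return [cls for cls, need in REQUIRED.items() if r >= need]


def shortfall(ep: Endpoint, data_class: str) -> int:
    """How many reputation points the device lacks for data_class (0 = allowed)."""
    return max(0, REQUIRED[data_class] - reputation(ep))


if __name__ == "__main__":
    # Constructed sample devices.
    laptop = Endpoint("inside", "enterprise", True, True, True, "mfa")
    kiosk = Endpoint("external", "public_kiosk", False, False, False, "password")
    print("managed laptop:", reputation(laptop), accessible(laptop))
    print("public kiosk:  ", reputation(kiosk), accessible(kiosk))
    print("kiosk lacks", shortfall(kiosk, "internal"), "points for internal data")
```

The shortfall is what the user or help desk can act on: it says which data stays out of reach on this device and how far the posture is from qualifying, which is the "each device capable of protecting itself" idea applied per request.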


Cisco: Achieving Borderless Enterprise

Think – Information Centric Security

– Concept: (App/NW Hardening -> Information Hardening)

– How to classify information

More reliance on End Point Security

– Each device capable of protecting itself

Granular Identity Management

– Device Identity

– Dynamic shifts in identity and access (Federation)

Dynamic Traffic Inspection and Control Capabilities

– Non-intrusive monitoring

Security bar raised for Intranet/Internal Systems

Shifting Security Zones – (Physical -> Logical)


Summarizing and Looking Forward

Web 2.0, Social Web, Collaboration … Security Challenges

Think … Information Centric Security

Cloud Computing ….. A big shift for IT

Borderless Enterprise … Enterprise Data Everywhere


“Our adversaries only have to be right once.”


Contact Information

Vinay Bansal

Information Security Architect

Corporate Security Programs Organization

Cisco Systems, Inc.

(vinay.bansal@cisco.com)
