Security in Web 2.0, Social Web and Cloud
DESCRIPTION
Presentation "Security in Web 2.0, Social Web and Cloud" given by Vinay Bansal at the iFront conference on 9 June 2009 in Belgrade.
TRANSCRIPT
Cisco PublicVinay Bansal 1
Vinay Bansal
Lead Security Architect, Web and Application Security
Cisco Systems
iFront Internet Conference
Security in Web 2.0, Social Web and Cloud
Objective at iFront Today
Growth in Social Web, Web 2.0, Collaboration
Thinking: Information Centric Security
Cisco Stories
How Cloud Computing is changing IT
Emerging Trend: Borderless Enterprise
Who am I
Lead Security Architect for Cisco’s Web and Application Architecture Team (Infosec)
16+ years architecting, developing and securing IT systems
MS in Computer Sciences – Duke University
What do I help protect at Cisco…
Cisco IT and Supported Web Applications
Total Users:
– Customers (500k+), Partners (20k+)
– Employees and Vendors (~90k)
Business Revenue:
– 95%+ of Cisco Revenue
People: Cisco IT (10,000)
– Employees = 3,000
– Contractors (Vendors/Temp) = 7,000
Applications:
– 1500 Internal/External Web Applications (~50% external)
– 280 ASPs (Application Service Providers)
Web Infrastructures:
– Cisco.com (CCO) and CEC (Intranet)
– 1300+ Enterprise DB instances
Attacks:
– Millions per day
What is Social Web, Web 2.0 and Collaboration?
What is Web 2.0?
Buzzword!! Social, Participation, Collaboration
“Aggregation of improvements in the Web application space in the last few years…”
“…applications that harness network effects to get better the more people use them.” – Tim O’Reilly
Web 2.0 - User Generated Data
Who is providing the majority of content for these popular Web sites? - Users
Rich User Experience
• Interactive
• Personalized
• Simple
• Quick
• User Focused
• …
Usability and Interface beyond traditional Web-pages
Harnessing Collective Intelligence
Architecture of participation: an application that gets better with more people using it
Connecting People
Social Web
Let’s twist these connections
Users
End Points
Enablers
Providers
Data
Information Centric Security
Users
Data
1. Identify User, Authentication
2. Access to which data, Authorization
3. Secure Data Transfer : Encryption
4. Data Center Security
5. Data on Client : Client End Point Security
User’s Security Concerns (Social Sites)
Privacy of my data
– Credit Cards
– Address, Email, … (Personally Identifiable Information)
– Personal Details (email, photos, IMs, …)
– Authentication Credentials (userids, passwords)
End Device Security
– No Trojans, unwanted programs
Data Ownership (perception)
– Forums, Wikis, Blogs
Users
Application Provider’s Security Priorities
Stability, Business Continuity
Protection of their Intellectual property
Compliance to Regulations
What they really want to do
– Push out the liabilities to the user via Privacy and Acceptable Use Policy
– Build additional services on users’ behavior (targeted advertisements), e.g. Google Email, banner adv.
– Track user behavior, usage patterns
– Keep their social applications more open
Regulations protecting end users
Users: Privacy
Providers: Intellectual Property, Business Continuity, Regulatory Compliance
HIPAA – Health; PCI – Credit Cards; EU Directive – …
Digital Rights and Data Privacy Challenges
Openness/Social Collaboration – contradicts privacy?
Digital Rights Management (DRM)
– Who “owns” the data?
– How do you protect your intellectual property?
Collective content creation – difficult to assign data ownership
Global Web (data access anywhere from anywhere) – privacy laws/regulations vary
Malware Spread via Web 2.0/ Social Web
Drive-by installs (via Web browsers)
– Increasing concern for malware infections
– Google Research: malicious URLs 0.3% to 1.3% in 8 months
Malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust.
Multiple redirects on sites
– Advertising space on a page changes hands multiple times
Browser or plug-in vulnerabilities exploited
– Browser is the platform
Growing challenge for enterprises and users
Cisco Story - 1
Threat 1: Employees using the public Social Web
– E.g. Yammer, Facebook, MySpace
Provide internal collaborative resources (within the enterprise)
– C-Vision (internal YouTube)
– Ciscopedia (Wikipedia)
– Internal Wiki/Forums/Blogs
– Directory 3.0 (Connections, Communities)
– Cisco TelePresence
– WebEx Connect
– …
Cisco Story – 1 (cont.)
Clear guidelines on expected behavior (external Social Web)
– Identifying yourself
– Handling confidential information
– Copyrighted content
– Using common sense
Awareness/Training
– Videos
– Executive messaging
Cisco Story - 2
Threat 2: Web Browsing Initiated Malware
Monitoring Outgoing Web Traffic
– IronPort’s Web Security Appliance
Browsers and plug-ins patching (priority)
Cisco Story - 3
Threat 3: How to continually improve Application Security?
Tying Application Security Practice with the Software Development Life Cycle (SDLC)
– Secure Coding Training
– Architecture Review
– Application Vulnerability Assessment (AVA)
– Application Firewall
Cloud Computing and Security Challenges
Cloud Computing?
IT resources and services
– abstracted from the underlying infrastructure
– elasticity of resources
– utility model of consumption and allocation
Cloud: A big shift for IT
“Does IT Matter?” – Nicholas G. Carr floated this “bombshell” idea in 2004
Cloud commoditizing IT infrastructure and services
Could mean death for individual IT departments in small to medium enterprises
Public Cloud
Private Cloud
Types of Clouds
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Cloud Computing: Security Risks …1
1. Data moves outside the enterprise – cloud vendor is custodian of the data
– Encryption (key management)
– Backups of data (multi-tenant)
– Alternate/secondary use of data
2. Shared infrastructure
– Assume (logical security = physical security)
Cloud Computing: Security Risks …2
3. Regulations and cross-country laws
– Cloud vendors spread their data/operations geographically
4. Security breach
– Responsibility to investigate
– Monitoring, logs
5. SLAs
– High penalty for a security incident
6. Strong federated authentication
Cloud Computing: Security Risks …3
7. Software licensing issues
– Enterprise licenses: how do they apply in the cloud?
8. Reliance on ongoing security audits of the vendor
– Third-party risk assessments
– Keep a check on security practices, internal policies, standards
9. Security dependence on developers – convenience vs. security
– Development environments accessible on the Internet
Emerging Trend: Borderless Enterprises
Figure: Borderless Enterprise timeline (2001-7, 2008, 2009, 2010, 2011*). Labels: Enterprise Virtualization; Communication & Collaboration; Remote Desktop (RDE); VNC & Term Server; VMWare; App/Svc Resiliency; Mobile Device Evolution; Platform Option Expansion; Ubiquitous Connectivity (WiFi, VPN); Global Workforce; Sharing & IP; Telephony Platforms; Web 2.0; Real-time & Customized Interaction; Emerging Business Models; “Any Device, Anywhere”.
Drivers for Borderless Enterprise
* Single Source of Truth; ** Born in the 1980s – early 90s
Borderless Enterprise : Security Risks
Services / Data / Assets
Externalizing trend: “Trusted” Internal -> Externalized Services
Company Owned -> User Owned
Emergence of End Point Reputation based Security
Location: Inside Enterprise / External
Behavior
Device Ownership: Enterprise / End User / Public-Kiosk
Local Policy: Virus Scanner, Local Firewall, Disk Encryption
Simple Userid/Pwd
Which data/services accessed
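As an added illustration (not code from the slides or from Cisco), the following Python policy engine combines the signals on this slide (location, device ownership, local controls, authentication strength, behavior) into a reputation score and derives the most sensitive information class the endpoint may reach; the class labels, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Information classes ordered from least to most sensitive (assumed labels).
CLASSES = ["public", "internal", "confidential", "restricted"]

@dataclass
class Endpoint:
    """Signals listed on the slide: ownership, location, local controls, auth, behavior."""
    ownership: str                    # "enterprise", "end_user" or "kiosk"
    location: str                     # "inside" (enterprise network) or "external"
    antivirus: bool = False           # virus scanner running
    firewall: bool = False            # local firewall enabled
    disk_encryption: bool = False     # full-disk encryption enabled
    strong_auth: bool = False         # certificate/MFA rather than simple userid/pwd
    anomalous_behavior: bool = False  # e.g. session deviates from the user's usual pattern

def reputation(ep: Endpoint) -> int:
    """Assumed weights: ownership and auth strength count most; anomalies subtract."""
    score = {"enterprise": 3, "end_user": 1, "kiosk": 0}[ep.ownership]
    score += 1 if ep.location == "inside" else 0
    score += sum((ep.antivirus, ep.firewall, ep.disk_encryption))
    score += 2 if ep.strong_auth else 0
    if ep.anomalous_behavior:
        score -= 3
    return max(score, 0)

def highest_class(ep: Endpoint) -> str:
    """Most sensitive class the endpoint may reach (assumed thresholds)."""
    # Hard rules: shared/public machines and anomalous sessions see public data only.
    if ep.ownership == "kiosk" or ep.anomalous_behavior:
        return "public"
    score = reputation(ep)
    if score >= 9:
        return "restricted"
    if score >= 5:
        return "confidential"
    if score >= 2:
        return "internal"
    return "public"

def may_access(ep: Endpoint, data_class: str) -> bool:
    """Allow when the requested class is no more sensitive than the endpoint's ceiling."""
    return CLASSES.index(data_class) <= CLASSES.index(highest_class(ep))

if __name__ == "__main__":
    # Constructed sample endpoints: managed laptop, personal device, internet kiosk.
    for ep in (Endpoint("enterprise", "inside", True, True, True, True),
               Endpoint("end_user", "external", antivirus=True),
               Endpoint("kiosk", "external", strong_auth=True)):
        print(ep.ownership, reputation(ep), highest_class(ep), may_access(ep, "confidential"))
```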
Cisco: Achieving Borderless Enterprise
Think – Information Centric Security
– Concept: (App/NW Hardening -> Information Hardening)
– How to classify information
More reliance on End Point Security
– Each device capable of protecting itself
Granular Identity Management
– Device Identity
– Dynamic shifts in identity and access (Federation)
Dynamic Traffic Inspection and Control Capabilities
– Non-intrusive monitoring
Security bar raised for Intranet/Internal Systems
Shifting Security Zones (Physical -> Logical)
Summarizing and Looking Forward
Web 2.0, Social Web, Collaboration … Security Challenges
Think … Information Centric Security
Cloud Computing ….. A big shift for IT
Borderless Enterprise … Enterprise Data Everywhere
“Our adversaries only have to be right once.”
Contact Information
Vinay Bansal
Information Security Architect
Corporate Security Programs Organization
Cisco Systems, Inc.