TAKING THE MODULAR VIEW

Similar documents
Zero Trust in Healthcare Centrify Corporations. All Rights Reserved.

Cloud-Security: Show-Stopper or Enabling Technology?

Mobile Devices prioritize User Experience

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Passwords Are Dead. Long Live Multi-Factor Authentication. Chris Webber, Security Strategist

Related Labs: Introduction to Universal Access and F5 SAML IDP (Self-paced)

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

Single Sign-On Best Practices

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

The Oracle Trust Fabric Securing the Cloud Journey

Solution. Imagine... a New World of Authentication.

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Cloud Essentials for Architects using OpenStack

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Microsoft 365 Security & Compliance For Small- and Mid-Sized Businesses

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

Securing Your Cloud Introduction Presentation

THE SECURITY LEADER S GUIDE TO SSO

5 OAuth EssEntiAls for APi AccEss control layer7.com

Build Your Zero Trust Security Strategy With Microsegmentation

Voice Control. Setting with Google and Amazon

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

How to setup Google Assistant and Amazon Alexa. Make sure your Gateway has Firmware version 1.81 or higher.

Five Reasons It s Time For Secure Single Sign-On

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

Business value of Federated Login for Enterprises Enterprise SaaS vendors Consumer websites

1 The intersection of IAM and the cloud

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

AKAMAI CLOUD SECURITY SOLUTIONS

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

Securing Office 365 with MobileIron

Symantec Endpoint Protection Family Feature Comparison

Building a Resilient Security Posture for Effective Breach Prevention

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Using Biometric Authentication to Elevate Enterprise Security

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Cracking the Access Management Code for Your Business

Embracing a Secure Cloud. Cloud & Network Virtualisation India 2017

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

ADC im Cloud - Zeitalter

Google Identity Services for work

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Best Practices in Securing a Multicloud World

The Need For A New IT Security Architecture: Global Study On The Risk Of Outdated Technologies

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

6 Vulnerabilities of the Retail Payment Ecosystem

PKI is Alive and Well: The Symantec Managed PKI Service

The State of the Trust Gap in 2015

5 OAuth Essentials for API Access Control

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

WHITEPAPER. How to secure your Post-perimeter world

Cyber Security Maturity Model

Securing Your Amazon Web Services Virtual Networks

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Mobile Security using IBM Endpoint Manager Mobile Device Management

CLOUD REPORT LITTLE CHANGE IN GDPR-READINESS LEVELS WITH MAY 2018 DEADLINE LOOMING. 24.6% of cloud services rated high on GDPR-readiness

Security Program Guide Security is designed from the outside in.

API Best Practices. Managing APIs holistically across the enterprise

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

2017 Riverbed Technology. All rights reserved.

Warm Up to Identity Protocol Soup

Strong Security Elements for IoT Manufacturing

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

CSP 2017 Network Virtualisation and Security Scott McKinnon

Keep the Door Open for Users and Closed to Hackers

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Information Security Policy

Crash course in Azure Active Directory

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Prof. Christos Xenakis

The Modern Web Access Management Platform from on-premises to the Cloud

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Hybrid Identity de paraplu in de cloud

Security in Cloud Environments

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Cloud Computing Private Cloud

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Securing Your Microsoft Azure Virtual Networks

Hosted Azure for your business. Build virtual servers, deploy with flexibility, and reduce your hardware costs with a managed cloud solution.

GlobalPlatform Trusted Execution Environment (TEE) for Mobile

Fencing the Cloud. Roger Casals. Senior Director Product Management. Shared vision for the Identity: Fencing the Cloud 1

Verizon Software Defined Perimeter (SDP).

Cybersecurity Roadmap: Global Healthcare Security Architecture

Additional Security Services on AWS

Mobile Security Overview Rob Greer, VP Endpoint Management and Mobility Product Management Dave Cole, Sr. Director Consumer Mobile Product Management

Danish Cloud Maturity Survey 2018

Security Readiness Assessment

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

Securing Your Most Sensitive Data

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter

5 Pillars of API. management

Administering Jive Mobile Apps

Verasys Enterprise Security and IT Guide

Russ McRee Bryan Casper

ITU-T SG 17 Q10/17. Trust Elevation Frameworks

Speaker Introduction Who Mate Barany, VMware Manuel Mazzolin, VMware Peter Schmitt, Deutsche Bahn Systel Why VMworld 2017 Understanding the modern sec

Transcription:

TAKING THE MODULAR VIEW Extracting security from the application Chenxi Wang, Ph.D. Forrester Research SANS Application Security Summit, May, 2012

Application security remains an elusive goal 2012 Breach study (Verizon) More than 50% breaches involve web apps unknown 17% Web applications 54% Backdoor control 34% Remote desktop services 20% 0% 10% 20% 30% 40% 50% 60%

Mobile apps are taking off 60 Mobile apps: $6 billion Market today Will hit $ 55.7 billion by 2015 50 40 30 Tablet apps Smartphone apps 20 10 0 2011 2013* 2015* March 2012 Mobile App is the new fact of engagement

State of application security: Abysmal and not getting better any time soon

Two unfortunate facts Software Complexity Software is getting more complex with modern development frameworks Security Technology Software security products are difficult to use. Dev adoption remains low,

Today s software security processes and technologies Too complex 6 months to stabilize a static analysis product on a single code project CISO of a large financial firm

So how do we change the status quo?

Let s look at the problem in a different light

Extract security from the application Authentication (credential handling, Risk-based auth, ) Secure Communication (protocols, encryption) Crypto-related functions App dev: focus on this Core application business logic Security log capturing & analysis Security-specific logic (e.g.,jailbreak detection) App-level DDoS protection

Extract security from the application Authentication (credential handling, Risk-based auth, ) Security-specific logic (e.g.,jailbreak detection) Secure Communication (protocols, encryption) Security domain - Developed by engineers with know how - Separately verified - Separately hardened - Separately developed App-level DDoS protection Crypto-related functions Security log capturing & analysis

Separation of duty between Security & Business Logic

This is a powerful architecture Cloud Authentication (credential handling, Risk-based auth, ) Secure Communication (protocols, encryption) Crypto-related functions Core application business logic Security log capturing & analysis Security-specific logic (e.g.,jailbreak detection) App-level DDoS protection

Taking it several notches up Authentication Threat protection (DDoS, WAF) Security analytics Core application business logic Securityspecific logic Security log & analysis Platform Crypto-related functions Secure Communication

The modular view Core application business logic Implemented separately Come together at run time Security functions Implemented separately

Security is a case for modularity All programs need security Not all developers are trained in security Security has commonality from program to program Authentication logic Attack detection Security monitoring

Think about it Some are good at developing security functions Authentication, app hardening, threat protection May be unique, may be reusable Others Business logics create security use cases More efficient to rely on others to supply security functions

What makes this vision work? Standard APIs Modular way of programming Zero trust assumptions

Remember this? Cloud Authentication (credential handling, Risk-based auth, ) Secure Communication (protocols, encryption) Crypto-related functions Core application business logic Security log capturing & analysis Security-specific logic (e.g.,jailbreak detection) App-level DDoS protection

Re-examine your trust assumptions Do not assume the network is trusted No data is communicated in the clear Do not assume that the component on the other end is trusted Always engage in authentication Trust is derived, verified, not assumed

Distributing security tasks presents a host of opportunities modularity efficiency security agility

But we can t outsource all security

For the core business logic Ensure code level integrity Eliminate security vulnerabilities from the code Reduce unintended side-effects You still have to test and review the core program!

But at least Authentication (credential handling, Risk-based auth, ) Secure Communication (protocols, encryption) Crypto-related functions Your responsibility to secure Your responsibility to secure Core application business logic Security log capturing & analysis Security-specific logic (e.g.,jailbreak detection) App-level DDoS protection

And because you have standardized the interfaces Reduced attack surface Reduced the scope to monitor and verify Core application business logic

Real world examples mobile application wrapping Separate Login (PIN Code Access) Geo fencing VPN Enforcement Encryption Data Containment

Next 2-3 years and beyond

How far are we from this modular vision? Not very close Interfaces are not standardized Third party functions are not necessarily trustworthy or easily comparable Fine-grained control over data/content is not mature Modular programming for security is not widely practiced

Cloud services rely on APIs heavily 75% API > web traffic 35% of our enterprise applications include API calls to Amazon web services - CIO of a large health care company API-traffic is a major category of Internet traffic

OAuth is gaining momentum OAuth API: single keychain for authenticating to Twitter, salesforce.com, and Chatter APIs Google Apps and Gmail binding: avoiding the password antipattern SecureSpan Gateway: tool kit approach to STS for flexibility in the face of spec change WIF and Azure ACS: client and server support for.net development PingFederate: STS that allows apps to add identity information to their API calls with OAuth Force.com: complete PaaS with brandable OAuth 2 Source: June 3, 2011, The Venn Of Federated Identity Forrester report

The Cathedral vs. Bazaar Model Top down Monolithic Available to the elite Bottom up Agile Developer- centric

Modular security is a journey Isolated experiments 12 to 24 months Modular by design: Establishing API-based ecosystem programming becomes prevalent 2 to 5 years 5 to 8 years Secure by design

Recommendations Take a modular view: extract security from applications and infrastructure Adopt the API-centric model Review your trust assumptions for building applications Prepare to distribute security tasks

Questions? Chenxi Wang E: cwang@forrester.com T: @chenxiwang

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback