Here is a draft of our Cloud Security Frame as part of our early exploration work for our patterns & practices Cloud Security Project. It’s a lens for looking at Cloud Security. The frame is simply a collection of Hot Spots. Each Hot Spot represents an actionable category for information. Using Hot Spots, you can quickly find pain and opportunities, or key decision points. It helps us organize principles, patterns, and practices by relevancy. For example, in this case, we use the Cloud Security Frame to organize threats, attacks, vulnerabilities and countermeasures.
Hot Spots
This is our current set of Hot Spots for our Cloud Security Frame:
- Auditing and Logging
- Authentication
- Authorization
- Communication
- Configuration Management
- Cryptography
- Exception Management
- Sensitive Data
- Session Management
- Validation
Cloud Security Frame
Here is our draft of the Cloud Security Frame with a description of each Hot Spot category:
Hot Spot | Description |
---|---|
Auditing and Logging | Auditing and logging refers to how security-related events are recorded, monitored, and audited. Examples include: Who did what and when? |
Authentication | Authentication is the process of proving identity, typically through credentials, such as a user name and password. |
Authorization | Authorization is how your application provides access controls for roles, resources and operations. |
Communication | Communication encompasses how data is transmitted over the wire. Transport security versus message encryption is covered here. |
Configuration Management | Configuration management refers to how your application handles configuration and administration of your applications from a security perspective. Examples include: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? |
Cryptography | Cryptography refers to how your application enforces confidentiality and integrity. Examples include: How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? |
Exception Management | Exception management refers to how you handle application errors and exceptions. Examples include: When your application fails, what does your application do? How much information do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully? |
Sensitive Data | Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores. Examples include: How does your application handle sensitive data? |
Session Management | A session refers to a series of related interactions between a user and your application. Examples include: How does your application handle and protect user sessions? |
Validation | Validation refers to how your application filters, scrubs, or rejects input before additional processing, or how it sanitizes output. It’s about constraining input through entry points and encoding output through exit points. Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. Examples include: How do you know that the input your application receives is valid and safe? Do you trust data from sources such as databases and file shares? |
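The Validation Hot Spot above describes constraining input at entry points (schema, size, content, character set) and encoding output at exit points. The following is an added example, not code from the original post or the patterns & practices project; the message schema, size limit, character policy and action allow-list are assumptions chosen for illustration.

```python
import html
import json
import re

# Illustrative policy values (assumptions, not from the Cloud Security Frame).
MAX_MESSAGE_BYTES = 1024                          # size check happens before parsing
ALLOWED_CHARS = re.compile(r"[\x20-\x7E]*")       # printable ASCII only (assumed policy)
# Minimal schema: field -> (type, max length); any field not listed is rejected.
SCHEMA = {"user": (str, 32), "action": (str, 16), "count": (int, None)}
ALLOWED_ACTIONS = {"read", "write"}               # allow-list, not a block-list


class ValidationError(ValueError):
    """Raised at the entry point when a message fails any check."""


def validate_message(raw: bytes) -> dict:
    """Entry point: constrain size, then structure, then content of a JSON message."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValidationError("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError("malformed payload") from exc
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        raise ValidationError("unexpected or missing fields")      # schema check
    for field, (ftype, max_len) in SCHEMA.items():
        value = msg[field]
        if type(value) is not ftype:                              # rejects bool-as-int etc.
            raise ValidationError(f"{field}: wrong type")
        if ftype is str and (len(value) > max_len or not ALLOWED_CHARS.fullmatch(value)):
            raise ValidationError(f"{field}: bad length or character set")
    if msg["action"] not in ALLOWED_ACTIONS:                      # content check
        raise ValidationError("action not permitted")
    if not 0 <= msg["count"] <= 1000:                             # range check
        raise ValidationError("count out of range")
    return msg


def render_output(value: str) -> str:
    """Exit point: encode for an HTML context so validated data cannot become markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample message for a stand-alone run.
    good = b'{"user": "alice", "action": "read", "count": 3}'
    print(validate_message(good))
    print(render_output("<b>alice</b>"))
```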
Threats, Attacks, Vulnerabilities and Countermeasures
Here is our working draft of our threats, attacks, vulnerabilities and countermeasures organized by our Cloud Security Frame:
Hot Spot | Threats, Attacks, Vulnerabilities and Countermeasures |
---|---|
Auditing and Logging | Vulnerabilities; Threats / Attacks; Countermeasures |
Authentication | Vulnerabilities; Threats / Attacks; Countermeasures |
Authorization | Vulnerabilities; Threats / Attacks; Countermeasures |
Configuration Management | Vulnerabilities; Threats / Attacks; Countermeasures |
Cryptography | Vulnerabilities; Threats / Attacks; Countermeasures |
Exception Management | Vulnerabilities; Threats / Attacks; Countermeasures |
Sensitive Data | Vulnerabilities; Threats / Attacks; Countermeasures |
Session Management | Vulnerabilities; Threats / Attacks; Countermeasures |
Validation | Vulnerabilities; Threats / Attacks; Countermeasures |
[…] Meier has published a draft of their Cloud Security Frame on his blog Shaping Software. These are the first explorations for the patterns & practices Cloud Security Project. The […]