Cloud Security Frame

- J.D. Meier, Prashant Bansode, Paul Enfield.

Frames are a lens for looking at Cloud Security. The frame is simply a collection of Hot Spots. Each Hot Spot represents an actionable category for information. Using Hot Spots, you can quickly find pain points, opportunities, or key decision points. It helps us organize principles, patterns, and practices by relevancy. For example, in this case, we use the Cloud Security Frame to organize threats, attacks, vulnerabilities and countermeasures.

Hot Spots

  • Auditing and Logging
  • Authentication
  • Authorization
  • Communication
  • Configuration Management
  • Cryptography
  • Exception Management
  • Sensitive Data
  • Session Management
  • Validation


Hot Spot Descriptions

Auditing and Logging
  Auditing and logging refers to how security-related events are recorded, monitored, and audited. Examples include: Who did what and when?

Authentication
  Authentication is the process of proving identity, typically through credentials, such as a user name and password.

Authorization
  Authorization is how your application provides access controls for roles, resources and operations.

Communication
  Communication encompasses how data is transmitted over the wire. Transport security versus message encryption is covered here.

Configuration Management
  Configuration management refers to how your application handles configuration and administration of your applications from a security perspective. Examples include: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured?

Cryptography
  Cryptography refers to how your application enforces confidentiality and integrity. Examples include: How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong?

Exception Management
  Exception management refers to how you handle application errors and exceptions. Examples include: When your application fails, what does your application do? How much information do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?

Sensitive Data
  Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores. Examples include: How does your application handle sensitive data?

Session Management
  A session refers to a series of related interactions between a user and your application. Examples include: How does your application handle and protect user sessions?

Validation
  Validation refers to how your application filters, scrubs, or rejects input before additional processing, or how it sanitizes output. It's about constraining input through entry points and encoding output through exit points. Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. Examples include: How do you know that the input your application receives is valid and safe? Do you trust data from sources such as databases and file shares?
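The Validation and Exception Management hot spots above describe two halves of one request path: constrain the message at the entry point (size, schema, content, character set), encode data at the exit point, and when something fails, give the caller a friendly response while the detail goes to the log. The following is an added example written for this page, not code from the Cloud Security Frame authors; the message schema, the limits, the `orders` logger name and the correlation-id scheme are all constructed assumptions.

```python
import html
import json
import logging
import re
import uuid

# Constructed limits for this example; a real service would derive them from its own schema.
MAX_MESSAGE_BYTES = 1024
# Allow-list for the name field: constrain characters and length at the entry point.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")
REQUIRED_FIELDS = {"name": str, "quantity": int}

logger = logging.getLogger("orders")  # assumed logger name


class ValidationError(ValueError):
    """Raised when a message fails schema, size, content or character-set checks."""


def validate_message(raw: bytes) -> dict:
    """Constrain input at the entry point: size, well-formedness, schema, character set, range."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValidationError(f"message of {len(raw)} bytes exceeds {MAX_MESSAGE_BYTES}")
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"message is not well-formed JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValidationError("message must be a JSON object")
    unexpected = set(payload) - set(REQUIRED_FIELDS)
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    for field, expected in REQUIRED_FIELDS.items():
        if field not in payload:
            raise ValidationError(f"missing field: {field}")
        value = payload[field]
        # bool is a subclass of int in Python, so reject it explicitly for integer fields.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise ValidationError(f"field {field} must be {expected.__name__}")
    if not ALLOWED_NAME.fullmatch(payload["name"]):
        raise ValidationError("field name has disallowed characters or length")
    if not 1 <= payload["quantity"] <= 1000:
        raise ValidationError("field quantity out of range")
    return payload


def render_confirmation(order: dict) -> str:
    """Encode output at the exit point so the data is inert in an HTML context."""
    return f"<p>Order for {html.escape(order['name'])} x {order['quantity']}</p>"


def handle_request(raw: bytes) -> tuple[int, str]:
    """Map failures to a friendly response; keep the detail in the log under a correlation id."""
    correlation_id = uuid.uuid4().hex
    try:
        order = validate_message(raw)
        return 200, render_confirmation(order)
    except ValidationError as exc:
        # The reason is logged for the operator; the caller sees only a reference id.
        logger.warning("request %s rejected: %s", correlation_id, exc)
        return 400, f"<p>Request could not be processed. Reference: {correlation_id}</p>"
    except Exception:
        # Unexpected failure: full traceback to the log, generic message to the caller.
        logger.exception("request %s failed unexpectedly", correlation_id)
        return 500, f"<p>An internal error occurred. Reference: {correlation_id}</p>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample messages: one valid, one oversized, one with disallowed characters.
    for sample in (b'{"name": "widget", "quantity": 3}', b"x" * 2000, b'{"name": "<b>", "quantity": 3}'):
        print(handle_request(sample))
```

The design point is the split between `validate_message`, which rejects anything outside the allow-list before it is processed, and `handle_request`, which never echoes the rejected input or the exception text back to the caller. The correlation id is what lets an operator find the detailed log line from a user's error report.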

Last edited Aug 22, 2009 at 12:54 AM by paulenfield, version 6