Cloud Security Task List

- J.D. Meier, Prashant Bansode, Paul Enfield.

A task list is a compilation of the activities customers are expected to perform with this technology. We attempt to determine the areas that will likely need the most guidance and prioritize them here.

Hot Spots

  • Auditing and Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Communication
  • Data Access
  • Exception Management
  • Logging and instrumentation
  • Session Mgmt
  • Validation

Auditing and Logging

P1
  • How to log information in the cloud securely.
  • How to avoid storing sensitive information in log files.

P2
  • How to identify the operations and events to be logged.
  • How to archive log information in a secure location.
  • How to handle log failures.
  • How to retrieve log information from the cloud.

Authentication

P1
  • How to authenticate in the cloud.
  • How to protect from brute force / dictionary attacks.
  • How to protect credentials.
  • How to protect user accounts.

P2
  • How to authenticate mobile device users against a cloud user store.
  • How to federate identities and claims.
  • How to choose an authentication strategy for a cloud-based application.
  • How to use a local directory as the user store with a cloud-based application.
  • How to deploy and use a user store in the cloud.
  • How to map a user in a local directory using an on-premises STS.
  • How to map a Windows login ID to a claims token using an STS.

Authorization

P1
  • How to choose an authorization strategy.
  • How to use a role store in the cloud.

P2
  • How to decide authorization granularity for your application.
  • How to map groups in local directory to roles in the claims.
  • How to migrate from a role based implementation to a claims based authorization model.
  • How to use roles as part of the claims.
  • How to authorize users based on claims.

Code Access Security

  • How to use code access security for constraining your cloud application.
  • How to use partial trust in your cloud application.
  • How to use full trust for your cloud application.

Communication

  • How to choose the protocol, security, and communication style for communication with your cloud application.
  • How to secure any sensitive data that is sent across the network.
  • How to choose between message security and transport security.

Data Access

  • How to protect connection strings.
  • How to use Windows authentication.

Exception Management

  • How to design an exception management strategy.
  • How to scrub exception messages for secure exception handling.
  • How to deal with sensitive information when handling exceptions.
  • How to deal with unhandled exceptions.

Logging and instrumentation

  • How to implement non-disruptive administration functionality.
  • How to choose which configurable options should be exposed.

Session Mgmt

  • How to choose a secure state store.
  • How to identify the data to be stored in session store.
  • How to handle session state in a single application instance.
  • How to handle session state in multiple application instances.
  • How to secure your session store.
  • How to encrypt session IDs.

Validation

  • How to identify trust boundaries for validation.
  • How to design your validation strategy to constrain, reject, and sanitize malicious input.
  • How to efficiently and securely validate input data.
  • How to secure Ajax validation.
  • How to safely pass dynamic query language (TSQL) to cloud data access components.
  • How to do REST URL scrubbing.
  • How to use SOAP request XML scrubbing/schema validation.


Last edited Aug 22, 2009 at 12:01 AM by paulenfield, version 2
