Difference between revisions of "Category:OWASP Cloud ‐ 10 Project"

From OWASP
Revision as of 09:33, 9 November 2009

Main

Cloud Top 10 Security Risks

Goal

The goal of the project is to maintain a list of the top 10 security risks faced with Cloud Computing and SaaS models. The list will be maintained with input from the community, security experts, and security incidents at cloud/SaaS providers.

Audience

The audience for the project will be organizations planning to leverage an external cloud environment to host their applications, or to rent applications in a SaaS (Software as a Service) model. The aim of the "OWASP Cloud-10" list is to help balance security risks against the cost advantage that the Cloud and SaaS models provide. We expect Cloud and SaaS providers to be an indirect audience for "OWASP Cloud-10", when they showcase their security controls to potential customers against this list.

Managing OWASP Cloud-10 List (Pre-Alpha)

The “OWASP Cloud-10” list will be maintained with input from the community, security experts, and security incidents at cloud/SaaS providers.

Each of the identified risks in "OWASP Cloud-10" will provide details on:

  • Various Risk Scenarios
  • Real World Examples
  • Possible Mitigations and Security Controls
  • Reference to any related Incident


OWASP Cloud-10 List

Initial pre-alpha list of OWASP Cloud Top 10 Security Risks

R1 - Accountability and Data Ownership in Cloud (Pankaj)

R2 - Federating User Identity (Vinay)
It is very important for enterprises to keep control over user identities as they move services and applications to different cloud providers, rather than letting cloud providers create multiple islands of identities that become too complex to manage down the line. Users should be uniquely identifiable with a federated authentication mechanism (e.g. SAML) that works across the cloud providers. The user experience is enhanced when he/she does not have to manage multiple user IDs and credentials. This allows easier back-end data integration between cloud providers.

R3 - Privacy of Users (Vinay)
Users' personal data gets stored in the cloud as they start using social web sites. Most of the social sites are vague about how they will handle users' personal data. Additionally, most of the social sites go with a default share-all (least restrictive) setup for the user. E.g., via LinkedIn, Twitter and Facebook it is very easy to deduce personal details of users.

R4 - Secure service integration among cloud providers and consumers (Shankar)

R5 - Secondary Usage of Data by Cloud Providers (Vinay)
Need to ensure with your cloud providers what data can or cannot be used by them for secondary purposes. This includes data that can be mined directly from user data by providers, or indirectly based on user behavior (clicks, incoming/outgoing URLs, etc.). Many social application providers mine user data for secondary usage, e.g. directed advertising. No wonder that when many of us use our personal Gmail/Hotmail or Yahoo account to tell a friend our vacation plans, we immediately start seeing advertisements for hotels/flights near the destination.

R6 - Complex to Demonstrate Regulatory Compliance (Shankar)
Data that is perceived to be secure in one country may not be perceived as secure in another country or region. For example, the European Union has very strict privacy laws.

R7 - Risk of Not having the Right Level of Insurance and Accountability in SLAs (Control ?? - Service Availability Risk) (Pankaj)

R8 - Incident analysis and forensic support (Shankar)

R9 - Business Continuity and Resiliency (Pankaj)

R10 - Controlling exposure to non-prod and internal environments (Vinay)

R11 - Multi Tenancy and Physical Security (Shankar)

Table 1: Top 10 Cloud - Security Risks

Other OWASP Cloud-10 Candidates

  • Service Availability Risk
  • Multi-Tenancy
  • Integration between cloud and internally hosted services
  • Patching and Vulnerability Management
  • Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
  • Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)


These need to be debated, and for each of them we may need to add a separate placeholder page with the following details.

  • Various Risk Scenarios
  • Real World Examples
  • Possible Mitigation and Security Controls
  • Reference to any related Incident


Roadmap (Status)

Alpha State

Approach:

  • Criteria: a) Easily Executable, b) Most Damaging, c) Incidence Frequency (Known)
  • Top 10
  • Normalize Verbiage, Describe

  1. Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)
  2. Ask contributors to collect more data and details on each risk item (until Aug 2009)
  3. Get initial community feedback by discussing it in various blogs, discussion forums, etc. (until Aug-Sept 2009)

Beta State

  1. Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
  2. Identify additional candidates
  3. ... (repeat steps as in Alpha)


Reference

Related Efforts

  1. Cloud Security Alliance - http://www.cloudsecurityalliance.org/
  2. IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

Related OWASP Projects

  1. OWASP Top Ten Project
  2. OWASP Legal Project


Contributors

Project Leaders

Vinay Bansal
Shankar Babu Chebrolu
Martin G. Nystrom
Jim Born

Ken Huang

Contributors



  1. Subscribe or read the Cloud-10 mail archives

Project Details


What is this project?
OWASP Cloud ‐ 10 Project

Purpose: The goal of the project is to maintain a list of the top 10 security risks faced with Cloud Computing and SaaS models. The list will be maintained with input from the community, security experts, and security incidents at cloud/SaaS providers.

License: N/A

Who is working on this project?
Project Leader: Vinay Bansal @

Project Maintainer:

Project Contributor(s):

How can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: Subscribe or read the archives

Project Roadmap: see the Roadmap (Status) section above

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact Vinay Bansal @ to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
Current release
First Release - Unknown Date - (no download available)

Release Leader: N/A

Release details: Main links, release roadmap and assessment

Rating: Not Reviewed
To be reviewed under Assessment Criteria v2.0


