Difference between revisions of "Cloud-10 Infrastructure Security"

From OWASP
Jump to: navigation, search
(R9:Infrastructure Security)
Line 1: Line 1:
== R9:Infrastructure Security ==
+
== R9:Infrastructure Security ==
 +
 
 +
The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications.
 +
 
 +
<br>
  
 
Security Risks  
 
Security Risks  
Line 6: Line 10:
  
 
#Default configurations of systems and network devices  
 
#Default configurations of systems and network devices  
#All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
+
#All services, even active, unused ones, may contain security related bugs that potentially can be exploited.  
#Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
+
#Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.  
#Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
+
#Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture  
#Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
+
#Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents  
#All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.  
+
#All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.
  
 +
<br>
  
 +
<br>
  
 +
Countermeasures
  
 +
<br>
  
Countermeasures
+
#
 +
#Hardening of operating systems, applications and configurations
 +
#Tiering of the solution architecture
 +
#Isolation of infrastructure components, for example through the use of network ACLs, to reduce the <br>
 +
#Role-based administrative access, restricted administrative privileges
 +
#Regular vulnerability assessments
  
 +
<br>
  
 +
References
  
##Hardening of operating systems, applications and configurations
+
#Center for Internet Security (CISecurity)
#Tiering of the solution architecture
+
#Containment
+
#Role-based administrative access, restricted administrative privileges
+
#Regular vulnerability assessments
+
  
  

Revision as of 09:31, 17 May 2010

R9:Infrastructure Security

The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications.


Security Risks


  1. Default configurations of systems and network devices
  2. All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
  3. Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
  4. Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
  5. Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
  6. All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.



Countermeasures


  1. Hardening of operating systems, applications and configurations
  2. Tiering of the solution architecture
  3. Isolation of infrastructure components, for example through the use of network ACLs, to reduce the
  4. Role-based administrative access, restricted administrative privileges
  5. Regular vulnerability assessments


References

  1. Center for Internet Security (CISecurity)