Cloud Security Questions

- J.D. Meier, Prashant Bansode, Paul Enfield.

These questions will ultimately be factored into the Q&A sections of the guide.

Hot Spots

  • Auditing and Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Communication
  • Data Access
  • Exception Management
  • Infrastructure
  • Logging and instrumentation
  • Session Management
  • Validation

Auditing and Logging

P1
  • How do I log security-relevant information?
  • How do I create audit trails?
  • How do I securely log information?

P2
  • How do I identify the operations and events to be logged?
  • How do I archive log information?
  • How do I handle log failures?
  • How do I avoid storing sensitive information in log files?
  • How do I retrieve log information from the cloud?
  • How can I securely monitor events logged in real-time?

Authentication

P1
  • How do I choose an authentication strategy for a cloud-based application?
  • How do I accept different authentication methods with a single model?
  • How do I use cloud storage as a user store?

P2
  • How do I use a local directory as a user store with a cloud-based application?
  • How do I map a user in a local directory to an internal STS?
  • How do I map a Windows login ID claims token?
  • How do I combine claims associated with identities from separate user stores into a new set of claims useful for my application?
  • How do I authenticate mobile device users against a cloud user store?
  • How do I mitigate risks of weak passwords in a federated system?
  • How do I authenticate an OpenID user?

Authorization

P1
  • How do I choose an authorization strategy in the cloud?
  • What is the best strategy for migrating roles authorization to claims authorization?
  • How do I use a role store in the cloud?

P2
  • How do I decide authorization granularity for my application?
  • How do I map groups in a local directory to roles in the claims?
  • How do I use roles as part of the claims?
  • How do I authorize users based on claims?
  • How do I chain claims?
  • How do I establish a trust relationship with an Issuing Authority?

Code Access Security

P1
  • How do I use partial trust in my cloud application?

P2
  • How do I use code access security for constraining my cloud application?
  • How do I use full trust for my cloud application?

Communication

P1
  • How do I secure any sensitive data that is sent across the network?
  • How do I choose between message security and transport security?

P2
  • How do I choose the protocol, security, and communication style for communication with my cloud application?

Data Access

P1
  • What level of configurability in data storage location is there?
  • How do I connect to the database securely in the cloud?
  • How do I encrypt connection strings in the cloud?
  • How do I protect data in the cloud?
  • How do I access corporate data from the cloud?

P2
  • How do I protect my application data?
  • How do I protect data stored in Cloud Storage?

Exception Management

P1
  • How do I design a secure exception management strategy?
  • How do I deal with sensitive information when handling the exception?

P2
  • How do I scrub exception messages for secure exception handling?
  • How do I deal with unhandled exceptions?

Infrastructure

P1
  • What types of ingress/egress filtering are available?

P2
  • What is the strategy for data management (backup, recovery, etc.) for cloud applications?
  • What federal standards does Azure comply with?
  • What is the Microsoft SLA?
  • What are the Disclosure agreements in place?
  • Is there a Host-Based Inspection (HBI) system in place?
  • What level of certification does the Host-Based Inspection (HBI) have?
  • How do patches get rolled out to online systems and active VMs?
  • What security assurances are in place for data backups?
  • Will data be limited regionally? That is, will North American data be maintained physically within the NA continent?
  • What is the Cert storage solution?

Session Management

P1
  • How do I design an effective session management strategy?
  • What are threats, attacks, and vulnerabilities with state management?

P2
  • How do I choose a state store?
  • How do I identify the data to be stored in session store?
  • How do I handle session state in a single application instance?
  • How do I handle session state in multiple application instances?
  • How do I secure my session store?
  • How and when should I encrypt session IDs?

Validation

P1
  • How do I validate input?
  • How do I design my validation strategy to constrain, reject, and sanitize malicious input?

P2
  • How do I identify trust boundaries for validation?
  • How do I efficiently and securely validate input data?
  • How do I perform secure Ajax validation?
  • How do I safely pass dynamic query language (TSQL) to cloud data access components?
  • How do I scrub REST URLs?
  • How do I use SOAP request XML scrubbing/schema validation?


Last edited Sep 8, 2009 at 9:38 PM by paulenfield, version 2
