Cloud Security Task List
- J.D. Meier,
Prashant Bansode, Paul Enfield
Task lists are a compilation of expected activities of customers with this technology. We attempt to determine the areas that will likely need the most guidance and prioritize them here.
- Auditing and Logging
- Code Access Security
- Data Access
- Exception Management
- Logging and instrumentation
- Session Mgmt
Auditing and Logging
- How to log information in the cloud securely.
- How to avoid storing sensitive information in log files.
- How to identify the operations and events to be logged.
- How to archive log information in a secure location.
- How to handle log failures.
- How to retrieve log information from the cloud.
- How to authenticate in the cloud.
- How to protect from brute force / dictionary attacks.
- How to protect credentials.
- How to protect user accounts.
- How to authenticate mobile device users against cloud user store.
- How to federate identities and claims.
- How to choose an authentication strategy for cloud based application.
- How to use local directory as user store with cloud based application.
- How to deploy and use user store in the cloud.
- How to map user in local directory using an on-premises STS.
- How to map a Windows login ID to a claims token using an STS.
- How to choose authorization strategy.
- How to use role store in clouds.
- How to decide authorization granularity for your application.
- How to map groups in local directory to roles in the claims.
- How to migrate from a role based implementation to a claims based authorization model.
- How to use roles as part of the claims.
- How to authorize users based on claims
Code Access Security
- How to use code access security for constraining your cloud application.
- How to use partial trust in your cloud application.
- How to use full trust for your cloud application
- How to choose protocol, security and communication-style for communication with your cloud application.
- How to secure any sensitive data that is sent across the network
- How to choose between message security and transport security
- How to protect connection strings.
- How to use Windows authentication.
- How to design an exception management strategy.
- How to scrub exception message for secure exception handling.
- How to deal with sensitive information when handling the exception.
- How to deal with unhandled exceptions
Logging and instrumentation
- How to implement non-disruptive administration functionality.
- How to choose which configurable options should be exposed.
- How to choose a secure state store.
- How to identify the data to be stored in session store.
- How to handle session state in a single application instance.
- How to handle session state in multiple application instances.
- How to secure your session store.
- How to encrypt session ID’s
- How to identify trust boundaries for validation.
- How to design your validation strategy to constrain, reject, and sanitize malicious input.
- How to efficiently and securely validate input data.
- How to secure Ajax validation.
- How to safely pass dynamic query language (TSQL) to cloud data access components.
- How to do REST url scrubbing.
- How to use SOAP request XML scrubbing/schema validation.