Cloud Security Questions
- J.D. Meier, Prashant Bansode, Paul Enfield
These questions will ultimately be factored into the Q&A sections of the guide.
Cloud Security Questions
- Auditing and Logging
- Code Access Security
- Data Access
- Exception Management
- Logging and instrumentation
- Session Mgmt
Auditing and Logging
- How do I log security-relevant information?
- How do I create audit trails?
- How do I securely log information?
- How do I identify the operations and events to be logged?
- How do I archive log information?
- How do I handle log failures?
- How do I avoid storing sensitive information in log files?
- How do I retrieve log information from the cloud?
- How can I securely monitor events logged in real-time?
- How do I choose an authentication strategy for a cloud-based application?
- How do I accept different authentication methods with a single model?
- How do I use cloud storage as a user store?
- How do I use a local directory as a user store with a cloud-based application?
- How do I map a user in a local directory to an internal STS?
- How do I map a Windows login ID claims token?
- How do I combine claims associated with identities from separate user stores into a new set of claims useful for your application?
- How do I authenticate mobile device users against a cloud user store?
- How do I mitigate risks of weak passwords in a federated system?
- How do I authenticate an OpenID user?
- How do I choose an authorization strategy in the cloud?
- What is the best strategy for migrating roles authorization to claims authorization?
- How do I use a role store in the cloud?
- How do I decide authorization granularity for your application?
- How do I map groups in a local directory to roles in the claims?
- How do I use roles as part of the claims?
- How do I authorize users based on claims?
- How do I chain claims?
- How do I establish a trust relationship with an Issuing Authority?
Code Access Security
- How do I use partial trust in your cloud application?
- How do I use code access security for constraining your cloud application?
- How do I use full trust for your cloud application?
- How do I secure any sensitive data that is sent across the network?
- How do I choose between message security and transport security?
- How do I choose protocol, security and communication-style for communication with your cloud application?
- What level of configurability in data storage location is there?
- How do I connect to the database securely in the cloud?
- How do I encrypt connection strings in the cloud?
- How do I protect data in the cloud?
- How do I access corporate data from the cloud?
- How do I protect my application data?
- How do I protect data stored in Cloud Storage?
- How do I design a secure exception management strategy?
- How do I deal with sensitive information when handling the exception?
- How do I scrub exception messages for secure exception handling?
- How do I deal with unhandled exceptions?
- What types of ingress/egress filtering are available?
- What is the strategy for data management (backup, recovery, etc.) for cloud applications?
- What federal standards does Azure comply with?
- What is the Microsoft SLA?
- What are the Disclosure agreements in place?
- Is there a Host-Based Inspection (HBI) system in place?
- What level of certification does the Host-Based Inspection (HBI) have?
- How do patches get rolled out to online systems and active VMs?
- What security assurances are in place for data backups?
- Will data be limited regionally? i.e. will North American data be maintained physically within the NA continent?
- What is the Cert storage solution?
- How do I design an effective session management strategy?
- What are threats, attacks, and vulnerabilities with state management?
- How do I choose a state store?
- How do I identify the data to be stored in session store?
- How do I handle session state in a single application instance?
- How do I handle session state in multiple application instances?
- How do I secure your session store?
- How and when should I encrypt session IDs?
- How do I validate input?
- How do I design your validation strategy to constrain, reject, and sanitize malicious input?
- How do I identify trust boundaries for validation?
- How do I efficiently and securely validate input data?
- How do I perform secure Ajax validation?
- How do I safely pass dynamic query language (TSQL) to cloud data access components?
- How do I scrub REST URLs?
- How do I use SOAP request XML scrubbing/schema validation?