trademark
2c2kIhh
2c2kIhh
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
4.0<br />
Endpoint Input Validation/Filtering<br />
Users should ensure that the source of data is not malicious and—if it is—should filter<br />
malicious input materials generated by that source. This challenge becomes more<br />
severe with the utilization of the “bring your own device” (BYOD) model. The following are<br />
recommended practices to achieve the best-possible input validation/filtering results.<br />
4.1 Use trusted certificates<br />
4.1.1 Why?<br />
To ensure trust in communication and prevent Sybil attacks (i.e. a single entity<br />
masquerading as multiple identities).<br />
4.1.2 How?<br />
The digital certificate certifies the ownership of a public key by the named subject of<br />
the certificate. This allows others (relying parties) to trust that signatures or assertions<br />
made by the private key (that correspond to the public key) are certified. In this model,<br />
a certificate authority (CA) is a trusted third party that is trusted by both the subject<br />
(owner) of the certificate and the party relying upon the certificate. CAs are characteristic<br />
of many public key infrastructure (PKI) schemes. There exist several open-source<br />
implementations of certificate authority software. Common to all is that they provide the<br />
necessary services to issue, revoke and manage digital certificates. Some open-source<br />
implementations are DogTag, EJBCA, gnoMint, OpenCA, OpenSSL, r509, and XCA. Validity<br />
of certificates must be verified before usage based on a periodically issued certificate<br />
revocation list (CRL) or via OCSP (Online Certificate Status Protocol). If a central authority<br />
ensures that a unique certificate is assigned to each entity in a system, then an attacker<br />
cannot fake multiple identities. A trusted certificate is the only reliable method to defend<br />
against Sybil attacks.<br />
4.2 Do resource testing<br />
4.2.1 Why?<br />
To avoid the drawback of managing certificates in a large enterprise but still achieve a<br />
minimal defense against Sybil attacks instead of preventing them.<br />
CLOUD SECURITY ALLIANCE Big Data Working Group Guidance<br />
© Copyright 2016, Cloud Security Alliance. All rights reserved.<br />
22