Protecting Enterprise Data in the Cloud

  • Thomas Vandermarliere
  • Chris Kappler

This thesis attempts to answer the following four questions. How easy is it to steal data from public Software as a Service (SaaS) solutions? What is the risk of a data breach? How can a company protect itself against this? What can and must a company do in the event of a data breach? Two use cases are used to produce a realistic risk analysis of the use of public SaaS in a large enterprise. A third use case is added to demonstrate the less visible risk of so-called Shadow-IT. A risk analysis is carried out on the basis of a selection of threats specific to public SaaS. This risk analysis uses a qualitative approach to determine the risks based on the likelihood and the impact of the various threats. Based on the risks found, solutions are described to reduce these risks. Each listed threat is linked to a possible solution for the specific use cases. The thesis concludes with several options for a company to respond to a data breach.


University or college
Universiteit Gent
Thesis year
2016
Supervisor(s)
Jan Devos
Keywords