As a regulated cloud user, security and compliance are two of your primary concerns. This workshop covers how to keep your cloud secure and how to demonstrate that security to key stakeholders.
Specifically, it looks at what can be done to secure cloud resources and to evidence compliance for auditors, investors, due-diligence questionnaires (DDQs) and SSAE16 reports, covering:
- Strategies for securing data in transit and at rest
- Federating with your internal directory for role based access to your cloud
- Capturing and processing audit logs for security event notifications
- Fun with Infrastructure as Code – detecting and reverting misconfigurations and manual changes
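To make the last bullet concrete, here is an added example that is not from the workshop or from Hentsū: a small drift check that compares the security-group rules an Infrastructure-as-Code definition declares against the rules actually observed on the account, reports anything added by hand, reports declared rules that have gone missing, and flags observed rules that expose an administrative port to the whole internet. The rule dictionary shape, the sample declared and observed rule sets, and the list of "admin" ports are assumptions for illustration, not any provider's API. Each rule is normalised to a (protocol, from_port, to_port, cidr) tuple first, so differences in casing, string-versus-integer ports or duplicate entries are not reported as drift.

```python
from dataclasses import dataclass
from ipaddress import ip_network


# A security-group rule reduced to the fields that matter for comparison.
# This shape is an assumption for the example, not a cloud provider's API.
@dataclass(frozen=True, order=True)
class Rule:
    protocol: str   # "tcp", "udp" or "-1" (any protocol)
    from_port: int
    to_port: int
    cidr: str


def normalise(raw: dict) -> Rule:
    """Canonicalise one raw rule so cosmetic differences are not reported as drift."""
    proto = str(raw.get("protocol", "-1")).lower()
    if proto == "-1":
        # "any protocol" implies every port; fix the range so comparisons are stable.
        from_port, to_port = 0, 65535
    else:
        from_port, to_port = int(raw["from_port"]), int(raw["to_port"])
    # ip_network rewrites host bits ("10.20.1.5/16" -> "10.20.0.0/16") and rejects garbage.
    cidr = str(ip_network(raw["cidr"], strict=False))
    return Rule(proto, from_port, to_port, cidr)


# Ports a practitioner would not want reachable from the internet (assumed list).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def is_exposed(rule: Rule) -> bool:
    """True if the rule opens an admin port (or every port) to the whole internet."""
    world = rule.cidr in ("0.0.0.0/0", "::/0")
    covers_admin = any(rule.from_port <= p <= rule.to_port for p in ADMIN_PORTS)
    return world and (rule.protocol == "-1" or covers_admin)


def drift_report(declared: list[dict], observed: list[dict]) -> dict:
    """Compare IaC-declared rules with observed rules; sets make order and duplicates irrelevant."""
    want = {normalise(r) for r in declared}
    have = {normalise(r) for r in observed}
    return {
        "manual_additions": sorted(have - want),   # present on the account, absent from IaC
        "missing": sorted(want - have),            # declared in IaC, removed on the account
        "exposed": sorted(r for r in have if is_exposed(r)),
    }


def revert_actions(report: dict) -> list[tuple[str, Rule]]:
    """Turn a drift report into the actions that restore the declared state."""
    actions = [("revoke", r) for r in report["manual_additions"]]
    actions += [("authorize", r) for r in report["missing"]]
    return actions


# Constructed sample data: what the IaC declares versus what was observed.
DECLARED = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/16"},
]
OBSERVED = [
    {"protocol": "TCP", "from_port": "443", "to_port": "443", "cidr": "0.0.0.0/0"},  # same rule, different casing/types
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},        # SSH opened to the world by hand
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},        # duplicate of the line above
]

if __name__ == "__main__":
    report = drift_report(DECLARED, OBSERVED)
    for key, rules in report.items():
        print(key, [tuple(r.__dict__.values()) for r in rules])
    for action, rule in revert_actions(report):
        print(action, rule)
```

In a real pipeline the observed list would come from the provider's API, the declared list from the IaC state, and the revert actions would be applied through the same IaC tooling (so the IaC stays the source of truth) rather than by hand; the report itself is what you would feed into the security event notifications of the previous bullet.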
Cloud Security Engineering - Tools and Techniques (Gokul Alex)
Cloud Security Engineering Education Materials prepared by Gokul Alex. It covers the essential tools and techniques to protect cloud enterprise architectures and cloud information systems.
This presentation includes the concept of cloud security domains, flaws in security approaches, datacenter requirements, VMware NSX limitations and a new solution that should be complete. Finally, a guideline describing how to assess micro-segmentation.
This presentation includes a cloud security overview, the Cloud Access Security Broker (CASB), CASB's four pillars, the proxy and API deployment modes, and the advantages and limitations of each deployment mode.
Cloud Security - Emerging Facets and Frontiers (Gokul Alex)
My session on Cloud Computing Security prepared for ISC2 Bangalore Chapter MeetUp. It is a walkthrough on the fundamental axioms of cloud security with reference to architecture standards, industry best practices and a coverage of some of the most pertinent attack vectors in the recent times. This presentation delves deeper into Cloud Security Reference Architectures, Cloud Security Operating Models, Cloud Firewalls, Cloud Identity Access Management Models, Cloud Malware Concepts etc.
Cloud Security: What you need to know about IBM SmartCloud Security (IBM Security)
Safeguarding the cloud with IBM Security solutions - Maintain visibility and control with proven security solutions for public, private and hybrid clouds.
As more organizations look to deploy new or additional cloud apps to enable employee productivity, securing corporate data becomes a challenge. Cloud Access Security Brokers (CASBs) have emerged as the go-to solution for organizations that need end-to-end data security, from cloud to device.
Cloud Security & Cloud Encryption Explained by Porticor the industry leader in Cloud Data Security. Learn from Porticor the issues for cloud security and how to protect your data in the cloud. Learn more about cloud security at http://www.porticor.com
What the auditor needs to know about cloud computing (Moshe Ferber)
As more and more workloads move to the cloud, more practices need to be developed. ISACA and CSA launched the CCAK certification for auditors; in this presentation I will elaborate on the highlights of auditor knowledge in the cloud.
Azure 101: Shared responsibility in the Azure Cloud (Paulo Renato)
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
Guide to security patterns for cloud systems and data security in AWS and Azure (Abdul Khan)
Cloud has many advantages over traditional on-premises infrastructure; however, it does bring many new concerns around system security, communication security, data security, privacy, latency and availability. When designing and developing cloud SaaS applications, these security issues need to be addressed in order to ensure regulatory compliance, security and a trusted environment in AWS and Azure.
The presentation provides real-world cloud security scenarios (problem statements) and a proposed solution for each security design pattern. It also covers the different security aspects of a system, from data security to privacy and GDPR-related problems.
Everything and anything is hackable and vulnerable in some ways. Even with all the security governance and check points, businesses are still being cyberattacked & hacked regularly.
Did you know that a public IP is attacked by a hacker after just five minutes of life on the internet?
This presentation directly explores the 7 dangerous ways to Cyberattack Azure and provides countermeasures.
More importantly, provides some guidance to start protecting your business in the Cloud!
A provider's view of security in the cloud. This talk shows how the main cloud providers (AWS and Azure) build security into their cloud services and how they contribute to the shared responsibility model for security in the cloud.
Webinar presentation: November 17, 2016
Subject matter experts from the CSCC present an overview of the security standards, frameworks, and certifications that exist for cloud computing. We also discuss privacy considerations in light of new regulations (e.g., EU’s General Data Protection Regulation (GDPR)). This presentation helps cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable, Cloud Security Standards: What to Expect and What to Negotiate: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Webinar topic: Cloud Security Introduction
Presenter: Achmad Mardiansyah
In this webinar series, we are discussing Cloud Security Introduction.
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram
This session provides an introduction to simulation environments like Cyber Ranges, differentiates them from gamification systems, and discusses the emerging delivery, adoption and organizational lessons learned that are driving further adoption.
This presentation walks through the Security and Compliance functionality available to customers leveraging Azure as a compute environment. It includes deep-dive references to detailed information on each topic presented.
Doing business in China – Recent anti-corruption and bribery (Grant Thornton LLP)
China's enforcement agencies have recently made headlines in their crackdown on corruption within several industries. As a result of these high-profile investigations, multinationals are refreshing their current anti-corruption compliance and oversight programs to address China's bribery laws.
Using R in Kaggle Competitions.
Kaggle has been the most popular data science platform, linking close to half a million data scientists worldwide. How to get yourself a decent ranking in Kaggle competitions with R programming, eXtreme Gradient BOOSTing, and a laptop. Great machine learning tools for all levels to get started and learn. Find out how to perform feature engineering, tune XGB models, select sizable cross-validations and perform model ensembles.
IeFP - Vocational training in the mechanical field for young people. Three pathways: Mechanical Operator, Mechanical Systems Operator and Automotive Repair Mechatronics Operator
An engaging experience is what it takes to convert a visitor into a customer. Here are some strategies that businesses using WordPress, can use to turn fleeting WordPress visitors into loyal users.
Infinitely Scalable Clusters - Grid Computing on Public Cloud - New York (Hentsū)
Hentsū helps hedge funds and asset managers run research clusters, big data and high performance computing solutions using the public cloud.
This workshop was hosted in our NY offices and covered an introduction to grid computing using the public cloud. We also specifically looked at Google's BigQuery for running analytics across terabytes of depth market data, with some live demos.
Presentation given at HE Learn Live Arena, at Bett 2017.
This session looks at the co-creation of an inclusive learning experience for Aviation undergraduates that live-linked London and Auckland, and which combined web conferencing software, mobile apps and learning space considerations.
With Dom Pates and Dr Ivan Sikora
Infinitely Scalable Clusters - Grid Computing on Public Cloud - London (Hentsū)
Slides from our recent workshop for hedge funds and a review of the cloud grid computing options. Included some live demos tackling 2TB of full depth market data using MATLAB on AWS, and Google BigQuery with Datalab.
Webinar presented live on April 19, 2017
The Cloud Standards Customer Council has published a reference architecture for securing workloads on cloud services. The aim of this new guide is to provide a practical reference to help IT architects and IT security professionals architect, install, and operate the information security components of solutions built using cloud services.
Building business solutions using cloud services requires a clear understanding of the available security services, components and options, allied to a clear architecture which provides for the complete lifecycle of the solutions, covering development, deployment and operations. This webinar will discuss specific security services and corresponding best practices for deploying a comprehensive cloud security architecture.
Read the whitepaper: http://www.cloud-council.org/deliverables/cloud-customer-architecture-for-securing-workloads-on-cloud-services.htm
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl... (Amazon Web Services)
Does moving core business applications to AWS make sense for your organization? This session covers key business and IT considerations gathered from industry experts and real-world enterprise customers who have chosen to move their mission critical ERP applications to the AWS cloud, resulting in lower costs and better service.
This session covers the following:
- Insights from industry experts and analysts, who explain how the cloud affects costs from three angles: launch, operations, and long-term infrastructure expense
- Review of how time-to-value and cloud launch processes differ from on-premises infrastructure
- How AWS offers increased security and reliability over what some enterprises can afford on their own
Sponsored by Infor
Your organisation's data are now everywhere: on your servers and your desktop PCs; on your employees' smart phones, tablet computers and laptops; on social networks; and in public clouds. Some of these data require special protection but they also need to be accessed remotely, which makes security a considerable challenge. Can you trust public clouds to keep your data safe and secure? Can you trust your own internal systems? And on what criteria and risk management strategies should you base your trust? -- Dr Mark Ian Williams's presentation at the April 2012 'Why Cloud? Why now?' conference at the headquarters of the Institute of Chartered Accountants in England and Wales.
Cloud Security is critical to Data Security and Application Resilience against CyberAttacks. This talk looks at Security Best Practices that need to be practised.
This talk was presented at AWS Community Day Bengaluru 2019 by Amar Prusty, Cloud-Data Center Consultant Architect, DXC Technology
Security in the cloud Workshop HSTC 2014 (Akash Mahajan)
A broad overview of what it takes to be secure. This is more of an introduction, where we introduce the basic terms around Cloud Computing and how we go about securing our information assets (Data, Applications and Infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
Spoke on Securing Data in the Cloud at GISEC on 23rd May 2017. Touched on the trends, perceptions, and various controls to protect data. Finally, discussed various approaches to secure data in the cloud
Shared responsibility - a model for good cloud security (Andy Powell)
An overview of the shared responsibility model that is typically adopted by cloud providers and its impact on the way that Jisc members should build secure solutions in public cloud.
Migrating Critical Applications to the Cloud - ISACA Seattle - sanitized (UnifyCloud)
The magnitude of the migration effort to the Cloud, the complexity of both customized apps and Cloud environments, and the requirement for ongoing app-level monitoring suggests the need for what Gartner calls a “programmable security infrastructure capable of supporting security policy ‘toolchains’.”
Managing Trustworthy Big-data Applications in the Cloud with the ATMOSPHERE P... (ATMOSPHERE)
In this webinar, Francisco Brasileiro and Ignacio Blanquer will discuss the trustworthiness requirements of big-data applications deployed atop cloud infrastructures, and how the ATMOSPHERE platform can be used to handle them. This will be explained using as example a medical application developed in the context of the ATMOSPHERE project, and deployed over a transatlantic federated cloud infrastructure.
Introduction of Cloud Computing & Historical Background
Cloud Service Models & Cloud Deployment Models
Benefits of Cloud Computing
Risks and Challenges
Future Trends in Cloud Computing
Edge Computing, Serverless Computing, AI & Machine Learning in Cloud, Security and Compliance
Needs and Obstacles for Cloud Deployment
Conclusion
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
The climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Cloud Security for Regulated Firms - Securing my cloud and proving it
1. 変通 [hen-tsoo]
noun
1. Resourcefulness – the quality of being able to cope with a difficult situation
2. Adaptability – the ability to change (or be changed) to fit changed circumstances
3. Agility – the power of moving quickly and easily; nimbleness
CLOUD SECURITY FOR REGULATED FIRMS
Securing my cloud and proving it
3. AGENDA
• Why cloud?
• Hedge Fund Cloud usage update
• How secure is secure enough?
• Cloud security - Your responsibilities
• Security monitoring & enforcement
• Infrastructure as code
• Wrap up
• Drinks
4. WHAT IS PUBLIC CLOUD?
"A service provider makes resources, such as virtual machines, applications and storage, available to the general public."
• Utility model
• No contracts
• Shared hardware / multi tenant
• Self managed
5. WHAT IS PUBLIC CLOUD
• Software as a Service
  • Office 365
• Platform as a Service
  • AWS RDS, S3
  • Azure SQL Database
• Infrastructure as a Service
  • Virtual Machines
  • Virtual Disks
  • Virtual Networks
8. YOUR PUBLIC CLOUD USAGE?
Where are you today?
On Premises Bare Metal → On Premises Virtualised → Hybrid → All in Public Cloud
9. CLOUD USAGE BY HEDGE FUNDS
HFM TECHNOLOGY SURVEY FEBRUARY 2016
83% of respondents plan to increase their cloud usage in 2016
- HFM Technology survey February 2016
“all firms will be leveraging cloud to some extent” in the future
- Thomson Reuters managing director of enterprise, Mike Powell
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
10. CLOUD USAGE BY HEDGE FUNDS
43% of managers said they did not want to place potentially sensitive information in the public cloud.
- HFM Technology survey February 2016
This attitude was one of the reasons four out of 10 participants used private cloud only.
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
11. CLOUD USAGE BY HEDGE FUNDS
If using public cloud, what business functions do you run?
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
12. CLOUD USAGE BY HEDGE FUNDS
What concerns do you have about using the cloud generally?
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
13. CLOUD USAGE BY HEDGE FUNDS
For new firms especially, “cloud technology allows them the ability to avoid making large capital outlays on servers that may not be fully utilised,” argues Iain Buchanan, CTO of Piquant Technologies.
A sub-$500m quant fund launched in 2013, Piquant runs all its technology requirements through the cloud.
It has no physical servers, using exclusively cloud services.
https://hfm.global/hfmtechnology/analysis/hybrid-solutions-tipped-as-more-managers-embrace-the-cloud/
15. WE’VE BEEN HERE BEFORE?
How to cure NEPHOPHOBIA (fear of clouds)
16. HOW SECURE IS SECURE ENOUGH?
REGULATORY REQUIREMENTS & INDUSTRY STANDARDS
17. WHAT ARE THE REQUIREMENTS
The following Cloud Computing guidance is available:
• United Kingdom
  • Financial Conduct Authority (FCA)
• United States
  • Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE)
https://en.wikipedia.org/wiki/List_of_financial_regulatory_authorities_by_country
18. WHAT DOES THE FCA SAY?
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf
“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
“We have successfully supported both new and existing firms to use cloud and other IT service solutions in a compliant manner.”
19. WHAT DOES THE FCA SAY?
• Risk Management
  • identify current industry good practice, including data and information security management system requirements
• International standards
  • In conducting its due diligence on potential third-party providers, and as part of ongoing monitoring of service provision, a firm may wish to take account of the provider’s adherence to international standards as relevant to the provision of IT services.
• Data security
  • Firms should carry out a security risk assessment
  • have a data residency policy that sets out where data can be stored
“Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities.”
“Firms cannot delegate any part of this responsibility to a third party.”
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf
23. INDUSTRY STANDARDS - ISO 27001
“an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that formally defines requirements for a complete ISMS to help protect and secure an organization’s data”
Requirements: “User access is centrally managed using appropriate solution”
Controls: “AWS Identity and Access Management (IAM) reuses Active Directory identities and groups via AD federation services.”
http://www.iso.org/iso/iso27001
24. INDUSTRY STANDARDS - ISO 27001
• Management direction for information security
• Responsibility for assets
• Information classification
• Business requirements of access control
• User access management
• User responsibilities
• System and application access control
• Cryptographic controls
• Operational procedures and responsibilities
• Protection from malware
• Backup
• Logging and monitoring
• Control of operational software
• Technical vulnerability management
• Information systems audit considerations
• Network security management
• Information transfer
• Security in development and support processes
• Test data
• Information security in supplier relationships
• Management of information security incidents and improvements
• Information security reviews
http://www.iso.org/iso/iso27001
25. DATA CLASSIFICATION AND CONTROLS
| | Restricted | Confidential | Public |
|---|---|---|---|
| Data examples | Strategy source code; Restricted documents; Cleaned tickdata | Back office app source code; Logs and monitoring data; Vendor data; Company confidential data | 3rd party software binaries; IT automation scripts; Public website content |
| Access | Access controlled to authorised users & intended audience; Protection from System Admin access; Access logged; Access approved by Information Owner | Access controlled to authorised users & intended audience; Access logged; Access approved by Information Owner | No specific requirements |
| Transmission | Encrypted in transit | Encrypted in transit | No specific requirements |
| Storage | Encrypted storage; Data resident in UK | Encrypted storage; Data resident in UK | No specific requirements |
| Disposal | Secure erase | Secure erase | No specific requirements |
26. ACCESS CONTROL
Who needs access to what?
• Use the same procedures for on premises as cloud
• Joiners and leavers processes
• Single sign on
• Multifactor authentication (but what about scripts/scheduled tasks)
• Least privilege
• Separation of roles and responsibilities
• Time based access (Just In Time Access, temporary access, escalate, drop back)
27. DATA TRANSMISSION
• Encrypt data in transit (traversing 3rd party networks / public internet)
• Virtual Private Network (VPN)
• Use encrypted protocols: HTTPS, SFTP, SMB 3.0
28. DATA STORAGE
• AWS Elastic Block Store (EBS) - server side encryption for virtual disks
• Data volumes and also boot volumes (since Dec 2015)
• AWS Simple Storage Service (S3) server side encryption for objects
• Azure Client Side disk encryption Bitlocker (Windows), DM-crypt (Linux)
• Azure Server Side encryption in preview, GA due August/September 2016
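An added example (not from the slides) that checks a constructed storage inventory against the controls in the data classification table above and the encryption requirements on this slide. It assumes that "Data resident in UK" is satisfied by the AWS eu-west-2 (London) region and that each resource records its own classification; both are assumptions, not something the slides state.

```python
# Added example (not from the slides): audit a constructed storage inventory
# against the "Data classification and controls" slide. Assumptions: the UK
# residency requirement is met by the AWS eu-west-2 (London) region, and each
# resource carries its classification as an attribute.
from dataclasses import dataclass
from typing import Dict, List

CONTROLS = {  # controls per classification, as the slide sets them out
    "Restricted":   {"encrypted": True, "resident_uk": True},
    "Confidential": {"encrypted": True, "resident_uk": True},
    "Public":       {"encrypted": False, "resident_uk": False},  # no specific requirements
}
UK_REGIONS = {"eu-west-2"}  # assumption: London region satisfies "Data resident in UK"

@dataclass
class StorageResource:
    name: str
    kind: str             # e.g. "ebs-volume" or "s3-bucket"
    classification: str
    region: str
    encrypted: bool       # server-side encryption enabled

def violations(res: StorageResource) -> List[str]:
    """Control failures for one resource; an empty list means it is compliant."""
    if res.classification not in CONTROLS:
        return [f"{res.name}: unknown classification {res.classification!r}"]
    required = CONTROLS[res.classification]
    found = []
    if required["encrypted"] and not res.encrypted:
        found.append(f"{res.name}: {res.classification} data requires encrypted storage")
    if required["resident_uk"] and res.region not in UK_REGIONS:
        found.append(f"{res.name}: {res.classification} data must be resident in UK, found {res.region}")
    return found

def audit(inventory: List[StorageResource]) -> Dict[str, List[str]]:
    """Map each non-compliant resource name to its failures; compliant ones are omitted."""
    return {res.name: violations(res) for res in inventory if violations(res)}

# Constructed sample inventory (not real resources)
SAMPLE_INVENTORY = [
    StorageResource("strategy-src-vol", "ebs-volume", "Restricted", "eu-west-2", True),
    StorageResource("tickdata-bucket", "s3-bucket", "Restricted", "us-east-1", True),
    StorageResource("backoffice-logs", "s3-bucket", "Confidential", "eu-west-2", False),
    StorageResource("www-static", "s3-bucket", "Public", "us-east-1", False),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INVENTORY).items():
        print(name, problems)
```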
31. AWS TRUSTED ADVISOR
• Security Groups - Specific Ports Unrestricted
• Security Groups - Unrestricted Access
• IAM Use
• Amazon S3 Bucket Permissions
• MFA on Root Account
• IAM Password Policy
• Amazon RDS Security Group Access Risk
• AWS CloudTrail Logging
• Amazon Route 53 MX and SPF Resource Record Sets
• ELB Listener Security
• ELB Security Groups
• CloudFront Custom SSL Certificates in the IAM Certificate Store
• CloudFront SSL Certificate on the Origin Server
• IAM Access Key Rotation
• Exposed Access Keys
https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
32. AWS CLOUDTRAIL
Audit Trail for every use of AWS API
• The identity of the API caller.
• The time of the API call.
• The source IP address of the API caller.
• The request parameters.
• The response elements returned by the AWS service
Extendable for Event Notifications and Analytics
(CloudWatch, Splunk, SumoLogic, LogEntries, Datadog, LogicMonitor, Open Source)
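An added example (not from the slides) of turning the five CloudTrail fields listed above into security event notifications. The records are constructed to mirror the CloudTrail record schema, and the three detection rules are assumptions modelled on the Trusted Advisor checks on the previous slide (root MFA, unrestricted security groups, CloudTrail logging).

```python
# Added example (not from the slides): turn CloudTrail records into security
# event notifications. The records are constructed to mirror the CloudTrail
# schema (caller identity, time, source IP, request parameters, response
# elements); the three rules are assumptions modelled on Trusted Advisor checks.
import json

CONSTRUCTED_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-01T09:12:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "requestParameters": None,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-06-01T09:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"_return": True},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-01T09:20:00Z", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"name": "audit-trail"},
     "responseElements": None},
    {"eventTime": "2016-06-01T09:25:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {}, "responseElements": None},
]})

def caller(rec):
    """Identity of the API caller: user name, else ARN, else identity type."""
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def opens_to_world(rec):
    """True if the request adds a security group ingress rule for 0.0.0.0/0."""
    perms = (rec.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))

def alerts(log_text):
    """(time, caller, source IP, message) for each record that should raise a notification."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        name, msg = rec["eventName"], None
        if name == "ConsoleLogin" and (rec.get("userIdentity") or {}).get("type") == "Root" \
                and (rec.get("additionalEventData") or {}).get("MFAUsed") == "No":
            msg = "root console login without MFA"          # cf. "MFA on Root Account"
        elif name == "AuthorizeSecurityGroupIngress" and opens_to_world(rec):
            msg = "security group opened to 0.0.0.0/0"      # cf. "Security Groups - Unrestricted Access"
        elif name in ("StopLogging", "DeleteTrail"):
            msg = "CloudTrail logging disabled: " + name    # cf. "AWS CloudTrail Logging"
        if msg:
            out.append((rec["eventTime"], caller(rec), rec["sourceIPAddress"], msg))
    return out
```

The benign DescribeInstances record produces no alert, which is the point of the rules: notify on the few events that matter rather than forwarding every API call.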