A history and status of cloud security
Thibault Koechlin – Emile Heitor
1990 – 2018: 50 shades of hosting
[Timeline figure, labelled « Internalized Information System »: 90’s; 00’s: IS moved to the datacenter; 10’s: IS on SaaS; 2016: On premise datacenters]

LEGACY: 1990 - 2000
EVERYTHING ON PREMISE, DAD’S IT
Self-hosted
• IT « controls » the servers
– Near to no industrialisation
– No patching, partner’s strength merely ignored
– Local threats (floppies, co-workers, pirates)
– First Internet accesses, almost no filtering
Self-hosted
• Targeted attacks, infosec is not even a thing (phrack: 85)
• From the defense PoV, we were pretty much naked
BUBBLES: 2000 - 2010
WHEN HYBRIDIZATION WAS NOT EVEN A BUZZWORD YET
Internet is the worm
• Links on the rise, the world is connecting fast
• Datacenters are slowly ruling the industry, but
– Low to no standardization & security
– Public infrastructure
– Clear-text protocols
• Development methods
– Near to no versioning mechanisms
– Near to non-existent code reviews
First paradigm shift
• The pivot: Internet is now part of the network
• From the attacker’s PoV, the era of memleaks has begun
• From the protection PoV, risk analysis is in its early stages
DEMATERIALIZATION: 2010 - 2016
VIRTUALIZATION OPENS THE PATH TO INFRASTRUCTURE AS CODE
VMWare, Xen, KVM…
• Mature virtualization technologies, but
– Increasing number of ghost machines
– Deployments are now available to everyone
– Wider security risks
– Expensive downtimes
• Even wider exposure
– OVH, Online, Hetzner: the temporary that lasts
– Low costs mean more and more exposure
Defensive maturity
• Better handling of infrastructure issues, but now the DDoS threat emerges
• Virtualization security is still not a real deal, as blue pill / red pill attacks are still technical fantasies
– XEN: 2003
– XEN sold to Citrix: 2007
– First XSA: 2011 (last XSA: 262)
Attackers maturity
• While SQLi has existed since ~2000, this era has witnessed its rise
– Memleaks are less common
– Updates are (hopefully) available regularly
– Hardening solutions are getting robust
– « Web » vulnerabilities are far more accessible
• From days to hours to exploit
• Attacks are becoming more common as the surface grows
How to evaluate your partners
• IT security policies:
– Patching policy
– Actual audits
– The number of home-made services increases the attack surface
• Having a WAF / IDS / IPS is still not a common practice
Second paradigm shift
• Shift: VMs, VMs everywhere
• From the attacker’s PoV
– « OR 1=1 » era: web security breaches are sadly common
– Exploit creation is more trivial
– Classic mafias have entered the arena and are making big money with it
• On the defense side
– The intrusion threat is now taken seriously
– Virtual machines are often still ignored
AGILITY DRIVING CHAOS: 2016 - NOW
OPS IS A THING FROM THE PAST!

Who needs a sysadmin?
CI: container’s bright side
• Sane best practices
– Continuous integration
– Code repositories
– Orchestration & industrialization
– Greater communities and cooperation
• Wrong ideas have landed
– No need for system experts anymore
– Thanks to disposable machines, no need for research and deep dives
• And also bad reflexes
– Millions of ghost containers, thousands of images
– Low-cost infrastructures: what about durability?
– New shadow-IT format: the container is the new Schrödinger’s box
But wait, there’s more!
Reversibility & Durability
• How reversible is my partner’s technology, how is it bound to a particular SaaS or cloud provider?
• New technologies such as serverless give the illusion of isolation
– Access control is more important than ever
– Code reviews must be the norm
• Take extra care before binding yourself to a particular solution: hence the importance of your partner in your cloud journey!
A new context
How to evaluate my partner’s integrity?
[Image: « Pass**** »]
• Availability
– No more control over maintenance activity
– Ephemeral platforms
– Auto-scaling: the partner must adapt to new methodologies
• Confidentiality
– What / where is my storage? Is it encrypted? Who has the keys?
– Are the rights to my assets regularly reviewed?
• Integrity
– Are the limits between user and group privileges tight enough? « We’ll use root as it’s easier »
– MFA is not even a choice?
• Traceability
– Automated reporting?
– Recurring audits on rights and accesses (scout2, trusted advisor…)
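The integrity and traceability questions on this slide (is MFA enforced, is root used for day-to-day work, are rights and keys reviewed regularly, is the reporting automated) can be turned into a repeatable check. The script below is an added example, not part of the deck and not code from Net4All or from the scout2 / Trusted Advisor tools the slide names. It assumes the column layout of an AWS IAM credential report, runs over a constructed sample embedded inline, and fixes the clock to a constructed date so the result is the same on every run.

```python
"""Audit an IAM credential report for the slide's questions: MFA, root used
for convenience, access-key hygiene and stale rights. Added example."""
import csv
import io
from datetime import datetime, timezone

# Constructed "now" so the example is repeatable offline.
NOW = datetime(2018, 5, 21, 12, 0, tzinfo=timezone.utc)

# Constructed sample in the column layout of an AWS IAM credential report.
# Four principals: the root account, a clean user (alice), a user without
# MFA and with an old key (bob), and a service user whose key is unused.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T09:00:00+00:00,not_supported,2018-05-02T08:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T09:00:00+00:00,2018-05-02T08:12:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-03-01T10:00:00+00:00,true,2018-05-20T07:30:00+00:00,2018-04-01T10:00:00+00:00,2018-06-30T10:00:00+00:00,true,true,2018-04-01T10:00:00+00:00,2018-05-20T07:30:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-06-15T10:00:00+00:00,true,2017-11-01T09:00:00+00:00,2016-06-15T10:00:00+00:00,N/A,false,true,2016-06-15T10:00:00+00:00,2018-05-19T16:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-05T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-01-05T10:00:00+00:00,2017-02-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Timezone-aware datetime, or None for N/A / not_supported / no_information."""
    if not value or value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def _age_days(ts, now):
    return (now - ts).days if ts else None


def audit_credential_report(csv_text, now=NOW, max_key_age_days=90, max_idle_days=90):
    """Return a list of (principal, finding) tuples for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        mfa = row["mfa_active"] == "true"
        last_console = _parse_ts(row["password_last_used"])
        if is_root:
            # Integrity: root is a break-glass identity, not the convenient default.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            if last_console and _age_days(last_console, now) <= max_idle_days:
                findings.append((user, f"root console login within the last {max_idle_days} days"))
        elif row["password_enabled"] == "true":
            if not mfa:
                findings.append((user, "console access without MFA"))
            # Rights review: a console password nobody uses is a right nobody needs.
            idle = _age_days(last_console, now)
            if idle is None:
                findings.append((user, "console access never used"))
            elif idle > max_idle_days:
                findings.append((user, f"console access unused for {idle} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key ({n})"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or _age_days(rotated, now) > max_key_age_days:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            idle = _age_days(last_used, now) if last_used else _age_days(rotated, now)
            if idle is not None and idle > max_idle_days:
                findings.append((user, f"access key {n} unused for {idle} days"))
    return findings


def format_report(findings):
    """Plain-text report, one line per finding, grouped by principal."""
    lines = []
    for user in sorted({u for u, _ in findings}):
        lines.append(f"{user}:")
        lines.extend(f"  - {msg}" for u, msg in findings if u == user)
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(format_report(audit_credential_report(SAMPLE_REPORT)))
```

On a real account the same CSV comes from `aws iam get-credential-report` (the `Content` field is base64); scheduling this audit and filing the report is the "automated reporting" the slide asks for, and the thresholds are parameters so the partner's own policy (for instance 90-day key rotation) can be applied rather than hard-coded.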
SO WHAT?
DON’T PANIC
Chemin du Dévent 7
1024 Ecublens, Switzerland
+41.21.625.6990
contact@net4all.ch
@Net4allCH
A history and status of cloud security - Emile Heitor & Thibault Koechlin, OT Group

  • 1. A history and status of cloud security Thibault Koechlin – Emile Heitor
  • 2. 1990 – 2018: 50 shades of hosting
    – 90’s: Internalized Information System
    – 00’s: IS moved to the datacenter
    – 10’s: IS on SaaS
    – 2016: On premise datacenters
  • 4. Self-hosted
    • IT « controls » the servers
      – Near to no industrialisation
      – No patching, partner’s strength merely ignored
      – Local threats (floppies, co-workers, pirates)
      – First Internet accesses, almost no filtering
  • 5. Self-hosted
    • Targeted attacks, infosec is not even a thing (phrack: 85)
    • From the defense PoV, we were pretty much naked
  • 6. BUBBLES: 2000 - 2010
    • WHEN HYBRIDIZATION WAS NOT EVEN A BUZZWORD YET
  • 7. Internet is the worm
    • Links on the rise, world is connecting fast
    • Datacenters are slowly ruling the industry, but
      – Low to no standardization & security
      – Public infrastructure
      – Clear text protocols
    • Development methods
      – Near to no versioning mechanisms
      – Near to non-existent code reviews
  • 8. First paradigm shift
    • The pivot: Internet is now part of the network
    • From the attacker’s PoV, the era of memleaks has begun
    • From the protection PoV, risk analysis is in its early stages
  • 9. DEMATERIALIZATION: 2010 - 2016
    • VIRTUALIZATION OPENS THE PATH TO INFRASTRUCTURE AS CODE
  • 10. VMWare, Xen, KVM…
    • Mature virtualization technologies, but
      – Increasing number of ghost machines
      – Deployments are now available for everyone
      – Wider security risks
      – Expensive downtimes
    • Even wider exposure
      – OVH, Online, Hetzner: the temporary that lasts
      – Low costs mean more and more exposure
  • 11. Defensive maturity
    • Better handling of infrastructure issues, but now the DDoS threat emerges
    • Virtualization security is still not a real deal, as blue pill / red pill attacks are still technical fantasies
      – XEN: 2003
      – XEN sold to Citrix: 2007
      – First XSA: 2011 (last XSA: 262)
  • 12. Attackers maturity
    • While SQLi have existed since ~2000, this era has witnessed their rise
      – Memleaks are less common
      – Updates are (hopefully) available regularly
      – Hardening solutions are getting robust
      – « Web » vulnerabilities are far more accessible
    • From days to hours to exploit
    • Attacks are becoming more common as the surface grows
  • 13. How to evaluate your partners
    • IT security policies:
      – Patching policy
      – Actual audits
      – The number of home-made services increases the attack surface
    • Having a WAF / IDS / IPS is still not a common practice
  • 14. Second paradigm shift
    • Shift: VMs, VMs everywhere
    • From the attacker’s PoV
      – « OR 1=1 » era: Web security breaches are sadly common
      – More trivial exploit creation
      – Classic mafias entered the arena and are making big money with it
    • On the defense side
      – The intrusion threat is now taken seriously
      – Virtual machines are often still ignored
  • 15. AGILITY DRIVING CHAOS: 2016 - NOW
    • OPS IS A THING FROM THE PAST!
  • 16. Who needs a sysadmin?
  • 17. CI: container’s bright side
    • Sane best practices
      – Continuous integration
      – Code repositories
      – Orchestration & industrialization
      – Greater communities and cooperation
    • Wrong ideas have landed
      – No need for system experts anymore
      – Thanks to disposable machines, no need for research and deep dives
    • And also bad reflexes
      – Millions of ghost containers, thousands of images
      – Low cost infrastructures: what about durability?
      – New shadow-IT format: the container is the new Schrödinger’s box
  • 19. Reversibility & Durability
    • How reversible is my partner’s technology? How tightly is it bound to a particular SaaS or cloud provider?
    • New technologies such as serverless give the illusion of isolation
      – Access control is more important than ever
      – Code reviews must be the norm
    • Extra care about being bound to a particular solution: hence the importance of your partner in your cloud journey!
  • 21. How to evaluate my partner’s integrity?
    • Availability
      – No more control over maintenance activity
      – Ephemeral platforms
      – Auto-scaling: the partner must adapt to new methodologies
    • Confidentiality
      – What / where is my storage? Is it encrypted? Who has the keys?
      – Are the rights to my assets regularly reviewed?
    • Integrity
      – Are the limits between user and group privileges tight enough? « We’ll use root as it’s easier »
      – MFA is not even a choice?
    • Traceability
      – Automated reporting?
      – Recurring audits on rights and accesses (scout2, trusted advisor…)
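As an added example (not from the slides), the recurring rights-and-access audit that slide 21 calls for can be scripted over an account inventory; the inventory, its field names and the checks below are constructed for this page and only mimic the kind of findings tools like Scout2 or Trusted Advisor report, not their actual code or any provider's API:

```python
from datetime import date

# Constructed sample inventory (not real account data); the field names are
# assumptions for this example, not any cloud provider's actual API.
INVENTORY = {
    "users": [
        {"name": "root", "is_root": True, "mfa": False, "policies": [],
         "keys": [{"id": "KEY-ROOT-1", "created": date(2016, 1, 10)}]},
        {"name": "alice", "is_root": False, "mfa": True,
         "policies": [{"name": "ReadOnly", "actions": "read:*", "resources": "*"}],
         "keys": [{"id": "KEY-A-1", "created": date(2018, 4, 1)}]},
        {"name": "deploy-bot", "is_root": False, "mfa": False,
         "policies": [{"name": "AdminAll", "actions": "*", "resources": "*"}],
         "keys": [{"id": "KEY-D-1", "created": date(2017, 9, 1)}]},
    ],
    "buckets": [
        {"name": "backups", "encrypted": True, "key_owner": "customer", "public": False},
        {"name": "logs", "encrypted": False, "key_owner": None, "public": True},
    ],
}

def audit(inventory, today=date(2018, 6, 1), max_key_age_days=90):
    """Return (subject, finding) pairs for the checklist items of slide 21:
    privilege boundaries, root usage, MFA, encryption and key ownership, exposure."""
    findings = []
    for u in inventory["users"]:
        if not u["mfa"]:
            findings.append((u["name"], "mfa_disabled"))
        if u["is_root"] and u["keys"]:
            # "We'll use root as it's easier": root should carry no long-lived keys
            findings.append((u["name"], "root_has_access_keys"))
        for p in u["policies"]:
            if p["actions"] == "*" and p["resources"] == "*":
                # wildcard on both actions and resources: no privilege boundary at all
                findings.append((u["name"], f"wildcard_policy:{p['name']}"))
        for k in u["keys"]:
            age = (today - k["created"]).days
            if age > max_key_age_days:
                findings.append((u["name"], f"stale_key:{k['id']}:{age}d"))
    for b in inventory["buckets"]:
        if not b["encrypted"]:
            findings.append((b["name"], "unencrypted_at_rest"))
        elif b["key_owner"] != "customer":
            findings.append((b["name"], f"key_held_by:{b['key_owner']}"))
        if b["public"]:
            findings.append((b["name"], "publicly_readable"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```

Run on a schedule and diffed against the previous report, the output is the "automated reporting" line of the same slide; a real run would build the inventory from the provider's API instead of the constructed dictionary.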
  • 23. Chemin du Dévent 7, 1024 Ecublens, Switzerland – +41.21.625.6990 – contact@net4all.ch – @Net4allCH