As more businesses move to cloud services, they face new challenges in IT security. This presentation outlines the key challenges in cloud security, and my observations and recommendations.
2. Outline
1. Background of Cloud Computing
2. Key Security Concerns in Traditional Data Centers
3. Key Security Concerns in Cloud Computing
4. Why Computing Security is so hard?
5. Observations
6. Recommendations
3. Background of Cloud Computing - 1
● Cloud computing and virtualization are not new concepts. It started with the
IBM mainframe many decades ago and then progressed to x86 hypervisors and the Java
virtual machine in the 90s.
● In the early days of my career (90s), my Nortel colleagues and I were experimenting
with Java (1.0 and 1.1) virtualization and application virtualization in multi-HA cluster
configuration with zero downtime.
● Those were the early days of cloud computing. The pilot project was a success but the
market was not ready for the technology back in the 90s.
● Our team did not solve a market problem because nobody wanted to share any
infrastructure with anyone and all dot-com companies had too much money to spend.
● In the early or mid 2000s, big data service providers like Google and Amazon understood
that the only way to scale and to keep their operating cost to a minimum was to leverage
virtualization technology in their own data centers.
● At the time, the academic and startup communities were floating the concept of utility
computing and cloud computing. They believed in a utopian world in which people could
put their applications on "the cloud" and pay only for the actual resources their
applications consumed (pay as you go).
● Think of it as a free computing market economy (capitalism - does it ring a bell?).
4. Background of Cloud Computing - 2
● Next, the Amazon engineers made a bold proposal to their executives: They had built a
massive infrastructure for their e-Commerce needs. Why not extend this massive
virtualized infrastructure to gazillions of SMBs who would pay for hosting their
applications and data?
● Long story short, the cloud computing economy was born!!
● Although cloud computing offers many great benefits, it poses many great security
challenges.
● Many traditional 2-tier, or n-tier systems run in co-located data centers with dedicated
racks/cages, or dedicated data centers where the computing resources are tightly
controlled.
● All the networking appliances and servers are dedicated to that organization, and no
one else.
● The IT team relies on air-tight physical and network security to reduce the attack
surface to a minimum, but they tend to put application security on the back burner.
● This security model may work well in traditional data centers but it is insufficient in a
cloud environment in which applications may move around in containers and the
underlying infrastructure, which may include (virtual) network appliances/nodes, is
shared among tenants.
● One bad tenant or one compromised tenant may compromise other tenants or even the
cloud provider (Not Good!)
5. Background of Cloud Computing - 3
● Some of my colleagues suggest just encrypting everything (transport, applications,
database, logs, etc). However, that is an over-simplification.
● You can have the strongest data encryption but if your key(s) is/are compromised, your
applications and data will be compromised as well.
● Let’s not forget modern cryptography depends on cryptographic keys. The secret keys
are either protected by physical elements (e.g. SE, HSMs, etc) or by other keys (key
encrypting keys) at rest or during transport.
● The whole notion of key lifecycle management (including distribution) can be very
hairy, especially in a cloud environment.
● In a cloud environment, the attack surface is very large.
● Hypervisors can be compromised. How about the OS or the container?
● An attacker can exploit just one of these vulnerabilities to get to secret keys, and then
to the valuable business data
● All IT systems still rely on secret and public key cryptography (e.g. 3DES, AES, RSA,
ECC, etc). These algorithms are not post-quantum computing proof, nor do they allow
operations to be carried out on ciphertext so as to generate an encrypted result which,
when decrypted, matches the result of the same operations performed on the plaintext.
● Data therefore has to be decrypted before it can be processed, which increases the
exposure of the plaintext in a multi-tenant cloud environment (Not Good!)
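An added example (not part of the original slides) of the key-encrypting-key arrangement described on this slide, in Go with only the standard library. It wraps the data key with AES-256-GCM rather than a dedicated key-wrap mode; the tenant label, key versions and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the tenant stores in the cloud. The plaintext data
// encryption key (DEK) never appears in it, only the DEK wrapped by a KEK.
type Envelope struct {
	Tenant     string // constructed tenant label, authenticated as AAD
	KEKVersion int    // which key encrypting key wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg under key and prepends the random nonce.
func seal(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// open reverses seal and fails if key, blob or aad do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt makes a fresh DEK per object, encrypts the data with it, then
// wraps the DEK under the KEK (which would live in an HSM or key service).
func Encrypt(kek []byte, version int, tenant string, data []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, []byte(tenant))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return &Envelope{Tenant: tenant, KEKVersion: version, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt shows the slide's point: whoever holds the KEK recovers the DEK,
// and with it the data, however strong the cipher is.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.Tenant))
}

// Rotate re-wraps the DEK under a new KEK without touching the bulk data.
func Rotate(oldKEK, newKEK []byte, newVersion int, env *Envelope) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, []byte(env.Tenant))
	if err != nil {
		return nil, err
	}
	return &Envelope{Tenant: env.Tenant, KEKVersion: newVersion, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	rand.Read(kek1)
	rand.Read(kek2)
	env, _ := Encrypt(kek1, 1, "tenant-a", []byte("constructed sample record"))
	rotated, _ := Rotate(kek1, kek2, 2, env)
	_, errOld := Decrypt(kek1, rotated) // retired KEK no longer unwraps
	pt, errNew := Decrypt(kek2, rotated)
	fmt.Printf("old KEK: %v\nnew KEK: %q (err=%v)\n", errOld, pt, errNew)
}
```

Re-wrapping only stops a retired KEK from opening the current envelope; if the DEK itself was exposed, the data has to be re-encrypted under a fresh DEK.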
6. Key Security Concerns in Traditional Data Centers - 1
● Main offerings of Traditional Data Centers:
1. Dedicated Servers by Data Center
2. Co-located Servers by YOU
3. Own Servers by Own Data Center
● Key Actors: Data Center Operator, Other Tenants, and YOU
● Data center is responsible for physical security of #1 and #2
● Data center is responsible for infrastructure and/or network
security of #1
● In case of #3, you are responsible for all security controls.
● Pros: Good to control your security destiny in various degrees
● Cons: This gets expensive and also your business won’t be agile
(Time to Market)
7. Key Security Concerns in Traditional Data Centers - 2
● Physical Security
○ Building security, Personnel security, Asset security, Wiring security
● Network Security
○ Vulnerability in Network Protocol Configuration and Support tools
○ Denial of Service attacks
○ Address or Name Resolution attacks
○ Network Access Restriction (Incl. Authentication and Authorization)
○ Vulnerability in Network Appliances and Nodes
○ Any possibility of eavesdropping on data streams that carry sensitive data
● Infrastructure Security
○ Physical Tampering of Servers and Appliances
○ Vulnerability in OS and Support tools (e.g. malware, viruses, worms, etc)
○ Any possibility of exposing sensitive data and cryptographic keys in unencrypted
form in storage
○ OS user account management (incl. User authentication and Authorization)
8. Key Security Concerns in Traditional Data Centers - 3
● Middleware and Application Security
○ Vulnerability in middleware and application virtualization
○ Vulnerability in middleware and application support tools
○ Any possibility of exposing sensitive data and cryptographic keys in unencrypted
form in storage
○ Middleware and Application account management (incl. Authentication and
authorization)
○ Tampering of Middleware or Application software (incl. patches)
● Data Security
○ Vulnerability in database management software and support tools
○ Any possibility of exposing sensitive data and cryptographic keys in unencrypted
form in storage
○ Gaps in data lifecycle management (e.g. replication, backup, archive, purging) that
leave sensitive data potentially available to unauthorized parties
○ Database account management (incl. Authentication and authorization)
○ Tampering of Database Software Patches
9. Key Security Concerns in Cloud Computing - 1
● Current Cloud offerings in horizontal (tenant) and vertical
(service) aspects
1. Tenant-based: a) Public, b) Private, c) Hybrid
2. Service-based: a) IaaS, b) PaaS, c) SaaS
● Key Actors: Cloud Provider, Other Tenants, and YOU
1. Data center is responsible for physical security of #1 and #2
2. Data center is responsible for infrastructure and/or network security of #1
3. In case of #3, you are responsible for all security controls.
● Pros:
1. With cloud, your operating cost is low because you are sharing common computing
elements with others
2. Your cloud provider may be better than YOU in implementing security controls
because good security controls are tricky and expensive to implement.
● Cons:
1. You have to put a lot of faith in your cloud provider
2. What are the risks and the impacts if either your cloud provider or other tenants
get compromised?
10. Key Security Concerns in Cloud Computing - 2
● Physical Security
○ Your cloud provider is responsible for this 100%
● Network Security
○ Typically a Public IaaS, PaaS, SaaS provider is primarily responsible for:
■ Vulnerability in Network Protocol Configuration, Denial of Service attacks, Address or Name
Resolution attacks, Vulnerability in Network Appliances and Nodes, and, to some degree, Network
Access Restriction and Support tools
○ However, in the case of hybrid and private cloud, both YOU and your cloud
provider need to jointly implement network security controls
● Infrastructure Security
○ Typically a Public IaaS, PaaS, SaaS provider is primarily responsible for:
■ Physical Tampering of Servers and Appliances, OS vulnerability (e.g. malware, viruses, worms, etc),
OS user account management (incl. User authentication and Authorization)
■ To some degree, infrastructure support tools
○ However, in the case of hybrid and private cloud, both YOU and your cloud
provider need to implement your own infrastructure security controls
11. Key Security Concerns in Cloud Computing - 3
● Middleware and Application Security
○ Typically a Public PaaS, SaaS provider is primarily responsible for:
■ Vulnerability in middleware and application virtualization, and support tools
■ Any possibility of exposing sensitive data and cryptographic keys in unencrypted form in storage
■ Middleware and Application account management (incl. Authentication and authorization)
■ Tampering of Middleware or Application software (incl. patches)
○ However, in the case of hybrid and private cloud, both YOU and your cloud
provider need to implement your own middleware platform or application security
controls
● Data Security
○ Typically a Public PaaS, SaaS provider is primarily responsible for:
■ Vulnerability in database management software and support tools
■ Any possibility of exposing sensitive data and cryptographic keys in unencrypted form in storage
■ Gaps in data lifecycle management (e.g. replication, backup, archive, purging) that leave sensitive
data potentially available to unauthorized parties
■ Database account management (incl. Authentication and authorization)
■ Tampering of Database Software Patches
○ However, in the case of hybrid and private cloud, both YOU and your cloud
provider need to implement your own data security controls
12. Why Computing Security is so hard? - 1
● So, how to solve all these security concerns?
● First, people often take security for granted.
● The first thing that comes to mind is password authentication and data
encryption.
● Computing security is more than data encryption and password
authentication
● A sound security framework must satisfy four properties of
computing security to a very high degree; and these famous
properties are:
● Confidentiality, Integrity, Non-Repudiation, and Availability
● Stronger cryptographic algorithms alone do not and will not solve
all the computing security concerns
13. Why Computing Security is so hard? - 2
● Security, through the lens of enterprise architecture (EA), is an
aspect across all EA domains (e.g. network, infrastructure,
application, data).
● In a complex IT environment, there are many layers and hops
between an end user and a business service.
● That may mean a few dozen hops in the network, another
few dozen hops in infrastructure, then a few dozen hops in the
application, and a few dozen hops to data storage.
● We are talking about millions of possible path combinations for a
single user operation or transaction.
● 100% security = every possible path combination must be
validated and verified against the four security properties.
● With thousands of operation types, we have billions of
combinations to validate every so often. (at least NP or EXP hard)
● No time, resources, or $$$$$ to be 100% secure
14. Observations
● Yes, it could be scary to put your critical IT assets in the hands of
another party (cloud provider)
● Ask yourself a question, could you implement better security
controls than your cloud provider?
● For most businesses, the answer is NO
● AWS, Azure, IBM/Softlayer, Google, and others have put
billions of USD into their cloud business.
● As an SMB, you don’t have the time, money, and perhaps expertise
to do the same
● Instead, put your time, money, and resources on your business
service or application (software) → revenue generator!
● Make sure all your support tools are also air-tight!!
● Attackers like to get in through the backdoors (support tools or
support systems or workstations)!!
● Cloud computing is the right solution for most organizations
15. Recommendations - 1
● Before you decide the type of cloud service to implement your
business service, think about the following:
1. Understand your level of risk tolerance for that business service
i. If your cloud provider or other tenants get compromised with a given
probability, then what would be the impacts?
ii. Could you accept the loss (e.g. reputational, financial, etc)?
2. Compare your risk tolerance against
i. Business cost
ii. Business agility
iii. Asset Reuse
3. Most importantly, how well you can implement your own security controls versus
how well your cloud provider can implement theirs
4. Then, pick the right cloud service (Public, Private, Hybrid, IaaS, PaaS, SaaS)
16. Recommendations - 2
Once you decide on the type of cloud service, implement your security
framework (which is no different from that of the USA Secret Service):
1. Reduce your security complexity by partitioning your system based on security
criteria
2. Understand the type of assets you need to protect
3. Understand who and what you need to protect your assets from
4. Prioritize resources based on business impacts and risks
5. Define your security perimeters and zones
6. Not every zone requires the highest security measures
OK, That's all for now.
My next presentation will discuss security architecture and design for
cloud computing ...