The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals, its essential services, service models and deployment options. It also throws light on the security and risk management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.
Cloud computing understanding security risk and management
The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals, its essential services, service models and deployment options. It also throws light on the security and risk management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.

Author – Shamsundar Machale (CISSP)
Fig.1 NIST Visual Model of Cloud Computing Definition

What is the definition of Cloud Computing?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what the essential characteristics of cloud are. Fig. 1 represents the visual model of the above NIST cloud computing definition. Let's take a deeper look into the definition.

Any cloud should demonstrate certain essential characteristics to get the full benefits of cloud. Any missing essential characteristic would not give you 100% benefit from cloud computing.

Whatever is not your core, outsource it. Similarly, maintaining capex IT infrastructure and information is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).

Multi-tenancy is the fundamental principle used in resource pooling, but keep in mind that resource pooling is not limited to your server and storage; it extends to network connectivity, physical security, administration of cloud services and, last but not least, your facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This provides a great benefit to the Cloud Consumer (CC): no direct capital investment, and the pay-per-use model of cloud. Only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling might become a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as a guest hopping attack or a side channel attack to capture cryptographic keys.

The second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing resources by themselves with minimum administrative involvement from the CSP. The lead time required for provisioning and de-provisioning should be reduced significantly.
Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, and it will be charged on a pay-per-usage policy. There should not be any lock-in on the CSP side while reducing the required level of resources.

As there is a trend of BYOD and consumerization, people want to access applications location- and end-device-independently, which essentially means there should be no restriction on your work location (office, home or cafe) or on how you access it (desktop, laptop, smartphone or tablet).

Lastly, the CC should be able to measure the services offered by the CSP through the SLA.

Let's take a look at service offering models; there are typically three kinds of service offering models, as below.

IaaS (Infrastructure as a Service) – Here you get only infrastructure like compute and storage. This is nothing but a plain vanilla virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc.

PaaS (Platform as a Service) – Here you expect a little bit more from the CSP, which will help in the development of applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force and Google App Engine.

SaaS (Software as a Service) – This is the full package of an application; the CC just has to use it and need not worry about how and where it is running or who is managing the show. It is a pure service such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.

As you move from IaaS to SaaS the CC loses control over the services whereas the CSP gains more control, which is depicted in the figure below.

Fig. 2
Now we will look at the third tier of the cloud computing definition, which is nothing but deployment options. As you have seen in the above visual model, there are four ways in which cloud services can be deployed.

Public Cloud – Available publicly; multiple customers can avail of the same services with different SLA commitments.

Private Cloud – Built specifically for a single customer and available to only that customer.

Community Cloud – Services offered to a set of customers which form a community, such as cloud services for power generation companies, cloud services for the manufacturing industry etc.

Hybrid Cloud – A combination of any of the above.

The table below provides more information about the deployment models.

Fig. 3
What is Security for Cloud Computing?

As per CSA, security controls in cloud computing are, for the most part, no different from security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing.

The focus of the defense in depth approach is always data at the center, with different types of controls such as Administrative, Technical and Physical wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud-based data center.

As mentioned above, the security of cloud services is a joint responsibility of the CC and the CSP, which purely depends on the service offering.

As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.

Fig.4 CSA Trusted Cloud security reference architecture

This block basically talks about the domains below.

Governance, Risk and Compliance – How are you going to manage governance, risk, audit, vendors, policy and awareness around CSP support staff?

InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.

Privilege Management Infrastructure – This purely focuses on how effectively you manage identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?

Threat and Vulnerability Management – How do you keep the environment vulnerability free and up to date with the latest patches, and give assurance on compliance testing to the CC?
Infrastructure Protection Services – How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have anti-virus and HIPS / HIDS installed at the end points, is logging and monitoring enabled, and do you have an application level firewall and web content filtering?

Data Protection – How well are you managing the data lifecycle, what controls are in place to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?

Policies and Standards – Have you defined information security policies and guidelines based on industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?

CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1.

As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security.

Fig.5 CCMv3.0.2 Domains

Risk Management is one of the important aspects of cloud computing. There is no different strategy for management of risk in the cloud. You have to follow the conventional approach of performing the risk assessment based on a certain framework and managing these risks either through risk mitigation by use of certain controls, or by transferring, avoiding or accepting the risk. As per ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012" document, cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks", and "Legal Risks".
The figure below represents the top rated risks identified by ENISA based on the probability and impact of each risk.

Fig.6 ENISA top security risks to cloud computing
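The risk treatment approach described above (rate each risk by probability and impact, classify it into ENISA's three categories, apply controls, then mitigate, transfer, avoid or accept what remains) as a small risk register, added here as an illustration and not part of the original paper or of any ENISA or CSA publication. The risk names come from the page's ENISA and Notorious Nine lists; the scores, control effectiveness values and treatment thresholds are constructed assumptions for this example.

```python
"""Cloud risk register: inherent score, residual score after layered
controls, and a treatment decision. Scores and thresholds are constructed
for illustration, not taken from the ENISA or CSA documents."""
from dataclasses import dataclass, field

CATEGORIES = {"policy_org", "technical", "legal"}   # ENISA's three risk classes
TREATMENTS = ("accept", "mitigate", "transfer", "avoid")


@dataclass
class Risk:
    name: str
    category: str
    probability: int        # 1 (very low) .. 5 (very high)
    impact: int             # 1 (very low) .. 5 (very high)
    # effectiveness (0.0-1.0) of each control wrapped around the data
    controls: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown ENISA category: {self.category}")
        for v in (self.probability, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("probability and impact must be 1..5")


def inherent_score(r: Risk) -> int:
    """Probability x impact before any control is applied (max 25)."""
    return r.probability * r.impact


def residual_score(r: Risk) -> float:
    """Residual risk after layered controls. Each control removes its share of
    what the previous controls left (defense in depth), so two 50% controls
    leave 25% of the inherent score, never zero or negative."""
    remaining = 1.0
    for eff in r.controls.values():
        if not 0.0 <= eff <= 1.0:
            raise ValueError("control effectiveness must be 0..1")
        remaining *= (1.0 - eff)
    return round(inherent_score(r) * remaining, 2)


def treatment(r: Risk, appetite: float = 6.0) -> str:
    """Decision rule (an assumption of this example): accept residual risk
    within appetite; avoid anything still at the top of the scale; transfer
    legal risk via contract / SLA / insurance; otherwise mitigate with more
    controls, which is where technical and organizational risks land."""
    res = residual_score(r)
    if res <= appetite:
        return "accept"
    if res >= 20:
        return "avoid"
    if r.category == "legal":
        return "transfer"
    return "mitigate"


def risk_register(risks: list, appetite: float = 6.0) -> list:
    """Rank risks by residual score, highest first, as a risk dashboard would."""
    rows = [{"name": r.name, "category": r.category,
             "inherent": inherent_score(r), "residual": residual_score(r),
             "treatment": treatment(r, appetite)} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register using risk names from the ENISA / CSA lists.
SAMPLE_RISKS = [
    Risk("Isolation failure (shared technology)", "technical", 2, 5,
         {"tenant_network_segmentation": 0.5, "hypervisor_patching": 0.5}),
    Risk("Management interface compromise (insecure APIs)", "technical", 4, 5,
         {"mfa_on_console": 0.6}),
    Risk("Loss of governance", "policy_org", 4, 4, {}),
    Risk("Data protection / jurisdiction risk", "legal", 3, 4,
         {"contractual_data_location_clause": 0.3}),
    Risk("Vendor lock-in", "policy_org", 3, 2, {"portable_formats": 0.5}),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['residual']:5.2f}  {row['treatment']:9s}  {row['name']}")
```

Running it ranks "Loss of governance" (no controls, residual 16.0) above the heavily controlled isolation-failure risk (residual 2.5), which is the point of tracking residual rather than inherent risk on the dashboard.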
If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find certain risks / threats are common to both documents, such as Malicious Insider / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.

Fig.7 – Notorious Nine Threats to Cloud Computing
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Security Certifications and Attestations – The CSP can provide assurance to the CC on its current compliance level with respect to different standards and legal and regulatory requirements through certain security certifications and attestations.

The figure below lists the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of the CSP.

Fig.8 – Security Certifications and Attestations

Conclusion – Cloud computing is a double edged sword which provides a good amount of benefits, but only if implemented properly considering all security, governance, privacy and legal requirements. Risk assessment and due diligence would be the key for cloud consumers to make their case a success story.
References –
"CSA Trusted Cloud Reference Architecture version 2.0"
"CSA Cloud Controls Matrix, CCM v3.0.1"
"The Notorious Nine – Cloud Computing Top Threats in 2013"
ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012"
The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014