This document discusses cloud computing security. It summarizes a presentation on cloud security given by Jean-François Audenard from Orange Business Services. The presentation covers the challenges of securing data in the cloud, Orange's "SecuredByDesign" approach to cloud security, and maintaining security on an ongoing basis. It also discusses threats that follow data as it moves to the cloud, customer expectations around cloud security, vulnerabilities specific to cloud computing environments like virtualization, and the shared responsibilities between cloud providers and customers to ensure security.
This document discusses how IT operations are becoming more complex with the rise of cloud computing and virtualization. It notes that managing technologies across on-premises and cloud environments introduces challenges around monitoring, automation, and maintaining processes. The document also discusses how NetEnrich provides services to help companies operationalize their virtual and cloud environments through consulting, monitoring, security, and managing the full lifecycle of virtual machines and cloud workloads.
This document discusses how Trend Micro's Deep Security product provides virtualization and cloud security through an integrated platform. It offers agentless and agent-based security across physical, virtual, and cloud environments from a single management console. This consolidated security model maximizes performance and ROI while simplifying management and strengthening protection across platforms.
Deep Security provides software-based security and compliance for systems operating in standalone, virtual, and cloud environments to help organizations meet PCI DSS requirements. It addresses 7 PCI regulations and over 20 sub-controls with features like network segmentation, host firewall, antivirus, virtual patching, and web application protection to provide core PCI controls from a single, centrally managed solution. Deep Security can economically help organizations meet PCI compliance challenges for distributed locations, vulnerability management, and website and virtualization security.
Cloud Cuckoo Land to Corporate Acceptance Mark Henshaw
This document summarizes a presentation on cloud computing XaaS (everything as a service) models and moving corporate acceptance of cloud computing beyond initial skepticism. The presentation discusses key issues for boards to understand regarding security, compliance and liability when adopting cloud services, and measures for implementing access controls in cloud environments. It also addresses how organizations can comply with data privacy laws when using multiple cloud storage solutions across jurisdictions with elastic and fungible data storage.
Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.
In this presentation, we will discuss:
- How compliance is affected by using private, hybrid, and public cloud environments
- What to consider when researching providers who offer "PCI-compliant" clouds
- Recommendations for improving compliance and security posture in the cloud
1. The document discusses risks associated with cloud computing, including potential security breaches that could compromise sensitive customer data and lead to costly litigation and reputational damage.
2. It provides examples of large-scale breaches involving cloud services firms, where hackers accessed millions of customer account files and email addresses.
3. Businesses considering cloud computing need to carefully evaluate what types of sensitive data they will entrust to the cloud, and conduct thorough due diligence on cloud providers' security practices and controls. Developing a clear data-security strategy is important for protecting information.
Cloud lockin and interoperability v2 indic threads cloud computing conferen... IndicThreads
This document discusses cloud lock-in and interoperability. It begins with recapping cloud computing concepts like deployment models and service models. It then defines lock-in, portability, and interoperability. Lock-in occurs when there are significant costs to switch cloud vendors. The document discusses how portability and interoperability benefit customers by increasing choice and lowering costs. It provides examples of lock-in for different cloud platforms and analyzes emerging standards from groups like DMTF, SNIA, and CSA. Best practices are outlined to minimize lock-in for IaaS, PaaS and SaaS. The document concludes that while lock-in exists now, interoperability is improving and portability
This document discusses how IT is transforming through trends like cloud computing and big data. It summarizes that EMC can help customers navigate these changes by providing solutions like hybrid cloud infrastructure and big data analytics to help businesses transform their applications and IT infrastructure. The document also emphasizes that EMC is committed to innovation through R&D investment and acquisitions to ensure it continues to lead customers on their journey to the cloud and with big data.
This document discusses security challenges in the cloud era. It covers four pillars of cloud computing: infrastructure, applications, data protection, and consumerization. The rise of mobile devices and consumerization of IT brings new security risks. Advanced persistent threats are challenging to detect due to sophisticated techniques including social engineering, stealthy behavior, and use of zero-day vulnerabilities. Deep Discovery provides specialized threat detection across the attack sequence through network visibility, analysis, and correlation with Trend Micro's global threat intelligence.
Presenter manual cloud computing (specially for summer interns) XPERT INFOTECH
Objective of Project Based Industrial Training:
To provide state-of-the-art, cutting-edge customized software solutions to clients of various industries.
To reduce the gap between academic learning and industry experience.
Core and advanced features of each technology are covered in interactive classroom sessions.
Topic-based assignments are given to trainees to develop their programming skills.
Hands-on training is imparted on “Live Projects” by industry experts.
Project completion certificate is awarded by “XPERT INFOTECH”.
Trainees are helped by our dedicated team of HR executives in finding a suitable job after completion of the training.
Through our partnerships with leading cloud providers, we are able to offer hybrid, private and public cloud solutions. At Epoch Universal, we supply cloud the way you want it with deep control, extreme performance, and broad customization capabilities. When you join the Epoch Universal fold, you take back the keys to your kingdom. Reign as supreme commander in chief of your cloud. No compromises. No exceptions.
Enterprise IT is transitioning from the use of traditional on-premise data centers to hybrid cloud environments. As a result, we’re experiencing a paradigm shift in the way we must think about and manage enterprise security.
From Four Walls to No Walls
Until now, the conventional view on IT security has been that applications and data are safe because they’re physically housed within the confines of a company’s data center walls using company-owned equipment. So, it’s not surprising that many decision makers perceive greater risks as they trade physical assets for cloud-based solutions.
Marlabs offers an overview of the kind of threats facing technology today and explains the service offerings that will help ensure data security at all costs.
The document discusses a study that aimed to evaluate the transparency of cloud providers' security, privacy, auditability, and service level agreements. It developed a Cloud Provider Transparency Scorecard to assess information from cloud providers' websites. It conducted a preassessment of six cloud providers to evaluate available information and then performed a detailed assessment using the scorecard. The assessment focused on policies, procedures, certifications, audits and service level agreements published on providers' websites.
Cloud Computing has been a growing research topic in recent years. The key concept of Cloud Computing is to provide a resource sharing model based on virtualization, distributed file systems, parallel algorithms and web services. But how can we provide a testbed for cloud computing related training courses? In this talk we will share our experience building a cloud computing testbed for virtualization, high throughput computing and bioinformatics applications. It covers lots of open source projects, such as DRBL, Xen, Hadoop and bioinformatics related applications.
In short, Diskless Remote Boot in Linux (DRBL) provides a diskless or systemless environment for client machines. It works on Debian, Ubuntu, Mandriva, Red Hat, Fedora, CentOS and SuSE. DRBL uses distributed hardware resources and makes it possible for clients to fully access local hardware.
Xen is an open source hypervisor for the Linux kernel. It has been used in the Amazon EC2 production environment to provide cloud service model (1) — "Infrastructure as a Service (IaaS)". In this talk, we will show you how DRBL can help with fast deployment of a Xen playground in the classroom.
Hadoop is becoming a well-known open source cloud computing technology developed by the Apache community. It is a very powerful tool for data mining. It has been used in Yahoo and Facebook production environments to provide cloud service model (2) — "Platform as a Service (PaaS)". It’s easy to set up a single Hadoop node but difficult to manage a Hadoop cluster. In this talk, we will show you how DRBL can help with fast deployment and management.
Most bioinformatics applications are open source, such as R, Bioconductor, BLAST, Clustal, PipMaker, Phylip, etc. But they also require traditional cluster job submission. In this talk we will show you how DRBL can help to build a testbed for bioinformatics research and provide cloud service model (3) — "Software as a Service (SaaS)". In this talk, we will cover how to:
1. Use DRBL to deploy Xen virtual cluster (drbl-xen)
2. Use DRBL to deploy Hadoop cluster (drbl-hadoop)
3. Use DRBL to deploy bioinformatics cluster (drbl-biocluster)
A live demonstration of drbl-hadoop and drbl-biocluster will be given in the talk, too.
SCIT-MTD is a patented technique that provides continuous rotation of virtual machines to a pristine state in order to remove malware and limit the time intruders have to exploit systems. It uses virtualization and fast VM rotation times of less than a minute to dynamically change systems into moving targets. This makes it difficult for attackers to gain access and plan attacks before being removed from the system. SCIT-MTD can be implemented without changes to existing systems and improves security even without knowing the details of vulnerabilities or malware.
Security assessment for financial institutions Zsolt Nemeth
Group-IB is a cybersecurity company founded in 2003 in Russia that provides services such as security analysis, penetration testing, computer forensics, incident response, and malware intelligence. It has expanded internationally and now has over 60 employees. The company operates the first 24/7 cybersecurity response team in Eastern Europe called CERT-GIB. Group-IB works with many financial institutions and has expertise in vulnerabilities specific to the banking/e-commerce sector.
The document discusses why proper governance is important for multi-sourcing IT workloads. Effective governance simplifies multi-vendor management, improves collaboration and performance, and controls costs. Without governance, organizations typically realize only a fraction of expected benefits from multi-sourcing due to ineffective management. Key components of governance include aligning workloads with sourcing models, clarifying accountability, and strengthening relationships to improve communication. The document concludes that a flexible sourcing model combined with governance enables organizations to benefit from modern IT sourcing opportunities.
This document summarizes 10 key security concerns for cloud computing: 1) data location; 2) access controls; 3) regulatory requirements; 4) audit rights; 5) employee training; 6) data classification; 7) service level agreements; 8) long-term viability; 9) security breach response; and 10) disaster recovery plans. It also briefly outlines cloud computing models and benefits, as well as potential security attacks against cloud systems like denial of service attacks and authentication attacks.
The document discusses cloud computing and networking of information. It covers topics like cloud computing layers (SaaS, PaaS, IaaS), challenges of networking information currently, and the potential for a new approach called NetInf to address these challenges. NetInf could enable more efficient content distribution and a common naming scheme for information. The document also examines how NetInf concepts could integrate with cloud computing platforms and applications.
The document announces the Second International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2011) to be held in Rome, Italy from September 25-30, 2011. It calls for submissions of technical papers, position papers, surveys, and panel proposals on topics related to cloud computing, grids, and virtualization. Suggested topics include cloud technologies, services, platforms, applications, security and privacy challenges, and the relationships between cloud computing, grids, and virtualized environments. The conference aims to explore applications of cloud computing and identify open issues to address in these emerging technologies.
Your Data Center Boundaries Don’t Exist Anymore! EMC
In the pre-cloud era, data centers were simpler to define and restrict. As organizations move to public, private, and hybrid clouds, they have to account for internal, industrial, and government compliance initiatives and oversight that impacts data center architecture and information flow. This session describes data center challenges in the Cloud Era and articulates real-life best practices to address those challenges.
Virtualization and cloud computing provide business benefits like scalability, efficiency and elasticity but also introduce security challenges. Key security risks in virtualized environments include issues with the hypervisor, shared infrastructure vulnerabilities, and operational problems with access controls and application hardening. To balance security and business needs, a "protect to enable" strategy uses granular trust zones like high, medium and low trust environments that apply controls proportionate to asset risk and value. Lessons learned are that a holistic risk view is needed, virtualization security is still maturing, and applications introduced must be hardened.
ASFWS 2013 - Security and extending infrastructure to the cloud: feedback from e... Cyber Security Alliance
Against the backdrop of the PRISM affair, linking the words security and cloud seems daring at first glance; we will see why that is not necessarily so. This talk will present the concrete experience of a large enterprise in integrating cloud infrastructures (IaaS, PaaS and SaaS) into an existing architecture, along with the various security mechanisms it is wise to use. We will cover, at a technical level, topics such as datacenter interconnection, Virtual Private Clouds, strong authentication, segmentation, perimeter defense and identity federation.
Implementing the PCI DSS standard in the Cloud (Master's final-year project, Faculté des scie... Nouh Droussi
Work to increase security in Cloud Computing: implementing the PCI DSS standard in the Cloud; new recommendations to take into consideration. This work aims to give ideas on the security recommendations to add to Cloud Computing infrastructures.
My book is only a starting point for properly protecting highly sensitive data: not only banking data, but also any data that is worth money (activation keys for software products...)
Cybersécurité & protection des données personnellesMohamed MDELLA
L'Intervention de Mohamed MDELLAH dans le cadre du Workshop régional co-organisé par l'UIT et AICTO portant sur l'expérience de Tunisie Telecom en matière de protection des données personnelles en rapport avec le Cloud Computing
This document discusses how cloud services can help with security. It notes that scalability, cost savings, and agility are key drivers for companies adopting cloud services. However, cybercrime poses rising risks and costs to businesses. The cloud can enhance security through features like 24/7 monitoring, patching, firewalls, encryption, and identity/access management. It also discusses adopting an "assume breach" mindset and conducting wargame exercises to prepare for and respond to security incidents rapidly. The document promotes Microsoft's cloud compliance certifications and transparency around law enforcement data requests. It introduces their Advanced Threat Analytics solution for on-premises behavioral analytics and advanced threat detection.
This document discusses a seminar on cloud computing security and forensics. It covers topics like cloud security risks, risk assessment, and cloud forensics. The seminar aims to help people understand security issues in cloud computing and how to address them.
This document discusses cloud security and provides an overview of McAfee's cloud security solutions. It summarizes McAfee's cloud security program, strengths, weaknesses, opportunities, threats, and competitors in the cloud security market. It also discusses Netflix's migration to the cloud for its infrastructure and content delivery and outlines Netflix's cloud security strategy.
Cloud computing provides a way for organizations to share distributed resources over a network. However, data security is a major concern in cloud computing since data is stored remotely. The document discusses several techniques used for data security in cloud computing including authentication, encryption, data masking, and data traceability. The latest technologies discussed are a cloud information gateway that can control data transmission and secure logic migration that transfers applications to an internal sandbox for secure execution.
Artificial intelligence (AI) is everywhere, promising self-driving cars, medical breakthroughs, and new ways of working. But how do you separate hype from reality? How can your company apply AI to solve real business problems?
Here’s what AI learnings your business should keep in mind for 2017.
This document discusses security in cloud computing. It begins by outlining the current state of cloud security and several high-profile data breach cases. It then examines some of the key challenges to cloud security, such as insecure interfaces, insider threats, and resource sharing issues. The document compares security in traditional networks versus cloud networks. It also looks at common cloud security controls and an approach based on defense in depth. Finally, it explores security as a service (SaaS) model and its future prospects.
Becoming the safe choice for the cloud by addressing cloud fraud & security t... - cVidya Networks
Nava Levy, cVidya's VP SaaS/Cloud Solutions, chaired and spoke at TM Forum's Management World America's 2011 on Racing Ahead of the Competition by Capitalizing on Your Potential to be the Safe and Secure Choice for Cloud at The Race to Cloud Services Summit
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre... - Acrodex
Trend Micro Deep Security
#1 Security Platform for Virtualization and the cloud
Trend Micro Deep Discovery
Combating Advanced Persistent Threats (APTs)
Trend Micro Mobile Security
Manage and control your mobile devices (BYOD)
Cloud security is a top concern for customers. Providers must demonstrate sound security practices to protect customer and provider data and mitigate risks. While security requirements are not different in cloud computing, worries can grow due to anonymous interactions and low pricing. Key customer concerns include loss of governance, compliance risks, isolation failures, securing data handling, managing interfaces, and the risk of malicious insiders. Providers must implement measures like isolation mechanisms, access controls, encryption, auditing, and policies to address these concerns.
This document discusses security architecture in cloud computing. It provides an overview of cloud risk assessments and how they differ from traditional assessments. It also compares cloud security architectures to traditional security architectures. Finally, it outlines the key domains covered by the Cloud Security Alliance, including governance, operations, and others.
The document discusses developing a system for smart cloud security from single to multi-clouds. It outlines the introduction, literature survey, existing systems, problem definition, software architecture, requirements, UML diagrams, SDLC process, and conclusions. The problem is ensuring security and availability when data is stored and processed across single or multiple cloud systems. The goal is to develop a system that provides features like availability even during cloud failures, ability to handle multiple requests, and data security across single or multi-cloud environments.
In the cloud, data is not tied to one server or even one group of servers, and it can be accessed from multiple devices simultaneously. To protect data, therefore, security solutions must shift from defense of a fixed perimeter towards an approach that protects the data as it travels from physical to virtual to cloud environments.
In the post-PC era, Trend Micro envisions a smart, data-centric security framework that advances the capabilities of our cloud-based Smart Protection Network™, adds smarter threat protection that correlates local threat intelligence; smarter data protection that follows and protects your data; and unified security management that increases visibility into data access and potential attacks.
This presentation was given at the Information Security Executive Summit on 28th / 29th February 2012
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S... - Skybox Security
1) The document discusses the challenges facing CISOs in 2013, including the need to identify and mitigate risks, ensure effective controls, and communicate risks in business terms.
2) It presents Skybox Security as a leader in proactive security risk management through predictive risk analytics and continuous, scalable operations across diverse customers and industries.
3) The CEO argues that traditional vulnerability management, SIEM, and GRC tools are insufficient for continuous and effective security risk management. Skybox proposes an integrated approach using modeling, simulation, and risk analytics to provide improved visibility, security, and performance.
How Adopting the Cloud Can Improve Your Security. - martin_lee1969
The document discusses how adopting cloud computing can improve security for organizations. Some key security benefits of the cloud include providers having greater expertise and resources dedicated to security, the ability to automatically scale security capabilities with demand, and incentives for providers to maintain strong security given their business model relies on customers trusting the security of their systems. However, security concerns remain a top adoption barrier, though targeted attacks are still relatively rare. The document provides guidance on how to evaluate cloud providers and ensure they can meet an organization's security requirements.
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20... - Khazret Sapenov
This document discusses the growing demand from customers for cloud computing services and the challenges cloud providers face in meeting those demands. It notes that while public cloud adoption is growing, many customers still have security and privacy concerns that inhibit greater private and hybrid cloud use. The document outlines strategies for cloud providers to provide more compelling security solutions through open standards-based, collaborative approaches between hardware and software vendors to secure datacenters, connections, devices and workloads across cloud infrastructures. It also discusses the rise of "big data" from billions of connected devices and the potential value of analyzing this untapped data for industries like healthcare and government.
Building a Strong Foundation for Your Cloud with Identity Management - Nishant Kaushik
The document discusses identity management strategies for securing cloud environments. It outlines extending enterprise identity and access management capabilities to cloud applications through standards-based federation. Managing authentication, account lifecycles, claims-based identity, and authorization policies are identified as foundational elements for identity management in the cloud. Risks of cloud computing like loss of governance and compliance challenges are also addressed.
Why secure your cloud only halfway – think it all in from the start with Symantec
"Cloud" is many things, and protecting data and systems in the cloud, private or public, requires strategy and careful thought. Come and hear Symantec's recommendations on what to factor into your protection and governance of cloud. We have a comprehensive set of solutions, which we will touch on in this session, covering security, backup, storage management and risk governance, whether for private or public clouds.
This document provides a framework for classifying and rating IT vendors in the cloud computing environment. It begins by defining various classifications for cloud computing based on products, business type, deployment method, servicing model, and technical capabilities. It then discusses factors for rating vendors, such as corporate viability, market offerings, and customer service. Finally, it proposes using these classifications and ratings to map vendors on a "market map" to categorize them as market leaders, major players, up-and-comers, etc. based on capabilities, momentum, market share, and other parameters.
Cloud Computing Webinar: Legal & Regulatory Update for 2012 - itandlaw
Cloud computing has revolutionized computing, providing organizations with the opportunity to outsource their computing capability to a third party provider of networks, servers, storage, applications or services located in multiple jurisdictions. This webinar explored the global legal and regulatory developments in cloud computing that have occurred during 2012.
Cloud security is a must have. Also, an expectation AND a business accelerator.
But what really changes with cloud? Cloud is not more or less secure: the security posture evolves.
Cloud computing provides on-demand delivery of IT resources and applications via the Internet with benefits of scalability, cost-savings and flexibility. However, security is a major concern as customers lose direct control over data and infrastructure. The document discusses key cloud security domains including data security, reliability, compliance and security management. Customers are most concerned about security, reliability and economics when considering cloud adoption. Providers must offer transparency, strong availability guarantees and easy security controls to help customers address these risks.
The document discusses how application-aware network performance management can help businesses in today's digital economy. It highlights factors like increasing traffic, cloud computing, and mobility that are stressing networks. Traditional network monitoring tools do not provide end-to-end visibility into application performance. Riverbed's Cascade solution bridges this gap with deep packet inspection and analytics. The document shares customer cases where Cascade improved visibility, support for initiatives, and reduced IT costs.
This document discusses the growing adoption of cloud computing from different perspectives. It notes that Gartner research predicts 20% of businesses will eliminate all their own IT assets by moving fully to the cloud by 2012. It also discusses how application developers, IT administrators and operators, and business advocates view and are influencing the cloud. Finally, it introduces VMware's vCloud initiatives to provide cloud solutions that can be deployed privately or publicly and integrate internal and external clouds.
AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet - Amazon Web Services
Encryption is emerging as a key cloud security control that can address many cloud compliance and regulatory issues. It isolates data in multi-tenant environments, demonstrates adherence to regulations, and establishes trust in the cloud. Encryption fundamentally solves issues around data access, ownership, isolation between tenants, and separation of duties. SafeNet offers encryption products like ProtectV and Data Secure that maintain customer control over encrypted data in the cloud.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs - Alex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with the climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
UiPath Test Automation using UiPath Test Suite series, part 5 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GridMate - End to end testing is a critical piece to ensure quality and avoid... - ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
How to Get CNIC Information System with Paksim Ga.pptx - danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
CLUSIR, JUNE 12
1. cloud computing security
Jean-François AUDENARD – Orange Business Services - Cloud Security Advisor
CLUSIR presentation – InfoNord – Club RSSI
v1r0 – June 12th, 2012
2. agenda
Data security and lifecycle
– The challenges of data security in the cloud
– Opportunities, but also a return to fundamentals
– "Data-adherent" security: principles & approach
Cloud security at Orange Business Services
– Our "SecuredByDesign" approach
– Model for integrating security into Cloud projects
– Maintaining and improving security day to day
Questions and answers
Cloud Security – 12 June 2012 – Orange Business Services
3. context
4. Our customers are targets
Flame – 1Q2012
CISCO – Global Threat Report – 2Q2011
5. Cloud concentrates everything
Datacenters
Customer’s data
Revenues
Risks
Hacker’s greed
Security (good news!)
6. Threats follow the data
[Diagram labels: Enterprise internal network/IT; Cloud Services Providers (CSP); Threats / Attackers]
7. expectations
8. Cloud security is a must have
All big analyst firms agree!
9. An expectation AND a business accelerator
<…> As counterintuitive as this may seem, enterprises actually expect cloud security to be superior to what they employ for traditional IT services. Current Analysis’ survey of ‘Cloud Services 2011 – Enterprise Adoption Plans and Trends’ in August 2011 found that one of the drivers for cloud adoption is actually more security <…>
Highly secure cloud services will boost our business
10. Compliance
As a customer
– Internal compliance
– vertical compliance (PCI-DSS, …)
As a service provider
– Telco’s legal obligations
Rising trend on personal information
– Data breach notifications
Nothing specific related to cloud
12. Question: what really changes with cloud?
Cloud is not more or less secure: the security posture evolves
– Risks are transferred
– New risks appear
Underlying cloud technologies are not new
Concentration brings new opportunities (but increased risks too).
"…the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective…" (Source: Enisa)
Answer: Cloud requires security excellence & associated transparency
13. Cloud specific vulnerabilities
NIST
– On-demand self-service
– Ubiquitous network access
– Resource pooling
– Rapid elasticity
– Measured service
Virtualization
Direct vulnerabilities
– Hyper-jacking
– VM-Escape
– VM sprawl
– VM Theft
14. Direct vulnerabilities
they’re the visible top of the iceberg
associated risks may hit both
– the provider
– its customers
Identified during risk assessment phase
the provider must manage them
the provider must demonstrate them
15. Vulnerabilities are an opportunity
16. Yes : Thanks to cloud-specific vulnerabilities
NIST
– On-demand self-service
– Ubiquitous network access
– Resource pooling
– Rapid elasticity
– Measured service
Virtualization
Direct vulnerabilities
– Hyper-jacking
– VM-Escape
– VM sprawl
– VM Theft
Indirect vulnerabilities
– Inability to monitor traffic
– Limited network zoning
– Single point of failure
– Forbidden network vulns scans
17. Indirect vulnerabilities
are seen as regressions or limitations
A security control may be either
– difficult to instantiate
– impossible to implement
associated risks are customer-centric
an opportunity for
– provider’s differentiation
– premium services catalog
19. Appropriate level of engagement
[Diagram: responsibilities between parties, split between Cloud Service Provider management and customer’s management, shown for IaaS, PaaS and SaaS]
Layers, as listed on the slide:
– Applications
– Middleware
– Operating systems
– VM
– Hypervisor (VMM)
– Servers & network
– Datacenter
Annotations: increased responsibilities for the Cloud Service Provider; increased criticality; high level of shared resources
20. Cloud models & security
[Diagram: cloud models placed between "Security is under customer’s control" and "Security controlled by the provider"]
– private cloud
– community cloud
– hybrid cloud
– public cloud
Other labels: shared infrastructure; dedicated infrastructure/staff/processes
Internal risk & compliance still apply here!
22. Trust must be both external & internal
Regulation/standards bodies (government, standards, specific regulations)
• Applicable laws
• “Cloud-ready” regulations
• Certification bodies
Internal stakeholders (enterprise): Executives; Business Units; Risk Managers, CISO; Corporate IT; Employees
• Cloud service catalog
• Risks assessment
• Security SLAs
• Policies
Cloud Providers
• Certifications
• Security SLAs
• Transparency
• Adherence to standards
23. with the cloud data is living everywhere
[Diagram: Business Units access the corporate application in the virtual datacenter (VMs); Corporate IT performs administration and VM/data transfers; the cloud infrastructure hosts the VMs and the VM templates]
24. in the cloud data is living everywhere : risk too
[Diagram: the same architecture (Business Units, virtual datacenter, Corporate IT administration, VM/data transfers, cloud infrastructure, VM templates), annotated with risks]
Risks shown on the diagram:
– poor access control
– SQL injections
– toxic data
– malware (shown twice)
– device theft/loss
– sniffing
– DDoS
– impersonation
– VM sprawl
– security patches
– disgruntled admin
– rogue admin
– theft of credentials
– isolation failure
– weak release mgt
– data location
25. the data security lifecycle
– Create: generation of new content or significant modification of existing content
– Store: committing data to storage
– Use: user interacting with the data (cloud & endpoint)
– Share: exchange of data between users, customers and partners
– Archive: data-transfer to long-term storage
– Destroy: permanent destruction & content discovery
26. simultaneous and multiple data lifecycles
[Diagram: the same architecture, with the Create / Store / Use / Share / Archive / Destroy lifecycle repeated at several points: Business Units, virtual datacenter, Corporate IT administration, cloud infrastructure and VM templates]
27. use-case: a Virtual Machine (IaaS)
1 Create: initial creation by corporate IT
2 Share: transfer to the cloud as an OVF container
3 Store: insertion in the VM template store
4 Use: VM are instantiated and executed for business purposes
5 Destroy: VM templates and instances are deleted
28. Create and Share
Create: 1 creation of the VM template by corporate IT
1. classify
2. assign rights
– Risk-based decision for moving specific workloads/applications in selected cloud(s)
– Tag VM templates with labels to facilitate rights allocation/assignments
Share: 2 transfer to the cloud as an OVF container
1. activity monitoring & enforcement
2. encryption
3. logical controls
4. application security
– watch when and where admin(s) are transferring templates
– log accesses to admin interfaces
– secure data in motion using encryption
– secure admin interfaces/API
29. Store / Use
Store (step 3: insertion in the VM template store)
1. filesystem access controls: isolation between tenants & administrator separation of duties
2. encryption: volume/media encryption
3. rights management: enforcement of rights created during “Create” phase (when data enters storage)
4. content discovery: ensure data are located at the right place
Use (step 4: VMs are instantiated and executed for business purposes)
1. activity monitoring & enforcement: agent-based security & access log collection
2. rights management: enforcement of rights created during “Create” phase (modification, export, copying, …)
3. logical controls: application logic controls
4. application security
! 2 perimeters of controls: 1) cloud-based controls 2) endpoint-based controls
30. Use / Destroy
Use (step 4: VMs are instantiated and executed for business purposes)
1. activity monitoring & enforcement: agent-based security & access log collection
2. rights management: enforcement of rights created during “Create” phase (modification, export, copying, …)
3. logical controls: application logic controls
4. application security
Destroy (step 5: VM templates and instances are deleted)
1. crypto-shredding: delete the encryption keys
2. secure deletion: overwrite data from 3 to 7 times with random pattern
3. physical destruction: degaussing or physical destruction of storage devices
4. content discovery: ensure no copies or versions of the data remain accessible
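Slide 30 lists crypto-shredding first among the Destroy controls: when a template only ever reaches storage encrypted under its own key, deleting that key also disposes of archived copies. The following Python is an added example, not material from the presentation; `TemplateStore`, the template id, the sample bytes and the HMAC-based stand-in cipher are assumptions chosen so that it runs on the standard library alone.

```python
import hashlib, hmac, os

def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in for a vetted AEAD (e.g. AES-GCM): HMAC-SHA256 counter mode, stdlib only.
    pad = b"".join(_prf(key, b"enc", nonce, i.to_bytes(8, "big"))
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce, ct)):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(key, nonce, ct)

class TemplateStore:  # hypothetical VM template store using envelope encryption
    def __init__(self):
        self._kek = os.urandom(32)  # key-encryption key; held in a KMS/HSM in practice
        self._wrapped = {}          # template id -> per-template key wrapped under the KEK
        self.blobs = {}             # template id -> ciphertext as written to storage
    def store(self, tid, image):    # "Store": only ciphertext reaches the media
        dek = os.urandom(32)
        self._wrapped[tid] = seal(self._kek, dek)
        self.blobs[tid] = seal(dek, image)
    def use(self, tid, blob=None):  # "Use": decrypts the live blob or an archived copy
        dek = unseal(self._kek, self._wrapped[tid])
        return unseal(dek, self.blobs[tid] if blob is None else blob)
    def destroy(self, tid):         # "Destroy": crypto-shred by deleting the wrapped key
        del self._wrapped[tid]
        self.blobs.pop(tid, None)

def demo():
    store, image = TemplateStore(), b"CONSTRUCTED-SAMPLE-DISK " * 8  # constructed data
    store.store("tmpl-linux-01", image)
    archived = store.blobs["tmpl-linux-01"]     # a copy that outlives the store entry
    before = store.use("tmpl-linux-01", archived) == image
    store.destroy("tmpl-linux-01")
    try:
        after = store.use("tmpl-linux-01", archived) == image
    except KeyError:
        after = False                           # key gone: the archived copy is unreadable
    return before, after
```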
31. Implementation rules
• transparency brings confidence
• change your mind for data-centric security
• leverage existing security frameworks & practices
• participate in research & standardization activities
32. secure Infrastructure
6 lessons learnt from the field
• Build security in from the start of the project
• Select your compliance frameworks & stick with them
• Train your team and educate others on cloud security
• Take network & IT convergence as an opportunity
• Integrate security in existing processes
• Get intimate with cloud IT & ops
36. CloudTrust : a tailored approach for secure cloud
CloudTrust
> per-service based > unified to the cloud-program
> part of standard processes > bridge processes between BUs
> risks/benefits based approach > cloud security architects
> keep service definition > enhanced security value prop.
> focuses on think/build/deploy > integrated operational security
secure cloud services backed with highly reliable
network connectivity with end-2-end SLAs
37. maintaining & enhancing trust in cloud services
CISSM (Cloud Information Systems Security Manager)
• Global security oversight on changes
• Incident management
• Admin & third-parties access management
• Legal obligations
• Vulnerabilities Management
• Periodic security reviews & audits
38. end-2-end operational security
[Diagram: Orange Cloud Computing Services (Flexible Computing Express, Flexible Backup, …) surrounded by four groups]
cloud security architects
• build security in right from the beginning
• ensure continuous delivery model with smooth roll-out
CISSM
• global understanding and broad experience
• leverage experiences and foster new initiatives
certifications (JCI, ISO 27K/20K)
• certified security professionals
• active role in certifications activities and 27K ISMS
private cloud
• leverage processes to bolt security in
• deliver telco-grade expertise to customer’s private cloud
• tailored solutions for specific requirements
39. Flexible Computing Express
[Architecture diagram. Labelled elements: CISSM; Service Providers; Business VPN and Business VPN Galerie; Internal Private WAN; Remote sites; Datacenters; Secure Virtual Data Center (6 zones) with LB and VMs; DDoS Protection; Firewalling; 2-factors Auth; Logs; VM Templates; Security patches; Antivirus; Backup; VPN-SSL Console; Automated VA scans; IPVPN network connectivity; ISAE 3402 datacenters (SAS 70 Type 2)]
40. Flexible Computing Express standard security features
Secure Virtual DataCenter (vDC), 6 zones
• 6 dedicated/isolated VLANs
• Stateful firewalling (dedicated instance)
• Load-balancing (dedicated instance)
Secure management
• VPN-SSL remote access
• web-based unified management (vDC, VLANs, FW, …)
• Two-factor authentication
• Access to firewall logs
Security services zone
• VM templates (Microsoft, Linux)
• Security patches distribution servers
• Antivirus signatures
• Backup services
41. additional security services
[Diagram: security services store alongside the Secure Virtual Data Center (6 zones) with LB, VMs, 2-factors Auth, Logs, VM Templates, Security patches, Antivirus, Backup, VPN-SSL Console]
security services
• Hardened VM templates
• Vulnerability scans & compliance
• Encrypted VM & volumes
• IDS/IPS
• Database security
• …
professional services
• Vulnerabilities management
• OS & Applications Management
• Security audits
• Penetration testing
• …
42. takeaways
43. blogs : the direct link with our security experts
http://blogs.orange-business.com/connecting-technology/security/
http://blogs.orange-business.com/securite/
44. continue the journey with us !
CSA EMEA Congress – 25-26th September 2012 - Amsterdam
http://www.cloudsecuritycongress.com/
C&ESAR 2012 – 20-22th November – Rennes
http://www.cesar-conference.org/