Cloud can provide great flexibility to IT, ensuring business continuity and optimizing costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt a virtual data center (IaaS) or on-line applications (SaaS), you shift the security paradigm as it was conceived up to now. The presentation will examine the security implications of a Cloud infrastructure and possible remedies, with practical examples.
This data centric exercise is intended for individuals who want to gain a better understanding of their information assets and run through a structured brainstorming guide for a Data Loss Prevention (DLP) plan in efforts to protect their data.
Ideal for those looking to gain greater situational awareness on their personal information assets.
Part A: Understand what information assets exist.
Part B: Categorize the information assets identified in part A into Low, Medium and High.
Part C: Identify where the information assets are located. [Mirrors & backups included]
Part D: Considering the sensitivity classification identified in Part B and the location of the information assets identified in Part C, create a Data Loss Prevention (DLP) plan for when the information assets are at rest, in motion, in use, or when they are disposed of.
Efficiency, effectiveness, productivity: Dell Connected Security in action (Kenneth de Brucq)
Dell Solutions Tour 2014 Norge
Florian Malecki, Product Marketing Director at Dell
Silos of disconnected security information are killing your efficiency and effectiveness, making it more difficult than ever to be productive. These silos are caused by the layers of disjointed security tools and structures your organization has implemented. But Dell's approach to managing security is different. Attend this session to see how Dell's integrated approach knocks down security silos and brings solutions together to improve your efficiency and effectiveness.
Symantec Data Loss Prevention 11 simplifies the detection and protection of intellectual property. Symantec’s market-leading data security suite features Vector Machine Learning, which makes it easier to detect hard-to-find intellectual property, and enhancements to Data Insight that streamline remediation, increasing the effectiveness of an organization’s data protection initiatives.
The Cloud & I, The CISO challenges with Cloud Computing (Moshe Ferber)
The Cloud is a challenge for the security professional, but it also creates opportunities. In this presentation we will give an overview of the different cloud challenges for each market sector.
Cloud security for banks - the central bank of Israel regulations for cloud s... (Moshe Ferber)
This presentation discusses how Israeli banks should cope with the Israeli central bank's cloud regulations. In the slides we examine different articles of the cloud regulation and discuss the challenges and the controls to be used.
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization (Raffa Learning Community)
An examination of the ever-growing cyber threats behind the cyber attacks and fraud scams that cost businesses billions of dollars globally. This session will step through current and emerging cyber attack and cyber fraud scenarios, and then discuss how basic but effective security controls can help to significantly reduce the risks.
IBM Security Strategy Intelligence, Integration and Expertise
by Marc van Zadelhoff, VP, WW Strategy and Product Management, and Joe Ruthven, IBM MEA Security Leader
Cloud data governance, risk management and compliance ny metro joint cyber... (Ulf Mattsson)
The rapid rise of cloud data storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of data governance, usability, compliance and security in the cloud environment.
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ... (Ulf Mattsson)
Practical Advice for Cloud Data Security for Oracle
Learn about critical security issues in the Cloud in relation to databases
Learn about Cloud data security guidance and standards
Learn Cloud data security technologies, models and Cloud security in context to the enterprise
The rapid rise of cloud databases, storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of usability, database indexing, database searches, separation of duties, key management, tokenization, compliance, privacy and security in the cloud environment.
Practical advice for cloud data protection ulf mattsson - bright talk webin... (Ulf Mattsson)
The rapid rise of cloud data storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of data governance, usability, compliance and security in the cloud environment.
Key Topics include:
What is “Cloud” computing?
Security issues in the Cloud
Cloud data security guidance
Cloud data security technologies and models
Cloud security in context to the enterprise
Understand what it means to develop a cloud security strategy as a cybersecurity specialist. Gain mastery in core skills via the best cybersecurity certification programs. Becoming a Cloud security professional is made easy with USCSI®.
Read more: https://shorturl.at/lDGL7
Turning the tables talk delivered at CCISDA conference (Dean Iacovelli)
Slides from my presentation at the CCISDA (California Counties) information technology conference this week. NOTE: hacking video I narrated has been removed for file size considerations.
This presentation was delivered at the 2nd International Conference on Recent Trends in Information Technology and Computer Science in Mumbai. The paper deals with security issues in Cloud Computing and their mitigation, and proposes a secure cloud mechanism with an implementation of single sign-on on the Ubuntu Enterprise Cloud.
Turtles, Trust and The Future of Cybersecurity
Faith in our institutions is collapsing, and GDPR is at the door. What would cybersecurity look like if we started from scratch, right now, in our hybrid, interdependent world? It would focus relentlessly on data. Learn how a data-centric security approach can reduce risk, increase efficiency and re-engineer trust in a society where faith has been shaken by unstoppable breaches.
The cyber house of horrors - securing the expanding attack surface (Jason Bloomberg)
The enterprise attack surface has exploded in recent years. More users on more devices in more locations are able to access ever more sensitive enterprise applications. The result is that the number of targets for attackers has gone up dramatically.
The expanding attack surface has been dubbed a “Cyber House of Horrors,” as insider risks, aggressive social engineering, exploitation of outdated access controls, and a range of other security issues have come to the fore.
Join Certes Networks and Intellyx for a webinar to explore:
What factors are driving the expansion of the attack surface?
What types of attacks and exploits are taking advantage of these changes?
How are segmentation techniques and access controls evolving in response?
This is a very short slide deck I did for a 10-minute slot on a http://pistoiaalliance.org/ webinar. The slides do not fully cover what I intend to talk about so if the webinar is recorded and available afterwards I'll update this description with the recording URL.
PDF copy of the slides available upon request ("chris@bioteam.net")
Cloud Security - Emerging Facets and Frontiers (Gokul Alex)
My session on Cloud Computing Security prepared for ISC2 Bangalore Chapter MeetUp. It is a walkthrough on the fundamental axioms of cloud security with reference to architecture standards, industry best practices and a coverage of some of the most pertinent attack vectors in the recent times. This presentation delves deeper into Cloud Security Reference Architectures, Cloud Security Operating Models, Cloud Firewalls, Cloud Identity Access Management Models, Cloud Malware Concepts etc.
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha... (Amazon Web Services)
There’s no shortage of noise about cybersecurity. Between the sheer number of vendors and daily news coverage about the next big vulnerability or breach, it’s easy to start feeling directionless and reactive. However, there are ways to cut through the noise. The first step is understanding how companies are actually getting breached - not just the ones you hear about in the media. Then, you can create a strategy that’s tailored to your risk profile and attack surface. In this session, you’ll leave with an understanding of how to measure your risk, devise a realistic defense strategy, and deploy high-impact security, no matter what your budget or time crunch is.
The Shared Responsibility Model of Cloud Computing - ILTA NYC (Patrick Sklodowski)
Cloud Security is YOUR responsibility, not just your service provider's! Understand the shared responsibilities of Cloud Computing from the public cloud to application as a service.
Includes a few updates from the Philadelphia session!
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at... (Michael Noel)
Organizations today are vastly unprepared for the threat of modern cyber-attacks. At the same time, the attackers are becoming more sophisticated and the amount of resources at their disposal is increasing. It has become a lucrative business to hack, disrupt, and steal intellectual property from organizations of all sizes and in all business sectors.
While the attackers are becoming more sophisticated, organizations have their IT security positioned for threats from the past century, with poor password management techniques, simple ACL based file permissions, and basic firewall and zone-based containment techniques. This makes it easier for attackers to obtain access to critical intellectual property and makes career-ruining disruptions all the more common.
This session focuses on understanding what is currently wrong with IT security practices and how your organization can change processes, techniques, and tools to provide for a significantly higher level of IT security without necessarily having to implement expensive tools or obtrusive processes.
• Understand the pitfalls of current IT Security practices, including myths around password change policies, allowing logins without providing multiple factors, and the proliferation of ‘always-on’ admin rights.
• Examine how simple changes in IT strategy can greatly improve your overall IT posture, including up to a 99% reduction in the likelihood of credential theft.
• Determine which easy-to-deploy tools and features, which you may already be licensed for, can be used to tighten up IT security within an environment, including solutions such as Microsoft Defender for Identity, Azure Sentinel, Microsoft Cloud App Security, next-generation firewalls, and more.
Similar to Identity theft in the Cloud and remedies (20)
Slides I published explaining OpenStack at the OpenSource conference in Milan 2016. They also explain how business processes are involved and describe the OpenStack components.
OpenStack Explained: Learn OpenStack architecture and the secret of a success... (Giuseppe Paterno')
OpenStack can help your business cut costs and achieve a faster time to market. A lot of people are looking at OpenStack as an alternative to VMware, and most of the vendors are trying to make you think that virtualization is cloud. While Cloud implies a virtualized environment, virtualization is not a cloud.
This ebook will go through the concept of Cloud and help you understand the architecture of OpenStack and its benefits. It also explores DevOps and reveals the "secret ingredient" for a successful cloud project.
This ebook was created to raise funds for the Nepalese population after the Earthquake in 2015.
OpenStack security is a huge topic. In these slides, which I presented at the OpenStack Day, I analyzed cloud security from the network to the application layer, going through specific layers, some of them shared between OpenStack itself and the applications.
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti (Giuseppe Paterno')
No matter if you are a lonely system administrator or the CTO of the largest carrier in the world, getting to know what’s out there is a jungle. Is VMware still the leader? I’ve heard about OpenStack, how mature is it? And what is this “Ganeti” I’ve never heard of?
Well, here I am. Guess what, you’re not the only one asking these questions. I traveled most of Europe listening to the world’s most famous enterprises, banks and telcos, and was also in contact with many vendors’ labs, from San Francisco to Munich.
In this presentation I just wish to give a quick overview of the state-of-the-art in the IaaS and virtualization world. This is not a sales or marketing presentation: no vaporware, just pure and real experience from the field.
Enjoy the slides and stay tuned on my twitter channel @gpaterno
Identity management for banking fraud control (Giuseppe Paterno')
What is the difference between a retail bank and a private bank when it comes to fraud? In private banking we see several phenomena, such as the use of mobile devices (tablets, smartphones, ...) and the increase in fraud due to the human factor. My talk at Forum Banca 2013 describes the risks of private banking and how they were addressed. Presentation in collaboration with Banca Esperia, Mediobanca group.
The problem of identity theft in Cloud infrastructures and possible remedies (Giuseppe Paterno')
It is well known that the Cloud gives IT greater flexibility, guaranteeing business continuity and optimizing costs. But what are the implications for corporate security? Recent news has shown that even big names such as IEEE, Apple and Samsung are among the most famous victims of identity theft in the Cloud. Adopting virtual data centers (IaaS) or on-line applications (SaaS) shifts the security paradigm as it has been conceived so far.
The presentation will analyze the security implications of a Cloud infrastructure and the possible remedies, with practical examples.
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operations view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need in order to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of the infrastructure requirements and technologies that could be beneficial for or limiting to your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I have already got working for real.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Knowledge engineering: from people to machines and back
Identity theft in the Cloud and remedies
1. Identity theft in the Cloud and remedies
Giuseppe “Gippa” Paterno’
Friday 26 October 12
2. My identity: Giuseppe “Gippa” Paternò
• Director Digital of GARL, the Swiss bank behind the SecurePass service
• EMEA Sales Engineer of Canonical, the company behind Ubuntu
• Security researcher, open source enthusiast, and friend of the “Penguin” since 1995
• Leisure pilot ... a good excuse to be back in an airport during the weekends :)
• Non-professional Chef (Ramsay, I challenge you :)
• Radio-amateur with a passion for “strange” WiFi: my association has the world record of a 304km link in WiFi!!
3. Cloud, a buzzword with different meanings
IaaS, SaaS, PaaS ... what a MesS!
4. What is meant by “Cloud”
A set of services, usually “rented” from a service provider or from the internal IT department (for large corporations), that enables:
• Flexibility: the ability to expand or reduce our IT infrastructure based on business needs
• Resiliency: high availability of IT services, ensuring business continuity in any event
• Accessibility: access to services anytime and anywhere on earth with a simple Internet connection
• Cost optimization: a true pay-as-you-use IT infrastructure without wasting money
5. The Cloud: IaaS
IaaS = Infrastructure as a Service
• Renting a virtual infrastructure, composed of virtual servers and virtual networks, from a service provider
• Example: Amazon Web Services, Moresi.Com, etc.
• Security risk: total control of the IT infrastructure by an attacker, with service disruption or silent data leaking (the control panel is accessible from the Internet)
6. The Cloud: SaaS
SaaS = Software as a Service
• Renting a given application, usually web-based, from a service provider, with high availability and accessible from anywhere
• Example: SalesForce.com, Office 365, etc.
• Security risk: compromising a single identity will lead to corporate data leaking by an attacker or competitor
7. The Cloud: PaaS
PaaS = Platform as a Service
• Renting an “application environment” that hosts YOUR application. Compared to IaaS, PaaS does not focus on the operating system but on “operating” the application environment (app server, languages, frameworks, databases, etc.)
• Example: Microsoft Azure, Google App Engine, CloudFoundry, etc.
• Security risk: total control of the application(s) by an attacker, with service disruption (control panel accessible from the Internet) and corporate data leaking (users’ identity theft)
8. Let’s make things complicated: BYOD
• Yet another marketing buzzword :)
• BYOD = Bring Your Own Device
• Basically the use of a “consumer” device within a corporate environment: iPad/iPhone/Android/....
• Security risk: a lost or stolen device means access to confidential data. Many apps for iOS/Android use a “static key” that bypasses the identification process.
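The static-key failure mode above, as an added example that is not from the talk or from any product it mentions: a “before” authorizer that serves any request carrying the app-wide key, beside a hardened one that identifies the user with a per-device, expiring, revocable token issued only after authentication. All names, keys and identifiers are constructed.

```python
import secrets

# Constructed example: an app-wide key compiled into every copy of a mobile app.
STATIC_APP_KEY = "constructed-static-app-key"


def vulnerable_authorize(request: dict):
    """Before: any request carrying the app's static key is served.
    Nothing identifies the user, and a lost device (or a key pulled out of
    the app binary) keeps working for everyone until the app is rebuilt."""
    return "anonymous-app-user" if request.get("app_key") == STATIC_APP_KEY else None


# After: the server issues a per-user, per-device, expiring token only once the
# user has been identified (e.g. password + one-time code); the app stores the
# token instead of a shared secret, and a lost device is handled by revocation.
ISSUED_TOKENS = {}  # token -> (user, device_id, expiry)


def issue_token(user: str, device_id: str, now: int, ttl: int = 3600) -> str:
    token = secrets.token_urlsafe(24)        # 192 random bits, unguessable
    ISSUED_TOKENS[token] = (user, device_id, now + ttl)
    return token


def revoke_device(device_id: str) -> int:
    """Lost or stolen device: drop every token bound to it; returns count removed."""
    doomed = [t for t, (_, dev, _) in ISSUED_TOKENS.items() if dev == device_id]
    for t in doomed:
        del ISSUED_TOKENS[t]
    return len(doomed)


def hardened_authorize(request: dict, now: int):
    """Return the identified user, or None if the token is unknown, expired,
    or presented from a different device than it was issued to."""
    record = ISSUED_TOKENS.get(request.get("token"))
    if record is None:
        return None
    user, device_id, expiry = record
    if now > expiry or device_id != request.get("device_id"):
        return None
    return user
```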
9. Famous victims of identity theft
... and many others!
10. Identity theft in numbers
• 10 million victims of identity theft in the USA in 2008 (Javelin Strategy and Research, 2009)
• 221 billion dollars lost every year due to identity theft (Aberdeen Group)
• 5840 hours to correct the damages due to identity theft, i.e. 2 years of a working resource (ITRC Aftermath Study, 2004)
• 35 billion corporate and government records compromised in 2010 (ITRC)
• 2 is the multiplication factor of the number of breaches from 2009 to 2010: the trend of data breaches due to identity theft is doubling each year.
11. Human factor, an example in aviation
An organization can minimize its vulnerability to human error and reduce its risks by implementing human factors best practices [...] It contains guidance material which [...] should help reduce the risks associated with human error and human factors, and improve safety. It [...] concentrates upon risk and error management rather than risk and error elimination.
(EASA, JAR 145, Aviation Human Factors)
12. Human factor in IT (in)security
• The human factor is the primary cause of intrusions by hackers, foreign government agencies or competitors. Two major issues:
• Passwords easy to guess or crack
• Social Engineering
• Hope is not a strategy!
13. Best practices, why they don’t work
• Maybe the most adopted is BS/ISO 17799, which eventually became ISO 27001
• Most best practices cover physical access, server hardening, network access and segregation, etc...
• They just don’t make sense anymore in a Cloud environment
• ... but they could be helpful to select our supplier
• What still makes sense is access control:
• secure identification of a given user (identity management)
• check and log who’s doing what (auditing)
• permissions/rights to access a given piece of data or document (policy management)
16. Identity theft remedies
Security must be simple and transparent to the end user, otherwise it will be circumvented!
• Strong authentication of the users
• Identify the country the user is connecting from (GeoIP)
• Patches, patches and ... patches!
• Secure application programming
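An added example (not from the talk and not SecurePass code) that puts together the first two remedies above with the auditing requirement from slide 13: a login decision that requires a software token (RFC 6238 TOTP, the kind a smartphone app generates), checks the connecting country via GeoIP, and writes one audit line per attempt saying who, from where, and why it was allowed or denied. The user directory, the GeoIP table and the IP addresses are constructed stand-ins for a real directory and GeoIP database.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo directory (hypothetical): one TOTP seed per user, as shared
# with a software token on a smartphone, plus the countries the user is
# expected to connect from.
USERS = {
    "alice": {"totp_secret": b"12345678901234567890", "allowed_countries": {"CH", "IT"}},
}

# Constructed stand-in for a GeoIP database lookup (documentation addresses only).
GEOIP = {"192.0.2.10": "CH", "198.51.100.7": "US"}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


def evaluate_login(user, password_ok, otp_code, src_ip, unix_time, audit):
    """Return allow/deny and append one JSON audit line: who, from where, when, why."""
    rec = USERS.get(user)
    entry = {"user": user, "ip": src_ip, "country": GEOIP.get(src_ip, "unknown"), "ts": unix_time}
    if rec is None or not password_ok:
        decision = "deny:credentials"
    elif not verify_totp(rec["totp_secret"], otp_code, unix_time):
        decision = "deny:otp"          # a password alone is not enough
    elif entry["country"] not in rec["allowed_countries"]:
        decision = "deny:geoip"        # valid credentials, unexpected country
    else:
        decision = "allow"
    entry["decision"] = decision
    audit.append(json.dumps(entry, sort_keys=True))
    return decision
```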
17. Intranet vs the Cloud and Trusted third party
• In a “traditional” world, Microsoft Active Directory usually covers the identity management, auditing and policy roles
• AD was not conceived to fit a Cloud environment or to be accessed from “outside” company boundaries (or firewalls)
• A distributed identity management system is needed, one that implements something like Microsoft Active Directory for Cloud environments, is able to reduce “human errors” through strong authentication and is operated by a trusted third party.
18. A possible solution:
• SecurePass is a Unified Secure Access platform for Cloud, web applications and security devices (VPN, firewalls, ...)
• Strong authentication, with hardware tokens or software tokens on smartphones (iOS/Android/BlackBerry)
• Identity Management, with personnel’s information
• Seamless web Single Sign-On, to simplify user access (and avoid circumventions)
• Based on open protocols: LDAP, RADIUS and CAS
• Easy to integrate: protect your infrastructure and applications in a few minutes.
• Guaranteed by a Swiss bank
19. Case Study: Moresi.Com
• Housing / Swiss hosting provider with two data centers, constantly expanding
• Highly selected customers, including banks and national and international companies
• Moving the focus from traditional housing / hosting to a cloud provider (VMware vCloud based)
• Each customer has access to a "virtual datacenter" that they can orchestrate at will
• Objective: establish secure access to the virtual datacenters
21. Case Study: Insurance company
• World’s second largest multinational insurance company, 48 subsidiaries worldwide, each one with its board of directors, CEO, CFO
• All CxO level members access confidential documents on the move through any device (laptop, tablet, smartphone), with a high risk of data leaking
• Objective: provide secure access to their board of directors’ classified documents and avoid information leaking, through an ad-hoc secure Java-based web application
22. Case Study: Automotive company
• One of the top 5 automotive suppliers in the world with over 120,000 employees
• Need to solve the security issues connected to BYOD (Bring Your Own Device) by employees and top managers, in particular tablets and smartphones
• Objective: provide secure access to corporate resources from BYOD through SSL VPNs and ad-hoc portals
23. SecurePass Contest 2012
• Integrate SecurePass and publish a story in a blog or on-line magazine. A good excuse for:
• testing SecurePass for free
• learning something new
• letting your boss or your customers know that you care about security
• ... and winning something ;-)
• http://www.secure-pass.net/contest2012
24. Q&A
Giuseppe Paternò
gpaterno@gpaterno.com
gpaterno@garl.ch
Web sites:
www.gpaterno.com
www.secure-pass.net
Twitter: @gpaterno