Building and deploying modern systems in highly regulated cloud environments is challenging. Regulators impose requirements that are meant to be applied in a traditional on-premise environment, which requires unique design decisions in cloud native environments. In this session, we will explore the key lessons learned building a regulated cloud environment, automating deployments, securing networks, and configuring compliance services. Attendees will leave with an understanding of the key regulatory requirements, and the cloud native security controls for meeting those requirements.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.
In 2018, Zero Trust Security gained popularity due to its simplicity and effectiveness. Yet despite a rise in awareness, many organizations still don’t know where to start or are slow to adopt a Zero Trust approach.
The result? Breaches affected as many as 66% of companies just last year. And as hackers become more sophisticated and resourceful, the number of breaches will continue to rise.
Unless organizations adopt Zero Trust Security. In 2019, take some time to assess your company’s risk factors and learn how to implement Zero Trust Security in your organization.
This document discusses security risks and recommendations for cloud computing. The top threats to cloud security are data breaches, data loss, account hijacking, insecure interfaces and APIs, denial of service attacks, malicious insiders, insufficient due diligence, abuse of cloud services, and shared technology vulnerabilities. Virtual machines (VMs) are also vulnerable via VM attacks between VMs on the same physical server, increased attack surface from multitenancy, and hypervisor attacks that can control all VMs and systems. The document recommends security measures like security information and event management (SIEM), identity and access management (IAM), data dispersion, data leakage prevention (DLP), bit splitting, cloud monitoring, load balancing, effective exit processes, and
This document provides an overview of penetration testing on AWS environments. It discusses the key areas to focus on when penetration testing AWS infrastructure and applications, including external infrastructure, applications, internal infrastructure, and AWS configurations. It also outlines services that can be tested without prior approval and limitations on testing AWS-managed infrastructure. The document then covers starting penetration testing activities, accessing AWS with IAM credentials, enumerating IAM users, groups, and policies, and new methods for enumerating cross-account roles between AWS accounts.
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.
In 2018, Zero Trust Security gained popularity due to its simplicity and effectiveness. Yet despite a rise in awareness, many organizations still don’t know where to start or are slow to adopt a Zero Trust approach.
The result? Breaches affected as many as 66% of companies just last year. And as hackers become more sophisticated and resourceful, the number of breaches will continue to rise.
Unless organizations adopt Zero Trust Security. In 2019, take some time to assess your company’s risk factors and learn how to implement Zero Trust Security in your organization.
This document discusses security risks and recommendations for cloud computing. The top threats to cloud security are data breaches, data loss, account hijacking, insecure interfaces and APIs, denial of service attacks, malicious insiders, insufficient due diligence, abuse of cloud services, and shared technology vulnerabilities. Virtual machines (VMs) are also vulnerable via VM attacks between VMs on the same physical server, increased attack surface from multitenancy, and hypervisor attacks that can control all VMs and systems. The document recommends security measures like security information and event management (SIEM), identity and access management (IAM), data dispersion, data leakage prevention (DLP), bit splitting, cloud monitoring, load balancing, effective exit processes, and
This document provides an overview of penetration testing on AWS environments. It discusses the key areas to focus on when penetration testing AWS infrastructure and applications, including external infrastructure, applications, internal infrastructure, and AWS configurations. It also outlines services that can be tested without prior approval and limitations on testing AWS-managed infrastructure. The document then covers starting penetration testing activities, accessing AWS with IAM credentials, enumerating IAM users, groups, and policies, and new methods for enumerating cross-account roles between AWS accounts.
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Presented at MQ Technical Conference - 24th September 2018
Security features are important in any modern day application and MQ is no exception. In order to ensure user data is protected to the user's requirements applications must supply a variety of configurable security features. In this session we will be providing an introduction to all of IBM MQ's security features and a high level overview of why you would use them.
1) Zero Trust is a security model that does not inherently trust anything inside or outside its perimeter and instead verifies anything and everything trying to connect to its systems before granting access.
2) Traditional security models rely on physical or logical network boundaries to define what is trusted, but this is ineffective as users and devices can no longer be trusted once inside these boundaries.
3) The core tenants of Zero Trust include secure all communication, grant least permission, grant access to single resources at a time, make access policies dynamic, collect and use data to improve security, monitor assets, and periodically re-evaluate trust.
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
This Deck, gives you an overview of the zero trust security posture, considerations you should have while looking to adopt that posture, and the advantages of doing so.
This document discusses Zero Trust security and how to implement a Zero Trust network architecture. It begins with an overview of Zero Trust and why it is important given limitations of traditional perimeter-based networks. It then covers the basic components of a Zero Trust network, including an identity provider, device directory, policy evaluation service, and access proxy. The document provides guidance on designing a Zero Trust architecture by starting with questions about users, applications, conditions for access, and corresponding controls. Specific conditions discussed include user/device attributes as well as device health and identity. Benefits of the Zero Trust model include conditional access, preventing lateral movement, and increased productivity.
Securing your cloud perimeter with azure network security brk3185jtaylor707
This document discusses Azure network security features for securing the cloud perimeter and implementing a zero trust architecture. It covers Azure Virtual WAN for connecting and segmenting networks, Azure Firewall for security policy enforcement across distributed networks, and Azure Private Link for private connectivity to PaaS resources without an internet accessible IP address. Other relevant security services mentioned include Azure Web Application Firewall, Azure Bastion for secure RDP/SSH access without a public IP, and Azure DDoS Protection.
Pentest ekiplerinin kullandığı Kali dağıtımı ile Linux dünyasına giriş dökümanıdır. Bu döküman; güvenlik alanına giriş yapmak isteyen insanların Türkçe kaynak problemini gidermeyi amaçlayarak hazırlanmıştır. Bu açık kaynak projesine katkı sağlamak isteyen gönüllü linux kullanıcıları ise bize ulaşabilirler. Yazım hatası, anlam karmaşası, yanlış bilgi veya iyileştirmeler için mehmet.ince@intelrad.com adresine mail atabilirsiniz. İyi çalışmalar.
Understand the concepts of the NIST Zero Trust Architecture (ZTA). We will use a parenting analogy and show how it applies to protecting file as an enterprise resource.
Palo alto networks next generation firewallsCastleforce
The document summarizes Palo Alto Networks next-generation firewalls which can identify applications, users, and content to provide visibility and granular control. This helps address challenges of uncontrolled use of internet applications in enterprises. The firewalls can see through ports and protocols to classify over 900 applications using techniques like App-ID, User-ID, and Content-ID. This gives IT unprecedented control over network activities.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
This Cloud Security tutorial shall first address the question whether Cloud Security is really a concern among companies which are making a move to the cloud. The tutorial also discusses the process of troubleshooting a problem in the cloud. This tutorial is ideal for people who are planning to make a career shift in the cloud industry. Below are the topics covered in this tutorial:
1. Why and What of Cloud Security?
2. Private, Public or Hybrid
3. Is Cloud Security really a concern?
4. How secure should you make your application?
5. Troubleshooting a threat in the Cloud
6. Cloud Security in AWS
Lex Crumpton leads MITRE's defensive ATT&CK efforts. In 2021, they added data sources and detections for monitoring processes interacting with LSASS.exe and detecting credential dumping tools. In 2022, they plan to add more detections and develop the Cyber Analytic Repository to share analytic knowledge. Crumpton invites attendees to learn more about defensive ATT&CK on their website and contact them directly with any other questions.
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation.
Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
This presentation simplifies Cloud, Cloud Security and Cloud Security Certifications. This includes the following:
- Understanding Cloud
- Understanding Cloud Security using the Risk Management and Cloud Security Control Frameworks
- Cloud Security Certifications
- Key Definitions
This advanced technical session covers architecture patterns for different workloads, IAM policy tips & tricks, and how to implement security automation and forensics. Be prepared for a technically deep session on AWS security.
AWS CloudHSM allows customers to leverage dedicated Hardware Security Modules (HSMs) located within AWS data centers. This provides strong protection of encryption keys through physical and logical access controls. While AWS manages the HSM appliances, customers control and manage their own keys. Application performance can also improve through the close proximity of HSMs to workloads running in AWS. Customers have full control over key generation, storage, and use through APIs that integrate with their existing applications.
Presented at MQ Technical Conference - 24th September 2018
Security features are important in any modern day application and MQ is no exception. In order to ensure user data is protected to the user's requirements applications must supply a variety of configurable security features. In this session we will be providing an introduction to all of IBM MQ's security features and a high level overview of why you would use them.
1) Zero Trust is a security model that does not inherently trust anything inside or outside its perimeter and instead verifies anything and everything trying to connect to its systems before granting access.
2) Traditional security models rely on physical or logical network boundaries to define what is trusted, but this is ineffective as users and devices can no longer be trusted once inside these boundaries.
3) The core tenants of Zero Trust include secure all communication, grant least permission, grant access to single resources at a time, make access policies dynamic, collect and use data to improve security, monitor assets, and periodically re-evaluate trust.
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
This Deck, gives you an overview of the zero trust security posture, considerations you should have while looking to adopt that posture, and the advantages of doing so.
This document discusses Zero Trust security and how to implement a Zero Trust network architecture. It begins with an overview of Zero Trust and why it is important given limitations of traditional perimeter-based networks. It then covers the basic components of a Zero Trust network, including an identity provider, device directory, policy evaluation service, and access proxy. The document provides guidance on designing a Zero Trust architecture by starting with questions about users, applications, conditions for access, and corresponding controls. Specific conditions discussed include user/device attributes as well as device health and identity. Benefits of the Zero Trust model include conditional access, preventing lateral movement, and increased productivity.
Securing your cloud perimeter with azure network security brk3185jtaylor707
This document discusses Azure network security features for securing the cloud perimeter and implementing a zero trust architecture. It covers Azure Virtual WAN for connecting and segmenting networks, Azure Firewall for security policy enforcement across distributed networks, and Azure Private Link for private connectivity to PaaS resources without an internet accessible IP address. Other relevant security services mentioned include Azure Web Application Firewall, Azure Bastion for secure RDP/SSH access without a public IP, and Azure DDoS Protection.
Pentest ekiplerinin kullandığı Kali dağıtımı ile Linux dünyasına giriş dökümanıdır. Bu döküman; güvenlik alanına giriş yapmak isteyen insanların Türkçe kaynak problemini gidermeyi amaçlayarak hazırlanmıştır. Bu açık kaynak projesine katkı sağlamak isteyen gönüllü linux kullanıcıları ise bize ulaşabilirler. Yazım hatası, anlam karmaşası, yanlış bilgi veya iyileştirmeler için mehmet.ince@intelrad.com adresine mail atabilirsiniz. İyi çalışmalar.
Understand the concepts of the NIST Zero Trust Architecture (ZTA). We will use a parenting analogy and show how it applies to protecting file as an enterprise resource.
Palo alto networks next generation firewallsCastleforce
The document summarizes Palo Alto Networks next-generation firewalls which can identify applications, users, and content to provide visibility and granular control. This helps address challenges of uncontrolled use of internet applications in enterprises. The firewalls can see through ports and protocols to classify over 900 applications using techniques like App-ID, User-ID, and Content-ID. This gives IT unprecedented control over network activities.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
This Cloud Security tutorial shall first address the question whether Cloud Security is really a concern among companies which are making a move to the cloud. The tutorial also discusses the process of troubleshooting a problem in the cloud. This tutorial is ideal for people who are planning to make a career shift in the cloud industry. Below are the topics covered in this tutorial:
1. Why and What of Cloud Security?
2. Private, Public or Hybrid
3. Is Cloud Security really a concern?
4. How secure should you make your application?
5. Troubleshooting a threat in the Cloud
6. Cloud Security in AWS
Lex Crumpton leads MITRE's defensive ATT&CK efforts. In 2021, they added data sources and detections for monitoring processes interacting with LSASS.exe and detecting credential dumping tools. In 2022, they plan to add more detections and develop the Cyber Analytic Repository to share analytic knowledge. Crumpton invites attendees to learn more about defensive ATT&CK on their website and contact them directly with any other questions.
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation.
Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
This presentation simplifies Cloud, Cloud Security and Cloud Security Certifications. This includes the following:
- Understanding Cloud
- Understanding Cloud Security using the Risk Management and Cloud Security Control Frameworks
- Cloud Security Certifications
- Key Definitions
This advanced technical session covers architecture patterns for different workloads, IAM policy tips & tricks, and how to implement security automation and forensics. Be prepared for a technically deep session on AWS security.
AWS CloudHSM allows customers to leverage dedicated Hardware Security Modules (HSMs) located within AWS data centers. This provides strong protection of encryption keys through physical and logical access controls. While AWS manages the HSM appliances, customers control and manage their own keys. Application performance can also improve through the close proximity of HSMs to workloads running in AWS. Customers have full control over key generation, storage, and use through APIs that integrate with their existing applications.
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
This document discusses how to automate compliance and security on AWS through infrastructure as code. It recommends architecting for compliance upfront by mapping controls to AWS services, creating standardized baselines, and taking advantage of automation tools. It also emphasizes continuous monitoring and validation to maintain compliance.
Amazon Web Services: Overview of Security Processeswhite paper
The document provides an overview of security processes for Amazon Web Services (AWS). It discusses certifications and accreditations AWS has obtained, their physical security measures for data centers, backup procedures for AWS services, and security features for the Amazon Elastic Compute Cloud (EC2) including the hypervisor, firewall configuration, and signed API calls. The goal is to ensure customer data and systems on AWS are kept confidential, intact, and available.
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
1. The document discusses improving data storage security and performance in cloud environments. It proposes a middleware framework that integrates different Infrastructure as a Service (IaaS) storage clouds and relies on a service level manager to split files during upload according to node computing capabilities, encrypt file segments, and decrypt and merge files for download.
2. It analyzes factors affecting the performance of the OpenStack Cinder block storage service, such as the number of API workers and storage driver selection. Distributed and encrypted storage of file segments across nodes based on their capabilities could improve both security and performance.
3. The proposed system authenticates users in OpenStack and uses block encryption of volumes, with keys provided via secure connections, to enhance security of
Privileged Access Management for the Software-Defined NetworkCA Technologies
New extensions to CA Privileged Access Manager significantly expand the ability of the product to protect and defend resources in VMware NSX virtualized network environments. In this session, we’ll examine and demonstrate those capabilities, which take advantage of new technologies and methods made available by the NSX infrastructure, in more detail.
For more information, please visit http://cainc.to/Nv2VOe
This document provides an overview of Amazon Web Services' (AWS) CloudHSM service. It discusses how CloudHSM is tamper-proof and tamper-evident, can be used as a keystore or for document timestamping, and needs to be backed up. It also summarizes how CloudHSM can be integrated with other AWS services like S3, EBS, EC2, Redshift, and RDS. Finally, it briefly discusses auditing capabilities and some common use cases for CloudHSM.
An important use-case for Vault is to provide short lived and least privileged Cloud credentials. In this webinar we will review specifically how Vault's Azure Secrets Engine can provide dynamic Azure credentials. We will cover details on how to configure the Azure Secrets Engine in Vault and use it in an application. If you are using Azure now or in the near future, join us for some patterns on maintaining a high security posture with Vault's dynamic credentials model!
Preparing data for analysis and insights is the foundation of any data-driven exercise. Moving workloads to a PaaS, be it data engineering, analytic database, or data science requires a two step leap of faith - in trusting the public cloud, and then your PaaS vendor. In this webinar we will discuss the architecture of a PaaS solution for data management and understand the nitty gritty details of what exactly this involves with the following:
An exploration of the architecture of Cloudera Altus PaaS - the industry’s first multi-function, multi-cloud data and analytic platform-as-a-service
A dive into use cases and a demo of Altus
The synergy between AWS and Altus to help you securely standardize on a combination of public cloud and data management
3 things to learn:
An exploration of the architecture of Cloudera Altus PaaS - the industry’s first multi-function, multi-cloud data and analytic platform-as-a-service
A dive into use cases and a demo of Altus
The synergy between AWS and Altus to help you securely standardize on a combination of public cloud and data management
Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
How to implement data encryption at rest in compliance with enterprise requir...Steffen Mazanek
This presentation has been given at the #AWS #Community day #2019 in #Hamburg by Steffen Mazanek and Louay Mresheh. Title has been "How to implement data encryption at rest in compliance with enterprise requirements"
Are you a systems integrator (SI), small, or mid-size enterpriser required to secure controlled unclassified Information (CUI) data in order to meet NIST 800-171 security requirements? Learn how to simplify and automate compliance for your government customers. Learn how to architect and document IT workloads to meet NIST 800-171 security requirements in AWS GovCloud (US) – Amazon’s isolated cloud region built for sensitive data and regulated workloads.
The slides present:
· How to use AWS Enterprise Accelerator for Compliance Quick Start tools to accelerate compliance.
· The steps necessary to modify the security control matrix (SCM) for specific customer workloads.
· AWS tools and techniques to make security and compliance easier, while improving the security posture of your system.
In this updated slideshare, Principal Security Engineer, Eric Johnson shows engineers, developers and application security professionals how to start conversations on implementing security into the DevOps workflow.
You’ll learn about:
1) Cloud and DevSecOps Practices
2) Pre-Commit: The Paved Road
3) Commit: CI / CD Security Controls
4) Acceptance: Supply Chain Security
5) Operations: Continuous Security Compliance
For questions, please contact our team at sales [at] pumascan [dot] com.
Thanks for taking time to further your understanding of DevSecOps!
Preparing data for analysis and insights is the foundation of any data-driven exercise. Moving workloads to a PaaS, be it data engineering, analytic database, or data science requires a two step leap of faith - in trusting the public cloud, and then your PaaS vendor. In this webinar we will discuss the architecture of a PaaS solution for data management and understand the nitty gritty details of what exactly this involves with the following:
An exploration of the architecture of Cloudera Altus PaaS - the industry’s first multi-function, multi-cloud data and analytic platform-as-a-service
A dive into use cases and a demo of Altus
The synergy between AWS and Altus to help you securely standardize on a combination of public cloud and data management
3 things to learn:
An exploration of the architecture of Cloudera Altus PaaS - the industry’s first multi-function, multi-cloud data and analytic platform-as-a-service
A dive into use cases and a demo of Altus
The synergy between AWS and Altus to help you securely standardize on a combination of public cloud and data management
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Amazon Web Services
This talk compares AWS CloudHSM to other AWS cryptography services for common use cases. We dive deep on how to build scalable, reliable workloads with CloudHSM, and we cover configuration of the service for performance, error resilience, and cross-region redundancy.
This document discusses Amazon Web Services (AWS) cryptography services and how to use AWS CloudHSM to achieve security goals on AWS. It provides an overview of AWS cryptography services like AWS Key Management Service (AWS KMS) and the AWS Encryption SDK. It then discusses AWS CloudHSM fundamentals like clusters, high availability, and performance optimization. It also covers cross-region redundancy, key management best practices, and the new capabilities for CloudHSM like integration with AWS KMS custom key stores.
The document discusses establishing full stack security when using AWS services. It covers turning security into a shared responsibility between AWS and customers by establishing platform, network, operating system, and data protection security. Some key points include setting up identity and access management (IAM) and enabling detective controls like CloudTrail and CloudWatch. It also discusses establishing network security using VPC, security groups, and flow logs and operating system security using EC2 Systems Manager tools. The goal is to provide security from the ground up and give customers fine-grained control over their infrastructure.
DevFest | Presentation | Final - Imran RoshanImranRoshan5
This document discusses approaches to securing hybrid workloads on Google Cloud Platform (GCP). It begins by outlining basic security controls available on GCP like identity and access management, VPC controls, key management, and monitoring. It then discusses using open source tools like Suricata, ELK Stack, OpenVAS, and OSSEC to provide additional intrusion detection, log analysis, vulnerability scanning, and file integrity monitoring capabilities. The document emphasizes infrastructure hardening, robust configurations, patch management, network segmentation, and incident response strategies. It also covers using BeyondCorp for zero-trust access and Stratozone for security monitoring, detection, and automation.
Similar to Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments (20)
Microsoft's Threat Matrix for Kubernetes helps organizations understand the attack surface a Kubernetes deployment introduces to their environments. This ensures that adequate detections and mitigations are in place. By covering over 40 different attacker techniques, defenders can learn about Kubernetes-specific mitigations and controls to deploy to their environments. In this session, we will explore the MS-TA9013 Host Path Mount technique, which is commonly used by attackers to perform privilege escalation in a Kubernetes cluster. Attendees will learn how attackers and defenders can:
* Escape the container's host volume mount to gain persistence on an underlying node
* Move laterally from the underlying node into the customer's cloud environment
* Analyze Kubernetes audit logs to detect pods deployed with a hostPath mount
* Deploy an admission controller that prevents new pods from using a hostPath mount
Winning in the Dark: Defending Serverless InfrastructurePuma Security, LLC
This technical session examines real world scenarios security professionals will encounter defending Cloud workloads running on Serverless Infrastructure. Attendees will see a series of hands-on attack techniques for extracting credentials from serverless functions, and how to leverage those credentials for data exfiltration.
The session starts with insecure secrets management in Serverless. Live demonstrations will show how a vulnerability in a function can allow attackers to exfiltrate secrets from a configuration file inside the function’s execution environment.
Attendees will then see how to extract credentials from a function’s execution environment, and use those credentials from a remote machine to gain unauthorized access to data.
Next, the session explores the ephemeral execution environment that is supposed to live for a few hundred milliseconds and then disappear. In practice, does that hold true?
Concluding the session, we discuss some defensive techniques for locking down serverless environments, controlling egress traffic, restricting credential access, and querying audit logs.
Attendees will leave with an understanding of the common attacks and practical security controls for defending their Serverless Infrastructure.
Defending Serverless Infrastructure in the Cloud RSAC 2020Puma Security, LLC
Cloud workloads running on Serverless Infrastructure provide near zero visibility to security teams. Can security professionals inventory, scan, and monitor an environment running thousands of functions for only 100 milliseconds? This technical session examines real world attacks and teaches you how to enable security controls to defend your Serverless Infrastructure.
Continuation of the v1 presentation with new slides for the v2 instance metadata service.
Cloud Metadata Services are popular targets for attackers trying to gain direct access to an organization’s cloud resources. The Capital One breach notification published in July put a spotlight on the metadata service and its weaknesses. Using publicly available information from the breach, we will demonstrate how the attacker compromised AWS instance metadata credentials, gained access to privileged resources, and exfiltrated data from the account. The conversation then shifts to a post mortem discussion about cloud security controls that could have prevented or limited the blast radius of the attack.
Cloud Metadata Services are popular targets for attackers trying to gain direct access to an organization’s cloud resources. The Capital One breach notification published in July put a spotlight on the metadata service and its weaknesses. Using publicly available information from the breach, we will demonstrate how the attacker compromised AWS instance metadata credentials, gained access to privileged resources, and exfiltrated data from the account. The conversation then shifts to a post mortem discussion about cloud security controls that could have prevented or limited the blast radius of the attack.
This document outlines 5 key practices for modern security success in DevSecOps: 1) Cloud & DevSecOps practices, 2) Pre-Commit controls like the "paved road" of secure templates, 3) Commit controls through CI/CD pipelines, 4) Acceptance controls for supply chain security, and 5) Operations controls for continuous security compliance. The presentation provides examples for implementing controls at each stage to integrate security practices into the DevSecOps workflow.
Modern development teams are delivering features at a rapid pace using modern technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams are supporting these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and cloud automation. Yet, most security teams are still using traditional security approaches and can't keep up with the rate of accelerated change.
Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines. In this talk, attendees will take a journey through the DevSecOps Toolchain broken down into the key phases: pre-commit, commit, acceptance, production, and operations. We will explore the pre-commit and commit phases in-depth, identifying security controls, open source tools, and how to integrate these tools into a pipeline. Attendees will walk away with a practical approach for weaponizing the toolchain and building a successful DevSecOps program.
DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.
In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve their security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into DevSecOps. Live demonstrations will show how to identify vulnerabilities pre-commit inside the Visual Studio development environment, and how to enforce security unit tests and static analysis in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps, and an open source .NET static analysis engine to help secure your organization’s applications.
Continuous Integration - Live Static Analysis with Puma ScanPuma Security, LLC
Puma Scan is a software security Visual Studio analyzer extension providing real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.