Getting Your IT Security Learners Ready for the Cloud with CCSK Certification (ITpreneurs)
The Certificate of Cloud Security Knowledge (CCSK) has become an important certification and opens a new area of opportunity for training and consulting companies. As cloud computing is adopted globally, a key need is the proper implementation of cloud services with the appropriate security controls.
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
Cloud is not an option, but is security? (Jody Keyser)
A "cloudless" computing environment in your enterprise is not an option, given the coming wave of the Cloud. Cloud security, of course, is an option. Spend an hour with one of the industry's top cloud security consultants, Graham Silver.
Webinar / Discussion / Q&A
AGENDA:
- Common understanding of Cloud
- Look at Cloud Computing Trends
- Examine Cloud Security Concerns
- Introduce Cloud Life Cycle
- Cloud Security Assessment
"Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
It is a sub-domain of computer security, network security, and, more broadly, information security." By Ambrish Gangal
Infrastructure Security by Sivamurthy Hiremath (ClubHack)
With the development of technology, the interdependence of various infrastructures has increased, which has also increased their vulnerability. The security of the National Information Infrastructure concerns the nation's stability and economic security. So far, research in Internet security has focused primarily on securing the information rather than securing the infrastructure itself.
Given the pervasive and ubiquitous nature of the Internet and the growing concern about cyber attacks, immediate solutions for securing the Internet infrastructure are needed. In the prevailing threat situation there is a compelling need to develop redesigned hardware architectures, algorithms and protocols to realize a dependable Internet infrastructure. The first and foremost step toward that goal is a comprehensive understanding of the security threats and the existing solutions. This talk takes that step by classifying infrastructure attacks into four main categories: DNS hacking, routing table poisoning, packet mistreatment and denial-of-service attacks. It discusses the existing infrastructure solutions for each of these categories and outlines a methodology for developing a secured national infrastructure.
Trust based Mechanism for Secure Cloud Computing Environment: A Survey (inventionjournals)
Ubiquitous computing has revolutionized the interaction of humans and machines. Cloud computing is mainly used for storing data and for various computational purposes, and it has changed the way the internet is used. But, as with every technology, there are pros and cons. Securing the cloud environment is the most challenging issue for researchers and developers. The main aspects cloud security should cover are authentication, authorization, data protection, etc. Establishing trust between users and cloud service providers (CSPs) is the biggest challenge in any discussion of cloud security. Trust is a critical factor which depends mainly on the perception of reputation and on self-assessment by both the user and the CSP. A trust model can act as a security strength evaluator and ranking service for cloud applications and services. For establishing a trust relationship between two parties, a mutual trust mechanism is more reliable, as it performs verification from both sides. Many existing trust models focus on securing only one party, i.e., they validate either the user or the service node. This survey paper studies the various trust models and their parameters.
Cloud computing security issues: what is cloud computing, cloud clients, disadvantages of clouds, security issues, value of data, threat model and solutions.
Sections:
Introduction
Cloud Computing background
Securing the Cloud
Virtualization
Mobile Cloud Computing
User safety & energy consumption
Author’s proposal
Conclusion
In order for cloud computing to be adopted by users and enterprises, the security concerns of users must be addressed by making the cloud environment trustworthy, as discussed by Latif et al. in their assessment of cloud computing risks [2].
We address the questions related to:
(1) security concerns and threats over general cloud computing,
(2) the solutions for these problems and
(3) mobile users' safety in convergence with energy consumption.
Migrating Critical Applications to the Cloud - isaca seattle - sanitized (UnifyCloud)
The magnitude of the migration effort to the Cloud, the complexity of both customized apps and Cloud environments, and the requirement for ongoing app-level monitoring suggests the need for what Gartner calls a “programmable security infrastructure capable of supporting security policy ‘toolchains’.”
Cloud Security for small and medium enterprises (SME) (Fabio Cerullo)
Learn the important security risks and opportunities SMEs should take into account when procuring a cloud service, together with a list of security recommendations SMEs can use to understand the security features of the cloud services on the market.
Learning objectives:
1. Identify 11 important security risks and 11 important security opportunities SMEs should take into account.
2. Utilise a list of 12 security questions SMEs can use to understand the security features of cloud services in the market.
3. Learn how to use these tools when evaluating cloud providers.
ISACA Journal Publication - Does your Cloud have a Secure Lining? (Shah Sheikh)
ISACA Journal Publication Volume 5 written by Shah Sheikh - published in Q4 2013. Based on the Cloud Security Alliance Framework whitepaper titled "Does your Cloud have a Secure Lining?"
Social engineering 101 or The Art of How You Got Owned by That Random Stranger (Steven Hatfield)
This talk covers the basics of social engineering, the attack vectors that have worked (with real-world examples from friends currently conducting such tests), sources for gathering more information on the topic, and ways to prevent such attacks in the future.
Digital revolution with Cloud computing (Tarry Singh)
The digital revolution is upon us. Cloud has become increasingly mature; social has taken over our lives by storm, whether Twitter, Facebook, LinkedIn or just about anything in our personal or private lives. The mobile / smartphone is almost literally wearable tech in our pockets, and more is coming. And finally, with big data and analytics (structured and unstructured), we are at the brink of defining our new lives as "fully informed consumers". IoT (Internet of Things) is the next big platform, a marketplace where all things will happen. Yes, all of the things!
This presentation was given at a conference in Malaysia in 2009 and it still holds true!
Slides for the talk by Prof Christopher Millard on "Cloud computing: identifying and managing legal risks" at Google's Oxford Internet Institute Learned Lunches, Brussels, February 2011
Digital Transformation and Innovation on http://denreymer.com
- Merging the Real World and the Virtual World
- Intelligence Everywhere
- The New IT Reality Emerges
http://www.gartner.com//it/content/2940400/2940420/january_15_top_10_technology_trends_2015_dcearley.pdf
2014 Managing Cloud: A New Multidisciplinary Paradigm for Policymakers (accacloud)
The core problems around cloud, telco and other providers who need to transfer data across borders are how to ensure compliance with an alphabet soup of general and sector-specific laws and regulations, and codes of practice, and legal judgements, and legal and procedural uncertainties, that differ in their details across so many jurisdictions.
Exploring Leadership in Third Industrial Revolution Teigland (Robin Teigland)
My presentation at the "Leadership in Complex Organizations" workshop in Oslo, Nov 2013, organized by NHH Focus: http://www.nhh.no/no/forskning-og-fagmilj%C3%B8/handlingsprogrammet-nhh-2021/nhh-2021/focus.aspx
mindtrek2016 - the economics of open source clouds (Carlo Daffara)
When is public cloud better than the alternatives? What are the real economics of cloud computing? From my presentation at Mindtrek 2016 in Tampere, Finland
Scalable cloud governance, risk management and compliance (Peter HJ van Eijk)
Cloud consumers are primarily worried about security. If you are a cloud provider or cloud broker, learn how to improve your trustworthiness to your customers efficiently and scalably, by integrating governance, risk management and compliance.
Web performance is good, understanding performance is better.
What you need to understand in order to be able to have IT systems that perform well at a reasonable cost.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Ohm2013 cloud security 101 slideshare
1. Cloud Security 101
presented at OHM2013
“what would General Eisenhower say about PRISM”
Dr. Peter HJ van Eijk
@petersgriddle
2. Cloud Security: an oxymoron?
The knee-jerk reaction of a lot of people when they first hear about cloud is:
– "The PATRIOT act/PRISM allows the US government/YFTLA* to see everything that (I do/everything my company does) on the internet"
– "Therefore, the cloud is evil"
– "Besides: cloud computing is marketing hype."
Is YFTLA ruining your internet?
Whose internet is it anyway?
*) Your favorite three letter agency
3. This talk’s roadmap
• Who am I? Who are you?
• Security and power in a historical context
• The Cloud: hype or reality?
• Basic cloud security concepts and methods
• Wrap up
4. Who am I?
• One of the world's most experienced independent cloud trainers.
• Developing and delivering cloud training such as CCSK, Cloud Essentials and Cloud Governance worldwide.
• Work history: University of Twente, AT&T Bell Labs 07974, EDS, Eunet, Deloitte, independent
• See www.clubcloudcomputing.com for more information and https://ohm2013.org/wiki/User:Petersgriddle
5. Who are you at OHM2013?
• You are probably professionally involved in IT or IT security
• You might work at or for corporate IT or with cloud providers
• Or maybe for a three-letter agency
• You might be a senior developer, sysadmin, risk manager, consultant or auditor
7. Dwight D. Eisenhower
• 5-star general US army
• Supreme commander of Allied Forces in Europe WW2.
• Responsible for D-day 'the longest day' invasion of Normandy June 1944
• 1st Supreme Allied Commander Europe (NATO)
• 34th president of the USA (1953-1961)
• Instituted NASA and DARPA
8. Dwight D Eisenhower warns in 1961
• On January 17, 1961, Eisenhower gave his final televised Address to the Nation from the Oval Office. In his farewell speech, Eisenhower raised the issue of the Cold War and the role of the U.S. armed forces. He described the Cold War: "We face a hostile ideology global in scope, atheistic in character, ruthless in purpose and insidious in method ..." and warned about what he saw as unjustified government spending proposals and continued with a warning that "we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military–industrial complex." He said, "we recognize the imperative need for this development ... the potential for the disastrous rise of misplaced power exists and will persist ... Only an alert and knowledgeable citizenry can compel the proper meshing of the huge industrial and military machinery of defense with our peaceful methods and goals, so that security and liberty may prosper together."
2013 update: g/the Cold War/s//Terrorism/
9. “we must guard against the
acquisition of unwarranted
influence, whether sought or
unsought, by the
military–industrial complex”
10. DARPA: Defense Advanced Research
Projects Agency
• Part of the military-industrial complex
• Established 1958 under Eisenhower
• Funds a significant part of all US Information
Technology research.
• Set up ARPAnet in 1969, which we now know as
the Internet
• Arguably the most important founding
(grand)father of “the cloud”
11. Who is who?
• The internet is a product of the military-industrial
complex.
• Who is part of this complex?
– HP, Cisco, AT&T, IBM, Microsoft, most US universities
and research agencies, etc.
– Most of Silicon Valley
– The security industry ….
• That includes you, probably.
12. Whose side are you on?
• Friend or Foe?
• Black hat or white hat?
• Cat or mouse?
• Inventor or user?
• You decide …
13. Personal opinion and story
• I believe there is a role for regulation and
governments in the way we collectively handle
data.
• I don’t believe that uncontrolled access to
data is healthy, neither by governments nor by
other organizations
• “A car with your name on it is used for an
armed robbery” <- this and similar things have
happened to me.
14. WHAT IS CLOUD COMPUTING AND
WHY ARE PEOPLE USING IT?
15. Cloud computing is a type of IT outsourcing
See NIST definitions on http://www.nist.gov/itl/cloud/
NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources […]. This cloud model promotes availability and is composed of five essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service (pay as you go)
Colloquial: Your data on somebody else’s hard disk.
22. Platform as a Service: e.g. social media integration
Web API / PaaS connection
GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=petersgriddle
23. Who is hosting my website, really?
Integration happens client side.
In November 2010, 30% of web transactions used an Amazon EC2 object (source: Gomez 2010).
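The slide's point is that the host in the address bar is only one of the hosts a visitor's browser talks to: scripts, images, frames and stylesheets are fetched from third parties, and each of them is part of your site's attack surface and availability chain. The following is an added example, not code from the deck: it parses a page and lists every host the browser would contact, split into first-party and third-party. The sample page is constructed; the host names in it are illustrative only.

```python
"""Enumerate the hosts a browser contacts when it renders a page.

Added example (not from the OHM2013 deck). It walks the HTML for the
attributes that trigger a fetch and groups the resulting URLs by host,
then separates the page's own host from third parties. The sample page
at the bottom is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches automatically.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),
}


class HostCollector(HTMLParser):
    """Collects absolute URLs of every auto-fetched resource in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Resolve relative and protocol-relative ("//host/...") URLs.
                self.urls.append(urljoin(self.page_url, value.strip()))


def referenced_hosts(page_url, html):
    """Return {host: [urls]} for every network host the browser would hit."""
    parser = HostCollector(page_url)
    parser.feed(html)
    hosts = {}
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, mailto: do not contact a host
        hosts.setdefault(parts.hostname.lower(), []).append(url)
    return hosts


def third_party_hosts(page_url, html):
    """Sorted hosts that are neither the page's host nor a subdomain of it."""
    own = urlsplit(page_url).hostname.lower()
    return sorted(h for h in referenced_hosts(page_url, html)
                  if h != own and not h.endswith("." + own))


# Constructed sample page: two first-party resources, four third parties,
# one data: URL and one plain link (which the browser does not prefetch).
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js"></script>
<script src="//platform.twitter.com/widgets.js"></script>
</head><body>
<img src="https://farm6.staticflickr.com/5000/photo.jpg">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
<script src="/js/app.js"></script>
<a href="https://example.org/">not a fetch</a>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_hosts("https://www.example.com/", SAMPLE_PAGE):
        print(host)
```

Run against a real page (fetch the HTML yourself and pass it in) the list is the set of parties whose compromise or outage becomes your problem; each script host in particular can execute code in your visitors' browsers.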
24. Companies are flocking to the cloud
because of the business benefits
they experience or expect
25. Business benefit
Generic IT outsourcing benefits +
• Collaboration
• Speed of deployment
• Fast scale up and down
• Low initial cost
• Low capital cost
• Easier integration
• Wider user base
• …
(mapped on the slide to the five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service)
26. IT is outgrowing the capability of
organizations to manage IT
• IT is still one of the fastest growing and innovative
technologies, 50 years and counting
• From 1:20 to 1:1000 productivity.
– i.e. the number of servers, workplaces or network connections one administrator can manage
• Do you think that Joe R. SME can run secure IT in
his closet? Really. What are you smoking?
27. It is ‘cloud’ when the consumer
experiences it as ‘cloud’.
28. The cloud is *BIG*.
Amazon, Google and Microsoft have
200K-2M+ servers, each.
(conservatively)
Akamai runs 10-20% of total
Internet traffic.
29. Disruptive Innovations
Characteristics
• Much cheaper
• Not as good (initially)
• Rapidly improving
• Eventually drives original
out of the market
• Addresses ‘over served’
clients
Examples
• Mass manufacturing
• PC
• Internet
• Wikipedia
• Cloud Computing
https://en.wikipedia.org/wiki/Disruptive_innovation
30. [Figure: Dutch Olympic committee website; editorial content and ‘social’ content hosted at Flickr, Twitter and YouTube. Benefits: up to date content, lower cost]
31. Dutch Olympic committee website
• Challenge: The Dutch Olympic committee had a
traditionally hosted website for the Beijing games
in 2008, running up a bill of more than 150,000
euro.
• Approach: For the Vancouver games they totally
changed the concept. The website became a single
page, hosted in the cloud. This page then pulls in
social media content that is hashtagged #os2010.
• It is displayed on two panes. The top
one, whitelisted by author name, is the editorial
content. The rest is social media content. Run cost
for the new website: a few hundred euro per
month.
32. Oxfam: flexible capacity
• Type of organization: charity, relief aid
• # IT staff: ~200
• Challenge: inconsistent infrastructure, no scalability for
seasonal or exceptional (i.e. natural disasters) demand
patterns
• Approach: IBM private cloud (IaaS)
• http://www.businesscloudnews.com/applications/789-
oxfam-cio-cloud-is-a-philosophical-challenge.html
33. KLM: dispersed workforce
• Type of organization: Airline
• Challenge: dispersed workforce, multilingual,
multiple devices to work on
• Solution: SaaS. Google Apps Premier Edition
for more than 10,000 crew members
• http://googleenterprise.blogspot.nl/2010/02/f
lying-into-cloud.html
34. Canadian Pacific: flexible deployment
• Type of organization: Railroad
• Challenge
– “…lead times to get new infrastructure for
development, for test, for experimentation purposes as
well as production purposes,” said Stuart
Charlton, executive IT advisor at CP.
• Approach: IaaS private cloud plus Amazon;
– IBM WebSphere eXtreme Scale for developing distributed
software
• http://www.itworldcanada.com/news/canadian-pacific-gets-
agile-with-hybrid-cloud/145408
35. Commonwealth of Virginia:
Community SaaS
• Type of organization: Public Government
• Challenge: procurement process spread over 171
agencies, most having their own IT systems, controlling
$3B procurement
• Approach: Community SaaS procurement system
(Ariba)
• http://cloud2slg.techamericafoundation.org/wp-content/uploads/group-documents/3/1328666319-Final2_Commonwealth_of_VA_ProcurementCaseStudy.pdf
37. Cloud is the same, but different
• Like Websites/web technology
– Technical risk
• but different
– Scalability and elasticity much higher
• Like outsourcing
– Third party risk
• but different
– Speed of control and failure is much higher
– Chains of providers
– More sharing
• Virtualization
– But taken to much higher levels of automation
38. Cloud computing implies
massive sharing and scaling
Consolidation risk
– Performance
– Capacity management
– Multi-tenancy leakage
– More ‘collateral damage’ of legal action
– Bigger impact of failures
– More interesting target for cybercrime
You cannot manage this risk on a yearly or even
monthly basis
See Animoto autoscaling (next slide)
39. Animoto, EC2 and RightScale
[Chart: number of servers, 13 to 20 April 2008; launch of Facebook modification; peak of 4,700 instances]
Using RightScale, Animoto automatically scaled to handle a dramatic load to their application.
Inside scoop at http://blog.rightscale.com/2008/04/23/animoto-facebook-scale-up/
40. Cloud Computing differs from
traditional outsourcing
• Contracts much more flexible/volatile
• More sharing of resources across customers
• Little influence from customer
• More players and layers involved
• More legal implications
41. Cloud brings new technology
• Multitenancy
– VMs, storage, databases, application code
• Federated Identity Management
– OpenID, OAuth, SAML
This tends to be a tough challenge for
• Software publishers moving to a SaaS model and
• Hosting companies moving to an IaaS model
42. Compliance is harder in the cloud
• More moving parts
• More regulation
– E-DPD, PCI-DSS, HIPAA, SOX, e-discovery, net neutrality, privacy,
etc, etc, etc
• More risk exposure
– The world is our playfield
– Cybercrime
– TLAs
43. Cloud Security Alliance
The Cloud Security Alliance (CSA) is an industry
consortium, volunteer based, open.
• Sample products
– CCSK (Certificate of Cloud Security Knowledge)
• CSA guidance, ENISA study
– Cloud Controls Matrix
– STAR registry
• Disclosure: I am a certified CCSK trainer, and
Dutch chapter board member.
Similar/complementary efforts underway at
ISO, ISACA, etc.
44. CCSK Course Structure
1 Intro to Cloud Computing
•NIST definitions:
•Essential characteristics
•Service models
•Deployment models
2 Infrastructure Security
for Cloud
•Securing base infrastructure
•Management plane security
•Securing Virtual Hosts and
Networks
•IaaS, PaaS, SaaS security
3 Managing Cloud
Security and Risk
•Risk and Governance
•Legal and Compliance
•Audit
•Portability and
interoperability
•Incident response and more
4 Data Security for Cloud
•Cloud Data Architectures
•Data Security Lifecycle
•Information Governance
•Data security and
Encryption
•Data Loss prevention
5 Securing Cloud
Applications and Users
•Application Security
•Identity and Access
management
6 Selecting Cloud Services
•What to look for in a cloud
provider
•Security as a Service
45. Infrastructure security
• No longer sufficient
• Still required, with additional surface to
protect (hypervisor, management plane)
• More opportunity for fine grained and elastic
controls, especially through automation
46. Data security
• A blanket (perimeter) approach to data
security fails
• The data that matters to you might not be in
your datacenter to begin with
• Lifecycle model allows more precise controls
to be applied
• Encryption can be applied on multiple levels.
47. Application security
• Web security++ (OWASP on steroids)
• Application lifecycle model allows more fine-
grained controls to be applied
48. User security
• Federated ID-management allows decoupling
of Identity Providers and Relying Parties
• Can reduce the need for credential sprawl and
leakage
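Slide 41 lists OpenID, OAuth and SAML as the new technology, and slide 48 gives the security reason for them: the Relying Party never holds the user's credentials, it only checks an assertion from an Identity Provider it trusts. The block below is an added example, not code from the deck and not any real SAML, OpenID or OAuth library; it keeps the shape those protocols share (issuer, subject, audience, expiry, signature) and shows the four checks a Relying Party must do. The issuer and audience names and the shared HMAC key are assumptions for illustration; real deployments verify with the IdP's public key rather than a shared secret.

```python
"""Federated login in miniature: an Identity Provider (IdP) issues a signed
assertion, a Relying Party (RP) verifies it and never sees a password.

Added example for slides 41 and 48 of the OHM2013 deck; it is not a real
SAML, OpenID or OAuth implementation. Names and the shared HMAC key are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates the user (out of scope here) and issues assertions."""

    def __init__(self, issuer, keys_by_audience):
        self.issuer = issuer
        self.keys = keys_by_audience  # audience -> HMAC key (assumed shared)

    def issue(self, subject, audience, ttl=300, now=None):
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.keys[audience], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class RelyingParty:
    """Accepts identities from trusted IdPs instead of storing credentials."""

    def __init__(self, audience, keys_by_issuer):
        self.audience = audience
        self.keys = keys_by_issuer  # issuer -> HMAC key for that IdP

    def verify(self, assertion, now=None):
        """Return the subject if the assertion is acceptable, else raise."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = assertion.split(".")
            claims = json.loads(_unb64(body))
            raw_sig = _unb64(sig)
            if not isinstance(claims, dict):
                raise ValueError
        except ValueError:
            raise ValueError("malformed assertion")
        # 1. Is the issuer one we trust? Otherwise the signature is meaningless.
        key = self.keys.get(claims.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        # 2. Signature check, before trusting any other claim (constant-time compare).
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, raw_sig):
            raise ValueError("bad signature")
        # 3. Audience: a valid assertion for another RP must not log in here.
        if claims.get("aud") != self.audience:
            raise ValueError("assertion not meant for this relying party")
        # 4. Expiry: assertions are short-lived to limit replay.
        if claims.get("exp", 0) <= now:
            raise ValueError("assertion expired")
        return claims["sub"]


def demo():
    """Happy path plus three rejections; returns a dict of outcomes."""
    key = b"constructed-shared-secret"  # hypothetical key
    idp = IdentityProvider("https://idp.example",
                           {"https://app.example": key, "https://other.example": key})
    rp = RelyingParty("https://app.example", {"https://idp.example": key})
    rogue = IdentityProvider("https://idp.example", {"https://app.example": b"wrong-key"})
    cases = {
        "ok": (idp.issue("alice", "https://app.example", now=1000), 1100),
        "expired": (idp.issue("alice", "https://app.example", now=1000), 2000),
        "wrong_audience": (idp.issue("alice", "https://other.example", now=1000), 1100),
        "forged": (rogue.issue("alice", "https://app.example", now=1000), 1100),
    }
    results = {}
    for name, (token, at) in cases.items():
        try:
            results[name] = rp.verify(token, now=at)
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the signature is verified before any claim is acted on, and the audience check is what stops a token legitimately issued for one SaaS application from being replayed against another one that trusts the same IdP.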
49. Security as a Service
• The cloud can be a source of security solutions
• E.g. spam filtering, web filtering, management
dashboards, DDoS protection.
51. How does professional security and
risk management work?
• Risk based: professional risk management
prioritizes the most important risks
– No superfluous or useless measures and controls
• Professional risk management incorporates audit
and compliance obligations
– Anchor in operational process, instead of running a
troublesome project for each audit
• Professional risk management is repeatable and
scalable
– Champagne? Really? Did you expect the audit to be a
one time effort?
52. Control frameworks
• Cloud security alliance: Cloud Control Matrix
• ISACA: COBIT, mostly cost/value based
• ISO: ISO 27001 Information Security
Management Systems
• CloudControls.org: Dutch initiative
(CloudVPS, KPMG)
• ISO: ISO 20000 Not security but relevant as a
service management and governance
framework
53. Cloud Security Alliance
Cloud Control Matrix
• CSA: dominant industry coalition
• Cloud Controls Matrix version 1.3
– soon to be v3.0
• CCM features:
– 11 control areas, 98 controls
– Selectable by S-P-I, Provider/Tenant
– Cross referenced to COBIT, ISO, HIPAA, PCI-DSS
etc.
54. New controls
• 3rd and 4th party management
• Contracts
• SLA
• Identity and Access Management (IAM)
• Escrow
55. The future of cloud GRC
• Collaborative effort between provider and
consumer
• Continuous audit
• As automated as possible
• Integrated GRC: risk management in the
widest sense of the word drives governance
– Compliance is a collateral benefit
– Maturity level of organization rises
56. Cloud compliance in real-time
CCM (Cloud Controls Matrix), CAIQ (Consensus Assessments Initiative Questionnaire), CloudAudit and CTP (Cloud Trust Protocol) are products maintained by the CSA (Cloud Security Alliance).
GRC stack component: example element
– CCM CO-02: Independent reviews and assessments shall be performed at least annually […]
– CAIQ CO-02.3: Do you conduct regular application penetration tests of your cloud infrastructure as prescribed by industry best practices and guidance?
– CloudAudit: http://mycloudprovider.com/cloudaudit/org/cloudsecurityalliance/guidance/CO-02
– CTP: "It is 11 pm, do you know in which geography your virtual machines are running?"
58. Sample Questions to Vendors
Compliance - Independent Audits (CO-02)
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their request?
CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance - Classification (DG-02)
DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
DG-02c - Do you have a capability to use system geographic location as an authentication factor?
DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
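DG-02a, DG-02b and DG-02e ask whether a provider can enforce geography through tags, and the CTP question on slide 56 asks whether you can tell, right now, where your virtual machines run. The block below is an added example, not code from the deck or from the CSA, of what such a control looks like on the provider side: tenants declare acceptable countries per data classification, hosts carry a location tag, the scheduler refuses non-compliant placements, and the same check is re-run continuously over running VMs. Tenant, classification and host names are constructed, and the `attested` flag stands in for a hardware-backed (TPM/TXT style) location tag; it is an assumption, not a real provider API.

```python
"""Geography-aware placement policy for VMs and their data.

Added example (not from the OHM2013 deck, not CSA code). Implements the
control behind CAIQ DG-02 and answers the CTP question "in which
geography are my VMs running?" as a continuous audit. All names and the
'attested' flag are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    country: str            # ISO 3166-1 alpha-2 code from the placement tag
    attested: bool = False  # True if the location tag is hardware-attested


@dataclass
class TenantPolicy:
    tenant: str
    allowed: dict  # data classification -> set of permitted countries
    # Classifications that must only run on hosts with attested location tags.
    require_attested: set = field(default_factory=set)


def placement_allowed(policy, classification, host):
    """Return (ok, reason). Unknown classifications are denied by default."""
    countries = policy.allowed.get(classification)
    if countries is None:
        return False, f"no policy for classification {classification!r}: default deny"
    if host.country not in countries:
        return False, f"{host.name} is in {host.country}, allowed: {sorted(countries)}"
    if classification in policy.require_attested and not host.attested:
        return False, f"{host.name} location tag is not hardware-attested"
    return True, "ok"


def schedule(policy, classification, candidates):
    """Pick the first candidate host the policy permits, or None."""
    for host in candidates:
        ok, _ = placement_allowed(policy, classification, host)
        if ok:
            return host
    return None


def audit_running(policy, running):
    """Re-check live placements against the policy.

    running: list of (vm_name, classification, host). Returns
    [(vm_name, reason)] for each violation. Hosts get re-tagged and VMs
    get migrated after scheduling, so this has to run continuously rather
    than once at deployment time.
    """
    violations = []
    for vm_name, classification, host in running:
        ok, reason = placement_allowed(policy, classification, host)
        if not ok:
            violations.append((vm_name, reason))
    return violations


# Constructed sample: three hosts and a tenant that keeps personal data in the EU.
HOSTS = [
    Host("h-fra-1", "DE", attested=True),
    Host("h-ams-2", "NL"),
    Host("h-ash-3", "US", attested=True),
]
POLICY = TenantPolicy(
    tenant="tenant-a",
    allowed={
        "public": {"DE", "NL", "US"},
        "personal-data": {"DE", "NL"},
        "restricted": {"NL"},
    },
    require_attested={"restricted"},
)
# db-1 holds personal data but sits on a US host, e.g. after a live migration.
RUNNING = [
    ("web-1", "public", HOSTS[2]),
    ("db-1", "personal-data", HOSTS[2]),
    ("db-2", "personal-data", HOSTS[0]),
]

if __name__ == "__main__":
    print("personal-data ->", schedule(POLICY, "personal-data", HOSTS))
    print("restricted    ->", schedule(POLICY, "restricted", HOSTS))
    for vm, reason in audit_running(POLICY, RUNNING):
        print("VIOLATION", vm, reason)
```

Two design points: an unknown classification is denied rather than allowed, so a missing tag cannot silently place data anywhere, and the "restricted" class finds no host at all because the only NL host cannot prove its location; refusing to schedule is the correct outcome there.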
59. CSA STAR
Security, Trust and Assurance Registry (STAR)
• Cloud Security Alliance initiative
• An online clearinghouse where cloud providers can submit documentation detailing their security controls for review by potential customers, indexed by CAIQ reference
• 22 participating providers, including Amazon Web Services, Microsoft Azure.
• https://cloudsecurityalliance.org/star/
60. Patriot act !?
• In the context of cloud computing, the Patriot act hardly adds anything to the power that the US federal government already has in accessing digital assets worldwide.
• Other governments have similar, or even more extensive, powers.
• Competitive advantage based on not having infrastructure on US territory is speculative, at best.
The Sting, Paul Newman to Robert Redford: “If this goes wrong, the Feds will be the least of our problems.”
63. • It is a new world out there, and it has only just
begun
• Cloud computing is inevitable
• New security issues *and* controls exist
• You can be an ‘alert and knowledgeable
citizen’ and ‘security and liberty may prosper
together.’
• If you apply your own moral compass
Speaker notes:
Next slides explain the characteristics. Motivation: not to win the debate on who is the most pure cloud provider, but to explain why without these essential characteristics the model provides no, or only very limited, business value, hence the case / ROI will fail. Push out to other NIST slides, if asked for (breakout deck).
Illustrate: process optimized, lower cost, time to market, but automation (cost) only possible by having sufficient scale. Also: the trend to do with less and less personal interaction for lower valued products.
The obvious, but add the Intel trends.
Explain why ALL resources in cloud must be pooled.
Scale up but also: scale down. Explain (story) why providers with short term contracts are more successful. Explain why many private clouds (financed pool, just a few servers with VMware, limited in upper size) are not clouds.
Explain the pay per use model. Explain why this requires metering and rating. Compare to telco industry. Explain why clouds with fixed price do not bring the business benefits to the user.
Number of hosts accessed directly by the browser, per user transaction, averaged across 3,000 companies.
Reiterate some other drivers.
Explain why this is a disruptive innovation, mention drivers. Made possible by Gartner curve starting in 2000, internet. Add virtualization and other technology push. Add economy of scale, see Microsoft doc “The Economics of the Cloud”. Add Nicholas Carr, 2007. Add Intel trends.
Todo: move the cases to the breakout deck, select depending on type of participant and their markets.
Explain why private cloud is in fact a dedicated pool. All characteristics must apply. Explain the risk of a fixed, dedicated pool. Expand on the perceived risks by customers (reason why they elect a private cloud), true risks and the trade offs.