AWS provides certifications and reports on standards like ISO 27001, SOC 1/2/3,
PCI DSS, HIPAA, FISMA. AWS performs regular internal/external audits and penetration
tests by 3rd parties and publishes results in the reports. AWS also offers penetration testing
services for customer applications and networks through AWS Security services.
AWS provides ability to logically isolate and encrypt customer data using services like S3, EBS,
EFS, RDS, Redshift. AWS also offers data backup, recovery and deletion capabilities through
services like S3 Versioning, EBS Snapshots, Database Snapshots etc.
How to Add Advanced Threat Defense to Your EMMSkycure
View recorded webinar here: http://hubs.ly/y0SRV90
In this webinar presentation we discuss how to:
- Stop mobile attacks before they make it to the enterprise by leveraging crowd wisdom
- Dynamically enforce BYOD, security and compliance policies based on actively detected threats
- Leverage risk-based enterprise mobility management to detect and protect against corporate espionage via infiltrated mobile devices
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
This paper covers security issues that a security analyst may look for during vulnerability assessment and penetration testing on case–by-case basis. Issues covered in the paper are generic and can be considered across all the mobile platforms.
The 1st Step to Zero Trust: Asset Management for Cybersecuritynathan-axonius
Eight years after former Forrester analyst John Kindervag introduced the Zero Trust model, the concept has hit the mainstream. As current Forrester analyst Chase Cunningham says, 85% of his calls involve zero trust. With the amount of interest in the concept, many organizations are rushing to understand how to implement the zero-trust model. In this guide, we’ll look at the first step to implementing zero trust: asset management.
How to Add Advanced Threat Defense to Your EMMSkycure
View recorded webinar here: http://hubs.ly/y0SRV90
In this webinar presentation we discuss how to:
- Stop mobile attacks before they make it to the enterprise by leveraging crowd wisdom
- Dynamically enforce BYOD, security and compliance policies based on actively detected threats
- Leverage risk-based enterprise mobility management to detect and protect against corporate espionage via infiltrated mobile devices
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
This paper covers security issues that a security analyst may look for during vulnerability assessment and penetration testing on case–by-case basis. Issues covered in the paper are generic and can be considered across all the mobile platforms.
The 1st Step to Zero Trust: Asset Management for Cybersecuritynathan-axonius
Eight years after former Forrester analyst John Kindervag introduced the Zero Trust model, the concept has hit the mainstream. As current Forrester analyst Chase Cunningham says, 85% of his calls involve zero trust. With the amount of interest in the concept, many organizations are rushing to understand how to implement the zero-trust model. In this guide, we’ll look at the first step to implementing zero trust: asset management.
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceIvanti
Join Ivanti cybersecurity experts as they share best practices for implementing an effective zero trust security strategy at the user, device and network-access levels to ensure the optimal security posture for your organization. Learn how you can implement a multi-tiered approach to mobile phishing protection to best protect against data breaches.
Defend your Everywhere Workplace through adaptive zero trust security and adapt to modern threats faster and experience better outcomes.
View recorded webinar - http://get.skycure.com/accessibility-clickjacking-webinar
Accessibility Clickjacking, a vulnerability discovered by Skycure’s Mobile Threat Defense Research Team, is a method hackers may use to gain complete control over an Android device, including acquiring elevated privileges and exposing the content of all apps on the device.
It can compromise container solutions and is extremely difficult to detect.
C0c0n 2011 mobile security presentation v1.2Santosh Satam
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggest otherwise.
One of the key challenges in mobile security is the diverse platforms and multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform whether it is iOS, Android, Blackberry, Windows Mobile, Symbian etc. is unique and requires a specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the Enterprise using policy files and other technology solutions, We will also outline best practices for business users and road warriors, on how to ensure your company data is protected while still continuing to enjoy the flexibility provided by mobile phones.
How to Predict, Detect and Protect Against Mobile Cyber AttacksSkycure
Watch webinar recording: http://hubs.ly/H01l56L0
Join Brian Katz, director of mobile strategy at VMware, and Varun Kohli, vice president at Skycure, discuss how to:
- Get visibility into ALL mobile threats, vulnerabilities and attacks impacting your organization today
- Integrate Skycure with AirWatch to predict, detect, and protect against mobile cyber attacks
- Stop attacks before they make it to the enterprise by profiling good and bad device, app and user behaviors by leveraging crowd wisdom
The Future of Mobile Application SecuritySecureAuth
The rapid adoption of mobile technology in recent years has created an opportunity for enterprises to increase the productivity and flexibility of their organizations. This demand for greater mobility has forced enterprises to deliver sensitive applications and data across a wide array of devices and networks.
SecureAuth and Sencha have created an integrated approach to application, data, and user mobility that elegantly addresses these challenges.
-Secure enterprise application deployment
-End-to-end data security with strong encryption
-Managed application container that works on any device
-Developer SDK for creating rich application user experiences
The Zero Trust Model of Information Security Tripwire
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust and verify approach to information security, but that’s not working as threats from malicious insiders represent the most risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it’s not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools using for security testing?
- How to integrate into existing processes?
- What additionally you can do?
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
Security as a Service with Microsoft Presented by Razor TechnologyDavid J Rosenthal
Identity-driven Security
Protect at the front door. Safeguard customers’ resources at the front door with innovative and advanced risk-based conditional access and multi-factor authentication.
Protect data against user mistakes. Gain deep visibility into user, device, and data activity on-premises and in the cloud—including high-risk usage of cloud apps and abnormal behavior.
Detect attacks before they cause damage. Uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics.
Enabling Technologies
Azure AD Identity Protection
Azure AD Privileged Identity Management
Azure Active Directory Premium P1/P2
Cloud App Security
Advanced Threat Protection
Advanced Threat Analytics
A profile is an extremely sensitive optional configuration file which allows to re-define different system functionality parameters such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering techniques such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and compromise the device settings to silently route network traffic from the device to a remote proxy over SSL using a self-signed certificate.
The impact:
Once the attacker has re-routed all traffic from the mobile device to their own server, they can begin to install other malicious apps and decrypt SSL communications.
The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa
7 Ways to Stay 7 Years Ahead of the Threat 2015IBM Security
View on-demand webinar: https://securityintelligence.com/events/7-ways-stay-7-years-ahead-threat/#.VdXsFFNVhBc
With breach reports becoming a weekly, if not daily, occurrence, organizations need proactive security to protect themselves and their customers against the loss of sensitive data.
The disappearing network perimeter means organizations can no longer rely on traditional methods to secure their networks, and must plan for porous access to corporate assets and intellectual property. Deploying a simple intrusion prevention solution that relies on pattern matching is no longer sufficient. By focusing on blocking the behavior of malware, organizations are better protected with techniques like protocol analysis detection, shellcode heuristics, application layer heuristics, malicious communication prevention, and exploit chain disruption.
View this on-demand webinar to hear from IBM X-Force research and product experts on 7 types of behavioral based protection layered into network and endpoint security that can help your organization stay ahead of the threat.
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Lacoon Mobile Security
CEO Michael Shaulov and Sr. Security Researcher Daniel Brodie will be presenting “A Practical Attack Against VDI Solutions” at this year’s conference in Las Vegas.
ESET sur la cybersécurité. ESET over cybersecurity.
Dans ce slideshow, ESET présente ses produits pour protéger votre organisation au mieux. L'entreprise européenne renommée aborde également des notions comme la double authentification ou la gestion de mots de passe.
In deze slideshow stelt ESET zijn producten voor om uw organisatie optimaal te beschermen. Het gerenommeerde Europese bedrijf bespreekt ook concepten als dubbele authenticatie en wachtwoordbeheer.
Consultez également notre chaîne YouTube pour retrouver les sessions enregistrées avec ce slideshow. Zie ook ons YouTube-kanaal voor opgenomen sessies met deze slideshow.
YouTube SOCIALware: https://www.youtube.com/channel/UCBGL9kTljcXZcP7iuIAC6Hw
Cloud Smart is today’s IT modernization strategy designed to help Federal agencies adopt cloud solutions that streamline transformation and embrace modern capabilities. We will review the key aspects of the Cloud Smart strategy that agencies can focus on to meet those objectives. We will dive into the Security aspect of Cloud Smart as we focus on its impact on Trusted Internet Connections. We'll see how the new horizon of security services in AWS can help agencies implement Zero Trust Networking and we'll look at ways in which Government agencies can utilize AWS tools and services for architecture decisions that may not require TIC routing, while still meeting government-wide requirements.
Aov is one of the leading manufacturer & exporter from India. Aov offers comprehensive range of cotton, nylon & polyester socks in size & designs to fit individual customer specifications from Middle East, Europe, Canda & USA.
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceIvanti
Join Ivanti cybersecurity experts as they share best practices for implementing an effective zero trust security strategy at the user, device and network-access levels to ensure the optimal security posture for your organization. Learn how you can implement a multi-tiered approach to mobile phishing protection to best protect against data breaches.
Defend your Everywhere Workplace through adaptive zero trust security and adapt to modern threats faster and experience better outcomes.
View recorded webinar - http://get.skycure.com/accessibility-clickjacking-webinar
Accessibility Clickjacking, a vulnerability discovered by Skycure’s Mobile Threat Defense Research Team, is a method hackers may use to gain complete control over an Android device, including acquiring elevated privileges and exposing the content of all apps on the device.
It can compromise container solutions and is extremely difficult to detect.
C0c0n 2011 mobile security presentation v1.2Santosh Satam
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggest otherwise.
One of the key challenges in mobile security is the diverse platforms and multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform whether it is iOS, Android, Blackberry, Windows Mobile, Symbian etc. is unique and requires a specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the Enterprise using policy files and other technology solutions, We will also outline best practices for business users and road warriors, on how to ensure your company data is protected while still continuing to enjoy the flexibility provided by mobile phones.
How to Predict, Detect and Protect Against Mobile Cyber AttacksSkycure
Watch webinar recording: http://hubs.ly/H01l56L0
Join Brian Katz, director of mobile strategy at VMware, and Varun Kohli, vice president at Skycure, discuss how to:
- Get visibility into ALL mobile threats, vulnerabilities and attacks impacting your organization today
- Integrate Skycure with AirWatch to predict, detect, and protect against mobile cyber attacks
- Stop attacks before they make it to the enterprise by profiling good and bad device, app and user behaviors by leveraging crowd wisdom
The Future of Mobile Application SecuritySecureAuth
The rapid adoption of mobile technology in recent years has created an opportunity for enterprises to increase the productivity and flexibility of their organizations. This demand for greater mobility has forced enterprises to deliver sensitive applications and data across a wide array of devices and networks.
SecureAuth and Sencha have created an integrated approach to application, data, and user mobility that elegantly addresses these challenges.
-Secure enterprise application deployment
-End-to-end data security with strong encryption
-Managed application container that works on any device
-Developer SDK for creating rich application user experiences
The Zero Trust Model of Information Security Tripwire
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust and verify approach to information security, but that’s not working as threats from malicious insiders represent the most risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it’s not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools using for security testing?
- How to integrate into existing processes?
- What additionally you can do?
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
Security as a Service with Microsoft Presented by Razor TechnologyDavid J Rosenthal
Identity-driven Security
Protect at the front door. Safeguard customers’ resources at the front door with innovative and advanced risk-based conditional access and multi-factor authentication.
Protect data against user mistakes. Gain deep visibility into user, device, and data activity on-premises and in the cloud—including high-risk usage of cloud apps and abnormal behavior.
Detect attacks before they cause damage. Uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics.
Enabling Technologies
Azure AD Identity Protection
Azure AD Privileged Identity Management
Azure Active Directory Premium P1/P2
Cloud App Security
Advanced Threat Protection
Advanced Threat Analytics
A profile is an extremely sensitive optional configuration file which allows to re-define different system functionality parameters such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering techniques such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and compromise the device settings to silently route network traffic from the device to a remote proxy over SSL using a self-signed certificate.
The impact:
Once the attacker has re-routed all traffic from the mobile device to their own server, they can begin to install other malicious apps and decrypt SSL communications.
The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa
7 Ways to Stay 7 Years Ahead of the Threat 2015IBM Security
View on-demand webinar: https://securityintelligence.com/events/7-ways-stay-7-years-ahead-threat/#.VdXsFFNVhBc
With breach reports becoming a weekly, if not daily, occurrence, organizations need proactive security to protect themselves and their customers against the loss of sensitive data.
The disappearing network perimeter means organizations can no longer rely on traditional methods to secure their networks, and must plan for porous access to corporate assets and intellectual property. Deploying a simple intrusion prevention solution that relies on pattern matching is no longer sufficient. By focusing on blocking the behavior of malware, organizations are better protected with techniques like protocol analysis detection, shellcode heuristics, application layer heuristics, malicious communication prevention, and exploit chain disruption.
View this on-demand webinar to hear from IBM X-Force research and product experts on 7 types of behavioral based protection layered into network and endpoint security that can help your organization stay ahead of the threat.
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Lacoon Mobile Security
CEO Michael Shaulov and Sr. Security Researcher Daniel Brodie will be presenting “A Practical Attack Against VDI Solutions” at this year’s conference in Las Vegas.
ESET sur la cybersécurité. ESET over cybersecurity.
Dans ce slideshow, ESET présente ses produits pour protéger votre organisation au mieux. L'entreprise européenne renommée aborde également des notions comme la double authentification ou la gestion de mots de passe.
In deze slideshow stelt ESET zijn producten voor om uw organisatie optimaal te beschermen. Het gerenommeerde Europese bedrijf bespreekt ook concepten als dubbele authenticatie en wachtwoordbeheer.
Consultez également notre chaîne YouTube pour retrouver les sessions enregistrées avec ce slideshow. Zie ook ons YouTube-kanaal voor opgenomen sessies met deze slideshow.
YouTube SOCIALware: https://www.youtube.com/channel/UCBGL9kTljcXZcP7iuIAC6Hw
Cloud Smart is today’s IT modernization strategy designed to help Federal agencies adopt cloud solutions that streamline transformation and embrace modern capabilities. We will review the key aspects of the Cloud Smart strategy that agencies can focus on to meet those objectives. We will dive into the Security aspect of Cloud Smart as we focus on its impact on Trusted Internet Connections. We'll see how the new horizon of security services in AWS can help agencies implement Zero Trust Networking and we'll look at ways in which Government agencies can utilize AWS tools and services for architecture decisions that may not require TIC routing, while still meeting government-wide requirements.
Aov is one of the leading manufacturer & exporter from India. Aov offers comprehensive range of cotton, nylon & polyester socks in size & designs to fit individual customer specifications from Middle East, Europe, Canda & USA.
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...cscpconf
Deployment of using cloud services as a new approach to keep people's platforms, Infrastructure and applications has become an important issue in the world of communications technology. This is a very useful paradigm for humans to obtain their essential needs simpler, faster ,more flexible, and safer than before. But there are many concerns about this system challenge. Security is the most important challenge for cloud systems. In this paper we design and explain the procedure of implementation of a new method for cloud services based on multi clouds on our platform which supplies security and privacy more than other clouds. We introduce some confidentiality and security methods in each layer to have a secure access to requirements. The architecture of our method and the implementation of method on our selected platform for each layer are introduced in this paper.
Design and implement a new cloud security method based on multi clouds on ope...csandit
Deployment of using cloud services as a new approach to keep people's platforms,
Infrastructure and applications has become an important issue in the world of communications
technology. This is a very useful paradigm for humans to obtain their essential needs simpler,
faster ,more flexible, and safer than before. But there are many concerns about this system
challenge. Security is the most important challenge for cloud systems. In this paper we design
and explain the procedure of implementation of a new method for cloud services based on multi
clouds on our platform which supplies security and privacy more than other clouds. We
introduce some confidentiality and security methods in each layer to have a secure access to
requirements. The architecture of our method and the implementation of method on our selected
platform for each layer are introduced in this paper.
Cloud computing is set of resources and services offered through the Internet. Cloud
services are delivered from data centers located throughout the world. Cloud computing
facilitates its consumers by providing virtual resources via internet. The biggest challenge in
cloud computing is the security and privacy problems caused by its multi-tenancy nature and the
outsourcing of infrastructure, sensitive data and critical applications. Enterprises are rapidly adopting
cloud services for their businesses, measures need to be developed so that organizations can be assured
of security in their businesses and can choose a suitable vendor for their computing needs. Cloud
computing depends on the internet as a medium for users to access the required services at any time on
pay-per-use pattern. However this technology is still in its initial stages of development, as it suffers
from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities
from illegal users have threatened this technology such as data misuse, inflexible access control and
limited monitoring. The occurrence of these threats may result into damaging or illegal access of
critical and confidential data of users. In this paper we identify the most vulnerable security
threats/attacks in cloud computing, which will enable both end users and vendors to know a bout
the k ey security threats associated with cloud computing and propose relevant solution directives to
strengthen security in the Cloud environment. We also propose secure cloud architecture for
organizations to strengthen the security.
Security and Privacy Solutions in Cloud Computing at Openstack to Sustain Use...Zac Darcy
Cloud computing is an emerging model of service provision that has the advantage of minimizing costs
through sharing and storage of resources combined with a demand provisioning mechanism relying on
pay-per-use business model. Cloud computing features direct impact on information technology (IT)
budgeting but pose detrimental impacts on privacy and security mechanisms especially where sensitive
data is to be held offshore by third parties. Even though cloud computing environment promises new
benefits to organizations, it also presents its fair share of potential risks. It is considered as a double edge
sword considering the privacy and security standpoints. However, despite its potential to offer a low cost
security, customer organizations may increase the risks by storing their sensitive information in the cloud.
Therefore, this study focuses on privacy and security issues that pose a challenge in maintaining a level of
assurance that is sufficient enough to sustain confidence in potential users.
In this study, survey questions were sent to different non-profit and government organizations, which
assisted in collecting fundamental information. The data was acquired by conducting surveys in OpenStack
Company to identify the critical vulnerabilities in the cloud computing platform in order to provide the
recommended solutions.
So, analysis will be made on how the cloud’s characteristics such as the nature of the architecture,
attractiveness, as well as, vulnerability are tightly related to privacy and security issues. Privacy and
security are complex issues for which there is no standard and the relationship between them is necessarily
complicated. The study also highlight on the inherent challenge to data privacy because it typically results
in data to be presented in an encryption from the data owner. Thus, the study aimed at obtaining a common
goal to provide a comprehensive review of the existing security and privacy issues in cloud environments,
and identify and describe the most representative of the security and privacy attributes and present a
relationship among them.
Finally, in order to ensure that the standard measure of validity is achieved, validity test was conducted in
order to ensure that the study is free from errors. Various recommendations were provided. The study also
explored various areas that require future directions for each attribute, which comprise of multi-domain
policy integration and a secure service composition to design a comprehensive policy-based management
framework in the cloud environments.
Lastly, the recommendations will provide the potential for security and privacy approaches that can be
implemented to improve the cloud computing environment to ensure that a level of trust is achieved
SECURITY AND PRIVACY SOLUTIONS IN CLOUD COMPUTING AT OPENSTACK TO SUSTAIN USE...Zac Darcy
Cloud computing is an emerging model of service provision that has the advantage of minimizing costs
through sharing and storage of resources combined with a demand provisioning mechanism relying on
pay-per-use business model. Cloud computing features direct impact on information technology (IT)
budgeting but pose detrimental impacts on privacy and security mechanisms especially where sensitive
data is to be held offshore by third parties. Even though cloud computing environment promises new
benefits to organizations, it also presents its fair share of potential risks. It is considered as a double edge
sword considering the privacy and security standpoints. However, despite its potential to offer a low cost
security, customer organizations may increase the risks by storing their sensitive information in the cloud.
Therefore, this study focuses on privacy and security issues that pose a challenge in maintaining a level of
assurance that is sufficient enough to sustain confidence in potential users.
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREIJNSA Journal
In a typical cloud computing diverse facilitating components like hardware, software, firmware,
networking, and services integrate to offer different computational facilities, while Internet or a private
network (or VPN) provides the required backbone to deliver the services. The security risks to the cloud
system delimit the benefits of cloud computing like “on-demand, customized resource availability and
performance management”. It is understood that current IT and enterprise security solutions are not
adequate to address the cloud security issues. This paper explores the challenges and issues of security
concerns of cloud computing through different standard and novel solutions. We propose analysis and
architecture for incorporating different security schemes, techniques and protocols for cloud computing,
particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed
architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and
is not coupled with the underlying backbone. This would facilitate to manage the cloud system more
effectively and provide the administrator to include the specific solution to counter the threat. We have also
shown using experimental data how a cloud service provider can estimate the charging based on the
security service it provides and security-related cost-benefit analysis can be estimated.
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREIJNSA Journal
In a typical cloud computing diverse facilitating components like hardware, software, firmware, networking, and services integrate to offer different computational facilities, while Internet or a private network (or VPN) provides the required backbone to deliver the services. The security risks to the cloud system delimit the benefits of cloud computing like “on-demand, customized resource availability and performance management”. It is understood that current IT and enterprise security solutions are not adequate to address the cloud security issues. This paper explores the challenges and issues of security concerns of cloud computing through different standard and novel solutions. We propose analysis and architecture for incorporating different security schemes, techniques and protocols for cloud computing, particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and is not coupled with the underlying backbone. This would facilitate to manage the cloud system more effectively and provide the administrator to include the specific solution to counter the threat. We have also shown using experimental data how a cloud service provider can estimate the charging based on the security service it provides and security-related cost-benefit analysis can be estimated.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The paradigm called “Cloud computing” acts as a mechanism for attaining the resources of shared technology and infrastructure cost-effectively. The on-demand services are accomplished to execute the various operations across the network. Regularly, the last client doesn't know about the area of open physical assets and devices. Developing, using, and dealing with their applications 'on the cloud', which includes virtualization of assets that keeps and guides itself are led by arranged activities to clients. Calculation experience the new methodology of cloud computing which perhaps keeps the world and can set up all the human necessities. At the end of the day, cloud computing is the ensuing normal step in the development of on-request data innovation administrations and items. The Cloud is an allegory for the Internet and is an idea for the secured confused foundation; it likewise relies upon drawing network graphs on a computer. In this work, thorough investigations of distributed computing security and protection concerns are given. The work distinguishes both the identified and unidentified attacks, vulnerabilities in the cloud, security attacks and also the solutions to control these threats and attacks. Moreover, the restrictions of the present solutions and offers various perceptions of security viewpoints are distinguished and explored. At long last, a cloud security system is given in which the different lines of protection and the reliance levels among them are identified.
Cloud computing has changed the entire process that distributed computing used to present e.g. Grid
computing, server client computing. Cloud computing describes recent developments in many existing IT
technologies and separates application and information resources from the underlying infrastructure.
Cloud computing security is an important aspect of quality of service from cloud service providers.
Security concerns arise as soon as one begins to run applications beyond the designated firewall and move
closer towards the public domain. In violation of security in any component in the cloud can be disaster for
the organization (the customer) as well as for the provider. In this paper, we propose a cloud security
model and security framework that identifies security challenges in cloud computing.
International Journal of Network Security & Its Applications (IJNSA)IJNSA Journal
The International Journal of Network Security & Its Applications (IJNSA) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the computer Network Security & its applications. The journal focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern security threats and countermeasures, and establishing new collaborations in these areas.
Similar to (Pdf) yury chemerkin _ita_2013 proceedings (20)
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
1. Proceedings
of the
Fifth
International
Conference
on Internet
Technologies
and Applications
(ITA 13)
Picking
Cunningham
Houlden
Oram
Grout
Mayers
Proceedings of the
Fifth International
Conference on Internet
Technologies and
Applications (ITA 13)
Editors:
ISBN 978-0-946881-81-9
9 780946 881819
Rich Picking, Stuart Cunningham, Nigel Houlden,
Denise Oram, Vic Grout, & Julie Mayers
Co-editors:
Nathan Clarke, Carlos Guerrero,
Raed A Abd-Alhameed, & Susan Liggett
Glyndŵr University, Wrexham, North Wales, UK
10-13 September 2013
2. PROCEEDINGS OF THE FIFTH
INTERNATIONAL CONFERENCE
ON INTERNET TECHNOLOGIES
AND APPLICATIONS (ITA 13)
Tuesday 10th – Friday 13th September 2013
Glyndŵr University, Wrexham, Wales, UK
http://www.ita13.org
Editors
Rich Picking, Stuart Cunningham,
Nigel Houlden, Denise Oram, Vic Grout,
Julie Mayers
Co-editors
Nathan Clarke, Carlos Guerrero,
Raed A Abd-Alhameed, Susan Liggett
Hosted by
Creative and Applied Research for the Digital
Society (C.A.R.D.S.)
Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham,
LL11 2AW, UK
i
4. FOREWORD
Croeso i Ogledd Cymru. Croeso i Wrecsam!
Welcome to North Wales. Welcome to Wrexham!
These are the proceedings of the Fifth International Conference on Internet
Technologies and Applications (ITA 13), hosted by the University Centre for Creative
and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University,
Wrexham, North Wales, UK from Tuesday 10th to Friday 13th September 2013. The
conference has been sponsored by the British Computer Society (BCS) Chester and
North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the
European Union 7th Framework Programme (Project Geryon), the UK National Health
Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The
Applied Computational Electromagnetics Society (ACES) and Modibbo Adama
University of Technology, Yola (MAUTECH). We thank them all for their support.
v
5. SECURITY COMPLIANCE CHALLENGES ON CLOUDS
Yury Chemerkin
Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH)
Moscow, Russia
yury.chemerkin@gmail.com
ABSTRACT
Today cloud vendors provide amount features of integration and optimization in many fields like business
or education; there many way to adopt it for medical purposes, maintaining medical records, or
monitoring patients. Not all cloud solutions totally changed an original security paradigm and customers
still need to manage the accessibility, monitoring and auditing. An appropriate security level has become
very important issue for the customers. The compliance is part of security and a cornerstone when cloud
vendors refer to worldwide standards.
KEYWORDS:
Cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, cmm, caiq, csa
consensus assessments initiative questionnaire
1. INTRODUCTION
Cloud Computing has been one of the top security topics for the last several years. The clouds
increasing popularity [1] is based on flexibility of virtualization as a technology for replacing
and improving of complex parts of systems reducing unnecessary computation and usage of
existing resources. Besides the well-known threats, the clouds introduce new security and
management level. Cloud security vendors (not only cloud vendors, almost of all kind of
vendors) claim that the end-user companies prefer a cost reduction instead the security to reduce
the operation complexity of their clouds (or systems) that eventually ends with a lower amount
of security that the end-user will accept. Some security questions about clouds are: how is it
implemented, how are the data or communication channels secured, how are the cloud and
application environments secure, etc. For example, the well-known phrase “physical security
does not exist in clouds” make no serious sense because it was this way as it had been when the
hosting service arrived. Customer must make any improvements than by-default configuration
with each new technology. If the virtual OS is a Windows Server, then the OS has the quite
similar security and patch management state as Desktop/Server OS. In addition, it is mere trust
than downloading and buying third-party solutions and it might be more trustable, than cloud
vendor (they are all third-party solutions).The cloud simply uses well-known protocols like
SMTP, HTTP, SSL, TCP/IP etc. to communicate, send email, file handling and other activity.
The methods that are compliant as a part of the RFC should indicate that they are OK. However,
a key problem is a lack of a systematic analysis on the security and privacy for such cloud
services. Third party organizations like the Cloud Security Alliance (CSA) promote their
recommendations to improve a cloud security and have a registry of cloud vendors' security
controls to help the users to make a right choice on security field.
This research analyzes security aspects, which the customers rely, are basic for cloud and
security standards and represent a minimal set of security state at least. Enterprises need to
comply with of the different regulations and standards (PCI, CSA, HIPAA, ISO etc.). The aim
of research is gaps in the recommendations of security standards (if they are) let cloud vendors
131
6. or their customers successfully pass the cloud audit checks and claim about compliance having
difference security features between clouds capabilities. The guidelines in such documents
operate at the high level that makes unclear them, miss the useful security countermeasures and
adding a superfluity in the customer’s vision about the system (cloud).
2. RELATED WORK
Nowadays, AWS is one of the most popular cloud platforms. It offers a virtual computing,
storage, VPN, archiving, monitoring, health-watching, email and others services environment
for a user to run applications, store data, operates with events and deliver event-data due the
different services and by different ways. AWS offers many services more accessibility that is
important with merging to the cloud. GAE is one more cloud to run web applications written
using interpretation and scripts languages like Java/Python but it has limited features (security
and the rest). Windows Azure makes a data spreading to the cornerstone, via neither storage nor
web-server. These different goals have a huge influence on the security while all of them were
built in accordance with best practices, and have security controls are well documented.
As we have enough security problems and the greater quantity of security solutions to solve
these problems on one hand and standards with best practices that successfully applied to the
clouds (according to the cloud vendors) on another hand, it should be analyzed whether it is so
difficult to pass the cloud compliance audit in accordance with these documents. In this paper,
the AWS services are going to be examined as the most similar to known existing technologies.
The modern recommendations for clouds are quite similar to given in the Table I at least but
improved to the low details like “you should choose the cloud vendor that offers an encryption
and definitely those who offer the strong encryption e.g. AES” the make a little sense. The
answer “why” is relied on the customers willingness to see an action-to-do like ‘whether they
should rely on this AES encryption or they need encrypt their data before uploading’. It
successfully works when the customers need to check clouds to choose those provide the more
security but it is bad for clouds are provided many services and security features because it is
basic rules only.
Table 1 The common security recommendations
Object
Data Ownership
Data Segmentation
Data Encryption
Backup/Recovery
Data Destruction
Access Control
Log Management
Incident Response
Security Controls
Patch Management
What to do
Full rights and access to data
An isolation data from other customers’ data
A data encryption in transit/memory/storage, at rest
An availability for recovery
An Ability to securely destroy when no longer needed
Who has access to data?
A data access that logged and monitored regularly
Are there processes and notifications in place for incidents (including breaches)
that affect data?
An appropriate security and configuration control to data protection
Patching for the latest vulnerabilities and exploits?
One more example is how such documents may substitute the customer understanding. NIST
[25] talks about cloud limits on security: “the ability to decide who and what is allowed to
access subscriber data and programs … the ability to monitor the status of a subscriber’s data
and programs …” may follow the idea “no one cloud provides such abilities” by mistake
without a knowledge about cloud infrastructure. Another misthought is about cloud firewall
takes place with opinion that cloud features are useless due the following statement: a cloud
132
7. firewall should provide a centralized management, include pre-defined templates for common
enterprise server types and enable the following:
Source and Destination Addresses & Ports filtering
Coverage of protocols, DoS prevention
An ability to design policies per network interface
Location checks who/where accessed to data
Besides such detailed ‘how-to’ sets, there are enough statements that the clouds can’t provide
with it, so it is still a security hole, while some of them (ex. AWS) provides these features. The
Table II [7] shows a brief difference between AWS and Azure on compliance vs. documented
technologies to secure and protect data. As a part of ‘non-transparency’, it is quite interesting
that the different offered security features and controls have passed e.g. ISO 27xxxx, while the
cloud difference (comparing each other) looks like a medium feature reduction. The cloud
attributes examined [2] are backup, encryption, authentication, access controls, data isolation
and monitoring, security standards, disaster recovery, client-side protection, etc. This paper
provides a medium-detailed comparison and presents the cloud security/privacy attributes
mapped to NIST guidelines. The [2-6], [26] give a brief examination of AWS S3 and GAE but a
summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful
and flexible features and [7][8].
Table 2 Compliance difference between AWS and Azure
Type
Compliance
Physical Security
Data Privacy
Network Security
Credentials
ISO 27001, CSA, HIPAA
PCI DSS, FISMA, FIPS 140-2, NIST
Actions, events logging, logs audit
Minimum access rights
Auto revocation access after N days, role changed,
MFA, escort
Backup, redundancy across the location
Redundancy inside one geo location, encryption,
DoD/NIST Destruction
MITM Protection, Host-Based Firewall (ip,port,mac),
Mandatory Firewall, Hypervisor protection from
promiscuous
Pentesting offer of services
Pentesting offer of apps
DDoS Protection, featured firewall
Login and Passwords, SSL
Cross account IAM, MFA hardware/software, Key
Rotation
+
+
+
+
Cloud Vendor
AWS
Azure
+
N/A
+
+
+
N/A
+
+
+
N/A
+
+
+
+
+
+
+
N/A
+
+
N/A
Such recommendations may also advise the different sanitizing technique to use on client of
cloud side. Effective and efficient sanitization is a forensics statement. There are a lot of
methods and techniques but some of them rely on brute-force wiping that extremely useless for
the clouds due financial matters. The ERASERS proposed in [24] computes the entropy of each
data block in the target area and wipes that block specified number of passes and pattern then.
Patterns and entropy are valuable because the file types (docx, mp3, odf, pgp, acid*) have a
quite different characteristics. It means that ERASERS has many subpopulations which of them
applied to certain cases. It gives a faster wiping vs. regular brute force methods of overwriting.
As the disk sizes increase up to petabyte scale (recently AWS offer such storage), the brute
133
8. force methods is becoming near impossible in time. Many drives contain areas do not have data
needing overwriting, as known as for SSD that shuffles data between data block every time, but
keeps the encrypted area untouched. According to NIST SP800-88 [9], “studies have shown that
most of data can be effectively cleared by one overwrite with random data rather than zeroing”.
The original version of DoD 5220.22-M (AWS implements this one) recommends a 3-pass wipe
with one pass of a uniform character, one pass of its complement, and one pass of random
characters, while the current DoD 5220.22-M does not specify the number of passes or the
pattern. As ERASERS shows the good results, it should be implemented to AWS EC2 or other
cloud VM.
The one of the most serious work on AWS security [27] gives results as a "black box" analysis
methodology in regards to the control interfaces (AWS EC2 and S3) compromised via the novel
signature wrapping and advanced XSS techniques, HTML injections, as well as SOAP issues
with validation and man-in-the-middle attacks. Authors examined the possible way of
protection and found that AWS EC2 & S3 services do not provide the suitable opportunities to
implement their solutions. Despite of that, there was found solutions based on native AWS
security features to protect against these attacks [28]:
Utilizing the SSL/HTTPS only with certificate validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509 certificates
Limiting IP access enhanced with API/SDK & IAM
The virtualization refers to a hypervisor, while a virtual machine works with a configured
snapshot of an OS image and requires well-known shared resources like memory, storage, or
network. It is generally agreed that even isolation these shared resources without affecting other
instances, VMs can be trusted in few cases only, while it is vulnerable under the most known
XEN attacks. However, no one XEN vulnerability has not applied to AWS services [29]that
brings to understanding the term “customize” in regards to clouds. Other ability to control due
the AMT commands [30] is applied to VMware but there is not known successful
implementations for AWS, Azure, GAE or other clouds. Also may have serious performance
problems such as overloading the virtual OS with analysing CPU commands and system calls,
regardless of where the trusted/untrusted control agents are, multiplied by known issues the best
of all demonstrated in case of GPU [31].
There are security virtualization issues even in clouds, no doubt, and it should be taken in
consideration. One exciting example [32] talks about an incorrect behavior in the SSL certificate
validation mechanisms of AWS SDK for EC2, ELB, and FPS. Despite of that, AWS has
updated all SDK (for all services) to redress it [13].
3. EXAMINATION THE CSA DOCUMENTS ON CLOUDS
The CSA documents provide vendors and their customers with a medium-detailed overview
what the statements do the cloud security features applied to as it defined in the Consensus
Assessments Initiative Questionnaire (CAIQ) and Cloud Control Matrix (CCM). The cloud
vendors announce that their services operate in according to them: However, the customers have
a responsibility to control their environment and define whether it is really in compliance. In
other words, how much are cloud controls and configurations transparent. Here the regulations
meet the technical equipment as a public technical proof is going to be examined from that point
at first. Each control ID (CID) will be kept to find it CAIQ [33] & CCM [34], while his
explanation is rewritten to reduced amount of text and grouped by domain/control group,
similar questions/metrics. Some considerations are used in tables III, IV: each abbreviation is
reduced name of Control Group ID: CO-Compliance, DG - Data Governance, FS-Facility
134
9. Security, HR - Human Resource Security, IS - Information Security, RS – Resiliency, SA Security Architecture. Requirements from section [LG–Legal, OP–Operation Management, RI–
Risk Management, RM–Release Management] and other non-technical are removed as are
compliant in order to ISO 27xxx, SOC, COBIT by independent auditors and reviewers.
Table 3 AWS solutions against a CAIQ
CID
CO-01.1
CO-02.1-7
Questions
Any certifications, reports and other
relevant documentation in regards to the
standards
An ability to provide the tenants the 3rd
party audit reports, and conduct the
network/application cloud penetration tests
as well as internal/external audits regularly
(in regards to the guidance) with results
CO-03.1-2
An ability to perform the vulnerability
tests for customers (means their own tests)
on applications and networks.
CO-05.1-2
An ability to logically split the tenants data
into the segments (additionally, due the
encryption) as well as data recovering for
specific customers in case of failure or
data loss
DG-01.1
An implementation of structured datalabeling standard
An identifying ability of the VM via policy
tags/metadata to perform any quality
control/restrict actions like identifying
hardware via policy & tags/metadata,
using the geolocation as an authentication,
providing a physical geolocation, allowing
to choose suitable geolocations for
resources and data routing
DG-02.1-5
DG-03.1
Any policies and mechanisms for labeling,
handling and security of data
135
AWS Response
AWS has this one and provides it under NDA.
AWS engages with independent auditors
reviewing their services and provides the
customers with the relevant 3rd party
compliance/attestations/certifications reports
under NDA. Such audit covers regularly scans
of their (non-customer) services for
vulnerabilities [22-23] the customers are also
available to make pentest [21] of their own
instances due the tentative agreement.
Customers are able to perform it due the
permission (writing email with the instances
IDs and period) request via AWS
Vulnerability/Penetration Testing Request
Form [21]
All data stored by the customers has canonical
isolation by path and additional security
capabilities like the permissions, personal
entry points to access the data as well as
MFA. AWS encryption mechanisms are
available for S3 (Server Side Encryption),
EBS (encryption storage for EC2 AMIs),
SimpleDB, EC2 (due the EBS plus SSL), VPC
(encrypted connections and sessions).
Additionally, the customer can use any cloud
services offered a backup from and to AWS
services like SME Storage for cloud vendors
or Veeam Backup Cloud Edition for VMs
Depends on the customers’ needs and their
requirements.
The tenants are featured to apply any metadata
and tagging to the EC2 VMs to set the userfriendly names and enhance searchability.
AWS offer several regions [19]. Each of them
is covered by geo location policy and access
as well as is able to be restricted by SSL, IP
address and a time of day. They offer move
data between each other directly by the
customers via API/SDK
As the customers retain ownership, they are
responsible to implement it.
10. DG-04.1-2
DG-05.1-2
The technical capabilities to enforce tenant
data retention policies and documented
policy on government requests
A secure deletion (ex. degaussing /
cryptographic wiping) and providing the
procedures how a cloud vendor handles
this deletion
DG-07.1-2
A presence of the controls to prevent data
leakage / compromising between AWS’
tenants
DG-08.1
An availability of control health data to
implementation a continuous monitoring to
validate the services status
FS-04.1
A ability to provide the customers a
knowledge which geo locations are under
traversing into/out of it in regards law
FS-06.1
FS-07.1
Availability of docs that explain if and
where data may be moved between
different locations, (e.g. backups) and
repurpose equipment as well as sanitizing
of resources
IS-04.1-3
An ability to provide the documents with
security recommendations per each
component, importing the trusted VMs as
well as capability to continuously monitor
and report the compliance
IS-05.1
An ability to notify the customers on
information
security/privacy
polices
changes
IS-08.1-2
A docs described how the cloud vendor
grant and approve access to tenant data
and if provider & tenant data classification
methodologies is aligned with each other
A revocation/modification of user access
to data upon any change in status of
employees, contractors, customers, etc.
IS-09.1-2
136
The customers have capability manage
retention, control, and delete their data except
case when AWS must comply with law.
At the end of a storage useful life, AWS
performs a decommissioning process to
prevent data exposing via DoD 5220.22M/NIST 800-88 techniques. In additional the
device will be degaussed or physically
destroyed.
There were not known the serious security
bugs of AWS environment successfully
applied or that cannot ‘patched’ by using the
implemented PCI controls [27-29] to make the
resources segmented from each other. A
hypervisor is designed to restrict non-allowed
connections between tenant resources
AWS provides the independent auditor reports
under NDA and customers on their own
systems can build a continuous monitoring of
logical controls additionally implementing
[19].
AWS imposes not to move a customers'
content from them without notifying in
compliance the law. The rest is similar to the
DG-02.5.
AWS imposes control the customers to
manage the data locations. Data will not be
moved between different regions, only inside
that were chosen to prevent failure. The rest is
similar the DG-05.1-2 (talks about the AWS
side only)
Customers are able [11] to use their own VMs
due the image importing via AWS VM
Import, as well as AWS Import/Export
accelerates moving large amounts of data
into/out in case of backup or disaster recover.
The rest is similar to the DG-08.1 in order to
ISO (domain 12.1, 15.2)
Despite of AWS provides a lot of how-todocs, binary & sources [10-18], [28-29] are
regularly updated, it’s better to subscribe to
the news via RSS and email, because there is
no other directly way to be notified
The customers as data owners are responsible
for the development, content, operation,
maintenance, and use of their content.
Amazon provides enough security control to
maintain an appropriate security policy and
permissions not to let spreading the data if it is
11. IS-12.1-2
IS-13.1
IS-17.1-3
IS-18.1-2
IS-19.1-4
A participation in the security groups with
benchmarking the controls against
standards
A documentation clarifying the difference
between administrative responsibilities vs.
those of the tenant
Any policies to address the conflicts of
interests on SLA, tamper audit, software
integrity, and detect changes of VM
configurations
Ability to create and manage unique
encryption keys per a tenant, to encrypt
data to an identity without access to a
public key certificate (identity based
encryption) as well, to protect a tenant data
due the transmission, VMs, DB and other
data via encryption, and maintain key
management
IS-20.1-6
An ability to perform vulnerability scans in
regards to the recommendations on
application-layer, network-layer, local OS
layer and patching then. Providing the info
about issues to AWS who makes it public
IS-23.1-2
IS-24.1-4
An ability of SIEM to merge data sources
(app logs, firewall logs, IDS logs, physical
access logs, etc.) for granular analysis and
alerting. Additional providing an isolation
of the certain customers due incident.
IS-28.1-2
IS-29.1
An ability to use an open encryption
(3DES, AES, etc.) to let tenants to protect
their data on storage and transferring over
public networks. As well, an availability of
logging, monitoring and restriction any
access to the management systems
controlled hypervisors, firewalls, APIs,
etc.)
IS-34.1-3
An ability to monitor and segment/restrict
the key utilities managed virtualized
137
explicitly not allowed that also built by AWS.
The rest is similar to the IS-07.1-2 in regards
AWS staff
AWS policies is based on COBIT, ISO
27001/27002 and PCI DSS
AWS provides these roles among the general
security documents (it means not among the
specific services documents)
AWS provides the details SOC 1 Type II
report in compliance with ISO 27001 (domain
8.2, 11.3) that validated by independents
auditors
If keys created on server side, AWS creates
the unique keys and utilizes it, if it did on
client side due the own or 3rd party solutions,
the customers can manage it only. AWS
encryption mechanisms are available for S3
(Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC (encrypted
connections and sessions), etc.
Similar to the CO-03.1-2 but more detail that
means the customers are should performing
vuln scan and patching despite of the VMs’
OS are coming with the latest updates; they
are obliged to come to the agreement with
AWS and not violate the Policy. Also similar
to the CO-02.6-7 on providing the results [2123]
AWS have this one in compliance with ISO
and Even the customers’ data stored with
strong isolation from AWS side and
restrictions made by them all data should be
encrypted on client side, because it leads to
participation with law directly as AWS does
not get the keys in this case.
AWS encryption mechanisms are available for
S3 (Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC (encrypted
connections and sessions). Customers may use
third-party encryption technologies too as well
as rely on the AWS APIs are available via
SSL-protected endpoints. AWS has a logging
feature, delineates the minimum standards for
logical access to AWS resources and provides
details with SOC 1 Type II report
AWS has this one and provides details with
SOC 1 Type II report. AWS examines such
12. partitions (ex. shutdown, clone, etc.) as
well as ability to detect attacks (blue pill,
etc.) to the virtual key components and
prevent from them
SA-02.1-7
A capability to use the SSO, an identity
management
system,
MFA Policy
Enforcement
Point
capability
(ex.
XACML), to delegate authentication
capabilities, to support identity federation
standards (SAML, SPML, WS-Federation,
etc.), use 3rd party identity assurance
services
SA-03.1
SA-04.1-3
SA-05.1
Any industry standards as a background
for a Data Security Architecture standards
(NIST) to build-in security for SDLC,
tools detecting the security defects and
verify the software. An availability of I/O
integrity
routines
for
application
interfaces, DB to prevent errors and data
corruption
SA-06.1-2
SA-08.1
SA-07.1
Environment
separation
for
SaaS/PaaS/IaaS, providing how-to-docs
A MFA features are strong requirement for
all remote access
A segmentation of system and network
environments with a compliance, law,
protection, and regulatory as well as a
protection of a network environment
parameter
SA-09.1-4
SA-10.1-3
SA-11.1
SA-12.1
A NTP or other similar services
SA-13.1
An equipment identification is as a method
to validate connection authentication
integrity based on known location
A mobile code authorization before its
installation, prevention from executing and
using to a clearly defined security policy
SA-15.1-2
138
attacks and provides information if they apply
in section “Security Bulletins” [35]. An
example of blackbox attack [27],[28] was
given in the Section II of this paper with a
native security features as a solution
AWS IAM [15-18] provides the securely
access and roles to the resources with features
to control access, create unique entry points of
users, cross AWS-accounts access due
API/SDK or IAM console, create the
permissions with duration and geo auth. AWS
offers identity federation and VPC tunnels to
utilize existing corporate identities to access.
Additionally, customers may avoid the
mistakes and risks by using AWS Policy
Generator and MFA devices [20].
AWS Security based upon the best practices
and standards (ISO 27001/27002, CoBIT, PCI
DSS) that certified by independent auditors to
build threat modeling and completion of a risk
assessment as a part of SDLC. AWS
implements this one through all phases
including transmission, storage and processing
data in compliance to ISO 27001 (domain
12.2) that certified by independent auditors.
AWS provides a lot of how-to-docs, binary &
sources [10-18],[28-29]
MFA is not strong and depends on the
customer configuration [20]
An internal segmentation is in alignment with
ISO and similar to the CO-05.1-2 while
external is a part of the customer
responsibility. Internally, a traffic restriction is
under ‘deny/allow’ control by default.
Externally, customers may use SSL,
encryption key, encryption solutions, security
policies to explicitly approve the security
settings
AWS services rely on the internal system
clocks synchronized via NTP
AWS provides such ability, for example due
the AWS metadata, geo tags and other tags
created by the customers
The customers are responsible to manage it to
meet their requirements.
13. Table 4 AWS solutions against a CCM
CID
CO-01
CO-02
CO-03
CO-06
DG-01
DG-02
DG-03
DG-04
DG-05
DG-06-07
Control Specification
Audit plans, activities and operational
action items focusing on data duplication,
access, and data boundary limitations with
aim to minimize the risk of business
process disruption.
Independent reviews shall be performed
annually/planned intervals to aim a high
effective compliance policies, standards
and regulations (i.e., internal/external
audits, certifications, vulnerability and
penetration testing)
3rd party service providers shall
demonstrate compliance with security due;
their reports and services should undergo
audit and review.
A policy to safeguard intellectual property
All data shall be designated with
stewardship with assigned responsibilities
defined, documented and communicated.
Data, and objects containing data, shall be
assigned a classification based on data
type, jurisdiction of origin, jurisdiction
domiciled, etc.
Policies/mechanisms for labeling, handling
and security of data and objects which
contain data
Policies for data retention and storage as
well as implementation of backup or
redundancy mechanisms to ensure
compliance with regulatory and other
requirements that validated regularly
Policies and mechanisms for the secure
disposal and complete removal of data
from all storage media, ensuring data is not
recoverable by any computer forensic
means.
Security mechanisms to prevent data
leakage.
139
AWS Response
AWS has appropriate technical solutions,
internal controls to protect customer data
against alteration/destruction/loss/etc. Any
kind of additional audit information is
provided to the customers under NDA
AWS shares 3rd audit reports under NDA
with their customers. Such audit covers
regularly scans of their (non-customer)
services for vulnerabilities [22-23] while the
customers are allowed to request for a pentest
[21] of their own instances
AWS requires to meet important privacy and
security requirements conducting 3rd parties
in alignment ISO 27001 (domain 6.2)
AWS will not disclose customer data to a 3rd
party unless it is required by law and will not
use data except to detect/repair problems
affecting the services
Customers are responsible for maintaining it
regarding their assets
AWS allows customers to classify their
resources by themselves (ex. applying any
metadata and tagging to the EC2 VMs to set
the user-friendly names & enhance
searchability)
Similar to DG-02
AWS infrastructure is validated regularly any
purposes in alignment with security standards
and featured by AWS EBS and Glacier (for
data archiving and backup), but the customers
have capability manage it due the API/SDK
AWS rely on best practices to wipe data via
DoD 5220.22-M/NIST 800-88 techniques; if it
is not possible the physical destruction
happens
AWS has implemented logical (permissions)
and physical (segmentation) controls to
prevent data leakage. (ex. a hypervisor is
designed to restrict non-allowed connections
between tenant resources, however the endusers are responsible to manage the right
sharing permissions
14. FS-06
FS-07
FS-08
IS-01
IS-02
IS-03
IS-04
Policies and procedures shall be
established for securing and asset
management for the use and secure
disposal of equipment maintained and used
outside the organization's premise.
A complete inventory of critical assets
shall be maintained with ownership
defined and documented.
An implementation of ISMP included
administrative, technical, and physical
safeguards to protect assets and data from
loss,
misuse,
unauthorized
access,
disclosure, alteration, and destruction
An implementation of baseline security
requirements for applications / DB /
systems / network in compliance with
policies / regulations/standards.
IS-05
An information security policy review at
planned intervals
IS-07-08
An implementation of user access policies
and for granting/revoking access to apps to
apps, DB, and the rest in accordance with
security, compliance and SLA.
Implemented policies / mechanisms
allowing data encryption in storage (e.g.,
file servers, databases, and end-user
workstations) and data in transmission
(e.g., system interfaces, over public
networks, and electronic messaging) as
well, key management too
IS-18
IS-19
IS-20
Implemented policies and mechanisms for
vulnerability and patch management on
side of apps, system, and network devices
IS-21
A capability of AV solutions to detect,
remove, and protect against all known
types of malicious or unauthorized
software with antivirus signature updates
at least every 12 hours.
Policies and procedures to triage security
IS-22
140
AWS imposes control the customers to
manage the data locations. Data will not be
moved between different regions, only inside
that were chosen to prevent failure.
AWS maintains a formal policy that requires
assets, the hardware assets monitored by the
AWS personnel and maintain the relationships
with all AWS suppliers are possible in comply
ISO 27001 (domain 7.1) for additional details.
AWS implements ISMS to address
security/privacy best practices and provides
details under NDA the appropriate
documentation
Baseline security requirements are technically
implemented with ‘deny’ configuration by
default and documents among the AWS
security documents for all services (ex. [1018])
Despite of AWS provides a lot of how-todocs, binary & sources [10-18], [28-29] are
regularly updated, it’s better to subscribe to
the news via RSS and email, because there is
no other directly way to be notified by AWS
All AWS services featured by IAM that
provides powerful permissions items with
predefined templates;
If keys created on server side, AWS creates
the unique keys and utilizes it, if it did on
client side due the own or 3rd party solutions,
the customers can manage it only. AWS
encryption mechanisms are available for S3
(Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC (encrypted
connections and sessions), etc.
AWS provides their services with the latest
updates, performs analyzing software updates
on their criticality as well as customer
partially ability to perform vuln scans and
patching despite of that and not violate the
Policy [21-23]
AWS does manage AV solutions & updates in
compliance to ISO 27001 that confirmed by
independent auditors. Additionally, customers
should maintain their own solutions to meet
their requirements
AWS has defined role responsibilities and
15. related events and ensure timely and
thorough incident management.
IS-23
IS-24
IS-26
IS-32
IS-33
RS-01-08
SA-02
SA-06
SA-08
Information security events shall be
reported
through
predefined
communications channels in a prompt and
expedient manner in compliance with
statutory, regulatory and contractual
requirements
Policies and procedures shall be
established for the acceptable use of
information assets.
Policies and mechanism to limit access to
sensitive data (especially an application,
program or object source code) from
portable and mobile devices
Documented policy and procedures
defining continuity and disaster recovery
shall be put in place to minimize the
impact of a realized risk event on the
organization to an acceptable level and
facilitate recovery of information assets
through a combination of preventive and
recovery controls, in accordance with
regulations and standards. Physical
protection against damage from natural
causes and disasters as well as deliberate
attacks including fire, flood, etc. shall be
implemented.
An implementation of user credential and
password controls for apps, DB, server and
network infrastructure, requiring the
following minimum standards
A segmentation of production and nonproduction environments to prevent
unauthorized access, restrict connections
between trusted & untrusted networks for
use of all services, protocols, ports allowed
141
incident handling in internal documents in
compliance with ISO and provides the SOC 1
Type Report
AWS contributes with it over [21-23]
According to AWS, the customers manage
and control their data only unless it needs due
the law requirements or troubleshooting aimed
at fix services issues
AWS has this one, delineates the minimum
rights for logical access to AWS resources and
provides details with SOC 1 Type II report
Such policies are in alignment with ISO 27001
( domain 14.1);
AWS provides a Cloudwatch services to
monitor the state of AWS EC2, EBS, ELB,
SQS, SNS, DynamoDB, Storage Gateways as
well as a status history [19]. AWS provides
several Availability Zones in each of six
regions to prevent failures, but the customers
are responsible to manage it across regions or
other clouds vendors via API and SDK. A
physical protection is in compliance ISO
27001 and 27002. Information about the
transport routes is similar to the FS-06.1
AWS IAM [15-18] provides the securely
access and roles to the resources with features
to control access, create unique entry points of
users, cross AWS-accounts access due
API/SDK or IAM console, create the powerful
permissions with duration and geo auth. AWS
offers identity federation and VPC tunnels led
to utilizing existing corporate identities to
access, temporary security credentials.
Additionally, the customers may avoid the
mistakes and risks by using an AWS Policy
Generator and MFA devices [20]. IAM allows
creating and handling the sets defined in
accordance with the subrules of SA-02 (in
original of CMM).
AWS provides a lot of how-to-docs, binary &
sources (as an example [10-18],[28-29])
16. SA-07
SA-09
SA-10
SA-11
SA-12
SA-13
A requirement of MFA for all remote user
access.
A system and network environments
separation via firewalls in regards to
isolation of sensitive data, restrict
unauthorized traffic, enhanced with strong
encryption
for
authentication
and
transmission, replacing vendor default
settings (e.g., encryption keys, passwords,
SNMP community strings, etc.)
An external accurate time to synchronize
the system clocks of all informationprocessing systems (US GPS & EU
Galileo Satellite)
A capability of an automated equipment
identification as a part of authentication.
SA-14
Audit logs recording privileged user access
activities, shall be retained, complying
with applicable policies and regulations,
reviewed at least daily and file integrity
(host) and network intrusion detection
(IDS) tools implemented to help
investigation in case of incidents.
SA-15
A mobile code authorization before its
installation, prevention from executing and
using to a clearly defined security policy
MFA is not by default and depends on the
customer configuration [20]
An internal segmentation is in alignment with
ISO and similar to the CO-05.1-2 while
external is a part of the customer
responsibility. Internally, a traffic restriction is
too and has ‘deny/allow’ option in EC2/S3 by
default (but the explicitly cfg is
recommended), etc. Externally, the customers
are able to use SSL, encryption key,
encryption solutions, security policies to
explicitly approve the security settings (AWS,
3rd party or their own)
AWS services rely on the internal system
clocks synchronized via NTP
AWS provides such ability, for example due
the metadata, geo tags and other tags created
by the customers
AWS have this one in compliance with ISO
and provides the results with SOC 1 Type II
Report. AWS has the incident response
program in compliance too. Even the
customers’ data stored with strong isolation
from AWS side and restrictions made by
them, additional materials (SOC 1 Type II
report) must be requested to clarify all
questions on forensics. All data should be
encrypted on client side, because it leads to
the customers participation with law directly
as AWS do not have the keys in this case.
The customers are responsible to manage it to
meet their requirements.
4. CONCLUSION
Any complex solutions and systems like AWS, Azure, or GAE tend to prone to security
compromise, because they have to operate large-scale computations, dynamic configuration.
Clouds vendors do usually not disclose the technical details on security to the customers, thus
raising question how to verify with appropriate requirements. The cloud security depends on
whether the cloud vendors have implemented security controls that documented and enhanced
with policy. However, there is a lack visibility into how clouds operate; each of them differs
from other in levels of control, monitoring and securing mechanisms that widely known for
non-cloud systems. The potential vulnerability requires a high degree of security combined with
transparency and compliance. AWS relies on security frameworks based on various standards
that certified by auditors and help customers to evaluate if/how AWS meets the requirements.
CAIQ/CCM provide equivalent of them over several standards. Partially bad idea is public
documents filled by vendors with general explanations referred to NDA reports multiplied by
common recommendations.
142
17. Besides the details from 3rd party audit reports customers may require assurance in order to local
laws and regulations. It is quite complicated of reducing the implementation and configuration
information as a part of proprietary information (that is not bad or good, just complicated). In
other words it may call for specific levels of audit logging, activity reporting, security
controlling and data retention that are often not a part of SLA offered by providers. A result of
an examination of AWS security controls against security standards/regulations shown in [8]
and partially in [7] is successfully passing standards by use of native security features
implemented in AWS Console, CLI and API/SDK only. It additionally includes cases that the
current AWS security features should to be enhanced via third party security solutions like
national encryption on client side before uploading data and ability to indirectly comply with
requirements. Talking about security enhance, not only security controls belong to cloud layer
(outside the VMs) should be used to protect data, communications, memory etc. but also
internal OS controls and 3rd party solutions together. It excludes obsolescent clauses and cases
‘just wait’ a solution from AWS of inability to build and implement appropriate. OS and third
party solutions are known for non-clouds system allow protecting critical and confidential
information is present in different system, configuration and other files to avoid alteration,
exposing, accessing of them.
Examination cloud solutions such as Azure, BES with AWS & Azure, and Office365 with
Cloud BES against other standards is a part of further research, however the signification
direction is improving existing CSA and NIST recommendations in order to enhance
transparency via utilization primarily technical requirements: on cloud layer, on inter-VM/DB
& inter-cloud-services layer, on VM/DB layer.
5. REFERENCES
[1]
Mell P. & Grance T. (2011) The NIST definition of cloud computing. recommendation of the
national institute of standards and technology, NIST
[2]
Abuhussein, H. Bedi, S. Shiva, (2012) “Evaluating Security and Privacy in Cloud Computing
Services:A Stakeholder’s Perspective”, The 7th International Conference for Internet Technology
and Secured Transactions, pp. 388 – 395, Dec 2012
[3]
Feng, J., Chen, Y.& Liu, P. (2010) “Bridging the Missing Link of Cloud Data Storage Security in
AWS,” 7th Consumer Communications and networking Conference (CCNC), pp.1-2, Jan 2010
[4]
Hu, Y., Lu F., Khan, I. & Bai, G. (2012) "A Cloud Computing Solution for Sharing Healthcare
Information”, The 7th International Conference for Internet Technology and Secured
Transactions, pp. 465 – 470, Dec 2012
[5]
“Google cloud services – App Engine”. [Online resource:
www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[6]
“Technical Overview of the Security Features in the Windows Azure Platform”. [Online resource:
www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[7]
Chemerkin, Y. (2012) “AWS Cloud Security from the point of view of the Compliance”, PenTest
Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2 №10 Issue 10/2012 (12)
ISSN 2084-1116, pp. 50-59, Dec 2012
[8]
Chemerkin, Y. “Analysis of Cloud Security against the modern security standards”, draft (is going
to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa in
May
[9]
Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) “Guidelines for media sanitization:
Recommendations of the national institute of standards and technology,” in NIST SP 800-88
Report
[10]
“Amazon EC2 Microsoft API Reference. [Online resource:
docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed:05-Dec-12]
143
18. [11]
“AWS Import/Export Developer Guide. [Online resource:
aws.amazon.com/documentation/importexport/, Accessed:16-Dec-12]
[12]
“Amazon Virtual Private Cloud Network Administrator Guide. [Online
resource:docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed:05-Dec-12]
[13]
“Reported SSL Certificate Validation Errors in API Tools and SDKs”, [Online resource:
aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-toolsand-sdks/, Accessed:15-Jan-13]
[14]
“Amazon S3 API Reference. [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/,
Accessed:20-Dec-12]
[15]
“Amazon IAM API Reference. [Online resource:
docs.aws.amazon.com/IAM/latest/APIReference/, Accessed:29-Dec-12]
[16]
“Amazon Using Temporary Security Credentials. [Online resource:
docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed:29-Dec-12]
[17]
“Amazon AWS Security Token Service API Reference. [Online resource:
docs.aws.amazon.com/STS/latest/APIReference/, Accessed:29-Dec-12]
[18]
“Amazon Command Line Reference. [Online resource:
docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed:29-Dec-12]
[19]
“AWS Services Health Status” [Online resource: status.aws.amazon.com/, Accessed:16-Feb-13]
[20]
“AWS MFA” [Online resource: aws.amazon.com/mfa, Accessed:16-Feb-13]
[21]
“AWS Vulnerability/Pentesting Request Form” [Online resource:
portal.aws.amazon.com/gp/aws/html-formscontroller/contactus/AWSSecurityPenTestRequest,Accessed:16-Feb-13]
[22]
“AWS Abuses reports (EC2, other AWS services)” [Online resource:
portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed:16-Feb13]
[23]
“AWS Vulnerability Reporting” [Online resource: aws.amazon.com/security/vulnerabilityreporting/, Accessed:16-Feb-13]
[24]
Medsger, J. & Srinivasan, A. (2012) "ERASE- EntRopy-based SAnitization of SEnsitive Data for
Privacy Preservation", The 7th International Conference for Internet Technology and Secured
Transactions, pp. 427 – 432, Dec 2012
[25]
“DRAFT Cloud Computing Synopsis and Recommendations,” NIST Special Publication 800-146.
[Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf,
Accessed:06-Jan-13]
[26]
“Security Whitepaper. Google Apps Messaging and Collaboration Products”, [Online resource:
cryptome.org/2012/12/google-cloud-sec.pdf, Accessed:23-Nov-13]
[27]
Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) "All
Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM
workshop on Cloud computing security workshop (CCSW), pp.3-14, Oct 2011
[28]
“Reported SOAP Request Parsing Vulnerabilities”, [Online resource:
aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/,
Accessed:15-Jan-13]
[29]
“Xen Security Advisories”, [Online resource: aws.amazon.com/security/security-bulletins/xensecurity-advisories/, Accessed:15-Jan-13]
[30]
“The Essential Intelligent Client”, [Online resource:
www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-18823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed:15-Jan-13]
144
19. [31]
Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR [Online resource:
news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed:22-Nov-13]
[32]
“The most dangerous code in the world: validating SSL certificates in non-browser software”, 19th
ACM Conference on Computer and Communications Security, pp. 38-49, Oct 2012
[33]
“CSA Consensus Assessments Initiative Questionnaire v1.1” [Online resource:
cloudsecurityalliance.org/research/cai/, Accessed:22-Dec-12]
[34]
“CSA Cloud Controls Matrix v1.3” [Online resource: cloudsecurityalliance.org/research/cai/,
Accessed:22-Jan-13]
[35]
“AWS Securtiy Bulletins” [Online resource: aws.amazon.com/security/security-bulletins/,
Accessed 16-Feb-13]
145