The document discusses security compliance challenges with public clouds. It provides opinions and facts about known issues with public clouds, such as threats, privacy, compliance, and vendor lock-in. It also discusses the CSA and NIST security frameworks and how they relate to cloud security and compliance. Specific differences between AWS and Azure regarding third-party audits, compliance mapping, encryption, and other areas are also examined.
4. Cloud Issues
Known issues, each paired with the known solutions/opinions:
Threats: customization, security solutions
Privacy: crypto anarchism
Compliance: CSA, ISO, PCI, SAS 70
Legal: typically US location
Vendor lock-in: platform, data and tools lock-in
Open source / open standards: top clouds are not open-source
Security: physical clouds more secure than public clouds
Abuse: botnets and malware infections/misuse
IT governance: depends on organization needs
Ambiguity of terminology: refers to a wide range of services, solutions, etc.
5. What about Public Clouds
Some known facts about AWS & Azure
Top clouds are not open source: OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not compatible.
Platform lock-in: there are import/export tools to migrate from/to VMware, while Azure has none.
Data lock-in: native AWS solutions linked with Cisco routers for upload, download and tunnelling, as well as third-party storage such as SMEStorage (AWS, Azure, Dropbox, Google, etc.), address the issues mentioned above.
Tools lock-in: longing for inter-cloud management tools that are industrial-grade and built with compliance in mind.
APIs lock-in: longing for inter-cloud APIs; however, inter-OS APIs are already known for PCs, MDM, mobiles, etc.
No transparency: weak compliance and transparency due to SAS 70 and NDA relationships between the cloud vendor and third-party auditors and experts.
Abuse: abuse is not a new issue and is everywhere; AWS Vulnerability Bulletins are a kind of quick response, so stay tuned.
6. Clouds: Public vs. Private
Known security issues of Public Clouds
"All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd CCSW, October 2011: a black-box analysis methodology in which AWS control interfaces were compromised via XSS techniques, HTML injection and MITM.
[AWS] :: "Reported SOAP Request Parsing Vulnerabilities"
Mitigations:
Use SSL/HTTPS only, with certificate validation, and API access mechanisms like REST/Query instead of SOAP.
Activate access via MFA and create IAM accounts limited in access; rotate AWS credentials, enhanced with key pairs and X.509.
Limit IP access, enhanced with API/SDK & IAM; significant research exists on this as a POC.
"The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, October 2012: incorrect behaviour in the SSL certificate validation mechanisms of the AWS SDK for EC2, ELB and FPS.
[AWS] :: "Reported SSL Certificate Validation Errors in API Tools and SDKs"
That said, AWS has since updated all SDKs (for all services) to redress it.
7. Clouds: Public vs. Private
It is generally known that private clouds are the most secure; there is no POC to prove that claim about public clouds.
[AWS] :: "Xen Security Advisories"
There are known Xen attacks (Blue Pill, etc.), but no Xen vulnerability has been applied to AWS, Azure or SaaS/PaaS services: these are very customized clouds.
[CSA] :: "CSA The Notorious Nine Cloud Computing Top Threats in 2013"
Replaced a document published in 2009; such best practices provide only a minimum level of security, and there have been no significant changes since 2009, not even in the examples.
Top Threats examples:
"1.0 Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys"
"7.0 Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys"
"4.0 Threat: Insecure Interfaces and APIs"
Beyond the reality of the CSA threats:
The 1.0 & 7.0 cases highlight how public clouds, e.g. AWS EC2, are vulnerable.
However, the 1.0 & 7.0 cases are totally focused on a private cloud case (VMware and Xen), while there is no known way to adapt them to AWS.
The 4.0 case presents issues raised by SSO access that are not related to public clouds (except Dropbox, SkyDrive) and is addressed to the insecurity of APIs.
14. NIST Framework
The consolidated framework over all NIST documents
Logically, clearly defined documents, e.g.
Categorization of systems
Selecting controls
FIPS
Forensics
Logging (SCAP)
Etc.
Complementarity
Interchangeability
Expansibility
Dependence
Mapping (NIST, ISO only)
15. NIST Framework
Complementarity
NIST enhanced controls
Your own security controls
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
Controls that impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
16. NIST Framework
Interchangeability
Basic controls aren't applicable in the case of:
Information systems that need to communicate with other systems across different policy domains
APT
Insider threats
Mobility (mobile location, non-fixed)
Single-user operations
23. Cloud & Compliance Specific
There is no one "cloud"
There are many models and architectures
There is no one "standard"
There are many ways to build a cloud in alignment to…
What vision is adopted by cloud vendors?
Virtualizing anything able to be virtualized
What vision is adopted by cloud operators (3rd party)?
Data distribution, service distribution, unified management
What is your way to use and manage the cloud?
Clear
All of that is reflected in the compliance requirements
24. Cloud & Compliance Specific
There is no one "cloud"
There is no one "standard"
The goal is bringing transparency to cloud controls and features, especially security controls and features
Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities
Unifying recommendations for all clouds
Up to now, it is the 3rd revision
All recommendations are linked with other standards
PCI DSS, ISO, COBIT
NIST, FEDRAMP
CSA's own vision of how it must be referred to
There are many models and architectures
There are many ways to build a cloud in alignment to…
Top known cloud vendors announced they are in compliance with it
Some of the reports are getting old by now
Customers have to control their environment according to their needs
Customers want to know whether it is in compliance, especially with local regulations, and how far
Customers want to know whether it makes clouds transparent enough to let them build an appropriate
25. Cloud & Compliance Specific
Compliance,
Transparency,
CAIQ/CCM provides an equivalent of the recommendations over several standards; CAIQ provides more details on security and privacy, but NIST is more specific
CSA recommendations are poor in technical details
It helps vendors not to have their solutions worked out in detail and/or badly documented
It helps them to put a lot of references to 3rd party reviewers under NDA (SOC 1 or SAS 70)
Bad idea to let vendors fill in such documents
They provide fewer public details
They take it to NDA reports
Elaboration
Vendors' general explanations multiplied by general standards' recommendations are extremely far away from transparency
Clouds call for specific levels of audit logging, activity reporting, security controls and data retention
It is often not a part of the SLA offered by providers
It is outside the recommendations
AWS often goes into detail in their architecture documents
AWS solutions are very well placed to be in compliance with old standards and specific local regulations
NIST 800-53, or even Russian security standards (however, the Russian framework is outside the cloud framework)
26. Description | DIFFERENCE (AWS vs. AZURE)
Compliance: from Cloud Vendor's viewpoint
Third Party Audits: As opposed to AWS, Azure does not have a clearly defined statement on whether their customers are able to perform their own vulnerability test; AWS lets their customers ask for their own pentest while Azure does not
Information System Regulatory Mapping: AWS goes into detail to comply with it, which results in differences between CAIQ and CCM
Handling / Labeling / Security Policy: AWS details what customers are allowed to do and how exactly, while Azure does not
Retention Policy: AWS points to the customers' responsibility to manage data, excluding moving between Availability Zones inside one region; Azure ensures validation and processing of it, and indicates historical auto-backup of data
Secure Disposal: Not seriously different; AWS additionally relies on DoD 5220.22 while Azure does NIST 800-88 only
Information Leakage; Policy, User Access, MFA; Baseline Requirements: No, both have it; AWS provides more highly detailed how-to docs than Azure and allows importing trusted VMs from VMware and Azure
Encryption, Key Management: AWS offers encryption features for VMs, storage, DB and networks, while Azure does for XStore (Azure Storage)
Vulnerability / Patch Management: AWS relies on AMI and EBS services, while Azure does on data integrity
Nondisclosure Agreements, Third Party Agreements: AWS highlights that they do not leverage any 3rd party cloud providers to deliver AWS services to customers; Azure points to the procedures and NDA undergone with ISO
User ID Credentials: Besides AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CCM requirements, while Azure addresses AD to perform these actions
(Non)Production environments: AWS provides more detailed how-to documents for achieving compliance
Network Security Segmentation: Besides vendor features, AWS provides a quite similar mechanism in alignment with CAIQ & CCM, while Azure points to features built into the infrastructure on the vendor side
Mobile Code: AWS points their clients to be responsible for meeting such requirements, while Azure points to building solutions tracked for mobile code
27. Compliance: from CSA's viewpoint
Examination of CSA
Consumer Relationship only
Everything except SA-13 "Location-aware technologies may be used to validate connection authentication integrity based on known equipment location"
Vendor Relationship only
Requirements include technical and management solutions
Consumer Relationship shared with Vendor
Includes non-technical solutions only
Such as policies, roles, procedures, training
All requirements cover SaaS, PaaS, IaaS cloud types
General requirements only
Missing details (like DoD)
28. Compliance: from CSA's viewpoint
Examination of CSA
References NIST
Data Governance - Information Leakage (DG-07).
"Security mechanisms shall be implemented to prevent data leakage" refers to
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-6 Least Privilege (the most correct reference)
AC-11 Session Lock
General requirements only
"Security mechanisms shall be implemented to prevent data leakage" is missed in turn (no references at all):
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
29. Compliance: from CSA's viewpoint
Examination of CSA
References ISO
Data Governance - Information Leakage (DG-07).
"Security mechanisms shall be implemented to prevent data leakage" also refers to ISO
A.10.6.2 Security of network services
A.10.6.2 refers to NIST in turn
CA-3 Information System Connections
SA-9 External Information System Services
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
DG-07 should in fact refer to PE-19 Information Leakage
It could include the NIST requirement "AC-6. Least Privilege" too
A few of them are applicable in the case of Cloud MDM and should be extended with a different toolkit
30. Cloud & Compliance Specifics. Example
CSA
Data Governance
NIST :: access control, media management, etc.
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Cloud :: Azure
Azure's vision - Distribution of information
CSA, ISO are better applicable than NIST
NIST is applicable as a custom controls' collection
Best way is to adopt NIST enhancements with CSA
Need to remap CSA->NIST rev4
Technical / Access Control / Security Attributes
Attribute Configuration
Permitted Attributes for Specified InfoSystems
Permitted Values and Ranges for Attributes
31. Cloud & Compliance Specifics. Example
NIST
Access Control
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
Cloud :: AWS
AWS's vision is not Data Distribution
NIST is better applicable than CSA
NIST is applicable as a custom controls' collection
There are many enhancements to include (rev4)
Dynamic Account Creation
Restrictions on Use of Shared Group Accounts
Group Account Requests
Approvals/Renewals
Account Monitoring - Atypical Usage
e.g. :: log-delivery-write for S3
32. Cloud & Compliance Specifics. Example
CSA / NIST
AWS's vision is not Data Distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint
Resource-based policy: attached to the resource
AWS's vision is not Data Distribution; however, NIST :: Access Control is applicable from the user-based viewpoint
Account-based policy: attached to users
Define that policy for MDM users to access internal network resources
Combine with a mobile policy
Cloud :: AWS
33. COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make sure you start managing security under uncertain terms without AI
NIST-124
Refers to NIST-800-53 and others
Sometimes misses requirements such as locking the device; however, it is in NIST-800-53
A bit more detailed than CSA
No statements on permission management
Make sure you start managing security under uncertain terms without AI
34. [ DEVICE MANAGEMENT ]
Concurrency over native & additional security features
$\Delta = A \cup B \cup \Gamma \cup \Upsilon,\quad A \subset B,\quad \Upsilon \subseteq B,\quad \Upsilon \subset A$
$\Delta$ – set of OS permissions, $A$ – set of device permissions, $B$ – set of MDM permissions, $\Gamma$ – set of missed permissions (lack of controls), $\Upsilon$ – set of rules that explicitly should be applied to gain compliance
$H = E + Z,\quad E \supset A \cup B$
$H$ – set of APIs, $E$ – set of APIs that interact with sensitive data, $Z$ – set of APIs that do not interact with sensitive data
To get mobile security designed with full granularity, the set $\Gamma$ should be the empty set, so as to get $E \supseteq A \cup B$ instead of $E \supset A \cup B$; so the matter is how close it is to empty. On the other hand, it should be found out whether the assumptions $\Upsilon \subseteq B$, $\Upsilon \subset A$ are true and whether it is possible to get $\subseteq A$.
The situation is very serious
Set of permissions < set of activities: efficiency in the typical case < 100%
Ability to control each API = 100%
More than 1 permission per API: > 100%
Lack of knowledge about possible attacks
Improper granularity
(Diagram: security layers, bottom up: Permissions; Kernel protection; MDM features; Non-app features; AV, MDM, DLP, VPN)
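The set model above, worked through as an added example that is not part of the original deck: on a constructed permission inventory it computes Γ (permissions with no control), checks the stated relations A ⊂ B, Υ ⊆ B, Υ ⊂ A, reports the API coverage ratios from the "situation" list, and shows Γ shrinking after an MDM gains control of more permissions. The PermissionModel class and every permission and API name are assumptions made here, not platform data.

```python
"""Permission-set model from the slide, evaluated on constructed inventories.
Symbols follow the slide: Delta = OS permissions, A = device permissions,
B = MDM permissions, Gamma = permissions with no control, Upsilon = rules
compliance explicitly requires, H = all APIs, E = sensitive-data APIs.
Every permission and API name below is constructed sample data."""
from dataclasses import dataclass, replace
from fractions import Fraction


@dataclass(frozen=True)
class PermissionModel:
    os_perms: frozenset        # Delta
    device_perms: frozenset    # A
    mdm_perms: frozenset       # B
    required: frozenset        # Upsilon
    api_perms: dict            # H: api name -> permissions gating that API
    sensitive_apis: frozenset  # E (Z is every other key of api_perms)

    def missing_controls(self):
        """Gamma: OS permissions that neither the device nor the MDM controls."""
        return self.os_perms - self.device_perms - self.mdm_perms

    def assumptions(self):
        """The slide's stated relations; True where the relation holds."""
        return {
            "A proper subset of B": self.device_perms < self.mdm_perms,
            "Upsilon subset of B": self.required <= self.mdm_perms,
            "Upsilon proper subset of A": self.required < self.device_perms,
        }

    def controlled_api_fraction(self):
        """Share of APIs gated by at least one permission (ideal: 100%)."""
        gated = sum(1 for perms in self.api_perms.values() if perms)
        return Fraction(gated, len(self.api_perms))

    def permissions_per_api(self):
        """Average permissions gating one API; above 1 is the slide's
        'more than 1 permission per API' case."""
        total = sum(len(perms) for perms in self.api_perms.values())
        return Fraction(total, len(self.api_perms))

    def unreachable_sensitive_apis(self):
        """Sensitive APIs (E) no device or MDM control can reach: their gating
        permissions are empty or lie entirely inside Gamma."""
        reach = self.device_perms | self.mdm_perms
        return frozenset(api for api in self.sensitive_apis
                         if not (self.api_perms.get(api, set()) & reach))

    def with_mdm_controls(self, extra):
        """Model after an MDM update controls more permissions,
        i.e. Gamma shrinks toward the empty set."""
        return replace(self, mdm_perms=self.mdm_perms | frozenset(extra))


# Constructed sample inventory (not real platform data).
SAMPLE = PermissionModel(
    os_perms=frozenset({"CAMERA", "LOCATION", "CONTACTS", "SMS",
                        "INTERNET", "MICROPHONE", "BLUETOOTH", "NFC"}),
    device_perms=frozenset({"CAMERA", "LOCATION", "CONTACTS", "SMS"}),
    mdm_perms=frozenset({"CAMERA", "LOCATION", "CONTACTS", "SMS",
                         "INTERNET", "MICROPHONE"}),
    required=frozenset({"CAMERA", "LOCATION"}),
    api_perms={"takePicture": {"CAMERA"}, "getLastLocation": {"LOCATION"},
               "sendSms": {"SMS", "CONTACTS"}, "openSocket": {"INTERNET"},
               "nfcRead": {"NFC"}, "shareContact": {"CONTACTS", "INTERNET"},
               "readClipboard": set()},
    sensitive_apis=frozenset({"takePicture", "getLastLocation", "sendSms",
                              "nfcRead", "shareContact", "readClipboard"}),
)
```

On the sample, Γ is {BLUETOOTH, NFC} and the ungated readClipboard API stays unreachable even after the MDM update, which is the "improper granularity" case.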
35. [ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK VECTOR
GOALS - MOBILE RESOURCES / AIM OF ATTACK
DEVICE RESOURCES
OUTSIDE-OF-DEVICE RESOURCES
ATTACKS – SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES
KERNEL PROTECTION, NON-APP FEATURES
PERMISSIONS - EXPLICITLY CONFIGURED
3RD PARTY
AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO…
(Diagram: Goals reached through APIs and Attacks, crossing the layers Permissions; Kernel protection; MDM features; Non-app features; AV, MDM, DLP, VPN)
36. [ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK
Background processing
BlackBerry Messenger
Calendar, Contacts
Camera
Device identifying information
Email and PIN messages
GPS location
Internet
Location
Microphone
Narrow swipe up
Notebooks
Notifications
Player
Phone
Push
Shared files
Text messages
Volume
BB 10 AIR SDK (column, in slide order): + + + + + + + + + + + + + + + -
PB (NDK/AIR) (column, in slide order): +, via invoke calls, +, +, via invoke calls, +, +, +, +, +, +, +, +
37. [ iOS. Settings ]
Component / Unit / Unit subcomponents
Components: Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*; Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*
Units: Restrictions :: Native application; Restrictions :: 3rd party application
Unit subcomponents:
Privacy :: Location: per each 3rd party app; for system services
Privacy :: Private Info: Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts: disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends; Volume limit
Content Type Restrictions: ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases)
Game Center: Multiplayer Games; Adding Friends (Game Center)
Manage applications: Installing Apps; Removing Apps
38. [ Android. Permissions ]
List contains ~150 permissions
I have only ever seen that on old BlackBerry devices
39. [ Android. Permission Groups ]
But there are only 30 permission groups
I have only ever seen that on old BlackBerry devices too
ACCOUNTS
AFFECTS_BATTERY
APP_INFO
AUDIO_SETTINGS
BLUETOOTH_NETWORK
BOOKMARKS
CALENDAR
CAMERA
COST_MONEY
DEVELOPMENT_TOOLS
DEVICE_ALARMS
DISPLAY
HARDWARE_CONTROLS
LOCATION
MESSAGES
MICROPHONE
NETWORK
PERSONAL_INFO
PHONE_CALLS
SCREENLOCK
SOCIAL_INFO
STATUS_BAR
STORAGE
SYNC_SETTINGS
SYSTEM_CLOCK
SYSTEM_TOOLS
USER_DICTIONARY
VOICEMAIL
WALLPAPER
WRITE_USER_DICTIONARY
40. MDM . Extend your device security capabilities
Android
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
CONTROLLED FOUR GROUPS ONLY
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENGTH
MINIMUM LENGTH ALLOWED FOR THE DEVICE PASSWORD
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVICE STORAGE
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SYNCHRONIZATION
EMAIL PROFILES
ACTIVESYNC
41. MDM . Extend your device security capabilities
iOS
BROWSER
CONTROLLED 16 GROUPS ONLY
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHARING
ONLINE STORE
CAMERA, VIDEO, VIDEO CONF
CERTIFICATES (UNTRUSTED CERTs)
MESSAGING (DEFAULT APP)
CLOUD SERVICES
PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES)
PHONE AND MESSAGING (VOICE DIALING)
CONNECTIVITY
OUTPUT, SCREEN CAPTURE, DEFAULT APP
BACKUP / DOCUMENT / PICTURE / SHARING
ONLINE STORES , PURCHASES, PASSWORD
DEFAULT STORE / BOOK / MUSIC APP
PROFILE & CERTs (INTERACTIVE INSTALLATION)
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
SOCIAL (DEFAULT APP)
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
CONTENT
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
STORAGE AND BACKUP
SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER
DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
42. MDM . Extend your device security capabilities
BlackBerry (new, 10, qnx)
CONTROLLED 7 GROUPS ONLY
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER
TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION’S WI-FI/VPN NETWORK
SECURITY
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY PARAMS
TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC
WI-FI PROFILES
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
EMAIL PROFILES
NETWORK ACCESS CONTROL FOR WORK APPS
PERSONAL APPS ACCESS TO WORK CONTACTS
SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING
WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS
PROXY PASSWORD/PORT/SERVER/SUBNET MASK
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PARAMS
43. MDM . Extend your device security capabilities
Blackberry (old)
THERE ARE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A 'DISABLE/ENABLE & HIDE/UNHIDE' WAY
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION, AND IS ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, FOUR TIMES MORE THAN OTHER DOCUMENTS
Huge amount of permissions are MDM & device built-in
EACH UNIT CAN'T CONTROL ACTIVITY UNDER ITSELF
'CREATE, READ, WRITE/SAVE, SEND, DELETE' ACTIONS IN REGARD TO MESSAGES LEAD TO SPOOFING BY REQUESTING A 'MESSAGE' PERMISSION ONLY
SOME PERMISSIONS AREN'T REQUIRED (TO DELETE ANY OTHER APP)
SOME PERMISSIONS ARE RELATED TO THE APP IN WHICH A 3RD PARTY PLUGIN WAS EMBEDDED, INSTEAD OF TO THAT PLUGIN
44. CONCLUSION
The best security & permissions are ruled by AWS
Most cases are not clear according to the roles and responsibilities of cloud vendors & customers
Swapping of responsibilities and shifting the vendor's job onto the customer's shoulders may happen
Referring to independent audit reports under NDA as many times as they can
CSA put cross references to other standards that add to complexity & lack of clarity more than NIST SP800-53
(Process diagram) Apply CSA as common -> Select Security Controls (CSA) -> Check Scope -> Define Granularity -> Remap to NIST -> NIST enhancements -> Improve basic CSA -> Combine custom sets