As companies move towards hybrid cloud solutions, many private cloud deployments are still in use. Traditional risk assessment techniques cannot be applied directly to such virtual servers. This paper is an attempt to identify key assets and assess the risks related to these critical assets.
Getting Started with AWS | AWS Tutorial for Beginners | AWS Training | Edureka, by Edureka!
(AWS Training: https://www.edureka.co/cloudcomputing) This Edureka "Getting Started With AWS" tutorial will help you get started with Amazon Web Services and will talk about why AWS is the best cloud service provider in the global market. This video will help you understand the following topics: 1. Why Cloud? 2. What Is Cloud? 3. Features of Cloud Computing 4. What Is AWS? 5. AWS Global Architecture 6. AWS Domains. Check out our AWS Playlist: https://goo.gl/8qrfKU
This session will review design principles and considerations when developing your e-commerce solution on AWS. Hear how Popsa, a machine learning start-up, built its e-commerce solution on AWS; and how AO.com, an online retailer of electrical goods, migrated a bespoke e-commerce platform into AWS. Discover what the cultural impact was, and what the future holds.
[AWS & Bespin Global seminar for bio, healthcare and pharmaceutical companies] AWS Cloud Security, by BESPIN GLOBAL
Cloud seminar for bio, healthcare and pharmaceutical companies, together with AWS
'Fly safely to the cloud'
How can you achieve digital innovation and business growth through the cloud?
Which companies are delivering innovative services through AWS?
What changes come after adoption, and how should it be managed?
On June 8, AWS and cloud specialist Bespin Global held a seminar exclusively for bio, healthcare and pharmaceutical customers, presenting ways to adopt the cloud easily and quickly.
If you are curious about what the cloud is but are not sure, or if you want to adopt the cloud but do not know where to start, consult Bespin Global.
VMware Ready vRealize Automation Program
Author: Meena Nagarajan
IT’s quest for maximum speed, flexibility and accountability is driving a shift in thinking about cloud management platforms. VMware’s new cloud management platform provides automated management for heterogeneous and hybrid clouds.
Learn more about how VMware delivers the foundation for the Software Defined Enterprise:
- Managing a multi-vendor, multi-cloud infrastructure
- Providing centralized automation of infrastructure services
- Creating extensibility opportunities for cloud management
These slides focus on virtualization concepts, types of virtualization, hypervisors, the evolution of virtualization towards cloud, and the QEMU-KVM architecture.
Microsoft Cloud's Front Door: Building a Global API, by C4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/25GPsXo.
Charles Lamanna talks about the scale and architecture of Microsoft’s Azure Management Gateway. Lamanna presents how Azure APIs are built for high availability and for data sovereignty from a key Microsoft Azure architectural resource. Filmed at qconlondon.com.
Charles Lamanna is a Principal Group Development Manager in the Microsoft Azure team. Lamanna joined Microsoft in 2013 when Microsoft acquired MetricsHub, a company he cofounded. His team works on the Azure API front door, monitoring and auto-scaling capabilities, template deployments, resource groups and other management capabilities.
Estimating Development Security Maturity in About an Hour, by Priyanka Aash
The session describes a simple method of estimating a development team’s security maturity, i.e. how well they make a secure software product, by looking at five key factors. The factors and a simple rating system will be shown coupled with real-world samples. Applicable usage scenarios as well as comparison to other security maturity models will be given.
(Source: RSA USA 2016-San Francisco)
Iolaire Mckinnon, Senior Consultant, Security, Risk & Compliance, AWS
A Deep Dive into the best practice guidelines for securing your workloads in AWS cloud.
AWS re:Invent 2016: Building a Solid Business Case for Cloud Migration (ENT308), by Amazon Web Services
Learn how to create a compelling business case for a large-scale migration to AWS. We present a framework and tools for creating your business case, and guidelines for using AWS services to maximize value and optimize cost for migrations to the AWS Cloud. Learn a new way of thinking about cost that includes automation, new technologies, organizational change, and other factors.
There are options beyond a straightforward lift and shift into Azure IaaS. What are your options? Learn how Azure helps modernize applications faster with containers and how you can use serverless to add functionality while keeping your production codebase 'clean'. We'll also learn how to incorporate DevOps throughout your app's lifecycle and take advantage of data-driven intelligence. A demo-intensive session integrating the likes of Service Fabric, AKS, VSTS and more.
Learn how customers are leveraging AWS hybrid cloud capabilities to easily extend their datacenter capacity, deliver new services and applications, and ensure business continuity and disaster recovery.
Hybrid- and Multi-Cloud by design - IBM Cloud and your journey to Cloud, by Aleksandar Francuz
The following presentation is a strategic view on digital transformation initiatives, underpinned with examples in several industries and how IBM Cloud can support enterprises on their journey to Cloud.
Application Threat Modeling In Risk Management, by Mel Drews
How to perform threat modeling of software to protect your business and critical assets, and how to communicate your message to your boss and the Board of Directors.
Today’s cyber criminals are more sophisticated, more agile and more aggressive than traditional security measures can protect against. One simply needs to open a news source today to find a headline on a new breach; the Office of Personnel Management, Sony and Target are just a few examples of note. The increase in attacks and breaches can be attributed to a variety of factors, not the least of which are a rise in asymmetric threats, the commoditization of threats and attacks, and incomplete security strategies. By incorporating cyber threat analysis in your security strategy, however, you can better counter and mitigate these threats.
National Cybersecurity - Roadmap and Action Plan, by Dr David Probert
Analysis, strategies and practical action plans for national government cybersecurity, based upon the United Nations International Telecommunication Union (UN/ITU) Cybersecurity Framework and its Global Cybersecurity Agenda (GCA).
At EDIST 2017 the OEB outlined the upcoming Cyber Security Framework for all LDCs in Ontario. The official announcement is to be published in early March this year.
Build an Information Security Strategy, by Andrew Byers
Organizations are struggling to keep up with today’s evolving threat landscape.
From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
Every organization needs some kind of information security program to protect their systems and assets.
Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.
Building an effective Information Security Roadmap, by Elliott Franklin
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
Need for Virtualization – Pros and cons of Virtualization – Types of Virtualization –System VM, Process VM, Virtual Machine monitor – Virtual machine properties - Interpretation and binary translation, HLL VM - supervisors – Xen, KVM, VMware, Virtual Box, Hyper-V.
Virtual versions of servers, applications, networks and storage can be created through virtualization. Its main types include operating system virtualization (VMs), hardware virtualization, application-server virtualization, storage virtualization, network virtualization, administrative virtualization and application virtualization.
The process of virtualization enables the creation of virtual forms of servers, applications, networks and storage. The four main types of virtualization are network virtualization, storage virtualization, application virtualization and desktop virtualization.
VIRTUALIZATION: Basics of Virtualization, Types of Virtualization, Implementation Levels of Virtualization, Virtualization Structures, Tools and Mechanisms, Virtualization of CPU, Memory, I/O Devices, Virtual Clusters and Resource Management, Virtualization for Data-center Automation, Introduction to MapReduce, GFS, HDFS, Hadoop Framework.
The benefits of employing virtualization in the corporate data center are compelling: lower operating costs, better resource utilization, and increased availability of critical infrastructure, to name just a few. It is an apparent “no brainer”, which explains why so many organizations are jumping on the bandwagon. Industry analysts estimate that between 60 and 80 percent of IT departments are actively working on server consolidation projects using virtualization. But what are the challenges for operations and security staff when it comes to management and ensuring the security of the new virtual enterprise? With new technology, complexity and invariably new management challenges generally follow.
Over the last 18 months, Prism Microsystems, a leading security information and event management (SIEM) vendor, working closely with a set of early adopter customers and prospects, has been working on extending the capability of EventTracker to provide deep support for virtualization, enabling our customers to get the same level of security for the virtualized enterprise as they have for their non-virtualized enterprise. This white paper examines the technology and management challenges that result from virtualization, and how EventTracker addresses them.
Virtualized infrastructures are increasingly deployed in many data centers. One of the key components of this virtualized infrastructure is the virtual network, a software-defined communication fabric that links the various Virtual Machines (VMs) to each other and to the physical host on which the VMs reside. Because of its key role in providing connectivity among VMs and the applications hosted on them, virtual networks have to be securely configured to provide the foundation for the overall security of the virtualized infrastructure in any deployment scenario. The objective of this paper is to illustrate a deployment-driven methodology for deriving a security configuration for virtual networks. The methodology outlines two typical deployment scenarios, identifies use cases and their associated security requirements, the security solutions to meet those requirements, and the virtual network security configuration to implement each security solution, and then analyzes the pros and cons of each security solution.
DEPLOYMENT-DRIVEN SECURITY CONFIGURATION FOR VIRTUAL NETWORKS, by cscpconf
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Connector Corner: Automate dynamic content and events by pushing a button, by DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
- Create a campaign using Mailchimp with merge tags/fields
- Send an interactive Slack channel message (using buttons)
- Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
- Your campaign sent to target colleagues for approval
- If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
- But if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Key Trends Shaping the Future of Infrastructure.pdf, by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Accelerate your Kubernetes clusters with Varnish Caching, by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with Parameters, by Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality, by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and the Azure OpenAI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Search and Society: Reimagining Information Access for Radical Futures, by Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Transcript: Selling digital books in 2024: Insights from industry leaders - T..., by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA Connect, by Kari Kakkonen
Rik Marselis's and my slides at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
PHP Frameworks: I want to break free (IPC Berlin 2024), by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Risk Analysis and Mitigation in Virtualized Environments
EAI Endorsed Transactions on Risk Analysis and Mitigation in Virtualized Environments
02-04 2015 | Volume 1 | Issue __ | e_
Editorial
Risk Analysis and Mitigation in Virtualized Environments
Abstract
Virtualization technology is extensively used across almost all IT departments today, as it allows you to increase your network capacity without significantly increasing your capital investment. But with the advent of virtualization, you might ask whether your current security investments are still valid. Will proven strategies continue to work? If they do, are they just as effective? What about all the tools you have invested in? Perhaps the best way to answer these questions is to consider the changes that virtualization will bring and how it impacts the core of your information technology. The objective of this paper is to outline a risk analysis and discuss mitigation techniques in such virtualized environments.
1.0 Introduction
Virtualization has made a dramatic impact in a very short time on IT and networking and has already delivered huge cost savings and return on investment to enterprise data centers and cloud service providers. Typically, the drivers for machine virtualization, including multitenancy, are better server utilization, data center consolidation, and relative ease and speed of provisioning. Cloud service providers can achieve higher density, which translates into better margins. Enterprises can use virtualization to shrink capital expenditures on server hardware as well as to increase operational efficiency.
Server virtualization is the masking of server
resources, including the number and identity of
individual physical servers, processors, and
operating systems, from server users. The server
administrator uses a software application to
divide one physical server into multiple isolated
virtual environments. The virtual environments
are sometimes called virtual private servers, but
they are also known as guests, instances,
containers or emulations.
Virtualization brings significant value to
business managers and engineers attempting to
keep pace with business pressure for additional
servers. It enables maximum use of hardware
resources while introducing an increased
flexibility in how organizations design and
implement new solutions. However, it also
introduces new security concerns. Until
recently, organizations had to leverage security
controls not specifically designed to protect
virtual environments.
As enterprises embark on their virtualization
journeys, it is critical to review existing
processes and develop strategies to address
security risks across physical and virtual
environments in order to ensure compliance and
security visibility in the data center. In that view
the objective of this paper is stress on the
analysis and mitigation of common risks
observed in virtual environments.
In the next section we shall discuss the overview
of a virtualization technology, section 3 shall
discuss architecture of server virtualization and
then section 4 emphasizes in identifying the
risks in virtual environment, finally section 5
will discuss risk assessment and mitigation
techniques in the virtual environment.
Siddharth Coontoor
2.0 Overview of Virtualization Technology
Server virtualization allows multiple operating systems and applications to run concurrently on a single piece of hardware. The OSs run independently of each other in isolated environments (the VMs). A virtualization layer is required to run on the computer's OS as an application or service to create multiple VM environments. OSs and applications running in a VM can access CPU, memory, disk and network resources similar to those of a physical computer.
Figure 1: Virtual Server
The virtual server divides physical resources into virtual resources called virtual machines, as seen in Figure 1. In this way virtualization adds a layer of abstraction between two layers of the computer system: a software layer between the hardware and the guest operating systems. The layer acts as a resource manager to enable the sharing of processing power and memory. This software is called a virtual machine monitor (VMM) or hypervisor. VMMs virtualise the hardware of a physical machine and partition it into multiple, logically separated VMs. The VMM monitors everything that happens inside a VM, and it enforces resource management policies on the VM. Multiple operating systems (OSs) can coexist on the same server, in isolation from one another, and operate simultaneously on that single server.
Virtualization in a distributed environment is the basis for grid computing and cloud computing, supplying a computing infrastructure as a utility, on-demand service. Virtualization can be categorised into three areas:
Storage virtualization — Virtualizes the physical storage from multiple network storage devices so that they appear to be a single storage device.
Network virtualization — Combines computing resources in a network by splitting the available bandwidth into independent channels that can be assigned to a particular server or device in real time.
Server virtualization — Hides the physical nature of server resources, including the number and identity of individual servers, processors and OSs, from the software running on them. In general, 'virtualization' refers to server virtualization.
The term workload is increasingly used to describe the vast array of virtualized resources. For example, a virtual machine is a type of workload. While VMs are the predominant virtualization technology implemented today, there are a number of other workloads to consider, including application, desktop, network, and storage virtualization models.
3.0 Architecture of Server Virtualization Technology and Identification of Critical Assets
Server virtualization allows multiple operating systems and applications to run concurrently on a single piece of hardware. The OSs run independently of each other in isolated environments (the VMs). A virtualization layer is required to run on the computer's OS as an application or service to create multiple VM environments. OSs and applications running in a VM can access CPU, memory, disk and network resources similar to those of a physical computer.
Figure 2: Server Virtualization Architecture
Figure 2 shows the architecture of server virtualization. As seen in the figure, the virtualization technology is made up of the following major components:
Physical hardware - Physical machine on which the VM environments reside. The number of VMs that can be supported on a single physical machine depends on the hardware configuration and specifications.
Operating system layer - Primary OS on the physical machine. The virtualization layer resides on this OS.
Virtualization layer - Virtualization software that coordinates with the host OS for requests from VMs regarding CPU time, physical memory, disk reads and writes, network input/output (I/O), etc. The virtualization software is called the hypervisor.
Virtual machine - Independent and isolated environment created by the virtualization software. VMs run independently of each other.
Guest operating systems - The OSs installed on VMs. These run on the host OS.
Virtualization technology allows multiple VMs with heterogeneous guest OSs to run in isolation, side by side on the same physical machine. The VMs have their own virtual hardware (e.g., CPU, RAM, disks, network cards) on which the guest OSs and applications are loaded. The guest OSs perform consistently, irrespective of the physical components.
The virtualization software mentioned earlier is known as the hypervisor. The hypervisor plays an important role in virtualization technology.
Figure 3: View of Hypervisor
It intercepts the hardware resource requests from the virtual machines that reside on it and translates the requests into a format that can be understood by the physical hardware. Similarly, requests from the physical hardware are translated by the hypervisor so that the virtual machines can understand them. In this way the hypervisor decouples the VMs from the physical hosts by introducing a layer of abstraction between the VMs and the physical hardware layer.
Based on the architecture of the virtualized server and the services it provides, it is essential to identify the critical assets whose operation is important to the business. As in traditional risk assessment approaches, the first step is to identify the assets that are important to the business. The next step is to identify the risks associated with these assets and their associated vulnerabilities.
The critical assets in a virtualized environment are as follows:
- Physical server
- Host operating system
- Hypervisor
- Hypervisor management tools and API
- Virtual machines
- Network
- Storage
4.0 Identifying Risk in Virtualized Environments
While virtualization may provide a number of functional and operational benefits, moving to a virtual environment does not alleviate the risks that existed on the physical systems, and may also introduce new and unique risks. Therefore, as part of risk assessment, it is important to identify the virtualization server as an important asset and take into consideration the risks associated with it. The following are the most common risks associated with virtualized servers identified by virtualization vendors and stakeholders.
Risk 1 - VM Sprawl
Uncontrolled proliferation of VMs can lead to an unmanageable condition of unpatched and unaccounted-for machines.
Risk 2 - Sensitive Data within a VM
Data confidentiality within VMs can be easily compromised, because data can be easily transported and tampered with.
Risk 3 - Resource Exhaustion
Uncontrolled physical resource consumption by virtual processes can lead to reduced availability.
A risk factor unique to virtual environments is the hypervisor. The hypervisor is the software and/or firmware responsible for hosting and managing VMs. It provides a single point of access into the virtual environment and is also potentially a single point of failure. A misconfigured hypervisor can result in a single point of compromise of the security of all its hosted components. It does not matter how individual VMs are hardened: a compromised hypervisor can override those controls and provide a convenient single point of unauthorized access to all the VMs. The following security risks related to the use of the hypervisor should be considered by those planning to use or currently using virtual technologies:
Risk 4 - Hypervisor Security
Hypervisor security is the process of ensuring that the hypervisor, the software that enables virtualization, is secure throughout its life cycle, including development, implementation, provisioning, and management.
Risk 5 - Unauthorized Access to Hypervisor
Administrative access controls to the hypervisor may not be adequate to protect against potential hacker attacks.
Compared to traditional IT environments, virtualization of IT systems inevitably leads to changes in operational procedures. As a result, some common defence-in-depth practices used in securing physical servers may be affected or ignored, while newly introduced features or functions may expose the environment to additional risks. The following security risks related to changes in operational procedures should be considered:
Risk 6 - Account or Service Hijacking Through the Self-Service Portal
Portal vulnerabilities can lead to privilege escalation attacks.
Risk 7 - Workloads of Different Trust Levels Located on the Same Server
Ensure that there is sufficient security segregation of workloads on a physical host.
Some enterprise infocomm personnel may elect to apply virtualization technologies through outsourcing services from cloud service providers. In such cases, it may be necessary to consider additional risk factors, including the following.
Risk 8 - Risk Due to Cloud Service Provider APIs
A hybrid (private/public) cloud virtualization implementation can pose security risks due to account/authentication federation.
5.0 Risk Assessment and Mitigation
Once risks have been identified as in the above section, it is important that a risk table be maintained for the risks related to the virtualized server, as shown in Appendix A1. The risk table records details about the risk such as the risk name, description, relevant security aspect (confidentiality, integrity, availability), risk governance area, vulnerabilities that lead to this risk, and affected assets.
The risk table helps enlist the vulnerabilities associated with each risk. The risk table for each risk is as follows:
Risk name: VM Sprawl
Relevant Security Aspect: Confidentiality/Integrity/Availability
Relevant Security Governance Risk Area: Architectural and configuration risk
Vulnerabilities associated with the risk:
- Proper policy and control processes to manage the VM lifecycle do not exist.
- Placement / zoning policies or enforcement of where a dormant VM can instantiate or reside do not exist.
- A discovery tool for identification of unauthorized VMs does not exist.
Affected Assets: VM
Risk name: Sensitive Data Within a VM
Relevant Security Aspect: Risk to confidentiality and integrity
Relevant Security Governance Risk Area: Configuration risk
Vulnerabilities associated with the risk:
- VM images and snapshots are not treated the same way as the sensitive data they contain. They are not protected from unauthorized access, modification, duplication, and replacement.
- Policies and procedures to restrict storage of VM images and snapshots do not exist, including: formal change management processes that govern image creation, security, distribution, storage, use, retirement, and destruction; and monitoring and control of stored images and snapshots, including activity logging.
Affected Assets: VM & Storage
Risk name: Resource Exhaustion
Relevant Security Aspect: Risk to availability
Relevant Security Governance Risk Area: Architectural and hypervisor software risk
Vulnerabilities associated with the risk:
- Servers can be burdened by concurrent execution of resource-intensive software such as anti-virus software on multiple VMs.
- Simultaneous automated operating system patches on a group of VMs can create an enormous excess strain on a common storage resource.
Affected Assets: VM
Risk name: Hypervisor Security
Relevant Security Aspect: Risk to confidentiality, integrity, and availability
Relevant Security Governance Risk Area: Architectural and hypervisor software risk
Vulnerabilities associated with the risk:
- Hypervisor configuration may not be hardened to reduce areas of vulnerability, such as unused services.
- Vendor-recommended best practices have not been adopted.
- Unused physical hardware devices are connected, and clipboard / file-sharing services are not disabled.
- Vendor security bulletins / alerts are not implemented promptly.
- Hypervisor self-integrity checks (or the equivalent) are not conducted upon boot-up.
- Ongoing monitoring, including analysis of hypervisor logs, does not occur.
- The attack surface is further increased through uncontrolled use of hypervisor management APIs by IT / DevOps tools and scripts and other infrastructure technologies.
Affected Assets: Hypervisor
Risk name: Unauthorized Access to Hypervisor
Relevant Security Aspect: Risk to confidentiality, integrity, and availability
Relevant Security Governance Risk Area: Architectural, hypervisor software, and configuration risk
Vulnerabilities associated with the risk:
- Access to the virtualization layer is not restricted as with any sensitive OS (i.e., using console access restricted by firewalls).
- The hypervisor may not support role-based access control of administrative responsibilities.
- Additional third-party tools designed to provide tight administrative control are not deployed.
- Separate authentication is not used to restrict access.
- Hypervisor management APIs / CLIs are not adequately protected.
- A separate "management LAN" is not deployed to manage access to hypervisors.
- Remote management of hypervisors is not disabled.
- Administrative interfaces are accidentally exposed through network configuration errors and lack of change management procedures.
Affected Assets: Hypervisor, Management tools and API
Risk name: Account or Service Hijacking Through the Self-Service Portal
Relevant Security Aspect: Risk to confidentiality, integrity, and availability confined to the designated virtual environment
Relevant Security Governance Risk Area: Architectural and hypervisor software risk
Vulnerabilities associated with the risk:
- Strong authentication control is lacking.
- Policy governing the creation and use of self-service portals does not exist.
- Policy-based self-service portal management is not used.
- Unauthorized activity is not proactively monitored.
- Account management (e.g., password reset sent in clear text) is "relaxed."
Affected Assets: Applications, VMs, and virtualization platform
Risk name: Workloads of Different Trust Levels Located on the Same Server
Relevant Security Aspect: Risk to confidentiality, integrity, and availability
Relevant Security Governance Risk Area: Architectural and configuration risk
Vulnerabilities associated with the risk:
- VMs of different trust levels are hosted on or migrated to the same physical server (host).
- Physical or logical software-defined networks for VMs of different trust levels are not segregated.
- Physical and virtual firewalls are not deployed to isolate groups of VMs from other hosted groups, for example, production from development systems or development from other cloud-resident systems.
- Virtual desktop workloads are not isolated from the rest of the physical data center.
- Administrative separation of duties may not be implemented, allowing unauthorized changes or accidental misconfiguration that violates the logical zoning.
Affected Assets: VMs on physical server
Risk name: Risk due to Cloud Service Provider API
Relevant Security Aspect: Risk to confidentiality, integrity, and availability
Relevant Security Governance Risk Area: Architectural and configuration risk
Vulnerabilities associated with the risk:
- The cloud service provider's API set is not secured.
- Data transmitted or stored in the cloud is not protected by encryption.
- Strong authentication / access control is not implemented for external systems.
- Identity and credential federation, such as Active Directory services or another LDAPv3 directory, is not used.
- Traffic is not transmitted via a private / out-of-band encrypted channel that is separate from normal internal traffic.
- Security, compliance, and governance controls and monitoring are not consistently enabled.
Affected Assets: Security of Hybrid Environment
The risk table helps enlist the vulnerabilities associated with each risk scenario; from these the impact and likelihood can be derived, which finally form a risk matrix. As vulnerabilities are enlisted and the risk calculated for them, suitable mitigation techniques for these vulnerabilities can be derived, which in turn allow the residual risk to be calculated.
The likelihood rating is provided in Appendix A2, which gives the rating notation for creating the risk matrix. Similarly, Appendix A3 provides the impact rating for CIA compromise and Appendix A4 provides the risk matrix defining the risk levels.
The risk evaluation is based on the likelihood of a particular vulnerability being exploited and the impact it would have on the business.
Columns of the risk evaluation table below: Vulnerability | Likelihood (see Appendix A2) | Impact due to confidentiality compromise (see Appendix A3) | Impact due to integrity compromise (see Appendix A3) | Impact due to availability compromise (see Appendix A3) | Risk level (see Appendix A4) | Residual risk level after treatment (see Appendix A4). The risk treatment control to be implemented is listed after the rows of each risk type.
Type of Risk: 1 – VM Sprawl
Asset exposed to risk: VM
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Lack of effective control process to manage VM lifecycle | Low | Low | Low | Low | 1 |
Lack of placement / zoning policies or enforcement of where a dormant VM can instantiate or reside | Low | Low | Low | Low | 1 |
Lack of discovery tool to identify unauthorized VMs | Low | Low | Low | Low | 1 |
Risk treatment control to be implemented: Put effective policies, guidelines, and processes in place to govern and control VM lifecycle management, including self-service and automated scripts / DevOps tools.
Type of Risk: 2 – Sensitive Data in VM
Asset exposed to risk: VM and Storage
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
VM images and snapshots are not treated in the same way as the sensitive data. | Medium | High | High | Low | 4 | 1
Policies and processes are not in place to control storage of VM images and snapshots. | Low | High | High | Low | 3 | 1
Risk treatment control to be implemented: Encrypt data stored on virtual and cloud servers to make it unreadable. Develop policies to restrict storage of VM images and snapshots.
Type of Risk: 3 – Resource Exhaustion
Asset exposed to risk: VM
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Servers are burdened by concurrent execution of resource-intensive software. | High | Low | Low | High | 5 | 2
Simultaneous automated OS patching on a group of VMs causes enormous access strain on a common storage resource. | Medium | Low | Low | High | 4 | 2
Risk treatment control to be implemented: Implement an operating procedure that detects VMs that are throttled due to resource exhaustion and puts a remedy in place instantly.
Type of Risk: 4 – Hypervisor Security
Asset exposed to risk: Hypervisor
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Configuration of hypervisor may not be hardened to reduce areas of vulnerability. | Medium | Medium | Low | Medium | 3 | 2
Vendor-recommended best practices are not adopted. | Low | Low | Low | Low | 1 |
Unused physical hardware devices are connected. Clipboard / file-sharing services are not disabled. | Low | Low | Low | Low | 1 |
Vendor security bulletins / alerts are not subscribed to. Security updates are not implemented promptly. | Low | Low | Low | Low | 1 |
Self-integrity checks or equivalent are not conducted upon boot-up to confirm whether or not the hypervisor has been compromised. | Low | Low | Low | Low | 1 |
Ongoing monitoring including analysis of hypervisor logs does not occur. | Medium | Low | Low | Low | 2 | 1
Attack surface is further increased through uncontrolled use of hypervisor management APIs by IT/DevOps tools and scripts and other infrastructure technologies. | Medium | Medium | Medium | Medium | 3 | 2
Risk treatment control to be implemented: Harden the hypervisor's configuration to reduce areas of vulnerability. Put vendor-provided best practices in place where applicable. Disconnect unused physical hardware devices and disable clipboard or file-sharing services. Use a hypervisor integrity monitoring technology, for example, Intel Trusted Platform Module/Trusted Execution Technology.
Type of Risk: 5 – Unauthorized Access to Hypervisor
Asset exposed to risk: Hypervisor and Management Tools
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Access to virtualization layer is not restricted as with any sensitive OS. | High | High | Medium | Medium | 5 | 3
Hypervisor may not support role-based access control. | Low | Low | Low | Low | 1 |
Additional third-party tools that provide tight administrative control are not deployed. | Low | Low | Low | Low | 1 |
A separate authentication is not used to restrict access. | Low | Medium | Medium | Low | 2 | 1
Hypervisor management APIs/CLIs are not adequately protected. | Low | Medium | Low | Low | 2 | 1
Separate LAN authentication is not used to restrict access. | Medium | High | Low | Low | 4 | 2
Remote hypervisor management is not disabled. | Low | High | Low | High | 3 | 1
Administrative interfaces are accidentally exposed through network configuration errors and lack of change management procedures. | Low | Medium | Medium | Medium | 2 | 1
Risk treatment control to be implemented: Restrict access to the virtualization layer by firewalls that restrict console access. Evaluate implemented role-based access control policies in order to ensure that they are functionally correct. Deploy a separate "management LAN" to manage access to hypervisors.
Type of Risk: 6 – Account or Service Hijacking through Self-Service Portal
Asset exposed to risk: Privileged access to applications, VM, and Virtualization Platform
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Strong authentication control is lacking. | Low | High | High | Medium | 3 | 2
Policy governing creation and use of self-service portals is lacking. | Low | Low | Low | Low | 1 |
Policy-based management of self-service portal is not used. | Low | Low | Low | Low | 1 |
Proactive monitoring of unauthorized activity does not occur. | Low | Low | Low | Low | 1 |
Account management is "relaxed" (e.g., password reset sent in clear text). | Low | High | High | Low | 3 | 2
Risk treatment control to be implemented: Use administrative controls selectively, based on users' roles and needs. Enforce secure management of accounts, identities, and credentials.
Type of Risk: 7 – Workload of Different Trust Levels Located on the Same Server (Commingling of Data)
Asset exposed to risk: VMs in the same physical server
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Different VM trust levels are hosted on the same physical server. | High | High | Medium | Low | 5 | 3
Physical/logical software-defined networks for VMs of different trust levels are not separated. | High | High | Low | Low | 5 | 3
Physical and virtual firewalls are not deployed to isolate groups of VMs from other hosted groups. | Medium | Medium | Low | Low | 3 | 2
Virtual desktop workloads are not isolated from the rest. | Low | Low | Low | Low | 1 |
Administrative separation of duties may not be implemented, allowing unauthorized changes or accidental misconfiguration that violates logical zoning. | Low | Low | High | High | 3 | 1
Risk treatment control to be implemented: Carefully design and implement access from each trust level to physical and virtual management and security systems. Implement policies and processes to categorize systems and data according to different security classifications.
Type of Risk: 8 – Risk Due to CSP API
Asset exposed to risk: Security of the hybrid environment
Vulnerability | Likelihood | Impact (C) | Impact (I) | Impact (A) | Risk level | Residual risk level
Cloud service provider API set is not secured. | Medium | Medium | Low | Low | 3 | 2
Data transmission is not protected by encryption. | Low | High | Low | Low | 3 | 2
Strong authentication/access control is not implemented for external systems. | Low | Medium | Medium | Low | 2 | 1
Active Directory traffic is not transmitted via a private/out-of-band encrypted channel (separated from normal internal traffic). | Low | High | High | Low | 3 | 2
Identity federation is not used. | Low | Low | High | Low | 3 | 1
Security, compliance, and governance controls and monitoring are not consistently enabled. | Low | Medium | Medium | Medium | 3 | 1
Risk treatment control to be implemented: Implement strong authentication and granular access control with encrypted transmission. Transmit Active Directory traffic via a private / out-of-band encrypted channel that is separate from normal Internet traffic if it is used across the Internet.
Once the risk matrix has been created, risk evaluation can be performed and each vulnerability given a point on the scale of 1-5, as seen in Appendix A4. The risk can also be mitigated by providing a remediation technique under "Risk treatment control to be implemented", and accordingly the risk evaluation can be done again after mitigation to obtain the residual risk.
Above is the risk evaluation along with mitigation techniques for all the risks discussed.
6.0 Conclusion
Inside a cloud, it is difficult to identify where data is stored and how it is segregated. This lack of visibility, and of the ability to control, audit, and verify, poses a number of security and compliance concerns for IT personnel, end-users, and regulators. While the cloud community is still grappling with these emerging risks, virtualization technologies continue to be rapidly innovated. To manage such a dynamic risk environment, organizations should put effective governance and risk management processes and controls in place to continually monitor and proactively mitigate the evolving risks.
7.0 Appendix
A1: Risk Table
Risk name:
Relevant Security Aspect: Confidentiality/Integrity/Availability
Relevant Security Governance Risk Area: Configuration/Architectural/Operational
Vulnerabilities associated with the risk:
Affected Assets: VM/Hypervisor/Network/OS/Applications/Physical Server
A2: Likelihood Rating for Vulnerability
Likelihood Rating | Evaluation Criteria
High | Relevant security control not in place
Medium | Relevant security control in place but not effective
Low | Relevant security control in place and effective
A3: Impact Rating for CIA Compromise
Impact Rating | Evaluation Criteria
High | Significant business impact to the enterprise
Medium | There is tangible or intangible loss to the enterprise.
Low | There is insignificant loss due to minor inconvenience in business operations.
A4: Risk Matrix showing the defined risk levels (rows: likelihood; columns: impact)
Likelihood \ Impact | Low | Medium | High
Low | 1 (Insignificant) | 2 (Minor) | 3 (Medium)
Medium | 2 (Minor) | 3 (Medium) | 4 (High)
High | 3 (Medium) | 4 (High) | 5 (Very High)