Niloufer Tamboly and Mallik Prasad presented 'Securing The Journey To The Cloud' at the first (ISC)2 New Jersey Chapter meeting.
Chapter officers:
Gurdeep Kaur, President
Niloufer Tamboly, Membership Chair
Mallik Prasad, Secretary
Anthony Nelson, Treasurer
Securing The Journey To The Cloud
1. Securing The Journey To The Cloud
Niloufer Tamboly
Mallik Prasad
January 31, 2013
2. Securing the journey to the Cloud
• The Essentials of Cloud Computing
• Cloud Deployment and Service Delivery Models
• Cloud Security and Risk Considerations
• Assessing Risk, Audit Program Considerations
• Virtualization Concepts
3. How cloud is impacting business models
The New Normal Challenges
• Traditional brick-and-mortar companies are being challenged by competitive new lean upstart companies utilizing cloud technologies.
• Business demand on IT is increasing while expectations are for IT to do more with less.
• Companies are embracing the mobile proliferation and the race for market share utilizing these newer cloud technologies.
• What was about the Data Center is now about the data.
4. The New Normal
• It’s a Digital world — The boundaries between work and home are no longer relevant.
• Open Enterprise — The boundaries between businesses and the consumer have been redrawn.
• Consumerization of Technology (Online, Mobile, Social Media) is changing the shopping experience.
• Smarter shopper experience — The consumer is now multi-channel.
6. What is Cloud Computing?
Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, four deployment models and three service models.
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
8. Cloud Is Not…
…simply virtualization: While many cloud solutions, both public and private, leverage virtualized infrastructure resources to deliver functionality, cloud raises the bar by providing on-demand provisioning. Publicly-announced private clouds are essentially an aggressive virtualization program on top of the traditional enterprise IT stack.
…just applying SOA principles: Service Oriented Architecture (SOA) is a set of design principles, whereas cloud is a service. Cloud-based services will be defined and enabled through SOA; as such, SOA is a prerequisite to reap cloud computing benefits. However, following SOA design principles alone does not guarantee the ability to easily transition to a cloud-based solution.
…only traditional hosting: Cloud and traditional hosting share many characteristics, but unlike traditional hosting, cloud service is offered on-demand and is scalable and elastic — a user can have as much or as little of the service as they need and pay for the resources actually used.
10. Private Cloud
The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
11. Examples of a Private Cloud
• OpenStack software delivers a scalable cloud operating system
• Some VMware or Citrix installations
• Some social networks offer private clouds, e.g. MangoApps, Huddle IL3, and Jive
12. Public Cloud
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
13. Examples of a Public Cloud
• Gmail
• SalesForce
• Amazon Elastic Compute Cloud (EC2)
• Facebook
14. Community Cloud
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, objectives, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.
15. Examples of a Community Cloud
• NYSE Technologies Capital Markets Cloud Platform: the first financial services cloud offering platform services to the capital markets community. The platform is for banks, broker-dealers, systematic traders, and buy-side institutions seeking to reduce the costs of trading infrastructure and to streamline access to a wide variety of trading applications. It provides turnkey access to trading infrastructure and services, making it far simpler to benefit from the world’s most vibrant capital markets community.
16. Hybrid Cloud
The cloud infrastructure is a composition of cloud models (private or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
17. Examples of a Hybrid Cloud
• Organizations may host critical applications on private clouds and applications with relatively fewer security concerns on the public cloud. The usage of both private and public clouds together is called hybrid cloud. A related term is Cloud Bursting: an organization uses its own computing infrastructure for normal usage, but accesses the cloud for high/peak load requirements. This ensures that a sudden increase in computing requirement is handled gracefully.
• An organization might use a public cloud service, such as Amazon Simple Storage Service (Amazon S3), for archived data but continue to maintain in-house storage for operational customer data.
19. Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• X as a Service (XaaS)
20. Software as a Service (SaaS)
• Definition - Delivers software as a service over the Internet. In most cases there is no need to install and run the application on the customer's own computers, hence simplifying maintenance and support.
• Customization - Users of the service have limited customization, since they no longer develop the application.
• Benefits - The user of the cloud maintains very little or no technical staff to run the application software. Users of the service could realize additional savings as expenses go from a capital expense to an operating expense, together with a reduction in staff.
21. Platform as a Service (PaaS)
• Definition - Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers. The user of the cloud writes application code that integrates with the provider's platform.
• Customization - Users of the service have moderate customization: they build applications within the constraints of the platform.
• Benefits - The user of the service maintains the technical staff to develop and maintain the application. Users of the service could realize additional savings as expenses go from a capital expense to an operating expense, together with a reduction in staff.
22. Infrastructure as a Service (IaaS)
• Definition - Delivers computer infrastructure, typically a platform virtualization environment, as a service. Service is typically billed on a utility computing basis and the amount of resources consumed.
• Customization - Not much customization is needed as a subscriber of the cloud, since the technology being deployed requires minimal configuration.
• Benefits - The user of the service maintains the technical staff to develop and manage its platform and application software. Users of the service could realize savings as expenses go from a capital expense to an operating expense.
24. Cloud Standards and Related Regulations Are Still Evolving
Leading organizations trying to establish Security Standards in the Cloud are:
• NIST (National Institute of Standards and Technology)
• CSA (Cloud Security Alliance)
• ENISA (European Network and Information Security Agency)
25. Audit Program and Frameworks
• The National Institute of Standards and Technology (NIST) SP 800-30
• ISACA Cloud Computing Audit Program
• Cloud Security Alliance - Cloud Controls Matrix (attached Slide 34)
• Federal Risk and Authorization Management Program (FedRAMP)
27. Cloud issues can impact you
It is important for cloud consumers to consider and address security when migrating to the cloud.
28. Public Cloud – Amazon view of Security
• Amazon Web Services: EC2, EBS, S3, VPC, etc.
• It is the customer's responsibility to maintain security, protection and backup of their data and applications on AWS.
Source: http://aws.amazon.com/security/
29. CSA Threats – Public Cloud
1. Abuse and Nefarious Use of Cloud Computing. Examples: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, botnets, spam.
2. Insecure Interfaces and APIs. Examples: anonymous access and/or reusable tokens/passwords/keys, clear-text authentication, inflexible access controls, limited monitoring and logging.
3. Malicious Insiders. Examples: lack of privileged-user management, monitoring policies, audits.
4. Shared Technology Issues. Examples: Red and Blue Pill exploits.
5. Data Loss or Leakage. Examples: insufficient AAA controls; inconsistent use of encryption and software keys, operational failures, disposal challenges, reliability and DR.
6. Account or Service Hijacking. Examples: lack of internal security controls and detailed auditing/monitoring.
7. Unknown Risk Profile. Examples: the IRS asked Amazon EC2 to perform a certification and audit; Amazon refused. Heartland data breach.
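Threat 2 names reusable, long-lived keys and clear-text authentication as the typical API weakness. The following is an added example (not code from this presentation) contrasting that weak pattern with a hardened token store: tokens are random, carry an expiry, can be revoked, and only their SHA-256 digest is kept at rest, so a copied credential table yields nothing usable. `TokenStore`, its method names and the sample key are hypothetical; the clock is injectable so expiry can be checked deterministically.

```python
"""Short-lived, hash-at-rest API tokens (added example; names are hypothetical)."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# --- The weak pattern from the threat table: a long-lived key kept in clear
# text and compared directly.  Anyone who reads this table (backup, log,
# config dump) holds a usable credential with no expiry. ---
INSECURE_KEYS: Dict[str, str] = {"k_0123456789abcdef": "svc-reporting"}  # constructed


def insecure_verify(token: str) -> Optional[str]:
    return INSECURE_KEYS.get(token)


# --- Hardened form: random tokens that expire, stored only as digests. ---
class TokenStore:
    """Issue bearer tokens and keep only their SHA-256 digest plus issue time."""

    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing; defaults to wall clock
        # digest -> (principal, issued_at); the raw token never enters this dict
        self._entries: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, principal: str) -> str:
        """Create a 256-bit random token for principal; it is returned exactly once."""
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = (principal, self.clock())
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the principal for a valid, unexpired token, otherwise None."""
        digest = self._digest(token)
        entry = self._entries.get(digest)
        if entry is None:
            return None
        principal, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            # Expired: drop it so the table does not accumulate dead credentials
            del self._entries[digest]
            return None
        return principal

    def revoke(self, token: str) -> bool:
        """Invalidate a token immediately, e.g. on suspected compromise."""
        return self._entries.pop(self._digest(token), None) is not None

    def holds_plaintext(self, token: str) -> bool:
        """True if the raw token appears anywhere in stored state (it must not)."""
        return any(token in key or token in str(value)
                   for key, value in self._entries.items())


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=900)
    tok = store.issue("auditor")
    print("verify:", store.verify(tok), "| plaintext at rest:", store.holds_plaintext(tok))
```

The lookup is keyed on the digest rather than the token itself, which is what makes a stored copy of the table harmless; the expiry and `revoke` address the "reusable" half of the threat, and transport should additionally be TLS-only so the bearer token is never sent in clear text.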
30. Scope and control among cloud service models
[Diagram: stack layers (Facility, Hardware, Virtualized Infrastructure, Platform Architecture, Application) showing how the scope of control is split between Cloud Consumer and Cloud Provider, and how that split shifts across IaaS, PaaS and SaaS.]
Regulatory compliance is a key concern in public cloud - the cloud consumer has to ensure controls for compliance are appropriately addressed either by the provider or by including controls for data & applications on the cloud.
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing
31. Cloud – Security Observations
Secure Cloud Infrastructure environment
• Secure setup and configurations
• Inter-VM traffic inspection and control
• Manage privileged users and their activities
How to manage identity and access across physical and virtual environments
• Identity Lifecycle Management
• Authentication, Authorization, Audit
Application Security Assurance
• Varied trust levels require different security controls
• Application vulnerabilities
• Bespoke application re-factoring for Cloud
How to manage and monitor the entire Cloud infrastructure
• Configuration and patch management
• Compliance management and reporting
• Incident detection and response
Policy and risk management for Cloud
• Extension of ISMS incorporating Cloud Security
• Segregation of duties for Cloud
How to ensure Data Security
• Different classifications of data
• Data leakage from suspended, stored images
• Production data in orphan test, QA images
[Diagram: challenge areas A–F placed on a stack of IaaS, PaaS and SaaS above the hypervisor, with test, customer and employee users and COTS, home-grown and legacy applications.]
32. A view of technical security controls
Security Governance
• Approval by Information Security
• Process/policies defined/fine-tuned
• Risk identification and mitigation
Privileged Users & SOD
• Identity and access management
• Privileged user management
Application/Data Segregation
• Application vulnerability assessment
• Zoning/VLAN segregation
• Data encryption and obfuscation
Virtualization Security
• Guest and host security
• Inter-VM traffic inspection
• Patch and configuration management
Auditing & Monitoring
• Guest/hypervisor/application log monitoring
• VM/admin-level activity monitoring
• Incident detection and response capability within Cloud
[Diagram: challenges A–F from the previous slide mapped to the control groups above.]
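The "Auditing & Monitoring" and "Privileged Users & SOD" controls above (VM/admin-level activity monitoring, privileged user management) and the "data leakage from suspended, stored images" concern on the previous slide only work if someone actually evaluates the hypervisor's admin audit trail. The following added example, not code from this presentation, runs three such rules over a constructed log: image exports without a change ticket or to an unapproved destination, change-controlled actions without a ticket, and direct use of shared privileged accounts. The log format, field names, policy lists and rule names are all constructed for illustration; a real deployment would map them onto the hypervisor's own audit events.

```python
"""Detection rules over constructed hypervisor/VM admin audit events (added example)."""
from typing import Dict, List

# Constructed sample: one event per line, key=value fields after the timestamp.
SAMPLE_LOG = """\
2013-01-31T02:14:07Z host=hv01 user=svc_backup action=snapshot.create vm=erp-db-01 ticket=CHG-1042
2013-01-31T02:15:11Z host=hv01 user=jdoe action=snapshot.export vm=erp-db-01 dest=s3://personal-archive ticket=-
2013-01-31T03:02:44Z host=hv02 user=root action=login src=10.0.0.5
2013-01-31T03:05:00Z host=hv02 user=root action=vm.config.change vm=crm-web-02 ticket=-
2013-01-31T09:30:00Z host=hv01 user=jdoe action=vm.start vm=crm-web-02 ticket=CHG-1050
"""

# Policy inputs (constructed): where VM image copies may go, which actions
# need an approved change ticket, and which accounts are shared and
# therefore must not be used directly (no attribution to a named admin).
ALLOWED_IMAGE_DESTINATIONS = ("s3://corp-backup-vault/",)
CHANGE_CONTROLLED_ACTIONS = {"vm.config.change", "network.change", "hypervisor.config.change"}
IMAGE_COPY_ACTIONS = {"snapshot.export", "image.copy"}
SHARED_PRIVILEGED_ACCOUNTS = {"root", "administrator"}


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    parts = line.split()
    event = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def has_ticket(event: Dict[str, str]) -> bool:
    return event.get("ticket", "-") not in ("", "-")


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply each rule independently; one event may yield several findings."""
    findings: List[Dict[str, str]] = []
    action = event.get("action", "")
    user = event.get("user", "")

    if user in SHARED_PRIVILEGED_ACCOUNTS:
        findings.append({"rule": "shared-privileged-account", "user": user, "action": action,
                         "detail": "privileged activity must be attributable to a named admin"})

    if action in CHANGE_CONTROLLED_ACTIONS and not has_ticket(event):
        findings.append({"rule": "unapproved-change", "user": user, "action": action,
                         "detail": f"{action} on {event.get('vm', '?')} without a change ticket"})

    if action in IMAGE_COPY_ACTIONS:
        dest = event.get("dest", "")
        reasons = []
        if not has_ticket(event):
            reasons.append("no change ticket")
        if not dest.startswith(ALLOWED_IMAGE_DESTINATIONS):
            reasons.append(f"destination {dest!r} is not an approved backup location")
        if reasons:
            findings.append({"rule": "unapproved-export", "user": user, "action": action,
                             "detail": "; ".join(reasons)})
    return findings


def audit(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line and attach the source line number."""
    results: List[Dict[str, str]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        for finding in evaluate(parse_line(line)):
            finding["line"] = str(number)
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} ({f['user']}, {f['action']}) - {f['detail']}")
```

Each rule maps back to a control on the slide: the export rule is the detective counterpart of "data leakage from stored images", the ticket rule backs "all changes logged" governance, and the shared-account rule is what makes privileged-user monitoring attributable.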
33. Top Ten Cloud Security Concerns
1. Architecture of the environment (Public vs. Private, SaaS / PaaS / IaaS)
2. Misconfiguration of the environment, where breaches are caused by errors, omissions and misconfigurations (e.g. hypervisor, OS, storage, switch).
3. Segmentation from other customers (e.g. multi-tenant environments)
4. Authentication and Authorization (e.g. form factor, lack of granular permissions).
34. Top Ten Cloud Security Concerns contd.
5. DDoS attacks (e.g. cloud to cloud, inter/intra cloud).
6. Data location and storage (e.g. data loss / privacy / leakage).
7. Security Monitoring (e.g. cloud perimeter and inside cloud).
8. Incident Response (e.g. availability of resources).
9. Auditability, Certification and Compliance (e.g. which standards to follow, is the CSP compliant or has it been certified, how do I check that?).
10. Legal (e.g. regional, who has access to my data?)
35. How Do You Scope A Cloud Audit?
• Remember it is not prescriptive
• You need to understand the environments, service delivery and deployment models
• You need to understand the risks associated with the environment
36. Risk Areas In A Cloud Environment
Governance
• All changes logged
• Reporting on roles, separation of duties.
• Security monitoring of cloud environment and possible security incidents.
• Patch Management
41. Risks
Physical Security
• Highly secure physical facility, employee background checks, multi-level / tiered access controls in accordance with a least privilege policy
• Access logging and monitoring - video monitoring, keycard and biometric palm readers, fixed and roving security guards (depending on data center).
43. SSAE16 – SOC Decision Tree
Which report to use (SSAE 16 - SOC):
• Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial - Yes: SOC 1 Report
• Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law or regulation? - Yes: SOC 1 Report
• Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? - Yes: SOC 2 or 3 Report
• Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? - Yes: SOC 2 Report; No: SOC 3 Report
• Do you need to make the report generally available or use a seal? - Yes: SOC 3 Report
44. SSAE16 SOC 2 Overview
Five attributes of a system are known as principles and are defined as follows:
• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing integrity - System processing is complete, accurate, timely, and authorized.
• Confidentiality - Information designated as confidential is protected as committed or agreed.
• Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).
45. SOC 3 Report - SysTrust for Service Organizations
Use
• Distribute the SOC 3 report to customers and publicly display a seal of approval using the SOC 3 Report: SysTrust for Service Organizations seal.
Scope
• SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy).
For more information about the SysTrust for Service Organizations seal program go to www.webtrust.org.
47. Exercise 2
Background
HotShot Enterprise (“HSE”) is a global consumer products company, producing household products with annual revenues of approximately 80 billion USD.
HSE Products is ready to expand and is looking for ways to penetrate nontraditional markets. HSE’s CEO has plans to grow the company in size, revenue, and profits in addition to expanding its horizon.
However, to maintain a balanced budget HSE is looking to restructure some cost centers and reduce company expenses considerably. Plans are under way to restructure the Information Technology (IT), human resources and supply chain divisions.
The three divisions currently have over 10,000 employees across the world and are estimated to incur expenses of up to 20 billion annually.
48. Exercise 2 contd.
It is apparent that HSE’s competitors have moved into the cloud and are experimenting with new ways to reach consumers.
For example, one of HSE’s competitors, NoShot Enterprise (“NSE”), is utilizing social media and other mobile platforms to reach consumers.
NSE’s quarterly revenue increase strongly suggests that its strategy on the cloud has played a vital role. From HSE’s perspective the boundaries between consumers and businesses are being redrawn and the cloud is facilitating this move.
Accordingly, HSE’s board of directors accepts the new normal — cloud computing — and focuses more on data.
Exercise:
1) You are asked to test the controls ensuring that data is securely transmitted and maintained, to prevent unauthorized access and modification.
2) Also validate that controls over virtualized operating systems are hardened to prevent cross-contamination with other customer environments.
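Both exercise items, and concern 3 ("Segmentation from other customers") from the Top Ten list, reduce to questions an auditor can ask of the platform's network access rules: does any permitted flow cross from one tenant's address space into another's, is anything reachable from an unrestricted source, and does any data flow run over a clear-text service? The following is an added example, not code from this presentation: the tenant address plan, the rule format and the sample rules are constructed, and the finding names are hypothetical. Rules would in practice be exported from the hypervisor's virtual switch, the cloud provider's security groups or the firewall, and normalised into this shape.

```python
"""Tenant segmentation and transport checks over constructed network rules (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed address plan: each tenant owns disjoint ranges on the shared platform.
TENANTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "hse": [ipaddress.ip_network("10.10.0.0/16")],
    "other-customer": [ipaddress.ip_network("10.20.0.0/16")],
}

# Services that carry data in clear text unless the rule explicitly says tls=yes.
CLEARTEXT_SERVICES = {"http", "ftp", "telnet", "ldap", "smtp", "mysql"}

# Constructed sample rules: every entry is an 'allow' between two address ranges.
RULES: List[Dict[str, str]] = [
    {"id": "r1", "src": "10.10.1.0/24", "dst": "10.10.2.0/24", "service": "https"},
    {"id": "r2", "src": "10.10.1.0/24", "dst": "10.20.5.0/24", "service": "mysql"},
    {"id": "r3", "src": "0.0.0.0/0", "dst": "10.10.2.10/32", "service": "http"},
    {"id": "r4", "src": "10.10.3.0/24", "dst": "10.10.2.0/24", "service": "ssh"},
]

Finding = Tuple[str, str, str]  # (rule id, finding kind, detail)


def tenant_of(cidr: str) -> Optional[str]:
    """Name the tenant whose address plan wholly contains cidr, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, ranges in TENANTS.items():
        if any(net.subnet_of(r) for r in ranges):
            return name
    return None


def check_rule(rule: Dict[str, str]) -> List[Finding]:
    """Apply each check independently; a single rule may fail several."""
    findings: List[Finding] = []
    src_tenant, dst_tenant = tenant_of(rule["src"]), tenant_of(rule["dst"])

    # Exercise item 2: a permitted flow whose endpoints belong to two different
    # tenants is a cross-contamination path, whatever the service.
    if src_tenant and dst_tenant and src_tenant != dst_tenant:
        findings.append((rule["id"], "cross-tenant-allow",
                         f"{src_tenant} -> {dst_tenant} via {rule['service']}"))

    # A rule open to any source bypasses zoning entirely.
    if ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0:
        findings.append((rule["id"], "unrestricted-source",
                         f"any source may reach {rule['dst']} on {rule['service']}"))

    # Exercise item 1: data must not traverse the network in clear text.
    if rule["service"] in CLEARTEXT_SERVICES and rule.get("tls") != "yes":
        findings.append((rule["id"], "cleartext-transport",
                         f"{rule['service']} to {rule['dst']} carries data unencrypted"))
    return findings


def audit_rules(rules: List[Dict[str, str]]) -> List[Finding]:
    return [finding for rule in rules for finding in check_rule(rule)]


if __name__ == "__main__":
    for rule_id, kind, detail in audit_rules(RULES):
        print(f"{rule_id}: {kind} - {detail}")
```

Against the constructed rules this flags r2 twice (it lets HSE's subnet reach another customer's database network, over a clear-text service) and r3 twice (an HTTP listener open to any source), while the intra-tenant HTTPS and SSH rules pass, which is the shape of evidence the exercise asks the auditor to produce.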
50. Virtualization
Hypervisor
• A hypervisor is platform-virtualization software (or hardware) that allows multiple operating systems to run on a host computer concurrently. Also called a Virtual Machine Monitor (VMM).
• Type 1: A type 1 hypervisor runs directly on the computer hardware and manages all operating systems running as guests above it. This is also known as running on ‘bare metal’.
• Type 2: A type 2 hypervisor is a software application that runs on an operating system.