This document discusses configuring Office 365 security using DevOps practices. It describes exporting Office 365 configurations as JSON files and programmatically configuring environments using PowerShell. It also discusses using Azure DevOps pipelines to release configurations through test and production environments. Compliance of configurations is tested using Pester tests. The document advocates applying the NIST Cybersecurity Framework to identify risks and select controls to reduce risk through implementing configurations in a phased manner.
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS Architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key vault for a PaaS solution in better managing a password secret.
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Amazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...Amazon Web Services
It is critical to maintain strong identity and access policy to prevent unexpected access to your resources for whatever applications you are running on AWS. It is equally important to track and alert on changes being made to your AWS resources.
In this webinar, you will learn about the different ways you can use AWS Identity and Access Management (IAM) to control access to your AWS services and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation.
In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We will also cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector.
Learning Objectives:
• Understand the AWS Shared Responsibility Model.
• Understand AWS account and identity management options and configuration.
• Learn the concept of infrastructure as code and change management using CloudFormation.
• Learn how to audit and log your AWS service usage.
• Learn about AWS services to add automatic compliance checks to your AWS infrastructure.
Who Should Attend:
• IT administrators, architects, and security engineers, or anyone interested in controlling access to AWS resources, deploying infrastructure on AWS, or performing compliance checks on their infrastructure
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS Architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key vault for a PaaS solution in better managing a password secret.
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Amazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...Amazon Web Services
It is critical to maintain strong identity and access policy to prevent unexpected access to your resources for whatever applications you are running on AWS. It is equally important to track and alert on changes being made to your AWS resources.
In this webinar, you will learn about the different ways you can use AWS Identity and Access Management (IAM) to control access to your AWS services and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation.
In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We will also cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector.
Learning Objectives:
• Understand the AWS Shared Responsibility Model.
• Understand AWS account and identity management options and configuration.
• Learn the concept of infrastructure as code and change management using CloudFormation.
• Learn how to audit and log your AWS service usage.
• Learn about AWS services to add automatic compliance checks to your AWS infrastructure.
Who Should Attend:
• IT administrators, architects, and security engineers, or anyone interested in controlling access to AWS resources, deploying infrastructure on AWS, or performing compliance checks on their infrastructure
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
(SEC312) Reliable Design & Deployment of Security & ComplianceAmazon Web Services
"No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on ""Secure by Design"" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as:
Organizational governance
Asset inventory and control
Logical access controls
Operating system configuration
Database security
Applications security configurations
This session will focus on using AWS security features to architect securing and auditing the architecture capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment."
AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven...Amazon Web Services
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
by RedLock
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands on experience with DevSecOps. We’ll teach you how to think like a Security Ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them.
Geek Sync | Taking Control of Your Organization’s SQL Server SprawlIDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/PsuV50A5bSh
You have SQL Server sprawl throughout your organization. There are SQL Servers installed on servers in all of your environments, some of which you may not even be aware of. IT personnel and developers also have SQL Servers installed; even if they are approved, there’s no guarantee of a minimal configuration. How do you get your arms around this situation?
Join IDERA and K. Brian Kelley on Wednesday, July 26 at 11 AM CT as he looks at the various ways to detect SQL Server in your environment. He will take the next step to document what he finds, noting what’s approved and what’s not. Brian will also explore the various means to disable and uninstall unapproved SQL Servers. Finally, he will look at how you can configure existing, approved SQL Servers to a minimum standard. At each step of the way Brian will explain how to automate these tasks to reduce the amount of manual work required. This is a Geek Sync you will not want to miss!
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
Long live RDBMs! For years they have been a staple of large data set storage, manipulation & retrieval. But what if I told you that we were able to simplify every aspect of our new ODS; from data maintenance and implementation to API design, scalability and maintainability by doing one simple thing?
Azure Security Center provides security posture management and threat protection for your hybrid cloud workloads. Cloud Security Posture Management includes Policies, initiatives, recommendations, secure scores, and security controls. Cloud Workload Protection protects threats against servers, cloud-native workloads, databases, and storage security alerts and incidents.
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
How do you protect your private information and customer PII in the cloud when you don’t control all the hardware or software components that might access that information? AWS allows you to offload many management and data-handling tasks, but how do you evaluate the risks to your data as it passes through these services? AWS offers many options for using encryption to protect your data in transit and at rest. A variety of features let you determine how much control you want over your encryption keys in order to meet your security goals. This webinar will help you understand which AWS encryption features are available, when to use them, and how to integrate them in your workloads. In this webinar, you will learn:
• Learn how to think about using encryption to protect your private information in the cloud • Learn how to evaluate key management architectures to determine whether they meet your needs • Learn how to use AWS encryption features to accomplish your data security goals.
Who Should Attend: • Developers, DevOps Engineers, and IT Security Administrators
Data protection is more important than ever. Maintaining confidentiality and integrity of your data at scale does not have to be a burden. In this session we will discuss encryption options on AWS and how to leverage AWS Key Management Service (KMS) for data encryption. We will also cover how AWS KMS integrates with other AWS services.
Speaker: Koorosh Lohrasbi, Solutions Architect, Amazon Web Services
The future of Hadoop security and its evolution by Alejandro González at Big ...Big Data Spain
This talk defines the state of the art for Hadoop security and describes the planned security features to be added. Hadoop initially was not designed with security in mind, multiple security features had being developed for some components without designing and integrated security architecture.
https://www.bigdataspain.org/2017/talk/the-future-of-hadoop-security-and-its-evolution
Big Data Spain 2017
16th - 17th November Kinépolis Madrid
This presentation targets to guiding security expert and developer to protect PaaS deployment to eliminate security threats. This also introduces Threat Modeling.
Enterprise-class security with PostgreSQL - 1Ashnikbiz
For businesses that handle personal data everyday, the security aspect of their database is of utmost importance.
With an increasing number of hack attacks and frauds, organizations want their open source databases to be fully equipped with the top security features.
(SEC312) Reliable Design & Deployment of Security & ComplianceAmazon Web Services
"No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on ""Secure by Design"" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as:
Organizational governance
Asset inventory and control
Logical access controls
Operating system configuration
Database security
Applications security configurations
This session will focus on using AWS security features to architect securing and auditing the architecture capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment."
AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven...Amazon Web Services
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
by RedLock
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands on experience with DevSecOps. We’ll teach you how to think like a Security Ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them.
Geek Sync | Taking Control of Your Organization’s SQL Server SprawlIDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/PsuV50A5bSh
You have SQL Server sprawl throughout your organization. There are SQL Servers installed on servers in all of your environments, some of which you may not even be aware of. IT personnel and developers also have SQL Servers installed; even if they are approved, there’s no guarantee of a minimal configuration. How do you get your arms around this situation?
Join IDERA and K. Brian Kelley on Wednesday, July 26 at 11 AM CT as he looks at the various ways to detect SQL Server in your environment. He will take the next step to document what he finds, noting what’s approved and what’s not. Brian will also explore the various means to disable and uninstall unapproved SQL Servers. Finally, he will look at how you can configure existing, approved SQL Servers to a minimum standard. At each step of the way Brian will explain how to automate these tasks to reduce the amount of manual work required. This is a Geek Sync you will not want to miss!
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
Long live RDBMs! For years they have been a staple of large data set storage, manipulation & retrieval. But what if I told you that we were able to simplify every aspect of our new ODS; from data maintenance and implementation to API design, scalability and maintainability by doing one simple thing?
Azure Security Center provides security posture management and threat protection for your hybrid cloud workloads. Cloud Security Posture Management includes Policies, initiatives, recommendations, secure scores, and security controls. Cloud Workload Protection protects threats against servers, cloud-native workloads, databases, and storage security alerts and incidents.
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
How do you protect your private information and customer PII in the cloud when you don’t control all the hardware or software components that might access that information? AWS allows you to offload many management and data-handling tasks, but how do you evaluate the risks to your data as it passes through these services? AWS offers many options for using encryption to protect your data in transit and at rest. A variety of features let you determine how much control you want over your encryption keys in order to meet your security goals. This webinar will help you understand which AWS encryption features are available, when to use them, and how to integrate them in your workloads. In this webinar, you will learn:
• Learn how to think about using encryption to protect your private information in the cloud • Learn how to evaluate key management architectures to determine whether they meet your needs • Learn how to use AWS encryption features to accomplish your data security goals.
Who Should Attend: • Developers, DevOps Engineers, and IT Security Administrators
Data protection is more important than ever. Maintaining confidentiality and integrity of your data at scale does not have to be a burden. In this session we will discuss encryption options on AWS and how to leverage AWS Key Management Service (KMS) for data encryption. We will also cover how AWS KMS integrates with other AWS services.
Speaker: Koorosh Lohrasbi, Solutions Architect, Amazon Web Services
The future of Hadoop security and its evolution by Alejandro González at Big ...Big Data Spain
This talk defines the state of the art for Hadoop security and describes the planned security features to be added. Hadoop initially was not designed with security in mind, multiple security features had being developed for some components without designing and integrated security architecture.
https://www.bigdataspain.org/2017/talk/the-future-of-hadoop-security-and-its-evolution
Big Data Spain 2017
16th - 17th November Kinépolis Madrid
This presentation targets to guiding security expert and developer to protect PaaS deployment to eliminate security threats. This also introduces Threat Modeling.
Enterprise-class security with PostgreSQL - 1Ashnikbiz
For businesses that handle personal data everyday, the security aspect of their database is of utmost importance.
With an increasing number of hack attacks and frauds, organizations want their open source databases to be fully equipped with the top security features.
Every enterprise system has tons of sensitive data like database passwords or third-party API keys. Quite often people store this data openly in internal repositories, continuous integration pipeline or configuration managements systems. The bigger company the stricter security rules. It is more complex and important when you have thousands of different applications and each one has its own secrets. In this talk I am giving an overview of my personal experience on Vault technology and will show by example how you can build your own policies and move your secrets to the Vault.
Securing Microservices using Play and Akka HTTPRafal Gancarz
Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures.
This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.
MongoDB World 2019: Securing Application Data from Day OneMongoDB
All too often the trend is to build an application first and then secure it second.
Luckily, with MongoDB Stitch it's easy to put data security first without slowing down development.
This session will provide a walkthrough of the best practices for authentication, data access, and data validation. We'll even provide a full sample application that you can use to get started after the session.
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Level: 200 (Intermediate)
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
AWS Summit 2014 Perth - Breakout 3
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
Presenter: James Bromberger, Solutions Architect, Amazon Web Services
Supercharge Your Product Development with Continuous Delivery & Serverless Co...Amazon Web Services
Supercharge Your Product Development with Continuous Delivery & Serverless Computing: AWS Developer Workshop - Web Summit 2018
Continuous Integration (CI) and Continuous Delivery (CD) help developers automate the software release process. The faster you can release new features and fix bugs, the quicker you can innovate and respond to customer needs. Serverless computing has changed the game for application development, including how to properly perform CI/CD for your application. AWS provides developer tools that help you automate the end-to-end lifecycle of your serverless application. In this session, we will discuss a method for automating the deployment of serverless applications running on AWS Lambda, using services such as AWS CodePipeline and AWS CodeBuild, and techniques such as canary deployments and automatic rollbacks.
Speaker: Alex Casalboni - Technical Evangelist, AWS
We will introduce key concepts for a data lake and present aspects related to its implementation. Also discussing critical success factors, pitfalls to avoid operational aspects, and insights on how AWS enables a server-less data lake architecture.
Speaker: Sebastien Menant, Solutions Architect, Amazon Web Services
Office 365 Best Practices That You Are Not Thinking AboutQuest
Microsoft MVP Mike Crowley, Baseline Technologies, will join Quest cloud expert Ron Robbins to explore how to translate your existing on-premises security and compliance strategy to the cloud.
by Brad Dispensa, Sr. Solutions Architect, AWS
Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session we will cover how you can use secure configuration and automation to monitor, audit, and enforce your security policies within an AWS environment. Level 200
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
13. @AlexMags
Subscriptions
AAD Identity
Accounts
Invoicing
EA Portal Enterprise
Agreement
Fabricam
IT
Lab
domain
Azure Lab
O365 Lab
(MPSA)
Test
domain
Azure Test
O365 Test
(MPSA)
Production
domain
Azure Prod
O365
Production
Azure
DevOps
Research
Grid
Contoso
IT
Production
23. @AlexMags
Testing with Pester
https://github.com/pester
Describe 'Notepad’ {
It 'Exists in Windows folder’ {
'C:WindowsNotAtAllPad.exe' | Should -Exist `
-because "law 57 of Windows builds"
}
}
Describing Notepad
[-] Exists in Windows folder 17ms
Expected path 'C:WindowsNotAtAllPad.exe' to exist,
because law 57 of Windows builds, but it did not exist.
24. @AlexMags
Test tenant config compared to JSON
$TenantSettingsJson = get-content $genericJSONPath | ConvertFrom-Json
$currentCompanyConfig = Get-AzureADMSGroupLifecyclePolicy -ErrorAction SilentlyContinue
# Note "-because" parameters requires Pester module v4
Describe "Office365 group lifecycle policy for $($AADtenant.DisplayName)" {
it "Office 365 group lifecycle policy" {
$currentCompanyConfig | should -not -BeNullOrEmpty `
-Because "Office 365 group lifecycle policy ensures projects are closed down and data archived"
}
it "Office 365 Group lifetime" {
$currentCompanyConfig.GroupLifetimeInDays | should -be $TenantSettingsJson.GroupLifetimeInDays `
-Because "Unused o365 groups should be archived after $($TenantSettingsJson.GroupLifetimeInDays)"
}
it "Office 365 group notification mails" {
$currentCompanyConfig.AlternateNotificationEmails | should -be $TenantSettingsJson.AlternateNotificationEmails `
-Because "$($TenantSettingsJson.AlternateNotificationEmails) should be notified of unused o365 groups"
}
}
Read JSON, get current config
Assert that current config shouldn’t be blank/unset
Assert that current config should match JSON
40. @AlexMags
NIST CyberSecurity Framework
• Identify - who/what you’re protecting
• Protect - the data/system
• Detect - problems
• Respond– know who to tell, what to do
• Recover – have a plan
https://www.nist.gov/cyberframework
43. @AlexMags
Example
NIST Function NIST Category Your Risks Your Controls Your Work items
Multifactor authentication (PR.AC) Enable MFA
Priv Identity Management (PR.AC) Enable AAD PIM
Admin roles follow least rights privileged (PR.AC) Implement RBAC
Encrypt communications containing credentails (PR.AC) Disable basic auth
(PR.AC) Rotate service passwords
(PR.AC) Rotate API Keys
Misconfiguration results in
unauthorised access
IT admins complete training module before access (PR.AT) Cloud Admin course tracking
Critical data is uploaded before
environment is ready
Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS
Data Security Data is not protected Classifiy data (PR.DS) Implement AIP
Maintenance software vulnerabilities OS and application secuirty patching (PR.MA) Enforce auto updates
Protective Technology Malware results in outage,
unauthorised access or data loss
antimalware (PR.PT) Enable Windows Defender ATP
(PR.IP) Block inbound internet access
Identity Management
and Access Control
Awareness and Training
Information Protection
Processes and
Procedures
Data loss protection
Protect
Service account password and API keys rotated
Unauthorised access is obtained
Data loss from attack or
accidental disclosure
46. @AlexMags
Categorise
system
and data
Select
controls to
reduce risk
Implement
controls
Assess
controls
Authorise.
Risk is
acceptable
Monitor
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Risk Management Framework
Assess Controls
• Do they work?
• Can they be circumvented?
• How much residual risk remains?
47. @AlexMags
NIST Function NIST Category Your Risks Your Controls Your Work items
Multifactor authentication (PR.AC) Enable MFA
Priv Identity Management (PR.AC) Enable AAD PIM
Admin roles follow least rights privileged (PR.AC) Implement RBAC
Encrypt communications containing credentails (PR.AC) Disable basic auth
(PR.AC) Rotate service passwords
(PR.AC) Rotate API Keys
Misconfiguration results in
unauthorised access
IT admins complete training module before access (PR.AT) Cloud Admin course tracking
Critical data is uploaded before
environment is ready
Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS
Data Security Data is not protected Classifiy data (PR.DS) Implement AIP
Maintenance software vulnerabilities OS and application secuirty patching (PR.MA) Enforce auto updates
Protective Technology Malware results in outage,
unauthorised access or data loss
antimalware (PR.PT) Enable Windows Defender ATP
(PR.IP) Block inbound internet access
Identity Management
and Access Control
Awareness and Training
Information Protection
Processes and
Procedures
Data loss protection
Protect
Service account password and API keys rotated
Unauthorised access is obtained
Data loss from attack or
accidental disclosure
Background infrastructure engineering teams investment banking, asset management
High availability, high security, regulatory compliance.
Come off Office365 deployment. Sprinked DevOps on it
On prem vs IaaS
Terrafrom Why youre here. WHAT it is
Terraform workflow HOW to use it
Demo
Terraform for Dev, Sec, and Ops
News
Warning: Fetish for excruciating PowerPoint transitions.
All the configuration needs to be tracked, maintained
Office365 Security Portal
Graph API you can export this list of improvement actions and see if any flipped from completed to not completed?
Most accessible intro to release pipelines. Esp OPS guys
When you’ve been configuring Conditional Access by hand, and locked yourself and the entire company out, you know it.
http://www.jklossner.com/humannature
EA (250 users minimum)
MPSA (points, # users vary on E3 or E5)
LOGICALLY
The account provided gives the code context
Onmicrosoft.com
Config exported to JSON
Assert things that should be true and you want to know if they’re not
Assert things that should be true and you want to know if they’re not
Test current config compared to JSON
Additional approval required to deploy prod
Additional approval required to deploy prod
Went to Security to ask how they want stuff set
Cyber/IT Sec OS, patching, pen testing intellectual property, regulatory compliance, business/financial integrity, insider abuse, industrial espionage, data privacy, governance, crisis management, business continuity, risk analysis, and organizational view
Click through
Click to releases
CSF!!!
Secret weapon number 3
Risk – whats the bad thing that could happen Control – what makes it unlikely or lower impact
Work items – well defined so people can crack on
Talk with infosec, which risks and controls will get you to next stage on your roadmap?
Controls == safe guards == countermeasures
Residual risk decreases as controls are implemented
Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss
Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. Technical/process
Implement the controls and describe how the controls are employed within the system and its environment of operation.
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
50% green
Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss
Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
Implement the controls and describe how the controls are employed within the system and its environment of operation.
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
