System Security on Cloud
Tu Pham
CTO @ DYNO
Data As A Service
Technologies: Java, Python, all kinds of databases and Cloud platforms from Google, AWS, Azure.
Interests: Cloud computing, machine learning, system architecture, technology evolution, distributed systems.
Husband, Father, GDE, Open source contributor
Photo: Lars Kruse, Aarhus Universitet
Current system
- > 10 000 users
- 4 countries: US, UK, VN, Singapore
- 1.3B user profiles
- > 1B new raw data daily (~110 GB)
- Hundreds of jobs daily
Images by ConnieZhou
Let’s compare: 10 TB
- 45,813,058.125 books (200 pages of 240,000 characters)
- 2,621,440 MP3 files (with 4MB average file size)
- 3,495,250 MP3 files (with 3MB average file size)
Since 2014, we have brought success to hundreds of thousands of online marketing campaigns based on our big data system.
DYNO
DYNO has the ability to build, organize, and operate a Big Data system with efficiency and speed, then apply Machine Learning algorithms to make magic happen.
These are our advantages: unique technology, talents, company culture, growth hack, extreme product focus.
Organize the world’s information and make it universally accessible and useful.
Our mission is aligned with Google’s mission
With Sundar Pichai - CEO of Google
Yes, We Can Power that
- User Identify
- Social User Modeling
- Social CRM
- Advertising Network
- Big Data System
- Data Mining
Our	Partners
Our Clients
- Real estate
- Ecommerce
- Beauty
- Fashion
- Food & Drinks
- Education
- Co-working space
- Retail
- Finance
- Other
vaytaichinh.info
Vay	Tiền	Mặt
Our	Partners
Just Google
HOW TO PROTECT YOUR SYSTEM, PARTNERS & CUSTOMERS?
Infrastructure Has Changed
EARLY 2000’s, MID 2000’s, NOW
Buying Hardware, Infrastructure As a Service
Security Has Changed
Cybercrime Has Also Changed
EARLY 2000’s, MID 2000’s, NOW
Single Actors, Highly Organized Groups
Cybercrime is Flourishing
- Expanding Attack Surfaces: 508 is the average number of applications in an enterprise (Forbes, 2014)
- Overwhelmed Defenses: 37% of US companies face 50,000+ alerts per month (FireEye, 2015)
- Evolution of Adversaries: 390,000 new malicious programs every day with a viable ecosystem (AV-TEST, 2016)
Attack methods are evolving
• Security risks
- Perception of increased risk due to lack of control
- Blind spots: no way to connect on-premise and cloud attacks
- Increased threat surface
- Tuning tools for relevant notifications
[Figure: two pie charts of attack types, "Cloud Environment" and "On Premise Environment". Categories: application-attack, brute-force, recon, trojan-activity, suspicious-activity, denial-of-service. Slice values as extracted, first chart: 42%, 25%, 19%, 8%, 4%, 2%; second chart: 51%, 22%, 5%, 3%, 1%, 18%. Source: Alert Logic CSR 2016]
Today’s Attacks Have Several Stages
Who is being targeted? BIG
And Small
SECURITY IN THE CLOUD
The Cloud Can be Secure
“Public cloud workloads can be at least as
secure as those in your own data center, likely
better.”
Neil MacDonald – Gartner Security and Risk Management Summit, London, Sept 2015
Cloud has disrupted traditional security
CLOUD DRIVERS vs TRADITIONAL SECURITY
- DEPLOYMENT & MANAGEMENT: AGILITY & AUTOMATION vs SLOW, COMPLEX CONFIGURATIONS
- PERFORMANCE & OPERATIONS: HYPER-SCALABILITY vs SCALING CHOKEPOINTS
- CUSTOMER APPLICATION REQUIREMENTS: PRIORITY: WEB APPLICATIONS vs POOR DETECTION OF WEB APP ATTACKS
Challenges of being Secure in the Cloud
SECURITY TOOLS ARE
- Complicated to use
- Difficult to deploy
- Expensive to manage and tune
HUMAN EXPERTISE IS
- Hard to find
- Harder to keep
- Very expensive
THREAT INTELLIGENCE AND SECURITY CONTENT
- Gets stale quickly
- Requires specific know-how
- Validation required to avoid false positives
Cloud Security – New Approach
The Principles of security do not change but your Approach to security needs to change:
• Security best practices are no different in the cloud
• You need to apply the same security standards to cloud workloads as applied to on-premises
• Understand the Shared Responsibility of Cloud Security
Cloud Security is a Shared, but not Equal, Responsibility
• Security Monitoring
• Log Analysis
• Vulnerability Scanning
• Network Threat Detection
• Security Monitoring
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (including multi-factor authentication)
• Access Management
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption
• Network Security Configuration
• Web Application Firewall
• Vulnerability Scanning
• Application level attack monitoring
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)
• Logical Network Segmentation
• Perimeter Security Services
• External DDOS, spoofing, and scanning monitored
CUSTOMER | ALERT LOGIC | MICROSOFT
APPS
VIRTUAL MACHINES
NETWORKING
INFRASTRUCTURE
SERVICES
YOU NEED A SOLUTION?
We protect cloud workloads & web applications
FULLY-MANAGED SECURITY, DELIVERED AS A SERVICE
BLOCK, COMPLY, ASSESS, DETECT
• Full-stack security
• Integrated analytics & experts
• Built for cloud
• Cost-effective outcomes
Data Center
Hosting
Integrated value chain delivering full stack security, experts included
Attack classes: Web App Attacks, OWASP Top 10, Platform / Library Attacks, System / Network Attacks
Stack covered: Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Databases, Networking, Cloud Management
CLOUD INSIGHT
Analytics: Signatures & Rules, Anomaly Detection, Machine Learning
• Threat Intelligence
• Security Research
• Data Science
• Security Content
• Security Operations Center
ACTIVEWATCH
DETECTION & PROTECTION: Web Security Manager, Log Manager, Threat Manager
ALL IN ONE DEFENDER
Security designed for cloud and hybrid environments
- GET STARTED IN MINUTES with modular services that grow with you
- MAINTAIN COVERAGE AT CLOUD SCALE with integration to cloud APIs and DevOps automation
- KEEP PRODUCTION FLOWING with auto-scaling support and out-of-band detection
Single pane of glass for workload and application security across cloud, hosted & on-premises
A recognized security leader
PETER STEPHENSON, SC Magazine review: “…the depth and breadth of the offering’s analytics and threat management process goes beyond anything we’ve seen…”
[Figure: two survey charts, "Who is your primary in-use vendor for Cloud Infrastructure Security?" and "Who are the top vendors in consideration for Cloud Infrastructure Security?", with Alert Logic marked among the Leaders. Vendors shown: ThreatStack, FortyCloud, CloudCheckr, CloudPassage, Microsoft, Palerra, Evident.io, JumpCloud, Barricade, Symantec, Okta, Intel Security, Fortinet, Cisco, Chronicle Data, Check Point, Amazon, Other, Alert Logic]
BEST PRACTICE & TAKEAWAYS
10 Cloud Security Best Practices
1. Secure your code
2. Create access management policies
3. Data Classification
4. Adopt a patch management approach
5. Review logs regularly
6. Build a security toolkit
7. Stay informed of the latest vulnerabilities that may affect you
8. Understand your cloud service provider’s security model
9. Understand the shared security responsibility
10. Know your adversaries
Top 3 Takeaways
1. Cyber Crime is flourishing – Big and small companies
2. Security in the Cloud has similar overall principles but new complexity
3. You may need a full stack security vendor with experts included
Challenges at DYNO - Advertising Network
• Things we have to do
  • Deliver the right ad at the right time to the right people
  • Mine user information to help brands understand their audience
  • Build flexible ad targeting infrastructure
  • Analyze user behavior to improve ad relevancy in real time
Challenges at DYNO - User Profiling
• The truth
  • 65 social networks all around the world
  • 2B monthly active users from Facebook (300 PB data warehouse)
  • Unlimited data still offline
• The problem:
  • How do you know whether N accounts from Facebook, Google, Twitter, Linkedin, StackOverFlow, Github, … belong to one person?
Challenges at DYNO - Image Processing
• The problem
  • Detect broad sets of objects (House, Car, Motorbike)
  • Find topical entities (Logo, Celebrity, New Event)
  • Face detection
Big Data Challenges At DYNO - Image Extraction
• Things we have to do
  • Deliver the right ad at the right time to the right people
  • Mine user information to help brands understand their audience
  • Build flexible ad targeting infrastructure
  • Analyze user behavior to improve ad relevancy in real time
We are hiring - Data Engineer
Responsibilities
- Designing and developing high-volume, low-latency applications for
mission-critical systems and delivering high-availability and
performance
- Writing well designed, testable, efficient components for ETL system
- Processing, cleansing, verifying the integrity of data
Requirements
- BS/MS degree in Computer Science, Engineering or a related subject
- Language: Java, Python
- Knowledge of API, Databases, Distributed system
- (Plus) Data scraping experience
- (Plus) Familiar with big data system (Volume, variety and velocity)
- (Plus) Domain knowledge (E-commerce / Finance / Retail / Real estate /
Advertising)
We are hiring - Data Scientist
Responsibilities
- Designing, mining, testing machine learning algorithms for
delivering valued information from DYNO data warehouse.
- Doing ad-hoc analytics and presenting results
- Selecting features, building, optimizing algorithms
Requirements
- BS/MS degree in Computer Science, Engineering or a related
subject
- Good at machine learning algorithms
- (Plus) Familiar with big data system (Volume, variety and velocity)
- (Plus) Domain knowledge (E-commerce / Finance / Retail / Real
estate / Advertising)
JOIN THE FLIGHT
IO Extended 2017
Facebook: fb/pham.phuong.tu
Twitter: @phamptu
Slideshare: /phamphuongtu
Email: tu@dyno.vn
