The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
The How to Test for the OWASP Top Ten webcast focuses on the telltale markers of the OWASP Top Ten and on techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
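As an added example (not part of the webcast), the following Python script shows what one such test procedure looks like for the Injection entry: a deliberately vulnerable lookup beside its parameterized counterpart, and a probe that tells them apart using a tautology payload and a boolean pair. The schema, rows and payloads are constructed for the example.

```python
"""Added example: demonstrating and testing for SQL injection.
The table, rows and probe payloads below are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username: str):
    # Vulnerable: untrusted input is spliced into the query text, so a quote
    # in the value ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    # Hardened: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Probe 1: a tautology that widens the WHERE clause if it is interpreted as SQL.
TAUTOLOGY = "' OR '1'='1"
# Probe 2: a boolean pair that differs only in a condition the database would evaluate.
BOOLEAN_PAIR = ("alice' AND '1'='1", "alice' AND '1'='2")


def is_injectable(conn, lookup) -> bool:
    """Black-box susceptibility test against a lookup function.

    A lookup is flagged when a tautology payload returns more rows than a bogus
    name does, or when the two halves of the boolean pair return different rows.
    A correctly parameterized lookup treats every payload as a literal username
    that matches nothing, so both checks stay negative.
    """
    if len(lookup(conn, TAUTOLOGY)) > len(lookup(conn, "no-such-user")):
        return True
    true_rows, false_rows = (lookup(conn, p) for p in BOOLEAN_PAIR)
    return true_rows != false_rows


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": is_injectable(conn, find_user_vulnerable),
        "safe": is_injectable(conn, find_user_safe),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'INJECTABLE' if flagged else 'not injectable'}")
```

The boolean pair matters in practice because a tautology alone can be masked by application-level filtering of the result set, whereas two requests that differ only in an always-true versus always-false condition expose the difference regardless of how many rows the page shows.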
• What is gateway-level protection?
• What is a firewall?
• Why is unified management needed?
• What is UTM?
• Differences between UTM and a firewall
• Why you should switch to UTM gateway-level protection
• Features and advantages offered by UTM
• How Seqrite Terminator helps attain the highest level of safety, management and security
The Cloud Security Rules, a one-hour presentation as given at The Norwegian Developer Conference in Oslo, June 2012 (NDC Oslo 2012).
It targets managers and decision makers, helping them understand how to choose the best cloud supplier for their needs.
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W... (Security Innovation)
This talk will help you, as a decision maker or architect, to understand the risks of migrating a thick client or traditional web application to the modern web. In this talk I’ll give you tools and techniques to make the migration to the modern web painless and secure so you can mitigate common pitfalls without having to make the mistakes first. I’ll be doing demos, and telling lots of stories throughout.
Making some good architectural decisions up front can help you:
- Minimize the risk of data breach
- Protect your users' privacy
- Make security choices the easy default for your developers
- Understand the cloud security model
- Create defaults, policies, wrappers, and guidance for developers
- Detect when developers have bypassed security controls
Web App Security Presentation by Ryan Holland - 05-31-2017 (TriNimbus)
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic for the Vancouver AWS User Group Meetup on May 31, 2017.
OWASP Top 10 - 2017: Top 10 web application security risks (Kun-Da Wu)
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs the OWASP Top 10 - 2017 so you can learn more about these important security issues.
Application Security - Your Success Depends on it (WSO2)
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of how well those layers are guarded, the system can still be penetrated and the entire deployment brought down if your application's security is not taken seriously. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application during the software development phase.
In this session, Dulanja will discuss the following:
- The importance of application security: why network and OS security is insufficient
- Challenges in securing your application
- Making security part of the development lifecycle
Threat Modeling and OWASP Top 10 (2017 rc1), by Mike Tetreault
This session introduces the OWASP Top Ten Web Application Security Risks, provides the basics of threat modeling, and helps understand how a Web Application Firewall (WAF) can help address security defects.
Webinar topic: Cloud Security Introduction
Presenter: Achmad Mardiansyah
In this webinar series, we discuss an introduction to cloud security.
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube channel and Telegram
Patch, patch and patch!
This has been the go-to mantra of security professionals, and the recent WannaCry ransomware attack has highlighted its importance once again.
Seqrite EPS with Centralized Patch Management - Proven Security Approach for Ransomware Protection
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur... (Microsoft Private Cloud)
The idea that purchasing services from a cloud service provider may allow businesses to save money while they focus on their core business is an enticing proposition. Many analysts view the emerging possibilities for pricing and delivering services online as disruptive to market conditions. Market studies and the ensuing dialogue among prospective customers and service providers reveal some consistent themes and potential barriers to the rapid adoption of cloud services. Business decision makers want to know, for example, how to address key issues of security, privacy and reliability in the Microsoft Cloud Computing environment, and they are concerned as well about the implications of cloud services for their risk and operations decisions.
Threat Modeling for Web Applications (and other duties as assigned), by Mike Tetreault
This presentation provides an overview of the OWASP Top Ten Web Application Security Risks, approaches to mitigate them, and a framework for addressing the inherent risk.
Guide to Cybersecurity Compliance in China (Alibaba Cloud)
See Webinar Recording at https://resource.alibabacloud.com/webinar/detail.htm?webinarId=8
This presentation features a comprehensive introduction to China’s Cybersecurity Law, including analysis of key articles and their implementation so far. It aims to provide a roadmap to help global companies understand regulatory risks related to network security, content security, personal information protection and data cross-border transfer.
More Webinars: https://resource.alibabacloud.com/webinar/index.htm
Blog: Navigating Through China's Cybersecurity Legislation
https://www.alibabacloud.com/blog/Navigating-Through-China's-Cybersecurity-Legislation_p570635
ICP License: www.alibabacloud.com/icp
China Connect: www.alibabacloud.com/chinaconnect
User management - the next-gen of authentication meetup 27012022 (Lior Mazor)
Authentication is evolving. Customers are expecting much more from the user management experience in applications they are using today. Join us virtually for our upcoming "User Management - the next-gen of Authentication" meetup to learn about the secrets of building user management the right way, the secure way.
Cloud Security Engineering - Tools and Techniques (Gokul Alex)
Cloud Security Engineering Education Materials prepared by Gokul Alex. It covers the essential tools and techniques to protect cloud enterprise architectures and cloud information systems.
A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following four vulnerabilities:
• Injection
• Sensitive Data Exposure
• Cross-Site Scripting
• Insufficient Logging and Monitoring
Top 10 AWS Security and Compliance best practices (Ahmad Khan)
Learn how to secure your AWS environment against attacks and misconfigurations. These ten controls support compliance with regimes such as HIPAA, PCI DSS, FISMA and the NIST frameworks.
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks (Andre Van Klaveren)
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
PCI compliance is a steep enough challenge, but what happens when your entire infrastructure is in AWS? Do the same concepts of network segmentation and separation apply, and if so how? At what point do AWS compliance efforts intersect with your compliance efforts? This session will cover how Warren Rogers Associates is using the Palo Alto Networks VM-Series for AWS to maintain separation of data and traffic in AWS to improve security and achieve PCI compliance.
Warren Rogers Associates pioneered the development of Statistical Inventory Reconciliation Analysis (SIRA) and Continual Reconciliation for monitoring underground fuel tanks and associated lines. These methods are certified in accordance with EPA requirements and have been used by petroleum marketers for more than 25 years. Today, Warren Rogers specializes in statistical analysis and precision fuel system diagnostics for the retail petroleum industry and develops innovative ways to identify and combat fuel shrinkage and theft. Session sponsored by Palo Alto Networks.
All presentation slides for the Chicago AWS user group meetup held at Mediafly on June 24, 2014. Thanks to speakers:
Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen
Bryan Murphy, Technical Architect at Mediafly @bryanmurphy
Aaron Botsis, Lead Product Manager at ThreatStack @aaronb
Mattew Long, Founder and CEO at roZoom, Inc @mlong168
Thanks to sponsors:
Hosts: Mediafly
Beers and drinks: ThreatStack
Pizza: el el see
Organizers: CohesiveFT
See you in July!
RSVP here: http://www.meetup.com/Chicago-Amazon-Web-Services-Group/
Microsegmentation from strategy to execution (AlgoSec)
Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take.
In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network.
Register now for this live webinar and get a practical blueprint to creating your micro-segmentation policy:
What is micro-segmentation?
Common pitfalls in micro-segmentation projects and how to avoid them.
The stages of a successful micro-segmentation project.
The role of policy change management and automation in micro-segmentation.
How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Discl... (Priyanka Aash)
Breaches are at an all-time high. In this webinar, learn the do's and don'ts of handling breach disclosure: best practices for setting up a bounty program, how to respond to responsible disclosures, and lessons from the industry.
Key Points To Be Discussed:
-How to build a vulnerability disclosure program?
-What are various types of vulnerability disclosures programs?
-When and when NOT to have a bug bounty program?
-Do's and Don'ts for handling a breach disclosure
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig... (Amazon Web Services)
The cloud is not an 'All or Nothing' approach with regards to replacing workloads inside your datacenter. Enterprises with existing datacenters can easily extend their Infrastructure into the cloud to seamlessly leverage the benefits of cloud while using the same set of controls familiar to their business. However availability and security still remain among the top two concerns for CIOs when deciding on cloud adoption for their organization.
Amazon Web Services has infrastructure across multiple geographical Regions spanning five continents, with multiple Availability Zones in each Region along with a set of global edge locations. Building a similar infrastructure for high availability with your traditional datacenter would be non-trivial and cost prohibitive. Join this session to understand how you can achieve high availability across geographies, deploy your applications close to your users, control where your data is located, achieve low latency, and migrate your applications around the world in a cost-effective and easy manner using AWS services. You will also learn how AWS builds services in accordance with security best practices, provides appropriate security features in those services, and has achieved industry standard certifications and other third-party attestations. In addition, in line with the shared security model on the cloud, AWS customers must leverage security features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
Application Security session given as part of the Solvay Executive Master in IT Management. It explains application security challenges for web, mobile, cloud and the Internet of Things, and positions OWASP SAMM as a structured and measurable framework for getting application security under control across the complete application lifecycle.
Your organisation's data are now everywhere: on your servers and your desktop PCs; on your employees' smartphones, tablet computers and laptops; on social networks; and in public clouds. Some of these data require special protection but they also need to be accessed remotely, which makes security a considerable challenge. Can you trust public clouds to keep your data safe and secure? Can you trust your own internal systems? And on what criteria and risk management strategies should you base your trust? -- Dr Mark Ian Williams's presentation at the April 2012 'Why Cloud? Why now?' conference at the headquarters of the Institute of Chartered Accountants in England and Wales.
Cloud Security for Regulated Firms - Securing my cloud and proving it (Hentsū)
As a regulated cloud user, security and compliance are two of your primary concerns. This workshop covers how to keep secure and how to demonstrate your compliance to key stakeholders.
Specifically, what can be done to secure cloud resources and show compliance for auditors, investors, DDQs, SSAE16, covering:
- Strategies for securing data in transit and at rest
- Federating with your internal directory for role based access to your cloud
- Capturing and processing audit logs for security event notifications
- Fun with Infrastructure as Code – detecting and reverting misconfigurations and manual changes
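As an added example (not part of the Hentsū workshop), the following Python code shows the drift-detection idea from the last bullet: a declared set of security-group rules, as infrastructure-as-code templates would state them, is compared with the rules observed live, every undeclared rule is ranked by exposure, and an ordered revert plan is produced. The group names, rules and the Rule type are constructed for the example; in a real run OBSERVED would be populated from the cloud provider's describe call and the plan fed to the corresponding revoke and authorize calls.

```python
"""Added example: infrastructure-as-code drift detection for security-group rules.
Declared state, observed state and the Rule type are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True, order=True)
class Rule:
    direction: str   # "ingress" or "egress"
    proto: str       # "tcp", "udp", ...
    port: int
    cidr: str


SG = Dict[str, FrozenSet[Rule]]

# Desired state as declared in the IaC templates (constructed).
DECLARED: SG = {
    "sg-web": frozenset({
        Rule("ingress", "tcp", 443, "0.0.0.0/0"),
        Rule("ingress", "tcp", 22, "10.0.0.0/8"),
    }),
    "sg-db": frozenset({
        Rule("ingress", "tcp", 5432, "10.0.1.0/24"),
    }),
}

# Live state as read back from the cloud API after some manual changes (constructed).
OBSERVED: SG = {
    "sg-web": frozenset({
        Rule("ingress", "tcp", 443, "0.0.0.0/0"),
        Rule("ingress", "tcp", 22, "0.0.0.0/0"),     # SSH opened to the Internet by hand
    }),
    "sg-db": frozenset({
        Rule("ingress", "tcp", 5432, "10.0.1.0/24"),
        Rule("ingress", "tcp", 3389, "0.0.0.0/0"),   # RDP rule nobody declared
    }),
}

ADMIN_PORTS = {22, 3389}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def severity(rule: Rule) -> str:
    """Rank an undeclared rule: world-reachable admin ports come first."""
    if rule.cidr == "0.0.0.0/0" and rule.port in ADMIN_PORTS:
        return "critical"
    if rule.cidr == "0.0.0.0/0":
        return "high"
    return "medium"


def detect_drift(declared: SG, observed: SG) -> Dict[str, Dict[str, FrozenSet[Rule]]]:
    """Per group: rules live but undeclared ("added") and declared but missing ("removed").

    Groups that appear in only one of the two states are treated as empty in the other,
    so a group created or deleted by hand shows up as drift too.
    """
    report: Dict[str, Dict[str, FrozenSet[Rule]]] = {}
    for sg in sorted(set(declared) | set(observed)):
        want = declared.get(sg, frozenset())
        have = observed.get(sg, frozenset())
        added, removed = have - want, want - have
        if added or removed:
            report[sg] = {"added": added, "removed": removed}
    return report


def revert_plan(report: Dict[str, Dict[str, FrozenSet[Rule]]]) -> List[Tuple[str, str, Rule, str]]:
    """Actions that return live state to declared state, most dangerous drift first."""
    actions: List[Tuple[str, str, Rule, str]] = []
    for sg, drift in sorted(report.items()):
        for rule in sorted(drift["added"]):
            actions.append(("revoke", sg, rule, severity(rule)))
        for rule in sorted(drift["removed"]):
            actions.append(("authorize", sg, rule, "medium"))
    # Stable sort: within a severity tier the group/rule order above is preserved.
    actions.sort(key=lambda action: SEVERITY_RANK[action[3]])
    return actions


if __name__ == "__main__":
    for action, sg, rule, sev in revert_plan(detect_drift(DECLARED, OBSERVED)):
        print(f"[{sev}] {action} {sg} {rule.direction} {rule.proto}/{rule.port} {rule.cidr}")
```

Comparing sets of normalized rules rather than raw API responses is what makes the check robust to ordering and to cosmetic differences in the provider's output; the same shape works for any resource whose desired state can be reduced to a set of hashable tuples.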
Securing The Clouds with The Standard Best Practices-1.pdf (Chinatu Uzuegbu)
Technology adoption in the cloud is overwhelming, and so is the global shift towards it. It is important to build stronger walls of security around the cloud.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current cyber risks
• Data breaches and cloud misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Heartbleed Bug Vulnerability: Discovery, Impact and Solution (CASCouncil)
Join the CASC Wednesday April 30 for a Google+ hangout on the Heartbleed Bug. We’ll cover everything from what the bug does to how to tell if your site is at risk and how certificate authorities are responding.
Panel of CASC members:
• Robin Alden- Comodo
• Jeremy Rowley- DigiCert
• Bruce Morton- Entrust
• Rick Andrews- Symantec
• Wayne Thayer- Go Daddy
Watch the recording: http://bit.ly/1jAQCtk
Security in the cloud Workshop HSTC 2014 (Akash Mahajan)
A broad overview of what it takes to be secure. This is more of an introduction, where we cover the basic terms around cloud computing and how to go about securing our information assets (data, applications and infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
Similar to The Notorious 9: Is Your Data Secure in the Cloud?
External Roadmap – Sage 100 and 100cloud (BCS ProSoft)
Sage 100 is a platform designed to help small and mid-sized businesses manage their resources with a very effective enterprise resource planning (ERP) toolkit. The system delivers a comprehensive financial and operation functionality, which includes manufacturing and inventory features right out of the box.
This is the presentation from our Deltek Vision user group meeting in Baton Rouge, Houston and Honolulu. During this presentation we talked about project set-up best practices, Deltek Vision in the Cloud, Deltek for Professional Services, and much more. Want to attend a user group in your city? http://www.bcsprosoft.com/deltek-vision/user-groups/
This is the presentation from our Sage 100 (MAS 90/200) user group meeting in San Antonio, Houston and Denver. During this presentation we talked about what's new in v2018 and some Year-End processing tips. Want to attend a user group in your city? http://www.bcsprosoft.com/sage-100/user-groups/
This is the presentation from the Sage 100 user groups we held this October and November in Denver, Houston and San Antonio. We went over some important year-end review procedures, supported versions, some Sage 100 Tips & Tricks, and had a frank discussion about Sage 100c and cloud alternatives.
BCS ProSoft hosts Sage user group meetings all over the country so check out http://www.bcsprosoft.com/sage-100/user-groups/ to find a group near you.
Deltek Vision User Group | October 2016 (BCS ProSoft)
This is the presentation from the Deltek Vision user groups we held this October in Honolulu, Houston and Baton Rouge. We went over some important year-end review procedures, new features in version 7.6, some Deltek Vision Tips & Tricks, and talked about Deltek's acquisition of Union Square and Project Information Management Systems (PIMS).
BCS ProSoft hosts Deltek Vision user group meetings all over the country so check out http://www.bcsprosoft.com/deltek-vision/user-groups/ to find a group near you.
These Deltek Vision Processing Procedures were presented at our Vision user groups in Baton Rouge, Honolulu, Houston, San Antonio and San Diego. For more information please visit http://www.bcsprosoft.com/blog/december-2015-deltek-vision-user-group-recap/
Deltek Clarity A&E Industry Study - Houston, TX (BCS ProSoft)
A full summary of this presentation can be found at http://www.bcsprosoft.com/overview-of-texas-burgeoning-ae-industry/
This presentation was from the Deltek Clarity A&E Industry Study - Houston, TX hosted by BCS ProSoft and Deltek.
Business Insights Explorer Tips & Tricks | Q1 2015 Sage 100 ERP User Group (BCS ProSoft)
During this Sage 100 User Group we spoke about one of the most underutilized features in Sage 100 ERP (formerly MAS 90 and MAS 200), Business Insights Explorer.
Year-End Processing with Sage 100 ERP (MAS 90 and MAS 200) | Q4 2014 Sage 100... (BCS ProSoft)
During this Sage 100 ERP (formerly MAS 90 and MAS 200) user group meeting we spoke about important Year-End processing procedures as well as year-end reporting, order of closing modules and some Sage 100 tips and tricks, including:
-Learn how to create an archive company
-Review Setup Options and potential changes for new year
-Year End Forms and Electronic Reporting
BCS ProSoft hosts quarterly Sage 100 user groups in San Antonio, Houston, Denver and Honolulu as well as online as a webcast. If you'd like to join us or view the upcoming schedule of events, please visit http://www.bcsprosoft.com/sage-100/user-groups/
Year-End Processing with Deltek Vision | Q4 2014 Vision User Group (BCS ProSoft)
During this webinar BCS ProSoft Deltek Vision Consultant, Nedra Roberson, spoke about Year-End processing procedures and how to use the information in Vision to create reports for professional liability audits, employee review and worker compensation audits, including:
-Year-End review processes
-How to use User-Defined Fields for report creation in Vision
-How to create reports for professional liability audits, employee review and worker compensation audits
BCS ProSoft hosts quarterly Deltek Vision user groups in San Antonio, Houston, Denver and Honolulu as well as online as a webcast. If you'd like to join us or view the upcoming schedule of events, please visit http://www.bcsprosoft.com/deltek-vision/user-groups/
What's New in Deltek Vision 7.3 | Deltek Vision User Group Meeting (BCS ProSoft)
During this user group meeting we spoke about what's new and on the horizon for Deltek Vision 7.3, enhancements to Navigator 1.9, and some Deltek Vision tips & tricks. If you'd like to join us at one of our local Vision User Group Meetings in San Antonio, Houston, Denver, Honolulu or online as a webcast please visit us online at http://bit.ly/deltekvisionugm
Consultant Accruals in Deltek Vision | Deltek Vision User Group Meeting | Q2 ... (BCS ProSoft)
This presentation was the topic of the Houston, San Antonio, Denver and Honolulu Deltek Vision User Group Meetings held throughout June 2014.
For more information about Deltek Vision for your project-based AE or consulting firm, Vision training or consulting, or joining one of our User Group Meetings visit http://www.bcsprosoft.com/deltek-vision.
Custom Office A to Z in Sage 100 ERP (MAS 90 & MAS 200), by BCS ProSoft
This presentation was the topic of the Houston, San Antonio, Denver and Honolulu Sage 100 ERP (formerly MAS 90 & MAS 200) User Group Meetings held throughout March 2014. During the user group we discussed the reasons we customize using Sage 100, the benefits of the Custom Office Module, a review of the key concepts and terms, and how to find examples of VBScript. Then to top things off we ended by covering some of the newest features in Sage 100 and some tips & tricks.
For more information about Sage 100 for your company, training, consulting, or joining one of our User Group Meetings visit http://www.bcsprosoft.com/sage-100.
Improve Billing Process and Performance with Deltek Vision – BCS ProSoft
This presentation was the topic of the Houston, San Antonio, Denver and Honolulu Deltek Vision User Group Meetings held throughout March 2014. During the user group we spoke about daily entry of time and expenses in Deltek Vision, the importance of following and enforcing the time and expense approval process, why billing procedures are started at the same time every month, compliance and the draft review period, and changes or corrections to accounting within the review period. Then to top things off we ended by covering some of the newest features in Deltek Vision and covered some tips & tricks.
For more information about Deltek Vision for your project-based AE or consulting firm, Vision training or consulting, or joining one of our User Group Meetings visit http://www.bcsprosoft.com/deltek-vision.
This webcast was presented by BCS Prosoft on October 23, 2013. It highlights the new features and the changes to existing features in the Deltek Vision 7.1 update. These items include changes to the invoice & approvals process, the system interface, system security, advanced WBS search / list views, transaction auto numbering, and transactional document management.
For more information on Deltek Vision, training or consulting please visit http://www.bcsprosoft.com/deltek-vision. For more events hosted by BCS Prosoft please see http://www.bcsprosoft.com/events.
Straight Talk About the Cloud: Why Some Companies Are Leveraging Modern Techno... – BCS ProSoft
This presentation was the Q3 installment of BCS Prosoft's Executive Seminar Series: Your Firm In The Cloud. These lunch & learns were held throughout the month of September in San Antonio, Houston, Denver and Honolulu. This slideshow covers historical and current trends in business technology and what's most important to buyers today, the technical requirements, maintenance, cost and ROI of on-premise, hosted and cloud software, and the telltale signs that your firm should consider moving to the cloud at some point in the future.
To register for a lunch & learn near you please visit http://www.bcsprosoft.com/cloud
What's New in Deltek Vision 7.1, Invoice Approvals, Overhead Allocation and 5... – BCS ProSoft
These slides are from BCS Prosoft's 2013 third quarter Deltek Vision User Group Meetings held in San Antonio, Houston, Denver and Honolulu. To register for your local UGM please visit http://www.bcsprosoft.com/deltekugm
UiPath Test Automation using UiPath Test Suite series, part 4 – DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024) – Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... – BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and Grafana – RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Search and Society: Reimagining Information Access for Radical Futures – Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Neuro-symbolic is not enough, we need neuro-*semantic* – Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this is illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... – Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Mission to Decommission: Importance of Decommissioning Products to Increase E...
The Notorious 9: Is Your Data Secure in the Cloud?
1.
2. http://www.bcsprosoft.com
• Cloud Recap
• What’s keeping you up at night (aka – “The Notorious Nine”)
• How Cloud publishers are securing your data
• With security in mind, why would you move to the cloud?
• Questions to ask Cloud publishers
• Q&A
3. http://www.bcsprosoft.com
• 27+ Years Experience
• 1,500 Clients across all 50 States, Canada, and Mexico
• Offices in San Antonio, Houston, Denver, Honolulu
• Award winning partners with
4. http://www.bcsprosoft.com
• Cloud computing…
– The word "cloud" is used as a metaphor for "the Internet"
– Cloud computing is the process of outsourcing IT services – such as servers, storage and applications – to a shared platform accessed via the Internet.
– End users access cloud-based applications through a web browser or lightweight desktop or mobile apps, while business software and data are stored on servers at a remote location.
– Services are provided as a utility, most often on a subscription basis
– Saves money and energy, as a vendor maintains the infrastructure and applications that run in the cloud environment instead of the organization.
6. http://www.bcsprosoft.com
Who manages each layer of the stack under each delivery model:
Layer            On Premise    IaaS                 PaaS                 SaaS
Applications     You manage    You manage           You manage           Managed by vendor
Data             You manage    You manage           You manage           Managed by vendor
Runtime          You manage    You manage           Managed by vendor    Managed by vendor
Middleware       You manage    You manage           Managed by vendor    Managed by vendor
O/S              You manage    You manage           Managed by vendor    Managed by vendor
Virtualization   You manage    Managed by vendor    Managed by vendor    Managed by vendor
Servers          You manage    Managed by vendor    Managed by vendor    Managed by vendor
Storage          You manage    Managed by vendor    Managed by vendor    Managed by vendor
Networking       You manage    Managed by vendor    Managed by vendor    Managed by vendor
7. http://www.bcsprosoft.com
• All resources managed by the end-user organization.
• Everything is private and controlled.
On Premise stack (every layer managed by you): Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime
9. http://www.bcsprosoft.com
(Build of the On Premise, IaaS and PaaS columns of the comparison table shown on slide 6)
10. http://www.bcsprosoft.com
(Repeat of the full comparison table shown on slide 6, with the SaaS column added)
11. http://www.bcsprosoft.com
• Multi-Tenant – Single instance of software runs on a server, serving multiple client organizations (tenants).
• Single Tenant – Physical or virtual machine is exclusively dedicated to a single client, i.e. software is not shared with multiple customers. This is more expensive for a vendor to setup and maintain.
14. http://www.bcsprosoft.com
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
18. http://www.bcsprosoft.com
4. Cloud computing providers expose a set of software interfaces (APIs) that customers use to manage and interact with cloud services. Lack of (or inadequate) security opens the possibility of unauthorized access.
19. http://www.bcsprosoft.com
5. Denial-of-Service attacks are meant to prevent users of a cloud service from being able to access their data and/or applications by forcing the victim cloud service to consume inordinate amounts of finite system resources.
20. http://www.bcsprosoft.com
6. A current or former employee, contractor, etc. with authorized access misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of company data.
21. http://www.bcsprosoft.com
7. Use of the power of distributed cloud services to perform power intensive tasks, formerly not feasible/possible from a single computer.
24. http://www.bcsprosoft.com
• Perhaps not!
– Is your staff properly trained?
– Are your servers really secure?
– Do you have adequate backups?
– What about natural disasters?
• Your data security is only as good as your system manager and your weakest user!
26. http://www.bcsprosoft.com
• American Institute of Certified Public Accountants (AICPA)
– SSAE 16 (supersedes SAS 70)
• International Federation of Accountants (IFAC)
– ISAE 3402 (Type 1 or Type 2)
• PCI Security Standards Council
– PCI DSS
• US Department of Commerce
– US-EU Safe Harbor
27. http://www.bcsprosoft.com
• 24/7-365 Monitoring
• Continuous Monitoring with Intrusion Detection Systems (IDS)
• Separation of Duties
• Strong Management of Physical Access
• Fully Guarded Premises
• Continuous Data Center Performance Audits
28. http://www.bcsprosoft.com
Data center tiers (each tier includes the requirements of the tiers below it):
Tier 1 – Non-redundant capacity components
Tier 2 – Tier 1 plus redundant capacity components
Tier 3 – Tier 2 plus dual-powered equipment and multiple uplinks
Tier 4 – All components are fully fault-tolerant, including uplinks, storage, chillers, HVAC systems, servers, etc.; everything is dual-powered
31. http://www.bcsprosoft.com
• Reduced internal IT infrastructure
• Backup & redundancy in the Cloud
• Predictable monthly costs
• Low/no cost upgrades – always running the latest version
• Anywhere, anytime access, on ANY device, i.e. everything through a browser
• No/limited install of local files & programs
36. http://www.bcsprosoft.com
• What encryption mechanisms do you use for customers’ data?
• In how many locations do you store customer data?
• What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
• How is your data center physically protected?
• Which of your employees have access to customers’ data?
• How do you authenticate users?
• How precisely can you specify the degree of access that individual users have to data?
37. http://www.bcsprosoft.com
• How many and what types of security breaches have you experienced in the last 12 months? If you had any, what were they? What new protections have you put into place?
• What disaster recovery protections do you have in place?
• What are your security scenarios? Why should I trust you?
• What tracking, reporting, and auditing capabilities do you offer?
• Do you comply with all relevant government and industry laws and regulations?
38. http://www.bcsprosoft.com
• What Security Certifications do you hold? Can you provide me with copies?
• What happens to data when you “delete” it? Is it actually wiped out?
• What happens if we decide we want to discontinue using your services?
• Who owns the rights to the data?
39. http://www.bcsprosoft.com
• Complete the Questionnaire
• I’ll send you more detail:
– The Notorious Nine from the Cloud Security Alliance
– What to Look for in a Service Level Agreement (SLA)
In a moment, I’m going to ask you to introduce yourself and I’m going to ask you to tell me what you are hoping to get from attending this meeting. Before we get into security in the cloud, I thought it would be useful to do a little review of some of the terms associated with Cloud Computing today. Next we’ll talk about the “Notorious Nine” security issues and what you SHOULD be worried about. Don’t panic! There is hope, and once we understand the concerns, we’ll discuss how top publishers are addressing these security issues. Once you understand the good and the bad of cloud computing, we’ll provide you with some tools to decide who you can trust to partner with in the cloud. Finally, we’ll end this session with Q&A.
Before we begin, let’s do a bit of housekeeping. This is a “No Spin Zone.” There isn’t any blue or red in the room, which means that I’m going to present the facts without a slant one way or the other – and you’ll decide how you feel about the cloud. Restrooms. Time check. Questions before we begin?
Ha! I was doing this presentation a few days ago in San Antonio and one of the attendees stopped me and said, “What decade was THAT picture taken in!” And I had to admit, it wasn’t even taken in this CENTURY! We all have different visions of ourselves and the people around us. This is how my kids see me. And this is how my wife sees me. And this is how our staff sees me. And, well, this is how I see me.
As the founder of BCS ProSoft, I wear many hats and fill different roles – and I always STRIVE to be the best at what I do, which is help businesses meet their potential through the intelligent use of technology. I’m here before you today because I believe the Cloud offers you as business owners and managers a set of tools that has the potential to revolutionize your business. My job today is to help you understand what is possible in the cloud and to give you confidence that your business can be run securely and efficiently in the cloud. So enough about me… now it’s your turn…
Please provide your name, company, and what you’re HOPING to get from your time here today.
BCS ProSoft is a leading ERP software reseller with offices in Texas, Colorado, and Hawaii. We have well over 1,500 clients throughout the US and Canada and we’ve been successful through the last 27+ years because we work hard for our customers and while we may make a mistake or two along the way, we do what we say we’re going to do – we deliver as promised. Our customers are the reason for our success. We represent several different accounting/business management products – some are in the cloud and others are not. We believe there is no one single product that is perfect for all.
So let’s take a few minutes to define some of the terms that are thrown around today with regard to the internet. Cloud Computing – Metaphor for “The Internet” , but it’s really more than that. Think of Cloud Computing as a process of outsourcing IT services on a subscription (rental) basis.
When you move applications to the “Cloud,” they are technically available from any device that has access to the internet, via Wifi or Wireless – tablet, smart phone, PC, or Laptop. I say “Technically Available” because usability issues with some legacy products may preclude them from being accessible on today’s mobile devices. Applications have to be smart enough to understand what device is accessing it and tailor the output for that device.
We really need to better define what is pushed to the Cloud and how that correlates to what you are currently doing today. We classify the outsourcing to the cloud three ways: IaaS – Infrastructure as a Service; PaaS – Platform as a Service; SaaS – Software as a Service. Let’s talk about each of these in a bit more detail.
Most likely, you are currently accessing your critical business systems in an “On Premise” model. In other words, you have one or more servers located at your office that store all your programs and data. These servers are networked to the PCs in the office so that everyone has access. You are totally responsible for the care & maintenance of the servers as well as securing and backing up your data. In most organizations, this is the most vulnerable method of business systems delivery.
Infrastructure as a Service is the most basic of services. Think of this as having your server hosted by a 3rd party service. Vendors gain ECONOMIES OF SCALE by employing Virtualization to lower the costs of maintaining multiple servers. In San Antonio, we have Rackspace.
Platform as a Service takes on more responsibility for the infrastructure in that the database is also managed by the vendor. Think of this as a set of building blocks provided by a 3rd party, and you are responsible for building what you want IN THEIR SANDBOX. Examples: Microsoft Azure, Google App Engine, etc.
So finally we come to Software as a Service, in which the vendor manages all aspects of your business management systems. Servers, data, backup, and applications are all managed by the vendor.
This brings us to how the data is stored in the cloud. You have probably heard the term “Multi-Tenant” when talking about SaaS software. Multi-Tenant is a single database that serves multiple organizations. Single Tenant is when a vendor sets up a Physical or Virtual machine for every client. The results are generally the same, but the Multi-Tenant solution is much less expensive for the vendor to maintain because updates only have to be performed once on the single database, and maintenance is performed on a single database. Multi-Tenant offers a potential security issue, however, because data from multiple companies reside in a single, large database. Database design and security are critical factors in providing highly secure systems.
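The multi-tenant separation problem described above, as an added example that is not part of the original presentation: one shared SQLite table holding two customers' rows, a record lookup that ignores the tenant beside one that always filters on the authenticated tenant, and an isolation check that counts cross-tenant reads. Tenant names, invoice rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data: two customer organizations (tenants) whose rows sit
# side by side in one shared table, as in the multi-tenant SaaS model above.
# The tenant names and invoices are made up for the example.
TENANTS = ("acme", "globex")
SAMPLE_INVOICES = [
    (1, "acme", "INV-1001", 1500.00),
    (2, "acme", "INV-1002", 250.00),
    (3, "globex", "INV-2001", 9800.00),
]


def build_shared_db():
    """Create an in-memory multi-tenant database.

    Every business table carries a tenant_id column; that column, plus the
    discipline of filtering on it in every query, is what keeps one customer's
    data separate from another's in a shared database.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "  id INTEGER PRIMARY KEY,"
        "  tenant_id TEXT NOT NULL,"
        "  number TEXT NOT NULL,"
        "  amount REAL NOT NULL)"
    )
    # Index on tenant_id so that scoping every query by tenant stays cheap.
    conn.execute("CREATE INDEX idx_invoices_tenant ON invoices(tenant_id)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    conn.commit()
    return conn


def fetch_unscoped(conn, tenant_id, invoice_id):
    """Weak design: the lookup trusts the record id alone and ignores the tenant.

    With a single compromised account, every other tenant's rows are reachable
    just by asking for other ids: the "one account breached, all accounts
    vulnerable" failure the talk warns about.
    """
    return conn.execute(
        "SELECT tenant_id, number, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def fetch_scoped(conn, tenant_id, invoice_id):
    """Corrected design: every query carries the tenant of the authenticated
    session (taken from server-side state, never from a client-supplied value).

    An id that belongs to another tenant simply resolves to None.
    """
    return conn.execute(
        "SELECT tenant_id, number, amount FROM invoices"
        " WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def list_invoice_numbers(conn, tenant_id):
    """Tenant-scoped listing; the tenant predicate is mandatory, not optional."""
    rows = conn.execute(
        "SELECT number FROM invoices WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()
    return [number for (number,) in rows]


def cross_tenant_leaks(conn, tenant_ids, fetch):
    """Isolation check usable as a regression test for a data-access layer.

    `fetch(conn, tenant_id, invoice_id)` is the accessor under test; it must
    return a (tenant_id, number, amount) row or None. For every tenant and
    every invoice id in the table, count the rows returned whose tenant_id is
    not the requesting tenant's. A correctly isolated accessor scores zero.
    """
    all_ids = [row[0] for row in conn.execute("SELECT id FROM invoices")]
    leaks = 0
    for tenant in tenant_ids:
        for invoice_id in all_ids:
            row = fetch(conn, tenant, invoice_id)
            if row is not None and row[0] != tenant:
                leaks += 1
    return leaks


if __name__ == "__main__":
    db = build_shared_db()
    print("cross-tenant rows readable via unscoped lookup:",
          cross_tenant_leaks(db, TENANTS, fetch_unscoped))
    print("cross-tenant rows readable via scoped lookup:  ",
          cross_tenant_leaks(db, TENANTS, fetch_scoped))
```

The same check applies to any accessor in a shared database: point it at a query you suspect lacks a tenant predicate and a non-zero result is the finding.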
I’m going to spend the next 30 minutes or so scaring the cloud out of you – but don’t worry, I’ll bring you back off the ledge before we’re done today, I promise! Any time you expose your business or personal data via a cloud application, you are potentially opening yourself up to loss of data or loss of access to your data. It is wise for you to understand your areas of vulnerability so that you can plan to overcome them.
According to the Cloud Security Alliance, a recent study (February 2013) indicates that the unprecedented pace of cloud computing adoption in business and government has created new security challenges. Recognizing both the promise of cloud computing and the risks associated with it is good business. Ultimately, you are still responsible for the security of your systems and data – whether on premise or in the cloud.
To identify top threats, the Cloud Security Alliance has conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. According to the survey, the top security threats are: Data Breaches, Data Loss, Account Hijacking, Insecure APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, and Shared Technology Issues. It is important to remember that this list is compiled from the responses to a 2013 CSA survey and does not represent every possible vulnerability. (Lawyer disclaimer…)
Data falling into the wrong hands has been an executive nightmare since the beginning of commerce. The advent of networked computers has amplified the danger. There are multiple ways for data breaches to occur, including the extraction of private cryptographic keys; and in a poorly designed multi-tenant cloud service database, if one account is breached, all accounts are vulnerable. Today, data breaches are achieved through sophisticated operations and, depending on the nature of the data, certain organizations may be targeted directly by foreign governments and/or nefarious organizations. Sound familiar?
For both consumers and businesses, the prospect of permanently losing one’s data is terrifying. Malicious attack is a real threat in which someone gains access to your data and performs a data wipe. Malicious attackers are not the only cause of data loss. Accidental deletion by your cloud service provider or catastrophic loss by tornado, flood, etc. are real possibilities.
Account or Service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. The most common causes of hijacking: (1) using the same password across multiple systems, (2) using passwords that are too simple (e.g. 1234 or password), and (3) responding to phishing emails that look like “official” requests for information. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities/transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
In order to provide good integration between multiple, disparate systems, cloud developers provide access to their data using a set of software interfaces, generally called APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. But it gets worse. Many cloud publishers rely heavily on multiple third party vendors to fill the gaps in the base software by providing add-on applications that interface via these APIs. This practice introduces a new level of complexity in a layered API. As more vendors become involved, risk increases because the cloud publisher must relinquish control of their credentials to multiple third party vendors.
Denial of Service is like being caught in rush-hour traffic with no way to get to your destination and nothing you can do about it except sit and wait. Most of us have dealt with slow network connections from time to time, but a Denial of Service (DoS) attack is caused by malicious programs that force the victim cloud service to consume system resources beyond what the service has available.
A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive data, and a disgruntled employee with malicious intent can wreak havoc on a company’s business systems before anyone even realizes it. In the old Unix days, we used to kid about performing a command line function, “rm -r”, which, if executed, wipes the disk of all files and folders, including the boot sector of the drive. 5 key strokes and you’re down for the count!! BTW, this is an even greater risk in an on-premise implementation because the system is more easily accessed and most firms don’t have multi-day backups.
It might take an attacker years to crack an encryption key using his own limited hardware, but using an array of cloud servers, he might be able to crack it in minutes. Alternately, he might use that array of cloud servers to stage a DDoS (distributed denial of service) attack, serve malware, or distribute pirated software. This is really more of an issue for cloud service providers than cloud consumers, but it does raise a number of serious implications for those providers. How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again?
An organization that rushes to adopt cloud technologies subjects itself to a number of issues. Contractual issues arise over obligations of liability, response, or transparency by creating mismatched expectations between the cloud provider and the customer. In addition, pushing applications that are dependent on “internal” network level security controls to the cloud is dangerous when those controls disappear or do not match the customer’s expectation. Finally, unknown operational and architectural issues arise when designers and architects unfamiliar with cloud technologies are designing applications being pushed to the cloud.
Improperly designed applications (whether in IaaS, PaaS, or SaaS models) can expose customers to possible data loss or data breaches. This vulnerability is dangerous because it potentially can affect an entire cloud at once, taking everyone down with it.
Some organizations probably have the resources to build out and maintain a security plan that covers all contingencies, but I doubt most small businesses have the expertise or money to provide the level of security provided by the established cloud software providers. Your employees pose the largest threat to your data: Betty clicks on a cat video and brings your network to a crawl. Todd is a disgruntled employee and when he’s leaving he wipes out your ERP data. Samantha brings a thumb drive to the office with pictures of her grandbaby and you end up with a crippling virus that brings you down for days while a hired expert works to remove the virus from your servers and workstations.
Most companies don’t have adequate backups of their programs and data. At least once each year we get a call from a customer that needs to restore data, only to discover that their backup software hasn’t been working for months. And what about natural disasters? Last year, we had a customer in NJ that lost their data, even though they thought they were being smart. They had multiple, off-site backups – but the office where the server was located AND the homes where the backup tapes were stored all flooded. They lost everything!
The Notorious 9 is not a new concept. It is well known to the most prominent cloud publishers and they have designed their software, built server farms, and implemented security procedures to overcome these and dozens of other potential security risks. Does it mean that your data is secure in the cloud? Not really, but in almost all cases, your data would be more secure in the cloud than sitting on your servers in your office.
There is no LAW that requires that a cloud publisher meet any specific standard when it comes to security and infrastructure, but the players want to make sure they are following the best practices set out by various independent organizations like the AICPA, IFAC, and the US Department of Commerce. These organizations provide auditing services and certification designed to help publishers ensure they are doing everything they possibly can in order to secure your data.
SSAE 16 – ensures that the service provider meets a set of standards that ensures the ability to fully audit their capabilities. It DOES NOT set any standards of compliance for security – it just ensures that they have the controls in place to perform a full audit.
ISAE 3402 Type 1 – the auditor will express an opinion on whether the service organization’s description of controls is suitably designed to achieve control objectives.
ISAE 3402 Type 2 – the auditor has performed tests and the controls were found to be operating with sufficient effectiveness to reasonably assure that control objectives were achieved.
PCI DSS – Security standard for credit card data handled by computer-based information systems. Vendors that have passed PCI DSS scrutiny have allowed their software to be tested by a third party participant.
US-EU Safe Harbor – Privacy standard set by the EU for non-EU countries. Self regulation/enforcement with backing of rules/regulations provided by the Dept. of Commerce.
24/7-365 – You would think this would go without saying, but we had a client recently that needed to restore a file and the cloud vendor didn’t have anyone available to assist. The employees were all at a company retreat (the bar?)!
Intrusion Detection Monitoring is a science unto itself. A cloud provider must continuously monitor for malicious attempts to access data and/or inappropriately use system resources.
Separation of Duties – The folks that are managing the servers shouldn’t be the same people that are monitoring the security systems. They must be independent of each other and answer to different authorities. This precludes any one person from having full access to the system.
Physical Access – Management of the physical facilities is critical as well. A strong security policy includes a hardened facility with strict rules for entry to the facility – for example, sophisticated bio-security systems, single-person portals, perimeter monitoring by armed guards and cameras, etc.
Continuous performance auditing is imperative. A cloud vendor should be able to provide current industry certifications and describe how they continuously monitor for compliance.
When someone tells you they are a Tier 1 data center, it is important to understand what they’re talking about. The difference between a Tier 1 and a Tier 4 data center is the amount of redundancy that is built into the physical systems. Tier 1 may be adequate, but it’s certainly not the best! A Tier 4 data center will be the most secure and provide the best up-time guarantee.
You may think that anything over 99% is plenty good – and that may be true. Redundancy also means your data is less likely to be damaged or lost.
There are some great reasons that business is moving to the cloud: reliability, security, and scalability.
But there’s another, more sinister cost associated with On-Premise implementations. It’s called “Version Lock.”
91% of all IT budgets are focused on maintaining the status quo and only 9% is allocated towards innovation. The result? 66% of all customers running on-premise business management systems are on OLD VERSIONS of the software. Why is this important? Because companies that don’t stay current on their software will get locked into the “OLD WAY” of doing business and won’t innovate. But it gets worse – after 4-6 years of being locked into an old version of the software, the cost of upgrading is as much as or more than the cost of changing systems entirely, so many business owners/managers opt to change entire systems.
Businesses running on Cloud products are automatically updated as new versions become available – it’s part of the fee. Plus, since vendors need to keep you on the current version, they have to make training available so that you’ll know what’s new in the software.
Here are the top 5 reasons business owners are turning to the cloud to solve their business issues:
• Improved Business Agility – Create, deploy, and manage business critical applications – quickly. Let’s say, for example, that you get a new contract that requires you to hire an additional 20 employees. If your business systems are deployed on premise, you will have to upgrade or possibly replace your current hardware/software systems. This is time consuming and expensive. If you are implemented in the cloud, it is a simple phone call to add the additional users. Plus, when the project is over, the money spent upgrading the on-premise systems is a sunk cost that cannot be recovered or reduced.
• Generate an attractive ROI – When comparing the cost of on premise vs. cloud, you have to consider the cost of purchasing, maintaining, and upgrading hardware over time. You must also calculate the potential cost of down time due to various failures (virus, drive failures, natural disasters, etc.). There are also various labor costs that must be included in the analysis, such as the cost of managing upgrades, backups, etc.
• Accelerate Time to Value – Time is money and putting your business systems on the cloud is FAST. On premise implementations require the creation of infrastructure, and that takes time and money.
• Jump Start Innovation Programs – Once your business systems are implemented in the cloud, it is easy to provision a “Sandbox” to test new processes before going live.
• Elasticity and Scale – One of the key promises of cloud computing is limitless capacity. This elasticity and scalability are key factors in allowing small businesses to compete against the big boys. As your business expands, you don’t have to rely on IT staff and DBAs to give you the tools you need to grow.
There are a host of security and licensing issues to think about when considering a partnership with a Cloud provider. As a lay user, you may not understand the significance of each of these questions and you may not be able to determine if the answer provided is totally adequate, but if they CAN’T answer these questions, or WON’T answer your questions, you know you have a problem.
In most cases, a vendor should be willing/able to provide copies of Security Certifications, and those certs deal with most of the questions on the previous slide. However, you need to ask a couple of questions, specifically:
What happens to data when you “Delete” it? Is it actually wiped out? – It should be gone and non-retrievable within a backup cycle. You don’t want your data living out there to be discovered and misused in the future.
Who Owns the Rights to Your Data? – You own your data, and should you choose to quit working with a cloud vendor, you should be allowed to take your data – in a form that can be imported elsewhere – with you. If they cannot provide you with that, then you shouldn’t be considering the vendor as a possible partner.
Service Summary or Description
The service summary section usually appears in the introductory section of the SLA. It should always state the name of the provider and the name of the customer. This summary will enumerate the obligations that you, the customer, must fulfill in order to satisfy the SLA. For example, you may be asked to provide up-to-date contacts, network topologies and customer escalation paths. This section will usually list the support level (e.g., gold or platinum) you have purchased. The support level determines how fast the service provider will respond to your service requests, how many service requests you’re allowed per week or month, how often you will be notified during emergencies, and most important, what your general service availability guarantee is.
Hardware
Service providers host security services in a variety of ways. Some will install dedicated hardware at your site. Some will provide you with dedicated hardware, but it will sit in the provider’s own network operations center. And others will provide the security service through virtual domains that share, with other customers, the same physical hardware located (again) at the service provider's site. Regardless of the method used, the service provider should state clearly in the SLA how the service is to be provided. Once you’re sure of the hardware in use, you will be able to ask intelligent questions about hardware specification, performance, throughput, size, upgrades and so forth.
Software
Most service providers use products from name-brand companies such as Check Point, ISS, Cisco, and others. Other service providers will use open-source software such as Snort for IDS. It’s important to know what software will be used for the service you have purchased. Your company may have specific requirements, such as avoiding unsupported open-source software on any of your IT infrastructure. In that case, software such as Snort may be out and the service provider must use vendor-supported products. Knowing what software is used also allows you to better understand the relationship between the service provider and the software vendor. For instance, if your service provider is using Cisco PIX as the firewall software but there’s no CCIE on staff, that would certainly be a cause for concern.
Service Availability
The service availability section may be the section you're most familiar with. This section describes exactly what service level guarantee you will receive. One of the most critical service-level guarantees is uptime percentage. For example, 99.5% uptime means that your site can potentially be down for 216 minutes per month (0.5% of a 30-day month) without any penalty for the service provider. If the service is down more than the guaranteed level, the service provider will compensate you for that period of time. It is critical to understand what the service provider considers to be downtime. For example, most service providers will not consider upgrades to constitute service downtime; therefore, you will not be compensated for those periods of unavailability. Other service-level guarantees the agreement may specify include how fast the service provider will respond to your service requests, how long upgrades will take, how fast the service provider will detect and report problems, and so forth. Another critical consideration is how the service provider will be penalized if the service-level guarantee is not met. In most cases it simply means the service provider won’t bill you for that period of time.
Service Requests
SLAs generally provide for a number of standard service requests per month and a number of emergency service requests per month. Understanding when a service call will be considered an emergency request will allow you to properly plan for changes. For example, if the service provider considers any requests you want performed outside of standard business hours (8 a.m. to 5 p.m., Monday through Friday) to be emergencies, and most of the changes you want fall outside of that time frame, you may have a problem. There are other things to consider when negotiating your service-request needs. Some service providers may limit the number of IT personnel from your company allowed to open service requests. Others may consider certain service requests to count as two requests. Some service providers may charge extra for certain service requests. Naturally, the list goes on.
Monitoring and Reporting
Network administrators can find it extremely frustrating if they’re unable to quickly perform troubleshooting when the network is unexpectedly down, or if they don't have the resources to quickly do forensic analysis when an incident is detected. These days, service providers are doing a much better job of providing reports to customers on bandwidth utilization, uptime analysis and log management. However, there’s still quite a bit of difference among service providers, and you'll need to ask a number of questions. For example, does your service provider offer the most up-to-date configuration online for your review? Will you receive daily, weekly or monthly reports based on your firewall, IDS or VPN logs? What about ad hoc or custom reports so you can perform troubleshooting or forensic analysis? And will you be assured of backups of all configurations?
Availability, responsiveness, quality and communication are important elements to consider for any service provider SLA. In the next four articles in this series, we will discuss each of the above sections in detail, including the specific considerations for each topic, why it matters, what you should expect and what the norms are among service providers.
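The uptime arithmetic and the downtime exclusion from the Service Availability section above, as an added example that is not part of the original presentation: it computes how much downtime a guarantee permits, checks a constructed outage log against it while excluding scheduled upgrade windows the way most SLAs do, and estimates the non-billed credit. The `Outage` record, the sample outage log and the proportional credit formula are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# The slide's 216-minute figure assumes a 30-day month: 0.5% of 43,200 minutes.
MINUTES_PER_MONTH = 30 * 24 * 60


def allowed_downtime_minutes(uptime_pct: float, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Downtime the provider may incur in the period without any penalty."""
    return period_minutes * (1 - uptime_pct / 100)


@dataclass
class Outage:
    """One unavailability window from the customer's own monitoring (assumed record shape)."""
    start: datetime
    end: datetime
    scheduled: bool  # provider upgrade/maintenance windows usually do not count as downtime

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def counted_downtime_minutes(outages: list[Outage]) -> float:
    """Sum only the unscheduled outages; scheduled upgrades are excluded per the typical SLA."""
    return sum(o.minutes() for o in outages if not o.scheduled)


def sla_breached(uptime_pct: float, outages: list[Outage], period_minutes: int = MINUTES_PER_MONTH) -> bool:
    """True when counted downtime exceeds what the uptime guarantee allows."""
    return counted_downtime_minutes(outages) > allowed_downtime_minutes(uptime_pct, period_minutes)


def non_billed_credit(monthly_fee: float, uptime_pct: float, outages: list[Outage]) -> float:
    """Assumed reading of 'won't bill you for that period': the fee pro-rated over counted downtime."""
    if not sla_breached(uptime_pct, outages):
        return 0.0
    return round(monthly_fee * counted_downtime_minutes(outages) / MINUTES_PER_MONTH, 2)


# Constructed sample outage log for one month (not real provider data).
SAMPLE_OUTAGES = [
    Outage(datetime(2012, 6, 3, 2, 0), datetime(2012, 6, 3, 6, 0), scheduled=True),      # 240 min upgrade window
    Outage(datetime(2012, 6, 10, 14, 5), datetime(2012, 6, 10, 16, 35), scheduled=False),  # 150 min unplanned
    Outage(datetime(2012, 6, 22, 9, 0), datetime(2012, 6, 22, 10, 30), scheduled=False),   # 90 min unplanned
]

if __name__ == "__main__":
    for pct in (99.0, 99.5, 99.9):
        print(f"{pct}% allows {allowed_downtime_minutes(pct):.1f} min; "
              f"breached={sla_breached(pct, SAMPLE_OUTAGES)}; "
              f"credit on $1,000 fee=${non_billed_credit(1000, pct, SAMPLE_OUTAGES)}")
```

The 240-minute upgrade window alone exceeds the 99.5% allowance but is excluded, so only the 240 unscheduled minutes decide the breach; at 99.0% (432 minutes allowed) the same log passes.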