Feb 23 2021

Security Logging in Cloud Environments – AWS

Category: Cloud computing,Security logs — DISC @ 4:33 pm

Which Services Can We Leverage?

AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg.

CloudWatch Logs is the default logging service for many AWS resources (like EC2, RDS, etc.): it captures application events and error logs, and allows to monitor and troubleshoot application performance. CloudTrail, on the other hand, works at a lower level, monitoring API calls for various AWS services.

Although listing (and describing) all services made available by AWS is out of scope for this blog post, there are a few brilliant resources which tackle this exact problem:

“How to Enable Logging on Every AWS Service in Existence (Circa 2021)” from Matt Fuller tries to be the definitive guide to answer the question “how do I enable logging?” for every supported AWS service. Alongside this, Matt published a Google Sheet summarising the content of this blog post.
“Logging in the Cloud: From Zero to (Incident Response) Hero” are the annotated slides (131 pages!) of a good talk delivered at RSA 2020 by the Secureworks team which tries to answer questions like “What Should I Be Logging?”, “How Specifically Should I Configure it?”, and “What Should I Be Monitoring?”. Especially interesting since it doesn’t cover only AWS, but also GCP and Azure.
“What You Need to Know About AWS Security Monitoring, Logging, and Alerting” lays out the different AWS security monitoring and logging sources, and how to select the most appropriate collection technique for each of them.
“Overview of AWS Logs” lists main AWS logging sources with a summary table, format, example and a Grok regex to parse log and ingest into a tool like Elastic Stack (ELK).

In the remainder of this section I’ll provide a summary of the main services we will need to design our security logging platform. Before doing so, though, it might be helpful having a high-level overview of how these services communicate (special thanks to Scott Piper for the original idea)

Source: Security Logging in Cloud Environments – AWS

Tags: AWS security, Cloud computing, cloud security

Comments (0)

May 12 2014

Bestselling Books at Infosecurity 2014

Category: cyber security,Information Security — DISC @ 9:36 am

by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, We have created the below list of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT®5

A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT®5.

Penetration Testing – Protecting Networks and Systems

An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.

Tags: Certified Penetration Testing Engineer, Cloud computing, cloud computing security, London, Payment Card Industry Data Security Standard, Penetration test

Comments (0)

Sep 15 2010

Cloud Computing: A Treasure Trove for Hackers

Category: Cloud computing — DISC @ 10:10 am

: Image by Ivan Walsh via Flickr

Above the Clouds: Managing Risk in the World of Cloud Computing

By Dick Weisinger
Security usually tops the lists of concerns that people have about the cloud. And now it seems like there is good reason. On a recent survey of 100 “elite” hackers at the 2010 Defcon conferenece, 96 of them said that the cloud offered up more opportunity for them to hack. 89 of them said that they thought that cloud providers weren’t being proactive enough in beefing up their security, and 45 of them admitted to already have engaged in cloud hacking, and 12 of them said that they hack for financial gain.

When asked about what areas of the cloud that they thought were most vulnerable, 21 percent said Software as a Service (SaaS), 33 percent said problems with the Domain Name System (DNS). 16 percent said that cracking the information in log files was on their list of things to hack, and 12 percent said that they’ve hacked into communication profiles.

Barmak Meftah, chief products officer at Fortify, sponsor of the survey, said that “more than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource.”

Another highlight at the Defcon conference was a $1500 device that was able to intercept any GSM mobile phone call.

Hackers see the cloud as ripe territory (news.cnet.com)
DEF CON Survey Reveals Vast Scale of Cloud Hacking – And the Need to Bolster Security to Counter the Problem (prnewswire.com)
Cloud Computing Security One Year in the Cloud (cloudave.com)

Tags: Barmak Meftah, Business, Cloud computing, Defcon, Domain Name System, Hacker (computer security), Information Technology, Software as a service

Comments (4)

Jul 27 2010

What You Can Do About Cloud Computing Security

Category: Cloud computing — DISC @ 9:13 am

Cloud computing security risks are sometimes considered greater than cloud’s rewards. The industry is working to change that, and so can you.

By James A. Martin
Cloud computing offers many compelling benefits to organizations, such as reduced capital and operating costs and as-needed scalability. So why aren’t more businesses taking advantage of the on-demand computing resources services collectively known as ‘the cloud’?

Security concerns are easily the number one inhibitor to deploying the cloud,” says Zeus Kerravala, senior vice president of Global Enterprise and Consumer Research, Yankee Group. “It just gives some people cause for concern.”

How Cloud Technology Enables New Business Models

Although no form of computing is entirely risk-free 100 percent of the time, cloud computing isn’t necessarily any more or less secure than non-virtualized or non-cloud environments, says Christofer Hoff, director of cloud and virtualization solutions for Cisco’s Security Technology Business Unit and author of the Rational Survivability blog.

“It’s how organizations deploy and manage cloud computing that makes the difference,” Hoff explains.

Fortunately, Cisco, its service provider partners and others in the cloud computing industry are collaborating to provide ever-greater security, visibility and control to consumers of cloud services, Hoff adds. And there are plenty of things enterprises can do to take advantage of cloud computing’s benefits without compromising security.

To read the reamining article ….

Tips for building security organization

Category: Security organization — DISC @ 5:54 pm

: Image via CrunchBase

By: Brian Prince

Businesses have increased expectations on the security team in recent years, sometimes producing a disconnect between what is expected and what the security team can deliver. In a new report, Forrester Research lays out some advice for building an effective security organization.

As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.

For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.

“In a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasn’t as connected with the operation [of] the IT…[but] much more connected with the business side and the strategy side,” explained Forrester analyst Khalid Kark. “What that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate.”

To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.

— New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to business; the third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into the architecture.

— Understand IT security vs. information risk: “Many security organizations fail to get management attention because they’re always focused on the IT security activities, which the business doesn’t understand,” according to the report. “On the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them.”

— Develop a cross-functional security council: “Focus on ‘who’ not ‘how.’ Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition,” the report continues. “The trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the ‘how’ will be easy to determine.”

— Equip the business to perform risk assessments: “To meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this,” Forrester said. “Provide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes.”

Complicating things is today’s economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.

“As security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key,” said Forrester analyst Rachel Dines, who worked on the report with Kark. “Security organizations don’t need to have direct ownership of all security-related processes, but they do need to monitor and control them.”

How to create a security culture in your organization: a recent study reveals the importance of assessment, incident response procedures, and social engineering … article from: Information Management Journal

Tags: Business, Chief Information Security Officer, Cloud computing, Consultants, Forrester Research, General and Freelance, Information Security, Security

Comments (0)

Jan 22 2010

How to manage risk in the cloud

Category: Cloud computing — DISC @ 3:06 am

What is Cloud Computing and does it provide more protection to your business?

Pre-order the Softcover;

Pre-order the eBook.

Cloud Computing will bring many benefits to organisations, some of which include reducing operating costs, reducing power consumption and freeing you up to focus on your core business.
The concept of shifting computing to a shared service provider is not new. What may be new is that the cost of Cloud Computing is falling so dramatically that considering outsourcing to the Cloud is no longer rare, and it is now accessible enough that any individual or organisation can use it to their advantage.

Above the Clouds: Managing Risk in the World of Cloud Computing
For Cloud Computing to be a viable option, you need to be confident that your business information will be secure and that the service you offer to your customers will still be reliable. So if you want to adopt a Cloud Computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data. However, the author challenges the assumption that Cloud Computing will offer less protection to your data than relying on an in-house server. Buy Now!>

Cloud Computing not only allows you to make economies of scale; it can also offer you the increased security that comes from sharing the resource. The author argues that moving over to Cloud Computing can actually help to defend your organisation from threats such as denial of service attacks, viruses and worms.

Cloud service providers will tell you that Cloud Computing is bound to be better, faster and cheaper. The reality is that before switching over to Cloud Computing, you need to think carefully about whether it will really work for your business. This book shows you what you need to do to ensure that with Cloud Computing you will continue to give the standard of service your customers require. It also offers you some valuable tips on how to choose your provider of Cloud services.

Published date: 9th February 2010.

Pre-order this book using Voucher Code: “cloud2010” to save 10%!

Pre-order the Softcover;

Pre-order the eBook.

Is Your Head in the Cloud? (mikemoran.com)
Migrating To The Cloud. Are You “All In” on The Wrong Hand? (thoughtpick.com)
The Cloud Bubble: Is Computing Becoming a Utility? (java.sys-con.com)
Musings on why Cloud Computing will prevail… (punetech.com)
Why the cloud may be the final frontier for scammers (backupify.com)

Tags: Business, cloud, Cloud computing, cloud computing benefits, cloud computing concerns, cloud computing risks, cloud computing security, cloud security, cloud services, cloudcomputing, Computer Science, Denial-of-service attack, Distributed Computing, due diligence, Economy of scale, Outsourcing, Security

Comments (4)

Nov 25 2009

ENISA Cloud Computing Risk Assessment

Category: Cloud computing — DISC @ 4:22 pm

: Image via Wikipedia

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

The ENISA (European Network and Information Security Agency) released the Cloud Computing Risk Assessment document.

The document does well by including a focus on SMEs (Small and Medium sized Enterprises) because, as the report says, “Given the reduced cost and flexibility it brings, a migration to cloud computing is compelling for many SMEs”.

Three initial standout items for me are:

1. The document’s stated Risk Number One is Lock-In. “This makes it extremely difficult for a customer to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Furthermore, cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data.”

Remember that the document identified SMEs as a major market for cloud computing. What can they do about the lock-in? Let’s see what the document says:

The document identifies SaaS lock-in:

Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a readymade data ‘export’ routine, the customer will need to develop a program to extract their data and write it to file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.

And what about PaaS Lock-In?:

PaaS lock-in occurs at both the API layer (ie, platform specific API calls) and at the component level. For example, the PaaS provider may offer a highly efficient back-end data store. Not only must the customer develop code using the custom APIs offered by the provider, but they must also code data access routines in a way that is compatible with the back-end data store. This code will not necessarily be portable across PaaS providers, even if a seemingly compatible API is offered, as the data access model may be different (e.g., relational v hashing).

In each case, the ENISA document says that the customer must develop code to get around the lock-in, in order to bridge APIs and to bridge data formats. However, SME’s generally do not have developers on staff to write this code. “Writing code” is not usually an option for an SME. I know – I worked for an EDI service provider who serviced SMEs in Europe – we would provide the code development services for the SMEs when they needed data transformation done at the client side.

But there is another answer. This bridging is the job of a Cloud Service Broker. The Cloud Service Broker addresses the cloud lock-in problem head-on by bridging APIs and bridging data formats (which, as the ENISA document mentions, are often XML). It is unreasonable to expect an SME to write custom code to bridge together cloud APIs when an off-the-shelf Cloud Service Broker can do the job for them with no coding involved, while providing value-added services such as monitoring the cloud provider’s availability, encrypting data before it goes up to the cloud provider, and scanning data for privacy leaks. Read the Cloud Service Broker White Paper here.

2. “Customers should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented.”

Yes! Totally agree. There is already a tendency to look at Amazon’s HMAC-signature-over-QueryString authentication scheme and implement a similar scheme which is similar but not exactly like it. For example, an organization may decide “Let’s do like Amazon do and make sure all incoming REST requests to our PaaS service are signed by a trusted client using HMAC authentication”, but omit to include any timestamp in the signed data. I can certainly imagine this, because this would happen all the time in the SOA / Web Services world (an organization would decide “Let’s make sure requests are signed using XML Signature by trusted clients”, but leave the system open to a simple capture-replay attack). Cloud PaaS providers should not make these same mistakes.

3. STRIDE and DREAD
Lastly, the document’s approach of examining the system in terms of data-at-rest and data-in-motion, identifying risks at each point (such as information disclosure, eavesdropping, or Denial-of-Service), then applying a probability and impact to the risks, is very reminiscent of the “STRIDE and DREAD” model. However I do not see the STRIDE and DREAD model mentioned anywhere in the document. I know it’s a bit long in the tooth now, and finessed a bit since the initial book, but it’s still a good approach. It would have been worth mentioning here, since it’s clearly an inspiration.

Read the source entry…

Five competitive differentiators for cloud services (news.cnet.com)
The Future of collaboration platforms (vator.tv)
Is IaaS (as a term) Doomed? (elasticvapor.com)

Tags: Application programming interface, Business, Cloud computing, Platform as a service, Service-oriented architecture, Small and medium enterprises, Software as a service, Web service

Comments (1)

Sep 10 2009

Way beyond the edge and de-perimeterization

Category: Cloud computing,Information Security — DISC @ 2:59 pm

: Image by pittigliani2005 via Flickr

De-perimeterization term has been around almost for a decade and finally industry is taking it seriously because of virtualization and cloud computing popularity. Is it time for businesses to emabrace de-perimeterization?

De-perimeterization is a double edge sword for industry which creates scalable options for operation and huge challenges for safeguarding the assets beyond the edge. One of the major advantages for de-perimeterization is that user can access corporate information over the internet; in this situation user can access corporate data from any where, it’s hard to draw the line where the edge begins and where it ends. All you basically need a functional laptop with internet connection. On the other hand, de- perimeterization poses a great challenge due to possibility of viruses, spywares and worms spreading in your internal protected infrastructure.

In de-perimeterized environment, security attributes shall follow the data, wherever the data may go or reside.

In security architecture where firewall was considered a very effective perimeter defense has been weakens by virtualization and cloud computing. In early days of firewall defense, organization only needed to open few necessary protocols and ports to do business. Internet accessible systems were located on the DMZ and the communication was initiated from the corporate to internet. Now there are whole slew of protocols and ports which needs to be open to communicate with application in the cloud. As corporate application move out of the organization network into the cloud, the effectiveness of firewall diminished.

Defense in depth is required for additional protection of data because as new threats emerge, the firewall cannot be used as an only layer of security. The key to the security of de-perimeterization is to push security at each layer of infrastructure including application and data. Data is protected at every layer to ensure the confidentiality, integrity and availability (CIA). Various techniques can be utilized for safeguarding data including data level authentication. The idea of data level authentication is that data is encrypted with specific privileges, when the data move, those privileges are moved with the data.

layered-defense

Endpoint security is relevant in today’s business environment especially for laptop and mobile devices. Agents on laptops and mobile devices utilized pull/push techniques to enforce relevant security policies. Different policies are applied depending on the location of the laptop. Where security policy will ensure which resources are available and what data need to be encrypted depending on the location of the device.

When corporate application and important data reside in the cloud, SLA should be written to protect the availability of the application and confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider. For example backup your important data or utilize remote backup services where all data stored is encrypted.

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

Download a free guide for following cloud computing applications

Hosted email solution
Hosted email archiving
Hosted web monitoring
Hosted online backup

Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment

Comments (1)

Jul 07 2009

Cloud Computing Pros and Cons

Category: Cloud computing — DISC @ 6:19 pm

Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

Cloud computing is the future of the computing, which happens to provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Basic idea behind cloud computing is the accessibility of application and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

For example Hosted Email (SaaS) Security provides safeguards at the Internet level, eliminating spam and malware before they reach your internal network infrastructure. The hosted email provides centralized security with built-in redundancy, failover, and business continuity, while easing network and security administration. In the hosted email software as a service the security controls are at work at the internet level. It’s about time to expand the corporate perimeter beyond firewall and one of the major benefit of cloud computing is to give organizations capability to implement security controls at internet level and eliminate threats before they reach the internal network.

An online backup service is another example of software as a service (SaaS) which provides users with an online system for backing up and storing computer files.

Cloud computing incorporates several different types of computing, including:
 software as a service (SaaS)
 platform as a service (PaaS)
 infrastructure as a service (IaaS)

It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

Cloud Computing have several benefits and potential risks which you may want to know before signing a contract with a cloud vendor.

Cloud Computing benefits

Users can avoid capital expenditure on hardware, software, and other peripheral services, when they only pay a provider for those utilities they use;

Consumption is billed as a utility or subscription with little or no upfront cost;

Immediate access to a broad range of applications, that may otherwise be out of reach, due to:

The lowering barriers to entry;

Shared infrastructure, and therefore lower costs;

Lower management overhead.

Users will have the option to terminate a contract at any time, avoiding return on investment risk and uncertainty.

Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world – with an internet connection.

Cloud computing associated risks

Cloud computing does not allow users to physically possess the storage of their data which leaves responsibility of data storage and control in the hands of their provider;

Cloud Computing could limit the freedom of users and make them dependent on the cloud computing provider;

Privileged user access – how do you control who has access to what information?

Security of sensitive and personal information lay with the vendor. How do you explain this to your customers when their data is compromised without sounding like you’re ‘passing the buck’?

From a business continuity stand point, can you rely on each vendor to have adequate resilience arrangements in place?

Long-term viability — ask what will happen to data if the company goes out of business; how will data be returned and in what format?

Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Recomended books on cloud computing

Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service

Comments (1)

Jun 04 2009

Virtualization and compliance

Category: Cloud computing,Virtualization — DISC @ 1:04 am

: Image by lodev via Flickr

The core technology utilized in the cloud computing is virtualization. Some organization may not want to jump into cloud computing because of inherent risks can take a shot at virtualization in their data centers. Virtualization can be utilized to reduce hardware cost and utility cost. Organization that might have 100 servers can consolidate into 10, where each physical machine will support 10 virtual systems will not only reduce the size of data center, but also hardware cost, and huge utility bill savings.

Virtualization was being utilized to increase efficiency and cost saving, which is now turning into centralized management initiative for many organizations. In centralized management patches, viruses and spam filter and new policies can be pushed to end points from central management console. Policies can be utilized to impose lock out period, USB filtering and initiate backup routines, where policies can take effect immediately or next time when user check in with the server.

The way virtualization works is OS sits on an open source hypervisor which provides 100% hardware abstractions where drivers become irrelevant. With OS image backed up at management console, which allows virtualization technology a seamless failover and high availability for desktop and servers.

As I mentioned earlier, virtualization allows enforcing of policies on end points (desktops). As we know compliance drive security agenda. If these policies are granular enough which can be map to existing regulations and standards (SOX, PCI and HIPAA) then virtualization solution can be utilized to implement compliance controls to endpoints. It is quite alright if the mapping is not 100% that is where the compensating controls come into play. The compliance to these various regulations and standards is not a onetime process. As a matter of fact standard and regulation change over time due to different threats and requirements. True security requires nonstop assessment, remediation’s and policy changes as needed.

The Real Meaning of Cloud Security Revealed (devcentral.f5.com)
White Paper: Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services (aws.typepad.com)
Virtual Reality (devcentral.f5.com)

Tags: Cloud computing, Data center, Health Insurance Portability and Accountability Act, hipaa, Hypervisor, Open source, PCI, Security, sox, Virtualization

Comments (2)

Apr 22 2009

RSA and cybersecurity

Category: Information Security — DISC @ 6:52 pm

: Image by Getty Images via Daylife

This week I was in attendance with thousands of people from all over the globe at RSA conference in Moscone Center San Francisco. The conference offers variety of training tracks and this year included two new tracks physical security & governance and risk & compliance. Since Novell CNE was one of my first professional certification, I was glad to see Novell making some headway’s in information security arena, especially Deloitte was promoting Novell identity management solution in the conference.

The cloud computing is the buzz word for this year conference. As far as virtual environment boundaries are concerned , it’s hard to say where it start and where it ends which complicate the matters and complexity of the cloud will introduce new threats and risks. With that in mind cyber security appears to be worse than last year. Attendance might be bit low this year due to budget cut but the conference floor was packed with vendors and enthusiastic audiences.

Most of the security expert understand that companies are cutting budgets and might be decreasing their investment in security. Having a proactive security strategy and spending the security dollars wisely is the key to success of a business in this downturn economy. One thing to understand about information security, there is no ROI (return on investment) in security. ROI is a total cost of ownership.

Another concern in the conference is that the threats and fraud goes up during downturn economy. Companies should have comprehensive policies to tackle insider threats regarding disgruntled employees who might be at verge of getting laid off to prevent them from stealing intellectual property.

There is an outstanding line of keynote speakers like Melissa Hathaway, federal acting senior director of cyberspace. She advised the current (Obama) administration. She will be discussing issues like how much federal government should be involved in protecting critical assets like power grids. The conference like RSA helps security professionals to sharpen their skills and work in collaborative manners to successfully defend their organizations from attackers.

Call for concerted cyber-crime fight (news.bbc.co.uk)
RSA Conference launches its own bailout plan (stillsecureafteralltheseyears.com)
RSA 2009 Conference Session on Cloud Computing Security (blogs.adobe.com)

RSA Conference 2009 Highlights
httpv://www.youtube.com/watch?v=BAxAagvmu6w

Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security

Comments (4)

Apr 02 2009

Cloud computing and security

Category: Cloud computing — DISC @ 5:55 pm

https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

“Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

Three categories of cloud computing technologies:

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Software as a Service (SaaS)

Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

Possible risks involved in cloud computing
Complete data segregation
Complete mediation
Separation of duties
Regulatory compliance (SOX, HIPAA, NIST, PCI)
User Access
Physical Location of data
Availability of data
Recovery of data
Investigative & forensic support
Viability and longevity of the provider
Economy of mechanism

`Related articles by Zemanta`

Cloud Computing Security Framework May Nudge The Enterprises Towards Clouds (cloudave.com)
Security in the clouds - or clouds in security? (theregister.co.uk)
Your privacy: cloud computing report & tips; privacy notices & ICO consultation (consumingexperience.com)
Are your bumper stickers revealing too much about your family?

Continue reading “Cloud computing and security”

Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services

Comments (1)

Which Services Can We Leverage?

To demonstrate our range of books and their popularity, We have created the below list of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

Related articles

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Download a free guide for following cloud computing applications

Cloud Computing benefits

Cloud computing associated risks

Recomended books on cloud computing

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

vCISO as a service

`Related articles by Zemanta`