Showing posts from February, 2021

Clustered Hosts

1. Resource Sharing
    + Reservation: minimum availability of resources.
    + Limits: maximum availability of resources.
    + Shares: provisioning through prioritization.
2. Distributed Resource Scheduling / Compute Resource Scheduling
    + Hi…

Secure Server Configuration

1. Server Best Practices
    + Secure build and initial configuration baselining
    + Host hardening, patching and lockdown
        + Block non-privileged access.
        + Limit remote access; ensure security protocols are used if remote …

Uptime Institute's Data Center Site Infrastructure

Provides a Tier Standard that many enterprises use to evaluate their data center's design
    + Tier 1: Basic Data Center Site Infrastructure
    + Tier 2: Redundant Site Infrastructure Capacity
    + Tier 3: Concurrently Maintainable Site Infras…

Physical Design && Infrastructure

Physical Design
1. Temperature and humidity guidelines: temperature 64 - 80 °C, humidity roughly 40 - 60 %
2. HVAC considerations: redundancy, energy efficiency, filtration.
3. Air management: air should be able to circulate freely.
4. Cable management: under floor or over…

Application Security Testing

1. SAST (Static Application Security Testing): a white-box test used to determine structure and logic and to detect coding errors without executing the code. Should be done early in the life cycle.
2. DAST (Dynamic Application Security Testing): it is used with ap…

Supplemental Security Devices

1. WAF (Web Application Firewall): a layer 7 firewall that understands HTTP traffic and helps prevent DoS attacks.
2. DAM (Database Activity Monitoring): a layer 7 monitoring device that understands SQL commands and can limit code injection.
3. X…

Threat Modeling: Stride

1. Threat: Spoofing. Mitigation: Authentication
2. Threat: Tampering. Mitigation: Integrity verification (message digest / CRCs)
3. Threat: Repudiation. Mitigation: Non-repudiation (digital signatures, keys)
4. Threat: Information …

Threat Modeling

1. Identify security objectives
    + Legislative drivers
    + Contractual requirements
    + Alignment with business objectives
2. CIA Triad
3. Tools for threat modeling
    + Data flow diagrams
    + Use/misuse cases

OpenID Connect Process Flow

1. User provides their OpenID URL.
2. Relying party discovers via XRDS and initiates association with the OpenID provider.
3. OpenID provider generates a key and association, then returns the key and association to the relying part…

OpenID connect

1. Open standard for authentication, promoted by the non-profit OpenID Foundation.
2. As of March 2016, there are over a billion OpenID-enabled accounts on the internet, and organizations such as Google use OpenID to authenticate users.
3. A user must …

SAML v2.0 Process Flow

1. User attempts to access a hosted corporate application.
2. Service provider generates and sends a SAML request to the user.
3. User is redirected to the identity provider together with the SAML request.
4. Identity provider authenticates the user, parses S…

Managing the IAAA in the cloud through Federations

Relevant Standards/Protocols
1. WS-Federation: defines mechanisms to allow different security realms to federate, such that authorized access to resources managed in one realm can be provided to security principals whose identities reside in other realms. …

Steps to Access Control

1. Identity control
2. Accounts provisioned
3. Subject identifies
4. Subject authenticates
5. Subject is authorized
6. Auditing/accountability is based on identification information
7. Account deprovisioned

Organizational Normative Framework

1. Specified in ISO 27034
2. Defines components of application security best practices:
    + Business context
    + Regulatory context
    + Technical context
    + Specifications
    + Roles
    + Processes
    + ASC Library (Application Secu…

The SDLC for the cloud

1. Planning and requirement analysis: all business requirements should be defined and risks should be identified.
2. Analyzing/defining: clearly defines the requirements, such as language and platform, through a requirements specification document.
3. …

Multitenancy

1. Mode of operation of software where multiple independent instances share the same environment.
2. Physical environment is generally shared
    + Segmentation: separating tenant resources/data/applications etc.
    + Isolation: logical isolation is…

Common pitfalls of cloud security application Deployment

1. On-premises does not always transfer to the cloud.
    + Current configurations and applications may be difficult to migrate, as they may not have been designed for the cloud environment.
2. Cloud development and testing can be difficult in hardened, secure e…

Types of APIs

SOAP (Simple Object Access Protocol) is a protocol specification providing for the exchange of structured information or data in web services.
    + Similar to an envelope and is based on the WS standards (widely implemented and provide standards f…

APIs

Programming code that governs how a web service can request information or services. APIs define three primary elements:
1. Access: who is allowed to ask for data or services.
2. Request: what data or services can be asked for. Requests have two ma…

Determining Data sensitivity && Cloud Application Architecture

Determining Data sensitivity
What would the impact be if:
    + Information was widely distributed.
    + An employee of the cloud provider accessed the application.
    + The process was manipulated by an outsider.
    + The process failed to provide…

Data center operations

1. Cloud providers running data center operations should demonstrate to customers their compliance with current regulations and standards.
2. CSPs can/should share results of independent audits
    + Cloud Trust Protocol is intended to establish digita…

Physical location of cloud infrastructure

Physical location of the CSP should be evaluated in relation to
    + Regions with a high rate of natural disasters.
    + Regions with social/political unrest.
    + Frequency of inaccessibility.

Backup and Recovery considerations

1. CSPs should provide assurance in securing customer data backed up to the cloud for the purpose of fault tolerance and disaster recovery.
2. Solutions might include
    + SSL/TLS secure transfer
    + Encrypted storage
    + Password protections…

Physical and Environment controls && Redundancy

Physical and Environment controls
Regulations like PCI DSS, HIPAA and other regulations may apply.
    + Policies to maintain a safe and secure facility / office / room / secure area.
    + Physical access restriction.
    + Perimeter security, physi…

Post-incident review

1. Results should be published.
2. Action items should be tracked until resolved.
3. Action items should be identified to address issues.
4. Plan should be updated.
5. Plan should be reviewed at least once per year or as risk dictates.

Testing the Plan

Evaluating the plan for accuracy and completeness
    + Expectations for business units to demonstrate the ability to achieve objectives within metrics specified in the BIA (RTO, RPO, RSL)
    + Degree of testing to be accomplished.
    + Roles and Responsi…

Creating the BCP

1. Scope should be embedded in an information security strategy and includes roles, risk assessment, classification, policy, awareness, training.
2. Gathering requirements and context
    + Identification of critical business processes and dependencie…

Threat types && Strategy Risks

Threat types:
1. Man-made
2. Natural
3. Technical
Strategy Risks:
1. Complexity is added with redundancy / failover
    + Qualified staff
    + Budget
    + Compatibility
2. Need for protection at all layers
    + Data / hard drive / clust…

The Business Impact Analysis (BIA)

1. Identifies and prioritizes business processes based on criticality.
2. Establishes metrics to be integrated into the infrastructure and the SLAs
    + Service Level Objectives
    + RPO (Recovery Point Objective)
    + MTD (Maximum Tolerable …

BCDR Scenarios

1. On-premises, cloud as BCDR
    + Infrastructure is on premises, whereas the CSP provides alternate capabilities. This has traditionally been most common.
    + Concerns: different environment in the cloud. For instance, may need to convert workloa…

Virtualization systems Controls && IAAA in the cloud Infrastructure

Virtualization systems Controls
1. Isolation/separation of zones
    + DMZ, VLAN, physical segmentation
2. Encryption
3. Secure images with DLPs, firewalls, auto-generated logs.
4. Secure data transmission protocols.
5. Protected management plane
6. Detectiv…

Further Attack Vector && Countermeasures across the cloud

Further Attack Vector
1. New technology for federated identities, provisioning, virtualization, automation etc.
2. External service providers.
3. Guest breakout.
4. Identity compromise at provider.
5. API compromise
6. Attacks on provider infrastructure…

Legal

1. Resource exhaustion
    + DDoS
2. Data Protection
    + PII, PHI, PFI have special requirements. SLAs must include contractual obligations to maintain necessary compliance.
3. Jurisdiction
4. Law enforcement
    + Who is responsible
    + Seiz…

Cloud-specific Risks && Non-cloud-specific Risks

Cloud-specific Risks
1. Breach of management plane (compromise of management interfaces)
2. Resource exhaustion
    + DDoS
    + Traffic analysis
    + Manipulation/interception of data
    + Isolation control failures
    + Insecure or incomplet…

Policy and Organizational Risk && General Risk

Policy and Organizational Risk
1. Provider lock-in
2. Loss of governance
3. Compliance issues
4. Provider exit
General Risk
1. Requirement issues
2. Consolidation of infrastructure
3. Changing environment
4. Scalability requires skill at CSP
5. Tech…

Object Storage && Risk Assessment and Analysis in the cloud

Object Storage:
1. Cloud storage can provide a storage structure to customers called object storage.
2. Files and metadata can be stored.
3. Accessible through web interfaces to containers.
4. Uses a flat organization of containers (Amazon S3 calls the…

Recommendation for Virtualization

1. Evaluate, negotiate and refine the licensing agreements with major vendors for virtualized environments -- SLAs.
2. Secure each virtualized OS by using software in each guest or using an inline virtual machine combined with hypervisor-based APIs suc…

Virtualization concerns

1. Inter-VM attacks
    + Traffic between the VMs traverses a virtual network and is invisible to the physical security elements; this is sometimes referred to as the "blind spot".
        + Blind spot: monitoring of the virtual network…

Securing the Guest OS

1. Follow the recommended practices for managing the physical OS, e.g. time synchronization, log management, authentication, remote access etc.
2. Install all updates to the guest OS promptly. All modern OSs have features that will automatically che…

Software Defined Networking

The SDN Architecture is:
1. Directly programmable: network control is directly programmable because it is decoupled from forwarding functions.
2. Agile: abstracting control from forwarding lets administrators dynamically adjust network-wide…

Network Functionality

1. Address allocation: ensuring that cloud resources are assigned IP addresses statically or dynamically.
2. Access control: regulation of subject/object access (physical, administrative, technical).
3. Sufficient bandwidth allocation: control the …

Physical Environment of the cloud Infrastructure

1. Expensive hardware: hundreds of thousands of servers.
2. Massive density of power.
3. Downtime affects all dependent businesses
    + Redundancy on all levels is essential.
4. Power, pipe (cooling), ping (connectivity) limitations.
5. Temper…

Policy controls for privacy and Data Protection

1. Separation of duties
2. Training
3. Authentication and authorization procedures.
4. Vulnerability assessments
5. Backup and recovery processes.
6. Logging
7. Data retention control
8. Secure disposal
Technical requirements
1. Creati…

Domains of the CCM

1. Audit Assurance and Compliance.
2. Application and Interface Security.
3. Business Continuity Management and Operational Resilience.
4. Change Control and Configuration Management.
5. Data Center Security.
6. Data Security and Information…

CSA Cloud Controls Matrix (CCM)

1. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance, organized by domain.
2. Designed to provide fundamental security principle…

Integrity && Hashing && Digital signature

1. Data could be modified
    + Accidentally through corruption.
    + Intentionally through malicious alteration.
2. Hashing is only good for accidental modification/corruption, because a malicious attacker would simply modify the hash to evade …

Redundancy && Data Protection policies: Retention

Redundancy
1. Data: backups, archives, dispersion
2. Hard drives: RAID
3. Servers/services: clustering
4. Links
5. Physical locations
6. Disaster recovery and business continuity
Data Protection policies: Retention
1. Data retention: …

Service Level Agreements && Threats to Data storage:Denial of Service

A service level agreement is a contract in which the level of service to be provided is formally defined. It may specify performance, window of time, accuracy etc. An SLA is a legally binding document.
Threats to Data storage: Denial of Service
Denial of s…

Due Diligence and Due care

Corporate policies, standards, procedures and guidelines show and implement due diligence and due care.
1. Due Diligence: an organization's attempt to understand the risks it faces. Research and risk analysis are two ways an organization demonstrates …

Data Privacy

Outline
    + Introduction
    + What is Data Privacy?
    + Why is Data Privacy Important?
    + Types of Data Privacy
        + Personal Data Privacy
        + Online Data Privacy
        + Workplace Data Privacy
    + Laws and Regulations for Data Privacy
    + Challenges in Data Privacy
        + Data Breaches
        + Lack of Awa…
