Securing Platform as a Service: A Technical Whitepaper on Security Practices at CloudBees
- Wendy Chapman
- 8 years ago
As a consumer of cloud services, you are relying on your cloud service provider in ways that were previously limited to your own employees. The real or perceived control you have over employees accessing your sensitive information now includes your cloud service provider's employees in some manner. Second, your cloud service provider is offering its service to other users. Thus, your service provider's practices could potentially expose your sensitive information to other users. In this white paper, we provide details regarding security practices used by CloudBees and within our Platform as a Service (PaaS) to protect your sensitive data and guard against unauthorized access.

The Java™ PaaS Company
Table of Contents

Executive Summary
Background on the CloudBees PaaS
Managing Credentials
  AWS Credential Management
  Credential Roll-Out
Managing Security Around Remote Login and Development
  Remote Server Login
  Locked Down Access
  Backdoors
  Handling Problems
Credentials and Password Policies
  Centralized Password Management
  OneLogin
  Password Resetting
  Keeping Credentials Private
Conclusions
Executive Summary

Security should be a high priority for every company. The cloud changes existing security practices in two major ways. First, as a consumer of cloud services, you are relying on your cloud service provider in ways that were previously limited to your own employees. The real or perceived control you have over employees accessing your sensitive information now includes your cloud service provider's employees in some manner. Second, your cloud service provider is offering its service to other users. Thus, your service provider's practices could potentially expose your sensitive information to other users.

In this white paper, we provide details regarding security practices used within CloudBees and in the CloudBees Platform as a Service (PaaS) to protect your sensitive data and guard against unauthorized access. When you place your trust in a cloud provider, you deserve direct answers to every question you have about security. If you are attempting to implement a private PaaS yourself, you will need to consider many of the solutions used by CloudBees already in our full service PaaS offering. In addition to this white paper, CloudBees offers even more detailed documentation of security practices under non-disclosure.

Background on the CloudBees PaaS

We have a detailed white paper that documents the architecture of the CloudBees PaaS and some of the technical drivers behind its design. In that white paper, we also discuss security at a high level. The intent of this document is to provide details behind the security processes. Having a high-level understanding of the CloudBees PaaS, its functionality and its architecture is helpful to understand how we treat security.

Figure 1: The CloudBees PaaS Architecture
As an end-user, when you interact with CloudBees, you do so through the GrandCentral console, the CloudBees API or the CloudBees SDK. Through these channels, you gain access to our hosted services for development and runtime. Behind the scenes, CloudBees also hosts our services platform, a set of shared services that interact with the hosted services you are using. These services, in turn, interact via a message bus with agents running in your targeted execution environment.

Security concerns cross the entire platform. For example, we must limit access only to authenticated users within an account and allow them access only to the resources they are authorized to use. As the PaaS administrator, CloudBees itself requires access to resources you are prevented from accessing directly. Both services and agents running within our environment must be properly secured, as we manage resources on your behalf and on behalf of other users at the same time. These factors require a well thought-out security architecture as well as auditable processes.

Managing Credentials

In the cloud world, companies must be vigilant about the types of risk that exist when placing their code and infrastructure into the hands of others. Anytime you place your business data in the hands of a third party, there is risk. While providers like Amazon, Rackspace or VMware have built security credibility behind their names, there is inherently still some risk involved. This is especially true with cloud providers, where the implementation and security behind the scenes is usually not visible to the end customer. You put your trust in the cloud provider, and the cloud provider owes you clear explanations and an ability to verify security practice.

At CloudBees, we have a number of security measures in place to help safeguard your applications and code against external threats. We have honed some of these practices over the past few years. Others are best practices that everyone should be doing.
Through our AnyCloud offering, the CloudBees PaaS is executing workloads on multiple infrastructure cloud providers. Today our public cloud offerings are primarily hosted on Amazon Web Services (AWS). In this white paper, we will use AWS as the focus of discussions, as it is likely to be more familiar to readers. However, the practices employed on AWS have mirrors in OpenStack or vSphere-based infrastructure cloud environments.

AWS Credential Management

CloudBees service offerings have been developed over the past few years and, like many others who have spent a few years in Amazon's cloud, we have evolved to take advantage of Amazon's improvements in credential management. Originally, Amazon offered one set of credentials that were universal across an AWS account. To tackle security, a lot of companies, including CloudBees, had multiple Amazon accounts for a layer of separation between services and access needs. In 2010, Amazon released a more fine-grained credential and access management system called AWS Identity and Access Management (IAM).

Under the original AWS system, there was one centralized set of credentials for a specific AWS account. This meant that every developer who needed access had to be given these credentials. In addition, all of CloudBees' core services that utilized the EC2 API also had to have these credentials distributed to the instances they ran on. Having a single set of credentials (effectively a single key to the kingdom) has some serious disadvantages.
If a developer left the company, this would necessitate a forced change of all of the credentials. Every developer would need to be given a new set of credentials, and every application would need to be updated to have the new set of credentials in place. No amount of automation makes this problem tractable at scale.

When the number of CloudBees developers was small, and everyone did everything, everyone needed access. However, as more people joined the team and had different access needs, it became not only a security threat, but also just a development threat for everyone to have full access to all systems.

Today the CloudBees access management system takes advantage of the Amazon IAM system. Even in an AnyCloud deployment, where CloudBees is managing workloads on a tethered cloud, access management is handled centrally by CloudBees. CloudBees uses both developer and service-specific credentials throughout our system. Not only can we have specific credentials now for each developer and each service, but we can also lock those credentials down to minimize security risks.

One such example is our DNA service. This is an internal facing service that we use to monitor and manage instance and service health. The DNA application needs the ability to access instance lists, start and stop instances, and update IP address information, amongst other things. Not only does DNA now have its own credentials that are specific to its service, but those credentials are locked to a single fixed IP address. AWS will not accept commands using those credentials unless they originate from that single IP address. This approach helps minimize and contain any threat of DNA credentials being used maliciously.

With developer-specific credentials comes the ability to much more easily rotate and disable access as needed. We can easily and quickly remove access for a specific set of developer credentials, without impacting other services or developers in the process.
We can also limit developer access to the pieces of infrastructure they need in order to do their work. The concern here is not a rogue developer causing issues, but cases like a stolen laptop or even someone at a coffee shop seeing login credentials on the screen. Restricted access also limits what a developer can do accidentally, if they target the wrong thing or try something when they don't completely understand the potential outcome.

Credential Roll-Out

Rolling out new credentials to all developers and services is not easy. At CloudBees, this process has required considerable planning and execution, as any large enterprise already knows. For one, when people have restricted access to the system, they are no longer able to react to major system issues that may creep up. When service access becomes limited, it can cause future potential issues. For example, if new features are added that make use of restricted API calls, nobody may remember they are restricted, and a significant amount of debugging time may be spent trying to figure out why things don't work.

You must also think through scenarios when developers still have access to change other developers' or services' permissions. For example, locking down our DNA service to a specific IP address increases security, but if any developer can go in later and change that lockdown, it may not be obvious that change ever happened. During some of our initial audits, we discovered security-related changes that were done ad hoc to quickly get something that had been broken working again, but then the security change was never later reversed.
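An added example, not part of the CloudBees whitepaper and not CloudBees code: one way to audit IAM policy documents for the two conditions discussed above, service credentials that lack a single-address source-IP lock and non-administrator principals that can still change IAM. The policy names, the documentation-range IP addresses and the probe list of IAM actions are assumptions, and the evaluation is simplified (resources and conditional denies are ignored).

```python
import fnmatch
import ipaddress

# Probe actions: a principal allowed any of these can change permissions.
IAM_WRITE_PROBES = ["iam:PutUserPolicy", "iam:AttachUserPolicy",
                    "iam:DeleteUserPolicy", "iam:CreateAccessKey",
                    "iam:UpdateAssumeRolePolicy"]

# Constructed sample policies (hypothetical names; 203.0.113.0/24 is a
# documentation range). These are not CloudBees' real policies.
POLICIES = {
    "svc-dna": {"Statement": [{
        "Sid": "ManageInstances", "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                   "ec2:StopInstances", "ec2:AssociateAddress"],
        "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}}]},
    "svc-backup": {"Statement": [{
        "Sid": "WriteBackups", "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]},
    "svc-metrics": {"Statement": [{
        "Sid": "ReadInstances", "Effect": "Allow", "Action": "ec2:Describe*",
        "Resource": "*"}]},
    "dev-alice": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
    "dev-bob": {"Statement": [{
        "Effect": "Allow", "Action": ["ec2:*", "iam:*User*"],
        "Resource": "*"}]},
    "dev-carol": {"Statement": [{
        "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "iam-admin": {"Statement": [{
        "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
}


def _as_list(value):
    """IAM elements may be a single value or a list; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    """True if the statement's Action or NotAction element covers `action`."""
    act = action.lower()  # IAM action names are case-insensitive
    if "NotAction" in statement:
        patterns = _as_list(statement["NotAction"])
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in patterns)
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(act, p.lower()) for p in patterns)


def allows(policy, action):
    """Simplified evaluation: an unconditional explicit Deny wins over Allow."""
    statements = _as_list(policy.get("Statement"))
    for s in statements:
        if (s.get("Effect") == "Deny" and not s.get("Condition")
                and _matches(s, action)):
            return False
    return any(s.get("Effect") == "Allow" and _matches(s, action)
               for s in statements)


def source_ip_cidrs(statement):
    """CIDRs listed under Condition -> IpAddress -> aws:SourceIp, if any."""
    cidrs = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "ipaddress":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceip":
                cidrs.extend(_as_list(value))
    return cidrs


def audit(policies, service_principals, iam_admins):
    """Return (principal, finding, detail) tuples, ordered by principal name."""
    findings = []
    for name, policy in sorted(policies.items()):
        if name not in iam_admins:
            hits = [a for a in IAM_WRITE_PROBES if allows(policy, a)]
            if hits:
                findings.append((name, "can-change-iam", hits[0]))
        if name in service_principals:
            for s in _as_list(policy.get("Statement")):
                if s.get("Effect") != "Allow":
                    continue
                cidrs = source_ip_cidrs(s)
                if not cidrs:
                    findings.append((name, "no-source-ip-lock", s.get("Sid", "?")))
                elif any(ipaddress.ip_network(c, strict=False).num_addresses > 1
                         for c in cidrs):
                    findings.append((name, "broad-source-ip", s.get("Sid", "?")))
    return findings


if __name__ == "__main__":
    services = {"svc-dna", "svc-backup", "svc-metrics"}
    for finding in audit(POLICIES, services, {"iam-admin"}):
        print(*finding)
```
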
As a result, part of our policy now is to disallow developers or services from making Identity Access Management (IAM) changes. Those changes are handled by a group of three administrators and are performed only via an administrative account. This account is the only one able to make IAM changes. Later, we will also discuss how we control access to this account.

By distributing credentials in this manner, we feel we have much better protection of our infrastructure in the cloud that, in turn, allows us to keep our customers' data more secure.

Managing Security Around Remote Login and Development

With the earlier background on credential management, let's now look at how we manage security around remote login and remote development. Again, we will use AWS as the specific example in our discussion.

Remote Server Login

One major advantage in using the CloudBees PaaS is that you do not have to manage servers anymore. Using our platform, developers develop, deploy and scale applications with minimal server interaction. Behind the scenes, however, CloudBees engineers do need to manage server lifecycle. This is true not only for instances that run customer code, but for web proxying layers, databases, Git/SVN repos, and many other administrative areas.

Earlier, we discussed the credentials that allow developers to see, and perhaps manage, the lifecycle of these servers. However, we also need to manage the ability to remotely log in to these machines to perform maintenance or fix problems that may occur. In addition, we need to limit traffic from the outside world in a way that allows applications to work, but does not allow malicious attempts to break into the systems.

Locked Down Access

Our first strategy is to make prodigious use of EC2 security groups and rules. Each of our instances has a particular role it serves, and as such is tied to a specific security group that reflects that type of role.
Our application servers, our proxying layer and our databases each have separate EC2 security groups attached to them. Within our development services, DEV@cloud, our Jenkins master instances, the executor machines and the proxying layer also have their own EC2 security groups. It is within these security groups that we can restrict outside traffic to only the ports needed and then also limit inside traffic between the EC2 security groups, where things need to "talk" internally.

For example, our web proxying layer allows outside traffic from ports 80 and and that's it. Our application servers don't allow outside traffic at all, and only allow connections to specific ports coming from the web proxying layer. This tiered and locked down approach ensures we don't succumb to attackers looking for a backdoor into our environment.
Backdoors

Of course, we still do need backdoors into the systems in order for our own team to get in and perform administrative tasks. Most commonly this access includes remote login (SSH) to a server, but also includes access to backend web interfaces to monitor application health or observe application metrics in order to solve issues.

To ensure we maintain as much security around these backdoors as possible, we hide them all behind a Virtual Private Network (VPN) that is accessible only to CloudBees developers. We use OpenVPN, which is a userspace-based SSL VPN that tunnels traffic over UDP. Each developer who has the need for access is given a private key to access the VPN. Once established on the VPN, the developer now has access to the ports needed to get into the system.

Note that this does not mean developers automatically have access into the systems; it just means they have access to the mechanisms to get into the systems. Case in point: once on the VPN, developers have access into port 22 (SSH) on our various machines. However, this still doesn't mean they have the access keys to actually log in to those various systems. That is a separate credentialing and distribution mechanism that is handled on an as-needed basis. This two-layer approach gives us a high level of security, while still maintaining usability for our development team.

Handling Problems

While it provides security, the VPN system can still be a source of friction. Maintenance, or an unplanned outage on the VPN system itself, can halt developer progress across the entire system. In a way, the VPN becomes a single point of failure for our team to be able to handle system level issues, should they occur.

To handle this problem, we allow our administrators to make temporary rule changes to the EC2 security groups. This capability facilitates work on system issues if the VPN system itself becomes a bottleneck to progress.
As an example, they can open SSH access to a specific external IP address a developer may be using in order to let them log in while bypassing the VPN. This change can only be facilitated by an administrator.

In addition, our security group rules are monitored by an external script on a nightly basis. A script matches the state of the security group rules with a known state stored in a Git repository; any deviations are noted and an email is generated. This mechanism allows all administrators to keep tabs on rule changes and ensure "temporary" changes get reverted, or made permanent by adding them to the Git repository of "good" rules.

We feel that our VPN approach, coupled with continuous auditing of security group rules against a known standard, provides us with a very high level of overall security around external facing access into our critical infrastructure. This, in turn, provides our customers with the highest levels of security against intrusion and potential data theft.
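An added example, not CloudBees' script: a sketch of the nightly comparison described above, diffing live security group rules against a baseline kept in Git and building the body of the notification. The group IDs, ports and addresses are constructed, the input is assumed to have the shape of `aws ec2 describe-security-groups` JSON output, and fetching the live state and sending the mail are left out.

```python
import json

# Constructed baseline, as it might be committed to the Git repository of
# "good" rules. Group IDs, ports and addresses are made up for this example.
BASELINE_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-proxy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "UserIdGroupPairs": [{"GroupId": "sg-proxy"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.8.0.0/24"}]}]},
  {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]}
]}
"""

# Constructed live state: same rules in a different order and grouping, plus
# a "temporary" SSH rule for one external address and a missing database rule.
LIVE_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}, {"CidrIp": "10.8.0.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "UserIdGroupPairs": [{"GroupId": "sg-proxy"}]}]},
  {"GroupId": "sg-db", "IpPermissions": []},
  {"GroupId": "sg-proxy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
"""


def normalize(described):
    """Flatten ingress rules to a set of tuples so ordering and the way the
    API groups sources under one permission entry cannot cause false drift."""
    rules = set()
    for group in described.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            # Protocol "-1" (all traffic) carries no port fields; use -1.
            head = (group["GroupId"], perm["IpProtocol"],
                    perm.get("FromPort", -1), perm.get("ToPort", -1))
            for item in perm.get("IpRanges", []):
                rules.add(head + ("cidr", item["CidrIp"]))
            for item in perm.get("Ipv6Ranges", []):
                rules.add(head + ("cidr", item["CidrIpv6"]))
            for item in perm.get("UserIdGroupPairs", []):
                rules.add(head + ("group", item["GroupId"]))
    return rules


def drift(baseline, live):
    """Rules present only in the live state (added) or only in Git (removed)."""
    want, have = normalize(baseline), normalize(live)
    return {"added": sorted(have - want), "removed": sorted(want - have)}


def report(result):
    """Body of the notification; an empty string means nothing to send."""
    lines = []
    for sign, key in (("+", "added"), ("-", "removed")):
        for gid, proto, low, high, kind, source in result[key]:
            lines.append(f"{sign} {gid} {proto} {low}-{high} from {kind} {source}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = drift(json.loads(BASELINE_JSON), json.loads(LIVE_JSON))
    print(report(result) or "no drift")
```

Committing the live rule to the baseline file makes it permanent; reverting it in AWS clears the finding on the next run.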
Credentials and Password Policies

We will now examine some best practices in credentials and password policies used by CloudBees in managing our PaaS environment. These are important practices that are fairly easy to follow without causing undue burden on the development team.

Centralized Password Management

Aside from infrastructure cloud providers, like Amazon Web Services, we have a number of external service providers we use to run the day-to-day business at CloudBees. For many of these providers, we have a single account that is used by CloudBees to provide services that are both internally and externally facing. From time to time, our developers may need to log into these services to update information, check settings or get reports.

As noted earlier, having a single set of credentials is an undesirable scenario. Each new developer has to be given those credentials and it's hard to keep track of exactly how far and wide they float around. In addition, if a developer leaves or some event happens that necessitates change, then redistributing the new credentials becomes painful. As a small team it was less of a problem, but as the team grew a better way of handling this had to be developed. For the past year and a half, we have tackled this problem largely through the provider we use, OneLogin.

OneLogin

Each developer has a separate login to our OneLogin system. This can be username/password based, or can be synced with a Google Apps account to allow use of a Google Apps login via OpenID. Once logged in to OpenID, developers are presented with a menu of services that have been predefined for them to be able to log into. Links are provided directly to the various service providers' pages for automated login. Developers do not have to remember any specific login credentials, and account passwords don't have to be shared. OneLogin makes it easy for us to control access to all of the important CloudBees systems (including logging into the AWS console).
An obvious downside is that OneLogin is now a single point of failure for access to our critical infrastructure. However, we have never experienced a technical issue that has prevented us from using the service. Our admins also maintain a privately secured username/password list of various logins, just in case. As an extra layer of security, our administrators use two-factor authentication via a cell phone app when signing into OneLogin.

Password Resetting

One often-overlooked area in security control is the address used for service registration. For many of our services, we register an alias@cloudbees.com address that gets forwarded to the development team using that service. This is great for informational updates, but it also means that password reset information goes to that alias -- and then on to the address of the team members from whom we may be trying to abstract that information.
This is one important detail we have focused on in setting up our Amazon EC2 accounts. We want to ensure that if a set of credentials did get stolen, particularly from a hacked account, an attacker would find it difficult to reset an account password in order to gain access to a system.

Keeping Credentials Private

At CloudBees, we are big fans of GitHub, and we have a number of public and private repositories there. However, we also maintain a local private Git server for a handful of critical repositories that, for internal security reasons, we've decided are better kept closer to home. This set of repositories includes ones that don't need to be widespread and are more critical for behind-the-scenes operation. We tend to keep repositories that may have services credentials stored in them contained completely within our own infrastructure, as opposed to storing them in a third party location.

As a matter of policy, we never use plain text to send important credentials to end users. When sharing AWS credentials with a new developer, or getting an SSH key set up, we always transact using GPG-encrypted data. This added step adds only about 30 seconds to the process, but helps ensure that if a developer's email is ever compromised, credentials are not part of the leaked data. We have found that a lot of developers use email as a permanent archive of data. If you send them some kind of login information, it will stay in their inbox/archive forever for "future reference." By sending encrypted credentials, the credentials will continue to be available in the future, if needed, but will ensure that security breaches won't lead to data loss.

Conclusions

As a developer or IT operations person, you almost certainly have existing security practices and procedures in place. Platform as a Service changes the level at which you interact with underlying infrastructure resources, so it necessitates a reexamination of your existing practices.
Operations that would previously be performed by a sysadmin are, within the PaaS, performed by services. The security of those services, and the way in which you and the PaaS provider operate them must be considered. If you are attempting to implement a private PaaS yourself, you will need to consider many of the solutions used by CloudBees already in our full service PaaS offering. In this paper, we have documented much of CloudBees' own security practices as well as best practices overall, and the ways in which PaaS changes security considerations.

For more information or a deeper dive into our security practices (under non-disclosure), please contact CloudBees directly: info@cloudbees.com

CloudBees, Inc. CloudBees is a registered trademark and DEV@cloud, RUN@cloud and AnyCloud are trademarks of CloudBees, Inc. Other product or brand names may be trademarks or registered trademarks of their respective holders.
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described
More informationKeyword: Cloud computing, service model, deployment model, network layer security.
Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging
More informationExecutive s Guide to Cloud Access Security Brokers
Executive s Guide to Cloud Access Security Brokers Contents Executive s Guide to Cloud Access Security Brokers Contributor: Amy Newman 2 2 Why You Need a Cloud Access Security Broker 5 You Can t Achieve
More informationMulti-Factor Authentication
Making the Most of Multi-Factor Authentication Introduction The news stories are commonplace: Hackers steal or break passwords and gain access to a company s data, often causing huge financial losses to
More informationEvolution from FTP to Secure File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Evolution from FTP to Secure File Transfer www.ipswitchft.com Do you know where your organization s confidential and sensitive files were transferred today? Are you sure
More informationGET IN NOW Step 2: Add Users
GET IN NOW Step 2: Add Users 1. Match My Email User Roles During the set-up of Match My Email Lite, a MME account is created. The individual whose credentials are used to create an account becomes the
More informationProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary
VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION
More informationSecuring Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits
A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide
More informationSOA Software API Gateway Appliance 7.1.x Administration Guide
SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationEnhancing Organizational Security Through the Use of Virtual Smart Cards
Enhancing Organizational Security Through the Use of Virtual Smart Cards Today s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company
More information10 Quick Tips to Mobile Security
10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22
More informationReference Architecture: Enterprise Security For The Cloud
Reference Architecture: Enterprise Security For The Cloud A Rackspace Whitepaper Reference Architecture: Enterprise Security for the Cloud Cover Table of Contents 1. Introduction 2 2. Network and application
More informationHacking Database for Owning your Data
Hacking Database for Owning your Data 1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money
More informationHow To Secure Your System From Cyber Attacks
TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital
More informationBuilding a Continuous Integration Pipeline with Docker
Building a Continuous Integration Pipeline with Docker August 2015 Table of Contents Overview 3 Architectural Overview and Required Components 3 Architectural Components 3 Workflow 4 Environment Prerequisites
More informationThe Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationChapter 9 PUBLIC CLOUD LABORATORY. Sucha Smanchat, PhD. Faculty of Information Technology. King Mongkut s University of Technology North Bangkok
CLOUD COMPUTING PRACTICE 82 Chapter 9 PUBLIC CLOUD LABORATORY Hand on laboratory based on AWS Sucha Smanchat, PhD Faculty of Information Technology King Mongkut s University of Technology North Bangkok
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationRSA Authentication Manager 7.1 Security Best Practices Guide. Version 2
RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
More informationSecurity Overview Enterprise-Class Secure Mobile File Sharing
Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationNCTA Cloud Operations
NCTA Cloud Operations 093018 Lesson 1: Cloud Operations Topic A: Overview of Cloud Computing Solutions Identify the core concepts of cloud computing. Operations Terminology Identify the terminology used
More informationPREVENTIA. Skyhigh Best Practices and Use cases. Table of Contents
PREVENTIA Forward Thinking Security Solutions Skyhigh Best Practices and Use cases. Table of Contents Discover Your Cloud 1. Identify all cloud services in use & evaluate risk 2. Encourage use of low-risk
More informationMobile Security Threats: Get Ready for 2016
GUIDE Mobile Security Threats: Get Ready for 2016 As enterprise-grade data analytics, predictive intelligence and cognitive computing grow, security is on the forefront of everyone s mind. Hacks have become
More informationMTP. MTP AirWatch Integration Guide. Release 1.0
MTP MTP AirWatch Integration Guide Release 1.0 FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of
More informationidentity as the new perimeter: securely embracing cloud, mobile and social media agility made possible
identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,
More informationYubiKey Authentication Module Design Guideline
YubiKey Authentication Module Design Guideline Yubico Application Note Version 1.0 May 7, 2012 Introduction Disclaimer Yubico is the leading provider of simple, open online identity protection. The company
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationWeb Application Firewall
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
More informationMcAfee Public Cloud Server Security Suite
Installation Guide McAfee Public Cloud Server Security Suite For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,
More informationIdentity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities
Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust
More informationSecuring Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
More informationHow to Achieve Operational Assurance in Your Private Cloud
How to Achieve Operational Assurance in Your Private Cloud As enterprises implement private cloud and next-generation data centers to achieve cost efficiencies and support business agility, operational
More informationServer Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access
More informationIdentity and Access Management for the Cloud
Identity and Access Management for the Cloud What you need to know about managing access to your clouds Organizations need to control who has access to which systems and technology within the enterprise.
More informationMaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software
More informationEnterprise SSO Manager (E-SSO-M)
Enterprise SSO Manager (E-SSO-M) Many resources, such as internet applications, internal network applications and Operating Systems, require the end user to log in several times before they are empowered
More informationThe Essential Security Checklist. for Enterprise Endpoint Backup
The Essential Security Checklist for Enterprise Endpoint Backup IT administrators face considerable challenges protecting and securing valuable corporate data for today s mobile workforce, with users accessing
More informationDevice-Centric Authentication and WebCrypto
Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the
More informationHow to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO
How to survive in a world of Virtualization and Cloud Computing, where you even can t trust your own environment anymore. Raimund Genes, CTO Data everywhere but protection? Unprotected Data Needing Protection
More informationBryan Hadzik Network Consulting Services, inc. Endpoint Security Data At Rest
Bryan Hadzik Network Consulting Services, inc. Endpoint Security Data At Rest Look back on 2010 Agenda Incident types Inside Job? Source of Risk Role of Encryption Some Conclusions 2010 A Year In Review
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationWhy back up the Cloud?
Why back up the Cloud? The CloudBerry Lab Whitepaper The introduction Always backup your data, even if it is in the cloud. The 3-2-1 rule of data protection says keep three copies of your data, on two
More informationIBM Security Privileged Identity Manager helps prevent insider threats
IBM Security Privileged Identity Manager helps prevent insider threats Securely provision, manage, automate and track privileged access to critical enterprise resources Highlights Centrally manage privileged
More informationWHITE PAPER AUGUST 2014
THE DEFINITIVE GUIDE TO CLOUD ACCESS SECURITY BROKERS WHITE PAPER AUGUST 2014 For many enterprises, security and compliance concerns hamper adoption of cloud applications. Furthermore, cloud applications
More informationMastering Continuous Integration with Jenkins
1. Course Objectives Students will walk away with a solid understanding of how to implement a Continuous Integration (CI) environment with Jenkins, including: Setting up a production-grade instance of
More informationJAVA IN THE CLOUD PAAS PLATFORM IN COMPARISON
JAVA IN THE CLOUD PAAS PLATFORM IN COMPARISON Eberhard Wolff Architecture and Technology Manager adesso AG, Germany 12.10. Agenda A Few Words About Cloud Java and IaaS PaaS Platform as a Service Google
More informationPassword Management: History, Costs, Problems and Pain Points, and Solutions
Password Management: History, Costs, Problems and Pain Points, and Solutions by Dean Weich, Tools4ever Everyone in the business world uses passwords. Whether you are a bank teller logging into several
More informationThe Elephant in the Room
The Elephant in the Room Cloud Security and What Vendors and Customers Need To Do To Stay Secure Through this year-long series of whitepapers and webinars, independent analyst Ben Kepes will be building
More informationAPIs The Next Hacker Target Or a Business and Security Opportunity?
APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationMark Bennett. Search and the Virtual Machine
Mark Bennett Search and the Virtual Machine Agenda Intro / Business Drivers What to do with Search + Virtual What Makes Search Fast (or Slow!) Virtual Platforms Test Results Trends / Wrap Up / Q & A Business
More informationFileMaker Security Guide The Key to Securing Your Apps
FileMaker Security Guide The Key to Securing Your Apps Table of Contents Overview... 3 Configuring Security Within FileMaker Pro or FileMaker Pro Advanced... 5 Prompt for Password... 5 Give the Admin Account
More information