In cloud computing, security is a shared responsibility between the CSP and the customer. The service model will dictate the general responsibilities, but specifics will also vary based on the actual service being consumed. Security Considerations for Infrastructure as a Service (IaaS) Within IaaS, a key emphasis and focus must be placed on the various…
Category: security
ISO/IEC 27017: Information Security Controls for Cloud Computing
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: Additional implementation guidance for relevant controls specified in ISO/IEC 27002 Additional controls with implementation guidance that specifically relate to cloud services. This standard provides enhanced controls for cloud service providers and cloud service customers and should…
The Prevent-Detect-Recover Cycle
The essence of IT governance is in the selection and application of security controls that adequately protect organizational data while simultaneously minimizing operational friction or disruption. The continuum of security controls extends over three classes or categories: Management (administrative) controls: Policies, standards, processes, procedures, and guidelines set by corporate administrative entities (e.g., executive- and/or mid-level…
Cloud Security
Security on the Cloud doesn’t change drastically from what we have been doing traditionally in our own datacenters. We still need to address: Confidentiality: Confidentiality begins when people, doing their jobs, have a “need to know” to gain access to sensitive resources. Confidentiality is usually provided using the principle of least privilege, which means that…
Intrusion Kill Chain Framework by Lockheed Martin
The “intrusion kill chain” framework is an analytical tool introduced by Lockheed Martin security researchers in 2011. It is also sometimes referred to as the “Cyber Kill Chain”. It is an intelligence- driven, threat-focused approach to study intrusions from the adversaries’ perspective that could give network defenders the upper hand in fighting cyber attackers. So, what is…
Revisiting the Target breach of 2013
Between November 27 and December 18, 2013, the Target Corporation’s network was breached. 40 million credit and debit card numbers and 70 million records of personal information were stolen. The ordeal cost credit card unions over two hundred million dollars for just reissuing cards. Six months prior to the breach, Target deployed a well-known and…
Quantum Cryptography
The first time I stumbled upon the concept of Quantum Cryptography was in the Computer Networks book in my third year of engineering. I immediately found it fascinating and wondered if we would ever come to a point where it wouldn’t just be theoretical – Applied Quantum Cryptography, imagine the possibilities! So, what is Quantum…
Security Assessment: 7 questions to ask
With everything going on in the cybersecurity space, and a general push towards cloud adoption, security is on top of everyone’s mind. Here are some questions to ask your organization to identify security gaps – Incident Management – How well do we detect, accurately identify, handle, and recover from security incidents? Vulnerability Management – How well do…
Cloud Encryption Challenges
There are myriad factors influencing encryption considerations and associated implementations in the enterprise. The usage of encryption should always be directly related to business considerations, regulatory requirements, and any additional constraints that the organization may have to address. Different techniques will be used based on the location of data, whether at rest, in transit, or…
Cloud Data Storage: Key Threats
Are you using cloud storage services? If yes, then you need to be aware of these key threats. In the cloud, data storage can be manipulated into unauthorized usage, for example, by account hijacking or uploading illegal content. The multitenancy of cloud storage makes tracking unauthorized usage more challenging. Unauthorized access: Unauthorized access can happen due to…