

 

Please go through the 2 slides below and summarize the content of each slide in one paragraph each.

Use an APA format to conduct separate research that is related to the topics in the two slides in another paragraph (now 3 paragraphs), Everything should be between 1 and 2 pages. Kindly provide references. 

Cloud Security – Issues and Best Practices


Outline

Intro to Cloud Security

Need for Cloud Security

Cloud Security Fundamentals

Cloud Security Issues

OWASP Top 10 – A6:2017– Security Misconfiguration

OWASP Cloud-Native Application Security Top 10

Attacks against Cloud Security Mechanisms

Cloud Security Best Practices


Intro to Cloud Security


What is the cloud?

According to Microsoft (2022) the cloud refers to “a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem”

Cloud servers are designed to:

Store and manage data

Run applications

Deliver content and services such as streaming video, web mail, office productivity software, and social media to any Internet-connected device

According to NSA (2018), cloud browsers can be used to completely separate the web browser from the user's OS by hosting the browser in a remote cloud environment


What is the cloud? – PowerCert Animated Videos


Source: PowerCert Animated Videos – Cloud Computing Explained –

https://www.youtube.com/watch?v=_a6us8kaq0g/

Cloud deployment methods

Public cloud – shares resources and offers services over the public Internet

Private cloud – does not share resources with other organizations and offers services over a private internal network, typically hosted in an on-premises datacenter

Hybrid cloud – shares resources between public and private clouds depending on their purpose

Community cloud – shares resources only between specific organizations such as government institutions


Source: Microsoft.com – What is the Cloud? –

https://azure.microsoft.com/en-us/overview/what-is-the-cloud/

Cloud service models:

SaaS

Examples: Office 365. (Amazon SaaS Factory is an AWS partner program for building SaaS products rather than a SaaS offering itself, and Google Kubernetes Engine is better classed as a managed container platform, i.e. PaaS, than as SaaS.)

PaaS

Examples: Elastic Beanstalk, Azure App Service, Google Cloud Run

IaaS

Examples: Amazon EC2, Azure Virtual Machines, Google Compute Engine


Who manages each layer under each service model:

Cloud Service Model   Hardware   Operating System   Applications   Data
SaaS                  SP         SP                 SP             C
PaaS                  SP         SP                 C              C
IaaS                  SP         C                  C              C

SP – Service Provider   C – Customer

Cloud market share:


Source: 64 Significant Cloud Computing Statistics for 2022 – FinancesOnline –

https://financesonline.com/cloud-computing-statistics/


The big 3 cloud service providers:


Source: AWS vs Azure vs GCP – bmc –

https://www.bmc.com/blogs/aws-vs-azure-vs-google-cloud-platforms/


Customers (AWS): Netflix, Airbnb, Lyft, FDA, Coinbase

Customers (Azure): Starbucks, Walgreens, 3M, HP, CDC

Customers (GCP): Toyota, Spotify, Target, Twitter, UPS

Cloud security refers to “a broad set of technologies, policies, and applications that are applied to defend online IP, services, applications, and other imperative data against cyber threats and malicious activity” (Cisco, 2022)

As per Cisco (2022), cloud security involves securing data and applications in the cloud by:

Protecting apps, data, and users in the cloud against compromised accounts, malware, and data breaches

Stopping malware before it spreads across the network

Decreasing the time spent remediating data breaches

Improving security without impacting end-user productivity

Extending protection by securing users anywhere and anytime


Cloud security can enable better business outcomes by being:


Need for Cloud Security


As per IBM (2022):

Organizations need cloud security as they incorporate cloud-based tools and services as a part of their digital strategy

Organizations must make their own considerations when protecting data and applications on the cloud since the responsibility of data asset security and accountability does not necessarily shift to the cloud service provider

Threats targeting cloud providers continue to evolve

Lack of cloud security can make organizations face significant governance and compliance risks

Cloud security is a necessity to ensure continuity of business operations


As per the Accenture (2021) Cyber Threat Intelligence Report:

Spending on public cloud services is expected to rise 21.7%, from $396B in 2021 to $482B in 2022

Cloud centricity prompts new attack vectors

Public-facing cloud environments serve as initial entry vectors through which threat actors can gain access to individual endpoint devices

Some organizations do not monitor cloud platforms as closely as they do their own on-premise servers


As per the Accenture (2021) Cyber Threat Intelligence Report (contd.):

Ransomware attacks on cloud infrastructure are on the rise

Cloud malware has evolved faster than traditional malware

Cloud-centric toolset threats are escalating

Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets

Moving to the cloud has increased both the risk and consequences of supply chain attacks


According to the McAfee (2019) Cloud Adoption and Risk Report:


Sharing of sensitive data in the cloud has increased 53%

An average organization has 2,269 IaaS misconfiguration incidents per month

80% of organizations will experience at least 1 compromised account threat in the cloud each month

92% of organizations currently have stolen cloud credentials for sale on the Dark Web


Poor cloud security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)


Cloud Security Fundamentals


What is AWS Security? – Amazon Web Services


Source: Amazon Web Services – What is AWS Security? –

https://www.youtube.com/watch?v=_2HFqANE4gw


AWS cloud architecture for web application hosting:


Source: AWS – Web Application Hosting in the AWS Cloud – https://docs.aws.amazon.com/whitepapers/latest/web-application-hosting-best-practices/web-application-hosting-best-practices.pdf

AWS cloud security includes:

Infrastructure security

AWS WAF filters common web exploits such as XSS and SQL injection at layer 7; its rate-based rules also help absorb application-layer DDoS

AWS Shield provides DDoS mitigation at layers 3, 4, and 7 (Shield Standard is on by default; Shield Advanced adds larger-scale protection and response support)

Amazon VPC provides built-in network firewalling through security groups (stateful, per instance) and network ACLs (stateless, per subnet)

Inventory and configuration management

Deployment tools offered

Inventory and configuration management tools available

Template tools exist to create standard, preconfigured, hardened VMs for EC2 instances


Data encryption

Encryption at rest is built into EBS, S3, RDS, and most other services

AWS Key Management Service available

AWS CloudHSM for secure key storage

Identity and access control

AWS IAM allows account and permission management

AWS MFA available for privileged accounts

AWS SSO (renamed IAM Identity Center in 2022) allows central management of single sign-on access across accounts and applications


Monitoring and logging

AWS CloudTrail can monitor AWS deployments including API call history

Amazon CloudWatch provides a reliable, scalable, and flexible monitoring solution

Amazon GuardDuty available for intelligent threat detection and notification

AWS Nitro System – dedicated hardware and a lightweight hypervisor that offload virtualization, storage and networking functions to separate cards and isolate customer workloads from the host
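The monitoring and logging bullets above only list the services; what a practitioner wants to see is the detection logic that runs over the trail. The following is an added example, not code from the slides, AWS, or any cited report: it applies three rules to CloudTrail-style records (the field names are CloudTrail's; the records themselves are constructed, and the three rules are this example's own choice). It flags console logins without MFA (the "compromised account" case from the McAfee figures), tampering with the trail itself, and routine API use by the root account.

```python
"""Detection logic over CloudTrail-style records: flags console logins
without MFA, tampering with the trail itself, and root-account API use.
Added example: the records below are constructed for illustration and
are not real CloudTrail output; the three rules are the author's own."""
import json
from collections import Counter

# Constructed sample trail, one JSON record per line (CloudTrail field names).
SAMPLE_TRAIL = r"""
{"eventTime":"2022-03-01T08:00:12Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.7","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-03-01T08:05:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.23","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-03-01T08:06:02Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.23","requestParameters":{"name":"org-trail"}}
{"eventTime":"2022-03-01T09:10:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"203.0.113.9"}
{"eventTime":"2022-03-01T09:12:31Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},"sourceIPAddress":"10.0.1.15"}
"""

# API calls that reduce visibility; an attacker holding credentials often
# turns logging off before doing anything noisy.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_trail(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(event: dict) -> str:
    """Best available principal name for an event."""
    ui = event.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def detect(events: list[dict]) -> list[dict]:
    """Apply the three rules and return one alert dict per match, in trail order."""
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        ui = ev.get("userIdentity", {})
        base = {"time": ev.get("eventTime"), "actor": actor_of(ev),
                "source_ip": ev.get("sourceIPAddress"), "event": name}
        # Rule 1: successful console login where MFA was not used.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({**base, "rule": "console-login-without-mfa"})
        # Rule 2: anything that stops or reshapes the trail itself.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
            alerts.append({**base, "rule": "logging-tampered"})
        # Rule 3: the root account should not be used for routine API calls.
        if ui.get("type") == "Root" and name != "ConsoleLogin":
            alerts.append({**base, "rule": "root-api-activity"})
    return alerts


def alerts_by_actor(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per principal so the noisiest identity surfaces first."""
    return dict(Counter(a["actor"] for a in alerts))


if __name__ == "__main__":
    found = detect(parse_trail(SAMPLE_TRAIL))
    for a in found:
        print(f"{a['time']} {a['rule']:<26} actor={a['actor']} ip={a['source_ip']} event={a['event']}")
    print("per actor:", alerts_by_actor(found))
```

On the constructed trail the login without MFA and the StopLogging call come from the same user and source address within a minute of each other, which is why grouping alerts by actor matters more than any single rule. In production the same logic would read from the CloudTrail S3 bucket or CloudWatch Logs, and GuardDuty already ships managed findings for root usage and trail tampering; the point of the example is that the detection is a small amount of logic over fields the trail already records.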


Cloud Security Issues


Specific cloud security issues include the following:

Lack of visibility

Multitenancy

Access management and shadow IT

Access control may be more challenging in cloud environments

Compliance

Accountability for data privacy and security still rests with the enterprise

Misconfigurations

Accounted for 86% of breached records in 2019


Source: IBM – What is Cloud Security? –

https://www.ibm.com/topics/cloud-security


Cloud security issues reported in the Accenture survey (Source: Accenture – State of Cybersecurity Resilience 2021 – https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf):

More than 66% of workloads will shift to the cloud

[Figure: survey percentages of organizations that will move more than 75% into the cloud; that say security is not part of the cloud discussion to begin with; that say poor governance and compliance practices are an issue; that say cloud security is too complex; and that do not have the skills needed. Only one value, "32% of organizations", is legible here.]


OWASP Top 10 – A6:2017 – Security Misconfiguration

Source: OWASP Top 10 2017 A6 – Security Misconfiguration –

https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Common cloud security vulnerabilities – the OWASP Cloud-Native Application Security Top 10 (Source: OWASP Foundation – OWASP CNAS Top 10 – https://www.youtube.com/watch?v=BG4Kn6dcGtI):

Insecure cloud, container or orchestration configuration

Injection flaws

Improper authentication & authorization

CI/CD pipeline & software supply chain flaws

Insecure secrets storage

Over-permissive or insecure network policies

Using components with known vulnerabilities

Improper assets management

Inadequate compute resource quota limits

Ineffective logging & monitoring


Cloud Security Attacks


Most common cloud security attacks:


Attack Type: Description

Cross-Site Scripting (XSS): A type of injection in which malicious scripts are injected into otherwise benign and trusted websites

SQL Injection: An untrusted source uses an application's user input features to supply data that is used to dynamically construct a SQL query, allowing the attacker to read sensitive database data

DDoS: The attacker floods the server with so many requests from compromised computers acting as part of a larger botnet that the server can no longer fulfill requests from legitimate users

Human Error: Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors
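The SQL injection row describes the flaw in one sentence; the following added example (not code from the slides or any cited source) shows it running against an in-memory SQLite database. The users table, its rows and the two payloads are constructed. The vulnerable lookup pastes the username into the statement text, so a tautology returns every row and a UNION pulls the password_hash column into the result; the parameterised lookup treats the same payloads as plain data.

```python
"""SQL injection against an in-memory SQLite database: the vulnerable
string-built query beside its parameterised replacement. Added example;
the users table and its rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with three constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "h-alice", "admin"), ("bob", "h-bob", "user"),
                      ("carol", "h-carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Untrusted input is pasted into the statement text: the flaw the table describes."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The same lookup with a bound parameter: the input stays data, never SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# Two constructed payloads: a tautology that matches every row, and a UNION
# that pulls the password_hash column into the result set ("--" comments out
# the closing quote the application appends).
TAUTOLOGY = "nobody' OR '1'='1"
UNION_DUMP = "nobody' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("honest lookup :", lookup_vulnerable(db, "alice"))
    print("tautology     :", lookup_vulnerable(db, TAUTOLOGY))   # every row
    print("union dump    :", lookup_vulnerable(db, UNION_DUMP))  # hashes leak
    print("parameterised :", lookup_safe(db, TAUTOLOGY))        # no rows
```

Parameter binding is the fix, not input filtering: the safe version needs no knowledge of which characters are dangerous because the driver never interprets the value as SQL. A WAF in front of the application (the AWS WAF bullet earlier) can block the obvious payload strings, but it is a compensating control layered over code that is still wrong.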


Most common cloud security attacks (continued):


Attack Type: Description

Ransomware: The attacker encrypts and locks the victim's data and then demands a ransom to unlock and decrypt it. Ransomware operators have abused cloud infrastructure and introduced new encryption techniques to better evade detection (Accenture, 2021).

Malware: Software written specifically to exploit vulnerabilities. Cloud-related malware has evolved faster than more traditional malware (Accenture, 2021).

Server-Side Request Forgery (SSRF): The attacker abuses functionality on the server that fetches a URL on the user's behalf in order to read or update internal resources; in cloud environments the usual target is the instance metadata service, which hands out temporary credentials.
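SSRF is the attack in that table with the most cloud-specific consequence, so here is an added example (not code from the slides or any cited source) of the validation a server should apply before fetching a user-supplied URL. The allowlist host api.partner.example and the sample URLs are constructed, and nothing in the block performs a real request. It rejects non-HTTP schemes, URLs with userinfo (the "trusted.example@evil.example" trick), literal addresses in loopback, private or link-local ranges, including the IPv4-mapped IPv6 spelling of the metadata address, and any hostname not on the allowlist.

```python
"""Outbound-request validation against SSRF: scheme, userinfo, literal
address range and hostname allowlist are all checked before a server-side
fetch is allowed. Added example; the allowlist host api.partner.example and
the sample URLs are constructed, and nothing here performs a real request."""
import ipaddress
from urllib.parse import urlparse


def classify_target(url: str, allowed_hosts: frozenset[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    parts = urlparse(url)
    if parts.scheme not in {"http", "https"}:
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        # "http://trusted.example@evil.example/" puts the real host after the '@'.
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a name, not a literal address
    if ip is not None:
        # An IPv4-mapped IPv6 literal such as [::ffff:169.254.169.254] is the
        # same target as 169.254.169.254; unwrap it before the range check.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            # loopback, RFC 1918, link-local (cloud metadata lives at 169.254.169.254)
            return False, f"non-global address {ip}"
        if str(ip) not in allowed_hosts:
            return False, f"address {ip} not in allowlist"
        return True, "ok"
    if host.lower() not in allowed_hosts:
        return False, f"host {host} not in allowlist"
    return True, "ok"


ALLOWED = frozenset({"api.partner.example"})

# Constructed URLs: one legitimate target and the usual SSRF tricks.
SAMPLE_URLS = [
    "https://api.partner.example/v1/report",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[::ffff:169.254.169.254]/latest/meta-data/",
    "http://127.0.0.1:8080/admin",
    "file:///etc/passwd",
    "http://api.partner.example@evil.example/",
    "https://evil.example/",
]


def screen(urls: list[str]) -> dict[str, tuple[bool, str]]:
    """Classify each URL; only the first one should come back allowed."""
    return {u: classify_target(u, ALLOWED) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in screen(SAMPLE_URLS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({why})")
```

Two caveats that the block cannot show offline: an allowlisted hostname can still resolve to an internal address (DNS rebinding), so the same range check has to be applied to the address actually connected to, and HTTP redirects must either be disabled or re-validated hop by hop. On AWS specifically, requiring IMDSv2 (a session token obtained with a PUT) blunts the metadata-service payoff even when the application's validation fails.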


What is an SSRF Attack? – Professor Messer


Source: Professor Messer – Request Forgeries – SY0-601 CompTIA Security+: 1.3 –

https://www.youtube.com/watch?v=fmtqMzP7aXI


Cloud Security Best Practices


Best practices for cloud security include:

Implementing a strong identity foundation

Enabling traceability

Applying security at all layers

Automating security best practices

Protecting data in transit and at rest

Keeping people away from data

Preparing for security events

Source: AWS – Well-Architected Framework –

https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/wellarchitected-security-pillar.pdf


Best practices for cloud security include:

Implementing a cloud-based secure web gateway (SWG) so corporate devices are protected against web-based threats without routing through VPN

Protecting data with a cloud access security broker (CASB)

Setting CASB policy to include device checks, data controls, and protection for SaaS accounts

Implementing MFA to reduce the risk of stolen credentials being used to access accounts

Letting employees use their personal devices to access SaaS applications for productivity with conditional access to sensitive data

Source: McAfee – Cloud Adoption and Risk Report –

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cloud-adoption-and-risk-report-work-from-home-edition.pdf


Best practices for cloud security include (continued):

Taking a risk-based view

Understanding the shared responsibility model

Driving a collaborative culture between application, IT/ops, and security teams

Considering security as a forethought and not an afterthought

Monitoring continuously for security and compliance

Planning proactively for cybersecurity events

Source: IBM – Cloud Security White Paper –

https://www.ibm.com/cloud/architecture/files/ibm-cloud-security-white-paper.pdf


Use the following cloud security best practices to protect against security misconfiguration:

Source: OWASP Top 10 2017 A6 – Security Misconfiguration –

https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration

Recap

Security misconfiguration, a leading cause of cloud breaches, appears in the OWASP Top 10 list of web application security risks as A6:2017

Cloud environments also suffer from lack of visibility, multitenancy, identity and access management gaps, compliance obligations that stay with the customer, weak monitoring and logging, etc.

Attackers exploit these weaknesses with XSS, SQL injection, DDoS, ransomware, malware and SSRF, and take advantage of human error such as weak or shared passwords

Cloud security best practices include understanding the shared responsibility model, using strong IAM policies, implementing MFA, using CASBs, using SWGs, encrypting data in transit and at rest, enabling traceability, preparing proactively for security events, etc.


Code Security – Issues and Best Practices


Outline

Intro to Code Security

Need for Code Security

Code Security Fundamentals

Code Security Issues

OWASP Top 10 – A4:2017– XML External Entities (XXE)

OWASP Top 10 – A8:2017– Insecure Deserialization

OWASP Top 10 – A9:2017– Using Components with Known Vulnerabilities

Attacks against Code Security Mechanisms

Code Security Best Practices


Intro to Code Security


What is Code?

Code refers to instructions issued to a computer that tell it which actions to perform and in what order

Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax

Code is used to do all sorts of activities including:

Building websites

Flying airplanes

Running NASA satellites

Making cars/cellphones/TVs/gaming consoles, etc. work


Source: Indeed.com – How to Write Code in 6 Steps? –

https://www.indeed.com/career-advice/career-development/how-to-write-code


Code Types

Markup Languages – Use start tags (<>) and end tags (</>) to represent different components

Examples:

HTML – Is the code that describes the structure and content of a web application

XML – Is code that is designed to store and transport data in both human– and machine–readable format

SAML – Is a framework for describing and exchanging security information between online business partners


Code Types (continued)

Scripting Languages – Used to write small programs that are usually interpreted at runtime by a runtime environment

Examples (client-side):

JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents

AJAX (Asynchronous JavaScript and XML) – Is a collection of technologies that lets a web page request data from the server and update part of itself without a full page reload, improving perceived response time


Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf


Code Types (continued)

Scripting Languages – Can also be used from server-side

Examples (server-side):

CGI – Is a standard interface through which a web server runs external programs, commonly used to make web sites interact with databases and other applications

SSI – Is a limited scripting language supported by most web servers

ASP – Is used to create dynamic and interactive web applications on servers that serve ".asp" pages; its successor, ASP.NET, runs on the .NET framework

PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page


Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf


Code Types (continued)

Programming Languages – Used to code the business logic behind the web applications

Examples:

Java – Is a cross-platform, object-oriented programming language that compiles to bytecode run on the Java Virtual Machine; its OpenJDK implementation is open-source and free

C# – Is an object-oriented programming language created by Microsoft that runs on the .NET framework

Python – Is an interpreted programming language used to build web applications and widely used for big-data processing and scientific computing

Ruby – Is an open-source programming language with a focus on simplicity and productivity


Code Market Share:


Source: Programming Languages Market Share Report – Datanyze –

https://www.datanyze.com/market-share/programming-languages–67/


Secure Coding Concepts – Professor Messer


Source: Professor Messer – Secure Coding Concepts – CompTIA Security+ SY0-401: 4.1 –

https://www.youtube.com/watch?v=N-tQtS5uQoo


Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)

As per Apple (2016), code security involves writing software that:

Is resistant to attack by malicious or mischievous people or programs

Stops an attacker from accessing and taking co
