Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How Cloud Security Drives Business Agility
Oldest First  |  Newest First  |  Threaded View
WKash
WKash,
User Rank: Apprentice
1/7/2014 | 11:31:40 AM
Cloud security
Any enterprise that wants a glimpse of what industrial strength cloud security controls look like should take a closer look at the FedRAMP protocols and controls establshed by the federal government and gaining wider adoption by leading cloud service providers.

Not familiar with FedRAMP? Read more at http://www.informationweek.com/security/risk-management/qanda-fedramp-director-discusses-cloud-security-innovation/d/d-id/1112142 or visit www.fedramp.gov.

 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/7/2014 | 1:07:34 PM
Re: Cloud security -- FedRAMP
Thanks for the heads up about FedRAMP, Wyatt. I notice they have a cloud best practices document with a section devoted to cloud security. To access the link, click here
Stratustician
Stratustician,
User Rank: Moderator
1/7/2014 | 1:34:53 PM
Secure begins in VM infancy
A great article, with some really great advice on how to properly secure these environments.  Another point to perhaps bring up is to create a secure VM image that is used to create additional VMs.  This way you can almost guarantee the right security controls are in place as long as they exist in the master image.  This means spinning off new VMs are quicker, more secure and have the right policies in place right from the start.
cbabcock
cbabcock,
User Rank: Apprentice
1/7/2014 | 1:35:16 PM
Continuous protection is a good idea
Bankim Tejani has come up with an excellent idea. Scanning cloud applications as they start or restart is continuous protection, instead of occasional, manual protection. If there's any suspicion of intrustion, shut it down and restart. And the central idea of automating the task is a core idea of cloud operations. With such a scanning procedure in place, the public clolud would become a more secure scene of operations than most enterprise data centers.
Ulf Mattsson
Ulf Mattsson,
User Rank: Moderator
1/7/2014 | 1:57:04 PM
New interesting data security method for Cloud data
I agree that "Looking at today's security problems, the landscape is littered with methods that are largely manual and disconnected".

I agree that "Business systems are launched and retired faster than security teams can identify, analyze, and track", but I think that data is more constant.

I agree that "Risks are implicitly accepted by business sponsors during design, development, and operation, but mitigated only when pressed by security and risk management", but I think that security should be built into the data values.

I agree that "Security policies are enforced primarily by manually executed audits and processes", but I think that they should instead be automated.

I agree that "Scaling today's information security and risk management problems to cloud velocity is untenable, but I found interesting new in a report from the Aberdeen Group that "saw a big advantage in performance" and also scalability over traditional security methods.

The report also revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study, released a few months ago, is "Tokenization Gets Traction". 

I think that the Aberdeen approach based on data tokenization is an interesting data security method for Cloud data.

Ulf Mattsson, CTO Protegrity.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-45909
PUBLISHED: 2022-11-26
drachtio-server 0.8.18 has a heap-based buffer over-read via a long Request-URI in an INVITE request.
CVE-2022-45907
PUBLISHED: 2022-11-26
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
CVE-2022-45908
PUBLISHED: 2022-11-26
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
CVE-2022-44843
PUBLISHED: 2022-11-25
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the port parameter in the setting/setOpenVpnClientCfg function.
CVE-2022-44844
PUBLISHED: 2022-11-25
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the pass parameter in the setting/setOpenVpnCfg function.