Rhm2ktmi's List: Cloud - Security

• By many accounts, Satoshi came up with a real-world solution to a longstanding computer science paradox known as the double-spend problem, or the Byzantine General's problem (the professor who named it explains why he did so here). The challenge is how to send and receive money online without the need for a trusted third party, such as PayPal, ensuring that the same digital credit standing in for the amount being exchanged isn't being spent twice.
• A startup called Ripple represents the most active threat to the mega-processors. (We profiled Ripple, and the group that created it, last month.)
• This allows transactions to be processed instantly and without a third party. It's even faster than the Bitcoin network, because everyone using the Ripple ledger gets their own copy of the whole ledger, in contrast with the nodes on the Bitcoin network all sharing a single one.
• Two groups, BitShares and Ethereum, are hoping to blockchain-ify ... everything.
• The entirety of Hearn's talk is pretty amazing, and we recommend you watch it.
• With a handful of exceptions, like Proof of Existence, it's too early to see fully functional applications of blockchain technology.

4 more annotations...

• -Financial inclusion has become a long overdue buzzword among aid agencies and international economic policymakers of late – and it’s opening the door for bitcoin and blockchain technology to become a part of the discussion among international policymakers.

• According to Oliver Bussmann, CIO of Swiss bank UBS , the biggest disrupting force is the blockchain – the underlying technology behind Bitcoin, the electronic-only currency which is created on computers and isn’t controlled by any government or centralized authority.

   
• The blockchain is the open, decentralized online ledger which verifies transactions in the digital currency
• He said: “When somebody with a strong brand and security level establishes it as a reliable service, then the whole industry will follow. That is my personal prediction.”

1 more annotation...

• At Rivetz, we make it possible to connect web services to  trusted hardware in the user's device. When you can trust a device to provide basic uncompromised keys and transactions,  you can deliver more value with more convenience.
• Rivetz runs local applets in the hardware of Android phones and PC's that provide a collection of services for securing an online relationship  with a user.
• Trusted Execution is the ability to run applets on consumer devices  that are not visible to the OS, can't be tampered with by malware or users, and provide core cryptographic functions  that underlie our relationship to online services.

1 more annotation...

• IBM has been buying up a load of computer security firms over the past three years to strengthen its chops in the area – and now it has decided to take that gobbled tech to the cloud
• Dynamic Cloud Security (DCS)
• Marc van Zadelhoff, IBM's VP of strategy for security systems
• That effort involved taking 12 acquired security products and melding them into a protection system for public, private, and hybrid clouds: the goal is to allow IT managers to see and control what is being done to data by users at all times.

• In short, Big Blue reckons DCS can "automatically discover, classify and assess sensitive data stored in cloud-hosted repositories, including activity monitoring for both structured and unstructured data."
• DCS covers what IBM says are three key areas of protecting cloud data: managing access, hardening applications, and protecting data.
• The service will roll out on Amazon Web Services and IBM's own Softlayer systems

5 more annotations...

• There are many players in the field of identity and access management (IAM) ranging from the old guard of Oracle, CA, and IBM to newer players that are built specifically for the cloud.
• the harder aspect of IAM is to extend this security model to the traditional enterprise, so the entire environment is secure.
• As cloud adoption increases, identity-based approaches to security are the best fit.
• The use of IAM within cloud application deployment will back-fill into the enterprise as well, as companies modernize their security approaches and technologies to align with the use of public clouds.
• The benefit of centralized identity management is the ability to quickly add identities for resources outside of the enteprise’s direct control while ensuring that they are both valid and have the proper credentials.

3 more annotations...

• There’s this emerging trend that is becoming apparent as apps and infrastructure become more closely tied but also uniquely separate across sophisticated, distributed infrastructures that may be running on a corporate data center or on a cloud service.
• Binding the app to this new kind of stack is an ecosystem of loosely coupled, adaptive software and service technologies that follow the workload, no matter what the infrastructure may be.
• In announcing the round, Herrod notes that we’re increasingly using applications that are mash-ups of multiple services running in multiple places, meaning the firewall model of security don’t work that well anymore. Virtualization is becoming the norm, and services might be in a public or private cloud – or running across both.
• “How an application is protected should be independent of where that application is running or what infrastructure it is running on,” Herrod wrote.

2 more annotations...

• NGFW (next-generation firewall)
• We could see this being useful in cases where Skyhigh detects a SaaS-related threat coming from a particular source (which could be as simple as an IP address) and pushing a blocking rule to Palo Alto that blocks all traffic from that source (rather than just Web-based SaaS).
• Far from simply being a 'cloud firewall,' we think of the CAC market as providing key pieces of the security stack for off-premises application (SaaS) use. In other words, it could be thought of as cloud NAC, cloud DLP, cloud threat detection and prevention, cloud encryption gateway, etc., depending on how the customer decides to use it.

1 more annotation...

• Securing any system requires you to implement layers of protection.  Access Control Lists (ACLs) are typically applied to data to restrict access to data to approved entities. Application of ACLs at every layer of access for data is critical to secure a system. The layers for hadoop are depicted in this diagram and in this post we will cover the lowest level of access… ACLs for HDFS.

• Thomas Davenport, in his keynote at the Hadoop Summit San Jose 2014, said that the big data analytics has entered a new phase: From Analytics 2.0 to 3.0. One aspect of the new phase is data discovery, curation, and relationships, creating new products and services in the data economy.
• However, while they’ve accelerated an organization’s ability to quickly explore and analyze data, they struggle to help link disparate data sets. These data sets lack a foreign key such as an account number to link them. Without a key, users are forced to overlay the data models without the ability to use algorithms to aid in the deconfliction process, leading to collisions and duplication.
• These data sets lack a foreign key such as an account number to link them. Without a key, users are forced to overlay the data models without the ability to use algorithms to aid in the deconfliction process, leading to collisions and duplication.
• Other users are applying ETL processes written for existing sources to these new data sets, but cannot support semi-structured and unstructured sources.
• entity resolution and relationship dimension-building application
• By building foundational entity indices of people, organizations, locations, product, and events, organizations have the ability to understand how a person or product is represented in different systems across the enterprise.

• The questions that analysts can now ask:

   
   
  • Who is an individual and to whom or what are they connected?
   
  • What is an organization, both formal and informal?
   
  • What is a product?
   
  • What events are interconnected between the people, organizations and products that we offer?
   
  • What types of relationships could I uncover that drive operational efficiency, improve customer satisfaction, and better measure risk or detect fraud?
   
  • How can these new data sets and data points transform our business by incorporating the use of leading indicators instead of lagging indicators?

5 more annotations...

• On the webinar, Hortonworks’ Vinod Nair presented the recently-announced Apache Argus incubator: a central policy administration framework across security requirements for authentication, authorization, auditing and data protection. Sudeep Venkatesh, of Voltage Security, defined data-centric protection technologies that easily integrate with Hive, Sqoop, MapReduce and other Hadoop interfaces.
• Apache Argus incubator: a central policy administration framework across security requirements for authentication, authorization, auditing and data protection.

• The fundamentals and best practices of securing your Hadoop cluster are top of mind today. In this session, we will examine and explain the components, tools, and frameworks used in Hadoop

• Data Security for Hadoop is a critical requirement for adoption within the enterprise. Organizations must protect sensitive customer, partner and internal information and adhere to an ever-increasing set of compliance requirements. The security challenges these organizations are facing are diverse and the technology is evolving rapidly to keep pace. 

   
• protect sensitive data across various data stores including Hadoop, securing the data from unauthorized access while at rest, in use and in motion, still maintaining the value of the data for analytics, even in its protected form. Hortonworks and Voltage together are collaborating to provide comprehensive security for the enterprise to enable rapid and successful adoption of Hadoop

• There are several traditional data de-identification approaches that can be deployed to improve security in the Hadoop environment, such as storage-level encryption and data masking.

   
   
• With storage-level encryption the entire volume that the data set is stored in is encrypted at the disk volume level while “at rest” on the data store, which protects against unauthorized personnel who may have physically obtained the disk, from being able to read anything from it.
• Data masking is a useful technique for obfuscating sensitive data, most often used for creation of test and development data from live production information.

3 more annotations...

• Cupertino, CA – June 12, 2014 - Voltage Security, the leading expert in data-centric encryption and tokenization, today announced Voltage SecureData™ Suite for Test/Dev, a new solution providing maximum data protection with industry standards-accepted, next-generation Voltage Format-preserving Encryption™ (FPE) and Secure Stateless Tokenization™ (SST) technologies. 

   

• The Hadoop 2.x update has made it possible for Hadoop-based platforms to expand the scope of this framework like never before. With additions such as YARN, Hadoop-based platforms can now be used to efficiently create Data Hubs.  Zaloni’s Bedrock Management Platform™ is a logical and superior choice for creating these data hubs for several reasons.

• The fundamentals of a comprehensive security strategy start with user authentication and authorization, and network access control to evaluate the devices to which users are requesting access
• t goes on to include rights management, directory services, data encryption, and decryption, with intrusion protection services constantly monitoring the environment for potential intruders. Missing on any of these fundamentals creates that “weakest link” that defines the true effectiveness of your security
• The establishment of a thorough BYOD policy should begin with stated and enforced requirements for acceptable devices – ones that support the required level of encryption, user authentication, and other access security capabilities that the rest of your network adheres to.
• Many security pros have commented that MDM, which stands for “mobile device management,” should stand for “mobile data management,” because data safety and security is the biggest concern.
• The primary strategy to protect against mobile users sharing data in unauthorized ways is data containerization in a secure workspace. Specialized software is used to establish two distinct and separated storage spaces, or data containers, on the mobile device.
• Virtual device infrastructure (VDI) is another strategy that has been used with great success because it completely avoids transferring any data from the corporate network to the user’s device.

4 more annotations...

• CloudMask's technology works on the premise that no one can be trusted with data - including cloud administrators, governments, employees, and even company IT administrators.
• Its "zero trust mode" means only the owner of the data maintains control of decryption keys and decides who should get access to data. Workers in the same group can decrypt shared data which is nonetheless accessible to others in an organisation.
• Its Selective Intelligent Masking technology allows CloudMask to track, protect and control access of the sensitive data throughout its lifecycle.
• Strong encryption, tokenisation and masking ensure data protection, even if a hacker has infiltrated a network.

2 more annotations...