Security in Cloud Based Integration Solutions
Sindhu Gangadharan, Vice President, SAP
Journey to the Cloud
Katherine Krieger, Analyst, External Cloud Access Platform of Goldman Sachs
Cloud Security from the Inside
Brian Chess, Senior Vice President of Infrastructure and Security of NetSuite, Inc.
How exactly did Brian Chess end up at this cloud provider? He was originally involved in integrated circuit design, but was more interested in software. He liked the rigorous quality process that hardware was using, but discovered software people didn’t care. So – he started Fortify 🙂
Then he found that the top reason people were not moving to the cloud was concern over security – so, he moved into the cloud!
Again, keep in mind that the cloud provider’s priorities are not the same as yours.
Security is really hard to measure. The difference between a secure system and a very insecure system can be whisker thin. This is a really hard problem. So much of this is about trust.
The largest risk here, as in the financial industry, is from bad insiders. Insider problems.
Like banks, public cloud will need regulation – but we’ll always have to worry about the insider threat.
An Overview of DDOS Impact on Cloud Performance
Yasmine Kandissounon, Software Security Engineer of Rackspace
We all have to worry about distributed denial of service attacks – they are on the rise, and new types of targets are being attacked. 34% more attacks in the first half of 2015 vs 2014, and the average attack size is increasing as well!
The bad guys want to make the systems crash, plain and simple. In the past, the attacker would use just one system to attack your system. But, they got smarter. They are taking control of systems and turning them into zombies, then they use these as botnets to do the attack. This increases their chances of doing the attack and makes it harder to track the real bad guy.
But why? Often, politics. For example, people were mad about a new law in Canada, so an attack was launched against them.
There are a few types of attacks. Protocol abuse, like ping-of-death, teardrop, smurf. There are flooding attacks, where they overwhelm the system. Application layer attacks – like encryption/decryption attacks, HTTP requests, DB queries. Finally, amplification attacks.
Now… bring in the cloud. Even with multi-tenant systems, if the cloud provider is attacked – all people using that service are impacted.
Protect yourself with:
- Hardening: updates, patches, firewalls and access control lists and intrusion prevention systems.
- Packet filtering: deep packet inspection, blackholing and clean pipes
- Traffic routing: CDN (Content Delivery Network)
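
To illustrate the flooding case and why botnets make the real source harder to track, here is an added example (not code from any of the talks; the window size, thresholds and sample records are constructed assumptions). A per-source counter flags the single-host flood but misses the distributed one, which only the aggregate rate catches.

```python
from collections import Counter, defaultdict


def make_sample():
    """Constructed (second, source_ip) request records; not real traffic."""
    # Baseline: 5 clients, one request per second overall.
    normal = [(t, f"198.51.100.{t % 5 + 1}") for t in range(30)]
    # Old-style attack: one host sends 40 requests in a single second.
    single = [(10, "203.0.113.9")] * 40
    # Botnet-style attack: 40 hosts send one request each.
    botnet = [(20, f"192.0.2.{i}") for i in range(1, 41)]
    return normal + single + botnet


def detect(records, window=5, per_source_limit=20, total_limit=30):
    """Bucket requests into fixed windows and apply two checks.

    Returns (per_source_alerts, aggregate_alerts):
      per_source_alerts: (window_start, source_ip, request_count)
      aggregate_alerts:  (window_start, total_requests, distinct_sources)
    """
    per_window = defaultdict(Counter)
    for ts, src in records:
        per_window[ts // window][src] += 1

    per_source, aggregate = [], []
    for w in sorted(per_window):
        counts = per_window[w]
        start = w * window
        # Check 1: any single source above its own limit.
        for src, n in counts.items():
            if n > per_source_limit:
                per_source.append((start, src, n))
        # Check 2: total load above the limit, regardless of who sent it.
        total = sum(counts.values())
        if total > total_limit:
            aggregate.append((start, total, len(counts)))
    return per_source, aggregate


if __name__ == "__main__":
    per_source, aggregate = detect(make_sample())
    for start, src, n in per_source:
        print(f"t={start}s per-source alert: {src} sent {n} requests")
    for start, total, sources in aggregate:
        print(f"t={start}s aggregate alert: {total} requests from {sources} sources")
```

In the second alert window no single address stands out, so an access control list keyed on one source has nothing to block; that is where the upstream filtering and CDN options in the list above come in.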