Archive for the ‘Security’ Category

Cloud Architecture Security & Reliability

January 31, 2014

Yesterday, I gave a presentation at SSIT, Tumkur on Cloud Architecture Security & Reliability to the faculty members of SSIT and SIT Tumkur.

With the advent of the Cloud Computing paradigm, at least five categories of “Actors” have emerged:

1. Cloud Consumers
2. Cloud Providers
3. Cloud Brokers
4. Cloud Auditors
5. Cloud Carriers

The NIST conceptual reference model gives a nice overview of these. ( http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf )


Security, or more specifically “Information Security”, is a cross-cutting concern across all these actors. The CSA publishes its list of top threats regularly. The top threats for 2013 are:

  1. Data Breaches
  2. Data Loss
  3. Account Hijacking
  4. Insecure APIs
  5. Denial of Service
  6. Malicious Insiders
  7. Abuse of Cloud Services
  8. Insufficient Due Diligence
  9. Shared Technology Issues

All these threats translate into protecting four major areas of Cloud Architecture:

  1. Application Access – Authentication and Authorization
  2. Separation of Concerns – Privileged user access to sensitive data
  3. Key Management – of encryption keys
  4. Data at Rest – Secure management of copies of data

Interestingly, the ENISA threat landscape also points to similar emerging threats related to Cloud Computing.

Is there any shortcut to achieving security for any of the actors in the Cloud? I do not think so. The perspective presented by Booz & Co on cloud security has a nice ICT Resilience life cycle, which was discussed.

Finally, there was a good discussion on Reliability and Redundancy. The key question was how to achieve better reliability in a complex IT system consisting of multiple components across multiple layers (i.e., web, application, database): make the best use of the non-failing components to share the load, while isolating the failed component, decoupling it from the cluster, and seamlessly re-balancing the workload across the remaining working components.

Overall it was a good session to interact with academia!

The slide deck that was used:

web age of WWW

August 8, 2011

As the WWW turns 20 years old over the weekend (Link to the first webpage), my association with computers turns 23 years old today. The WWW is estimated to have approx. 20 billion pages as of today.

The information-hungry world started making “Assets” out of information. Information has been classified as confidential, sensitive, internal, limited circulation, public, etc., and some companies today live purely on “Informational Assets”…

Protecting these information assets in the current climate of hacking (Operation Shady RAT, and reports stating that the claims of Shady RAT themselves are shady!) is truly a challenge. The storage of information and its regulated flow to different end points need to be fully governed and secured.

My past blog posts related to the Information Security:

1. Data Security Technologies

2. Maximum Security Architecture

3. Identity and Access Management

With all this technology, there is still a lot of “insecurity” among technologists. Why?

Originally, information was published by its owner, who would secure it with the necessary proven authentication. Overall, the information flow is between two known entities (e-mail, etc.).

OR

Public information is broadcast to reach the maximum number of recipients (spam mails, etc.).

As the WWW advanced to “Social” media, information is now published by individuals for consumption by like-minded individuals who may be directly known or unknown to the original publisher. This mode of information flow makes the whole process of information security very complex.

Technology surely can live up to the challenges posed by the trends in the information management area. The only thing needed now is clever brains to tackle the threats… It is all in the proper implementation of the available technology…

On this 8400th day of my association with computers and software, I am working on securing information in the financial industry… Let us all hope we will have another 20 years of a flourishing, safe and secure WWW….

Maximum Security Architecture

May 1, 2010

In one of my past posts (in Feb 2008), I listed the different technologies available in the Data Security area.

With the Oracle 11g database, the security focus has taken a more methodical and architectural approach.

To put things together, data security is placed under the following four broad categories:
1. User Management
2. Access Control
3. Encryption and Masking
4. Auditing/Monitoring
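As an added illustration, which is not part of the original post and not taken from Oracle's own documentation, the Oracle 11g SQL below puts one concrete control under each of the four categories above. It also maps onto the four areas listed in the Cloud Architecture post (application access, privileged user access to sensitive data, key management, data at rest). The schema, table, user, role and profile names (hr.customers, app_reader, customer_readonly, app_secure_profile) and all passwords are placeholders chosen for this example, and it assumes the TDE wallet location has already been configured in sqlnet.ora and the statements are run by a DBA-privileged user.

```sql
-- Added example: one control per Maximum Security Architecture category.
-- All object names and passwords are placeholders; run as a DBA-privileged user.

-- 1. User Management: a password policy enforced through a profile, and an
--    application account that cannot store data of its own (QUOTA 0).
CREATE PROFILE app_secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24      -- one hour, expressed in days
  PASSWORD_LIFE_TIME    90
  PASSWORD_REUSE_MAX    10;

CREATE USER app_reader IDENTIFIED BY "Placeholder_Pwd_1"
  PROFILE app_secure_profile
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;

-- 2. Access Control: privileges flow through a role, never directly to the
--    user, and the role is only ever granted the masked view (see 3), so the
--    application account never reads the base table.
CREATE ROLE customer_readonly;
GRANT CREATE SESSION TO customer_readonly;
GRANT customer_readonly TO app_reader;

-- 3. Encryption and Masking: the wallet holds the master key (key management
--    is kept separate from the data files), the card number column is
--    TDE-encrypted at rest, and a view masks it for everyone except the owner.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Placeholder_Wallet_Pwd";

CREATE TABLE hr.customers (
  customer_id NUMBER        PRIMARY KEY,
  full_name   VARCHAR2(100) NOT NULL,
  card_number VARCHAR2(19)  ENCRYPT USING 'AES256'
);

CREATE VIEW hr.customers_masked AS
  SELECT customer_id,
         full_name,
         'XXXX-XXXX-XXXX-' || SUBSTR(card_number, -4) AS card_number
    FROM hr.customers;

GRANT SELECT ON hr.customers_masked TO customer_readonly;

-- 4. Auditing/Monitoring: record every access to the base table and every
--    failed logon (requires AUDIT_TRAIL set to DB or DB,EXTENDED).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.customers BY ACCESS;
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;

-- Checks to run afterwards: is the column really encrypted, and is the
-- audit trail filling up as expected?
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'CUSTOMERS' OR action_name = 'LOGON'
 ORDER BY timestamp DESC;
```

The ordering matters: the wallet must be open before the CREATE TABLE with the ENCRYPT clause runs, and the SELECT grant is placed on the masked view rather than on hr.customers so that the "privileged user access to sensitive data" concern from the cloud post is addressed by the schema itself rather than by application code.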

Just like the Maximum Availability Architecture for highly available architectural patterns, we can call this the Maximum Security Architecture for highly secure architecture….

One should choose the required options and implement them properly to really make the data SECURE!

This Link gives more details of MSA on the Oracle 11g database.