Welcome!

Java IoT Authors: Yeshim Deniz, Elizabeth White, Liz McMillan, Pat Romanski, Zakia Bouachraoui

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Blog Post

Rethinking Cloud FUD | @CloudEXPO @Imperva #DDos #GDPR #DataSecurity #CloudNative #Serverless #DevOps #DigitalTransformation

Agility means screwing up your security on somebody else's computer

Somebody Else's Security: Rethinking Cloud FUD

Almost every single day-I talk to people who are planning to move their organization's data to the cloud. What's more, this cloud excitement is vertical-agnostic. It's hard to find an industry that isn't thinking about cloud migration. Cisco predicts that, by 2021, 94% of global data center traffic will be processed in the cloud.

This is dramatically different from just a few years ago. Back then, if you asked an enterprise organization if they had plans to move to the cloud, it was like flipping a coin. At the time, enterprises were worried that the cloud inherently lacked security-because of the old bromide that the cloud is "somebody else's computer."

The major cloud providers listened, upping their security and compliance game while continuing to demonstrate the business agility cloud solutions could offer. Now, enterprises, on the whole, can't seem to get enough cloud.

And, for many, their security has suffered.

But their fears were staring back at them in the mirror.

There's a Hole in My AWS Bucket, Dear Liza

Consider just one example of an archetypal cloud security disaster: An IT administrator looks around his office and data center, sees all of his on-prem security solutions-database security, intrusion prevention system, anti-malware software, firewalls, physical security measures, etc.-and from there assumes that (or, at least, acts like) his cloud environment is just as secure. Consequently, he fails to build in additional security layers into the cloud environment-probably while utterly botching his security configurations.

The problem is endemic. In Amazon Web Services alone, an estimated 7% of AWS S3 buckets are configured to allow unrestricted access (which is at least down from five years ago, when that figure was nearly 16%). The list of enterprise IT organizations who had their private data publicly exposed in 2017 because of misconfigured AWS S3 buckets (whether because they did it themselves or because one of their third-party vendors put their data at risk) is long. The list includes consulting firms like Accenture, military contractors like Booz Allen Hamilton and TigerSwan, telcos like Verizon and Orange, financial institutions like Capital One, retailers like Walmart, and entertainment companies like WWE, Viacom, and the Australian Broadcast Corporation

And that's just one common way that enterprises in the cloud shoot themselves in the foot.

M&M Security in the Cloud

Now here's Part 2 of the cloud security disaster I began to describe.

Let's say, miraculously, no ill comes out of the failings of our IT administrator from the earlier example. He may even have accidentally done something right.

But now one of our lead developers looks around, sees the same things that the IT administrator did, and comes to the same conclusions as the IT administrator did about being in a "secure environment." And so, because every keystroke he can save represents precious time, our lead developer uses his recycled, easily guessable password (assuming he bothers to change the default). From there, he proceeds to upload production data (which, in a truly secure development lifecycle (SDLC), he shouldn't have access to in the first place) to the cloud. Then-completely forgetting that his code includes sensitive API keys-the developer posts said code to his GitHub repository.

Now comes an outside hacker, running a dictionary attack to get into our lead developer's GitHub repository. When the dictionary attack succeeds in a matter of seconds, the hacker gains access to our lead developer's user credentials, uses them to breach the company's AWS buckets, and holds the company's data for ransom.

This is an example of locking the door but leaving the key under the mat and having no alarm system, guard dog, or other "inner" security once the outer security of the door is breached.

Consider the tragedy of Code Spaces-a code-escrow company that publicly lauded its "well-practiced" and "proven to work" backup-recovery plan as a selling point. Code Spaces put its entire business-right down to the backups-on AWS. Then-somehow (probably in a manner not too far off from what I just described)-someone compromised or otherwise misappropriated the Code Spaces login for its AWS control panel and used the access to hold everything there for ransom. Code Spaces did not pay the money.

If you were to Google "Code Spaces" right now, you would see headlines like "Murder in the Amazon Cloud" and "Code Spaces: A Lesson In Cloud Backup." Code Spaces is out of business.

Somebody Else's Problem

All of this is to say that the cloud is indeed somebody else's computer, in the same way that an apartment is "somebody else's property." You may be renting the resources, and your "landlord" may be liable for particularized maintenance items-but you're still on the hook for losses and damages if you share your keys, leave the windows open, or leave the door unlocked.

The cloud is secure-or, at least, it can be. But a lot of cloud implementations aren't secure-because enterprises have turned the security fears of the "somebody else's computer" philosophy into a self-fulfilling prophecy. Specifically, the perception of the cloud has evolved from that of "somebody else's computer" to one of "somebody else's problem." The breaches described above were all user caused. All the cloud vendors can do is offer decent UX and training, and then cross their fingers.

4 Cloud Security Tips You Can Use

So what can you do? Here are some places to start:

Address the fundamentals. Let's start with the basics. AWS buckets are private by default. To leave an AWS bucket completely unsecured requires that the administrator do more work-suggesting that probably you have security problems far greater than the scope of this article. Ditto for those administrators and developers who never change the default login credentials-or who leave their login information exposed (whether on a sticky note on a computer monitor, or in a GitHub repository).

Monitor Everything. Let's say you hire a new administrator who inherits an IT environment.  Configuration issues often go overlooked as the new administrator gets acquainted with his or her new world-especially if thorough activity monitoring hasn't been implemented. And headline-splashing cloud security issues will only continue until organizations are truly monitoring what's happening in their cloud environments at the network, API, user access and raw data layers. Your central IT department, therefore, needs to be empowered with greater visibility and monitoring solutions-particularly as they may not be aware as to which workloads have been migrated to the cloud. They also need to be able to keep track of what is connecting to that cloud environment-because for every new API or other connection that is talking to your cloud environment, you have a new potential attack vector to secure.

And most will admit that they should already be monitoring all of this activity for regulatory compliance and/or forensic purposes anyway, though most simply aren't.

Have a Cloud Config Expert. Still, you need to have people who know what they are doing in the first place. It's not enough to have a team of data scientists who can work more efficiently on a cloud-based data platform. At least one of those data scientists needs to also know how to configure and secure that cloud-based data platform.

Audit Your Providers. Cloud vendors, also need to meet all of these standards-beyond mere simplicity and accessibility. (It's 2018; most of them are already sufficiently simple and accessible by now. That's why you wanted to go to the cloud in the first place.) Technology in the cloud should be leveraged to provide the visibility and transparency   to inform you who in your environment-and who in their environment-is touching which data, and when. And they need to be able to prove their compliance with whatever regulations to which you and your data are subject-beyond a mere certification that may or may not be real.

But the responsibility for checking all of this-as with all cloud-security concerns-lies with you. It may be somebody else's computer, but it's your data.

Terry Ray has served as Chief Technology Officer for Imperva since July 2017. He is responsible for developing and articulating the company's technical vision and strategy. Previously, he served as Imperva's Chief Product Strategist where he consulted directly with strategic global customers on industry best practices, threat landscape, data security implementation and industry regulations. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, and other organizations worldwide. He holds a B.A. in Management Information Systems from the University of North Texas.


DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the conference tracks for CloudEXPO |DXWorldEXPO 2018 New York.

DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City.

Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.

A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

2018 Conference Agenda, Keynotes and 10 Conference Tracks

DXWordEXPO New York 2018 and Cloud Expo New York 2018 agenda present 222 rockstar faculty members, 200 sessions and 22 keynotes and general sessions in 10 distinct conference tracks.

  • Cloud-Native | Serverless
  • DevOpsSummit
  • FinTechEXPO - New York Blockchain Event
  • CloudEXPO - Enterprise Cloud
  • DXWorldEXPO - Digital Transformation (DX)
  • Smart Cities | IoT | IIoT
  • AI | Machine Learning | Cognitive Computing
  • BigData | Analytics
  • The API Enterprise | Mobility | Security
  • Hot Topics | FinTech | WebRTC

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

DXWorldEXPO | CloudEXPO 2018 New York cover all of these tools, with the most comprehensive program and with 222 rockstar speakers throughout our industry presenting 22 Keynotes and General Sessions, 200 Breakout Sessions along 10 Tracks, as well as our signature Power Panels. Our Expo Floor brings together the world's leading companies throughout the world of Cloud Computing, DevOps, FinTech, Digital Transformation, and all they entail.

As your enterprise creates a vision and strategy that enables you to create your own unique, long-term success, learning about all the technologies involved is essential. Companies today not only form multi-cloud and hybrid cloud architectures, but create them with built-in cognitive capabilities.

Cloud-Native thinking is now the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, as well as the public sector.

CloudEXPO is the world's most influential technology event where Cloud Computing was coined over a decade ago and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals.

FinTech Is Now Part of the DXWorldEXPO | CloudEXPO Program!

Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expensive intermediate processes from their businesses.

Accordingly, attendees at the upcoming 22nd CloudEXPO | DXWorldEXPO November 11-13, 2018 in New York City will find fresh new content in two new tracks called:

  • FinTechEXPO
  • New York Blockchain Event

which will incorporate FinTech and Blockchain, as well as machine learning, artificial intelligence and deep learning in these two distinct tracks.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

FinTech brings efficiency as well as the ability to deliver new services and a much improved customer experience throughout the global financial services industry. FinTech is a natural fit with cloud computing, as new services are quickly developed, deployed, and scaled on public, private, and hybrid clouds.

More than US$20 billion in venture capital is being invested in FinTech this year. DXWorldEXPOCloudEXPO are pleased to bring you the latest FinTech developments as an integral part of our program.

DXWorldEXPO | CloudEXPO are accepting speaking submissions for this new track, so please visit Cloud Computing Expo for the latest information or contact us at [email protected]

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck ▸ Here

Only DXWorldEXPO | CloudEXPO bring together all this in a single location:

Attend DXWorldEXPO | CloudEXPO. Build your own custom experience. Learn about the world's latest technologies and chart your course to Digital Transformation.

22nd International DXWorldEXPO | CloudEXPO, taking place November 11-13, 2018, in New York City, will feature technical sessions from a rock star conference faculty and the leading industry players in the world.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck: ▸ Here

Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS - software, platform, and infrastructure as a service.

With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.

Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck: ▸ Here

Companies are each developing their unique mix of cloud technologies and services, forming multi-cloud and hybrid cloud architectures and deployments across all major industries. Cloud-driven thinking has become the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, and the public sector.

Sponsorship Opportunities

DXWorldEXPO | CloudEXPO are the single show where technology buyers and vendors can meet to experience and discus cloud computing and all that it entails. Sponsors of DXWorldEXPO | CloudEXPO will benefit from unmatched branding, profile building and lead generation opportunities through:

  • Featured on-site presentation and ongoing on-demand webcast exposure to a captive audience of industry decision-makers.
  • Showcase exhibition during our new extended dedicated expo hours
  • Breakout Session Priority scheduling for Sponsors that have been guaranteed a 35-minute technical session
  • Online advertising on 4,5 million article pages in SYS-CON's i-Technology Publications
  • Capitalize on our Comprehensive Marketing efforts leading up to the show with print mailings, e-newsletters and extensive online media coverage.
  • Unprecedented PR Coverage: Unmatched editorial coverage on Cloud Computing Journal.
  • Tweetup to over 100,000 plus Twitter followers
  • Press releases sent on major wire services to over 500 industry analysts.

Secrets of Our Most Popular Sponsors and Exhibitors ▸ Here

For more information on sponsorship, exhibit, and keynote opportunities, contact [email protected].

Show Prospectus V041818 Here

Download Slide Deck:Here

Speaking Opportunities

The upcoming 22nd International DXWorldEXPO | CloudEXPO November 11-13, 2018 in New York City, NY announces that its Call For Papers for speaking opportunities is now open.

Secrets of Our Most Popular Faculty Members ▸ Here

Submit your speaking proposal Here or by email [email protected].

Download Slide Deck: ▸ Here

About DXWorldEXPO LLC

DXWorldEXPO LLC is a Lighthouse Point, Florida-based trade show company and the creator of DXWorldEXPODigital Transformation Conference & Expo. The company produces and presents CloudEXPO, DevOpsSummitFinTechEXPO Blockchain Event, the world's most influential conferences and trade shows.

More Stories By Terry Ray

Terry Ray has served as Chief Technology Officer for Imperva since July 2017. He is responsible for developing and articulating the company's technical vision and strategy. Previously, he served as Imperva's Chief Product Strategist where he consulted directly with strategic global customers on industry best practices, threat landscape, data security implementation and industry regulations. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, and other organizations worldwide. He holds a B.A. in Management Information Systems from the University of North Texas.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
Where many organizations get into trouble, however, is that they try to have a broad and deep knowledge in each of these areas. This is a huge blow to an organization's productivity. By automating or outsourcing some of these pieces, such as databases, infrastructure, and networks, your team can instead focus on development, testing, and deployment. Further, organizations that focus their attention on these areas can eventually move to a test-driven development structure that condenses several l...
The graph represents a network of 1,329 Twitter users whose recent tweets contained "#DevOps", or who were replied to or mentioned in those tweets, taken from a data set limited to a maximum of 18,000 tweets. The network was obtained from Twitter on Thursday, 10 January 2019 at 23:50 UTC. The tweets in the network were tweeted over the 7-hour, 6-minute period from Thursday, 10 January 2019 at 16:29 UTC to Thursday, 10 January 2019 at 23:36 UTC. Additional tweets that were mentioned in this...
Over the course of two days, in addition to insightful conversations and presentations delving into the industry's current pressing challenges, there was considerable buzz about digital transformation and how it is enabling global enterprises to accelerate business growth. Blockchain has been a term that people hear but don't quite understand. The most common myths about blockchain include the assumption that it is private, or that there is only one blockchain, and the idea that blockchain is...
Never mind that we might not know what the future holds for cryptocurrencies and how much values will fluctuate or even how the process of mining a coin could cost as much as the value of the coin itself - cryptocurrency mining is a hot industry and shows no signs of slowing down. However, energy consumption to mine cryptocurrency is one of the biggest issues facing this industry. Burning huge amounts of electricity isn't incidental to cryptocurrency, it's basically embedded in the core of "mini...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
The term "digital transformation" (DX) is being used by everyone for just about any company initiative that involves technology, the web, ecommerce, software, or even customer experience. While the term has certainly turned into a buzzword with a lot of hype, the transition to a more connected, digital world is real and comes with real challenges. In his opening keynote, Four Essentials To Become DX Hero Status Now, Jonathan Hoppe, Co-Founder and CTO of Total Uptime Technologies, shared that ...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the competition, or worse, just keep up. Each new opportunity, whether embracing machine learning, IoT, or a cloud migration, seems to bring new development, deployment, and management models. The results are more diverse and federated computing models than any time in our history.