Latest Articles

Fundamental Cloud Security Part 19 – Impact on security policies when implementing cloud solutions

Working with public cloud services increases the attack surface and requires us to adapt our security controls and policies. Public cloud environments reside outside the organizational network and, as a result, are exposed to the internet and shared with other customers, even when we take multi-tenancy into account and limit access to cloud environments using VPN tunnels. The traditional approach, whereby organizational assets are kept inside a secure perimeter, does not work for cloud environments. In this post, I will review some of the common policies and procedures we need to review and adapt in order to mitigate the risk of working with public clouds. Identity management: In our local environments (on premise), we typically manage...

2-day Cloud Workshop for NREN cloud managers

The goal of the training is to raise awareness of cloud technology and build cloud capability in Europe through interactive sessions and live discussion. This cloud training will be first and foremost for the European NRENs (both the CEOs and CTOs) to meet the GÉANT cloud team and Microsoft, AWS and Google cloud experts. Priority will be given to Eastern European countries participating in the EAPConnect project and to NRENs in the GN4-3 project that have not attended the GÉANT cloud workshops before. The GÉANT cloud team, in collaboration with the Learning and Development team GLAD, will introduce the GÉANT cloud portfolio, tools and the skills and knowledge needed for making decisions about clouds. The participants will bring along their...

Fundamental Cloud Security Part 18 – Top security threats in cloud environments

Working with cloud environments may pose certain security threats to an organization. In this post, we will review the most common threats and what measures are available to mitigate them. Data breach: A data breach is when sensitive data (such as research data, healthcare data, personal or financial data) is exposed to the public. Possible mitigations: access control lists (making sure data is accessible only to the intended people); encryption (making sure data is readable only by the intended people); monitoring and auditing (having the ability to log and alert on possible data breaches); classification (the ability to configure access rights by data sensitivity). Misconfiguration: In this type of threat, an attacker takes advantage of the fact that a...

Fundamental Cloud Security Part 17 – Cloud Access Security Broker

In the past couple of years, a new range of solutions and technologies known as Cloud Access Security Brokers (CASB) has emerged in order to provide additional security controls for cloud environments, where many traditional tools and controls cannot be used. A CASB allows organizations to apply their security policies beyond their own infrastructure and provides visibility into the use of risky or unsanctioned cloud applications. There is no official standard defining exactly what a CASB (Cloud Access Security Broker) is; however, in this post we will discuss common terminology and the common capabilities most CASB solutions have. CASBs are very common for SaaS applications such as Office 365, SalesForce, Box, Dropbox, etc. Network topology...

Fundamental Cloud Security Part 16 – Encryption in Public Cloud Services

In a previous post we explained the basic concepts of encryption. In this chapter we will focus on the various solutions offered by public cloud vendors in the area of encryption and cryptography. AWS: AWS Key Management Service – a managed service for creating, storing and using both symmetric and asymmetric encryption keys, generated by AWS or supplied as customer managed keys. Reference articles: AWS CloudHSM – a hardware security module for managing encryption keys, offered as part of AWS managed services, for use cases where there is a regulatory requirement or highly sensitive data that needs to be encrypted using a FIPS 140-2 level 3 validated module. Reference articles: AWS Secrets Manager – a managed service for encrypting, storing and retrieving...

Community Collaboration, Outreach and Training Across the Globe

Representatives from the GÉANT Cloud team participated in outreach and training events throughout the year. The last quarter of 2019 was particularly busy. Here are some highlights: National cloud trainings: Four national cloud trainings took place in Ireland, Spain, Belgium and Switzerland during November. These trainings were organised in collaboration with NRENs and cloud providers. GÉANT project collaboration: The GÉANT Cloud team participated in the meetings of two very active GÉANT project Special Interest Groups (SIG) – SIG-Marcomms and SIG-MSP (Management of Service Portfolio). The separate and joint meetings were held in Montpellier, France, during September 2019. The GÉANT Cloud team provided updates and moderated important discussions...

LMS Update

After much deliberation, and with surveys indicating insufficient demand, it was decided to table the planned pan-European Learning Management System (LMS) tender, which was supposed to be completed in 2019. Instead, the GÉANT Cloud team is working on a tender document bundle that will be made available to the national communities that need it, based on estimated consumption volumes.

Fundamental Cloud Security Part 15 – Case Study: Building a Secure Research Environment in Google Cloud Platform

The goal of this post is to present a common case study for building a research environment in Google Cloud Platform (GCP). Building an environment in the cloud involves several topics we need to take into consideration (such as how we access resources in the cloud, where and how we store data in the cloud, how we protect the infrastructure, etc.). Let’s consider the following architecture: researchers will connect to the cloud environment remotely over the internet and log on to a Linux machine with data analytics tools; original data sets will be stored using file storage; output data will be processed in a MySQL database; due to data sensitivity, data must be protected at all times. In the following sections we will break down the...

An Eye on Real-time WebRTC Service for Research, Education and Arts Communities

An exciting development from the GÉANT project is the successful launch of the eduMEET WebRTC web-conferencing platform. Designed and developed within the GÉANT project, eduMEET is the result of a comprehensive and transverse approach to video conferencing. Created by the research community for the research community, eduMEET offers a compelling alternative to commercial solutions. The goal of eduMEET is to significantly simplify real-time communication for the Research, Education and Arts communities. The browser-based conferencing tool runs without the need to install additional clients or plugins. Only a web browser, a microphone and a simple webcam are needed to start using the eduMEET service. eduMEET supports both desktop and mobile...

Fundamental Cloud Security Part 14 – Case Study: Building a Secure Research Environment in Microsoft Azure

The goal of this post is to present a common case study for building a research environment in Azure. Building an environment in the cloud involves several issues we need to take into consideration, such as how to access resources in the cloud, where and how to store data in the cloud, how to protect the infrastructure, etc. Let’s consider the following architecture: researchers remotely connect to the cloud environment over the internet and log on to a Windows machine with data analytics tools; original data sets will be stored using file storage; output data will be processed in an Azure SQL database; due to data sensitivity, data must be protected at all times. Here are some best practices for a research team to adopt using built-in Azure...
