Layer 7: Cloud Security For The Public Sector
1. Cloud Security for Public Sector
Tower Club
Presented by: Adam Vincent, CTO Public Sector, Layer 7 Technologies
avincent@gov.layer7tech.com
2. In the Cloud
Risks to Cloud Consumers:
• Security and Privacy – how can I be sure that my data and applications will be secure?
• Business Continuity – what happens if my Internet provider or cloud provider goes down?
• Business Value – how can I be sure my cloud service provider is meeting my SLA?
• Compliance – how can I ensure regulatory/legal compliance?
“Sharing the Cloud”
Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com
3. Traditional Information Assurance - Multi-Tenant
Multi-Tenant Cloud Environments = Problem
Cloud Consumers
4. Introducing New Risk: Cloud Attack Surface
[Diagram: three Enterprises, each with its own Internet Zone, Perimeter Zone, Application Zone and Virtual Server Zone]
Traditional Software/OS & Perimeter Defense
Risks and the shared layers they apply to:
• Cloud APIs & Governance vulnerabilities – Shared APIs & Cloud Governance
• Hypervisor Exploitation – Shared Hypervisor
• Hardware Exploitation & Supply Chain – Shared Hardware
• Insider Threat – Shared People
5. Introducing New Risk: When the Cloud Attacks
Leveraging the Cloud Nefariously:
• Denial of Service – how can I be sure that my cloud is not being used to launch a DoS?
• Cryptographic Analysis – how can I be sure that my cloud isn’t working towards breaking someone's encryption?
• Command & Control – how can I ensure that my cloud is not providing an adversary a platform to monitor and control a cyber attack?
“Responsibility for Good not Evil”
6. Example: Thunderclap Proof of Concept
Thunderclap – “Cloud Computing – A Weapon of Mass Destruction? (DEFCON 2010)”
• Proof of Concept showing how a DDoS attack could be run from the cloud
Value Proposition (my interpretation)
• Performance: Massive Bandwidth & Power = Plentiful
• Up Front Cost: Stolen Credit Card Number = Free
• Time: Little to none once initial R&D is completed = Time for hobbies
• Value: Charge $$$ to highest bidder = Make massive profit
Conclusion: Not a bad business model!
7. Conclusions
Cloud provides a powerful & agile capability for small, medium, and large businesses.
Cloud Consumers
- Connect: “your cloud capabilities” to current information assurance/cyber defense solutions & requirements
- Protect: “your cloud capabilities” from the threat of shared governance, APIs, networks, virtualization platforms, and hardware
Cloud Providers
- Control: “your cloud infrastructure” with detection and discovery to ensure that it isn't being abused, directed against others, compromised or used for free
Layer 7 Technologies:
CloudSpan products: CloudConnect, CloudProtect and CloudControl help organizations at each stage of their cloud adoption curve, from consuming SaaS services, to running applications securely in the cloud, to becoming a provider of cloud and SaaS services.