Databricks Enterprise Security Guide
- Edward Spencer
- 6 years ago
Databricks is committed to building a platform where data scientists, data engineers, and data analysts can trust that their data is secure. Through implementing industry-wide best practices and building upon the many security-related features provided by AWS, Databricks addresses the most commonly required security controls, highlighted in this document. This document describes Databricks deployment architecture in detail, illustrating how security is addressed throughout.

Contents

- Deployment Model
- Compliance Program
- Defense in Depth
- Customer Data
- Databricks Access to Customer Environment
- Employee Access
- Data Governance
- Data Flow & Encryption
- Customer Credentials Management
- Backups
- Application
- Authentication and Authorization - End User Access Control
- Role-based Access Controls (ACL)
- Change Management & Secure Coding
- Host
- Hardening Standards
- Vulnerability Management
- Network Security
- Network Isolation
- Spark Cluster Network Isolation
- VPC Isolation of Customer's Service in Databricks Account
- Security Groups & Network ACLs
- No Public IPs
- Monitoring
- Physical Security
- Infrastructure
- Office
- Logging and Monitoring
- Policies & Procedures

Deployment Model

The Databricks Enterprise offering is a single-tenant deployment.

- Data plane: Spark clusters are deployed in a customer AWS account. Customer datasets are stored in customer owned and managed storage, e.g. AWS S3, RDBMS, NoSQL.
- Control plane: Runs in the Databricks account in a VPC dedicated to a single customer.

[Figure: deployment architecture diagram. Labels in the figure: Databricks Dedicated VPC; Databricks VPC; Customer Controlled Audited Access*; Databricks Admin; TLS; Home, Workspace, Notebooks, Tables, Jobs; Central Services; SOC 2 Type 2 (3/17); VPN gateway; Customer VPC; IAM Role Cross-Account API Access; Customer VPCs; Customer Choice of Connectivity; Clusters; Data Sources. * Refer to Audited Controls. Callouts: End-to-End encryption, & integrity protection; KMS Encryption Controlled by Customer; Zero Maintenance; Single-Tenant; VPC Isolation of Control Plane; Secured Internal Communication; Secured Access and Authorization; Encrypted Customer State; Isolated AWS Accounts; Apache Spark Cluster Network Isolation; Smarter cost controls.]

Compliance Program

Databricks engages with an independent CPA firm to perform annual and semi-annual audits. We currently hold:

- A SOC 2, Type 2 attestation. The SOC 2 report covers design and operational effectiveness of controls to meet the trust criteria for security, availability, and confidentiality.
- An attestation of HIPAA compliance.

Additionally, Databricks is engaged with an independent third party organization, NCC Group (formerly iSEC Partners), to conduct annual code reviews and penetration tests.

Defense in Depth

Databricks follows the Defense in Depth approach in order to address security as a whole. This comprehensive strategy spans technology, policies and procedures, as well as promoting a security-first culture. Databricks Defense in Depth covers Customer Data, Application, Host, Network, Physical, Logging and Monitoring, Policies, Procedures and Awareness.

[Figure: Defense in Depth layers: Customer Data, Application, Host, Network Security, Physical Security, Logging and Monitoring, Policies and Procedures]

Customer Data

CUSTOMER DATASETS

Databricks is built to work with a customer's existing data. It does not provide a persistent storage layer in and of itself, but is instead designed to leverage Spark's excellent support for various preexisting data sources and data formats, and provides additional optimizations where applicable. Databricks customers most often utilize AWS Simple Storage Service (S3), but can also access a number of other sources (e.g. RDBMS, NoSQL, CSV uploads, etc.). A wide range of data formats are supported, including CSV, Parquet, JSON, Hadoop (e.g. Sequence Files, Avro). All sources and formats are accessible using whatever client authentication mechanisms are required for the given source.

CUSTOMER METADATA

Customer metadata, including customer queries, outputs of the queries, as well as web user accounts, is stored in Databricks AWS RDS and encrypted with AWS KMS. Databricks provides customers with an option to use their own encryption (AWS KMS) to secure data at rest.

SECURED INTERFACES TO SPARK CLUSTERS

Spark clusters are ultimately responsible for accessing and processing data in the Databricks environment, and access to Spark clusters occurs primarily through the web frontend interface. Access to frontend services requires authenticated identities and is encrypted through SSL. Commands are pushed from the frontend to the Spark cluster through an SSL-encrypted connection that utilizes certificate-based authentication.

VPC PEERING TO ADDITIONAL CUSTOMER VPC

Network access from the Databricks Spark clusters to any additional customer data sources can be conveniently enabled through VPC peering between the Spark clusters' VPC and the external VPC. In lieu of VPC peering, standard network routing or VPN configurations can be used.

Databricks Access to Customer Environment

PROGRAMMATIC

Privileged Databricks services have the ability to monitor and update customer deployments.

Our monitoring agent has the ability to make metadata-only black box checks against the customer environment, such as listing clusters or jobs to ensure that the respective services are healthy and resulting in valid data. Additionally, we make EC2 describe calls to ensure the health of the AWS resources.

Our update agent has the ability to provision new EC2 instances in the customer environment and to request that existing instances pull new artifacts from the Databricks artifact repository and self-update.

Employee Access

Databricks has developed a proprietary system for requesting, approving, revoking, and logging access to customer data: Genie. As a general practice, Databricks employees do not access customer data unless specifically requested by a customer (e.g. to troubleshoot). Such requests should be documented in a Zendesk ticket and include consent for Databricks to access their environment.

Following receipt of a Zendesk ticket, a Databricks engineer will review the issue reported and, if needed, submit a request to Genie to grant him/her access to the customer environment in order to address the issue. Genie, upon successful validation of the ticket number and customer consent, approves the engineer's access to the customer environment. Such access is approved for a specified period of time after which the access permission is automatically revoked. Genie can approve access only for a limited group of engineers, which is reviewed and revalidated quarterly.

All access to a customer environment by Databricks personnel, including any actions taken, is logged and available for customers to review as part of the Databricks service audit logs.

Data Governance

Customer data is stored in Amazon S3 and Databricks designates which physical region individual customers' data and servers will be located. Data replication for Amazon S3 data objects is done within the regional cluster where the data is stored and is not replicated to data center clusters in other regions. For example, by default, all data from Databricks customers in the EU will have their cloud data, logs, databases, and cluster management stored in the AWS data center in the EU, and that data will not be transferred to data centers outside the EU.

Data Flow & Encryption

This section details data flow, where a user's data enters Databricks, how it moves through the system and gets stored, with the particular goal of ensuring the data is always encrypted in transit and at rest.

CUSTOMER DATA ENTERS DATABRICKS THROUGH TWO MECHANISMS:

1. Data sources that are accessed through Databricks
2. User-entered data (typically credentials)

The data flow below illustrates (i) the Databricks-owned instances for Databricks Services and (ii) customer-owned Worker instances on which the customer-owned Container Processes and Databricks-owned Data Daemon reside.

[Figure: data flow diagram. Components shown: RDS, Root Bucket, Customer Data, Customer Input, Service, Container Process, Data Daemon, EBS volumes, Logs, S3/Kinesis. The labels (1) to (10) in the figure correspond to the numbered items below.]

Lines indicate where data is in transit and disks indicate where data lies at rest. Orange is input to the system (customer data) and green is Databricks-owned, where customer data initially does not reside.

1. Customer data stored in customer-owned data sources (e.g., S3, RedShift, RDS) is read directly by the container. The customer is responsible for using encrypted connections. Databricks-provided defaults always use encryption for S3 access. The Data Daemon (which always uses the S3 Root Bucket) always uses HTTPS to talk to S3.
2. Data input by the customer to Databricks services (or secrets which may give access to customer data) always uses HTTPS (either through a browser session or through our API which requires TLS 1.1 or 1.2).
   a) For AWS-related calls, customers are recommended to use roles.
3. Communication between the Databricks Service (Control Plane) and Container Process (Data Plane) occurs over an RPC mechanism which uses TLS 1.2 and client/server mutual authentication.
4. Communication between the Container Process and Data Daemon is not encrypted, but the two are colocated on the same physical instance and iptables rules prevent other containers from observing the traffic.
5. Spark will transfer data between executors in order to perform distributed operations. This data is not encrypted and travels between physical instances within the same VPC.
6. Databricks Services, the Data Daemon, and the Container Process write logs to their local EBS volumes. Encryption depends on the configuration of the EBS (see below).
7. The Container Process and Data Daemon additionally write customer data to their local EBS volumes for the sake of caching. Same encryption story as 6.
   a) Local disks are used for logs and data caching. When Amazon launches a new instance, the bootstrap disk can either be a copy of a local disk image stored in S3 or an EBS volume snapshot. Our AMIs are based on EBS volumes. The bootstrap EBS volume snapshot may be encrypted with KMS, but then the AMI cannot be directly shared with other accounts. As a result of this stipulation, our current solution regarding encrypted EBS volumes is a bit nuanced:
      i) Instances running in our account (Databricks Services) use an encrypted EBS volume, and as a result, are encrypted using KMS.
      ii) Instances running in the customer account do not use an encrypted EBS volume on boot, but we instead request additional data EBS volumes encrypted with KMS and put all container data on these disks.
8. The Databricks Services and, in some configurations, the Container Process, share an RDS instance in which they store user-input data (including access keys) as well as results of customer queries. The instance uses a per-customer KMS key to encrypt its EBS and backups. The database is also backed up to S3 where it is also KMS-encrypted using the same key.
9. Databricks Services and the Data Daemon store certain data (namely, mount point metadata) in the Databricks Root bucket which may contain customer data. Customer-input secret keys are encrypted with SSE-S3.
10. Log data is uploaded to the Databricks Log Pipeline via Kinesis. Logs at rest are encrypted with AWS KMS and logs in flight are encrypted with TLS

Customer Credentials Management

Data input by the customer to Databricks services (or secrets which may give access to customer data) always uses HTTPS (either through a browser session or through our API which requires TLS 1.1 or 1.2). Customer AWS credentials are stored encrypted with client-side encryption on a private and secure S3 bucket. The key used to encrypt the credentials is stored encrypted on S3 in a separate private and secure S3 bucket. The stored credentials are only accessed by our automated deployment process and no Databricks personnel has direct access to the credentials.

Backups

Databricks performs automated scheduled backups of metadata and systems every 24 hours. The backups are stored in AWS RDS with access restricted to authorized employees. Backup and recovery procedures are tested on an annual basis.

Application

Authentication and Authorization - End User Access Control

SSO

Databricks provides Single Sign-On (SSO) to enable a customer to authenticate its employees using a customer's identity provider. As long as the identity provider supports the SAML 2.0 protocol (e.g. OKTA, Google for Work, OneLogin, Ping Identity, Microsoft Windows Active Directory), a customer can use Databricks SSO to integrate with its identity provider and sign in.

Databricks provides several ways to control access to both data and clusters inside of Databricks.

Role-based Access Controls (ACL)

CLUSTERS IAM ROLES

An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. IAM Roles allow you to access your data from Databricks clusters without having to embed your AWS keys in notebooks.

CLUSTER ACL

There are two configurable types of permissions for Cluster Access Control:

- Individual Cluster Permissions - This controls a user's ability to attach notebooks to a cluster, as well as to restart/resize/terminate clusters.
- Cluster Creation Permissions - This controls a user's ability to create clusters.

WORKSPACE ACL

Workspace ACL provides control over who can view, edit, and run notebooks. You can assign five permission levels to notebooks and folders: No Permissions, Read (View Cells, Comment), Run (Run Commands, Attach/Detach Notebooks), Edit Cells, and Manage (Change Permissions).

NOTEBOOKS ACL

All notebooks within a folder inherit all permissions settings of that folder. For example, if you give a user Run permission on a folder, that user will have Run permission on all notebooks in that folder.

LIBRARY AND JOBS

All users can view libraries. To control who can attach libraries to clusters, use Cluster Access Control. A user can only create jobs from notebooks that they have Read permissions to. Also, users can view a Notebook Job run result only if they have Read permissions on the notebook of that job. If a user deletes a notebook, only admins can view the runs.

Change Management & Secure Coding

Databricks has a formal change management process in place. All changes must be authorized, tested, approved, and documented. Databricks has implemented a secure development lifecycle (SDL) to ensure that security best practices are an integral part of development. The SDL covers formal design reviews by the security team, threat modeling, automated and manual code peer review, as well as penetration testing by a leading security firm. Additionally, all developers are provided with secure coding practices training as part of their onboarding.

Host

Databricks has formal host hardening and vulnerability management processes in place.

Hardening Standards

All hosts run the latest version of the Ubuntu operating system and are hardened according to Center for Internet Security (CIS) benchmarks. In summary, the hardening standards cover the following:

- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts.
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system.
- Implementing additional security features for any required services.
- Configuring system security parameters to prevent misuse.
- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Vulnerability Management

PATCHING UPDATES

All hosts are patched periodically for security updates and critical patch fixes. All patches are authorized, tested, and approved in accordance with the Databricks change management process. Zero-day exploits are patched as soon as possible after testing.

SCANNING

All hosts are scanned periodically for vulnerabilities with Nessus. All security vulnerabilities are investigated by the security team and remediated according to the Databricks security incident remediation SLA:

- Critical: Immediately
- High: Within five days
- Medium: Within 60 days
- Low: Based on the business requirements

Network Security

Network Isolation

Databricks is deployed in a customer AWS account. We recommend that a customer uses a separate AWS account for deploying the Databricks service because the IAM role required for running the service could theoretically affect other services within the account.

Spark Cluster Network Isolation

The Spark deployments are firewalled by default and isolated from each other. Access to these clusters is limited to the frontend of Databricks by default, but can also be opened up by adding an Elastic IP address (Databricks provides sample notebooks for performing this operation).

VPC Isolation of Customer's Service in Databricks Account

Databricks operates and maintains the web frontend and cluster management resources on behalf of the customer, but isolates those resources from other customer deployments by deploying within a dedicated VPC. The VPC uses dynamic IPs in the range /16.

Security Groups & Network ACLs

A Databricks deployment utilizes multiple AWS security groups to control and protect egress and ingress traffic. External-facing resources such as the Databricks web portal instance use a security group that exposes port 443, which provides the ability for users to log in. The login to the web portal via port 443 is secured by SSL encryption. There are no other ports exposed externally on the Databricks webapp instance. Other instances, such as the Databricks cluster manager instance and Spark workers, do not expose any external-facing ports. The AWS security groups attached to these instances only allow internal-facing traffic between instances. In addition to security groups, a Databricks deployment utilizes network ACLs to control inbound and outbound traffic at the subnet level.

No Public IPs

The Databricks customer success team can enable a feature flag to turn off not having public IPs in the workers as well as whitelist IP addresses that are allowed to access the Databricks web portal.

Monitoring

All network activity is logged and monitored. Databricks leverages AWS VPC flow logs to capture information about the IP traffic going to and from network interfaces, as well as all VPC and AWS CloudTrail logs to capture all API calls made by a Databricks AWS account. The log data is retained for a minimum of 365 days and access to the logs is restricted to prevent tampering.
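
A check for the security-group posture described under Security Groups & Network ACLs (only port 443 exposed on the web portal, no external-facing ports on the cluster manager or Spark workers), as an added example that is not part of the Databricks guide. It assumes rule data in the shape returned by the EC2 DescribeSecurityGroups API; the `role` tag, the role names, the group IDs and the sample rules are constructed for illustration.

```python
import ipaddress

# Assumed policy, taken from the guide's description: only the web portal
# accepts external traffic, and only on TCP 443. The role names and the
# "role" tag key are hypothetical labels for this example.
ALLOWED_EXTERNAL_TCP = {
    "webapp": {443},
    "cluster-manager": set(),
    "spark-worker": set(),
}

# Address space treated as internal to the deployment (RFC 1918 and IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_external(cidr):
    """True when the CIDR is not fully contained in an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i)
                   for i in INTERNAL_NETS)


def audit_group(group):
    """Return findings for one group as (group_id, role, rule, cidr) tuples."""
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    role = tags.get("role", "untagged")
    allowed = ALLOWED_EXTERNAL_TCP.get(role, set())  # unknown role: nothing allowed
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        proto = perm["IpProtocol"]
        if proto == "tcp":
            ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
            if ports <= allowed:
                continue  # every port in this rule is permitted externally
            rule = "tcp/%d-%d" % (perm["FromPort"], perm["ToPort"])
        else:
            # "-1" means all protocols and ports; anything non-TCP is out of policy
            rule = "all protocols" if proto == "-1" else proto
        for cidr in cidrs:
            if is_external(cidr):
                findings.append((group["GroupId"], role, rule, cidr))
    return findings


def audit(groups):
    """Audit every group and return the combined list of findings."""
    return [f for g in groups for f in audit_group(g)]


def _group(gid, role, perms):
    return {"GroupId": gid, "Tags": [{"Key": "role", "Value": role}],
            "IpPermissions": perms}


# Constructed sample input: two compliant groups and three violations.
SAMPLE_GROUPS = [
    _group("sg-0001", "webapp", [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]),
    _group("sg-0002", "spark-worker", [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0002"}]}]),
    _group("sg-0003", "spark-worker", [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]),
    _group("sg-0004", "webapp", [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]),
    _group("sg-0005", "cluster-manager", [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]),
]

if __name__ == "__main__":
    for gid, role, rule, cidr in audit(SAMPLE_GROUPS):
        print("%s (%s): %s open to %s" % (gid, role, rule, cidr))
```

Run against live data, the same functions accept the `SecurityGroups` list from a DescribeSecurityGroups response once the groups carry a role tag.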

Physical Security

Infrastructure

Databricks is hosted on AWS. AWS data centers are frequently audited and comply with a comprehensive set of frameworks including ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS. AWS physical data centers are located in secret locations and have stringent physical access controls in place to ensure that no unauthorized access is permitted, including biometric access controls and twenty-four-hour armed guards and video surveillance.

Office

Databricks implements physical controls in its office including badge readers, a staffed reception desk, visitor sign-in, and a clean desk policy.

Logging and Monitoring

Databricks provides comprehensive end-to-end audit logs of activities done by the users on the platform, allowing enterprises to monitor the detailed usage patterns of Databricks as the business requires. The audit logs cover Accounts, Notebooks, Clusters, DBFS, Genie, Jobs, SQL Permissions, Customer SSH Access, Tables. Once enabled for your account, Databricks will automatically start shipping the audit logs in human-readable format to that location every 24 hours. The logs will be available within 72 hours of an activation. Databricks encrypts audit logs using Amazon S3 server-side encryption.

Policies & Procedures

Databricks has implemented a number of policies and procedures aimed at enforcing security best practices. The policy and procedures documents are accessible to all employees, reviewed and updated at least annually, and communicated to all employees upon hire and periodically thereafter. The suite of security policies includes the following:

- Data Classification: Defines levels of data sensitivity (public, private, sensitive, confidential, secret) and describes acceptable methods for storage, access, sharing.
- Access Management: Describes procedures for provisioning and deprovisioning of access, periodic access reviews, password and MFA requirements (provisioning, deprovisioning, 2fa, reviews).
- Acceptable Use: Describes acceptable and unacceptable use as well as enforcement.
- Security Training: Outlines types of security trainings per function (engineering vs. general), frequency, and delivery methods.
- Incident Response: Describes incident response process, responsibilities, SLA.
- Risk Management: Describes risk management methodology and frequency of assessment.
- Threat Modeling: Describes threat modeling methodology and tools.
- Performance Monitoring: Defines system performance KPIs and describes escalation process.
- Hardening Standards: Describes system hardening standards and process.

Databricks has a dedicated security team focused on product security, corporate security, security operations, as well as privacy and risk and compliance.

Secure Your Enterprise Workload Today

Hundreds of organizations have deployed the Databricks virtual analytics platform to improve the productivity of their data teams, power their production Spark applications, and securely democratize data access. Databricks is available in Amazon Web Services globally, including the AWS GovCloud (US) region. Contact Databricks for a personalized demo, or register to try Databricks for free.
More informationFAQs. Business (CIP 2.2) AWS Market Place Troubleshooting and FAQ Guide
FAQs 1. What is the browser compatibility for logging into the TCS Connected Intelligence Data Lake for Business Portal? Please check whether you are using Mozilla Firefox 18 or above and Google Chrome
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationQuick Install for Amazon EMR
Quick Install for Amazon EMR Version: 4.2 Doc Build Date: 11/15/2017 Copyright Trifacta Inc. 2017 - All Rights Reserved. CONFIDENTIAL These materials (the Documentation ) are the confidential and proprietary
More informationMagento Commerce Architecture and Security Model Last updated: Aug 2017
Magento Commerce Architecture and Security Model Last updated: Aug 2017 Architecture The Magento Commerce architecture is designed to provide a highly secure environment. Each customer is deployed into
More informationAre You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus
Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus 1 60 Second AWS Security Review 2 AWS Terminology Identity and Access Management (IAM) - AWS Security Service to manage
More informationCloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014
Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014 Karthik Krishnan Page 1 of 20 Table of Contents Table of Contents... 2 Abstract... 3 What
More informationData Security and Privacy at Handshake
Data Security and Privacy at Handshake Introduction 3 A Culture of Security 3 Employee Background Checks 3 Dedicated Security and Privacy Teams 3 Ongoing Team Training 4 Compliance 4 FERPA 4 GDPR 4 Security
More informationInterCall Virtual Environments and Webcasting
InterCall Virtual Environments and Webcasting Security, High Availability and Scalability Overview 1. Security 1.1. Policy and Procedures The InterCall VE ( Virtual Environments ) and Webcast Event IT
More informationAmazon Web Services (AWS) Solutions Architect Intermediate Level Course Content
Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content Introduction to Cloud Computing A Short history Client Server Computing Concepts Challenges with Distributed Computing Introduction
More informationAWS Solution Architect Associate
AWS Solution Architect Associate 1. Introduction to Amazon Web Services Overview Introduction to Cloud Computing History of Amazon Web Services Why we should Care about Amazon Web Services Overview of
More informationHow-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018
How-to Guide: Tenable.io for Microsoft Azure Last Updated: November 16, 2018 Table of Contents How-to Guide: Tenable.io for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationDocument Sub Title. Yotpo. Technical Overview 07/18/ Yotpo
Document Sub Title Yotpo Technical Overview 07/18/2016 2015 Yotpo Contents Introduction... 3 Yotpo Architecture... 4 Yotpo Back Office (or B2B)... 4 Yotpo On-Site Presence... 4 Technologies... 5 Real-Time
More informationHow-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018
How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationWHITE PAPER- Managed Services Security Practices
WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to
More informationCloud Computing /AWS Course Content
Cloud Computing /AWS Course Content 1. Amazon VPC What is Amazon VPC? How to Get Started with Amazon VPC Create New VPC Launch an instance (Server) to use this VPC Security in Your VPC Networking in Your
More informationAWS Solutions Architect Associate (SAA-C01) Sample Exam Questions
1) A company is storing an access key (access key ID and secret access key) in a text file on a custom AMI. The company uses the access key to access DynamoDB tables from instances created from the AMI.
More informationAwareness Technologies Systems Security. PHONE: (888)
Awareness Technologies Systems Security Physical Facility Specifications At Awareness Technologies, the security of our customers data is paramount. The following information from our provider Amazon Web
More informationSecurity in Bomgar Remote Support
Security in Bomgar Remote Support 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their
More informationAWS Administration. Suggested Pre-requisites Basic IT Knowledge
Course Description Amazon Web Services Administration (AWS Administration) course starts your Cloud Journey. If you are planning to learn Cloud Computing and Amazon Web Services in particular, then this
More informationAmazon Web Services (AWS) Training Course Content
Amazon Web Services (AWS) Training Course Content SECTION 1: CLOUD COMPUTING INTRODUCTION History of Cloud Computing Concept of Client Server Computing Distributed Computing and it s Challenges What is
More informationBest Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ
Best Practices for Cloud Security at Scale Phil Rodrigues Security Solutions Architect Web Services, ANZ www.cloudsec.com #CLOUDSEC Best Practices for Security at Scale Best of the Best tips for Security
More informationArchitecting for Greater Security in AWS
Architecting for Greater Security in AWS Jonathan Desrocher Security Solutions Architect, Amazon Web Services. Guy Tzur Director of Ops, Totango. 2015, Amazon Web Services, Inc. or its affiliates. All
More informationThe Nasuni Security Model
White Paper Nasuni enterprise file services ensures unstructured data security and privacy, enabling IT organizations to safely leverage cloud storage while meeting stringent governance and compliance
More informationCloud FastPath: Highly Secure Data Transfer
Cloud FastPath: Highly Secure Data Transfer Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. Tervela has been creating high performance
More informationAPPLICATION & INFRASTRUCTURE SECURITY CONTROLS
APPLICATION & INFRASTRUCTURE SECURITY CONTROLS ON THE KINVEY PLATFORM APPLICATION KINVEY PLATFORM SERVICES END-TO-END APPLICATION & INFRASTRUCTURE SERCURITY CONTROLS ENTERPRISE DATA & IDENTITY 2015 Kinvey,
More informationAmazon Web Services Training. Training Topics:
Amazon Web Services Training Training Topics: SECTION1: INTRODUCTION TO CLOUD COMPUTING A Short history Client Server Computing Concepts Challenges with Distributed Computing Introduction to Cloud Computing
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More informationTitle: Planning AWS Platform Security Assessment?
Title: Planning AWS Platform Security Assessment? Name: Rajib Das IOU: Cyber Security Practices TCS Emp ID: 231462 Introduction Now-a-days most of the customers are working in AWS platform or planning
More informationIntroduction to Cloud Computing
You will learn how to: Build and deploy cloud applications and develop an effective implementation strategy Leverage cloud vendors Amazon EC2 and Amazon S3 Exploit Software as a Service (SaaS) to optimize
More informationAWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Security Practices Freshservice Security Practices Freshservice is online IT service desk software that allows IT teams of organizations to support their users through email, phone, website and mobile.
More informationASD CERTIFICATION REPORT
ASD CERTIFICATION REPORT Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3) Certification Decision ASD certifies Amazon
More informationLaunching a Highly-regulated Startup in the Cloud
Launching a Highly-regulated Startup in the Cloud Poornaprajna Udupi (@poornaudupi) 1 Starting in the 86%by 2020 Cloud Cisco Global Cloud Index: Forecast and Methodology, 2015 2020 2 Building blocks, Cost,
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationMake Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)
Make Cloud the Most Secure Environment for Business Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks) Enterprise cloud apps Consumer cloud apps The average organization now uses
More informationMinfy MS Workloads Use Case
Contents Scope... 3 About Customer... 3 Use Case Description... 3 Technical Stack... 3 AWS Solution... 4 Security... 4 Benefits... 5 Scope This document provides a detailed use case study on Hosting GSP
More informationEnroll Now to Take online Course Contact: Demo video By Chandra sir
Enroll Now to Take online Course www.vlrtraining.in/register-for-aws Contact:9059868766 9985269518 Demo video By Chandra sir www.youtube.com/watch?v=8pu1who2j_k Chandra sir Class 01 https://www.youtube.com/watch?v=fccgwstm-cc
More informationVerasys Enterprise Security and IT Guide
Verasys Enterprise Johnson Controls Milwaukee WI, USA www.verasyscontrols.com LIT-12013026 March 2018 Contents Introduction... 3 Microsoft Azure security and privacy... 5 Security... 5 Privacy...5 Compliance...5
More informationSecurity Overview of the BGI Online Platform
WHITEPAPER 2015 BGI Online All rights reserved Version: Draft v3, April 2015 Security Overview of the BGI Online Platform Data security is, in general, a very important aspect in computing. We put extra
More informationSecurity Principles for Stratos. Part no. 667/UE/31701/004
Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More informationAutomate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds
EXECUTIVE BRIEF SHAREBASE BY HYLAND Automate sharing. Empower users. Retain control. With ShareBase by Hyland, empower users with enterprise file sync and share (EFSS) technology and retain control over
More informationTraining on Amazon AWS Cloud Computing. Course Content
Training on Amazon AWS Cloud Computing Course Content 15 Amazon Web Services (AWS) Cloud Computing 1) Introduction to cloud computing Introduction to Cloud Computing Why Cloud Computing? Benefits of Cloud
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationOverview of AWS Security - Database Services
Overview of AWS Security - Database Services June 2016 (Please consult http://aws.amazon.com/security/ for the latest version of this paper) 2016, Amazon Web Services, Inc. or its affiliates. All rights
More informationNGF0502 AWS Student Slides
NextGen Firewall AWS Use Cases Barracuda NextGen Firewall F Implementation Guide Architectures and Deployments Based on four use cases Edge Firewall Secure Remote Access Office to Cloud / Hybrid Cloud
More informationVirtual Machine Encryption Security & Compliance in the Cloud
Virtual Machine Encryption Security & Compliance in the Cloud Pius Graf Director Sales Switzerland 27.September 2017 Agenda Control Your Data In The Cloud Overview Virtual Machine Encryption Architecture
More informationOnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems
OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems April 2017 215-12035_C0 doccomments@netapp.com Table of Contents 3 Contents Before you create ONTAP Cloud systems... 5 Logging in
More informationLook Who s Hiring! AWS Solution Architect AWS Cloud TAM
Look Who s Hiring! AWS Solution Architect https://www.amazon.jobs/en/jobs/362237 AWS Cloud TAM https://www.amazon.jobs/en/jobs/347275 AWS Principal Cloud Architect (Professional Services) http://www.reqcloud.com/jobs/701617/?k=wxb6e7km32j+es2yp0jy3ikrsexr
More informationCYBER SECURITY WHITEPAPER
CYBER SECURITY WHITEPAPER ABOUT GRIDSMART TECHNOLOGIES, INC. GRIDSMART Technologies, Inc. provides Simple, Flexible, and Transparent solutions for the traffic industry that collect and use data to make
More informationBuilding a Modular and Scalable Virtual Network Architecture with Amazon VPC
Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Quick Start Reference Deployment Santiago Cardenas Solutions Architect, AWS Quick Start Reference Team August 2016 (revisions)
More informationThe following security and privacy-related audits and certifications are applicable to the Lime Services:
LIME SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: September 26, 2016 FinAccel s Corporate Trust Commitment FinAccel (FinAccel Pte Ltd) is committed to achieving and maintaining the trust of our customers.
More informationAccelerating the HCLS Industry Through Cloud Computing
Accelerating the HCLS Industry Through Cloud Computing Use cloud computing to accelerate life sciences and healthcare specific workloads, and meet the unique computation, storage, security, and compliance
More informationW H IT E P A P E R. Salesforce Security for the IT Executive
W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationSOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2
Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence
More information