A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
How Cloud DLP can help with compliance, security, and privacy (Google Cloud, Jul 05 2020)
A look back at the history of DLP before discussing how DLP is useful in today’s environment, including compliance, security, and privacy use cases.
FTC Guidance – Six Steps Toward More Secure Cloud Computing (Cloud Security Alliance, Jul 06 2020)
The June 15, 2020 FTC Blogpost, titled Six Steps Towards More Secure Cloud Computing provides a concise, valuable checklist for businesses that use or intend to use cloud services, so that they make their use of cloud services safer. The document is a reminder of the basic golden rules concerning data security when using a third-party service provider.
Chinese Software Company Aisino Uninstalls GoldenSpy Malware (Dark Reading, Jul 01 2020)
Follow-up sandbox research confirms Aisino knew about the malware in its tax software, though it’s still unclear whether it was culpable.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Businesses Invest in Cloud Security Tools Despite Concerns (Dark Reading, Jul 01 2020)
A majority of organizations say the acceleration was driven by a need to support more remote employees.
Open S3 bucket exposes one million files of fitness brand V Shred (SC Media, Jul 06 2020)
A misconfigured AWS S3 bucket at V Shred exposed more that one million files, including PII on 99,000 people associated with the fitness brand’s customers.
Ending the Cloud Security Blame Game (Infosec Island, Jul 08 2020)
Security is primarily your responsibility – with help from the cloud provider.
Monitoring AWS Certificate Manager Private CA with AWS Security Hub (AWS Security Blog, Jul 02 2020)
Certificates are a vital part of any security infrastructure because they allow a company’s internal or external facing products, like websites and devices, to be trusted. To deploy certificates successfully and at scale, you need to set up a certificate authority hierarchy that provisions and issues certificates.
Enhancing multi-cloud data governance on Google Cloud (Google Cloud Blog, Jul 07 2020)
Data governance is an essential part of managing your cloud infrastructure, particularly if you’re taking advantage of multiple cloud providers. In many industries, you need to show where data has been stored, and how it’s been used, to meet regulations.
Cloud Risk Management (Cloud Security Alliance, Jul 02 2020)
Cloud risks can also be termed as vendor or third-party risks. From a 2019 report by IAPP and EY, it was understood that less than 50% organizations had some kind or formal audit process covering data privacy and majority of these who did have some kind of assurance process relied on the ISO 27001 or ISMS which is more of information security and hardly covers privacy. There were very few organizations that used external audits to manage assurance for privacy risks. Majority of organizations still use some kind of self-assessments or their legal teams to manage privacy risks.
Azure Firewall Manager is now generally available (Microsoft Azure Blog, Jul 01 2020)
Azure Firewall Manager is now generally available, and includes Azure Firewall Policy, Azure Firewall in a Virtual WAN Hub (Secure Virtual Hub), and Hub Virtual Network.
New Azure Firewall features in Q2 CY2020 (Microsoft Azure Blog, Jun 30 2020)
“We are pleased to announce several new Azure Firewall features that allow your organization to have more customization, improve security, and ease your management experience.”
Stay ahead of attacks with Azure Security Center (Microsoft Azure Blog, Jun 24 2020)
Now more than ever, organizations need to reduce costs, keep up with compliance requirements, all while managing risks in this constantly evolving landscape.
Azure Container Registry: Securing container workflows (Microsoft Azure Blog, Jun 23 2020)
Since the keys are stored in Key Vault, customers can also closely monitor the access of these keys using the built-in diagnostics and audit logging capabilities in Key Vault. Customer-managed keys supplement the default encryption capability with an additional encryption layer using keys provided by customers. See details on how you can create a registry enabled for customer-managed keys.
Cloud Security Alliance Publishes New Paper, The Six Pillars of DevSecOps: Automation (Cloud Security Alliance, Jul 07 2020)
Produced by CSA’s DevSecOps Working Group in collaboration with SAFECode, the document provides a holistic framework for facilitating security automation within DevSecOps and best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing.
Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted (Infosecurity Magazine, Jul 06 2020)
Weakness exploited in way Hotels.com generates vouchers