Understanding Cloud Security Benefits and Challenges
Webinar Highlights
Vulnerabilities in the cloud are growing in number and severity, and risk leaders must learn how to respond. IBM reports that cloud vulnerabilities have increased 150% in the last five years.
We are witnessing a global digital transformation, and cloud computing is the foundation and future of the digital world. It offers many benefits, but it’s crucial to understand what cloud security means and how to secure your data, applications, infrastructure, and workloads.
In this free webinar, we get advice from Amazon and Google cloud security experts on how organizations can benefit from cloud security services and features and the challenges around people, processes and technologies when adopting the cloud.
- Pouya Ghotbi, Associate Director of MS. Cybersecurity Program, Security, Risk & Compliance Advisor for Public Sector - Amazon Web Services
- Stefan Avgoustakis, Google Cloud Security Lead AuNZ - Customer Engineering
- Munaf Bhaiji, Senior Program Specialist of MS. Cybersecurity Program
Hosted by St. Bonaventure University's Online Master's in Cybersecurity Program
Transcript
Haley: Welcome everyone. We're going to go ahead and get started because I know we have a full agenda for today. So I just want to welcome you all and thank you for joining us today for our webinar: Understanding Cloud Security Benefits and Challenges. Today's webinar is presented by the online Master of Science in Cybersecurity at St. Bonaventure University. I'm Haley, and I'll be moderating for today.
Before we jump in, we do have a few quick housekeeping items to go over. All attendees are muted for this webinar, so if you do have any questions throughout the presentation, please use the Q&A box on your screen. We will be reserving time at the end of the presentation to answer some of these questions.
I also have to note that this event is being recorded for future viewing. We will send out an email with that recording link afterward for on-demand viewing.
And with all that covered, let's go ahead and switch over to introducing today's speakers.
With us today, we have Pouya Ghotbi, an accomplished security professional with over 20 years of experience in IT and cybersecurity. His area of expertise is secure digital transformation for top-tier global organizations. Pouya is a Security Risk and Compliance Advisor for Amazon Web Services for the Public Sector and the Associate Director of the MS in Cybersecurity program here at St. Bonaventure University.
Really excited to have Stefan Avgoustakis joining us as our guest speaker today. With over 20 years of security domain experience across the financial, government, and telecommunications industries, Stefan helps organizations adopt cloud solutions with a focus on managing security, identity, and compliance risks. Stefan is the Google Cloud Security Lead - Australia, New Zealand.
Joining us today from Admissions, we have Munaf Bhaiji, Senior Program Specialist of our MS in Cybersecurity Program here at St. Bonaventure. Munaf has worked for almost a decade on graduate recruitment and admissions counseling. He holds a BA with honors in economics and an MBA in marketing to go with his strong retail sales and management background in the wireless industry.
So thank you all again for joining us today. And I'm going to go ahead and pass this over to Pouya to get us started.
Pouya Ghotbi: Thank you so much, Haley, for the great intro, and good afternoon. Good evening, everyone, depending on where you're connecting. Very excited for today, it's going to be a great session. And I'm super excited to have Stefan with us with a lot of experience in this field, cloud security.
We're going to walk you through a couple of the top benefits of cloud security and also five top challenges of cloud security that we've seen in the market. So, let's get started.
First of all, what is cloud security? If you look at the world around you, look at the services that you use, look at the companies that you're dealing with, organizations that you're dealing with.
You see that everyone, every single organization, is going through a digital transformation in a shape or form. And it's quite important to get it right, quite important to move fast, especially from a competition point of view.
So imagine that you're dealing with an airline, you're an airline customer. Which one do you prefer? Do you prefer an organization or an airline that you have to have a paper ticket, and you can't really check-in online? It's all manual. Versus another airline that your check-in experience is online. Everything is on your phone, it's fast. So most people prefer the second one.
Cloud computing is something that enables digital transformation and makes it much faster. And a lot of organizations are using cloud or are moving into cloud, migrating their workloads into cloud. They're modernizing their applications in the cloud. But fundamentally, things in cloud are different from a security point of view. And this is what we're going to talk about.
But before we jump in, Stefan, I’m just going to hand it over to you to see, what's your take on cloud security? How do you think at a high level, how is it different from our traditional infrastructure security?
Stefan Avgoustakis: Yeah. Thank you, Pouya, and thanks everyone, thanks for having me. I guess look, when I started in IT, which is way too long ago, I'm not going to reveal my age, but we were looking at security, and a lot of the security architectures, a lot of the security concepts were tailored around this concept of I've got a data center, or I've got a set of applications that are running somewhere, either on my desk or in a data center.
And there was a boundary around it, and I had some security capabilities. So everything felt really secure and centralized. And then cloud came along, and I think there's two major shifts that cloud introduced.
And the first one was this notion of being able to put your applications out there on the internet, and they were available across the globe. Whether I was a small startup in Australia, and I put my application here in a certain data center, or I wanted to expand to the US and put some applications there. That was very easy to do, but that meant that the whole concept of having a centralized in-and-out gateway kind of disappeared.
The second one that cloud introduced, the second challenge or the second big impact, was the fact that it was pretty much self-service. I mean, I can take out my credit card, and I can spin up whatever I want. I didn't have to go to my manager to ask for funding for a server. I could pretty much spin up whatever I want.
So that notion of highly distributed and that notion of self-service, those are probably the two biggest impacts and shifts that I've seen from traditional to cloud security.
Pouya Ghotbi: Amazing. Yeah, I totally agree. And that's exactly where some of the challenges that we're going to talk about come into picture. Because, in a traditional environment you had the control, you had this bubble that you were living in, and then you were tightly trying to secure the perimeter of that bubble. Anyone inside was, or any machine or any user inside was considered trusted, and anything outside was not trusted.
And now with the concept of zero trust, those boundaries even for on-premises are changing. But in cloud, to your point, with that agility and that pace that things change, the challenges are a little bit different.
Before we dive into cloud security benefits and challenges, in terms of your experience, because you've got a lot of great experience, you work for two of the top three cloud providers in the market. So when you look at different cloud services providers, do you see fundamentally from a security point of view, is there a lot of difference from how they approach security?
Stefan Avgoustakis: I think the majority of the things that we do or the outcomes that we try to achieve, and just for the audience's understanding, I used to be at AWS before this, I'm now at Google. And if I look at, and I can't speak about Microsoft because I don't have experience with them, but if I look at fundamentally what they do in order to make sure that the infrastructure is secure enough for customers to move on it, I think it's pretty much the same. It's the same type of compliance requirements. It's the same type of making sure that the right security controls are in place.
There are also nuances that are different. But that's more to do with the origin of where the cloud services came from. So, for those of you that are not familiar with it, if you look at AWS, there's a lot of technology that came out of Amazon that is now used as a cloud service and similar with Google Cloud, there's a lot of technology in Google Cloud that were and still are services that Google today uses. Kubernetes is a great example of that.
So, I would say there's more similarity than differences. Yes. Differences in nuances, like the way we do networking, might be slightly different, but at the end of the day, the outcome that both are achieving or trying to achieve is to make sure that it is as secure as possible as you move workloads into the cloud.
Pouya Ghotbi: Absolutely, absolutely. No, I do also agree on that viewpoint, and one of the things that I've experienced in dealing with different customers is that there is a gap in understanding of cloud security, and especially expertise in cloud security. Even building infrastructure into cloud or building services, migrating applications, there is still a gap in the market in terms of expertise.
But when you look at the security of those workloads and how to secure those applications and data, there's even a bigger gap, a larger gap. And there are different reasons for that. Obviously there's a global shortage of security experts, good security experts.
But on top of that, there's probably not a lot of, cloud is still relatively new, there's not a lot of material out there or courses or things that can basically guide someone to learn about cloud security.
And I just want to have a segue into our next slide, but before we go there, I just wanted to talk about the fact that at St. Bonaventure University, this is what we're trying to do. And this webinar is part of that awareness. Raising awareness around cloud security.
We do have a course on cloud security that is very popular in our university. And one of the reasons that we built that course was just to raise this awareness and make sure that our students have enough knowledge about cloud security when they work as security professionals.
So, with that, now I want to talk a little bit about a concept called shared responsibility model.
One of the very interesting quotes that I've heard about Cloud it says, "Cloud is nothing but someone else's computer that you put your data or your application in. You're hosting your application or data on that computer." But that doesn't necessarily mean that the service providers are going to be responsible for everything that you've got on their computer.
So there is a shared responsibility model, and different cloud providers call it differently, but the same concept applies to all cloud services.
So you've got a concept of security of the cloud, and that means the infrastructure that is running the cloud, the virtualization software, for example, that the cloud is built on. Any technology that runs the cloud, the security of that infrastructure is the responsibility of the cloud services provider.
And any application that you host in the cloud or any data that you have in the cloud, the security of that is essentially the customer's responsibility.
But cloud is a generic term, and that's where there's a lot of, I would say, misunderstanding about how to secure the cloud.
So Stefan, I'm going to hand it over to you, and maybe you can talk about how different types of cloud services, namely infrastructure as a service, platform as a service, and software as a service, how does that fit into this shared responsibility model?
Stefan Avgoustakis: Yeah. Look, when you talk about cloud and cloud security, inevitably shared responsibility model comes into play. And I just want to make sure that the audience kind of grasps the importance of it.
And as Pouya was saying tongue in cheek, a lot of people go like, "Hey, yeah, but cloud is just another person's computer, or you are running something on a server that is owned by somebody else." In this case, AWS or Google Cloud or Microsoft, whoever your cloud provider is.
Let me just put that in concept. When you move your workload to the cloud, and then we'll dive into shared responsibility model, but when you move your workload to the cloud, you move it to an infrastructure that virtually runs zero software that is not tested and secured by the cloud provider. There is no hardware that runs in that data center that is not built by the cloud provider.
So, by definition, by default, those computers that you refer to are insanely more secure than any other platform across the globe. And when I say across the globe, I include government, I include large banks, I include any customer out there. So that's just to put some perspective.
Sometimes people go like, "Yeah, but what if somebody runs into the data center and pulls out my disc, and now they've got my data?" Well, first of all, it's nearly impossible to get into the data center. Even for people that work for AWS or for Google Cloud to get into the data center, you need to have a whole set of credentials and a whole set of capabilities.
But even if you would manage to do that, it's a distributed system. So there is no way for us to tell if your data sits there. Data gets chunked and moved across the infrastructure. So just to give people an idea that a server is not a server, it's a distributed system.
Now, when it comes back to shared responsibility model, we do all these things. So, we make sure that the operating system and that the drivers and that the software is patched, that the network is secure, that pretty much anything that you need to run those workloads, that you want to run on us are going to run on a secure platform. But there is a point where we hand over some of the responsibility to you as a customer. And you choose as a customer.
I'll give you an example. Let's say you want to run an application. You have a few options to run that application. You can run that application on a virtual machine, which means that we tell you that everything below the virtual machine level is secured. But if you wish to run Windows as the operating system, you will have to patch Windows and the application that you install. You will have to patch that application. And access to the application that's something that you will have to manage.
If you don't feel comfortable in doing that and you say, "Hey, I don't want to do all that patching." Then we could potentially have you run that on Kubernetes or a containerized system, where we take further responsibility, in which we patch the operating system. We patch the services that lay on top of it. You just need to provide access.
If that even is too much for you, or that's not a risk that you want to take, then you can run it as a function, for example, a cloud function. So, you just write the code, you put it on that cloud function. The only thing that you have to do is make sure that somebody gets access to that function.
So shared responsibility model is really the option for a customer to choose what type of risk they feel comfortable in managing and what type of risk they want the cloud provider to manage. So it's really a choice that the cloud providers provide to their customers.
Pouya Ghotbi: Amazing. Good insight. So I'm just curious Stefan, when we met. I was going to ask you this when we met a couple of months ago at that conference.
In your experience and with the customers that you are dealing with, do you see a shift towards using more platform as a service and software as a service versus infrastructure as a service, essentially what you were referring to?
Do customers now prefer to transfer their responsibility to cloud service providers mainly?
Stefan Avgoustakis: Yeah, so here's the thing, if you put IT in perspective and cloud within that, cloud is just a nascent technology at the moment. I mean, if you look at the total spend that customers or the IT industry has in general in cloud, it's single digit compared to anything else. So, cloud has really just started.
Now, when we look at when Amazon, or sorry, when AWS started, the majority of the focus was having or providing customers the ability to run servers in the cloud, for them to be elastic, and for cost reduction, and more efficiency and all that, that was kind of the focus. So, AWS' focus was around that.
But what you are seeing is that cloud has kind of evolved to this capability where containers and cloud functions are now becoming the more prevalent kind of consumption model for applications.
And what we're seeing is that as customers get more mature in their cloud journey, they start to choose those services above a VM. And that's just common sense because unless you are a company that is going to make money by managing IT, there really is no reason for you to manage IT.
If you are a pharmaceutical company and you need to do millions and millions of tests on products that you are developing, having IT is just there to support that capability. If you can do those tests, literally by simply uploading some of the samples that you have, or those millions of samples that you have, and you run that 24 hours on a cloud environment, and then two days later, you've got the results. That is what you want. You don't want all that management.
So, the more you can take away, the more operational overhead you can take away, the better it seems to be for customers.
So, yes, I see that shift happening, but again for a lot of customers, we're still in early days. So we'll see more and more, but at the moment, it's predominantly still looking at, "Hey, how can we run those virtual machines in there?"
Pouya Ghotbi: Absolutely. And the reason for that, what I've seen in the market, is when you look at a customer cloud journey it typically starts with migrations.
They've got some workloads they want to the cloud. They want to be able to, and I've heard this so many times, they said that we want to have same thing that we had on-prem in the cloud.
And when it comes to security, say, "Oh, we want to have the same security that we had on-prem in the cloud," which often is not necessarily the same thing because your environment is different. How you're doing or how you're dealing with your workloads in the cloud is different.
Alright. Cool. Thank you so much. That was really great insight.
So let's now dive deep into the benefits of the cloud. Why do we love cloud? And why we think that cloud security actually enables us to do things much better and allows us to move faster and use all the benefits of cloud.
Alright. So, Stefan, I'll probably start the first one with you. What's your take on the first benefit (security democratization)?
Stefan Avgoustakis: Look, one of the reasons I like cloud a lot, and one of the reasons why I looked at cloud all these years back, is what we like to refer to as cloud being the immune system for IT. And what I mean by that is if you look at AWS and you look at Google Cloud, literally as a company, we ship hundreds of security updates to customers every month.
So whether that is operating systems that need to be patched, or whether that is hardware that needs to be patched, whether that is drivers that need to be patched, they get updated.
And as a customer, you don't have a choice in that. It is what it is. It gets updated. We want to make sure there's no vulnerabilities. There's also the fact that we provide some key security capabilities that a regular organization can never achieve. Everything within the cloud, or everything within Google Cloud is encrypted by default, everything within AWS Cloud can be encrypted by default.
So try to achieve that within an on-prem environment. You can't, unless you have an army of security engineers that look after that 24/7.
So what that means is that we need to do those things because we have Department of Defense in the US that says, "Hey, we want to put workloads in the cloud." So they have to be secure. We have the largest banks in the world that want to put their workload in the cloud. So, they have to be secure.
We can't do all that only for them because the server that some startup or some small company that has five people that runs in AWS or in Google Cloud might end up in the same environment as those other ones.
So what that means is that regardless of who you are, whether you're Department of Defense, whether you are Goldman Sachs, whether you are whoever, you will get exactly the same security capabilities. And that's huge. That is absolutely huge. You pay the same dollar amount as anybody else, regardless of how big you are and regardless of how many people work for you.
And I believe that is one of the, call that the democratization of security, whatever you want to call it, but I think that is absolutely huge. That gives you confidence that you can start building and have the basic core security capabilities enabled.
Pouya Ghotbi: Awesome. Thank you so much. Just bear with me for a second. Apologies. My slide deck wasn't showing. Hopefully, I'm going to share it again. Is it better now?
Stefan Avgoustakis: Yeah, I can see it.
Pouya Ghotbi: Okay. Awesome. Alright. No, thank you so much. That's great. And that's why we see a lot of smaller organizations, and a lot of startups also looking at moving into cloud because they can really benefit without spending that much money or without having an extensive security team. They can benefit from cloud.
So, the second benefit that I'll talk about is continuous visibility. And what do we mean by that?
In an on-prem environment when you want to have log in and monitor your workloads, the applications that you have, if you want to see who can access that application, all of that visibility around security of the data and application, you have to configure that, and you need to probably have tools to do that, and then you need to aggregate them. And then if you, yeah, there's a lot to do to achieve that.
And sometimes, it's not even continuous. Sometimes you're going to miss some applications. It may take time for those applications to be visible in your security tooling.
One of the benefits of cloud is that visibility is built into the whole cloud platform, and you can easily get logs anywhere from application logs, to service logs, to access logs. So anything, any user that gets access to the cloud environment, that access is actually logged and can be shared with your security tools.
So that's quite an important benefit of cloud and allows your security team to be on top of everything. Do you have any other points, Stefan, on continuous visibility?
Stefan Avgoustakis: No, I think you covered all of it. Maybe one little nuance there as well that we have within cloud. There are customers that are literally bringing up containers at the pace of thousands every day. So imagine trying to create an inventory of those containers and trying to understand whether those containers are running the right operating systems. That there are no vulnerabilities.
But that's what happens when you move to the cloud. You can literally spin up thousands of containers or workloads and get visibility around whether or not they're secure. There is absolutely no way that you can do that in an on-prem environment again without having an army of people that do that for you.
Pouya Ghotbi: Absolutely. Yeah, totally agree. Alright. So, the next benefit that I'm going to talk about is increased availability and resiliency.
Think about an on-prem environment, and in an on-prem environment that let's say you have data centers, different data centers, and then you need to create high availability between different applications and then service fail.
Let's say you've got a physical server, and that server fails. Then you need to go and purchase a new server, reconfigure everything, reconfigure the application.
So, achieving high availability, it's a little bit more challenging, but resiliency is something that on-prem really lacks.
And when it comes to cloud it's essentially built into the cloud. So, you can easily have, you can scale your application based on demand and the load on the application. You have essentially unlimited resources at your fingertips, and you can throw that in.
From a security point of view that becomes quite important. So think about DDoS attacks, for example. When you have an on-prem environment, you may have a pipe with a limited bandwidth, or your application, or your service may not be able to handle that.
In cloud, apart from having very good DDoS services, DDoS protection services that cloud providers provide that can stop those attacks.
So let's say you don't even use those. Worst case scenario, your cost of service is going to go up, but you still are able to provide services because you can scale in and out as well as up when required.
So Stefan, what's your take on availability, high availability, and resiliency in cloud?
Stefan Avgoustakis: Yeah, you touched on a couple of things that are really important. I guess if you look at it from the infrastructure level, so we talked a little bit about shared responsibility model. Remember what you, as a customer are responsible for, what we as cloud providers are responsible for. So, let's just look at the shared responsibility part of the cloud provider in this case.
So, when you build an application, and you want to build it resilient, it's really hard. It's hard because a lot of these applications are distributed. They might have different layers of infrastructure. There is a network. There are services like load balancing and DDoS and all that. So you need to make sure that you build those apps really resilient. And that means you need to design. You need to architect around that capability.
If you look at that, what the cloud provider provides you without you ever doing anything, is this concept of regions and zones. So, if you're not familiar with them, the region is an independent geographic area that has different zones. And they are logically abstracted by physical resources. So that means you have multiple data centers sitting in a zone, and multiple zones can become a region.
Now, why is that important? It is important because your application, as I mentioned before, that data example that I gave you, when you build your application, it's not going to sit on a single server in a single data center. Your application literally is going to sit across tens, hundreds, maybe even thousands of servers that sit across three to four data centers that sit across three to four zones.
And then within a region, and if you want to make that even more redundant, you can make sure that that application sits across regions.
So, what that means is that let's say, for example, I'm sitting here in Australia. So, the region that we have here, most of the providers have something in Melbourne, and have something in Sydney. If by any chance, Melbourne floods or Sydney floods, more likely nowadays with the weather, you can still have your application running because the Melbourne region is still there.
Now, what if Australia goes down? Well, if you want to cater for that risk, you should have put some capabilities in Singapore. So now your application runs in Singapore.
So that is important from an availability and a resilience perspective. Not only do we have that infrastructure across all these zones and regions, but as Pouya was also saying, is that you get by default protection that a distributed system provides. Like DDoS and service availability, like no other structure in the world.
If you look at Amazon, if you look at Google, probably the most attacked websites in the world. And literally, there are terabytes of DDoS attacks that we deal with on a daily and weekly basis, and customers don't even notice it.
So all that is very vital and important for you when you build your applications. And again, a huge, huge challenge if you want to do that by yourself in an on-prem data center.
I think you're still on mute, mate.
Pouya Ghotbi: Yes. Yeah. I think it worked now. So no great point, Stefan. One thing I wanted to mention about regions and availability zones, a very good point that you mentioned is, while you've got the, and this is, again, the beauty of cloud. While you've got that high availability and resiliency through different regions, but you're still able to, if you've got any data sovereignty issues or requirements that you need to meet, you are still able to do that, maintain that in cloud.
So, for example, you may have organizations that want to keep all of their data. Like, for example, let's say government. So the US Government wants to make sure that their data is only within the US or even within certain protected data centers from cloud providers, or let's say in Australia or in Europe.
They want to make sure that only, let's say you've got an organization in European Union, and they only want to keep all the data within Europe for GDPR requirements.
So while you have that high availability and resiliency through region, you still can maintain data sovereignty requirements.
Amazing. Alright cool. So, the next one I'm going to talk about is defense-in-depth.
For those of you that are not familiar with this term, that means you're going to have a layered approach in your defense. You're going to have different layers of the controls that give you that defense-in-depth and allow you to have, if one of those controls fails, or if attacker is able to bypass one of those layers, we can stop them in the next layer or the layer after.
So that's quite an important concept. So Stefan, again, I want to pick your brain around defense-in-depth in cloud and how we can achieve that.
Stefan Avgoustakis: Look, yeah, defense-in-depth is obviously an important concept. And for those of you not familiar with it, it's the ability, like Pouya was saying to look at a threat vector, look at an attack vector and say, "Hey, we probably need multiple gates to kind of look at an attack" because the philosophy behind it is really stopping an attack.
Yeah. I mean, you can just not let anything in, and the attack is stopped. But what you want really is for the good traffic to be separated from the bad traffic. So how do you do that?
It's really having this layer of gateways and defenses. And we talked about it a little bit, but let's maybe give an example, I'm running an application, and that application is going to be consumed by the outside world via HTTP. Or HTTPS, let's do that. So what does that mean? That means that it's sitting on the outside world. There's probably billions of people that could connect to it. So we need DDoS protection. So that's one thing.
Because it's SSL. We also need to be able to proxy the TLS connection. And because it's an application, we want to make sure that there is a web application firewall in front of it that is going to look at the requests that we're getting, and any bad requests need to be stopped. Good requests can be proxied through.
And then, we get to the network layer, and we want to make sure that only from my proxy connections are allowed. And then I get to the virtual machine. And then, on a virtual machine, I might have some host detection and IDS capabilities.
So that is what? Four, five layers.
They are all there in cloud. You just have to choose which one you want to activate. So, you don't have to go and think, "Hey, I've got this application or set of applications that I'm going to design. Now I need to go and purchase a DDoS solution. I need to purchase a web application firewall. I need to purchase a normal firewall," et cetera, et cetera. No, you just design your application, and you choose which services you want to enable across your application stack.
Now, not only does it give you defense-in-depth, but I also like to call it defense-in-width. And what I mean by that is, as Pouya was already saying, almost infinite scale. If today your application has 100 users, that's great. Then we'll cater for 100 users that are going to connect to it, but if it's widely successful and in the next six months, it ramps up to 10 million, then, hey, what? We'll ramp up those capabilities to 10 million, whereas on-prem, you would probably have to go and buy a multitude of hardware to go and accompany that growth.
So it's not only defense-in-depth where we have all these services and you choose which ones you want to enable, but it's also having the ability to scale those services as you grow or as your application grows.
Pouya Ghotbi: Yeah. Awesome. And one thing that is interesting with cloud is one aspect is when you grow your user base, but also when your user base may shrink for whatever reason as well, in on-prem environment, you can't really return those. The service that you bought.
Alright. Great. So the last one that I'm going to talk about is security and compliance automation.
So one of the things that happens in cloud again across cloud providers is there's a concept of infrastructure as code. So you can create your infrastructure as code. You just define what you want, you run the code, and your infrastructure gets created for you.
So, let's say you've got a web server that you want to provision. So, what you can do, you can code it so it creates that web server being a virtual machine, let's say as a simple example, and then all the networking around it, all the security controls around it you can code this.
Most of the cloud operations happen as code. Although you can log in to cloud consoles, you can configure things, but typically it happens through DevOps. And the other one is also called ClickOps. Like you can go and click and create or configure your services.
So now, being able to use code and using automation allows you to bake security into your cloud operations. And that to me, is one of the biggest advantages of cloud. So you can essentially have those controls built into your code, or you can have services that monitor the posture of your workloads in the cloud against a certain compliance or regulation.
For example, just to give you an example, you may have an organization, a health organization that needs to comply with HIPAA, and there's certain controls that you need to have. So, what will happen when you're not in cloud, every couple of months you need to have an auditor come in with a piece of paper going through a checklist, and checking if you're meeting those requirements, and then you're going to pass the audit. But between then and the next audit your environment may change. And then there's a lot of manual processes to do to get back to that compliant state.
In cloud, you can automate a lot of that. You can have basically code, you can build it into code. So, for example, if you need to have your disks encrypted as part of the compliance regulations that you need to meet, you can have controls in a way that no one can provision those virtual machines without the disk to be encrypted.
So again, that's one of the biggest benefits of the cloud. And again, it's common between different cloud providers.
Just for the interest of time, let's go and talk a little bit about the challenges with cloud security. I did talk about some of the challenges, the fact that there are not many skilled talents around that know about cloud security. There's a skill shortage. There's a global lack of knowledge around cloud security and misconceptions. As I mentioned, after migrations, they want to have the same security posture as on-prem, without understanding the differences.
But specifically, today, we want to make it a little bit more technical and look at some of the technical challenges that typically happen with cloud workloads.
The first one is misconfigurations.
That's one of the biggest and probably the largest threats to cloud workloads. So think about data. So in AWS, we've got a service called S3, and S3 is a data storage service. A lot of our customers use S3 to host their data. It's very cost-effective. You can have different tiering, all sorts of things. So it's a very good place to store data.
One of the threats around that is if you make an S3 bucket publicly available, that means anyone from anywhere in the world can potentially go and get access to that data. If I'm not mistaken, Stefan, correct me if I'm wrong, but I think Uber had a data breach, and I think a couple of other large organizations had data breaches that the source of that data breach was, they stored really sensitive data on an S3 bucket, and then someone went in and ticked, and made that bucket publicly available. And that's a misconfiguration.
Yeah. Can you talk about that point a little bit for us?
Stefan Avgoustakis: Yeah. So what we're seeing a lot is, so here's the thing. So if you put it in context, when companies move to the cloud they aspire a certain flexibility and speed, and agility in building applications and moving workloads.
But what we're also seeing is that they tend to neglect some configuration capabilities, and to Pouya's point, when you build an application in the cloud, at some point in time, there's always a data storage component. Whether that's an S3 bucket or some database.
The problem is S3 buckets are easy object storage solutions, but the origin of an S3 bucket in the case of AWS, the origin of an S3 bucket was to run websites on it. That's pretty much what we did first with S3 buckets. You run a website on it, and people go and communicate with your website. So by default, they were always open.
Now when customers move data onto it, then, and there have been cases like, for example, Uber, but a couple of other big ones as well, like a couple of banks and some insurance companies, and they put data on it that they shouldn't put on it. And then people can just access the data, download the data and misuse it.
That's probably one of the biggest frustrations that we have. Now, I still remember when this was by default, and people came to me and said, "Oh yeah, how can you make this by default?" And then we said, "Okay, do you want us to turn it off?" Because if we turn it off, there are literally millions of websites that will not function anymore because they are built on S3.
Okay. So what we're going to do is we're going to give you a big fat warning. And literally, it's a fat warning. It's like this. Like, "Hey, your bucket is open. Your bucket is open. Your bucket is open," and it still happens.
So it's one of those things where to the point that was made earlier, automation becomes really interesting because when something like this happens and you automatically get informed by an email and not only you, but maybe even your managers and whoever needs to be informed that there is this misconfiguration, then it might have a better impact, then you can go and fix it.
But yeah, it's probably one of the most frustrating things at the moment. Misconfigurations are the biggest source of challenges that we see.
Pouya Ghotbi: Yeah, absolutely. And one of the again, going back to the benefits of cloud, one of the things that we typically use in the cloud is the concept of guardrails. And the concept of guardrails means that within the organization you can define what things are potentially possible and what things are not possible.
Like, for example, you can say, "No one in my organization can make these S3 buckets publicly available."
Alright. I'm going to be a little bit more fast-paced. So the second one is unauthorized access.
So you've got users that are accessing the environment, and then the credentials that they use potentially in the environment, they may be compromised.
One of the famous ones, that a number of attacks have happened, which we were talking about automation and code. They had the key, access key, and the secret key to get access to the cloud environment in the code. And then they pushed the code into public code repositories, and then people were going and searching for these access keys and then using those access keys to connect to the cloud services and then do whatever they want, essentially. A lot of them were actually privileged users.
But GitHub has blocked that now, you can't really do that. But it still happens all the time, depending on how users are protecting their credentials and making sure that access is basically secure. That's one aspect.
The second aspect of it is authorization. Yeah. So excessive permissions of different users. So you may have, in cloud, you've got, the access is very granular. It's one of the benefits of the cloud. You can be very, very granular with the type of access you give. But often, what happens when customers are using workloads in cloud, what they do, just for simplicity and just to make things work, they overly grant permissions, or we call them star permissions. You can do any action you want on S3, for example. And then that can be like, if it's a malicious user they can use or misuse that excessive permission.
Insecure interfaces and APIs. Stefan, I'll get you to talk about this quickly. We've got two more, and then we're going to go to Munaf to walk us through the program.
Stefan Avgoustakis: Yeah. Look, when you look at cloud, we call them cloud endpoints, but literally a cloud service, whether that's a virtual machine or a cloud function or whatever, it's an API. It's an API that you call, and it does something for you.
Now, obviously, we put security capabilities against those APIs, encryption, and authentication, and all that. But at the end of the day, you still need to make sure as a customer that you protect some of these interfaces that you make public to the website, or sorry to the internet.
So, your application as you expose it to the internet needs to have those security controls like we mentioned before, defense-in-depth. So if it's an API or if it's the website, then yeah, it needs to have some web application firewall. It needs to have an API gateway in front of it, but we still see that happening way too often that people just assume that, hey, because it's on the cloud, it must be okay if I just expose it to the world.
There is some due diligence that you have to do as a customer as well.
Pouya Ghotbi: Yeah, absolutely. No, thank you so much. Hijacking of accounts, which sort of goes hand-in-hand with authorized access.
Again, if you have credentials that are privileged and very important, make sure that those accounts are secure and those accounts are not hijacked by malicious users.
And the last one, external sharing of data.
We already talked about S3. The misconfiguration is the root cause, but essentially the threat is you have the data that you're sharing externally, and with cloud being more accessible, it's much easier for sensitive data to be shared with unauthorized users.
Alright, cool. Thank you so much, Stefan. That was really great insight. You've a lot of experience in this field that really helped us today. I'm going to hand it over to Munaf to walk us through the master's program that we've got, and then there are a couple of questions I can see around the program, specifically around cloud security and certifications that I'm going to answer after that.
So Munaf over to you.
Munaf Bhaiji: Alright. Great. Thank you. Thank you, Pouya, and thank you, Stefan. I think wonderful technical insight. Thank you so much. I learned so much, actually because I only deal with the admission side, but I got some great insight today. So, thank you so much.
So yeah, my name's Munaf. As introduced earlier, I do work on the admission side on the Master's in Cybersecurity program here. But first, I just want to share a few things about St. Bonaventure University itself.
We are a very long-established university that goes all the way back to 1858, so that makes us what? Over 150 years old. We are pretty well known in the New York area. Our main campuses are in the Allegheny area Upstate New York. And the university itself was formed under the, it's a Catholic university that follows Franciscan values of citizenship and service.
In terms of our accreditations, St. Bonaventure University Online is accredited by the Middle States Commission on Higher Education. This is an accrediting agency that's recognized by the US Secretary of Education and the Commission on Recognition of Post-Secondary Education.
And a lot of accolades that have come our way over the last so many years, for instance, from the US News & World Report, we have been ranked as the Top 5 Best Value Schools, and Top 20 Regional Universities in the North. The Princeton Review has also recognized us as the Best 387 Colleges, and also recognized by the Security Degree Hub as the number 11 Best Cybersecurity Master's Program. So yeah, that's a little bit about us.
Now about the degree itself. In a bit of a nutshell, I guess, first and foremost. This is a fully online program, which is run, in certain online terms, it's run asynchronously. It gives the students full flexibility to log in whenever they want through their MySBU account, which is accessible to them 24/7. Now, although there will be live classes, there are lots of cloud-based labs also.
The duration of the program itself, it does take approximately 18 months to complete the program, which is split over five terms. So typically, here, you only take one class at a time. That's what we want you to focus on. We follow a 7-1-7 structure pretty much. So, you take a seven-week course, followed by a short break, and then you take another seven-week course. So, you take two classes in one term.
We have three terms in a year: spring, summer, and fall. Our next intake that we're working for as far as enrollments that's going to be our next fall term. The official start date is going to be on August 29th.
Now, as with the great insights that were already given to us by Stefan and Pouya, this degree itself will bring a tremendous amount. Obviously, you would be learning a lot of skills. I can't go too much into that because otherwise, I think it's just going to take up a lot of time, but just to give you a little insight into what sort of, there's so many skills that can be acquired as a result of this degree, some hard skills, and soft skills.
Now, this program it's divided into 10 core classes, which makes up 30 credits. Each course is three credits. And as I said, each class is seven weeks long. And once you complete that successfully, you earn three credits, and you need to complete a total of 30 credits in order to earn your Master's in Cybersecurity.
Now one of the great things about this program itself, the Master's in Cybersecurity. Although, as you already know, the IT industry itself typically does, most of cybersecurity positions do require a bachelor's degree in typically a computer-related specialization such as computer science, software engineering, or sometimes experience in a related field. And at times certifications also.
Now professionals with a master's degree or even higher are seen as more desirable hires for employers and are eligible for more sort of managerial leadership and senior leadership roles. And organizations, employers also look for professionals with specific technical and soft skills, as I mentioned earlier.
Now the IT industry itself does value certifications that I'm sure Pouya and Stefan will tell you. Just a few facts according to the US News & World Report, 91% of employers do look for some type of IT certification when hiring in cybersecurity roles.
Now the master's degree that we do, we do believe that once you complete all those 10 core courses will equip students to earn credentials that will improve their job prospects. And some of these certifications that the degree is going to prepare you for are very sought after in the cybersecurity industry.
Just to name a few, one of them is very, very popular. It's a CISSP Certification, which is Certified Information Systems Security Professional, AWS Solutions Architect, AWS Security Specialty, CEH is also one of them, Certified Ethical Hacker, and CND. And just to name a few. So that's what our master's degree can actually prepare you for.
Now, just in terms of admissions. We do have a very simplified admissions process here. So, people that want to apply here, they will submit an online application here, which is very nice and simple, it takes about 15, 20 minutes to complete. It's free.
Typically, obviously, being, this being a master's degree will require students to have a bachelor's degree from an accredited university, ideally in a related field or with the relevant work experience. Or now if students that don't have a related degree, we still encourage them to apply, as long as, obviously applications will be looked at on a merit basis, depending on experience also, but they may also be required to take on a couple of additional foundation courses also.
Together with the online application, you would also submit all your transcripts from any institutions you've attended. And we also require a copy of your resume. Once we have everything on file, it typically takes about three to five working days for us to then give you a decision.
Yes, that's, I guess that's what I have, and thanks.
Pouya Ghotbi: Thanks, Munaf.
Munaf Bhaiji: Sure.
Pouya Ghotbi: Cheers. Thank you. Thank you so much. Two questions that we had, I can see here and quickly answer. We are running out of time, and thanks, Stefan, for staying with us over time.
The first one, there was a question that "I'm considering doing some certification cybersecurity. Do I still need to do a master's degree as well?"
I think Munaf briefly talked about it, but essentially in my view, the difference between certifications and doing a formal degree is that a formal degree stays with you, and you learn all the basics of security across different areas. And then that's something that you can carry with you in life, and that's your status.
Certifications are great. I deal with certifications all the time, myself as well. But they expire, the technology changes, and then they often become irrelevant. Some of the certifications, especially in cybersecurity, is very fast-paced, and some certifications a couple of years ago were considered really prestigious, but now no one cares about them anymore.
So having that foundation, this is what we're offering as part of this program is give you a good solid foundation in different areas of security. And then, you can take it to the next level by doing different certifications.
That was the first one. Second one. "What advice do you have for someone that wants to specialize in cloud security?"
I'm going to hand over to Stefan because Stefan has got a lot of experience in that area. I know he's mentored a lot of people, and he's running the practice for Google Cloud now. Stefan, what is your advice around someone that wants to specialize in cloud security?
Stefan Avgoustakis: Look, I think the number one piece of advice is just do it. I mean, cloud is there. You can literally after this, we hang up, you go to AWS, Google Cloud, Microsoft, whatever, and you start doing it. Most of us provide a free tier capability. So you can start playing around with the solutions.
But just do it, go and do it. I would also say that cloud security or security, cybersecurity in general.
And it kind of comes back to also to having a master's degree versus, or together with certifications. You can't become a cybersecurity specialist without having foundation. How do I secure the cloud? Well, do you understand what cloud is? How do I secure an IT environment? Do you understand what IT is? Because that's the number one thing.
I did not become cyber, and I don't call myself a specialist, but I did not become a cybersecurity expert or whatever you want to call me overnight. I did almost 10 years of non-security to really understand the basics. And then, I launched into cybersecurity.
So, my advice would be yes, go and do cyber stuff as security stuff. Go online, make use of the free credits, but also make sure that you understand the basics. Know what cloud means.
Maybe look at, a master's degree is a great example of that. But also look at, for example, becoming a cloud architect and then also focus on security. So I would say those are kind of the things that I would take away from this, nothing stops you from doing it today.
Go ahead. Do it, but make sure you also know the basics.
Pouya Ghotbi: Hopefully, my mute is off now. Very good point that you mentioned, and when I interview people, I'll always ask these types of questions. I ask very fundamental questions. And my point, and the reason I do that is I just want to know if they know what they're talking about before they jump in and start talking about the projects that they've done.
The basics, the foundations are very important. When you've got the foundations right, you can build on top of that. In any market, cloud changes as well. Cloud is changing rapidly. And so, even if you get a certification today, if you don't have those foundations, you won't be able to pick up the next big thing. So that's quite important.
Alright, cool. That's all we had today, and time, Haley over to you to close off. Thank you so much.
Haley: Yes. Wonderful. Thank you. So as I mentioned at the beginning, we did record this. So we'll be sending that out to you along with more information on how you can reach out if you have additional questions or want to learn more about the program.
I've dropped the URL in the chat as well if you're interested in taking a look at our website for more information on our master's program. Thank you again to our amazing speakers for taking the time for this wonderful presentation today, and thank you everyone for joining us.
Have a great rest of your day.
Pouya Ghotbi: Thank you.