The Certified Cloud Security Professional certification is offered by the ISC2 and is one of the many courses I have helped develop at ALC Training.  It is proving to be one of the most popular certifications that I run....I have 11 others that cover cloud computing, agile, cybersecurity and big data areas.  But why?

As you can see, it covers 6 domains and we focus on a range of techniques and best practices associated with cloud computing.  For those studying CCSP, I have created a free flashcard quiz below.  This is handy for anyone that is involed in CyberSecurity and is a good way to re-enforce your knowledge.

​​​For a detailed list of learning outcomes check out the ISC2 website below....

 The reason I think CCSP is popular, is because CyberSecurity is in the Top 5 items that keep senior leaders awake at night.  The fear that the organisation you have worked hard to protect, could one day be maliciously attacked is a troubling thought for many...resulting in a cold sweat nightmare at 3am in the morning. 

To be honest there are many things that business leaders need to consider.  So let me outline 2 of the key items that spring to mind this morning....

1 - Secure the use of Identity and Access Management Systems

The key here is people....because they are the solution....not the problem.   Here is a simple checklist that everyone can follow...not just at work...but also at home.  

Tip 05 can be adapted for business, by building a list of trusted sources, i.e. a whitelist.  You can do this manually, or by using a whitelisting tool, preferably one based on Artificial Intelligence technology.  That way it can detect not just trustued sources that you list, but predict or warn when something looks malicious.  
​
2 - Simulate Probable Security Scenarios

Again the key here is people.  Create a realistic scenario....data breaches are the most common, so this is a good place to start.  Brief a small number of individuals, including leadership, that you're creating a simulated security challenge....execute the scenario for real on a non-production system with the team....then treat it like a fire drill and allow the remainder of the team to see how they react and recover from the simulation. It's a bit like paintballing...where one team attacks the castle....and the other team defends it.  Although in this scenario....the defending team is really ascertaining what happened and how best to protect the organisation going forward. 

If you need inspiration for what threats you should be simulating....take a look at the Treacherous 12....which we cover in the CCSP course.  

This blog article is designed to be ready by everyone.  By everyone, I mean people who are new to the cloud, and maybe uploading a picture of their great grand children to Facebook, for the first time. Or maybe you're a seasoned technologist, like myself, with over 300 cloud-based logins.  Chances are, you're probably somewhere in the middle, and this is perfect for you too.  

The 5 simple tips I have outlined above, will help everyone.  They're universal to everyone that uses the cloud.  They are simple to implement, and need you to put aside a little time.  They will protect you from cyber attacks. 

Oh...and I also follow these 5 tips myself.  Probably for about the past 5 years.  I will not only explain how to implement each tip, but I will give you a specific personal examples. That way, you know my advice is real and that I follow my own advice.  Only a fake person wouldn't follow their own security advice....right.....?

​Each image in this blog is clickable, offering additional information about that subject.

Let me show you what a complex password looks like:

If you click on the image, it will take you to Troy Hunt's blog on passwords and hacking, which explains a bit more around why complex passowrds are important.  

Let me break this down for you. 

• You pick a word, with at least 6 letters and capitalise the first letter.  This is your first password.  In this example, it is Pencil
• Think of 3 letters: 135.  Add them to the password.  In this example, it is 135Pencil
• Reverse the 3 letters: 531.  Add them to the end of the password.  In this example, it is 135Pencil531
• Then add a symbol at the beginning and end, and you have your final password: #135Pencil531#
• Next thing, tell no-one, not even your partner.  It's yours to keep secret.
• Each time you change your password, simply change the 6 letter word, and re-use the same numbers and symbols.
• I recommend changing the numbers and symbol combinations every year.

It's a service, that most well-known cloud providers, now offer, as a means of additional security protection.  Let me break it down with a specific example.  I'm going to outline the overall approach using a cloud app called Xero.  It is used for accounting and I love it:

Using Xero as an example,  here is how it works, once it is configured:

• You login to Xero as normal.
• Enter your email address and password, and click Login.  These credentials are known as First Factor Authentication (1FA or 1SA).
• It prompts me to enter my 6 digit code

•  This example is setup to use the Google Authenticator App.  This is now asking for my Second Factor Authentication (2FA or 2SA).

​There are 3 common ways this second factor authentication can work:

• Most common is that a code is sent to your mobile phone via SMS.
• A code is sent to an app, or a token.  In this example it's the Google Authenticator App, but could also be the MIcrosoft Azure Authentication App.
• A code is sent to your email address.

So I check my Google Authenticator app on my phone, read off the number it displays, type in into the Xero prompt, and there you have it.  I have now used Two Factor Authentication (2FA or 2SA) to log into my cloud service.  When using two or more factors to authenticate, we call this Multi Factor Authentication (MFA).

If you're not sure, whether you cloud service offers MFA, either contact them directly, or perform a Google search to look up whether they offer the service.  You may need someone technical to help setup for you, or if you have paid support, you call up your cloud provider.

You can also reach out to me publicly on twitter:

@MusicComposer1

I'm always willing to help 'coach' you through to success.

t's an app that you download that stores all your passwords for you.  It's very, very important that you create a complex password to open the app, as this becomes your key to all your other passwords.  You also want to setup multi-factor authentication.

Typically the average technical person probably has around 200-500 cloud accounts they use or have used.  So for the average person, 50-100 cloud accounts is not unusual. 

If you're using an app on your mobile phone, then you most likely have a username and password for that app.  Therefore if you have 100 Apps on your phone, you will probably have close to 100 usernames and passwords.  Clearly it's very difficult to remember 100 different passwords, so the password manager really comes into play here for everyone.

There are also two extra benefits, among many, that password managers provide:

• The app rates whether your password is complex or not.
• The app can help you identify cloud services, where you have not changed your password in a long time.

When changing your password, I would recommend doing this every 12-24 months, for all your accounts.  And also delete cloud accounts that you no longer use. 

WHY? 

Because that cloud provider may suffer a data breach in the future.  A data breach is where a hacker gains data from a cloud provide.  This could mean a malicious actor, could use your account to attempt to steal your money, damage your reputation or worse still assume your identity.

My top pick is Last Pass and I would recommend the Premium (Paid) version:

This is an app that helps detect any malicious activity on your device.  Sometimes known as anti-virus software, however devices can be attacked not just via virus, but also via many other attack vectors.  So I prefer the term anti-malware.

​I personally install anti-malware software on my Android phone and my Windows 10 machine.  I don't install it on my Mac or my iPad.  However, I would recommend that you install it on all your devices.  Generally when you buy anti-malware software they give you a number of licences to run on different types of device, so it probably won't cost you extra.  So I always recommend this extra level of protection.

The reason I don't do that, is because I have additional security controls to mitigate this risk.  These are a little complex to explain.  I also don't want to give away this information to potential hackers, who could also exploit me personally.  I hope that makes sense.  :-)

My top pick here is to use the Kaspersky.

Never click on links in an email, that are sent from outside your company.  

WHY?

Because you are opening yourself up to a Spearphising attack.  Sometimes also known as a Phising attack for short.

So a Phising attack, is when a malicious actor, sends you an email with a link inside.  You click on the link and a number of bad things can happen:

• It redirects you to a website, which attempts to download some malware.  Generally your anti-malware may detect and stop this, but it's not 100% guaranteed.
• It redirects you to a website, which looks like a site you're used to using.  It might be fake version of your bank for example.  You then think, it's real, enter your username and password....and boom....the attacker has your passwords for you bank account.  You can see here that as long as your bank is setup for multi-factor authentication, then they will not be able to access your account.
• It redirects you to a website and ask for some personal information.

Also, there are some rules around emails.  Immediately delete any emails that ask for the following.

• Ask for money.
• Mention a prize.
• Ask for usernames and/or passwords.
• Ask for any personal information.

I call these the 'tells', as they are common tactics used by scammers.

Here is an example, of a reasonably sophicated phising attack:

Click on the link above to be redirected to another simple definition of Phising.

But what about if you do business with external companies?

That's fine, we can modify this advice.  Make a note of all the people you personally deal with outside your company.  Agree with them, using the phone, how you're going to communicate via email and how you're going to share information.  I personally use the OneDrive cloud links to share read-only files and I always set the link to expire after 30 days.

By creating a list, you're effectively creating a 'whitelist'.  A list of people whom you trust.  There is no guarantee, that someone else won't impersonate them, so by having an agreed format for the exchange, you can validate if it is genuinely from that person.  If in doubt, give them a telephone call.  You know that old-fashioned thing, that emails has replaced.......LOL.

If you're dealing with clients directly via email, then you'll hopefully be validating them as leads anyway, so there shouldn't be any reason to click on the links they are sending you.  

If you're business is truly an exception to this rule, and clients need to send you a link then you're need additional security:

• Think about the types of security controls you need in place, to ensure that you're not subject to a phising attack. 
• No matter how tech savvy you are, they could well get you one day.  The attacks are becoming incredibly sophistcated.

​
And remember...be aware but not alarmed.  Cybercrime is relatively rare.  Follow these tips and you'll put yourself in the Top 10% of the population, which means you're highly unlikely to be scammed.   

Below is a great website to check for the latest scams too:

For the first time in 2018, it's become easier than ever to gauge the state of the cloud market.  New data from the top cloud providers, mean we can really see who is dominating the landscape.  In this blog, I've chosen to look at the total revenue as an indicator of success.  Partly because it's easy to measure, but also because it given an indication of relative market opportunity and growth.

This chart is taken from a great ZDNET article that was published earlier this year:
www.zdnet.com/article/cloud-providers-ranking-2018-how-aws-microsoft-google-cloud-platform-ibm-cloud-oracle-alibaba-stack/

It clearly shows Microsoft as the dominant force, which I predicted would be the case back in 2016.  My colleagues at DXC Technology will attest to that prediction.  I think it's also a reflection on a number of compelling events that have materialised over the past few years:

• Microsoft have invested significant amounts of money into their cloud strategy and you can see it's paying off.   www.onmsft.com/news/microsoft-spending-more-10b-year-azure-data-centers
• Microsoft's cloud portal was reskinned around 3 years ago, which put AWS on the back foot.  azuretalk.wordpress.com/2015/02/24/azure-portal-new-look-and-feel/
• All medium and large corporate companies of note, already have a relationship with MIcrosoft through an Enterprise Agreement (EA).  This EA provides Microsoft with significant scope for commercial leverage, through price reductions, discounts and bundled services, across the Azure and Office 365 platforms.  en.wikipedia.org/wiki/Microsoft_Enterprise_Agreement
• Office 365 is a serious force to be reckoned with.  There is no real competition in this space and the vast majority, if not all companies, use some components of the product suite.  Integrated with Active Directory technologies for authentication, authorisation and access control.

Although Google offers their G-Suite, I don't really see it as a serious competitor or replacement for Office 365. In fact they complement each other.  I typically use Google for managing both business and personal data on my Google Pixel and then Office 365 for Surface Pro, MAC and iPad and then OneDrive across all of them.  Below is a quick snapshot of how Google and Office stack up:

On the Amazon Web Services side, there is much progress and improvement especially in the area of new services.  AWS are very good in the Serverless and PaaS spaces, adding a whole series of new innovations.  These and exciting innovations were announced at the AWS ReInvent 2017 conference last year and include:

• AWS Fargate - Serverless Containers
• Amazon ECS for Kubernetes - Container Management
• Amazon Neptune - Graph Database
• Amazon Sumerian - Create and run 3D apps for Virtual Reality & Augemented Reality Use Cases
• AWS IoT Analytics - Analyse IoT data at scale
• Amazon Rekognition Video - Video Analysis using Machine Learning

You definitely can not accuse Amazon of being static, boring, with all this innovation coming thick and fast.  Amazon are certainly pushing the curve, as there are no Microsoft Azure equivalents for some of these services.  Amazon Sumerian is a case in point.  See the screenshot below:

Oracle are coming up fast, probably as a result of their push in the past 12-18 months.  A rep at Oracle invited me to attend Oracle Cloud World, which introduced me to the maturity and sleek look of their latest cloud offerings.  The pics below gives a quick overview of the Oracle Cloud offerings:

And here is a good article that articulates how large and dangerous Alibaba really is.  I do apologise for all the popups, but the free content on the site IS worth the pain:
​www.cbinsights.com/research/amazon-alibaba-international-expansion/

The link below gives another perspective on the Microsoft / AWS revenue growth story, outlining some of the great customers stories to come out of the Azure platform.  These include:

• Coca Cola
• UPS
• Toyota

​www.forbes.com/sites/bobevans1/2018/04/27/microsoft-tops-amazon-in-q1-cloud-revenue-6-0-billion-to-5-44-billion-ibm-third-at-4-2-billion/#57a5358a5d4b

Finally if you feel you need some specialised training or business advice on AWS, Microsoft Azure, IBM, Oracle or Cloud CyberSecurity, feel free to reach out to me or to ALC Training:
www.alctraining.com.au/courses/cloud-computing/

#CloudComputing #Cloud #AWS #Amazon #Microsoft #Azure #Office365 #CyberSecurity #CCSP #Training #Coaching #AI

Klout was a social media tool that helped online influencers measure their influence in the virtual world.  It was bought for $200 million by a company called Lithium in 2014.  It targeted the most popular social media platforms such as twitter, instagram, linkedin and youtube and provided you with an influencer score.  The higher the score, the more influential you were likely to be.

As of the 25th of May, Klout was retired.  This co-incided with the timing of the new European Union, General Data Protection Regulation (GDPR) laws.  These  came into force on the same date.  So why did Lithium retire Klout?

It really boils down to return on investment.  Lithium bought the people, intellectual property and the technology, to help them inprove their products.  They specialise in creating products that improve your business customer service, via social media channels.  Understanding the influence and pervasiveness of a brand, was crucial to their strategy, and Klout provided this service.  This allowed Lithium to acquire talent and knowledge. 

In addition, Klout does not provide an obvious or known revenue stream for Lithium, as it's a free tool.  It's a similar problem that Facebook and Twitter had faced in the past, until they utilised advertising and promotion as a means of making revenues.  

Finally GDPR is complex legislation with a heap of complexities associated with it.  Let's provide some real examples using Klout:

Klout is used by millions of social media users around the world.  A proportion of them live in the EU, which consists of 28 separate countries.  That means Lithium would need to comply with the GDPR legisation.  This would include some key investments in the Lithum business to comply with GDPR.  Here are some examples:

• To provide a means to report data breaches for any EU person, to their respective data authority.  There is 1 data authority in each member state.  So a breach of users that live in all 28 separate countries, would likely result in notification breaches to 28 separate authorities.  It's likely that each authority will insist on breach notifications for the users in their respective jurisdiction. The initial response to this, has to be done within 72 hours!
• Allowing customers the 'right to be erased' in the system.  This means erasing all the data associated with a user.  If you've ever worked with social media analytics, especially streaming services like twitter, you'll know that the potential data stored is both vast and complex.  So this is not an easy task and it's likely that evidence will need to be shown that the data has indeed been erased.

For more information on GDPR, check out my easy to read blog:

https://www.alctraining.com.au/blog/what-is-gdpr/​

I also really like the friendly introductory video on their site:

www.skorr.social/

The only downside, seems to be from a developer perspective, as the APIs are not available for general use.  This means it can't be used by 3rd parties.  You could argue that is a good thing, if you don't want your score to be used autonomously in an app.  Or a bad thing, if you want to see how you rate against other influencers in a 3rd party charting system.  Overall I believe in open APIs, so I see this as a downside for the world of influencing.

Interesting in learning more about social media scoring, GDPR or cloud security, please feel free to check out my portfolio of cloud training courses at ALC Training:

www.alctraining.com.au/courses/cloud-computing/

And don't forget to follow my social media adventures on twitter:

twitter.com/MusicComposer1