News Roundup: Week of Oct 6, 2019

by | 10 Oct 2019

TSA Releases Cloud Strategy 2.0

TSA’s Cloud Strategy 2.0 was released recently, “[calling] for a mix of public and private cloud” to properly deal with both sensitive and transactional data. According to Nextgov: “the most significant principle” of this strategy “requires TSA programs to only purchase agency-approved cloud services.” Although “the document does not provide details on TSA’s preferred procurement strategies,” the document did detail clearance criteria for potential cloud products:

  • Its security posture must be certified by the Federal Risk and Authorization Management Program, or FedRAMP
  • It must have an open architecture in order to avoid lock-in to a closed set of vendors
  • It must be capable of integrating with multiple clouds, platforms, and infrastructures

According to FedScoop, “the agency will first consider software-as-a-service (SaaS) solutions and then infrastructure- and platform-as-a-service alternatives.”

Investigating Worldwide VPN Vulnerabilities

The NCSC published an alert describing “vulnerabilities [that] exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials.” The alert claims that “an attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.” The list of “highest-impact vulnerabilities known to be exploited by APTs” is as follows:

Pulse Connect Secure:

Fortinet:

  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto:

The NCSC recommends the following steps to “mitigate these vulnerabilities”:

  1. Apply the latest security patches released by vendors
  2. Reset authentication credentials associated with affected VPNs and accounts connecting through them

How Much is Google’s Cloud Really Worth?

Barron’s recently published an article discussing a Deutsche Bank valuation of Google’s Cloud offering. Two Deutsche Bank analysts “place a 15 times revenue multiple on GCP” and “find that the total Google Cloud business is worth about $225 billion.” This valuation is presented in contrast to the market’s current valuation of the Google Cloud business at “zero” and might cause investors to rethink their GOOGL share valuation. The analysts are particularly optimistic about Tom Kurian’s continued positive influence on the success of Google Cloud.

The Cloud-Native and Serverless Future is Now

In an article written for Forbes, Eugene Khazin, Principal and Co-Founder at Prime TSR, calls our attention to the fact that Amazon has “[started] an initiative to re-train 100,000 people across their organization” as a clear sign that “cloud-native and serverless are the future” and the future is now. The article attributes the success of digital transformations to leveraging cloud-native data to “[build] a data-driven culture that includes self-service analytics as part of the company DNA.” This cultural transformation not only necessitates “[training] employees for a new way to build software” but also emphasizes the importance of technological, programming, and analytical knowledge in other areas of the business.

AWS re:Invent 2019 Reserved Seating Opens Soon!

Here’s a friendly reminder for those of you joining us at AWS re:Invent 2019 that reserved seating for sessions opens this coming Tuesday, October 15, 2019. As you probably know, sessions tend to fill up pretty quickly, so make sure to take a look at the session schedule and pick out your favorites beforehand! If you have any questions about re:Invent, we recommend taking a look at the “2019 AWS re:Invent Ultimate Guide” published by a re:Invent regular from A Cloud Guru. If you are planning to join us at re:Invent this year and would like to meet with our team, we encourage you to contact us and let us know!