
A look back at Cloud Expo Europe, DevOps Live, Cloud & Cyber Security Expo


December 6, 2023

Matthieu GAILLARD-MIDOL, Practice Leader Cloud Sec, and Florian COULON, GRC expert, share their insights from their favorite conferences and workshops at Cloud Expo Europe 2023 in Paris.

A quick 360° tour of the topics covered during this superb edition dedicated to cloud professionals.

The opportunities and limitations of democratized AI for businesses

We begin this RETEX (feedback report) with the round-table discussion held on Wednesday, November 15, bringing together:

A truly interesting debate and discussion that highlighted the advantages and risks of AI for businesses.

Benefits of AI:

  • Operational improvement: AI offers opportunities to improve operations and make operators more efficient.
  • Extracting value from data: Chatbots and language models such as GPT-3 are identified as tools for extracting value from unstructured data.
  • Process optimization: The use of AI, particularly in sectors such as distribution (CHANEL), enables the optimization of calculations and processes.

Risks associated with AI:

  • Fad effect and model degradation: Participants warned against treating AI as a fad and highlighted the risk of models degrading when their training data is managed automatically rather than curated.
  • Environmental challenges: The environmental implications of AI were mentioned as a potential risk to be considered.
  • Data security: The need to evaluate models, particularly in the context of generative AI, was emphasized to ensure that data entrusted to them stays secure.
  • Risk of hallucination and massive misinformation: The uncontrolled spread of false information on a large scale has been identified as a major risk associated with AI.

Data protection and the Cloud Act – contradictions and European solutions

This second roundtable brought together renowned experts in data protection, particularly in relation to the Cloud Act. Among them were:

  • Didier Simba, President and Founder of CESIA - Club of Information Security Experts in Africa
  • Sélim-Alexandre Arrad, Data Protection Officer (DPO) and member of the Institut du Numérique Responsable (INR)
  • Adila Sakhraji, Data Protection Officer (DPO) - Compliance Officer - Secours Catholique – Caritas France

After a brief historical overview (the Stored Communications Act, the origin of the Cloud Act, etc.), the discussion turned to the coexistence of the GDPR and the Cloud Act. The Cloud Act applies to service providers subject to US jurisdiction, not to their customers: as a French company you are not subject to it directly, but your CSP (AWS/GCP/Azure) is. After the Schrems II ruling, which invalidated the Privacy Shield, a Schrems III challenge is expected and will certainly be just as demanding.

Contradictions between the Cloud Act and the GDPR:

  • Restrictions on data transfers to countries without an adequacy decision: Transfers outside Europe, particularly to non-adequate countries, remain a major challenge. The Schrems rulings and the invalidation of the Privacy Shield highlight these issues and push companies to find alternative safeguards.
  • The specific issue of access to data entrusted to US cloud providers: The Cloud Act lets US authorities compel a provider to produce data wherever it is stored, for non-content data (metadata) even without a judge's warrant, and without notifying the customer or the individuals concerned. This is directly contrary to the GDPR, in particular Article 48, under which a third-country order to disclose data is enforceable only if it rests on an international agreement such as a mutual legal assistance treaty.

European Solutions:

  • Use of open source software and European solutions: Companies face the challenge of reducing their exposure to the Cloud Act. Using open source software or European providers is emerging as a strategy to limit its reach while complying with the European regulatory framework.
  • Third-party encryption key management: One approach is to entrust encryption key management to a third party, so that the provider holds only ciphertext it cannot decrypt. This technical barrier blocks access to the data even if the provider is compelled to hand it over, providing additional protection against the provisions of the Cloud Act.
  • Data minimization and diversification of service providers: The issue of entrusting all data to a single cloud service provider has been raised. Data minimization and diversification of service providers are recommended to ensure data confidentiality while complying with the law.

Strategies and Recommendations:

  • Keep resources in-house based on data sensitivity: One strategy is to keep sensitive data in-house or in a more tightly controlled cloud, depending on the nature and sensitivity of the data.
  • Compliance with ANSSI recommendations: Align with the recommendations of the French National Cybersecurity Agency (ANSSI), particularly on the required encryption technologies; even US cloud providers have no effective workaround to the Cloud Act's obligations.
  • Signing standard contractual clauses (SCCs): This remains a legal safeguard. The only technical measure proposed is over-encryption (encrypting data yourself, with your own keys, before it reaches the provider), to which one can add dispersing data across several cloud providers, a complex but highly effective method. The GDPR was also presented as the "Schengen of data", with business opportunities set to emerge within Europe. The hoped-for European cloud giant, however, is still wishful thinking!
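
What "over-encryption with keys held outside the provider" looks like in practice, as an added example that is not from the talk or from any vendor: client-side envelope encryption in Go, where each object is encrypted under a fresh data key and that data key is wrapped under a key-encryption key (KEK) that stays with the customer or a third-party key manager. The provider stores only the ciphertext and the wrapped key. The type and function names, the in-memory StoredObject and the demo key in main are assumptions for the example; a real deployment fetches the KEK from an HSM or external KMS, which is also the idea behind the hyperscalers' external key store offerings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the cloud provider ends up holding: the data
// ciphertext and a data-encryption key (DEK) that is itself encrypted under a
// key-encryption key (KEK) the provider never receives.
type StoredObject struct {
	Nonce      []byte // AES-GCM nonce for the data
	Ciphertext []byte // data encrypted under the DEK
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the external KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random nonce.
func sealGCM(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openGCM(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForProvider encrypts plaintext on the customer side before upload.
// kek is the 32-byte AES-256 key held by the customer or an external KMS
// (assumption: the caller supplies it; it never comes from the storage provider).
func EncryptForProvider(plaintext, kek []byte) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	// Wrap the DEK under the KEK, binding it to this ciphertext via AAD so a
	// wrapped key cannot be transplanted onto a different object.
	wrapNonce, wrapped, err := sealGCM(kek, dek, ct)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptFromProvider is only possible for a party holding the KEK. A provider
// compelled to hand over obj can produce ciphertext and a wrapped key, nothing more.
func DecryptFromProvider(obj *StoredObject, kek []byte) ([]byte, error) {
	dek, err := openGCM(kek, obj.WrapNonce, obj.WrappedDEK, obj.Ciphertext)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	return openGCM(dek, obj.Nonce, obj.Ciphertext, nil)
}

func main() {
	kek := make([]byte, 32) // demo only: a real KEK comes from the external key manager
	io.ReadFull(rand.Reader, kek)
	obj, _ := EncryptForProvider([]byte("payroll export Q3"), kek)
	pt, err := DecryptFromProvider(obj, kek)
	fmt.Printf("decrypted with KEK: %q (err=%v)\n", pt, err)
	_, err = DecryptFromProvider(obj, make([]byte, 32))
	fmt.Println("decrypt without KEK:", err)
}
```

The point of binding the wrapped DEK to its ciphertext through the AAD is that a party holding several stored objects cannot mix and match keys and data; the provider's only role is to store opaque bytes.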

Cybersecurity in SMEs/VSEs: risks and solutions

This exchange provided an opportunity to examine the specific cybersecurity challenges faced by SMEs/VSEs. With 99.9% of French companies falling into this category and, according to the speakers, generating €1 billion in revenue, understanding and preventing cyberattacks has become imperative.

The speakers: 

Specific risks for SMEs/VSEs:

  • Preferred targets as service providers: SMEs/VSEs have become preferred targets for reaching large corporate customers that are much better protected. Small businesses are de facto more exposed.
  • Costs of a cyberattack:
    • Direct costs: restoring service, notifying customers and communicating; these vary from case to case.
    • Hidden costs: an attack has a psychological impact on teams, causing turnover and therefore a loss of talent, and is usually accompanied by a loss of market share as stakeholders lose confidence, to the benefit of competitors.

Avenues and solutions:

  • Regulatory context - DORA: The Digital Operational Resilience Act (DORA) harmonizes existing requirements for managing risks associated with third-party ICT service providers. Financial entities must define a strategy for managing the risks associated with these third parties.
  • Awareness among senior management: Adequate protection strategies must necessarily come from the top.
  • Support and awareness raising:
    • Understanding the challenges faced by SMEs/VSEs by mapping their resources.
    • Hardening of systems: Implementation of quick wins, such as hardening configurations, to enhance security.
  • Resilience to attacks:
    • Business continuity plan: SMEs/VSEs must learn how to maintain operations in adverse situations.
    • Immediate alert and filing of a complaint: In the event of an attack, SMEs/VSEs must be prepared to respond quickly by reporting the incident and filing a complaint.

Cloud-related cyber threats: security and solutions

Let's explore the Zero Trust model, cloud security, and ways to identify and prevent attacks in a context where threats are evolving with the proliferation of the cloud. Hosted by Addy Sharma, Founder & Cloud Security Architect at SecuriGeek, the discussion highlighted trends in cloud security, recent attacks, and strategies for strengthening the security of cloud environments.

1. Risks associated with the Cloud:

  • Responsibility allocation: Whatever the service model (IaaS, PaaS or SaaS), the customer remains responsible for the security of its own data, identities and access; only the layers underneath shift to the provider.
  • Most common breaches:
    • Configuration errors in security settings.
    • Attacks related to social engineering and identity theft.

2. Solutions and strategies:

  • Quick wins for protection:
    • Adoption of Single Sign-On (SSO).
    • Native solutions provided by the cloud service provider enable the identification of incorrect configurations.
    • User privilege and access management through the integration of Cloud Infrastructure Entitlement Management (CIEM).
  • Role of DevSecOps:
    • Integration of security from the design phase onwards (Security by Design).
    • Securing API keys, e.g. by restricting them to known source addresses and keeping them out of source code.
    • Use configuration audit tools to identify vulnerabilities and misconfigurations.
  • Using and configuring native alert solutions:
    • Leverage native alerts to gain initial visibility into threats.
    • Fine-tuning alerts for a quick and effective response.

The discussion highlighted the need to adopt specific strategies based on the cloud service model, while emphasizing preventive security, the protection of sensitive data, and the integration of security from the earliest stages of development.
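
To make the "configuration errors" and CIEM points concrete, here is an added example, not code from the talk or from any vendor tool: a minimal, provider-agnostic posture check over a constructed inventory (public storage, admin ports open to any source, full-admin IAM policies), plus the core CIEM question of which granted permissions a principal has never used according to audit-log events. The resource types, field names, severities and sample data are assumptions for the example; native CSPM services do the same thing against the provider's real configuration API.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed, provider-agnostic inventory. A real CSPM pulls this from the
// provider's API; the field names here are assumptions for the example.
type Bucket struct {
	Name         string
	PublicAccess bool
	Encrypted    bool
}

type FirewallRule struct {
	Name   string
	Source string // CIDR allowed to connect
	Port   int
}

type Policy struct {
	Principal string
	Actions   []string
	Resources []string
}

type Finding struct {
	Severity string
	Resource string
	Message  string
}

var adminPorts = map[int]string{22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

func hasWildcard(xs []string) bool {
	for _, x := range xs {
		if x == "*" {
			return true
		}
	}
	return false
}

// Audit applies three checks that native CSPM tools ship with: public storage,
// admin ports exposed to any source, and full-admin IAM policies.
func Audit(buckets []Bucket, rules []FirewallRule, policies []Policy) []Finding {
	var out []Finding
	for _, b := range buckets {
		if b.PublicAccess {
			out = append(out, Finding{"HIGH", b.Name, "storage bucket is publicly accessible"})
		}
		if !b.Encrypted {
			out = append(out, Finding{"MEDIUM", b.Name, "no encryption at rest configured"})
		}
	}
	for _, r := range rules {
		svc, sensitive := adminPorts[r.Port]
		if sensitive && (r.Source == "0.0.0.0/0" || r.Source == "::/0") {
			out = append(out, Finding{"HIGH", r.Name, svc + " (port " + fmt.Sprint(r.Port) + ") open to the internet"})
		}
	}
	for _, p := range policies {
		if hasWildcard(p.Actions) && hasWildcard(p.Resources) {
			out = append(out, Finding{"CRITICAL", p.Principal, "policy grants * on * (full administrator)"})
		}
	}
	return out
}

// UnusedPermissions is the core CIEM question: which granted actions has this
// principal never exercised? usedActions come from audit-log events over the
// review period (CloudTrail, Azure Activity Log, GCP Audit Logs).
func UnusedPermissions(granted []string, usedActions []string) []string {
	used := map[string]bool{}
	for _, a := range usedActions {
		used[a] = true
	}
	var unused []string
	for _, g := range granted {
		if !used[g] {
			unused = append(unused, g)
		}
	}
	sort.Strings(unused)
	return unused
}

// SampleInventory is constructed test data, not a real environment.
func SampleInventory() ([]Bucket, []FirewallRule, []Policy) {
	return []Bucket{
			{"hr-exports", true, true},
			{"logs-archive", false, false},
		}, []FirewallRule{
			{"allow-ssh-any", "0.0.0.0/0", 22},
			{"allow-https", "0.0.0.0/0", 443},
			{"allow-rdp-office", "203.0.113.0/24", 3389},
		}, []Policy{
			{"ci-deployer", []string{"*"}, []string{"*"}},
			{"report-reader", []string{"storage:GetObject"}, []string{"*"}},
		}
}

func main() {
	for _, f := range Audit(SampleInventory()) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Resource, f.Message)
	}
	fmt.Println("unused:", UnusedPermissions(
		[]string{"storage:GetObject", "storage:PutObject", "iam:CreateUser"},
		[]string{"storage:GetObject", "storage:PutObject", "storage:GetObject"}))
}
```

On the sample inventory this yields four findings (the public bucket, the unencrypted archive, SSH open to the world, and the `*` on `*` deployer policy); port 443 open to the internet is not reported because it is not an administrative port. The unused-permission list is what a CIEM tool turns into a right-sizing recommendation.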

New techniques for detecting future threats: how can we defend ourselves?

Speakers:

CTI and the contribution of AI:

Predictive DNS techniques, powered by big data and AI, offer the ability to process massive volumes of data, thereby reducing false positives. By providing relevant leads, AI is positioning itself as a crucial tool in preventing attacks and learning about adversarial tactics. Measuring the effectiveness of these techniques remains a challenge, raising the question of whether AI acts as a brake or a driver in the fight against cyber threats.
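
The talk did not go into its techniques, so here is an added example, not from the speakers or any product, of the most basic DNS signal those systems build on: scoring the registrable label of each looked-up domain by length and Shannon entropy to catch machine-generated (DGA-style) names, with an allowlist standing in for the false-positive reduction that the AI-based products provide. The thresholds, the allowlist and the sample lookups are constructed for the example; production systems add many more features (domain age, query volume, digit ratio, passive DNS history).

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Verdict is the triage result for one lookup.
type Verdict struct {
	Domain  string
	Label   string
	Entropy float64
}

// Known-good apex domains. In production this is a full allowlist or popularity
// list; it is where most of the false-positive reduction comes from.
var allowlist = map[string]bool{"google.com": true, "cloudfront.net": true, "example.org": true}

// apexAndLabel returns ("example.org", "example"). Simplification: it assumes a
// one-label public suffix; a real implementation uses the public suffix list.
func apexAndLabel(domain string) (apex, label string) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	parts := strings.Split(d, ".")
	if len(parts) < 2 {
		return d, d
	}
	label = parts[len(parts)-2]
	return label + "." + parts[len(parts)-1], label
}

// ShannonEntropy in bits per character: 4.0 for 16 distinct characters,
// around 3.3 or less for most dictionary-like names.
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// Score flags a lookup whose registrable label is long and high-entropy, the
// classic DGA signature. The thresholds are assumptions tuned on the sample below.
func Score(domain string) (Verdict, bool) {
	apex, label := apexAndLabel(domain)
	v := Verdict{Domain: domain, Label: label, Entropy: ShannonEntropy(label)}
	if allowlist[apex] {
		return v, false
	}
	return v, len(label) >= 12 && v.Entropy >= 3.5
}

// Triage returns only the suspicious lookups, in log order.
func Triage(domains []string) []Verdict {
	var hits []Verdict
	for _, d := range domains {
		if v, bad := Score(d); bad {
			hits = append(hits, v)
		}
	}
	return hits
}

// SampleLookups is constructed resolver traffic, not a real capture.
func SampleLookups() []string {
	return []string{
		"www.google.com",
		"xk3q9vz2mtp8r4wl.com",
		"d1a2b3c4d5e6f7.cloudfront.net",
		"login.microsoftonline.com",
		"update-x7f2k9q1.net",
		"mail.example.org",
	}
}

func main() {
	for _, v := range Triage(SampleLookups()) {
		fmt.Printf("%-24s label=%-16s entropy=%.2f\n", v.Domain, v.Label, v.Entropy)
	}
}
```

Two details are worth noticing. The random-looking CDN hostname is not flagged because the scoring looks at the registrable label (`cloudfront`), not the leftmost one. And `microsoftonline` (15 characters, entropy about 3.3) sits just under the threshold, which is the kind of borderline legitimate name that makes purely statistical rules noisy and is why the speakers frame AI and large datasets as a way of cutting false positives.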

Solutions for organizations with limited budgets:

  • AI training: Implement training programs to maximize the use of AI, including best practices for interacting with models such as ChatGPT.
  • Moving away from the public cloud: Explore alternatives outside the public cloud to enhance security while taking into account the associated costs.
  • AI for cyber defense: Although AI has been integrated into technical solutions for years, its rapid adoption requires constant evaluation of new offerings on the market.
  • CTI cost: Cyber Threat Intelligence (CTI) pricing depends on the scope, including DNS protection, brand monitoring, and attack surface. Services such as the takedown of malicious sites are determined based on these criteria.
  • Cyberattack preparedness strategy: Engage in crisis exercises with management, focus efforts on communication, and use tools such as EDR ( Endpoint Detection and Response), MDR ( Managed Detection and Response), and SIEM ( Security Information and Event Management) to automate responses and isolate compromised workstations.
  • Small organizations and resilience: For organizations with limited budgets, preparing for resilience is crucial. This involves strengthening visibility, correlating information, and developing the skills necessary to respond quickly in the event of an attack.

Cyber awareness: how to better define your needs? 

The challenge is to develop a cyber culture and change behaviors within the company by clearly defining cybersecurity awareness needs.

Educational engineering:

  • Thematic catalog
  • Mandatory courses by theme
  • Construction according to user profile
  • User content vs. business content
  • Ability to import company-specific content

Timing: 

  • Ability to interrupt a module and resume later
  • Defining a duration per module
  • Total duration

Technical integration:

  • SaaS solution vs. on-premise solution
  • Supported devices (PC, smartphone, tablet)
  • SSO Possible
  • Integration into an LMS (Learning Management System)
  • Restriction / IP Range

Security:

  • SLA, incident support
  • GDPR (contractual clauses)
  • Reversibility (exit terms and data return)

Learner profile management

  • Ability to upload attributes for learners (groups)
  • Creating groups on the platform

Measures and KPIs:

  • On participation
  • On completeness
  • On the results (quizzes, tests)
  • On time spent/modules

Types of content:

  • Course to be delivered (slides)
  • Animated sequences
  • Videos by theme
  • Conversational chat
  • Scheduled live sessions

Pricing model:

  • Per user (named user/token)
  • Per module
  • Per connected device

Languages:

  • Catalog available / Contents
  • Available catalog / Interface
  • Language can be added
  • By the customer
  • By the vendor: on quote / standard

Rewards:

  • Achievement badges per module
  • Certificate that can be published on the platform
  • Organization of competitions

Before purchasing:

  • Is PoC possible?
  • Cost/timeframe
  • Demonstration

Supply chain risk assessment

  • Bertrand Blond, Director of Cyber Defense Information Systems - Ministry of the Armed Forces
  • Yasmine Douadi - RiskIntel
  • Clara Le Gros, Deputy Head of Technology Risk Management - Natixis Investment Managers
  • David Ofer, President - French Cybersecurity Federation

Introduction:

The supply chain is a prime target for attackers, who often exploit the vulnerability of subcontractors to reach their customers. This roundtable discussion addresses the risks inherent in the supply chain and explores the new dynamics introduced by regulations, particularly DORA in the banking sector. Participants will also discuss risk assessment strategies and best practices for strengthening supply chain resilience.

Converging approaches in the military and banking sector:

  • Risk analysis at the Ministry of Defense: Military operations in cyberspace require a significant technological transition, which increases the attack surface. Attacking subcontractors is becoming an effective option for attackers: a cheap way to disrupt operations.
  • New Regulations and Monitoring of Service Providers in the Banking Sector: The highly regulated banking sector is adapting to new regulations such as DORA, which involve direct assessment of service providers by European regulators. Supplier ratings are emerging as crucial indicators.

Assessment and maturity strategies:

  • Certifications and risk assessment: Certifications, such as ISO 27001, provide a framework and structure, offering objective assessment criteria. However, the discussion raises the question of the value of these certifications in assessing supply chain risks.
  • Challenges of supplier assessment: Identifying the weak link in the supply chain is crucial. Supplier questionnaires may include a cyber risk self-assessment, but verifying the answers remains a challenge.
  • A contractual approach that proves difficult in practice: Imposing cyber clauses in contracts could make services more expensive. Similarly, audit clauses put the cost on the client, who must then actually exercise them.
  • Cyber maturity framework at the Ministry of Defense: An alternative is to strengthen the maturity of the supply chain by using common criteria to map critical service providers. A cyber maturity framework of 21 questions covering governance, protection, incident management, and resilience produces a rating for each provider, with the answers weighted according to the provider's criticality. Business continuity plans (BCPs) and disaster recovery plans (DRPs) are a priority.

How to adapt your security strategy to a multi-cloud environment?

Speakers:

Another roundtable discussion focused on adapting security strategies to multi-cloud environments. Speakers share their perspectives on enabling businesses to develop effective strategies in an environment characterized by the complexity and diversity of cloud services.

Issue:

Spreading risk across a multi-cloud environment while maintaining effective security is a major challenge. The diversity of cloud services and national and international regulations (FR: LMP/HDS/SecNumCloud, EU: GDPR/NIS2/EUCS/DORA, US: Cloud Act/Data Privacy Framework) add further complexity.

Monocloud vs. multicloud: strategy and challenges 

  • The choice between monocloud and multicloud is crucial, especially in sectors experiencing a shortage of cybersecurity talent. The diversity of cloud providers and their services complicates security management.
  • Knowledge of Identity and Access Management (IAM) on one cloud platform does not easily transfer to another. Internal training for cloud experts is essential.

Diversity of cloud services: risks and solutions 

  • The proliferation of clouds increases the attack surface. Hyperscalers offer their own security building blocks.
  • A unified solution for multi-cloud environments, linked to on-premise systems, is necessary to maintain a unified view that is crucial for effective security.
  • Third-party security solutions are becoming relevant for achieving unification in a multi-cloud environment.

Advice from the speakers:

  • Christine Grassi: Recommends starting with a single-cloud approach using native security solutions, which are less expensive and automated. This helps you understand the level of maturity and facilitates the transition to an agnostic multi-cloud approach.
  • Clémence Philippe: Suggests including the Data Protection Officer (DPO) in strategic decisions, particularly when establishing the processing register.
  • Anne Leslie: Emphasizes the need to find a compromise between various solutions.
  • Romain Marcoux: Emphasizes the importance of bringing together crucial solutions such as IAM while promoting encryption.

Cybersecurity and police investigations

Franck Cormary, Deputy Cyber Mission Officer at the Paris Police Prefecture, Ministry of the Interior, shares insights on what it takes to understand and resolve cybercrime incidents.

Conducting a cyber investigation involving an automated data processing system (STAD, the term used in French criminal law) requires a comprehensive approach, combining human and technical elements.

Evidence in Investigations:

  • Human Factor: Ransom demands, screenshots, original emails, employee lists, schedules, computer access rights, building access logs, video surveillance, telephone logs, detailed subcontracting information, temporary workers, interviews with managers.
  • Technical Elements: Administration logs, firewall logs, Active Directory details, sample of the loader or payload in the event of a virus infection, disk copy of an infected machine, server access logs.

It should be noted that the judge may request that hosting providers disclose their customers' connection and identification data.
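
One practical step the technical evidence list implies: hash every collected artefact (logs, AD export, malware sample, disk image) at the moment it is copied and keep the manifest with the evidence, so that what is handed to investigators can later be shown to be unaltered. Here is an added example of such a chain-of-custody manifest in Go, not code from the talk or from the police; the artefact names and contents are constructed, and a real collector would stream files and images from disk rather than hold them in memory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Entry records one seized artefact.
type Entry struct {
	Name   string
	Size   int
	SHA256 string
}

// Manifest is the chain-of-custody record handed over with the evidence.
type Manifest struct {
	CollectedAt time.Time
	Collector   string
	Entries     []Entry
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Collect hashes every artefact at collection time so its integrity can be
// demonstrated later. artefacts maps a name to its content (in-memory here).
func Collect(collector string, artefacts map[string][]byte) Manifest {
	m := Manifest{CollectedAt: time.Now().UTC(), Collector: collector}
	names := make([]string, 0, len(artefacts))
	for n := range artefacts {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order for printing or signing the manifest
	for _, n := range names {
		m.Entries = append(m.Entries, Entry{Name: n, Size: len(artefacts[n]), SHA256: digest(artefacts[n])})
	}
	return m
}

// Verify recomputes every hash and reports artefacts that changed or vanished.
func Verify(m Manifest, artefacts map[string][]byte) []string {
	var problems []string
	for _, e := range m.Entries {
		data, ok := artefacts[e.Name]
		switch {
		case !ok:
			problems = append(problems, e.Name+": missing")
		case digest(data) != e.SHA256:
			problems = append(problems, e.Name+": hash mismatch")
		}
	}
	return problems
}

// SampleArtefacts is constructed content standing in for real logs and samples.
func SampleArtefacts() map[string][]byte {
	return map[string][]byte{
		"firewall.log":  []byte("2023-11-15T03:12:44Z DENY 203.0.113.9:51234 -> 10.0.0.5:445\n"),
		"ad-export.csv": []byte("user,lastLogon\nsvc-backup,2023-11-14\n"),
		"loader.bin":    {0x4d, 0x5a, 0x90, 0x00},
	}
}

func main() {
	m := Collect("analyst@example.invalid", SampleArtefacts())
	for _, e := range m.Entries {
		fmt.Printf("%-14s %6d bytes %s\n", e.Name, e.Size, e.SHA256)
	}
	tampered := SampleArtefacts()
	tampered["firewall.log"] = append(tampered["firewall.log"], []byte("injected line\n")...)
	delete(tampered, "loader.bin")
	fmt.Println("problems:", Verify(m, tampered))
}
```

In practice the manifest itself is then signed or timestamped by a party other than the one that holds the evidence, so that the hashes cannot be rewritten along with the files.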

Law and Procedures:

  • The statute of limitations for a misdemeanor (délit) is six years since the 2017 reform of criminal limitation periods (it was three years before).
  • Flagrante delicto investigation: an initial period of eight days is authorized, which may be extended with the prosecutor's consent.
  • Preliminary investigations: once the flagrancy period is over, the investigation continues as a preliminary investigation, in which the police have fewer coercive powers.
  • Letter rogatory (commission rogatoire): a delegation by an investigating judge, used in particular in organized crime cases.

Jurisdiction of the French judge:

In the event of a complaint, the French judge may have jurisdiction if one of the following three criteria is met:

  • Place where the offense was committed: The place where the offense was committed may be a determining factor. However, the scope of this consideration may be broadened by other factors.
  • Attacker's domicile: If the attacker has a known domicile in France, this may also establish French legal jurisdiction.
  • Nationality of the victim: The nationality of the victim may confer jurisdiction on the French court, particularly when the victim is a legal entity or a company.

It is important to note that the jurisdiction of French courts may be extraterritorial and extend to cases involving French citizens abroad.

Focus on the complaint:

  • As soon as ransomware is identified, it is likely that data has been exfiltrated.
  • Use resources such as Cybermalveillance.fr and ANSSI to help companies file complaints.
  • Server administration logs are crucial in the context of the complaint and investigation.

Posture to adopt in case of attack:

  • File a complaint promptly to maximize the chances of resolving the incident.
  • Authorities to contact: Use resources such as Cybermalveillance.fr and ANSSI.
  • Isolate the affected machines from the network and let the police collect evidence. Disconnect rather than power off: switching a machine off destroys volatile evidence such as memory contents, and wiping or rebuilding it before collection destroys everything else.

In conclusion, Franck Cormary emphasizes the importance of collaborating with authorities, filing complaints promptly, and following procedures to maximize the chances of resolving cybercrime incidents.

Florian Coulon 

GRC Expert - PARIS Squad

 

The Future of Cloud Native DevOps

An interesting format in which three people answer questions. They promote the cloud but also encourage using technologies that make you independent from CSPs (Kubernetes, for example). The European cloud giant often comes up in the questions. OVH is suggested, but the response is that it does not offer the same level of service/integration as AWS/GCP/Azure. We discuss the packaged services offered by generalist CSPs versus customizable services, using PostgreSQL as an example. Using a dedicated CSP for this service allows for maximum optimization (the company mentioned contributes to the PostgreSQL code). One could argue that, yes, theoretically, using a specialized CSP for each service would be better, but it would be a nightmare to secure, and likewise in the event of contractual or forensic issues.

DevSecOps by GitHub

The speaker begins with a quote from former ANSSI Director General Guillaume Poupard: "Not doing cyber security is like riding a motorcycle at 200 km/h without a helmet." This sets the tone for a reminder of what DevSecOps is (the image of the DevOps unicorn with security cleaning up behind it is not shown, but it would have been appropriate). This is followed by a reminder of the different types of application security testing (AST): SAST, DAST, IAST, and threat modeling, with a focus on GitHub's SAST, CodeQL, and in particular its ability to offer direct remediation to developers (based on flow charts and AI). To my surprise, DAST is not identified as a particularly relevant tool: an open source solution will suffice, and it should not be a major expense because there are too many false positives and it requires significant fine-tuning, which, in the end, can cause vulnerabilities to be overlooked. It is better to opt for IAST instead.
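
To show what a SAST rule such as a CodeQL query fundamentally does, and where a purely syntactic rule stops, here is an added example that is not GitHub's, CodeQL's or the speaker's code: a tiny Go scanner built on the standard library's `go/ast` that flags `database/sql` calls whose query text is assembled at runtime through string concatenation or `fmt.Sprintf`. The sink list, the rule and the sample source are constructed for the example; real engines add data-flow analysis on top of this so that a query held in a variable can be traced back to user input.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one SAST hit: a database call whose query text is assembled at runtime.
type Finding struct {
	Line   int
	Method string
}

// sinks are the database/sql methods whose first argument is the query text.
var sinks = map[string]bool{"Query": true, "QueryRow": true, "Exec": true}

// isConstString accepts "lit" and "lit" + "lit", which cannot carry user input.
func isConstString(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.BasicLit:
		return x.Kind == token.STRING
	case *ast.ParenExpr:
		return isConstString(x.X)
	case *ast.BinaryExpr:
		return x.Op == token.ADD && isConstString(x.X) && isConstString(x.Y)
	}
	return false
}

// builtAtRuntime matches the two most common injection shapes: "..." + variable
// and fmt.Sprintf("...", variable). A bare identifier is not flagged; deciding
// whether it holds a constant needs data-flow analysis, which is what tools
// such as CodeQL add on top of this kind of syntactic rule.
func builtAtRuntime(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.ParenExpr:
		return builtAtRuntime(x.X)
	case *ast.BinaryExpr:
		return x.Op == token.ADD && !isConstString(x)
	case *ast.CallExpr:
		if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "fmt" && sel.Sel.Name == "Sprintf" {
				return true
			}
		}
	}
	return false
}

// ScanSource parses one Go file and reports sink calls whose query is built at runtime.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if ok && sinks[sel.Sel.Name] && builtAtRuntime(call.Args[0]) {
			findings = append(findings, Finding{Line: fset.Position(call.Pos()).Line, Method: sel.Sel.Name})
		}
		return true
	})
	return findings, nil
}

// Sample is constructed input: two injectable queries and one parameterised one.
const Sample = `package main

import (
	"database/sql"
	"fmt"
)

func vulnerable(db *sql.DB, name string) {
	db.Query("SELECT * FROM users WHERE name = '" + name + "'")
}

func alsoVulnerable(db *sql.DB, id string) {
	db.Exec(fmt.Sprintf("DELETE FROM users WHERE id = %s", id))
}

func safe(db *sql.DB, name string) {
	db.Query("SELECT * FROM users WHERE name = ?", name)
}
`

func main() {
	findings, err := ScanSource(Sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d possible SQL injection in %s()\n", f.Line, f.Method)
	}
}
```

On the sample this reports lines 9 and 13 and stays silent on the parameterised query, which is the remediation a SAST tool proposes: pass the value as an argument, never splice it into the query text.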

Reduce multi-cloud risk with WIZ

The speaker talks about Wiz's CNAPP. Reminder: CNAPPs are a fusion of CWPP (Cloud Workload Protection Platform, workload monitoring) and CSPM (Cloud Security Posture Management, cloud configuration compliance). These tools are currently at the forefront of cloud security (1/3 of attacks are due to configuration errors). Wiz's solution focuses on DevOps onboarding, with the aim of enabling them to remedy issues directly and independently without security teams having to remind them. The speaker compares it to Total Football (Ajax Amsterdam's strategy in the 1970s, where every player can defend/attack). Everyone can and must contribute to security. With the solution being used 70-80% by DevOps, the gamble seems to have paid off. I am more familiar with Palo Alto's Prisma Cloud and Microsoft's Defender for CSPM/CNAPP, but undeniably, in terms of interface, Wiz will be more appealing to DevOps, particularly with its contextualization of alerts, which seems interesting. Worth exploring!

Société Générale hybrid cloud

Feedback on Société Générale's adoption of the cloud, with a focus on cost management. It's always nice to get feedback from a client I've worked with. They presented the situation to us with three ecosystems operating in parallel: on-premises, private cloud, and public cloud (on two CSPs).

Business units have a wide range of deployment options to choose from, which leaves plenty of opportunities to blow their budget. Pay-as-you-go pricing is widespread across all platforms in order to make business units more accountable. Capacity planning is key to forecasting hardware purchases for on-premises and private cloud environments, as well as for negotiating with cloud service providers. This is done centrally by a dedicated FinOps team. The goal is to obtain discounts on the most frequently used services. This team also manages the tagging strategy, reservation/saving plan purchases, and the production of global dashboards for business units (including on-premises/private/public cloud).

 

Matthieu GAILLARD-MIDOL

Cloud Security Practice Leader - Lyon Squad
