My name is Rajavi Kringan-Shraaf and I'm excited to be presenting with the Linux Foundation. So let me start a little bit of a screen share here. Okay. So today's topic is going to be cloud security, the beauty of open source. And I thought to start off here with a little bit of an introduction. So I'm a high school junior and I'm passionate about cybersecurity. I'm the founder of Project Cyber. We're an organization for teens by teens interested in cybersecurity. So what we do is create content on cybersecurity, such as articles on various topics. And we also have cybersecurity-related events for teens to participate in. And outside of Project Cyber, I've spoken at several SANS events and also placed nationally at two cybersecurity competitions. So I've listed Project Cyber's website here and we also have a YouTube channel. So please feel free to check it out. And as I've mentioned, I've given talks on cybersecurity before. And I was able to keynote at the SANS Pen Test HackFest Summit. I presented at the cyber camp for teens. And I also gave a technical talk on cryptography and the internet for the SANS New2Cyber Summit. And I've placed nationally in Girls Go CyberStart and also in the CyberStart America competition. Over the summer, I was also an instructor for a cyber arts camp called Hacker Simulator for teens.

All right, so let's set the stage for what the presentation format will look like. I've split it into a few chapters so that we can start from the fundamentals, since this is a technical talk that will be built from the ground up. And I'll also be emphasizing the cloud security and open source aspects of it. Cool, so let's jump in.

To begin, a big idea about the cloud is that it's actually a term that has come to encompass many services and technology models. The term cloud is a pretty huge term, but at its core, the cloud refers to servers that are accessed through the internet instead of locally.
So this means we also have access to the servers and, I mean, the software and the services that run on these cloud servers. And it's important to remember that cloud servers are actually stored in data centers globally and they're managed by a cloud service provider or a CSP. So that's kind of similar to what we have with an ISP, which is something we'll talk more about later in the presentation.

Okay, so this should lead us to the natural question. What is cloud computing? There's a lot of hype surrounding it, a lot of businesses using it, so it's sometimes good to refresh our memory about what cloud computing really is. So cloud computing refers to this idea that there's on-demand access to computing resources, all of which takes place over the internet. Whenever we talk about computing resources, what we really mean are applications, servers (these can be physical or virtual), data storage, development tools, things like that. And another thing to note is that all of our data is hosted at a remote data center, which means that some other organization is responsible for managing some of this for us. Another example is that the phrase cloud computing can also be used to refer to technology that makes the cloud work. This includes some form of virtualized IT infrastructure, servers, OS software, really anything that's abstracted.

So now let's take a step back and understand what was traditionally done in terms of servers and what the cloud allows us to leverage. And traditionally we would have companies building huge data centers with servers to deliver applications and services. In our modern world, we trade off this ownership, this physical access to our servers for greater flexibility, greater convenience, because this allows the company to focus on their service and application delivery, rather than putting in a lot of effort to manage the data center, which means that this sort of business strategy is more cost-effective.
And I think this understanding is really key because this enables us to see that the design of the cloud is actually something that could cause security concerns. And this is kind of also why I led us from the basics of what the cloud is, so that we can come to this conclusion about what cloud security will really mean, and why it stems from what cloud computing is and really how it's just designed.

Now let's take a look at the security standpoint. So in an on-premises model, all the security responsibility would fall on the business, which makes sense because we also have access to the physical data centers. And we're free to disconnect and reconfigure the machines. But with the cloud, there is a shared responsibility, this idea, this model which comes into play. So management and security assessment of the cloud becomes a little bit more difficult. But the idea is that both the business and the cloud service providers share responsibilities. There's both parties involved and no one party is responsible for it all.

And so here I thought to add a little bit of a picture to kind of motivate why cloud security is so important and why we should be paying attention to it. And at the bottom here, we have, we can see that we as end users are relying on the cloud on a day-to-day basis. So we have all of these like architecture built around it. We have servers that rely on cloud computing. We have applications, we store data in the cloud and things like that. And all of that is really just something we interact with on a day-to-day basis. So it's why it's crucial why security should be a central part of the discussion around cloud computing.

And another quick little bit I wanted to add before I finish off this segment is that I wanted to add a few statistics to this talk that we're having. So we have 5 billion people accessing and storing data on cloud and their services.
We also have hundreds of zettabytes of volume of data that's stored in the cloud by 2025 and a huge amount of money for the cloud computing market size.

Okay, so let's move on to segment two now that we know the significance of cloud security. Let's jump into a few of the cloud models. Okay, so there are three main types of cloud services. We have IaaS, which we can generalize to be hosting or storage of data. We also have PaaS, which is often used by developers to run and deploy their applications. And finally SaaS, and SaaS products are referred to as fully baked services that are ready for end users to use. So here we see in the chart how IaaS is kind of generalized to hosting. So that would be servers. And then PaaS would be like building, you build with it. You have middleware and OS provided on top of the servers. And then finally SaaS, which is the next layer up, which is like as a user consuming these goods. So that would be servers, middleware, OS and the application portion of it.

And so the three different models that we just saw actually give us different advantages and offer different resources. So often you can see a chart with all of this outlined. And this is vital information actually because we see here how in the orange part how others manage and then the blue being you manage, how there's different people responsible for different parts of this. And we see here how IaaS, you have virtualization, servers, storage, networking as something the CSP manages. Whereas PaaS, you only manage the applications and data. SaaS, everyone, like everything that is involved in there is what the CSP manages. And I think this is understanding, this understanding is really key is because it's inherently possible to have increased risks because of the fundamental design behind the cloud. So we have to be extra vigilant for security.

And moving on, I also thought to talk about this one analogy we can use to wrap our head around the cloud models.
So you can think of the on-premises management as if you were making pizza at home. And then IaaS would be similar to using a take and bake pizza area. Well, PaaS would mean that you simply have the pizza delivered to your home. On the other hand, SaaS is kind of analogous to having an experience with eating at a restaurant. So this is just a cool little model for what the different services look like if you were getting pizza as a service.

Okay. And I added some examples here of the different cloud services many people interact with on a daily basis, especially the SaaS services, which I think goes to show how prevalent and integral cloud is for us. And also how important the field of cloud security is today, and especially going forward. So that's, it's a very important thing to be talking about cloud security.

And so that kind of leads us to our next discussion here. I kind of also want to talk about the difference between public cloud and private cloud, because both will have different security risks associated with them. So here we have a public cloud. It's often referred to as a multi-tenant environment, meaning that a single environment serves many customers or tenants. We have private cloud as well, which is an environment just for one user or one customer. And we also have something called multi-cloud and then hybrid cloud. Multi-cloud would be more than one cloud deployment of the same type. So let's say you have public-public and private-private from different vendors, whereas hybrid cloud would be cloud that mixes two or more types of cloud environments. So you can kind of see how these rely and build upon public and private clouds.

Okay, so now let's jump into a little bit of the security risks, starting with public cloud. Now, there are factors about the environment that would be out of the customer's hands, because there's a lack of direct control over security measures.
You are not able to directly control the exact settings and specifications, so that becomes something to consider. And then we also have private clouds, which are usually safer than public cloud. But what often happens is that the customer will entrust the cybersecurity to a third party or will need to do this through an IT team. But what happens with a private cloud is that you usually have very niche problems that you as a company will need to like face and kind of solve. So it's something that kind of pertains to you, so there may not be enough support or customer service, which if you're on time and like you're wanting to do things fast, because security risks you have assessed and then you want to find a patch or fix for it, those become harder to do if you're having to constantly have this back and forth with other support systems and things like that. And so this also leads us to this idea of update cycles. Usually update cycles can be fewer or they can take longer, so security vulnerabilities can take longer to resolve.

So this is actually where open source comes in, since another alternative is to actually use the open source cloud model. And in general, the open source community and vendors have security as one of their main concerns or are open to fixing it and believe it is important, which may or may not be the case for private vendors. So let's define open source cloud really quickly. It's a cloud where services are developed using open source technologies and software that can be public, private or hybrid cloud models, and they could provide all or any of the three models that we talked about earlier: SaaS, IaaS and PaaS. Another important note is that, although open source can also have its cons, because vulnerabilities in the open source code or software can become public knowledge pretty quickly, the thing is that the pros usually outweigh the cons, because vulnerabilities are also solved faster.
And with the company have usually a lot more protocols and hoops to jump through. And so it can be audited and fixed well, when its behavior or maybe its security is in doubt. So just to kind of provide both sides of the same coin. And I think it's important to say that open source is definitely, its pros outweigh the cons. It has a good track record when it comes to security and so that's why we really recommend it.

And there are three other bullet points I wanted to talk about. One is that it's more security minded. Usually, the community is very, very mindful of the fact that security is a very important thing today. And so it's going to come with this idea that security is one of the main concerns. So also an involved community: open source community are usually very passionate about what they do, they're very helpful, so a company can always go to an open source tool and kind of chat off people and kind of get their solutions that way. Finally, you also get better control over your data. And so all three things considered, open source cloud is usually a very safe alternative. And it's more secure than our general cloud models.

To kind of add on to this idea with some more statistics: while I was researching about the intersection between open source and security, I came across an interesting survey. So in 2019 and 2020, Red Hat actually took a survey from 950 IT leaders in four different regions. So from that survey, I compiled a few of the statistics that can help us understand the potential for more secure cloud models. So for instance, this top one here says that 83% of IT leaders said enterprise open source has been instrumental in their organization's ability to take advantage of architectures. So that's the open source aspect of it. And then also the fact that is just as if not more secure. And then finally the last bullet point that 29% of the survey respondents said that better security is why one chooses open source.
So all things considered here, open source and security are a very good combination. And I have this slide here to kind of get us thinking about where we can take open source and security from here.

So that brings us to our third segment. Okay, so going back to what we mentioned earlier about the shared responsibility model. Here we see how different kind of responsibilities are outlined for different parties. And again, this idea that shared responsibility means that everyone is responsible, everyone involved, it needs to take care of the security. So this is another kind of idea that we should keep in mind because sometimes maybe organizations or companies are not taking into account this consideration and our idea here is that the more we increase awareness about cloud security, the better we all will be in the end. Okay, and here I have a little bit more in depth about just kind of what cloud customer versus the cloud provider are kind of responsible for.

And here we move on to our fourth segment. Okay. There are three things I wanted to kind of add on to the open source security segment. First is that the open source cloud as we discussed is a very strong solution. And another thing that we're going to talk about now is actually open source tools that help kind of assess security. So let's start with osquery, which I'll talk about later. And also the fact that involvement and awareness go hand in hand. And that will go a long way in ensuring cloud security is maintained and improved upon.

So let's start with osquery. So, what is it? osquery is an open source universal endpoint agent, which is a very big phrase, so universal endpoint agent means that it can be used in endpoint security. Now endpoint security is essentially trying to manage and monitor every endpoint that accesses the network to ensure security. So what osquery does is it helps you make environments queryable via SQL.
And another fun fact about it is that it's recently been welcomed into the Linux Foundation family. Okay, so you may be curious what this osquery kind of looks like. So here I have osqueryi. I think this shift would kind of help demonstrate what it kind of looks like. We see here how osquery is kind of like a CLI. And this is kind of how it runs, how it looks like.

Okay, so I guess we can now move on to the osquery community and these are all facts that I learned from just kind of researching and one quote that really stuck with me is how the osquery community is among the most vibrant in advancing operating system health and security with more than 280 contributors and 5000 commits. And I think this kind of quote really showed me and I hope will show you as well how cloud security is really better with open source in it. And the future looks good with cloud security and open source because we can see here we have a project, here's a proof for project that kind of made those two things work.

Okay, so that kind of brings me to my next point about involvement and awareness going hand in hand. So drawing on what I was saying earlier, knowing that cloud is designed to be extra vigilant. And this is actually why we spent a lot of extra time to go over how the cloud kind of works, what the mechanism behind it really is. It really helps if we have more people get involved with cloud computing, open source cloud computing, because the safer the end products will be, the safer we all will be in the end. And I think to leave us off on the note of the beauty of open source.
The fact that we are all people trying to solve one big problem, one overarching solution that will kind of fit everyone and their needs, and the idea that we can all come from different places, different backgrounds and we could be anywhere in this world right now and we could all help try to find a solution for something, and I think that's just a really beautiful idea and I think the beauty of open source is that we all can have something, we all have something to contribute to open source and anything in life in general as well.

So to conclude, open source projects, I think, will contribute much to ensure a long lasting way of securing our digital world in the years to come. I think the possibilities, the advantages and effects open source cloud computing will have on cyber security is really just amazing and I think the rise of open source tools means that we as we going forward will just build a better community and you would be able to progress much faster.

Okay, so thank you for bringing yourself along in this journey with me and kind of learning about open source and cloud security. Thank you for listening. So my email address is mentioned on here if you would like to email, it's rksmissionpossible at the rate gmail.com, and I'd love to now hop into the time for Q&A, see what questions you guys have. So, thank you and I'll see you guys all in there. Bye.