Malware P.I. – Odds Are You’re Infected

February 19, 2018 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

In Bitglass’ latest report, Malware P.I., the Next-Gen CASB company uncovered startling information about the rate of malware infection amongst organizations. Additionally, experiments with a new piece of zero-day malware yielded shocking results. Here is a glimpse at some of the outcomes.

Nearly half of organizations have malware in one of their cloud apps
While the cloud endows organizations with great flexibility, efficiency, and collaboration, cloud apps and personal devices accessing corporate data can inadvertantly house and spread malware. However, this does not mean that operating in the cloud is inherently more dangerous than the traditional way of doing things. In the cloud, threats merely adopt new forms and require novel methods of defense. For organizations that fail to adopt cloud-first security solutions like cloud access security brokers (CASBs) that are complete with advanced threat protection (ATP), the consequences can be severe. A single piece of malware is enough to inflict massive damage to any enterprise.

Zero-day malware “ShurL0ckr” deteced by Cylance and not Microsoft or Google
In addition to uncovering the above information, Bitglass’ Threat Research Team also discovered a new variety of ransomware. Dubbed “ShurL0ckr,” the threat encrypts users’ data and demands a ransom in exchange for decryption. Armed with this zero-day malware, tests were performed with a variety of antivirus engines. Cylance, a Bitglass technology partner that uses machine learning to detect unknown threats, was able to detect the ransomware. However, few other engines proved capable of doing so.

Somewhat alarmingly, native ATP tools within Microsoft SharePoint and Google Drive were unable to detect ShurL0ckr. This highlights the growing dangers of relying solely upon cloud applications’ native security features. When adopting cloud apps, it is imperative that organizations also adopt advanced, specialized security solutions. In this way, they can ensure that their data is completely secured.

To learn more about malware’s assault on the enterprise, download Malware P.I.

Agentless Mobile Security: No More Tradeoffs

February 15, 2018 | Leave a Comment

By Kevin Lee, Systems QA Engineer, Bitglass

Have you ever seen a “Pick two out of three” diagram? They present three concepts and force individuals to select the one that they see as the least important. The tradeoffs between convenience, privacy, and security serve as a perfect example of a “Pick two” situation for many mobile security solutions. 

Industries have seen massive growth in the number of personal devices that touch sensitive information, resulting in a need to secure data as it is accessed by these endpoints. Various solutions have been adopted by many companies, but all tend to fall into the classic “Pick two” scenario. When evaluating these inadequte solutions, companies normally select security as one of their two priorities, leaving them to choose from only the two scenarios below.

Security and Convenience

Mobile device management (MDM) is a fairly popular solution for securing data on personal mobile devices. Using MDM is often seen as a good strategy because, in theory, it permits employees to use their personal devices and allows employers to monitor and control data as they see fit. However, the major downside to MDM is the need for agents to be installed on personal devices. These agents give employers visibility into employees’ personal traffic. Obviously, this raises questions about employee privacy. 

Security and Personal Privacy
For individuals who wish to keep their personal information private, using one or more work-only devices is an option. Whether these devices are mobile phones with MDM or managed computers on-premises, the strategy allows employers to monitor corporate data without touching employees’ personal data. The large disadvantage with this approach is the lack of convenience for employees. They are required either to carry multiple devices at all times or to access work-related information from few, select locations.  

The Solution
As seen above, there always seems to be a tradeoff when choosing a mobile security strategy. However, does it have to be that way? What if there were a security tool that could ensure data security, provide convenience for employees, and respect the right to privacy all at the same time? It only seems far-fetched when one assumes that agents are necessary to secure data.

To learn about cloud access security brokers and agentless mobile security, download the solution brief.

Saturday Security Spotlight: Military, Apps, and Threats

February 12, 2018 | Leave a Comment

By Jacob Serpa, Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Fitness app exposes military bases
—Soldiers’ names revealed by app
—Google Play filled with fake apps
—Medical devices easily hacked
—The internet of things creates risk for the enterprise

Fitness app exposes military bases
Strava, the creators of a fitness tracking app, released heatmaps of its users’ movements. Unfortunately, this revealed the inner workings of military bases abroad by highlighting the movements of soldiers who use said app within their bases. Naturally, making this information publicly available raises questions of privacy and national security.

Soldiers’ names revealed by app
After learning of the above heatmaps and how they expose military bases and personnel, a Norwegian researcher decided to test other aspects of Strava’s security. In so doing, he succeeded in tricking the app to reveal the names and identities of military personnel who use Strava.

Google Play filled with fake apps
Despite efforts to clean up Google PlayGoogle’s app marketplace still contains many fake applications. While some are fairly innocuous, others can spread malware or steal information from users’ mobile devices. In light of BYOD (bring your own device), this should be a concern for the enterprise.

Medical devices easily hacked
Researchers in cybersecurity have determined that medical devices like MRI machines face a high risk of cyberattack. As healthcare technology evolves and connects to the internet more and more, the risk will only increase. Researchers warn that these devices must be designed in ways that ensure more security.

The internet of things creates risk for the enterprise
As enterprises adopt IoT devices for the efficiency that they provide, they are also increasing the number of attack surfaces that can be exploited by malicious parties. These devices serve as entry points for malware and can enable access to corporate networks.

The cybersecurity landscape is constantly shifting. Organizations must stay ahead of threats with advanced security solutions. To learn about cloud access security brokers, download the Definitive Guide to CASBs.

Why Next-Gen Firewalls Can’t Replace CASBs

February 7, 2018 | Leave a Comment

By Joe Green, Vice President,/WW Solutions Engineering, Bitglass

A security solution is only as good as the data it protects. Some solutions focus on data protection on the corporate network, others focus entirely on cloud data, and a select few enable security at access from any network.

Next-gen firewalls (NGFWs) are the traditional solution for many organizations looking to secure their corporate networks. They are effective at what they do, securing corporate network traffic by routing everything through on-premises appliances. As corporate data begins moving outside the corporate network, as it does with cloud and mobile, the NGFW can no longer provide protection. Major gaps include access from managed devices that don’t use VPN while outside the corporate network, access from unmanaged devices like employees’ personal mobile devices, and cloud data-at-rest.

Why are cloud and mobile such a big gap? With the flexibility and mobility provided by cloud apps, employees often work outside premises-based security infrastructure. Additionally, unmanaged devices with unmitigated access to corporate apps (whether in the cloud or on premises), can be lost, stolen, or abused by malicious insiders. IT needs to secure data in these situations, yet a perimeter-focused security tool like an NGFW has no way to secure this traffic.

Providing security beyond the firewall typically requires a data-centric approach rather than a control-oriented approach. After all, with cloud and BYOD, the organization neither controls the applications nor the underlying infrastructure on which those applications reside. As a result, organizations must move from network- and application-based allow/block controls to robust, data-centric tools like data loss prevention (DLP) and encryption. Other key requirements of a data-centric approach are remediation (such as DRM, redaction, and more), identity integration and strong authentication, and data-at-rest scanning. All of these capabilities must be delivered via an architecture that can intermediate users’ connections to an app, like Office 365, even when they use a personal device or public network – no small task, and definitely not one an NGFW can handle!

Recognizing these gaps, and the future impact on the firewall market, some NGFW vendors have acquired or built basic API-based cloud access security broker (CASB) offerings. Unfortunately, these offerings don’t provide real-time data & threat protection, and have proven unable to keep up with the rapidly evolving CASB use cases in the enterprise. As a result, the last couple of years have seen CASBs rise from an unknown acronym to the de facto standard for data & threat protection in the cloud and mobile enterprise, complete with their own Magic Quadrant from Gartner.

Apps have evolved and moved to the cloud – shouldn’t you?

Only a CASB built from the ground up to protect data in a cloud- and mobile-first environment can secure cloud apps and BYOD. Instead of opting for a tool that simply augments existing firewall capabilities, adopt a solution that provides visibility and control over all corporate data wherever it goes.

Download the Top CASB Use Cases.

EMV Chip Cards Are Working – That’s Good and Bad

February 2, 2018 | Leave a Comment

By Rich Campagna, CEO, Bitglass

For many years, credit card companies and retailers ruled the news headlines as victims of breaches. Why? Hackers’ profit motives lead them to credit card numbers as the quickest path to monetization. Appropriate data in hand and a working counterfeit card could be cranked out in seconds and used to purchase a laptop or TV at the local Walmart — easy to fence in the local black market.

Sick of being the target, the payment card industry got smart about fraud detection, created a set of regulatory compliance requirements (PCI-DSS) and perhaps even more importantly, rolled out EMV “chip-and-pin” technologies, which are meant to reduce counterfeit card fraud by presenting a unique cryptographic code for each transaction — much more difficult to duplicate than the static information embedded in the magnetic stripe of older cards. The results have been astounding — according to Visa, “for merchants who have completed the chip upgrade, counterfeit fraud dollars have dropped 66%!” That’s great news, but bad news at the same time.

The bad news comes in that hackers, still seeking profit motive, will continue to seek out the fastest and most lucrative path to monetization. Since credit card information has essentially become valueless, data that can be used to apply for new cards (or other monetary instruments or services) is now the target. This is why we saw a massive increase in healthcare-related breaches over the past few years. As healthcare gets their act together, hackers will move on to the next most viable target, whatever industry that may be.

Not only does this impact information security professionals in enterprises, but it also impacts consumers in a big way. For consumers, credit cards have always had limited liability, meaning outside of a few calls to the credit card company, fraudulent card use didn’t make much impact. Unfortunately, you can’t “cancel” your social security number, date of birth, and mother’s maiden name — those are permanent. And once someone gets their hands on that data, they own them permanently as well.

So, kudos to credit card issuers and retailers for making tremedous progress. Hopefully peers in other industries will continue to follow suit.

BTW, it’s entirely likely that your organization’s shift to cloud and mobile includes some of the aforementioned data to be protected. Might be time to check out a cloud access security broker (CASB).

Saturday Security Spotlight: Cyberwarfare and Cryptocurrency

January 29, 2018 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Cyberattacks deemed a top threat to society
—Hackers target data around the world
—Poor app designs threaten countries’ infrastructure
—Olympic Committee emails leaked by hackers
—Half of UK firms fail to secure cloud
—WiFi can be hacked to mine cryptocurrency

Cyberattacks deemed a top threat to society
The World Economic forum recently released a report detailing the top threats to society. Cybersecurity concerns like cyberwarfare landed within the top three. The fact that these threats were paired with the likes of natural disasters highlights the growing dangers of our cloud-first society and serves as a reminder that organizations everywhere should adopt next-gen security solutions.

Hackers target data around the world
Dark Caracal, a cyberespionage group, has recently been linked to an extensive list of cybercrimes. In over twenty-one countries, the group used Pallas, its custom mobile spyware, to steal data from the mobile devices of healthcare workers, lawyers, reporters, members of the armed forces, and more.

Poor app designs threaten countries’ infrastructure
Mobile applications used for critical infrastructure (water, electricity, etc.) are reported to contain numerous vulnerabilities that can be exploited by malicious parties. These SCADA (supervisory control and data acquisition) applications are often designed without adequate consideration for security, leaving nations vulnerable to attack.

Olympic Committee emails leaked by hackers
Self-proclaimed hacktivist group, Fancy Bears, has leaked email correspondences from within the International Olympic Committee (IOC). While the group claims to hold honorable intentions, their leaking of athlete medical records is believed to be a response to Russia’s ban from the 2018 Winter Games.

Half of UK firms fail to secure cloud
A recent research report uncovered that only half of UK companies have security policies around data in the cloud. These statistics are particularly worrying in light of the approaching General Data Protection Regulation (GDPR).

Public WiFi can be hacked to mine cryptocurrency
A new study, CoffeeMiner, details how public WiFi networks can be used to mine cryptocurrency through connected devices. The research demonstrates the dangers of public WiFi for both individuals and their employers.

Cybersecurity threats are constantly spreading and evolving. To learn about cloud access security brokers, solutions that protect data in the cloud, download the Definitive Guide to CASBs.

Download the Definitive Guide to CASBs

Nine Myths of Account Takeover

January 25, 2018 | Leave a Comment

By Dylan Press, Director of Marketing, Avanan

Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them.

What Is an Account Takeover Attack?

Account takeover is a strategy used by attackers to silently embed themselves within an organization to slowly gain additional access or infiltrate new organizations. While ransomware and other destructive attacks immediately make the headlines, a compromised account may remain undiscovered for months, years or not at all. (See the Verizon 2017 Data Breach Report graph.)

On average we find at least one compromised account in half of our new installs, oftentimes finding that they have been there for months. We hope this blog can provide a better understanding of how they work and how to defend against them.

Scan your own account for an historical breach.

Myth 1: I’ve installed the latest antivirus software. I’m safe.

Reality: Account takeover attacks seldom use malware or malicious links.

You may have the latest patches. You might have the latest URL filters. You might have installed an MTA mail gateway to scan every message. None of these, however, would have detected the most common attacks of 2017. Few, if any, used an attachment or malicious link. Instead they relied upon convincing a user to authorize an app or share credentials via an otherwise legitimate site. Account takeover attacks do not want to infect a desktop or steal a bank account’s routing number. They seek only to gain access to a legitimate user’s account for as long as possible. Step one in their methodology is to avoid detection by the most common tools.

Myth 2: We’ve all had security training. Attacks are obvious.

Reality: User training is not enough to defend against targeted attacks.

Everyone would like to believe that they are smart enough to notice an attack before they are compromised, but even the most vigilant user would miss the more recent strategies. A CISO once called user training an “attack signature that gets updated once a year.” While you may be able to identify the traits of an older method, new, more sophisticated techniques are developed every day. It is no longer enough to look for misspelled words or bad grammar. They are now highly personalized, well timed and sent in moderation. It is easy to forget that attackers read the same best practice documents you read, and use them as their checklist of things to evade.

Myth 3: An account takeover always starts with an email.

Reality: Attackers are starting to use other collaboration tools.

As organizations are moving away from email to Slack, Teams, and Chatter for internal collaboration, so are the attackers. Your employees are naturally wary of messages that come by email, but they seldom transfer that suspicion to internal messaging tools. While only 12 percent of employees might be likely to click on a malicious email, more than half would click on the same message when it arrives via internal Slack chat from a ‘trusted’ user. While there are dozens of tools to monitor and protect user email, these internal tools typically have no phishing or malware protection at all.

Scan your own account for an historical phishing attack.

Myth 4: Account takeover always starts with a phishing message.

Reality: Hackers can get your credentials without a phishing attack.

Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. Even Post-It Notes are not safe from online distributionA breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that make it possible for attackers to gain temporary access by requesting a password change. The Equifax breach probably contains more personal information than the average person even knows about themself. Although anti-phishing security is important, it is only one part of the equation when it comes to defending against account takeover.

Myth 5: I would notice right away if my account was compromised.

Reality: Account takeovers are specifically designed to evade detection.

Although it may seem like you would have to be blind to not notice a second user in your email inbox, hackers have become incredibly adept at navigating and using compromised accounts without detection. Tactics like the alternate inbox method, in which the attacker uses hidden and unchecked trash folders as their inbox, can make even the most active attacker invisible to the account’s rightful owner. When your account is compromised, you will likely never notice anything out of the ordinary.

Myth 6: The hacker will log in from a suspicious location.

Reality: Hackers can appear to log in from anywhere.

If a hacker is regularly logging into your account, wouldn’t their location raise a flag? It is reasonable to assume that to detect a compromised account, you just need to keep an eye out for suspicious locations in your account history. Unfortunately, publicly available VPNS are an easy way to avoid this obvious giveaway. A competent hacker based in North Korea can appear to be from an IP address in your own town, looking as benign as a login from your local CoffeeCafe. If they’ve already compromised another victim, they could even stage their attack from a partner’s network.

Myth 7: Changing my password will get rid of them.

Reality: Hackers can continue to access your account without a password.

Many cyber-security best-practices guides will advise you to change your password if your account is compromised. The first step in most attacks, however, includes creating a secondary back door so they can avoid using the primary login. For example, they may install malicious cloud applications that provide full rights to the account. These API-based connections use their own, permanent tokens that must be individually revoked and often never get logged. Or they may create rules to forward and redirect messages through the account without the need to log in again. Even if you change your password or turn on multi-factor authentication within seconds of a breach, they may no longer have need of your password.

Scan your own account for an historical breach.

Myth 8: I’m not “important” enough to be valuable to an attacker.

Reality: Every employee’s account is useful to a hacker.

It can be comforting to think that cyber security is only a concern for executives or employees with high levels of access to sensitive company data. Typically, however, the initial account takeover breach is imprecise and opportunistic. The initial goal of the hacker is to simply get access to any internal account. Once they have access, they take advantage of internal trust relationships to move from employee to employee until they find the sensitive data they need. A user doesn’t need to be high up or have a high level of access to serve as a hub for a hacker to base their operations. In fact, lower level employees are often under less scrutiny and can serve as a better vessel to use and remain undetected.

Myth 9: Our company is not worth targeting.

Reality: Your company can be used to attack your customers and partners.

If your company has customers, their employees will likely trust yours. If your company has providers, it could serve as the attacker’s way in. Although the hacks of major financial institutions and Fortune 500 companies make the headlines, hundreds of small ‘invisible’ companies in niche industries are attacked every day. Because smaller companies typically do not have the security staff of the larger firms, they can be an easy path into a much more lucrative target.

Cloud App Encryption and CASB

January 19, 2018 | Leave a Comment

By Kyle Watson, Partner/Information Security, Cedrus Digital

Many organizations are implementing Cloud Access Security Broker (CASB) technology to protect critical corporate data stored within cloud apps. Amongst many other preventative and detective controls, a key feature of CASBs is the ability to encrypt data stored within cloud apps. At the highest level, the concept is quite simple – data flowing out of the organization is encrypted, as it is stored in the cloud. However, in practice there are nuances in the configuration options that may have impact on how you implement encryption in the cloud. This article outlines important architectural decisions to be made prior to the implementation of encryption solutions through CASB.


Gateway Delivered, Bring Your Own Key (BYOK), or Vendor Encryption

There are three generic methods in cloud-based encryption.

Gateway delivered encryption – In this model, the CASB may integrate with your organization’s existing key management solution through Key Management Interoperability Protocol (KMIP) or provide a cloud-based key management solution. In either case, the keys used to encrypt your data never leave your CASB.

  • Data is encrypted before it leaves your environment and is stored at the vendor
  • You control the keys
  • The vendor retains no capability to access your data

BYOK encryption – In this model, the keys are generated and managed by your organization, and then are supplied to the vendor. BYOK allows you to manage the lifecycle of the keys, which are then shared with the vendor. This includes revoking and rotating keys. The keys are then provided to and utilized by the vendor to decrypt requested data for use by authorized users. CASB can be involved as a broker of the keys to simplify, centralize, and streamline the process of key management by allowing you to perform this administration directly in the CASB User Interface (UI). This also may be done using KMIP with your existing key management solution. Alternatively, without a CASB you may still enjoy the benefits of encryption with your own keys, but administration would be manual on an app-by-app basis.

  • Data is encrypted at the vendor
  • You can control the keys
  • The vendor retains the capability to access your data

Vendor provided encryption – In this model, the vendor provides keys and key management. The administration may be provided through user interfaces provided by the vendor. The CASB is not involved.

  • Data is encrypted at the vendor
  • The vendor controls the keys
  • The vendor retains the capability to access your data


Important Considerations

There is not a “best” way to manage encryption for cloud apps. One important consideration for you to make the best decisions for your company begins with your motivation. Is your primary concern compliance, mitigating risk of vendor compromise, protecting data from being disclosed in blind subpoenas, all three?

  • Compliance – Encryption for compliance can be met easily by any of the three approaches, and is simplest with vendor provided encryption.
  • Mitigating risk of vendor compromise – Using encryption to mitigate the risk of vendor compromise implies the need to manage your own key, since your data will not be accessible without the key. Gateway delivered encryption is the approach that can provide the highest level of risk mitigation due to vendor compromise, as your keys never leave your environment. Cyber- attackers stealing your data will not be able to decrypt it without using your key or breaking your encryption. Risk may also be mitigated through BYOK, but agreements must be secured from the vendor to communicate breaches in a timely fashion. Then you must take appropriate revocation actions in your key management process.
  • Protecting data from being disclosed in subpoenas / blind subpoenas – Using encryption to protect data from being disclosed in subpoenas also implies the need to manage your own key. Gateway delivered encryption is the approach that can provide the highest level of risk mitigation from blind subpoena through a completely technical means, as third parties retrieving your data will not be able to decrypt it without your key. Risk may also be mitigated through BYOK, but agreements must be secured from the vendor to communicate third-party requests for your data in a timely fashion. Then you must take appropriate revocation actions in your key management process.


Unstructured and Structured Data

To further explain these approaches we must break out two very different types of data prevalent in the cloud: Unstructured and structured data. Unstructured data refers to data generated and stored as unique files and is typically served through end user apps, for example, Microsoft Word documents. Structured data refers to data that conforms to a data model and is typically served through relational databases and User Interfaces (UI), for example, Salesforce UI.


Structured Data

  • Gateway delivered encryption – Since the CASB sits between your end user and the application, structured data can represent a challenge to usability. From a usability perspective, whenever the application vendor changes field structures, the encryption must be addressed in order to maintain usability. From a security perspective, the app must decrypt and reveal some information in order to allow search, sort, and type-ahead fields to work properly in a cloud app UI. This is known as “Format Preserving”, “Order Preserving”, and “Order Revealing” encryption, which can lower the overall standard. A growing body of research is challenging this method and exposing weaknesses that may lead to compromise. For example, if you were to type “JO” in a field and it revealed all of the persons with names beginning with JO, this data has to be retrieved decrypted to support the UI.
  • BYOK encryption – since you supply the keys to the vendor, encryption/decryption occurs within the vendor application architecture. This reduces the risk of usability problems when using encryption, because the decryption happens under vendor control. From a security perspective, BYOK does not suffer from the same risk of compromise in “reveal”, as exists in gateway delivered encryption.
  • Vendor provided encryption – Since the vendor owns the keys, encryption/decryption occurs within the vendor application architecture. This reduces the risk of usability problems when using encryption, because the decryption happens under vendor control. From a security perspective, vendor provided encryption does not suffer from the same risk of compromise in “reveal”, as exists in gateway delivered encryption.


Unstructured Data

  • Gateway delivered encryption – Risk of usability problems is low on unstructured data in cloud storage. However, an important consideration is key rotation. Data encrypted under one set of keys can only be opened with those keys. Keys may need to remain available in archive, for reads, even if they have been retired.
  • BYOK encryption – Since the keys are supplied to the vendor, encryption/decryption occurs within the vendor application architecture as does key rotation and management.
  • Vendor provided encryption – Since the vendor owns the keys, encryption/decryption occurs within the vendor application architecture. This reduces the risk of usability problems when using encryption, because the decryption happens under vendor control. Key management processes will be dependent upon the vendor.


Industry Direction

Most major cloud vendors are moving toward the support of a BYOK model. Some of these include Salesforce, ServiceNow, Box, Amazon Web Services (AWS), and Microsoft Azure to name a few. As more and more vendors are offering this type of capability, at Cedrus we believe that this is the direction of cloud encryption.


Opinion

  • Gateway delivered encryption – This is the highest level of security that can be provided when it comes to cloud app encryption, but may have an impact to the business in usability issues, especially when applied to structured data. High-risk apps and data are safest in this configuration and require the most care and feeding.
  • BYOK encryption – This implementation can provide a very high level of security without the impact that comes with gateway encryption. Through integration with a CASB as a broker of keys to centralize this management, this solution provides an excellent balance between protection and usability for high-risk apps and data.
  • Vendor provided encryption – This implementation provides a much higher level of security than not implementing encryption. This solution may be best suited for apps and data of lower criticality or meeting compliance requirements, only.


Recommendations

As with all security decisions, risk and compliance must be the yardstick in any decision. Since we do not know the industry, application, or risk to your business; this is a generic recommendation.

Where possible, always leverage your own keys over vendor-provided keys. Remember, a breach into a lower-risk app may provide clues to breach other apps.

When provided as an option, the best trade-off between security and usability is BYOK. It is very important to gain agreement from vendors for proactive communication. Where BYOK is not offered, the risks must be weighed carefully between vendor provided and gateway delivered encryption, especially for structured data.

When considering a move to gateway encryption, risk analysis of the app and data are critical. The risk of compromise should be clear and present danger. This is because a decision to move to gateway encryption for structured data means a commitment to the management and maintenance at a much higher level than BYOK or vendor provided encryption. This is not a recommendation against taking this course, but advice to consider this path carefully and plan the resources necessary to maintain this type of implementation. In a recent exchange with a customer they articulated the challenge: “We use CASB to provide field level encryption for our Salesforce instance. There are many issues requiring a lot of support and we have plans to move away from it and leverage encryption that is part of the Salesforce platform.”

Saturday Morning Security Spotlight: Breaches and Intel

January 15, 2018 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Data on 123 million US households leaked
—Tech giants investing in healthcare technology
—Intel chips contain security vulnerability
—DHS suffers breach of over 247,000 records
—Forever 21 finds malware in PoS systems

Data on 123 million US households leaked
Alteryx, an analytics firm, was found to have an AWS misconfiguration that exposed the personal data of 123 million US households. This was the largest such leak to date. While it is unclear how much the data was actually accessed by malicious parties, it remained publicly available for a number of months.

Tech giants investing in healthcare technology
Large technology companies are beginning to focus their time and energy on healthcare. As the industry is large, growing, and profitable, organizations like Google, Apple, and Microsoft are investing in technologies that will help them to serve healthcare providers (and their customers) in innovative ways.

Intel chips found to contain security vulnerability
Intel’s chip-level technology (spanning the last two decades) was found to contain a vulnerability that exposes sensitive information to hackers. Passwords, encryption keys, and more can be taken from affected computers’ kernels. Obviously, this discovery has massive security ramifications.

DHS suffers breach of over 247,000 records
The Department of Homeland Security experienced an unauthorized data transfer that leaked over 247,000 records. The breach (which was caused internally rather than by an external hacker) exposed the personally identifiable information (PII) of many current and former employees; for example, their Social Security numbers.

Forever 21 finds malware in PoS systems
Point-of-sale devices at retailer Forever 21 were used by hackers to install malware and gain access to the company’s network. While not all PoS systems were infected, the culprits still gained access to the credit card information of many customers. The extent of the malware infection and data theft are not yet known.

Whether it’s breaches, leaks, malware, or anything else, these news stories highlight the importance of cybersecurity. Organizations must adopt complete security solutions in order to protect their data. To learn about cloud access security brokers, download the Definitive Guide to CASBs.

GDPR and the Art of Applying Common Sense

January 11, 2018 | Leave a Comment

By Daniele Catteddu, Chief Technology Officer , Cloud Security Alliance

On November 21, the CSA released the Code of Conduct for GDPR Compliance. This new document is part of CSA’s continuous effort to support the community with best practices that will help cloud providers and customers alike face the tremendous challenge of General Data Protection Regulation (GDPR) compliance.

Our code has been officially submitted to the attention of the Information Commissioner’s Office, the UK Data Protection Authority, for its review, as well as to all the other European Data Protection Authorities (DPAs). We are confident that we’ll receive positive feedback that will allow CSA to proceed with the final submission to the Article 29 Working Party (WP29) and European Commission for their endorsement.

GDPR, as many have already commented, represents a substantial change in the privacy and security landscape. It will affect every business sector, and cloud computing won’t be exempt. GDPR imposes on companies doing business in Europe a set of new obligations, but perhaps most importantly it demands a change in attitude vis-a-vis the way organizations handle personal data.

The GDPR requests that companies take a new approach to privacy and security and be good stewards of the data that is entrusted to them. Further, they are being asked to demonstrate accountability and transparency. In theory, this shouldn’t be a big shock to anyone since the principles of accountability, responsibility and transparency are meant to be the basic foundations of any company’s corporate code of ethics. Unfortunately, we have realized that not all of the companies out there have been applying these principles of common sense in a consistent manner.

Perhaps the biggest change that GDPR is imposing is related to the stricter approach to the enforcement of the rules that regulators have taken.

But perhaps the biggest change that GDPR is imposing is related to the stricter approach to the enforcement of the rules that regulators have taken. The fines that will be imposed for non-compliance definitely reflect a punitive logic. Fines will be substantial and are meant to be a deterrent to those organizations looking for short cuts.

In such a context, we are all noticing a crazy rush to GDPR compliance, with countdowns all over the internet reminding us how quickly the May 25 deadline is approaching.

So just in case you weren’t confused enough on how to tackle GDPR compliance, you can be even more stressed about it.

A cultural change doesn’t happen overnight though. The radically new attitude requested by GDPR and the related updates to policies and procedures can’t possibly be defined, tested and implemented in one day. Those familiar with the management of corporate governance are well aware of how lengthy and expensive the process of changing the internal rules and approaches can be. Rome wasn’t built in a day, and likewise this privacy revolution won’t magically happen one minute past midnight on May 25.

Given the magnitude of the effort requested by GDPR compliance, both in terms of cultural change and money, it is unlikely that all of the organizations, especially small- and medium-sized companies and public administrations, will be able to meet the May deadline.

My bet is that given the magnitude of the effort requested by GDPR compliance, both in terms of cultural change and money, it is unlikely that all of the organizations, especially small- and medium-sized companies and public administrations, will be able to meet the May deadline.

This is because beside the objective difficulty of the task there are still some provisions and requirements to be clarified, for instance, the Data Breach Notification (the WP29 is working on it). Moreover, there are some known and some hidden problems. For example, the tension between data back up and data deletion that will manifest itself when the new rules are put into practice.

To complicate matters further, in the period leading up to May 25, companies will still need to do business and sign contracts that in the majority of cases aren’t GDPR-ready, and it is likely that a supplemental effort will be requested for a retrofitting compliance exercise.

It will take time to achieve 100-percent compliance and in some cases, even that won’t be entirely possible.

None of above is an excuse for not working hard to achieve compliance, but rather to say that it will take time to achieve 100-percent compliance and in some cases, even that won’t be entirely possible.

What to do? I’d personally look at the GDPR compliance project as a journey that has already started and won’t finish in May. I’d focus on defining the policies and procedures for GDPR compliance, and I’d start implementing them. I’d base my new approach, as much as possible, on standards and best practices. That typically provides me with a good direction. Perhaps standards won’t be the ideal route for me, but that’s not important since to find the ideal route some correction to the general trajectory is always required.

Standards will assure me that the approach I’m using and the policy I’m defining are likely to be understood by my business partners. Policy interoperability between the cloud service provider and the customer is a fundamental requirement for a sound cloud governance approach, and it will be a key requirement for a successful GDPR compliance journey.

So, adoption of standards, policy interoperability, and what else? Well, transparency of course.

I’d aim for transparency within my organization, and I’d seek out transparency in my business partners. If I want to be a proper steward of data, if I want to make proper risk decisions, if I need to implement accountability, then I need to rely on data, evidence, and facts, which means that I need to work with partners that are willing to collaborate with me and be transparent.

And what if I won’t be 100-percent ready by May? I’d make sure I’m documenting all the actions taken in order to build and implement my GDPR compliance framework. This will help me provide evidence of my strategy, my good faith, my direction, and my final goal for the regulators. After all, the law is not demanding perfect privacy and security, it’s asking for a risk-based approach to privacy.

I recommend that everyone reading this post seriously consider the adoption of the CSA Code of Conduct for GDPR compliance in association with our Cloud Control Matrix (or any equivalent information security best practice). Those are the free standards we offer the community members for supporting their GDPR compliance journey.