October 12, 2015 | Leave a Comment
CSA’s Incident Management and Forensics Working Group today released its “Cloud Forensics Capability Maturity Model”, a new research report that describes a Capability Maturity Model (CMM) that can be used by both cloud consumers and Cloud Service Providers (CSPs) in assessing their process maturity for conducting digital forensic investigations in the cloud environment.
Even the most capable enterprise cannot avoid data breaches entirely. As such, there is a rising need for enterprises to adopt mature forensic security processes. This need will rise at least at the speed at which adversaries improve their attack strategies and techniques. This situation is even more complex in the world of cloud computing. Only with close cooperation between the cloud consumer (who has given up some control) and the CSP (who has inherited it) can adequate, timely and accurate forensic analysis occur.
The target audience for this paper is enterprise users that deal with all aspects (technical and organizational) of their forensic processes, and that plan to or have already integrated cloud IaaS services into their IT infrastructure. The starting point for the model was the Carnegie Mellon University Software Engineering Institute’s (SEI) “Software Process Maturity Framework” which identifies five progressive levels of process maturity:
|LEVEL||SEI Capability||Forensics Question|
|1||Initial||How are we ever going to do this?|
|2||Repeatable||Have we done this before?|
|3||Defined||What is our process for doing this?|
|4||Managed||What resources did this require?|
|5||Optimizing||How can we do this better?|
The report provides detailed guidance for each question via scenario planning and recommended process mapping.
To download a free copy of the report, visit: https://cloudsecurityalliance.org/download/cloud-forensics-capability-model/
October 9, 2015 | Leave a Comment
By Kelly P. Baig, Education Services Instructor, HP
Are you aware of the latest trends in cyber-security attacks and the tactics used by bad actors to exploit your security weak points? More importantly, have you put in place appropriate protection against these threats? One starting point as cited by one of our Education Services instructors, Lauri Harris, is the HP 2015 Cyber Risk Report.
If you are wondering how to be sure you are controlling your risks, you are not alone. In my conversation with Lauri Harris, I found her advice and insights to be invaluable to understanding the scope of the threat environment – as well as some practical starting points for closing the threat exposures. If you are interested in hearing from Lauri directly yourself, you may find it useful to attend one of her HP security courses.
For more information on the upcoming CSA Summits – and to register to attend Lauri’s course – see these registration pages:
- CSA Summit NYC 2015 at 1601 Broadway NY, NY – CCSK Training from HP instructed by Lauri Harris on Thursday, Oct 29th
- CSA Summit Los Angeles 2015 at 4100 Admiralty Way Maria del Rey, CA – CCSK Training from HP instructed by Lauri Harris on Friday, Dec 4th
Conversation with Lauri Harris
Kelly: Lauri, thanks for taking some time from your busy training schedule to speak with me! I’m interested to hear your opinions of the latest threats and trends. But let’s start with you; what is your background and how long have you been with HP?
Lauri: I started originally with HP in 1998. Then I took a leave of absence to serve active duty with the USAF following 9/11. I also had a short service with the US Patent & Trademark Office as a Patent Examiner. But, I couldn’t stay away from HP. I’ve been back as an HP Education Consultant since 2010. I am an instructor for all ITIL and security courses, as well as the Cloud Security courses.
Kelly: What did you work on originally for HP?
Lauri: I was always an instructor; I taught HP-UX in the beginning – all the UNIX System and Network Administration courses. I also had technologies like MC Service Guard for high availability, Data Protector for enterprise backup solutions, Network Node Manager and Operations for network discovery and remote node management on both Windows and UNIX. I taught everything from POSIX shell scripting to Service Manager; I tried to teach just about everything that I could get my hands on.
Kelly: Do you find that your varied technology background – and your real-world service – helps with your security training?
Lauri: Yes, I think that a varied background really helps a lot. I find that a holistic approach to the practice of security is what is needed. Security cuts across technologies – across hardware, software, and networking. The advantage of my varied background is that I can talk to the whole picture of what you might run into from a security perspective.
Kelly: Who do you find attends your security courses? What types of students to you get?
Lauri: I get people from all different types of backgrounds, some are very technical and some are non-technical leaders; it runs the gamut. For me as an instructor – and I hope for the students in the courses – teaching security is very interesting because of the varied questions that I get. It is an opportunity to sketch out the flow of data and determine the appropriate controls depending on the data type, laws governing the data, and the necessary processing and required hardware and software to process the data.
For example, I taught a Cloud Security course in April at the RSA event. Keep in mind that at these conferences, like the upcoming CSA Summits, these are real courses that I’m teaching. I’m not just doing a summary overview or talk. So, I had a student in that April course that asked me about a particular aspect of how audits fit into cyber security – and we did a deep dive on that based on the interest in the room. We keep the courses small enough to make sure that we have that type of conversation –deep dives– as we go through. I’ve found at the conferences that it’s a lot of fun, because we tend to get the security specialists so we do really deep dives on the technology and processes.
Kelly: You mentioned that having business people in these courses is a more recent trend?
Lauri: Yes, it’s really just more recently that I’m seeing the managers coming in to take security courses. I think this is reflective of a paradigm shift that is happening across the board in business: technology is now embedded as a part of everything we do, from service delivery to customers, to the Internet of Things (IoT). This makes it extremely important for all people to be technology savvy, and especially security savvy.
So what I’m seeing, is that more managers are attending our security courses and cloud security, in particular. They want to gain some understanding of the courses that we offer to determine which team members should attend which courses and to improve their own knowledge of cyber security for making better business decisions.
In short, security is part of the job for business people these days. Digital skills development is also part of the requirement for any professional.
Kelly: On security, what has your students most concerned? What questions do you get asked the most?
Lauri: The topic that comes up the most is cloud: Almost everyone coming to any of our security courses, is asking about cloud. Data in the cloud is the biggest concern. And, they have questions about their continued responsibility of ensuring that the data is safe and protected. They have questions about how much control over data protection they have between purchasing infrastructure as a service (IaaS), platform as a service (PaaS), versus software as a service (SaaS). These are questions we address in class.
Also, the physical location of data in the cloud is a big concern, and we wind up talking about this a lot in our courses. The fact is that all governments can subpoena data that is being collected or stored within their jurisdiction, if they think they have a need for it, not just the US government. But in reality, the vast majority of data collection is being done by private companies, not government agencies. And the data collected is governed by the organization’s security policy along with the local and federal laws.
Kelly: What are the topics that you cover in the HP CCSK Foundation Cloud Security course?
Laurie: We come in and we talk about the basic terms of cloud, security vectors, where the accountability lies in moving data to the cloud. We also talk about where the real risks are in putting applications and data in the cloud – and how to manage them. We help make sure that the students know how to get the right kinds of cloud contracts in place, with the right levels of service and the right types of terms to meet their business needs.
Kelly: Are the perceived risks of putting data in the cloud over-stated?
Lauri: Well, it depends. I like to use this analogy: imagine that you have a $30K diamond ring and you’re going to wear it to a gala event. So, where would you prefer to store it when you are not using it? Would you feel comfortable putting it into a jewelry box on a shelf in your home? Do you have a vault in your floor? Or, would you be better protected using a safety deposit box at the bank – and then have to go to the bank to get that ring when you want to wear it?
If you are a billionaire, then maybe you have great home security. But, if you’re like most people, then the bank is probably better protection for your ring.
Kelly: Are people understanding security better now?
Lauri: I think we are going in the right direction, but it was startling for me to read in our HP 2015 Cyber Threat report that the top two themes noted are: “well-known attacks commonplace” and “misconfigurations are still a problem”.
Kelly: Any closing remarks?
Lauri: As an instructor, I love my job. The thing that I like best is that I’m constantly challenged by new configurations and new questions. It pushes me to keep current with what’s the latest technology or what’s the latest trend. I read constantly, to stay current, because someone is going to come to class and ask about the latest trend or software or gadget. It’s really an on-going relationship and feedback loop between myself, my students, and what is happening with security in the industry.
Want your own opportunity to speak with Lauri and learn from her insights?
You can take the HP CSSK Cloud Security Foundation course to learn directly from Lauri Harris. A great opportunity for this, is at the upcoming CSA Summits in October and December 2015. CSA is partnering with HP to offer the CSSK Cloud Security Foundation course at its lowest possible cost. Lauri will be at the Summits in-person to lead those courses.
October 9, 2015 | Leave a Comment
By Kamal Shah, SVP, Products and Marketing, Skyhigh Networks
If cloud services were used only by employees who worked from the office, on company-issued devices, enforcing cloud policies would be straight-forward. IT Security would simply direct all traffic, for all employees, across all cloud services through a Cloud Access Security Broker (CASB), which would provide the required visibility, threat protection, compliance, and data security for all users.
3 megatrends that make Cloud Security a bit more challenging
Three IT megatrends render this type of simplicity impossible:
- BYOD: According to a CompTIA survey, 47 percent of companies have a Bring Your Own Device (BYOD) policy in place, allowing employees to access corporate data from their own devices. With the BYOD, employees access corporate data in cloud services from a variety of devices, most of which are unmanaged.
- Telecommuting: According to statistics from the American Community Survey, telecommuting has risen 79 percent between 2005 and 2012. With many employees logging hours from home and on the road, it can be difficult to get in the path without forcing users to adopt the dreaded VPN.
- 3rd Party Collaboration: According to Skyhigh’s recent Cloud Adoption and Risk report, the average enterprise collaborates with 1,555 partners via cloud services. Agents and VPN are not options for 3rd parties (many would suggest they aren’t an option for employees on BYOD either), making it impossible to get in path for policy enforcement.
API access offers a frictionless path to visibility, but for companies with policy enforcement requirements, such as real-time DLP with closed-loop remediation, contextual access and collaboration control, and structured and unstructured encryption, a new technique is required in order to get in path and enforce security, compliance, and governance policies.
Skyhigh solves policy enforcement challenges with new, patented technology
Today, Skyhigh announces that the United States Patent and Trademark Office has issued US Patent 9,137,131 for Pervasive Cloud Control. The patent covers SAML-based Identity Provider (IdP) redirection, which enables customers to enforce their cloud security, compliance and governance policies across all devices – managed or unmanaged – and across all user – on-premises, remote, or third party.
Best of all, the solution meets two universal requirements for cloud security and enablement – pervasiveness and zero-friction.
Pervasiveness: It is impossible to circumvent the CASB control point, regardless of the device or user.
Zero-friction: The solution requires no device agents and has no impact to the user experience or the cloud service providers.
Skyhigh Pervasive Cloud Control extends Skyhigh’s leadership in the Cloud Access Security Broker space and enables policy enforcement while supporting BYOD access to cloud services, off-network access to cloud services, and collaboration between employees, customers, and partners.
Three killer use cases for Skyhigh’s Pervasive Cloud Control
BYOD Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can support BYOD policies while enforcing corporate security, compliance, and governance policies. As an example, a sales person may be authorized to access a Customer Relationship Management service, such as Salesforce, from their personal iPhone to view or update their sales forecast. However, when the salesperson tries to download their monthly forecast to their iPhone, Skyhigh’s Pervasive Cloud Control automatically prevents the download because it violates the company’s security policies.
Off-Network Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can secure off-network access to cloud services, and best of all they can do so without an agent on the device or VPN access to the corporate network. As a example, an executive needs to download an encrypted file stored on a file sharing and collaboration cloud service, such as Box, while logged in from the airport. Skyhigh’s Pervasive Cloud Control seamlessly decrypts the encrypted file and the executive can access the encrypted file in a readable format
Collaboration Between Employees, Customers and Partners: With Skyhigh Pervasive Cloud Control companies can satisfy security, compliance and governance requirements while collaborating seamlessly with third parties such as vendors, customers, and partners and without breaking business workflows. As an example, while collaborating with a customer’s HR department, a third party HR vendor uploads a document containing PII to the customer’s Office 365 SharePoint site. Skyhigh’s Pervasive Cloud Control flags the file containing PII for policy violation, puts the file in quarantine as the PII is identified, and replaces the file with a tombstone file.
How Pervasive Cloud Control works (according to Gartner)
“Reverse Proxy Mode – This mode involves traffic redirection by making configuration changes to how traffic arrives from clients to the SaaS application. One way this can occur is by configuration applied to the SaaS application so that, during the SaaS authentication workflow, each individual app in question is directed to use the CASB provider as the authentication source. The CASB then forwards the authentication request to the IAM solution, and directs future traffic through it as well. This SAML redirection method is a popular way to force end-user traffic through the CASB so that it can perform inspection, even from unmanaged devices.” — Gartner, Select the Right CASB Deployment for Your SaaS Security Strategy, Craig Lawson, Neil MacDonald, Sid Deshpande, March 2015.
October 7, 2015 | Leave a Comment
By Frank Guanco, Research Project Manager, CSA Global
Last week, the CSA Congress and IAPP Privacy Academy teamed up in Las Vegas, Nevada for the Privacy.Security.Risk. (PSR) conference. This was the second privacy and security conference that the Cloud Security Alliance (CSA) and the International Association of Privacy Professionals (IAPP) co-hosted and the conference was a successful event with cloud security and privacy professionals learning about best practices, the current state of affairs in their respective fields, and cross-training and learning new disciplines. During CSA Congress at PSR, there were a number of releases, events, awards, speakers, and sessions that ran the gamut of the CSA’s Research Portfolio. Below are links that recap some of the activity during CSA Congress 2015 at PSR.
Ron Knode Award Winners 2015
Each year at Congress, the CSA recognizes a few of our members around the globe for their excellence in volunteerism and leadership. Named in honor of Ron Knode, a member of the CSA family who passed away in 2012, these awards are a means toward recognizing members whose contributions have been invaluable. Learn more about the winners of the 2015 Ron Knode Service Awards.
Cloud Security Alliance Releases New Guidance for Identity and Access Management for the Internet of Things
The CSA’s Internet of Things (IoT) Working Group released a new summary guidance report titled Identity and Access Management for the Internet of Things. The Internet of Things (IoT) has been experiencing massive growth in both consumer and business environments. In response to this emerging market and the particular security requirements of these connected devices, the CSA established the IoT Working Group to focus on providing relevant guidance to its stakeholders who are implementing IoT solutions. Get more information on the report.
Cloud Security Alliance Releases New Document on Post-Quantum Cryptography
The CSA’s Quantum-Safe Security working group released their latest document, “What is Post-Quantum Cryptography,” a report that takes a closer look at post-quantum cryptography and what institutions need to know and need to do in order to protect themselves against quantum computers. Read more on the report.
Cloud Security Alliance Research Working Group Sessions
When CSA’s big events happen in North America, like CSA Summit at RSA and CSA Congress at PSR, the CSA’s Research team hosts working group sessions for the various projects, groups, and initiatives that comprise the research portfolio. This year, the following working groups and initiatives gave their updates: Virtualization, Service Level Agreement, International Standards Council, Top Threats, Cloud Controls Matrix, Cloud Cyber Incident Sharing Center, Internet of Things, and the Open Certification Framework. See presentations from CSA Congress at PSR 2015.
Thanks to all that attended CSA Congress at PSR in Las Vegas. It was a successful event and we look forward to seeing everyone at Privacy.Security.Risk 2016 as it returns to San Jose, California from 9/15-16, 2016. Save the date!
October 7, 2015 | Leave a Comment
By Aimee Simpson, Integrated Marketing Manager, Code42
President Obama designated October as National Cyber Security Awareness Month (NCSAM). This U.S. observance is meant to engage, educate and raise awareness of the importance of cybersecurity to our nation. This month, Code42 is celebrating with a series of blog posts, giveaways and juicy content all about protecting your users and network from the growing threats that haunt our digital lives. This post covers one of the darkest, greediest threats out there: ransomware.
Over the last few decades, hundreds of thousands of computer users have had the great misfortune of having messages like these pop up on their screens (see Example A).
Becoming infected with a ransomware program—be it CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker, or one of their many variants—can feel like the digital equivalent of getting mugged. The software encrypts targeted files on the infected computer and holds them hostage until a payment is made when a decryption key is delivered. Demands for payment range from $100-$500, depending on the victim. This past year, several U.S. city police departments admitted to paying ransoms around $500 each for retrieving files that were stolen from them.
(Example A. Screengrab: PCRisk.com)
With criminal groups all over the world reaping exponential rewards, ransomware is now big business. By tracking bitcoin transactions, a computer science grad student reported that on January 15, 2013, a single address associated with ransomware received over $1 million in bitcoin. For criminals in the ransomware game, the average ROI is 1,425%.
With returns like that, it is no wonder that ransomware has grown into an enormous, notorious global extortion machine. It’s one of the web’s most costly nemeses—a true super villain—with an equally evil origin story.
An Evil Villain with an Evil Origin
Ransomware, first known as cryptoviral extortion, was born in 1989. The malware was quaintly distributed on 20,000 floppy disks by post. Instead of an adult website advertisement or an email attachment promising 70 percent off select items at J.Crew—two of the many ways malware distributes and disguises itself today—this first incarnation’s disguise was something much crueler.
The floppy disks, distributed to scientific research institutions throughout 90 countries, were masquerading as AIDS education software. The program became known as the “AIDS Trojan.” When you first inserted the disk, you were taken through a questionnaire that calculated your risk of contracting AIDS. The file encryption was programmed to begin after the computer was rebooted a certain number of times. When their ransom notes arrived—also by post—the victims were instructed to turn on their printers, which spat out the demand for a payment of $189. They had no clue that the seemingly innocent AIDS app was to blame. Payments were made to a P.O. box in Panama. Only then did the victims receive the decryption key—also on a floppy disk in the mail.
After analysis, the code used in this first iteration of ransomware was found to be weak and easily reversible. The story was well covered by British media where the first attacks were reported. The mastermind, Dr. Joseph L. Popp, was a Harvard-educated biologist loosely associated with the victims through the World Health Organization, where he had recently been denied a job. In the end, Popp pled insanity and was set free. (Read the whole story here.)
More important than Popp’s fate, the World Health Organization scandal or the product of the software itself was the concept. In 1989, an idea was born. You could steal someone’s files without physically stealing them. You could blackmail the owner. You could perform cyber extortion.
This legacy left a massively destructive blueprint for a generation of criminals to come. Today’s cybercriminals are smarter, stealthier and have the benefits of ubiquitous Internet connectivity, unbeatable open-source cryptography resources and nearly anonymous online bitcoin depositories. Today, ransomware follows the same pattern as Popps’ AIDS Trojan, only everything is bigger: larger criminal organizations, higher ransom payments and malware with greater reach.
Earlier this year a strain called VirRansom was released. Experts have already dubbed it, “the AIDS of ransomware.” How evil! How…fitting.
October 6, 2015 | Leave a Comment
By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope
Today we released our Cloud Report for Fall 2015 – global as well as and Europe, Middle East and Africa versions. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, and top policy violations from across our customers using the Netskope Active Platform.
This season we focus primarily on app usage and data policy violations by industry grouping as well as activities in cloud apps. Plus, we distill that information down into a few “quick wins” for IT. Here’s an overview:
Industry App Usage
For the first time, this report breaks down trends by industry group, focusing on five key groupings with similar usage characteristics. They are:
- Healthcare and life sciences;
- Financial services, banking, and insurance;
- Retail, restaurants, and hospitality;
- Manufacturing; and
- Technology and IT services
The average number of cloud apps per enterprise climbed from 715 in our last report to 755, with 91.2 lacking in the areas of security, audit and certification, service-level agreement, and other key attributes that we adapted from the Cloud Security Alliance’s Cloud Controls Matrix. Technology and IT services saw the highest number of cloud apps, with an average of 1,157 apps per enterprise, with healthcare and life sciences a close second, with 1,017.
Industry Data Policy Violations
A key area of focus for us this season is Data Loss Prevention (DLP) in the cloud. Healthcare and life sciences enterprises had the highest number of DLP policy violations in content at rest in sanctioned apps, with 21.1 percent of files scanned matching at least one DLP profile, such as personally-identifiable information (PII), payment card industry information (PCI), protected health information (PHI), source code, profanity, and “confidential” or “top secret” information. The second highest was Technology and IT services, with 14.2 percent. Overall, healthcare and life sciences enterprises accounted for the vast majority of total DLP policy violations (for both content at rest and en route to and from cloud apps), at 76.2 percent of the total. Not surprisingly, when we drill deeper into violation type, PHI makes up the bulk of such violations in cloud apps, at 68.5 percent. A full run-down on data violations by industry is in the report.
Activities In The Cloud
The top five cloud app activities in this season’s report include “send,” “post,” “login,” “download,” and “view.” Activities associated with data leakage or exposure, such as “share” and “download,” are alive and well in key app categories such as Cloud Storage, HR, and Business Intelligence. In Cloud Storage, for every “login,” there are four “shares.” Within HR, “download” is the fourth most common activity. And within Business Intelligence, “share” – an activity many don’t expect even to be available in this category – is the top activity.
Three Quick Wins For Enterprise It
Based on this report’s findings, here are some quick wins for enterprise IT to enable cloud apps while minimizing risk:
- Discover and secure sensitive content both at rest in and en route to your cloud apps. Focus on most common DLP violations that carry penalties and can result in negative press, including PHI, PII, and PCI.
- In defining cloud app policies, consider not just popular Cloud Storage, Social, and Webmail apps, but also focus on business-critical apps like HR, Finance/Accounting, and Business Intelligence.
- Go beyond coarse-grained “allow” or “block” decisions on cloud apps, and enforce contextual policies on risky activities such as “download” (e.g., to mobile), “share” (e.g., outside of the company), or “delete” (e.g., if you’re not in the enterprise directory group “HR Directors”).
What are your quick wins for dealing with cloud app risk? We want to hear them!
October 6, 2015 | Leave a Comment
By Frank Guanco, Research Project Manager, CSA Global
You are sitting at your computer about to login to your bank account to complete a transaction. Did you notice the lock icon on the browser address bar? If you didn’t, you’re not alone. Most people pay little attention to the lock icon on their browser address bar that signifies a secure HTTPS connection. They don’t realize that there is an exchange of keys to assure that the communications are secure and a signature with the data to assure its integrity. But what if that connection is not secure and cannot be trusted? Now think about the situation on a global scale. Such unsecured communications could be devastating, potentially making eCommerce, Cloud applications and storage, Online Stock Trading, and anything that relies on HTTPS, useless.
While it may seem like doomsday, this scenario is possible in the not-too-distant future. The US National Security Agency (NSA) and the Chinese government, as well as researchers and engineers at universities and corporations, are all working to create a quantum computer with enough computing power to break the secure HTTPS connection. Thankfully, solutions exist today that can resist quantum computing attacks and avoid this economic Armageddon. Post-quantum cryptography refers to the different classes of new cryptographic algorithms that are currently believed to resist quantum computer attacks. The most pressing issue today is these cryptographic algorithms need to be proactively in place several years before quantum computers are available. That’s why it is necessary to start integrating post-quantum algorithms in cryptographic protocols today.
Today, the Cloud Security Alliance’s (CSA) Quantum-Safe Security Working Group released “What is Post-Quantum Cryptography,” a report that takes a closer look at post-quantum cryptography and what institutions need to know and need to do in order to protect themselves against quantum computers.
Current secure HTTPS communications rely on an exchange of keys generated by asymmetric cryptography to ensure that the parties are who they say they are. Once these keys are exchanged, the data is then encrypted with symmetric cryptography and signed with asymmetric cryptography. A quantum computer could potentially run on an algorithm that could be used to break asymmetric public-key cryptography schemes. Protection, however, is not far off. Post-quantum symmetric cryptography does not need to be changed significantly from current symmetric cryptography, other than by increasing current security levels. With a few security tweaks and some careful planning, organizations can start preparing now for the post-quantum computer world
To learn more about post-quantum cryptography and to read the entire report, please visit here. For more details about CSA and its Quantum-Safe Security working group, please visit the Cloud Security Alliance.
October 2, 2015 | Leave a Comment
By Jim Reavis, CEO, Cloud Security Alliance.
I would like to thank my friends at Code42 for again giving me a platform to talk about the cloud security issues on my mind. In this blog post, I wanted to discuss some of the changes I am seeing in how security professionals are rethinking best practices as a result of being exposed to cloud computing and what some of the security priorities are as organizations begin to depend upon a critical mass of cloud services.
From comfortable stasis…
Traditional IT systems have been characterized as being static in nature. Indeed, I spent the first 20 years of my career focused on architecture, implementation and security of traditional computer networks. File servers, routers, firewalls and hosts would be carefully sized, designed and put into production, with the hope that they could go years without a single reboot. We valued stability perhaps most of all, and would even develop odd, fond relationships with servers—treating them a bit like favorite pets. Systems would be patched and upgraded of course, but only when deemed absolutely necessary, and only after significant research and regression testing of the updates.
The information security solutions that grew up around this environment recognized the relative permanence of these systems and developed their security strategies accordingly. Detection and prevention of viruses, performing forensics on breaches and several other tasks are carefully integrated with systems, lest we disturb these permanent servers. Sometimes we couldn’t even eradicate malware, as the cure (a reboot with downtime) was worse than the disease. These static systems are actually very fragile.
To ephemeral clouds
By contrast, cloud computing is highly dynamic. We turn services on or off at will. Virtual machines are very transient, not eligible for pet names, unless as part of a cloud orchestration tool we are instantiating Rover001..RoverNNN. This ephemeral cloud is causing security professionals to tackle problems differently. Instead of a painstaking malware mitigation program, why not just turn the virtual machine off, start a new VM and point it at your data sets? Maybe we don’t care about all of the malware details from an operational perspective when we can just make it go away and start over.
This is just one example. The reality is, I don’t think we as a security community have yet grasped all of the implications of cloud computing’s essential characteristics, and have not employed enough imagination yet to replace our security strategies with brand new approaches; but clearly the wheels are turning. It is exciting to see the experts start with a blank slate, rather than duplicating a questionable security tool in cloud.
New approaches to old (and new) security problems
As we are in this phase of transitioning to cloud, security professionals are seeking their ground zero for sound security strategies. Many organizations are starting with their data and working outward from there. A lot goes into protecting data, so I’ll just mention a few priorities. Strong authentication is becoming so common, that it makes an old security professional positively giddy. When you think about some of the early so-called cloud breaches, they were actually not direct attacks on cloud providers, but account takeovers caused by attacks upon a user’s ID and password. We have a lot more to implement here, but it is going in the right direction. Closely related is identity federation. We simply cannot afford to have an employee’s login credentials stored at hundreds of provider locations and must federate our directories rather than duplicating them.
Encryption has proven to be a remarkably resilient security control. When you have the option, take it. CSAexpounds upon the importance of customer control of keys to create an appropriate separation of duties. The challenge for encryption going forward is to make it applicable in as many cloud use cases as possible. Notably, providing encryption for Software-as-a-Service (SaaS) is an important area CSA is focused on, with our new OpenAPI working group seeking to provide an approach that creates seamless encryption that works across any cloud provider.
Taking new approaches to old security problems is a great thing to see. Of course cloud will bring some interesting new security problems, but we’ll leave that for another blog post.
(This post first appeared on Code42’s blog Data on the Edge)
September 29, 2015 | Leave a Comment
By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks
Given the explosive growth of cloud computing and numerous high-profile security and compliance incidents, it’s not surprising that surveys of IT leaders find that cloud tops the list of security priorities this year. In its latest technology overview (download a free copy here), Gartner gives a detailed overview of the emerging security category called cloud access security brokers (CASB) that offer a control point for enforcing security policies across cloud services. By 2016, Gartner predicts 25% of enterprises will secure their cloud usage using a CASB, up from less than 1% in 2012. Organizations across all industries are deploying CASB solutions because they enable them to migrate to the cloud securely.
As corporate data moves to the cloud and employees access data from mobile devices, they bypass existing security technologies. Gartner says this has created a “SaaS security gap”. In response, many organizations have attempted to block cloud services en masse using their firewall or proxy. However, with thousands of cloud services available today, organizations block the ones that are well known and that causes employees to seek out lesser-known, potentially riskier cloud services that are not being blocked. CASB solutions will, according to Gartner, enable IT to shift from the “no” team to the “let’s do this and here’s how” team.
Gartner’s 4 Pillars of Required CASB Functionality
Gartner organizes CASB capabilities into four pillars of required functionality: visibility, compliance, data security, and threat protection. While cloud providers are starting to offer some limited policy enforcement capabilities, one benefit of using a cross-cloud CASB solution that addresses each functional area, says Gartner, is that an organization has a centralized place to manage and enforce policies. Since capabilities vary widely among cloud providers (and even CASB vendors) this also ensures a consistent set of controls across cloud services.
|Visibility||Compliance||Data Security||Threat Protection|
|Gives organizations visibility into users, services, data, and devices.||Provides file content monitoring to find and report on regulated data in the cloud.||Adds an additional layer of protection including encryption.||Analyzes traffic patterns to identify compromised accounts and malicious usage.|
Using cloud access security brokers, organizations can:
- Identify what Shadow IT cloud services are in use, by whom, and what risks they pose to the organization and its data
- Evaluate and select cloud services that meet security and compliance requirements using a registry of cloud services and their security controls
- Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
- Identify threats and potential misuse of cloud services
- Enforce differing levels of data access and cloud service functionality based on the user’s device, location, and operating system
CASBs Have Multiple Deployment Models
While many CASBs leverage log data from firewalls and web proxies to gain visibility into cloud usage, Gartner defines two major deployment architectures that CASB solutions use to enforce policies across cloud services: proxies and APIs. In proxy mode, a CASB sits between the end user and the cloud service to monitor traffic and enforce inline policies such as encryption and access control. CASBs can leverage a forward proxy, reverse proxy, or both. Another deployment mode is direct integration to specific cloud providers that have exposed events and policy controls via their API. Depending on the cloud provider’s API, a CASB can view end user activity and define policies.
Certain security capabilities are dependent on the deployment model, and Gartner recommends organizations look to CASB solutions that offer a full range of architecture options to cover all cloud access scenarios. They also note that vendors offering API-based controls today are not well-positioned to extend their platforms to include proxy-based controls given the significant investment needed to develop a robust proxy architecture that scales to the large data volumes exchanged between end users and cloud services. Depending on industry regulations, customers may also look for on-premises proxy solutions, so Gartner recommends looking for a vendor that offers both on premises and cloud-based proxy models.
CASB Evaluation Criteria
According to Gartner, while many providers focus on limited areas of the four CASB functionality pillars, most organizations prefer to select a single CASB provider that covers all use cases. Gartner recommends that organizations carefully evaluate CASB solutions based on multiple criteria. One consideration is how many cloud providers the CASB solution can discover and the breadth of attributes tracked in the CASB’s registry of cloud providers. Another consideration is whether the CASB supports controls for the business-critical cloud services currently in use or planned in the near future.
Finally, Gartner notes that the CASB market is crowded and expects that consolidation will occur and some vendors will exit the market in the next five years. A good predictor of whether a vendor will continue operating is whether they are one of the leaders in the market in terms of customer traction. Companies with more customers will naturally have a more complete view of customer needs, which will enable them to develop better solutions to meet those needs that will, in turn, attract more customers and support a sustainable business. To read more about Gartner’s view of the market, I encourage you to download a free copy today.
September 22, 2015 | Leave a Comment
By Susan Richardson, Manager/Content Strategy, Code42
It’s been almost 18 months since Symantec officially declared antivirus software “dead” in an interview with the Wall Street Journal. So why did a recent study by ESG find that 73 percent of enterprises have at least two AV products deployed and nearly one-third use three or more?
With antivirus, more is less
In the face of industry reports that AV software is only 50 percent effective in identifying malware, it seems that many enterprises are adopting a “more is better” mindset: More AV products mean a bigger database of known malware “signatures,” which increases the chances of catching malware before it breaches the enterprise environment—right?
Wrong. Deploying multiple AV products might expand the total number of known malware signatures in your AV armor, but this approach doesn’t combat the biggest flaw: new, zero-day malware that no AV product has ever encountered (and therefore can’t possibly recognize). Even with frequent updates to the signature database, AV software just can’t keep up. The September 2015 release of Symantec’s AV product includes a total of 37 million malware signatures. But the AV-TEST Institute registers over 390,000 new pieces of malware every single day—and sophisticated cybercriminals are doing their own QA, running new malware against common AV products to make sure they will go undetected.
As AV piles up, productivity goes down
It’s a game of cat and mouse that you’re destined to lose, and it’s eating up your IT budget—and hampering productivity. IT staff have to learn and configure multiple platforms, and all your staff are impacted by the frequent required updates. And if you’ve ever run a manual AV scan, you know that your computing capacity is reduced to a crawl.
Focus on detection and response
AV software remains a valuable first line of malware defense—and often a requirement for regulatory compliance. But instead of investing time and money in layering AV products on top of each other, enterprises need to shift to a “detect and respond” mindset. This means leveraging a centralized, real-time repository of all the data in your enterprise environment—including laptops and other mobile endpoints—to enable ongoing forensic analysis that will catch aberrations and anomalies across your entire system.
With this progressive security approach, you have the power to quickly isolate malicious code, identify where it entered and what data was affected in the environment, and mitigate the impacts of the breach. You might not be able to stop a new piece of malware from breaching your environment, but you’re in a strong position to corner the “mouse” before it does serious damage.