Zen and the Art of Acing Your Cloud Compliance Audit

December 9, 2014 | Leave a Comment

By Mike Pav, VP of Engineering, Spanning by EMC

cloudiconWe all know cloud adoption is rampant, even though cloud security remains a big concern; a recent study from CloudEntr showed that 89% of IT pros said they were worried about cloud security. While IT admins are busy ensuring compliance for sanctioned IT, shadow IT runs rampant, causing headaches they don’t even know they have. Because of this, the word “audit” often brings to mind the onerous thudding of storm troopers marching in. A heavy weight settles into the stomach as blood pressure spikes with a sharp intake of breath.

But what if you could approach an audit with zen-like calm? Good news: it’s possible. It’s all about creating an audit-friendly culture within your company such that an auditor could walk in any time and you’d get a clean bill of health. Here’s how to do it:

  • Understand the alphabet soup of regulations and frameworks. Which ones apply to your organization? What controls apply to you? The Cloud Security Alliance offers a Cloud Controls Matrix (CCM) that is a great place to get started.
  • Embrace Shadow IT. Accept that shadow IT will exist whether you like it or not, and take the necessary steps to ensure that what you don’t know doesn’t hurt you the next time a compliance audit comes your way. First, you need to discover what rogue apps are being used to store or transmit company data. Then, you need to analyze each one for risk by evaluating the SaaS vendor using tools like the Cloud Controls Matrix or Skyhigh Networks’ risk assessment. Finally, you can either take the appropriate measures to secure these apps or find an alternative that satisfies the employees needs in terms of productivity and the company’s needs in terms of compliance.
  • Build compliance into your company’s DNA. If we may modify the old saying a bit, live each day like it’s your last before the auditor arrives. Educate your entire staff about how using shadow IT might harm the well-being of the company, and build in audit-proofing as you create or revise processes.
  • Move to the cloud – with your eyes wide open. Cloud providers have already done a lot of the security work for you, so they’ll have built-in protection better (and cheaper) than any you could build yourself in-house. But it’s important to understand what they have covered and what blanks are left for you to fill in. Before signing up for cloud services, put the provider through their paces in terms of security, and make sure that the security evaluation is SaaS-specific and not just reusing your on-premises checklist.

If you want to greet your next audit feeling calm and secure, we invite you to join CSA’s Jim Reavis, Harold Byun of Skyhigh Networks and me, Mike Pav of Spanning to explore these issues more in-depth at our upcoming webinar “Cloud Security: 3 Ways to Embrace and Ace Your Compliance Audits” on Thursday, December 11 at 10:00am CT. Click here to register now.

CSA Guide to Cloud Computing – Now Available

December 4, 2014 | Leave a Comment

By Jim Reavis, Executive Director CSA (Twittter @jimreavis); Brian Honan, President CSA Chapter Ireland (Twitter @BrianHonan); and Raj Samani, Chief Innovation Officer CSA & EMEA CTO Intel Security (Twitter @Raj_Samani)

41+-DCqY0yL._AA160_We are pleased to announce the availability of “CSA Guide to Computing: Implementing Cloud Privacy and Security.” The first of its kind for the CSA, this book aims to incorporate as much of the excellent research conducted by the CSA community into one single publication. Not only does it incorporate research from within the CSA community but also the latest information across the industry relating to threats and measures that can be used to protect those using or considering using the cloud.

In 2014, we witnessed a number of attacks that led to headlines declaring that the cloud is not a safe platform to host data. The reality is that such a conclusion is not so binary; therefore, this publication aims to dispel some of these myths and provides real, practical information on how someone can leverage a Cloud Service Provider, whilst managing the risk to a level that they and their customers would be comfortable with.

So what does the book entail?

The following defines how the book is structured:

  • Chapter One: We start with a view into what the cloud actually is, the various models, and also consider the benefits and role it plays within the internet economy.
  • Chapter Two: A practical guide into how to select and engage with a Cloud Service Provider, this looks at the available mechanisms to measure the security deployed by prospective providers.
  • Chapter Three: A view into the top threats to cloud computing that will include references to CSA research as well as third parties that have evaluated the threat landscape.
  • Chapter Four: Analysis into the top threats associated with mobile computing for the cloud.
  • Chapter Five: Building security into the cloud – Following two chapters considering the threats to cloud computing, we will turn our focus to the steps that end customers need to consider in order to make the move to the cloud.
  • Chapter Six: Certification standards for cloud computing – Whilst the previous chapter presents the security controls to mitigate the threat, the reality is that for many end customers their ability to influence the security measures will be limited. Indeed, even the level of transparency into the controls deployed will be limited. This is why cloud certifications will be so important, they are used more and more as the vehicle to provide assurance regarding the security deployed by providers to potential customers.
  • Chapter Seven: The Privacy imperative – The discussion about privacy associated within the cloud is one of the most contentious issues within technology. This chapter will consider the overall debate, and provide mechanisms for both providers, and end customers to address many of these concerns.
  • Chapter Eight: CSA Research topics – As mentioned earlier, our intention is to provide a singular reference for all CSA research. This chapter will provide the reader with an overview of the various working groups within the CSA, and details of their current findings.
  • Chapter Nine: Dark Clouds, managing security incidents in the cloud – With corporate resources now stored, and managed (to some extent) by third parties, the need to have a strong security incident management policy is imperative. This chapter will recommend the steps required to address the fundamental question; what happens when something does go wrong?
  • Chapter Ten: The Future Cloud – Cloud computing is evolving, and this chapter considers its role within critical national infrastructure, as well what will be required to secure such critical assets. It is intended to provide a view into the components required to secure the cloud of tomorrow.

We hope you enjoy the book and find the information contained as useful in your journey into the cloud.

The CSA Guide to Cloud Computing is available in Paperback and Kindle versions and can be found here on Amazon.

Right to Be Forgotten: Guidelines from WP29

December 2, 2014 | Leave a Comment

Update: The final document regarding the right to be forgotten has been published. A new article, which goes more in depth, and analyzes the details of the Guidelines published by the Article 29 Working Party is available here: http://itlawgroup.com/resources/articles/237-right-to-be-forgotten-guidelines-casting-a-wider-net

The following blog excerpt on “Right to Be Forgotten: Guidelines from WP29” was written by the external legal counsel of the CSA, Ms. Francoise Gilbert of the IT Law Group. We repost it here with her permission. It can be viewed in its original form at: http://www.francoisegilbert.com/2014/11/right-to-be-forgotten-guidelines-from-wp29/

The Article 29 Working Party (WP29) has adopted Right to Be Forgotten Guidelines, to help Data Protection Authorities in the implementation of the May 13, 2014 judgment of the Court of Justice of European Union (CJEU) in the case Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12) (“Google Spain”). The WP 29 Guidelines provide the WP29’s view on the interpretation of the CJEU’s ruling, and identify the criteria that will be used by the data protection authorities when addressing complaints.

The Apple-IBM Alliance: Illuminating the Future of BYOD

November 26, 2014 | Leave a Comment

By Yorgen Edholm, CEO, Accellion

Accellion-Blog-Apple-IBM-FINALThe mobile revolution, while firmly embedded in the consumer world, is now beginning to hit its stride in the enterprise world. This can be seen in the recent announcement from Apple and IBM, whose strategic alliance to develop joint solutions leveraging Apple devices and IBM software is an important next step for how enterprises consider mobile technology.
Ginni Rometty, IBM’s CEO, described the partnership as combining two complementary sets of assets, stating that IBM has the big data, the analytics capabilities, the integration work, and the cloud. On the other hand she mentions that Apple has the devices, the development environment, and the focus on usability. The combination of these elements is what will make a truly groundbreaking enterprise experience on mobile devices.

So what can we conclude from the Apple/IBM alliance?

  • iPhones and iPads, are clearly ready for enterprise-grade computing. Whatever skepticism businesses had about the iPhone back in 2007 and 2008 has largely dissipated, so much so that IBM is willing to bet major R&D and sales initiatives on iOS devices.
  • Enterprises like iOS devices, but they’re also looking for a mature software platform with proven capabilities in the areas of security, scalability, and control.
  • IBM and Apple see the opportunity to bridge the gap between consumer mobile devices and enterprise-grade solutions for data access, data management, and communication.

We agree – the enterprise is ready to seriously take on the mobile revolution. At Accellion we have already begun bridging the enterprise mobile gap by enabling secure file sharing, synchronization and collaboration on mobile devices. The kiteworks solution enables business users with iPhones, iPads, Android devices and Windows Phones to have access to their enterprise content wherever it is stored inside or outside the firewall to be able to share and collaborate on those files securely. The kiteworks platform provides rigorous security features such as 256-bit encryption, built-in AV scanning, and rule-based access controls, along with critical enterprise features, such as LDAP support, Data Loss Prevention (DLP) support, and essential enterprise content connectors for integrating mobile solutions with existing enterprise infrastructure and enterprise content systems.

I’m looking forward to see what kind of enterprise solutions for analytics, cloud services, and mobility Apple and IBM create through their best-of-breed partnership. There should be interesting opportunities for combining our enterprise mobile technologies to unleash the productivity gains of a mobile workforce.

Shared Responsibilities for Security in the Cloud, Part 2

November 25, 2014 | Leave a Comment

By Alexander Anoufriev, CISO, ThousandEyes

Shared Responsibilities for Security in the Cloud continues…

Infrastructure Protection Services
This domain uses a traditional defense in depth approach to make sure that the data containers and communications channels are secure. For infrastructure protection services, all server, network, and application-related processes are fully owned by the service provider (see Figure 5).

Fig 5
Figure 5: Responsibility for Infrastructure Protection Services

End-point security remains an independent object on both sides of the responsibility matrix. The service provider is responsible for securing the end-points used by its workers, while the service consumers ensure the security of their own desktops, laptops, and other end-user computing devices.

Data Protection
This domain is really the most central to information security, since data is the asset we protect. Data protection needs to cover all data lifecycle stages, data types, and data states. Data stages include creation, storage, access, roaming, sharing, and retention. Data types include unstructured data such as word processing documents, structured data such as data within databases, and semi-structured data such as emails.

Fig 6
Figure 6: Responsibility for Data Protection

As is to be expected, this is one of the most involved areas of information security for both parties. See Figure 6 for detailed information on the responsibilities of these two parties. Data lifecycle management is a process driven by the asset owner. Often, the customer of the service is also the owner. At ThousandEyes, this is always the case. Other processes/services have their own implementations on both sides.

Policies and Standards
Security policies and standards are derived from risk-based business requirements. They include Information Technology security (infrastructure and applications), physical security, business security, and human resources security. Security policies are statements that capture requirements specifying what type of security and how much should be applied to protect the business. Figure 7 provides details on responsibility relating to policies and standards.

Fig 7
Figure 7: Responsibility for Security Policies and Standards

As we can see, in the cloud era, the provider owns the operational security baseline (the consumer still owns their part, which is minimal for the scope of provided services and represents end-point and connectivity parts). Job aid guidelines traverse both parties, and the data owner (consumer) defines data classification. All other processes/services exist in their scope at both sides.

In a shared security model it is really important to understand who is responsible for what. This must be defined in associated security level agreements. Ask your CSP what you should do to ensure that security is implemented end-to-end and your data stays secure despite changing operational responsibilities.

Security and Risk Management TCI Domain.

Shared Responsibilities for Security in the Cloud, Part 1

November 24, 2014 | Leave a Comment

By Alexander Anoufriev, CISO, ThousandEyes

Introduction: Security Responsibilities in the Cloud Era

When businesses owned their applications and all underlying infrastructure, they also owned their security. Now this is changing with a shift in ownership and operational responsibilities over many applications as they are moving to the Cloud. In the cloud era, security is not owned solely by the cloud service provider (CSP) or consumer. Cloud security is a shared responsibility.

To illustrate this model of shared responsibility I will be using:

  • ThousandEyes SaaS Platform as an example of a cloud application which is owned and operated by ThousandEyes
  • Cloud Security Alliance (CSA) Trusted Cloud Initiative (TCI) reference architecture

We’ll need to understand the high level architecture of this specific solution. The ThousandEyes solution consists of three major components (see Figure 1):

  1. SaaS Platform, which is installed and operated in the ThousandEyes data center
  2. Enterprise Agent, which is installed in the customer’s network
  3. Cloud Agent, which is installed in hosting providers’ networks and managed by ThousandEyes

We monitor the performance of networks and applications inside of an enterprise, on the internet and in the cloud. As a part of our service, we process and store the following data elements:

  • User accounts (name, email)
  • Hashes of passwords (only if local authentication is in place; in Web SSO with SAML scenario this is not applicable)
  • Definitions of network performance tests
  • Results of the tests (measurements)
  • Alerts
  • Reports
  • Support tickets

Fig 1
Figure 1: ThousandEyes solution overview

Responsibilities by TCI Domain

Governance, Risk and Compliance
Figure 2 illustrates responsibility for the governance, risk and compliance (GRC) domain of TCI architecture. This domain is responsible for the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management and compliance. Both parties, the service provider (ThousandEyes in this example) and the consumer, are independently responsible for all of the listed processes.

Fig 2
Figure 2: Responsibility for Governance, Risk and Compliance

Responsibility for specific processes will differ between provider and consumer, for example: the service provider manages compliance with its internal policies, control standards and procedures, while it designs, develops, deploys and operates the service. The customers manage compliance while they use the service.

Privilege Management Infrastructure
Privilege Management Infrastructure ensures that users have the access and privileges required to execute their duties and responsibilities with Identity and Access Management (IAM) functions. Figure 3 illustrates shared responsibilities in IAM.

Fig 3
Figure 3: Responsibility for Privilege Management Infrastructure

In our example, the identity management process extends from a service provider to a service consumer while other related processes and services exist independently in both entities. With the ThousandEyes SaaS Platform, customers are able to take advantage of their own web single sign on (SSO) technologies. In this case, they become responsible for authentication, authorization, and privilege management. Alternatively, they can use ThousandEyes-supplied identity information.

Threat and Vulnerability Management
This domain provides core IT security service and processes. Figure 4 demonstrates how responsibilities are allocated between the service provider and consumer.

Fig 4
Figure 4: Responsibility for Threat and Vulnerability Management

Here we can see that some of the security processes/services are fully shifted to the service provider. All infrastructure-related compliance testing, vulnerability management and penetration testing are operated by the service provider, while threat management exists on both sides and often covers different threats. Due to this, they are two different processes.

(Part 2 of this post will run tomorrow.)

Lessons from Apple iCloud Data Leak

November 19, 2014 | Leave a Comment

By Paul Skokowski, Chief Marketing Officer, Accellion

Accellion-Blog-Apple-iCloud-FINALThe theft of celebrity photos from Apple iCloud is a stark reminder of the need to think twice before storing data. For many people using a Mac the default behavior is to automatically back up and save data to iCloud. It’s wonderfully appealing and convenient and seamlessly integrates into practically everything you do on the Mac.  In fact it is so easy most people don’t think twice about what they are storing and that is where the problem begins.

When I recently updated my Macbook it felt as if I was being repeatedly nudged, reminded, coaxed, and invited to store my data in iCloud. Saying “no” to each of these invitations wasn’t easy and most people cave in quite quickly, because they think “what could be the harm?” The recent Apple iCloud scandal clearly illustrates the potential risks. While in this case the target of the iCloud theft was celebrity photos, the theft could have been similarly damaging to a business if sensitive information had been stolen and shared.

One of the biggest concerns that companies have around cloud technologies is the security of their digital content. Personal pictures are one thing, but it’s important to remember that companies manage sensitive data ranging from upcoming product plans to employee personnel files every single day, and that it all needs be secured. That’s why, instead of allowing employees to use solutions such as iCloud for work-related information, companies must take the time to map out a cloud security strategy and deploy enterprise grade solutions to share and store their business data.

The Apple iCloud scandal offers several important lessons:

  • Use Two-Factor Authentication: Two-factor authentication that requires the user to enter not only a password but also a one-time PIN sent to a trusted cell phone should be the default setting for cloud-storage services. While it is possible to set up two-factor authentication for iCloud, it was not easy or obvious how to do so.  If the victims’ accounts had been configured to require two-factor authentication, the hackers would not have been able to log in even knowing the account passwords.
  • Store With Care: While automatic backup and sync makes life easy, it is not always the best bet when you’re working with sensitive materials.  For work, this sensitive information could include personal data from employment records, financial data, customer information or product roadmap details. Ensuring that sensitive material is only being saved into secure solutions is essential for sensitive work-related information.
  • Trust Private Clouds: For the highest degree of confidence in and control over cloud storage, enterprises should deploy private-cloud solutions, so they are not at the mercy of the security practices (and security lapses) of third-party software providers.

So what do I use to securely sync and store my work information and make sure I have a backup?

I use Time Machine with an external hard drive to make sure I can easily restore all my content if my computer gets damaged or when I want to copy over all my content to a new machine.  And to help me do my work on a daily basis I use kiteworks by Accellion for syncing and sharing information across my iPad, iPhone and Macbook since it encrypts all data in transit and at rest, supports two-factor authentication, and automatically detects and stops brute-force password attacks.

So next time that pop up window invites you to store data to iCloud – remember the celeb photos scandal and think twice. By deploying kiteworks on trusted private clouds, enterprises can greatly reduce their vulnerability to sensitive information being exposed.

From BYOD to WYOD: Get Ahead of Wearable Device Security

November 11, 2014 | Leave a Comment

By Paula Skokowski, Chief Marketing Officer, Accellion

Accellion-Blog-WYOD-FINALWearable technology is the new “it” thing. From FitBit, to Google Glass, to Samsung Galaxy Gear, and now the Apple iWatch, users are literally arming themselves with the latest gadgets. This is particularly true among early adopters who are counting the days until the release of the Apple iWatch.

While early adopters used to represent only a small number of technology trendsetters, a 2014 study found that of individuals aged 18 to 44, 56% say they have been the first among their friends, colleagues or family members to try a new product or service. With soon-to-be-launched devices promoted widely online and user reviews instantly pushed out to the masses via social media, anyone can step forward to be the first in line to make a purchase – including employees at your company.

This means enterprise IT teams also need to be one step ahead of the trends. While this doesn’t mean that IT needs to camp out overnight at the Apple store, it does mean that IT needs to anticipate what devices will be coming into the workplace and how to keep enterprise security intact. According to a global forecast by CCS Insight, wearable device shipments are expected to hit 22 million this year, up from 9.7 million in 2013, and will continue to grow to 135 million in 2018. The age of Wear Your Own Device (WYOD) is here, and IT needs to include these devices into their security strategies to make sure that any corporate data accessed on these devices is secure. Wearable devices are promising users easy access to applications and data on smartphones, which could eventually include enterprise information

So it’s not too early to start planning how to extend your BYOD policy beyond smartphones to WYOD. Wearable tech is considered fun and hip, but from an enterprise standpoint it needs to be taken seriously. While WYOD offers opportunities for increased mobile productivity it needs to be worked into an organization’s overall mobile security strategy.


November 5, 2014 | Leave a Comment

By Avani Desai, Executive Vice President, BrightLine

rest-in-peace-soc-3-sealOn October 2, 2014, the AICPA and CPA Canada announced their joint decision to discontinue the seal programs for Systrust and SOC 3 Systrust for Service Organizations.

In their announcement, the AICPA and CPA Canada stated that both of these organizations recognize that there has been growth in the attestation/assurance services market, especially in the area of systems reliability and service organization controls – and it’s with this in mind that they will continue to ensure the effectiveness of these services despite the seal program coming to an end.

This doesn’t mean that the SOC 3 examination is gone, just the seal. According to Bryan Walker, Director of Practitioner Support, CICA:

“The SOC 3 for SysTrust for Service Organizations will remain as part of the initiatives for Service Organization Controls. The SOC 3 seal program will be terminated and the SOC 3 seal will no longer be available.”

Therefore, service organizations still complete a SOC 3 examination, which provides a shorter report than a SOC 2 examination including only the auditor’s opinion, management’s assertion and the system description.

So what does that mean for service organizations that underwent a SOC 3 examination?

After December 31, 2014, only the seal that was jointly managed by the AICPA and CPA Canada will not be provided to service organizations.. Meanwhile, a seal that has already been issued under an existing license will remain active through its expiration date. Seals will still be issued through to December 31, 2014, to any SysTrust and SOC 3 engagements currently in progress – including renewals of existing SOC 3 SysTrust for Service Organization and SysTrust seals. After that date, however, anyone who continues to use SysTrust related marks must disclose to clients that the seal program is not active, and is not supported by or associated with AICPA and CPA Canada.

Also, do not fret; service organizations can still complete the SOC 2 examination, which will still provide the user entity the same level of comfort – just not freely distributed.

You should also know that CPA Canada stated in the announcement that they are reviewing the WebTrust for Certification Authorities seal program. While it currently continues, the review is to determine whether the benefits of the program justify the resources necessary for its continuation.

Clearly, there is a lot of assessment and change underway – however, every effort has been made to see that these changes will not cause a disruption within the service organization control reporting world.


The Data Factory: 12 Essential Facts on Enterprise Cloud Usage & Risk

November 4, 2014 | Leave a Comment

By Kamal Shah, VP of Products and Marketing

carr blog imageBetween headlines from the latest stories on data breaches and the hottest new apps on the block, it’s easy to be captivated with what people are saying, blogging, and tweeting about the state of cloud adoption and security. But let’s face it: It’s hard to separate the hype from the truth, and stories about security can range from hyperbolic to accurately frightening.

The fifth installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a data-based analysis of enterprise cloud usage. With cloud usage data from over 13 million enterprise employees and 350 organizations spanning all major verticals, the report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. For the first time in the report’s history, we’ve partnered with the Cloud Security Alliance to gather IT managers’ perceptions on cloud adoption and risk and compare their perceptions with hard data. The results reveal a disparity between perception of enterprise cloud use and reality.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several shocking findings.

Mind the Cloud Enforcement Gap
IT often blocks cloud services that fail to meet their organization’s acceptable use policies. Due to changing cloud service URLs, inconsistent policy enforcement, and unmonitored exceptions, the cloud enforcement gap is a shocking 6x. For example, more than 50% of the enterprises intended to block Apple iCloud, but actual usage data showed iCloud was blocked in only 9% of the enterprises.

Don’t Underestimate Insider Threat
Security professionals believe insider threat incidents are rare, with only 17% of respondents aware of an incident at their organization in the past year. The reality is 85% of companies had cloud usage activity strongly indicative of insider threat.

The Cloud 1% and the 80-20 Rule
While the average organization employed 831 cloud services, the distribution of data revealed that 80% of data uploaded to the cloud goes to just 11 cloud services – less than 1% of the total number. Still, enterprises can’t ignore other cloud services: The remaining 20% of data account for 81.3% of anomalous activity indicative of malware, compromised account, and insider threat.

IT’s Worst Nightmare: The World’s Riskiest User
One anonymous user uploaded more than 15 GB of data to high-risk services such as Sourceforge and ZippyShare over 3 months. This individual used 182 high-risk cloud services, any one of which could have been a vector for confidential data to be inappropriately leaked or for malware to be introduced into the enterprise, thus proving that even a single employee is capable of significant damage to corporate security.

The Data Factory: 12 Essential Factors on Enterprise Cloud Usage and Risk from Skyhigh Networks Cloud Security Software