CSA Establishes Quantum-Safe Security Working Group and Releases What is Quantum-Safe Security Position Paper

By Frank Guanco, Research Analyst, CSA

Consider this scenario: A CIO at a Fortune 500 company receives a call from a reporter asking how the company is responding to the announcement of the new commercially available quantum computer that can “break” RSA and Elliptic Curve Cryptography (ECC). This CIO has no plan, so he politely offers a “no comment” to the reporter.  He then calls an emergency meeting with his executive team to figure out what can and should be done to protect the company’s data residing in the cloud.

While this story is fictional today, it could become a reality in the not-too-distant future.  The Quantum-Safe Security Working Group (QSSWG), formed within the Cloud Security Alliance to help promote the adoption of technologies to protect data in the cloud even after quantum computing becomes readily available, recently released a position paper titled ‘What is Quantum-Safe Security?’ The document examines the need for a proactive defense against a multi-purpose quantum computer that should be available by 2030 and able to crack RSA and ECC encryption algorithms.

2030 is still so far away – why should we worry now?  In 1977 when the RSA algorithm was originally introduced, it was estimated that it would take 40 quadrillion years to decrypt an RSA-129 (a variant of RSA) encrypted message.  RSA-129 was cracked in 1994, less than 20 years later.  While most of the encryptions used now are safe, quantum computers will drastically change everything, as they will be able to rapidly factor RSA keys of any length.

There are currently two technologies under development that intend to address the looming threat of quantum computers: Post-Quantum Algorithms (PQAs) and Quantum Key Distribution (QKD).  PQAs consist of a number of new algorithms that are designed keeping in mind the known capabilities of quantum computers. QKD is physics based and allows keys to be exchanged between two different locations by using the quantum properties of photons. If an adversary attempt to intercept the key exchange is detected, changes in the measured quantum properties are made.

For now, the QSSWG recommends using both PQA and QKD, in an integrated solution, to guarantee that encrypted data in the cloud is safe against quantum computers. For more information, please refer to the full paper, ‘What is Quantum-Safe Security?




Who’s backing up BYOD data? One more reason for cloud disaster recovery

By Susan Richardson, Manager/Content Strategy, Code42

liferingIf you’re among the 60% of organizations that don’t have a disaster recovery plan, or among the 59% that only back up data in one location, here are 5 good reasons to shore up your plan and include the cloud as one of your endpoint backup solutions:

  1. There’s no shortage of incidents that can cause an IT disaster, and most are on the rise: Environmental super storms like Katrina in the United States and Niklas in Europe will likely increase with global warming. Acts of terrorism fill news reports. And the cybersecurity industry’s predictions for 2015 don’t look good, either.
  2. You will likely have a disruption in the next 24 months.Almost 70% of worldwide IT practitioners polled in The IBM Global Study on the Economic Impact of IT Risk said their organizations would likely have a minor disruption within two years and 23% said it would be a substantial disruption.
  3. The disruption will cost a lot and damage your reputation. The IBM study found the average total cost of an IT disruption to operations was between $1 million and $14 million, depending on the severity. Broken down, it comes to $32,000 – $53,000 for each minute of disruption — in idle user time, forensics and technical support. Then add another $20,000 to $5 million in reputation–related costs.
  4. BYOD is increasing, but most employees assume the company is backing up their devices. More than half of employees who use their own devices assume their companies back up their most important files, whether or not it’s true, according to a Forrester study commissioned by Code42. Employees do back up their devices, unfortunately not the way you want. According to the Forrester survey, 67% of employees back up to their own USB flash drive, CD/DVD, external hard drive or server. So much for universal access. Not surprisingly, the study found that the top two reasons for adopting an endpoint backup solution were to improve business continuity and to protect the critical data employees are storing on various endpoints.
  5. Physical backup sites may not be accessible. If you syndicate seats at a backup site, over-subscription can be an issue, as it was for some East Coast companies during Hurricane Sandy. Even if you own your own backup site, it may be wiped out or employees won’t be able to get to it.

Cloud-based disaster recovery has gained traction over the years because of its distinct advantages, some of which were highlighted in a 2014 global Forrester study:

  • Self-service restoration for employees
  • Multi-site availability
  • More frequent backups
  • Improved recovery time objectives (RTOs) and recovery point objectives (RPOs)
  • Cost savings on both storage and administration
  • The ability to improve continuity using Opex vs. Capex dollars

To learn more about self-service data recovery, register for the Code42 on-demand webinar: “Productive Amid Disaster: Enabling the Business for Secure, Self-Service Data Recovery.”

Healthcare Duped By “Spellcheck” Phishing Attack Again?

By Chris Hines, Product Marketing Manager, Bitglass

“Fool me once, shame on you. Full me twice, shame on me” – Anonymous

caref1rst_attackThis idiom has rung true in one of our world’s largest industries, healthcare. CareFirst Blue Shield made an announcement Wednesday May 20th, admitting that it had been the victim of a major data breach that compromised the records of 1.1 million customers. There is a very good chance that the same methods used in the Anthem and Premera breached were used again in this latest major breach.

CareFirst announced that the cyber criminals were able to gain access (and most likely steal) names, email addresses, birthdays and ID numbers. Luckily no SSN or credit card numbers were stored within the hacked database.

Although it has not been confirmed, the same state-sponsored cyber criminals from China that carried about both the Anthem and Premera breach, may be the same that has left CareFirst the latest smeared healthcare organization.

But why is this happening so much?
It’s important to realize that cyber criminals are tactical. They are in most cases driven by the pursuit of financial gain. To them, healthcare data is the new data gold mine. In the past, much emphasis was placed on stealing credit card numbers. Today, the cyber criminal climate has changed. Medical data, which is now worth 50x more money on the black market than credit card data, is what criminals now have their cross hairs on, as it has the chance to turn into a major pay day in a black market bitcoin sale.

Meet the “Spellcheck” Phishing attack
So far, what we at Bitglass call the “Spellcheck” phishing attack, has resulted in two epic healthcare breaches thus far. The Anthem (largest breach in history) and the Premera healthcare breaches that together resulted in the loss of over 100 million sensitive customer records. The news of this new CareFirst breach may be the third in this trend of serial healthcare cyber attacks.

Here’s a break down of what we have seen so far:

On Feb 5th we learned that Anthem had been the victim of a healthcare breach. It was later determined that Anthem employees were fooled by an advanced phishing attack, and wound up delvering their personal access credentials directly to a cyber criminal owned subdomain site “we11point.com.”

On Feb 27th we learned that Premera had also been the victim of a very similar attack. This time, employees were fooled by a subdomain site with the name “prennera.”

On May 20th we have learned that a new subdomain called “caref1rst.com” has been discovered, leading the world to believe that these breaches may be connected.

The “Spellcheck” phishing attack may very well be the most advanced spear phishing attack the world has ever seen. Playing off of human error makes preventing breaches/limiting the damage a people problem, just as much as it is a security technology gap. As you can now see by the examples, the cyber criminals use this attack to trick employees into forking up their credentials, and then revert them back to the legitimate site that the healthcare institutions owns. The employee has absolutely no idea about the cyber theft that just transpired.

The subdomains used are all extremely close in spelling to the legitimate healthcare site. “We11point.com” looks very similar to wellpoint.com. “Prennera.com” if read quickly looks almost exactly like “Premera.com. And now “CareF1rst.com” looks like “CareFirst.com.” I mean it even has a “1” in it!

While this attack is certainly not limited to just healthcare organizations, since the value of medical data is so high, healthcare organization should on extreme alert. Teach your employees about the “Spellcheck” phishing attack, and learn from the breaches that have taken place so far.

Good luck. And remember, always check the spelling.

(Download the Healthcare Breach Report)

Governance, Risk, Compliance and Cloud: A Fresh Look at Benefits, Value Proposition

NandaBy Nanda Ramanujam, Director of GRC Solutions/PS-North America, MetricStream

Today’s world is undergoing phenomenal and unprecedented change. From political chaos and economic volatility, to great strides in the fields of science and technology, to an increasingly savvy and global workforce. All of this together is pushing the envelope forward, but also requiring us to take a step back to ask some tough questions about how we as individuals, organizations, governments, and societies will continue to meet the needs and demands of future generations.

In the context of the past, present, and future ahead, this notion of cloud computing becomes all the more interesting, and all the more critical for us to include as a key topic in our strategic planning discussions. In short, cloud computing represents a fundamental shift and change in the way technology is delivered and consumed.

For organizations operating in today’s increasingly global, social, hyper-connected, and technologically advanced world, a reliable and robust cloud computing environment will continue to play an increasingly significant role in both promoting efficiency as well as improving their ability to innovate.

By providing on-demand access to applications and resources anywhere, cloud computing offers significant cost savings, operational scalability, and an accelerated time-to-market. All businesses have to be agile in order to be competitive, able to quickly address and respond to their customers, partners and supplier ecosystems, as well as continuously deliver an even better experience, product, or service.

So, why are organizations so quick to adopt the cloud? A few reasons stand out:

  1. Improves time to market
  2. Offers scale and increases the capacity to meet a growing demand
  3. Simplifies the delivery of applications
  4. Controls and minimizes capital and operating costs
  5. Eliminates cross functional silos
  6. Improves customer satisfaction

Public cloud service adoption has become mainstream in most organizations. Meanwhile, many larger organizations see a private cloud in their future. Choosing whether to invest in building an internal cloud infrastructure, or buy from an existing cloud service provider is an important question that must be addressed, and savvy IT leaders must fast become experts and brokers of such dynamic business technology solutions. Despite this question, the fact remains — opting for cloud solutions, and making the business for doing so, is important.

For organizations evaluating Governance, Risk, and Compliance (GRC) applications, the cloud can provide an organization with significant benefits. Developing a cloud-based GRC program offers many business benefits, such as:

  • Offers unmatched scalability, reliability and flexibility
  • Achieves economies of scale
  • Reduces CAPEX on technology and infrastructure including software licenses
  • Lowers the cost of ownership
  • Requires less or zero maintenance
  • Supports globalization efforts
  • Improves visibility into operations
  • Promotes continuous availability

The adoption of GRC applications and solutions via SaaS continues to rise, and in large part, is driven by the usage and proliferation of devices — such as tablets — within and throughout the organization and extended enterprise.

The cloud enables organizations to develop and run GRC applications with unbounded scalability and ease-of-use, and with rapidly changing and evolving regulations, adopting a cloud strategy makes long-term business sense. Common GRC related activities such as stress testing, inspections, and audits necessitate temporary and periodic increases in the need for collaborative workspace, computing needs, and archiving of business records — and cloud helps to better address these.

However, it is the opportunity for better risk management and the mitigation of business risk which remains one of the primary investment drivers for cloud-based GRC applications. Listed below are some of the applications where the cloud provides better ROI in the world of GRC:

  1. Field Audits
  2. Compliance Monitoring
  3. Supplier Governance and Vendor Management
  4. Policy Management and Training, with a focus on Social Engineering
  5. Incident Management

As cloud computing becomes a strategic way for businesses to cut costs and increase sales, there has been tremendous capital activity in funding cloud based ventures. Estimates posit that the global cloud computing sector will reach revenues of $20 billon by end of year 2016, growing at a pace of over 30 percent yearly. There is an increasing interest and unrivaled commitment from organizations of all sizes to run most of their mission critical apps — including GRC apps — in the cloud.

Cloud computing is a new paradigm in IT, and new advancements in technology and industries continue to take the cloud to the next level. Collaboration and open communication amongst enterprises and cloud vendors can help strengthen an organizations governance, risk management, and compliance programs, improve overall decision making, and drive superior business performance.

Read more.

LogJam Exposed: 575 Cloud Services Potentially Vulnerable to Man-in-the-Middle Attacks

By Sekhar Sarukkai, VP of Engineering, Skyhigh Networks

LogJamLogJam, the latest in a spate of web vulnerabilities, was exposed on Tuesday evening by a team including Mathew Green, assistant research professor at Johns Hopkins University, experts from University of Michigan and the University of Pennsylvania, and researchers from Microsoft Research and INRA, who were part of the team that initially discovered the FREAK vulnerability. The vulnerability, which is derived from an encryption flaw, is closely related to the FREAK vulnerability which was exposed on March 4, 2015.

How does LogJam work?
Specifically, any servers that support export grade DHE cipher suits are vulnerable to LogJam. This is a subset of FREAK, though in FREAK all export grade ciphers were counted against vulnerabilities. Additionally, if the server supports export grade DHE ciphers and uses a key less than 1024-bit, then it is computationally easy to break private keys as DH uses a known set of prime numbers to derive its private key. Web browsers also support 512 bit keys for encryption. If both the browser and server support 512-bit key encryption, a man-in-the-middle can force the browser to use a weak key. Most VPN (IKEv1 support) devices use 1024-bit keys, which can be easily broken by state sponsored resources. According to tests 61% of VPN devices are vulnerable, as opposed to only 8.4% of HTTPS servers.

Further, the researchers that exposed LogJam show that, “the computation against the most common 512-bit prime used for TLS demonstrates that the Logjam attack can be used to downgrade connections to 80% of TLS DHE EXPORT servers. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.” (https://weakdh.org/)

How widespread is LogJam?
Security researchers have focused on tracking vulnerable websites. The number of vulnerable sites is less than those vulnerable to FREAK upon its publication. This is due to the fact that websites and services that applied the FREAK patch also removed the yet-to-be surfaced LogJam vulnerability. As of Tuesday at 10pm PDT, 3.4% of browser trusted sites were vulnerable to LogJam, as opposed to 36.7% for FREAK on the day of its exposure, and 8.4% of the Alexa’s top 1M were vulnerable to Logjam, as opposed to 9.7% for FREAK on the day of its exposure. (Note – this website is not vulnerable). For the latest website vulnerability metrics, check https://weakdh.org/.

As a cloud security and enablement company, we’re focused on detailing how this vulnerability affects cloud services and helping enterprises manage their IT security response so they can protect their data and users. We’ll share stats on potentially vulnerable cloud services below and offer steps security teams should take to protect themselves.

How does a LogJam-enabled man-in-the-middle attack work?
The LogJam vulnerability enables man-in-the middle attacks. The attack would occur as follows:

  • In the client’s Hello message, it asks for a standard ‘DH’ ciphersuite.
  • The MITM attacker changes this message to ask for ‘export DH’.
  • The server responds with a 512-bit export DH key, signed with its long-term key.
  • The client accepts this weak key due to the OpenSSL/Secure Transport bug.
  • The attacker factors the DH modulus to recover the corresponding DH decryption key.
  • When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
  • From here on out, the attacker sees plain text and can inject anything it wants.

575 cloud services potentially vulnerable to LogJam
Skyhigh’s Service Intelligence Team monitors security breaches and vulnerabilities,including the LogJam vulnerability, across thousands of cloud providers. Six hours after the vulnerability was officially publicized, 575 cloud providers remain potentially vulnerable.

With the average company using 923 cloud services, the chances that an organization uses one or more vulnerable services is high. Across the 400+ enterprises using Skyhigh, 99% are using at least one cloud service that is potentially vulnerable, and the average enterprise uses 71 vulnerable services. We will continue to track these vulnerable services and work with customers to diagnose and remediate their vulnerabilities.

Eliminating the LogJam vulnerability for cloud services
To patch the vulnerability, cloud providers should disable support for export suites, deploy elliptic-curve Diffie Hellman, and generate a strong, unique Diffie Hellman Group. For specific details, visit: https://weakdh.org/sysadmin.html.

Protecting your company from LogJam
Organization must determine and contain both their client-side and service-side exposure. Skyhigh is contacting each of the cloud providers affected to ensure they are aware of their vulnerability and perform the required steps towards remediation. We‘re also informing our customers who use potentially vulnerable services.  Here are 5 steps to protect your company from LogJam:

  1. Contain your client-side exposure: Require that employees use only browser versions that are not vulnerable (i.e. patched versions of Chrome, Firefox, IE).
  2. Determine your service-side exposure: Skyhigh informs customers of the potentially vulnerable cloud services in use at their organization. If you’d like to look up an individual service to see if it’s vulnerable, visit: https://tools.keycdn.com/freak (If they have applied the FREAK patch, the service has eliminated the LogJam Vulnerability, as well).
  3. Validate your proxy configurations: If your enterprise uses a MITM proxy (like a web proxy) ensure that the configurations are properly set so it does not degrade.
  4. Ensure any OpenSSL use within the enterprise is updated: If not careful, external facing sites may be fixed first while internal sites/development environments are never fixed. Ensure that you don’t neglect internal deployments as well.
  5. Update your VPN Server: VPN servers that support IKEv1 protocol for encryption should be updated to disable any keysize less than 1024 bits – or better yet, use elliptical curve keys. Organizations should also consider using SSL VPN technology, which is better supported as its underlying OpenSSL is updated regularly against various encryption protocol vulnerabilities.

Lifehack: 4 Things to Stop Doing When It Comes to O365 Security

By Chris Hines, Product Marketing Manager, Bitglass

I’m sure you have read a million blogs about what you should be doing when it comes to achieving security for cloud applications like Office 365. I know because admittedly I have written some of them myself. But an idea came to me yesterday as I was training my 7-month-old puppy, Odin, on what NOT to do. He has the tendency to bark at other dogs and becomes extra alert at the sight of strangers. Naturally, I can’t have that taking place. The training is still a WIP…

Now securing Office 365 is not the same as training a puppy, but as IT security professionals, I think we can all benefit from a lesson on what NOT to do when it comes to securing one of the most popular cloud-based productivity suites (O365 is slated to outpace Google Apps 29% to 13% in future years.). This reverse approach should make it easier for folks to eliminate the bad, shining some much needed light on some of the mistakes you might be making in your enterprise.

So here is the O365 security lifehack.

1. Stop ignoring the need for SSO and Multi-Factor Authentication.

Single-sign-on plays a crucial role in reducing the attack surface that criminals can use to access your sensitive data. By centralizing access to Office 365 and other cloud apps, you can get hold of unused accounts, identity sprawl, and weak passwords.

– Multi-factor authentication is a quick win for added security, making it tougher for cyber criminals to be successful in nabbing employee credentials and stealing sensitive data.

2. Stop viewing mobile security as a separate issue.

– Cloud apps have made it easy for any device, located anywhere, to access company data, leading to a proliferation of “cloud” data to “mobile” devices. Cloud security and mobile security must be part of the same conversation.

Controlling data accessibility from unmanaged mobile devices, and revoking data when required, such as when an employee leaves the company or when the device is lost or stolen, is key.

3. Stop being unaware of suspicious activity.

– Many companies make the mistake of thinking that O365 has enough security, out of the box cloud. But Office 365 does not provide visibility or audit logging for employee activity taking place within the application, making it impossible to tell that the sales rep that just left the company lifted next quarter’s financial projections out of OneDrive on his last day.

4. Stop the leakage!

– JP Morgan, Sony, Anthem and HSBC serve as nasty reminders of the damage leaked data can cause. Office 365 offers some fairly limited DLP, but this only works for data sent between senders and email recipients already within O365. Classifying data and setting policies that secure your data, but don’t inhibit the productivity of your work for is a must have.

If your enterprise is struggling with any of these 4 topics then it’s your mission to make sure your CIO, CSO, CISO, CTO, or whomever has the decision making power, is aware.

Balancing IT Risk and Opportunity

By David Williamson, CISSP, CGEIT, CRISC, Vice President – Professional Services, MetricStream

davidwilliamsonFor business managers, moving portions of our company’s most valued information assets into the public cloud, while compelling economically, raises a thicket of difficult risk and compliance questions.

  • From a business perspective, considering reputational and other risks, do the economic advantages outweigh the risks?
  • Can anybody in my company really answer:  if we move these processes and data into the cloud, will we still be fully compliant with all of the necessary “legs and regs” we must comply with?  How do we really prove that?
  • Frankly, our IT partners are hardly impartial in the decision; we’re allocating our IT shop’s funds to buy cloud services.  Are their security concerns perhaps a little overblown?

To answer these questions, risk and other professionals need to perform the business equivalent of alchemy:  transforming security “bits and bytes” into business data we can understand and operate upon.  This is where a good GRC framework can be pure gold.

An integrated GRC framework will allow you to understand how security threats and vulnerabilities affect the systems that support your core business processes.

Security “sensors” which detect malicious behavior in the networks, or the existence of threats and vulnerabilities, can be viewed through a risk and compliance lens.  Different types of IT risks can be assessed for probability and impact, mitigated, transferred, or accepted, and the residual risk impact compared against the economic consequences of other risk types.

It’s just a simple fact that there will always be some degree of risk in systems.  The Executive Suite craves objective data about how these risks, including the risks of non-compliance with key regulatory requirements, compare against other risks to the enterprise.  An integrated GRC framework can allow executives to meaningfully weigh IT risks and opportunities against other corporate risk and opportunities, and make informed decisions about where to invest scarce corporate assets.

HIPAA-Compliant BYOD After the Honeymoon

By Nat Kausik, CEO, Bitglass

We met with the head of compliance of a large state healthcare organization last week. They were struggling with achieving HIPAA compliant mobility and shared their experiences and insights with us.

To start, mobile technologies are changing so rapidly that any attempt to install software on the end-point to secure or manage the device is doomed to fail. The organization had purchased and deployed a high-end Mobile Application Management (MAM) solution two years ago. The MAM solution worked great during the honeymoon period after deployment. 100% compliance on 20% of the devices.

Then cracks began to appear. First, the deployment stalled as users beyond the first 20% refused to install the app on their BYO devices. Then, users with the app upgraded their devices and needed help porting the MAM clients at each upgrade. Then, the MAM clients stopped working with certain types of devices. Calendar invites appeared weeks after the meetings were done. Emails were getting dropped. Physicians would have none of that nonsense, and IT was forced to open up ActiveSync direct for all users. Pretty soon, 90% of users were connecting directly their native email clients on BYOD via ActiveSync. So 100% compliance on 10% of devices plus 0% compliance on 90% meant a net 10% compliance. And physicians had the most non-compliant BYO devices, dealt with most PHI.

The same story plays out at even the largest healthcare organizations. Indeed, following the above meeting we met with the newly minted Chief Data Officer at a very large healthcare organization with over a 100K employees. Same story. MobileIron MDM for all users. But after the honeymoon ended, physicians get to connect any device direct. And so did any other user who figured out that ActiveSync direct was open.

How do you maintain HIPAA compliance on any device after the honeymoon? Bitglass, of course.


The Top 10 Cloud Services in Government That Don’t Encrypt Data at Rest

By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks

Sensitive data in the cloud is more widespread than you may think. Analyzing cloud usage for 15 million users, Skyhigh found that 22% of documents uploaded to file sharing services contained sensitive data such as personally identifiable information (PII), protected health information (PHI), or payment information. Far from being an isolated problem, 37% of file sharing users have uploaded sensitive data at some point. For public sector organizations, the stakes are higher due to unique regulatory requirements, but all organizations struggle with visibility into the thousands of cloud services available and wide variance in security controls amongst them.

A recent study found that two-thirds of US Federal government agencies failed to meet a June 2014 deadline to follow FedRAMP cloud security guidelines. FedRAMP is just one way of assessing the security of cloud providers. Skyhigh assesses cloud providers across over 50 attributes of enterprise readiness including those found in the Cloud Security Alliance Cloud Controls Matrix. Of the 10,000+ cloud services in use today, just 9.4% meet the strict security and data privacy standards required to achieve the highest rating of “enterprise-ready” by Skyhigh’s CloudTrust Program.

However, in the last 12 months an increasing number of cloud services offer more robust security features and certifications. 1,459 services (17%) provide multi-factor authentication, as opposed to 705 last year; 533 (5%) are ISO 27001 certified, as opposed to 188 last year; and 1082 (11%) encrypt data at rest, as opposed to 470 last year. The last statistic shows just how much room there is for improvement. Security analysts say that information encryption is one of the best measures to protect organizations from a wide range of data leakage issues:

  • If an attacker compromises the data, they will not be able to read it without the encryption keys
  • Encryption removes the breach notification requirements for regulations like HIPAA
  • Encrypting data can help satisfy cross-border data privacy requirements when data is stored in the cloud
  • When organizations maintain control of their encryption keys, encryption prevents the cloud provider from viewing the information

Despite the benefits of encryption, some of the biggest names in cloud computing do not encrypt data stored at rest in their cloud services today.

blog image - government encryption list 600

Based on data from Skyhigh’s Service Intelligence Team, the top cloud services used in government that don’t encrypt data at rest includes three email providers: Gmail, Hotmail, and AOL Mail. Some of the services found in the top 10 like Paypal can be used to store payment card numbers and bank account information. Another service that doesn’t encrypt data stored at rest is eBay, which suffered one of the biggest data breaches of 2014 when 145 million account credentials were stolen.

While all of the above services would be considered “personal” vs. “enterprise/government”, there have been highly publicized examples of shadow IT use in even the highest levels of government. This list of wildly popular services that don’t encrypt data serves as a timely reminder of the potential risks of going around IT when employed by a government organization or agency.

For a complete look at trends shaping government cloud usage including the top services in use in government overall, fastest growing apps, and the gap between cloud services organizations intend to block and actual block rates, download the Cloud Adoption & Risk in Government Report.


CSA Releases New Whitepaper on Virtualization Security Best Practices

At this year’s RSA Conference, the Cloud Security Alliance released a new whitepaper entitled: “Best Practices for Mitigating Risks in Virtualized Environments” which provides guidance on the identification and management of security risks specific to compute virtualization technologies that run on server hardware.

The whitepaper was developed by CSA’s Virtualization Working Group which is co-chaired by Kapil Raina, of Elastica, and
Kelvin Ng of Nanyang Polytechnic and sponsored by TrendMicro. The 35 page paper identifies 11 core risks related to virtualization, including:

  1. VM Sprawl
  2. Sensitive Data within a VM
  3. Security of Offline and Dormant VMs
  4. Security of Pre-Configured (Golden Image) VM / Active VMs
  5. Lack of Visibility Into and Controls Over Virtual Networks
  6. Resource Exhaustion
  7. Hypervisor Security
  8. Unauthorized Access to Hypervisor
  9. Account or Service Hijacking Through the Self-Service Portal
  10. Workload of Different Trust Levels Located on the Same Server
  11. Risk Due to Cloud Service Provider API

The report is free and can be downloaded in full here.





Cloud Security Alliance Releases Candidate Mapping of FedRAMP Security Controls

By the CSA Research Team

Today at the Cloud Security Alliance Federal Summit being held in Washington, DC, the CSA today announced the release of the Candidate Mapping V4 of the FedRAMP security controls to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The FedRAMP controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53r4 which defines 17 families of Security and Privacy Controls to be used by Federal agencies. The CSA CCM provides a control framework that is aligned to the Cloud Security Alliance guidance in 13 security domains and builds on the foundations of other industry-accepted security standards, regulations and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, Jericho Forum, NERC CIP as well as NIST.

“In closely mapping the two security controls, Federal agencies can now better assess a cloud provider’s security controls and also address what controls need to be in place to ensure the provider is compliant with FedRAMP standards,” said Jim Reavis, CEO of the CSA. “The mapping will also help reduce the burden of getting the assessments and certifications for cloud vendors wanting to serve the Federal agencies.”

The Candidate Mapping shows that 90% of the FedRAMP controls correlate to the controls defined in the CCM. The documentation of this alignment will support a variety of constituents in the Federal cloud marketplace:

  • Cloud Service Providers (CSPs) will be provided with guidance on how their security frameworks can be developed and documented to address the requirements of multiple assessment standards, reducing the level of effort associated with obtaining multiple security certifications;
  • Assessors and auditors will be able to use the alignment to leverage documentation and artifacts to enable them to assess CSP security postures across multiple standards in an efficient manner
  • Federal agencies will be able to evaluate CSPs who have been assessed and certified against the CCM under the CSA Security Trust and Assurance Registry (STAR) program in order to determine the likelihood of a CSP to qualify for FedRAMP certification
  • The FedRAMP Program will be able to leverage the various industry standards that are integrated into the CCM framework to further the alignment of FedRAMP controls with other industry standards.

CSA will continue to collaborate with the FedRAMP Program Office to determine the best ways to leverage the Candidate Mapping to support the goals and objectives of the FedRAMP program to improve the security of cloud services utilized by Federal government agencies.

To access the mapping visit https://cloudsecurityalliance.org/download/fedramp-cloud-controls-matrix-v3-0-1-candidate-mapping/

3 Things Startups Need to Know to Move to the Cloud

By Shellye Archambeau, CEO, MetricStream

Shellye_Headshot 2014Despite concerns around data security, businesses are optimistic about the cloud. In fact, software-as-a-service adoption has more than quintupled from 13 percent in 2011 to 72 percent in 2014, according to a cloud computing survey conducted by North Bridge Venture Partners and Gigaom Research.

For startups, the cloud has always been a great equalizer, enabling nascent businesses to compete on par with their larger, more established counterparts. In a Rackspace survey on the economic impact of the cloud, a quarter of small and medium enterprises indicated that they had increased profits by at least 25 percent, and up to 75 percent, as a result of cloud computing. What’s more, 84 percent of companies were able to increase their investment back into the business by up to 50 percent, and 34 percent saved between $7,500 and $45,000 on IT spend—all because of cloud computing.

Lower upfront costs, greater flexibility, and scalability—these are just a few reasons why your startup might be excited about jumping onto the cloud bandwagon. Before you do, here are a few things to think about:

1. Public, Private, or Hybrid Cloud?
Deciding what kind of cloud model to adopt will depend on various factors, such as the mission criticality of your applications and data, regulatory compliance obligations, and the scope of your IT budget.

Most businesses that are just starting out find great value in opting for public clouds, where the core infrastructure is shared by many organizations and hosted by a third party. The perks are many—easy access to computing resources and relatively low costs due to a pay-as-you-go model.

However, the public cloud comes with its own concerns around data security and performance slowdowns. So, if you’re in a highly regulated or sensitive industry such as banking and financial services, healthcare, or online retail, it might be wise to consider a private cloud.

Or better yet, you might opt for a hybrid cloud model which combines the best of both public and private clouds. RightScale’s 2015 State of the Cloud Report indicated that 82 percent of enterprises today have a hybrid cloud strategy, up from 74 percent in 2014.

With the hybrid cloud model, you get to keep confidential customer and financial information and high performance applications on the private cloud, while using the public cloud for less mission-critical operations, like e-mails and data backup.

2. Know Which Services and Applications to Move to the Cloud
According to RightScale’s report, 68 percent of enterprises run less than 20 percent of their applications on the cloud. However, 55 percent of enterprises also reported that a significant portion of their application portfolio is built using cloud-friendly architecture, and is therefore able and ready to be moved to the cloud.

When it comes to cloud workloads, the RightScale report revealed that 38 percent of enterprises run all or most development and testing on the cloud, while 34 percent run all or most websites on the cloud, and 30 percent run all or most Web applications on the cloud.

My advice for startups is to begin your cloud journey with applications that don’t require very low latency or high performance and availability. Once you get a feel for how these apps function in the cloud, you can move your core databases in there.

Generally, most services can be easily migrated to the cloud, including e-mail, messaging, file sharing and backup, as well as accounts, expense reporting, and customer relationship management. However, if you have any critical applications or transaction-intensive systems where the risk of network outages or downtime could seriously hamper your business, you will want to consider this carefully.

So, do the research, and make informed decisions about how the cloud can help your business. Also, don’t neglect to plan a cloud exit strategy. If, for whatever reason, you no longer want to depend on a particular cloud service provider, you need to be able to get your data back as effectively and cost-efficiently as possible.

3. Balance the Rewards and Risks of the Cloud
For startups, the cloud equals low capital expenditure—you don’t have to buy servers, or hire dedicated IT personnel. You can use as much or as little capacity as you need, and you can deploy and scale quickly. One of our customers, Zurich Insurance, discovered the benefits of the cloud when they were able to implement and derive value from the MetricStream Vendor Risk Management App over the MetricStream GRC cloud in just 12 weeks.

The other bonus of the cloud is better collaboration—in today’s global, mobile, social world, the cloud makes it easier to communicate and exchange information with teams and customers across different time zones.

Startups have a lot of options when it comes to the cloud. Cloud service giants like AmazonGoogle, and Rackspace offer a number of incentives including free cloud credit, technical training, and support for new businesses who are looking to get started on the cloud.

Yet, as with everything else, there are risks associated with the cloud—primarily around data security. The good news is that most major cloud service providers have extremely sophisticated security mechanisms built into their offerings, which are much better than what most startups could afford to invest in themselves.

There are things that startups can and must do in order to protect their data and assets in the cloud. Remember, make cloud security a top business priority. Check the credentials and certifications of your cloud service provider. Also, evaluate their security measures against established frameworks such as the Cloud Controls Matrix from Cloud Security Alliance (CSA).

Then, assess your security risks, and prioritize your assets and data accordingly. Establish risk tolerance levels—particularly when using public clouds with multi-tenancy models. For each cloud application, identify potential threats, and define a detection and incident response plan. Also, ensure that there are controls in place to comply with data security laws such as PCI DSS, HIPAA, GLBA, and relevant state regulations.

With attractive incentives, as well as strong security measures, the cloud is becoming an increasingly hospitable environment for startups to get their business up and running. The key is to find a cloud model that suits your unique business needs. Identify which services and applications will work best for you on the cloud. Most importantly, be risk-aware—when you know and understand your risks in the cloud, you can better protect your business, while reaping all the benefits that the cloud has to offer.

(Originally published in Xconomy

Shellye Archambeau is CEO of MetricStream, a Palo Alto, CA-based company offering governance, risk, compliance, and quality management solutions to enterprises in the pharmaceutical, medical device, high tech manufacturing, energy, financial services, healthcare, manufacturing, food and beverage, and automotive industries.

CSA to Hold Inaugural Federal Summit on May 5th in Washington DC

The CSA is excited to announce that it will be holding its inaugural Federal Summit 2015 on May 5th in Washington DC. The Cloud Security Alliance Federal Summit is a free for government event, comprised of information security professionals from civilian and defense agencies to share experiences and learn about the best practices for securing cloud computing and emerging security topics.

The one day event will feature security experts from the CSA including Jim Reavis, CEO of the CSA as well as Matt Goodrich, Program Director of FedRAMP and Dr. Michaela Iorga, Sr. Security Technical Lead for Cloud Computing, NIST. In addition to these featured speakers there will also be two panel discussions, the first one the topic of “”Managing Cloud Security: Considerations and Best Practices” and the second on “Cloud Implementation Lessons Learned”. The event will close with a keynote presentation by Keith Trippie , founder of The Trippie Group on the topic of “The Business of Cloud”.

Federal employees who are interested in attending the Federal Summit can register for the event here:

CSA Federal Summit 2015


By Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream

VibhavAn integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.

One of my favorite Dilbert cartoons shows Mordac, the “Preventer of Information Service,” saying, “cloud computing is no good because strangers would have access to our data.” Dilbert tries to explain encryption technology is trustworthy—certainly more trustworthy than Mordac himself. The grain of truth here is that, within any organization, there are still mixed responses to cloud computing.

Today, enterprises are adopting cloud computing in a big way. According to CIO.com, the National Association of State CIOs (NASCIO) recently surveyed its members and reported cloud adoption is the second biggest priority for CIOs, only after cybersecurity. But CIOs today are still choosy about what data they want to place in the cloud. The majority have asserted that they do NOT want to put confidential company financial data or credit card data in the cloud. Makes sense—personal information data leaks are terrible PR.

Simply stated, the perception of cloud computing at most companies is mixed. Those advocating for the cloud speak to its improved agility, flexibility, high performance and lowered costs. Those who are still on the fence are concerned about data security, decentralization of their IT team, service reliability and the loss of control over their IT ecosystem. Both sides of the debate have valid points.

10 Key Imperatives
To increase acceptance and adoption of cloud computing at your organization, there are 10 must-haves that can be sub-divided into two groups – infrastructure imperatives and information security imperatives. The first set is the infrastructure imperatives, which affect the cloud-hosting environment:

  1. Federated identity management & access control– The cloud-based system must permit several users at a time, with differing levels of access to ensure proper segregation of duties.
  2. Centralized control and visibility over the IT landscape– The IT manager should have the capability to monitor and manage the system from a centralized console.
  3. Dynamic failover protection & data replication– The system should guarantee 99.5 percent reliability as a minimum.
  4. Automated application performance management– For a uniform user experience, the system should ensure performance as per the service-level agreement (SLA).
  5. Network segmentation– The ability to segment and segregate the networks, across various customers, will ensure minimal propagation of any cybersecurity issue. Given the proliferation of cybersecurity threats and vulnerabilities, the remaining five are information security imperatives that apply to both hosted and otherwise.
  6. Continuous threat and vulnerability assessments– Data center security needs to be assessed regularly to ensure adherence to latest information and network security standards.
  7. Security upgrades and monitoring on demand– Monitor security posture and ensure that regular updates are being provided as per the latest set of cyber-threats.
  8. Meta-data driven information security– Analysis of meta-data being generated across the security and system logs will identify significant, potentially malicious, patterns.
  9. Continuous control monitoring of policies– It is vital to have continuous monitoring and adherence to security, access and other policies across the cloud.
  10. Virtualized security & perimeter controls– The security and perimeter controls need to percolate to the virtualized machine level.

How can we achieve these imperatives across cloud-based deployments?
The enterprise needs to implement a robust governance-risk management-compliance (GRC) framework across the complete cloud infrastructure, which can act as a the single source of truth across all regulatory compliances, security and access controls as well risk and vulnerability assessments.

Wish list for a GRC Framework

Basic Components
First, let’s look at the “bare minimum” requirements for a GRC framework for cloud computing:

  • Continuous system monitoring– Feed regular system related logs and reports into the GRC framework for continuous risk assessments.
  • Penetration Testing audits– Audit the third-party penetration test results, findings and remediations on a pre-determined schedule.
  • Incident response management– Create and manage a defined workflow within the organization to ensure a coordinated response from various departments such as IT, Legal, Finance, etc. and respond appropriately to any cloud security events.
  • Data portability testing– Perform a yearly or quarterly audit and document the process and audit findings to ensure that the data is portable across data centers.
  • Disaster recovery & business continuity– Ensure that proper disaster recovery and business continuity measures are in place along with regular tests and documentation.
  • Onsite & offsite backup audits– Audit backups to check for their ability to restore data.

Advanced Components
Once the must-haves have been checked off, here is a list of “nice to haves”:

  • Data encryption audits– Audit and document the storage control and key management procedures for encrypted data. This is typically applicable for sensitive data only.
  • Forensics log management and reporting– Analyze meta-data continuously generated by system and security logs, and identifying any adverse patterns.
  • Elasticity & load tolerance testing– Ensure that resources can be augmented in the peak performance periods by performing regular load tolerance and elastic demand management testing.
  • Advanced cyber-attack prevention measures– Monitor and implement cyber attack prevention measures pro-actively by integrating with new threat and vulnerability solutions.
  • Advanced cloud security analytics– Establish an advanced cloud security analytics information center as part of the GRC dashboard and centralize its monitoring and management.

Apart from the components listed above, as the cloud computing world evolves, there is an increasing number of regulations and checklists coming up to ensure its adherence to established standards, including SSAE16 SOC 2 controls, FedRAMP certification, HIPAA regulation and Cloud Security Alliance (CSA). Your organization’s GRC framework for cloud should be able to streamline the audit and checklist-based assessments around these and ensure proper adherence to world-class standards for cloud adoption and security.

An integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.