SecaaS Working Group Releases Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring

February 29, 2016

By John Yeoh, Senior Research Analyst, Global, Cloud Security Alliance

Numerous security vendors now leverage cloud-based Security as a Service (SecaaS) models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. However, SecaaS offerings take many forms, which causes market confusion and complicates the selection process. Customers are increasingly faced with evaluating security solutions that do not run on premises, and they need a better understanding of these offerings to evaluate the security risks and the shared responsibility for the security of systems for which they remain accountable.

In order to improve the perception and reputation of these services, Security as a Service requires a clear definition and direction to ensure it is understood and to improve the adoption across industry sectors. This will lead to greater awareness, understanding and knowledge of SecaaS and its functions.

The CSA SecaaS Working Group is working to address these challenges by working with experienced knowledge leaders and intelligent market research in the industry to align with cloud governance best practices, document use cases, identify standards requirements, and create other innovative research artifacts. The group’s research will allow the intended users to create guidelines for implementing SecaaS offerings, support those looking to purchase SecaaS solutions, and aid those tasked with implementing or auditing them.

Today, at the RSA Conference, the SecaaS Working Group is releasing “Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring.”

Continuous Monitoring has been recognized as a new category that the working group has addressed. This overview document is the first in a series of business, technical, and implementation guidance documents for the following security service categories:

  • Business Continuity and Disaster Recovery
  • Continuous Monitoring
  • Data Loss Prevention
  • Email Security
  • Encryption
  • Identity and Access Management (IAM)
  • Intrusion Management
  • Network Security
  • Security Assessments
  • Security Information and Event Management
  • Vulnerability Scanning
  • Web Security

For more information, visit CSA Security as a Service.

CSA’S Virtualization Working Group Publishes New Position Paper on Network Function Virtualization

February 29, 2016

With the broad adoption of virtualized infrastructure, many security teams are now struggling with how to best secure these vital assets from targeted attacks. And because almost anyone can now easily virtualize resources such as compute, storage, networking and applications, the velocity and impact of security threats have increased significantly.

In response to these trends, the CSA’s Virtualization Working Group has convened a forum of experts to help network and data center practitioners adopt new best practices for securing their virtual infrastructure. The result is a new position paper on Network Function Virtualization, which discusses some of the potential security issues and concerns, and offers guidance for securing a Network Function Virtualization (NFV)-based architecture, whereby security services are provisioned in the form of Virtual Network Functions (VNFs). We refer to such an NFV-based architecture as the NFV Security Framework. This paper also references Software-Defined Networking (SDN) concepts, since SDN is a critical virtualization-enabling technology. The paper is the first step in developing practical guidance on how to secure NFV and SDN environments.

This white paper consists of five core sections:
Section 1: Provides a basic overview.
Section 2: Introduces NFV concepts, and briefly discusses SDN.
Section 3: Expounds on some of the security issues and concerns when introducing NFV into a cloud environment.
Section 4: Explains the benefits and opportunities of an NFV Security Framework.
Section 5: Expounds on the challenges and important elements of the NFV Security Framework.

“NFV and SDN have introduced significant new threat vectors into cloud providers and enterprise environments. The CSA Virtualization Working Group looks forward to collaborating with the industry to determine how best to mitigate these threats. We have created an initial step in that direction and hope to accelerate our ability to guide security experts with practical guidance in the near future”, said Kapil Raina, Co-Chair of the Virtualization Working Group.

The Virtualization Working Group is sponsored by Trend Micro. Download a free copy of the paper.

You can catch the co-chairs and members of the working group during RSA 2016 at the CSA Research Working Group meetings. Visit CSA Research Working Group for more information about the meetings.

CSA’s Consensus Assessments Initiative Releases Minor Update to Version 3.0.1

February 29, 2016

CSA’s Consensus Assessments Initiative Working Group has released an update to version 3.0.1 of the Consensus Assessments Initiative Questionnaire (CAIQ) that includes minor updates and corrections.

A tab titled “CAIQ Change Log” was created in the spreadsheet to capture the details of each update. This will be the location where all updates and corrections are logged until the next major version release. The updates consist of spelling and consistency fixes throughout the document.

Consensus Assessments Initiative Questionnaire v3.0.1

Cloud Data Security Services Just Got Easier to Build and Assess

February 26, 2016

By Alan Eng, Senior Manager/Product Marketing, Vormetric

It is well documented that security is the leading concern hindering cloud adoption. However, it is not so clear-cut how to build secure cloud services, or how to assess whether cloud services adhere to relevant security requirements. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) framework was specifically designed to offer insights on these topics. The CCM framework provides fundamental security principles to guide cloud service providers (CSPs) and to assist prospective cloud customers in assessing the overall security risk of a cloud offering.

Using the latest CCM framework, version 3.0.1, Vormetric has created two white papers that shed further light on these critical topics. One paper helps cloud providers understand how to meet industry security guidelines with Vormetric data security solutions. The second paper explains how customers looking to adopt cloud services can assess whether their cloud vendors adhere to cloud security best practices. This paper also describes which Vormetric solutions to look for in complying with these standards.

The CCM is aligned with many industry standards and control frameworks, including International Organization for Standardization (ISO) 27001 and 27002, ISACA COBIT, National Institute of Standards and Technology (NIST), Jericho Forum, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), the Payment Card Industry Data Security Standard, version 3, and several others. As a result, CSPs can meet a number of industry security guidelines simply by adopting CCM requirements. In addition, the CCM framework features the Consensus Assessments Initiative Questionnaire (CAIQ), a detailed questionnaire that customers can use to assess the security capabilities of CSPs.

To develop our white papers, Vormetric staff worked with CSA CCM experts to identify which requirements pertained to data security. These white papers explain how the Vormetric Data Security Platform meets critical data security requirements.

By leveraging these white papers, security teams at CSPs can establish a clear path forward for securing data in their cloud environments. Further, executives at enterprises can use a concrete list of questions to assess and qualify prospective CSP offerings and ensure their data security needs are met. Below is a brief description of each white paper and the link to download the paper directly.

Industry Guidelines for Building Secure Cloud Services: This white paper explains how CSPs can use the Vormetric Data Security Platform to address CCM requirements for data segregation, persistent protection of customer data, data access monitoring and auditability, availability, and data destruction.

Best Practices for Assessing Your Cloud Data Security Services: This white paper offers a detailed look at how Vormetric solutions address the requirements specified in the CAIQ. In addition, the paper details what enterprise decision makers should look for in their cloud data security services.

Both white papers are also available on the Vormetric resources page.

Quantum Technologies and Real World Information Security Challenges

February 25, 2016

By Bruno Huttner, Quantum Safe Product Manager, ID Quantique

Most cyber security applications rely on a few cryptographic primitives, for both encryption and signatures. These primitives are now known to be breakable by a Quantum Computer (QC), that is, a computer operating according to the rules of quantum mechanics. The design and manufacture of such a computer is still a formidable task, which is expected to take many years. However, a post by the NSA in 2015, very recently followed by a NIST report, has brought a new sense of urgency to the matter.

Indeed, in view of the devastating effect the QC would have on our cryptographic systems, it is necessary to start thinking now about new ways to protect and authenticate data. Existing tapping techniques, in conjunction with almost unlimited storage abilities, allow malicious entities to gather and store incredible amounts of data. This encrypted data can be kept until the quantum computer is ready, and then decrypted. Therefore, data that has to be kept secret for a long time, say tens of years, should already be encrypted in a quantum-safe manner. We need to prepare for the post-quantum era now.

There are two possible roads towards this goal. The first one is to keep algorithmic-based cryptography, but use different algorithms, known as Post–Quantum Algorithms (PQAs) or Quantum Resistant Algorithms (QRAs), which, we hope, will remain quantum-safe. The second one is to adopt an entirely different principle, and base some of our cryptographic primitives on physical methods. In this case, security does not depend on mathematical analysis, but on the laws of quantum mechanics. This is what is achieved by Quantum Key Distribution (QKD).

These two approaches are by no means exclusive. Each has a different domain of application, and they will most probably complement one another. Since QKD requires a physical infrastructure, it will be restricted to large communication hubs, for example links between large data centres, such as the ones used for cloud infrastructure. In addition, as it is provably secure, QKD should be used for high-value data that has to remain secret for a long period. However, QKD only deals with key distribution, which is only one part of a quantum-resistant cryptosystem. QRAs, necessary for authentication, will also be used in links between end users and the communication infrastructure, for example from mobile applications to antennas or telecom hubs. They could also be used for data with high privacy content but a shorter validity period.

Quantum Safe Security @ RSA 2016
Quantum technologies represent both a threat to current cyber security methods and an asset for guaranteeing long-term cyber security in the post-quantum era. The “Quantum technologies and real world information security challenges” panel is the first of its kind and will be presented at the RSA Conference this year. The panellists have been chosen from among working information security professionals in a variety of fields. The specific topics they will cover include:

  • The threat of the quantum computer against current cryptographic techniques.
  • The immediate and medium-term challenges faced by each industry that could be mitigated by quantum security approaches.
  • Different quantum solutions, the problems they can help address, and how they compare to the current approaches in use.
  • The perceived risks and weaknesses of Quantum Key Distribution solutions.
  • Any work or partnerships they have done in this area.

If you ever wondered whether you should start thinking about these issues, their stories are your own stories. This session will provide you with a clearer picture and possible action points for the future.

Session Details
Date: Friday, March 4, 2016
Time: 10:10 AM
Venue: Moscone West, Room 2005

For more information about the session, click here.

Apple vs. FBI: The “Bad” Guys Always Get the “Good” Weapons

February 24, 2016

By Susan Richardson, Manager/Content Strategy, Code42

It’s a powerful tool, created for good—until it falls into the wrong hands. Sounds like a classic James Bond plot, right? That’s how we see the battle surrounding government-mandated “backdoors” playing out—and why we side with Apple (and most of the tech world) in supporting the individual’s right to privacy. Because unfortunately, 007 doesn’t stand a chance against today’s cyber criminals.

Backdoors: the classic “good” tool that falls into “bad” hands
The FBI’s court order to Apple—and Apple’s official and very public response—is just the latest in an ongoing debate and struggle to find the balance between the need for security and the right to privacy. The pro-backdoor camp believes these tools are essential for investigating criminals, terrorists and other nefarious actors, preventing them from “going dark” behind the wall of encryption. This all seems reasonable in the short term. Their cause is just. It’s a means to an end we all want—safety and security. It’s a one-time thing, right?

Wrong. Once the technology exists, there’s no going back—and there’s no sure way to completely control how it’s used or how it evolves. So, what happens when these backdoor keys fall into the wrong hands? It’s the classic plot of the James Bond series and other spy thrillers. But this time, it won’t be a single villain; it will be the entire shadowy world of cyber criminals, wreaking havoc with the newly created (and hacked) “keys to the kingdom.”

“But the government will protect the keys!”
Think the bad guys won’t get the backdoor keys? Think again. The U.S. government is already being hacked with alarming frequency and ease. Just last week, President Obama acknowledged that government IT infrastructure is woefully outdated and easily outgunned by agile cybercriminals. Even if the government moves to shore up these vulnerabilities, the mere existence of backdoor keys will be blood in the water for hungry cybercriminals, giving even greater incentive to target government IT infrastructure.

Code42 supports the individual right to privacy
At Code42, we recognize the need to balance security with privacy, but we ultimately believe in the individual’s right to privacy. We’ve talked about the problems with backdoors before—and industry experts agree that the risks outweigh the benefits. Our consumer tools, including Code42 CrashPlan, help our customers protect this right. In the enterprise world, we designed Code42 CrashPlan to empower the enterprise to define their security policies, providing employees with a respectful sense of privacy.

Forcing tech companies to sabotage their own products and hack their own customers will have a disastrous impact on the tech economy. But expecting a technology to only be used for good is a shortsighted move with the potential for far greater harm than good. And like we said, James Bond won’t be saving the day on this one.

The Netskope Cloud Report: The Cloud Malware Fan-out

February 23, 2016

By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope

Today we released our Cloud Report in which we highlight cloud security findings from October through December of 2015.

This quarter we focus on an important finding from our research team. In scanning many hundreds of our customers’ tenants, we found that 4.1 percent of those enterprises’ sanctioned apps are laced with malware such as trojans, viruses, and spyware. The volume of malware in those apps ranged from a handful of files to many dozens in a customer tenant.

We analyzed the infections and found a “fan-out” pattern in the spread of the malware (or in some cases, the effect of the malware). This is due, ironically, to two critically useful capabilities that the cloud is known for – sync and share.

I’ll show an example of this in full forensic detail during my keynote at next week’s CSA Summit, but let me describe what we saw happen in a number of enterprises that got hit with ransomware recently:
– A user becomes infected with ransomware
– Upon detonation, the ransomware encrypts the files on the user’s hard drive
– Some of the files on the user’s hard drive are in sync folders of a cloud app
– The encrypted versions of the files sync with the cloud app, replacing the cloud versions with the encrypted ones
– Then additional users, with whom the original user had shared the sync folder, sync their desktop client folders with the cloud, and those desktop files become encrypted

We have observed the fan-out effect both for the spread of malware itself and for the spread of the effect of malware, such as encryption in the above example.

Note that our initial research was only on enterprises’ sanctioned apps, which represent less than five percent of total cloud usage. Given this, we believe that both malware, and this fan-out effect, are far more widespread than the 4.1 percent we observed. As we begin applying this research to unsanctioned apps in our cloud access security broker, we’ll report on what we find in future reports.

What do we recommend to combat this? Five things:
1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more
2. Scan for and remediate malware at rest in your sanctioned apps
3. Detect malware incoming via sanctioned and unsanctioned apps
4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors
5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server
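The fan-out sequence described above and recommendation 4 (detecting unusual upload activity) in practical form, as an added example that is not Netskope's code or part of the report: it parses a constructed sync audit log in a hypothetical format, flags a user whose client uploads a burst of files renamed with an unfamiliar extension, and lists the collaborators whose shared folders would receive the encrypted copies. The event format, the extension list and the sharing table are assumptions for the demo.

```python
"""Detect the ransomware "fan-out" in cloud-sync audit events.

Hypothetical event format (constructed for this example, not a real
vendor schema):  <ISO-8601 time> user=<id> action=<upload|delete> path=<path>
An infected workstation replaces many files in a sync folder within minutes,
usually renaming them with an unfamiliar extension; each replacement syncs
up to the cloud and then down to every collaborator on that folder.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")

# Extensions normal office activity produces (an assumption for the demo).
KNOWN_EXT = {"docx", "xlsx", "pptx", "pdf", "txt", "png", "jpg", "csv"}

def parse_event(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "path": path}

def is_suspicious_rename(path):
    """True for names like report.docx.locked: a known extension followed by
    an unknown one, the trace left when a file is encrypted in place."""
    parts = path.rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return parts[-2].lower() in KNOWN_EXT and parts[-1].lower() not in KNOWN_EXT

def detect_fanout(lines, window=timedelta(minutes=5), threshold=10):
    """Flag each user whose client uploads at least `threshold` suspiciously
    renamed files within `window`, recording the shared folders touched."""
    recent = defaultdict(deque)   # user -> (time, path) pairs inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if (ev is None or ev["action"] != "upload"
                or not is_suspicious_rename(ev["path"])):
            continue
        q = recent[ev["user"]]
        q.append((ev["time"], ev["path"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ev["user"], {
                "user": ev["user"], "first_seen": q[0][0],
                "count": 0, "folders": set()})
            alert["count"] = max(alert["count"], len(q))
            alert["folders"].update(p.rsplit("/", 1)[0] for _, p in q)
    return alerts

def blast_radius(alert, shares):
    """Collaborators whose desktop clients will pull the encrypted versions:
    everyone the affected folders are shared with, minus the origin user."""
    exposed = set()
    for folder in alert["folders"]:
        exposed |= shares.get(folder, set())
    return exposed - {alert["user"]}

# Constructed sample: bob makes a normal edit; alice's machine detonates
# ransomware at 09:14 and her sync client uploads 13 encrypted replacements.
SAMPLE_EVENTS = (
    ["2015-11-03T09:02:10Z user=bob action=upload path=/Shared/Q4/budget.xlsx"]
    + [f"2015-11-03T09:14:{i:02d}Z user=alice action=upload "
       f"path=/Shared/Q4/doc{i}.docx.locked" for i in range(12)]
    + ["2015-11-03T09:15:30Z user=alice action=upload path=/Shared/HR/policy.pdf.locked"]
)
SHARES = {"/Shared/Q4": {"alice", "bob", "carol"}, "/Shared/HR": {"alice", "dave"}}

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS).values():
        print(f"{a['user']}: {a['count']} renamed uploads since {a['first_seen']}, "
              f"folders {sorted(a['folders'])}, exposed {sorted(blast_radius(a, SHARES))}")
```

Because the alert names the folders involved, the same output tells the responder which collaborators' trash or version history (recommendation 1) to restore from.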

Top Ten Reasons You Need to Attend the CSA Summit @ RSA February 29th

February 22, 2016

Cloud Security Alliance’s 7th annual CSA Summit @ RSA will be our biggest yet, with educational sessions covering cloud security from every angle. This Monday event is free for any type of RSA Conference pass holder, so make your plans to attend. If you need any more enticement, below are the Top Ten reasons you need to be there:

  1. Leading edge discussions of containerization, new cloud attack vectors, Cloud Access Security Brokers (CASBs), identity, Internet of Things (IoT) and much more!
  2. It is held on Leap Day, so if you are operating on an old calendar you probably didn’t have anything scheduled for February 29 anyway.
  3. Former SEC Commissioner Luis A. Aguilar provides his vision of how Boards of Directors must address emerging cybersecurity issues, how private and public companies must cope with rapid technological innovation, and the role the U.S. Securities and Exchange Commission must play now and in the future.
  4. Free lunch.
  5. Enterprise experts abound to share experiences. Learn how cloud is causing GE to completely rethink their network architecture and security controls. Hear Cisco CISO John Stewart discuss managing cloud security at scale in a decentralized world. Don’t miss Vinay Patel from Citi launch the CSA Global Enterprise Advisory Board.
  6. See a noted security celebrity get the annual CSA Leadership Award (hint: it won’t be Leonardo DiCaprio).
  7. Security experts provide guidance to overcome the CSA’s Top Threats to Cloud Computing, with the new report to be released at the Summit.
  8. Guaranteed no ransomware-infected USB drives in attendee bags.
  9. Herjavec Group CEO and top “Shark” Robert Herjavec discusses information security innovation and puts the industry’s top cloud providers on the hot seat.

And the number one reason you need to attend the CSA Summit @ RSA February 29th:

  1. No 2016 Presidential Candidates Allowed in the Room.

Come to the Summit to learn, engage and start your RSA week off right.

Something’s Gotta Give, And It’s You

February 17, 2016

By David Payne, VP Systems Engineering, Code42

IT has lost the ability to unilaterally command which software employees access and what devices they carry. Anybody with a credit card can get the tools he or she needs to work fast and unencumbered. This freedom has significant impact on data security. But there’s no going back to a time when employees acquiesce just because IT says no.

The adversarial relationship that has festered between IT and “end users” prevents learning and increases vulnerability.

For example: Is it the user’s fault when a window pops up on his screen suggesting he update his Flash player and the false link unleashes a virus into the network?

Or what about this one: Despite the policy (written for the company road warriors) about always using the VPN and never storing sensitive data on laptops, who’s to blame when the device is breached, with hundreds of customer documents and details, during a week-long international sales trip?

In a lot of scenarios, the right technology and small shifts in behavior can change (and mend) the relationship between employees and IT and InfoSec—and in so doing improve data security.

German philosopher, critic and poet Friedrich Nietzsche summarized the way people live and think in the phrase, “He who has a why to live for, can bear almost any how.” I use this aphorism to describe the new relationship IT must forge with workers. Instead of policing end users and erecting barriers to protect them from themselves, IT needs to innovate around the people it supports. That means seeing them as people striving to meet their business goals, not end users who must be admonished for their own good.

Does that mean IT has lost the war? Not at all. When IT supports the work of employees—without sacrificing data security and integrity—it must deeply understand both the way employees work and why they do what they do. The question becomes not, “Why don’t employees save files on the file server like I told them to?” but, “What technology will make file backup automatic and inconspicuous so employees don’t have to worry about it?”

In reverse, this shift will help employees better understand the “why” of IT and InfoSec and encourage employees to examine how their behavior affects the security posture of the organization.

“I understand some of these restrictions are here to protect all of us, not to prevent me from getting my work done.”

When IT sees people (rather than end users) trying to get important jobs done with the least resistance, and employees see IT and InfoSec as protecting the business, data security feels and looks more like a team sport than a boxing match.

Tentative Safe Harbour Agreement Reached—For Now

February 12, 2016

By Rachel Holdgrafer, Business Content Strategist, Code42

The European Union and the United States have reached a preliminary agreement that would allow companies doing business on both sides of the Atlantic to resume transmitting individuals’ digital data.

Struck down in October 2015 for failing to sufficiently protect European citizens’ data, transatlantic data transfer governed by the Safe Harbour Agreement is the lifeblood of thousands of companies including Google, Amazon and Pfizer. European privacy groups demanded that an agreement be reached by January 31, and while negotiators missed the deadline, they reached agreement on February 2.

The new legislation guarantees that U.S. intelligence agencies would not have:

indiscriminate access to Europeans’ digital data when it is sent across the Atlantic in the course of business.

It also puts more responsibility on U.S. companies to protect the data of European citizens. Additionally, the European Commission reports that European citizens who believe that their data has been misused will have several possibilities for redress.

Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

But companies doing business in both Europe and the United States are not in the clear yet. The New York Times reports:

Many obstacles still await the deal, which must be officially approved by the union’s 28 member states. National data protection regulators have yet to give their support to the pact, and European privacy-rights advocates are preparing to file legal challenges seeking to overturn it.

European privacy groups are skeptical that the U.S. will uphold the data protection rights that European citizens demand and “support further restrictions on how companies can move the data if they suspect it may still be misused.”