Want To Empower Remote Workers? Focus On Their Data

By Jeremy Zoss, Managing Editor, Code42

Here’s a nightmare scenario for IT professionals: Your CFO is working from the road on a high-profile, highly time-sensitive business deal. While he is working late on documentation for the deal, a spilled glass of water fries his laptop, and every file on it is lost. What options does your organization have? How do you get the CFO those critical files back, ASAP, when he’s on the other side of the country?

Remote user downtime has high costs
It’s not just traveling executives that worry IT pros. Three-quarters of the global workforce now regularly works remotely, and one in three work away from the office the majority of the time. Across every sector, highly mobile, on-the-go users play increasingly important roles. When these remote users lose, destroy or otherwise corrupt a laptop, the consequences can be serious.

  • On-site consultants: Every hour of downtime is lost billable time.
  • Distributed sales teams: Downtime can threaten deals.
  • On-site training and technical support: Downtime interrupts services, which can hurt relationships and reputations.
  • Work-from-home employees: These might not be high-profile users, but downtime brings productivity to a halt—a cost magnified across the growing work-from-home workforce in most organizations.

Maximizing remote productivity starts with protecting remote user data
Businesses clearly recognize the huge potential in empowering remote workers and mobile productivity. That’s why they’re spending time and money on enabling secure, remote access to digital assets. But too many forget about the other end of the spectrum: collecting and protecting the digital assets that remote workers are creating in real-time—files and data that haven’t made it back to the office yet. As productivity moves further away from the traditional perimeter, organizations can’t let that data slip out of view and beyond backup coverage.

Get six critical tips to empower your mobile users
Read the new white paper and see how endpoint visibility provides a powerful foundation for enabling and supporting anytime-anywhere users.

New CSA Report Offers Observations, Recommendations on Connected Vehicle Security

By John Yeoh, Research Director/Americas, Cloud Security Alliance

Connected Vehicles are in the news for introducing new features and capabilities to the modern automobile. Headlines also highlight security hacks that compromise vehicle operations and usability. While sources note that the vulnerabilities identified so far have been addressed, a greater understanding is needed on how tomorrow’s Connected Vehicle will operate in an environment composed of both legacy and modernized traffic infrastructure. The Connected Vehicle will be designed to communicate with countless other devices and interfaces. Security systems, tools, and guidance are needed to aid in protecting vehicles and the supporting infrastructure.

Through research and development within the CSA Internet of Things Working Group and the United States Department of Transportation Federal Highway Administration, CSA is introducing “Observations and Recommendations on Connected Vehicle Security” to keep consumers and manufacturers up to date on the evolution of vehicle connectivity, areas of concern, and recommendations for securing the connected vehicle environment. The paper will provide a “big picture” view of the various aspects of vehicles and infrastructure components to better understand their interrelationships, dependencies and threats to the traffic ecosystem.

Learn about:
  • Connected Vehicle reference architectures and messaging protocols
  • V2V, V2I, V2X interactions
  • Potential System-of-System attacks and outcomes
  • Cross collaboration of IoT devices and systems
  • Vehicle design, platform, and infrastructure security best practices

The CSA Internet of Things Working Group continually evaluates and conducts research on new technologies involving cloud and the Internet of Things. CSA collaborates with other industry organizations to bring the latest guidance and security best practices to IT and enterprise.

A Management System for the Cloud – Why Your Organization Should Consider ISO 27018

By Alex Hsiung, Senior Associate, Schellman & Co.

Cloud computing technologies have revolutionized the way organizations manage and store their information.  Where companies used to house and maintain their own data, a host of organizations have now made the switch to a cloud-based model due to the ease of use and cost-saving benefits promised by the cloud.

But what is a cloud without a little rain?  The benefits of cloud technologies have not come without their costs.

Within the world of cloud computing, there have been three persistent concerns:

  1. Security
  2. Security
  3. Security

A quick search for the pitfalls and concerns organizations face with cloud computing yields a recurring motif.  Every company looking to incorporate a cloud-based service has to weigh the benefits that a cloud environment affords against the risks associated with entrusting an organization with its sensitive data.  This data tends to include personally identifiable information (henceforth referred to as PII), which is generally the most scrutinized category of data and is subject to some of the strictest legal and regulatory requirements.

Customers of cloud service providers want assurance that the PII they have entrusted to the provider is held to at least the same security standard it would have received had it remained within their own control.  For some organizations the stakes are higher still, because that standard is mandated by legal and regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) for electronic protected health information and the Gramm-Leach-Bliley Act (GLBA) for sensitive financial information.

Many cloud service providers maintain that they are unaware of the content of the data they ingest on behalf of their customers.  However, in the event of a security breach involving personal health information or sensitive financial data, the cloud service provider can still incur significant fines and reputational damage if appropriate security and privacy measures were not in place.  This is where an effective information security management system, with control considerations tailored specifically to cloud security and the privacy of PII, proves invaluable to a cloud service provider.

You may be wondering what an information security management system is.  It is easier to start with what it is not: an information security management system is not an actual “system”, “application” or “tool” that performs information security functions.

A broader definition is as follows: an information security management system is the organization’s holistic approach to addressing information security risk.  That includes top management’s buy-in to addressing those risks, which management demonstrates through its actions by:

  • Fostering a top-down approach to information security that encourages personnel throughout the organization to be aware of information security best practices
  • Performing risk assessments that are tailored to its organization’s unique threats and vulnerabilities
  • Proactively searching for issues and concerns through the selection and use of internal auditors
  • Monitoring and measuring the performance and effectiveness of the information security management system
  • Establishing a commitment to continually improving the information security management system
  • Ensuring that security controls are implemented and applicable to its organization’s goals and purpose

The standard most commonly used to demonstrate an organization’s effective implementation of an information security management system is ISO 27001.  ISO 27001 serves as a baseline framework that virtually any service provider, cloud-based or otherwise, can work toward implementing.  ISO 27001 provides a multitude of benefits to organizations that implement an effective information security management system, but two are perhaps the most pertinent and deserve mention:

  • An effective information security management system demonstrates to prospective and current customers that the service organization means business about protecting the data that it is entrusted with and responsible for.
  • An effective information security management system helps an organization establish a forward-thinking, proactive approach to information security, as opposed to the backward-looking mindset generally fostered by an audit culture that focuses on historical information.

The points above may be enough for any service organization to consider implementing an information security management system.  The reputational benefit an organization enjoys by demonstrating to its customers that it takes its handling of information seriously is difficult to measure.  The cost savings from having effective response procedures in place before a security incident occurs are also incalculable – just ask United Airlines.  Sure, that was a different kind of incident, but the age-old adage remains: failing to prepare is preparing to fail – and that is the essence of ISO.

However, the buck does not stop at ISO 27001, especially for cloud service providers, who by virtue of their trade must take information security even more seriously.  On top of the requirements of ISO 27001, a cloud service provider can implement a further set of measures that strengthen the security and privacy controls applied when handling sensitive data such as PII.  Those measures are codified in ISO 27018, which is implemented in tandem with an information security management system that conforms to ISO 27001.

ISO 27018, formally ISO/IEC 27018:2014, is a code of practice that builds upon an organization’s information security management system by adding a set of privacy controls dedicated to protecting PII in public clouds whose providers act as PII processors.  In other words, ISO 27018 supplies a subset of controls focused specifically on sensitive personal data held in the cloud.

A high-level overview of some of the ISO 27018 requirements is included below:

  • Providing cloud customers with the ability to access, correct, and erase their own PII
  • Ensuring that data is processed according to its intended purpose and not taken out of context
  • Procedures for the deletion of temporary files
  • Implementing defined disclosure procedures
  • Providing open, transparent notice in the event that sub-contractors are utilized
  • Encouraging accountability on behalf of the cloud service provider through the implementation of breach notification procedures
  • More stringent information security requirements on the part of the cloud service provider

Hopefully, after considering the above, it is clearer that an information security management system aligned with ISO 27001 is highly valuable for any service organization, and that for cloud service providers hoping to assuage their customers’ security and privacy concerns, aligning those controls with ISO 27018 as well may be the organization’s best option.

As the technologies around us evolve, so do their underlying threats and vulnerabilities.  An effective information security management system affords an organization a proactive, forward-thinking approach to information security.  This is all the more important given that cloud computing technologies have been plagued with security and privacy concerns since their inception; the risks will only continue to increase.

If you represent a cloud service provider, it may be time to consider how your organization can benefit from implementing an information security management system that aligns its ISO 27001 controls with the ISO 27018 objectives.

For more information on ISO 27018, you can view our webinar on-demand: Privacy in the Cloud – an introduction to ISO 27018

Ransomware 101

By Jacob Serpa, Product Marketing Manager, Bitglass

Unless you’ve been living under a rock for the last few weeks, you know that there has been a notable increase in cyberattacks around the world. The most prominent is a piece of ransomware called “WannaCry”. Early reports described it spreading via emails that trick recipients into opening attachments; what made it unusually damaging, though, is that it also spreads on its own across networks, from one unpatched Windows machine to the next, through a flaw in the SMB file-sharing service for which a patch was already available.

Within days, over 150 countries had been affected by WannaCry, with the largest impact falling on the NHS in England and Scotland. The attack hit at least 16 NHS organizations, crippling hospitals and general practices and forcing them to turn away patients.

What you need to know about ransomware
Once your system is infected, ransomware encrypts your files, rendering them useless without the decryption key. The attackers then demand payment (typically in Bitcoin) in exchange for the key that releases the hostage data.

Ransomware’s effects are not limited to the files on a device – it can also affect the device as a whole. Some variants lock user profiles so that individuals cannot log in to their devices without paying, and others alter the computer’s startup process so that it cannot finish booting until a ransom is paid.

What you need to do to protect against ransomware
Companies must ensure adequate employee training to protect against ransomware. For example, employees must be able to recognize phishing attempts and illegitimate emails. Users must also keep their operating systems, software and applications up to date, since worm-style ransomware spreads fastest through unpatched machines. Finally, regular backups of data are a necessity, and they must be versioned or kept offline so that the backup cannot be encrypted along with the originals.

In addition to the above, organizations must adopt technological defenses against ransomware. Traditional, signature-based solutions can detect previously identified threats; to catch unknown threats, they must be complemented by solutions that use behavioral analysis and machine learning.

As hackers become more sophisticated, companies must use a multi-pronged approach to prevent the spread of ransomware.

CTRL-Z and the Changing Data Landscape

By Mark Wojtasiak, Director of Product Marketing, Code42

The massive “WannaCry” ransomware attack that appeared in Europe last week and spread to over 150 countries is a perfect illustration of why enterprise data storage is in a period of flux. Today, organizations can choose to keep their data in the cloud, on-premise, or across both in a hybrid deployment. This variety of choice is great – it caters to pretty much every type of organization and allows IT decision makers to see where sensitive corporate information is at all times—right?


In 2017, 50 percent of all corporate data is actually held locally, at the endpoint, on employee devices. This is according to 800 IT decision makers (ITDMs) and 400 business decision makers (BDMs) surveyed as part of our brand new CTRL-Z Study, a pan-global report looking into the data practices of some of the world’s largest organizations and most senior stakeholders—including the C-suite—across the U.S., U.K., and Germany. The endpoint is also where 78 percent of ransomware attacks begin, and WannaCry has reportedly spread to over 100,000 organizations so far.

When ‘benefits’ outweigh the risks
The serious security implications and risks to productivity that this shift in data repositories represents are well understood at the top of the organization, with 65 percent of CIOs and 63 percent of CEOs stating that losing all the data held at the endpoint would destroy their business. But, in reality, awareness of the risk is doing little to dissuade poor security practices.

Three quarters (75 percent) of CEOs and more than half (52 percent) of business decision makers admit that they use applications/programs that are not approved by their IT department. The vast majority (80 percent) of CEOs and 65 percent of BDMs also say they use these unauthorized solutions to ensure productivity. This is despite 91 percent of CEOs and 83 percent of BDMs acknowledging that their behaviors could be considered a security risk to their organization.

So, to put it bluntly, there’s behavior at the top of numerous enterprises that favors productivity and getting the job done over data security, and CEOs and key BDMs realize this. Therefore, especially in light of coordinated global cyberattacks, the big question is: “Where does the enterprise go from here?”

Recovery is the key to data security
Productivity is undoubtedly the key to business success. At the same time, protecting data and being able to recover rapidly from a breach or undo a ransomware infection is integral to business continuity. Around 50 percent of respondents to the CTRL-Z study admitted that their organization had suffered a data breach in the last 18 months. As those numbers show, a ‘prevention only’ approach to security is no longer sufficient. Tried and tested recovery must now be at the core of the enterprise data protection strategy, so that employees are back up and running quickly should a breach occur. After all, the biggest cost of a ransomware attack isn’t the ransom payment; it’s the lost productivity that results from not having the right backup and restore solution in place.

When it comes to security, there are three pillars to ensure success. First, organizations must be able to spot risk sooner. Gaining visibility over where data is, how it moves, who accesses it and when could act as an early warning system to alert ITDMs to both insider and external threats. Second, the enterprise as a whole always needs to be able to bounce back. When a data incident occurs, internal teams and the backup solutions in place need to be tested and ready to face the challenge. Finally, if the organization is to remain competitive, it needs to recover quickly. Time is money, and in the modern enterprise, so is data. Whatever goes wrong, whether that be a company-wide breach or an insider leaking a single file, IT professionals need to be able to identify the where, when and who of the situation immediately if they hope to mitigate the risk.

Now is definitely the time for change, and the enterprises that want to remain competitive are starting to act. As many organizations around the world have learned in recent days, it’s not if you will be hit by a cyberattack, but when.


Malware: Painting a Picture

By Jacob Serpa, Product Marketing Manager, Bitglass

Part One
Now more than ever, companies are flocking to the cloud. Through a variety of software as a service (SaaS) and infrastructure as a service (IaaS) offerings, enterprises are able to raise their efficiency, increase their flexibility and decrease costs. However, pursuing these benefits comes with risk. In particular, malware and ransomware have transformed from endpoint problems into systemic threats to organizations’ suites of cloud apps.

While it may be tempting to run from the cloud (and the threats hiding in its billows), the fact remains that it is a staple of modern business – it’s here to stay. So, enterprises must take steps to understand malware and safely capture the benefits of the cloud. This process is similar to composing a painting in that there are many items to consider when trying to complete a picture of the ideal future. Each piece of secure cloud migration corresponds with one aspect of painting – see how in this two-part blog series.

The Saboteur: Types of Malware
Malware can be thought of as a sly saboteur waiting for an opportunity to throw paint at your canvas and ruin your design.

Malware can be divided into a number of smaller classifications: horror stories often revolve around worms, spyware, trojan horses, ransomware and many other types of malware. Despite this lengthy list, two overarching categories are of primary importance. When evaluating malware, one must think in terms of known threats and unknown threats. A known threat is a piece of malware that has been seen before and therefore has a signature; an unknown threat (often called zero-day malware) is relatively new and has not yet been catalogued, so signature-based tools have nothing to match against. Zero-day malware is a particular risk because it is harder to detect – there can be months of damage, theft and infection before it is noticed. The two categories present different challenges and must be addressed in different ways, as will be discussed in Part Two.
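As an added example (not code from this post, the Ransomware 101 post above, or Bitglass), the following Python script contrasts the two detection approaches those posts describe: a signature check that catches a known threat by file hash, and two behavioral checks, byte entropy and write bursts, that can flag an unknown ransomware strain for which no signature exists yet. Every file body, hash, process name and file-system event in it is constructed for the demonstration.

```python
"""Ransomware detection heuristics: signature, entropy and burst checks.

Added example, not code from the original posts. Every sample file, hash,
process name and event below is constructed for the demonstration.
"""
import hashlib
import math
from collections import Counter, defaultdict

# A constructed "known bad" sample and its hash, standing in for a vendor's
# signature list. Known threats are caught by exact hash match.
SAMPLE_PAYLOAD = b"constructed sample dropper body - not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

ENTROPY_THRESHOLD = 7.5      # bits per byte; documents and source code sit well below
MIN_SIZE_FOR_ENTROPY = 256   # tiny files give noisy entropy estimates
BURST_WINDOW_S = 10          # seconds
BURST_THRESHOLD = 20         # distinct files rewritten by one process inside the window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(data: bytes, known_bad=KNOWN_BAD_SHA256) -> str:
    """Signature check first (known threats), then an entropy heuristic:
    encrypted output looks like random bytes, unlike the document it replaced."""
    if hashlib.sha256(data).hexdigest() in known_bad:
        return "known-malicious"
    if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "suspicious-encrypted"
    return "clean"


def pseudo_random_bytes(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic high-entropy bytes via hash chaining; stands in for the
    ciphertext ransomware writes over a document (constructed, not real)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def detect_bursts(events, window=BURST_WINDOW_S, threshold=BURST_THRESHOLD):
    """Return the set of process names that rewrote at least `threshold`
    distinct files within any `window`-second span. Mass rewrites are the
    behaviour ransomware cannot avoid, whatever its signature.

    events: iterable of (timestamp_seconds, process_name, path, operation)
    """
    per_proc = defaultdict(list)
    for ts, proc, path, op in events:
        if op in ("write", "rename"):
            per_proc[proc].append((ts, path))
    flagged = set()
    for proc, writes in per_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            if len(paths) >= threshold:
                flagged.add(proc)
                break
    return flagged


# Constructed sample files: a plain memo, the "known" dropper, and the memo
# after a hypothetical ransomware overwrote it with ciphertext.
SAMPLE_FILES = {
    "memo.txt": b"Quarterly memo: revenue up, costs flat, hiring paused. " * 20,
    "dropper.bin": SAMPLE_PAYLOAD,
    "memo.txt.locked": pseudo_random_bytes(4096),
}

# Constructed file-system events: a word processor saving three documents
# over a minute, and an unknown process renaming 25 files in five seconds.
SAMPLE_EVENTS = (
    [(20.0 * i, "winword.exe", f"C:/Users/a/report{i}.docx", "write") for i in range(3)]
    + [(100.0 + 0.2 * i, "unknown.exe", f"C:/Users/a/docs/file{i}.xlsx", "rename") for i in range(25)]
)


def scan(files=SAMPLE_FILES) -> dict:
    """Classify every sample file; returns {name: verdict}."""
    return {name: classify_file(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:18} {verdict}")
    print("burst-flagged processes:", detect_bursts(SAMPLE_EVENTS))
```

Run as-is, `scan()` returns "known-malicious" for the dropper, "clean" for the memo and "suspicious-encrypted" for the overwritten copy, and `detect_bursts(SAMPLE_EVENTS)` flags only the process that rewrote 25 files in five seconds. In production the entropy check needs an allow-list for formats that are legitimately compressed or encrypted (ZIP, JPEG, PDF streams), and the burst window and threshold are tuned per environment so that backup agents and build jobs do not trip it.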

Data Loss Threatens M&A Deals

By Jeremy Zoss, Managing Editor, Code42

One of the most popular breakout sessions at Evolution17 featured a great merger and acquisition (M&A) scenario: Midway through the deal, critical information leaks, devastating the value of the deal. How can you figure out how much info leaked—by whom and to whom?

Here’s why that storyline was so riveting: 2016 saw more than $3.5 trillion in M&A deals. And the vast majority of those deals revolved around valuations of intellectual property (IP), which today makes up about 80 percent of a typical company’s value. If you’re a buyer organization, consider these questions:

  • Are you aware of all the IP within the target company?
  • Can you be sure all this IP will come with the deal?
  • Can you be certain it won’t leak to a competitor?

Data loss is a growing M&A problem
For most buyers, the answers to the questions above are no, no and no. This lack of visibility and security for the very assets a company is buying is startling, and it’s increasingly impeding the success of M&A deals. A 2016 survey of dealmakers found that about three in four M&A deals end up getting delayed—sometimes indefinitely—by data loss. Those that eventually get back on track often end up hobbled by missing data. Experts say this is a big part of the reason that 80 percent of M&As fail to achieve their potential or expected value.

M&A amps up the insider threat
Data loss is increasingly common in M&A for the same reason it’s increasingly common throughout the business world: More than half of all enterprise data now lives on endpoints, beyond traditional visibility and security tools centered on a network drive or central server. If the target company can’t see what its employees are doing with data on their laptops and desktops, then a potential buyer has near zero visibility. Couple that with the unique circumstances of an M&A deal and you’ve got a much higher risk of insider data theft. Laid-off employees freely take their endpoint data—sometimes for personal gain, other times just to sabotage their former employer. Those that do stick around tend to feel little loyalty toward their new company, lowering their inhibitions toward selling or taking data for personal gain.

There’s a better way to protect IP during M&A deals
IP is what an acquiring company is buying—the info that is critical to the value and competitive advantage gained through a deal. To make the most of an M&A opportunity, buyers need a better way to collect, protect and secure all data living on a target company’s endpoints—before, during and after a deal. Fortunately, with the right tools, a buyer can gain complete visibility of all endpoint data, take control of valuable IP and drive a deal to its most successful outcome.

Don’t let data loss sink an M&A. Read our new white paper, Best Practices for Data Protection During Mergers and Acquisitions.

What You Need to Know About Changes to the STAR Program

By Debbie Zaller, CPA, CISSP, PCI QSA, Principal, Schellman & Co., LLC

The CSA recently announced that the STAR Program will now allow a one-time, first-year only, Type 1 STAR Attestation report. What is a Type 1 versus Type 2 examination and what are the benefits for starting with a Type 1 examination?

Type 1 versus Type 2
There are two types of System and Organization Controls (SOC) 2 reports, Type 1 and Type 2. Both examine a service organization’s internal controls against one or more of the American Institute of CPAs’ (AICPA) Trust Services Principles and Criteria, as well as the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM). Both reports also include an examination of the service organization’s description of its system.

A Type 1 report examines the suitability of the design of the service organization’s controls at a point in time, also referred to as the Review Date. A Type 2 report examines not only the suitability of the design of controls that meet the criteria but also the operating effectiveness of controls over a specific period of time, also referred to as the Review Period.

In a Type 2 examination, the auditor must perform more detailed testing, request more documentation from the organization and spend more time than in a Type 1 examination. The additional documentation and testing requirements put a greater strain on the organization and require more resources to complete the audit.

A service organization that has not been audited against the criteria before may find it easier to complete a Type 1 examination in its first audit: it requires less documentation and less preparation, and the organization can respond more quickly to gaps noted during the examination.

The cost for a Type 1 examination is less than for a Type 2 examination because the examination testing efforts are less than what is needed for a Type 2. Additionally, fewer organization resources will be utilized for a Type 1, resulting in additional cost savings.

If the service organization, or a specific service line or business unit within it, was only recently implemented, the organization would have to not only put controls in place to meet the criteria but also operate those controls for a certain period before a Type 2 examination could be completed. There simply would not be enough operating history for a service auditor to perform a Type 2 examination. A Type 1 examination delivers a report sooner, without waiting out the review period that a Type 2 requires.

Benefits of a Type 1
Starting with a Type 1 report has several benefits, including:

  • Quicker report turnaround time and STAR Registry listing
  • Shorter testing period
  • Cost efficiencies
  • Easier to apply to a new environment or new service line

An organization might be trying to win a certain contract or respond to a client’s request for a STAR Attestation in a short period of time. A Type 1 examination does not require controls to be operating for a period of time prior to the examination. Therefore, the examination and resulting report can be provided sooner to the service organization.

Starting with a Type 1 report has many benefits for a first-year STAR Attestation. The organization will find this useful when moving to a Type 2 examination in the following year.

It is important to note, though, that a Type 1 is considered only an intermediate, preparatory step on the way to a Type 2 STAR Attestation.

Mind the Gap

By Matt Piercy, Vice President and General Manager EMEA, Zscaler

The number of IT departments that do not acknowledge the security gaps cyber-attackers can exploit is astonishing. The problem is that many within the industry believe their security posture is under control because they have not looked at the wider picture. The number of threats grows every day, and as new technologies and opportunities emerge, companies need new security infrastructure to cope with the changing threat landscape. Meanwhile, C-level executives struggle to approve the budget needed to bring enterprise security up to the next level of protection. Companies that do not keep up with these developments are left more vulnerable to data breaches as a consequence.

Executives are well advised to check whether they have considered the following points in their security posture.
  1. More than 50% of all internet traffic is SSL/TLS encrypted today. That may sound secure, but it cuts both ways: it is too easy to hide a modern cyber-attack in encrypted traffic, because many companies do not inspect that traffic at all. One reason is performance, since decrypting and re-encrypting traffic for inspection demands considerable processing power and bandwidth from the existing security infrastructure. Another is regulatory, as companies have not yet worked out how to inspect encrypted traffic in a way that complies with local privacy rules; inspection means the company terminates its users’ TLS sessions at an intermediary, so it must also decide which traffic, such as banking or health sites, to exempt. As a consequence, over half of all internet traffic goes uninspected for modern malware – and attackers know it.
  2. Mobile devices are another issue, with users potentially accessing compromised websites or applications on devices that are not covered by the company’s security umbrella. Because the mobile user is the weakest link in the security shield, there is a real danger that an infected mobile device logs on to the corporate network and lets the malware spread further. The device could be owned by the employer, and if it isn’t secured, sensitive customer and business data could be easily retrievable from it. What is surprising is that despite mobile traffic accounting for more than half of all internet traffic, it still isn’t treated as a priority to secure. Modern security technologies are available that can monitor traffic from every device at every location the user visits, and organisations need to start implementing them to close more gaps in their security shield.
  3. Office 365, for all its success as a cloud application, also needs the attention of security executives. Companies struggle to cope with the increase in MPLS network traffic and bandwidth that O365 brings, so they may be tempted to break that traffic out directly to the internet from each branch, where it flows between users, devices and clouds without passing through the corporate security stack. To avoid the consequences, companies are well advised to modernise their security infrastructure so that every location and branch office gets fast and secure access to the cloud, and with it a good user experience.
  4. The incoming EU General Data Protection Regulation (GDPR) will require companies to secure personally identifiable information (PII) more rigorously than ever before, or risk huge fines and subsequent reputational damage in the event of a data breach. Importantly, even UK companies will have to comply with GDPR after Brexit if they process the personal data of EU citizens. Companies will need to obtain valid consent for using personal data, appoint a data protection officer (DPO) where the regulation requires one, notify their data protection authority within 72 hours of becoming aware of a data breach and, perhaps most crucially, face fines of up to €20m or 4% of annual worldwide turnover, whichever is higher, for non-compliance. With so much to do, businesses need to do their homework to ensure they are compliant by 25 May 2018.

Companies are setting off on the path towards digital transformation. They would do well to consider the security requirements that go along with a modern world before they set off on that path.