July 15, 2016
By Jim Reavis, Co-founder and CEO, Cloud Security Alliance
As cloud computing and unmanaged endpoints continue to gain traction, it is a foregone conclusion that information security technical controls must become more virtual – that is to say, software-based. Rapidly disappearing are the days of physical perimeters and hardwired network architectures.
One of Cloud Security Alliance’s most promising research projects, Software Defined Perimeter (SDP), looks to accelerate the implementation of virtual controls to make organizations more secure without losing the agility cloud and mobility offer. SDP is inspired by the military’s classified, “need to know” network access model. SDP provides the blueprint for an on-demand, point-of-use security perimeter with a tremendous number of interesting security use cases.
The linked slide deck is a presentation about SDP from Kirk House, who is an SDP Working Group leader as well as Global Director, Enterprise Architecture at The Coca Cola Company. Kirk’s presentation provides an enterprise view of how we need to rethink security with SDP. By starting with zero trust, the ability to achieve application segmentation, eliminate a wide variety of intermediate attack vectors and achieve greater overall security is compelling.
Software Defined Perimeter is coming to you soon, and I hope you will take the time to learn more about it.
July 15, 2016
By Mark Wojtasiak, Director of Product Marketing, Code42
Gartner’s June 2016 article, “Use These Five Backup and Recovery Best Practices to Protect Against Ransomware,” outlines five steps for mitigating the threat and/or risk of being hit with ransomware. I will spare you the market stats and dollar figures intended to scare you into taking action now. If you have an affinity for ransomware horror stories, click here, here, here, or even here.
Or let’s spend time looking at Gartner’s best practices to determine if you believe we are a legit provider of ransomware protection. Heads-up: when it comes to ransomware, one-third of our customers recover from ransomware using our endpoint backup + restore software, so Code42 customers represent.
Gartner Step 1: Form a single crisis management team
Typically, a crisis management team consists of only the customer’s employees, but Code42 does have a virtual seat at this table. Each and every day Code42 system engineers, IT staff, product managers, developers, professional services and customer support staff meet to discuss and address issues raised by our customers. This response team works together to solve customer problems so customers can effectively conduct internal risk assessments and respond to incidents that threaten the health of their endpoint data.
Gartner Step 2: Implement endpoint backup
This IS our responsibility, and we are the best at it, so say our customers, including one senior IT manager who said, “CrashPlan gives me immense confidence as an IT manager. Case in point: an executive was traveling to Switzerland for a big presentation and had his laptop stolen en route. He was able to go to an Apple store, purchase a new machine, install CrashPlan, sign in and restore his files in time for the presentation. And we won the business. I was able to talk him through this on a five-minute phone call. It does not get better than that.” (Click here to read the entire review.*) Or instead of reading through all the reviews and case studies, we can cut to the chase and simply answer the question: Why are we the best? Because we deliver what matters most to enterprise customers—from end users to admins to executives.
- It just works. Code42 works continuously to back up your data no matter the device, no matter the network. In fact, 7/10 IT admins consider themselves more productive after deploying Code42, which translates to more time focused on projects that are more strategic and rewarding.
- It scales bigger and faster than any other enterprise endpoint backup solution.
- Service and support is “stellar,” according to our customers. But don’t take our word for that, take theirs.
Gartner Step 3: Identify network storage locations and servers vulnerable to ransomware encryption
Yes, you need to protect your servers, but let’s get to the point: or rather, let’s start at the endpoint where 95% of ransomware attacks originate. Server backup wasn’t designed to restore data to endpoints.
Gartner Step 4: Develop appropriate RPOs and backup cadences for network storage and servers
We choose to focus on the source of attack where we are the best at meeting recovery point objectives (RPO) and backup cadences. Our backup frequency is 15 minutes by default, configurable down to one minute; whereas our competitor’s default backup frequency is every four hours, configurable down to five minutes. The more frequent the backup cadence, the better the protection against data loss. Gartner’s “Five Backup and Recovery Best Practices to Protect Against Ransomware,” advises, “The primary goal is to leverage newer backup methodologies to achieve more frequent recovery points…The goal here is backing up more often.” This is not just a server and network-storage best practice, it’s an endpoint best practice too.
Gartner Step 5: Create reporting notifications for change volume anomalies
Step five centers on endpoint backup reporting capabilities. Here Code42 is resoundingly on point. In the first half of 2016, the 5 series release of Code42 CrashPlan introduced a reporting web app that makes it easy to assess when users are not backing up frequently enough—putting your RPO in jeopardy. In addition, the ability to securely index and search user data archives helps security and IT teams find and identify malicious files through MD5 hash, keyword or metadata searches. Combine indexing and searching capabilities with web reporting capabilities to identify anomalies at the individual, department or group level.
For our take on how to mitigate the risk and remediate quickly from ransomware attacks, check out our white paper “Reeling in Ransomware – Data Protection for You and Your Users.”
*Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
What You Need to Know: Navigating EU Data Protection Changes – EU-US Privacy Shield and EU General Data Protection Regulation
July 12, 2016
By Marshall England, Industry Marketing Director, Technology & Cloud, Coalfire
If you’re an organization with trans-Atlantic presence that transmits and stores European citizen data (e.g. employee payroll & HR data, client & prospect data) in the U.S. you will want to pay attention. What we will discuss was administered under the European Union’s Data Protection Directive and a previous EU-U.S. agreement called Safe Harbor. We will cover what happened, what’s next, new rules (and penalties) that are set to go into effect and our recommendations.
Safe Harbor, invalidated by a European Court of Justice (ECJ) ruling (PDF) in October 2015, allowed companies to transmit and store EU citizen data in the US so long as the U.S. companies agreed to meet requirements as described in Decision 2000/520/EC, otherwise known as the ‘Safe Harbor Privacy Principles’. The European Court of Justice ruled to invalidate the Safe Harbor agreement as it determined that US companies were not able to meet the Safe Harbor Privacy Principles, because those principles conflicted with National Security Agency or other government agency subpoena requests for information and other government data collection programs. Data on EU citizens was found as a result of US government surveillance program information being made public. In other words, if U.S. companies had been complying with the Safe Harbor Privacy Principles, that information would not have been found or made public as a result of those programs.
In early February 2016, the US Department of Commerce and the European Commission announced a new framework called the Privacy Shield. Since then, a group known as the Article 29 Working Party, Europe’s data protection body, issued its own statement (PDF) about the Privacy Shield framework and expressed their reservations regarding the adequacy of the “Privacy Shield.” On July 8, 2016 the European Union Member States Representatives approved the final version of the Privacy Shield. The new Privacy Shield framework allows for transatlantic data transmission and outlines obligations on companies handling the data, in addition to written assurances from the U.S. that among other items rules out indiscriminate mass surveillance of European citizens’ data.
Additionally, in early 2016 the European Union enacted a new data protection framework that has been in the works since 2012, known as the General Data Protection Regulation. This new Regulation repeals and replaces the pre-existing European Union Data Protection Directive. While not much has changed in the new ‘Regulation’, U.S. companies should note that policies and procedures relating to employee data transmission from the EU to the U.S. must be updated, and should be aware of the new penalties. The new rules of the Regulation (and penalties) “will become applicable two years thereafter.” So, in 2018, the rules and penalties around the General Data Protection Regulation will go into effect.
New Rules that will go into effect (enforceable, starting in January 2018):
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
New Penalties that will go into effect (enforceable, starting in January 2018):
Under Article 79 of the Regulation, penalties and enforcements are described for Organizations less than 250 personnel and Enterprises. Violations of certain provisions for Enterprise organizations (> 250 employees) will carry a penalty of “up to 2% of total worldwide annual [revenue] of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual [revenue] of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organization.”
What should U.S. companies consider?
There are a few options we’ll highlight here such as conducting Privacy Assessments with Privacy Shield and GDPR regulations in mind, ISO 27001 / 27018 certification, cyber risk program development to include vendor risk management, incident response planning and cyber risk assessments.
What to do – Privacy Shield
As it relates to the new EU-U.S. Privacy Shield, companies should review and be aware of the legal requirements outlined in the Privacy Shield (PDF). For certified Safe Harbor organizations, continue to abide by those elements within Safe Harbor, as you still have an obligation to protect EU data transfers, and begin to incorporate the Privacy Shield requirements as you will have to obtain certification (in-house or third-party) to gain listing on the Privacy Shield website maintained by the Department of Commerce.
New requirements for Privacy Shield participating companies as outlined on the Commerce.gov site include:
- Informing individuals about data processing
- Maintaining Data Integrity and purpose limitation
- Ensuring accountability for data transferred to third parties
- Cooperating with the Department of Commerce
- Transparency related to enforcement actions
- Ensuring commitments are kept as long as data is held
What to do – EU GDPR
Under the new EU General Data Protection Regulation (Chapter 4, Section 2), not only is there also a requirement for an annual assessment, but the Regulation requires for data breach notification, incident response planning and security awareness training for staff involved in the data transmission process.
As it pertains to incident response planning and handling, the regulation stipulates notification to a supervisory authority within the European Union within 24 hours and notification to data owners without undue delay. Having an incident response plan in place will be critical to an organization’s ability to respond to a data compromise incident.
On vendor risk management, Article 26 stipulates that subcontractors cannot process or transmit data on behalf of the organization (e.g., the data controller). Since most organizations have programs for vendors to access systems or assist in data management, you’ll want to evaluate your vendors’ security and risk posture, since you could be affected by their negligence and entangled in one of those 2% or 4% of total revenue fine situations.
There are many other certifications and services that organizations should consider if they are not being done already including ISO 27001/27018 certification and attestation, privacy assessments and vendor risk management services to ensure data processors participate with Privacy Shield requirements and GDPR regulations.
ISO 27001 and 27018 certifications are based on an international security framework for securing information systems. ISO 27001 establishes an Information Security Management System (ISMS), and certification is an independent verification that your organization meets the ISO 27001 security standard.
ISO 27018 is a complement to ISO 27001 and specifically focuses on protecting Personally Identifiable Information (PII) transmission and storage in the cloud. For data controllers and data processors, meeting ISO 27018 will provide your organization with a method to establish control objectives, controls and guidelines for implementing measures to protect PII in the cloud in accordance with the privacy principles in ISO/IEC 29100.
The finalized Privacy Shield and the updated EU General Data Protection Regulation will require U.S. companies to make EU citizen privacy a paramount priority to avoid any ramifications from EU regulations. Contact Coalfire to discuss any of the above information. Where needed we can also pull in our partner law firm to further educate and provide guidance on the updated EU privacy and data changes.
July 11, 2016
By Jane Melia, VP/Strategic Business Development, QuintessenceLabs
“If your security sucks now, you’ll be pleasantly surprised by the lack of change when you move to cloud.” — Chris Hoff, Former CTO of Security, Juniper Networks
The chances are, almost everyone in your organization loves the convenience of the cloud for data storage and for collaborative workflow needs. And why wouldn’t they when documents and files are now easily accessible to all team members, whether down the hall, in another state or even on another continent? From a cost and operations perspective, cloud storage is certainly pretty compelling. However “almost everyone” might not include CIOs, CISOs and their teams, who often harbor concerns about the security of data in the cloud, and particularly where sensitive data is involved. I have similar misgivings. I’m not saying that we should not use the cloud, but I do believe that we can improve how we secure sensitive data stored on it.
Blue Skies or Dark Clouds Ahead?
In a recent report titled “Blue Skies Ahead? The State of Cloud Adoption,” Intel Security said that IT decision makers are warming to the cloud along with the rest of us, with 77 percent saying they trusted the cloud more than they did a year ago. This hides a darker reality: only 13 percent of respondents actually voiced full trust in the public cloud, with 37 percent trusting their private cloud. Surprisingly, a full 40 percent of respondents claim to process sensitive data in the cloud, indicating that there is both room and a real need for cloud security improvement.
Adding Peace of Mind to Cloud Storage
When I hand over data to a third party, I want to be sure that they are not only contractually obliged to look after it properly but are actually equipped to do it. This means protecting it from accidental loss, malicious attacks and from silent subpoenas, among other threats. Logging and multi-factor authentication are part of the tool kit that can be implemented, as is encryption. There is an existing (and growing) awareness of the importance of encryption which is why most cloud service providers offer encryption options of one kind or another. But too frequently the third-party vendor is doing the encrypting, and holding the keys, which isn’t very reassuring to say the least.
Fundamentally, the best way to ensure data is safe and managed well is to pre-encrypt it before it’s sent to the cloud. Coupled with a policy of keeping key management in house, these precautions should allow for several hours of blissful sleep each night for members of the IT security team, whether the cloud is public, private, or a hybrid of the two! Other approaches include using two or more different vendors to handle the different parts of the storage solution: one vendor can manage the keys while the other manages the storage itself. Key wrapping is another way to reduce risk: the end customer can manage master keys that in turn wrap the document keys, giving you some assurance of isolation between your data and that of other customers stored on the same cloud, as well as control over document access. Through these approaches, you can provide a significantly higher level of protection for data stored in the cloud.
Encryption is the best tool we have for protecting sensitive information so we need to use it to support and enable our expansion to the cloud. As seen above, the devil is in the details of how we do it, but keeping control of keys is fundamental. Of course, there is also the issue of how strong the keys are that you are using, but that is a topic for another day….
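The pre-encrypt-before-upload and key-wrapping approaches described in the two paragraphs above, as an added example that is not from the original post or from QuintessenceLabs: a Go program using only the standard library’s AES-256-GCM, in which the customer’s master key wraps a fresh per-document key and only ciphertext reaches the provider. The names (CloudBlob, EncryptForCloud, DecryptFromCloud), the document ID and the sample document are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// CloudBlob is all the provider ever receives: the document encrypted under a
// per-document key, and that key wrapped under the customer's master key.
type CloudBlob struct {
	DocID      string // bound as associated data; not secret
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, docKey, aad=DocID)
	Ciphertext []byte // nonce || AES-256-GCM(docKey, document, aad=DocID)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewMasterKey draws a 256-bit master key from the OS CSPRNG. In production it
// lives in the customer's own HSM or key manager, never with the storage vendor.
func NewMasterKey() ([]byte, error) { return randomBytes(32) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, data[:n], data[n:], aad)
}

// EncryptForCloud pre-encrypts before upload: one fresh key per document, and the
// document ID bound as associated data so a wrapped key cannot be moved between documents.
func EncryptForCloud(masterKey []byte, docID string, document []byte) (CloudBlob, error) {
	docKey, err := randomBytes(32)
	if err != nil {
		return CloudBlob{}, err
	}
	aad := []byte(docID)
	ct, err := seal(docKey, document, aad)
	if err != nil {
		return CloudBlob{}, err
	}
	wrapped, err := seal(masterKey, docKey, aad)
	if err != nil {
		return CloudBlob{}, err
	}
	return CloudBlob{DocID: docID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the document key with the master key, then opens the document.
func DecryptFromCloud(masterKey []byte, blob CloudBlob) ([]byte, error) {
	aad := []byte(blob.DocID)
	docKey, err := open(masterKey, blob.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap document key: %w", err)
	}
	return open(docKey, blob.Ciphertext, aad)
}

func main() {
	master, _ := NewMasterKey()
	doc := []byte("constructed sample: Q3 board deck, internal only") // constructed input
	blob, _ := EncryptForCloud(master, "finance/q3-board-deck.pptx", doc)
	back, err := DecryptFromCloud(master, blob)
	fmt.Println("owner round trip:", err == nil && string(back) == string(doc))
	other, _ := NewMasterKey() // what the provider or another tenant might hold
	_, err = DecryptFromCloud(other, blob)
	fmt.Println("foreign master key rejected:", err != nil)
}
```

Because the document ID is authenticated data on both layers, a wrapped key copied from one object to another fails to unwrap, which is the per-document isolation the post refers to.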
July 7, 2016
By Rolf Haas, Enterprise Technology Specialist/Network Security and Content Division, Intel Security
Cloud use continues to grow rapidly in the enterprise and has unquestionably become a part of mainstream IT – so much so that many organizations now claim to have a “cloud-first” strategy.
That’s backed up by a survey* we commissioned here at Intel Security that questioned 1,200 cloud security decision makers across eight countries. One of the most startling findings: that 80% of respondents’ IT spend will go to cloud services within just 16 months.
Even if that outlook overestimates cloud spend, it still shows a dramatic shift in mindset, and it’s often the business, rather than the IT department, that is driving that shift. In today’s digital world the pull of the cloud and its benefits of flexibility, speed, innovation, cost, and scalability are now too great to be dismissed by the usual fears. To compete today, businesses need to rapidly adopt and deploy new services, to scale both up and down in response to demand, and to meet the ever-evolving needs and expectations of employees and customers.
This new-found optimism for the cloud inevitably means more critical and sensitive data is put into cloud services. And that means security is going to become a massive issue.
If we look at our survey results the picture isn’t great when it comes to how well organizations are ensuring cloud security today. Some 40% are failing to protect files located on SaaS with encryption or data loss prevention tools, 43% do not use encryption or anti-malware in their private cloud servers, and 38% use IaaS without encryption or anti-malware.
Many organizations have already been at the sharp end of cloud security incidents. Nearly a quarter of respondents (23%) report cloud provider data losses or breaches, and one in five reports unauthorized access to their organization’s data or services in the cloud. The reality check here is that the most commonly cited cloud security incidents were actually around migrating services or data, high costs, and lack of visibility into the provider’s operations.
Trust is growing in cloud providers and services, but 72% of decision makers in our survey point to cloud compliance as their greatest concern. That’s not surprising given the current lack of visibility around cloud usage and where cloud data is being stored.
The wider trend to move away from the traditional PC-centric environment to unmanaged mobile devices is another factor here. Take a common example: an employee wants to copy data to their smartphone from a CRM tool via the Salesforce app. The problem is they have the credentials to go to that cloud service and access that data, but in this case are using an untrusted and unmanaged device. Now multiply that situation across all an organization’s cloud services and user devices.
There is clearly a need for better cloud-control tools across the stack. Large organizations may have hundreds or even thousands of cloud services being used by employees – some of which they probably don’t even know about. It is impossible to implement separate controls and policies for each of them.
To securely reap the benefits of cloud while meeting compliance and governance requirements, enterprises will need to take advantage of technologies and tools such as two-factor authentication, data leakage prevention, and encryption, on top of their cloud services and applications.
Increasingly, organizations are also investing in security-as-a-service (SECaaS) and other tools that can help orchestrate security across multiple providers and environments. These help tackle the visibility issue and ensure compliance needs are met. That’s why I believe we are starting to see the rise of so-called “broker” security services. These cloud access security brokers (CASBs) will enable consolidated enterprise security policy enforcement between the cloud service user and the cloud service provider. That’s backed up by Gartner, which has picked out CASBs as a high-growth spot in the security market. Gartner predicts by 2020, 85% of large enterprises will use a CASB for their cloud services, up from fewer than 5% today.
This will all be driven by the rapid growth in enterprise cloud adoption and the need for a new model of security that enables the centralized control or orchestration of the myriad cloud services and apps employees use across the enterprise. Cloud security is now a critical element of any business, and it needs to be taken seriously from the boardroom right down to the end users.
*Blue Skies Ahead? The State of Cloud Adoption
The survey of 1,200 IT decision makers with responsibility for cloud security in their organizations was conducted by Vanson Bourne in June 2015. Respondents were drawn from Australia, Brazil, Canada, France, Germany, Spain, the UK, and the US across a range of organizations, from those with 251 to 500 employees to those with more than 5,000 employees.
July 6, 2016
By Peter Wood, Cyber Security Consultant, Code42
Boring training videos, box-ticking to meet regulations, blacklisting software at the expense of productivity: large enterprise has been reliant on these methods of “cyber security control” for too long. They are outdated and don’t work. Cyber criminals don’t follow the steps outlined in a training video from 2006—they innovate, manipulate, penetrate and steal information in many different ways and by many different means.
Internally, employees can also represent a real and significant danger to corporate information—whether by accident or design—they are the insider threat. Think about it this way. Dropbox might be an easy way to transfer a file to a client—but has it been sanctioned by IT? Ask every knowledge worker in a company that question, and you can guarantee you won’t get a single, clear cut answer. In fact, according to Code42’s 2016 Datastrophe Study, 22% of knowledge workers surveyed said their IT department doesn’t know they use third-party cloud sharing solutions.
So in 2016, what are the right ways to educate your employees about data security from both an internal and external perspective?
We briefly covered that training videos and generic presentations don’t work that well. Within 10 minutes, staff will have switched off and words will be going in one ear and out of the other—unless you’ve invited Snowden himself to present the training.
To encourage employees to take responsibility and ownership of sensitive corporate data, a more direct approach is needed. Fortunately, cybersecurity consultancy and threat-based penetration testing is something we’re well versed in at First Base Technologies, and we’d recommend the following to drive employee awareness:
- Faking data loss—by targeting specific departments (or even the entire company) with a well-designed program of phishing attacks, you can easily demonstrate the real risk to the business and start the process of education. No information is actually compromised, and the affected employees are told it’s been a simple training exercise. I can guarantee that over time, with the right messages it’ll hammer home the importance of double-checking whether to click that link, install that file, or respond to that unknown request in the future. Think of it as the cyber security equivalent of regular fire drills.
- Physical penetration testing—this involves hiring third-party security consultants to visit an office disguised as “help-desk” computer engineers, visitors or even cleaners. In actuality, they are penetration testers evaluating both the physical security of an organization and its network infrastructure, with the goal of demonstrating unauthorized access to sensitive information. The resulting report, often accompanied by video footage of the exercise, provides valuable guidance on security weaknesses and remediation. Staff are briefed on what happened and the potential gravity of the situation—providing another important lesson as a result.
- Company-wide warnings—as information security professionals, we are well versed in the latest threats and the results of high-profile breaches. And thanks to the recent media agenda, it does seem to be filtering down to non-IT folk too. According to Datastrophe, 74% of knowledge workers say that IT staff’s ability to protect corporate and customer data is very important to their company’s brand and reputation. To communicate these facts to the remaining 26% of employees, breach and security risk information should be regularly delivered to staff at all levels.
Education. It really is the most important weapon in IT and security professionals’ arsenals. It’s a fact that in 2016 and beyond, organizations are under attack pretty much constantly, and if employees aren’t wise to this, the insider threat they present is realized with devastating results. With Datastrophe highlighting that 36% of knowledge workers think the business they work for may be at risk of a public data breach in the next year, it seems people are fortunately starting to understand the threat. And by IT and senior management enacting some of the training methodology above, knowledge workers will start getting well versed in information security practices too.
July 1, 2016
By Abel Sussman, Director, TAAS–Public Sector and Cyber Risk Advisory, Coalfire
The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199, and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. Previously, the FedRAMP authorization process was only designed for low and moderate impact systems. The number of controls for each of the FedRAMP defined impact system levels is presented below:
The release culminates several months of work from the FedRAMP PMO, numerous agencies, cloud service providers and key stakeholders that established the draft baseline, collected industry and federal comments, and completed pilot programs.
FedRAMP High Baseline
The establishment of the FedRAMP High Security baseline is critical for federal agencies to migrate more high-impact level data to the cloud. The High baseline is the strongest FedRAMP level to date, covering sensitive, unclassified data. According to FedRAMP Director Matt Goodrich, most of the information to be covered under the High baseline will be law enforcement data and patient health records. This should cover the needs of several civilian agencies, the Department of Defense (DoD), and the Department of Veterans Affairs (VA).
FedRAMP High Baseline Authorized Cloud Service Providers
The three Infrastructure-as-a-Service (IaaS) providers who participated in the FedRAMP High baseline pilot program and achieved Authorization are:
- Microsoft’s Azure GovCloud
- Amazon Web Services GovCloud
- CSRA / Autonomic Resources’ ARC-P
Federal agencies are able to review these vendors’ security packages, through OMB MAX, to begin to use these services immediately.
Coalfire was one of the earliest Third Party Assessment Organizations (3PAO) in FedRAMP, providing FedRAMP assessment or advisory services to cloud service providers in pursuit of their FedRAMP P-ATO or Agency ATO. If you’d like to talk to one of our staff about the new FedRAMP High baseline or have questions about the FedRAMP process, please contact us.
June 29, 2016
Percentage of Enterprise Computing Workloads in the Public Cloud Expected to Reach 41.05% This Year
By Cameron Coles, Director of Product Marketing, Skyhigh Networks
Industry analyst firm Gartner predicts that the infrastructure as a service (IaaS) market will grow 38.4% in 2016 to reach $22.4 billion by the end of the year. A new report from the Cloud Security Alliance (download a free copy here) finds that Microsoft is quickly catching up with industry leader Amazon in the race to tap this growing market. Amazon, Google, and Microsoft collectively own 82.0% of the IaaS market today. Even at companies that have a strict “no cloud” philosophy, IT leaders admit that nearly one fifth of their computing workloads will be in the public cloud this year versus their own data centers.
Amazon remains the dominant IaaS provider, but Microsoft is closing the gap in market share. IT professionals at 37.1% of companies indicated that Amazon AWS is the primary IaaS platform at their organization. Microsoft Azure is a close second at 28.4%, followed by Google Cloud Platform at 16.5%. Enterprises using public cloud benefit in many ways, including greater agility, lower cost of ownership, and faster time to market. IaaS providers, meanwhile, are also benefiting. In April 2016, Amazon reported that AWS is its most profitable division and is growing 64% annually.
IaaS adoption trends
Enterprises are increasingly relying on public cloud infrastructure providers such as Amazon, Microsoft, and Google for their computing resources, rather than managing their own data centers. A plurality of organizations (45.1%) have a “hybrid cloud” philosophy, another 25.1% prefer private cloud, and 21.5% take a predominantly public cloud approach. Just 8.2% of enterprises have a “no cloud” philosophy. Today, 31.2% of an enterprise’s computing resources come from infrastructure as a service (IaaS) providers. IT professionals expect that number to rapidly grow to 41.0% of computing workloads in the next 12 months.
Not surprisingly, companies with a “public cloud” philosophy have more computing in the public cloud. At these companies, nearly one half (47.8%) of computing resides in the public cloud today and IT professionals at these organizations expect a majority of their computing (56.5%) will reside in the public cloud 12 months from now. Even companies with a “no cloud” philosophy estimate that 14.6% of their computing nevertheless resides in the public cloud, and they expect that number will grow to 18.8% in the next 12 months. There is a sizable amount of computing in public cloud IaaS even for organizations that are philosophically opposed to cloud.
There is a clear correlation between company size and IaaS adoption. Companies with fewer employees rely on public IaaS platforms for more of their computing today. Companies with 1-1,000 employees have the largest share of computing workloads in the public cloud (37.1%) versus companies with more than 10,000 employees (22.3%). However, in the next 12 months, companies with more than 10,000 employees are anticipating growing their use of IaaS to 32.9%, which would eclipse companies with 5,000-10,000 employees and would put them roughly on par with companies with just 1,000-5,000 employees. Public IaaS appears to be reaching an inflection point in the enterprise.
Barriers to IaaS projects
Despite the rapid growth of public cloud infrastructure, there are still barriers holding back IaaS adoption. The most common barrier reported by IT professionals is concern about the security of the IaaS platform itself (62.1% of respondents). The next most common roadblock is also security related – 40.5% of respondents indicated that concern about the ability to secure applications deployed on IaaS platforms is a barrier to adoption. The third most common barrier, reported by 37.9% of respondents, is the inability to store data within their country to comply with data privacy laws (e.g. EU General Data Protection Regulation).
Despite concerns, overall confidence in cloud
Despite concerns about security, an overwhelming 61.6% of IT leaders believe that, generally speaking, custom applications they deploy on IaaS platforms are as secure, if not more secure, than applications they deploy in their own datacenter. That may be due in part to the significant investments cloud providers have made in their own security, and in achieving compliance certifications such as ISO 27001 and 27018 to demonstrate their investments. It could also be due to a growing sentiment that cloud companies such as Amazon, Microsoft, and Google can dedicate far more resources to IT security than the average company where IT is not their core business.
June 27, 2016
By Darren Pulsipher, Enterprise Solution Architect, Intel Corp.
Cloud environments have made some things much easier for development teams and IT organizations. Self-service portals have cut down the amount of "hands on" intervention needed to spin up new environments for new products. Provisioning of new infrastructure has moved from weeks or days to minutes. One thing that has barely changed with this transformation is security. But new techniques and tools are starting to emerge that are moving security to the next level in the Cloud. One of these technologies is called micro-segmentation.
Traditional datacenter security
To understand micro-segmentation, let's first look at the current datacenter security philosophy. Most security experts focus on creating a hardened outer shell around the datacenter. Nothing gets in or out without being logged, encrypted, and locked down. Firewall rules slow malicious hackers from getting into the datacenter. With more and more devices connected to the datacenter, security experts are looking at ways to secure, control, and authenticate all of these connected devices.
Inside the datacenter, security measures are put into place to make sure that applications do not introduce security holes. Audit logs and incident alerts are analyzed to detect intrusions—notifying security analysts to lock things down. Security policies and procedures are created to try and mitigate human error in order to protect vital data. All of this creates a literal fortress, with multiple layers of protection from a myriad of attacks.
Micro-segmentation adds a hardened inner shell
Wouldn't it be nice if I could create a hardened shell around each one of my applications or services within my datacenter, opening access to each application only through its own firewalls and segmented networks? That would make security even more robust. If my outer datacenter security walls were breached, hackers would uncover a set of additional security walls—one for each service/application in the IT infrastructure. The best way to envision this is to think about a bank that has safety deposit boxes in the safe. Even if you broke into the safe there is nothing to take—just a set of secure boxes that also need to be cracked.
One of the benefits of this approach is that when someone hacks into your datacenter, they get access to at most one application, and they need to breach each application one by one. This extra layer of protection gives security experts a very powerful tool to slow down hackers wreaking havoc on your infrastructure. The downside to this approach is that it can take time and resources to set up segmented networks, firewalls, and security policies.
SDI (Software-Defined Infrastructure): more risk or more security?
Now I want you to imagine that you have given developers or line of business users the ability to create infrastructure through a self-service portal. Does that scare you? How are you going to enforce your security practices? How do you make sure that new applications are not exposing your whole datacenter to poorly architected solutions? Have you actually increased the attack surface of your datacenter? All of these questions keep security professionals up at night. So, shouldn’t a good security officer be fighting against SDI and self-service clouds?
Not so fast. There are some great benefits to SDI. First off, you can programmatically provision infrastructure (storage, compute and, yes, network elements). This last one, software-defined networking, gives you some flexibility around security that you might not have had in the past. You can create security policies enforced through software and templates that increase your security around applications and the datacenter outer shell.
Software-defined infrastructure enabling micro-segmentation
Now take the benefits of both SDI and micro-segmentation. Imagine that you put together templates and/or scripts that create a segmented network, set up firewall rules and routers, and manage SSH keys for each application that is launched. Now when a user creates a new application or set of applications, a micro-segmented "hardened shell" is created. So even if your application developer is not following good security practices, you are only exposed for that one application.
The beginnings of micro-segmentation are available in some form from all of the major SDI platforms. The most basic capability, and the most prevalent across the SDI platforms, is the ability to provision a network, router, and firewall in your virtual infrastructure. Both template-driven and programmable APIs are available. So there is some work that needs to be done by the security teams. And enforcing the use of these templates is always a battle. The key is to make them easy to consume.
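An added example of the template-plus-enforcement idea (my own illustration, not code from the post or from any SDI platform): a per-application segment template that ends in a default-deny rule, and a lint that flags the edits which would silently widen exposure, such as opening an admin port to the world or dropping the trailing deny. The address ranges, application name and rule format are constructed.

```python
import ipaddress

# Constructed addressing: the shared datacenter range and the management
# (bastion) subnet that alone is allowed to reach admin ports.
DATACENTER = ipaddress.ip_network("10.0.0.0/8")
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")
ADMIN_PORTS = {22, 3389}


def build_segment(app, cidr, exposed_ports, allowed_sources):
    """Template: one isolated segment per application. Rules are first-match
    and end in default deny, so the app only sees what it was granted."""
    rules = [{"dir": "ingress", "port": p, "src": s, "action": "allow"}
             for p in exposed_ports for s in allowed_sources]
    rules.append({"dir": "ingress", "port": 22, "src": str(MGMT_NET), "action": "allow"})
    rules.append({"dir": "ingress", "port": "any", "src": "0.0.0.0/0", "action": "deny"})
    return {"app": app, "cidr": cidr, "rules": rules}


def lint_segment(policy):
    """Return findings that would turn this segment into a propagated bad policy."""
    findings = []
    ingress = [r for r in policy["rules"] if r["dir"] == "ingress"]
    for r in ingress:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        if r["port"] in ADMIN_PORTS and not src.subnet_of(MGMT_NET):
            findings.append(f"port {r['port']} reachable from {src}, not just {MGMT_NET}")
        elif src.prefixlen == 0:
            findings.append(f"port {r['port']} open to 0.0.0.0/0")
        elif src == DATACENTER:
            findings.append(f"port {r['port']} open to the whole datacenter; segmentation lost")
    last = ingress[-1] if ingress else None
    if not (last and last["action"] == "deny" and last["port"] == "any"
            and last["src"] == "0.0.0.0/0"):
        findings.append("no trailing default-deny ingress rule")
    return findings


# Constructed sample: the rendered template, then a copy "fixed" by a developer
# who removed the deny and opened SSH from anywhere to get past an access problem.
GOOD = build_segment("billing-api", "10.20.7.0/24", [443], ["10.20.0.0/16"])
BAD = {**GOOD, "rules": [r for r in GOOD["rules"] if r["action"] == "allow"]
       + [{"dir": "ingress", "port": 22, "src": "0.0.0.0/0", "action": "allow"}]}

if __name__ == "__main__":
    for name, pol in (("template", GOOD), ("edited", BAD)):
        print(name, lint_segment(pol) or "clean")
```

Run the lint in the pipeline that applies templates, so a segment with findings is rejected before it is provisioned rather than discovered after the fact.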
Don’t ignore the details
One thing that SDI does bring to your infrastructure is the propagation of bad policies and tools. If you make it easy to use, people will use it. Pay attention to the details. Set up the right policies and procedures and then leverage SDI to implement them. Don't be like the banker who writes the combination to the safe on a piece of paper and tapes it to the top of their desk, then photocopies it and shares it with everyone in the office.
SDI can make micro-segmentation a viable tool in the security professional's toolkit. Just like any tool, make sure you have established the processes and procedures before you propagate them to a large user community. Otherwise you are just making yourself more exposed.
June 22, 2016
By Susan Richardson, Manager/Content Strategy, Code42
The 2016 Verizon Data Breach Investigations Report (DBIR) paints a grim picture of the unavoidable enterprise data breach. But accepting the inevitability of breaches doesn’t mean accepting defeat. It’s like severe weather: you can’t prevent a tornado or hurricane. But with the right visibility tools, you can recognize patterns and mitigate your risk.
Likewise with data security, visibility is critical. “You cannot effectively protect your data if you do not know where it resides,” says Verizon.
Most enterprises plagued by poor data visibility
The report shows that most organizations lack the data visibility tools for effective breach remediation. Hackers gain access more easily than ever, with 93 percent of attacks taking just minutes to compromise the enterprise ecosystem. Yet without the ability to see what’s happening on endpoint devices, 4 in 5 victimized organizations don’t catch a breach for weeks—or longer.
Here’s a look at how data visibility solves many of the major threats highlighted in the 2016 DBIR:
Phishing: See when users take the bait
The report showed users are more likely than ever to fall for phishing. One in ten users clicks the link; only three percent end up reporting the attack. Instead of waiting for the signs of an attack to emerge, IT needs the endpoint visibility to know what users are doing—what they're clicking, what they're installing, and whether sensitive data is suspiciously flowing outside the enterprise network. The "human element" is impossible to fix, but visibility lets you "keep your eye on the ball," as Verizon put it, catching phishing attacks before they penetrate the enterprise.
Malware and ransomware: Encryption + endpoint backup
With laptops the most common vector for the growing threats of malware and ransomware, Verizon stresses that “protecting the endpoint is critical.” The report urges making full-disk encryption (FDE) “part of the standard build” to gain assurance that your data is protected if a laptop falls into the wrong hands. Continuous endpoint backup is the natural complement to FDE. If a device is lost or stolen, IT immediately has visibility into what sensitive data lived on that device, and can quickly restore files and enable the user to resume productivity. Plus, in the case of ransomware, guaranteed backup ensures that you never truly lose your files—and you never pay the ransom.
Privilege abuse: “Monitor the heck” out of users
Authorized users using their credentials for illegitimate purposes "are among the most difficult to detect." There's no suspicious phishing email. No failed login attempts. No signs of a hack. And for most organizations, no way of knowing a breach has occurred until the nefarious user and your sensitive data are long gone. Unless, of course, you have complete visibility into the endpoint activities of your users. Verizon urges enterprises to "monitor the heck out of authorized daily activity," so you can see when a legitimate user is breaking from their usage pattern and exfiltrating sensitive data.
Forensics: Skip the hard part for big cost savings
The most costly part of most enterprise data breaches—accounting for half of the average total cost—involves figuring out what data was compromised, tracking down copies of files for examination, and other forensic tasks required for breach reporting and remediation. Most often, an organization must bring in legal and forensic consultants—at a steep price. If you have complete visibility of all enterprise data to begin with, including endpoint data, you can skip much of the hard work in the forensics phase. If you already have continuous and guaranteed backup of all files, all your files are securely stored and easily searchable. Modern endpoint backup solutions go a step further, offering robust forensic tools that make it easy and cost-effective to conduct breach remediation, forensics and reporting tasks without eating up all of IT’s time, or requiring expensive ongoing consultant engagement.
See your data, understand your patterns, mitigate your risk
The whole point of the DBIR is to shed light on data to see the patterns and trends in enterprise data security incidents—to mitigate risk through greater visibility. So read the report. Understand the common threats. But make sure you apply this same methodology to your own organization. With the right data visibility tools in place, you can see your own patterns and trends, learn your own lessons, and fight back against the inevitable data breach.
Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.