2015 PCI SIG Presentations—Rallying the Vote for Securing Keys and Certificates

October 3, 2014

By Christine Drake, Senior Product Marketing Manager, Venafi

At the 2014 PCI Community Meetings in Orlando, the 2014 PCI Special Interest Groups (SIGs) provided updates on their progress, and presentations were given on the 2015 PCI SIG proposals in the hope of winning votes to become 2015 PCI SIG projects. As I’ve mentioned in previous blogs, Venafi has co-submitted a 2015 PCI SIG proposal with SecurityMetrics on Cryptographic Keys and Digital Certificates Security Guidelines. In the 2015 SIG proposal presentations, Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, delivered the presentation for this SIG proposal on securing keys and certificates. Watching the sessions at the PCI Community Meetings made it clear that now is the right time for this PCI SIG topic.


Bob Arno’s keynote at the 2014 PCI Community Meeting, Adventures of a Thiefhunter, really called into question our trust of other people. He talked about how teams of pickpockets work together to steal from unsuspecting victims and how they use the stolen credit cards. The pickpockets are successful because we generally trust the people around us. Keys and certificates also establish trust, and in both cases criminals are leveraging this trust to avoid detection while committing their crimes.

Merchants, financial institutions, and payment processors rely on thousands of keys and certificates as the foundation of trust in the cardholder data environments (CDE), protecting cardholder data (CHD) across their websites, virtual machines, mobile devices, and cloud servers. Yet it is this very trust that cybercriminals want to use, not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden. If only one of your critical keys or certificates is compromised, the digital trust you have established is eliminated. And this opens organizations up to PCI DSS audit failures and, more importantly, breaches.

The PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines has already rallied support from Global 100 merchants, PCI Qualified Security Assessors (QSAs), and security experts, and we’re looking for more support from the PCI community.

The 2015 PCI SIG proposals will be presented again at the 2014 PCI Community Meetings in Berlin (Oct 7-9). Then PCI Participating Organizations will vote on the 2015 PCI SIG proposals from October 13-23. After the vote, the PCI Security Standards Council (PCI SSC) will select 2-3 presentations to become 2015 PCI SIG projects. In early November, there will be a call for participation for the selected SIGs and the projects will kick off in January 2015.

Want more information? Want to get involved? Visit the website for the PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines at www.protecttrust.org.

CSA Congress Recap Roundup

October 1, 2014

Last week the CSA Congress and IAPP Privacy Academy were held in San Jose, California. It was the Cloud Security Alliance’s first time partnering with IAPP for their respective events. It was a successful event where cloud security and privacy professionals were able to rub elbows and learn best practices that span their fields.

During Congress, there was a spectrum of releases, events, awards, speakers, and survey results encompassing CSA’s endeavors. Below are some links that aggregate some of the activity that occurred during CSA Congress 2014.

Ron Knode Award Winners

Each year at Congress, the CSA recognizes a few of our members around the globe for their excellence in volunteerism. The award is named in honor of Ron Knode, a member of the CSA family who passed away in 2012, and recognizes members whose contributions were invaluable. To learn who the winners of the 2014 Ron Knode Service Awards were, please visit – https://cloudsecurityalliance.org/media/news/csa-announces-annual-ron-knode-service-award-recipients/.

Big Data Taxonomy Document

The Cloud Security Alliance’s Big Data Working Group released the Big Data Taxonomy Report, a new guidance report that aims to help decision makers understand and navigate the myriad choices within the big data designation, including data domains, compute and storage infrastructures, data analytics, visualization, security and privacy. For more information on the report, please visit – https://cloudsecurityalliance.org/media/news/csa-releases-new-big-data-taxonomy-report/

CSA Survey Finds IT Professionals Underestimating How Many Cloud Apps Exist in the Business Environment

In what could be called a tale of perception versus reality, the CSA released the results of a new survey that found a significant difference between the number of cloud-based applications IT and security professionals believe to be running in their environments, and the number reported by cloud application vendors. The survey titled, Cloud Usage: Risks and Opportunities was released at CSA Congress 2014. For more information, please visit – https://cloudsecurityalliance.org/media/news/csa-survey-professionals-underestimating-cloud-apps-usage/

Hackathon On! Cloud Security Alliance Challenges Hackers to Break its Software Defined Perimeter (SDP) at CSA Congress 2014

The CSA launched its second Hackathon at the CSA Congress, to validate the CSA Software Defined Perimeter (SDP) Specification to protect application resources distributed across multiple public clouds. In a twist from its last event (where no one was able to hack the SDP), the CSA is inviting Congress participants, along with hackers from all over the world to attempt to access a file server in a public cloud, which is protected by the SDP via a different public cloud. The first participant to successfully capture the target information on the protected file server will receive $10,000. Additionally, all participants will be entered into a random drawing to win $500. For more information, please visit – https://blog.cloudsecurityalliance.org/2014/09/18/csa-hackathon-on-launches-today-at-csa-congress-2014/

To participate in Hackathon, visit – https://hacksdp.com/

The Shared Burden of Cloud Data Security & Compliance

October 1, 2014

By Gerry Grealish, Chief Marketing Officer, Perspecsys

Data security remains a top concern for enterprises deploying popular cloud applications. While most will instinctively think of cloud data security and compliance as being handled only by IT departments, many enterprises are realizing that all aspects of security – from selecting a cloud service provider (CSP) to monitoring cloud use over time – require involvement across the organization.

Cloud Data Security & Compliance Begins with Vetting Providers
There are key areas of due diligence for an enterprise depending on its industry, but all share common security requirements when selecting a CSP. Perhaps, as TechTarget recently suggested, FedRAMP standards will come to regulate security outside the government as well, but for now enterprises must have their own standards for evaluating a CSP. An excellent existing resource is the Security, Trust and Assurance Registry (STAR) Program supported by the Cloud Security Alliance (CSA). This public registry provides a comprehensive set of offerings for CSP trust. The CSA’s Cloud Controls Matrix (CCM) includes a framework of cloud security standards, and its Consensus Assessments Initiative Questionnaire (CAIQ) offers questions an enterprise should ask any CSP under consideration. CSPs should also be able to provide details on any third-party security certifications they have obtained, e.g. the ISO/IEC 27001 standard for information security management systems (ISMS).

Questions for the CSP frequently begin with specifics on the strategies used – such as encryption for data protection and multifactor user authentication for cloud access. It is also important to know who will have access to data, how often audits are conducted, what security incidents (if any) have occurred in the past and, if there has been a security incident, how cloud customers were notified and how quickly. Having representation from across the enterprise involved in the vetting of a CSP is critical – not only IT but also Security, Data Privacy & Governance and End Users can help ensure all relevant questions are answered and that necessary security protocols are implemented. The standard language used in the FedRAMP contract example is one place to start for any enterprise signing on with a new CSP.

Internal Security Standards
Security and compliance of sensitive corporate data going to the cloud falls primarily on the enterprise itself. Despite any guarantees in contracts with CSPs, when a security breach occurs it is the enterprise that experiences the consequences and many would say holds the most interest in minimizing damages for the enterprise and/or customers. If there is a security incident, clients and customers will certainly look at the enterprise itself to protect their data.

Internal security standards begin with adherence to well-defined protocols and security strategies established and agreed to by – again – not just IT, but representatives from Legal, Security, Governance and End Users. Questions to be answered include what data will actually be allowed to leave the physical premises of the enterprise and in what form. Industry and regulatory penalties compel most industries to have clear security standards in place. In some cases, security incidents have brought on class-action lawsuits against the enterprise. Strict internal security standards are one way to further protect the enterprise and its customers from having to go that route.

Employee Buy-In is Key
With the proliferation of mobile computing and bring your own device (BYOD), it is essential that employees are brought in to participate, understand and agree to the security policies established for the enterprise. This includes employees throughout the organization – the time, resources, or money it takes to establish this buy-in through training, policy communication and proper monitoring or support is well worth it when compared to damages organizations experience from careless BYOD policies.

Security Strategies – Encryption and tokenization
Encryption and tokenization are two data security methods that many enterprises are using to strengthen their cloud security strategy while maintaining control of their cloud data. Both methods can be used to safeguard sensitive information in public networks, on the Internet, and on mobile devices. These powerful and interoperable solutions are also being used by leading organizations to ensure compliance with sector-specific requirements such as HIPAA, PCI DSS, GLBA, and CJIS.

While hacking and data attacks continue to occur, an enterprise with proven security strategies in place minimizes the impact for itself and its customers. An enterprise with security responsibility held by not just IT, but other departments as well, including end-users, puts itself in the best possible situation to avoid major data breaches and be prepared to deal with one should it occur. See this infographic on how to respond to a cloud security breach, should one occur.

About the Author
Gerry Grealish is the Chief Marketing Officer at Perspecsys and is responsible for defining and executing the marketing and product vision. Previously, Gerry ran Product Marketing for the TNS Payments Division, helping create and execute the marketing and product strategy for its payment gateway and tokenization/encryption security solutions.


Why Dyre Is Different and What It Means for Enterprises

September 30, 2014

By Bob West, Chief Trust Officer, CipherCloud

The Dyre Trojan, which salesforce.com warned its customers about earlier this month, shows that cyber criminals have found a brand new way to target cloud applications.

It is the first known malware tool to deliberately target an enterprise cloud provider and use trusted cloud file sharing services like Dropbox to install itself on client systems. The malware hammers home exactly why companies need to pay close attention to both server-side and client-side security when using cloud services.

Dyre, or Dyreza, was first spotted in the wild in June attempting to steal the banking credentials of customers of major banks such as Citibank, RBS and NatWest. More recently, it appears to have been tweaked to specifically target customers of salesforce.com.

In design and function at least, Dyre is somewhat similar to other Remote Access Trojans (RAT) like Zeus. It typically arrives disguised as a harmless download or attachment that unsuspecting users are tricked into installing on their computers. It then lurks quietly on the system waiting for the user to type in a target URL, like Natwest.com or salesforce.com. Dyre then quickly intercepts the user’s browser session and routes it through a server controlled by the attacker.

Dyre employs a tactic called “browser hooking” to strip SSL protections from supposedly secure sessions. So someone entering their login credentials to access a salesforce.com account or their bank account is actually handing over their username, password and other session data in clear text to the attacker without realizing it.

The version of Dyre that targeted customers of salesforce.com appears designed only to harvest user logins, probably so the credentials can later be sold for use by other cyber criminals. An attacker can potentially use the illegally obtained credentials to take over the associated accounts and carry out all the actions of the authorized users of those accounts without anyone realizing anything until it is too late.

Cyber thieves have used this kind of account hijacking to drain hundreds of millions of dollars from the bank accounts of numerous small businesses, municipal governments and school districts over the past several years.

With Dyre, the threat has moved for the first time to cloud applications.

In this particular instance, the attackers used Dyre to go after customers of salesforce.com. But make no mistake – the malware can be used just as easily to harvest data from customers of other cloud applications as well.

Cyber criminals have clearly figured out that there is a lot of potentially profitable data that can be harvested by going after cloud customers. But instead of trying to infiltrate cloud server-side protections they appear to be going after vulnerable client systems belonging to the end users of enterprise cloud applications.

Many of those infected by Dyre were lured by spear-phishing emails containing a link to a malicious document hosted on Dropbox. Those who downloaded the document thinking it was safe because it was on a reliable site like Dropbox, infected their systems with Dyre. Because Dyre uses some sophisticated packaging and obfuscation techniques, it has been able to avoid detection by most AV tools until recently.

Salesforce.com is one of the most successful and most trusted cloud services used by businesses. There’s really not a whole lot that salesforce.com or any other cloud provider can do in a situation like this beyond urging customers to follow security best practices. The vulnerability lies more on the client side and not in the cloud.

In an alert, salesforce.com urged customers to ensure that the antivirus tools on their client systems were fully updated and capable of detecting Dyre. The company also asked companies to consider implementing IP range restrictions to ensure that only users from a corporate network or VPN were allowed access to the Salesforce Platform. In addition, salesforce.com recommended that enterprises consider employing two-factor authentication as an additional security measure for users attempting to login from an unfamiliar device or location.
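The IP range restriction and unfamiliar-device checks recommended above can also be applied after the fact to a login audit trail. The following is an added example, not code from CipherCloud or salesforce.com; the allowed ranges, the log format and the log lines are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption (constructed): the only addresses from which corporate users
# should reach the cloud application are the office egress and the VPN pool.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # office egress
    ipaddress.ip_network("198.51.100.0/25"),   # VPN pool
]

# Constructed sample audit records: timestamp, user, source IP, device id, outcome.
SAMPLE_LOG = """\
2014-09-10T08:01:12Z alice 203.0.113.17 dev-a1b2 success
2014-09-10T08:03:40Z bob 198.51.100.44 dev-c3d4 success
2014-09-10T09:15:02Z alice 192.0.2.77 dev-zz99 success
2014-09-10T09:16:30Z carol 203.0.113.90 dev-e5f6 success
2014-09-10T10:02:11Z carol 192.0.2.200 dev-e5f6 failure
2014-09-10T11:42:07Z bob 192.0.2.77 dev-zz99 success
"""


def parse_line(line: str) -> dict:
    """Split one constructed audit record into its fields."""
    ts, user, ip, device, outcome = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "device": device, "outcome": outcome}


def outside_corporate_ranges(ip) -> bool:
    """True when the source address is not in any allowed range."""
    return not any(ip in net for net in ALLOWED_RANGES)


def find_suspicious_logins(log_text: str, known_devices: Dict[str, List[str]]
                           ) -> Tuple[List[tuple], Dict[str, List[str]]]:
    """Flag successful logins from outside the corporate ranges or from a
    device not previously seen for that user, and report any external
    address that several different accounts logged in from: the pattern a
    batch of harvested credentials replayed through one host leaves behind."""
    alerts = []
    seen = {user: set(devs) for user, devs in known_devices.items()}
    users_by_ip: Dict[object, set] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["outcome"] != "success":
            continue  # failed attempts are out of scope for this check
        reasons = []
        if outside_corporate_ranges(rec["ip"]):
            reasons.append("source outside corporate ranges")
        if rec["device"] not in seen.setdefault(rec["user"], set()):
            reasons.append("unfamiliar device")
        seen[rec["user"]].add(rec["device"])
        users_by_ip.setdefault(rec["ip"], set()).add(rec["user"])
        if reasons:
            alerts.append((rec["ts"], rec["user"], str(rec["ip"]), reasons))
    shared_external = {str(ip): sorted(users) for ip, users in users_by_ip.items()
                       if len(users) > 1 and outside_corporate_ranges(ip)}
    return alerts, shared_external


if __name__ == "__main__":
    baseline = {"alice": ["dev-a1b2"], "bob": ["dev-c3d4"], "carol": ["dev-e5f6"]}
    found, shared = find_suspicious_logins(SAMPLE_LOG, baseline)
    for alert in found:
        print("ALERT", *alert)
    print("external addresses used by several accounts:", shared)
```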

Customers of cloud applications can also mitigate their exposure to Dyre by using cloud encryption gateways for customer-side encryption that protects data. Businesses with particularly sensitive data in the cloud should also consider encrypting the client email addresses and other identifiers, such as Social Security Numbers, that are used for login and authentication to cloud applications.

SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?

September 29, 2014

By Patriz Regalado, Product Marketing Manager, Venafi

The majority of people and consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of the check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on a Fandango mobile app.  People will automatically assume the company has issued a secure app, especially if the app comes from a reputable G2000 company and they downloaded it from the Apple or Google Play app store—or even directly from their employer.  What could possibly go wrong?

Well, evidently there’s a lot that can go wrong. SSL vulnerabilities in the Android and iOS ecosystems and the man-in-the-middle (MITM) attacks they enable are exposing consumers’ banking credentials, health information, and other personal information. What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps, as university researchers recently uncovered. The study found Android vulnerabilities that enabled the researchers to obtain personal information such as usernames and passwords and social security numbers, and to steal check images, from popular mobile apps with the following success rates:

  • 92% for  Gmail
  • 83% for Chase
  • 92% for H&R Block
  • 86% for Newegg
  • 85% for WebMD
  • 83% for Hotels.com
  • 48% for Amazon

FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks.  FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates.  And of the 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing data they exchange with their servers to potential theft.

It wasn’t too long ago that MITM attacks emerged as a major threat to web-based online transactions, and now we see MITM attacks becoming increasingly widespread against mobile apps. Mobile apps, just like websites, use the same method to secure communications—SSL/TLS. However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks. For example, an attacker can substitute a legitimate SSL certificate with one under his control and view data exchanged between the mobile device and the remote server, or manipulate private information submitted by the user.

Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities.  It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.
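What “does not check certificates” looks like in code, and what the fix looks like, as an added example that is not from Venafi or from either study. It uses Python’s standard `ssl` module to stand in for the app’s TLS client; the `audit_context` review check is my own construction.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """What the vulnerable apps effectively do: the handshake completes
    against any certificate, so a substituted attacker certificate is
    accepted and the session can be read or altered in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validation done properly: chain checked against a trust store, the
    certificate matched against the hostname, old protocol versions refused.
    Passing cafile limits trust to one CA (a simple form of pinning)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code review of a TLS client context should raise."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are accepted")
    return findings


def peer_was_verified(sock: ssl.SSLSocket) -> bool:
    """Post-handshake sanity check: with CERT_NONE the stdlib returns an
    empty dict from getpeercert(), so a verified peer always yields data."""
    return bool(sock.getpeercert())


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```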


Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 2 of 2)

September 25, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

In my previous post, I addressed three major trends that play an immense role in cybersecurity initiatives. These trends include the growth of digital business, information risks, and regulatory requirements. In this post, I’ll focus on issues related to collaboration and compliance. Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems?

First, ensure that your strategy and policies are clear with respect to collaboration and compliance. These statements should address those areas requiring external and internal collaboration and the regulatory environment in which you operate. They should also address those information risks that are most significant for the organization. Since all of these topics evolve rapidly, you should conduct regular executive and Board-level reviews of these plans and policies.

Second, ensure that you have the appropriate staff, organization, and business processes to implement the above plans and policies. Management and staff development for these issues is vital and particularly challenging since the environment is so dynamic. A recent survey by Gartner summarizes these issues well. However, this organizational development will be essential to realize the 80% new business models in the next five years described in the above Accenture survey. Many organizations are developing enterprise-wide governance, risk management, and compliance (GRC) programs. GRC programs include governance (the processes by which executives and boards manage the enterprise), risk management (the processes by which management addresses risks to the enterprise), and compliance (the processes with which the enterprise complies with applicable laws and regulations). As enterprises become increasingly information-intensive, the protection of information assets is becoming more important in all three primary aspects of GRC programs.

Finally, enterprise systems must perform a broad range of business-critical functions, including the implementation of the above policies and business processes necessary to enable digital business agility, to protect sensitive corporate information, and to enable regulatory compliance. The challenge for CIOs is to design and operate these systems balancing requirements for functionality, performance, and costs while providing necessary security and compliance with corporate policies and regulatory requirements. End users will focus on functionality and performance, the CFO will focus on the costs, while the GRC program must ensure proper security and compliance. There is a growing market for systems to implement the policies and procedures of a GRC program, but the definitions of policies and procedures must precede selecting a GRC platform.

It is clear that we will continue to see growth in the importance of secure collaboration and regulatory compliance in the development of digital business. The ancient curse, “May you live in interesting times,” certainly applies to today’s business environment.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

Worse than Heartbleed?

September 24, 2014

Jim Reavis, Cloud Security Alliance

Today at 10am EST a vulnerability in the command shell Bash was announced (http://seclists.org/oss-sec/2014/q3/649 and http://seclists.org/oss-sec/2014/q3/650). Bash is a local shell and doesn’t handle data supplied by remote users, so no big deal, right? Wrong.

A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples of this include web servers running CGI scripts, and even email clients and web clients that pass files, such as a video file or a sound file, to external programs for display.

In short, this vulnerability allows attackers to cause arbitrary command execution remotely, for example by setting headers in a web request or by setting unusual MIME types.

To test if your system is vulnerable just try this on bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you’re vulnerable it’ll print:

vulnerable
this is a test

If you’ve updated Bash you’ll only see

this is a test

There is more information available at the following links:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

And patches for Bash (most versions in the last 15 or so years) are available:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 1 of 2)

September 24, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

The growth of digital business, information risks, and regulatory requirements are major global business trends that have an immense impact on cybersecurity. These trends are prevalent throughout a broad range of industries – including the financial, aerospace and defense, and retail sectors, among many others – and present many opportunities and threats.

Realizing the potential benefits from digital business requires significant transformation involving greater collaboration with customers, suppliers, partners, and regulators. Performing this collaboration in a timely, cost-effective, and secure way in compliance with necessary laws and regulations is a necessary competency for many organizations.

Protection of information assets is a dynamic and significant topic for many enterprises. For example, Lloyd’s Risk Index for 2013 lists cyber risk as #3 on its list of 50 corporate risk priorities among business, economic, political, environmental, and natural hazard risks. While cyber threats from external organizations are very serious, many types of information risks also arise from lack of training and awareness of regulations and business practices or from errors in implementation.

Risk and compliance are increasingly important areas for corporate executives and board members in many industries, notably including those discussed here.

The Global Growth of Digital Business and Distributed Collaboration

Five years ago, Forrester and Adobe published a report on the future of business collaboration. In that report they state “Today’s collaboration requirements are only a midpoint on a trend line toward a highly distributed, digitally connected, partner-fueled, and customer-driven future.” In the past five years, the world has accelerated significantly toward that future.

Last year the McKinsey Global Institute published a report in which they predict that within a decade there will be more than 2 billion people with Internet access and that we will see $5T-$7T of economic impact from automation of knowledge work. Another recent McKinsey paper stated, “Digitization is rewriting the rules of competition.” The authors also observe, “For businesses, digitization is transforming even physical flows of people into virtual flows, enabling remote work through tools for global collaboration.”

In January, Accenture published a survey of “500 C-level executives from 10 economies (both developed and emerging) about the key influence on their corporate strategy over the next five years.” There are two results to cite here. First, “the ability of technology and innovation to reshape industry norms and boundaries was most commonly cited as the most important structural shift that businesses will face over the next five years.” Second, “60 percent plan to pursue growth in, or in collaboration with, other industries,” and “80 percent are planning growth via new business models.”

Similar analyses and examples like the incredible growth of new technology-driven companies like Google and Facebook all show the accelerating pace of digital business and the importance of connected collaboration in the business environment.

The Global Growth of Information Risks

A recent report by the World Economic Forum contains this conclusion:

“Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks — and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.”

These cyber threats are very diverse. Incidents within the past 12 months arising from diverse external threats include:

  • The Heartbleed incident exploiting vulnerabilities in the Internet infrastructure
  • The Target breach exploiting supply chain vulnerabilities
  • CryptoLocker (and further generations of ransomware) exploiting software defaults and human behavior
  • The JP Morgan breach exploiting web server vulnerabilities

As noted earlier, many other types of information risks arise from lack of training and awareness of regulations and business practices or from errors in system or process implementation. For example, the most recent Verizon Data Breach Report notes that “miscellaneous errors” (e.g., sending email messages with sensitive information to incorrect recipients) cause more than 25% of data breaches. The report states collaboration with external partners about sensitive information can often lead to problems without proper management attention: “…business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other.”

By 2020, threats to critical infrastructure will be even more significant than what we face today. With industries accelerating digitization to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.

The Global Growth of Regulatory Compliance Requirements

The US regulatory environment has grown steadily in the past several decades. While measuring the scale and economic benefits is uncertain and controversial, some metrics give insight into this growth. Data from the Mercatus Center at George Mason University shows that the total word count for federal regulations now exceeds 100 million. Moreover, the growth of this total has exceeded the growth of the US GDP since this analysis began in 1997. The US Office of Management and Budget produces an annual report on the costs and benefits of regulation but acknowledges the large uncertainties and omissions in its estimates. However, there is no doubt that costs in the US alone are in the hundreds of billions of dollars annually. Compliance elsewhere is also significant, notably in the European Union.

There are many types of sensitive personal and corporate information protected by thousands of regulations. These include regulations for personal health and financial information, export control, intellectual property, Board proceedings, public company filings, mergers and acquisition plans, etc.

The growth in the size of corporate compliance staffs and in their compensation illustrates the increasing importance of regulatory compliance. Failures have led to significant fines and imprisonment. As a result, many new Chief Compliance Officers have direct reporting relationships to top executives and their boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of the growth of this area.

Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today’s supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the need to protect intellectual property. For example, Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) is a European Union regulation controlling the production and use of chemicals and their potential impacts on health and the environment. Companies involved in registering a chemical are obliged to share data about it with government agencies and other specified organizations. The data in the registration documents is valuable intellectual property, and enterprise policies must ensure it is properly protected.

Addressing the Combined Impact of These Trends on Strategic Business Planning and Operations

Together these trends add up to the following conclusions:

  • The growth and trajectory of key areas of information technology (cloud, mobility, social media, big data, and so on) are having inescapable impacts on business plans and operations. These are now C-Level and Board issues with significant operational impact.
  • Information risks have also become C-Level and Board issues. For example, the recent Target breach was a key factor in the resignations of the CEO and other executives and in litigation filed against several Directors for lack of proper oversight.
  • While the global net value of regulatory compliance may be debatable, the requirements for enterprise compliance are not. The growth of digital business with larger information risks will lead to further types of regulation.

Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems? We’ll discuss this and more in the second part of this blog series coming soon.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

New CSA Survey Reveals Emerging International Data Privacy Challenges; Discrepancies Illustrate the Demand for Data Protection Harmonization

September 23, 2014 | Leave a Comment

By Evelyn de Souza, Data Privacy and Compliance Leader, Cisco Systems

According to a new survey from the Cloud Security Alliance sponsored by Cisco, there is strong and growing interest in harmonizing privacy laws around a universal set of principles. Findings include overwhelming support for a global consumer bill of rights, common themes regarding data sovereignty, and broad agreement that the OECD privacy principles facilitate, rather than hinder, IoT, cloud and big data initiatives.

Data privacy considerations are often overlooked in the development phase of cloud, IoT and big data solutions and put in the “too hard” basket. Historically, data privacy experts and the information security industry at large have focused on the differences between regions instead of the similarities, which could encourage more effective collaboration.

The Cloud Security Alliance tested whether universal data privacy and data protection concepts exist and the extent to which they can drive global cooperative efforts around cloud, IoT and big data. We hand-picked over 40 of the most influential cloud security leaders worldwide for their insights on existing international data protection standards and demands. The Data Protection Heat Index Survey Report was structured in four parts, and the findings were highly indicative of the positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.

Data Residency and Sovereignty
Many organizations struggle with issues around data residency and sovereignty. However, there was a common theme of respondents identifying “personal data” and Personally Identifiable Information (PII) as the data that is required to remain resident in most countries.

Lawful Interception
Responses indicated a universal interpretation of the concept of lawful interception, with responses such as: “The right to access data through country-specific laws if the need arises, i.e. data needs to be made available for a cybercrime investigation.”

User Consent
73 percent of respondents indicated that there should be a call for a global consumer bill of rights, and furthermore saw the United Nations as the body to foster it. This is very significant given the harmonization under way in Europe toward a single data protection regime for the 28 EU member states, the renewed calls for a Consumer Privacy Bill of Rights in the United States, and cross-border privacy arrangements in Australia and Asia.

Privacy Principles
Finally, we explored whether the OECD privacy principles, which have been very influential in the development of many data privacy regulations, also facilitate popular trends in cloud, IoT and big data initiatives or create tension with them. The responses were very much in favor of facilitating the various trends.

The Data Protection Heat Index survey findings indicate a shared interest in incorporating emerging privacy principles into new solutions versus trying to retrofit existing solutions. The survey report includes an executive summary from Dr. Ann Cavoukian, Former Information and Privacy Commissioner of Ontario, Canada and commentary from other industry experts on the positive role that privacy can play in developing new and innovative cloud, IoT and Big Data Solutions. Download the Data Protection Heat Index survey report. Please tell us what you think by posting your comments below.

Where do you see opportunities for broader industry co-operation around data protection and data privacy?

Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints to help organizations embrace the cloud securely and ensure data privacy in an agile manner. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn previously co-chaired the CSA Cloud Controls Matrix working group and played an integral role in guiding its development and evolution.

The Cloud Perception-Reality Gap Lives On in CSA Survey

September 22, 2014 | Leave a Comment

by Krishna Narayanaswamy, Netskope Chief Scientist

I thought we had moved beyond the cloud app perception-reality gap.

Shadow IT has been a topic of much conversation in the media, at conferences, and among our customer and partner communities for the past several years. Gartner highlighted the issue when the analyst firm declared cloud access security brokers as the #1 information security priority for this year. And vendors have been reporting for over a year on the many hundreds of cloud apps they observe per enterprise. This is a known issue.

But if you read “Cloud Usage: Risks and Opportunities Report,” which was released by the Cloud Security Alliance on Friday, you may think you’re reading a report from last decade. The report details results from a survey the Cloud Security Alliance conducted of 165 IT and security practitioners across a variety of industries and geographies.

Among the many surprising responses, three findings particularly struck me:

  • How many cloud apps do people think they have? According to the report, more than half (54 percent) of respondents believe that they have ten or fewer cloud apps. Ten or fewer! I use ten cloud apps in my first fifteen minutes at work each day. OK, that’s a slight exaggeration, but not by much. A full 87 percent of respondents believe they have 50 apps or fewer. When we perform a Cloud Risk Assessment for our customers and prospects, we ask this question. The most common answer is 50, and the average we find is 508 apps. That’s a ten-fold difference.
  • How much sensitive content is shared? According to the report, nearly half (48 percent) of respondents believe that less than 5 percent of their sensitive content in the cloud has been shared with unauthorized individuals or individuals outside of the organization. I think that’s low. In our cloud, we see that there are three shares for every content upload within cloud storage, and 49 of the 55 app categories we track have apps that enable sharing. That’s a lot of sharing.
  • How many apps are connected to the corporate directory? According to the report, 44 percent of respondents believe that 5 or fewer apps are integrated with their corporate directory. I guess that’s not surprising given #1, but if you believe that the reality is that organizations have 508 apps on average, that’s less than one percent. Given all of the recent data breaches, including ones involving cloud-based remote access technologies, you’d think that organizations would either want to authenticate users as they log into cloud apps or enforce policies to steer users to similar apps that are integrated with the corporate directory. After all, many of these apps are business-critical and house sensitive data.

Many of our customers and prospects have become a lot more aware of shadow IT, but based on this survey, it looks like we still have work to do to educate organizations about the magnitude of the issue, and what steps can be taken to discover and safely enable those apps. Get the full report here.
