15 Data Security Policies Ignored by Modern Workers

March 9, 2016 | Leave a Comment

By Rachel Holdgrafer, Business Content Strategist, Code42

02-29-16_policy_vs_reality_blogIT isn’t the only department stretched thin. In the past 20 years the economy has grown nearly 60 percent. Corporate profits have increased 20 percent. And wages have stagnated for most Americans. The workday goes from 9 to 7 and the U.S. is among a small club of nations that doesn’t require time off. See the trend? Despite data security policies, everybody is working fast and hard in a dangerous, connected world.

At this breakneck speed, IT policies—designed to educate employees and manage risk—are white noise for the modern worker.

Clearly, both parties in this relationship have to change—and clearly, that change won’t be easy. In the meantime, IT can buoy data policies with smart technology that does what employees won’t—like continuously back up laptops to ensure business continuity in the face of anything.

After endpoint backup is in place, IT and modern workers should walk a mile in each other’s shoes as a first step in lessening the gap between policy and real life.

 

code42 policy vs. reality graphic

Security Versus Privacy in Today’s Enterprise

March 3, 2016 | Leave a Comment

By Rachel Holdgrafer, Business Content Strategist, Code42

02_24_16_securityvsprivacy_blog (1)Whether enterprise security or personal data privacy should prevail in the enterprise is the debate of the century. With internal actors responsible for 43 percent of enterprise data loss and 62 percent of respondents to the2016 Cyber Defense report indicating that a cyber attack is somewhat or very likely in the next year, today’s enterprise must have endpoint security in place to protects its data. Similarly, as the FBI demands that Apple build a backdoor into its iPhone iOS, personal data privacy is becoming even more critical.

Data is the exhaust of our digital lives—both personally and professionally. Protecting it is paramount for the enterprise and the individual. Terms of use, conditions of employment and IT policies protect the enterprise. Who—or what—protects the individual?

The simple smartphone
Bruce Schneier publishes extensively about how metadata—the context around a data point—is fundamentally “surveillance data,” tracking and recording relationships, associations, locations and search terms. Smartphones are not typically backed up by the enterprise and in an individual’s quest for personal data privacy, that’s a good thing. Smartphones should remain the individual’s outlet for conducting personal business. Here’s why:

Smartphones generate an enormous amount of data when they are turned on. Location services, GPS coordinates, phone calls, text messages, email, application usage, web searches—all create data streams that reveal a stunning amount about the human being carrying the phone. The graphic below examines four basic data streams created by the average smartphone and the deductions that can be made about you as a result.

security vs privacy graphic (1)

 

Private and secure
It’s possible for individual privacy and data security to coexist in the enterprise, but both the enterprise and the end user must play a role to make it a reality.

End users must take an active part in protecting their digital privacy and recognize that the devices and networks—as well as the data being created on them—belong to the enterprise. With this in mind, employees must conduct less personal business on enterprise-owned machines and networks, utilizing their personal smartphone or laptop instead. When the use of corporate devices and networks cannot be avoided, end users should be aware that the files and the meta data associated with their actions are visible to IT.

Additionally, end users must take an active approach to current events and pending legislation that may impact personal privacy. They must take action when necessary to ensure personal privacy standards are maintained (e.g. pushing back to prevent implementation of backdoors in mobile devices and unregulated collection and use of personal data).

In turn, the enterprise must do its part to respect and maintain personal data privacy. Employees need to be educated. The enterprise must explicitly tell employees when and where personal data will be collected and where, if anywhere, on their networks employees can assume privacy. With clear policies in place, the enterprise must uphold those policies and alert employees to any changes in how personal data will be collected, indexed or used.

The Software-Defined Perimeter and IaaS: A New Initiative

March 2, 2016 | Leave a Comment

By Kurt Glazemakers, CTO, Cryptzone

As enterprises embrace infrastructure as a service (IaaS) platforms, shifting new development and production into these environments, they face some challenges due to the dynamic nature of IaaS. Security, compliance and business & IT efficiency – specifically around granting, controlling, and reporting on which users can access which systems and services across a network – become major concerns.

The problem is that traditional security tools are unable to cope with the speed, scale, and complexity of this new, dynamic world, especially if organizations embrace dynamic release systems such as DevOps. As a result, security teams are unfortunately encountering familiar problems in their IaaS environments, including an inability to keep pace with a dynamic environment, users with over-privileged network access, and an inability to easily perform compliance reporting. Cloud service providers are facing similar challenges with IaaS management access.

Putting the Software-Defined Perimeter to use
A Software Defined Perimeter (SDP) helps solve these issues by establishing one perimeter for each user, effectively creating an individualized perimeter – a network ‘segment of one’. This segment of one delivers fine-grained authorization, contextual awareness and fewer hard-coded rules for IT and security teams to manage.

At Cryptzone, we are seeing great adoption of SDPs. And adoption is only set to increase.  Customers, partners and prospects increasingly want to apply SDP to cloud environments – both on-premises and cloud-based IaaS and for DevOps.

Leading the industry with a new SDP for Infrastructure as a Service (IaaS) initiative
Today we are pleased to announce the formation of a new SDP for IaaS Initiative with the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

We want to help lead the industry to define the problem and apply SDP as part of the solution for IaaS. Our goals for the Initiative include:

  • Documenting specific security, compliance and architecture challenges that arise from enterprise adoption of IaaS
  • Exploring how an SDP solution can solve these problems
  • Providing architectural and deployment guidelines and best practices for secure IaaS, including the impact of DevOps initiatives
  • Influencing the SDP specification to address IaaS-specific requirements

We aim to deliver with CSA an analysis and taxonomy of IaaS-specific security, network, identity, and compliance challenges, explanation of how an SDP architecture can address these challenges and deployment scenarios and use cases that examine aspects such as network configuration, identity management, authentication and security groups.

We want you!
If you want to help change the cloud security space, we want you! We’re actively seeking participation from enterprises, cloud providers, and technology vendors to collaborate on the creation of the deliverables listed above. This effort will begin in March 2016, with a goal of producing initial version of documents by Q3 2016. To participate contact Jason Garbis at jason.garbis[at]cryptzone.com or learn more at the CSA.

SecaaS Working Group Releases Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring

February 29, 2016 | Leave a Comment

By John Yeoh, Senior Research Analyst, Global, Cloud Security Alliance

Numerous security vendors are now leveraging cloud-based Security as a Service (SecaaS) models to deliver security solutions. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. However, these SecaaS offerings can take many forms causing market confusion and complicating the selection process. Customers are increasingly faced with evaluating security solutions, which do not run on premises, and need a better understanding of these offerings to evaluate the security risks and the shared responsibility over the security of systems for which they are accountable.

In order to improve the perception and reputation of these services, Security as a Service requires a clear definition and direction to ensure it is understood and to improve the adoption across industry sectors. This will lead to greater awareness, understanding and knowledge of SecaaS and its functions.

The CSA SecaaS Working Group is working to address these challenges by working with experienced knowledge leaders and intelligent market research in the industry to align with cloud governance best practices, document use cases, identify standards requirements, and create other innovative research artifacts.  The group’s research will allow the intended users to create guidelines for implementing SecaaS offerings, support those looking to purchase SecaaS solutions, and aid those tasked with implementing or auditing them.

Today, at the RSA Conference, the SecaaS Working Group is releasing Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring.”

Continuous Monitoring has been recognized as a new category that the working group has addressed. This overview document is the first in a series of business, technical, and implementation guidance documents for the following security service categories:

  • Business Continuity and Disaster Recovery
  • Continuous Monitoring
  • Data Loss Prevention
  • Email Security
  • Encryption
  • Identity and Access Management (IAM)
  • Intrusion Management
  • Network Security
  • Security Assessments
  • Security Information and Event Management
  • Vulnerability Scanning
  • Web Security

For more information, visit CSA Security as a Service.

CSA’S Virtualization Working Group Publishes New Position Paper on Network Function Virtualization

February 29, 2016 | Leave a Comment

With the broad adoption of virtualized infrastructure, many security teams are now struggling with how to best secure these vital assets from targeted attacks. And because almost anyone can now easily virtualize resources such as compute, storage, networking and applications, the velocity and impact of security threats have increased significantly.

In response to these trends, the CSA’s Virtualization Working Group has convened a forum of experts to help network and data center practitioners adopt new best practices for securing their virtual infrastructure. The result is a new position paper on Network Function Virtualization, which discusses some of the potential security issues and concerns, and offers guidance for securing a Network Virtual Function (NFV) based architecture, whereby security services are provisioned in the form of Virtual Network Functions (VNFs). We refer to such an NFV-based architecture as the NFV Security Framework. This paper also references Software-Defined Networking (SDN) concepts, since SDN is a critical virtualization-enabling technology. The paper is the first step in developing practical guidance on how to secure NFV and SDN environments.

This white paper consists of five core sections:
Section 1: Provides a basic overview.
Section 2: Introduces NFV concepts, and briefly discusses SDN.
Section 3: Expounds on some of the security issues and concerns when introducing NFV into a cloud environment.
Section 4: Explains the benefits and opportunities of an NFV Security Framework.
Section 5: Expounds on the challenges and important elements of the NFV Security Framework.

“NFV and SDN have introduced significant new threat vectors into cloud providers and enterprise environments.  The CSA Virtualization Working Group looks forward to collaborating with the industry to determine how best to mitigate these threats.  We have created an initial step in that direction and hope to accelerate our ability to guide security experts with practical guidance in the near future”, said Kapil Raina, Co-Chair of the Virtualization Working Group

The Virtualization Working Group is sponsored by Trend Micro. Download a free copy of the paper.

You can catch the co-chairs and members of the working group during RSA 2016 at the CSA Research Working Group meetings. Visit CSA Research Working Group more information about the meetings.

CSA’s Consensus Assessments Initiative Releases Minor Update to Version 3.0.1

February 29, 2016 | Leave a Comment

CSA’s Consensus Assessments Initiative Working Group has released an update to version 3.0.1 of the Consensus Assessments Initiative Questionnaire (CAIQ) that included minor updates and corrections.

A tab was created in the spreadsheet titled “CAIQ Change Log” to capture the details of each update. This will be the location where all updates/corrections are logged until the next major version release. Updates included spelling and consistency in the document.

Consensus Assessments Initiative Questionnaire v3.0.1

Cloud Data Security Services Just Got Easier to Build and Assess

February 26, 2016 | Leave a Comment

By Alan Eng, Senior Manager/Product Marketing, Vormetric

vormetricIt is well documented that security is the leading concern hindering cloud adoption. However, it is not so clear cut how to build secure cloud services, or how to assess whether cloud services adhere to relevant security requirements. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) framework was specifically designed to offer insights on these topics. The CCM framework provides fundamental security principles to guide cloud service providers (CSPs) and to assist prospective cloud customers in assessing the overall security risk of a cloud offering.

Using the latest CCM framework, version 3.0.1, Vormetric has created two white papers that shed further light on these critical topics. One paper helps cloud providers understand how to meet industry security guidelines with Vormetric data security solutions. The second paper explains how customers looking to adopt cloud services can assess whether their cloud vendors adhere to cloud security best practices. This paper also describes which Vormetric solutions to look for in complying with these standards.

The CCM is aligned with many industry standards and control frameworks, including International Organization for Standardization (ISO) 27001 and 27002, ISACA COBIT, National Institute of Standards and Technology (NIST), Jericho Forum, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), the Payment Card Industry Data Security Standard, version 3, and several others. As a result, CSPs can meet a number of industry security guidelines simply by adopting CCM requirements. In addition, the CCM framework features the Consensus Assessments Initiative Questionnaire (CAIQ), a detailed questionnaire that customers can use to assess the security capabilities of CSPs.

To develop our white papers, Vormetric staff worked with CSA CCM experts to identify which requirements pertained to data security. These white papers explain how the Vormetric Data Security Platform meets critical data security requirements.

By leveraging these white papers, security teams at CSPs can establish a clear path forward for securing data in their cloud environments. Further, executives at enterprises can use a concrete list of questions to assess and qualify prospective CSP offerings and ensure their data security needs are met. Below is a brief description of each white paper and the link to download the paper directly.

Industry Guidelines for Building Secure Cloud Services: This white paper explains how CSPs can use the Vormetric Data Security Platform to address CCM requirements for data segregation, persistent protection of customer data, data access monitoring and auditability, availability, and data destruction.

Best Practices for Assessing Your Cloud Data Security Services: This white paper offers a detailed look at how Vormetric solutions address the requirements specified in the CAIQ. In addition, the paper details what enterprise decision makers should look for in their cloud data security services.

Both white papers are also available on the Vormetric resources page.

Quantum Technologies and Real World Information Security Challenges

February 25, 2016 | Leave a Comment

By Bruno Huttner, Quantum Safe Product Manager, ID Quantique

Most cyber security applications rely on a few cryptographic primitives, for both encryption and signature. These primitives are now known to be breakable by a Quantum Computer (QC), that is a computer operating according to the rules of quantum mechanics. The design and manufacture of such a computer is still a formidable tasks, which is expected to last for many years. However, a post by the NSA in 2015, which was very recently followed by a NIST report have brought a new sense of urgency to the matter.

Indeed, in view of the devastating effect the QC would have on our cryptographic systems, it is necessary to start thinking now about new ways to protect and authenticate data. Existing tapping techniques, in conjunction with almost unlimited storage abilities, allow malicious entities to gather and store incredible amounts of data. These encrypted data can be kept this way until the  quantum computer is ready,  and then subsequently decrypted. Therefore, data, which has to be kept secret for a long time, say tens of years, should already be encrypted in a quantum-safe manner. We need to prepare for the post-quantum era now.

There are two possible roads towards this goal. The first one is to keep algorithmic-based cryptography, but use different algorithms, known as Post–Quantum Algorithms (PQAs) or Quantum Resistant Algorithms (QRAs), which, we hope, will remain quantum-safe. The second one is to adopt an entirely different principle, and base some of our cryptographic primitives on physical methods. In this case, security does not depend on mathematical analysis, but on the laws of quantum mechanics. This is what is achieved by Quantum Key Distribution (QKD).

These two approaches are by no means exclusive. Each have different domains of application, and will most probably complement one another. Since QKD requires a physical infrastructure, it will be restricted to  large communication hubs, for example links between large data centres, such as the ones used for cloud infrastructure. In addition, as it is provably secure, QKD shall be used for high value data, which has to remain secret for a long period. However, QKD only deals with key distribution which is only one part of a quantum-resistant cryptosystem. QRAs, necessary for authentication, will also be used in links between end-users and communication infrastructure, for example mobile applications to antennas or telecom hubs. It could also be used for data with high privacy content, but shorter validity period.

Quantum Safe Security @ RSA 2016
Quantum technologies represent both a threat to current cyber security methods, and an asset to guarantee long-term cyber security in the post-quantum era. The “Quantum technologies and real world information security challenges” panel is the first of its kind, which will be presented at RSA Conference this year. The panellists have been chosen among real information security professionals from a variety of fields. The specific topics they will cover include:

  • The threat of the quantum computer against current cryptographic techniques.
  • The immediate and medium-term challenges faced by each industry that could be mitigated by quantum security approaches.
  • Different quantum solutions, the problems they can help address, and how they compare to the current approaches in use.
  • What are the perceived risks and weaknesses of Quantum Key Distribution solutions?
  • Discussions on any work / partnerships they have done in this area.

If you ever wondered whether you should start thinking about these issues, their stories are your own stories. This session will provide you with a clearer picture and possible action points for the future.

Session Details
Date: Friday,  March 4, 2016
Time: 10:10 AM
Venue: Moscone West, Room 2005

For more information about the session, click here.

Apple vs. FBI: The “Bad” Guys Always Get the “Good” Weapons

February 24, 2016 | Leave a Comment

By Susan Richardson, Manager/Content Strategy, Code42

02_19_16_apple_fbi_social_blogIt’s a powerful tool, created for good—until it falls into the wrong hands. Sounds like a classic James Bond plot, right? That’s how we see the battle surrounding government-mandated “backdoors” playing out—and why we side with Apple (and most of the tech world) in supporting the individual’s right to privacy. Because unfortunately, 007 doesn’t stand a chance against today’s cyber criminals.

Backdoors: the classic “good” tool that falls into “bad” hands
The FBI’s court order to Apple—and Apple’s official and very public response—is just the latest in an ongoing debate and struggle to find the balance between the need for security and the right to privacy. The pro-backdoor camp believes these tools are essential for investigating criminals, terrorists and other nefarious actors, preventing them from “going dark” behind the wall of encryption. This all seems reasonable in the short term. Their cause is just. It’s a means to an end we all want—safety and security. It’s a one-time thing, right?

Wrong. Once the technology exists, there’s no going back—and there’s no sure way to completely control how it’s used or how it evolves. So, what happens when these backdoor keys fall into the wrong hands? It’s the classic plot of the James Bond series and other spy thrillers. But this time, it won’t be a single villain; it will be the entire shadowy world of cyber criminals, wreaking havoc with the newly created (and hacked) “keys to the kingdom.”

“But the government will protect the keys!”
Think the bad guys won’t get the backdoor keys? Think again. The U.S. government is already being hacked with alarming frequency and ease. Just last week, President Obama acknowledged that government IT infrastructure is woefully outdated and easily outgunned by agile cybercriminals. Even if the government moves to shore up these vulnerabilities, the mere existence of backdoor keys will be blood in the water for hungry cybercriminals, giving even greater incentive to target government IT infrastructure.

Code42 supports the individual right to privacy
At Code42, we recognize the need to balance security with privacy, but we ultimately believe in the individual’s right to privacy. We’ve talked about the problems with backdoors before—and industry experts agree that the risks outweigh the benefits. Our consumer tools, including Code42 CrashPlan, help our customers protect this right. In the enterprise world, we designed Code42 CrashPlan to empower the enterprise to define their security policies, providing employees with a respectful sense of privacy.

Forcing tech companies to sabotage their own products and hack their own customers will have a disastrous impact on the tech economy. But expecting a technology to only be used for good is a shortsighted move with the potential for far greater harm than good. And like we said, James Bond won’t be saving the day on this one.

The Netskope Cloud Report: The Cloud Malware Fan-out

February 23, 2016 | Leave a Comment

By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope

NS-Cloud-Report-Feb16-WW-IG-00 (1)Today we released our Cloud Report in which we highlight cloud security findings from October through December of 2015.

This quarter we focus on an important finding from our research team. In scanning many hundreds of our customers’ tenants, we found that 4.1 percent of those enterprises’ sanctioned apps are laced with malware such as trojans, viruses, and spyware. The volume of malware in those apps ranged from a handful of files to many dozens in a customer tenant.

We analyzed the infections and found a “fan-out” pattern in the spread of the malware (or in some cases, the effect of the malware). This is due, ironically, to two critically useful capabilities that the cloud is known for – sync and share.

I’ll show an example of this in full forensic detail during my keynote at next week’s CSA Summit, but let me describe what we saw happen in a number of enterprises that got hit with ransomware recently:
– A user becomes infected with ransomware
– Upon detonation, the ransomware encrypts the files on the user’s hard drive
– Some of the files on the user’s hard drive are in sync folders of a cloud app
– The encrypted versions of the files sync with the cloud app, replacing the cloud versions with the encrypted ones
– Then additional users, with whom the original user had shared the sync folder, sync their desktop client folders with the cloud, and those desktop files become encrypted

We have observed the fan-out effect both for the spread of malware itself and for the spread of the effect of malware, such as encryption in the above example.

Note that our initial research was only on enterprises’ sanctioned apps, which represent less than five percent of total cloud usage. Given this, we believe that both malware, and this fan-out effect, are far more widespread than the 4.1 percent we observed. As we begin applying this research to unsanctioned apps in our cloud access security broker, we’ll report on what we find in future reports.

What do we recommend to combat this? Five things:
1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more
2. Scan for and remediate malware at rest in your sanctioned apps
3. Detect malware incoming via sanctioned and unsanctioned apps
4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors
5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server