Addressing the Skills Gap in Cloud Security Professionals

By Ryan Bergsma, Training Program Director, CSA

One of the math lessons that has always stuck with me from childhood is that if you took a penny and doubled it every day for a month, it would make you a millionaire. In fact, it wouldn't even take the whole month: you would be a millionaire on the 28th day. Of course, most of us realize this would be nearly impossible to accomplish in reality (unless you invested in the right crypto at the right time in the fall and early winter of 2017). The reason this old math lesson comes to mind when I think about the skills gap in IT security, and in particular cloud security, is Moore's Law.

The rise of cybercrime & IT security

Granted, doubling every two years is a lot different from doubling every day, but at that rate it takes only twenty doublings, or forty years, for computational power to grow a million-fold; if you take 1970 as the starting point, we passed that mark around 2010 and are well beyond it today. I bring this up because it speaks to the rapid increase in the power of the tools at the disposal of criminal hackers. Couple that with the fact that:

  1. Modern society relies so heavily on IT and…
  2. So many of our assets (from personal information, to intellectual property, to bank ledgers) can now be found online

And you have a scenario that is ripe for exploitation. With so much opportunity, albeit illegal, it is no wonder that bad actors have become prolific. And as this group of bad actors grows, so does the IT security industry, especially since it may take only one persistent bad actor to breach a system or network, but it generally requires an entire team to protect it.

So… the demand for cybersecurity professionals continues to balloon.

In fact, the Herjavec 2017 Cybersecurity Jobs Report says "Cybercrime will more than triple the number of job openings over the next 5 years" and predicts that there will be 3.5 million unfilled cybersecurity positions by 2021.

Increased threats to cloud computing

One particular realm of IT that has exploded into the mainstream consciousness in the past decade is cloud computing. The benefits of cloud computing have driven large-scale adoption by both individuals and businesses. In many cases it may even be in use without awareness of its use (or of the potential impacts). Whether that awareness is there or not, the need for security in cloud computing most certainly is. Though cloud solutions can provide heightened levels of security compared with traditional on-premises IT infrastructure and services, cloud infrastructures, platforms and services do come with their own unique set of risks; CSA even maintains a list of Top Threats for cloud environments. These factors have left many businesses, even those with existing IT security departments, scrambling to understand and mitigate the risks associated with the myriad cloud solutions.

Meanwhile the shift to cloud continues to accelerate. The same Herjavec report also mentions that “Microsoft estimated that 75 percent of infrastructure will be under third-party control (i.e., cloud providers or Internet Services Providers) by 2020.”

Why the skills gap exists

With cybercrime driving the growing demand for cybersecurity professionals, and the explosion of cloud usage driving a subsequent need for cloud security professionals, why is it that so many of these jobs remain unfilled?

The harsh reality is that the supply of candidates has not kept pace with the demand. There are not enough individuals with the skill set and years of experience that employers are looking for to fill these critical positions. A survey of industry influencers conducted by LogicMonitor found that "58% agreed lack of cloud experience in their employees was one of the biggest challenges." Employers are then left with the choice of leaving the positions unfilled or filling them with underqualified applicants. The 2017 Global Information Security Workforce Study says that "It is not uncommon for cybersecurity workers to arrive at their jobs via unconventional paths. The vast majority, 87% globally, did not start in cybersecurity, but rather in another career. While many moved to cybersecurity from a related field such as IT, many professionals worldwide arrived from a non-IT background."

What can be done to address this skills-gap?

Given the growing business demand for skilled cloud security professionals, what can be done to stem the tide of this increasing skills gap?

As an organization

To begin to combat the skills gap in cybersecurity professionals, and cloud security professionals in particular, businesses need to start taking proactive steps. Get your business behind initiatives to document current best practices in security and turn that documentation into training materials for the workforce. In cloud this is especially critical given its rapid development and expansion. This could take the form of encouraging your senior employees to use some portion of on-the-clock time to volunteer for these types of initiatives, or of directly funding projects to create the new training materials. Organizations need to encourage and incentivize current employees who are less knowledgeable in security to take advantage of current training offerings. It could also be worth considering setting up scholarship programs to make cybersecurity training more accessible for the next generation of cybersecurity professionals.

Of course, given the gap, businesses also need to be more open to hiring these newly trained security professionals into entry-level and junior positions so that they can begin to build the experience required to fill more senior positions.

As an individual

And, for individuals who are interested in a cybersecurity career, get yourself into training and pursue certificates and certifications that demonstrate your interests and abilities to businesses that are desperately in need of qualified cybersecurity professionals. There is a wide range of options when it comes to cybersecurity, so make an effort to figure out where your interests lie. Some of the many options include computer forensics, penetration testing, network security, security policy, end-user education, security audit and secure software development. Whether you are interested in writing code or working with people, there are likely security opportunities that will be a good fit for you personally.

If you already have some level of security knowledge and are interested in cloud, our Certificate of Cloud Security Knowledge (CCSK) offering is a great place to start. Holders of the Certified Information Systems Security Professional (CISSP) from (ISC)2 benefit from the alignment between the bodies of knowledge of the two credentials. All of the CISSP's domains have an analog among CCSK's 14 domains; where the domains overlap, CCSK builds on the CISSP domain and provides cloud-specific context.

For those holding ISACA’s Certified Information Systems Auditor (CISA) designation, better understanding of how clouds work and how they can be secured makes it easier to identify the appropriate measures to test control objectives and make appropriate recommendations.

If you’re interested in learning more about cloud security training for you or your team please visit our CCSK Training page or download our Free Prep-Kit.


Ryan Bergsma is the Training Program Director at CSA, where he manages CSA's training programs including the Certificate of Cloud Security Knowledge (CCSK) and Cloud Controls Matrix (CCM) Training.

Development of Cloud Security Guidance, with Mapping MY PDPA Standard to CCM Control Domains, Jointly Developed by MDEC and CSA

By Ekta Mishra, Research Analyst/APAC, Cloud Security Alliance

The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the CSA CCM rest on its customized relationship to other industry-accepted security standards, regulations and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it augments or provides internal control direction for the service attestations and control reports provided by cloud providers.

As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, identifies and reduces consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and the security measures implemented in the cloud.

The Malaysian Personal Data Protection Commissioner issued the Personal Data Protection Standards 2015, which came into force on 23 December 2015 (the “Standards”). To those who are affected, namely any person that “processes” and “has control over or authorizes the processing of any personal data in relation to commercial transactions” (in other words, any person or company that deals with personal data in the course of its business, also known as “data users”), the Standards stand to be a new compliance hurdle and would impose additional responsibilities on these data users, over and above those set by the Malaysia Personal Data Protection Act 2010 (“PDPA”).

The inclusion of the Malaysian Personal Data Protection Standards in the CSA CCM aligns the regional standard with the more than 30 global frameworks mapped in the CSA framework. Additionally, the mapping, conducted by the Malaysia Digital Economy Corporation (MDEC), further expands the coverage of the CSA CCM into the APAC region.

How to read the document:
1. The four sections of MY PDPA 2015 were mapped to CCM control domains. This was accomplished by matching each control in the CCM to the corresponding control(s) in MY PDPA to determine equivalence. This approach considered which CCM control is associated with which control(s) in MY PDPA, and to what degree they are equivalent. The extent of equivalence between controls of the two frameworks approximates the amount of effort necessary to incorporate MY PDPA using the CCM as a base.
2. The CCM Control ID was used as the reference for the CCM control domain name.
3. A gap identification and analysis was conducted for the remaining controls not considered equivalent (i.e., partial and full gaps) after the initial mapping. The gap analysis also indicates how much effort it may take to bridge the gaps between the two frameworks.
4. The controls from MY PDPA that were determined to have full or partial gaps will be used as compensating controls in the main CCM document.


The four sections of the document have been derived from the Malaysia (MY) Personal Data Protection Standard 2015:

  • Data Security for Personal Data Processed Electronically: A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
  • Data Security for Personal Data Processed Non-Electronically: A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
  • Retention Standard: A data user shall take practical steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
  • Data Integrity Standard: A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.


Typical Challenges in Understanding CCSK and CCSP: Technology Architecture

By Peter HJ van Eijk, Head Coach and Cloud Architect, ClubCloudComputing.com

As cloud computing becomes increasingly mainstream, more people are seeking cloud computing security certification. Because I teach prep courses for the two most popular certifications, the Certificate of Cloud Security Knowledge (CCSK), organized by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP), organized by (ISC)2, I naturally see a wide variety of people as they work to pass these exams.

My students come from many different backgrounds, each bringing a unique set of experiences that colors their understanding of the way the cloud is managed and controlled. To some these varying backgrounds might seem a hindrance, but quite the opposite is true: secure cloud adoption is a team sport, and diverse backgrounds count when it comes to reducing risk to organizations.

Despite their varying backgrounds, they all face similar challenges. A common challenge I see in my courses, especially for less technical people, is understanding information technology architecture in general. It’s something they struggle with, and also something that can be a hurdle in passing the exam. So, what is technology architecture and why is it important?

A technology architecture primer

Cloud computing, in my opinion, does not have that much new technology. Most of the technology we have today was already in existence before the advent of cloud computing.

Today, a common characteristic of the technologies that are relevant for cloud computing is the fact that they facilitate resource pooling and interconnection of systems. Resource pooling is an essential characteristic of cloud computing, and a technology such as server virtualization helps implement that sharing. But that technology should also guarantee proper separation between otherwise independent cloud tenants.

Technologies such as APIs and federated identity management allow the cloud to be made up of a lot of collaborating independent companies. This helps create an IT supply chain. Your average company has hundreds of SaaS suppliers who in turn use hundreds of other cloud companies to help them deliver their services.

APIs also enable the essential cloud characteristic of automatic self-service provisioning. For example, through APIs we can set up auto-scaling services. Again, this is a tool in building the IT supply chain.

Sharing requires caring

The new thing in cloud is sharing between independent companies, interconnecting different, independent providers and automating that. The whole technology architecture now spans the IT supply chain.

This has big governance and security implications. For example, when that collaboration or isolation fails, we cannot escalate these problems to our own CTO or CIO to resolve them. These problems are not confined to a single company anymore. They have to be resolved between companies.

The technical collaboration between companies will only work with proper contracts and management processes. This has to be set up in advance, instead of figuring out how it works later, as is so common inside an enterprise. And the people whose competence is to review these contracts and set up the service management processes therefore must understand how the technology enables that collaboration.

That is why technology architecture is so important for less technical people. And that is also why it can be hard. The CCSK body of knowledge focuses specifically on how cloud technology architecture has an impact on cloud management, in particular on cloud risk management, and that makes it a great tool for building effective cloud adoption teams.

Peter van Eijk is one of the world’s most experienced cloud trainers. He has worked for 30+ years in research, with IT service providers and in IT consulting (University of Twente, AT&T Bell Labs, EDS, EUNet, Deloitte). In more than 100 training sessions, he has helped organizations align on security and speed up their cloud adoption. He is an authorized CSA CCSK and (ISC)2 CCSP trainer, and has written or contributed to several cloud training courses.


Bitglass Security Spotlight: US Government Breaches Abound

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity headlines of recent weeks:

—Healthcare.gov breached
—US weapons systems contain cybersecurity gaps
—Over 35 million US voter records for sale
—National Guard faces ransomware attack

Healthcare.gov breached

75,000 people had their personal details stolen when hackers breached a government system that is frequently used to help individuals sign up for healthcare plans. Obviously, the information contained in the system was highly sensitive; for example, Social Security numbers. There are plans in motion for helping those affected through services like credit protection.

US weapons systems contain cybersecurity gaps

A new report finds that American weapons systems contain cybersecurity vulnerabilities. The US Department of Defense is reported to have neglected best security practices in these systems. These security gaps are described as being “mission-critical.”

Over 35 million US voter records for sale

An online forum that is well known for selling information exposed in data breaches was recently found to boast more than 35 million US voter records. The exposed data includes names, phone numbers, physical addresses and much more, belonging to residents of 19 states. Unfortunately, experts confirmed the accuracy of these private details, and the records remain available for purchase by anyone who wants them.

National Guard faces ransomware attack

In Indiana, the National Guard was recently the victim of a ransomware attack. A system housing the personal details of military personnel and civilians was compromised in the event. The good news is that the attack is not believed to be a part of a coordinated assault on the National Guard – the organization was supposedly not specifically targeted. Regardless, information was exposed.

To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from ransomware, data leakage, misconfigurations, and more, download the Definitive Guide to CASBs.

Documentation of Distributed Ledger Technology and Blockchain Use

By Ashish Mehta, Co-chair, CSA Blockchain/Distributed Ledger Working Group

CSA's newest white paper, Beyond Cryptocurrency: Nine Relevant Blockchain and Distributed Ledger Technology (DLT) Use Cases, aims to identify wider use cases for both technologies beyond cryptocurrency, the area with which both technologies currently have the widest association.

In the process of outlining several use cases across discrete economic application sectors, we covered multiple industry verticals, as well as some use cases which cover multiple verticals simultaneously.

For the purpose of this document, we considered a use case as relevant when it provides potential for any of the following:

—disruption of existing business models or processes;
—strong benefits for an organization, such as financial, improvement in speed of transactions, auditability, etc.;
—large and widespread application; and
—concepts that can be applied in real-world scenarios.

From concept to production environment, we also identified six separate stages of maturity—concept, proof of concept, prototype, pilot, pilot production, and production—to get a better assessment of how much work has been done within the scope and how much more work remains to be done.

Some of the industry verticals which we identified are traditional industries, such as shipping, airline ticketing, insurance, banking, supply chain, and real estate, all of which are ripe for disruption from a technological point of view.

We also clearly identified the expected benefits of adopting DLTs/blockchain in these use cases, the type of DLT, the use of private vs. public blockchain, the infrastructure provider (CSP) and the type of service (IaaS, PaaS, SaaS). Other key features of the use case implementations, such as smart contracts and distributed databases, have also been outlined.

Future iterations of this document will provide updates on these use cases, depending on the level of progress seen over time. We hope this document will be a valuable reference to all key stakeholders in the blockchain/DLT ecosystem, as well as contribute to its maturity.

The success of the Beyond Cryptocurrency: Nine Relevant Blockchain and Distributed Ledger Technology Use Cases is the result of the dedicated professionals within the Blockchain/Distributed Ledger Working Group and would not have been possible without the expertise, focus, and collaboration of the following working group members:

  • Nadia Diakun
  • Raul Documet
  • Vishal Dubey
  • Akshay Hundia
  • Sabri Khemissa
  • Nishanth Kumar Pathi
  • Michael Roza

Download Beyond Cryptocurrency now.

Fixing Your Mis-Deployed NGFW

By Rich Campagna, Chief Marketing Officer, Bitglass

The firewall, and more recently the next-generation firewall, has been the cornerstone of information security strategy for decades. The thing is, changes in network traffic patterns have resulted in most firewalls protecting a smaller and smaller percentage of enterprise network traffic over time.

This post will illustrate the root cause of these firewall mis-deployments, and how the typical enterprise can correct the issue, restoring the efficacy of their security strategy.

In the beginning

In the beginning, your firewall was in position to protect the majority of your corporate data and applications. Most users were on managed devices, on network (either physically or via VPN), and connected to data and applications inside of the enterprise (private) data center. Everything was protected and the deployment was sound:

(Figure: premise apps to managed devices)

Time goes on

As time went on, the first sanctioned SaaS applications were introduced to the organization. These typically took the form of major SaaS applications like Office 365, G Suite and Salesforce. Since these applications are publicly reachable from anywhere, BYOD started to rear its ugly head as well (even if you had held it off in the past). This was the first step towards firewall mis-deployment, with a good portion of corporate data now existing unprotected outside the firewall:

(Figure: premise apps to BYOD)

Eventually, the business got the idea that cloud was easier, more agile and more cost-effective than on-premises applications, so the demands started to increase. In addition to major SaaS apps, niche industry and/or functional applications started popping up, and the organization began migrating on-premises applications (both custom apps and packaged software) to IaaS platforms. Today's picture for most enterprises looks something like this:

(Figure: premise apps to IaaS)

Results are in

The result? Your firewall is currently protecting only a small percentage of your enterprise applications and data. There is, however, a simple fix for this deployment challenge:

(Figure: firewall zero to CASB)

With the constant wave of applications migrating to the cloud, it won’t be long before we hit Firewall Zero, with Cloud Access Security Brokers taking the firewall’s place as the cornerstone of enterprise security strategy.

Weigh in on the Cloud Controls Matrix Addenda

Dear Colleagues,

The Cloud Security Alliance would like to invite you to review and comment on the Cloud Controls Matrix (CCM) addenda for the following standards:

—German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (C5). (Add your comments to CCM-C5.)
—ISO/IEC 27002, ISO/IEC 27017 and ISO/IEC 27018. (Add your comments to CCM-ISO.)

These CCM addenda aim to help organizations assess and bridge compliance gaps between the CCM and other security frameworks. The documents contain:

  • a controls mapping between the above-mentioned standards and the CCM (e.g., which control(s) in the CCM map to each given control in ISO/IEC 27017),
  • a gap analysis, and
  • compensating controls (i.e. the actual “addendum”).

The CSA and the CCM Working Group hope that organizations will find this document useful for their security compliance programs.

To participate, please follow the links above to the review site. From there, you should be able to navigate to the Google Sheets and provide your comments. Please do not provide editorial comments (i.e., grammar, formatting, etc.); focus instead on the content of the document.

The peer review ends on December 20, 2018. We appreciate your assistance and thank you in advance for your time and contributions.

Best Regards,
CSA Research Team

CCSK Success Stories: Cloud Security Training from a CTO’s Perspective

By the CSA Education Team

We're kicking off a series on cloud security training today with a Q&A with the Vice President and CTO of Fusion Risk Management, Cory Cowgill. With a background in enterprise software development spanning multiple industries, Cowgill holds multiple certifications, including Salesforce System Architect and Application Architect, Amazon Web Services Solution Architect, and the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK). He has presented eight times at Dreamforce, the world's largest enterprise software conference, and is a member of the Salesforce MVP Hall of Fame.

What led you to the Certificate of Cloud Security Knowledge?

The research and work with the CCM (Cloud Controls Matrix) led me to the CSA Certificate of Cloud Security Knowledge. I am a lifelong learner so I decided to take the exam. I recently passed the CSA Certificate of Cloud Security Knowledge, and I found so much of the content directly valuable. I would recommend it to all IT security professionals. It provides a set of comprehensive and vendor-neutral cloud computing principles that are invaluable across security roles and responsibilities. The CSA Security Guidance v4 document will be required reading for all my engineering talent in our organization going forward.

You said you found so much of the CCSK content “directly valuable.” Could you talk more about the specific content you were able to use in your job?

Sure. As a CTO of a SaaS company, I am often engaged in prospect and customer discussions around our product's security posture. I have found all of the domains to be helpful, but I find two domains especially helpful based on where a customer is on their cloud journey. Domain 1, "Cloud Computing Concepts and Architectures," is especially helpful when establishing a conversation with a customer who is very early on their journey, helping establish what the shared responsibility model will look like. For customers who are well on their cloud journey, I find Domain 6, "Management Plane and Business Continuity," to be extremely helpful, as the management plane is where the customer will be implementing the majority of their security controls under the shared responsibility model.

What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

The CCSK or CCSP provide the most value to individuals who may need to work with an array of cloud vendors. Many organizations have a mix of CSPs who provide a range of SaaS and IaaS solutions. Individuals responsible for the overall security posture of the organization cannot be expected to hold a certification for each CSP’s technology stack. This is where the CCSK or CCSP become valuable as you have a credential that is relevant to assessing the overall security posture regardless of vendor specific technical details. Vendor certifications are valuable to those individuals in the organization who are configuring and administering those specific CSP solutions.

What’s a common problem you see organizations struggling with when migrating to the cloud?

As the CTO I am frequently engaged in discussions with customers and prospects around the security posture of our SaaS product. It is no small understatement to say that there is a lot of education that needs to be done within enterprise IT security teams. Companies struggle to ask the right questions around cloud security as many still do not fundamentally understand the benefits of the cloud. Each organization has a separate set of questions or controls they want to discuss which takes considerable effort from both internal IT security resources and SaaS provider security teams.

This led me to the Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM). The CCM addresses these pain points by providing a standardized controls matrix that can be used to drive the discussion between cloud vendors and cloud customers.

How did CCM help communicate with customers?

By providing our standard CCM to prospects and customers along with our other compliance certifications and security assets we can rapidly assure customers and prospects that we are “Protecting the covenant of trust.”

When you said, “companies struggle to ask the right questions around cloud.” What types of questions are companies asking that they shouldn’t be asking? What types of questions do they need to be asking?

Many of the questions I respond to are very granular, infrastructure-related questions phrased or worded in terminology that is very specific to on-premise services. I seldom get asked about the management plane and the security controls and capabilities that fall under the responsibility of a customer in the shared responsibility model. The major CSPs have extremely mature security controls with compliance, certifications, and other attestations around their infrastructure components. While important to review that material and understand the infrastructure controls, the greatest risk is misconfiguration of the cloud services by the customer. Therefore, customers and prospects would be better served by understanding the management plane and security controls that are their responsibility to configure. This applies to all service models whether SaaS, PaaS, or IaaS.

Some people are unfamiliar with the CSA Security Guidance. What would you compare it to?

All of the major cloud vendors across the service models have detailed documentation and guidance on their security postures and available controls. However, most enterprises have multiple cloud service providers with different delivery models and what is missing is a way to establish a common dialog across these CSPs’ security capabilities. In this regard I would compare the CSA security guidance to a critical guidebook that helps you establish a common dialog across CSPs as you evaluate their security postures.

What’s the biggest hurdle for security professionals who aren’t familiar with the cloud yet?

I think the biggest challenge is that there are so many different cloud technologies which can cause analysis paralysis. Do I get started with IaaS? If so do I pursue AWS, Azure, or Google? Do I start with a huge SaaS / PaaS vendor like Salesforce or ServiceNow? What will be most relevant? And when you couple this large array of CSPs with continually evolving technologies like serverless, it can be overwhelming to many. My advice is you can’t go wrong with any one vendor. You kind of need to just dive in the pool so to speak. Keep up the great work CSA!

If you’re interested in learning more about cloud security training for you or your team, please visit our CCSK Training page.


Cory Cowgill is the Vice President & Chief Technology Officer, Fusion Risk Management, Inc., where he is responsible for research and development, customer engagement, operations and security, and go-to-market initiatives. With a background in enterprise software development spanning multiple industries, Cowgill leads with a dedication to technology and risk management.

AWS Cloud: Proactive Security and Forensic Readiness – Part 4

Part 4: Detective Controls in AWS

By Neha Thethi, Information Security Analyst, BH Consulting

Security controls can be either technical or administrative. A layered security approach to protecting an organization’s information assets and infrastructure should include preventative controls, detective controls and corrective controls.

Preventative controls exist to prevent the threat from coming in contact with the weakness. Detective controls exist to identify that the threat has landed in our systems. Corrective controls exist to mitigate or lessen the effects of the threat being manifested.

This post relates to detective controls within AWS Cloud. It’s the fourth in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.

Detective controls in AWS Cloud

AWS detective controls include processing of logs and monitoring of events that allow for auditing, automated analysis, and alarming.

These controls can be implemented using AWS CloudTrail logs to record AWS API calls, service-specific logs (for Amazon S3, Amazon CloudFront, CloudWatch Logs, VPC flow logs, ELB logs, etc.) and AWS Config to maintain a detailed inventory of AWS resources and their configuration. Amazon CloudWatch is a monitoring service for AWS resources and can be used to trigger CloudWatch Events to automate security responses. Another useful tool is Amazon GuardDuty, a managed threat detection service that continuously monitors for malicious or unauthorized behavior.

Event logging

Security event logging is crucial for detecting security threats or incidents. Security teams should produce, keep and regularly review event logs that record user activities, exceptions, faults and information security events. Logs should be collected centrally and analysed automatically to detect suspicious behavior, with automated alerts on key security metrics and events. It is critical to analyse logs in a timely manner to identify and respond to potential security incidents. In addition, logs are indispensable for forensic investigations.

The challenge of managing logs

However, managing logs can be a challenge. AWS makes log management easier to implement by providing the ability to define a data-retention lifecycle or define where data will be preserved, archived, or eventually deleted. This makes predictable and reliable data handling simpler and more cost-effective.

The following checklist covers the use of AWS Trusted Advisor for detecting security issues within the AWS environment; the collection, aggregation, analysis, monitoring and retention of logs; and the monitoring of security events and billing to detect unusual activity.

The checklist provides best practice for the following:

  1. Are you using Trusted Advisor?
  2. How are you capturing and storing logs?
  3. How are you analyzing logs?
  4. How are you retaining logs?
  5. How are you receiving notification and alerts?
  6. How are you monitoring billing in your AWS account(s)?

Best-practice checklist

1. Are you using Trusted Advisor?
  • Use AWS Trusted Advisor to check for security compliance.
2. How are you capturing and storing logs?
  • Activate AWS CloudTrail.
  • Collect logs from various locations/services, including AWS API and user-related logs (e.g. AWS CloudTrail), AWS service-specific logs (e.g. Amazon S3, Amazon CloudFront, CloudWatch Logs, VPC flow logs, ELB logs, etc.), operating system-generated logs, IDS/IPS logs and third-party application-specific logs.
  • Use services and features such as AWS CloudFormation, AWS OpsWorks, or Amazon Elastic Compute Cloud (EC2) user data to ensure that instances have agents installed for log collection.
  • Move logs periodically from the source either directly into a log processing system (e.g., CloudWatch Logs) or into an Amazon S3 bucket for later processing, based on business needs.
3. How are you analyzing logs?
  • Parse and analyse security data using solutions such as AWS Config, Amazon CloudWatch, Amazon EMR, Amazon Elasticsearch Service, etc.
  • Perform analysis and visualization with Kibana.
4. How are you retaining logs?
  • Store data centrally using Amazon S3 and, for long-term archiving if required, Amazon Glacier.
  • Define a data-retention lifecycle for logs. By default, CloudWatch Logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, either keeping indefinite retention or choosing a retention period between one day and 10 years.
  • Manage log retention automatically using AWS Lambda.
5. How are you receiving notification and alerts?
  • Use Amazon CloudWatch Events to route events of interest, and information reflecting potentially unwanted changes, into a proper workflow.
  • Use Amazon GuardDuty to continuously monitor for malicious or unauthorized behavior.
  • Send events to targets such as an AWS Lambda function or Amazon SNS for alerts and notifications.
6. How are you monitoring billing in your AWS account(s)?
  • Use detailed billing to monitor your monthly usage regularly.
  • Use consolidated billing for multiple accounts.
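Items 3 and 5 of the checklist (analyzing logs, then routing events of interest to an alerting target) are where most of the detective value sits, so here is an added example of what that analysis step looks like in code. It is not code from the original post or from AWS: the records are constructed sample data in the shape of the JSON that CloudTrail delivers to S3, the rule names, severities and the failed-login threshold are assumptions, and the CloudTrail, IAM and sign-in event names checked are the real ones those services emit. The output is the kind of JSON body you would hand to an SNS topic or a Lambda function.

```python
"""Triage CloudTrail records into alert-worthy findings.

Added example, not code from the original post. SAMPLE_TRAIL_FILE is
constructed sample data in the shape of a CloudTrail log file; the rule
names, severities and threshold are assumed values to be tuned locally.
"""
import json
from collections import Counter

# CloudTrail delivers log files to S3 as {"Records": [...]}. Constructed sample.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2018-10-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2018-10-01T08:00:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2018-10-01T08:01:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2018-10-01T08:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-10-01T08:03:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2018-10-01T08:04:22Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2018-10-01T09:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2018-10-01T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Event names worth an alert (real CloudTrail event names).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
IAM_PRIVILEGE_GRANTS = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                        "PutRolePolicy", "CreateAccessKey", "CreateLoginProfile"}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold; tune to your environment


def parse_trail_file(text):
    """Return the list of records from one CloudTrail log file body."""
    return json.loads(text).get("Records", [])


def _finding(severity, rule, record, detail):
    return {"severity": severity, "rule": rule,
            "eventTime": record.get("eventTime"), "detail": detail}


def analyze(records, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Apply the detection rules; return a list of findings for alerting."""
    findings = []
    failed_logins = Counter()  # source IP -> failed ConsoleLogin count
    for rec in records:
        source = rec.get("eventSource", "")
        name = rec.get("eventName", "")
        identity = rec.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("type", "unknown")
        ip = rec.get("sourceIPAddress", "unknown")
        params = rec.get("requestParameters") or {}

        # Root credentials should be reserved for account recovery.
        if identity.get("type") == "Root":
            findings.append(_finding("HIGH", "root-account-use", rec,
                                     f"root credentials called {name} from {ip}"))
        # Stopping or altering the trail blinds every other detective control.
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(_finding("CRITICAL", "cloudtrail-tampering", rec,
                                     f"{actor} called {name} on trail {params.get('name', '?')}"))
        # New policies and credentials are the usual path to privilege escalation.
        if source == "iam.amazonaws.com" and name in IAM_PRIVILEGE_GRANTS:
            findings.append(_finding("HIGH", "iam-privilege-grant", rec,
                                     f"{actor} called {name} ({params.get('policyArn', 'n/a')})"))
        # Failed console logins are counted per source IP and alerted on once.
        if (source == "signin.amazonaws.com" and name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failed_logins[ip] += 1

    for ip, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append({"severity": "MEDIUM", "rule": "console-login-failures",
                             "eventTime": None,
                             "detail": f"{count} failed console logins from {ip}"})
    return findings


def to_alert_message(findings):
    """Serialize findings as the JSON body an SNS or Lambda target would receive."""
    return json.dumps({"findingCount": len(findings), "findings": findings}, indent=2)


if __name__ == "__main__":
    print(to_alert_message(analyze(parse_trail_file(SAMPLE_TRAIL_FILE))))
```

Run against the sample file, the script raises four findings: three failed console logins from one address, the StopLogging call, the AdministratorAccess grant, and the root-credential use; the successful login and the DescribeInstances call are ignored. In production the same function would be fed from a CloudWatch Logs subscription or an S3 event on the trail bucket, and the failed-login counter would be scoped to a time window rather than to one file.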

Refer to the following AWS resources for more details:

Next up in the blog series is Part 5 – Incident Response in AWS – best practice checklist. Stay tuned. Let us know in the comments below if we have missed anything in our checklist!

DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only.

Data Breaches on the Rise in Financial Services

By Jacob Serpa, Product Marketing Manager, Bitglass

Financial services organizations are a prime target for hackers looking to steal and sell valuable data. This is because these firms handle sensitive information known as PII, personally identifiable information, as well as other financial data. In Financial World: Breach Kingdom, Bitglass’ latest financial breach report, the Next-Gen CASB reveals information about the state of security for financial services in 2018. Read on to learn more.

The rise of financial services breaches

2018 has seen the number of financial services breaches reach new heights. This is likely due to a large number of reasons. For example, some organizations may have an overreliance upon existing cybersecurity infrastructure and find it difficult to justify additional expenses in light of their existing sunk costs in security. Other firms may simply overestimate what traditional endpoint and premises-based tools can do to protect data from evolving threats. Regardless, the fact remains that financial services firms were breached in 2018 nearly three times more than they were in Bitglass’ previous, 2016 report.

Malware leads the pack

In prior years, the causes of financial services breaches were fairly diverse. Lost or stolen devices and hacking each caused about 20 percent of breaches, while unintended disclosures and malicious insiders were responsible for 14 percent and 13 percent, respectively.

However, this year saw a massive shift in the balance of power. Nearly three quarters of all financial services breaches in 2018 were caused by malware or hacking. This seems consistent with headlines over the last year – ransomware, cloud cryptojacking, and highly specialized malware variants have dominated the news when it comes to breaches.

What to do?

In financial services, far more must be done to secure sensitive information. While it is imperative that the enterprise can protect data against any threat, it is now clear that defending against malware deserves special attention. This is particularly true in light of the rise of cloud and BYOD. More devices and applications are storing and processing data than ever before, creating more opportunities for malware to infect the enterprise. Fortunately, there are appropriate solutions available.

To learn more about the state of cybersecurity in financial services, download Financial World: Breach Kingdom.

Cloud Security Alliance Releases Minor Update to CCM v3.0.1

By the CSA Research Team

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Working Group has released a minor update for the CCM v3.0.1. This update incorporates mappings to IEC 62443-3-3 and BSI Compliance Controls Catalogue (C5).

The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.

As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. It strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

The CSA CCM Working Group would like to thank the following individuals for their contributions to this minor update:

Siemens

  • Claus Matzke
  • Kristian Beckers

CCM Working Group

  • Noel Haskins-Hafer
  • Kris Seeburn
  • Amita Radhakrishnan
  • Angela Dogan
  • Dibya Ranjan Nath
  • Hardeep Mehrotara
  • Jevon Wooden
  • Keith Stocks
  • Leena Singal
  • Loredana Mancini
  • Manjunath A.T.
  • Michael Roza
  • Reid Leake
  • Subrata Baguli
  • Umar Khan
  • Vamsi Kaipa

Please feel free to contact us at [email protected] if you have any queries regarding the update.

If you are interested in participating in future CCM Working Group activities, please feel free to sign up for the working group.

Cloud Security Alliance Announces the Release of the Spanish Translation of Guidance 4.0

By JR Santos, Executive Vice President of Research, Cloud Security Alliance.

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the release of Guidance for Critical Areas of Focus in Cloud Computing 4.0 in Spanish. This is the second major translation release since Guidance 4.0 was released in July of 2017 (the previous version was released in 2011).

An actionable cloud adoption roadmap

Guidance 4.0, which acts as a practical, actionable roadmap for individuals and organizations looking to safely and securely adopt the cloud paradigm, includes significant content updates to address leading-edge cloud security practices.

Approximately 80 percent of the Guidance was rewritten from the ground up with domains restructured to better represent the current state and future of cloud computing security. Guidance 4.0 incorporates more of the various applications used in the security environment today to better reflect real-world security practices.

“Guidance 4.0 is the culmination of more than a year of dedicated research and public participation from the CSA community, working groups and the public at large,” said Rich Mogull, Founder & VP of Product, DisruptOPS. “The landscape has changed dramatically since 2011, and we felt the timing was right to make the changes we did. We worked hard with the community to ensure that the Guidance was not only updated to reflect the latest cloud security practices, but to ensure it provides practical, actionable advice along with the background material to support the CSA’s recommendations. We’re extremely proud of the work that went into this and the contributions of everyone involved.”

CCM, CAIQ, DevOps and more

Guidance 4.0 integrates the latest CSA research projects, such as the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ), and covers such topics as DevOps, IoT, Mobile and Big Data. Among the other topics covered are:

  • DevOps, continuous delivery, and secure software development;
  • Software Defined Networks, the Software Defined Perimeter and cloud network security;
  • Microservices and containers;
  • New regulatory guidance and evolving roles of audits and compliance inheritance;
  • Using CSA tools such as the CCM, CAIQ, and STAR Registry to inform cloud risk decisions;
  • Securing the cloud management plane;
  • More practical guidance for hybrid cloud;
  • Compute security guidance for containers and serverless, plus updates to managing virtual machine security; and
  • The use of immutable, serverless, and “new” cloud architectures.

The oversight of the development of Guidance 4.0 was conducted by the professional research analysts at Securosis and based on an open research model relying on community contributions and feedback during all phases of the project. The entire history of contributions and research development is available online for complete transparency.

Seven Reasons Why Proxy-based CASBs Are Required for Office 365

By Rich Campagna, Chief Marketing Officer, Bitglass

A competing CASB vendor blogged recently on why proxy-based Cloud Access Security Brokers (CASBs) shouldn’t be used for Office 365.

The post cites “7 reasons,” all of which are variations of just one reason: their CASB breaks each time Microsoft makes changes to Office 365. What they call “application breakages” due to “updates” are really “CASB outages.” In other words, the dog ate their homework.

A commonly cited issue with proxies (the only way to achieve real-time cloud data loss prevention or DLP) is their ability to adjust to the near constant changes in cloud applications. However, without an automated solution that can respond to these changes in real time, it’s up to quick response by CASB engineers to fix breakages after they occur, which leads to inevitability of downtime. Make sure you don’t fall into this trap. Select a CASB that can adapt to changes on the fly. Don’t throw out proxy technology completely just because some vendors can’t do it properly.

Proxy-based CASBs: Seven reasons why

So, knowing that a proxy-based solution for Office 365 can work, if you pick the right one, why go inline with Office 365 versus relying purely on out-of-band API integration? Here are 7 unique reasons:

  1. Managed vs Unmanaged Device Access Control – For most organizations, a managed device represents a much lower risk than an unmanaged BYO device. Proxy-based controls allow you to distinguish between the two and provide a different level of access to the app and to sensitive corporate data.
  2. OneDrive Sync Client Control – A OneDrive sync client constantly synching many GBs of corporate data to an unmanaged device is riskier than a user on that device logging into OneDrive via web browser to download a couple of files that they need. Proxy allows you to control by access method.
  3. Real-time Data Leakage Prevention – API-based integration with apps like Office 365 is great for scanning data-at-rest, but only provides “Monday morning” notifications of data leakage. Proxies prevent data leakage in real-time.
  4. BYOD Malware Prevention – Your organization probably has unmanaged devices connecting into Office 365, devices that could be infected with malware. Proxy-based solutions stop malware from making its way into Office 365, thwarting would-be attempts to use Office as an IT-sanctioned, paid-for malware distribution tool.
  5. Session Management – You likely want to aggressively time out and reauthenticate users on unmanaged or new devices. Possible with proxy, not possible with API.
  6. Step-up Multifactor Authentication – See suspicious activity mid-session? Evidence of credential compromise? Only inline CASB allows you to do something about it as it starts to occur.
  7. Data-at-rest Encryption – In many industries, there is a desire to use the public cloud but without giving up control over your data. Proxy-based CASBs allow you to encrypt data before it gets to the cloud. Public cloud apps with private cloud security – have your cake and eat it too!

Bonus: Office 365 might be your main (or only) cloud app today, but that will most definitely change in the future. The fact is, only a small handful of cloud applications provide APIs that are security relevant, whereas a properly architected proxy can support any application.

Bitglass Security Spotlight: Uber, Apollo, & Chegg

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Uber fined $148 million over cover-up
—Apollo database of 200 million contacts breached
—Chegg hack exposes 40 million users’ credentials
—Port of San Diego faces cyberattack

Uber fined $148 million over cover-up

In late 2016, Uber suffered a breach at the hands of hackers who were looking to infiltrate one of the company’s cloud services. However, instead of reporting the event (as they were supposed to), they instead paid the culprits $100,000 and elected to keep silent about the attack. Since then, all fifty states, as well as the District of Columbia, have sought legal action against the company, culminating in a fine of $148 million.

Apollo database of 200 million contacts breached

Apollo, a well-known sales engagement startup, recently had its database of 200 million contacts breached by malicious parties. Unfortunately, as detailed in the message that the company sent to the individuals whose information was exposed, the breach did take a number of weeks to detect. As massive damage can be done in a matter of moments, organizations must employ real-time security measures if they want to avoid a similar fate.

Chegg hack exposes 40 million users’ credentials

Chegg was recently found to have been breached by unauthorized users seeking to steal sensitive information. While it is believed that no Social Security numbers were stolen, data that was successfully exfiltrated included users’ names, usernames, passwords, email addresses, shipping addresses, and more. Unfortunately, the breach, which occurred in April of 2018, took months to detect, giving hackers plenty of time to pursue their malicious ends. The company has since reset the affected users’ passwords.

Port of San Diego faces cyberattack

Within a week of the cyberattack on the Port of Barcelona in Spain, another assault was launched upon the Port of San Diego. This pair of cyberattacks highlights the reality that hackers can target infrastructure and have widespread, adverse repercussions for organizations around the world. Fortunately, this particular attack affected only land-based operations at the port. The causes have yet to be discovered.

Learn about cloud access security brokers (CASBs) and how they can protect your enterprise from threats in the cloud and download the Definitive Guide to CASBs.

Bitglass Security Spotlight: Veeam, Mongo Lock, Password Theft, Atlas Quantum & the 2020 Census

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity headlines of recent weeks:
—440 million email addresses exposed by Veeam
—Unprotected MongoDB databases being targeted
—42 million emails, passwords, and more leaked
—Cold-boot attacks steal passwords and encryption keys
—2 billion devices still vulnerable to Bluetooth attack
—Atlas Quantum, cryptocurrency platform, breached
—Security concerns around the 2020 census
—Air Canada’s mobile app breached
—WellCare breach exposes data of 20k children

440 million email addresses exposed by Veeam

Data management company Veeam has ironically mismanaged hundreds of millions of users’ data. A public-facing database exposed 440 million users’ email addresses, names, and, in some circumstances, IP addresses. While this leak may seem innocuous, names and email addresses are all that is needed to conduct targeted spear phishing attacks.

Unprotected MongoDB databases being targeted

The rise of the Mongo Lock attack is seeing improperly secured, poorly configured MongoDB databases being targeted in a ransomware-like fashion. In these attacks, hackers scan for publicly accessible databases, remove their contents, and demand a Bitcoin ransom in exchange for having data returned.

42 million emails, passwords, and more leaked

A public hosting service that allows individuals to upload files for free was recently found to contain a massive amount of personal data. Over 42 million email addresses and passwords, as well as partial credit card numbers, were found within the platform. As noted in the Veeam section, hackers can easily use this type of data to conduct targeted spear phishing campaigns and steal more sensitive information.

Cold-boot attacks steal passwords and encryption keys

A new cold-boot attack can take information in under two minutes from unsuspecting victims. The attack, which is further detailed at the above link, involves stealing information from RAM, or random access memory. Through this tactic, passwords and even encryption keys can be stolen. Fortunately, hackers need physical access to a computer to execute this kind of technique. Rather than allowing a system to sleep, forcing it to hibernate or shut down is a helpful defense.

2 billion devices still vulnerable to Bluetooth attack

One year ago, BlueBorne, a collection of vulnerabilities in devices that leverage Bluetooth, was revealed. Unfortunately, despite the fact that an entire year has gone by, 2 billion devices remain exposed. This is due to systems that have not been patched, systems that cannot be patched, and more.

Atlas Quantum, cryptocurrency platform, breached

Well-known cryptocurrency platform Atlas Quantum was recently found to have been breached. 261,000 of the company’s users had their names, account balances, email addresses, and phone numbers exposed. While the company initially declined to disclose the circumstances surrounding the breach, it did state that users’ cryptocurrencies were safe – it was merely information that was stolen.

Security concerns around the 2020 census

In the US, the Government Accountability Office has concerns about the cybersecurity of the Census Bureau. The bureau is reported to have thousands of security vulnerabilities – dozens of which are identified as highly risky and dangerous. Naturally, as conducting a census involves collecting data from countless citizens, these security gaps must be filled before the next census in 2020.

Air Canada’s mobile app breached

Late last month, Air Canada’s mobile app was found to have been breached. While it was only 1% of the application’s 1.7 million users that were affected, it was still 20,000 individuals who had their names, phone numbers, passport numbers, and dates of birth exposed.

WellCare breach exposes data of 20k children

In WellCare Health Plans’ recent breach, 20,000 children had their PHI (protected health information) exposed. The information’s security was compromised when WellCare accidentally mailed letters to the wrong addresses. Exposed data included children’s names, ages, and healthcare providers.

Learn about cloud access security brokers (CASBs) and how they can defend against the rising tide of data breaches.


POC the CASB

By Rich Campagna, Chief Marketing Officer, Bitglass

The Cloud Access Security Broker, or CASB, space has quickly made its way to the mainstream, with organizations of every size and every industry deploying CASBs whenever their data moves beyond the firewall.

While ready for primetime and widely deployed, some enterprises are taking the risky step of skipping the proof-of-concept or trial phase. Given the rapid evolution of the enterprise use cases, and of CASB vendor solutions, we always encourage organizations to #POCtheCASB (of course, it helps that our sales team has complete confidence in the quality of our CASB solution and in our support …).

Seven ways to #POCtheCASB

Here are a few of the key areas to focus on for a successful trial:

  • Proxy Robustness – A commonly cited issue with proxies (the only way to achieve real-time cloud data loss prevention or DLP) is their ability to adjust to the near constant changes in cloud applications. However, without an automated solution that can respond to these changes in real time, it’s up to quick response by CASB engineers to fix breakages after they occur, which leads to inevitability of downtime. Make sure you don’t fall into this trap. Select a CASB that can adapt to changes on the fly. Don’t throw out proxy technology completely just because some vendors can’t do it properly.
  • User Experience – The days of the security team being able to put their needs ahead of the user experience are long gone. Be sure to test with volunteer users from a variety of different business units or departments. Ensure that the CASB solution preserves the user experience and requires minimal or no retraining for your test group.
  • Managed and Unmanaged Device Access – Even if you held BYOD at bay with premises applications, it will become a reality when you move to the cloud. Be sure to test the capabilities of the CASB on both managed devices, as well as on a range of BYO device types to ensure that policy and control capabilities work equally well on all device types.
  • Performance – A well-architected CASB solution should offer high performance and low latency for all users globally, as well as when under peak load. Test from a variety of geos and from several different times of day.
  • Enterprise Integration – Most enterprises end up integrating their CASB into several other systems including Active Directory, IDaaS, network DLP, SIEM and more. Test to be sure that the CASB has appropriate connectors for each of these systems.
  • Flexibility – You might initially deploy a CASB for a small number of cloud applications, but for most enterprises, their cloud footprint begins to evolve and grow rapidly once cloud takes root in the organization. Ensure that you develop test cases that exercise the CASB’s ability to meet not only your current needs, but the future needs of your business.
  • Policy – Last but not least, test out the policies you plan to develop on your CASB! Whether you’re planning to use baseline policies like access control and UEBA, or more sophisticated policies involving DLP and encryption, run the test CASB(s) through their policy paces.

Bitglass Security Spotlight: Yale, LifeLock, SingHealth, Malware Evolving & Reddit Breached

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity headlines of recent months:

—Future malware to recognize victims’ faces
—Reddit suffers breach
—6 million records of Georgian voters exposed
—RASPITE Group attacks US infrastructure
—Decade-old breach at Yale uncovered
—Bug exposes LifeLock customer data
—Patient data of 1.5 million exposed in SingHealth breach
—Tesla, GM, Toyota, and others expose 157 GB of data
—COSCO hit with ransomware attack

Future malware to recognize victims’ faces

Malware is poised to continue its evolution and deploy newer, more advanced capabilities. In particular, it is believed that threats will leverage artificial intelligence in order to become increasingly context aware. For example, malware may soon employ facial recognition that uses an individual’s appearance to trigger an attack.

Reddit suffers breach

Early last month, a hacker was discovered to have breached Reddit’s systems and stolen a variety of user data; for example, email addresses, passwords, private messages, and more. While the breached data came from an unsecured database containing information from 2005 to 2007, the incident still highlights the importance of maintaining constant visibility and control over data.

6 million records of Georgian voters exposed

Voters in Georgia recently had their personal information exposed when the office of the Secretary of State granted various parties access to voter registration data in an unsecured fashion. This data included dates of birth, driver’s license numbers, and Social Security numbers. If the data were obtained by nefarious individuals, widespread identity theft could ensue very easily.

RASPITE Group attacks US infrastructure

Since 2017, the RASPITE Group has been a cybersecurity threat that has attacked nations around the world. Countries in the Middle East, Asia, and Europe have all suffered. Recently, the cybercriminal group was tied to Iran and found to be targeting electric utility companies in the US. Naturally, these organizations must have adequate defenses lying in wait.

Decade-old breach at Yale uncovered

About ten years ago, Yale University suffered a breach. Unfortunately, at the time, the intrusion was not detected. Alumni and various faculty and staff had information like Social Security numbers exposed. This event highlights the need for proactive cybersecurity measures as well as constant threat monitoring.

Bug exposes LifeLock customer data

In an ironic twist of fate, LifeLock, an organization built upon defending customers from identity theft, was found to have exposed its users’ email addresses through a bug. The company’s users are now more vulnerable to targeted phishing attacks that imitate communications from LifeLock.

Patient data of 1.5 million exposed in SingHealth breach

Singaporean healthcare organization, SingHealth, was recently breached – much to the ire of those in the country pushing for Singapore to become a cloud-first nation. The cybersecurity incident exposed sensitive information belonging to 1.5 million, including 160,000 whose prescription details were stolen.

Tesla, GM, Toyota, and others expose 157 GB of data

Leading automotive companies (Ford, Volkswagen, and many others) were recently found to have extensive amounts of proprietary information publicly available online. The data was reportedly exposed by poor configurations around the rsync protocol, demonstrating, once again, the importance of maintaining a robust and detail-oriented security posture.

COSCO hit with ransomware attack

As one of the biggest shipping enterprises in the world, COSCO sends countless goods around the globe every day. Unfortunately, the company was recently hit with a ransomware attack that harmed some of its US operations. While the company has since responded to the attacks, ransomware continues to represent an imposing threat for businesses everywhere.

To learn about cloud access security brokers (CASBs) and how they can defend against malware, breaches, and more, download the Definitive Guide to CASBs.

In Europe, Cloud Is the New Default

By Salim Hafid, Senior Product Marketing Manager, Bitglass

If you keep up with the blog, you’ll remember our 2018 global cloud adoption report, which found that thousands of organizations had deployed cloud apps since we last conducted our automated analysis of over 100,000 firms. Many in EMEA wanted to know how Europe stacked up against the rest of the world and against the US, and whether companies in the region were securing their cloud environments.

EMEA leading the cloud charge

Europe has always been ahead of the curve with respect to cloud usage. Cost and compliance concerns have driven IT in every organization to migrate and enable employee mobility. Of note, the research team’s analysis found that the rate of cloud adoption in EMEA outpaced US and global adoption, topping 84 percent this year and led by major SaaS productivity apps like Office 365 – used in 65 percent of firms in EMEA today.

Microsoft’s continued investment in their SaaS suite has pushed Office 365 deployments into far more organizations than Google with G Suite. More than three times as many organizations in EMEA now use Office 365 than use G Suite.

Many companies in Europe still haven’t secured data in the cloud

A majority of organizations in EMEA still don’t have single sign-on in place. Only 47 percent of organizations in our sample had some SSO tool. What’s more, few have taken steps to secure the growing number of Shadow IT applications in use. In almost every EMEA-based organization in our sample, the Bitglass team found more than one cloud app deployed. Most companies have some productivity app in use, a cloud messaging platform, an enterprise file sync and share tool, and IaaS workloads in AWS or Azure.

Our data revealed that a majority of organizations have deployed Office 365 or G Suite in addition to Slack. In the technology sector, for example, 3 in 4 organizations have tried Slack and nearly all have some cloud productivity app deployed.

Check out our full report, in which we explore the underlying trends driving organizations to the cloud and compare the growth of cloud in Europe to the rest of the world.

Office 365 Security: It Takes Two to Tango

Many cloud apps – including Office 365 – operate under a shared responsibility model. Here’s what that means for your company

By Beth Stackpole, Feature Writer, Symantec

Security concerns, once a long-standing hurdle to cloud deployment, may be on the wane, but the issue is still very much alive when it comes to cloud-based applications such as Microsoft Office 365.

It’s not that Office 365 is inherently less secure than other SaaS offerings; it’s that companies still harbor misperceptions related to the shared responsibility model now commonplace for many cloud applications, including Microsoft Office 365. The issue is particularly acute given the rising popularity of the Microsoft cloud platform. Global cloud adoption has topped 81 percent, while Office 365 usage has surged from 34.3 percent to 56.3 percent this last year, eclipsing Google’s G Suite, which held steady at 25 percent.

Under the shared responsibility model, security of physical assets, host infrastructure, network controls, and application-level controls is squarely in the hands of cloud service providers (CSPs) like Microsoft, but that hardly covers all the bases. Identity and access management and client and endpoint protection remain a split responsibility between the CSP and the customer; more importantly, the enterprise needs to take the reins when it comes to data security and classification, a delineation that is often lost on customers expecting that a SaaS solution means security requirements are taken care of.

“One of the most common misperceptions is that Microsoft, by default, is protecting all the data and that’s simply not the case,” says Swapnil Deshmukh, senior director of information security at Visa. “Organizations need to figure out how to protect the application stack and any code that resides there as well as how to protect data stored on the cloud itself.”

Not surprisingly, there have already been some well-publicized breaches. A wave of phishing attacks aimed at stealing passwords used Microsoft 365 Office files posing as tax forms, affecting millions of users. And then there was last year’s mishap when the Office 365 Admin Center itself inadvertently revealed usage data belonging to other tenants, which highlighted the risks in the context of regulations like the European GDPR (General Data Protection Regulation).

A holistic security approach

Symantec’s 2018 Shadow Data Report, which covers the key challenges encountered when trying to secure data and maintain compliance in cloud apps and services, reveals just how high the stakes have become. The report found that 32 percent of emails and attachments in the cloud are broadly shared and 1 percent of those contain compliance-related data, including Personally Identifiable Information (PII), Payment Card Information (PCI), and Protected Health Information (PHI), revealing a much higher risk than anticipated.

Moreover, 68 percent of organizations have some employees who exhibit high-risk behavior in cloud accounts, encompassing everything from data destruction to data exfiltration and account takeovers. It gets worse: The 2017 Symantec Internet Security Threat Report (ISTR) found that in 2016 one out of every 131 emails contained a malware attack, and 61 percent of organizations were hit by ransomware incidents.

Microsoft Office 365 delivers an array of security controls, including encryption of data both at rest and in transit over the network, threat management and security monitoring capabilities, and online protection to ward off spam and malware. Azure Active Directory is used for authentication, identity management, and access controls, and there is support for multi-factor authentication. The platform also has a built-in feature for email encryption, but it isn’t part of the default settings.

This highlights a problem for many users who simply don’t know what’s available beyond Office 365’s default security controls, notes Payton Moyer, president and COO of MLS Technology Group, a managed IT services provider. “Office 365 offers baseline security features baked in and ready to go by default, but to get the maximum security, you have to make an effort to add capabilities and turn them on,” he says.

What’s really important, experts say, is for enterprises to layer on additional security capabilities, including digital rights management; Data Loss Prevention services; as well as threat analytics, blocking, and remediation.

Adds Symantec Senior Technical Sales Manager, Adrian Covich: “People are looking for the base functionality and don’t necessarily proceed with security in mind. They also misunderstand the point to which Microsoft will secure them out of the box versus what they still need to do. There are still fundamental questions you need to answer with SaaS when it comes to the delineation of responsibilities and who has access to data. Are your users who they say they are? What data are you storing and are your business processes sufficiently secure?”

These extra protections should work holistically across the entire enterprise domain, not just for the Microsoft Office 365 cloud silo. To this point, a Cloud Access Security Broker (CASB) can integrate Office 365 and other cloud apps into the broader enterprise security architecture, delivering visibility into shadow IT and cloud application usage, providing data governance and controls for data stored in cloud apps, and leveraging machine learning and user behavior analytics to deliver advanced security and data protection.

“A CASB sits between the enterprise end user and Microsoft Office 365, looks at all the data, and allocates the right controls to it,” says Visa’s Deshmukh. “It stops data exfiltration avenues from an internal perspective and identifies adversaries that may have compromised end users.”

By sharing responsibility and taking a holistic approach, enterprises can close security gaps, minimize potential risks, and ensure a stress-free path to the cloud.

This post was originally published on Sept. 24, 2018, on Symantec.com.

Guideline on Effectively Managing Security Service in the Cloud

By Dr. Kai Chen, Director of Cybersecurity Technology, Huawei Technologies Co. Ltd.

The cloud computing market is growing rapidly. Affordable, efficient, and scalable, cloud computing remains the best solution for most businesses, and it is heartening to see the number of customers deploying cloud services continue to grow.

From the beginning of cloud’s existence, cloud service security has been among the top concerns of deployment. In order to deal with this, various organizations have invested huge efforts in cloud service security standards and in researching, developing, and enforcing best practices. Thanks to the efforts of cloud service providers (CSPs), cloud service security has reached an acceptable level. But from the cloud customers’ perspective, there is still a shortage of best practices on how to secure their cloud services. The availability of such guidelines can be especially helpful for small and medium enterprises (SMEs) that constantly face shortages of professional security manpower. With this in mind, the Cloud Security Services Management (CSSM) Working Group developed the “Guideline on Effectively Managing Security Service in the Cloud,” which applies to various cloud deployment models, from private, public, and hybrid to community cloud.

The shared security responsibility model is no stranger to the cloud security community. Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements. The complexity is that in reality, given the same concept of shared responsibility, there are different interpretations and implementations among different CSPs. In many cases, it is challenging for cloud customers to clearly understand and bear their responsibilities in practice.

Cloud service security: A how-to

The Guideline provides easy-to-understand guidance to cloud customers on how to design, deploy, and operate a secure cloud service with respect to the different cloud service models, namely IaaS, PaaS, and SaaS, helping them ensure the secure running of service systems. With a distinct separation of responsibilities, cloud customers can clearly understand the security responsibilities of their own and of CSPs, what security assurance features should be provided to bear these security responsibilities, the existing gaps, and how to develop related capabilities to address such gaps.

Additionally, the Guideline provides guidance for CSPs in building cloud platform security assurance systems which can also be used by cloud service security integrators.

Third-party security service providers also play important roles in securing cloud services. Although, under the shared security responsibility model, they bear no responsibilities in the cloud themselves, these providers can leverage the Guideline to better fit their services to CSPs and/or cloud customers.

The CSSM WG hopes that this effort allows for a better understanding of cloud security responsibilities by both customers and CSPs, and through this creates a more robust cloud security ecosystem.

Download the Guideline on Effectively Managing Security Service in the Cloud now.